From 28ea155558f0fb16eb1bf98ce53cca9ec08970c5 Mon Sep 17 00:00:00 2001 From: Inna Palant Date: Fri, 22 Jan 2021 08:06:42 -0800 Subject: [PATCH 001/921] Initial empty repository From ed6fcdbdc1f5ef30e840b21edfc07b27507bcd53 Mon Sep 17 00:00:00 2001 From: Robin Peng Date: Thu, 4 Mar 2021 16:33:18 +0800 Subject: [PATCH 002/921] Add owners file Bug: 167996145 Change-Id: I0865c8272d32859ab5ce44841582ee371b0cf972 --- OWNERS | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 OWNERS diff --git a/OWNERS b/OWNERS new file mode 100644 index 00000000..33a29255 --- /dev/null +++ b/OWNERS @@ -0,0 +1,3 @@ +aaronding@google.com +robinpeng@google.com +lucaswei@google.com From 5009efa7762477694a7d223e9a84dc95be2651a6 Mon Sep 17 00:00:00 2001 
From: Robin Peng Date: Fri, 5 Mar 2021 14:21:41 +0800 Subject: [PATCH 003/921] Move slider-sepolicy into gs101-sepolicy from: 71e609c24c97fc8d44843af30527cbeb90d5dcdf Bug: 167996145 Change-Id: Ie00e7e0983a3ca695bbd5140c929d07a80144301 --- OWNERS | 14 +- ambient/exo_app.te | 11 + ambient/exo_wirecutter_app.te | 7 + ambient/keys.conf | 2 + ambient/mac_permissions.xml | 26 ++ ambient/seapp_contexts | 5 + display/common/file.te | 1 + display/common/file_contexts | 1 + display/gs101/genfs_contexts | 11 + .../gs101/hal_graphics_composer_default.te | 34 ++ gs101-sepolicy.mk | 23 + private/gmscore_app.te | 2 + private/hal_dumpstate_default.te | 2 + private/hal_vibrator_default.te | 2 + private/incidentd.te | 14 + private/lpdumpd.te | 7 + private/priv_app.te | 19 + private/radio.te | 1 + private/service_contexts | 1 + private/untrusted_app_25.te | 2 + tracking_denials/aocd.te | 2 + tracking_denials/bootanim.te | 5 + tracking_denials/cbd.te | 51 +++ tracking_denials/dumpstate.te | 35 ++ tracking_denials/gmscore_app.te | 67 +++ tracking_denials/gpsd.te | 11 + tracking_denials/hal_camera_default.te | 15 + tracking_denials/hal_dumpstate_default.te | 16 + tracking_denials/hal_fingerprint_default.te | 52 +++ .../hal_graphics_composer_default.te | 23 + tracking_denials/hal_health_default.te | 15 + tracking_denials/hal_memtrack_default.te | 3 + tracking_denials/hal_neuralnetworks_armnn.te | 33 ++ tracking_denials/hal_power_default.te | 15 + tracking_denials/hal_power_stats_default.te | 68 +++ tracking_denials/hal_vibrator_default.te | 2 + tracking_denials/hal_wifi_ext.te | 4 + tracking_denials/hardware_info_app.te | 18 + tracking_denials/incidentd.te | 139 ++++++ tracking_denials/init-thermal-symlinks-sh.te | 9 + tracking_denials/init.te | 20 + tracking_denials/mediacodec.te | 6 + tracking_denials/modem_logging_control.te | 13 + tracking_denials/pixelstats_vendor.te | 4 + tracking_denials/platform_app.te | 8 + tracking_denials/priv_app.te | 51 +++ tracking_denials/rild.te | 16 + 
tracking_denials/scd.te | 13 + tracking_denials/sced.te | 10 + tracking_denials/shell.te | 7 + tracking_denials/surfaceflinger.te | 12 + tracking_denials/system_app.te | 4 + tracking_denials/system_server.te | 2 + tracking_denials/tee.te | 11 + tracking_denials/trusty_apploader.te | 9 + tracking_denials/untrusted_app.te | 14 + tracking_denials/untrusted_app_25.te | 149 +++++++ tracking_denials/update_engine.te | 5 + tracking_denials/vendor_init.te | 20 + tracking_denials/vendor_telephony_app.te | 21 + usf/file.te | 12 + usf/file_contexts | 10 + usf/sensor_hal.te | 22 + whitechapel/vendor/google/abox.te | 4 + whitechapel/vendor/google/aocd.te | 14 + whitechapel/vendor/google/aocdump.te | 16 + whitechapel/vendor/google/attributes | 1 + whitechapel/vendor/google/bipchmgr.te | 9 + whitechapel/vendor/google/bootanim.te | 5 + .../vendor/google/bootdevice_sysdev.te | 1 + whitechapel/vendor/google/cbd.te | 44 ++ whitechapel/vendor/google/chre.te | 13 + whitechapel/vendor/google/device.te | 52 +++ whitechapel/vendor/google/dmd.te | 29 ++ whitechapel/vendor/google/domain.te | 1 + whitechapel/vendor/google/dumpstate.te | 4 + whitechapel/vendor/google/edgetpu_logging.te | 6 + whitechapel/vendor/google/edgetpu_service.te | 28 ++ .../google/exo_camera_injection/dumpstate.te | 2 + .../google/exo_camera_injection/file_contexts | 1 + .../hal_exo_camera_injection.te | 10 + .../google/exo_camera_injection/hwservice.te | 1 + .../exo_camera_injection/hwservice_contexts | 1 + .../exo_camera_injection/platform_app.te | 3 + whitechapel/vendor/google/file.te | 177 ++++++++ whitechapel/vendor/google/file_contexts | 397 ++++++++++++++++++ whitechapel/vendor/google/fsck.te | 3 + whitechapel/vendor/google/genfs_contexts | 178 ++++++++ whitechapel/vendor/google/gpsd.te | 25 ++ whitechapel/vendor/google/grilservice_app.te | 8 + .../vendor/google/hal_audio_default.te | 22 + .../vendor/google/hal_bluetooth_btlinux.te | 19 + .../vendor/google/hal_bootctl_default.te | 1 + 
.../vendor/google/hal_camera_default.te | 36 ++ .../vendor/google/hal_confirmationui.te | 13 + whitechapel/vendor/google/hal_contexthub.te | 3 + whitechapel/vendor/google/hal_drm_clearkey.te | 5 + whitechapel/vendor/google/hal_drm_default.te | 6 + .../vendor/google/hal_dumpstate_default.te | 142 +++++++ whitechapel/vendor/google/hal_gnss_default.te | 4 + .../google/hal_graphics_allocator_default.te | 4 + .../google/hal_graphics_composer_default.te | 5 + .../vendor/google/hal_health_default.te | 7 + .../google/hal_health_storage_default.te | 3 + .../vendor/google/hal_neuralnetworks_armnn.te | 4 + .../google/hal_neuralnetworks_darwinn.te | 20 + whitechapel/vendor/google/hal_nfc_default.te | 9 + .../vendor/google/hal_power_default.te | 8 + .../vendor/google/hal_power_stats_default.te | 9 + .../vendor/google/hal_radioext_default.te | 12 + .../google/hal_secure_element_default.te | 10 + .../vendor/google/hal_sensors_default.te | 19 + .../google/hal_tetheroffload_default.te | 17 + .../vendor/google/hal_thermal_default.te | 1 + whitechapel/vendor/google/hal_usb_impl.te | 12 + .../google/hal_vendor_hwcservice_default.te | 4 + whitechapel/vendor/google/hal_wlc.te | 16 + .../vendor/google/hardware_info_app.te | 5 + whitechapel/vendor/google/hbmsvmanager_app.te | 11 + whitechapel/vendor/google/hwservice.te | 20 + whitechapel/vendor/google/hwservice_contexts | 28 ++ whitechapel/vendor/google/hwservicemanager.te | 1 + whitechapel/vendor/google/init-insmod-sh.te | 11 + whitechapel/vendor/google/init.te | 15 + whitechapel/vendor/google/init_radio.te | 8 + whitechapel/vendor/google/kernel.te | 5 + whitechapel/vendor/google/lhd.te | 23 + whitechapel/vendor/google/logger_app.te | 19 + whitechapel/vendor/google/mediacodec.te | 6 + .../vendor/google/modem_logging_control.te | 17 + whitechapel/vendor/google/modem_svc_sit.te | 24 ++ whitechapel/vendor/google/netutils_wrapper.te | 4 + .../vendor/google/pixelstats_vendor.te | 15 + whitechapel/vendor/google/pktrouter.te | 12 + 
whitechapel/vendor/google/platform_app.te | 8 + whitechapel/vendor/google/priv_app.te | 6 + whitechapel/vendor/google/property.te | 34 ++ whitechapel/vendor/google/property_contexts | 89 ++++ whitechapel/vendor/google/radio.te | 1 + whitechapel/vendor/google/ramdump_app.te | 24 ++ whitechapel/vendor/google/rfsd.te | 32 ++ whitechapel/vendor/google/rild.te | 28 ++ whitechapel/vendor/google/rlsservice.te | 21 + whitechapel/vendor/google/rpmbd.te | 4 + whitechapel/vendor/google/scd.te | 17 + whitechapel/vendor/google/sced.te | 10 + whitechapel/vendor/google/seapp_contexts | 30 ++ .../vendor/google/securedpud.slider.te | 9 + whitechapel/vendor/google/service.te | 1 + whitechapel/vendor/google/service_contexts | 3 + whitechapel/vendor/google/shell.te | 1 + whitechapel/vendor/google/sscoredump.te | 17 + whitechapel/vendor/google/ssr_detector.te | 16 + whitechapel/vendor/google/storageproxyd.te | 4 + whitechapel/vendor/google/system_app.te | 6 + whitechapel/vendor/google/system_server.te | 3 + whitechapel/vendor/google/toolbox.te | 3 + whitechapel/vendor/google/trusty_apploader.te | 6 + .../vendor/google/untrusted_app_all.te | 6 + whitechapel/vendor/google/vcd.te | 11 + whitechapel/vendor/google/vendor_ims_app.te | 2 + whitechapel/vendor/google/vendor_init.te | 14 + .../vendor/google/vendor_telephony_app.te | 4 + whitechapel/vendor/google/vndservice.te | 4 + whitechapel/vendor/google/vndservice_contexts | 4 + whitechapel/vendor/google/vold.te | 6 + 166 files changed, 3296 insertions(+), 3 deletions(-) create mode 100644 ambient/exo_app.te create mode 100644 ambient/exo_wirecutter_app.te create mode 100644 ambient/keys.conf create mode 100644 ambient/mac_permissions.xml create mode 100644 ambient/seapp_contexts create mode 100644 display/common/file.te create mode 100644 display/common/file_contexts create mode 100644 display/gs101/genfs_contexts create mode 100644 display/gs101/hal_graphics_composer_default.te create mode 100644 gs101-sepolicy.mk create mode 100644 
private/gmscore_app.te create mode 100644 private/hal_dumpstate_default.te create mode 100644 private/hal_vibrator_default.te create mode 100644 private/incidentd.te create mode 100644 private/lpdumpd.te create mode 100644 private/priv_app.te create mode 100644 private/radio.te create mode 100644 private/service_contexts create mode 100644 private/untrusted_app_25.te create mode 100644 tracking_denials/aocd.te create mode 100644 tracking_denials/bootanim.te create mode 100644 tracking_denials/cbd.te create mode 100644 tracking_denials/dumpstate.te create mode 100644 tracking_denials/gmscore_app.te create mode 100644 tracking_denials/gpsd.te create mode 100644 tracking_denials/hal_camera_default.te create mode 100644 tracking_denials/hal_dumpstate_default.te create mode 100644 tracking_denials/hal_fingerprint_default.te create mode 100644 tracking_denials/hal_graphics_composer_default.te create mode 100644 tracking_denials/hal_health_default.te create mode 100644 tracking_denials/hal_memtrack_default.te create mode 100644 tracking_denials/hal_neuralnetworks_armnn.te create mode 100644 tracking_denials/hal_power_default.te create mode 100644 tracking_denials/hal_power_stats_default.te create mode 100644 tracking_denials/hal_vibrator_default.te create mode 100644 tracking_denials/hal_wifi_ext.te create mode 100644 tracking_denials/hardware_info_app.te create mode 100644 tracking_denials/incidentd.te create mode 100644 tracking_denials/init-thermal-symlinks-sh.te create mode 100644 tracking_denials/init.te create mode 100644 tracking_denials/mediacodec.te create mode 100644 tracking_denials/modem_logging_control.te create mode 100644 tracking_denials/pixelstats_vendor.te create mode 100644 tracking_denials/platform_app.te create mode 100644 tracking_denials/priv_app.te create mode 100644 tracking_denials/rild.te create mode 100644 tracking_denials/scd.te create mode 100644 tracking_denials/sced.te create mode 100644 tracking_denials/shell.te create mode 100644 
tracking_denials/surfaceflinger.te create mode 100644 tracking_denials/system_app.te create mode 100644 tracking_denials/system_server.te create mode 100644 tracking_denials/tee.te create mode 100644 tracking_denials/trusty_apploader.te create mode 100644 tracking_denials/untrusted_app.te create mode 100644 tracking_denials/untrusted_app_25.te create mode 100644 tracking_denials/update_engine.te create mode 100644 tracking_denials/vendor_init.te create mode 100644 tracking_denials/vendor_telephony_app.te create mode 100644 usf/file.te create mode 100644 usf/file_contexts create mode 100644 usf/sensor_hal.te create mode 100644 whitechapel/vendor/google/abox.te create mode 100644 whitechapel/vendor/google/aocd.te create mode 100644 whitechapel/vendor/google/aocdump.te create mode 100644 whitechapel/vendor/google/attributes create mode 100644 whitechapel/vendor/google/bipchmgr.te create mode 100644 whitechapel/vendor/google/bootanim.te create mode 100644 whitechapel/vendor/google/bootdevice_sysdev.te create mode 100644 whitechapel/vendor/google/cbd.te create mode 100644 whitechapel/vendor/google/chre.te create mode 100644 whitechapel/vendor/google/device.te create mode 100644 whitechapel/vendor/google/dmd.te create mode 100644 whitechapel/vendor/google/domain.te create mode 100644 whitechapel/vendor/google/dumpstate.te create mode 100644 whitechapel/vendor/google/edgetpu_logging.te create mode 100644 whitechapel/vendor/google/edgetpu_service.te create mode 100644 whitechapel/vendor/google/exo_camera_injection/dumpstate.te create mode 100644 whitechapel/vendor/google/exo_camera_injection/file_contexts create mode 100644 whitechapel/vendor/google/exo_camera_injection/hal_exo_camera_injection.te create mode 100644 whitechapel/vendor/google/exo_camera_injection/hwservice.te create mode 100644 whitechapel/vendor/google/exo_camera_injection/hwservice_contexts create mode 100644 whitechapel/vendor/google/exo_camera_injection/platform_app.te create mode 100644 
whitechapel/vendor/google/file.te create mode 100644 whitechapel/vendor/google/file_contexts create mode 100644 whitechapel/vendor/google/fsck.te create mode 100644 whitechapel/vendor/google/genfs_contexts create mode 100644 whitechapel/vendor/google/gpsd.te create mode 100644 whitechapel/vendor/google/grilservice_app.te create mode 100644 whitechapel/vendor/google/hal_audio_default.te create mode 100644 whitechapel/vendor/google/hal_bluetooth_btlinux.te create mode 100644 whitechapel/vendor/google/hal_bootctl_default.te create mode 100644 whitechapel/vendor/google/hal_camera_default.te create mode 100644 whitechapel/vendor/google/hal_confirmationui.te create mode 100644 whitechapel/vendor/google/hal_contexthub.te create mode 100644 whitechapel/vendor/google/hal_drm_clearkey.te create mode 100644 whitechapel/vendor/google/hal_drm_default.te create mode 100644 whitechapel/vendor/google/hal_dumpstate_default.te create mode 100644 whitechapel/vendor/google/hal_gnss_default.te create mode 100644 whitechapel/vendor/google/hal_graphics_allocator_default.te create mode 100644 whitechapel/vendor/google/hal_graphics_composer_default.te create mode 100644 whitechapel/vendor/google/hal_health_default.te create mode 100644 whitechapel/vendor/google/hal_health_storage_default.te create mode 100644 whitechapel/vendor/google/hal_neuralnetworks_armnn.te create mode 100644 whitechapel/vendor/google/hal_neuralnetworks_darwinn.te create mode 100644 whitechapel/vendor/google/hal_nfc_default.te create mode 100644 whitechapel/vendor/google/hal_power_default.te create mode 100644 whitechapel/vendor/google/hal_power_stats_default.te create mode 100644 whitechapel/vendor/google/hal_radioext_default.te create mode 100644 whitechapel/vendor/google/hal_secure_element_default.te create mode 100644 whitechapel/vendor/google/hal_sensors_default.te create mode 100644 whitechapel/vendor/google/hal_tetheroffload_default.te create mode 100644 whitechapel/vendor/google/hal_thermal_default.te create 
mode 100644 whitechapel/vendor/google/hal_usb_impl.te create mode 100644 whitechapel/vendor/google/hal_vendor_hwcservice_default.te create mode 100644 whitechapel/vendor/google/hal_wlc.te create mode 100644 whitechapel/vendor/google/hardware_info_app.te create mode 100644 whitechapel/vendor/google/hbmsvmanager_app.te create mode 100644 whitechapel/vendor/google/hwservice.te create mode 100644 whitechapel/vendor/google/hwservice_contexts create mode 100644 whitechapel/vendor/google/hwservicemanager.te create mode 100644 whitechapel/vendor/google/init-insmod-sh.te create mode 100644 whitechapel/vendor/google/init.te create mode 100644 whitechapel/vendor/google/init_radio.te create mode 100644 whitechapel/vendor/google/kernel.te create mode 100644 whitechapel/vendor/google/lhd.te create mode 100644 whitechapel/vendor/google/logger_app.te create mode 100644 whitechapel/vendor/google/mediacodec.te create mode 100644 whitechapel/vendor/google/modem_logging_control.te create mode 100644 whitechapel/vendor/google/modem_svc_sit.te create mode 100644 whitechapel/vendor/google/netutils_wrapper.te create mode 100644 whitechapel/vendor/google/pixelstats_vendor.te create mode 100644 whitechapel/vendor/google/pktrouter.te create mode 100644 whitechapel/vendor/google/platform_app.te create mode 100644 whitechapel/vendor/google/priv_app.te create mode 100644 whitechapel/vendor/google/property.te create mode 100644 whitechapel/vendor/google/property_contexts create mode 100644 whitechapel/vendor/google/radio.te create mode 100644 whitechapel/vendor/google/ramdump_app.te create mode 100644 whitechapel/vendor/google/rfsd.te create mode 100644 whitechapel/vendor/google/rild.te create mode 100644 whitechapel/vendor/google/rlsservice.te create mode 100644 whitechapel/vendor/google/rpmbd.te create mode 100644 whitechapel/vendor/google/scd.te create mode 100644 whitechapel/vendor/google/sced.te create mode 100644 whitechapel/vendor/google/seapp_contexts create mode 100644 
whitechapel/vendor/google/securedpud.slider.te create mode 100644 whitechapel/vendor/google/service.te create mode 100644 whitechapel/vendor/google/service_contexts create mode 100644 whitechapel/vendor/google/shell.te create mode 100644 whitechapel/vendor/google/sscoredump.te create mode 100644 whitechapel/vendor/google/ssr_detector.te create mode 100644 whitechapel/vendor/google/storageproxyd.te create mode 100644 whitechapel/vendor/google/system_app.te create mode 100644 whitechapel/vendor/google/system_server.te create mode 100644 whitechapel/vendor/google/toolbox.te create mode 100644 whitechapel/vendor/google/trusty_apploader.te create mode 100644 whitechapel/vendor/google/untrusted_app_all.te create mode 100644 whitechapel/vendor/google/vcd.te create mode 100644 whitechapel/vendor/google/vendor_ims_app.te create mode 100644 whitechapel/vendor/google/vendor_init.te create mode 100644 whitechapel/vendor/google/vendor_telephony_app.te create mode 100644 whitechapel/vendor/google/vndservice.te create mode 100644 whitechapel/vendor/google/vndservice_contexts create mode 100644 whitechapel/vendor/google/vold.te diff --git a/OWNERS b/OWNERS index 33a29255..a24d5fb4 100644 --- a/OWNERS +++ b/OWNERS @@ -1,3 +1,11 @@ -aaronding@google.com -robinpeng@google.com -lucaswei@google.com +adamshih@google.com +alanstokes@google.com +bowgotsai@google.com +jbires@google.com +jeffv@google.com +jgalenson@google.com +jiyong@google.com +rurumihong@google.com +sspatil@google.com +smoreland@google.com +trong@google.com diff --git a/ambient/exo_app.te b/ambient/exo_app.te new file mode 100644 index 00000000..a66e9413 --- /dev/null +++ b/ambient/exo_app.te 
@@ -0,0 +1,11 @@ +type exo_app, domain; + +app_domain(exo_app) + +allow exo_app app_api_service:service_manager find; +allow exo_app audioserver_service:service_manager find; +allow exo_app cameraserver_service:service_manager find; +allow exo_app mediaserver_service:service_manager find; +allow exo_app radio_service:service_manager find; +allow exo_app fwk_stats_hwservice:hwservice_manager find; +binder_call(exo_app, statsd) diff --git a/ambient/exo_wirecutter_app.te b/ambient/exo_wirecutter_app.te new file mode 100644 index 00000000..c8b63b8f --- /dev/null +++ b/ambient/exo_wirecutter_app.te @@ -0,0 +1,7 @@ +type exo_wirecutter_app, domain; + +app_domain(exo_wirecutter_app) + +allow exo_wirecutter_app app_api_service:service_manager find; +allow exo_wirecutter_app fwk_stats_hwservice:hwservice_manager find; +binder_call(exo_wirecutter_app, statsd) diff --git a/ambient/keys.conf b/ambient/keys.conf new file mode 100644 index 00000000..9be4f7f5 --- /dev/null +++ b/ambient/keys.conf @@ -0,0 +1,2 @@ +[@EXO_WIRECUTTER] +ALL : vendor/google/dev-keystore/certs/com_google_pixel_wirecutter/com_google_pixel_wirecutter.x509.pem diff --git a/ambient/mac_permissions.xml b/ambient/mac_permissions.xml new file mode 100644 index 00000000..d1ba106a --- /dev/null +++ b/ambient/mac_permissions.xml @@ -0,0 +1,26 @@ + + + + + + + + diff --git a/ambient/seapp_contexts b/ambient/seapp_contexts new file mode 100644 index 00000000..2bfdde8e --- /dev/null +++ b/ambient/seapp_contexts @@ -0,0 +1,5 @@ +# Domain for Exo app +user=_app isPrivApp=true seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all + +# Domain for Exo Wirecutter app +user=_app seinfo=wirecutter name=com.google.pixel.wirecutter domain=exo_wirecutter_app type=app_data_file levelFrom=all diff --git a/display/common/file.te b/display/common/file.te new file mode 100644 index 00000000..3734e33c --- /dev/null +++ b/display/common/file.te 
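Review bot: `allow exo_app radio_service:service_manager find;` in `ambient/exo_app.te` is the widest grant in the file and carries no comment naming the feature that needs it. The same commit labels `telephony.oem.oemrilhook` as `radio_service` in `private/service_contexts`, so this rule also lets `exo_app` look up the OEM RIL hook, which may not be intended. Consider a why-comment on the line, for example `# telephony state for <feature>, b/<bug>`, and, if the hook is not required, giving `telephony.oem.oemrilhook` its own service type rather than reusing `radio_service`.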
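Review bot: The `ALL` entry in `ambient/keys.conf` binds `@EXO_WIRECUTTER` to a certificate under `vendor/google/dev-keystore/` for every build variant, and the `seinfo=wirecutter` line in `ambient/seapp_contexts` has no `isPrivApp` condition, so the signer certificate and the package name are the only gates into `exo_wirecutter_app`. Whether release signing re-maps this certificate is not visible on this page (the `mac_permissions.xml` body is also missing here); if it does not, a package signed with the development key would satisfy the selector. Consider a comment above the entry such as `# development cert; release signing must re-map @EXO_WIRECUTTER`, or separate per-variant entries instead of `ALL`.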
@@ -0,0 +1 @@
+type persist_display_file, file_type, vendor_persist_type;
diff --git a/display/common/file_contexts b/display/common/file_contexts
new file mode 100644
index 00000000..bca77466
--- /dev/null
+++ b/display/common/file_contexts
@@ -0,0 +1 @@
+/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
diff --git a/display/gs101/genfs_contexts b/display/gs101/genfs_contexts
new file mode 100644
index 00000000..1bc6f30a
--- /dev/null
+++ b/display/gs101/genfs_contexts
@@ -0,0 +1,11 @@
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
+genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2C0000/panel@0/compatible u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
+genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2D0000/panel@0/compatible u:object_r:sysfs_display:s0
+
+genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0
diff --git a/display/gs101/hal_graphics_composer_default.te b/display/gs101/hal_graphics_composer_default.te
new file mode 100644
index 00000000..5a607815
--- /dev/null
+++ b/display/gs101/hal_graphics_composer_default.te
@@ -0,0 +1,34 @@
+allow hal_graphics_composer_default video_device:chr_file rw_file_perms;
+add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice)
+hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator)
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+vndbinder_use(hal_graphics_composer_default)
+
+userdebug_or_eng(`
+ allow hal_graphics_composer_default vendor_log_file:dir create_dir_perms;
+
+ # For HWC/libdisplaycolor to generate calibration file.
+ allow hal_graphics_composer_default persist_display_file:file create_file_perms;
+ allow hal_graphics_composer_default persist_display_file:dir rw_dir_perms;
+')
+
+# allow HWC/libdisplaycolor to read calibration data
+allow hal_graphics_composer_default mnt_vendor_file:dir search;
+allow hal_graphics_composer_default persist_file:dir search;
+allow hal_graphics_composer_default persist_display_file:file r_file_perms;
+
+# allow HWC to r/w backlight
+allow hal_graphics_composer_default sysfs_leds:dir r_dir_perms;
+allow hal_graphics_composer_default sysfs_leds:file rw_file_perms;
+
+# allow HWC to get vendor_persist_sys_default_prop
+get_prop(hal_graphics_composer_default, vendor_persist_sys_default_prop)
+
+# allow HWC to get vendor_display_prop
+get_prop(hal_graphics_composer_default, vendor_display_prop)
+
+# allow HWC to access vendor_displaycolor_service
+add_service(hal_graphics_composer_default, vendor_displaycolor_service)
+
+add_service(hal_graphics_composer_default, hal_pixel_display_service)
+binder_use(hal_graphics_composer_default)
diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk
new file mode 100644
index 00000000..c08b8023
--- /dev/null
+++ b/gs101-sepolicy.mk
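Review bot: `allow hal_graphics_composer_default sysfs_leds:file rw_file_perms;` grants write access to every node that carries the `sysfs_leds` label, not only the two `backlight` paths that `display/gs101/genfs_contexts` labels in this commit. `sysfs_leds` is not defined in this commit, so other LED nodes presumably share it and become writable by the composer HAL as well. Consider labelling the backlight paths with a display-specific type and granting `rw_file_perms` on that type only; failing that, extend the comment to `# allow HWC to r/w backlight (labelled sysfs_leds in display/gs101/genfs_contexts)` so the breadth is visible to the next reader.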
@@ -0,0 +1,23 @@
+# sepolicy that are shared among devices using whitechapel
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/whitechapel/vendor/google
+
+# unresolved SELinux error log with bug tracking
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/tracking_denials
+
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs101-sepolicy/private
+
+#
+# Pixel-wide
+#
+# Dauntless (uses Citadel policy currently)
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/citadel
+
+# Wifi
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_ext
+
+# PowerStats HAL
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
+
+# Display
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/display/common
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/display/gs101
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
new file mode 100644
index 00000000..fa20f247
--- /dev/null
+++ b/private/gmscore_app.te
@@ -0,0 +1,2 @@
+# b/177389198
+dontaudit gmscore_app adbd_prop:file *;
diff --git a/private/hal_dumpstate_default.te b/private/hal_dumpstate_default.te
new file mode 100644
index 00000000..83c75689
--- /dev/null
+++ b/private/hal_dumpstate_default.te
@@ -0,0 +1,2 @@
+# b/176868217
+dontaudit hal_dumpstate adbd_prop:file *;
diff --git a/private/hal_vibrator_default.te b/private/hal_vibrator_default.te
new file mode 100644
index 00000000..f565173c
--- /dev/null
+++ b/private/hal_vibrator_default.te
@@ -0,0 +1,2 @@
+# b/177176811
+dontaudit hal_vibrator adbd_prop:file *;
diff --git a/private/incidentd.te b/private/incidentd.te
new file mode 100644
index 00000000..1557f065
--- /dev/null
+++ b/private/incidentd.te
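Review bot: `BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/tracking_denials` is unconditional, so every `dontaudit` in that directory is compiled into all build variants, and the suppressed denials stop reaching the audit log on shipped builds as well as on development ones. The comment above it only says the directory holds unresolved denials; it would help to state the exit condition, for example `# temporary: each rule must be removed when its b/ bug is fixed`. The diffstat also shows `ambient/` and `usf/` added by this commit without a matching line here, so if they are pulled in from another makefile a short comment saying where would avoid confusion.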
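Review bot: `dontaudit gmscore_app adbd_prop:file *;` in `private/gmscore_app.te` silences every file permission on the type, write-class ones included, while the denials recorded under the same bug in `tracking_denials/gmscore_app.te` involve only `open`, `getattr` and `map`. Narrowing it to `dontaudit gmscore_app adbd_prop:file { open getattr map };` keeps an unexpected write attempt visible in the audit log. The same wildcard appears in `private/hal_dumpstate_default.te`, `private/hal_vibrator_default.te` and `private/untrusted_app_25.te`; the two HAL files also name `hal_dumpstate` and `hal_vibrator` rather than the `_default` domains their file names suggest, which is worth confirming.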
@@ -0,0 +1,14 @@
+# b/174961589
+dontaudit incidentd adbd_config_prop:file open ;
+dontaudit incidentd adbd_prop:file getattr ;
+dontaudit incidentd adbd_prop:file open ;
+dontaudit incidentd adbd_config_prop:file open ;
+dontaudit incidentd adbd_config_prop:file getattr ;
+dontaudit incidentd adbd_config_prop:file map ;
+dontaudit incidentd adbd_prop:file open ;
+dontaudit incidentd adbd_prop:file getattr ;
+dontaudit incidentd adbd_prop:file map ;
+dontaudit incidentd apexd_prop:file open ;
+dontaudit incidentd adbd_config_prop:file getattr ;
+dontaudit incidentd adbd_config_prop:file map ;
+dontaudit incidentd adbd_prop:file map ;
diff --git a/private/lpdumpd.te b/private/lpdumpd.te
new file mode 100644
index 00000000..86a101c5
--- /dev/null
+++ b/private/lpdumpd.te
@@ -0,0 +1,7 @@
+# b/177176997
+dontaudit lpdumpd block_device:blk_file getattr ;
+dontaudit lpdumpd block_device:blk_file getattr ;
+dontaudit lpdumpd block_device:blk_file read ;
+dontaudit lpdumpd block_device:blk_file getattr ;
+dontaudit lpdumpd block_device:blk_file read ;
+dontaudit lpdumpd block_device:blk_file read ;
diff --git a/private/priv_app.te b/private/priv_app.te
new file mode 100644
index 00000000..2ef1f969
--- /dev/null
+++ b/private/priv_app.te
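Review bot: The thirteen rules in `private/incidentd.te` repeat the same few (type, permission) pairs several times, which looks like raw denial-log output pasted without de-duplication and makes the file hard to audit. They reduce to `dontaudit incidentd { adbd_config_prop adbd_prop }:file { open getattr map };` plus `dontaudit incidentd apexd_prop:file open;` with no change in effect. The same duplication is present in `private/lpdumpd.te`, `private/priv_app.te` and the `tracking_denials/` files for `bootanim`, `cbd`, `dumpstate` and `gmscore_app`.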
@@ -0,0 +1,19 @@
+# b/178433525
+dontaudit priv_app adbd_prop:file { map };
+dontaudit priv_app adbd_prop:file { getattr };
+dontaudit priv_app adbd_prop:file { open };
+dontaudit priv_app ab_update_gki_prop:file { map };
+dontaudit priv_app ab_update_gki_prop:file { getattr };
+dontaudit priv_app ab_update_gki_prop:file { open };
+dontaudit priv_app aac_drc_prop:file { map };
+dontaudit priv_app aac_drc_prop:file { getattr };
+dontaudit priv_app aac_drc_prop:file { open };
+dontaudit priv_app adbd_prop:file { map };
+dontaudit priv_app aac_drc_prop:file { open };
+dontaudit priv_app aac_drc_prop:file { getattr };
+dontaudit priv_app aac_drc_prop:file { map };
+dontaudit priv_app ab_update_gki_prop:file { open };
+dontaudit priv_app ab_update_gki_prop:file { getattr };
+dontaudit priv_app ab_update_gki_prop:file { map };
+dontaudit priv_app adbd_prop:file { open };
+dontaudit priv_app adbd_prop:file { getattr };
diff --git a/private/radio.te b/private/radio.te
new file mode 100644
index 00000000..a569b9c5
--- /dev/null
+++ b/private/radio.te
@@ -0,0 +1 @@
+add_service(radio, uce_service)
diff --git a/private/service_contexts b/private/service_contexts
new file mode 100644
index 00000000..8877518a
--- /dev/null
+++ b/private/service_contexts
@@ -0,0 +1 @@
+telephony.oem.oemrilhook u:object_r:radio_service:s0
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
new file mode 100644
index 00000000..f26e0815
--- /dev/null
+++ b/private/untrusted_app_25.te
@@ -0,0 +1,2 @@
+# b/177389321
+dontaudit untrusted_app_25 adbd_prop:file *;
diff --git a/tracking_denials/aocd.te b/tracking_denials/aocd.te
new file mode 100644
index 00000000..35c47c50
--- /dev/null
+++ b/tracking_denials/aocd.te
@@ -0,0 +1,2 @@
+# b/171267323
+dontaudit aocd device:dir r_dir_perms;
diff --git a/tracking_denials/bootanim.te b/tracking_denials/bootanim.te
new file mode 100644
index 00000000..2be251e3
--- /dev/null
+++ b/tracking_denials/bootanim.te
@@ -0,0 +1,5 @@
+# b/180567480
+dontaudit bootanim traced_producer_socket:sock_file { write };
+dontaudit bootanim traced:unix_stream_socket { connectto };
+dontaudit bootanim traced:unix_stream_socket { connectto };
+dontaudit bootanim traced_producer_socket:sock_file { write };
diff --git a/tracking_denials/cbd.te b/tracking_denials/cbd.te
new file mode 100644
index 00000000..7cd0342d
--- /dev/null
+++ b/tracking_denials/cbd.te
@@ -0,0 +1,51 @@
+# b/171267363
+dontaudit cbd cbd:capability {setuid };
+dontaudit cbd proc_cmdline:file {open };
+dontaudit cbd persist_file:dir {search };
+dontaudit cbd init:unix_stream_socket {connectto };
+dontaudit cbd proc_cmdline:file {read };
+dontaudit cbd kernel:system {syslog_read };
+# b/173971138
+dontaudit cbd radio_prop:file { map };
+dontaudit cbd radio_prop:file { open };
+dontaudit cbd radio_prop:file { read };
+dontaudit cbd radio_prop:file { open };
+dontaudit cbd radio_prop:file { map };
+dontaudit cbd radio_prop:file { read };
+dontaudit cbd radio_prop:file { getattr };
+dontaudit cbd radio_prop:file { getattr };
+# b/178331928
+dontaudit cbd mnt_vendor_file:dir { search };
+dontaudit cbd mnt_vendor_file:dir { search };
+# b/178979986
+dontaudit cbd unlabeled:dir { getattr };
+dontaudit cbd unlabeled:file { open };
+dontaudit cbd unlabeled:file { read };
+dontaudit cbd unlabeled:file { getattr };
+dontaudit cbd unlabeled:lnk_file { read };
+dontaudit cbd unlabeled:dir { search };
+dontaudit cbd unlabeled:file { getattr };
+dontaudit cbd unlabeled:dir { getattr };
+dontaudit cbd unlabeled:lnk_file { read };
+dontaudit cbd unlabeled:dir { search };
+dontaudit cbd unlabeled:file { read };
+dontaudit cbd unlabeled:file { open };
+# b/179198083
+dontaudit cbd radio_vendor_data_file:dir { search };
+dontaudit cbd radio_vendor_data_file:dir { write };
+dontaudit cbd radio_vendor_data_file:dir { add_name };
+dontaudit cbd radio_vendor_data_file:file { create };
+dontaudit cbd radio_vendor_data_file:file { write };
+dontaudit cbd radio_vendor_data_file:file { open };
+dontaudit cbd unlabeled:file { ioctl };
+dontaudit cbd radio_vendor_data_file:file { open };
+dontaudit cbd radio_vendor_data_file:file { read };
+dontaudit cbd radio_vendor_data_file:dir { search };
+dontaudit cbd unlabeled:file { ioctl };
+dontaudit cbd radio_vendor_data_file:file { open };
+dontaudit cbd radio_vendor_data_file:file { read };
+dontaudit cbd radio_vendor_data_file:file { write };
+dontaudit cbd radio_vendor_data_file:file { create };
+dontaudit cbd radio_vendor_data_file:dir { add_name };
+dontaudit cbd radio_vendor_data_file:dir { search };
+dontaudit cbd radio_vendor_data_file:dir { write };
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
new file mode 100644
index 00000000..6c6d8ec7
--- /dev/null
+++ b/tracking_denials/dumpstate.te
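Review bot: The `dontaudit cbd unlabeled:{dir,file,lnk_file}` rules under b/178979986 and b/179198083 in `tracking_denials/cbd.te` hide accesses to objects that have no label at all, which usually points at a missing `file_contexts` entry rather than at a permission `cbd` should be quietly denied. Suppressing them removes the only log evidence of the labelling gap, and `dontaudit cbd cbd:capability {setuid };` does the same for a capability request. Consider a comment above each group stating the intended fix, for example `# TODO(b/178979986): label the source path, then delete`, so these are not mistaken for permanent policy.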
@@ -0,0 +1,35 @@
+# ag/13067824
+dontaudit dumpstate fuse:dir r_dir_perms;
+# b/174618507
+dontaudit dumpstate default_android_service:service_manager { find };
+dontaudit dumpstate vold:binder { call };
+dontaudit dumpstate modem_userdata_file:dir { getattr };
+dontaudit dumpstate modem_efs_file:dir { getattr };
+dontaudit dumpstate vold:binder { call };
+dontaudit dumpstate modem_userdata_file:dir { getattr };
+dontaudit dumpstate hal_drm_clearkey:process { signal };
+dontaudit dumpstate hal_drm_clearkey:process { signal };
+dontaudit dumpstate modem_efs_file:dir { getattr };
+# b/177778645
+dontaudit dumpstate ramdump_vendor_mnt_file:filesystem { getattr };
+dontaudit dumpstate ramdump_vendor_mnt_file:filesystem { getattr };
+dontaudit dumpstate ramdump_vendor_mnt_file:dir { getattr };
+dontaudit dumpstate ramdump_vendor_mnt_file:dir { getattr };
+# b/177860804
+dontaudit dumpstate incident:process { sigkill };
+dontaudit dumpstate incident:process { signal };
+dontaudit dumpstate incident:process { sigkill };
+dontaudit dumpstate incident:process { signal };
+# b/179310854
+dontaudit dumpstate unlabeled:dir { getattr };
+dontaudit dumpstate unlabeled:dir { getattr };
+# b/180963249
+dontaudit dumpstate hal_neuralnetworks_armnn:process { signal };
+dontaudit dumpstate hal_neuralnetworks_armnn:process { signal };
+# b/181915316
+dontaudit dumpstate vendor_dmabuf_debugfs:file { read };
+dontaudit dumpstate vendor_dmabuf_debugfs:file { open };
+dontaudit dumpstate vendor_dmabuf_debugfs:file { getattr };
+dontaudit dumpstate vendor_dmabuf_debugfs:file { getattr };
+dontaudit dumpstate vendor_dmabuf_debugfs:file { read };
+dontaudit dumpstate vendor_dmabuf_debugfs:file { open };
diff --git a/tracking_denials/gmscore_app.te b/tracking_denials/gmscore_app.te
new file mode 100644
index 00000000..2ace5b71
--- /dev/null
+++ b/tracking_denials/gmscore_app.te
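Review bot: The first rule in `tracking_denials/dumpstate.te`, `dontaudit dumpstate fuse:dir r_dir_perms;`, is tagged `# ag/13067824`, which looks like a change reference rather than a `b/` bug, so unlike every other group in the file it has no tracking bug under which it can later be removed. It is also the only rule here using a permission macro instead of the recorded permissions. Consider replacing the tag with the owning bug, `# b/<bug>`, and noting why the whole of `r_dir_perms` is suppressed.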
@@ -0,0 +1,67 @@
+# b/177389198
+dontaudit gmscore_app aac_drc_prop:file { open };
+dontaudit gmscore_app ab_update_gki_prop:file { map };
+dontaudit gmscore_app ab_update_gki_prop:file { getattr };
+dontaudit gmscore_app aac_drc_prop:file { map };
+dontaudit gmscore_app ab_update_gki_prop:file { open };
+dontaudit gmscore_app aac_drc_prop:file { getattr };
+# b/177860960
+dontaudit gmscore_app hal_memtrack_default:binder { call };
+dontaudit gmscore_app hal_memtrack_default:binder { call };
+dontaudit gmscore_app hal_memtrack_default:binder { call };
+dontaudit gmscore_app hal_memtrack_default:binder { call };
+dontaudit gmscore_app hal_memtrack_default:binder { call };
+dontaudit gmscore_app hal_memtrack_default:binder { call };
+dontaudit gmscore_app hal_memtrack_default:binder { call };
+# b/178752576
+dontaudit gmscore_app apexd_prop:file { open };
+dontaudit gmscore_app ramdump_vendor_mnt_file:filesystem { getattr };
+dontaudit gmscore_app apexd_prop:file { getattr };
+dontaudit gmscore_app apexd_prop:file { map };
+dontaudit gmscore_app ramdump_vendor_mnt_file:filesystem { getattr };
+dontaudit gmscore_app ramdump_vendor_mnt_file:filesystem { getattr };
+# b/178753472
+dontaudit gmscore_app audio_config_prop:file { getattr };
+dontaudit gmscore_app apk_verity_prop:file { map };
+dontaudit gmscore_app apk_verity_prop:file { getattr };
+dontaudit gmscore_app apk_verity_prop:file { open };
+dontaudit gmscore_app audio_config_prop:file { open };
+# b/179310892
+dontaudit gmscore_app bluetooth_a2dp_offload_prop:file { map };
+dontaudit gmscore_app bluetooth_a2dp_offload_prop:file { open };
+dontaudit gmscore_app bluetooth_prop:file { getattr };
+dontaudit gmscore_app audio_config_prop:file { map };
+dontaudit gmscore_app bluetooth_audio_hal_prop:file { open };
+dontaudit gmscore_app bluetooth_audio_hal_prop:file { getattr };
+dontaudit gmscore_app bluetooth_audio_hal_prop:file { map };
+dontaudit gmscore_app bluetooth_prop:file { open };
+dontaudit gmscore_app bluetooth_a2dp_offload_prop:file { getattr };
+# b/179437292
+dontaudit gmscore_app bootloader_boot_reason_prop:file { getattr };
+dontaudit gmscore_app bluetooth_prop:file { map };
+dontaudit gmscore_app bootloader_boot_reason_prop:file { open };
+dontaudit gmscore_app boottime_prop:file { open };
+dontaudit gmscore_app bootloader_boot_reason_prop:file { map };
+# b/179437988
+dontaudit gmscore_app bluetooth_prop:file { map };
+dontaudit gmscore_app bootloader_boot_reason_prop:file { open };
+dontaudit gmscore_app bootloader_boot_reason_prop:file { getattr };
+dontaudit gmscore_app bootloader_boot_reason_prop:file { map };
+dontaudit gmscore_app boottime_prop:file { open };
+dontaudit gmscore_app boottime_prop:file { getattr };
+dontaudit gmscore_app boottime_prop:file { map };
+dontaudit gmscore_app boottime_public_prop:file { open };
+dontaudit gmscore_app boottime_public_prop:file { getattr };
+# b/180656125
+dontaudit gmscore_app boottime_public_prop:file { map };
+dontaudit gmscore_app build_bootimage_prop:file { open };
+dontaudit gmscore_app bpf_progs_loaded_prop:file { map };
+dontaudit gmscore_app bpf_progs_loaded_prop:file { getattr };
+dontaudit gmscore_app bpf_progs_loaded_prop:file { open };
+dontaudit gmscore_app build_bootimage_prop:file { open };
+dontaudit gmscore_app boottime_public_prop:file { map };
+dontaudit gmscore_app bpf_progs_loaded_prop:file { map };
+dontaudit gmscore_app bpf_progs_loaded_prop:file { getattr };
+dontaudit gmscore_app bpf_progs_loaded_prop:file { open };
+# b/180960879
+dontaudit gmscore_app property_type:file *;
diff --git a/tracking_denials/gpsd.te b/tracking_denials/gpsd.te
new file mode 100644
index 00000000..fe554396
--- /dev/null
+++ b/tracking_denials/gpsd.te
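Review bot: The final rule of gmscore_app.te, `dontaudit gmscore_app property_type:file *;` under b/180960879, suppresses audit records for every permission on every property type, so the enumerated per-property rules above it no longer add anything and any new property denial for this domain will never reach the log. For a file whose apparent purpose is tracking denials until they are fixed, that removes the signal a later policy review would rely on. I would either drop the wildcard and keep the enumerated rules, or keep it with an explicit marker such as `# TODO(b/180960879): blanket suppression, remove once the property reads are narrowed or allowed`. The same wildcard is added in hal_vibrator_default.te, incidentd.te and platform_app.te in this commit.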
@@ -0,0 +1,11 @@
+# b/173969091
+dontaudit gpsd radio_prop:file { read };
+dontaudit gpsd radio_prop:file { open };
+dontaudit gpsd radio_prop:file { map };
+dontaudit gpsd radio_prop:file { map };
+dontaudit gpsd system_data_file:dir { search };
+dontaudit gpsd radio_prop:file { read };
+dontaudit gpsd radio_prop:file { open };
+dontaudit gpsd radio_prop:file { getattr };
+dontaudit gpsd system_data_file:dir { search };
+dontaudit gpsd radio_prop:file { getattr };
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
new file mode 100644
index 00000000..18ae1337
--- /dev/null
+++ b/tracking_denials/hal_camera_default.te
@@ -0,0 +1,15 @@
+# b/178980085
+dontaudit hal_camera_default system_data_file:dir { search };
+dontaudit hal_camera_default system_data_file:dir { search };
+# b/180567725
+dontaudit hal_camera_default traced:unix_stream_socket { connectto };
+dontaudit hal_camera_default traced:unix_stream_socket { connectto };
+dontaudit hal_camera_default traced_producer_socket:sock_file { write };
+dontaudit hal_camera_default traced_producer_socket:sock_file { write };
+# b/181913550
+dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { read };
+dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { read };
+dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { open };
+dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { ioctl };
+dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { open };
+dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { ioctl };
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
new file mode 100644
index 00000000..66e10a91
--- /dev/null
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -0,0 +1,16 @@
+# b/181915591
+dontaudit hal_dumpstate_default aac_drc_prop:file { open };
+dontaudit hal_dumpstate_default sysfs:dir { read };
+dontaudit hal_dumpstate_default sysfs:dir { open };
+dontaudit hal_dumpstate_default vendor_displaycolor_service:service_manager { find };
+dontaudit hal_dumpstate_default hal_graphics_composer_default:binder { call };
+dontaudit hal_dumpstate_default aac_drc_prop:file { getattr };
+dontaudit hal_dumpstate_default aac_drc_prop:file { map };
+dontaudit hal_dumpstate_default aac_drc_prop:file { open };
+dontaudit hal_dumpstate_default aac_drc_prop:file { getattr };
+dontaudit hal_dumpstate_default aac_drc_prop:file { map };
+dontaudit hal_dumpstate_default ab_update_gki_prop:file { open };
+dontaudit hal_dumpstate_default ab_update_gki_prop:file { open };
+dontaudit hal_dumpstate_default sysfs:dir { read };
+dontaudit hal_dumpstate_default sysfs:dir { open };
+dontaudit hal_dumpstate_default hal_graphics_composer_default:binder { call };
diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te
new file mode 100644
index 00000000..0fced323
--- /dev/null
+++ b/tracking_denials/hal_fingerprint_default.te
@@ -0,0 +1,52 @@
+# b/174438167
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { read };
+dontaudit hal_fingerprint_default tee_device:chr_file { ioctl };
+dontaudit hal_fingerprint_default system_data_root_file:file { read };
+dontaudit hal_fingerprint_default system_data_root_file:file { open };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { create };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { bind };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { write };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { read };
+dontaudit hal_fingerprint_default tee_device:chr_file { open };
+dontaudit hal_fingerprint_default tee_device:chr_file { ioctl };
+dontaudit hal_fingerprint_default tee_device:chr_file { open };
+dontaudit hal_fingerprint_default tee_device:chr_file { read write };
+dontaudit hal_fingerprint_default device:chr_file { open };
+dontaudit hal_fingerprint_default device:chr_file { read write };
+dontaudit hal_fingerprint_default tee_device:chr_file { read write };
+dontaudit hal_fingerprint_default device:chr_file { ioctl };
+dontaudit hal_fingerprint_default device:chr_file { open };
+dontaudit hal_fingerprint_default system_data_root_file:file { read };
+dontaudit hal_fingerprint_default system_data_root_file:file { open };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { create };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { bind };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { write };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { read };
+dontaudit hal_fingerprint_default device:chr_file { ioctl };
+dontaudit hal_fingerprint_default device:chr_file { read write };
+# b/174714991
+dontaudit hal_fingerprint_default system_data_file:file { read };
+dontaudit hal_fingerprint_default system_data_file:file { open };
+dontaudit hal_fingerprint_default system_data_file:file { read };
+dontaudit hal_fingerprint_default system_data_file:file { open };
+# b/177966377
+dontaudit hal_fingerprint_default default_prop:file { getattr };
+dontaudit hal_fingerprint_default default_prop:file { map };
+dontaudit hal_fingerprint_default default_prop:file { open };
+dontaudit hal_fingerprint_default default_prop:file { read };
+dontaudit hal_fingerprint_default default_prop:file { map };
+dontaudit hal_fingerprint_default default_prop:file { getattr };
+dontaudit hal_fingerprint_default default_android_hwservice:hwservice_manager { add };
+dontaudit hal_fingerprint_default default_prop:file { open };
+dontaudit hal_fingerprint_default default_prop:file { read };
+# b/180655836
+dontaudit hal_fingerprint_default system_data_root_file:dir { write };
+dontaudit hal_fingerprint_default system_data_root_file:file { write };
+dontaudit hal_fingerprint_default system_data_root_file:file { create };
+dontaudit hal_fingerprint_default system_data_root_file:dir { create };
+dontaudit hal_fingerprint_default system_data_root_file:dir { write };
+dontaudit hal_fingerprint_default system_data_root_file:file { write };
+dontaudit hal_fingerprint_default system_data_root_file:file { create };
+dontaudit hal_fingerprint_default system_data_root_file:dir { create };
+dontaudit hal_fingerprint_default system_data_root_file:dir { add_name };
+dontaudit hal_fingerprint_default system_data_root_file:dir { add_name };
diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te
new file mode 100644
index 00000000..3bc97c42
--- /dev/null
+++ b/tracking_denials/hal_graphics_composer_default.te
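Review bot: In hal_fingerprint_default.te the rules under b/174438167 silence denials on the generic `device:chr_file` type and on `tee_device:chr_file`, and since dontaudit grants nothing, the HAL is still refused those open/ioctl/read/write calls while the log stays clean. A denial against plain `device` usually indicates a device node with no file_contexts entry, so this looks like a labelling gap rather than noise; the same applies to `default_android_hwservice:hwservice_manager { add }` under b/177966377, which points at an unlabelled HIDL service. The `system_data_root_file` create/write/add_name rules under b/180655836 appear (from the type name) to be the HAL writing directly under the data root, which should be moved to a dedicated labelled directory rather than hidden. I would add a header comment such as `# Accesses below remain DENIED and are only hidden from the audit log; label the nodes and replace with scoped allow rules` so these are not read as harmless.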
@@ -0,0 +1,23 @@
+# b/181712799
+dontaudit hal_graphics_composer_default hal_power_default:binder { call };
+dontaudit hal_graphics_composer_default boot_status_prop:file { read };
+dontaudit hal_graphics_composer_default boot_status_prop:file { open };
+dontaudit hal_graphics_composer_default boot_status_prop:file { getattr };
+dontaudit hal_graphics_composer_default boot_status_prop:file { map };
+dontaudit hal_graphics_composer_default hal_power_default:binder { call };
+dontaudit hal_graphics_composer_default boot_status_prop:file { map };
+dontaudit hal_graphics_composer_default vendor_log_file:file { create };
+dontaudit hal_graphics_composer_default vendor_log_file:file { append open };
+dontaudit hal_graphics_composer_default vendor_log_file:file { getattr };
+dontaudit hal_graphics_composer_default vendor_log_file:file { getattr };
+dontaudit hal_graphics_composer_default vendor_log_file:file { append open };
+dontaudit hal_graphics_composer_default vendor_log_file:file { create };
+dontaudit hal_graphics_composer_default hal_power_service:service_manager { find };
+dontaudit hal_graphics_composer_default boot_status_prop:file { read };
+dontaudit hal_graphics_composer_default boot_status_prop:file { open };
+dontaudit hal_graphics_composer_default boot_status_prop:file { getattr };
+# b/181915065
+dontaudit hal_graphics_composer_default hal_dumpstate_default:fd { use };
+dontaudit hal_graphics_composer_default hal_dumpstate_default:fifo_file { write };
+dontaudit hal_graphics_composer_default hal_dumpstate_default:fd { use };
+dontaudit hal_graphics_composer_default hal_dumpstate_default:fifo_file { write };
diff --git a/tracking_denials/hal_health_default.te b/tracking_denials/hal_health_default.te
new file mode 100644
index 00000000..2ffd7634
--- /dev/null
+++ b/tracking_denials/hal_health_default.te
@@ -0,0 +1,15 @@
+# b/177966434
+dontaudit hal_health_default sysfs_wlc:dir { search };
+# b/181177925
+dontaudit hal_health_default thermal_link_device:dir { search };
+dontaudit hal_health_default sysfs_thermal:file { open };
+dontaudit hal_health_default sysfs_thermal:file { write };
+dontaudit hal_health_default sysfs_thermal:lnk_file { read };
+dontaudit hal_health_default sysfs_thermal:dir { search };
+dontaudit hal_health_default sysfs_thermal:file { write };
+dontaudit hal_health_default sysfs_thermal:file { open };
+dontaudit hal_health_default sysfs_batteryinfo:file { write };
+dontaudit hal_health_default sysfs_thermal:dir { search };
+dontaudit hal_health_default thermal_link_device:dir { search };
+dontaudit hal_health_default sysfs_batteryinfo:file { write };
+dontaudit hal_health_default sysfs_thermal:lnk_file { read };
diff --git a/tracking_denials/hal_memtrack_default.te b/tracking_denials/hal_memtrack_default.te
new file mode 100644
index 00000000..8bb56ce2
--- /dev/null
+++ b/tracking_denials/hal_memtrack_default.te
@@ -0,0 +1,3 @@
+# b/181913683
+dontaudit hal_memtrack_default vendor_ion_debugfs:dir { search };
+dontaudit hal_memtrack_default vendor_ion_debugfs:dir { search };
diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te
new file mode 100644
index 00000000..9ebda637
--- /dev/null
+++ b/tracking_denials/hal_neuralnetworks_armnn.te
@@ -0,0 +1,33 @@
+# b/171160755
+dontaudit hal_neuralnetworks_armnn traced:unix_stream_socket connectto ;
+dontaudit hal_neuralnetworks_armnn hal_neuralnetworks_hwservice:hwservice_manager add ;
+dontaudit hal_neuralnetworks_armnn hal_neuralnetworks_hwservice:hwservice_manager find ;
+dontaudit hal_neuralnetworks_armnn hwservicemanager:binder transfer ;
+dontaudit hal_neuralnetworks_armnn hwservicemanager:binder call ;
+dontaudit hal_neuralnetworks_armnn hwservicemanager_prop:file map ;
+dontaudit hal_neuralnetworks_armnn hwservicemanager_prop:file getattr ;
+dontaudit hal_neuralnetworks_armnn hwservicemanager_prop:file open ;
+dontaudit hal_neuralnetworks_armnn hwservicemanager_prop:file read ;
+dontaudit hal_neuralnetworks_armnn gpu_device:chr_file {read write} ;
+dontaudit hal_neuralnetworks_armnn gpu_device:chr_file open ;
+dontaudit hal_neuralnetworks_armnn gpu_device:chr_file getattr ;
+dontaudit hal_neuralnetworks_armnn gpu_device:chr_file ioctl ;
+dontaudit hal_neuralnetworks_armnn gpu_device:chr_file map ;
+dontaudit hal_neuralnetworks_armnn gpu_device:chr_file {read write} ;
+dontaudit hal_neuralnetworks_armnn traced_producer_socket:sock_file write ;
+dontaudit hal_neuralnetworks_armnn hidl_base_hwservice:hwservice_manager add ;
+# b/171670122
+dontaudit hal_neuralnetworks_armnn debugfs_tracing:file { read };
+dontaudit hal_neuralnetworks_armnn debugfs_tracing:file { open };
+# b/180550063
+dontaudit hal_neuralnetworks_armnn system_data_file:dir { search };
+dontaudit hal_neuralnetworks_armnn system_data_file:dir { search };
+# b/180858476
+dontaudit hal_neuralnetworks_armnn default_prop:file { read };
+dontaudit hal_neuralnetworks_armnn default_prop:file { read };
+dontaudit hal_neuralnetworks_armnn default_prop:file { open };
+dontaudit hal_neuralnetworks_armnn default_prop:file { getattr };
+dontaudit hal_neuralnetworks_armnn default_prop:file { map };
+dontaudit hal_neuralnetworks_armnn default_prop:file { open };
+dontaudit hal_neuralnetworks_armnn default_prop:file { getattr };
+dontaudit hal_neuralnetworks_armnn default_prop:file { map };
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
new file mode 100644
index 00000000..ba08e0ad
--- /dev/null
+++ b/tracking_denials/hal_power_default.te
@@ -0,0 +1,15 @@
+# b/171760921
+dontaudit hal_power_default hal_power_default:capability { dac_override };
+# b/178331773
+dontaudit hal_power_default sysfs:file { write };
+dontaudit hal_power_default sysfs:file { open };
+dontaudit hal_power_default sysfs:file { write };
+dontaudit hal_power_default sysfs:file { open };
+# b/178752616
+dontaudit hal_power_default sysfs:file { read };
+dontaudit hal_power_default sysfs:file { getattr };
+dontaudit hal_power_default sysfs:file { read };
+dontaudit hal_power_default sysfs:file { getattr };
+# b/181713002
+dontaudit hal_power_default hal_graphics_composer_default:binder { transfer };
+dontaudit hal_power_default hal_graphics_composer_default:binder { transfer };
diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te
new file mode 100644
index 00000000..20c95e4b
--- /dev/null
+++ b/tracking_denials/hal_power_stats_default.te
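Review bot: In hal_power_default.te, `dontaudit hal_power_default hal_power_default:capability { dac_override };` under b/171760921 hides what is normally a file ownership or mode mismatch, and the `sysfs:file` rules under b/178331773 and b/178752616 are written against the generic `sysfs` type, so they suppress denials for any unlabelled sysfs node the power HAL touches, not just the ones seen so far. Neither problem is visible in the audit log afterwards, which makes it easy to ship with the HAL silently failing to write its tunables. I would record the intended fix next to each rule, for example `# dac_override: fix owner/mode of the target node in the init rc instead of granting the capability` and `# sysfs: add genfs_contexts labels for the specific nodes, then allow on that type`. The file is shown in full in this hunk.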
@@ -0,0 +1,68 @@
+# b/171760721
+dontaudit hal_power_stats_default sysfs:file { read };
+dontaudit hal_power_stats_default sysfs:file { getattr };
+dontaudit hal_power_stats_default citadeld:binder { call };
+dontaudit hal_power_stats_default sysfs:file { read };
+dontaudit hal_power_stats_default sysfs:file { getattr };
+dontaudit hal_power_stats_default sysfs:file { open };
+dontaudit hal_power_stats_default sysfs:file { getattr };
+dontaudit hal_power_stats_default sysfs:dir { read };
+dontaudit hal_power_stats_default sysfs:dir { open };
+dontaudit hal_power_stats_default sysfs:file { read };
+dontaudit hal_power_stats_default sysfs:file { open };
+dontaudit hal_power_stats_default sysfs:file { open };
+# b/176777337
+dontaudit hal_power_stats_default sysfs_leds:dir search ;
+dontaudit hal_power_stats_default sysfs_leds:file open ;
+dontaudit hal_power_stats_default sysfs_leds:dir search ;
+dontaudit hal_power_stats_default sysfs_leds:file read ;
+dontaudit hal_power_stats_default sysfs_leds:file open ;
+# b/176868314
+dontaudit hal_power_stats_default sysfs_leds:file read ;
+dontaudit hal_power_stats_default sysfs_leds:file open ;
+dontaudit hal_power_stats_default sysfs_leds:dir search ;
+# b/179093124
+dontaudit hal_power_stats_default sysfs_backlight:file { open };
+dontaudit hal_power_stats_default sysfs_backlight:file { read };
+dontaudit hal_power_stats_default sysfs_backlight:file { open };
+dontaudit hal_power_stats_default sysfs_backlight:dir { search };
+dontaudit hal_power_stats_default sysfs_backlight:dir { search };
+dontaudit hal_power_stats_default sysfs_backlight:file { read };
+# b/180963514
+dontaudit hal_power_stats_default sysfs_aoc:file { read };
+dontaudit hal_power_stats_default sysfs_aoc:file { read };
+dontaudit hal_power_stats_default sysfs_aoc:file { open };
+dontaudit hal_power_stats_default sysfs_aoc:file { getattr };
+dontaudit hal_power_stats_default sysfs_aoc:file { open };
+dontaudit hal_power_stats_default sysfs_aoc:file { getattr };
+dontaudit hal_power_stats_default sysfs_aoc:dir { search };
+dontaudit hal_power_stats_default sysfs_aoc:file { read };
+dontaudit hal_power_stats_default sysfs_aoc:file { open };
+dontaudit hal_power_stats_default sysfs_aoc:file { open };
+dontaudit hal_power_stats_default sysfs_aoc:file { getattr };
+dontaudit hal_power_stats_default sysfs_aoc:dir { search };
+dontaudit hal_power_stats_default sysfs_aoc:dir { search };
+dontaudit hal_power_stats_default sysfs_aoc:file { read };
+dontaudit hal_power_stats_default sysfs_aoc:file { open };
+dontaudit hal_power_stats_default sysfs_aoc:file { getattr };
+dontaudit hal_power_stats_default sysfs_aoc:file { read };
+# b/181915165
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { read };
+dontaudit hal_power_stats_default sysfs_acpm_stats:dir { search };
+dontaudit hal_power_stats_default sysfs_wifi:file { getattr };
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { read };
+dontaudit hal_power_stats_default sysfs_acpm_stats:dir { search };
+dontaudit hal_power_stats_default sysfs_wifi:file { open };
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { open };
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { getattr };
+dontaudit hal_power_stats_default sysfs_wifi:file { getattr };
+dontaudit hal_power_stats_default sysfs_wifi:file { open };
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { read };
+dontaudit hal_power_stats_default sysfs_wifi:file { read };
+dontaudit hal_power_stats_default sysfs_wifi:dir { search };
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { getattr };
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { open };
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { read };
+dontaudit hal_power_stats_default sysfs_acpm_stats:dir { search };
+dontaudit hal_power_stats_default sysfs_wifi:dir { search };
+dontaudit hal_power_stats_default sysfs_wifi:file { read };
diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te
new file mode 100644
index 00000000..eea73ffc
--- /dev/null
+++ b/tracking_denials/hal_vibrator_default.te
@@ -0,0 +1,2 @@
+# b/174961422
+dontaudit hal_vibrator_default property_type:file * ;
diff --git a/tracking_denials/hal_wifi_ext.te b/tracking_denials/hal_wifi_ext.te
new file mode 100644
index 00000000..c43741be
--- /dev/null
+++ b/tracking_denials/hal_wifi_ext.te
@@ -0,0 +1,4 @@
+# b/177966433
+dontaudit hal_wifi_ext vendor_default_prop:property_service { set };
+dontaudit hal_wifi_ext grilservice_app:binder { call };
+dontaudit hal_wifi_ext grilservice_app:binder { call };
diff --git a/tracking_denials/hardware_info_app.te b/tracking_denials/hardware_info_app.te
new file mode 100644
index 00000000..810cb701
--- /dev/null
+++ b/tracking_denials/hardware_info_app.te
@@ -0,0 +1,18 @@
+# b/181177926
+dontaudit hardware_info_app sysfs_scsi_devices_0000:file { getattr };
+dontaudit hardware_info_app sysfs_scsi_devices_0000:file { open };
+dontaudit hardware_info_app sysfs_batteryinfo:file { read };
+dontaudit hardware_info_app sysfs:file { read };
+dontaudit hardware_info_app sysfs:file { open };
+dontaudit hardware_info_app sysfs:file { getattr };
+dontaudit hardware_info_app sysfs_scsi_devices_0000:dir { search };
+dontaudit hardware_info_app sysfs_scsi_devices_0000:file { read };
+dontaudit hardware_info_app sysfs_batteryinfo:dir { search };
+# b/181914888
+dontaudit hardware_info_app sysfs_batteryinfo:file { open };
+dontaudit hardware_info_app sysfs_batteryinfo:file { getattr };
+dontaudit hardware_info_app vendor_regmap_debugfs:dir { search };
+# b/181915166
+dontaudit hardware_info_app sysfs_batteryinfo:file { getattr };
+dontaudit hardware_info_app sysfs_batteryinfo:file { open };
+dontaudit hardware_info_app vendor_regmap_debugfs:dir { search };
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
new file mode 100644
index 00000000..61223df0
--- /dev/null
+++ b/tracking_denials/incidentd.te
@@ -0,0 +1,139 @@
+# b/176868159
+dontaudit incidentd apk_verity_prop:file getattr ;
+dontaudit incidentd apk_verity_prop:file map ;
+dontaudit incidentd apk_verity_prop:file getattr ;
+dontaudit incidentd apk_verity_prop:file open ;
+dontaudit incidentd apexd_prop:file map ;
+dontaudit incidentd apexd_prop:file getattr ;
+dontaudit incidentd apexd_prop:file getattr ;
+dontaudit incidentd apexd_prop:file map ;
+dontaudit incidentd apk_verity_prop:file open ;
+dontaudit incidentd apk_verity_prop:file map ;
+# b/177176812
+dontaudit incidentd audio_config_prop:file open ;
+dontaudit incidentd ab_update_gki_prop:file open ;
+dontaudit incidentd ab_update_gki_prop:file map ;
+dontaudit incidentd ab_update_gki_prop:file getattr ;
+dontaudit incidentd audio_config_prop:file open ;
+dontaudit incidentd aac_drc_prop:file map ;
+dontaudit incidentd aac_drc_prop:file getattr ;
+dontaudit incidentd aac_drc_prop:file open ;
+dontaudit incidentd aac_drc_prop:file open ;
+dontaudit incidentd ab_update_gki_prop:file map ;
+dontaudit incidentd aac_drc_prop:file map ;
+dontaudit incidentd ab_update_gki_prop:file getattr ;
+dontaudit incidentd aac_drc_prop:file getattr ;
+dontaudit incidentd ab_update_gki_prop:file open ;
+# b/177389412
+dontaudit incidentd audio_config_prop:file { getattr };
+dontaudit incidentd audio_config_prop:file { getattr };
+dontaudit incidentd audio_config_prop:file { map };
+dontaudit incidentd bluetooth_a2dp_offload_prop:file { open };
+dontaudit incidentd bluetooth_a2dp_offload_prop:file { map };
+dontaudit incidentd nfc_service:service_manager { find };
+dontaudit incidentd bluetooth_a2dp_offload_prop:file { map };
+dontaudit incidentd bluetooth_a2dp_offload_prop:file { getattr };
+dontaudit incidentd bluetooth_a2dp_offload_prop:file { open };
+dontaudit incidentd audio_config_prop:file { map };
+dontaudit incidentd bluetooth_a2dp_offload_prop:file { getattr };
+# b/177614642
+dontaudit incidentd bluetooth_audio_hal_prop:file { map };
+dontaudit incidentd bluetooth_audio_hal_prop:file { open };
+dontaudit incidentd bluetooth_prop:file { map };
+dontaudit incidentd bluetooth_prop:file { getattr };
+dontaudit incidentd bluetooth_prop:file { open };
+dontaudit incidentd bluetooth_audio_hal_prop:file { map };
+dontaudit incidentd bluetooth_audio_hal_prop:file { getattr };
+dontaudit incidentd boottime_prop:file { open };
+dontaudit incidentd bluetooth_prop:file { map };
+dontaudit incidentd bluetooth_prop:file { getattr };
+dontaudit incidentd bluetooth_prop:file { open };
+dontaudit incidentd bluetooth_audio_hal_prop:file { open };
+dontaudit incidentd bluetooth_audio_hal_prop:file { getattr };
+dontaudit incidentd boottime_prop:file { open };
+# b/177778217
+dontaudit incidentd boottime_public_prop:file { getattr };
+dontaudit incidentd boottime_prop:file { getattr };
+dontaudit incidentd bpf_progs_loaded_prop:file { open };
+dontaudit incidentd boottime_public_prop:file { map };
+dontaudit incidentd boottime_public_prop:file { getattr };
+dontaudit incidentd boottime_public_prop:file { open };
+dontaudit incidentd boottime_prop:file { map };
+dontaudit incidentd bpf_progs_loaded_prop:file { getattr };
+dontaudit incidentd bpf_progs_loaded_prop:file { open };
+dontaudit incidentd boottime_public_prop:file { map };
+dontaudit incidentd boottime_prop:file { getattr };
+dontaudit incidentd boottime_prop:file { map };
+dontaudit incidentd boottime_public_prop:file { open };
+dontaudit incidentd bpf_progs_loaded_prop:file { getattr };
+# b/177860841
+dontaudit incidentd build_bootimage_prop:file { map };
+dontaudit incidentd build_config_prop:file { getattr };
+dontaudit incidentd build_config_prop:file { open };
+dontaudit incidentd bpf_progs_loaded_prop:file { map };
+dontaudit incidentd build_bootimage_prop:file { open };
+dontaudit incidentd build_bootimage_prop:file { getattr };
+dontaudit incidentd build_bootimage_prop:file { map };
+dontaudit incidentd build_bootimage_prop:file { getattr };
+dontaudit incidentd build_config_prop:file { getattr };
+dontaudit incidentd build_config_prop:file { map };
+dontaudit incidentd bpf_progs_loaded_prop:file { map };
+dontaudit incidentd build_bootimage_prop:file { open };
+dontaudit incidentd build_config_prop:file { open };
+dontaudit incidentd build_config_prop:file { map };
+# b/178752460
+dontaudit incidentd camera_calibration_prop:file { open };
+dontaudit incidentd charger_config_prop:file { getattr };
+dontaudit incidentd charger_config_prop:file { open };
+dontaudit incidentd camera_calibration_prop:file { map };
+dontaudit incidentd camera_calibration_prop:file { getattr };
+dontaudit incidentd charger_config_prop:file { getattr };
+dontaudit incidentd camera_calibration_prop:file { open };
+dontaudit incidentd camera_calibration_prop:file { getattr };
+dontaudit incidentd camera_calibration_prop:file { map };
+dontaudit incidentd charger_config_prop:file { open };
+# b/179310909
+dontaudit incidentd charger_status_prop:file { open };
+dontaudit incidentd charger_prop:file { open };
+dontaudit incidentd charger_prop:file { getattr };
+dontaudit incidentd charger_prop:file { map };
+dontaudit incidentd charger_status_prop:file { open };
+dontaudit incidentd charger_status_prop:file { getattr };
+dontaudit incidentd charger_status_prop:file { map };
+dontaudit incidentd charger_config_prop:file { map };
+dontaudit incidentd charger_status_prop:file { map };
+dontaudit incidentd charger_status_prop:file { getattr };
+dontaudit incidentd charger_config_prop:file { map };
+dontaudit incidentd charger_prop:file { open };
+dontaudit incidentd charger_prop:file { getattr };
+dontaudit incidentd charger_prop:file { map };
+# b/179437463
+dontaudit incidentd cold_boot_done_prop:file { map };
+dontaudit incidentd cold_boot_done_prop:file { getattr };
+dontaudit incidentd cpu_variant_prop:file { map };
+dontaudit incidentd cpu_variant_prop:file { getattr };
+dontaudit incidentd cold_boot_done_prop:file { map };
+dontaudit incidentd cpu_variant_prop:file { map };
+dontaudit incidentd cpu_variant_prop:file { open };
+dontaudit incidentd cold_boot_done_prop:file { getattr };
+dontaudit incidentd cold_boot_done_prop:file { open };
+dontaudit incidentd cold_boot_done_prop:file { open };
+dontaudit incidentd cpu_variant_prop:file { open };
+dontaudit incidentd cpu_variant_prop:file { getattr };
+# b/180963481
+dontaudit incidentd ctl_bootanim_prop:file { open };
+dontaudit incidentd ctl_adbd_prop:file { open };
+dontaudit incidentd ctl_adbd_prop:file { getattr };
+dontaudit incidentd ctl_adbd_prop:file { map };
+dontaudit incidentd ctl_apexd_prop:file { getattr };
+dontaudit incidentd ctl_apexd_prop:file { map };
+dontaudit incidentd ctl_adbd_prop:file { open };
+dontaudit incidentd ctl_adbd_prop:file { getattr };
+dontaudit incidentd ctl_adbd_prop:file { map };
+dontaudit incidentd ctl_apexd_prop:file { open };
+dontaudit incidentd ctl_apexd_prop:file { getattr };
+dontaudit incidentd ctl_apexd_prop:file { map };
+dontaudit incidentd ctl_bootanim_prop:file { open };
+dontaudit incidentd ctl_apexd_prop:file { open };
+# b/181177909
+dontaudit incidentd property_type:file *;
diff --git a/tracking_denials/init-thermal-symlinks-sh.te b/tracking_denials/init-thermal-symlinks-sh.te
new file mode 100644
index 00000000..bfb04c06
--- /dev/null
+++ b/tracking_denials/init-thermal-symlinks-sh.te
@@ -0,0 +1,9 @@
+# b/177862403
+dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read };
+dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read };
+dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read };
+dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read };
+dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read };
+dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read };
+dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read };
+dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read };
diff --git a/tracking_denials/init.te b/tracking_denials/init.te
new file mode 100644
index 00000000..48fddf60
--- /dev/null
+++ b/tracking_denials/init.te
@@ -0,0 +1,20 @@
+# b/177966144
+dontaudit init sysfs:file { open };
+dontaudit init sysfs:file { setattr };
+dontaudit init sysfs:file { open };
+dontaudit init sysfs:file { write };
+dontaudit init sysfs:file { setattr };
+dontaudit init sysfs:file { write };
+# b/178979985
+dontaudit init device:chr_file { ioctl };
+dontaudit init modem_img_file:dir { mounton };
+dontaudit init device:chr_file { open };
+dontaudit init device:chr_file { read write };
+dontaudit init modem_img_file:dir { mounton };
+dontaudit init device:chr_file { ioctl };
+dontaudit init device:chr_file { open };
+dontaudit init device:chr_file { read write };
+# b/180963348
+dontaudit init overlayfs_file:chr_file { unlink };
+dontaudit init unlabeled:dir { mounton };
+dontaudit init overlayfs_file:file { rename };
diff --git a/tracking_denials/mediacodec.te b/tracking_denials/mediacodec.te
new file mode 100644
index 00000000..2d3f4475
--- /dev/null
+++ b/tracking_denials/mediacodec.te
@@ -0,0 +1,6 @@
+# b/172173484
+dontaudit mediacodec sysfs:file { getattr };
+dontaudit mediacodec sysfs:file { open };
+dontaudit mediacodec sysfs:file { read };
+# b/176777184
+dontaudit mediacodec default_android_vndservice:service_manager add ;
diff --git a/tracking_denials/modem_logging_control.te b/tracking_denials/modem_logging_control.te
new file mode 100644
index 00000000..e7b77922
--- /dev/null
+++ b/tracking_denials/modem_logging_control.te
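Review bot: In init.te the `mounton` rules for `modem_img_file:dir` (b/178979985) and `unlabeled:dir` (b/180963348), together with the `device:chr_file` rules, suppress logging for operations that stay denied, so a mount or device open that init needs during boot can fail with no avc record to explain it. The `unlabeled` and generic `device` targets also indicate objects that have no label assigned yet, which is a policy gap in its own right rather than something to silence in the most privileged domain. I would keep these audited until the mount point and device node are labelled, or at minimum add `# still denied: label the mount point/device node, then replace with a scoped allow` above each group. The init.te section is fully visible here.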
@@ -0,0 +1,13 @@
+# b/176777145
+dontaudit modem_logging_control vendor_sys_default_prop:property_service set ;
+# b/176851633
+dontaudit modem_logging_control vendor_sys_default_prop:file { read };
+dontaudit modem_logging_control vendor_sys_default_prop:file { read };
+dontaudit modem_logging_control vendor_sys_default_prop:file { open };
+dontaudit modem_logging_control vendor_sys_default_prop:file { getattr };
+dontaudit modem_logging_control vendor_sys_default_prop:file { map };
+dontaudit modem_logging_control vendor_sys_default_prop:file { open };
+dontaudit modem_logging_control vendor_sys_default_prop:file { getattr };
+dontaudit modem_logging_control vendor_sys_default_prop:file { map };
+# b/176868315
+dontaudit modem_logging_control vendor_sys_default_prop:property_service set ;
diff --git a/tracking_denials/pixelstats_vendor.te b/tracking_denials/pixelstats_vendor.te
new file mode 100644
index 00000000..4eb0f6d0
--- /dev/null
+++ b/tracking_denials/pixelstats_vendor.te
@@ -0,0 +1,4 @@
+# b/181914749
+dontaudit pixelstats_vendor servicemanager:binder { call };
+# b/181915066
+dontaudit pixelstats_vendor servicemanager:binder { call };
diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te
new file mode 100644
index 00000000..6e8841af
--- /dev/null
+++ b/tracking_denials/platform_app.te
@@ -0,0 +1,8 @@
+# b/178433506
+dontaudit platform_app property_type:file *;
+# b/179093352
+dontaudit platform_app hal_wlc:binder { transfer };
+dontaudit platform_app hal_wlc:binder { call };
+dontaudit platform_app hal_wlc_hwservice:hwservice_manager { find };
+dontaudit platform_app hal_wlc:binder { call };
+dontaudit platform_app hal_wlc:binder { transfer };
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
new file mode 100644
index 00000000..4eba31d3
--- /dev/null
+++ b/tracking_denials/priv_app.te
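Review bot: `dontaudit platform_app property_type:file *;` in platform_app.te suppresses every denial on every property type, so any later denial on a property file in this domain will never reach the audit log. A rule this wide is hard to retire because nothing records which properties triggered it; listing the specific `*_prop` types seen under b/178433506 would keep the suppression reviewable. The same wildcard rule is added for priv_app, shell, system_app, system_server and untrusted_app_25 later in this patch (and for incidentd, whose hunk starts above this view). In priv_app.te and untrusted_app_25.te it also makes the per-property lines above it redundant, and for the app domains it removes the log trail of an app reading properties it is not allowed to read.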
@@ -0,0 +1,51 @@ +# b/180551518 +dontaudit priv_app apk_verity_prop:file { getattr }; +dontaudit priv_app audio_config_prop:file { getattr }; +dontaudit priv_app apexd_prop:file { open }; +dontaudit priv_app apexd_prop:file { getattr }; +dontaudit priv_app apexd_prop:file { map }; +dontaudit priv_app apk_verity_prop:file { open }; +dontaudit priv_app audio_config_prop:file { open }; +dontaudit priv_app apk_verity_prop:file { map }; +dontaudit priv_app apk_verity_prop:file { getattr }; +dontaudit priv_app apk_verity_prop:file { open }; +dontaudit priv_app apexd_prop:file { map }; +dontaudit priv_app apexd_prop:file { getattr }; +dontaudit priv_app apexd_prop:file { open }; +dontaudit priv_app apexd_prop:file { open }; +dontaudit priv_app apexd_prop:file { getattr }; +dontaudit priv_app apexd_prop:file { map }; +dontaudit priv_app apk_verity_prop:file { open }; +dontaudit priv_app apk_verity_prop:file { getattr }; +dontaudit priv_app apk_verity_prop:file { map }; +dontaudit priv_app audio_config_prop:file { open }; +dontaudit priv_app audio_config_prop:file { getattr }; +dontaudit priv_app apexd_prop:file { open }; +dontaudit priv_app apexd_prop:file { getattr }; +dontaudit priv_app apexd_prop:file { map }; +dontaudit priv_app apk_verity_prop:file { open }; +dontaudit priv_app apk_verity_prop:file { getattr }; +# b/180567612 +dontaudit priv_app audio_config_prop:file { map }; +dontaudit priv_app bluetooth_audio_hal_prop:file { getattr }; +dontaudit priv_app bluetooth_audio_hal_prop:file { map }; +dontaudit priv_app bluetooth_prop:file { open }; +dontaudit priv_app bluetooth_prop:file { getattr }; +dontaudit priv_app bluetooth_audio_hal_prop:file { open }; +dontaudit priv_app bluetooth_a2dp_offload_prop:file { map }; +dontaudit priv_app bluetooth_a2dp_offload_prop:file { getattr }; +dontaudit priv_app bluetooth_a2dp_offload_prop:file { open }; +dontaudit priv_app audio_config_prop:file { map }; +dontaudit priv_app bluetooth_a2dp_offload_prop:file { open }; +dontaudit 
priv_app bluetooth_a2dp_offload_prop:file { getattr }; +dontaudit priv_app bluetooth_a2dp_offload_prop:file { map }; +dontaudit priv_app bluetooth_audio_hal_prop:file { open }; +dontaudit priv_app bluetooth_audio_hal_prop:file { getattr }; +dontaudit priv_app bluetooth_audio_hal_prop:file { map }; +dontaudit priv_app bluetooth_prop:file { open }; +dontaudit priv_app bluetooth_prop:file { getattr }; +# b/180656244 +dontaudit priv_app property_type:file *; +# b/180858511 +dontaudit priv_app hal_neuralnetworks_armnn:binder { call }; +dontaudit priv_app hal_neuralnetworks_armnn:binder { call }; diff --git a/tracking_denials/rild.te b/tracking_denials/rild.te new file mode 100644 index 00000000..10680da3 --- /dev/null +++ b/tracking_denials/rild.te @@ -0,0 +1,16 @@ +# b/178980065 +dontaudit rild unlabeled:dir { search }; +dontaudit rild unlabeled:lnk_file { read }; +dontaudit rild unlabeled:dir { search }; +dontaudit rild unlabeled:lnk_file { read }; +# b/179198085 +dontaudit rild unlabeled:file { ioctl }; +dontaudit rild unlabeled:file { open }; +dontaudit rild unlabeled:file { read }; +dontaudit rild unlabeled:file { getattr }; +dontaudit rild unlabeled:file { lock }; +dontaudit rild unlabeled:file { ioctl }; +dontaudit rild unlabeled:file { open }; +dontaudit rild unlabeled:file { read }; +dontaudit rild unlabeled:file { getattr }; +dontaudit rild unlabeled:file { lock }; diff --git a/tracking_denials/scd.te b/tracking_denials/scd.te new file mode 100644 index 00000000..f66f49eb --- /dev/null +++ b/tracking_denials/scd.te 
@@ -0,0 +1,13 @@
+# b/173969190
+dontaudit scd vendor_data_file:dir { write };
+dontaudit scd vendor_data_file:dir { add_name };
+dontaudit scd vendor_data_file:dir { write };
+dontaudit scd vendor_data_file:file { create };
+dontaudit scd vendor_data_file:file { lock };
+dontaudit scd vendor_data_file:file { create };
+dontaudit scd vendor_data_file:file { lock };
+dontaudit scd vendor_data_file:file { open };
+dontaudit scd vendor_data_file:file { write };
+dontaudit scd vendor_data_file:file { write };
+dontaudit scd vendor_data_file:file { open };
+dontaudit scd vendor_data_file:dir { add_name };
diff --git a/tracking_denials/sced.te b/tracking_denials/sced.te
new file mode 100644
index 00000000..fa8893fd
--- /dev/null
+++ b/tracking_denials/sced.te
@@ -0,0 +1,10 @@
+# b/171760846
+dontaudit sced hwservicemanager:binder { call };
+dontaudit sced hidl_base_hwservice:hwservice_manager { add };
+dontaudit sced hal_vendor_oem_hwservice:hwservice_manager { add };
+dontaudit sced hal_vendor_oem_hwservice:hwservice_manager { find };
+dontaudit sced hwservicemanager_prop:file { read };
+dontaudit sced hwservicemanager_prop:file { open };
+dontaudit sced hwservicemanager:binder { transfer };
+dontaudit sced hwservicemanager_prop:file { map };
+dontaudit sced hwservicemanager_prop:file { getattr };
diff --git a/tracking_denials/shell.te b/tracking_denials/shell.te
new file mode 100644
index 00000000..66ac4fb3
--- /dev/null
+++ b/tracking_denials/shell.te
@@ -0,0 +1,7 @@
+# b/171760597
+dontaudit shell property_type:file *;
+# b/178979984
+dontaudit shell device:chr_file { ioctl };
+dontaudit shell device:chr_file { read write };
+dontaudit shell device:chr_file { read write };
+dontaudit shell device:chr_file { ioctl };
diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te
new file mode 100644
index 00000000..1f7fd2ad
--- /dev/null
+++ b/tracking_denials/surfaceflinger.te
@@ -0,0 +1,12 @@
+# b/176868297
+dontaudit surfaceflinger hal_graphics_composer_default:dir search ;
+# b/177176899
+dontaudit surfaceflinger hal_graphics_composer_default:file open ;
+dontaudit surfaceflinger hal_graphics_composer_default:file read ;
+dontaudit surfaceflinger hal_graphics_composer_default:file getattr ;
+dontaudit surfaceflinger hal_graphics_composer_default:file read ;
+dontaudit surfaceflinger hal_graphics_composer_default:file open ;
+dontaudit surfaceflinger hal_graphics_composer_default:file read ;
+dontaudit surfaceflinger hal_graphics_composer_default:file open ;
+dontaudit surfaceflinger hal_graphics_composer_default:file getattr ;
+dontaudit surfaceflinger hal_graphics_composer_default:file getattr ;
diff --git a/tracking_denials/system_app.te b/tracking_denials/system_app.te
new file mode 100644
index 00000000..0dd274b6
--- /dev/null
+++ b/tracking_denials/system_app.te
@@ -0,0 +1,4 @@
+# b/178433618
+dontaudit system_app property_type:file *;
+# b/179435036
+dontaudit system_app default_android_service:service_manager { add };
diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te
new file mode 100644
index 00000000..d7e456ab
--- /dev/null
+++ b/tracking_denials/system_server.te
@@ -0,0 +1,2 @@
+# b/178980142
+dontaudit system_server property_type:file *;
diff --git a/tracking_denials/tee.te b/tracking_denials/tee.te
new file mode 100644
index 00000000..9148a9c7
--- /dev/null
+++ b/tracking_denials/tee.te
@@ -0,0 +1,11 @@
+# b/173971240
+dontaudit tee persist_file:file { open };
+dontaudit tee tee_data_file:lnk_file { read };
+dontaudit tee mnt_vendor_file:dir { search };
+dontaudit tee persist_file:dir { search };
+dontaudit tee persist_file:file { open };
+dontaudit tee persist_file:file { read write };
+dontaudit tee persist_file:dir { search };
+dontaudit tee mnt_vendor_file:dir { search };
+dontaudit tee tee_data_file:lnk_file { read };
+dontaudit tee persist_file:file { read write };
diff --git a/tracking_denials/trusty_apploader.te b/tracking_denials/trusty_apploader.te
new file mode 100644
index 00000000..0914a14f
--- /dev/null
+++ b/tracking_denials/trusty_apploader.te
@@ -0,0 +1,9 @@
+# b/180874342
+dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { read };
+dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { open };
+dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { ioctl };
+dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { read };
+dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { open };
+dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { ioctl };
+dontaudit trusty_apploader trusty_apploader:capability { dac_override };
+dontaudit trusty_apploader trusty_apploader:capability { dac_override };
diff --git a/tracking_denials/untrusted_app.te b/tracking_denials/untrusted_app.te
new file mode 100644
index 00000000..703cdf53
--- /dev/null
+++ b/tracking_denials/untrusted_app.te
@@ -0,0 +1,14 @@
+# b/178331791
+dontaudit untrusted_app selinuxfs:file { open };
+dontaudit untrusted_app vendor_camera_prop:file { map };
+dontaudit untrusted_app vendor_camera_prop:file { open };
+dontaudit untrusted_app vendor_camera_prop:file { getattr };
+dontaudit untrusted_app selinuxfs:file { read };
+dontaudit untrusted_app selinuxfs:file { read };
+dontaudit untrusted_app selinuxfs:file { open };
+dontaudit untrusted_app vendor_camera_prop:file { open };
+dontaudit untrusted_app vendor_camera_prop:file { getattr };
+dontaudit untrusted_app vendor_camera_prop:file { map };
+# b/178433597
+dontaudit untrusted_app vendor_camera_prop:file { read };
+dontaudit untrusted_app vendor_camera_prop:file { read };
diff --git a/tracking_denials/untrusted_app_25.te b/tracking_denials/untrusted_app_25.te
new file mode 100644
index 00000000..3dcf4615
--- /dev/null
+++ b/tracking_denials/untrusted_app_25.te
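Review bot: The two `dontaudit trusty_apploader trusty_apploader:capability { dac_override };` lines in trusty_apploader.te hide a denial that normally comes from a file owner or mode mismatch rather than from a missing SELinux rule. `dontaudit` grants nothing, so the access presumably still fails the ordinary permission check, only now without a log entry pointing at the cause. I would drop the duplicate line and put the intended fix above the remaining one, for example `# b/180874342: fix owner/mode of the accessed node, then remove`.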
@@ -0,0 +1,149 @@ +# b/177389321 +dontaudit untrusted_app_25 ab_update_gki_prop:file { map }; +dontaudit untrusted_app_25 aac_drc_prop:file { open }; +dontaudit untrusted_app_25 ab_update_gki_prop:file { getattr }; +dontaudit untrusted_app_25 ab_update_gki_prop:file { open }; +dontaudit untrusted_app_25 aac_drc_prop:file { map }; +dontaudit untrusted_app_25 aac_drc_prop:file { getattr }; +# b/177614659 +dontaudit untrusted_app_25 apk_verity_prop:file { open }; +dontaudit untrusted_app_25 apexd_prop:file { getattr }; +dontaudit untrusted_app_25 apexd_prop:file { open }; +dontaudit untrusted_app_25 apexd_prop:file { map }; +dontaudit untrusted_app_25 apk_verity_prop:file { map }; +dontaudit untrusted_app_25 audio_config_prop:file { open }; +dontaudit untrusted_app_25 audio_config_prop:file { getattr }; +dontaudit untrusted_app_25 audio_config_prop:file { map }; +dontaudit untrusted_app_25 apk_verity_prop:file { getattr }; +# b/177616188 +dontaudit untrusted_app_25 bluetooth_a2dp_offload_prop:file { open }; +dontaudit untrusted_app_25 bluetooth_a2dp_offload_prop:file { getattr }; +dontaudit untrusted_app_25 bluetooth_a2dp_offload_prop:file { map }; +dontaudit untrusted_app_25 bluetooth_audio_hal_prop:file { open }; +dontaudit untrusted_app_25 bluetooth_audio_hal_prop:file { getattr }; +dontaudit untrusted_app_25 bluetooth_audio_hal_prop:file { map }; +dontaudit untrusted_app_25 bluetooth_prop:file { open }; +dontaudit untrusted_app_25 bluetooth_prop:file { getattr }; +dontaudit untrusted_app_25 bluetooth_prop:file { map }; +# b/177778551 +dontaudit untrusted_app_25 boottime_public_prop:file { open }; +dontaudit untrusted_app_25 bootloader_boot_reason_prop:file { getattr }; +dontaudit untrusted_app_25 bootloader_boot_reason_prop:file { map }; +dontaudit untrusted_app_25 boottime_prop:file { open }; +dontaudit untrusted_app_25 boottime_prop:file { getattr }; +dontaudit untrusted_app_25 boottime_prop:file { map }; +dontaudit untrusted_app_25 
bootloader_boot_reason_prop:file { open }; +# b/177778793 +dontaudit untrusted_app_25 boottime_public_prop:file { getattr }; +dontaudit untrusted_app_25 boottime_public_prop:file { map }; +dontaudit untrusted_app_25 bpf_progs_loaded_prop:file { open }; +dontaudit untrusted_app_25 bpf_progs_loaded_prop:file { getattr }; +dontaudit untrusted_app_25 bpf_progs_loaded_prop:file { map }; +dontaudit untrusted_app_25 build_bootimage_prop:file { open }; +dontaudit untrusted_app_25 build_bootimage_prop:file { getattr }; +dontaudit untrusted_app_25 build_bootimage_prop:file { map }; +dontaudit untrusted_app_25 build_config_prop:file { open }; +# b/177860838 +dontaudit untrusted_app_25 charger_status_prop:file { open }; +dontaudit untrusted_app_25 charger_prop:file { map }; +dontaudit untrusted_app_25 charger_prop:file { getattr }; +dontaudit untrusted_app_25 charger_prop:file { open }; +dontaudit untrusted_app_25 charger_config_prop:file { map }; +dontaudit untrusted_app_25 charger_config_prop:file { getattr }; +dontaudit untrusted_app_25 build_config_prop:file { map }; +dontaudit untrusted_app_25 build_config_prop:file { getattr }; +dontaudit untrusted_app_25 charger_config_prop:file { open }; +# b/177862777 +dontaudit untrusted_app_25 charger_status_prop:file { getattr }; +dontaudit untrusted_app_25 charger_status_prop:file { map }; +dontaudit untrusted_app_25 cold_boot_done_prop:file { open }; +dontaudit untrusted_app_25 cold_boot_done_prop:file { getattr }; +dontaudit untrusted_app_25 cold_boot_done_prop:file { map }; +dontaudit untrusted_app_25 cpu_variant_prop:file { open }; +dontaudit untrusted_app_25 cpu_variant_prop:file { getattr }; +dontaudit untrusted_app_25 cpu_variant_prop:file { map }; +dontaudit untrusted_app_25 ctl_adbd_prop:file { open }; +# b/178752409 +dontaudit untrusted_app_25 ctl_adbd_prop:file { getattr }; +dontaudit untrusted_app_25 ctl_apexd_prop:file { open }; +dontaudit untrusted_app_25 ctl_adbd_prop:file { map }; +dontaudit untrusted_app_25 
ctl_apexd_prop:file { map }; +dontaudit untrusted_app_25 ctl_apexd_prop:file { getattr }; +dontaudit untrusted_app_25 ctl_apexd_prop:file { open }; +dontaudit untrusted_app_25 ctl_adbd_prop:file { map }; +dontaudit untrusted_app_25 ctl_adbd_prop:file { getattr }; +dontaudit untrusted_app_25 ctl_apexd_prop:file { map }; +dontaudit untrusted_app_25 ctl_bootanim_prop:file { map }; +dontaudit untrusted_app_25 ctl_bootanim_prop:file { getattr }; +dontaudit untrusted_app_25 ctl_bootanim_prop:file { open }; +dontaudit untrusted_app_25 ctl_apexd_prop:file { getattr }; +# b/178753151 +dontaudit untrusted_app_25 ctl_bugreport_prop:file { open }; +dontaudit untrusted_app_25 ctl_bugreport_prop:file { getattr }; +dontaudit untrusted_app_25 ctl_bugreport_prop:file { map }; +dontaudit untrusted_app_25 ctl_console_prop:file { open }; +dontaudit untrusted_app_25 ctl_console_prop:file { getattr }; +dontaudit untrusted_app_25 ctl_console_prop:file { map }; +dontaudit untrusted_app_25 ctl_default_prop:file { open }; +dontaudit untrusted_app_25 ctl_default_prop:file { getattr }; +dontaudit untrusted_app_25 ctl_bugreport_prop:file { open }; +dontaudit untrusted_app_25 ctl_bugreport_prop:file { getattr }; +dontaudit untrusted_app_25 ctl_bugreport_prop:file { map }; +dontaudit untrusted_app_25 ctl_console_prop:file { open }; +dontaudit untrusted_app_25 ctl_console_prop:file { getattr }; +# b/179310875 +dontaudit untrusted_app_25 ctl_dumpstate_prop:file { map }; +dontaudit untrusted_app_25 ctl_fuse_prop:file { open }; +dontaudit untrusted_app_25 ctl_dumpstate_prop:file { map }; +dontaudit untrusted_app_25 ctl_dumpstate_prop:file { open }; +dontaudit untrusted_app_25 ctl_default_prop:file { map }; +dontaudit untrusted_app_25 ctl_dumpstate_prop:file { getattr }; +dontaudit untrusted_app_25 ctl_dumpstate_prop:file { open }; +dontaudit untrusted_app_25 ctl_default_prop:file { map }; +dontaudit untrusted_app_25 ctl_gsid_prop:file { open }; +dontaudit untrusted_app_25 ctl_fuse_prop:file { map }; 
+dontaudit untrusted_app_25 ctl_fuse_prop:file { getattr }; +dontaudit untrusted_app_25 ctl_fuse_prop:file { open }; +dontaudit untrusted_app_25 ctl_dumpstate_prop:file { getattr }; +# b/179437293 +dontaudit untrusted_app_25 ctl_interface_stop_prop:file { open }; +dontaudit untrusted_app_25 ctl_interface_restart_prop:file { map }; +dontaudit untrusted_app_25 ctl_interface_restart_prop:file { getattr }; +dontaudit untrusted_app_25 ctl_interface_restart_prop:file { open }; +dontaudit untrusted_app_25 ctl_gsid_prop:file { map }; +dontaudit untrusted_app_25 ctl_gsid_prop:file { getattr }; +dontaudit untrusted_app_25 ctl_interface_start_prop:file { map }; +dontaudit untrusted_app_25 ctl_interface_start_prop:file { getattr }; +dontaudit untrusted_app_25 ctl_interface_start_prop:file { open }; +dontaudit untrusted_app_25 ctl_interface_restart_prop:file { map }; +dontaudit untrusted_app_25 ctl_interface_restart_prop:file { getattr }; +dontaudit untrusted_app_25 ctl_interface_restart_prop:file { open }; +dontaudit untrusted_app_25 ctl_gsid_prop:file { getattr }; +dontaudit untrusted_app_25 ctl_gsid_prop:file { map }; +# b/179437737 +dontaudit untrusted_app_25 ctl_interface_restart_prop:file { open }; +dontaudit untrusted_app_25 ctl_gsid_prop:file { map }; +dontaudit untrusted_app_25 ctl_gsid_prop:file { getattr }; +dontaudit untrusted_app_25 ctl_interface_restart_prop:file { getattr }; +dontaudit untrusted_app_25 ctl_interface_restart_prop:file { map }; +dontaudit untrusted_app_25 ctl_interface_start_prop:file { open }; +dontaudit untrusted_app_25 ctl_interface_start_prop:file { getattr }; +dontaudit untrusted_app_25 ctl_interface_start_prop:file { map }; +dontaudit untrusted_app_25 ctl_gsid_prop:file { getattr }; +dontaudit untrusted_app_25 ctl_gsid_prop:file { map }; +dontaudit untrusted_app_25 ctl_interface_restart_prop:file { open }; +dontaudit untrusted_app_25 ctl_interface_restart_prop:file { getattr }; +dontaudit untrusted_app_25 ctl_interface_restart_prop:file { map 
}; +# b/180963328 +dontaudit untrusted_app_25 ctl_mdnsd_prop:file { getattr }; +dontaudit untrusted_app_25 ctl_interface_stop_prop:file { getattr }; +dontaudit untrusted_app_25 ctl_interface_stop_prop:file { map }; +dontaudit untrusted_app_25 ctl_mdnsd_prop:file { open }; +dontaudit untrusted_app_25 ctl_mdnsd_prop:file { map }; +dontaudit untrusted_app_25 ctl_mdnsd_prop:file { map }; +dontaudit untrusted_app_25 ctl_mdnsd_prop:file { getattr }; +dontaudit untrusted_app_25 ctl_mdnsd_prop:file { open }; +dontaudit untrusted_app_25 ctl_interface_stop_prop:file { map }; +dontaudit untrusted_app_25 ctl_interface_stop_prop:file { getattr }; +# b/180963587 +dontaudit untrusted_app_25 property_type:file *; diff --git a/tracking_denials/update_engine.te b/tracking_denials/update_engine.te new file mode 100644 index 00000000..e1f320af --- /dev/null +++ b/tracking_denials/update_engine.te @@ -0,0 +1,5 @@ +# b/174961421 +dontaudit update_engine dumpstate:fifo_file write ; +dontaudit update_engine dumpstate:fifo_file write ; +dontaudit update_engine dumpstate:fd use ; +dontaudit update_engine dumpstate:fd use ; diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te new file mode 100644 index 00000000..f00248a0 --- /dev/null +++ b/tracking_denials/vendor_init.te 
@@ -0,0 +1,20 @@
+# b/176528556
+dontaudit vendor_init tmpfs:dir { add_name write };
+# b/176528557
+dontaudit vendor_init debugfs_trace_marker:file { getattr };
+# b/177186257
+dontaudit vendor_init system_data_file:dir { open ioctl read };
+# b/174443175
+dontaudit vendor_init vendor_power_prop:property_service { set };
+# b/177386448
+dontaudit vendor_init device:file { create };
+dontaudit vendor_init device:file { create };
+# b/178980032
+dontaudit vendor_init unlabeled:dir { setattr };
+dontaudit vendor_init unlabeled:dir { read };
+dontaudit vendor_init unlabeled:dir { search };
+dontaudit vendor_init unlabeled:dir { search };
+dontaudit vendor_init unlabeled:dir { open };
+dontaudit vendor_init unlabeled:dir { read };
+dontaudit vendor_init unlabeled:dir { setattr };
+dontaudit vendor_init unlabeled:dir { open };
diff --git a/tracking_denials/vendor_telephony_app.te b/tracking_denials/vendor_telephony_app.te
new file mode 100644
index 00000000..2969a576
--- /dev/null
+++ b/tracking_denials/vendor_telephony_app.te
@@ -0,0 +1,21 @@
+# b/174961423
+dontaudit vendor_telephony_app vendor_persist_sys_default_prop:file open ;
+dontaudit vendor_telephony_app vendor_persist_sys_default_prop:file read ;
+dontaudit vendor_telephony_app system_app_data_file:dir search ;
+dontaudit vendor_telephony_app system_app_data_file:dir getattr ;
+dontaudit vendor_telephony_app system_data_file:dir search ;
+# b/176868380
+dontaudit vendor_telephony_app user_profile_root_file:dir search ;
+dontaudit vendor_telephony_app user_profile_root_file:dir search ;
+dontaudit vendor_telephony_app vendor_persist_sys_default_prop:file getattr ;
+dontaudit vendor_telephony_app vendor_persist_sys_default_prop:file map ;
+dontaudit vendor_telephony_app vendor_slog_file:dir search ;
+# b/177176900
+dontaudit vendor_telephony_app vendor_rild_prop:file getattr ;
+dontaudit vendor_telephony_app vendor_rild_prop:file open ;
+dontaudit vendor_telephony_app vendor_rild_prop:file read ;
+dontaudit vendor_telephony_app vendor_rild_prop:file map ;
+# b/179437464
+dontaudit vendor_telephony_app activity_service:service_manager { find };
+dontaudit vendor_telephony_app thermal_service:service_manager { find };
+dontaudit vendor_telephony_app tethering_service:service_manager { find };
diff --git a/usf/file.te b/usf/file.te
new file mode 100644
index 00000000..e264c277
--- /dev/null
+++ b/usf/file.te
@@ -0,0 +1,12 @@
+#
+# USF file SELinux type enforcements.
+#
+
+# Declare the sensor registry persist file type. By convention, persist file
+# types begin with "persist_".
+type persist_sensor_reg_file, file_type, vendor_persist_type;
+
+# Declare the sensor registry data file type. By convention, data file types
+# end with "data_file".
+type sensor_reg_data_file, file_type, data_file_type;
+
diff --git a/usf/file_contexts b/usf/file_contexts
new file mode 100644
index 00000000..ff3d41d3
--- /dev/null
+++ b/usf/file_contexts
@@ -0,0 +1,10 @@
+#
+# USF SELinux file security contexts.
+#
+
+# Sensor registry persist files.
+/mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0
+
+# Sensor registry data files.
+/data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0
+
diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te
new file mode 100644
index 00000000..afb74634
--- /dev/null
+++ b/usf/sensor_hal.te
@@ -0,0 +1,22 @@
+#
+# USF sensor HAL SELinux type enforcements.
+#
+
+# Allow reading of sensor registry persist files.
+allow hal_sensors_default persist_file:dir search;
+allow hal_sensors_default mnt_vendor_file:dir search;
+r_dir_file(hal_sensors_default, persist_sensor_reg_file)
+
+# Allow creation and writing of sensor registry data files.
+allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms;
+allow hal_sensors_default sensor_reg_data_file:file create_file_perms;
+
+# Allow access to the AoC communication driver.
+allow hal_sensors_default aoc_device:chr_file rw_file_perms;
+
+# Allow access to the AoC clock and kernel boot time sys FS node. This is needed
+# to synchronize the AP and AoC clock timestamps.
+allow hal_sensors_default sysfs_aoc_boottime:file rw_file_perms;
+
+# Allow create thread to watch AOC's device.
+allow hal_sensors_default device:dir r_dir_perms;
diff --git a/whitechapel/vendor/google/abox.te b/whitechapel/vendor/google/abox.te
new file mode 100644
index 00000000..eb2c3aaf
--- /dev/null
+++ b/whitechapel/vendor/google/abox.te
@@ -0,0 +1,4 @@
+type abox, domain;
+type abox_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(abox)
+
diff --git a/whitechapel/vendor/google/aocd.te b/whitechapel/vendor/google/aocd.te
new file mode 100644
index 00000000..4cab55af
--- /dev/null
+++ b/whitechapel/vendor/google/aocd.te
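Review bot: In usf/sensor_hal.te, `allow hal_sensors_default sysfs_aoc_boottime:file rw_file_perms;` grants write access although the comment above it only describes synchronizing clock timestamps, and chre.te later in this patch gets `r_file_perms` on the same type. If the sensor HAL never writes the node, `r_file_perms` is sufficient; if it does, the comment should say what is written. The final rule, `allow hal_sensors_default device:dir r_dir_perms;`, allows reading the generic `device` directory in order to watch one device and deserves the same kind of explanation (chre.te carries the identical rule).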
@@ -0,0 +1,14 @@
+type aocd, domain;
+type aocd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(aocd)
+
+# access persist files
+allow aocd mnt_vendor_file:dir search;
+allow aocd persist_file:dir search;
+
+# sysfs operations
+allow aocd sysfs_aoc:dir search;
+allow aocd sysfs_aoc_firmware:file w_file_perms;
+
+# dev operations
+allow aocd aoc_device:chr_file r_file_perms;
diff --git a/whitechapel/vendor/google/aocdump.te b/whitechapel/vendor/google/aocdump.te
new file mode 100644
index 00000000..bfd11d48
--- /dev/null
+++ b/whitechapel/vendor/google/aocdump.te
@@ -0,0 +1,16 @@
+type aocdump, domain;
+type aocdump_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(aocdump)
+
+userdebug_or_eng(`
+ # Permit communication with AoC
+ allow aocdump aoc_device:chr_file rw_file_perms;
+
+ allow aocdump radio_vendor_data_file:dir rw_dir_perms;
+ allow aocdump radio_vendor_data_file:file create_file_perms;
+ set_prop(aocdump, vendor_audio_prop);
+
+ allow aocdump self:unix_stream_socket create_stream_socket_perms;
+ allow aocdump property_socket:sock_file { write };
+ allow aocdump audio_vendor_data_file:sock_file { create unlink };
+')
diff --git a/whitechapel/vendor/google/attributes b/whitechapel/vendor/google/attributes
new file mode 100644
index 00000000..7e6def72
--- /dev/null
+++ b/whitechapel/vendor/google/attributes
@@ -0,0 +1 @@
+attribute vendor_persist_type;
diff --git a/whitechapel/vendor/google/bipchmgr.te b/whitechapel/vendor/google/bipchmgr.te
new file mode 100644
index 00000000..9298e322
--- /dev/null
+++ b/whitechapel/vendor/google/bipchmgr.te
@@ -0,0 +1,9 @@
+type bipchmgr, domain;
+type bipchmgr_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(bipchmgr)
+
+get_prop(bipchmgr, hwservicemanager_prop);
+
+allow bipchmgr hal_exynos_rild_hwservice:hwservice_manager find;
+hwbinder_use(bipchmgr)
+binder_call(bipchmgr, rild)
diff --git a/whitechapel/vendor/google/bootanim.te b/whitechapel/vendor/google/bootanim.te
new file mode 100644
index 00000000..7b3019df
--- /dev/null
+++ b/whitechapel/vendor/google/bootanim.te
@@ -0,0 +1,5 @@
+# TODO(b/62954877). On Android Wear, bootanim reads the time
+# during boot to display. It currently gets that time from a file
+# in /data/system. This should be moved. In the meantime, suppress
+# this denial on phones since this functionality is not used.
+dontaudit bootanim system_data_file:dir r_dir_perms;
diff --git a/whitechapel/vendor/google/bootdevice_sysdev.te b/whitechapel/vendor/google/bootdevice_sysdev.te
new file mode 100644
index 00000000..2ff0acb9
--- /dev/null
+++ b/whitechapel/vendor/google/bootdevice_sysdev.te
@@ -0,0 +1 @@
+allow bootdevice_sysdev sysfs:filesystem associate;
diff --git a/whitechapel/vendor/google/cbd.te b/whitechapel/vendor/google/cbd.te
new file mode 100644
index 00000000..6e21902e
--- /dev/null
+++ b/whitechapel/vendor/google/cbd.te
@@ -0,0 +1,44 @@
+type cbd, domain;
+type cbd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(cbd)
+
+set_prop(cbd, vendor_modem_prop)
+set_prop(cbd, vendor_cbd_prop)
+set_prop(cbd, vendor_rild_prop)
+
+allow cbd kmsg_device:chr_file rw_file_perms;
+
+allow cbd vendor_shell_exec:file execute_no_trans;
+allow cbd vendor_toolbox_exec:file execute_no_trans;
+
+# Allow cbd to access modem block device
+allow cbd block_device:dir search;
+allow cbd modem_block_device:blk_file r_file_perms;
+
+# Allow cbd to access sysfs chosen files
+allow cbd sysfs_chosen:file r_file_perms;
+allow cbd sysfs_chosen:dir r_dir_perms;
+
+allow cbd radio_device:chr_file rw_file_perms;
+
+# Allow cbd to operate with modem EFS file/dir
+allow cbd modem_efs_file:dir create_dir_perms;
+allow cbd modem_efs_file:file create_file_perms;
+
+# Allow cbd to operate with modem userdata file/dir
+allow cbd modem_userdata_file:dir create_dir_perms;
+allow cbd modem_userdata_file:file create_file_perms;
+
+# Allow cbd to access modem image file/dir
+allow cbd modem_img_file:dir r_dir_perms;
+allow cbd modem_img_file:file r_file_perms;
+
+# Allow cbd to collect crash info
+allow cbd sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+allow cbd sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+
+userdebug_or_eng(`
+ allow cbd sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+ allow cbd sscoredump_vendor_data_coredump_file:file create_file_perms;
+')
+
diff --git a/whitechapel/vendor/google/chre.te b/whitechapel/vendor/google/chre.te
new file mode 100644
index 00000000..f8d395fc
--- /dev/null
+++ b/whitechapel/vendor/google/chre.te
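Review bot: `allow cbd vendor_shell_exec:file execute_no_trans;` and the matching `vendor_toolbox_exec` rule in cbd.te carry no comment, and they let cbd run a shell inside its own domain, so whatever is executed inherits cbd's write access to `modem_efs_file`, `modem_userdata_file`, `radio_device` and `kmsg_device`. If only a fixed helper is needed, a dedicated domain entered through a transition would confine it; at minimum a comment should name what is executed and why. `allow cbd kmsg_device:chr_file rw_file_perms;` is undocumented as well, and `w_file_perms` would be enough if cbd only writes log lines there.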
@@ -0,0 +1,13 @@
+type chre, domain;
+type chre_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(chre)
+
+# Permit communication with AoC
+allow chre aoc_device:chr_file rw_file_perms;
+
+# Allow CHRE to determine AoC's current clock
+allow chre sysfs_aoc:dir search;
+allow chre sysfs_aoc_boottime:file r_file_perms;
+
+# Allow CHRE to create thread to watch AOC's device
+allow chre device:dir r_dir_perms;
diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te
new file mode 100644
index 00000000..375c91c3
--- /dev/null
+++ b/whitechapel/vendor/google/device.te
@@ -0,0 +1,52 @@
+# Block Devices
+type efs_block_device, dev_type;
+type fat_block_device, dev_type;
+type modem_block_device, dev_type;
+type modem_userdata_block_device, dev_type;
+type persist_block_device, dev_type;
+type vendor_block_device, dev_type;
+type sda_block_device, dev_type;
+
+# Exynos devices
+type vendor_m2m1shot_device, dev_type;
+type vendor_gnss_device, dev_type;
+type vendor_nanohub_device, dev_type;
+type vendor_secmem_device, dev_type;
+type pktrouter_device, dev_type;
+type vendor_toe_device, dev_type;
+type custom_ab_block_device, dev_type;
+type devinfo_block_device, dev_type;
+type tui_device, dev_type;
+
+# usbpd
+type logbuffer_device, dev_type;
+
+# EdgeTPU device (DarwiNN)
+type edgetpu_device, dev_type, mlstrustedobject;
+
+#cpuctl
+type cpuctl_device, dev_type;
+
+# Bt Wifi Coexistence device
+type wb_coexistence_dev, dev_type;
+
+# LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL
+type lwis_device, dev_type;
+
+# sensor direct DMA-BUF heap
+type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
+
+#faceauth DMA-BUF heaps
+type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
+
+#vframe-secure DMA-BUF heap
+type vframe_heap_device, dmabuf_heap_device_type, dev_type;
+
+#vscaler-secure DMA-BUF heap
+type vscaler_heap_device, dmabuf_heap_device_type, dev_type;
+
+# subsystem-coredump
+type sscoredump_device, dev_type;
+
+# AOC device
+type aoc_device, dev_type;
diff --git a/whitechapel/vendor/google/dmd.te b/whitechapel/vendor/google/dmd.te
new file mode 100644
index 00000000..c0c695f2
--- /dev/null
+++ b/whitechapel/vendor/google/dmd.te
@@ -0,0 +1,29 @@
+type dmd, domain;
+type dmd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(dmd)
+
+# Grant to access serial device for external logging tool
+allow dmd serial_device:chr_file rw_file_perms;
+
+# Grant to access radio device
+allow dmd radio_device:chr_file rw_file_perms;
+
+# Grant to access slog dir/file
+allow dmd vendor_slog_file:dir create_dir_perms;
+allow dmd vendor_slog_file:file create_file_perms;
+
+# Grant to access tcp socket
+allow dmd node:tcp_socket node_bind;
+allow dmd self:tcp_socket { create_socket_perms_no_ioctl listen accept bind };
+
+# Grant to access log related properties
+set_prop(dmd, vendor_diag_prop)
+set_prop(dmd, vendor_slog_prop)
+set_prop(dmd, vendor_modem_prop)
+
+get_prop(dmd, vendor_persist_config_default_prop)
+
+# Grant to access hwservice manager
+get_prop(dmd, hwservicemanager_prop)
+add_hwservice(dmd, hal_vendor_oem_hwservice)
+binder_call(dmd, hwservicemanager)
diff --git a/whitechapel/vendor/google/domain.te b/whitechapel/vendor/google/domain.te
new file mode 100644
index 00000000..cffaf8cd
--- /dev/null
+++ b/whitechapel/vendor/google/domain.te
@@ -0,0 +1 @@
+allow {domain -appdomain -rs} sysfs_vendor_sched:file w_file_perms;
diff --git a/whitechapel/vendor/google/dumpstate.te b/whitechapel/vendor/google/dumpstate.te
new file mode 100644
index 00000000..fb325056
--- /dev/null
+++ b/whitechapel/vendor/google/dumpstate.te
@@ -0,0 +1,4 @@
+dump_hal(hal_telephony)
+
+allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
+allow dumpstate persist_file:dir r_dir_perms;
diff --git a/whitechapel/vendor/google/edgetpu_logging.te b/whitechapel/vendor/google/edgetpu_logging.te
new file mode 100644
index 00000000..021338f4
--- /dev/null
+++ b/whitechapel/vendor/google/edgetpu_logging.te
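Review bot: The serial-device and TCP listener grants in dmd.te (`allow dmd serial_device:chr_file rw_file_perms;`, `allow dmd node:tcp_socket node_bind;` and the `listen accept bind` rule on `self:tcp_socket`) are unconditional, so this diagnostic logging daemon is permitted to accept network connections on user builds as well as on debug builds. If the external logging tool is only meant for engineering builds, wrap those three rules in a `userdebug_or_eng` block, the way file.te in this same commit gates `vendor_gps_file`. Whether dmd is started on user builds is not visible from this hunk, so confirm against its init rc before narrowing.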
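Review bot: The single rule in domain.te, `allow {domain -appdomain -rs} sysfs_vendor_sched:file w_file_perms;`, gives every non-app domain on the device write access to the vendor scheduler sysfs nodes and carries no comment explaining why. That set includes every vendor daemon declared in this commit, so the rule makes scheduler tuning part of the privilege of each of them rather than of the few that need it. Prefer granting `w_file_perms` to the specific domains that tune the scheduler, or to a dedicated attribute, and if the broad form has to stay add a comment such as `# Every native process sets its own vendor sched group; see <bug>` that names the reason.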
@@ -0,0 +1,6 @@
+type edgetpu_logging, domain;
+type edgetpu_logging_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(edgetpu_logging)
+
+# The logging service accesses /dev/abrolhos
+allow edgetpu_logging edgetpu_device:chr_file rw_file_perms;
diff --git a/whitechapel/vendor/google/edgetpu_service.te b/whitechapel/vendor/google/edgetpu_service.te
new file mode 100644
index 00000000..241a87eb
--- /dev/null
+++ b/whitechapel/vendor/google/edgetpu_service.te
@@ -0,0 +1,28 @@
+# EdgeTPU server process which runs the EdgeTPU binder service.
+type edgetpu_server, coredomain, domain;
+type edgetpu_server_exec, exec_type, system_file_type, file_type;
+init_daemon_domain(edgetpu_server, edgetpu_server_exec)
+
+# The server will use binder calls.
+binder_use(edgetpu_server);
+
+# The server will serve a binder service.
+binder_service(edgetpu_server);
+
+# EdgeTPU binder service type declaration.
+type edgetpu_service, service_manager_type;
+
+# EdgeTPU server to register the service to service_manager.
+add_service(edgetpu_server, edgetpu_service);
+
+# EdgeTPU service needs to access /dev/abrolhos.
+allow edgetpu_server edgetpu_device:chr_file rw_file_perms;
+allow edgetpu_server sysfs_edgetpu:dir r_dir_perms;
+allow edgetpu_server sysfs_edgetpu:file rw_file_perms;
+
+# Applications are not allowed to open the EdgeTPU device directly.
+neverallow appdomain edgetpu_device:chr_file { open };
+
+# Allow EdgeTPU service access to its data files.
+allow edgetpu_server edgetpu_service_data_file:file create_file_perms;
+allow edgetpu_server edgetpu_service_data_file:dir rw_dir_perms;
diff --git a/whitechapel/vendor/google/exo_camera_injection/dumpstate.te b/whitechapel/vendor/google/exo_camera_injection/dumpstate.te
new file mode 100644
index 00000000..1a5b393d
--- /dev/null
+++ b/whitechapel/vendor/google/exo_camera_injection/dumpstate.te
@@ -0,0 +1,2 @@
+# For collecting bugreports.
+dump_hal(hal_camera)
diff --git a/whitechapel/vendor/google/exo_camera_injection/file_contexts b/whitechapel/vendor/google/exo_camera_injection/file_contexts
new file mode 100644
index 00000000..cfcbd6ff
--- /dev/null
+++ b/whitechapel/vendor/google/exo_camera_injection/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/hw/vendor\.google\.exo_camera_injection@1\.0-service u:object_r:hal_exo_camera_injection_exec:s0
diff --git a/whitechapel/vendor/google/exo_camera_injection/hal_exo_camera_injection.te b/whitechapel/vendor/google/exo_camera_injection/hal_exo_camera_injection.te
new file mode 100644
index 00000000..138d1b1d
--- /dev/null
+++ b/whitechapel/vendor/google/exo_camera_injection/hal_exo_camera_injection.te
@@ -0,0 +1,10 @@
+# TODO(b/180558115): It will moved to pixel-sepolicy after pixel 6 launches.
+type hal_exo_camera_injection, domain;
+hal_server_domain(hal_exo_camera_injection, hal_camera)
+
+type hal_exo_camera_injection_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_exo_camera_injection)
+
+hwbinder_use(hal_exo_camera_injection)
+add_hwservice(hal_exo_camera_injection, hal_exo_camera_injection_hwservice)
+allow hal_exo_camera_injection hal_graphics_mapper_hwservice:hwservice_manager find;
diff --git a/whitechapel/vendor/google/exo_camera_injection/hwservice.te b/whitechapel/vendor/google/exo_camera_injection/hwservice.te
new file mode 100644
index 00000000..cea97689
--- /dev/null
+++ b/whitechapel/vendor/google/exo_camera_injection/hwservice.te
@@ -0,0 +1 @@
+type hal_exo_camera_injection_hwservice, hwservice_manager_type;
diff --git a/whitechapel/vendor/google/exo_camera_injection/hwservice_contexts b/whitechapel/vendor/google/exo_camera_injection/hwservice_contexts
new file mode 100644
index 00000000..59ccfe67
--- /dev/null
+++ b/whitechapel/vendor/google/exo_camera_injection/hwservice_contexts
@@ -0,0 +1 @@
+vendor.google.exo_camera_injection::IExoCameraInjection u:object_r:hal_exo_camera_injection_hwservice:s0
diff --git a/whitechapel/vendor/google/exo_camera_injection/platform_app.te b/whitechapel/vendor/google/exo_camera_injection/platform_app.te
new file mode 100644
index 00000000..b4dee87f
--- /dev/null
+++ b/whitechapel/vendor/google/exo_camera_injection/platform_app.te
@@ -0,0 +1,3 @@
+# Allow exo app to find and bind exo camera injection hal.
+allow platform_app hal_exo_camera_injection_hwservice:hwservice_manager find;
+binder_call(platform_app, hal_exo_camera_injection)
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
new file mode 100644
index 00000000..5ec18e27
--- /dev/null
+++ b/whitechapel/vendor/google/file.te
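Review bot: The comment in exo_camera_injection/platform_app.te says the rules are for the exo app, but `allow platform_app hal_exo_camera_injection_hwservice:hwservice_manager find;` and `binder_call(platform_app, hal_exo_camera_injection)` grant the HAL to every app that runs in the platform_app domain. The commit's diffstat lists ambient/exo_app.te, so a dedicated app domain appears to exist, although its contents are not visible here. Granting `find` and `binder_call` to that domain instead would keep a HAL that is registered as a camera HAL server, and that judging by its name supplies camera input, out of reach of unrelated platform-signed apps. If the exo app really does run as platform_app, the comment should say so and name the bug that tracks moving it.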
@@ -0,0 +1,177 @@
+# Exynos Data Files
+#type vendor_data_file, file_type, data_file_type;
+type vendor_cbd_boot_file, file_type, data_file_type;
+type vendor_media_data_file, file_type, data_file_type;
+
+# Exynos Log Files
+type vendor_log_file, file_type, data_file_type;
+type vendor_abox_log_file, file_type, data_file_type;
+type vendor_cbd_log_file, file_type, data_file_type;
+type vendor_dmd_log_file, file_type, data_file_type;
+type vendor_rfsd_log_file, file_type, data_file_type;
+type vendor_dump_log_file, file_type, data_file_type;
+type vendor_rild_log_file, file_type, data_file_type;
+type vendor_sced_log_file, file_type, data_file_type;
+type vendor_slog_file, file_type, data_file_type, mlstrustedobject;
+type vendor_telephony_log_file, file_type, data_file_type;
+type vendor_vcd_log_file, file_type, data_file_type;
+
+# app data files
+type vendor_test_data_file, file_type, data_file_type;
+type vendor_telephony_data_file, file_type, data_file_type;
+type vendor_ims_data_file, file_type, data_file_type;
+type vendor_misc_data_file, file_type, data_file_type;
+type vendor_rpmbmock_data_file, file_type, data_file_type;
+
+# Exynos debugfs
+type vendor_abox_debugfs, fs_type, debugfs_type;
+type vendor_ion_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_dmabuf_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_mali_debugfs, fs_type, debugfs_type;
+type vendor_dri_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_pm_genpd_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_regmap_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_usb_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_maxfg_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_charger_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_votable_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_battery_debugfs, fs_type, debugfs_type, sysfs_type;
+
+# Exynos sysfs
+type sysfs_exynos_bts, sysfs_type, fs_type;
+type sysfs_exynos_bts_stats, sysfs_type, fs_type;
+
+# Exynos Firmware
+type vendor_fw_file, vendor_file_type, file_type;
+
+# ACPM
+type sysfs_acpm_stats, sysfs_type, fs_type;
+
+# Vendor tools
+type vendor_usf_stats, vendor_file_type, file_type;
+type vendor_dumpsys, vendor_file_type, file_type;
+
+# Sensors
+type nanohub_lock_file, file_type, data_file_type;
+type sensor_vendor_data_file, file_type, data_file_type, mlstrustedobject;
+type sensors_cal_file, file_type;
+type sysfs_nanoapp_cmd, sysfs_type, fs_type;
+
+# CHRE
+type chre_socket, file_type;
+
+# IOMMU
+type sysfs_iommu, sysfs_type, fs_type;
+
+type sysfs_devicetree, sysfs_type, fs_type;
+type sysfs_mem, sysfs_type, fs_type;
+type sysfs_sscoredump_level, sysfs_type, fs_type;
+
+# WiFi
+type sysfs_wifi, sysfs_type, fs_type;
+
+# Widevine DRM
+type mediadrm_vendor_data_file, file_type, data_file_type;
+
+# Subsystem coredump
+type sscoredump_vendor_data_coredump_file, file_type, data_file_type, mlstrustedobject;
+type sscoredump_vendor_data_crashinfo_file, file_type, data_file_type, mlstrustedobject;
+
+# Storage Health HAL
+type sysfs_scsi_devices_0000, sysfs_type, fs_type;
+type debugfs_f2fs, debugfs_type, fs_type;
+type proc_f2fs, proc_type, fs_type;
+
+type bootdevice_sysdev, dev_type;
+
+# ZRam
+type per_boot_file, file_type, data_file_type, core_data_file_type;
+
+# Touch
+type proc_touch, proc_type, fs_type, mlstrustedobject;
+type sysfs_touch, sysfs_type, fs_type;
+
+# AOC
+type sysfs_aoc_boottime, sysfs_type, fs_type;
+type sysfs_aoc_firmware, sysfs_type, fs_type;
+type sysfs_aoc, sysfs_type, fs_type;
+
+# Audio
+type persist_audio_file, file_type , vendor_persist_type;
+type audio_vendor_data_file, file_type, data_file_type;
+type aoc_audio_file, file_type, vendor_file_type;
+
+# Radio
+type radio_vendor_data_file, file_type, data_file_type, mlstrustedobject;
+
+# RILD
+type rild_vendor_data_file, file_type, data_file_type;
+
+# Modem
+type modem_stat_data_file, file_type, data_file_type;
+type modem_efs_file, file_type;
+type modem_img_file, file_type;
+type modem_userdata_file, file_type;
+type sysfs_modem, sysfs_type, fs_type;
+
+# Wireless
+type sysfs_wlc, sysfs_type, fs_type;
+
+# Kernel modules
+type vendor_kernel_modules, vendor_file_type, file_type;
+
+# Camera
+type persist_camera_file, file_type;
+type vendor_camera_tuning_file, vendor_file_type, file_type;
+type vendor_camera_data_file, file_type, data_file_type;
+
+# EdgeTPU device (DarwiNN)
+type hal_neuralnetworks_darwinn_data_file, file_type, data_file_type;
+
+# EdgeTPU
+type edgetpu_service_data_file, file_type, data_file_type, core_data_file_type;
+type sysfs_edgetpu, sysfs_type, fs_type;
+
+# Vendor sched files
+type sysfs_vendor_sched, sysfs_type, fs_type;
+
+# GPS
+type vendor_gps_file, file_type, data_file_type;
+userdebug_or_eng(`
+ typeattribute vendor_gps_file mlstrustedobject;
+')
+type sysfs_gps, sysfs_type, fs_type;
+
+# Display
+type sysfs_display, sysfs_type, fs_type;
+
+# Backlight
+type sysfs_backlight, sysfs_type, fs_type;
+
+# Charger
+type sysfs_chargelevel, sysfs_type, fs_type;
+
+# ODPM
+type odpm_config_file, file_type, data_file_type;
+type sysfs_odpm, sysfs_type, fs_type;
+
+# Chosen
+type sysfs_chosen, sysfs_type, fs_type;
+
+type sysfs_chip_id, sysfs_type, fs_type;
+type sysfs_spi, sysfs_type, fs_type;
+
+# subsystem-coredump
+type sscoredump_sysfs_level, sysfs_type, fs_type;
+
+# Battery
+type persist_battery_file, file_type, vendor_persist_type;
+
+# CPU
+type sysfs_cpu, sysfs_type, fs_type;
+
+# Memory
+type sysfs_memory, sysfs_type, fs_type;
+
+# bcmdhd (Broadcom FullMAC wireless cards support)
+type sysfs_bcmdhd, sysfs_type, fs_type;
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
new file mode 100644
index 00000000..d16737ec
--- /dev/null
+++ b/whitechapel/vendor/google/file_contexts
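Review bot: In file.te several log and dump types are declared `mlstrustedobject` unconditionally (`vendor_slog_file`, `radio_vendor_data_file`, `sensor_vendor_data_file`, `sscoredump_vendor_data_coredump_file`, `sscoredump_vendor_data_crashinfo_file`), while `vendor_gps_file` receives the attribute only inside `userdebug_or_eng`. The attribute exempts those objects from MLS checks, so on user builds the type-enforcement allow rules alone decide which app categories can reach modem logs and subsystem coredumps. If the exemption exists only for debug tooling, drop the attribute from the `type` lines and add `typeattribute vendor_slog_file mlstrustedobject;` (and the equivalents) inside a `userdebug_or_eng` block as is already done for GPS. Otherwise add a one-line comment per type naming the consumer that needs cross-category access.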
@@ -0,0 +1,397 @@
+#
+# Exynos HAL
+#
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.4-service\.widevine u:object_r:hal_drm_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.3-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service32 u:object_r:hal_usb_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.ExynosHWCServiceTW@1\.0-service u:object_r:hal_vendor_hwcservice_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.3-service\.gs101 u:object_r:hal_usb_impl_exec:s0
+/(vendor|system/vendor)/lib(64)?/libion_exynos\.so u:object_r:same_process_hal_file:s0
+
+/(vendor|system/vendor)/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libOpenCL-pixel\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libdmabufheap\.so u:object_r:same_process_hal_file:s0
+
+/vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0
+/vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0
+
+#
+# HALs
+#
+/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-2]-service-gs101 u:object_r:hal_bootctl_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@1\.1-service-brcm u:object_r:hal_gnss_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@2\.0-service-brcm u:object_r:hal_gnss_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service-brcm u:object_r:hal_gnss_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service\.gs101 u:object_r:hal_dumpstate_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.gs101 u:object_r:hal_power_stats_default_exec:s0
+# Wireless charger HAL
+/(vendor|system/vendor)/bin/hw/vendor\.google\.wireless_charger@1\.2-service-vendor u:object_r:hal_wlc_exec:s0
+
+# Vendor Firmwares
+/(vendor|system/vendor)/firmware(/.*)? u:object_r:vendor_fw_file:s0
+
+#
+# Exynos Block Devices
+#
+/dev/block/platform/14700000\.ufs/by-name/cache u:object_r:cache_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/efs u:object_r:efs_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/fat u:object_r:fat_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/modem u:object_r:modem_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/persist u:object_r:persist_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/system u:object_r:system_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vendor u:object_r:vendor_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/acpm_test_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dtb_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/ect_test_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/hypervisor_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/keystorage_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/reclaim_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/super u:object_r:super_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/sda u:object_r:sda_block_device:s0
+/dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0
+
+#
+# Exynos Devices
+#
+/dev/gnss_ipc u:object_r:vendor_gnss_device:s0
+/dev/bbd_control u:object_r:vendor_gnss_device:s0
+/dev/ttyBCM u:object_r:vendor_gnss_device:s0
+/dev/nanohub u:object_r:vendor_nanohub_device:s0
+/dev/nanohub_comms u:object_r:vendor_nanohub_device:s0
+/dev/m2m1shot_scaler0 u:object_r:vendor_m2m1shot_device:s0
+/dev/radio0 u:object_r:radio_device:s0
+/dev/dri/card0 u:object_r:graphics_device:s0
+/dev/fimg2d u:object_r:graphics_device:s0
+/dev/g2d u:object_r:graphics_device:s0
+/dev/tsmux u:object_r:video_device:s0
+/dev/repeater u:object_r:video_device:s0
+/dev/scsc_h4_0 u:object_r:radio_device:s0
+/dev/umts_boot0 u:object_r:radio_device:s0
+/dev/tui-driver u:object_r:tui_device:s0
+/dev/logbuffer_usbpd u:object_r:logbuffer_device:s0
+/dev/logbuffer_ssoc u:object_r:logbuffer_device:s0
+/dev/logbuffer_wireless u:object_r:logbuffer_device:s0
+/dev/logbuffer_ttf u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxq u:object_r:logbuffer_device:s0
+/dev/logbuffer_rtx u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg u:object_r:logbuffer_device:s0
+
+# DM tools device
+/dev/umts_dm0 u:object_r:radio_device:s0
+/dev/umts_router u:object_r:radio_device:s0
+
+# OEM IPC device
+/dev/oem_ipc[0-7] u:object_r:radio_device:s0
+
+# SIPC RIL device
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/umts_ipc1 u:object_r:radio_device:s0
+/dev/umts_rfs0 u:object_r:radio_device:s0
+/dev/ttyGS[0-3] u:object_r:serial_device:s0
+/dev/watchdog0 u:object_r:watchdog_device:s0
+
+# GPU device
+/dev/mali0 u:object_r:gpu_device:s0
+/dev/s5p-smem u:object_r:vendor_secmem_device:s0
+/dev/umts_wfc[01] u:object_r:pktrouter_device:s0
+
+#
+# Exynos Daemon Exec
+#
+/(vendor|system/vendor)/bin/cbd u:object_r:cbd_exec:s0
+/(vendor|system/vendor)/bin/dmd u:object_r:dmd_exec:s0
+/(vendor|system/vendor)/bin/hw/scd u:object_r:scd_exec:s0
+/(vendor|system/vendor)/bin/hw/gpsd u:object_r:gpsd_exec:s0
+/(vendor|system/vendor)/bin/hw/lhd u:object_r:lhd_exec:s0
+/(vendor|system/vendor)/bin/hw/rild_exynos u:object_r:rild_exec:s0
+/(vendor|system/vendor)/bin/main_abox u:object_r:abox_exec:s0
+/(vendor|system/vendor)/bin/rfsd u:object_r:rfsd_exec:s0
+/(vendor|system/vendor)/bin/rpmbd u:object_r:rpmbd_exec:s0
+/(vendor|system/vendor)/bin/sced u:object_r:sced_exec:s0
+/(vendor|system/vendor)/bin/vcd u:object_r:vcd_exec:s0
+/(vendor|system/vendor)/bin/bipchmgr u:object_r:bipchmgr_exec:s0
+
+# WFC
+/(vendor|system/vendor)/bin/wfc-pkt-router u:object_r:pktrouter_exec:s0
+
+#
+# Exynos Data Files
+#
+# gnss/gps data/log files
+/data/vendor/gps(/.*)? u:object_r:vendor_gps_file:s0
+
+#
+# Exynos Log Files
+#
+/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
+/data/vendor/log/abox(/.*)? u:object_r:vendor_abox_log_file:s0
+/data/vendor/log/cbd(/.*)? u:object_r:vendor_cbd_log_file:s0
+/data/vendor/log/dmd(/.*)? u:object_r:vendor_dmd_log_file:s0
+/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
+/data/vendor/log/dump(/.*)? u:object_r:vendor_dump_log_file:s0
+/data/vendor/log/rild(/.*)? u:object_r:vendor_rild_log_file:s0
+/data/vendor/log/sced(/.*)? u:object_r:vendor_sced_log_file:s0
+/data/vendor/log/slog(/.*)? u:object_r:vendor_slog_file:s0
+/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0
+/data/vendor/log/vcd(/.*)? u:object_r:vendor_vcd_log_file:s0
+
+/persist/sensorcal\.json u:object_r:sensors_cal_file:s0
+
+# data files
+/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
+
+# Camera
+/vendor/bin/hw/android\.hardware\.camera\.provider@2\.7-service-google u:object_r:hal_camera_default_exec:s0
+/vendor/lib64/camera u:object_r:vendor_camera_tuning_file:s0
+/vendor/lib64/camera/ghawb_para_lut\.bin u:object_r:vendor_camera_tuning_file:s0
+/vendor/lib64/camera/slider_.*\.binarypb u:object_r:vendor_camera_tuning_file:s0
+/vendor/bin/rlsservice u:object_r:rlsservice_exec:s0
+/mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0
+/data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0
+
+/dev/lwis-act0 u:object_r:lwis_device:s0
+/dev/lwis-act1 u:object_r:lwis_device:s0
+/dev/lwis-act-ak7377 u:object_r:lwis_device:s0
+/dev/lwis-act-sem1215sa u:object_r:lwis_device:s0
+/dev/lwis-csi u:object_r:lwis_device:s0
+/dev/lwis-dpm u:object_r:lwis_device:s0
+/dev/lwis-eeprom0 u:object_r:lwis_device:s0
+/dev/lwis-eeprom1 u:object_r:lwis_device:s0
+/dev/lwis-eeprom2 u:object_r:lwis_device:s0
+/dev/lwis-eeprom-lc898128 u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64s u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64x u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64x-imx386 u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64x-imx663 u:object_r:lwis_device:s0
+/dev/lwis-eeprom-sem1215sa u:object_r:lwis_device:s0
+/dev/lwis-flash0 u:object_r:lwis_device:s0
+/dev/lwis-flash-lm3644 u:object_r:lwis_device:s0
+/dev/lwis-g3aa u:object_r:lwis_device:s0
+/dev/lwis-gdc0 u:object_r:lwis_device:s0
+/dev/lwis-gdc1 u:object_r:lwis_device:s0
+/dev/lwis-gtnr-align u:object_r:lwis_device:s0
+/dev/lwis-gtnr-merge u:object_r:lwis_device:s0
+/dev/lwis-ipp u:object_r:lwis_device:s0
+/dev/lwis-itp u:object_r:lwis_device:s0
+/dev/lwis-mcsc u:object_r:lwis_device:s0
+/dev/lwis-ois-lc898128 u:object_r:lwis_device:s0
+/dev/lwis-ois-sem1215sa u:object_r:lwis_device:s0
+/dev/lwis-pdp u:object_r:lwis_device:s0
+/dev/lwis-scsc u:object_r:lwis_device:s0
+/dev/lwis-sensor0 u:object_r:lwis_device:s0
+/dev/lwis-sensor1 u:object_r:lwis_device:s0
+/dev/lwis-sensor2 u:object_r:lwis_device:s0
+/dev/lwis-sensor-gn1 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx355 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx386 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx586 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx663 u:object_r:lwis_device:s0
+/dev/lwis-slc u:object_r:lwis_device:s0
+/dev/lwis-top u:object_r:lwis_device:s0
+/dev/lwis-votf u:object_r:lwis_device:s0
+
+# VIDEO
+/vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_exec:s0
+/vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_exec:s0
+/data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0
+
+# thermal sysfs files
+/sys/class/thermal(/.*)? u:object_r:sysfs_thermal:s0
+/sys/devices/virtual/thermal(/.*)? u:object_r:sysfs_thermal:s0
+
+
+# IMS VoWiFi
+/data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0
+/data/vendor/VoWiFi(/.*)? u:object_r:vendor_ims_data_file:s0
+
+# Sensors
+/data/vendor/sensor(/.*)? u:object_r:sensor_vendor_data_file:s0
+/dev/acd-com.google.usf u:object_r:aoc_device:s0
+/dev/acd-logging u:object_r:aoc_device:s0
+/dev/aoc u:object_r:aoc_device:s0
+
+# Contexthub
+/vendor/bin/hw/android\.hardware\.contexthub@1\.2-service\.small_fragments u:object_r:hal_contexthub_default_exec:s0
+/(vendor|system/vendor)/bin/chre u:object_r:chre_exec:s0
+/dev/socket/chre u:object_r:chre_socket:s0
+
+# Modem logging
+/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
+
+# Audio logging
+/vendor/bin/aocdump u:object_r:aocdump_exec:s0
+
+# modem_svc_sit files
+/vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
+/data/vendor/modem_stat/debug\.txt u:object_r:modem_stat_data_file:s0
+
+# modem mnt files
+/mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0
+/mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0
+/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
+/mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0
+
+# Subsystem coredump
+/vendor/bin/sscoredump u:object_r:sscoredump_exec:s0
+/data/vendor/ssrdump(/.*)? u:object_r:sscoredump_vendor_data_crashinfo_file:s0
+/data/vendor/ssrdump/coredump(/.*)? u:object_r:sscoredump_vendor_data_coredump_file:s0
+/dev/sscd_.* u:object_r:sscoredump_device:s0
+
+# Kernel modules related
+/vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0
+
+# NFC
+/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0
+/dev/st21nfc u:object_r:nfc_device:s0
+/data/nfc(/.*)? u:object_r:nfc_data_file:s0
+
+# SecureElement
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service\.st u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_default_exec:s0
+/dev/st54j_se u:object_r:secure_element_device:s0
+/dev/st54spi u:object_r:secure_element_device:s0
+/dev/st33spi u:object_r:secure_element_device:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_default_exec:s0
+
+# Bluetooth
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service\.bcmbtlinux u:object_r:hal_bluetooth_btlinux_exec:s0
+/dev/wbrc u:object_r:wb_coexistence_dev:s0
+/dev/ttySAC16 u:object_r:hci_attach_dev:s0
+
+# Audio
+/mnt/vendor/persist/audio(/.*)? u:object_r:persist_audio_file:s0
+/data/vendor/audio(/.*)? u:object_r:audio_vendor_data_file:s0
+/vendor/etc/aoc(/.*)? u:object_r:aoc_audio_file:s0
+/dev/acd-audio_output_tuning u:object_r:aoc_device:s0
+/dev/acd-audio_bulk_tx u:object_r:aoc_device:s0
+/dev/acd-audio_bulk_rx u:object_r:aoc_device:s0
+/dev/acd-audio_input_tuning u:object_r:aoc_device:s0
+/dev/acd-audio_input_bulk_tx u:object_r:aoc_device:s0
+/dev/acd-audio_input_bulk_rx u:object_r:aoc_device:s0
+/dev/acd-sound_trigger u:object_r:aoc_device:s0
+/dev/acd-hotword_notification u:object_r:aoc_device:s0
+/dev/acd-hotword_pcm u:object_r:aoc_device:s0
+/dev/acd-ambient_pcm u:object_r:aoc_device:s0
+/dev/acd-model_data u:object_r:aoc_device:s0
+/dev/acd-debug u:object_r:aoc_device:s0
+/dev/acd-audio_tap[0-9]* u:object_r:aoc_device:s0
+
+# Trusty
+/vendor/bin/securedpud.slider u:object_r:securedpud_slider_exec:s0
+/vendor/bin/storageproxyd u:object_r:tee_exec:s0
+/vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0
+/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
+/vendor/bin/hw/android\.hardware\.keymaster@4\.0-service\.trusty u:object_r:hal_keymaster_default_exec:s0
+/vendor/bin/hw/android\.hardware\.confirmationui@1\.0-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0
+/dev/trusty-ipc-dev0 u:object_r:tee_device:s0
+/data/vendor/ss(/.*)? u:object_r:tee_data_file:s0
+/mnt/vendor/persist/data/ss(/.*)? u:object_r:tee_data_file:s0
+/dev/sg1 u:object_r:sg_device:s0
+
+# Battery
+/mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0
+
+# AoC file contexts.
+/vendor/bin/aocd u:object_r:aocd_exec:s0
+
+# NeuralNetworks file contexts
+/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.2-service-armnn u:object_r:hal_neuralnetworks_armnn_exec:s0
+/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-darwinn u:object_r:hal_neuralnetworks_darwinn_exec:s0
+
+# GRIL
+/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
+
+# Radio files.
+/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
+
+# RILD files
+/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
+
+# Citadel StrongBox
+/dev/gsc0 u:object_r:citadel_device:s0
+
+# EdgeTPU device (DarwiNN)
+/dev/abrolhos u:object_r:edgetpu_device:s0
+/vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0
+/system_ext/bin/hw/vendor\.google\.edgetpu@1\.0-service u:object_r:edgetpu_server_exec:s0
+/vendor/lib64/libedgetpu_darwinn2\.so u:object_r:same_process_hal_file:s0
+/data/vendor/hal_neuralnetworks_darwinn(/.*)? u:object_r:hal_neuralnetworks_darwinn_data_file:s0
+
+# EdgeTPU data file
+/data/edgetpu(/.*)? u:object_r:edgetpu_service_data_file:s0
+
+# Tetheroffload Service
+/dev/dit2 u:object_r:vendor_toe_device:s0
+/vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.0-service u:object_r:hal_tetheroffload_default_exec:s0
+
+# pixelstats binary
+/vendor/bin/pixelstats-vendor u:object_r:pixelstats_vendor_exec:s0
+
+# Vendor_kernel_modules
+/vendor/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0
+
+# Display
+/vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/gralloc\.gs101\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/vulkan\.gs101\.so u:object_r:same_process_hal_file:s0
+
+# Fingerprint
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:hal_fingerprint_default_exec:s0
+
+# ECC List
+/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
+
+# Zram
+/data/per_boot(/.*)? u:object_r:per_boot_file:s0
+
+# cpuctl
+/dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0
+
+# ODPM
+/data/vendor/powerstats(/.*)? u:object_r:odpm_config_file:s0
+
+# sensor direct DMA-BUF heap
+/dev/dma_heap/sensor_direct_heap u:object_r:sensor_direct_heap_device:s0
+
+# Console
+/dev/ttySAC0 u:object_r:tty_device:s0
+
+# faceauth DMA-BUF heaps
+/dev/dma_heap/faceauth_tpu-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/faimg-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/famodel-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/faprev-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0
+
+# vframe-secure DMA-BUF heap
+/dev/dma_heap/vframe-secure u:object_r:vframe_heap_device:s0
+
+# vscaler-secure DMA-BUF heap
+/dev/dma_heap/vscaler-secure u:object_r:vscaler_heap_device:s0
diff --git a/whitechapel/vendor/google/fsck.te b/whitechapel/vendor/google/fsck.te
new file mode 100644
index 00000000..d29555b3
--- /dev/null
+++ b/whitechapel/vendor/google/fsck.te
@@ -0,0 +1,3 @@
+allow fsck persist_block_device:blk_file rw_file_perms;
+allow fsck efs_block_device:blk_file rw_file_perms;
+allow fsck modem_userdata_block_device:blk_file rw_file_perms;
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
new file mode 100644
index 00000000..b98a7494
--- /dev/null
+++ b/whitechapel/vendor/google/genfs_contexts
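Review bot: Two entries in whitechapel/vendor/google/file_contexts leave regex dots unescaped although the rest of the file escapes them: `/dev/acd-com.google.usf` and `/vendor/bin/securedpud.slider`. file_contexts paths are regular expressions, so an unescaped `.` matches any character and the label can land on a path other than the one intended. Write them as `/dev/acd-com\.google\.usf` and `/vendor/bin/securedpud\.slider`. Separately, `/vendor/lib64/camera` has no `(/.*)?` suffix, so only the directory itself and the two explicitly listed file patterns receive `vendor_camera_tuning_file`; confirm that other files under that directory are meant to keep the default vendor label.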
@@ -0,0 +1,178 @@
+# AOC
+genfscon sysfs /devices/platform/19000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0
+genfscon sysfs /devices/platform/19000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0
+genfscon sysfs /devices/platform/19000000.aoc u:object_r:sysfs_aoc:s0
+
+# WiFi
+genfscon sysfs /wifi u:object_r:sysfs_wifi:s0
+# Battery
+genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/google,cpm/power_supply u:object_r:sysfs_batteryinfo:s0
+
+# Slider
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0050 u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0050/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/7-003c u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/7-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+# Whitefin
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050 u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply u:object_r:sysfs_batteryinfo:s0
+# R4 / P7 LunchBox
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0025 u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0025/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-003c u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+# O6
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025 u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+
+# Storage
+genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0
+genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0
+genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0
+genfscon sysfs /devices/platform/14700000.ufs/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/slowio_write_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/slowio_unmap_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/slowio_sync_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/manual_gc u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/io_stats u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/req_stats u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/err_stats u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/device_descriptor u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/clkgate_enable u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/hibern8_on_idle_enable u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/health_descriptor u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0
+
+# Vibrator
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-005a u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043 u:object_r:sysfs_vibrator:s0
+
+# System_suspend
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/cpif/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /sys/devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-source-psy-5-0050/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/3-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+
+# Touch
+genfscon sysfs /class/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0
+genfscon proc /fts/driver_test u:object_r:proc_touch:s0
+genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0
+
+# EdgeTPU
+genfscon sysfs /class/edgetpu u:object_r:sysfs_edgetpu:s0
+
+# Vendor sched files
+genfscon sysfs /kernel/vendor_sched/clear_prefer_high_cap u:object_r:sysfs_vendor_sched:s0
+genfscon sysfs /kernel/vendor_sched/set_prefer_high_cap u:object_r:sysfs_vendor_sched:s0
+genfscon sysfs /kernel/vendor_sched/prefer_high_cap_enable u:object_r:sysfs_vendor_sched:s0
+
+# GPS
+genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0
+
+# Display
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
+
+# Modem
+genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0
+
+# Bluetooth
+genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/bluetooth/hci0/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/btwake u:object_r:proc_bluetooth_writable:s0
+
+# ODPM
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+
+# Chosen
+genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0
+
+genfscon sysfs /devices/system/chip-id/ap_hw_tune_str u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/evt_ver u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/lot_id u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/product_id u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/raw_str u:object_r:sysfs_chip_id:s0
+
+# system_suspend wakeup nodes
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/power_supply/tcpm-source-psy-5-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+
+# subsystem-coredump
+genfscon sysfs /class/sscoredump/level u:object_r:sscoredump_sysfs_level:s0
+
+# ACPM
+genfscon sysfs /devices/platform/1742048c.acpm_stats u:object_r:sysfs_acpm_stats:s0
+
+genfscon sysfs /devices/platform/10d40000.spi/spi_master u:object_r:sysfs_spi:s0
+
+# Exynos
+genfscon sysfs /devices/platform/exynos-bts u:object_r:sysfs_exynos_bts:s0
+genfscon sysfs /devices/platform/exynos-bts/bts_stats u:object_r:sysfs_exynos_bts_stats:s0
+
+# CPU
+genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/cpupm/cpupm/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/1c500000.mali/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/time_in_state u:object_r:sysfs_cpu:s0
+
+# nvmem (Non Volatile Memory layer)
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/4-00500/nvmem u:object_r:sysfs_memory:s0
+
+# Broadcom
+genfscon sysfs /module/bcmdhd4389 u:object_r:sysfs_bcmdhd:s0
+
+# debugfs
+
+genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0
+genfscon debugfs /dma_buf/bufinfo u:object_r:vendor_dmabuf_debugfs:s0
+genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0
+genfscon debugfs /ion u:object_r:vendor_ion_debugfs:s0
+genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0
+genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0
+genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0
+genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0
+genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0
diff --git a/whitechapel/vendor/google/gpsd.te b/whitechapel/vendor/google/gpsd.te
new file mode 100644
index 00000000..64591cba
--- /dev/null
+++ b/whitechapel/vendor/google/gpsd.te
@@ -0,0 +1,25 @@
+type gpsd, domain;
+type gpsd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(gpsd)
+
+# Allow gpsd access PixelLogger unix socket in debug build only
+userdebug_or_eng(`
+ typeattribute gpsd mlstrustedsubject;
+ allow gpsd logger_app:unix_stream_socket connectto;
+')
+
+# Allow gpsd to obtain wakelock
+wakelock_use(gpsd)
+
+# Allow gpsd access data vendor gps files
+allow gpsd vendor_gps_file:dir create_dir_perms;
+allow gpsd vendor_gps_file:file create_file_perms;
+allow gpsd vendor_gps_file:fifo_file create_file_perms;
+
+# Allow gpsd to access rild
+binder_call(gpsd, rild);
+allow gpsd hal_exynos_rild_hwservice:hwservice_manager find;
+
+# Allow gpsd to access sensor service
+binder_call(gpsd, system_server);
+allow gpsd fwk_sensor_hwservice:hwservice_manager find;
diff --git a/whitechapel/vendor/google/grilservice_app.te b/whitechapel/vendor/google/grilservice_app.te
new file mode 100644
index 00000000..9eb8b8e0
--- /dev/null
+++ b/whitechapel/vendor/google/grilservice_app.te
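Review bot: In the System_suspend group of genfs_contexts, the entry `genfscon sysfs /sys/devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup` carries a `/sys` prefix that no other sysfs entry in the file has. genfscon paths are relative to the root of the named filesystem, so this line should never match a node, and only the next line (the same path without the prefix) takes effect. Drop the prefixed line so the file does not suggest that two nodes are labelled. Separately, the `# CPU` group puts `sysfs_cpu` on the devfreq and `1c500000.mali` `time_in_state` nodes; a comment there would make it clear that any domain granted `sysfs_cpu` also reads bus and GPU residency.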
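Review bot: In gpsd.te, `typeattribute gpsd mlstrustedsubject;` exempts gpsd from MLS constraints for every access it makes, while the comment above it only mentions one PixelLogger socket. The attribute is inside `userdebug_or_eng`, so user builds are not affected, but the comment should state the scope, for example `# mlstrustedsubject lifts MLS checks for all gpsd accesses; debug builds only, needed to connectto logger_app`. Presumably the attribute is there because logger_app runs with app categories; if so, say that too, so nobody copies the line outside the debug block.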
@@ -0,0 +1,8 @@
+type grilservice_app, domain;
+app_domain(grilservice_app)
+
+allow grilservice_app hal_radioext_hwservice:hwservice_manager find;
+allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find;
+allow grilservice_app app_api_service:service_manager find;
+binder_call(grilservice_app, hal_radioext_default)
+binder_call(grilservice_app, hal_wifi_ext)
diff --git a/whitechapel/vendor/google/hal_audio_default.te b/whitechapel/vendor/google/hal_audio_default.te
new file mode 100644
index 00000000..079d6bdf
--- /dev/null
+++ b/whitechapel/vendor/google/hal_audio_default.te
@@ -0,0 +1,22 @@
+vndbinder_use(hal_audio_default)
+hwbinder_use(hal_audio_default)
+
+allow hal_audio_default audio_vendor_data_file:dir rw_dir_perms;
+allow hal_audio_default audio_vendor_data_file:file create_file_perms;
+
+r_dir_file(hal_audio_default, aoc_audio_file);
+r_dir_file(hal_audio_default, mnt_vendor_file);
+r_dir_file(hal_audio_default, persist_audio_file);
+
+allow hal_audio_default persist_file:dir search;
+allow hal_audio_default aoc_device:file rw_file_perms;
+allow hal_audio_default aoc_device:chr_file rw_file_perms;
+
+allow hal_audio_default hal_audio_ext_hwservice:hwservice_manager { find add };
+
+get_prop(hal_audio_default, vendor_audio_prop);
+
+userdebug_or_eng(`
+ allow hal_audio_default self:unix_stream_socket create_stream_socket_perms;
+ allow hal_audio_default audio_vendor_data_file:sock_file { create unlink };
+')
diff --git a/whitechapel/vendor/google/hal_bluetooth_btlinux.te b/whitechapel/vendor/google/hal_bluetooth_btlinux.te
new file mode 100644
index 00000000..4e61c620
--- /dev/null
+++ b/whitechapel/vendor/google/hal_bluetooth_btlinux.te
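Review bot: In grilservice_app.te, `allow grilservice_app app_api_service:service_manager find;` lets the app look up every service that carries the `app_api_service` attribute, while the two hwservice rules above it name exactly the services the app talks to. If the app uses only a few framework services, list their types instead of the attribute. If the broad grant is intended, add a comment such as `# needs the normal app-facing framework services` so the width is a recorded decision.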
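Review bot: In hal_audio_default.te, `allow hal_audio_default hal_audio_ext_hwservice:hwservice_manager { find add };` registers the service with a raw allow, whereas hal_bluetooth_btlinux.te and hal_radioext_default.te in this patch use `add_hwservice(...)`. The macro also emits a neverallow that keeps every other domain from registering the same service, and the raw rule leaves that protection out. Prefer `add_hwservice(hal_audio_default, hal_audio_ext_hwservice)`. Also, `allow hal_audio_default aoc_device:file rw_file_perms;` sits next to the `chr_file` rule for the same type; if `aoc_device` only labels device nodes, the `file` rule grants nothing and can be removed.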
@@ -0,0 +1,19 @@
+add_hwservice(hal_bluetooth_btlinux, hal_bluetooth_coexistence_hwservice);
+
+allow hal_bluetooth_btlinux sysfs_bluetooth_writable:file rw_file_perms;
+allow hal_bluetooth_btlinux proc_bluetooth_writable:file rw_file_perms;
+allow hal_bluetooth_btlinux hci_attach_dev:chr_file rw_file_perms;
+allow hal_bluetooth_btlinux wb_coexistence_dev:chr_file rw_file_perms;
+
+# power stats
+vndbinder_use(hal_bluetooth_btlinux)
+allow hal_bluetooth_btlinux hal_power_stats_vendor_service:service_manager find;
+binder_call(hal_bluetooth_btlinux, hal_power_stats_default)
+
+allow hal_bluetooth_btlinux sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+allow hal_bluetooth_btlinux sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+
+userdebug_or_eng(`
+ allow hal_bluetooth_btlinux sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+ allow hal_bluetooth_btlinux sscoredump_vendor_data_coredump_file:file create_file_perms;
+')
diff --git a/whitechapel/vendor/google/hal_bootctl_default.te b/whitechapel/vendor/google/hal_bootctl_default.te
new file mode 100644
index 00000000..63741aed
--- /dev/null
+++ b/whitechapel/vendor/google/hal_bootctl_default.te
@@ -0,0 +1 @@
+allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;
diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te
new file mode 100644
index 00000000..0de87854
--- /dev/null
+++ b/whitechapel/vendor/google/hal_camera_default.te
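Review bot: The single rule in hal_bootctl_default.te, `allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;`, grants raw read-write on a block-device label with no comment saying what the boot control HAL stores there. Which nodes carry `sda_block_device` is defined outside this hunk, so confirm that it is not the whole-disk node: raw write there would reach data that fsck.te in this patch addresses through separate `persist_block_device` and `efs_block_device` labels. A one-line comment naming the data bootctl updates would make the grant reviewable.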
@@ -0,0 +1,36 @@
+allow hal_camera_default self:global_capability_class_set sys_nice;
+
+vndbinder_use(hal_camera_default);
+
+allow hal_camera_default vendor_camera_tuning_file:dir r_dir_perms;
+allow hal_camera_default vendor_camera_tuning_file:file r_file_perms;
+allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
+allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+allow hal_camera_default lwis_device:chr_file rw_file_perms;
+allow hal_camera_default gpu_device:chr_file rw_file_perms;
+allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
+allow hal_camera_default sysfs_edgetpu:dir r_dir_perms;
+allow hal_camera_default sysfs_edgetpu:file r_file_perms;
+allow hal_camera_default sysfs_chip_id:file r_file_perms;
+
+allow hal_camera_default mnt_vendor_file:dir search;
+allow hal_camera_default persist_file:dir search;
+allow hal_camera_default persist_camera_file:dir search;
+allow hal_camera_default persist_camera_file:file r_file_perms;
+
+get_prop(hal_camera_default, vendor_camera_prop);
+get_prop(hal_camera_default, vendor_camera_debug_prop);
+
+hal_client_domain(hal_camera_default, hal_graphics_allocator);
+hal_client_domain(hal_camera_default, hal_power);
+hal_client_domain(hal_camera_default, hal_thermal);
+
+# Allow access to sensor service for sensor_listener
+binder_call(hal_camera_default, system_server);
+
+# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
+allow hal_camera_default eco_service:service_manager find;
+binder_call(hal_camera_default, mediacodec);
+
+# grant access to hal_graphics_composer
+hal_client_domain(hal_camera_default, hal_graphics_composer)
diff --git a/whitechapel/vendor/google/hal_confirmationui.te b/whitechapel/vendor/google/hal_confirmationui.te
new file mode 100644
index 00000000..a8f4ae8c
--- /dev/null
+++ b/whitechapel/vendor/google/hal_confirmationui.te
@@ -0,0 +1,13 @@
+allow hal_confirmationui_default tee_device:chr_file rw_file_perms;
+
+binder_call(hal_confirmationui_default, keystore)
+
+vndbinder_use(hal_confirmationui_default)
+binder_call(hal_confirmationui_default, citadeld)
+allow hal_confirmationui_default citadeld_service:service_manager find;
+
+allow hal_confirmationui_default input_device:chr_file rw_file_perms;
+allow hal_confirmationui_default input_device:dir r_dir_perms;
+
+allow hal_confirmationui_default dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_confirmationui_default ion_device:chr_file r_file_perms;
diff --git a/whitechapel/vendor/google/hal_contexthub.te b/whitechapel/vendor/google/hal_contexthub.te
new file mode 100644
index 00000000..ba776c89
--- /dev/null
+++ b/whitechapel/vendor/google/hal_contexthub.te
@@ -0,0 +1,3 @@
+# Allow context hub HAL to communicate with daemon via socket
+allow hal_contexthub_default chre:unix_stream_socket connectto;
+allow hal_contexthub_default chre_socket:sock_file write;
\ No newline at end of file
diff --git a/whitechapel/vendor/google/hal_drm_clearkey.te b/whitechapel/vendor/google/hal_drm_clearkey.te
new file mode 100644
index 00000000..0e0a5c24
--- /dev/null
+++ b/whitechapel/vendor/google/hal_drm_clearkey.te
@@ -0,0 +1,5 @@
+type hal_drm_clearkey, domain;
+type hal_drm_clearkey_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_drm_clearkey)
+
+hal_server_domain(hal_drm_clearkey, hal_drm)
diff --git a/whitechapel/vendor/google/hal_drm_default.te b/whitechapel/vendor/google/hal_drm_default.te
new file mode 100644
index 00000000..30e443a8
--- /dev/null
+++ b/whitechapel/vendor/google/hal_drm_default.te
@@ -0,0 +1,6 @@
+# L3
+allow hal_drm_default mediadrm_vendor_data_file:file create_file_perms;
+allow hal_drm_default mediadrm_vendor_data_file:dir create_dir_perms;
+
+# L1
+allow hal_drm_default dmabuf_system_heap_device:chr_file r_file_perms;
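Review bot: In hal_confirmationui.te, `allow hal_confirmationui_default input_device:chr_file rw_file_perms;` gives the confirmation UI HAL write access to the input device nodes, not only the ability to read events from them. This HAL turns a physical user action into a confirmation that it passes on to keystore and citadeld (both called in this file), so its reach on input devices should be as small as possible. If it only reads key events, `allow hal_confirmationui_default input_device:chr_file r_file_perms;` is enough, since ioctl is already part of r_file_perms. If write is really required, say why in a comment; the file currently has none.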
diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te
new file mode 100644
index 00000000..d590a06d
--- /dev/null
+++ b/whitechapel/vendor/google/hal_dumpstate_default.te
@@ -0,0 +1,142 @@
+allow hal_dumpstate_default sysfs_exynos_bts:dir search;
+allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_bcmdhd:dir search;
+allow hal_dumpstate_default sysfs_bcmdhd:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_memory:file r_file_perms;
+allow hal_dumpstate_default sysfs_cpu:file r_file_perms;
+
+vndbinder_use(hal_dumpstate_default)
+
+allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms;
+allow hal_dumpstate_default vendor_gps_file:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_wlc:dir search;
+allow hal_dumpstate_default sysfs_wlc:file r_file_perms;
+
+allow hal_dumpstate_default shell_data_file:file getattr;
+
+allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms;
+allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms;
+
+allow hal_dumpstate_default vendor_rfsd_log_file:dir r_dir_perms;
+allow hal_dumpstate_default vendor_rfsd_log_file:file r_file_perms;
+
+allow hal_dumpstate_default vendor_log_file:dir search;
+
+allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans;
+allow hal_dumpstate_default vendor_dumpsys:file execute_no_trans;
+
+allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_acpm_stats:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_acpm_stats:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_spi:dir search;
+allow hal_dumpstate_default sysfs_spi:file rw_file_perms;
+
+allow hal_dumpstate_default device:dir r_dir_perms;
+allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms;
+allow hal_dumpstate_default aoc_device:chr_file rw_file_perms;
+
+allow hal_dumpstate_default sysfs_wifi:dir search;
+allow hal_dumpstate_default sysfs_wifi:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_thermal:file r_file_perms;
+allow hal_dumpstate_default sysfs_thermal:lnk_file read;
+
+allow hal_dumpstate_default modem_efs_file:dir search;
+allow hal_dumpstate_default modem_efs_file:file r_file_perms;
+allow hal_dumpstate_default modem_stat_data_file:file r_file_perms;
+
+allow hal_dumpstate_default block_device:dir r_dir_perms;
+
+allow hal_dumpstate_default proc_f2fs:dir r_dir_perms;
+allow hal_dumpstate_default proc_f2fs:file r_file_perms;
+allow hal_dumpstate_default proc_touch:file rw_file_perms;
+
+allow hal_dumpstate_default sysfs_batteryinfo:dir search;
+allow hal_dumpstate_default sysfs_batteryinfo:file r_file_perms;
+allow hal_dumpstate_default sysfs_chip_id:file r_file_perms;
+
+allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans;
+allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans;
+
+allow hal_dumpstate_default debugfs_f2fs:dir r_dir_perms;
+allow hal_dumpstate_default debugfs_f2fs:file r_file_perms;
+allow hal_dumpstate_default sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms;
+
+userdebug_or_eng(`
+ allow hal_dumpstate_default mnt_vendor_file:dir search;
+ allow hal_dumpstate_default ramdump_vendor_mnt_file:dir search;
+ allow hal_dumpstate_default ramdump_vendor_mnt_file:file r_file_perms;
+')
+
+get_prop(hal_dumpstate_default, boottime_public_prop)
+get_prop(hal_dumpstate_default, vendor_gps_prop)
+get_prop(hal_dumpstate_default, vendor_persist_sys_modem_prop)
+get_prop(hal_dumpstate_default, vendor_rild_prop)
+
+userdebug_or_eng(`
+ allow hal_dumpstate_default vendor_ion_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_ion_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_dri_debugfs:file r_file_perms;
+ allow hal_dumpstate_default vendor_dri_debugfs:dir search;
+
+ allow hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_usb_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_usb_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_regmap_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_regmap_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_maxfg_debugfs:dir search;
+ allow hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_charger_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_battery_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_votable_debugfs:file r_file_perms;
+')
+
+dontaudit hal_dumpstate_default vendor_ion_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_ion_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_dri_debugfs:file r_file_perms;
+dontaudit hal_dumpstate_default vendor_dri_debugfs:dir search;
+
+dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_usb_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_usb_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_regmap_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_regmap_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_maxfg_debugfs:dir search;
+dontaudit hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_charger_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_battery_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_votable_debugfs:file r_file_perms;
diff --git a/whitechapel/vendor/google/hal_gnss_default.te b/whitechapel/vendor/google/hal_gnss_default.te
new file mode 100644
index 00000000..e3004237
--- /dev/null
+++ b/whitechapel/vendor/google/hal_gnss_default.te
@@ -0,0 +1,4 @@
+# Allow hal_gnss_default access data vendor gps files
+allow hal_gnss_default vendor_gps_file:dir create_dir_perms;
+allow hal_gnss_default vendor_gps_file:file create_file_perms;
+allow hal_gnss_default vendor_gps_file:fifo_file create_file_perms;
diff --git a/whitechapel/vendor/google/hal_graphics_allocator_default.te b/whitechapel/vendor/google/hal_graphics_allocator_default.te
new file mode 100644
index 00000000..63a7dcfb
--- /dev/null
+++ b/whitechapel/vendor/google/hal_graphics_allocator_default.te
@@ -0,0 +1,4 @@
+allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default vframe_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default vscaler_heap_device:chr_file r_file_perms;
diff --git a/whitechapel/vendor/google/hal_graphics_composer_default.te b/whitechapel/vendor/google/hal_graphics_composer_default.te
new file mode 100644
index 00000000..f1d97149
--- /dev/null
+++ b/whitechapel/vendor/google/hal_graphics_composer_default.te
@@ -0,0 +1,5 @@
+allow hal_graphics_composer_default sysfs_display:dir search;
+allow hal_graphics_composer_default sysfs_display:file rw_file_perms;
+
+# allow HWC to access power hal
+binder_call(hal_graphics_composer_default, hal_power_default);
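Review bot: Three rules in hal_dumpstate_default.te give this dump collector write access where the rest of the file is read-only: `sysfs_spi:file rw_file_perms`, `proc_touch:file rw_file_perms` and `aoc_device:chr_file rw_file_perms`, all outside the `userdebug_or_eng` blocks. The genfs_contexts added by this commit labels `/devices/platform/10d40000.spi/spi_master` as `sysfs_spi` and `/proc/fts/driver_test` as `proc_touch`, so on user builds the bugreport path can write SPI and touch-driver attributes. If the writes exist to trigger a self-test dump, say so next to each rule, e.g. `# write is needed to request the touch self-test output`; otherwise reduce them to `r_file_perms`. The file has no comments at all, and a short header per group (modem, storage, battery, debugfs) would make its 142 lines much easier to audit.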
diff --git a/whitechapel/vendor/google/hal_health_default.te b/whitechapel/vendor/google/hal_health_default.te
new file mode 100644
index 00000000..4bc85f26
--- /dev/null
+++ b/whitechapel/vendor/google/hal_health_default.te
@@ -0,0 +1,7 @@
+allow hal_health_default mnt_vendor_file:dir search;
+allow hal_health_default persist_file:dir search;
+allow hal_health_default persist_battery_file:file create_file_perms;
+allow hal_health_default persist_battery_file:dir rw_dir_perms;
+
+set_prop(hal_health_default, vendor_battery_defender_prop)
+r_dir_file(hal_health_default, sysfs_scsi_devices_0000)
diff --git a/whitechapel/vendor/google/hal_health_storage_default.te b/whitechapel/vendor/google/hal_health_storage_default.te
new file mode 100644
index 00000000..2aa0881e
--- /dev/null
+++ b/whitechapel/vendor/google/hal_health_storage_default.te
@@ -0,0 +1,3 @@
+# Access to /sys/devices/platform/14700000.ufs/*
+allow hal_health_storage_default sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_health_storage_default sysfs_scsi_devices_0000:file rw_file_perms;
diff --git a/whitechapel/vendor/google/hal_neuralnetworks_armnn.te b/whitechapel/vendor/google/hal_neuralnetworks_armnn.te
new file mode 100644
index 00000000..f81d617b
--- /dev/null
+++ b/whitechapel/vendor/google/hal_neuralnetworks_armnn.te
@@ -0,0 +1,4 @@
+type hal_neuralnetworks_armnn, domain;
+type hal_neuralnetworks_armnn_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_neuralnetworks_armnn)
+
diff --git a/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te b/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te
new file mode 100644
index 00000000..9329a878
--- /dev/null
+++ b/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te
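Review bot: hal_neuralnetworks_armnn.te declares the domain and its exec type and calls `init_daemon_domain`, but unlike hal_neuralnetworks_darwinn.te and hal_drm_clearkey.te in this patch it has no `hal_server_domain(...)` line and no allow rules. The commit's file list includes tracking_denials/hal_neuralnetworks_armnn.te, so the domain presumably runs on rules collected from denials for now. If it is meant to serve the neural networks HAL, add `hal_server_domain(hal_neuralnetworks_armnn, hal_neuralnetworks)` here, and leave a comment such as `# TODO: rules still live in tracking_denials/` so the gap is visible in this file.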
@@ -0,0 +1,20 @@
+type hal_neuralnetworks_darwinn, domain;
+hal_server_domain(hal_neuralnetworks_darwinn, hal_neuralnetworks)
+
+type hal_neuralnetworks_darwinn_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_neuralnetworks_darwinn)
+
+# The TPU HAL looks for TPU instance in /dev/abrolhos
+allow hal_neuralnetworks_darwinn edgetpu_device:chr_file rw_file_perms;
+
+# Allow DawriNN service to use a client-provided fd residing in /vendor/etc/.
+allow hal_neuralnetworks_darwinn vendor_configs_file:file r_file_perms;
+
+# Allow DarwiNN service to access data files.
+allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:file create_file_perms;
+allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:dir rw_dir_perms;
+
+# Register to hwbinder service
+add_hwservice(hal_neuralnetworks_darwinn, hal_neuralnetworks_hwservice)
+hwbinder_use(hal_neuralnetworks_darwinn)
+get_prop(hal_neuralnetworks_darwinn, hwservicemanager_prop)
diff --git a/whitechapel/vendor/google/hal_nfc_default.te b/whitechapel/vendor/google/hal_nfc_default.te
new file mode 100644
index 00000000..f98e78c6
--- /dev/null
+++ b/whitechapel/vendor/google/hal_nfc_default.te
@@ -0,0 +1,9 @@
+# NFC property
+set_prop(hal_nfc_default, vendor_nfc_prop)
+
+# SecureElement property
+set_prop(hal_nfc_default, vendor_secure_element_prop)
+
+# Modem property
+set_prop(hal_nfc_default, vendor_modem_prop)
+
diff --git a/whitechapel/vendor/google/hal_power_default.te b/whitechapel/vendor/google/hal_power_default.te
new file mode 100644
index 00000000..c5aa154a
--- /dev/null
+++ b/whitechapel/vendor/google/hal_power_default.te
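Review bot: In hal_nfc_default.te, `set_prop(hal_nfc_default, vendor_modem_prop)` lets the NFC HAL write modem properties, and the only explanation is the comment `# Modem property`; hal_secure_element_default.te later in this patch grants the same to the secure element HAL. If these HALs only read modem state, `get_prop(hal_nfc_default, vendor_modem_prop)` keeps a misbehaving NFC or secure-element process from changing values that other domains read. If they do have to write, name the property and its consumer in the comment. The same question applies to the three `set_prop` calls on camera properties in hal_power_default.te, which carry no comment at all.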
@@ -0,0 +1,8 @@
+allow hal_power_default sysfs_scsi_devices_0000:file rw_file_perms;
+allow hal_power_default sysfs_fs_f2fs:dir r_dir_perms;
+allow hal_power_default sysfs_fs_f2fs:file rw_file_perms;
+allow hal_power_default sysfs_vendor_sched:file rw_file_perms;
+allow hal_power_default cpuctl_device:file rw_file_perms;
+set_prop(hal_power_default, vendor_camera_prop)
+set_prop(hal_power_default, vendor_camera_debug_prop)
+set_prop(hal_power_default, vendor_camera_fatp_prop)
diff --git a/whitechapel/vendor/google/hal_power_stats_default.te b/whitechapel/vendor/google/hal_power_stats_default.te
new file mode 100644
index 00000000..8ffff074
--- /dev/null
+++ b/whitechapel/vendor/google/hal_power_stats_default.te
@@ -0,0 +1,9 @@
+allow hal_power_stats_default sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_power_stats_default sysfs_scsi_devices_0000:file r_file_perms;
+
+# getStats AIDL callback to each power entry
+binder_call(hal_power_stats_default, hal_bluetooth_btlinux)
+
+allow hal_power_stats_default odpm_config_file:dir search;
+allow hal_power_stats_default odpm_config_file:file r_file_perms;
+allow hal_power_stats_default sysfs_odpm:file rw_file_perms;
diff --git a/whitechapel/vendor/google/hal_radioext_default.te b/whitechapel/vendor/google/hal_radioext_default.te
new file mode 100644
index 00000000..666d8db4
--- /dev/null
+++ b/whitechapel/vendor/google/hal_radioext_default.te
@@ -0,0 +1,12 @@
+type hal_radioext_default, domain;
+type hal_radioext_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_radioext_default)
+
+hwbinder_use(hal_radioext_default)
+get_prop(hal_radioext_default, hwservicemanager_prop)
+add_hwservice(hal_radioext_default, hal_radioext_hwservice)
+
+binder_call(hal_radioext_default, grilservice_app)
+
+# RW /dev/oem_ipc0
+allow hal_radioext_default radio_device:chr_file rw_file_perms;
diff --git a/whitechapel/vendor/google/hal_secure_element_default.te b/whitechapel/vendor/google/hal_secure_element_default.te
new file mode 100644
index 00000000..dc048746
--- /dev/null
+++ b/whitechapel/vendor/google/hal_secure_element_default.te
@@ -0,0 +1,10 @@
+allow hal_secure_element_default secure_element_device:chr_file rw_file_perms;
+allow hal_secure_element_default nfc_device:chr_file rw_file_perms;
+set_prop(hal_secure_element_default, vendor_secure_element_prop)
+set_prop(hal_secure_element_default, vendor_nfc_prop)
+set_prop(hal_secure_element_default, vendor_modem_prop)
+
+# Allow hal_secure_element_default to access rild
+binder_call(hal_secure_element_default, rild);
+allow hal_secure_element_default hal_exynos_rild_hwservice:hwservice_manager find;
+
diff --git a/whitechapel/vendor/google/hal_sensors_default.te b/whitechapel/vendor/google/hal_sensors_default.te
new file mode 100644
index 00000000..64620ba3
--- /dev/null
+++ b/whitechapel/vendor/google/hal_sensors_default.te
@@ -0,0 +1,19 @@
+# Allow access to the files of CDT information.
+r_dir_file(hal_sensors_default, sysfs_chosen)
+
+# Allow access to the leds driver.
+allow hal_sensors_default sysfs_leds:dir search;
+allow hal_sensors_default sysfs_leds:file rw_file_perms;
+
+# Allow access to the power supply files for MagCC.
+r_dir_file(hal_sensors_default, sysfs_batteryinfo)
+allow hal_sensors_default sysfs_wlc:dir r_dir_perms;
+
+# Allow access to sensor service for sensor_listener.
+binder_call(hal_sensors_default, system_server);
+
+# Allow access to the stats service.
+allow hal_sensors_default fwk_stats_hwservice:hwservice_manager find;
+
+# Allow access to the sysfs_aoc.
+allow hal_sensors_default sysfs_aoc:dir search;
diff --git a/whitechapel/vendor/google/hal_tetheroffload_default.te b/whitechapel/vendor/google/hal_tetheroffload_default.te
new file mode 100644
index 00000000..00ae3214
--- /dev/null
+++ b/whitechapel/vendor/google/hal_tetheroffload_default.te
@@ -0,0 +1,17 @@
+# associate netdomain to use for accessing internet sockets
+net_domain(hal_tetheroffload_default)
+
+# Allow operations with TOE device
+allow hal_tetheroffload_default vendor_toe_device:chr_file rw_file_perms;
+
+# Allow NETLINK and socket
+allow hal_tetheroffload_default self:{
+ netlink_socket
+ netlink_generic_socket
+ unix_dgram_socket
+} create_socket_perms_no_ioctl;
+
+# Register to hwbinder service
+add_hwservice(hal_tetheroffload_default, hal_tetheroffload_hwservice)
+hwbinder_use(hal_tetheroffload_default)
+get_prop(hal_tetheroffload_default, hwservicemanager_prop)
diff --git a/whitechapel/vendor/google/hal_thermal_default.te b/whitechapel/vendor/google/hal_thermal_default.te
new file mode 100644
index 00000000..66c3af87
--- /dev/null
+++ b/whitechapel/vendor/google/hal_thermal_default.te
@@ -0,0 +1 @@
+allow hal_thermal_default self:netlink_generic_socket create_socket_perms_no_ioctl;
diff --git a/whitechapel/vendor/google/hal_usb_impl.te b/whitechapel/vendor/google/hal_usb_impl.te
new file mode 100644
index 00000000..c95035ca
--- /dev/null
+++ b/whitechapel/vendor/google/hal_usb_impl.te
@@ -0,0 +1,12 @@
+type hal_usb_impl, domain;
+hal_server_domain(hal_usb_impl, hal_usb)
+hal_server_domain(hal_usb_impl, hal_usb_gadget)
+
+type hal_usb_impl_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_usb_impl)
+
+allow hal_usb_impl functionfs:dir { watch watch_reads };
+set_prop(hal_usb_impl, vendor_usb_config_prop)
+
+allow hal_usb_impl sysfs_batteryinfo:dir search;
+allow hal_usb_impl sysfs_batteryinfo:file r_file_perms;
diff --git a/whitechapel/vendor/google/hal_vendor_hwcservice_default.te b/whitechapel/vendor/google/hal_vendor_hwcservice_default.te
new file mode 100644
index 00000000..0cd13b33
--- /dev/null
+++ b/whitechapel/vendor/google/hal_vendor_hwcservice_default.te
@@ -0,0 +1,4 @@
+type hal_vendor_hwcservice_default, domain;
+type hal_vendor_hwcservice_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_vendor_hwcservice_default)
+
diff --git a/whitechapel/vendor/google/hal_wlc.te b/whitechapel/vendor/google/hal_wlc.te
new file mode 100644
index 00000000..891853c9
--- /dev/null
+++ b/whitechapel/vendor/google/hal_wlc.te
@@ -0,0 +1,16 @@
+type hal_wlc, domain;
+type hal_wlc_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_wlc)
+hwbinder_use(hal_wlc)
+add_hwservice(hal_wlc, hal_wlc_hwservice)
+get_prop(hal_wlc, hwservicemanager_prop)
+
+r_dir_file(hal_wlc, sysfs_batteryinfo)
+allow hal_wlc sysfs_wlc:dir r_dir_perms;
+allow hal_wlc sysfs_wlc:file rw_file_perms;
+
+allow hal_wlc self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+binder_call(hal_wlc, platform_app)
+binder_call(hal_wlc, system_app)
\ No newline at end of file
diff --git a/whitechapel/vendor/google/hardware_info_app.te b/whitechapel/vendor/google/hardware_info_app.te
new file mode 100644
index 00000000..b8774183
--- /dev/null
+++ b/whitechapel/vendor/google/hardware_info_app.te
@@ -0,0 +1,5 @@
+type hardware_info_app, domain;
+
+app_domain(hardware_info_app)
+
+allow hardware_info_app app_api_service:service_manager find;
diff --git a/whitechapel/vendor/google/hbmsvmanager_app.te b/whitechapel/vendor/google/hbmsvmanager_app.te
new file mode 100644
index 00000000..534f6c82
--- /dev/null
+++ b/whitechapel/vendor/google/hbmsvmanager_app.te
@@ -0,0 +1,11 @@
+type hbmsvmanager_app, domain, coredomain;
+
+app_domain(hbmsvmanager_app);
+
+allow hbmsvmanager_app hal_pixel_display_service:service_manager find;
+binder_call(hbmsvmanager_app, hal_graphics_composer_default)
+
+# Standard system services
+allow hbmsvmanager_app app_api_service:service_manager find;
+
+allow hbmsvmanager_app cameraserver_service:service_manager find;
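Review bot: hal_wlc.te ends without a trailing newline, as the `\ No newline at end of file` marker after `binder_call(hal_wlc, system_app)` shows; platform_app.te and sced.te in this commit carry the same marker. Policy sources are concatenated before compilation, so an unterminated last line relies on the build inserting a separator to keep it from running into the first line of the next file. End each of the three files with a newline.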
diff --git a/whitechapel/vendor/google/hwservice.te b/whitechapel/vendor/google/hwservice.te
new file mode 100644
index 00000000..0b489022
--- /dev/null
+++ b/whitechapel/vendor/google/hwservice.te
@@ -0,0 +1,20 @@
+type hal_vendor_telephony_hwservice, hwservice_manager_type;
+type hal_vendor_surfaceflinger_hwservice, hwservice_manager_type;
+
+# dmd servcie
+type hal_vendor_oem_hwservice, hwservice_manager_type;
+
+# rild service
+type hal_exynos_rild_hwservice, hwservice_manager_type;
+
+# GRIL service
+type hal_radioext_hwservice, hwservice_manager_type;
+
+# Audio
+type hal_audio_ext_hwservice, hwservice_manager_type;
+
+# WLC
+type hal_wlc_hwservice, hwservice_manager_type;
+
+# Bluetooth HAL extension
+type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type;
diff --git a/whitechapel/vendor/google/hwservice_contexts b/whitechapel/vendor/google/hwservice_contexts
new file mode 100644
index 00000000..64a59cb6
--- /dev/null
+++ b/whitechapel/vendor/google/hwservice_contexts
@@ -0,0 +1,28 @@
+vendor.samsung_slsi.hardware.radio::IOemSamsungslsi u:object_r:hal_telephony_hwservice:s0
+vendor.samsung_slsi.hardware.ExynosHWCServiceTW::IExynosHWCServiceTW u:object_r:hal_vendor_surfaceflinger_hwservice:s0
+vendor.samsung_slsi.hardware.configstore::IExynosHWCConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+
+# dmd HAL
+vendor.samsung_slsi.telephony.hardware.oemservice::IOemService u:object_r:hal_vendor_oem_hwservice:s0
+
+# rild HAL
+vendor.samsung_slsi.telephony.hardware.radio::IOemSamsungslsi u:object_r:hal_exynos_rild_hwservice:s0
+android.vendor.samsung_slsi.telephony.hardware.radio::IOemSamsungslsi u:object_r:hal_exynos_rild_hwservice:s0
+vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal u:object_r:hal_exynos_rild_hwservice:s0
+
+# VIDEO
+android.hardware.media.c2::IComponentStore u:object_r:hal_codec2_hwservice:s0
+android.hardware.media.c2::IConfigurable u:object_r:hal_codec2_hwservice:s0
+
+# GRIL HAL
+vendor.google.radioext::IRadioExt u:object_r:hal_radioext_hwservice:s0
+
+#Audio
+vendor.google.whitechapel.audio.audioext::IAudioExt u:object_r:hal_audio_ext_hwservice:s0
+
+# Wireless charger hal
+vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0
+
+# Bluetooth HAL extension
+hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0
+hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0
diff --git a/whitechapel/vendor/google/hwservicemanager.te b/whitechapel/vendor/google/hwservicemanager.te
new file mode 100644
index 00000000..7b64499b
--- /dev/null
+++ b/whitechapel/vendor/google/hwservicemanager.te
@@ -0,0 +1 @@
+binder_call(hwservicemanager, bipchmgr)
diff --git a/whitechapel/vendor/google/init-insmod-sh.te b/whitechapel/vendor/google/init-insmod-sh.te
new file mode 100644
index 00000000..e8424941
--- /dev/null
+++ b/whitechapel/vendor/google/init-insmod-sh.te
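Review bot: The first entry of hwservice_contexts labels `vendor.samsung_slsi.hardware.radio::IOemSamsungslsi` as `hal_telephony_hwservice`, while hwservice.te in this same commit declares `hal_vendor_telephony_hwservice` and no entry here uses it. `hal_telephony_hwservice` is not declared in the hwservice.te shown, so it appears to be the platform telephony type, which would make this OEM interface findable by every domain allowed to find the platform radio HAL. If the vendor type was intended, the label should be `u:object_r:hal_vendor_telephony_hwservice:s0`; otherwise a comment above the entry should say why the platform label is reused.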
@@ -0,0 +1,11 @@
+type init-insmod-sh, domain;
+type init-insmod-sh_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(init-insmod-sh)
+
+allow init-insmod-sh self:capability sys_module;
+allow init-insmod-sh vendor_kernel_modules:system module_load;
+allow init-insmod-sh vendor_toolbox_exec:file execute_no_trans;
+
+set_prop(init-insmod-sh, vendor_device_prop)
+
+dontaudit init-insmod-sh proc_cmdline:file r_file_perms;
diff --git a/whitechapel/vendor/google/init.te b/whitechapel/vendor/google/init.te
new file mode 100644
index 00000000..a703c47a
--- /dev/null
+++ b/whitechapel/vendor/google/init.te
@@ -0,0 +1,15 @@
+allow init custom_ab_block_device:lnk_file relabelto;
+
+# This is needed for chaining a boot partition vbmeta
+# descriptor, where init will probe the boot partition
+# to read the chained vbmeta in the first-stage, then
+# relabel /dev/block/by-name/boot_[a|b] to block_device
+# after loading sepolicy in the second stage.
+allow init boot_block_device:lnk_file relabelto;
+
+allow init persist_file:dir mounton;
+allow init modem_efs_file:dir mounton;
+allow init modem_userdata_file:dir mounton;
+allow init ram_device:blk_file w_file_perms;
+allow init per_boot_file:file ioctl;
+allowxperm init per_boot_file:file ioctl { F2FS_IOC_SET_PIN_FILE };
diff --git a/whitechapel/vendor/google/init_radio.te b/whitechapel/vendor/google/init_radio.te
new file mode 100644
index 00000000..3a29edf3
--- /dev/null
+++ b/whitechapel/vendor/google/init_radio.te
@@ -0,0 +1,8 @@
+type init_radio, domain;
+type init_radio_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init_radio);
+
+allow init_radio vendor_toolbox_exec:file execute_no_trans;
+allow init_radio radio_vendor_data_file:dir create_dir_perms;
+allow init_radio radio_vendor_data_file:file create_file_perms;
diff --git a/whitechapel/vendor/google/kernel.te b/whitechapel/vendor/google/kernel.te
new file mode 100644
index 00000000..cab39fb5
--- /dev/null
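Review bot: The `dontaudit init-insmod-sh proc_cmdline:file r_file_perms;` line at the end of init-insmod-sh.te suppresses denials with no comment saying what performs the read or why ignoring it is safe. This domain holds `sys_module` and `module_load`, so its audit trail matters more than most, and a silenced denial will not appear when someone later reviews or debugs module loading. Add a comment above the rule naming the program that reads /proc/cmdline and stating that the script works without it, or drop the rule and track the denial until the cause is known.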
+++ b/whitechapel/vendor/google/kernel.te
@@ -0,0 +1,5 @@
+allow kernel vendor_fw_file:dir search;
+allow kernel vendor_fw_file:file r_file_perms;
+
+# ZRam
+allow kernel per_boot_file:file r_file_perms;
diff --git a/whitechapel/vendor/google/lhd.te b/whitechapel/vendor/google/lhd.te
new file mode 100644
index 00000000..e980897c
--- /dev/null
+++ b/whitechapel/vendor/google/lhd.te
@@ -0,0 +1,23 @@
+type lhd, domain;
+type lhd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(lhd)
+
+# Allow lhd access PixelLogger unix socket in debug build only
+userdebug_or_eng(`
+ typeattribute lhd mlstrustedsubject;
+ allow lhd logger_app:unix_stream_socket connectto;
+')
+
+# Allow lhd access data vendor gps files
+allow lhd vendor_gps_file:dir create_dir_perms;
+allow lhd vendor_gps_file:file create_file_perms;
+allow lhd vendor_gps_file:fifo_file create_file_perms;
+
+# Allow lhd to obtain wakelock
+wakelock_use(lhd)
+
+# Allow lhd access /dev/bbd_control file
+allow lhd vendor_gnss_device:chr_file rw_file_perms;
+
+# Allow lhd access nstandby gpio
+allow lhd sysfs_gps:file rw_file_perms;
diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te
new file mode 100644
index 00000000..3e603c5f
--- /dev/null
+++ b/whitechapel/vendor/google/logger_app.te
@@ -0,0 +1,19 @@
+type logger_app, domain;
+
+userdebug_or_eng(`
+ app_domain(logger_app)
+ net_domain(logger_app)
+
+ allow logger_app app_api_service:service_manager find;
+ allow logger_app surfaceflinger_service:service_manager find;
+
+ allow logger_app radio_vendor_data_file:file create_file_perms;
+ allow logger_app radio_vendor_data_file:dir create_dir_perms;
+ allow logger_app vendor_slog_file:file {r_file_perms unlink};
+ allow logger_app vendor_gps_file:file create_file_perms;
+ allow logger_app vendor_gps_file:dir create_dir_perms;
+
+ set_prop(logger_app, vendor_modem_prop)
+ set_prop(logger_app, vendor_persist_sys_modem_prop)
+ set_prop(logger_app, vendor_gps_prop)
+')
diff --git a/whitechapel/vendor/google/mediacodec.te b/whitechapel/vendor/google/mediacodec.te
new file mode 100644
index 00000000..d3b108f6
--- /dev/null
+++ b/whitechapel/vendor/google/mediacodec.te
@@ -0,0 +1,6 @@
+userdebug_or_eng(`
+ set_prop(mediacodec, vendor_codec2_debug_prop)
+')
+
+add_service(mediacodec, eco_service)
+allow mediacodec hal_camera_default:binder call;
diff --git a/whitechapel/vendor/google/modem_logging_control.te b/whitechapel/vendor/google/modem_logging_control.te
new file mode 100644
index 00000000..7392297f
--- /dev/null
+++ b/whitechapel/vendor/google/modem_logging_control.te
@@ -0,0 +1,17 @@
+type modem_logging_control, domain;
+type modem_logging_control_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(modem_logging_control)
+
+hwbinder_use(modem_logging_control)
+binder_call(modem_logging_control, dmd)
+
+allow modem_logging_control radio_device:chr_file rw_file_perms;
+allow modem_logging_control hal_vendor_oem_hwservice:hwservice_manager find;
+allow modem_logging_control radio_vendor_data_file:dir create_dir_perms;
+allow modem_logging_control radio_vendor_data_file:file create_file_perms;
+allow modem_logging_control vendor_slog_file:dir create_dir_perms;
+allow modem_logging_control vendor_slog_file:file create_file_perms;
+
+set_prop(modem_logging_control, vendor_modem_prop)
+get_prop(modem_logging_control, hwservicemanager_prop)
diff --git a/whitechapel/vendor/google/modem_svc_sit.te b/whitechapel/vendor/google/modem_svc_sit.te
new file mode 100644
index 00000000..9ee5976f
--- /dev/null
+++ b/whitechapel/vendor/google/modem_svc_sit.te
@@ -0,0 +1,24 @@
+type modem_svc_sit, domain;
+type modem_svc_sit_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(modem_svc_sit)
+
+hwbinder_use(modem_svc_sit)
+binder_call(modem_svc_sit, rild)
+
+# Grant sysfs_modem access
+allow modem_svc_sit sysfs_modem:file rw_file_perms;
+
+# Grant radio device access
+allow modem_svc_sit radio_device:chr_file rw_file_perms;
+
+# Grant vendor radio and modem file/dir creation permission
+allow modem_svc_sit radio_vendor_data_file:dir create_dir_perms;
+allow modem_svc_sit radio_vendor_data_file:file create_file_perms;
+allow modem_svc_sit modem_stat_data_file:file create_file_perms;
+
+# RIL property
+get_prop(modem_svc_sit, vendor_rild_prop)
+
+# hwservice permission
+allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find;
+get_prop(modem_svc_sit, hwservicemanager_prop)
diff --git a/whitechapel/vendor/google/netutils_wrapper.te b/whitechapel/vendor/google/netutils_wrapper.te
new file mode 100644
index 00000000..a8090e37
--- /dev/null
+++ b/whitechapel/vendor/google/netutils_wrapper.te
@@ -0,0 +1,4 @@
+allow netutils_wrapper pktrouter:fd use;
+allow netutils_wrapper pktrouter:fifo_file write;
+allow netutils_wrapper pktrouter:packet_socket { read write };
+allow netutils_wrapper pktrouter:rawip_socket { read write };
diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te
new file mode 100644
index 00000000..23ae03d5
--- /dev/null
+++ b/whitechapel/vendor/google/pixelstats_vendor.te
@@ -0,0 +1,15 @@
+# pixelstats vendor
+type pixelstats_vendor, domain;
+
+type pixelstats_vendor_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(pixelstats_vendor)
+
+unix_socket_connect(pixelstats_vendor, chre, chre)
+
+get_prop(pixelstats_vendor, hwservicemanager_prop)
+hwbinder_use(pixelstats_vendor)
+
+allow pixelstats_vendor fwk_stats_hwservice:hwservice_manager find;
+binder_call(pixelstats_vendor, stats_service_server)
+
+allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms;
diff --git a/whitechapel/vendor/google/pktrouter.te b/whitechapel/vendor/google/pktrouter.te
new file mode 100644
index 00000000..8c436f3f
--- /dev/null
+++ b/whitechapel/vendor/google/pktrouter.te
@@ -0,0 +1,12 @@
+type pktrouter, domain;
+type pktrouter_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(pktrouter)
+net_domain(pktrouter)
+
+domain_auto_trans(pktrouter, netutils_wrapper_exec, netutils_wrapper);
+
+allow pktrouter pktrouter_device:chr_file rw_file_perms;
+allow pktrouter self:netlink_route_socket nlmsg_write;
+allow pktrouter self:packet_socket { bind create read write getattr shutdown};
+
+get_prop(pktrouter, vendor_ims_prop);
diff --git a/whitechapel/vendor/google/platform_app.te b/whitechapel/vendor/google/platform_app.te
new file mode 100644
index 00000000..3c7be060
--- /dev/null
+++ b/whitechapel/vendor/google/platform_app.te
@@ -0,0 +1,8 @@
+binder_call(platform_app, rild)
+allow platform_app hal_exynos_rild_hwservice:hwservice_manager find;
+
+allow platform_app hal_wlc_hwservice:hwservice_manager find;
+binder_call(platform_app, hal_wlc)
+
+allow platform_app fwk_stats_hwservice:hwservice_manager find;
+allow platform_app nfc_service:service_manager find;
\ No newline at end of file
diff --git a/whitechapel/vendor/google/priv_app.te b/whitechapel/vendor/google/priv_app.te
new file mode 100644
index 00000000..aed639f7
--- /dev/null
+++ b/whitechapel/vendor/google/priv_app.te
@@ -0,0 +1,6 @@
+# Allows privileged applications to discover the EdgeTPU service.
+allow priv_app edgetpu_service:service_manager find;
+
+# Allows privileged applications to access the EdgeTPU device, except open,
+# which is guarded by the EdgeTPU service.
+allow priv_app edgetpu_device:chr_file { getattr read write ioctl map };
diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te
new file mode 100644
index 00000000..5ac31d8b
--- /dev/null
+++ b/whitechapel/vendor/google/property.te
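Review bot: The last rule of priv_app.te, `allow priv_app edgetpu_device:chr_file { getattr read write ioctl map };`, grants `ioctl` with no `allowxperm` list, so a privileged app that has received an fd from the EdgeTPU service can issue every ioctl command the driver implements. Withholding `open` controls who obtains an fd, not what can be done through it. init.te in this same commit already uses the narrower pattern (`allowxperm init per_boot_file:file ioctl { F2FS_IOC_SET_PIN_FILE };`). The same should be added here as `allowxperm priv_app edgetpu_device:chr_file ioctl { ... };`, listing only the commands clients need; those are not visible in this patch.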
@@ -0,0 +1,34 @@
+# For Exynos Properties
+vendor_internal_prop(vendor_prop)
+vendor_internal_prop(vendor_ims_prop)
+vendor_internal_prop(vendor_rild_prop)
+vendor_internal_prop(vendor_slog_prop)
+vendor_internal_prop(sensors_prop)
+vendor_internal_prop(vendor_ssrdump_prop)
+vendor_internal_prop(vendor_device_prop)
+vendor_internal_prop(vendor_usb_config_prop)
+vendor_internal_prop(vendor_secure_element_prop)
+vendor_internal_prop(vendor_modem_prop)
+vendor_internal_prop(vendor_diag_prop)
+vendor_internal_prop(vendor_cbd_prop)
+# vendor defaults
+vendor_internal_prop(vendor_config_default_prop)
+vendor_internal_prop(vendor_ro_config_default_prop)
+vendor_internal_prop(vendor_persist_config_default_prop)
+vendor_internal_prop(vendor_sys_default_prop)
+vendor_internal_prop(vendor_ro_sys_default_prop)
+vendor_internal_prop(vendor_persist_sys_default_prop)
+vendor_internal_prop(vendor_audio_prop)
+vendor_internal_prop(vendor_codec2_debug_prop)
+vendor_internal_prop(vendor_display_prop)
+vendor_internal_prop(vendor_persist_sys_modem_prop)
+vendor_internal_prop(vendor_camera_prop)
+vendor_internal_prop(vendor_camera_debug_prop)
+vendor_internal_prop(vendor_camera_fatp_prop)
+vendor_internal_prop(vendor_gps_prop)
+
+# Battery defender
+vendor_internal_prop(vendor_battery_defender_prop)
+
+# NFC
+vendor_internal_prop(vendor_nfc_prop)
diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts
new file mode 100644
index 00000000..a3f993b1
--- /dev/null
+++ b/whitechapel/vendor/google/property_contexts
@@ -0,0 +1,89 @@
+# for rild
+persist.vendor.debug_level u:object_r:vendor_rild_prop:s0
+persist.vendor.ril. u:object_r:vendor_rild_prop:s0
+persist.vendor.radio. u:object_r:vendor_rild_prop:s0
+vendor.radio.ril. u:object_r:vendor_rild_prop:s0
+vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0
+vendor.ril. u:object_r:vendor_rild_prop:s0
+ro.vendor.build.svn u:object_r:vendor_rild_prop:s0
+
+# for ims service
+vendor.charon. u:object_r:vendor_ims_prop:s0
+vendor.pktrouter u:object_r:vendor_ims_prop:s0
+
+# Ramdump
+persist.vendor.sys.crash_rcu u:object_r:vendor_ramdump_prop:s0
+
+# SSR Detector
+vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0
+persist.vendor.sys.ssr. u:object_r:vendor_ssrdump_prop:s0
+
+# Kernel modules related
+vendor.common.modules.ready u:object_r:vendor_device_prop:s0
+vendor.device.modules.ready u:object_r:vendor_device_prop:s0
+vendor.all.modules.ready u:object_r:vendor_device_prop:s0
+vendor.all.devices.ready u:object_r:vendor_device_prop:s0
+
+# for codec2
+vendor.debug.c2.level u:object_r:vendor_codec2_debug_prop:s0
+vendor.debug.c2.dump u:object_r:vendor_codec2_debug_prop:s0
+vendor.debug.c2.dump.opt u:object_r:vendor_codec2_debug_prop:s0
+
+# USB HAL
+persist.vendor.usb. u:object_r:vendor_usb_config_prop:s0
+vendor.usb. u:object_r:vendor_usb_config_prop:s0
+
+# for modem
+persist.vendor.modem. u:object_r:vendor_modem_prop:s0
+vendor.modem. u:object_r:vendor_modem_prop:s0
+vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+vendor.sys.exynos.modempath u:object_r:vendor_modem_prop:s0
+persist.vendor.sys.modem. u:object_r:vendor_persist_sys_modem_prop:s0
+
+# for cbd
+vendor.cbd. u:object_r:vendor_cbd_prop:s0
+persist.vendor.cbd. u:object_r:vendor_cbd_prop:s0
+
+# for slog
+vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0
+vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0
+
+# for dmd
+persist.vendor.sys.dm. u:object_r:vendor_diag_prop:s0
+persist.vendor.sys.diag. u:object_r:vendor_diag_prop:s0
+vendor.sys.dmd.
u:object_r:vendor_diag_prop:s0
+vendor.sys.diag. u:object_r:vendor_diag_prop:s0
+
+# vendor default
+vendor.config. u:object_r:vendor_config_default_prop:s0
+ro.vendor.config. u:object_r:vendor_ro_config_default_prop:s0
+persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0
+vendor.sys. u:object_r:vendor_sys_default_prop:s0
+ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop:s0
+persist.vendor.sys. u:object_r:vendor_persist_sys_default_prop:s0
+
+
+# for audio
+vendor.audio_hal.period_multiplier u:object_r:vendor_audio_prop:s0
+vendor.audiodump.enable u:object_r:vendor_audio_prop:s0
+
+# for display
+ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0
+
+# for camera
+persist.camera. u:object_r:vendor_camera_prop:s0
+vendor.camera. u:object_r:vendor_camera_prop:s0
+vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s0
+vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0
+
+# for gps
+vendor.gps u:object_r:vendor_gps_prop:s0
+
+# SecureElement
+persist.vendor.se. u:object_r:vendor_secure_element_prop:s0
+
+# NFC
+persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0
+
+# Battery
+vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0
diff --git a/whitechapel/vendor/google/radio.te b/whitechapel/vendor/google/radio.te
new file mode 100644
index 00000000..ffa43521
--- /dev/null
+++ b/whitechapel/vendor/google/radio.te
@@ -0,0 +1 @@
+allow radio hal_exynos_rild_hwservice:hwservice_manager find;
diff --git a/whitechapel/vendor/google/ramdump_app.te b/whitechapel/vendor/google/ramdump_app.te
new file mode 100644
index 00000000..308e9fb7
--- /dev/null
+++ b/whitechapel/vendor/google/ramdump_app.te
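Review bot: In property_contexts the `persist.camera.` entry under `# for camera` carries the vendor label `vendor_camera_prop` but sits outside the vendor property namespace; every other prefix in the file starts with `vendor.`, `persist.vendor.` or `ro.vendor.`. A vendor-owned label on a non-vendor prefix can collide with a platform property of the same name, and hal_power_default.te in this commit is granted `set_prop` on that type. If the camera stack can be changed, the entry should become `persist.vendor.camera.`; if the old name has to stay for compatibility, a comment above the entry should say so.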
@@ -0,0 +1,24 @@
+type ramdump_app, domain;
+
+userdebug_or_eng(`
+ app_domain(ramdump_app)
+
+ allow ramdump_app app_api_service:service_manager find;
+
+ allow ramdump_app ramdump_vendor_data_file:file create_file_perms;
+ allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms;
+
+ set_prop(ramdump_app, vendor_ramdump_prop)
+ get_prop(ramdump_app, system_boot_reason_prop)
+
+ # To access ramdumpfs.
+ allow ramdump_app mnt_vendor_file:dir search;
+ allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms;
+ allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms;
+
+ # To access subsystem ramdump files and dirs.
+ allow ramdump_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+ allow ramdump_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+ allow ramdump_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
+ allow ramdump_app sscoredump_vendor_data_coredump_file:file r_file_perms;
+')
diff --git a/whitechapel/vendor/google/rfsd.te b/whitechapel/vendor/google/rfsd.te
new file mode 100644
index 00000000..df395cb4
--- /dev/null
+++ b/whitechapel/vendor/google/rfsd.te
@@ -0,0 +1,32 @@
+type rfsd, domain;
+type rfsd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(rfsd)
+
+# Allow to setuid from root to radio
+allow rfsd self:capability { chown setuid };
+
+# Allow to search block device and mnt dir for modem EFS partitions
+allow rfsd mnt_vendor_file:dir search;
+allow rfsd block_device:dir search;
+
+# Allow to operate with modem EFS file/dir
+allow rfsd modem_efs_file:dir create_dir_perms;
+allow rfsd modem_efs_file:file create_file_perms;
+
+allow rfsd radio_vendor_data_file:dir r_dir_perms;
+allow rfsd radio_vendor_data_file:file r_file_perms;
+
+# Allow to access rfsd log file/dir
+allow rfsd vendor_log_file:dir search;
+allow rfsd vendor_rfsd_log_file:dir create_dir_perms;
+allow rfsd vendor_rfsd_log_file:file create_file_perms;
+
+# Allow to read/write modem block device
+allow rfsd modem_block_device:blk_file rw_file_perms;
+
+# Allow to operate with radio device
+allow rfsd radio_device:chr_file rw_file_perms;
+
+# Allow to set rild and modem property
+set_prop(rfsd, vendor_modem_prop)
+set_prop(rfsd, vendor_rild_prop)
diff --git a/whitechapel/vendor/google/rild.te b/whitechapel/vendor/google/rild.te
new file mode 100644
index 00000000..a45d2b5f
--- /dev/null
+++ b/whitechapel/vendor/google/rild.te
@@ -0,0 +1,28 @@
+set_prop(rild, vendor_rild_prop)
+
+get_prop(rild, vendor_persist_config_default_prop)
+get_prop(rild, vendor_ro_config_default_prop)
+set_prop(rild, vendor_sys_default_prop)
+
+get_prop(rild, system_boot_reason_prop)
+
+allow rild proc_net:file rw_file_perms;
+allow rild radio_vendor_data_file:dir create_dir_perms;
+allow rild radio_vendor_data_file:file create_file_perms;
+allow rild rild_vendor_data_file:dir create_dir_perms;
+allow rild rild_vendor_data_file:file create_file_perms;
+allow rild vendor_fw_file:file r_file_perms;
+allow rild mnt_vendor_file:dir r_dir_perms;
+
+r_dir_file(rild, modem_img_file)
+
+binder_call(rild, bipchmgr)
+binder_call(rild, gpsd)
+binder_call(rild, hal_audio_default)
+binder_call(rild, hal_secure_element_default)
+binder_call(rild, platform_app)
+binder_call(rild, modem_svc_sit)
+
+# for hal service
+add_hwservice(rild, hal_exynos_rild_hwservice)
+allow rild hal_audio_ext_hwservice:hwservice_manager find;
diff --git a/whitechapel/vendor/google/rlsservice.te b/whitechapel/vendor/google/rlsservice.te
new file mode 100644
index 00000000..2217908d
--- /dev/null
+++ b/whitechapel/vendor/google/rlsservice.te
@@ -0,0 +1,21 @@
+type rlsservice, domain;
+type rlsservice_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(rlsservice)
+
+vndbinder_use(rlsservice)
+
+add_service(rlsservice, rls_service)
+
+# access rainbow sensor calibration files
+allow rlsservice persist_file:dir search;
+allow rlsservice persist_camera_file:dir search;
+allow rlsservice persist_camera_file:file r_file_perms;
+allow rlsservice mnt_vendor_file:dir search;
+
+binder_call(rlsservice, hal_sensors_default)
+binder_call(rlsservice, hal_camera_default)
+
+# Allow access to always-on compute device node
+allow rlsservice device:dir { read watch };
+allow rlsservice aoc_device:chr_file rw_file_perms;
diff --git a/whitechapel/vendor/google/rpmbd.te b/whitechapel/vendor/google/rpmbd.te
new file mode 100644
index 00000000..4113c2d8
--- /dev/null
+++ b/whitechapel/vendor/google/rpmbd.te
@@ -0,0 +1,4 @@
+type rpmbd, domain;
+type rpmbd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(rpmbd)
+
diff --git a/whitechapel/vendor/google/scd.te b/whitechapel/vendor/google/scd.te
new file mode 100644
index 00000000..28aaee0a
--- /dev/null
+++ b/whitechapel/vendor/google/scd.te
@@ -0,0 +1,17 @@
+type scd, domain;
+type scd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(scd)
+
+# Allow scd access PixelLogger unix socket in debug build only
+userdebug_or_eng(`
+ typeattribute scd mlstrustedsubject;
+ allow scd logger_app:unix_stream_socket connectto;
+')
+
+# Allow a base set of permissions required for network access.
+net_domain(scd);
+
+# Allow scd access data vendor gps files
+allow scd vendor_gps_file:dir create_dir_perms;
+allow scd vendor_gps_file:file create_file_perms;
+allow scd vendor_gps_file:fifo_file create_file_perms;
diff --git a/whitechapel/vendor/google/sced.te b/whitechapel/vendor/google/sced.te
new file mode 100644
index 00000000..52c2b2b6
--- /dev/null
+++ b/whitechapel/vendor/google/sced.te
@@ -0,0 +1,10 @@
+type sced, domain;
+type sced_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(sced)
+
+userdebug_or_eng(`
+hwbinder_use(sced)
+binder_call(sced, dmd)
+
+get_prop(sced, hwservicemanager_prop)
+')
\ No newline at end of file
diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts
new file mode 100644
index 00000000..8dfa07e4
--- /dev/null
+++ b/whitechapel/vendor/google/seapp_contexts
@@ -0,0 +1,30 @@
+# Samsung S.LSI telephony
+user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_app
+user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging:remote domain=vendor_telephony_app
+user=system seinfo=platform name=com.samsung.slsi.telephony.testmode domain=vendor_telephony_app
+user=system seinfo=platform name=com.samsung.slsi.telephony.uartswitch domain=vendor_telephony_app
+user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_app
+user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode domain=vendor_telephony_app
+
+# Samsung S.LSI IMS
+user=system seinfo=platform name=com.shannon.imsservice domain=vendor_ims_app
+user=system seinfo=platform name=com.shannon.imsservice:remote domain=vendor_ims_app
+user=system seinfo=platform name=com.shannon.dataservice domain=vendor_ims_app
+user=system seinfo=platform name=com.shannon.networkservice domain=vendor_ims_app
+user=system seinfo=platform name=com.shannon.qualifiednetworksservice domain=vendor_ims_app
+
+# coredump/ramdump
+user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
+user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
+
+# grilservice
+user=_app isPrivApp=true seinfo=platform name=com.google.android.grilservice domain=grilservice_app levelFrom=all
+
+# PixelLogger
+user=_app seinfo=platform name=com.android.pixellogger domain=logger_app type=app_data_file levelFrom=all
+
+# HbmSVManager
+user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
+
+# Hardware Info Collection
+user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user
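Review bot: The last entry of the new seapp_contexts, for `com.google.android.hardwareinfo`, is the only rule in the file with no `seinfo=` selector, so the `hardware_info_app` domain is assigned on package name and `isPrivApp=true` alone instead of being tied to a signing key. If the package is signed with a key that has a `mac_permissions.xml` entry, adding the matching selector, e.g. `seinfo=<SEINFO_FOR_SIGNING_KEY>` (placeholder), would make the mapping as strict as the grilservice line above it. If the omission is deliberate, a comment on the entry saying why would save the next reviewer the question.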
diff --git a/whitechapel/vendor/google/securedpud.slider.te b/whitechapel/vendor/google/securedpud.slider.te
new file mode 100644
index 00000000..fd553a30
--- /dev/null
+++ b/whitechapel/vendor/google/securedpud.slider.te
@@ -0,0 +1,9 @@
+type securedpud_slider, domain;
+type securedpud_slider_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(securedpud_slider)
+
+allow securedpud_slider dmabuf_heap_device:chr_file r_file_perms;
+allow securedpud_slider ion_device:chr_file r_file_perms;
+allow securedpud_slider tee_device:chr_file rw_file_perms;
+allow securedpud_slider tui_device:chr_file rw_file_perms;
diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te
new file mode 100644
index 00000000..9c935e9c
--- /dev/null
+++ b/whitechapel/vendor/google/service.te
@@ -0,0 +1 @@
+type hal_pixel_display_service, service_manager_type, vendor_service;
diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts
new file mode 100644
index 00000000..aed05336
--- /dev/null
+++ b/whitechapel/vendor/google/service_contexts
@@ -0,0 +1,3 @@
+# EdgeTPU service
+com.google.edgetpu.IEdgeTpuService/default u:object_r:edgetpu_service:s0
+com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
diff --git a/whitechapel/vendor/google/shell.te b/whitechapel/vendor/google/shell.te
new file mode 100644
index 00000000..29274f5f
--- /dev/null
+++ b/whitechapel/vendor/google/shell.te
@@ -0,0 +1 @@
+allow shell eco_service:service_manager find;
diff --git a/whitechapel/vendor/google/sscoredump.te b/whitechapel/vendor/google/sscoredump.te
new file mode 100644
index 00000000..e66abc66
--- /dev/null
+++ b/whitechapel/vendor/google/sscoredump.te
@@ -0,0 +1,17 @@
+type sscoredump, domain;
+type sscoredump_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(sscoredump)
+
+set_prop(sscoredump, vendor_ssrdump_prop)
+
+allow sscoredump device:dir r_dir_perms;
+allow sscoredump sscoredump_device:chr_file rw_file_perms;
+allow sscoredump sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+allow sscoredump sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+
+userdebug_or_eng(`
+ allow sscoredump sscoredump_sysfs_level:file rw_file_perms;
+ allow sscoredump sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+ allow sscoredump sscoredump_vendor_data_coredump_file:file create_file_perms;
+')
diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te
new file mode 100644
index 00000000..48361bd8
--- /dev/null
+++ b/whitechapel/vendor/google/ssr_detector.te
@@ -0,0 +1,16 @@
+type ssr_detector_app, domain;
+
+app_domain(ssr_detector_app)
+allow ssr_detector_app app_api_service:service_manager find;
+allow ssr_detector_app radio_service:service_manager find;
+
+allow ssr_detector_app system_app_data_file:dir r_dir_perms;
+
+allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+userdebug_or_eng(`
+ allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
+ allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms;
+')
+
+get_prop(ssr_detector_app, vendor_ssrdump_prop)
diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te
new file mode 100644
index 00000000..ef9d93a8
--- /dev/null
+++ b/whitechapel/vendor/google/storageproxyd.te
@@ -0,0 +1,4 @@
+type sg_device, dev_type;
+
+allow tee sg_device:chr_file rw_file_perms;
+allow tee self:capability { setgid setuid };
diff --git a/whitechapel/vendor/google/system_app.te b/whitechapel/vendor/google/system_app.te
new file mode 100644
index 00000000..f8fe4f20
--- /dev/null
+++ b/whitechapel/vendor/google/system_app.te
@@ -0,0 +1,6 @@
+allow system_app sysfs_vendor_sched:file w_file_perms;
+
+allow system_app hal_wlc_hwservice:hwservice_manager find;
+binder_call(system_app, hal_wlc)
+
+allow system_app fwk_stats_hwservice:hwservice_manager find;
\ No newline at end of file
diff --git a/whitechapel/vendor/google/system_server.te b/whitechapel/vendor/google/system_server.te
new file mode 100644
index 00000000..329a693a
--- /dev/null
+++ b/whitechapel/vendor/google/system_server.te
@@ -0,0 +1,3 @@
+# Allow system server to send sensor data callbacks to GPS and camera HALs
+binder_call(system_server, gpsd);
+binder_call(system_server, hal_camera_default);
diff --git a/whitechapel/vendor/google/toolbox.te b/whitechapel/vendor/google/toolbox.te
new file mode 100644
index 00000000..9fbbb7ab
--- /dev/null
+++ b/whitechapel/vendor/google/toolbox.te
@@ -0,0 +1,3 @@
+allow toolbox ram_device:blk_file rw_file_perms;
+allow toolbox per_boot_file:dir create_dir_perms;
+allow toolbox per_boot_file:file create_file_perms;
diff --git a/whitechapel/vendor/google/trusty_apploader.te b/whitechapel/vendor/google/trusty_apploader.te
new file mode 100644
index 00000000..b3f91794
--- /dev/null
+++ b/whitechapel/vendor/google/trusty_apploader.te
@@ -0,0 +1,6 @@
+type trusty_apploader, domain;
+type trusty_apploader_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(trusty_apploader)
+
+allow trusty_apploader ion_device:chr_file r_file_perms;
+allow trusty_apploader tee_device:chr_file rw_file_perms;
diff --git a/whitechapel/vendor/google/untrusted_app_all.te b/whitechapel/vendor/google/untrusted_app_all.te
new file mode 100644
index 00000000..8e79515f
--- /dev/null
+++ b/whitechapel/vendor/google/untrusted_app_all.te
@@ -0,0 +1,6 @@
+# Allows applications to discover the EdgeTPU service.
+allow untrusted_app_all edgetpu_service:service_manager find;
+
+# Allows applications to access the EdgeTPU device, except open, which is guarded
+# by the EdgeTPU service.
+allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };
diff --git a/whitechapel/vendor/google/vcd.te b/whitechapel/vendor/google/vcd.te
new file mode 100644
index 00000000..c4af485f
--- /dev/null
+++ b/whitechapel/vendor/google/vcd.te
@@ -0,0 +1,11 @@
+type vcd, domain;
+type vcd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(vcd)
+
+get_prop(vcd, vendor_rild_prop);
+get_prop(vcd, vendor_persist_config_default_prop);
+
+allow vcd serial_device:chr_file rw_file_perms;
+allow vcd radio_device:chr_file rw_file_perms;
+allow vcd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
+allow vcd node:tcp_socket node_bind;
diff --git a/whitechapel/vendor/google/vendor_ims_app.te b/whitechapel/vendor/google/vendor_ims_app.te
new file mode 100644
index 00000000..058450d0
--- /dev/null
+++ b/whitechapel/vendor/google/vendor_ims_app.te
@@ -0,0 +1,2 @@
+type vendor_ims_app, domain;
+app_domain(vendor_ims_app)
diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te
new file mode 100644
index 00000000..7a0a9d51
--- /dev/null
+++ b/whitechapel/vendor/google/vendor_init.te
@@ -0,0 +1,14 @@
+set_prop(vendor_init, vendor_device_prop)
+set_prop(vendor_init, vendor_modem_prop)
+set_prop(vendor_init, vendor_cbd_prop)
+get_prop(vendor_init, vendor_rild_prop)
+get_prop(vendor_init, vendor_persist_sys_modem_prop)
+
+allow vendor_init proc_dirty:file w_file_perms;
+allow vendor_init proc_sched:file write;
+allow vendor_init bootdevice_sysdev:file create_file_perms;
+
+# NFC vendor property
+set_prop(vendor_init, vendor_nfc_prop)
+# SecureElement vendor property
+set_prop(vendor_init, vendor_secure_element_prop)
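Review bot: In untrusted_app_all.te the rule `allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };` grants `ioctl` with no command filter, so every ioctl the EdgeTPU driver implements is reachable from any untrusted app that has been handed a descriptor. The comment explains that `open` is withheld so the service mediates access, but that only controls who receives a descriptor, not what can be done with it afterwards. Consider pairing the rule with an allowlist, `allowxperm untrusted_app_all edgetpu_device:chr_file ioctl { <EDGETPU_IOCTL_CMDS> };` (placeholder for the commands clients actually need), and extending the comment to name the operations apps are expected to perform.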
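Review bot: vcd.te gives vcd `self:tcp_socket { create_socket_perms_no_ioctl listen accept }` and `node:tcp_socket node_bind` next to `rw_file_perms` on `serial_device` and `radio_device`, and none of it sits inside `userdebug_or_eng`, so a TCP listener in front of the modem devices is permitted on user builds too. The rule targets the generic `node` type, so the policy does not limit which address the daemon binds to; that restriction would have to live in the daemon itself. If the listener is a debug facility, wrapping the two socket rules in a `userdebug_or_eng` block as scd.te and sced.te do would keep it out of production policy; otherwise a comment stating the bind address and the expected client would help.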
diff --git a/whitechapel/vendor/google/vendor_telephony_app.te b/whitechapel/vendor/google/vendor_telephony_app.te
new file mode 100644
index 00000000..06d867c7
--- /dev/null
+++ b/whitechapel/vendor/google/vendor_telephony_app.te
@@ -0,0 +1,4 @@
+type vendor_telephony_app, domain;
+app_domain(vendor_telephony_app)
+
+set_prop(vendor_telephony_app, vendor_modem_prop)
\ No newline at end of file
diff --git a/whitechapel/vendor/google/vndservice.te b/whitechapel/vendor/google/vndservice.te
new file mode 100644
index 00000000..f70a26fe
--- /dev/null
+++ b/whitechapel/vendor/google/vndservice.te
@@ -0,0 +1,4 @@
+type rls_service, vndservice_manager_type;
+type vendor_surfaceflinger_vndservice, vndservice_manager_type;
+type vendor_displaycolor_service, vndservice_manager_type;
+type eco_service, vndservice_manager_type;
diff --git a/whitechapel/vendor/google/vndservice_contexts b/whitechapel/vendor/google/vndservice_contexts
new file mode 100644
index 00000000..d44e1cb8
--- /dev/null
+++ b/whitechapel/vendor/google/vndservice_contexts
@@ -0,0 +1,4 @@
+Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0
+rlsservice u:object_r:rls_service:s0
+displaycolor u:object_r:vendor_displaycolor_service:s0
+media.ecoservice u:object_r:eco_service:s0
diff --git a/whitechapel/vendor/google/vold.te b/whitechapel/vendor/google/vold.te
new file mode 100644
index 00000000..ecea1946
--- /dev/null
+++ b/whitechapel/vendor/google/vold.te
@@ -0,0 +1,6 @@
+allow vold sysfs_scsi_devices_0000:file rw_file_perms;
+allow vold modem_efs_file:dir rw_dir_perms;
+allow vold modem_userdata_file:dir rw_dir_perms;
+
+dontaudit vold dumpstate:fifo_file rw_file_perms;
+dontaudit vold dumpstate:fd { use };
From fc5a6a88dbd5e84cb98b63acaaaf87e5994ed982 Mon Sep 17 00:00:00 2001
From: Adam Shih Date: Mon, 8 Mar 2021 09:42:05 +0800 Subject: [PATCH 004/921] update error on ROM 7191013 Bug: 182086633 Bug: 182086611 Bug: 182086552 Bug: 182086686 Bug: 182086550 Bug: 182086551 Bug: 182086482 Bug: 182086688 Bug: 182086481 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I3c8c411d985a4a3c9210a39aa30ea0c3626f65e0 --- tracking_denials/hal_sensors_default.te | 55 +++++++++++++++++++++++++ tracking_denials/init-insmod-sh.te | 4 ++ tracking_denials/mediacodec.te | 7 ++++ tracking_denials/mediaserver.te | 10 +++++ tracking_denials/mediaswcodec.te | 7 ++++ tracking_denials/nfc.te | 4 ++ tracking_denials/platform_app.te | 4 ++ tracking_denials/servicemanager.te | 3 ++ tracking_denials/system_server.te | 4 ++ 9 files changed, 98 insertions(+) create mode 100644 tracking_denials/hal_sensors_default.te create mode 100644 tracking_denials/init-insmod-sh.te create mode 100644 tracking_denials/mediaserver.te create mode 100644 tracking_denials/mediaswcodec.te create mode 100644 tracking_denials/nfc.te create mode 100644 tracking_denials/servicemanager.te diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te new file mode 100644 index 00000000..c52d7136 --- /dev/null +++ b/tracking_denials/hal_sensors_default.te 
@@ -0,0 +1,55 @@
+# b/182086633
+dontaudit hal_sensors_default servicemanager:binder { call };
+dontaudit hal_sensors_default device:dir { read };
+dontaudit hal_sensors_default device:dir { watch };
+dontaudit hal_sensors_default aoc_device:chr_file { read write };
+dontaudit hal_sensors_default aoc_device:chr_file { open };
+dontaudit hal_sensors_default mnt_vendor_file:dir { search };
+dontaudit hal_sensors_default persist_file:dir { search };
+dontaudit hal_sensors_default persist_file:dir { getattr };
+dontaudit hal_sensors_default persist_file:dir { read };
+dontaudit hal_sensors_default persist_file:dir { open };
+dontaudit hal_sensors_default persist_file:file { getattr };
+dontaudit hal_sensors_default persist_file:file { read };
+dontaudit hal_sensors_default persist_file:file { open };
+dontaudit hal_sensors_default vendor_data_file:dir { read };
+dontaudit hal_sensors_default vendor_data_file:dir { open };
+dontaudit hal_sensors_default vendor_data_file:file { getattr };
+dontaudit hal_sensors_default vendor_data_file:file { read };
+dontaudit hal_sensors_default vendor_data_file:file { open };
+dontaudit hal_sensors_default fwk_stats_service:service_manager { find };
+dontaudit hal_sensors_default servicemanager:binder { call };
+dontaudit hal_sensors_default servicemanager:binder { transfer };
+dontaudit hal_sensors_default servicemanager:binder { transfer };
+dontaudit hal_sensors_default servicemanager:binder { call };
+dontaudit hal_sensors_default aoc_device:chr_file { getattr };
+dontaudit hal_sensors_default aoc_device:chr_file { read write };
+dontaudit hal_sensors_default aoc_device:chr_file { open };
+dontaudit hal_sensors_default vendor_data_file:file { write };
+dontaudit hal_sensors_default sysfs_aoc_boottime:file { read };
+dontaudit hal_sensors_default sysfs_aoc_boottime:file { open };
+dontaudit hal_sensors_default sysfs_aoc_boottime:file { getattr };
+dontaudit hal_sensors_default vendor_data_file:file { write };
+dontaudit hal_sensors_default vendor_data_file:file { read };
+dontaudit hal_sensors_default vendor_data_file:file { getattr };
+dontaudit hal_sensors_default persist_file:dir { search };
+dontaudit hal_sensors_default vendor_data_file:dir { open };
+dontaudit hal_sensors_default aoc_device:chr_file { read write };
+dontaudit hal_sensors_default vendor_data_file:dir { read };
+dontaudit hal_sensors_default persist_file:file { open };
+dontaudit hal_sensors_default vendor_data_file:file { open };
+dontaudit hal_sensors_default sysfs_aoc_boottime:file { getattr };
+dontaudit hal_sensors_default sysfs_aoc_boottime:file { open };
+dontaudit hal_sensors_default sysfs_aoc_boottime:file { read };
+dontaudit hal_sensors_default persist_file:file { read };
+dontaudit hal_sensors_default persist_file:file { getattr };
+dontaudit hal_sensors_default device:dir { read };
+dontaudit hal_sensors_default persist_file:dir { open };
+dontaudit hal_sensors_default persist_file:dir { read };
+dontaudit hal_sensors_default persist_file:dir { getattr };
+dontaudit hal_sensors_default vendor_data_file:file { open };
+dontaudit hal_sensors_default mnt_vendor_file:dir { search };
+dontaudit hal_sensors_default device:dir { read };
+dontaudit hal_sensors_default device:dir { watch };
+dontaudit hal_sensors_default servicemanager:binder { transfer };
+dontaudit hal_sensors_default aoc_device:chr_file { open };
diff --git a/tracking_denials/init-insmod-sh.te b/tracking_denials/init-insmod-sh.te
new file mode 100644
index 00000000..9f615fab
--- /dev/null
+++ b/tracking_denials/init-insmod-sh.te
@@ -0,0 +1,4 @@
+# b/182086611
+dontaudit init-insmod-sh vendor_regmap_debugfs:dir { search };
+dontaudit init-insmod-sh vendor_regmap_debugfs:dir { search };
+dontaudit init-insmod-sh vendor_regmap_debugfs:dir { search };
diff --git a/tracking_denials/mediacodec.te b/tracking_denials/mediacodec.te
index 2d3f4475..3955ae14 100644
--- a/tracking_denials/mediacodec.te
+++ b/tracking_denials/mediacodec.te
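Review bot: tracking_denials/hal_sensors_default.te repeats identical rules many times (for example `dontaudit hal_sensors_default aoc_device:chr_file { read write };` and `dontaudit hal_sensors_default servicemanager:binder { call };` each appear three times), which makes the file hard to audit when entries are later resolved or removed. One rule per target and class, e.g. `dontaudit hal_sensors_default aoc_device:chr_file { getattr open read write };`, carries the same information. Because `dontaudit` only silences the log and the access stays denied under enforcing mode, a short de-duplicated list also makes it clearer what is still failing under b/182086633. The same repetition is present in the init-insmod-sh.te hunk that follows and in the mediacodec.te, mediaserver.te and mediaswcodec.te hunks of this patch.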
@@ -4,3 +4,10 @@ dontaudit mediacodec sysfs:file { open };
 dontaudit mediacodec sysfs:file { read };
 # b/176777184
 dontaudit mediacodec default_android_vndservice:service_manager add ;
+# b/182086552
+dontaudit mediacodec dmabuf_heap_device:chr_file { open };
+dontaudit mediacodec dmabuf_heap_device:chr_file { read };
+dontaudit mediacodec dmabuf_heap_device:chr_file { ioctl };
+dontaudit mediacodec dmabuf_heap_device:chr_file { read };
+dontaudit mediacodec dmabuf_heap_device:chr_file { open };
+dontaudit mediacodec dmabuf_heap_device:chr_file { ioctl };
diff --git a/tracking_denials/mediaserver.te b/tracking_denials/mediaserver.te
new file mode 100644
index 00000000..5b1f85ae
--- /dev/null
+++ b/tracking_denials/mediaserver.te
@@ -0,0 +1,10 @@
+# b/182086686
+dontaudit mediaserver dmabuf_heap_device:chr_file { open };
+dontaudit mediaserver dmabuf_heap_device:chr_file { ioctl };
+dontaudit mediaserver dmabuf_heap_device:chr_file { ioctl };
+dontaudit mediaserver dmabuf_heap_device:chr_file { read };
+dontaudit mediaserver dmabuf_heap_device:chr_file { read };
+dontaudit mediaserver dmabuf_heap_device:chr_file { open };
+dontaudit mediaserver dmabuf_heap_device:chr_file { ioctl };
+dontaudit mediaserver dmabuf_heap_device:chr_file { ioctl };
+dontaudit mediaserver dmabuf_heap_device:chr_file { ioctl };
diff --git a/tracking_denials/mediaswcodec.te b/tracking_denials/mediaswcodec.te
new file mode 100644
index 00000000..90396e8d
--- /dev/null
+++ b/tracking_denials/mediaswcodec.te
@@ -0,0 +1,7 @@
+# b/182086550
+dontaudit mediaswcodec dmabuf_heap_device:chr_file { open };
+dontaudit mediaswcodec dmabuf_heap_device:chr_file { read };
+dontaudit mediaswcodec dmabuf_heap_device:chr_file { read };
+dontaudit mediaswcodec dmabuf_heap_device:chr_file { ioctl };
+dontaudit mediaswcodec dmabuf_heap_device:chr_file { open };
+dontaudit mediaswcodec dmabuf_heap_device:chr_file { ioctl };
diff --git a/tracking_denials/nfc.te b/tracking_denials/nfc.te
new file mode 100644
index 00000000..c0904dcf
--- /dev/null
+++ b/tracking_denials/nfc.te
@@ -0,0 +1,4 @@
+# b/182086551
+dontaudit nfc dmabuf_heap_device:chr_file { open };
+dontaudit nfc dmabuf_heap_device:chr_file { ioctl };
+dontaudit nfc dmabuf_heap_device:chr_file { read };
diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te
index 6e8841af..2f9c64f4 100644
--- a/tracking_denials/platform_app.te
+++ b/tracking_denials/platform_app.te
@@ -6,3 +6,7 @@ dontaudit platform_app hal_wlc:binder { call };
 dontaudit platform_app hal_wlc_hwservice:hwservice_manager { find };
 dontaudit platform_app hal_wlc:binder { call };
 dontaudit platform_app hal_wlc:binder { transfer };
+# b/182086482
+dontaudit platform_app dmabuf_heap_device:chr_file { ioctl };
+dontaudit platform_app dmabuf_heap_device:chr_file { read };
+dontaudit platform_app dmabuf_heap_device:chr_file { open };
diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te
new file mode 100644
index 00000000..0900dcdf
--- /dev/null
+++ b/tracking_denials/servicemanager.te
@@ -0,0 +1,3 @@
+# b/182086688
+dontaudit servicemanager hal_sensors_default:binder { call };
+dontaudit servicemanager hal_sensors_default:binder { call };
diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te
index d7e456ab..2f1e9463 100644
--- a/tracking_denials/system_server.te
+++ b/tracking_denials/system_server.te
@@ -1,2 +1,6 @@
 # b/178980142
 dontaudit system_server property_type:file *;
+# b/182086481
+dontaudit system_server dmabuf_heap_device:chr_file { ioctl };
+dontaudit system_server dmabuf_heap_device:chr_file { open };
+dontaudit system_server dmabuf_heap_device:chr_file { read };
From 4d87bc0f2a9ea36443e12f68ca2c4354e9754e74 Mon Sep 17 00:00:00 2001
From: SalmaxChang Date: Tue, 2 Mar 2021 19:57:23 +0800 Subject: [PATCH 005/921] cbd: Fix avc errors avc: denied { write } for comm="cbd" name="ssrdump" dev="dm-9" ino=284 scontext=u:r:cbd:s0 tcontext=u:object_r:sscoredump_vendor_data_crashinfo_file:s0 tclass=dir avc: denied { add_name } for comm="cbd" name="crashinfo_modem_2021-03-02_10-57-06.txt" scontext=u:r:cbd:s0 tcontext=u:object_r:sscoredump_vendor_data_crashinfo_file:s0 tclass=dir avc: denied { write } for comm="sh" name="image" dev="dm-9" ino=231 scontext=u:r:cbd:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir avc: denied { read } for comm="cbd" name="u:object_r:radio_prop:s0" dev="tmpfs" ino=206 scontext=u:r:cbd:s0 tcontext=u:object_r:radio_prop:s0 tclass=file avc: denied { search } for comm="cbd" name="/" dev="sda15" ino=2 scontext=u:r:cbd:s0 tcontext=u:object_r:persist_file:s0 tclass=dir avc: denied { syslog_read } for comm="cbd" scontext=u:r:cbd:s0 tcontext=u:r:kernel:s0 tclass=system Bug: 179198083 Bug: 178331928 Bug: 171267363 Change-Id: I8a89e360e6d614ad76ed2eb78467fcbedf1ea0ce --- tracking_denials/cbd.te | 30 ------------------------- whitechapel/vendor/google/cbd.te | 12 +++++++++- whitechapel/vendor/google/file.te | 2 ++ whitechapel/vendor/google/file_contexts | 2 ++ 4 files changed, 15 insertions(+), 31 deletions(-) diff --git a/tracking_denials/cbd.te b/tracking_denials/cbd.te index 7cd0342d..4fe18028 100644 --- a/tracking_denials/cbd.te +++ b/tracking_denials/cbd.te 
@@ -1,19 +1,5 @@ # b/171267363 dontaudit cbd cbd:capability {setuid }; -dontaudit cbd proc_cmdline:file {open }; -dontaudit cbd persist_file:dir {search }; -dontaudit cbd init:unix_stream_socket {connectto }; -dontaudit cbd proc_cmdline:file {read }; -dontaudit cbd kernel:system {syslog_read }; -# b/173971138 -dontaudit cbd radio_prop:file { map }; -dontaudit cbd radio_prop:file { open }; -dontaudit cbd radio_prop:file { read }; -dontaudit cbd radio_prop:file { open }; -dontaudit cbd radio_prop:file { map }; -dontaudit cbd radio_prop:file { read }; -dontaudit cbd radio_prop:file { getattr }; -dontaudit cbd radio_prop:file { getattr }; # b/178331928 dontaudit cbd mnt_vendor_file:dir { search }; dontaudit cbd mnt_vendor_file:dir { search }; @@ -31,21 +17,5 @@ dontaudit cbd unlabeled:dir { search }; dontaudit cbd unlabeled:file { read }; dontaudit cbd unlabeled:file { open }; # b/179198083 -dontaudit cbd radio_vendor_data_file:dir { search }; -dontaudit cbd radio_vendor_data_file:dir { write }; -dontaudit cbd radio_vendor_data_file:dir { add_name }; -dontaudit cbd radio_vendor_data_file:file { create }; -dontaudit cbd radio_vendor_data_file:file { write }; -dontaudit cbd radio_vendor_data_file:file { open }; dontaudit cbd unlabeled:file { ioctl }; -dontaudit cbd radio_vendor_data_file:file { open }; -dontaudit cbd radio_vendor_data_file:file { read }; -dontaudit cbd radio_vendor_data_file:dir { search }; dontaudit cbd unlabeled:file { ioctl }; -dontaudit cbd radio_vendor_data_file:file { open }; -dontaudit cbd radio_vendor_data_file:file { read }; -dontaudit cbd radio_vendor_data_file:file { write }; -dontaudit cbd radio_vendor_data_file:file { create }; -dontaudit cbd radio_vendor_data_file:dir { add_name }; -dontaudit cbd radio_vendor_data_file:dir { search }; -dontaudit cbd radio_vendor_data_file:dir { write }; diff --git a/whitechapel/vendor/google/cbd.te b/whitechapel/vendor/google/cbd.te index 6e21902e..41ee23d7 100644 --- a/whitechapel/vendor/google/cbd.te 
+++ b/whitechapel/vendor/google/cbd.te @@ -21,6 +21,14 @@ allow cbd sysfs_chosen:dir r_dir_perms; allow cbd radio_device:chr_file rw_file_perms; +allow cbd proc_cmdline:file r_file_perms; + +allow cbd persist_modem_file:dir create_dir_perms; +allow cbd persist_modem_file:file create_file_perms; + +allow cbd radio_vendor_data_file:dir create_dir_perms; +allow cbd radio_vendor_data_file:file create_file_perms; + # Allow cbd to operate with modem EFS file/dir allow cbd modem_efs_file:dir create_dir_perms; allow cbd modem_efs_file:file create_file_perms; @@ -34,10 +42,12 @@ allow cbd modem_img_file:dir r_dir_perms; allow cbd modem_img_file:file r_file_perms; # Allow cbd to collect crash info -allow cbd sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; +allow cbd sscoredump_vendor_data_crashinfo_file:dir create_dir_perms; allow cbd sscoredump_vendor_data_crashinfo_file:file create_file_perms; userdebug_or_eng(` + allow cbd kernel:system syslog_read; + allow cbd sscoredump_vendor_data_coredump_file:dir create_dir_perms; allow cbd sscoredump_vendor_data_coredump_file:file create_file_perms; ') diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 5ec18e27..5776174b 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -113,6 +113,8 @@ type modem_efs_file, file_type; type modem_img_file, file_type; type modem_userdata_file, file_type; type sysfs_modem, sysfs_type, fs_type; +type persist_modem_file, file_type, vendor_persist_type; + # Wireless type sysfs_wlc, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index d16737ec..e1ae842f 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
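Review bot: The first cbd.te hunk adds `persist_modem_file` access for `/mnt/vendor/persist/modem`, but no `persist_file:dir search` rule appears in either cbd.te hunk, while the same patch removes `dontaudit cbd persist_file:dir {search };` from tracking_denials/cbd.te. Unless that rule already exists in a part of cbd.te outside these hunks, cbd is still denied when traversing the persist mount and the denial quoted in the commit message returns to the log; `allow cbd persist_file:dir search;` would cover it. The `radio_prop` read from the commit message is in the same position, since no `get_prop(cbd, radio_prop)` is visible here. In the second hunk, `sscoredump_vendor_data_crashinfo_file:dir` goes from `r_dir_perms` to `create_dir_perms`, whereas `rw_dir_perms` would satisfy the `write` and `add_name` denials shown without letting cbd create or remove directories.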
@@ -254,6 +254,8 @@ /mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0 /mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0 /mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0 +/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0 + # Subsystem coredump /vendor/bin/sscoredump u:object_r:sscoredump_exec:s0 From 04275485f7862a54367f1d56c4a42007f27c9196 Mon Sep 17 00:00:00 2001 
From: matthuang Date: Mon, 8 Mar 2021 14:07:36 +0800 Subject: [PATCH 006/921] sepolicy: add usf folder to BOARD_SEPOLICY_DIRS. 03-08 09:26:34.320 701 701 I MonitorFdThread: type=1400 audit(0.0:5): avc: denied { read } for name="/" dev="tmpfs" ino=1 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=1 03-08 09:26:34.320 701 701 I MonitorFdThread: type=1400 audit(0.0:6): avc: denied { watch } for path="/dev" dev="tmpfs" ino=1 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=1 03-08 09:26:36.344 701 701 I android.hardwar: type=1400 audit(0.0:11): avc: denied { read write } for name="acd-com.google.usf" dev="tmpfs" ino=932 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:aoc_device:s0 tclass=chr_file permissive=1 03-08 09:26:36.344 701 701 I android.hardwar: type=1400 audit(0.0:12): avc: denied { open } for path="/dev/acd-com.google.usf" dev="tmpfs" ino=932 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:aoc_device:s0 tclass=chr_file permissive=1 03-08 09:26:36.948 701 701 I android.hardwar: type=1400 audit(0.0:13): avc: denied { search } for name="vendor" dev="tmpfs" ino=2 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=1 03-08 09:26:36.948 701 701 I android.hardwar: type=1400 audit(0.0:14): avc: denied { search } for name="/" dev="sda1" ino=2 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=1 03-08 09:26:36.952 701 701 I android.hardwar: type=1400 audit(0.0:15): avc: denied { getattr } for path="/mnt/vendor/persist/sensors/registry" dev="sda1" ino=24 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=1 03-08 09:26:36.952 701 701 I android.hardwar: type=1400 audit(0.0:16): avc: denied { read } for name="registry" dev="sda1" ino=24 Bug:182086633 Test: make selinux_policy -j128 and push to device. Test: avc denials are disappeared in boot log. 
Change-Id: Id7ad6dcb63c880a4b7b07dbe4588ec231e9e00b5 --- gs101-sepolicy.mk | 3 +++ 1 file changed, 3 insertions(+) diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk index c08b8023..e623328a 100644 --- a/gs101-sepolicy.mk +++ b/gs101-sepolicy.mk @@ -21,3 +21,6 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats # Display BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/display/common BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/display/gs101 + +# Micro sensor framework (usf) +BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/usf From 6bfbfc3c3aa3de57cf2886b0defe174ba77ec081 Mon Sep 17 00:00:00 2001 From: Alex Hong Date: Mon, 8 Mar 2021 14:59:13 +0800 Subject: [PATCH 007/921] Allow vendor_init to set USB properties Bug: 181925042 Test: $ make selinux_policy Push SELinux modules, switch to Enforcing mode Ensure the vendor_init denials are gone Change-Id: I4007cbc2396fa1fc22f1d18a977beb11c57e3b12 --- whitechapel/vendor/google/vendor_init.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 7a0a9d51..00906fcc 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -3,6 +3,7 @@ set_prop(vendor_init, vendor_modem_prop) set_prop(vendor_init, vendor_cbd_prop) get_prop(vendor_init, vendor_rild_prop) get_prop(vendor_init, vendor_persist_sys_modem_prop) +set_prop(vendor_init, vendor_usb_config_prop) allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file write; From 5e63caa5689ae4e41d9238a33d794c34304ed652 Mon Sep 17 00:00:00 2001 
From: Aaron Tsai Date: Mon, 8 Mar 2021 15:48:34 +0800 Subject: [PATCH 008/921] Fix selinux error for vendor_telephony_app // b/174961423 [ 43.295540] type=1400 audit(1607136492.652:21): avc: denied { open } for comm="y.silentlogging" path="/dev/__properties__/u:object_r:vendor_persist_sys_default_prop:s0" dev="tmpfs" ino=261 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_persist_sys_default_prop:s0 tclass=file permissive=1 [ 43.295445] type=1400 audit(1607136492.652:20): avc: denied { read } for comm="y.silentlogging" name="u:object_r:vendor_persist_sys_default_prop:s0" dev="tmpfs" ino=261 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_persist_sys_default_prop:s0 tclass=file permissive=1 [ 43.290494] type=1400 audit(1607136492.648:19): avc: denied { search } for comm="y.silentlogging" name="com.samsung.slsi.telephony.silentlogging" dev="dm-6" ino=3751 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=dir permissive=1 [ 43.267396] type=1400 audit(1607136492.624:18): avc: denied { getattr } for comm="y.silentlogging" path="/data/user/0/com.samsung.slsi.telephony.silentlogging" dev="dm-6" ino=3751 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=dir permissive=1 [ 43.267076] type=1400 audit(1607136492.624:17): avc: denied { search } for comm="y.silentlogging" name="data" dev="dm-6" ino=87 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:system_data_file:s0:c512,c768 tclass=dir permissive=1 // b/176868380 [ 44.640326] type=1400 audit(1609377760.052:32): avc: denied { search } for comm="y.silentlogging" name="0" dev="dm-6" ino=181 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:user_profile_root_file:s0:c512,c768 tclass=dir permissive=1 [ 44.705763] type=1400 audit(1609377760.120:36): avc: denied { search } for comm="ephony.testmode" name="0" dev="dm-6" ino=181 scontext=u:r:vendor_telephony_app:s0 
tcontext=u:object_r:user_profile_root_file:s0:c512,c768 tclass=dir permissive=1 [ 44.649879] type=1400 audit(1609377760.064:33): avc: denied { getattr } for comm="y.silentlogging" path="/dev/__properties__/u:object_r:vendor_persist_sys_default_prop:s0" dev="tmpfs" ino=261 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_persist_sys_default_prop:s0 tclass=file permissive=1 [ 44.649981] type=1400 audit(1609377760.064:34): avc: denied { map } for comm="y.silentlogging" path="/dev/__properties__/u:object_r:vendor_persist_sys_default_prop:s0" dev="tmpfs" ino=261 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_persist_sys_default_prop:s0 tclass=file permissive=1 [ 44.650286] type=1400 audit(1609377760.064:35): avc: denied { search } for comm="y.silentlogging" name="slog" dev="dm-6" ino=228 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_slog_file:s0 tclass=dir permissive=1 // b/177176900 [ 46.609809] type=1400 audit(1610075109.964:21): avc: denied { getattr } for comm="ephony.testmode" path="/dev/__properties__/u:object_r:vendor_rild_prop:s0" dev="tmpfs" ino=266 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_rild_prop:s0 tclass=file permissive=1 [ 46.609747] type=1400 audit(1610075109.964:20): avc: denied { open } for comm="ephony.testmode" path="/dev/__properties__/u:object_r:vendor_rild_prop:s0" dev="tmpfs" ino=266 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_rild_prop:s0 tclass=file permissive=1 [ 46.609580] type=1400 audit(1610075109.960:19): avc: denied { read } for comm="ephony.testmode" name="u:object_r:vendor_rild_prop:s0" dev="tmpfs" ino=266 scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:vendor_rild_prop:s0 tclass=file permissive=1 [ 46.609867] type=1400 audit(1610075109.964:22): avc: denied { map } for comm="ephony.testmode" path="/dev/__properties__/u:object_r:vendor_rild_prop:s0" dev="tmpfs" ino=266 scontext=u:r:vendor_telephony_app:s0 
tcontext=u:object_r:vendor_rild_prop:s0 tclass=file permissive=1 // b/179437464 02-05 09:46:38.796 376 376 E SELinux : avc: denied { find } for pid=9609 uid=1000 name=activity scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=1 02-05 09:46:38.894 376 376 E SELinux : avc: denied { find } for pid=9631 uid=1000 name=thermalservice scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:thermal_service:s0 tclass=service_manager permissive=1 02-05 09:46:38.825 376 376 E SELinux : avc: denied { find } for pid=9609 uid=1000 name=tethering scontext=u:r:vendor_telephony_app:s0 tcontext=u:object_r:tethering_service:s0 tclass=service_manager permissive=1 Bug: 174961423 Bug: 176868380 Bug: 177176900 Bug: 179437464 Test: verified with the forrest ROM and error log gone Change-Id: Ibd2dfb61eb58b381504ac43595e99695a5e21b7e --- tracking_denials/vendor_telephony_app.te | 21 ------------------- whitechapel/vendor/google/seapp_contexts | 12 +++++------ .../vendor/google/vendor_telephony_app.te | 8 ++++++- 3 files changed, 13 insertions(+), 28 deletions(-) delete mode 100644 tracking_denials/vendor_telephony_app.te diff --git a/tracking_denials/vendor_telephony_app.te b/tracking_denials/vendor_telephony_app.te deleted file mode 100644 index 2969a576..00000000 --- a/tracking_denials/vendor_telephony_app.te +++ /dev/null 
@@ -1,21 +0,0 @@ -# b/174961423 -dontaudit vendor_telephony_app vendor_persist_sys_default_prop:file open ; -dontaudit vendor_telephony_app vendor_persist_sys_default_prop:file read ; -dontaudit vendor_telephony_app system_app_data_file:dir search ; -dontaudit vendor_telephony_app system_app_data_file:dir getattr ; -dontaudit vendor_telephony_app system_data_file:dir search ; -# b/176868380 -dontaudit vendor_telephony_app user_profile_root_file:dir search ; -dontaudit vendor_telephony_app user_profile_root_file:dir search ; -dontaudit vendor_telephony_app vendor_persist_sys_default_prop:file getattr ; -dontaudit vendor_telephony_app vendor_persist_sys_default_prop:file map ; -dontaudit vendor_telephony_app vendor_slog_file:dir search ; -# b/177176900 -dontaudit vendor_telephony_app vendor_rild_prop:file getattr ; -dontaudit vendor_telephony_app vendor_rild_prop:file open ; -dontaudit vendor_telephony_app vendor_rild_prop:file read ; -dontaudit vendor_telephony_app vendor_rild_prop:file map ; -# b/179437464 -dontaudit vendor_telephony_app activity_service:service_manager { find }; -dontaudit vendor_telephony_app thermal_service:service_manager { find }; -dontaudit vendor_telephony_app tethering_service:service_manager { find }; diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index 8dfa07e4..287d6ecf 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts 
@@ -1,10 +1,10 @@ # Samsung S.LSI telephony -user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_app -user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging:remote domain=vendor_telephony_app -user=system seinfo=platform name=com.samsung.slsi.telephony.testmode domain=vendor_telephony_app -user=system seinfo=platform name=com.samsung.slsi.telephony.uartswitch domain=vendor_telephony_app -user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_app -user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode domain=vendor_telephony_app +user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_app levelFrom=all +user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging:remote domain=vendor_telephony_app levelFrom=all +user=system seinfo=platform name=com.samsung.slsi.telephony.testmode domain=vendor_telephony_app levelFrom=all +user=system seinfo=platform name=com.samsung.slsi.telephony.uartswitch domain=vendor_telephony_app levelFrom=all +user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_app levelFrom=all +user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode domain=vendor_telephony_app levelFrom=all # Samsung S.LSI IMS user=system seinfo=platform name=com.shannon.imsservice domain=vendor_ims_app diff --git a/whitechapel/vendor/google/vendor_telephony_app.te b/whitechapel/vendor/google/vendor_telephony_app.te index 06d867c7..1f114508 100644 --- a/whitechapel/vendor/google/vendor_telephony_app.te +++ b/whitechapel/vendor/google/vendor_telephony_app.te 
@@ -1,4 +1,10 @@ type vendor_telephony_app, domain; app_domain(vendor_telephony_app) -set_prop(vendor_telephony_app, vendor_modem_prop) \ No newline at end of file +get_prop(vendor_telephony_app, vendor_rild_prop) +get_prop(vendor_telephony_app, vendor_persist_sys_default_prop) +set_prop(vendor_telephony_app, vendor_modem_prop) +r_dir_file(vendor_telephony_app, system_app_data_file) +r_dir_file(vendor_telephony_app, vendor_slog_file) + +allow vendor_telephony_app app_api_service:service_manager find; From 5c76e0c1f3166a61c6cdd6ff5480a1c361d6a562 Mon Sep 17 00:00:00 2001 From: Kris Chen Date: Mon, 8 Mar 2021 16:35:50 +0800 Subject: [PATCH 009/921] trusty_apploader: Fix avc errors Fix the following avc denials: trusty_apploade: type=1400 audit(0.0:3): avc: denied { read } for name="system" dev="tmpfs" ino=713 scontext=u:r:trusty_apploader:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 trusty_apploade: type=1400 audit(0.0:4): avc: denied { open } for path="/dev/dma_heap/system" dev="tmpfs" ino=713 scontext=u:r:trusty_apploader:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 trusty_apploade: type=1400 audit(0.0:5): avc: denied { ioctl } for path="/dev/dma_heap/system" dev="tmpfs" ino=713 ioctlcmd=0x4800 scontext=u:r:trusty_apploader:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 Bug: 180874342 Test: Verify no avc denied when trusty app is loaded. Change-Id: Idbd850580220a1cb85a221d769d741f63cd8751f --- whitechapel/vendor/google/trusty_apploader.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/trusty_apploader.te b/whitechapel/vendor/google/trusty_apploader.te index b3f91794..983e3a03 100644 --- a/whitechapel/vendor/google/trusty_apploader.te +++ b/whitechapel/vendor/google/trusty_apploader.te 
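Review bot: The new `allow vendor_telephony_app app_api_service:service_manager find;` in vendor_telephony_app.te grants lookup of every service carrying the `app_api_service` attribute, while the denials quoted in the commit message name only `activity_service`, `thermal_service` and `tethering_service`. If no other services are needed, `allow vendor_telephony_app { activity_service thermal_service tethering_service }:service_manager find;` keeps the grant at what was observed. The same applies to `r_dir_file(vendor_telephony_app, system_app_data_file)`, which adds read access to the files and symlinks of that type although the logged denials were only `search` and `getattr` on the directory; `allow vendor_telephony_app system_app_data_file:dir { search getattr };` would cover them. The logs were collected with `permissive=1`, so further accesses may surface under enforcing, and each one is better added individually with its own denial as evidence.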
@@ -4,3 +4,4 @@ init_daemon_domain(trusty_apploader) allow trusty_apploader ion_device:chr_file r_file_perms; allow trusty_apploader tee_device:chr_file rw_file_perms; +allow trusty_apploader dmabuf_system_heap_device:chr_file r_file_perms; From 94095e1fd38f53f1478650d073b462032d05a60e Mon Sep 17 00:00:00 2001 From: matthuang Date: Mon, 8 Mar 2021 13:59:03 +0800 Subject: [PATCH 010/921] sepolicy: add sensor related rules for AIDL APIs SELinux : avc: denied { find } for pid=703 uid=1000name=android.frameworks.stats.IStats/default scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:fwk_stats_service:s0 tclass=service_manager permissive=1 android.hardwar: type=1400 audit(0.0:24): avc: denied { transfer } for scontext=u:r:hal_sensors_default:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1 Bug: 182086688 Test: make selinux_policy -j128 and push to device. Test: avc denials are disappeared in boot log. Change-Id: I13e658c1cef3bd24ae25cc1c22dd9336b4e45b0f --- whitechapel/vendor/google/hal_sensors_default.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/hal_sensors_default.te b/whitechapel/vendor/google/hal_sensors_default.te index 64620ba3..396fd3c5 100644 --- a/whitechapel/vendor/google/hal_sensors_default.te +++ b/whitechapel/vendor/google/hal_sensors_default.te @@ -17,3 +17,7 @@ allow hal_sensors_default fwk_stats_hwservice:hwservice_manager find; # Allow access to the sysfs_aoc. allow hal_sensors_default sysfs_aoc:dir search; + +# Allow SensorSuez to connect AIDL stats. +binder_use(hal_sensors_default); +allow hal_sensors_default fwk_stats_service:service_manager find; From 73ce34397a986bc70fac2eb7c5f3fa7dd5461694 Mon Sep 17 00:00:00 2001 
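Review bot: `binder_use(hal_sensors_default);` in hal_sensors_default.te ends a macro call with a semicolon, which the other macro calls on this page do not (`app_domain(vendor_telephony_app)`, `binder_call(hal_wifi_ext, grilservice_app)`, `binder_call(hal_power_stats_default, citadeld)`). The macro already expands to complete statements, so the extra `;` is at best a stray empty statement; write `binder_use(hal_sensors_default)`. The same applies to `binder_call(edgetpu_server, system_server);` in the edgetpu_service.te hunk and `binder_call(hal_dumpstate_default, hal_graphics_composer_default);` in the hal_dumpstate_default.te hunk later in the series.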
From: Isaac Chiou Date: Mon, 1 Feb 2021 22:13:12 +0800 Subject: [PATCH 011/921] Wifi: Add sepolicy files for wifi_ext service This commit adds the sepolicy related files for wifi_ext service. Bug: 171944352 Bug: 177966433 Bug: 177673356 Test: Manual Change-Id: I1613e396fd4c904ed563dfd533fb4b8f807f9657 --- tracking_denials/hal_wifi_ext.te | 4 ---- whitechapel/vendor/google/hal_wifi_ext.te | 5 +++++ whitechapel/vendor/google/property.te | 3 +++ whitechapel/vendor/google/property_contexts | 4 ++++ 4 files changed, 12 insertions(+), 4 deletions(-) delete mode 100644 tracking_denials/hal_wifi_ext.te create mode 100644 whitechapel/vendor/google/hal_wifi_ext.te diff --git a/tracking_denials/hal_wifi_ext.te b/tracking_denials/hal_wifi_ext.te deleted file mode 100644 index c43741be..00000000 --- a/tracking_denials/hal_wifi_ext.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/177966433 -dontaudit hal_wifi_ext vendor_default_prop:property_service { set }; -dontaudit hal_wifi_ext grilservice_app:binder { call }; -dontaudit hal_wifi_ext grilservice_app:binder { call }; diff --git a/whitechapel/vendor/google/hal_wifi_ext.te b/whitechapel/vendor/google/hal_wifi_ext.te new file mode 100644 index 00000000..659239e8 --- /dev/null +++ b/whitechapel/vendor/google/hal_wifi_ext.te @@ -0,0 +1,5 @@ +# Allow wifi_ext to report callbacks to gril-service app +binder_call(hal_wifi_ext, grilservice_app) + +# Write wlan driver/fw version into property +set_prop(hal_wifi_ext, vendor_wifi_version) diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 5ac31d8b..70f00d46 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -32,3 +32,6 @@ vendor_internal_prop(vendor_battery_defender_prop) # NFC vendor_internal_prop(vendor_nfc_prop) + +# WiFi +vendor_internal_prop(vendor_wifi_version) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index a3f993b1..784291df 100644 
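Review bot: The property type added in property.te is named `vendor_wifi_version`, without the `_prop` suffix that the neighbouring declarations use (`vendor_battery_defender_prop`, `vendor_nfc_prop`). A suffix-less name makes it hard to tell a property type from a file or service type when reading allow rules or audit logs. Suggest `vendor_internal_prop(vendor_wifi_version_prop)`, with the matching rename in `set_prop(hal_wifi_ext, ...)` in hal_wifi_ext.te and in the two property_contexts entries of the same commit.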
--- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -87,3 +87,7 @@ persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0 # Battery vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0 + +# WiFi +vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0 +vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0 From d18a92b0efa0c7bb1779d6ea374a6253c22c014c Mon Sep 17 00:00:00 2001 From: Yu-Chi Cheng Date: Mon, 8 Mar 2021 16:02:14 -0800 Subject: [PATCH 012/921] Allowed the EdgeTPU service to access Package Manager binder service. EdgeTPU service will connect to the Package Manager service to verify applicatoin signatures. This change added the corresponding SELinux rules to allow such connection. Bug: 181821398 Test: Verified using Google Camera App on local device. Change-Id: Ia32b3de102c162e28710e0aa917831e8de784183 --- whitechapel/vendor/google/edgetpu_service.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/edgetpu_service.te b/whitechapel/vendor/google/edgetpu_service.te index 241a87eb..b6789cff 100644 --- a/whitechapel/vendor/google/edgetpu_service.te +++ b/whitechapel/vendor/google/edgetpu_service.te @@ -26,3 +26,7 @@ neverallow appdomain edgetpu_device:chr_file { open }; # Allow EdgeTPU service access to its data files. allow edgetpu_server edgetpu_service_data_file:file create_file_perms; allow edgetpu_server edgetpu_service_data_file:dir rw_dir_perms; + +# Allow EdgeTPU service to access the Package Manager service. +allow edgetpu_server package_native_service:service_manager find; +binder_call(edgetpu_server, system_server); From 47abac4459d9986fda624b700d827fda2d34d43f Mon Sep 17 00:00:00 2001 
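Review bot: The two property_contexts entries for `vendor.wlan.driver.version` and `vendor.wlan.firmware.version` are written as prefix matches, so any property whose name merely starts with one of these strings also receives the `vendor_wifi_version` label and becomes settable by `hal_wifi_ext`. Both are single, fully named properties, so they can be pinned with the exact-match form, e.g. `vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0 exact string` and the same for the firmware entry. The existing entries in the hunk context (`persist.vendor.nfc.`, `vendor.battery.defender.`) are intentional prefixes ending in a dot, which is a different case.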
From: Adam Shih Date: Tue, 9 Mar 2021 09:47:50 +0800 Subject: [PATCH 013/921] update error on ROM 7193586 Bug: 182218891 Bug: 182219008 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: Id3d823c2ec41f9b777ccb666338a195bbd3047b6 --- tracking_denials/aocd.te | 6 ++++++ tracking_denials/cbd.te | 3 +++ 2 files changed, 9 insertions(+) diff --git a/tracking_denials/aocd.te b/tracking_denials/aocd.te index 35c47c50..ce3c3365 100644 --- a/tracking_denials/aocd.te +++ b/tracking_denials/aocd.te @@ -1,2 +1,8 @@ # b/171267323 dontaudit aocd device:dir r_dir_perms; +# b/182218891 +dontaudit aocd property_socket:sock_file { write }; +dontaudit aocd init:unix_stream_socket { connectto }; +dontaudit aocd vendor_default_prop:property_service { set }; +dontaudit aocd property_socket:sock_file { write }; +dontaudit aocd init:unix_stream_socket { connectto }; diff --git a/tracking_denials/cbd.te b/tracking_denials/cbd.te index 4fe18028..2dd39498 100644 --- a/tracking_denials/cbd.te +++ b/tracking_denials/cbd.te @@ -19,3 +19,6 @@ dontaudit cbd unlabeled:file { open }; # b/179198083 dontaudit cbd unlabeled:file { ioctl }; dontaudit cbd unlabeled:file { ioctl }; +# b/182219008 +dontaudit cbd persist_file:dir { search }; +dontaudit cbd persist_file:dir { search }; From 7d778201274a4c61dfd51035b936f530a80283de Mon Sep 17 00:00:00 2001 From: Taehwan Kim Date: Mon, 22 Feb 2021 16:53:29 +0900 Subject: [PATCH 014/921] Add missing permission to dmabuf_video_system_heap Bug: 153786620 Bug: 182086551 Bug: 182086552 Bug: 182086686 Bug: 182086482 Bug: 182086481 Bug: 182086550 Test: atest VtsHalMediaC2V1_0TargetVideoDecTest Signed-off-by: Taehwan Kim Change-Id: I2bc6057d16bbcc32ef8891f89c0440618d174982 --- whitechapel/vendor/google/file_contexts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index e1ae842f..68bcf67f 100644 --- a/whitechapel/vendor/google/file_contexts 
+++ b/whitechapel/vendor/google/file_contexts @@ -397,3 +397,7 @@ # vscaler-secure DMA-BUF heap /dev/dma_heap/vscaler-secure u:object_r:vscaler_heap_device:s0 + +# video system DMA-BUF heap +/dev/dma_heap/video_system u:object_r:dmabuf_system_heap_device:s0 +/dev/dma_heap/video_system-uncached u:object_r:dmabuf_system_heap_device:s0 From 019eec3f64cb82f2c2d66d52962b899a58581614 Mon Sep 17 00:00:00 2001 From: Charlie Chen Date: Tue, 9 Mar 2021 10:34:42 +0800 Subject: [PATCH 015/921] Remove dma_buf_heap tracking_denials Bug: 182086551 Bug: 182086552 Bug: 182086686 Bug: 182086482 Bug: 182086481 Bug: 182086550 Test: atest VtsHalMediaC2V1_0TargetVideoDecTest Change-Id: I8de6132fb41b0418f67baac4971ee03031ec3e32 --- tracking_denials/mediacodec.te | 7 ------- tracking_denials/mediaserver.te | 10 ---------- tracking_denials/mediaswcodec.te | 7 ------- tracking_denials/nfc.te | 4 ---- tracking_denials/platform_app.te | 4 ---- tracking_denials/system_server.te | 4 ---- 6 files changed, 36 deletions(-) delete mode 100644 tracking_denials/mediaserver.te delete mode 100644 tracking_denials/mediaswcodec.te delete mode 100644 tracking_denials/nfc.te diff --git a/tracking_denials/mediacodec.te b/tracking_denials/mediacodec.te index 3955ae14..2d3f4475 100644 --- a/tracking_denials/mediacodec.te +++ b/tracking_denials/mediacodec.te @@ -4,10 +4,3 @@ dontaudit mediacodec sysfs:file { open }; dontaudit mediacodec sysfs:file { read }; # b/176777184 dontaudit mediacodec default_android_vndservice:service_manager add ; -# b/182086552 -dontaudit mediacodec dmabuf_heap_device:chr_file { open }; -dontaudit mediacodec dmabuf_heap_device:chr_file { read }; -dontaudit mediacodec dmabuf_heap_device:chr_file { ioctl }; -dontaudit mediacodec dmabuf_heap_device:chr_file { read }; -dontaudit mediacodec dmabuf_heap_device:chr_file { open }; -dontaudit mediacodec dmabuf_heap_device:chr_file { ioctl }; 
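Review bot: Both new file_contexts entries label `/dev/dma_heap/video_system` and `/dev/dma_heap/video_system-uncached` with the generic `dmabuf_system_heap_device` type, so every domain that is allowed the system heap can also allocate from the video heap; `trusty_apploader`, for example, is granted that type earlier in this series. The entry just above in the hunk context gives the vscaler-secure heap its own type (`vscaler_heap_device`), and the same approach here would let access be limited to the codec domains that need it. For example `/dev/dma_heap/video_system u:object_r:dmabuf_video_system_heap_device:s0` (type name is a suggestion), plus the type declaration and `r_file_perms` rules for those domains. If sharing the system heap label is intended, a comment on the entries saying so would help.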
diff --git a/tracking_denials/mediaserver.te b/tracking_denials/mediaserver.te deleted file mode 100644 index 5b1f85ae..00000000 --- a/tracking_denials/mediaserver.te +++ /dev/null @@ -1,10 +0,0 @@ -# b/182086686 -dontaudit mediaserver dmabuf_heap_device:chr_file { open }; -dontaudit mediaserver dmabuf_heap_device:chr_file { ioctl }; -dontaudit mediaserver dmabuf_heap_device:chr_file { ioctl }; -dontaudit mediaserver dmabuf_heap_device:chr_file { read }; -dontaudit mediaserver dmabuf_heap_device:chr_file { read }; -dontaudit mediaserver dmabuf_heap_device:chr_file { open }; -dontaudit mediaserver dmabuf_heap_device:chr_file { ioctl }; -dontaudit mediaserver dmabuf_heap_device:chr_file { ioctl }; -dontaudit mediaserver dmabuf_heap_device:chr_file { ioctl }; diff --git a/tracking_denials/mediaswcodec.te b/tracking_denials/mediaswcodec.te deleted file mode 100644 index 90396e8d..00000000 --- a/tracking_denials/mediaswcodec.te +++ /dev/null @@ -1,7 +0,0 @@ -# b/182086550 -dontaudit mediaswcodec dmabuf_heap_device:chr_file { open }; -dontaudit mediaswcodec dmabuf_heap_device:chr_file { read }; -dontaudit mediaswcodec dmabuf_heap_device:chr_file { read }; -dontaudit mediaswcodec dmabuf_heap_device:chr_file { ioctl }; -dontaudit mediaswcodec dmabuf_heap_device:chr_file { open }; -dontaudit mediaswcodec dmabuf_heap_device:chr_file { ioctl }; diff --git a/tracking_denials/nfc.te b/tracking_denials/nfc.te deleted file mode 100644 index c0904dcf..00000000 --- a/tracking_denials/nfc.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/182086551 -dontaudit nfc dmabuf_heap_device:chr_file { open }; -dontaudit nfc dmabuf_heap_device:chr_file { ioctl }; -dontaudit nfc dmabuf_heap_device:chr_file { read }; diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te index 2f9c64f4..6e8841af 100644 --- a/tracking_denials/platform_app.te +++ b/tracking_denials/platform_app.te 
@@ -6,7 +6,3 @@ dontaudit platform_app hal_wlc:binder { call }; dontaudit platform_app hal_wlc_hwservice:hwservice_manager { find }; dontaudit platform_app hal_wlc:binder { call }; dontaudit platform_app hal_wlc:binder { transfer }; -# b/182086482 -dontaudit platform_app dmabuf_heap_device:chr_file { ioctl }; -dontaudit platform_app dmabuf_heap_device:chr_file { read }; -dontaudit platform_app dmabuf_heap_device:chr_file { open }; diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te index 2f1e9463..d7e456ab 100644 --- a/tracking_denials/system_server.te +++ b/tracking_denials/system_server.te @@ -1,6 +1,2 @@ # b/178980142 dontaudit system_server property_type:file *; -# b/182086481 -dontaudit system_server dmabuf_heap_device:chr_file { ioctl }; -dontaudit system_server dmabuf_heap_device:chr_file { open }; -dontaudit system_server dmabuf_heap_device:chr_file { read }; From df06cd77606b122879ccfeef63f0d304bcfc20c2 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 9 Mar 2021 10:50:59 +0800 Subject: [PATCH 016/921] remove obsolete entries and put crucial domains to permissive Bug: 171942789 Bug: 178979986 Bug: 179310854 Bug: 178980065 Bug: 179198085 Bug: 178980032 Test: boot to home under enforcing mode Change-Id: Ic925dbbb74ca2ba38b22c982761c1e214886bfa1 --- tracking_denials/hal_power_default.te | 3 --- tracking_denials/mediacodec.te | 5 +++-- tracking_denials/tee.te | 3 +++ tracking_denials/vendor_init.te | 3 +++ 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te index ba08e0ad..ab5c7ecd 100644 --- a/tracking_denials/hal_power_default.te +++ b/tracking_denials/hal_power_default.te 
@@ -10,6 +10,3 @@ dontaudit hal_power_default sysfs:file { read }; dontaudit hal_power_default sysfs:file { getattr }; dontaudit hal_power_default sysfs:file { read }; dontaudit hal_power_default sysfs:file { getattr }; -# b/181713002 -dontaudit hal_power_default hal_graphics_composer_default:binder { transfer }; -dontaudit hal_power_default hal_graphics_composer_default:binder { transfer }; diff --git a/tracking_denials/mediacodec.te b/tracking_denials/mediacodec.te index 2d3f4475..d4a74b8a 100644 --- a/tracking_denials/mediacodec.te +++ b/tracking_denials/mediacodec.te @@ -2,5 +2,6 @@ dontaudit mediacodec sysfs:file { getattr }; dontaudit mediacodec sysfs:file { open }; dontaudit mediacodec sysfs:file { read }; -# b/176777184 -dontaudit mediacodec default_android_vndservice:service_manager add ; +userdebug_or_eng(` + permissive mediacodec; +') diff --git a/tracking_denials/tee.te b/tracking_denials/tee.te index 9148a9c7..3375948f 100644 --- a/tracking_denials/tee.te +++ b/tracking_denials/tee.te @@ -9,3 +9,6 @@ dontaudit tee persist_file:dir { search }; dontaudit tee mnt_vendor_file:dir { search }; dontaudit tee tee_data_file:lnk_file { read }; dontaudit tee persist_file:file { read write }; +userdebug_or_eng(` + permissive tee; +') diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index f00248a0..500c14ff 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -4,6 +4,9 @@ dontaudit vendor_init tmpfs:dir { add_name write }; dontaudit vendor_init debugfs_trace_marker:file { getattr }; # b/177186257 dontaudit vendor_init system_data_file:dir { open ioctl read }; +userdebug_or_eng(` + permissive vendor_init; +') # b/174443175 dontaudit vendor_init vendor_power_prop:property_service { set }; # b/177386448 From 43fb32d30098ceca5fbc3a1626e38ed54bfb99d4 Mon Sep 17 00:00:00 2001 
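Review bot: The `userdebug_or_eng(` permissive mediacodec; ')` block added in tracking_denials/mediacodec.te has no tracking-bug comment, and the hunk removes the `# b/176777184` line that preceded it; the blocks added for `tee` and `vendor_init` in the next two hunks lack one too. In vendor_init.te the block sits between the `# b/177186257` and `# b/174443175` entries, so it reads as if it belonged to the former. A permissive domain is not enforced at all on userdebug and eng builds, so for `tee` and `vendor_init` test results on those builds no longer predict what a user build will deny. Put a comment such as `# b/<tracking bug>: remove once the remaining denials are resolved` above each block so the exemption can be traced and taken out again.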
From: raylinhsu Date: Tue, 9 Mar 2021 17:08:09 +0800 Subject: [PATCH 017/921] dumpstate: allow dumpstate to access displaycolor In bugreport, we need to dump libdisplaycolor information. Hence, we should add corresponding sepolicy. Bug: 181915591 Test: There is no avc denied regarding to displaycolor when we capture the bugreport. Change-Id: I9f7f8f451fab24b4d0c49305d96b8db6b4d0eed4 --- tracking_denials/hal_dumpstate_default.te | 3 --- whitechapel/vendor/google/hal_dumpstate_default.te | 3 +++ 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te index 66e10a91..80494570 100644 --- a/tracking_denials/hal_dumpstate_default.te +++ b/tracking_denials/hal_dumpstate_default.te @@ -2,8 +2,6 @@ dontaudit hal_dumpstate_default aac_drc_prop:file { open }; dontaudit hal_dumpstate_default sysfs:dir { read }; dontaudit hal_dumpstate_default sysfs:dir { open }; -dontaudit hal_dumpstate_default vendor_displaycolor_service:service_manager { find }; -dontaudit hal_dumpstate_default hal_graphics_composer_default:binder { call }; dontaudit hal_dumpstate_default aac_drc_prop:file { getattr }; dontaudit hal_dumpstate_default aac_drc_prop:file { map }; dontaudit hal_dumpstate_default aac_drc_prop:file { open }; @@ -13,4 +11,3 @@ dontaudit hal_dumpstate_default ab_update_gki_prop:file { open }; dontaudit hal_dumpstate_default ab_update_gki_prop:file { open }; dontaudit hal_dumpstate_default sysfs:dir { read }; dontaudit hal_dumpstate_default sysfs:dir { open }; -dontaudit hal_dumpstate_default hal_graphics_composer_default:binder { call }; diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index d590a06d..4b3b4e4a 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te 
@@ -70,6 +70,9 @@ allow hal_dumpstate_default debugfs_f2fs:file r_file_perms; allow hal_dumpstate_default sysfs_scsi_devices_0000:dir r_dir_perms; allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms; +allow hal_dumpstate_default vendor_displaycolor_service:service_manager find; +binder_call(hal_dumpstate_default, hal_graphics_composer_default); + userdebug_or_eng(` allow hal_dumpstate_default mnt_vendor_file:dir search; allow hal_dumpstate_default ramdump_vendor_mnt_file:dir search; From a3678d9487832929bd7e7e33c23c62c0dcecd80e Mon Sep 17 00:00:00 2001 From: Jack Wu Date: Mon, 8 Mar 2021 21:21:30 +0800 Subject: [PATCH 018/921] hal_power_stats_default: Fix avc denials [ 351.298850] type=1400 audit(1614041245.976:13): avc: denied { read } for comm="android.hardwar" name="hf1_wfi" dev="sysfs" ino=78155 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=file permissive=1 [ 698.658433] type=1400 audit(1614041593.336:1733): avc: denied { open } for comm="stats@1.0-servi" path="/sys/devices/platform/19000000.aoc/control/monitor_mode" dev="sysfs" ino=78158 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=file permissive=1 02-23 08:53:13.336 673 673 I stats@1.0-servi: type=1400 audit(0.0:1734): avc: denied { getattr } for path="/sys/devices/platform/19000000.aoc/control/monitor_mode" dev="sysfs" ino=78158 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=file permissive=1 02-23 08:52:26.228 670 670 I android.hardwar: type=1400 audit(0.0:724): avc: denied { search } for name="19000000.aoc" dev="sysfs" ino=18343 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=dir permissive=1 Bug: 180963514 Test: Verify pass by checking device log are w/o above errors after 
Signed-off-by: Jack Wu Change-Id: Iab245b320c1f6e75407f1fafb5ad20a087b1a707 --- tracking_denials/hal_power_stats_default.te | 56 ------------------- whitechapel/vendor/google/genfs_contexts | 15 +++++ .../vendor/google/hal_power_stats_default.te | 8 +++ 3 files changed, 23 insertions(+), 56 deletions(-) diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te index 20c95e4b..866c5176 100644 --- a/tracking_denials/hal_power_stats_default.te +++ b/tracking_denials/hal_power_stats_default.te @@ -1,7 +1,6 @@ # b/171760721 dontaudit hal_power_stats_default sysfs:file { read }; dontaudit hal_power_stats_default sysfs:file { getattr }; -dontaudit hal_power_stats_default citadeld:binder { call }; dontaudit hal_power_stats_default sysfs:file { read }; dontaudit hal_power_stats_default sysfs:file { getattr }; dontaudit hal_power_stats_default sysfs:file { open }; 
@@ -11,58 +10,3 @@ dontaudit hal_power_stats_default sysfs:dir { open }; dontaudit hal_power_stats_default sysfs:file { read }; dontaudit hal_power_stats_default sysfs:file { open }; dontaudit hal_power_stats_default sysfs:file { open }; -# b/176777337 -dontaudit hal_power_stats_default sysfs_leds:dir search ; -dontaudit hal_power_stats_default sysfs_leds:file open ; -dontaudit hal_power_stats_default sysfs_leds:dir search ; -dontaudit hal_power_stats_default sysfs_leds:file read ; -dontaudit hal_power_stats_default sysfs_leds:file open ; -# b/176868314 -dontaudit hal_power_stats_default sysfs_leds:file read ; -dontaudit hal_power_stats_default sysfs_leds:file open ; -dontaudit hal_power_stats_default sysfs_leds:dir search ; -# b/179093124 -dontaudit hal_power_stats_default sysfs_backlight:file { open }; -dontaudit hal_power_stats_default sysfs_backlight:file { read }; -dontaudit hal_power_stats_default sysfs_backlight:file { open }; -dontaudit hal_power_stats_default sysfs_backlight:dir { search }; -dontaudit hal_power_stats_default sysfs_backlight:dir { search }; -dontaudit hal_power_stats_default sysfs_backlight:file { read }; -# b/180963514 -dontaudit hal_power_stats_default sysfs_aoc:file { read }; -dontaudit hal_power_stats_default sysfs_aoc:file { read }; -dontaudit hal_power_stats_default sysfs_aoc:file { open }; -dontaudit hal_power_stats_default sysfs_aoc:file { getattr }; -dontaudit hal_power_stats_default sysfs_aoc:file { open }; -dontaudit hal_power_stats_default sysfs_aoc:file { getattr }; -dontaudit hal_power_stats_default sysfs_aoc:dir { search }; -dontaudit hal_power_stats_default sysfs_aoc:file { read }; -dontaudit hal_power_stats_default sysfs_aoc:file { open }; -dontaudit hal_power_stats_default sysfs_aoc:file { open }; -dontaudit hal_power_stats_default sysfs_aoc:file { getattr }; -dontaudit hal_power_stats_default sysfs_aoc:dir { search }; -dontaudit hal_power_stats_default sysfs_aoc:dir { search }; -dontaudit hal_power_stats_default 
sysfs_aoc:file { read }; -dontaudit hal_power_stats_default sysfs_aoc:file { open }; -dontaudit hal_power_stats_default sysfs_aoc:file { getattr }; -dontaudit hal_power_stats_default sysfs_aoc:file { read }; -# b/181915165 -dontaudit hal_power_stats_default sysfs_acpm_stats:file { read }; -dontaudit hal_power_stats_default sysfs_acpm_stats:dir { search }; -dontaudit hal_power_stats_default sysfs_wifi:file { getattr }; -dontaudit hal_power_stats_default sysfs_acpm_stats:file { read }; -dontaudit hal_power_stats_default sysfs_acpm_stats:dir { search }; -dontaudit hal_power_stats_default sysfs_wifi:file { open }; -dontaudit hal_power_stats_default sysfs_acpm_stats:file { open }; -dontaudit hal_power_stats_default sysfs_acpm_stats:file { getattr }; -dontaudit hal_power_stats_default sysfs_wifi:file { getattr }; -dontaudit hal_power_stats_default sysfs_wifi:file { open }; -dontaudit hal_power_stats_default sysfs_acpm_stats:file { read }; -dontaudit hal_power_stats_default sysfs_wifi:file { read }; -dontaudit hal_power_stats_default sysfs_wifi:dir { search }; -dontaudit hal_power_stats_default sysfs_acpm_stats:file { getattr }; -dontaudit hal_power_stats_default sysfs_acpm_stats:file { open }; -dontaudit hal_power_stats_default sysfs_acpm_stats:file { read }; -dontaudit hal_power_stats_default sysfs_acpm_stats:dir { search }; -dontaudit hal_power_stats_default sysfs_wifi:dir { search }; -dontaudit hal_power_stats_default sysfs_wifi:file { read }; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index b98a7494..759f260b 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -107,7 +107,22 @@ genfscon proc /bluetooth/sleep/btwrite genfscon proc /bluetooth/sleep/btwake u:object_r:proc_bluetooth_writable:s0 # ODPM +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 + +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name 
u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 # Chosen diff --git a/whitechapel/vendor/google/hal_power_stats_default.te b/whitechapel/vendor/google/hal_power_stats_default.te index 8ffff074..3fd46419 100644 --- a/whitechapel/vendor/google/hal_power_stats_default.te +++ b/whitechapel/vendor/google/hal_power_stats_default.te @@ -6,4 +6,12 @@ binder_call(hal_power_stats_default, hal_bluetooth_btlinux) allow hal_power_stats_default odpm_config_file:dir search; allow hal_power_stats_default odpm_config_file:file r_file_perms; +allow hal_power_stats_default sysfs_odpm:dir search; allow hal_power_stats_default sysfs_odpm:file rw_file_perms; + +binder_call(hal_power_stats_default, citadeld) +r_dir_file(hal_power_stats_default, sysfs_aoc) +r_dir_file(hal_power_stats_default, sysfs_leds) +r_dir_file(hal_power_stats_default, sysfs_acpm_stats) +r_dir_file(hal_power_stats_default, sysfs_wifi) +r_dir_file(hal_power_stats_default, sysfs_backlight) From ce711fd18ec25292a6497cf091c4a893d0c53d9e Mon Sep 17 00:00:00 2001 From: andychou Date: Mon, 8 Mar 2021 18:31:07 +0800 Subject: [PATCH 019/921] Fix avc denied issue when accessing to IStats service Originally we use isPriv=true but Exo APP is not located in priv-app folder. So has to remove isPriv=true and add into net_domain in order to network accessing. This is a clone cl updated from ag/13794482 Bug: 180594376 Test: manual test if there is avc denied Change-Id: Icb5009248d10c23e772040aad8ac2fed849bafa0 --- ambient/exo_app.te | 5 ++++- ambient/seapp_contexts | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) 
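Review bot: The added `binder_call(hal_power_stats_default, citadeld)` in hal_power_stats_default.te carries no comment, and none of the tracking entries removed in the visible part of this commit concern citadeld; they cover only sysfs_leds, sysfs_backlight, sysfs_aoc, sysfs_acpm_stats and sysfs_wifi. A binder path from the power-stats HAL to another daemon deserves a stated reason next to the rule, for example `# power stats queries citadeld for <what it reads> (b/<bug-id>)`. Separately, the new `allow hal_power_stats_default sysfs_odpm:dir search;` may have nothing to match: the genfs_contexts hunk in this commit labels individual attribute files (`name`, `energy_value`, `sampling_rate`, `enabled_rails`) rather than their parent directories, so unless a directory-level entry exists outside the hunk the directories keep their existing label. The file continues outside the hunk.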
diff --git a/ambient/exo_app.te b/ambient/exo_app.te index a66e9413..a901a197 100644 --- a/ambient/exo_app.te +++ b/ambient/exo_app.te @@ -1,6 +1,7 @@ -type exo_app, domain; +type exo_app, coredomain, domain; app_domain(exo_app) +net_domain(exo_app) allow exo_app app_api_service:service_manager find; allow exo_app audioserver_service:service_manager find; @@ -8,4 +9,6 @@ allow exo_app cameraserver_service:service_manager find; allow exo_app mediaserver_service:service_manager find; allow exo_app radio_service:service_manager find; allow exo_app fwk_stats_hwservice:hwservice_manager find; +allow exo_app mediametrics_service:service_manager find; + binder_call(exo_app, statsd) diff --git a/ambient/seapp_contexts b/ambient/seapp_contexts index 2bfdde8e..4ee10805 100644 --- a/ambient/seapp_contexts +++ b/ambient/seapp_contexts @@ -1,5 +1,5 @@ # Domain for Exo app -user=_app isPrivApp=true seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all +user=_app seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all # Domain for Exo Wirecutter app user=_app seinfo=wirecutter name=com.google.pixel.wirecutter domain=exo_wirecutter_app type=app_data_file levelFrom=all From 487f66f754771e092a8d037f51fd7775d57ecb6e Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 10 Mar 2021 09:44:05 +0800 Subject: [PATCH 020/921] update error on ROM 7196668 Bug: 182320300 Bug: 182320246 Bug: 182320258 Bug: 182320172 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: Ib7bf40299374061526a87714cfd8982544a1698f --- tracking_denials/hal_bluetooth_btlinux.te | 4 ++++ tracking_denials/hal_power_stats_default.te | 2 ++ tracking_denials/init-insmod-sh.te | 9 +++++++++ tracking_denials/rild.te | 9 +++++++++ 4 files changed, 24 insertions(+) create mode 100644 tracking_denials/hal_bluetooth_btlinux.te 
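Review bot: The `coredomain` attribute added to `type exo_app` in the first hunk of ambient/exo_app.te is not explained anywhere; the commit description covers only the removal of isPrivApp and the addition of `net_domain(exo_app)`. Attributes on a type declaration change which neverallow rules apply to the domain, so the reason should be recorded beside it, for example `# coredomain: <reason> (b/180594376)`. The second hunk's `allow exo_app mediametrics_service:service_manager find;` is likewise absent from the description and would benefit from the denial it answers being quoted.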
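Review bot: With `isPrivApp=true` removed from the `com.google.pixel.exo` entry in ambient/seapp_contexts, `seinfo=platform` and the package name are the only selectors left for entering `exo_app`, a domain that this same commit gives network access through `net_domain(exo_app)`. That is a deliberate widening according to the description, but the file itself does not say so. A comment above the entry would keep a later editor from treating it as an oversight, for example `# Not installed in priv-app; matched by platform signature and package name only`.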
diff --git a/tracking_denials/hal_bluetooth_btlinux.te b/tracking_denials/hal_bluetooth_btlinux.te new file mode 100644 index 00000000..0136730b --- /dev/null +++ b/tracking_denials/hal_bluetooth_btlinux.te @@ -0,0 +1,4 @@ +# b/182320300 +dontaudit hal_bluetooth_btlinux servicemanager:binder { call }; +dontaudit hal_bluetooth_btlinux servicemanager:binder { call }; +dontaudit hal_bluetooth_btlinux default_android_service:service_manager { find }; diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te index 866c5176..a3e7430e 100644 --- a/tracking_denials/hal_power_stats_default.te +++ b/tracking_denials/hal_power_stats_default.te @@ -10,3 +10,5 @@ dontaudit hal_power_stats_default sysfs:dir { open }; dontaudit hal_power_stats_default sysfs:file { read }; dontaudit hal_power_stats_default sysfs:file { open }; dontaudit hal_power_stats_default sysfs:file { open }; +# b/182320246 +dontaudit hal_power_stats_default default_android_service:service_manager { add }; diff --git a/tracking_denials/init-insmod-sh.te b/tracking_denials/init-insmod-sh.te index 9f615fab..ca69d4cb 100644 --- a/tracking_denials/init-insmod-sh.te +++ b/tracking_denials/init-insmod-sh.te @@ -2,3 +2,12 @@ dontaudit init-insmod-sh vendor_regmap_debugfs:dir { search }; dontaudit init-insmod-sh vendor_regmap_debugfs:dir { search }; dontaudit init-insmod-sh vendor_regmap_debugfs:dir { search }; +# b/182320258 +dontaudit init-insmod-sh vendor_file:system { module_load }; +dontaudit init-insmod-sh vendor_file:system { module_load }; +dontaudit init-insmod-sh vendor_file:system { module_load }; +dontaudit init-insmod-sh vendor_file:system { module_load }; +dontaudit init-insmod-sh vendor_file:system { module_load }; +dontaudit init-insmod-sh vendor_file:system { module_load }; +dontaudit init-insmod-sh vendor_file:system { module_load }; +dontaudit init-insmod-sh vendor_file:system { module_load }; 
diff --git a/tracking_denials/rild.te b/tracking_denials/rild.te index 10680da3..405763e2 100644 --- a/tracking_denials/rild.te +++ b/tracking_denials/rild.te @@ -14,3 +14,12 @@ dontaudit rild unlabeled:file { open }; dontaudit rild unlabeled:file { read }; dontaudit rild unlabeled:file { getattr }; dontaudit rild unlabeled:file { lock }; +# b/182320172 +dontaudit rild sota_prop:file { map }; +dontaudit rild sota_prop:file { getattr }; +dontaudit rild sota_prop:file { open }; +dontaudit rild sota_prop:file { read }; +dontaudit rild sota_prop:file { read }; +dontaudit rild sota_prop:file { open }; +dontaudit rild sota_prop:file { getattr }; +dontaudit rild sota_prop:file { map }; From 58b3344c7aa5ade1f70361a50c9409832e0f771d Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 10 Mar 2021 10:36:45 +0800 Subject: [PATCH 021/921] label kernel modules and grant bt permission Bug: 182320300 Bug: 182320258 Test: boot to home and connect to bluetooth headset under enforcing mode Change-Id: I6f6e8359d03eb4205268d56a1fcd50ce1445f442 --- tracking_denials/hal_bluetooth_btlinux.te | 2 -- tracking_denials/init-insmod-sh.te | 9 --------- whitechapel/vendor/google/file_contexts | 1 + whitechapel/vendor/google/hal_bluetooth_btlinux.te | 1 + 4 files changed, 2 insertions(+), 11 deletions(-) diff --git a/tracking_denials/hal_bluetooth_btlinux.te b/tracking_denials/hal_bluetooth_btlinux.te index 0136730b..7a2c4f88 100644 --- a/tracking_denials/hal_bluetooth_btlinux.te +++ b/tracking_denials/hal_bluetooth_btlinux.te @@ -1,4 +1,2 @@ # b/182320300 -dontaudit hal_bluetooth_btlinux servicemanager:binder { call }; -dontaudit hal_bluetooth_btlinux servicemanager:binder { call }; dontaudit hal_bluetooth_btlinux default_android_service:service_manager { find }; diff --git a/tracking_denials/init-insmod-sh.te b/tracking_denials/init-insmod-sh.te index ca69d4cb..9f615fab 100644 --- a/tracking_denials/init-insmod-sh.te +++ b/tracking_denials/init-insmod-sh.te 
@@ -2,12 +2,3 @@ dontaudit init-insmod-sh vendor_regmap_debugfs:dir { search }; dontaudit init-insmod-sh vendor_regmap_debugfs:dir { search }; dontaudit init-insmod-sh vendor_regmap_debugfs:dir { search }; -# b/182320258 -dontaudit init-insmod-sh vendor_file:system { module_load }; -dontaudit init-insmod-sh vendor_file:system { module_load }; -dontaudit init-insmod-sh vendor_file:system { module_load }; -dontaudit init-insmod-sh vendor_file:system { module_load }; -dontaudit init-insmod-sh vendor_file:system { module_load }; -dontaudit init-insmod-sh vendor_file:system { module_load }; -dontaudit init-insmod-sh vendor_file:system { module_load }; -dontaudit init-insmod-sh vendor_file:system { module_load }; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 68bcf67f..5c3908d6 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -356,6 +356,7 @@ # Vendor_kernel_modules /vendor/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 # Display /vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0 diff --git a/whitechapel/vendor/google/hal_bluetooth_btlinux.te b/whitechapel/vendor/google/hal_bluetooth_btlinux.te index 4e61c620..f7096836 100644 --- a/whitechapel/vendor/google/hal_bluetooth_btlinux.te +++ b/whitechapel/vendor/google/hal_bluetooth_btlinux.te @@ -4,6 +4,7 @@ allow hal_bluetooth_btlinux sysfs_bluetooth_writable:file rw_file_perms; allow hal_bluetooth_btlinux proc_bluetooth_writable:file rw_file_perms; allow hal_bluetooth_btlinux hci_attach_dev:chr_file rw_file_perms; allow hal_bluetooth_btlinux wb_coexistence_dev:chr_file rw_file_perms; +binder_call(hal_bluetooth_btlinux, servicemanager) # power stats vndbinder_use(hal_bluetooth_btlinux) From 522a8aefcfa28660a4b506ecefee88185ee7403e Mon Sep 17 00:00:00 2001 
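Review bot: `binder_call(hal_bluetooth_btlinux, servicemanager)` is added to hal_bluetooth_btlinux.te while the tracking file in this same commit keeps `dontaudit hal_bluetooth_btlinux default_android_service:service_manager { find };`, so the lookup that presumably follows the servicemanager call is still denied, and without an audit record. The `default_android_service` target suggests the service being looked up has no dedicated label; giving it one and allowing `find` on that type would resolve the denial without ever granting find on the default label. The context line after the addition is `vndbinder_use(hal_bluetooth_btlinux)`, so a comment stating why this HAL needs the framework servicemanager as well would help the next reviewer. The file continues outside the hunk.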
From: Jack Wu Date: Wed, 10 Mar 2021 12:23:34 +0800 Subject: [PATCH 022/921] hal_health_default: Fix avc denials [ 5.146740] type=1400 audit(1611123521.796:23): avc: denied { search } for comm="android.hardwar" name="4-003c" dev="sysfs" ino=56632 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=dir permissive=1 [ 5.425436] type=1400 audit(1611123522.076:24): avc: denied { search } for comm="health@2.1-serv" name="4-003c" dev="sysfs" ino=56632 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=dir permissive=1 [ 29.943710] type=1400 audit(1611123546.592:483): avc: denied { write } for comm="health@2.1-serv" name="mode" dev="sysfs" ino=14741 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1 01-20 14:18:41.796 656 656 I android.hardwar: type=1400 audit(0.0:23): avc: denied { search } for name="4-003c" dev="sysfs" ino=56632 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=dir permissive=1 Bug: 177966434 Test: Verify pass by checking device log are w/o above errors after Signed-off-by: Jack Wu Change-Id: I576547e27dceb55fd768de2834e3bb0155857f56 --- tracking_denials/hal_health_default.te | 15 --------------- whitechapel/vendor/google/hal_health_default.te | 7 +++++++ 2 files changed, 7 insertions(+), 15 deletions(-) diff --git a/tracking_denials/hal_health_default.te b/tracking_denials/hal_health_default.te index 2ffd7634..e69de29b 100644 --- a/tracking_denials/hal_health_default.te +++ b/tracking_denials/hal_health_default.te 
@@ -1,15 +0,0 @@ -# b/177966434 -dontaudit hal_health_default sysfs_wlc:dir { search }; -# b/181177925 -dontaudit hal_health_default thermal_link_device:dir { search }; -dontaudit hal_health_default sysfs_thermal:file { open }; -dontaudit hal_health_default sysfs_thermal:file { write }; -dontaudit hal_health_default sysfs_thermal:lnk_file { read }; -dontaudit hal_health_default sysfs_thermal:dir { search }; -dontaudit hal_health_default sysfs_thermal:file { write }; -dontaudit hal_health_default sysfs_thermal:file { open }; -dontaudit hal_health_default sysfs_batteryinfo:file { write }; -dontaudit hal_health_default sysfs_thermal:dir { search }; -dontaudit hal_health_default thermal_link_device:dir { search }; -dontaudit hal_health_default sysfs_batteryinfo:file { write }; -dontaudit hal_health_default sysfs_thermal:lnk_file { read }; diff --git a/whitechapel/vendor/google/hal_health_default.te b/whitechapel/vendor/google/hal_health_default.te index 4bc85f26..a684dcc2 100644 --- a/whitechapel/vendor/google/hal_health_default.te +++ b/whitechapel/vendor/google/hal_health_default.te @@ -5,3 +5,10 @@ allow hal_health_default persist_battery_file:dir rw_dir_perms; set_prop(hal_health_default, vendor_battery_defender_prop) r_dir_file(hal_health_default, sysfs_scsi_devices_0000) + +allow hal_health_default sysfs_wlc:dir search; +allow hal_health_default sysfs_batteryinfo:file w_file_perms; +allow hal_health_default sysfs_thermal:dir search; +allow hal_health_default sysfs_thermal:file w_file_perms; +allow hal_health_default sysfs_thermal:lnk_file read; +allow hal_health_default thermal_link_device:dir search; From 47bf48c03b180a610a3cf2fce893f12f0a7749e5 Mon Sep 17 00:00:00 2001 
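Review bot: `allow hal_health_default sysfs_thermal:file w_file_perms;` lets the health HAL write every file labelled sysfs_thermal, although the AVC quoted in the description shows a write to a single node (`name="mode"`) and the removed tracking entries list only `open` and `write`. The same applies to `sysfs_batteryinfo:file w_file_perms`, for which the description quotes no denial at all. If a narrower label for the written nodes is not practical, the rules should at least name what is written, for example `# health HAL writes the sysfs_thermal "mode" node (b/181177925)`. The file continues outside the hunk.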
From: Calvin Pan Date: Wed, 10 Mar 2021 15:07:30 +0800 Subject: [PATCH 023/921] Fix avc denied in OMA DM 03-10 11:30:05.640 30617 30617 I auditd : type=1400 audit(0.0:493): avc: denied { search } for comm="IntentService[D" name="radio" dev="dm-6" ino=242 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1 app=com.android.omadm.service 03-10 11:30:05.640 30617 30617 I IntentService[D: type=1400 audit(0.0:493): avc: denied { search } for name="radio" dev="dm-6" ino=242 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1 app=com.android.omadm.service 03-10 11:30:05.640 30617 30617 I auditd : type=1400 audit(0.0:494): avc: denied { getattr } for comm="IntentService[D" path="/data/vendor/radio/omadm_logs.txt" dev="dm-6" ino=17137 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service 03-10 11:30:05.640 30617 30617 I IntentService[D: type=1400 audit(0.0:494): avc: denied { getattr } for path="/data/vendor/radio/omadm_logs.txt" dev="dm-6" ino=17137 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service 03-10 11:30:05.640 30617 30617 I auditd : type=1400 audit(0.0:495): avc: denied { setattr } for comm="IntentService[D" name="omadm_logs.txt" dev="dm-6" ino=17137 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service 03-10 11:30:05.640 30617 30617 I IntentService[D: type=1400 audit(0.0:495): avc: denied { setattr } for name="omadm_logs.txt" dev="dm-6" ino=17137 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service 03-10 11:30:05.640 30617 30617 I 
auditd : type=1400 audit(0.0:496): avc: denied { append } for comm="IntentService[D" name="omadm_logs.txt" dev="dm-6" ino=17137 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service 03-10 11:30:05.640 30617 30617 I IntentService[D: type=1400 audit(0.0:496): avc: denied { append } for name="omadm_logs.txt" dev="dm-6" ino=17137 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service 03-10 11:30:05.640 30617 30617 I auditd : type=1400 audit(0.0:497): avc: denied { open } for comm="IntentService[D" path="/data/vendor/radio/omadm_logs.txt" dev="dm-6" ino=17137 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service 03-10 11:30:05.640 30617 30617 I IntentService[D: type=1400 audit(0.0:497): avc: denied { open } for path="/data/vendor/radio/omadm_logs.txt" dev="dm-6" ino=17137 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service 03-10 11:57:07.155 386 386 E SELinux : avc: denied { find } for pid=8406 uid=10141 name=autofill scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:autofill_service:s0 tclass=service_manager permissive=1 03-10 11:57:07.155 386 386 I auditd : avc: denied { find } for pid=8406 uid=10141 name=autofill scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:autofill_service:s0 tclass=service_manager permissive=1 03-10 12:26:05.904 388 388 E SELinux : avc: denied { find } for pid=12124 uid=10141 name=activity scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=1 03-10 12:26:05.904 388 388 I auditd : avc: denied { find } for pid=12124 uid=10141 name=activity 
scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=1 03-10 12:26:05.931 388 388 E SELinux : avc: denied { find } for pid=12124 uid=10141 name=activity_task scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:activity_task_service:s0 tclass=service_manager permissive=1 03-10 12:26:05.931 388 388 I auditd : avc: denied { find } for pid=12124 uid=10141 name=activity_task scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:activity_task_service:s0 tclass=service_manager permissive=1 03-10 12:26:05.960 388 388 E SELinux : avc: denied { find } for pid=12124 uid=10141 name=SurfaceFlinger scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager permissive=1 03-10 12:26:05.960 388 388 I auditd : avc: denied { find } for pid=12124 uid=10141 name=SurfaceFlinger scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager permissive=1 03-10 12:26:05.960 388 388 E SELinux : avc: denied { find } for pid=12124 uid=10141 name=gpu scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:gpu_service:s0 tclass=service_manager permissive=1 03-10 12:26:05.960 388 388 I auditd : avc: denied { find } for pid=12124 uid=10141 name=gpu scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:gpu_service:s0 tclass=service_manager permissive=1 03-10 12:26:06.041 388 388 E SELinux : avc: denied { find } for pid=12124 uid=10141 name=audio scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1 03-10 12:26:06.041 388 388 I auditd : avc: denied { find } for pid=12124 uid=10141 name=audio scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1 03-10 12:35:40.653 387 387 E SELinux : avc: denied { find } for pid=8328 uid=10141 name=tethering 
scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:tethering_service:s0 tclass=service_manager permissive=1 03-10 12:35:40.654 387 387 I auditd : avc: denied { find } for pid=8328 uid=10141 name=tethering scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:tethering_service:s0 tclass=service_manager permissive=1 03-10 12:35:40.658 387 387 E SELinux : avc: denied { find } for pid=8328 uid=10141 name=isub scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_service:s0 tclass=service_manager permissive=1 03-10 12:35:40.658 387 387 I auditd : avc: denied { find } for pid=8328 uid=10141 name=isub scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_service:s0 tclass=service_manager permissive=1 Bug: 173990082 Test: Trigger OMA DM Change-Id: Ie66ecd1c9d80f7b12a4545f3651dd2c5f02b119b --- whitechapel/vendor/google/omadm.te | 10 ++++++++++ whitechapel/vendor/google/seapp_contexts | 3 +++ 2 files changed, 13 insertions(+) create mode 100644 whitechapel/vendor/google/omadm.te diff --git a/whitechapel/vendor/google/omadm.te b/whitechapel/vendor/google/omadm.te new file mode 100644 index 00000000..3990dd7b --- /dev/null +++ b/whitechapel/vendor/google/omadm.te @@ -0,0 +1,10 @@ +# OMADM app +type omadm_app, domain; + +app_domain(omadm_app) +net_domain(omadm_app) + +allow omadm_app radio_vendor_data_file:dir rw_dir_perms; +allow omadm_app radio_vendor_data_file:file create_file_perms; +allow omadm_app app_api_service:service_manager find; +allow omadm_app radio_service:service_manager find; diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index 287d6ecf..a9dec13d 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts 
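Review bot: The two `radio_vendor_data_file` rules in the new omadm.te grant more than the denials quoted in the description: those show `search` on the `radio` directory and `getattr`, `setattr`, `append` and `open` on one file, `/data/vendor/radio/omadm_logs.txt`. `rw_dir_perms` plus `create_file_perms` instead lets a network-enabled app domain (`net_domain(omadm_app)`) create and modify any file carrying that label. If the app only appends to its own log, `allow omadm_app radio_vendor_data_file:dir search;` and `allow omadm_app radio_vendor_data_file:file { getattr setattr append open };` would match the logs, and a dedicated type for the OMA DM log would be narrower still. If it has to create the file, a comment should say so.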
@@ -28,3 +28,6 @@ user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app # Hardware Info Collection user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user + +# Domain for omadm +user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all From 4dd3e1e99ee36f091ce473780ea5a1bd2bb15364 Mon Sep 17 00:00:00 2001 From: Tai Kuo Date: Wed, 10 Mar 2021 17:00:16 +0800 Subject: [PATCH 024/921] Add touch procfs and sysfs sepolicy Touch palm sepolicies are not included. Bug: 173330981 Test: No avc denied log for touch sysfs, procfs access. Signed-off-by: Tai Kuo Change-Id: Idf510e4a9c65e5af0885159353ef85d6b6ec553f --- whitechapel/vendor/google/genfs_contexts | 4 +++- whitechapel/vendor/google/hal_dumpstate_default.te | 5 +++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 759f260b..d01b107d 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -76,8 +76,10 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/wakeup/wakeu genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup u:object_r:sysfs_wakeup:s0 # Touch -genfscon sysfs /class/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0 +genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0 +genfscon sysfs /devices/platform/10950000.spi/spi_master/spi6/spi6.0 u:object_r:sysfs_touch:s0 genfscon proc /fts/driver_test u:object_r:proc_touch:s0 +genfscon proc /fts_ext/driver_test u:object_r:proc_touch:s0 genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0 # EdgeTPU diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 4b3b4e4a..a72f1257 100644 
--- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -44,6 +44,11 @@ allow hal_dumpstate_default aoc_device:chr_file rw_file_perms; allow hal_dumpstate_default sysfs_wifi:dir search; allow hal_dumpstate_default sysfs_wifi:file r_file_perms; +# Touch sysfs interface +allow hal_dumpstate_default sysfs_touch:dir r_dir_perms; +allow hal_dumpstate_default sysfs_touch:file rw_file_perms; +allow hal_dumpstate_default proc_touch:file rw_file_perms; + allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms; allow hal_dumpstate_default sysfs_thermal:file r_file_perms; allow hal_dumpstate_default sysfs_thermal:lnk_file read; From 7edb7e30c445eea6468fd6c9bd403533de81a9a1 Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Wed, 10 Mar 2021 14:37:33 +0800 Subject: [PATCH 025/921] vendor_init: Update tracking denials Removed the path creation from init rc. Bug: 177186257 Change-Id: I5a8e99ae273d0c8370255bcdb4b9e802fa9895ca --- tracking_denials/vendor_init.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index 500c14ff..4e26b99d 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -2,8 +2,6 @@ dontaudit vendor_init tmpfs:dir { add_name write }; # b/176528557 dontaudit vendor_init debugfs_trace_marker:file { getattr }; -# b/177186257 -dontaudit vendor_init system_data_file:dir { open ioctl read }; userdebug_or_eng(` permissive vendor_init; ') From 6247ff69b2bc00f2629b85c8cba242297b4310fa Mon Sep 17 00:00:00 2001 
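Review bot: The touch block gives hal_dumpstate_default write access through `rw_file_perms` on both `sysfs_touch` and `proc_touch`, whereas the wifi and thermal rules on either side of it in this hunk are read-only (`r_file_perms`). After the genfs_contexts change in this commit those labels cover everything under the `spi11.0` and `spi6.0` device paths and both `driver_test` proc nodes. If the dump has to write a command to the driver before reading the result back, the comment should state that, for example `# Touch: dumpstate writes a test command, then reads the result back`; otherwise `r_file_perms` would keep the block consistent with its neighbours. The file continues outside the hunk.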
From: SalmaxChang Date: Wed, 10 Mar 2021 14:31:55 +0800 Subject: [PATCH 026/921] cbd: Fix avc errors avc: denied { setuid } for comm="cbd" capability=7 scontext=u:r:cbd:s0 tcontext=u:r:cbd:s0 tclass=capability permissive=1 avc: denied { search } for comm="cbd" name="vendor" dev="tmpfs" ino=2 scontext=u:r:cbd:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=1 Bug: 178331928 Bug: 171267363 Change-Id: Icf28f494f05ee386ce94213929926369f2775173 --- tracking_denials/cbd.te | 8 -------- whitechapel/vendor/google/cbd.te | 6 ++++++ 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/tracking_denials/cbd.te b/tracking_denials/cbd.te index 2dd39498..f0d5d6b0 100644 --- a/tracking_denials/cbd.te +++ b/tracking_denials/cbd.te @@ -1,8 +1,3 @@ -# b/171267363 -dontaudit cbd cbd:capability {setuid }; -# b/178331928 -dontaudit cbd mnt_vendor_file:dir { search }; -dontaudit cbd mnt_vendor_file:dir { search }; # b/178979986 dontaudit cbd unlabeled:dir { getattr }; dontaudit cbd unlabeled:file { open }; @@ -19,6 +14,3 @@ dontaudit cbd unlabeled:file { open }; # b/179198083 dontaudit cbd unlabeled:file { ioctl }; dontaudit cbd unlabeled:file { ioctl }; -# b/182219008 -dontaudit cbd persist_file:dir { search }; -dontaudit cbd persist_file:dir { search }; diff --git a/whitechapel/vendor/google/cbd.te b/whitechapel/vendor/google/cbd.te index 41ee23d7..c283c3b3 100644 --- a/whitechapel/vendor/google/cbd.te +++ b/whitechapel/vendor/google/cbd.te @@ -6,6 +6,12 @@ set_prop(cbd, vendor_modem_prop) set_prop(cbd, vendor_cbd_prop) set_prop(cbd, vendor_rild_prop) +# Allow cbd to setuid from root to radio +# TODO: confirming with vendor via b/182334947 +allow cbd self:capability { setgid setuid }; + +allow cbd mnt_vendor_file:dir r_dir_perms; + allow cbd kmsg_device:chr_file rw_file_perms; allow cbd vendor_shell_exec:file execute_no_trans; From 8cac55487b2da4349c90341e8cda1a4e6098f939 Mon Sep 17 00:00:00 2001 
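Review bot: `allow cbd self:capability { setgid setuid };` in cbd.te grants `setgid`, although the comment above the rule and the AVC quoted in the description mention only `setuid`. If cbd changes its group as well when switching from root to radio, the comment should cover both, for example `# Allow cbd to drop from root to radio (setgid and setuid)`. The same commit also deletes the `persist_file:dir { search }` tracking entries (b/182219008) from tracking_denials/cbd.te with no matching allow in this hunk and no mention in the description, so those denials will presumably be audited again; a line in the description saying whether that is intended would help. The file continues outside the hunk.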
From: Tai Kuo Date: Wed, 10 Mar 2021 17:05:47 +0800 Subject: [PATCH 027/921] gs101-sepolicy: Add twoshay permissions Add twoshay and touch input context library permissions Bug: 173330899 Bug: 173330981 Test: check boot-time twoshay startup and no denials. Signed-off-by: Steve Pfetsch Change-Id: I68aace66f49c2af1ebfd4bde7082039f9caf3f64 Signed-off-by: Tai Kuo --- whitechapel/vendor/google/device.te | 3 +++ whitechapel/vendor/google/file_contexts | 4 ++++ whitechapel/vendor/google/twoshay.te | 8 ++++++++ 3 files changed, 15 insertions(+) create mode 100644 whitechapel/vendor/google/twoshay.te diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index 375c91c3..9287dd13 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -30,6 +30,9 @@ type cpuctl_device, dev_type; # Bt Wifi Coexistence device type wb_coexistence_dev, dev_type; +# Touch +type touch_offload_device, dev_type; + # LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL type lwis_device, dev_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 68bcf67f..d257d295 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -363,6 +363,10 @@ /vendor/lib(64)?/hw/gralloc\.gs101\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/hw/vulkan\.gs101\.so u:object_r:same_process_hal_file:s0 +# Touch +/dev/touch_offload u:object_r:touch_offload_device:s0 +/vendor/bin/twoshay u:object_r:twoshay_exec:s0 + # Fingerprint /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:hal_fingerprint_default_exec:s0 diff --git a/whitechapel/vendor/google/twoshay.te b/whitechapel/vendor/google/twoshay.te new file mode 100644 index 00000000..139294d6 --- /dev/null 
+++ b/whitechapel/vendor/google/twoshay.te @@ -0,0 +1,8 @@ +type twoshay, domain; +type twoshay_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(twoshay) + +allow twoshay touch_offload_device:chr_file rw_file_perms; +allow twoshay twoshay:capability sys_nice; + From cc8429cc0db1fd8f181e05a62fcc4fa523386da5 Mon Sep 17 00:00:00 2001 From: yihsiangpeng Date: Thu, 11 Mar 2021 14:47:49 +0800 Subject: [PATCH 028/921] Move wireless charger HAL to 1.3 Bug: 179464598 Signed-off-by: yihsiangpeng Change-Id: I73d1d811f2483bbe80e7d4aea1f6e9f143bc2836 --- whitechapel/vendor/google/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 68bcf67f..18977e33 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -27,7 +27,7 @@ /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service\.gs101 u:object_r:hal_dumpstate_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.gs101 u:object_r:hal_power_stats_default_exec:s0 # Wireless charger HAL -/(vendor|system/vendor)/bin/hw/vendor\.google\.wireless_charger@1\.2-service-vendor u:object_r:hal_wlc_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 # Vendor Firmwares /(vendor|system/vendor)/firmware(/.*)? u:object_r:vendor_fw_file:s0 From 5019452cbba5567f864b170155257a7890731fe6 Mon Sep 17 00:00:00 2001 
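Review bot: `allow twoshay twoshay:capability sys_nice;` names the domain as its own target; cbd.te in this series writes the equivalent rule with the `self` keyword (`allow cbd self:capability ...`), and the new file should match: `allow twoshay self:capability sys_nice;`. The new twoshay.te also has no header comment saying what the daemon is or why it needs `sys_nice` and read-write access to `touch_offload_device`; one line at the top such as `# twoshay: touch offload daemon (b/173330899)` would cover it, with the wording to be confirmed by the author. The trailing blank added line at the end of the file can be dropped.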
From: Lopy Cheng Date: Wed, 10 Mar 2021 20:07:06 +0800 Subject: [PATCH 029/921] HardwareInfo: Add sepolicy for display hardwareinfo: type=1400 audit(0.0:17): avc: denied { read } for name="serial_number" dev="sysfs" ino=68309 scontext=u:r:hardware_info_app:s0:c512,c768 tcontext=u:object_r:sysfs_display:s0 tclass=file permissive=1 app=com.google.android.hardwareinfo hardwareinfo: type=1400 audit(0.0:18): avc: denied { open } for path="/sys/devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number" dev="sysfs" ino=68309 scontext=u:r:hardware_info_app:s0:c512,c768 tcontext=u:object_r:sysfs_display:s0 tclass=file permissive=1 app=com.google.android.hardwareinfo hardwareinfo: type=1400 audit(0.0:19): avc: denied { getattr } for path="/sys/devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number" dev="sysfs" ino=68309 scontext=u:r:hardware_info_app:s0:c512,c768 tcontext=u:object_r:sysfs_display:s0 tclass=file permissive=1 app=com.google.android.hardwareinfo Bug: 161943795 Test: 1. Remove hardwareinfo app rm -r /data/data/com.google.android.hardwareinfo/ 2. Connect wifi and reboot 3. Check the HardwareInfoService status. 4. There is no AVC denied log. Change-Id: I4d1c83a1c5b0f2f3bdd64ab79ab45fb69470b25b --- whitechapel/vendor/google/hardware_info_app.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/hardware_info_app.te b/whitechapel/vendor/google/hardware_info_app.te index b8774183..c5bfb879 100644 --- a/whitechapel/vendor/google/hardware_info_app.te +++ b/whitechapel/vendor/google/hardware_info_app.te @@ -3,3 +3,7 @@ type hardware_info_app, domain; app_domain(hardware_info_app) allow hardware_info_app app_api_service:service_manager find; + +# Display +allow hardware_info_app sysfs_display:dir search; +allow hardware_info_app sysfs_display:file r_file_perms; From 78cd6eb78e799c0c91c43d28fb2e6f7ea0132fa4 Mon Sep 17 00:00:00 2001 
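Review bot: The new rules in hardware_info_app.te let an app domain read every file labelled `sysfs_display`, while all three denials quoted in the description are for one node, `serial_number`. A panel serial number is a persistent hardware identifier, so the grant should say what is read and why, for example `# Display: reads the panel serial_number for hardware info collection (b/161943795)`. If `sysfs_display` labels other nodes as well, a narrower type for `serial_number` would keep the app's access to what was actually denied.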
From: Eddie Tashjian Date: Mon, 22 Feb 2021 11:40:13 -0800 Subject: [PATCH 030/921] Add selinux policies for mounted modem parition Bug: 178980032 Bug: 178979986 Bug: 179198083 Bug: 179198085 Bug: 178980065 Test: Check selinux denials Change-Id: I7f826442d1536946d0e84aadfd80f679c0f4d6da --- tracking_denials/cbd.te | 16 ---------------- tracking_denials/init.te | 1 - tracking_denials/rild.te | 16 ---------------- whitechapel/vendor/google/cbd.te | 1 + whitechapel/vendor/google/file.te | 4 +++- whitechapel/vendor/google/init.te | 3 +++ whitechapel/vendor/google/rfsd.te | 5 +++++ whitechapel/vendor/google/rild.te | 5 +++++ 8 files changed, 17 insertions(+), 34 deletions(-) delete mode 100644 tracking_denials/cbd.te diff --git a/tracking_denials/cbd.te b/tracking_denials/cbd.te deleted file mode 100644 index f0d5d6b0..00000000 --- a/tracking_denials/cbd.te +++ /dev/null @@ -1,16 +0,0 @@ -# b/178979986 -dontaudit cbd unlabeled:dir { getattr }; -dontaudit cbd unlabeled:file { open }; -dontaudit cbd unlabeled:file { read }; -dontaudit cbd unlabeled:file { getattr }; -dontaudit cbd unlabeled:lnk_file { read }; -dontaudit cbd unlabeled:dir { search }; -dontaudit cbd unlabeled:file { getattr }; -dontaudit cbd unlabeled:dir { getattr }; -dontaudit cbd unlabeled:lnk_file { read }; -dontaudit cbd unlabeled:dir { search }; -dontaudit cbd unlabeled:file { read }; -dontaudit cbd unlabeled:file { open }; -# b/179198083 -dontaudit cbd unlabeled:file { ioctl }; -dontaudit cbd unlabeled:file { ioctl }; diff --git a/tracking_denials/init.te b/tracking_denials/init.te index 48fddf60..4371b751 100644 --- a/tracking_denials/init.te +++ b/tracking_denials/init.te @@ -16,5 +16,4 @@ dontaudit init device:chr_file { open }; dontaudit init device:chr_file { read write }; # b/180963348 dontaudit init overlayfs_file:chr_file { unlink }; -dontaudit init unlabeled:dir { mounton }; dontaudit init overlayfs_file:file { rename }; 
diff --git a/tracking_denials/rild.te b/tracking_denials/rild.te index 405763e2..c9a686c4 100644 --- a/tracking_denials/rild.te +++ b/tracking_denials/rild.te @@ -1,19 +1,3 @@ -# b/178980065 -dontaudit rild unlabeled:dir { search }; -dontaudit rild unlabeled:lnk_file { read }; -dontaudit rild unlabeled:dir { search }; -dontaudit rild unlabeled:lnk_file { read }; -# b/179198085 -dontaudit rild unlabeled:file { ioctl }; -dontaudit rild unlabeled:file { open }; -dontaudit rild unlabeled:file { read }; -dontaudit rild unlabeled:file { getattr }; -dontaudit rild unlabeled:file { lock }; -dontaudit rild unlabeled:file { ioctl }; -dontaudit rild unlabeled:file { open }; -dontaudit rild unlabeled:file { read }; -dontaudit rild unlabeled:file { getattr }; -dontaudit rild unlabeled:file { lock }; # b/182320172 dontaudit rild sota_prop:file { map }; dontaudit rild sota_prop:file { getattr }; diff --git a/whitechapel/vendor/google/cbd.te b/whitechapel/vendor/google/cbd.te index c283c3b3..d888deb5 100644 --- a/whitechapel/vendor/google/cbd.te +++ b/whitechapel/vendor/google/cbd.te @@ -46,6 +46,7 @@ allow cbd modem_userdata_file:file create_file_perms; # Allow cbd to access modem image file/dir allow cbd modem_img_file:dir r_dir_perms; allow cbd modem_img_file:file r_file_perms; +allow cbd modem_img_file:lnk_file r_file_perms; # Allow cbd to collect crash info allow cbd sscoredump_vendor_data_crashinfo_file:dir create_dir_perms; diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 5776174b..efe9e8d1 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te 
@@ -110,12 +110,14 @@ type rild_vendor_data_file, file_type, data_file_type; # Modem type modem_stat_data_file, file_type, data_file_type; type modem_efs_file, file_type; -type modem_img_file, file_type; type modem_userdata_file, file_type; type sysfs_modem, sysfs_type, fs_type; type persist_modem_file, file_type, vendor_persist_type; +type modem_img_file, contextmount_type, file_type, vendor_file_type; +allow modem_img_file self:filesystem associate; + # Wireless type sysfs_wlc, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/init.te b/whitechapel/vendor/google/init.te index a703c47a..b83d9be7 100644 --- a/whitechapel/vendor/google/init.te +++ b/whitechapel/vendor/google/init.te @@ -7,6 +7,9 @@ allow init custom_ab_block_device:lnk_file relabelto; # after loading sepolicy in the second stage. allow init boot_block_device:lnk_file relabelto; +allow init modem_img_file:dir mounton; +allow init modem_img_file:filesystem { getattr mount relabelfrom }; + allow init persist_file:dir mounton; allow init modem_efs_file:dir mounton; allow init modem_userdata_file:dir mounton; diff --git a/whitechapel/vendor/google/rfsd.te b/whitechapel/vendor/google/rfsd.te index df395cb4..212b6700 100644 --- a/whitechapel/vendor/google/rfsd.te +++ b/whitechapel/vendor/google/rfsd.te @@ -30,3 +30,8 @@ allow rfsd radio_device:chr_file rw_file_perms; # Allow to set rild and modem property set_prop(rfsd, vendor_modem_prop) set_prop(rfsd, vendor_rild_prop) + +# Allow rfsd to access modem image file/dir +allow rfsd modem_img_file:dir r_dir_perms; +allow rfsd modem_img_file:file r_file_perms; +allow rfsd modem_img_file:lnk_file r_file_perms; \ No newline at end of file diff --git a/whitechapel/vendor/google/rild.te b/whitechapel/vendor/google/rild.te index a45d2b5f..edaa026b 100644 --- a/whitechapel/vendor/google/rild.te +++ b/whitechapel/vendor/google/rild.te 
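Review bot: The re-declared `modem_img_file` in file.te has no comment explaining its two additions, `contextmount_type` and `allow modem_img_file self:filesystem associate;`, and it has moved out of the `# Modem` group to sit after `persist_modem_file`. Presumably the modem image is now mounted with a `context=` option, which is what these lines and the `filesystem { getattr mount relabelfrom }` rule in the init.te hunk would serve. A comment such as `# Modem image partition, labelled through a context= mount option` above the type would record that. It is also worth confirming that `vendor_file_type` is intended for a partition that is mounted rather than shipped under /vendor.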
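Review bot: The three rules added to rfsd.te, and the same three in the rild.te hunk that follows, spell out what the `r_dir_file` macro already provides; `r_dir_file(rfsd, modem_img_file)` and `r_dir_file(rild, modem_img_file)` grant the same dir, file and lnk_file read access in one line each. The rfsd.te addition also leaves the file without a final newline (`\ No newline at end of file`), so a rule appended later risks being joined to the last line.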
@@ -26,3 +26,8 @@ binder_call(rild, modem_svc_sit) # for hal service add_hwservice(rild, hal_exynos_rild_hwservice) allow rild hal_audio_ext_hwservice:hwservice_manager find; + +# Allow rild to access files on modem img. +allow rild modem_img_file:dir r_dir_perms; +allow rild modem_img_file:file r_file_perms; +allow rild modem_img_file:lnk_file r_file_perms; From ebd2a245969a5a1e076b9449cdf4d1107d906e38 Mon Sep 17 00:00:00 2001 
From: linpeter Date: Thu, 11 Mar 2021 17:33:45 +0800 Subject: [PATCH 031/921] Add atc sysfs permission for composer service avc: denied { read write } for name="en" dev="sysfs" ino=66979 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 avc: denied { open } for path="/sys/devices/platform/1c300000.drmdecon/dqe/atc/en" dev="sysfs" ino=66979 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 avc: denied { getattr } for path="/sys/devices/platform/1c300000.drmdecon/dqe/atc/en" dev="sysfs" ino=66979 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 avc: denied { read write } for name="gain_limit" dev="sysfs" ino=66998 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 avc: denied { open } for path="/sys/devices/platform/1c300000.drmdecon/dqe/atc/gain_limit" dev="sysfs" ino=66998 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 avc: denied { getattr } for path="/sys/devices/platform/1c300000.drmdecon/dqe/atc/gain_limit" dev="sysfs" ino=66998 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 avc: denied { read write } for name="st" dev="sysfs" ino=66982 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 avc: denied { open } for path="/sys/devices/platform/1c300000.drmdecon/dqe/atc/st" dev="sysfs" ino=66982 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 avc: denied { getattr } for path="/sys/devices/platform/1c300000.drmdecon/dqe/atc/st" dev="sysfs" ino=66982 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 Bug: 168848203 test: test: check avc denied Change-Id: I48dd839e0ca6f3eb16e35f1b7a4d5f6d4a1fd88b --- 
display/gs101/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/display/gs101/genfs_contexts b/display/gs101/genfs_contexts index 1bc6f30a..cc8eba70 100644 --- a/display/gs101/genfs_contexts +++ b/display/gs101/genfs_contexts @@ -9,3 +9,5 @@ genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_numb genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2D0000/panel@0/compatible u:object_r:sysfs_display:s0 genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 + +genfscon sysfs /devices/platform/1c300000.drmdecon/dqe/atc u:object_r:sysfs_display:s0 From 82376e2d4999adff1a219769bf8eab93dcbb21e4 Mon Sep 17 00:00:00 2001 From: Sung-fang Tsai Date: Thu, 11 Mar 2021 08:36:40 +0000 Subject: [PATCH 032/921] Mark lib_aion_buffer and related library as same_process_hal_file To allow access by Google Camera App, which needs this for vendor-specific buffer management functionality to enable zero-copy camera RAW->GPU buffer handling. Test: GCA works with forrest build P20546991. Bug: 159839616 Change-Id: I71bdcd12f17013881d7a5da2f11e444f0d3b4f94 --- whitechapel/vendor/google/file_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 68bcf67f..5bcada6a 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -172,6 +172,8 @@ /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 /data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0 +/vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0 + /dev/lwis-act0 u:object_r:lwis_device:s0 /dev/lwis-act1 u:object_r:lwis_device:s0 From bfa18a7b2a4333dd143044102a3745b2e1791154 Mon Sep 17 00:00:00 2001 
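Review bot: The new `lib_aion_buffer\.so` entry in file_contexts is labelled `same_process_hal_file`, which makes the library loadable inside application processes, yet the line has no comment and sits unannounced in the camera block. The subject speaks of "lib_aion_buffer and related library", but only this one path is added; any vendor library it links against needs a label the app may load as well, unless it already has one, so that is worth checking. A comment such as `# Loaded in-process by the camera app for zero-copy RAW buffers (b/159839616)` would record why the wider label was chosen.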
From: Benjamin Schwartz Date: Thu, 11 Mar 2021 14:06:52 -0800 Subject: [PATCH 033/921] whitechapel: Correct acpm_stats path Bug: 182320246 Test: dumpsys android.hardware.power.stats.IPowerStats/default Change-Id: I7a67b31e28f34d606cfab369b9e982e9fffe3b3f --- whitechapel/vendor/google/genfs_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index d01b107d..096e780e 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -155,7 +155,7 @@ genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup/wakeup genfscon sysfs /class/sscoredump/level u:object_r:sscoredump_sysfs_level:s0 # ACPM -genfscon sysfs /devices/platform/1742048c.acpm_stats u:object_r:sysfs_acpm_stats:s0 +genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0 genfscon sysfs /devices/platform/10d40000.spi/spi_master u:object_r:sysfs_spi:s0 From 2ed30c23e3e32251cc0fc6bea6752541202c4300 Mon Sep 17 00:00:00 2001 From: Vova Sharaienko Date: Fri, 12 Mar 2021 01:12:21 +0000 Subject: [PATCH 034/921] Stats: new sepolicy for the AIDL service This allows the pixelstats_vendor communicate with new AIDL IStats service via ServiceManager Bug: 181914749 Test: Build, flash, and logcat -s "pixelstats_vendor" Change-Id: Icf1bbbd7f72835fe8f9c2f23281a2f5b4bf8e698 --- tracking_denials/pixelstats_vendor.te | 4 ---- whitechapel/vendor/google/pixelstats_vendor.te | 2 ++ 2 files changed, 2 insertions(+), 4 deletions(-) delete mode 100644 tracking_denials/pixelstats_vendor.te diff --git a/tracking_denials/pixelstats_vendor.te b/tracking_denials/pixelstats_vendor.te deleted file mode 100644 index 4eb0f6d0..00000000 --- a/tracking_denials/pixelstats_vendor.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/181914749 -dontaudit pixelstats_vendor servicemanager:binder { call }; -# b/181915066 -dontaudit pixelstats_vendor servicemanager:binder { call }; 
diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te index 23ae03d5..c4c1c275 100644 --- a/whitechapel/vendor/google/pixelstats_vendor.te +++ b/whitechapel/vendor/google/pixelstats_vendor.te @@ -11,5 +11,7 @@ hwbinder_use(pixelstats_vendor) allow pixelstats_vendor fwk_stats_hwservice:hwservice_manager find; binder_call(pixelstats_vendor, stats_service_server) +binder_use(pixelstats_vendor); +allow pixelstats_vendor fwk_stats_service:service_manager find; allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms; From b52121a259a1cc8bd652233abefb5d6d770b2568 Mon Sep 17 00:00:00 2001 
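Review bot: The added `binder_use(pixelstats_vendor);` ends in a semicolon, unlike the macro calls around it in the same file (`hwbinder_use(pixelstats_vendor)`, `binder_call(pixelstats_vendor, stats_service_server)`); write it as `binder_use(pixelstats_vendor)`. The two new lines would also read better under a short comment, for example `# AIDL IStats service`, to set them apart from the `fwk_stats_hwservice` rule above them.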
From: wenchangliu Date: Thu, 11 Mar 2021 22:34:13 +0800 Subject: [PATCH 035/921] Add sepolicy for MFC device - Add sysfs_video type for mfc device - Allow mediacode to access sysfs_video avc: denied { read } for name="name" dev="sysfs" ino=62278 \ scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \ tclass=file permissive=1 avc: denied { open } for path="/sys/devices/platform/mfc/video4linux/video7/name" \ dev="sysfs" ino=62278 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \ tclass=file permissive=1 avc: denied { getattr } for path="/sys/devices/platform/mfc/video4linux/video7/name" \ dev="sysfs" ino=62278 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \ tclass=file permissive=1 avc: denied { read } for name="name" dev="sysfs" ino=62230 \ scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \ tclass=file permissive=1 avc: denied { open } for path="/sys/devices/platform/mfc/video4linux/video6/name" \ dev="sysfs" ino=62230 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \ tclass=file permissive=1 avc: denied { getattr } for path="/sys/devices/platform/mfc/video4linux/video6/name" \ dev="sysfs" ino=62230 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \ tclass=file permissive=1 Bug: 172173484 Test: video playback / camera recording with enforcing mode Change-Id: Id7f43fe11c9ed089067f43a50d7f765df873d6c6 --- tracking_denials/mediacodec.te | 7 ------- whitechapel/vendor/google/file.te | 3 +++ whitechapel/vendor/google/file_contexts | 4 ++++ whitechapel/vendor/google/mediacodec.te | 1 + 4 files changed, 8 insertions(+), 7 deletions(-) delete mode 100644 tracking_denials/mediacodec.te diff --git a/tracking_denials/mediacodec.te b/tracking_denials/mediacodec.te deleted file mode 100644 index d4a74b8a..00000000 --- a/tracking_denials/mediacodec.te +++ /dev/null 
@@ -1,7 +0,0 @@ -# b/172173484 -dontaudit mediacodec sysfs:file { getattr }; -dontaudit mediacodec sysfs:file { open }; -dontaudit mediacodec sysfs:file { read }; -userdebug_or_eng(` - permissive mediacodec; -') diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 5776174b..eafc7a48 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -177,3 +177,6 @@ type sysfs_memory, sysfs_type, fs_type; # bcmdhd (Broadcom FullMAC wireless cards support) type sysfs_bcmdhd, sysfs_type, fs_type; + +# Video +type sysfs_video, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 68bcf67f..8a7d5906 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -401,3 +401,7 @@ # video system DMA-BUF heap /dev/dma_heap/video_system u:object_r:dmabuf_system_heap_device:s0 /dev/dma_heap/video_system-uncached u:object_r:dmabuf_system_heap_device:s0 + +# Video sysfs files +/sys/devices/platform/mfc/video4linux/video6/name u:object_r:sysfs_video:s0 +/sys/devices/platform/mfc/video4linux/video7/name u:object_r:sysfs_video:s0 diff --git a/whitechapel/vendor/google/mediacodec.te b/whitechapel/vendor/google/mediacodec.te index d3b108f6..2264eac9 100644 --- a/whitechapel/vendor/google/mediacodec.te +++ b/whitechapel/vendor/google/mediacodec.te @@ -4,3 +4,4 @@ userdebug_or_eng(` add_service(mediacodec, eco_service) allow mediacodec hal_camera_default:binder call; +allow mediacodec sysfs_video:file r_file_perms; From f98706e87b021353b38bbeebbd63edd431e4c568 Mon Sep 17 00:00:00 2001 
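Review bot: The two `/sys/devices/platform/mfc/video4linux/video6/name` and `video7/name` labels are added to file_contexts, whereas the other sysfs labels in this series are `genfscon` lines in genfs_contexts. A file_contexts entry on sysfs only takes effect once something runs restorecon on that path, so the label may not be in place when mediacodec opens the node. `genfscon sysfs /devices/platform/mfc/video4linux/video6/name u:object_r:sysfs_video:s0` (and the same for video7) avoids that dependency. The hard-coded video6/video7 indices also look fragile if the V4L2 node numbering changes, which the hunk gives no way to judge.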
From: wenchangliu Date: Thu, 11 Mar 2021 22:52:45 +0800 Subject: [PATCH 036/921] Add sepolicy for BigOcean device add /dev/bigocean to video_device avc: denied { read write } for name="bigocean" dev="tmpfs" ino=629 \ scontext=u:r:mediacodec:s0 tcontext=u:object_r:device:s0 \ tclass=chr_file permissive=1 avc: denied { open } for path="/dev/bigocean" dev="tmpfs" ino=629 \ scontext=u:r:mediacodec:s0 tcontext=u:object_r:device:s0 \ tclass=chr_file permissive=1 avc: denied { ioctl } for path="/dev/bigocean" dev="tmpfs" ino=629 \ ioctlcmd=0x4202 scontext=u:r:mediacodec:s0 tcontext=u:object_r:device:s0 \ tclass=chr_file permissive=1 avc: denied { ioctl } for comm=436F646563322E30204C6F6F706572 path="/dev/bigocean" \ dev="tmpfs" ino=629 ioctlcmd=0x4202 scontext=u:r:mediacodec:s0 \ tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 Bug: 172173484 Test: Play AV1 clips in enforcing mode Change-Id: Ie0ed96d7bf4324bd38a9c42500f4f747f092bfd9 --- whitechapel/vendor/google/file_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 8a7d5906..da3ee7b0 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -405,3 +405,6 @@ # Video sysfs files /sys/devices/platform/mfc/video4linux/video6/name u:object_r:sysfs_video:s0 /sys/devices/platform/mfc/video4linux/video7/name u:object_r:sysfs_video:s0 + +# BigOcean +/dev/bigocean u:object_r:video_device:s0 From 526da2f9b152ea894efb4aedd545a815c21b43ea Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Fri, 12 Mar 2021 11:18:10 +0800 Subject: [PATCH 037/921] update error on ROM 7202683 Bug: 182524105 Bug: 182523946 Bug: 182524202 Bug: 182524203 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I4c97960d106a74cbe2ba819671612514d4cba282 --- tracking_denials/hal_neuralnetworks_darwinn.te | 11 +++++++++++ tracking_denials/hal_sensors_default.te | 4 ++++ tracking_denials/init.te | 2 ++ tracking_denials/installd.te | 4 ++++ 4 files changed, 21 insertions(+) create mode 100644 tracking_denials/hal_neuralnetworks_darwinn.te create mode 100644 tracking_denials/installd.te diff --git a/tracking_denials/hal_neuralnetworks_darwinn.te b/tracking_denials/hal_neuralnetworks_darwinn.te new file mode 100644 index 00000000..52568fc6 --- /dev/null +++ b/tracking_denials/hal_neuralnetworks_darwinn.te @@ -0,0 +1,11 @@ +# b/182524105 +dontaudit hal_neuralnetworks_darwinn tmpfs:file { open }; +dontaudit hal_neuralnetworks_darwinn tmpfs:file { write }; +dontaudit hal_neuralnetworks_darwinn tmpfs:file { map }; +dontaudit hal_neuralnetworks_darwinn tmpfs:file { write }; +dontaudit hal_neuralnetworks_darwinn tmpfs:file { read }; +dontaudit hal_neuralnetworks_darwinn tmpfs:file { open }; +dontaudit hal_neuralnetworks_darwinn tmpfs:file { map }; +dontaudit hal_neuralnetworks_darwinn tmpfs:file { read }; +dontaudit hal_neuralnetworks_darwinn tmpfs:file { read }; +dontaudit hal_neuralnetworks_darwinn tmpfs:file { read }; diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te index c52d7136..b3331836 100644 --- a/tracking_denials/hal_sensors_default.te +++ b/tracking_denials/hal_sensors_default.te 
@@ -53,3 +53,7 @@ dontaudit hal_sensors_default device:dir { read }; dontaudit hal_sensors_default device:dir { watch }; dontaudit hal_sensors_default servicemanager:binder { transfer }; dontaudit hal_sensors_default aoc_device:chr_file { open }; +# b/182523946 +dontaudit hal_sensors_default chre_socket:sock_file { write }; +dontaudit hal_sensors_default chre:unix_stream_socket { connectto }; +dontaudit hal_sensors_default chre:unix_stream_socket { connectto }; diff --git a/tracking_denials/init.te b/tracking_denials/init.te index 4371b751..29744e9a 100644 --- a/tracking_denials/init.te +++ b/tracking_denials/init.te @@ -17,3 +17,5 @@ dontaudit init device:chr_file { read write }; # b/180963348 dontaudit init overlayfs_file:chr_file { unlink }; dontaudit init overlayfs_file:file { rename }; +# b/182524202 +dontaudit init mnt_vendor_file:dir { mounton }; diff --git a/tracking_denials/installd.te b/tracking_denials/installd.te new file mode 100644 index 00000000..9ef8051f --- /dev/null +++ b/tracking_denials/installd.te @@ -0,0 +1,4 @@ +# b/182524203 +dontaudit installd modem_img_file:filesystem { quotaget }; +dontaudit installd modem_img_file:filesystem { quotaget }; +dontaudit installd modem_img_file:filesystem { quotaget }; From 9e582d4bc39d4c5117a22b6619323868c672eb7b Mon Sep 17 00:00:00 2001 From: andychou Date: Fri, 12 Mar 2021 11:41:24 +0800 Subject: [PATCH 038/921] Fix cuttlefish test fail due to sepolicy of Exo Need to grant gpu_device dir search permission and device_config_runtime_native_boot_prop for testing. Bug: 182445508 Test: atest ExoTests pass on Cuttlefish Change-Id: Ia4c27efa2a900a3781301de19ab38209f818aba1 --- ambient/exo_app.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ambient/exo_app.te b/ambient/exo_app.te index a901a197..941f09ae 100644 --- a/ambient/exo_app.te +++ b/ambient/exo_app.te 
@@ -10,5 +10,8 @@ allow exo_app mediaserver_service:service_manager find; allow exo_app radio_service:service_manager find; allow exo_app fwk_stats_hwservice:hwservice_manager find; allow exo_app mediametrics_service:service_manager find; +allow exo_app gpu_device:dir search; binder_call(exo_app, statsd) + +get_prop(exo_app, device_config_runtime_native_boot_prop) From fdeedcba656e3ffab2c11043c5c1a1055e886201 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 12 Mar 2021 12:53:38 +0800 Subject: [PATCH 039/921] allow init to mount modem_img Bug: 182524202 Bug: 182524203 Test: modem_img is mounted under enforcing mode Change-Id: Ie5448468d4d7f1ad6acdd2c93055bba9001185d1 --- tracking_denials/init.te | 4 ---- tracking_denials/installd.te | 4 ---- whitechapel/vendor/google/init.te | 1 + whitechapel/vendor/google/installd.te | 1 + 4 files changed, 2 insertions(+), 8 deletions(-) delete mode 100644 tracking_denials/installd.te create mode 100644 whitechapel/vendor/google/installd.te diff --git a/tracking_denials/init.te b/tracking_denials/init.te index 29744e9a..065cdd61 100644 --- a/tracking_denials/init.te +++ b/tracking_denials/init.te @@ -7,15 +7,11 @@ dontaudit init sysfs:file { setattr }; dontaudit init sysfs:file { write }; # b/178979985 dontaudit init device:chr_file { ioctl }; -dontaudit init modem_img_file:dir { mounton }; dontaudit init device:chr_file { open }; dontaudit init device:chr_file { read write }; -dontaudit init modem_img_file:dir { mounton }; dontaudit init device:chr_file { ioctl }; dontaudit init device:chr_file { open }; dontaudit init device:chr_file { read write }; # b/180963348 dontaudit init overlayfs_file:chr_file { unlink }; dontaudit init overlayfs_file:file { rename }; -# b/182524202 -dontaudit init mnt_vendor_file:dir { mounton }; diff --git a/tracking_denials/installd.te b/tracking_denials/installd.te deleted file mode 100644 index 9ef8051f..00000000 --- a/tracking_denials/installd.te +++ /dev/null 
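Review bot: The added `allow exo_app gpu_device:dir search;` and `get_prop(exo_app, device_config_runtime_native_boot_prop)` are described in the commit message as needed for testing on Cuttlefish, but they are granted unconditionally and carry no comment. If only the test setup needs them, say so next to the rules, e.g. `# Needed by ExoTests on Cuttlefish (b/182445508)`, so a later audit can tell them from permissions the shipped app relies on.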
@@ -1,4 +0,0 @@ -# b/182524203 -dontaudit installd modem_img_file:filesystem { quotaget }; -dontaudit installd modem_img_file:filesystem { quotaget }; -dontaudit installd modem_img_file:filesystem { quotaget }; diff --git a/whitechapel/vendor/google/init.te b/whitechapel/vendor/google/init.te index b83d9be7..9cf7d73f 100644 --- a/whitechapel/vendor/google/init.te +++ b/whitechapel/vendor/google/init.te @@ -8,6 +8,7 @@ allow init custom_ab_block_device:lnk_file relabelto; allow init boot_block_device:lnk_file relabelto; allow init modem_img_file:dir mounton; +allow init mnt_vendor_file:dir mounton; allow init modem_img_file:filesystem { getattr mount relabelfrom }; allow init persist_file:dir mounton; diff --git a/whitechapel/vendor/google/installd.te b/whitechapel/vendor/google/installd.te new file mode 100644 index 00000000..44e74c63 --- /dev/null +++ b/whitechapel/vendor/google/installd.te @@ -0,0 +1 @@ +dontaudit installd modem_img_file:filesystem quotaget; From 36e82d438a18d1a45652c9c347333b2e645cc754 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 15 Mar 2021 09:26:46 +0800 Subject: [PATCH 040/921] update error on ROM 7207833 Bug: 182706078 Bug: 182705863 Bug: 182705986 Bug: 182705901 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I37728b3b475998668f37d50a70ce980eeff70a63 --- tracking_denials/edgetpu_server.te | 9 +++++++++ tracking_denials/gmscore_app.te | 3 +++ tracking_denials/hal_bootctl_default.te | 3 +++ tracking_denials/hal_camera_default.te | 14 ++++++++++++++ 4 files changed, 29 insertions(+) create mode 100644 tracking_denials/edgetpu_server.te create mode 100644 tracking_denials/hal_bootctl_default.te diff --git a/tracking_denials/edgetpu_server.te b/tracking_denials/edgetpu_server.te new file mode 100644 index 00000000..61a19774 --- /dev/null +++ b/tracking_denials/edgetpu_server.te 
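Review bot: The new whitechapel/vendor/google/installd.te consists of a single `dontaudit installd modem_img_file:filesystem quotaget;` with no comment, and unlike the tracking_denials file it replaces it no longer carries the bug number. A permanent dontaudit hides the denial from later debugging, so it should state why the denial is expected, e.g. `# b/182524203: quota queries on the modem image mount are expected to be denied`, assuming that is the intent.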
@@ -0,0 +1,9 @@
+# b/182706078
+dontaudit edgetpu_server tmpfs:file { getattr };
+dontaudit edgetpu_server tmpfs:file { getattr };
+dontaudit edgetpu_server tmpfs:file { map };
+dontaudit edgetpu_server tmpfs:file { read write };
+dontaudit edgetpu_server hal_camera_default:fd { use };
+dontaudit edgetpu_server hal_camera_default:fd { use };
+dontaudit edgetpu_server tmpfs:file { read write };
+dontaudit edgetpu_server tmpfs:file { map };
diff --git a/tracking_denials/gmscore_app.te b/tracking_denials/gmscore_app.te
index 2ace5b71..3a274f4b 100644
--- a/tracking_denials/gmscore_app.te
+++ b/tracking_denials/gmscore_app.te
@@ -65,3 +65,6 @@ dontaudit gmscore_app bpf_progs_loaded_prop:file { getattr };
 dontaudit gmscore_app bpf_progs_loaded_prop:file { open };
 # b/180960879
 dontaudit gmscore_app property_type:file *;
+# b/182705863
+dontaudit gmscore_app modem_img_file:filesystem { getattr };
+dontaudit gmscore_app modem_img_file:filesystem { getattr };
diff --git a/tracking_denials/hal_bootctl_default.te b/tracking_denials/hal_bootctl_default.te
new file mode 100644
index 00000000..27271c57
--- /dev/null
+++ b/tracking_denials/hal_bootctl_default.te
@@ -0,0 +1,3 @@
+# b/182705986
+dontaudit hal_bootctl_default devinfo_block_device:blk_file { open };
+dontaudit hal_bootctl_default devinfo_block_device:blk_file { read };
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
index 18ae1337..a4c93a04 100644
--- a/tracking_denials/hal_camera_default.te
+++ b/tracking_denials/hal_camera_default.te
@@ -13,3 +13,17 @@ dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { open }; dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { ioctl }; dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { open }; dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { ioctl }; +# b/182705901 +dontaudit hal_camera_default tmpfs:file { getattr }; +dontaudit hal_camera_default tmpfs:file { read }; +dontaudit hal_camera_default edgetpu_server:binder { call }; +dontaudit hal_camera_default tmpfs:file { write }; +dontaudit hal_camera_default tmpfs:file { map }; +dontaudit hal_camera_default tmpfs:file { read }; +dontaudit hal_camera_default tmpfs:file { getattr }; +dontaudit hal_camera_default tmpfs:file { map }; +dontaudit hal_camera_default tmpfs:file { write }; +dontaudit hal_camera_default edgetpu_server:binder { call }; +dontaudit hal_camera_default edgetpu_service:service_manager { find }; +dontaudit hal_camera_default edgetpu_server:fd { use }; +dontaudit hal_camera_default edgetpu_server:fd { use }; From 45e33146f1c9ccbe01b17f5b26e079e11df52157 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 15 Mar 2021 09:41:48 +0800 Subject: [PATCH 041/921] Allow bluetooth hal to get boot status [ 5.299448] type=1400 audit(1615772363.892:3): avc: denied { read } for comm="bluetooth@1.1-s" name="u:object_r:boot_status_prop:s0" dev="tmpfs" ino=81 scontext=u:r:hal_bluetooth_btlinux:s0 tcontext=u:object_r:boot_status_prop:s0 tclass=file permissive=1 Bug: 171942789 Test: boot and see such log no longer appear Change-Id: Ib27585183be1ba9913b5f0620d987f26fad663e0 --- whitechapel/vendor/google/hal_bluetooth_btlinux.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/hal_bluetooth_btlinux.te b/whitechapel/vendor/google/hal_bluetooth_btlinux.te index f7096836..3299ffe8 100644 --- a/whitechapel/vendor/google/hal_bluetooth_btlinux.te +++ b/whitechapel/vendor/google/hal_bluetooth_btlinux.te 
@@ -1,4 +1,5 @@ add_hwservice(hal_bluetooth_btlinux, hal_bluetooth_coexistence_hwservice); +get_prop(hal_bluetooth_btlinux, boot_status_prop) allow hal_bluetooth_btlinux sysfs_bluetooth_writable:file rw_file_perms; allow hal_bluetooth_btlinux proc_bluetooth_writable:file rw_file_perms; From cf9666369003a130eab4bfeb79118a239f07eba6 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 15 Mar 2021 10:21:24 +0800 Subject: [PATCH 042/921] label power.stats-vendor properly Bug: 182320246 Test: boot with power.stats-vendor labeled Change-Id: Icc3ff763be1a23e8f3e9d1ed076fcb5c74401abe --- tracking_denials/hal_bluetooth_btlinux.te | 2 -- tracking_denials/hal_power_stats_default.te | 2 -- 2 files changed, 4 deletions(-) delete mode 100644 tracking_denials/hal_bluetooth_btlinux.te diff --git a/tracking_denials/hal_bluetooth_btlinux.te b/tracking_denials/hal_bluetooth_btlinux.te deleted file mode 100644 index 7a2c4f88..00000000 --- a/tracking_denials/hal_bluetooth_btlinux.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/182320300 -dontaudit hal_bluetooth_btlinux default_android_service:service_manager { find }; diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te index a3e7430e..866c5176 100644 --- a/tracking_denials/hal_power_stats_default.te +++ b/tracking_denials/hal_power_stats_default.te @@ -10,5 +10,3 @@ dontaudit hal_power_stats_default sysfs:dir { open }; dontaudit hal_power_stats_default sysfs:file { read }; dontaudit hal_power_stats_default sysfs:file { open }; dontaudit hal_power_stats_default sysfs:file { open }; -# b/182320246 -dontaudit hal_power_stats_default default_android_service:service_manager { add }; From 0218941cb86c12e1a97faa8ff4e3f436342ac917 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Mon, 15 Mar 2021 11:00:41 +0800 Subject: [PATCH 043/921] allow df to collect partition info Bug: 179310854 Test: do bugreport and the error disappear Change-Id: I9fdcbb27742a70f3b796c668c3e0d4688d36b4d8 --- tracking_denials/dumpstate.te | 38 +++----------------------- whitechapel/vendor/google/dumpstate.te | 5 ++++ 2 files changed, 9 insertions(+), 34 deletions(-) diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index 6c6d8ec7..1f3ef62e 100644 --- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te 
@@ -1,35 +1,5 @@
-# ag/13067824
-dontaudit dumpstate fuse:dir r_dir_perms;
-# b/174618507
-dontaudit dumpstate default_android_service:service_manager { find };
-dontaudit dumpstate vold:binder { call };
-dontaudit dumpstate modem_userdata_file:dir { getattr };
-dontaudit dumpstate modem_efs_file:dir { getattr };
-dontaudit dumpstate vold:binder { call };
-dontaudit dumpstate modem_userdata_file:dir { getattr };
-dontaudit dumpstate hal_drm_clearkey:process { signal };
-dontaudit dumpstate hal_drm_clearkey:process { signal };
-dontaudit dumpstate modem_efs_file:dir { getattr };
-# b/177778645
-dontaudit dumpstate ramdump_vendor_mnt_file:filesystem { getattr };
-dontaudit dumpstate ramdump_vendor_mnt_file:filesystem { getattr };
-dontaudit dumpstate ramdump_vendor_mnt_file:dir { getattr };
-dontaudit dumpstate ramdump_vendor_mnt_file:dir { getattr };
-# b/177860804
-dontaudit dumpstate incident:process { sigkill };
-dontaudit dumpstate incident:process { signal };
-dontaudit dumpstate incident:process { sigkill };
-dontaudit dumpstate incident:process { signal };
 # b/179310854
-dontaudit dumpstate unlabeled:dir { getattr };
-dontaudit dumpstate unlabeled:dir { getattr };
-# b/180963249
-dontaudit dumpstate hal_neuralnetworks_armnn:process { signal };
-dontaudit dumpstate hal_neuralnetworks_armnn:process { signal };
-# b/181915316
-dontaudit dumpstate vendor_dmabuf_debugfs:file { read };
-dontaudit dumpstate vendor_dmabuf_debugfs:file { open };
-dontaudit dumpstate vendor_dmabuf_debugfs:file { getattr };
-dontaudit dumpstate vendor_dmabuf_debugfs:file { getattr };
-dontaudit dumpstate vendor_dmabuf_debugfs:file { read };
-dontaudit dumpstate vendor_dmabuf_debugfs:file { open };
+dontaudit dumpstate hal_neuralnetworks_armnn:process signal;
+dontaudit dumpstate hal_power_stats_vendor_service:service_manager find;
+dontaudit dumpstate vendor_dmabuf_debugfs:file { getattr open read };
+dontaudit dumpstate vold:binder call;
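Review bot: The four `dontaudit` lines kept on the new side of tracking_denials/dumpstate.te all sit under the single surviving `# b/179310854` comment, which is the df bug this commit fixes, so their real tracking bugs can no longer be read from the file. The removed side shows `hal_neuralnetworks_armnn:process signal` came from b/180963249, `vendor_dmabuf_debugfs` from b/181915316 and `vold:binder call` from b/174618507, while `hal_power_stats_vendor_service:service_manager find` is new and carries no bug reference at all. Because a `dontaudit` keeps the denial out of the audit log, each rule should keep the bug that justifies it, e.g. `# b/180963249` above the armnn line, and the stale `# b/179310854` header should be dropped.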
diff --git a/whitechapel/vendor/google/dumpstate.te b/whitechapel/vendor/google/dumpstate.te index fb325056..462492cc 100644 --- a/whitechapel/vendor/google/dumpstate.te +++ b/whitechapel/vendor/google/dumpstate.te @@ -2,3 +2,8 @@ dump_hal(hal_telephony) allow dumpstate sysfs_scsi_devices_0000:file r_file_perms; allow dumpstate persist_file:dir r_dir_perms; + +allow dumpstate modem_efs_file:dir getattr; +allow dumpstate modem_img_file:dir getattr; +allow dumpstate modem_userdata_file:dir getattr; +allow dumpstate fuse:dir search; From abfa9355ee5674554e72b332175d98e6ec0f8a40 Mon Sep 17 00:00:00 2001 
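Review bot: `allow dumpstate fuse:dir search;` is a different kind of grant from the three `getattr` rules beside it, and nothing in the hunk says why df needs it; the rule it replaces in tracking_denials was a blanket `dontaudit` on `fuse:dir r_dir_perms`, so the permission that was actually denied is not visible here. If the denial was only a stat of the mount point, `allow dumpstate fuse:dir getattr;` would be the narrower grant, which is worth confirming against the AVC log. A one-line comment such as `# df in bugreport stats these mount points (b/179310854)` above the block would record the reason for all four rules.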
From: Alex Hong Date: Fri, 12 Mar 2021 01:02:23 +0800 Subject: [PATCH 044/921] Clean up the obsoleted dontaudit rules Verify with the ROM: go/ab/7203892 oriole-userdebug Test: $ make selinux_policy Push selinux modules. Check the denials during boot. $ pts-tradefed run commandAndExit pts -m PtsSELinuxTest -t com.google.android.selinux.pts.SELinuxTest#scanBugreport $ pts-tradefed run commandAndExit pts -m PtsSELinuxTest -t com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot Bug: 171760597 Bug: 171760846 Bug: 173969190 Bug: 174443175 Bug: 176777145 Bug: 176868315 Bug: 177386448 Bug: 177389321 Bug: 177614659 Bug: 177616188 Bug: 177778551 Bug: 177778793 Bug: 177860838 Bug: 177862403 Bug: 177862777 Bug: 177966144 Bug: 178433506 Bug: 178433618 Bug: 178753151 Bug: 178752409 Bug: 178979985 Bug: 178980142 Bug: 179093352 Bug: 179310875 Bug: 179435036 Bug: 179437293 Bug: 179437737 Bug: 180551518 Bug: 180567612 Bug: 180655373 Bug: 180656244 Bug: 180874342 Bug: 180963328 Bug: 180963587 Change-Id: I19e19e49d36e5635629c1e68c7d23a98c714ebcf --- tracking_denials/init-thermal-symlinks-sh.te | 9 -- tracking_denials/init.te | 14 -- tracking_denials/modem_logging_control.te | 13 -- tracking_denials/platform_app.te | 8 - tracking_denials/priv_app.te | 48 ------ tracking_denials/scd.te | 13 -- tracking_denials/sced.te | 6 - tracking_denials/shell.te | 5 - tracking_denials/system_app.te | 4 - tracking_denials/system_server.te | 2 - tracking_denials/trusty_apploader.te | 9 -- tracking_denials/untrusted_app_25.te | 149 ------------------- tracking_denials/vendor_init.te | 5 - 13 files changed, 285 deletions(-) delete mode 100644 tracking_denials/init-thermal-symlinks-sh.te delete mode 100644 tracking_denials/modem_logging_control.te delete mode 100644 tracking_denials/platform_app.te delete mode 100644 tracking_denials/scd.te delete mode 100644 tracking_denials/system_app.te delete mode 100644 tracking_denials/system_server.te delete mode 100644 
tracking_denials/trusty_apploader.te delete mode 100644 tracking_denials/untrusted_app_25.te diff --git a/tracking_denials/init-thermal-symlinks-sh.te b/tracking_denials/init-thermal-symlinks-sh.te deleted file mode 100644 index bfb04c06..00000000 --- a/tracking_denials/init-thermal-symlinks-sh.te +++ /dev/null @@ -1,9 +0,0 @@ -# b/177862403 -dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read }; -dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read }; -dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read }; -dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read }; -dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read }; -dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read }; -dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read }; -dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read }; diff --git a/tracking_denials/init.te b/tracking_denials/init.te index 065cdd61..27d6f882 100644 --- a/tracking_denials/init.te +++ b/tracking_denials/init.te @@ -1,17 +1,3 @@ -# b/177966144 -dontaudit init sysfs:file { open }; -dontaudit init sysfs:file { setattr }; -dontaudit init sysfs:file { open }; -dontaudit init sysfs:file { write }; -dontaudit init sysfs:file { setattr }; -dontaudit init sysfs:file { write }; -# b/178979985 -dontaudit init device:chr_file { ioctl }; -dontaudit init device:chr_file { open }; -dontaudit init device:chr_file { read write }; -dontaudit init device:chr_file { ioctl }; -dontaudit init device:chr_file { open }; -dontaudit init device:chr_file { read write }; # b/180963348 dontaudit init overlayfs_file:chr_file { unlink }; dontaudit init overlayfs_file:file { rename }; diff --git a/tracking_denials/modem_logging_control.te b/tracking_denials/modem_logging_control.te deleted file mode 100644 index e7b77922..00000000 --- a/tracking_denials/modem_logging_control.te +++ /dev/null 
@@ -1,13 +0,0 @@ -# b/176777145 -dontaudit modem_logging_control vendor_sys_default_prop:property_service set ; -# b/176851633 -dontaudit modem_logging_control vendor_sys_default_prop:file { read }; -dontaudit modem_logging_control vendor_sys_default_prop:file { read }; -dontaudit modem_logging_control vendor_sys_default_prop:file { open }; -dontaudit modem_logging_control vendor_sys_default_prop:file { getattr }; -dontaudit modem_logging_control vendor_sys_default_prop:file { map }; -dontaudit modem_logging_control vendor_sys_default_prop:file { open }; -dontaudit modem_logging_control vendor_sys_default_prop:file { getattr }; -dontaudit modem_logging_control vendor_sys_default_prop:file { map }; -# b/176868315 -dontaudit modem_logging_control vendor_sys_default_prop:property_service set ; diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te deleted file mode 100644 index 6e8841af..00000000 --- a/tracking_denials/platform_app.te +++ /dev/null @@ -1,8 +0,0 @@ -# b/178433506 -dontaudit platform_app property_type:file *; -# b/179093352 -dontaudit platform_app hal_wlc:binder { transfer }; -dontaudit platform_app hal_wlc:binder { call }; -dontaudit platform_app hal_wlc_hwservice:hwservice_manager { find }; -dontaudit platform_app hal_wlc:binder { call }; -dontaudit platform_app hal_wlc:binder { transfer }; diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te index 4eba31d3..56a2bbe9 100644 --- a/tracking_denials/priv_app.te +++ b/tracking_denials/priv_app.te 
@@ -1,51 +1,3 @@ -# b/180551518 -dontaudit priv_app apk_verity_prop:file { getattr }; -dontaudit priv_app audio_config_prop:file { getattr }; -dontaudit priv_app apexd_prop:file { open }; -dontaudit priv_app apexd_prop:file { getattr }; -dontaudit priv_app apexd_prop:file { map }; -dontaudit priv_app apk_verity_prop:file { open }; -dontaudit priv_app audio_config_prop:file { open }; -dontaudit priv_app apk_verity_prop:file { map }; -dontaudit priv_app apk_verity_prop:file { getattr }; -dontaudit priv_app apk_verity_prop:file { open }; -dontaudit priv_app apexd_prop:file { map }; -dontaudit priv_app apexd_prop:file { getattr }; -dontaudit priv_app apexd_prop:file { open }; -dontaudit priv_app apexd_prop:file { open }; -dontaudit priv_app apexd_prop:file { getattr }; -dontaudit priv_app apexd_prop:file { map }; -dontaudit priv_app apk_verity_prop:file { open }; -dontaudit priv_app apk_verity_prop:file { getattr }; -dontaudit priv_app apk_verity_prop:file { map }; -dontaudit priv_app audio_config_prop:file { open }; -dontaudit priv_app audio_config_prop:file { getattr }; -dontaudit priv_app apexd_prop:file { open }; -dontaudit priv_app apexd_prop:file { getattr }; -dontaudit priv_app apexd_prop:file { map }; -dontaudit priv_app apk_verity_prop:file { open }; -dontaudit priv_app apk_verity_prop:file { getattr }; -# b/180567612 -dontaudit priv_app audio_config_prop:file { map }; -dontaudit priv_app bluetooth_audio_hal_prop:file { getattr }; -dontaudit priv_app bluetooth_audio_hal_prop:file { map }; -dontaudit priv_app bluetooth_prop:file { open }; -dontaudit priv_app bluetooth_prop:file { getattr }; -dontaudit priv_app bluetooth_audio_hal_prop:file { open }; -dontaudit priv_app bluetooth_a2dp_offload_prop:file { map }; -dontaudit priv_app bluetooth_a2dp_offload_prop:file { getattr }; -dontaudit priv_app bluetooth_a2dp_offload_prop:file { open }; -dontaudit priv_app audio_config_prop:file { map }; -dontaudit priv_app bluetooth_a2dp_offload_prop:file { open }; -dontaudit 
priv_app bluetooth_a2dp_offload_prop:file { getattr }; -dontaudit priv_app bluetooth_a2dp_offload_prop:file { map }; -dontaudit priv_app bluetooth_audio_hal_prop:file { open }; -dontaudit priv_app bluetooth_audio_hal_prop:file { getattr }; -dontaudit priv_app bluetooth_audio_hal_prop:file { map }; -dontaudit priv_app bluetooth_prop:file { open }; -dontaudit priv_app bluetooth_prop:file { getattr }; -# b/180656244 -dontaudit priv_app property_type:file *; # b/180858511 dontaudit priv_app hal_neuralnetworks_armnn:binder { call }; dontaudit priv_app hal_neuralnetworks_armnn:binder { call }; diff --git a/tracking_denials/scd.te b/tracking_denials/scd.te deleted file mode 100644 index f66f49eb..00000000 --- a/tracking_denials/scd.te +++ /dev/null @@ -1,13 +0,0 @@ -# b/173969190 -dontaudit scd vendor_data_file:dir { write }; -dontaudit scd vendor_data_file:dir { add_name }; -dontaudit scd vendor_data_file:dir { write }; -dontaudit scd vendor_data_file:file { create }; -dontaudit scd vendor_data_file:file { lock }; -dontaudit scd vendor_data_file:file { create }; -dontaudit scd vendor_data_file:file { lock }; -dontaudit scd vendor_data_file:file { open }; -dontaudit scd vendor_data_file:file { write }; -dontaudit scd vendor_data_file:file { write }; -dontaudit scd vendor_data_file:file { open }; -dontaudit scd vendor_data_file:dir { add_name }; diff --git a/tracking_denials/sced.te b/tracking_denials/sced.te index fa8893fd..00243ca3 100644 --- a/tracking_denials/sced.te +++ b/tracking_denials/sced.te 
@@ -1,10 +1,4 @@ # b/171760846 -dontaudit sced hwservicemanager:binder { call }; dontaudit sced hidl_base_hwservice:hwservice_manager { add }; dontaudit sced hal_vendor_oem_hwservice:hwservice_manager { add }; dontaudit sced hal_vendor_oem_hwservice:hwservice_manager { find }; -dontaudit sced hwservicemanager_prop:file { read }; -dontaudit sced hwservicemanager_prop:file { open }; -dontaudit sced hwservicemanager:binder { transfer }; -dontaudit sced hwservicemanager_prop:file { map }; -dontaudit sced hwservicemanager_prop:file { getattr }; diff --git a/tracking_denials/shell.te b/tracking_denials/shell.te index 66ac4fb3..747394b1 100644 --- a/tracking_denials/shell.te +++ b/tracking_denials/shell.te @@ -1,7 +1,2 @@ # b/171760597 dontaudit shell property_type:file *; -# b/178979984 -dontaudit shell device:chr_file { ioctl }; -dontaudit shell device:chr_file { read write }; -dontaudit shell device:chr_file { read write }; -dontaudit shell device:chr_file { ioctl }; diff --git a/tracking_denials/system_app.te b/tracking_denials/system_app.te deleted file mode 100644 index 0dd274b6..00000000 --- a/tracking_denials/system_app.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/178433618 -dontaudit system_app property_type:file *; -# b/179435036 -dontaudit system_app default_android_service:service_manager { add }; diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te deleted file mode 100644 index d7e456ab..00000000 --- a/tracking_denials/system_server.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/178980142 -dontaudit system_server property_type:file *; diff --git a/tracking_denials/trusty_apploader.te b/tracking_denials/trusty_apploader.te deleted file mode 100644 index 0914a14f..00000000 --- a/tracking_denials/trusty_apploader.te +++ /dev/null 
@@ -1,9 +0,0 @@ -# b/180874342 -dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { read }; -dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { open }; -dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { ioctl }; -dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { read }; -dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { open }; -dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { ioctl }; -dontaudit trusty_apploader trusty_apploader:capability { dac_override }; -dontaudit trusty_apploader trusty_apploader:capability { dac_override }; diff --git a/tracking_denials/untrusted_app_25.te b/tracking_denials/untrusted_app_25.te deleted file mode 100644 index 3dcf4615..00000000 --- a/tracking_denials/untrusted_app_25.te +++ /dev/null 
@@ -1,149 +0,0 @@ -# b/177389321 -dontaudit untrusted_app_25 ab_update_gki_prop:file { map }; -dontaudit untrusted_app_25 aac_drc_prop:file { open }; -dontaudit untrusted_app_25 ab_update_gki_prop:file { getattr }; -dontaudit untrusted_app_25 ab_update_gki_prop:file { open }; -dontaudit untrusted_app_25 aac_drc_prop:file { map }; -dontaudit untrusted_app_25 aac_drc_prop:file { getattr }; -# b/177614659 -dontaudit untrusted_app_25 apk_verity_prop:file { open }; -dontaudit untrusted_app_25 apexd_prop:file { getattr }; -dontaudit untrusted_app_25 apexd_prop:file { open }; -dontaudit untrusted_app_25 apexd_prop:file { map }; -dontaudit untrusted_app_25 apk_verity_prop:file { map }; -dontaudit untrusted_app_25 audio_config_prop:file { open }; -dontaudit untrusted_app_25 audio_config_prop:file { getattr }; -dontaudit untrusted_app_25 audio_config_prop:file { map }; -dontaudit untrusted_app_25 apk_verity_prop:file { getattr }; -# b/177616188 -dontaudit untrusted_app_25 bluetooth_a2dp_offload_prop:file { open }; -dontaudit untrusted_app_25 bluetooth_a2dp_offload_prop:file { getattr }; -dontaudit untrusted_app_25 bluetooth_a2dp_offload_prop:file { map }; -dontaudit untrusted_app_25 bluetooth_audio_hal_prop:file { open }; -dontaudit untrusted_app_25 bluetooth_audio_hal_prop:file { getattr }; -dontaudit untrusted_app_25 bluetooth_audio_hal_prop:file { map }; -dontaudit untrusted_app_25 bluetooth_prop:file { open }; -dontaudit untrusted_app_25 bluetooth_prop:file { getattr }; -dontaudit untrusted_app_25 bluetooth_prop:file { map }; -# b/177778551 -dontaudit untrusted_app_25 boottime_public_prop:file { open }; -dontaudit untrusted_app_25 bootloader_boot_reason_prop:file { getattr }; -dontaudit untrusted_app_25 bootloader_boot_reason_prop:file { map }; -dontaudit untrusted_app_25 boottime_prop:file { open }; -dontaudit untrusted_app_25 boottime_prop:file { getattr }; -dontaudit untrusted_app_25 boottime_prop:file { map }; -dontaudit untrusted_app_25 
bootloader_boot_reason_prop:file { open }; -# b/177778793 -dontaudit untrusted_app_25 boottime_public_prop:file { getattr }; -dontaudit untrusted_app_25 boottime_public_prop:file { map }; -dontaudit untrusted_app_25 bpf_progs_loaded_prop:file { open }; -dontaudit untrusted_app_25 bpf_progs_loaded_prop:file { getattr }; -dontaudit untrusted_app_25 bpf_progs_loaded_prop:file { map }; -dontaudit untrusted_app_25 build_bootimage_prop:file { open }; -dontaudit untrusted_app_25 build_bootimage_prop:file { getattr }; -dontaudit untrusted_app_25 build_bootimage_prop:file { map }; -dontaudit untrusted_app_25 build_config_prop:file { open }; -# b/177860838 -dontaudit untrusted_app_25 charger_status_prop:file { open }; -dontaudit untrusted_app_25 charger_prop:file { map }; -dontaudit untrusted_app_25 charger_prop:file { getattr }; -dontaudit untrusted_app_25 charger_prop:file { open }; -dontaudit untrusted_app_25 charger_config_prop:file { map }; -dontaudit untrusted_app_25 charger_config_prop:file { getattr }; -dontaudit untrusted_app_25 build_config_prop:file { map }; -dontaudit untrusted_app_25 build_config_prop:file { getattr }; -dontaudit untrusted_app_25 charger_config_prop:file { open }; -# b/177862777 -dontaudit untrusted_app_25 charger_status_prop:file { getattr }; -dontaudit untrusted_app_25 charger_status_prop:file { map }; -dontaudit untrusted_app_25 cold_boot_done_prop:file { open }; -dontaudit untrusted_app_25 cold_boot_done_prop:file { getattr }; -dontaudit untrusted_app_25 cold_boot_done_prop:file { map }; -dontaudit untrusted_app_25 cpu_variant_prop:file { open }; -dontaudit untrusted_app_25 cpu_variant_prop:file { getattr }; -dontaudit untrusted_app_25 cpu_variant_prop:file { map }; -dontaudit untrusted_app_25 ctl_adbd_prop:file { open }; -# b/178752409 -dontaudit untrusted_app_25 ctl_adbd_prop:file { getattr }; -dontaudit untrusted_app_25 ctl_apexd_prop:file { open }; -dontaudit untrusted_app_25 ctl_adbd_prop:file { map }; -dontaudit untrusted_app_25 
ctl_apexd_prop:file { map }; -dontaudit untrusted_app_25 ctl_apexd_prop:file { getattr }; -dontaudit untrusted_app_25 ctl_apexd_prop:file { open }; -dontaudit untrusted_app_25 ctl_adbd_prop:file { map }; -dontaudit untrusted_app_25 ctl_adbd_prop:file { getattr }; -dontaudit untrusted_app_25 ctl_apexd_prop:file { map }; -dontaudit untrusted_app_25 ctl_bootanim_prop:file { map }; -dontaudit untrusted_app_25 ctl_bootanim_prop:file { getattr }; -dontaudit untrusted_app_25 ctl_bootanim_prop:file { open }; -dontaudit untrusted_app_25 ctl_apexd_prop:file { getattr }; -# b/178753151 -dontaudit untrusted_app_25 ctl_bugreport_prop:file { open }; -dontaudit untrusted_app_25 ctl_bugreport_prop:file { getattr }; -dontaudit untrusted_app_25 ctl_bugreport_prop:file { map }; -dontaudit untrusted_app_25 ctl_console_prop:file { open }; -dontaudit untrusted_app_25 ctl_console_prop:file { getattr }; -dontaudit untrusted_app_25 ctl_console_prop:file { map }; -dontaudit untrusted_app_25 ctl_default_prop:file { open }; -dontaudit untrusted_app_25 ctl_default_prop:file { getattr }; -dontaudit untrusted_app_25 ctl_bugreport_prop:file { open }; -dontaudit untrusted_app_25 ctl_bugreport_prop:file { getattr }; -dontaudit untrusted_app_25 ctl_bugreport_prop:file { map }; -dontaudit untrusted_app_25 ctl_console_prop:file { open }; -dontaudit untrusted_app_25 ctl_console_prop:file { getattr }; -# b/179310875 -dontaudit untrusted_app_25 ctl_dumpstate_prop:file { map }; -dontaudit untrusted_app_25 ctl_fuse_prop:file { open }; -dontaudit untrusted_app_25 ctl_dumpstate_prop:file { map }; -dontaudit untrusted_app_25 ctl_dumpstate_prop:file { open }; -dontaudit untrusted_app_25 ctl_default_prop:file { map }; -dontaudit untrusted_app_25 ctl_dumpstate_prop:file { getattr }; -dontaudit untrusted_app_25 ctl_dumpstate_prop:file { open }; -dontaudit untrusted_app_25 ctl_default_prop:file { map }; -dontaudit untrusted_app_25 ctl_gsid_prop:file { open }; -dontaudit untrusted_app_25 ctl_fuse_prop:file { map }; 
-dontaudit untrusted_app_25 ctl_fuse_prop:file { getattr }; -dontaudit untrusted_app_25 ctl_fuse_prop:file { open }; -dontaudit untrusted_app_25 ctl_dumpstate_prop:file { getattr }; -# b/179437293 -dontaudit untrusted_app_25 ctl_interface_stop_prop:file { open }; -dontaudit untrusted_app_25 ctl_interface_restart_prop:file { map }; -dontaudit untrusted_app_25 ctl_interface_restart_prop:file { getattr }; -dontaudit untrusted_app_25 ctl_interface_restart_prop:file { open }; -dontaudit untrusted_app_25 ctl_gsid_prop:file { map }; -dontaudit untrusted_app_25 ctl_gsid_prop:file { getattr }; -dontaudit untrusted_app_25 ctl_interface_start_prop:file { map }; -dontaudit untrusted_app_25 ctl_interface_start_prop:file { getattr }; -dontaudit untrusted_app_25 ctl_interface_start_prop:file { open }; -dontaudit untrusted_app_25 ctl_interface_restart_prop:file { map }; -dontaudit untrusted_app_25 ctl_interface_restart_prop:file { getattr }; -dontaudit untrusted_app_25 ctl_interface_restart_prop:file { open }; -dontaudit untrusted_app_25 ctl_gsid_prop:file { getattr }; -dontaudit untrusted_app_25 ctl_gsid_prop:file { map }; -# b/179437737 -dontaudit untrusted_app_25 ctl_interface_restart_prop:file { open }; -dontaudit untrusted_app_25 ctl_gsid_prop:file { map }; -dontaudit untrusted_app_25 ctl_gsid_prop:file { getattr }; -dontaudit untrusted_app_25 ctl_interface_restart_prop:file { getattr }; -dontaudit untrusted_app_25 ctl_interface_restart_prop:file { map }; -dontaudit untrusted_app_25 ctl_interface_start_prop:file { open }; -dontaudit untrusted_app_25 ctl_interface_start_prop:file { getattr }; -dontaudit untrusted_app_25 ctl_interface_start_prop:file { map }; -dontaudit untrusted_app_25 ctl_gsid_prop:file { getattr }; -dontaudit untrusted_app_25 ctl_gsid_prop:file { map }; -dontaudit untrusted_app_25 ctl_interface_restart_prop:file { open }; -dontaudit untrusted_app_25 ctl_interface_restart_prop:file { getattr }; -dontaudit untrusted_app_25 ctl_interface_restart_prop:file { map 
}; -# b/180963328 -dontaudit untrusted_app_25 ctl_mdnsd_prop:file { getattr }; -dontaudit untrusted_app_25 ctl_interface_stop_prop:file { getattr }; -dontaudit untrusted_app_25 ctl_interface_stop_prop:file { map }; -dontaudit untrusted_app_25 ctl_mdnsd_prop:file { open }; -dontaudit untrusted_app_25 ctl_mdnsd_prop:file { map }; -dontaudit untrusted_app_25 ctl_mdnsd_prop:file { map }; -dontaudit untrusted_app_25 ctl_mdnsd_prop:file { getattr }; -dontaudit untrusted_app_25 ctl_mdnsd_prop:file { open }; -dontaudit untrusted_app_25 ctl_interface_stop_prop:file { map }; -dontaudit untrusted_app_25 ctl_interface_stop_prop:file { getattr }; -# b/180963587 -dontaudit untrusted_app_25 property_type:file *; diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index 4e26b99d..5e1763fd 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -5,11 +5,6 @@ dontaudit vendor_init debugfs_trace_marker:file { getattr }; userdebug_or_eng(` permissive vendor_init; ') -# b/174443175 -dontaudit vendor_init vendor_power_prop:property_service { set }; -# b/177386448 -dontaudit vendor_init device:file { create }; -dontaudit vendor_init device:file { create }; # b/178980032 dontaudit vendor_init unlabeled:dir { setattr }; dontaudit vendor_init unlabeled:dir { read }; From a1f92cdd9049c7889b854246a287d54049e2fb36 Mon Sep 17 00:00:00 2001 From: Benjamin Schwartz Date: Mon, 15 Mar 2021 17:37:29 -0700 Subject: [PATCH 045/921] Give power stats HAL permission to read ufs stats Bug: 140217385 Test: dumpsys android.hardware.power.stats.IPowerStats/default Change-Id: Ib3fa9440982bc5846053e9ddf56d3ed178599c0c --- whitechapel/vendor/google/hal_power_stats_default.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/hal_power_stats_default.te b/whitechapel/vendor/google/hal_power_stats_default.te index 3fd46419..7047add3 100644 --- a/whitechapel/vendor/google/hal_power_stats_default.te 
+++ b/whitechapel/vendor/google/hal_power_stats_default.te
@@ -15,3 +15,4 @@ r_dir_file(hal_power_stats_default, sysfs_leds)
 r_dir_file(hal_power_stats_default, sysfs_acpm_stats)
 r_dir_file(hal_power_stats_default, sysfs_wifi)
 r_dir_file(hal_power_stats_default, sysfs_backlight)
+r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000)
From b70e0bebddad53a6fa57b4d6a032988928e7c02c Mon Sep 17 00:00:00 2001
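Review bot: `r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000)` grants read on every directory, file and symlink carrying that label, which is likely wider than the UFS statistics the commit message names; which sysfs nodes carry the label is decided in genfs_contexts, outside this hunk. If only a stats subdirectory is read, a dedicated label for it would keep the HAL's access limited to what it reports. At minimum a comment like `# UFS power stats (b/140217385)` above the line would say why the grant exists.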
From: SalmaxChang Date: Wed, 10 Mar 2021 14:55:10 +0800 Subject: [PATCH 046/921] MDS: Fix avc errors avc: denied { search } for name="vendor" dev="tmpfs" ino=2 scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=1 app=com.google.mds avc: denied { search } for name="vendor" dev="tmpfs" ino=2 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=1 app=com.google.mds avc: denied { search } for comm=4173796E635461736B202332 name="radio" dev="dm-9" ino=242 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1 app=com.google.mds avc: denied { call } for comm=4173796E635461736B202331 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:dmd:s0 tclass=binder permissive=1 app=com.google.mds avc: denied { write } for name="property_service" dev="tmpfs" ino=316 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=1 app=com.google.mds avc: denied { read } for name="u:object_r:vendor_modem_prop:s0" dev="tmpfs" ino=289 scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:vendor_modem_prop:s0 tclass=file permissive=1 app=com.google.mds avc: denied { search } for comm=4173796E635461736B202331 name="chosen" dev="sysfs" ino=9330 scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:sysfs_chosen:s0 tclass=dir permissive=1 app=com.google.mds Bug: 181185131 Bug: 179110848 Change-Id: I1ac00b68e2db44cc86f6b5c70001cda78264ff6e --- .../google/certs/com_google_mds.x509.pem | 29 +++++++++++++++++++ whitechapel/vendor/google/keys.conf | 2 ++ whitechapel/vendor/google/mac_permissions.xml | 27 +++++++++++++++++ .../vendor/google/modem_diagnostics.te | 29 +++++++++++++++++++ whitechapel/vendor/google/seapp_contexts | 3 ++ 5 files changed, 90 insertions(+) create mode 100644 whitechapel/vendor/google/certs/com_google_mds.x509.pem create mode 100644 
whitechapel/vendor/google/keys.conf create mode 100644 whitechapel/vendor/google/mac_permissions.xml create mode 100644 whitechapel/vendor/google/modem_diagnostics.te diff --git a/whitechapel/vendor/google/certs/com_google_mds.x509.pem b/whitechapel/vendor/google/certs/com_google_mds.x509.pem new file mode 100644 index 00000000..640c6fb9 --- /dev/null +++ b/whitechapel/vendor/google/certs/com_google_mds.x509.pem 
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIF1TCCA72gAwIBAgIVAPZ4KZV2jpxRBCoVAidCu62l3cDqMA0GCSqGSIb3DQEBCwUAMHsxCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw +EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEXMBUGA1UEAwwOY29tX2dvb2ds +ZV9tZHMwHhcNMTkwNDIyMTQ1NzA1WhcNNDkwNDIyMTQ1NzA1WjB7MQswCQYDVQQGEwJVUzETMBEG +A1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29vZ2xl +IEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxFzAVBgNVBAMMDmNvbV9nb29nbGVfbWRzMIICIjANBgkq +hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqgNC0hhI3NzaPUllJfe01hCTuEpl35D02+DKJ5prPFxv +6KGTk6skjZOwV87Zf2pyj/cbnv28ioDjwvqMBe4ntFdKtH9gl2tTAVl69HMKXF4Iny/wnrt2mxzh +WxFUd5PuW+mWug+UQw/NGUuaf5d/yys/RrchHKM1+zBV6aOzH6BXiwDoOF2i43d5GlNQ/tFuMySW +LJftJN0QULFelxNDFFJZhw2P3c4opxjmF2yCoIiDfBEIhTZFKUbHX6YDLXmtUpXl35q+cxK4TCxP +URyzwdfiyheF3TTxagfzhvXNg/ifrY67S4qCGfzoEMPxrTz02gS0u3D6r/2+hl9vAJChLKDNdIs6 +TqIw+YnABrELiZLLFnaABnjQ7xC3xv1s3W6dWxaxnoVMtC1YvdgwhC5gSpJ4A+AGcCLv96hoeB1I +IoGV9Yt0Z97MFpXeHFpAxFZ1F9feBqwOCDbu50dmdKZvqGHZ4Ts3uy7ukDQ08dquHpT+NmqkmmW5 +GGhkuyZS3HHpU/QeVsZiyJCJBbDe5lz6NGXK56ruuF9ILeGHtldjQm40oYRc01ESScyVjSU0kpMO +C7hn1B7rKAm8xxG7eH04ieQrNnbbee7atOO4C3157W5CqujfLMeo6OCRVtcYkYIuSi8hIPNySu/q +OaEtEP4owVNZR0H6mCHy5pANsyBofMkCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU +gk8pmLx8yP3RILwR5am1G10PBEowHwYDVR0jBBgwFoAUgk8pmLx8yP3RILwR5am1G10PBEowDQYJ +KoZIhvcNAQELBQADggIBAC9iQ1huo6CzjcsB1IIw3WYPYVfHtvG7fiB49QO6cjth8fxM36YOxnMz +K9Zh89cnFx7BeXG4MdbR3lAWO+wTbEpM/5azAQfqHB/ZEEAo1THtqS58C1bTwJ5zxkA+wL/x1ucT +EV0QZtPHC1K5nIV5FuICiJjui5FHfj2HYu2A5a5729rdZ7sL8Vgx6TUFKpEPs5iCrlx5X/E+/wJa +DM5iIjVvrGJJq0VWHHeDJEE+Sw1CDxWYRzvu1WvCvhk149hf4LlfrR0A5t8QJRGx0WwF10DLGgJx +7epMBpzhMIXc529FTIx4Rx2PcufjTZC9EN7PkLgVfYahWEkt/YIfV/0F6U6viLxdNC5O0pimSV57 +vT6HIthX1OC34eZca0cPqH1kOuhRDKOhbP4yIgdYX6knpvw8aXsYcyTfAmDyrt0EWffeBPedaxMo +xfijdlsBQUymviUQ8qBbfl1Ew9VoC+VEsiobK7Ubog0IK+82LQ7FOLMoNYnhk5wJ63i1kVvBVAgH +64PMME2KG//BwYFfKK6jUXibabyNke72+1Jr0xpw1BHJPxNJ8Q8yCBLF0wmXmFJSM+9lSDd10Bni 
+FJeMFMQ0T1Sf8GUSIxYYbMK5pDguRs+JOYkUID02ylJ3L6GAnxXCjGWzpdxw29/WWJc+qsYFEIbP +kKzTUNQHaaLHmcLK22Ht +-----END CERTIFICATE----- diff --git a/whitechapel/vendor/google/keys.conf b/whitechapel/vendor/google/keys.conf new file mode 100644 index 00000000..00dd8e6f --- /dev/null +++ b/whitechapel/vendor/google/keys.conf @@ -0,0 +1,2 @@ +[@MDS] +ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/com_google_mds.x509.pem diff --git a/whitechapel/vendor/google/mac_permissions.xml b/whitechapel/vendor/google/mac_permissions.xml new file mode 100644 index 00000000..4b997c27 --- /dev/null +++ b/whitechapel/vendor/google/mac_permissions.xml @@ -0,0 +1,27 @@ + + + + + + + + + diff --git a/whitechapel/vendor/google/modem_diagnostics.te b/whitechapel/vendor/google/modem_diagnostics.te new file mode 100644 index 00000000..8585319a --- /dev/null +++ b/whitechapel/vendor/google/modem_diagnostics.te @@ -0,0 +1,29 @@ +type modem_diagnostic_app, domain; + +app_domain(modem_diagnostic_app) +net_domain(modem_diagnostic_app) + +allow modem_diagnostic_app app_api_service:service_manager find; +allow modem_diagnostic_app radio_service:service_manager find; + +userdebug_or_eng(` + binder_call(modem_diagnostic_app, dmd) + + set_prop(modem_diagnostic_app, vendor_cbd_prop) + set_prop(modem_diagnostic_app, vendor_rild_prop) + set_prop(modem_diagnostic_app, vendor_modem_prop) + + allow modem_diagnostic_app sysfs_chosen:dir r_dir_perms; + allow modem_diagnostic_app sysfs_chosen:file r_file_perms; + + allow modem_diagnostic_app radio_vendor_data_file:dir r_dir_perms; + allow modem_diagnostic_app radio_vendor_data_file:file r_file_perms; + + allow modem_diagnostic_app mnt_vendor_file:dir r_dir_perms; + allow modem_diagnostic_app mnt_vendor_file:file r_file_perms; + + allow modem_diagnostic_app modem_img_file:dir r_dir_perms; + allow modem_diagnostic_app modem_img_file:file r_file_perms; + + allow modem_diagnostic_app hal_vendor_oem_hwservice:hwservice_manager find; +') 
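Review bot: In the new modem_diagnostics.te, `net_domain(modem_diagnostic_app)` and the `radio_service` lookup sit outside the `userdebug_or_eng` block, so the domain keeps network access on user builds even though every diagnostic grant below it is debug-only. None of the denials quoted in the commit message involve sockets, so the need for `net_domain` is not shown here. If the app is only meant to function on debug builds, move `net_domain(modem_diagnostic_app)` inside the `userdebug_or_eng(` block; otherwise add a comment stating what the app needs the network for on user builds.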
diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index a9dec13d..7a969d68 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts @@ -31,3 +31,6 @@ user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_in # Domain for omadm user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all + +# Modem Diagnostic System +user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user From 031fe80418c781cc891b8e118b83986d8c2926c2 Mon Sep 17 00:00:00 2001 From: raylinhsu Date: Tue, 16 Mar 2021 13:18:29 +0800 Subject: [PATCH 047/921] display: add sepolicy for hal_graphics_composer Allow HWC to access vendor_log_file and also allow hwc to access power hal Bug: 181712799 Test: pts -m PtsSELinuxTest -t com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot Change-Id: I403a528f651b9ee5755d11525f2a33c39628ecee --- .../gs101/hal_graphics_composer_default.te | 4 ++++ .../hal_graphics_composer_default.te | 23 ------------------- .../google/hal_graphics_composer_default.te | 1 + 3 files changed, 5 insertions(+), 23 deletions(-) delete mode 100644 tracking_denials/hal_graphics_composer_default.te diff --git a/display/gs101/hal_graphics_composer_default.te b/display/gs101/hal_graphics_composer_default.te index 5a607815..b5139133 100644 --- a/display/gs101/hal_graphics_composer_default.te +++ b/display/gs101/hal_graphics_composer_default.te @@ -32,3 +32,7 @@ add_service(hal_graphics_composer_default, vendor_displaycolor_service) add_service(hal_graphics_composer_default, hal_pixel_display_service) binder_use(hal_graphics_composer_default) +get_prop(hal_graphics_composer_default, boot_status_prop); + +# allow HWC to access vendor log file +allow hal_graphics_composer_default vendor_log_file:file create_file_perms; 
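Review bot: In display/gs101/hal_graphics_composer_default.te, `allow hal_graphics_composer_default vendor_log_file:file create_file_perms;` grants more than the denials this commit retires: the deleted tracking_denials file lists only `create`, `append open` and `getattr` on `vendor_log_file:file`, while `create_file_perms` also brings write, rename, setattr and unlink. For a log writer, `allow hal_graphics_composer_default vendor_log_file:file { create append open getattr };` keeps existing log content append-only from the HWC's side. No `vendor_log_file:dir` rule appears in this hunk, so creating the file presumably relies on a directory grant elsewhere. The deleted file also carried the b/181915065 `hal_dumpstate_default` fd and fifo_file rules, for which this commit adds no replacement.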
diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te
deleted file mode 100644
index 3bc97c42..00000000
--- a/tracking_denials/hal_graphics_composer_default.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# b/181712799
-dontaudit hal_graphics_composer_default hal_power_default:binder { call };
-dontaudit hal_graphics_composer_default boot_status_prop:file { read };
-dontaudit hal_graphics_composer_default boot_status_prop:file { open };
-dontaudit hal_graphics_composer_default boot_status_prop:file { getattr };
-dontaudit hal_graphics_composer_default boot_status_prop:file { map };
-dontaudit hal_graphics_composer_default hal_power_default:binder { call };
-dontaudit hal_graphics_composer_default boot_status_prop:file { map };
-dontaudit hal_graphics_composer_default vendor_log_file:file { create };
-dontaudit hal_graphics_composer_default vendor_log_file:file { append open };
-dontaudit hal_graphics_composer_default vendor_log_file:file { getattr };
-dontaudit hal_graphics_composer_default vendor_log_file:file { getattr };
-dontaudit hal_graphics_composer_default vendor_log_file:file { append open };
-dontaudit hal_graphics_composer_default vendor_log_file:file { create };
-dontaudit hal_graphics_composer_default hal_power_service:service_manager { find };
-dontaudit hal_graphics_composer_default boot_status_prop:file { read };
-dontaudit hal_graphics_composer_default boot_status_prop:file { open };
-dontaudit hal_graphics_composer_default boot_status_prop:file { getattr };
-# b/181915065
-dontaudit hal_graphics_composer_default hal_dumpstate_default:fd { use };
-dontaudit hal_graphics_composer_default hal_dumpstate_default:fifo_file { write };
-dontaudit hal_graphics_composer_default hal_dumpstate_default:fd { use };
-dontaudit hal_graphics_composer_default hal_dumpstate_default:fifo_file { write };
diff --git a/whitechapel/vendor/google/hal_graphics_composer_default.te b/whitechapel/vendor/google/hal_graphics_composer_default.te index f1d97149..0562aa0e 100644 --- a/whitechapel/vendor/google/hal_graphics_composer_default.te +++ b/whitechapel/vendor/google/hal_graphics_composer_default.te @@ -3,3 +3,4 @@ allow hal_graphics_composer_default sysfs_display:file rw_file_perms; # allow HWC to access power hal binder_call(hal_graphics_composer_default, hal_power_default); +hal_client_domain(hal_graphics_composer_default, hal_power); From 46fedc214876d7715c2a218655fab9252bad0d69 Mon Sep 17 00:00:00 2001 From: Hsiaoan Hsu Date: Tue, 16 Mar 2021 15:48:53 +0800 Subject: [PATCH 048/921] Add Sepolicy rule for connectivity monitor app sync sepolicy from previous projects. Bug: 182715920 Test: build pass. connetivity monitor service running successfully. Change-Id: Id5606b5db74fbf672ac41549862a83557734ac57 --- whitechapel/vendor/google/con_monitor.te | 7 +++++++ whitechapel/vendor/google/seapp_contexts | 3 +++ 2 files changed, 10 insertions(+) create mode 100644 whitechapel/vendor/google/con_monitor.te diff --git a/whitechapel/vendor/google/con_monitor.te b/whitechapel/vendor/google/con_monitor.te new file mode 100644 index 00000000..f630b455 --- /dev/null +++ b/whitechapel/vendor/google/con_monitor.te @@ -0,0 +1,7 @@ +# ConnectivityMonitor app +type con_monitor_app, domain, coredomain; + +app_domain(con_monitor_app) + +set_prop(con_monitor_app, radio_prop) +allow con_monitor_app app_api_service:service_manager find; diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index 7a969d68..f22516fa 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts 
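Review bot: In `whitechapel/vendor/google/hal_graphics_composer_default.te`, the new `hal_client_domain(hal_graphics_composer_default, hal_power);` line is terminated with a semicolon although it is a macro call, and it appears to make the `binder_call(hal_graphics_composer_default, hal_power_default);` line above it redundant. The client attribute normally brings both the binder call to the power HAL server and the `find` on its service, provided `hal_power_default` is the registered server domain. I would keep only `hal_client_domain(hal_graphics_composer_default, hal_power)` under the existing `# allow HWC to access power hal` comment, so the grant lives in one place and follows the HAL attribute rather than one concrete server domain.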
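Review bot: In the new `con_monitor.te`, `set_prop(con_monitor_app, radio_prop)` lets the app write every property that carries the `radio_prop` label. Neither the file nor the commit message ("sync sepolicy from previous projects") says which property it needs to set. A comment above the rule naming the property, e.g. `# ConnectivityMonitor sets <property name> to ...`, would let a reviewer judge whether a narrower property type is possible. The type is also declared with `coredomain` in a file under `whitechapel/vendor/google/`; worth confirming this matches the partition the APK is installed on, since coredomain-based neverallow rules will treat it as a system component.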
@@ -34,3 +34,6 @@ user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=o # Modem Diagnostic System user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user + +# Domain for connectivity monitor +user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all From ed8fdc9997e302c0e87472f5b0e6c1815ea1c744 Mon Sep 17 00:00:00 2001 From: Benjamin Schwartz Date: Mon, 15 Mar 2021 11:57:21 -0700 Subject: [PATCH 049/921] Fix sepolicies for hal_power_stats_default Bug: 182320246 Test: No more avc denied log messages for hal_power_stats_default Change-Id: I1cd801bb4823e80bd5ea112fb0b7bdfaeabbdef5 --- tracking_denials/hal_power_stats_default.te | 12 ------------ whitechapel/vendor/google/genfs_contexts | 7 +++++++ whitechapel/vendor/google/hal_power_stats_default.te | 2 ++ 3 files changed, 9 insertions(+), 12 deletions(-) delete mode 100644 tracking_denials/hal_power_stats_default.te diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te deleted file mode 100644 index 866c5176..00000000 --- a/tracking_denials/hal_power_stats_default.te +++ /dev/null @@ -1,12 +0,0 @@ -# b/171760721 -dontaudit hal_power_stats_default sysfs:file { read }; -dontaudit hal_power_stats_default sysfs:file { getattr }; -dontaudit hal_power_stats_default sysfs:file { read }; -dontaudit hal_power_stats_default sysfs:file { getattr }; -dontaudit hal_power_stats_default sysfs:file { open }; -dontaudit hal_power_stats_default sysfs:file { getattr }; -dontaudit hal_power_stats_default sysfs:dir { read }; -dontaudit hal_power_stats_default sysfs:dir { open }; -dontaudit hal_power_stats_default sysfs:file { read }; -dontaudit hal_power_stats_default sysfs:file { open }; -dontaudit hal_power_stats_default sysfs:file { open }; 
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 096e780e..11d98a63 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -171,6 +171,7 @@ genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_i genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/time_in_state u:object_r:sysfs_cpu:s0 genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/time_in_state u:object_r:sysfs_cpu:s0 genfscon sysfs /devices/platform/1c500000.mali/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/1c500000.mali/uid_time_in_state u:object_r:sysfs_cpu:s0 genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/time_in_state u:object_r:sysfs_cpu:s0 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/time_in_state u:object_r:sysfs_cpu:s0 genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/time_in_state u:object_r:sysfs_cpu:s0 @@ -181,6 +182,12 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/4-00500/nvmem # Broadcom genfscon sysfs /module/bcmdhd4389 u:object_r:sysfs_bcmdhd:s0 +# Power Stats +genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/3-0008/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0 + # debugfs genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0 diff --git a/whitechapel/vendor/google/hal_power_stats_default.te b/whitechapel/vendor/google/hal_power_stats_default.te index 3fd46419..86cc9968 100644 --- a/whitechapel/vendor/google/hal_power_stats_default.te 
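Review bot: In the first `genfs_contexts` hunk, `/devices/platform/1c500000.mali/uid_time_in_state` is given the same `sysfs_cpu` label as the aggregate `time_in_state` nodes around it. Judging by its name the node reports per-UID GPU time, so every domain that can already read `sysfs_cpu` would gain per-app usage data, which is more sensitive than device-wide frequency residency. If only `hal_power_stats_default` needs it, a dedicated type for this one node, with a single `r_file_perms` rule for that domain, keeps the exposure limited. At the least, a comment on the line should say that the node is per-UID and why the shared label is acceptable.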
+++ b/whitechapel/vendor/google/hal_power_stats_default.te @@ -4,6 +4,7 @@ allow hal_power_stats_default sysfs_scsi_devices_0000:file r_file_perms; # getStats AIDL callback to each power entry binder_call(hal_power_stats_default, hal_bluetooth_btlinux) +r_dir_file(hal_power_stats_default, sysfs_iio_devices) allow hal_power_stats_default odpm_config_file:dir search; allow hal_power_stats_default odpm_config_file:file r_file_perms; allow hal_power_stats_default sysfs_odpm:dir search; @@ -11,6 +12,7 @@ allow hal_power_stats_default sysfs_odpm:file rw_file_perms; binder_call(hal_power_stats_default, citadeld) r_dir_file(hal_power_stats_default, sysfs_aoc) +r_dir_file(hal_power_stats_default, sysfs_cpu) r_dir_file(hal_power_stats_default, sysfs_leds) r_dir_file(hal_power_stats_default, sysfs_acpm_stats) r_dir_file(hal_power_stats_default, sysfs_wifi) From 7c0fd2a41394fba7936bad0406d48ff77a14e5cc Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 17 Mar 2021 10:13:21 +0800 Subject: [PATCH 050/921] update error on ROM 7213588 Bug: 182954169 Bug: 182954060 Bug: 182954138 Bug: 182954062 Bug: 182953824 Bug: 182953825 Bug: 182954248 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I8417d4ebacefa691838e25131749b0e4fd152a2f --- tracking_denials/hal_health_default.te | 13 ++++++++ tracking_denials/hal_vibrator_default.te | 11 +++++++ tracking_denials/init.te | 5 +++ tracking_denials/kernel.te | 3 ++ tracking_denials/system_app.te | 2 ++ tracking_denials/trusty_apploader.te | 3 ++ tracking_denials/vendor_init.te | 2 ++ whitechapel/vendor/google/genfs_contexts | 39 ++++++++++++++++-------- 8 files changed, 66 insertions(+), 12 deletions(-) create mode 100644 tracking_denials/kernel.te create mode 100644 tracking_denials/system_app.te create mode 100644 tracking_denials/trusty_apploader.te diff --git a/tracking_denials/hal_health_default.te b/tracking_denials/hal_health_default.te index e69de29b..f5ffd871 100644 --- a/tracking_denials/hal_health_default.te 
+++ b/tracking_denials/hal_health_default.te @@ -0,0 +1,13 @@ +# b/182954169 +dontaudit hal_health_default sysfs:file { read }; +dontaudit hal_health_default sysfs:file { getattr }; +dontaudit hal_health_default sysfs:file { read }; +dontaudit hal_health_default sysfs:file { read }; +dontaudit hal_health_default sysfs:file { open }; +dontaudit hal_health_default sysfs:file { getattr }; +dontaudit hal_health_default sysfs:file { open }; +dontaudit hal_health_default sysfs:file { read }; +dontaudit hal_health_default sysfs:file { open }; +dontaudit hal_health_default sysfs:file { getattr }; +dontaudit hal_health_default sysfs:file { open }; +dontaudit hal_health_default sysfs:file { getattr }; diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te index eea73ffc..58df632c 100644 --- a/tracking_denials/hal_vibrator_default.te +++ b/tracking_denials/hal_vibrator_default.te @@ -1,2 +1,13 @@ # b/174961422 dontaudit hal_vibrator_default property_type:file * ; +# b/182954060 +dontaudit hal_vibrator_default sysfs:file { getattr }; +dontaudit hal_vibrator_default sysfs:file { getattr }; +dontaudit hal_vibrator_default sysfs:file { getattr }; +dontaudit hal_vibrator_default sysfs:file { getattr }; +dontaudit hal_vibrator_default sysfs:file { getattr }; +dontaudit hal_vibrator_default sysfs:file { open }; +dontaudit hal_vibrator_default sysfs:file { read write }; +dontaudit hal_vibrator_default sysfs:file { open }; +dontaudit hal_vibrator_default sysfs:file { read write }; +dontaudit hal_vibrator_default sysfs:file { getattr }; diff --git a/tracking_denials/init.te b/tracking_denials/init.te index 27d6f882..6ecb2c0c 100644 --- a/tracking_denials/init.te +++ b/tracking_denials/init.te 
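Review bot: The block added to `tracking_denials/hal_health_default.te` repeats identical rules: `sysfs:file { read }`, `{ open }` and `{ getattr }` appear four times each. Being written against the generic `sysfs` label, they also give no hint of which node is unlabeled. One rule carries the same meaning, `dontaudit hal_health_default sysfs:file { getattr open read };`, and the `# b/182954169` comment would be more useful with the denied sysfs path from the AVC line next to it. The same duplication is in the `hal_vibrator_default.te`, `init.te`, `kernel.te` and `trusty_apploader.te` hunks of this commit.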
@@ -1,3 +1,8 @@ # b/180963348 dontaudit init overlayfs_file:chr_file { unlink }; dontaudit init overlayfs_file:file { rename }; +# b/182954138 +dontaudit init vendor_file:file { execute }; +dontaudit init vendor_file:file { execute }; +dontaudit init sysfs:file { setattr }; +dontaudit init sysfs:file { setattr }; diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te new file mode 100644 index 00000000..7d36d7fe --- /dev/null +++ b/tracking_denials/kernel.te @@ -0,0 +1,3 @@ +# b/182954062 +dontaudit kernel kernel:perf_event { cpu }; +dontaudit kernel kernel:perf_event { cpu }; diff --git a/tracking_denials/system_app.te b/tracking_denials/system_app.te new file mode 100644 index 00000000..41c59a5d --- /dev/null +++ b/tracking_denials/system_app.te @@ -0,0 +1,2 @@ +# b/182953824 +dontaudit system_app default_android_service:service_manager { add }; diff --git a/tracking_denials/trusty_apploader.te b/tracking_denials/trusty_apploader.te new file mode 100644 index 00000000..3f6e9ae9 --- /dev/null +++ b/tracking_denials/trusty_apploader.te @@ -0,0 +1,3 @@ +# b/182953825 +dontaudit trusty_apploader trusty_apploader:capability { dac_override }; +dontaudit trusty_apploader trusty_apploader:capability { dac_override }; diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index 5e1763fd..b30930a8 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -14,3 +14,5 @@ dontaudit vendor_init unlabeled:dir { open }; dontaudit vendor_init unlabeled:dir { read }; dontaudit vendor_init unlabeled:dir { setattr }; dontaudit vendor_init unlabeled:dir { open }; +# b/182954248 +dontaudit vendor_init default_prop:file { read }; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 11d98a63..0b212f49 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
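Review bot: The `trusty_apploader.te` and `init.te` hunks add `dontaudit trusty_apploader trusty_apploader:capability { dac_override };` and `dontaudit init vendor_file:file { execute };`. Both suppress denials that usually indicate a misconfiguration rather than a missing allow rule: a file owner or mode mismatch in the first case, and a vendor executable without its own label in the second. While these rules are in place, nothing reaches the audit log if the same access is attempted for a different reason, so detection tooling that watches AVC denials loses that signal. I would record the denied path and `comm` from the AVC line in the `# b/182953825` and `# b/182954138` comments, so the entries can be removed as soon as the file ownership or labeling is fixed.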
@@ -138,18 +138,33 @@ genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_chip_id: genfscon sysfs /devices/system/chip-id/raw_str u:object_r:sysfs_chip_id:s0 # system_suspend wakeup nodes -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/power_supply/tcpm-source-psy-5-0025/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-5/5-0025/power_supply/tcpm-source-psy-5-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0025/power_supply/tcpm-source-psy-6-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/4-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 # subsystem-coredump genfscon sysfs /class/sscoredump/level u:object_r:sscoredump_sysfs_level:s0 From 78047fa17be13a4968d41ad187641d6229ebd5a4 Mon Sep 17 00:00:00 2001 From: Rick Chen Date: Tue, 16 Mar 2021 17:43:57 +0800 Subject: [PATCH 051/921] sensors: Add sensor related rule to chre. [ 8.417813] type=1400 audit(1615518074.988:4): avc: denied { write } for comm="sensors@2.0-ser" name="chre" dev="tmpfs" ino=908 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:chre_socket:s0 tclass=sock_file permissive=1 [ 8.418075] type=1400 audit(1615518074.988:5): avc: denied { connectto } for comm="sensors@2.0-ser" path="/dev/socket/chre" scontext=u:r:hal_sensors_default:s0 tcontext=u:r:chre:s0 tclass=unix_stream_socket permissive=1 03-12 11:01:14.988 694 694 I sensors@2.0-ser: type=1400 audit(0.0:5): avc: denied { connectto } for path="/dev/socket/chre" scontext=u:r:hal_sensors_default:s0 tcontext=u:r:chre:s0 tclass=unix_stream_socket permissive=1 Also merge two sensor_hal related files into single file. Bug: 182523946 Test: make selinux_policy -j128 and push to device. No hal_sensors_default related avc deined log during boot. 
Signed-off-by: Rick Chen Change-Id: I49ce71ba4703528fb2e26dd8956c4ed741337ffc --- tracking_denials/hal_sensors_default.te | 59 ------------------- usf/sensor_hal.te | 31 ++++++++++ .../vendor/google/hal_sensors_default.te | 23 -------- 3 files changed, 31 insertions(+), 82 deletions(-) delete mode 100644 tracking_denials/hal_sensors_default.te delete mode 100644 whitechapel/vendor/google/hal_sensors_default.te diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te deleted file mode 100644 index b3331836..00000000 --- a/tracking_denials/hal_sensors_default.te +++ /dev/null 
@@ -1,59 +0,0 @@ -# b/182086633 -dontaudit hal_sensors_default servicemanager:binder { call }; -dontaudit hal_sensors_default device:dir { read }; -dontaudit hal_sensors_default device:dir { watch }; -dontaudit hal_sensors_default aoc_device:chr_file { read write }; -dontaudit hal_sensors_default aoc_device:chr_file { open }; -dontaudit hal_sensors_default mnt_vendor_file:dir { search }; -dontaudit hal_sensors_default persist_file:dir { search }; -dontaudit hal_sensors_default persist_file:dir { getattr }; -dontaudit hal_sensors_default persist_file:dir { read }; -dontaudit hal_sensors_default persist_file:dir { open }; -dontaudit hal_sensors_default persist_file:file { getattr }; -dontaudit hal_sensors_default persist_file:file { read }; -dontaudit hal_sensors_default persist_file:file { open }; -dontaudit hal_sensors_default vendor_data_file:dir { read }; -dontaudit hal_sensors_default vendor_data_file:dir { open }; -dontaudit hal_sensors_default vendor_data_file:file { getattr }; -dontaudit hal_sensors_default vendor_data_file:file { read }; -dontaudit hal_sensors_default vendor_data_file:file { open }; -dontaudit hal_sensors_default fwk_stats_service:service_manager { find }; -dontaudit hal_sensors_default servicemanager:binder { call }; -dontaudit hal_sensors_default servicemanager:binder { transfer }; -dontaudit hal_sensors_default servicemanager:binder { transfer }; -dontaudit hal_sensors_default servicemanager:binder { call }; -dontaudit hal_sensors_default aoc_device:chr_file { getattr }; -dontaudit hal_sensors_default aoc_device:chr_file { read write }; -dontaudit hal_sensors_default aoc_device:chr_file { open }; -dontaudit hal_sensors_default vendor_data_file:file { write }; -dontaudit hal_sensors_default sysfs_aoc_boottime:file { read }; -dontaudit hal_sensors_default sysfs_aoc_boottime:file { open }; -dontaudit hal_sensors_default sysfs_aoc_boottime:file { getattr }; -dontaudit hal_sensors_default vendor_data_file:file { write }; -dontaudit 
hal_sensors_default vendor_data_file:file { read }; -dontaudit hal_sensors_default vendor_data_file:file { getattr }; -dontaudit hal_sensors_default persist_file:dir { search }; -dontaudit hal_sensors_default vendor_data_file:dir { open }; -dontaudit hal_sensors_default aoc_device:chr_file { read write }; -dontaudit hal_sensors_default vendor_data_file:dir { read }; -dontaudit hal_sensors_default persist_file:file { open }; -dontaudit hal_sensors_default vendor_data_file:file { open }; -dontaudit hal_sensors_default sysfs_aoc_boottime:file { getattr }; -dontaudit hal_sensors_default sysfs_aoc_boottime:file { open }; -dontaudit hal_sensors_default sysfs_aoc_boottime:file { read }; -dontaudit hal_sensors_default persist_file:file { read }; -dontaudit hal_sensors_default persist_file:file { getattr }; -dontaudit hal_sensors_default device:dir { read }; -dontaudit hal_sensors_default persist_file:dir { open }; -dontaudit hal_sensors_default persist_file:dir { read }; -dontaudit hal_sensors_default persist_file:dir { getattr }; -dontaudit hal_sensors_default vendor_data_file:file { open }; -dontaudit hal_sensors_default mnt_vendor_file:dir { search }; -dontaudit hal_sensors_default device:dir { read }; -dontaudit hal_sensors_default device:dir { watch }; -dontaudit hal_sensors_default servicemanager:binder { transfer }; -dontaudit hal_sensors_default aoc_device:chr_file { open }; -# b/182523946 -dontaudit hal_sensors_default chre_socket:sock_file { write }; -dontaudit hal_sensors_default chre:unix_stream_socket { connectto }; -dontaudit hal_sensors_default chre:unix_stream_socket { connectto }; diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index afb74634..84d1caff 100644 --- a/usf/sensor_hal.te +++ b/usf/sensor_hal.te 
@@ -20,3 +20,34 @@ allow hal_sensors_default sysfs_aoc_boottime:file rw_file_perms; # Allow create thread to watch AOC's device. allow hal_sensors_default device:dir r_dir_perms; + +# Allow access to the files of CDT information. +r_dir_file(hal_sensors_default, sysfs_chosen) + +# Allow display_info_service access to the backlight driver. +allow hal_sensors_default sysfs_leds:dir search; +allow hal_sensors_default sysfs_leds:file rw_file_perms; + +# Allow access to the power supply files for MagCC. +r_dir_file(hal_sensors_default, sysfs_batteryinfo) +allow hal_sensors_default sysfs_wlc:dir r_dir_perms; + +# Allow access to sensor service for sensor_listener. +binder_call(hal_sensors_default, system_server); + +# Allow access to the stats service. +allow hal_sensors_default fwk_stats_hwservice:hwservice_manager find; + +# Allow access to the sysfs_aoc. +allow hal_sensors_default sysfs_aoc:dir search; + +# +# Suez type enforcements. +# + +# Allow SensorSuez to connect AIDL stats. +binder_use(hal_sensors_default); +allow hal_sensors_default fwk_stats_service:service_manager find; + +# Allow access to CHRE socket to connect to nanoapps. +unix_socket_connect(hal_sensors_default, chre, chre) diff --git a/whitechapel/vendor/google/hal_sensors_default.te b/whitechapel/vendor/google/hal_sensors_default.te deleted file mode 100644 index 396fd3c5..00000000 --- a/whitechapel/vendor/google/hal_sensors_default.te +++ /dev/null 
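Review bot: In the block moved into `usf/sensor_hal.te`, the sensors HAL keeps `rw_file_perms` on `sysfs_leds:file`. The reworded comment ("Allow display_info_service access to the backlight driver.") does not say why the HAL needs to write there, and the tracking file deleted in this commit lists no `sysfs_leds` denials to compare against. If the HAL only reads brightness, `allow hal_sensors_default sysfs_leds:file r_file_perms;` is enough; otherwise extend the comment to say what is written. The macro calls in the added lines also mix terminators (`binder_call(...);`, `binder_use(...);` against `r_dir_file(...)`, `unix_socket_connect(...)`); dropping the semicolons would make them consistent.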
@@ -1,23 +0,0 @@ -# Allow access to the files of CDT information. -r_dir_file(hal_sensors_default, sysfs_chosen) - -# Allow access to the leds driver. -allow hal_sensors_default sysfs_leds:dir search; -allow hal_sensors_default sysfs_leds:file rw_file_perms; - -# Allow access to the power supply files for MagCC. -r_dir_file(hal_sensors_default, sysfs_batteryinfo) -allow hal_sensors_default sysfs_wlc:dir r_dir_perms; - -# Allow access to sensor service for sensor_listener. -binder_call(hal_sensors_default, system_server); - -# Allow access to the stats service. -allow hal_sensors_default fwk_stats_hwservice:hwservice_manager find; - -# Allow access to the sysfs_aoc. -allow hal_sensors_default sysfs_aoc:dir search; - -# Allow SensorSuez to connect AIDL stats. -binder_use(hal_sensors_default); -allow hal_sensors_default fwk_stats_service:service_manager find; From 74052118a824c98f670df13f5454f3168902204e Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 17 Mar 2021 10:49:24 +0800 Subject: [PATCH 052/921] label missing power sys nodes Bug: 182954169 Test: boot with no avc error found Change-Id: I33cd99d5748dd9fc40301c460a050b6e969f30f4 --- tracking_denials/hal_health_default.te | 13 ------------- whitechapel/vendor/google/genfs_contexts | 4 ++++ 2 files changed, 4 insertions(+), 13 deletions(-) delete mode 100644 tracking_denials/hal_health_default.te diff --git a/tracking_denials/hal_health_default.te b/tracking_denials/hal_health_default.te deleted file mode 100644 index f5ffd871..00000000 --- a/tracking_denials/hal_health_default.te +++ /dev/null 
@@ -1,13 +0,0 @@ -# b/182954169 -dontaudit hal_health_default sysfs:file { read }; -dontaudit hal_health_default sysfs:file { getattr }; -dontaudit hal_health_default sysfs:file { read }; -dontaudit hal_health_default sysfs:file { read }; -dontaudit hal_health_default sysfs:file { open }; -dontaudit hal_health_default sysfs:file { getattr }; -dontaudit hal_health_default sysfs:file { open }; -dontaudit hal_health_default sysfs:file { read }; -dontaudit hal_health_default sysfs:file { open }; -dontaudit hal_health_default sysfs:file { getattr }; -dontaudit hal_health_default sysfs:file { open }; -dontaudit hal_health_default sysfs:file { getattr }; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 0b212f49..3fc33bc9 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -22,6 +22,10 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0025 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0025/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-003c u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-003c/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/power_supply u:object_r:sysfs_batteryinfo:s0 + # O6 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025 u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/power_supply u:object_r:sysfs_batteryinfo:s0 From 2dc4d2d61f47e92d868594bdf0adf9b191005329 Mon Sep 17 00:00:00 2001 
From: Jenny Ho Date: Wed, 17 Mar 2021 11:27:05 +0800 Subject: [PATCH 053/921] genfs_contexts: add sepolicy for dumping eeprom data I auditd : type=1400 audit(0.0:53): avc: denied { getattr } for comm="sh" path="/sys/devices/platform/10970000.hsi2c/i2c-5/5-0050/eeprom" dev="sysfs" ino=59692 scontext=u:r:shell:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 I sh : type=1400 audit(0.0:53): avc: denied { getattr } for path="/sys/devices/platform/10970000.hsi2c/i2c-5/5-0050/eeprom" dev="sysfs" ino=59692 scontext=u:r:shell:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 I auditd : type=1400 audit(0.0:57): avc: denied { getattr } for comm="ls" path="/sys/devices/platform/10970000.hsi2c/i2c-5/5-0050/eeprom" dev="sysfs" ino=59692 scontext=u:r:shell:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 I ls : type=1400 audit(0.0:57): avc: denied { getattr } for path="/sys/devices/platform/10970000.hsi2c/i2c-5/5-0050/eeprom" dev="sysfs" ino=59692 scontext=u:r:shell:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 Bug: 182531832 Signed-off-by: Jenny Ho Change-Id: If189575c6db8b43b59c6009378ec724bd075c0d1 --- whitechapel/vendor/google/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 3fc33bc9..90a40bcb 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -25,6 +25,7 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-003c/power_supply genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0 # O6 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025 u:object_r:sysfs_batteryinfo:s0 @@ -34,6 +35,7 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c/power_supply genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0 # Storage genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0 From a570dc6991610623581562ce40678589780efbf5 Mon Sep 17 00:00:00 2001 From: Hridya Valsaraju Date: Tue, 16 Mar 2021 22:50:58 -0700 Subject: [PATCH 054/921] Add a label for Pixel DMA-BUF heap tracepoints These tracepoint are the DMA-BUF equivalents to the ION tracepoints. They expose the size of the DMA-BUF, unique inode number of the DMA-BUF and total size of all DMA-BUFs exported from the DMA-BUF heap framework. Test: build Bug: 182328989 Change-Id: I311b68275ebd668f73d0ccff0fcaa01d251250bc --- whitechapel/vendor/google/genfs_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index b98a7494..83732201 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
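Review bot: Both `genfs_contexts` hunks label a raw `eeprom` node as `sysfs_batteryinfo` (`i2c-5/5-0050/eeprom` and `i2c-4/4-0050/eeprom`). The denials quoted in the commit message are `getattr` from the `shell` domain, so the change makes the full EEPROM contents readable by every domain that already reads `sysfs_batteryinfo`, not only by the tool that dumps it. EEPROMs on a battery or charger bus often hold serial numbers and calibration data, so I would give these two nodes their own type and grant `r_file_perms` only to the domain that dumps them. If the shared label is kept, a comment should state what the EEPROM contains and that exposing it through `sysfs_batteryinfo` was reviewed.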
@@ -176,3 +176,6 @@ genfscon debugfs /usb genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0 genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0 genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0 + +# tracefs +genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0 From ebeae6abc3bc762dd4df3373dc4dd81bf531fbcd Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 17 Mar 2021 15:15:22 +0800 Subject: [PATCH 055/921] label uwb service to prevent reset after unplugging USB Bug: 182953824 Test: unplug USB under enforcing mode Change-Id: Ib4bdf9b9339fc631d045bde57f78a46ce3ca8b6e --- tracking_denials/system_app.te | 2 -- whitechapel/vendor/google/service.te | 1 + whitechapel/vendor/google/service_contexts | 5 +++-- whitechapel/vendor/google/system_app.te | 4 +++- 4 files changed, 7 insertions(+), 5 deletions(-) delete mode 100644 tracking_denials/system_app.te diff --git a/tracking_denials/system_app.te b/tracking_denials/system_app.te deleted file mode 100644 index 41c59a5d..00000000 --- a/tracking_denials/system_app.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/182953824 -dontaudit system_app default_android_service:service_manager { add }; diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te index 9c935e9c..e94b128e 100644 --- a/whitechapel/vendor/google/service.te +++ b/whitechapel/vendor/google/service.te @@ -1 +1,2 @@ type hal_pixel_display_service, service_manager_type, vendor_service; +type uwb_service, service_manager_type; diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index aed05336..669a5166 100644 --- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts 
@@ -1,3 +1,4 @@ # EdgeTPU service -com.google.edgetpu.IEdgeTpuService/default u:object_r:edgetpu_service:s0 -com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 +com.google.edgetpu.IEdgeTpuService/default u:object_r:edgetpu_service:s0 +com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 +uwb u:object_r:uwb_service:s0 diff --git a/whitechapel/vendor/google/system_app.te b/whitechapel/vendor/google/system_app.te index f8fe4f20..043d4bb1 100644 --- a/whitechapel/vendor/google/system_app.te +++ b/whitechapel/vendor/google/system_app.te @@ -3,4 +3,6 @@ allow system_app sysfs_vendor_sched:file w_file_perms; allow system_app hal_wlc_hwservice:hwservice_manager find; binder_call(system_app, hal_wlc) -allow system_app fwk_stats_hwservice:hwservice_manager find; \ No newline at end of file +allow system_app fwk_stats_hwservice:hwservice_manager find; + +add_service(system_app, uwb_service) From 185dbee4eb04f51903847c405633fb036dde2b94 Mon Sep 17 00:00:00 2001 From: Aaron Tsai Date: Tue, 16 Mar 2021 12:55:01 +0800 Subject: [PATCH 056/921] Fix selinux error for vendor_init 03-12 18:15:16.240 root 1 1 I /system/bin/init: type=1107 audit(0.0:19): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=vendor.sys.modem_reset pid=354 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:vendor_sys_default_prop:s0 tclass=property_service permissive=1' Bug: 182715587 Test: verified with the forrest ROM and error log gone Change-Id: Icfea06220c491d414f6bdbf04ceda4c46299fb29 --- whitechapel/vendor/google/vendor_init.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 00906fcc..c2a42e58 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te 
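Review bot: `add_service(system_app, uwb_service)` in the system_app.te hunk lets the whole `system_app` domain register `uwb`, not only the app that hosts the service. If that app can be placed in its own domain (seapp_contexts is not part of this patch), the `add` permission could be granted there instead of to every system-UID app. The new line also has no comment; something like `# UWB app registers the "uwb" binder service, see b/182953824` would record why the rule exists. In service.te the new type is declared in vendor policy without `vendor_service`, unlike the line above it, which looks deliberate for a service registered by a system app but is worth confirming.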
@@ -4,6 +4,7 @@ set_prop(vendor_init, vendor_cbd_prop) get_prop(vendor_init, vendor_rild_prop) get_prop(vendor_init, vendor_persist_sys_modem_prop) set_prop(vendor_init, vendor_usb_config_prop) +set_prop(vendor_init, vendor_sys_default_prop) allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file write; From 86aa1562026aa3e7030d26ef474fb5122b3dbd7a Mon Sep 17 00:00:00 2001 From: Yu-Chi Cheng Date: Tue, 16 Mar 2021 11:53:12 -0700 Subject: [PATCH 057/921] Allowed Camera hal to access EdgeTPU service for on-device compilation. Camera hal DarwiNN pipelines are switching to use the on-device compilation, which achieves by talking to the EdgeTPU service. This change added the required selinux policies to allow accessing the service, as well as allowing file descriptors to be shared between them for passing the compilation info around. Bug: 182423730 Bug: 182706078 Test: verified on Oriole running camera. Change-Id: I5d3bc84fd54d4618f505f37d9773894261061d7f --- tracking_denials/edgetpu_server.te | 9 --------- whitechapel/vendor/google/edgetpu_service.te | 4 ++++ whitechapel/vendor/google/hal_camera_default.te | 7 +++++++ 3 files changed, 11 insertions(+), 9 deletions(-) delete mode 100644 tracking_denials/edgetpu_server.te diff --git a/tracking_denials/edgetpu_server.te b/tracking_denials/edgetpu_server.te deleted file mode 100644 index 61a19774..00000000 --- a/tracking_denials/edgetpu_server.te +++ /dev/null @@ -1,9 +0,0 @@ -# b/182706078 -dontaudit edgetpu_server tmpfs:file { getattr }; -dontaudit edgetpu_server tmpfs:file { getattr }; -dontaudit edgetpu_server tmpfs:file { map }; -dontaudit edgetpu_server tmpfs:file { read write }; -dontaudit edgetpu_server hal_camera_default:fd { use }; -dontaudit edgetpu_server hal_camera_default:fd { use }; -dontaudit edgetpu_server tmpfs:file { read write }; -dontaudit edgetpu_server tmpfs:file { map }; 
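Review bot: `set_prop(vendor_init, vendor_sys_default_prop)` opens the whole default type to clear a denial that the commit message shows for a single property, `vendor.sys.modem_reset`. `vendor_init` already has `set_prop` on `vendor_modem_prop` (visible in the vendor_init.te hunk of patch 062), so labelling that one property in property_contexts, `vendor.sys.modem_reset u:object_r:vendor_modem_prop:s0`, would fix the denial without letting `vendor_init` set everything that falls through to `vendor_sys_default_prop`. The existing `vendor.sys.modem.` prefix shown in patch 062 does not cover it because of the trailing dot. property_contexts is not touched by this patch, so this would be an additional file change.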
diff --git a/whitechapel/vendor/google/edgetpu_service.te b/whitechapel/vendor/google/edgetpu_service.te index b6789cff..a30400ad 100644 --- a/whitechapel/vendor/google/edgetpu_service.te +++ b/whitechapel/vendor/google/edgetpu_service.te @@ -30,3 +30,7 @@ allow edgetpu_server edgetpu_service_data_file:dir rw_dir_perms; # Allow EdgeTPU service to access the Package Manager service. allow edgetpu_server package_native_service:service_manager find; binder_call(edgetpu_server, system_server); + +# Allow EdgeTPU service to access Android shared memory allocated +# by the camera hal for on-device compilation. +allow edgetpu_server hal_camera_default:fd use; diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index 0de87854..9938de38 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te @@ -13,6 +13,13 @@ allow hal_camera_default sysfs_edgetpu:dir r_dir_perms; allow hal_camera_default sysfs_edgetpu:file r_file_perms; allow hal_camera_default sysfs_chip_id:file r_file_perms; +# Allow the camera hal to access the EdgeTPU service and the +# Android shared memory allocated by the EdgeTPU service for +# on-device compilation. +allow hal_camera_default edgetpu_server:fd use; +allow hal_camera_default edgetpu_service:service_manager find; +binder_call(hal_camera_default, edgetpu_server) + allow hal_camera_default mnt_vendor_file:dir search; allow hal_camera_default persist_file:dir search; allow hal_camera_default persist_camera_file:dir search; From adeaaead76ffbe8951469cea4ec589490912c0ad Mon Sep 17 00:00:00 2001 
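Review bot: The comments added in both hunks describe access to shared memory, but the rules grant only descriptor passing (`fd use`), service lookup and binder calls. The tracking_denials/edgetpu_server.te file deleted by this patch also listed `tmpfs:file` `getattr`, `map` and `read write` for `edgetpu_server`, and nothing here allows them, so under enforcing mode mapping the buffer would presumably still be denied (patch 060 later re-adds `dontaudit` entries for exactly these). Either add the matching file rule or reword the comment to `# Allow EdgeTPU service to use file descriptors passed by the camera hal.` so it states what is granted. If a file rule is added, a per-domain type via `tmpfs_domain(hal_camera_default)` would be narrower than allowing generic `tmpfs`, assuming that macro fits this policy.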
From: iayara Date: Wed, 17 Mar 2021 13:53:18 -0700 Subject: [PATCH 058/921] Add "libedgetpu_darwinn2.so" library duplicate to be used for external launch. This change is intended to keep naming consistency with previous Darwinn external launch. In the future, all "libedgetpu_darwinn2.so" instances should be replaced by "libedgetpu_util.so". Bug: 182303547 Change-Id: I99e83f5f2e317b195b2061c781cb23544e547c55 --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 0c1822ae..013f2a37 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -344,6 +344,7 @@ /vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0 /system_ext/bin/hw/vendor\.google\.edgetpu@1\.0-service u:object_r:edgetpu_server_exec:s0 /vendor/lib64/libedgetpu_darwinn2\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0 /data/vendor/hal_neuralnetworks_darwinn(/.*)? u:object_r:hal_neuralnetworks_darwinn_data_file:s0 # EdgeTPU data file From beb4f82d327e10d4f2516a2fbd7ac8dee3d9d877 Mon Sep 17 00:00:00 2001 
From: Albert Wang Date: Wed, 17 Mar 2021 16:24:42 +0800 Subject: [PATCH 059/921] sepolicy: fix usb hal selinux permission avc: denied { read } for name="port0-partner" dev="sysfs" ino=98412 scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1 avc: denied { open } for path="/sys/devices/platform/10d50000.hsi2c/i2c-6/6-0025/typec/port0/port0-partner" dev="sysfs" ino=98412 scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1 avc: denied { getattr } for path="/sys/devices/platform/10d50000.hsi2c/i2c-5/5-0025/typec/port0/power_role" dev="sysfs" ino=67861 scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1 avc: denied { open } for path="/sys/devices/platform/10d50000.hsi2c/i2c-5/5-0025/typec/port0/power_role" dev="sysfs" ino=67861 scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1 avc: denied { write } for name="port_type" dev="sysfs" ino=71778 scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1 Bug: 182122983 Test: atest VtsHalUsbV1_0TargetTest atest HalUsbGadgetV1_0HostTest Signed-off-by: Albert Wang Change-Id: Ia2cf9061dd5eaa7af582331477afd34db56531e8 --- whitechapel/vendor/google/hal_usb_impl.te | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/whitechapel/vendor/google/hal_usb_impl.te b/whitechapel/vendor/google/hal_usb_impl.te index c95035ca..6c48682a 100644 --- a/whitechapel/vendor/google/hal_usb_impl.te +++ b/whitechapel/vendor/google/hal_usb_impl.te @@ -8,5 +8,5 @@ init_daemon_domain(hal_usb_impl) allow hal_usb_impl functionfs:dir { watch watch_reads }; set_prop(hal_usb_impl, vendor_usb_config_prop) -allow hal_usb_impl sysfs_batteryinfo:dir search; -allow hal_usb_impl sysfs_batteryinfo:file r_file_perms; +allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms; +allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms; 
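Review bot: Moving from `r_file_perms` to `rw_file_perms` gives `hal_usb_impl` write access to every file labelled `sysfs_batteryinfo`, while the denials quoted in the commit message show a write to one node only, `port_type` under `typec/port0`. The typec nodes appear to carry the battery label only because they sit below the `5-0025`/`6-0025` device paths; giving the `typec` subtree its own entry, e.g. `genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0025/typec u:object_r:<typec_sysfs_type>:s0` (placeholder type name), would let the write be granted there and keep `sysfs_batteryinfo` read-only for this HAL. The same reasoning applies to the `r_dir_perms` line. A comment above the two rules naming the nodes that need the access would make the grant easier to audit.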
From 15a0c61432a8a9394264ff0ff3275369949d42d2 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 18 Mar 2021 10:03:37 +0800 Subject: [PATCH 060/921] update error on ROM 7216638 Bug: 183055762 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: Id60bb2e822734e23803b8f937b71dc59a325c27b --- tracking_denials/edgetpu_server.te | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 tracking_denials/edgetpu_server.te diff --git a/tracking_denials/edgetpu_server.te b/tracking_denials/edgetpu_server.te new file mode 100644 index 00000000..c4c9dfd4 --- /dev/null +++ b/tracking_denials/edgetpu_server.te @@ -0,0 +1,7 @@ +# b/183055762 +dontaudit edgetpu_server tmpfs:file { read write }; +dontaudit edgetpu_server tmpfs:file { map }; +dontaudit edgetpu_server tmpfs:file { getattr }; +dontaudit edgetpu_server tmpfs:file { read write }; +dontaudit edgetpu_server tmpfs:file { map }; +dontaudit edgetpu_server tmpfs:file { getattr }; From c36661eb0bc3b55ae6ab507a043d73a69fece079 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 18 Mar 2021 10:14:46 +0800 Subject: [PATCH 061/921] remove obsolete entries Bug: 177389198 Bug: 177860960 Bug: 178752576 Bug: 178753472 Bug: 179310892 Bug: 179437292 Bug: 179437988 Bug: 180656125 Bug: 180960879 Bug: 182705863 Test: boot and grab bugreport with no gmscore error found Change-Id: I154733215aeca58a76add8d346cc0016a5f0dff7 --- tracking_denials/gmscore_app.te | 70 --------------------------------- 1 file changed, 70 deletions(-) delete mode 100644 tracking_denials/gmscore_app.te diff --git a/tracking_denials/gmscore_app.te b/tracking_denials/gmscore_app.te deleted file mode 100644 index 3a274f4b..00000000 --- a/tracking_denials/gmscore_app.te +++ /dev/null 
@@ -1,70 +0,0 @@ -# b/177389198 -dontaudit gmscore_app aac_drc_prop:file { open }; -dontaudit gmscore_app ab_update_gki_prop:file { map }; -dontaudit gmscore_app ab_update_gki_prop:file { getattr }; -dontaudit gmscore_app aac_drc_prop:file { map }; -dontaudit gmscore_app ab_update_gki_prop:file { open }; -dontaudit gmscore_app aac_drc_prop:file { getattr }; -# b/177860960 -dontaudit gmscore_app hal_memtrack_default:binder { call }; -dontaudit gmscore_app hal_memtrack_default:binder { call }; -dontaudit gmscore_app hal_memtrack_default:binder { call }; -dontaudit gmscore_app hal_memtrack_default:binder { call }; -dontaudit gmscore_app hal_memtrack_default:binder { call }; -dontaudit gmscore_app hal_memtrack_default:binder { call }; -dontaudit gmscore_app hal_memtrack_default:binder { call }; -# b/178752576 -dontaudit gmscore_app apexd_prop:file { open }; -dontaudit gmscore_app ramdump_vendor_mnt_file:filesystem { getattr }; -dontaudit gmscore_app apexd_prop:file { getattr }; -dontaudit gmscore_app apexd_prop:file { map }; -dontaudit gmscore_app ramdump_vendor_mnt_file:filesystem { getattr }; -dontaudit gmscore_app ramdump_vendor_mnt_file:filesystem { getattr }; -# b/178753472 -dontaudit gmscore_app audio_config_prop:file { getattr }; -dontaudit gmscore_app apk_verity_prop:file { map }; -dontaudit gmscore_app apk_verity_prop:file { getattr }; -dontaudit gmscore_app apk_verity_prop:file { open }; -dontaudit gmscore_app audio_config_prop:file { open }; -# b/179310892 -dontaudit gmscore_app bluetooth_a2dp_offload_prop:file { map }; -dontaudit gmscore_app bluetooth_a2dp_offload_prop:file { open }; -dontaudit gmscore_app bluetooth_prop:file { getattr }; -dontaudit gmscore_app audio_config_prop:file { map }; -dontaudit gmscore_app bluetooth_audio_hal_prop:file { open }; -dontaudit gmscore_app bluetooth_audio_hal_prop:file { getattr }; -dontaudit gmscore_app bluetooth_audio_hal_prop:file { map }; -dontaudit gmscore_app bluetooth_prop:file { open }; -dontaudit gmscore_app 
bluetooth_a2dp_offload_prop:file { getattr }; -# b/179437292 -dontaudit gmscore_app bootloader_boot_reason_prop:file { getattr }; -dontaudit gmscore_app bluetooth_prop:file { map }; -dontaudit gmscore_app bootloader_boot_reason_prop:file { open }; -dontaudit gmscore_app boottime_prop:file { open }; -dontaudit gmscore_app bootloader_boot_reason_prop:file { map }; -# b/179437988 -dontaudit gmscore_app bluetooth_prop:file { map }; -dontaudit gmscore_app bootloader_boot_reason_prop:file { open }; -dontaudit gmscore_app bootloader_boot_reason_prop:file { getattr }; -dontaudit gmscore_app bootloader_boot_reason_prop:file { map }; -dontaudit gmscore_app boottime_prop:file { open }; -dontaudit gmscore_app boottime_prop:file { getattr }; -dontaudit gmscore_app boottime_prop:file { map }; -dontaudit gmscore_app boottime_public_prop:file { open }; -dontaudit gmscore_app boottime_public_prop:file { getattr }; -# b/180656125 -dontaudit gmscore_app boottime_public_prop:file { map }; -dontaudit gmscore_app build_bootimage_prop:file { open }; -dontaudit gmscore_app bpf_progs_loaded_prop:file { map }; -dontaudit gmscore_app bpf_progs_loaded_prop:file { getattr }; -dontaudit gmscore_app bpf_progs_loaded_prop:file { open }; -dontaudit gmscore_app build_bootimage_prop:file { open }; -dontaudit gmscore_app boottime_public_prop:file { map }; -dontaudit gmscore_app bpf_progs_loaded_prop:file { map }; -dontaudit gmscore_app bpf_progs_loaded_prop:file { getattr }; -dontaudit gmscore_app bpf_progs_loaded_prop:file { open }; -# b/180960879 -dontaudit gmscore_app property_type:file *; -# b/182705863 -dontaudit gmscore_app modem_img_file:filesystem { getattr }; -dontaudit gmscore_app modem_img_file:filesystem { getattr }; From 2797490192c8db8cf88676ff862b4be7f6a6d161 Mon Sep 17 00:00:00 2001 
From: SalmaxChang Date: Wed, 17 Mar 2021 11:11:42 +0800 Subject: [PATCH 062/921] Update vendor_modem_prop and add rules for mds Bug: 181185131 Change-Id: Ie709e08152d23428a687c949359316206843b9fa --- whitechapel/vendor/google/dmd.te | 1 + whitechapel/vendor/google/hal_dumpstate_default.te | 2 +- whitechapel/vendor/google/logger_app.te | 1 - whitechapel/vendor/google/modem_diagnostics.te | 3 +++ whitechapel/vendor/google/property.te | 1 - whitechapel/vendor/google/property_contexts | 2 +- whitechapel/vendor/google/vendor_init.te | 1 - 7 files changed, 6 insertions(+), 5 deletions(-) diff --git a/whitechapel/vendor/google/dmd.te b/whitechapel/vendor/google/dmd.te index c0c695f2..8c9a2fc0 100644 --- a/whitechapel/vendor/google/dmd.te +++ b/whitechapel/vendor/google/dmd.te @@ -27,3 +27,4 @@ get_prop(dmd, vendor_persist_config_default_prop) get_prop(dmd, hwservicemanager_prop) add_hwservice(dmd, hal_vendor_oem_hwservice) binder_call(dmd, hwservicemanager) +binder_call(dmd, modem_diagnostic_app) diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index a72f1257..e28d864e 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -86,7 +86,7 @@ userdebug_or_eng(` get_prop(hal_dumpstate_default, boottime_public_prop) get_prop(hal_dumpstate_default, vendor_gps_prop) -get_prop(hal_dumpstate_default, vendor_persist_sys_modem_prop) +get_prop(hal_dumpstate_default, vendor_modem_prop) get_prop(hal_dumpstate_default, vendor_rild_prop) userdebug_or_eng(` diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te index 3e603c5f..ce9c473b 100644 --- a/whitechapel/vendor/google/logger_app.te +++ b/whitechapel/vendor/google/logger_app.te 
@@ -14,6 +14,5 @@ userdebug_or_eng(` allow logger_app vendor_gps_file:dir create_dir_perms; set_prop(logger_app, vendor_modem_prop) - set_prop(logger_app, vendor_persist_sys_modem_prop) set_prop(logger_app, vendor_gps_prop) ') diff --git a/whitechapel/vendor/google/modem_diagnostics.te b/whitechapel/vendor/google/modem_diagnostics.te index 8585319a..c7ade412 100644 --- a/whitechapel/vendor/google/modem_diagnostics.te +++ b/whitechapel/vendor/google/modem_diagnostics.te @@ -16,6 +16,8 @@ userdebug_or_eng(` allow modem_diagnostic_app sysfs_chosen:dir r_dir_perms; allow modem_diagnostic_app sysfs_chosen:file r_file_perms; + allow modem_diagnostic_app vendor_fw_file:file r_file_perms; + allow modem_diagnostic_app radio_vendor_data_file:dir r_dir_perms; allow modem_diagnostic_app radio_vendor_data_file:file r_file_perms; @@ -24,6 +26,7 @@ userdebug_or_eng(` allow modem_diagnostic_app modem_img_file:dir r_dir_perms; allow modem_diagnostic_app modem_img_file:file r_file_perms; + allow modem_diagnostic_app modem_img_file:lnk_file r_file_perms; allow modem_diagnostic_app hal_vendor_oem_hwservice:hwservice_manager find; ') diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 70f00d46..55d06df7 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -21,7 +21,6 @@ vendor_internal_prop(vendor_persist_sys_default_prop) vendor_internal_prop(vendor_audio_prop) vendor_internal_prop(vendor_codec2_debug_prop) vendor_internal_prop(vendor_display_prop) -vendor_internal_prop(vendor_persist_sys_modem_prop) vendor_internal_prop(vendor_camera_prop) vendor_internal_prop(vendor_camera_debug_prop) vendor_internal_prop(vendor_camera_fatp_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 784291df..d921e065 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts 
@@ -38,7 +38,7 @@ persist.vendor.modem. u:object_r:vendor_modem_prop:s0 vendor.modem. u:object_r:vendor_modem_prop:s0 vendor.sys.modem. u:object_r:vendor_modem_prop:s0 vendor.sys.exynos.modempath u:object_r:vendor_modem_prop:s0 -persist.vendor.sys.modem. u:object_r:vendor_persist_sys_modem_prop:s0 +persist.vendor.sys.modem. u:object_r:vendor_modem_prop:s0 # for cbd vendor.cbd. u:object_r:vendor_cbd_prop:s0 diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index c2a42e58..3f650192 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -2,7 +2,6 @@ set_prop(vendor_init, vendor_device_prop) set_prop(vendor_init, vendor_modem_prop) set_prop(vendor_init, vendor_cbd_prop) get_prop(vendor_init, vendor_rild_prop) -get_prop(vendor_init, vendor_persist_sys_modem_prop) set_prop(vendor_init, vendor_usb_config_prop) set_prop(vendor_init, vendor_sys_default_prop) From 10fda56cd13e84a8b5525a72f9a7d58755350b5e Mon Sep 17 00:00:00 2001 
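Review bot: Relabelling `persist.vendor.sys.modem.` to `vendor_modem_prop` widens write access to the persistent modem properties: `vendor_init` previously had only `get_prop` on `vendor_persist_sys_modem_prop` (removed in the vendor_init.te hunk) and now reaches them through its existing `set_prop(vendor_init, vendor_modem_prop)`. In the other direction, the hal_dumpstate_default.te hunk gives `hal_dumpstate_default` read access to all of `vendor_modem_prop` where it had only the persistent subset. If the merge is intended, a comment above the entry such as `# persist.vendor.sys.modem.* shares vendor_modem_prop with the non-persistent modem properties` would make that explicit. If it is not, keeping the separate type and adding only the rules mds needs is the narrower fix.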
From: Kris Chen Date: Thu, 18 Mar 2021 19:23:54 +0800 Subject: [PATCH 063/921] Allow fingerprint hal to access fingerprint device Fixes the following avc denials: 03-18 10:57:10.612 947 947 I android.hardwar: type=1400 audit(0.0:8): avc: denied { open } for path="/dev/goodix_fp" dev="tmpfs" ino=482 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 03-18 10:57:10.632 947 947 I android.hardwar: type=1400 audit(0.0:9): avc: denied { ioctl } for path="/dev/goodix_fp" dev="tmpfs" ino=482 ioctlcmd=0x6707 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 03-18 10:57:13.672 947 947 I android.hardwar: type=1400 audit(0.0:14): avc: denied { ioctl } for path="/dev/goodix_fp" dev="tmpfs" ino=482 ioctlcmd=0x6706 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 03-18 10:57:32.704 947 947 I HwBinder:947_1: type=1400 audit(0.0:26): avc: denied { ioctl } for path="/dev/goodix_fp" dev="tmpfs" ino=482 ioctlcmd=0x6705 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 Bug: 171943101 Test: No above avc denials in logcat. Change-Id: I254a01a2c11fcaba9ad3f387862a8d0ddafffd38 --- whitechapel/vendor/google/device.te | 3 +++ whitechapel/vendor/google/file_contexts | 3 +++ whitechapel/vendor/google/hal_fingerprint_default.te | 2 ++ 3 files changed, 8 insertions(+) create mode 100644 whitechapel/vendor/google/hal_fingerprint_default.te diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index 9287dd13..6741c49b 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -53,3 +53,6 @@ type sscoredump_device, dev_type; # AOC device type aoc_device, dev_type; + +# Fingerprint device +type fingerprint_device, dev_type; 
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 0c1822ae..9777744e 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -415,3 +415,6 @@ # BigOcean /dev/bigocean u:object_r:video_device:s0 + +# Fingerprint +/dev/goodix_fp u:object_r:fingerprint_device:s0 diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te new file mode 100644 index 00000000..9e2ecb96 --- /dev/null +++ b/whitechapel/vendor/google/hal_fingerprint_default.te @@ -0,0 +1,2 @@ +allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms; + From fa11af6a07bcfb0ed19a1413bc5dcb44e451c23b Mon Sep 17 00:00:00 2001 From: David Li Date: Thu, 18 Mar 2021 22:03:31 +0800 Subject: [PATCH 064/921] audio: add /dev/acd-audio_dcdoff_ref for audio effect visualizer Set /dev/acd-audio_dcdoff_ref as u:object_r:aoc_device:s0 crw-rw---- 1 system audio u:object_r:aoc_device:s0 500, 29 2021-03-18 22:19 /dev/acd-audio_dcdoff_ref Bug: 180984363 Bug: 165719427 Test: make -j128 Test: ls -alZ /dev/acd-audio_dcdoff_ref Change-Id: If7cd3ef99885730287648afebb222d4f925d325e --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 573fa93a..0c635a3a 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -302,6 +302,7 @@ /dev/acd-model_data u:object_r:aoc_device:s0 /dev/acd-debug u:object_r:aoc_device:s0 /dev/acd-audio_tap[0-9]* u:object_r:aoc_device:s0 +/dev/acd-audio_dcdoff_ref u:object_r:aoc_device:s0 # Trusty /vendor/bin/securedpud.slider u:object_r:securedpud_slider_exec:s0 From 857ea2e0643525a4b766e574ef58cc2bd68c69bb Mon Sep 17 00:00:00 2001 
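Review bot: `rw_file_perms` on `fingerprint_device:chr_file` in the new hal_fingerprint_default.te includes `ioctl`, and with no `allowxperm` rule that permits every ioctl command the driver implements. The denials quoted in the commit message show three commands, 0x6705, 0x6706 and 0x6707; if that is the full set the HAL needs (to be confirmed against the driver), `allowxperm hal_fingerprint_default fingerprint_device:chr_file ioctl { 0x6705-0x6707 };` would restrict the HAL to them. The new file also has no comment; a header such as `# Goodix fingerprint sensor node, labelled in file_contexts as /dev/goodix_fp` would tie the rule to the device entry.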
From: Adam Shih Date: Fri, 19 Mar 2021 10:52:09 +0800 Subject: [PATCH 065/921] update error on ROM 7219510 Bug: 183161715 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: Id5c7856e7b77600f47df652a95ac342f11c924f5 --- tracking_denials/priv_app.te | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te index 56a2bbe9..5d984478 100644 --- a/tracking_denials/priv_app.te +++ b/tracking_denials/priv_app.te @@ -1,3 +1,10 @@ # b/180858511 dontaudit priv_app hal_neuralnetworks_armnn:binder { call }; dontaudit priv_app hal_neuralnetworks_armnn:binder { call }; +# b/183161715 +dontaudit priv_app vendor_default_prop:file { open }; +dontaudit priv_app vendor_default_prop:file { getattr }; +dontaudit priv_app vendor_default_prop:file { map }; +dontaudit priv_app vendor_default_prop:file { open }; +dontaudit priv_app vendor_default_prop:file { getattr }; +dontaudit priv_app vendor_default_prop:file { map }; From 9c3d77d0881a800396163f17ef2cb2ffc43b4f31 Mon Sep 17 00:00:00 2001 From: George Lee Date: Mon, 15 Mar 2021 09:16:37 -0700 Subject: [PATCH 066/921] power: Add policy to access sysfs_bcl Bug: 180620276 Test: adb bugreport dumpstate_board.txt shows: ------ BCL (/sys/devices/virtual/pmic/mitigation/triggered_stats) ------ Source Count Last Triggered Last SOC Last Voltage smpl_warn 0 0 0 0 ocp_cpu1 0 0 0 0 ocp_cpu2 0 0 0 0 soft_ocp_cpu1 0 0 0 0 soft_ocp_cpu2 0 0 0 0 ocp_tpu 0 0 0 0 soft_ocp_tpu 0 0 0 0 pmic_120c 0 0 0 0 pmic_140c 0 0 0 0 pmic_overheat 0 0 0 0 ocp_gpu 0 0 0 0 soft_ocp_gpu 0 0 0 0 ------ IF PMIC (/sys/devices/virtual/pmic/max77759-mitigation/triggered_stats) ------ Source Count Last Triggered Last SOC Last Voltage VDROOP1 0 0 0 0 VDROOP2 0 0 0 0 BATOILO 0 0 0 0 
Signed-off-by: George Lee Change-Id: If7874e19b8202175071d474502e77748168565ce --- whitechapel/vendor/google/file.te | 3 +++ whitechapel/vendor/google/genfs_contexts | 8 ++++++++ whitechapel/vendor/google/hal_dumpstate_default.te | 4 ++++ 3 files changed, 15 insertions(+) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 8a71cc1e..37fa6efb 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -159,6 +159,9 @@ type sysfs_chargelevel, sysfs_type, fs_type; type odpm_config_file, file_type, data_file_type; type sysfs_odpm, sysfs_type, fs_type; +# bcl +type sysfs_bcl, sysfs_type, fs_type; + # Chosen type sysfs_chosen, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 096e780e..a48b4a1f 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -127,6 +127,14 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-mete genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +# bcl sysfs files +genfscon sysfs /devices/virtual/pmic/mitigation/triggered_stats u:object_r:sysfs_bcl:s0 +genfscon sysfs /devices/virtual/pmic/mitigation/mpmm_settings u:object_r:sysfs_bcl:s0 +genfscon sysfs /devices/virtual/pmic/mitigation/ppm_settings u:object_r:sysfs_bcl:s0 +genfscon sysfs /devices/virtual/pmic/mitigation/clk_ratio u:object_r:sysfs_bcl:s0 +genfscon sysfs /devices/virtual/pmic/mitigation/clk_stats u:object_r:sysfs_bcl:s0 +genfscon sysfs /devices/virtual/pmic/max77759-mitigation/triggered_stats u:object_r:sysfs_bcl:s0 + # Chosen genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0 
diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index a72f1257..ad7ec061 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -118,6 +118,10 @@ userdebug_or_eng(` allow hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms; allow hal_dumpstate_default vendor_votable_debugfs:file r_file_perms; + + allow hal_dumpstate_default sysfs_bcl:dir r_dir_perms; + allow hal_dumpstate_default sysfs_bcl:file r_file_perms; + allow hal_dumpstate_default sysfs_bcl:lnk_file read; ') dontaudit hal_dumpstate_default vendor_ion_debugfs:dir r_dir_perms; From 8d2feed7ed1f62bf8ef9c0059b8527194787e03e Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 18 Mar 2021 10:50:35 +0800 Subject: [PATCH 067/921] label missing vibrator sys nodes Bug: 182954060 Test: boot with no avc error found Change-Id: I1ffd97c6646d106c88efe36bfb4483ae44415eaa --- tracking_denials/hal_vibrator_default.te | 13 ------------- whitechapel/vendor/google/genfs_contexts | 1 + 2 files changed, 1 insertion(+), 13 deletions(-) delete mode 100644 tracking_denials/hal_vibrator_default.te diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te deleted file mode 100644 index 58df632c..00000000 --- a/tracking_denials/hal_vibrator_default.te +++ /dev/null 
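Review bot: The `sysfs_bcl:dir r_dir_perms` and `sysfs_bcl:lnk_file read` rules may grant nothing, because the genfs_contexts hunk of this patch labels individual nodes (`triggered_stats`, `clk_ratio`, and so on) and not the `mitigation` directories that contain them. The test output in the commit message reads `triggered_stats` as a plain file, so `allow hal_dumpstate_default sysfs_bcl:file r_file_perms;` is probably the only rule in use; whether any labelled path is a directory or a symlink is not visible here. Dropping the unused rules, or labelling `/devices/virtual/pmic/mitigation` as a whole if a directory listing is needed, would make the policy match what is actually read. The `userdebug_or_eng` block these lines join starts before the hunk.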
@@ -1,13 +0,0 @@ -# b/174961422 -dontaudit hal_vibrator_default property_type:file * ; -# b/182954060 -dontaudit hal_vibrator_default sysfs:file { getattr }; -dontaudit hal_vibrator_default sysfs:file { getattr }; -dontaudit hal_vibrator_default sysfs:file { getattr }; -dontaudit hal_vibrator_default sysfs:file { getattr }; -dontaudit hal_vibrator_default sysfs:file { getattr }; -dontaudit hal_vibrator_default sysfs:file { open }; -dontaudit hal_vibrator_default sysfs:file { read write }; -dontaudit hal_vibrator_default sysfs:file { open }; -dontaudit hal_vibrator_default sysfs:file { read write }; -dontaudit hal_vibrator_default sysfs:file { getattr }; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index f375342d..d0b478a4 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -59,6 +59,7 @@ genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object # Vibrator genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-005a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043 u:object_r:sysfs_vibrator:s0 # System_suspend genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 From 09996bc81060567cad8bdca500b350eec1341bca Mon Sep 17 00:00:00 2001 
From: Kris Chen Date: Thu, 18 Mar 2021 19:34:42 +0800 Subject: [PATCH 068/921] Add sepolicy rules for fingerprint hal Fixes the following avc denials: 03-18 11:23:15.692 956 956 I android.hardwar: type=1400 audit(0.0:7): avc: denied { read write } for name="trusty-ipc-dev0" dev="tmpfs" ino=691 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:tee_device:s0 tclass=chr_file permissive=1 03-18 11:23:15.692 956 956 I android.hardwar: type=1400 audit(0.0:8): avc: denied { open } for path="/dev/trusty-ipc-dev0" dev="tmpfs" ino=691 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:tee_device:s0 tclass=chr_file permissive=1 03-18 11:23:15.692 956 956 I android.hardwar: type=1400 audit(0.0:9): avc: denied { ioctl } for path="/dev/trusty-ipc-dev0" dev="tmpfs" ino=691 ioctlcmd=0x7280 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:tee_device:s0 tclass=chr_file permissive=1 03-18 11:40:56.072 973 973 I fingerprint@2.1: type=1400 audit(0.0:39): avc: denied { search } for name="battery" dev="sysfs" ino=66502 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1 03-18 11:40:56.072 973 973 I fingerprint@2.1: type=1400 audit(0.0:40): avc: denied { read } for name="temp" dev="sysfs" ino=66520 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1 03-18 11:40:56.072 973 973 I fingerprint@2.1: type=1400 audit(0.0:41): avc: denied { open } for path="/sys/devices/platform/google,battery/power_supply/battery/temp" dev="sysfs" ino=66520 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1 03-18 14:11:23.476 979 979 I fingerprint@2.1: type=1400 audit(0.0:13): avc: denied { search } for name="battery" dev="sysfs" ino=66502 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1 03-18 12:03:08.248 978 978 I android.hardwar: type=1400 audit(0.0:9): avc: denied 
{ create } for scontext=u:r:hal_fingerprint_default:s0 tcontext=u:r:hal_fingerprint_default:s0 tclass=netlink_socket permissive=1 03-18 12:03:08.248 978 978 I android.hardwar: type=1400 audit(0.0:10): avc: denied { bind } for scontext=u:r:hal_fingerprint_default:s0 tcontext=u:r:hal_fingerprint_default:s0 tclass=netlink_socket permissive=1 03-18 12:03:08.248 978 978 I android.hardwar: type=1400 audit(0.0:11): avc: denied { write } for scontext=u:r:hal_fingerprint_default:s0 tcontext=u:r:hal_fingerprint_default:s0 tclass=netlink_socket permissive=1 03-18 12:03:08.248 978 978 I android.hardwar: type=1400 audit(0.0:12): avc: denied { read } for scontext=u:r:hal_fingerprint_default:s0 tcontext=u:r:hal_fingerprint_default:s0 tclass=netlink_socket permissive=1 03-18 12:56:30.446 404 404 E SELinux : avc: denied { add } for interface=vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon sid=u:r:hal_fingerprint_default:s0 pid=967 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:default_android_hwservice:s0 tclass=hwservice_manager permissive=1 Bug: 171943101 Test: No above avc denials in logcat. Change-Id: I67b397f86c39625b77ebe6d32d37e42cd87b3f93 --- tracking_denials/hal_fingerprint_default.te | 52 ------------------- .../vendor/google/hal_fingerprint_default.te | 6 ++- whitechapel/vendor/google/hwservice.te | 3 ++ whitechapel/vendor/google/hwservice_contexts | 3 ++ 4 files changed, 11 insertions(+), 53 deletions(-) delete mode 100644 tracking_denials/hal_fingerprint_default.te diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te deleted file mode 100644 index 0fced323..00000000 --- a/tracking_denials/hal_fingerprint_default.te +++ /dev/null 
@@ -1,52 +0,0 @@
-# b/174438167
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { read };
-dontaudit hal_fingerprint_default tee_device:chr_file { ioctl };
-dontaudit hal_fingerprint_default system_data_root_file:file { read };
-dontaudit hal_fingerprint_default system_data_root_file:file { open };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { create };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { bind };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { write };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { read };
-dontaudit hal_fingerprint_default tee_device:chr_file { open };
-dontaudit hal_fingerprint_default tee_device:chr_file { ioctl };
-dontaudit hal_fingerprint_default tee_device:chr_file { open };
-dontaudit hal_fingerprint_default tee_device:chr_file { read write };
-dontaudit hal_fingerprint_default device:chr_file { open };
-dontaudit hal_fingerprint_default device:chr_file { read write };
-dontaudit hal_fingerprint_default tee_device:chr_file { read write };
-dontaudit hal_fingerprint_default device:chr_file { ioctl };
-dontaudit hal_fingerprint_default device:chr_file { open };
-dontaudit hal_fingerprint_default system_data_root_file:file { read };
-dontaudit hal_fingerprint_default system_data_root_file:file { open };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { create };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { bind };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { write };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { read };
-dontaudit hal_fingerprint_default device:chr_file { ioctl };
-dontaudit hal_fingerprint_default device:chr_file { read write };
-# b/174714991
-dontaudit hal_fingerprint_default system_data_file:file { read };
-dontaudit hal_fingerprint_default system_data_file:file { open };
-dontaudit hal_fingerprint_default system_data_file:file { read };
-dontaudit hal_fingerprint_default system_data_file:file { open };
-# b/177966377
-dontaudit hal_fingerprint_default default_prop:file { getattr };
-dontaudit hal_fingerprint_default default_prop:file { map };
-dontaudit hal_fingerprint_default default_prop:file { open };
-dontaudit hal_fingerprint_default default_prop:file { read };
-dontaudit hal_fingerprint_default default_prop:file { map };
-dontaudit hal_fingerprint_default default_prop:file { getattr };
-dontaudit hal_fingerprint_default default_android_hwservice:hwservice_manager { add };
-dontaudit hal_fingerprint_default default_prop:file { open };
-dontaudit hal_fingerprint_default default_prop:file { read };
-# b/180655836
-dontaudit hal_fingerprint_default system_data_root_file:dir { write };
-dontaudit hal_fingerprint_default system_data_root_file:file { write };
-dontaudit hal_fingerprint_default system_data_root_file:file { create };
-dontaudit hal_fingerprint_default system_data_root_file:dir { create };
-dontaudit hal_fingerprint_default system_data_root_file:dir { write };
-dontaudit hal_fingerprint_default system_data_root_file:file { write };
-dontaudit hal_fingerprint_default system_data_root_file:file { create };
-dontaudit hal_fingerprint_default system_data_root_file:dir { create };
-dontaudit hal_fingerprint_default system_data_root_file:dir { add_name };
-dontaudit hal_fingerprint_default system_data_root_file:dir { add_name };
diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te
index 9e2ecb96..d22b6b0f 100644
--- a/whitechapel/vendor/google/hal_fingerprint_default.te
+++ b/whitechapel/vendor/google/hal_fingerprint_default.te
@@ -1,2 +1,6 @@ allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms; - +allow hal_fingerprint_default tee_device:chr_file rw_file_perms; +allow hal_fingerprint_default sysfs_batteryinfo:file r_file_perms; +allow hal_fingerprint_default sysfs_batteryinfo:dir search; +allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl; +add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice) diff --git a/whitechapel/vendor/google/hwservice.te b/whitechapel/vendor/google/hwservice.te index 0b489022..fc52990a 100644 --- a/whitechapel/vendor/google/hwservice.te +++ b/whitechapel/vendor/google/hwservice.te @@ -18,3 +18,6 @@ type hal_wlc_hwservice, hwservice_manager_type; # Bluetooth HAL extension type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type; + +# Fingerprint +type hal_fingerprint_ext_hwservice, hwservice_manager_type; diff --git a/whitechapel/vendor/google/hwservice_contexts b/whitechapel/vendor/google/hwservice_contexts index 64a59cb6..dfe9cfb5 100644 --- a/whitechapel/vendor/google/hwservice_contexts +++ b/whitechapel/vendor/google/hwservice_contexts @@ -26,3 +26,6 @@ vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_w # Bluetooth HAL extension hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0 hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0 + +# Fingerprint +vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0 From ac6b1273e42be3e6639e6bde802d68d67e37a9a3 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 19 Mar 2021 11:58:39 +0800 Subject: [PATCH 069/921] remove workaround as vendor_init is ready Bug: 171942789 Test: boot under enforcing ROM Change-Id: If4bb070ecf2272dd927ceaeda1882d2fad62b4c3 --- tracking_denials/vendor_init.te | 12 ------------ 1 file changed, 12 deletions(-) 
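Review bot: The new allow rules in whitechapel/vendor/google/hal_fingerprint_default.te carry no comments, and `allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;` in particular grants the generic netlink class without saying which kernel interface the HAL talks to. The denials quoted in the commit message name the concrete objects, so each rule can be annotated from them, e.g. `# /dev/trusty-ipc-dev0` above the tee_device rule and `# /sys/devices/platform/google,battery/power_supply/battery/temp` above the two sysfs_batteryinfo rules. The only ioctl logged on tee_device is `ioctlcmd=0x7280`; if that is the full set the HAL needs, an `allowxperm` line for tee_device would keep the ioctl surface to what was observed.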
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index b30930a8..1c9ed031 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -2,17 +2,5 @@ dontaudit vendor_init tmpfs:dir { add_name write }; # b/176528557 dontaudit vendor_init debugfs_trace_marker:file { getattr }; -userdebug_or_eng(` - permissive vendor_init; -') -# b/178980032 -dontaudit vendor_init unlabeled:dir { setattr }; -dontaudit vendor_init unlabeled:dir { read }; -dontaudit vendor_init unlabeled:dir { search }; -dontaudit vendor_init unlabeled:dir { search }; -dontaudit vendor_init unlabeled:dir { open }; -dontaudit vendor_init unlabeled:dir { read }; -dontaudit vendor_init unlabeled:dir { setattr }; -dontaudit vendor_init unlabeled:dir { open }; # b/182954248 dontaudit vendor_init default_prop:file { read }; From b64032615463fb5dc4803514c64fadd8505c2e0c Mon Sep 17 00:00:00 2001 From: Alex Hong Date: Mon, 15 Mar 2021 20:05:06 +0800 Subject: [PATCH 070/921] Add the sepolicy for UWB hal Bug: 182727934 Test: $ make selinux_policy Push SELinux modules and check the denials during boot Change-Id: I630e6e353897a85d1b90c7d8a4250703a4c3a245 --- whitechapel/vendor/google/file_contexts | 4 ++++ whitechapel/vendor/google/hal_uwb_default.te | 3 +++ 2 files changed, 7 insertions(+) create mode 100644 whitechapel/vendor/google/hal_uwb_default.te diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 3e0a509b..d9862336 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -330,6 +330,10 @@ # GRIL /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 +# Uwb +# R4 +/vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_default_exec:s0 + # Radio files. /data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 
diff --git a/whitechapel/vendor/google/hal_uwb_default.te b/whitechapel/vendor/google/hal_uwb_default.te new file mode 100644 index 00000000..bb825e38 --- /dev/null +++ b/whitechapel/vendor/google/hal_uwb_default.te @@ -0,0 +1,3 @@ +type hal_uwb_default, domain; +type hal_uwb_default_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(hal_uwb_default) From a334f079ccaab052b95895fde13460ae6ab5a860 Mon Sep 17 00:00:00 2001 From: Christine Franks Date: Fri, 19 Mar 2021 15:31:20 -0700 Subject: [PATCH 071/921] Add uhid access for exo This is required to write input events to /dev/uinput. Bug: 182854143 Test: n/a Change-Id: Icd9714a61be62d40d1b3e5e9d7dcb33ce5f0bf6b --- ambient/exo_app.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ambient/exo_app.te b/ambient/exo_app.te index 941f09ae..f21b7cb2 100644 --- a/ambient/exo_app.te +++ b/ambient/exo_app.te @@ -12,6 +12,8 @@ allow exo_app fwk_stats_hwservice:hwservice_manager find; allow exo_app mediametrics_service:service_manager find; allow exo_app gpu_device:dir search; +allow exo_app uhid_device:chr_file rw_file_perms; + binder_call(exo_app, statsd) get_prop(exo_app, device_config_runtime_native_boot_prop) From 38e55f2331bbddc82a797a6ee1f13967ca3f2f8c Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 22 Mar 2021 09:52:45 +0800 Subject: [PATCH 072/921] update error on ROM 7225160 Bug: 183338483 Bug: 183338543 Bug: 183338421 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I16548c00f2a2c38b190664a5cc20ae67d04a8454 --- tracking_denials/flags_health_check.te | 19 +++++++++++++++++++ tracking_denials/hal_fingerprint_default.te | 13 +++++++++++++ tracking_denials/pixelstats_vendor.te | 5 +++++ 3 files changed, 37 insertions(+) create mode 100644 tracking_denials/flags_health_check.te create mode 100644 tracking_denials/hal_fingerprint_default.te create mode 100644 tracking_denials/pixelstats_vendor.te 
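Review bot: The added `allow exo_app uhid_device:chr_file rw_file_perms;` lets an app domain open the device nodes labelled `uhid_device`, which is enough to register virtual input devices and inject input events, and the commit lists `Test: n/a`. The rule has no comment in ambient/exo_app.te, so the reason lives only in the commit message; I would add `# Write input events to /dev/uinput (b/182854143)` above it. `rw_file_perms` also brings in permissions beyond open and write, so it is worth checking which denials exo actually hits and listing only those. The rest of exo_app.te is outside the hunk.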
diff --git a/tracking_denials/flags_health_check.te b/tracking_denials/flags_health_check.te new file mode 100644 index 00000000..30e802b0 --- /dev/null +++ b/tracking_denials/flags_health_check.te @@ -0,0 +1,19 @@ +# b/183338483 +dontaudit flags_health_check aac_drc_prop:file { open }; +dontaudit flags_health_check adbd_config_prop:file { map }; +dontaudit flags_health_check adbd_config_prop:file { getattr }; +dontaudit flags_health_check adbd_config_prop:file { open }; +dontaudit flags_health_check ab_update_gki_prop:file { map }; +dontaudit flags_health_check ab_update_gki_prop:file { getattr }; +dontaudit flags_health_check aac_drc_prop:file { open }; +dontaudit flags_health_check aac_drc_prop:file { getattr }; +dontaudit flags_health_check aac_drc_prop:file { map }; +dontaudit flags_health_check ab_update_gki_prop:file { open }; +dontaudit flags_health_check ab_update_gki_prop:file { getattr }; +dontaudit flags_health_check ab_update_gki_prop:file { map }; +dontaudit flags_health_check adbd_config_prop:file { open }; +dontaudit flags_health_check adbd_config_prop:file { getattr }; +dontaudit flags_health_check adbd_config_prop:file { map }; +dontaudit flags_health_check ab_update_gki_prop:file { open }; +dontaudit flags_health_check aac_drc_prop:file { map }; +dontaudit flags_health_check aac_drc_prop:file { getattr }; diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te new file mode 100644 index 00000000..ed92cf9e --- /dev/null +++ b/tracking_denials/hal_fingerprint_default.te 
@@ -0,0 +1,13 @@ +# b/183338543 +dontaudit hal_fingerprint_default system_data_root_file:file { read }; +dontaudit hal_fingerprint_default default_prop:file { getattr }; +dontaudit hal_fingerprint_default default_prop:file { map }; +dontaudit hal_fingerprint_default default_prop:file { open }; +dontaudit hal_fingerprint_default default_prop:file { read }; +dontaudit hal_fingerprint_default system_data_root_file:file { open }; +dontaudit hal_fingerprint_default system_data_root_file:file { read }; +dontaudit hal_fingerprint_default default_prop:file { map }; +dontaudit hal_fingerprint_default default_prop:file { getattr }; +dontaudit hal_fingerprint_default default_prop:file { open }; +dontaudit hal_fingerprint_default default_prop:file { read }; +dontaudit hal_fingerprint_default system_data_root_file:file { open }; diff --git a/tracking_denials/pixelstats_vendor.te b/tracking_denials/pixelstats_vendor.te new file mode 100644 index 00000000..150de52c --- /dev/null +++ b/tracking_denials/pixelstats_vendor.te @@ -0,0 +1,5 @@ +# b/183338421 +dontaudit pixelstats_vendor sysfs_dma_heap:dir { search }; +dontaudit pixelstats_vendor sysfs_dma_heap:file { read }; +dontaudit pixelstats_vendor sysfs_dma_heap:file { open }; +dontaudit pixelstats_vendor sysfs_dma_heap:file { getattr }; From f05cdba220549a210ef6facd3224dcadf3ffafc8 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 22 Mar 2021 16:10:22 +0800 Subject: [PATCH 073/921] allow bootctl to read devinfo Bug: 182705986 Test: boot with no relevant log found Change-Id: I6d4c699fe1492f8fbcd5b8a9ba98da2fade57bd7 --- tracking_denials/hal_bootctl_default.te | 3 --- whitechapel/vendor/google/hal_bootctl_default.te | 1 + 2 files changed, 1 insertion(+), 3 deletions(-) delete mode 100644 tracking_denials/hal_bootctl_default.te diff --git a/tracking_denials/hal_bootctl_default.te b/tracking_denials/hal_bootctl_default.te deleted file mode 100644 index 27271c57..00000000 --- a/tracking_denials/hal_bootctl_default.te +++ /dev/null 
@@ -1,3 +0,0 @@ -# b/182705986 -dontaudit hal_bootctl_default devinfo_block_device:blk_file { open }; -dontaudit hal_bootctl_default devinfo_block_device:blk_file { read }; diff --git a/whitechapel/vendor/google/hal_bootctl_default.te b/whitechapel/vendor/google/hal_bootctl_default.te index 63741aed..fd5063f9 100644 --- a/whitechapel/vendor/google/hal_bootctl_default.te +++ b/whitechapel/vendor/google/hal_bootctl_default.te @@ -1 +1,2 @@ allow hal_bootctl_default sda_block_device:blk_file rw_file_perms; +allow hal_bootctl_default devinfo_block_device:blk_file r_file_perms; From d02e73b96676209eea1783999709448914de82e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Mon, 22 Mar 2021 16:21:36 -0700 Subject: [PATCH 074/921] Add lazy service binary to hal_camera_default domain. Avoids denial logs from init on service (re)start. See bug for details. Bug: 183441948 Test: Restarted the service Change-Id: I9ee9b8099d2ffae4d6a115552800fa844c192132 --- whitechapel/vendor/google/file_contexts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 3e0a509b..4009a55a 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -165,7 +165,8 @@ /data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0 # Camera -/vendor/bin/hw/android\.hardware\.camera\.provider@2\.7-service-google u:object_r:hal_camera_default_exec:s0 +/vendor/bin/hw/android\.hardware\.camera\.provider@2\.7-service-google u:object_r:hal_camera_default_exec:s0 +/vendor/bin/hw/android\.hardware\.camera\.provider@2\.7-service-google-lazy u:object_r:hal_camera_default_exec:s0 /vendor/lib64/camera u:object_r:vendor_camera_tuning_file:s0 /vendor/lib64/camera/ghawb_para_lut\.bin u:object_r:vendor_camera_tuning_file:s0 /vendor/lib64/camera/slider_.*\.binarypb u:object_r:vendor_camera_tuning_file:s0 
From 7314a7b522a8a058a6f87bb0fe74507d477d6c3a Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 23 Mar 2021 09:49:02 +0800 Subject: [PATCH 075/921] permissions required for OTA Bug: 183174452 Test: do OTA under enforcing mode Change-Id: I0edf7703713e24351f57ef0e68096ca03c59e6f8 --- whitechapel/vendor/google/file.te | 1 + whitechapel/vendor/google/genfs_contexts | 3 +++ whitechapel/vendor/google/hal_bootctl_default.te | 1 + whitechapel/vendor/google/update_engine.te | 3 +++ 4 files changed, 8 insertions(+) create mode 100644 whitechapel/vendor/google/update_engine.te diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 37fa6efb..7c1dae90 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -40,6 +40,7 @@ type vendor_battery_debugfs, fs_type, debugfs_type, sysfs_type; # Exynos sysfs type sysfs_exynos_bts, sysfs_type, fs_type; type sysfs_exynos_bts_stats, sysfs_type, fs_type; +type sysfs_ota, sysfs_type, fs_type; # Exynos Firmware type vendor_fw_file, vendor_file_type, file_type; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index dee5a5ac..4659e1d2 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -181,6 +181,9 @@ genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/4-0008/wakeup/wakeup genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +# OTA +genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 + # subsystem-coredump genfscon sysfs /class/sscoredump/level u:object_r:sscoredump_sysfs_level:s0 diff --git a/whitechapel/vendor/google/hal_bootctl_default.te b/whitechapel/vendor/google/hal_bootctl_default.te index fd5063f9..0e0c3c24 100644 
--- a/whitechapel/vendor/google/hal_bootctl_default.te +++ b/whitechapel/vendor/google/hal_bootctl_default.te @@ -1,2 +1,3 @@ allow hal_bootctl_default sda_block_device:blk_file rw_file_perms; allow hal_bootctl_default devinfo_block_device:blk_file r_file_perms; +allow hal_bootctl_default sysfs_ota:file rw_file_perms; diff --git a/whitechapel/vendor/google/update_engine.te b/whitechapel/vendor/google/update_engine.te new file mode 100644 index 00000000..a403d9e4 --- /dev/null +++ b/whitechapel/vendor/google/update_engine.te @@ -0,0 +1,3 @@ +allow update_engine custom_ab_block_device:blk_file rw_file_perms; +allow update_engine modem_block_device:blk_file rw_file_perms; +allow update_engine proc_bootconfig:file r_file_perms; From fd45b5ef27a418d2bd0f86c33467b8dee9967b1c Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 23 Mar 2021 14:17:23 +0800 Subject: [PATCH 076/921] permission required for adb sideload to work Bug: 183174452 Test: do adb sideload under enforcing mode Change-Id: I2ba05b22729894d2677859fd33a6370f2ff9d409 --- whitechapel/vendor/google/recovery.te | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 whitechapel/vendor/google/recovery.te diff --git a/whitechapel/vendor/google/recovery.te b/whitechapel/vendor/google/recovery.te new file mode 100644 index 00000000..6eb97aa3 --- /dev/null +++ b/whitechapel/vendor/google/recovery.te @@ -0,0 +1,3 @@ +recovery_only(` + allow recovery sysfs_ota:file rw_file_perms; +') From 01376cbe0656394432ea4ab12afc0aed3ff6746e Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 23 Mar 2021 14:55:43 +0800 Subject: [PATCH 077/921] update error on ROM 7228492 Bug: 183467306 Bug: 183467321 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: Ia8473c1a4e1f56cc52bc765dea56e3bc497c7cc9 --- tracking_denials/flags_health_check.te | 2 ++ tracking_denials/modem_svc_sit.te | 19 +++++++++++++++++++ 2 files changed, 21 insertions(+) create mode 100644 tracking_denials/modem_svc_sit.te 
diff --git a/tracking_denials/flags_health_check.te b/tracking_denials/flags_health_check.te index 30e802b0..014fa7e8 100644 --- a/tracking_denials/flags_health_check.te +++ b/tracking_denials/flags_health_check.te @@ -17,3 +17,5 @@ dontaudit flags_health_check adbd_config_prop:file { map }; dontaudit flags_health_check ab_update_gki_prop:file { open }; dontaudit flags_health_check aac_drc_prop:file { map }; dontaudit flags_health_check aac_drc_prop:file { getattr }; +# b/183467306 +dontaudit flags_health_check property_type:file *; diff --git a/tracking_denials/modem_svc_sit.te b/tracking_denials/modem_svc_sit.te new file mode 100644 index 00000000..dac076c7 --- /dev/null +++ b/tracking_denials/modem_svc_sit.te @@ -0,0 +1,19 @@ +# b/183467321 +dontaudit modem_svc_sit mnt_vendor_file:dir { search }; +dontaudit modem_svc_sit modem_userdata_file:file { write open }; +dontaudit modem_svc_sit modem_userdata_file:file { create }; +dontaudit modem_svc_sit modem_userdata_file:dir { add_name }; +dontaudit modem_svc_sit modem_userdata_file:dir { getattr }; +dontaudit modem_svc_sit modem_userdata_file:dir { search }; +dontaudit modem_svc_sit modem_userdata_file:dir { write }; +dontaudit modem_svc_sit modem_userdata_file:dir { remove_name }; +dontaudit modem_svc_sit modem_userdata_file:file { unlink }; +dontaudit modem_svc_sit modem_userdata_file:dir { getattr }; +dontaudit modem_svc_sit modem_userdata_file:dir { add_name }; +dontaudit modem_svc_sit modem_userdata_file:file { create }; +dontaudit modem_svc_sit modem_userdata_file:file { write open }; +dontaudit modem_svc_sit modem_userdata_file:file { unlink }; +dontaudit modem_svc_sit modem_userdata_file:dir { remove_name }; +dontaudit modem_svc_sit modem_userdata_file:dir { write }; +dontaudit modem_svc_sit modem_userdata_file:dir { search }; +dontaudit modem_svc_sit mnt_vendor_file:dir { search }; From b4fbecb9fbf3a23b615b828967188b2b90aed2da Mon Sep 17 00:00:00 2001 
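Review bot: The added `dontaudit flags_health_check property_type:file *;` silences every file permission on every property type for this domain, so it will also hide denials that have nothing to do with b/183467306 and it makes the per-property lines earlier in the file redundant. The denials recorded so far in this file are only `open`, `getattr` and `map`, so a narrower form such as `dontaudit flags_health_check property_type:file { getattr map open };` would suppress the same noise. Since the file sits under tracking_denials/, a comment saying that the rule is temporary and is to be removed when the bug is resolved would help the next cleanup pass.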
From: SalmaxChang Date: Tue, 23 Mar 2021 15:11:38 +0800 Subject: [PATCH 078/921] modem_svc_sit: Fix avc errors avc: denied { search } for comm="modem_svc_sit" name="vendor" dev="tmpfs" ino=2 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir avc: denied { write open } for path="/mnt/vendor/modem_userdata/replay/dds.bin" dev="sda7" ino=14 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:modem_userdata_file:s0 tclass=file avc: denied { remove_name } for name="dds.bin" dev="sda7" ino=14 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:modem_userdata_file:s0 tclass=dir Bug: 183467321 Change-Id: Ic5b8fcf324bb0a8b0f6312b3ae755d73a53f0e9c --- tracking_denials/modem_svc_sit.te | 19 ------------------- whitechapel/vendor/google/modem_svc_sit.te | 4 ++++ 2 files changed, 4 insertions(+), 19 deletions(-) delete mode 100644 tracking_denials/modem_svc_sit.te diff --git a/tracking_denials/modem_svc_sit.te b/tracking_denials/modem_svc_sit.te deleted file mode 100644 index dac076c7..00000000 --- a/tracking_denials/modem_svc_sit.te +++ /dev/null 
@@ -1,19 +0,0 @@ -# b/183467321 -dontaudit modem_svc_sit mnt_vendor_file:dir { search }; -dontaudit modem_svc_sit modem_userdata_file:file { write open }; -dontaudit modem_svc_sit modem_userdata_file:file { create }; -dontaudit modem_svc_sit modem_userdata_file:dir { add_name }; -dontaudit modem_svc_sit modem_userdata_file:dir { getattr }; -dontaudit modem_svc_sit modem_userdata_file:dir { search }; -dontaudit modem_svc_sit modem_userdata_file:dir { write }; -dontaudit modem_svc_sit modem_userdata_file:dir { remove_name }; -dontaudit modem_svc_sit modem_userdata_file:file { unlink }; -dontaudit modem_svc_sit modem_userdata_file:dir { getattr }; -dontaudit modem_svc_sit modem_userdata_file:dir { add_name }; -dontaudit modem_svc_sit modem_userdata_file:file { create }; -dontaudit modem_svc_sit modem_userdata_file:file { write open }; -dontaudit modem_svc_sit modem_userdata_file:file { unlink }; -dontaudit modem_svc_sit modem_userdata_file:dir { remove_name }; -dontaudit modem_svc_sit modem_userdata_file:dir { write }; -dontaudit modem_svc_sit modem_userdata_file:dir { search }; -dontaudit modem_svc_sit mnt_vendor_file:dir { search }; diff --git a/whitechapel/vendor/google/modem_svc_sit.te b/whitechapel/vendor/google/modem_svc_sit.te index 9ee5976f..eeba9976 100644 --- a/whitechapel/vendor/google/modem_svc_sit.te +++ b/whitechapel/vendor/google/modem_svc_sit.te @@ -16,6 +16,10 @@ allow modem_svc_sit radio_vendor_data_file:dir create_dir_perms; allow modem_svc_sit radio_vendor_data_file:file create_file_perms; allow modem_svc_sit modem_stat_data_file:file create_file_perms; +allow modem_svc_sit mnt_vendor_file:dir search; +allow modem_svc_sit modem_userdata_file:dir create_dir_perms; +allow modem_svc_sit modem_userdata_file:file create_file_perms; + # RIL property get_prop(modem_svc_sit, vendor_rild_prop) From 6516f369ff2b4a201104fcfa30bf79ef7ebe84d8 Mon Sep 17 00:00:00 2001 
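Review bot: `allow modem_svc_sit modem_userdata_file:dir create_dir_perms;` grants more than the denials show. The removed tracking file and the commit message list only `search`, `getattr`, `write`, `add_name` and `remove_name` on the directory, with `create`, `write open` and `unlink` on files. Unless the service creates or removes the replay directory itself, `allow modem_svc_sit modem_userdata_file:dir rw_dir_perms;` covers the observed accesses without directory create, rmdir or setattr. A one-line comment naming the path from the denial (`/mnt/vendor/modem_userdata/replay/`) would also document why the three rules exist.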
From: labib Date: Mon, 22 Mar 2021 05:12:40 +0800 Subject: [PATCH 079/921] Add se-policy for new GRIL service and RadioExt hal APIs Bug: 172294179 Change-Id: I556657928caa441b3530bb371902d5f4ce0be257 --- whitechapel/vendor/google/genfs_contexts | 2 ++ whitechapel/vendor/google/grilservice_app.te | 4 +++- whitechapel/vendor/google/hal_radioext_default.te | 5 +++++ 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index dee5a5ac..8a99abbb 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -103,6 +103,8 @@ genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby # Display genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 # Modem genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0 diff --git a/whitechapel/vendor/google/grilservice_app.te b/whitechapel/vendor/google/grilservice_app.te index 9eb8b8e0..9b4eb3d3 100644 --- a/whitechapel/vendor/google/grilservice_app.te +++ b/whitechapel/vendor/google/grilservice_app.te 
@@ -1,8 +1,10 @@ type grilservice_app, domain; app_domain(grilservice_app) +allow grilservice_app app_api_service:service_manager find; +allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find; allow grilservice_app hal_radioext_hwservice:hwservice_manager find; allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find; -allow grilservice_app app_api_service:service_manager find; +binder_call(grilservice_app, hal_bluetooth_btlinux) binder_call(grilservice_app, hal_radioext_default) binder_call(grilservice_app, hal_wifi_ext) diff --git a/whitechapel/vendor/google/hal_radioext_default.te b/whitechapel/vendor/google/hal_radioext_default.te index 666d8db4..6ad0d042 100644 --- a/whitechapel/vendor/google/hal_radioext_default.te +++ b/whitechapel/vendor/google/hal_radioext_default.te @@ -10,3 +10,8 @@ binder_call(hal_radioext_default, grilservice_app) # RW /dev/oem_ipc0 allow hal_radioext_default radio_device:chr_file rw_file_perms; + +# RW MIPI Freq files +allow hal_radioext_default radio_vendor_data_file:dir create_dir_perms; +allow hal_radioext_default radio_vendor_data_file:file create_file_perms; +allow hal_radioext_default sysfs_display:file rw_file_perms; \ No newline at end of file From 421102574606c1d4feb4a3372051fe55c2e9a3ae Mon Sep 17 00:00:00 2001 
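Review bot: `allow hal_radioext_default sysfs_display:file rw_file_perms;` gives the RadioExt HAL write access to every node labelled `sysfs_display`, and the genfs_contexts hunk of this same commit shows that label already covers the two `gamma` nodes next to the new `hs_clock` entries. If the HAL only needs the MIPI clock files named in the comment, a dedicated type for the two `hs_clock` paths (name to be chosen by the policy owners) with the allow on that type would keep the grant to those files. The file also now ends without a trailing newline (`\ No newline at end of file`). The same genfscon lines come back in PATCH 083 after the revert, so the point applies there as well.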
From: Hongbo Zeng Date: Tue, 23 Mar 2021 16:26:28 +0800 Subject: [PATCH 080/921] Fix denials for ril_config_service_app - RilConfigService is a common google project in vendor/google/tools, sync related rules from the previous project(ag/6697240, ag/7153946) to allow it to: (1) receive intents (2) update database files under /data/vendor/radio (3) update RIL properties - Two new denials found in this project only: avc: denied { search } for name="data" dev="dm-7" ino=93 scontext=u:r:ril_config_service_app:s0 tcontext=u:object_r:system_data_file:s0:c512,c768 tclass=dir permissive=1 avc: denied { search } for name="0" dev="dm-7" ino=192 scontext=u:r:ril_config_service_app:s0 tcontext=u:object_r:user_profile_root_file:s0:c512,c768 tclass=dir permissive=1 Bug: 182715439 Test: apply these rules and check there is no denial for RilConfigService finally Change-Id: Icfb0e121d0d11600bda900dff0511187518105ab --- whitechapel/vendor/google/ril_config_service.te | 9 +++++++++ whitechapel/vendor/google/seapp_contexts | 3 +++ 2 files changed, 12 insertions(+) create mode 100644 whitechapel/vendor/google/ril_config_service.te diff --git a/whitechapel/vendor/google/ril_config_service.te b/whitechapel/vendor/google/ril_config_service.te new file mode 100644 index 00000000..125c8c33 --- /dev/null +++ b/whitechapel/vendor/google/ril_config_service.te @@ -0,0 +1,9 @@ +type ril_config_service_app, domain; +app_domain(ril_config_service_app) + +set_prop(ril_config_service_app, vendor_rild_prop) +allow ril_config_service_app app_api_service:service_manager find; +allow ril_config_service_app radio_vendor_data_file:dir rw_dir_perms; +allow ril_config_service_app radio_vendor_data_file:file create_file_perms; +dontaudit ril_config_service_app system_data_file:dir search; +dontaudit ril_config_service_app user_profile_root_file:dir search; diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index f22516fa..c845ce09 100644 
--- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts @@ -37,3 +37,6 @@ user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_ # Domain for connectivity monitor user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all + +# RIL Config Service +user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file From 97bfa35d4f0c550bb3194546e9b9513420eabf07 Mon Sep 17 00:00:00 2001 From: LABIB MD RASHID Date: Tue, 23 Mar 2021 19:00:57 +0000 Subject: [PATCH 081/921] Revert "Add se-policy for new GRIL service and RadioExt hal APIs" Revert "BT SAR client implementation for GRIL" Revert submission 13944227-gril-bt-sar Reason for revert: TreeHugger builds failing due to changes requiring se-linux permissions for GRIL. Need to add permissions for more devices before attempting this change again. Reverted Changes: I556657928:Add se-policy for new GRIL service and RadioExt ha... I96cf9176a:BT SAR client implementation for GRIL Change-Id: Ib800962d07d305a5a42ee40f019535f663beacd1 --- whitechapel/vendor/google/genfs_contexts | 2 -- whitechapel/vendor/google/grilservice_app.te | 4 +--- whitechapel/vendor/google/hal_radioext_default.te | 5 ----- 3 files changed, 1 insertion(+), 10 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 8a99abbb..dee5a5ac 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -103,8 +103,6 @@ genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby # Display genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 # Modem genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0 diff --git a/whitechapel/vendor/google/grilservice_app.te b/whitechapel/vendor/google/grilservice_app.te index 9b4eb3d3..9eb8b8e0 100644 --- a/whitechapel/vendor/google/grilservice_app.te +++ b/whitechapel/vendor/google/grilservice_app.te @@ -1,10 +1,8 @@ type grilservice_app, domain; app_domain(grilservice_app) -allow grilservice_app app_api_service:service_manager find; -allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find; allow grilservice_app hal_radioext_hwservice:hwservice_manager find; allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find; -binder_call(grilservice_app, hal_bluetooth_btlinux) +allow grilservice_app app_api_service:service_manager find; binder_call(grilservice_app, hal_radioext_default) binder_call(grilservice_app, hal_wifi_ext) diff --git a/whitechapel/vendor/google/hal_radioext_default.te b/whitechapel/vendor/google/hal_radioext_default.te index 6ad0d042..666d8db4 100644 --- a/whitechapel/vendor/google/hal_radioext_default.te +++ b/whitechapel/vendor/google/hal_radioext_default.te 
@@ -10,8 +10,3 @@ binder_call(hal_radioext_default, grilservice_app) # RW /dev/oem_ipc0 allow hal_radioext_default radio_device:chr_file rw_file_perms; - -# RW MIPI Freq files -allow hal_radioext_default radio_vendor_data_file:dir create_dir_perms; -allow hal_radioext_default radio_vendor_data_file:file create_file_perms; -allow hal_radioext_default sysfs_display:file rw_file_perms; \ No newline at end of file From fb862c088822b51580d59de9b9c180e4347dd5c9 Mon Sep 17 00:00:00 2001 From: Hridya Valsaraju Date: Tue, 23 Mar 2021 12:43:37 -0700 Subject: [PATCH 082/921] Allow Exoplayer access to the vstream-secure heap for secure playback Fixes the following denials: avc: denied { read } for name="vstream-secure" dev="tmpfs" ino=736 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:dmabuf_heap_device:s0 tclass=chr_file permissive=0 app=com.google.android.exoplayer.demo avc: denied { read } for name="vstream-secure" dev="tmpfs" ino=736 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:dmabuf_heap_device:s0 tclass=chr_file permissive=0 app=com.google.android.exoplayer.demo avc: denied { read } for name="vstream-secure" dev="tmpfs" ino=736 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:dmabuf_heap_device:s0 tclass=chr_file permissive=0 app=com.google.android.exoplayer.demo Bug: 178865267 Test: no more denials Change-Id: I6612bd56c49558b13e2ae72cfbf3552715729e7a Signed-off-by: Hridya Valsaraju --- whitechapel/vendor/google/file_contexts | 2 ++ whitechapel/vendor/google/untrusted_app_all.te | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index f7d448fd..9f1940db 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -412,6 +412,8 @@ /dev/dma_heap/video_system u:object_r:dmabuf_system_heap_device:s0 /dev/dma_heap/video_system-uncached u:object_r:dmabuf_system_heap_device:s0 +/dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0 + # Video sysfs files /sys/devices/platform/mfc/video4linux/video6/name u:object_r:sysfs_video:s0 /sys/devices/platform/mfc/video4linux/video7/name u:object_r:sysfs_video:s0 diff --git a/whitechapel/vendor/google/untrusted_app_all.te b/whitechapel/vendor/google/untrusted_app_all.te index 8e79515f..ae7386fc 100644 --- a/whitechapel/vendor/google/untrusted_app_all.te +++ b/whitechapel/vendor/google/untrusted_app_all.te @@ -4,3 +4,7 @@ allow untrusted_app_all edgetpu_service:service_manager find; # Allows applications to access the EdgeTPU device, except open, which is guarded # by the EdgeTPU service. allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map }; + +# Allows Exoplayer(and other applications) access to the vstream-secure DMA-BUF heap +# for secure video playback +allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms; From a0c5ec23059def5e777121503d797cf626f60c30 Mon Sep 17 00:00:00 2001 From: labib Date: Wed, 24 Mar 2021 06:16:03 +0800 Subject: [PATCH 083/921] Add se-policy for new GRIL service and RadioExt hal APIs Bug: 172294179 Change-Id: Ief4c7ec7959676126f35037006016e1454a34f5e --- whitechapel/vendor/google/genfs_contexts | 2 ++ whitechapel/vendor/google/grilservice_app.te | 4 +++- whitechapel/vendor/google/hal_radioext_default.te | 5 +++++ 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 4659e1d2..a4c1c58e 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
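Review bot: The rule added at the end of untrusted_app_all.te grants `r_file_perms` on `dmabuf_system_secure_heap_device` to every untrusted app domain, while the denials quoted in the commit message show only `read` from `untrusted_app_25`. The wider grant may be intended, since the comment says "and other applications", but the comment should state why third-party apps need the secure heap and what keeps the buffer contents protected, e.g. `# Needed to allocate protected buffers for secure playback; buffer contents stay inaccessible to the app (TODO confirm with heap owner)`. Because the same commit labels `/dev/dma_heap/vstream-secure` with this type in file_contexts, any heap later given that label inherits the app-wide grant.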
@@ -103,6 +103,8 @@ genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby # Display genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 # Modem genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0 diff --git a/whitechapel/vendor/google/grilservice_app.te b/whitechapel/vendor/google/grilservice_app.te index 9eb8b8e0..9b4eb3d3 100644 --- a/whitechapel/vendor/google/grilservice_app.te +++ b/whitechapel/vendor/google/grilservice_app.te @@ -1,8 +1,10 @@ type grilservice_app, domain; app_domain(grilservice_app) +allow grilservice_app app_api_service:service_manager find; +allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find; allow grilservice_app hal_radioext_hwservice:hwservice_manager find; allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find; -allow grilservice_app app_api_service:service_manager find; +binder_call(grilservice_app, hal_bluetooth_btlinux) binder_call(grilservice_app, hal_radioext_default) binder_call(grilservice_app, hal_wifi_ext) diff --git a/whitechapel/vendor/google/hal_radioext_default.te b/whitechapel/vendor/google/hal_radioext_default.te index 666d8db4..ff22f224 100644 --- a/whitechapel/vendor/google/hal_radioext_default.te +++ b/whitechapel/vendor/google/hal_radioext_default.te 
@@ -10,3 +10,8 @@ binder_call(hal_radioext_default, grilservice_app) # RW /dev/oem_ipc0 allow hal_radioext_default radio_device:chr_file rw_file_perms; + +# RW MIPI Freq files +allow hal_radioext_default radio_vendor_data_file:dir create_dir_perms; +allow hal_radioext_default radio_vendor_data_file:file create_file_perms; +allow hal_radioext_default sysfs_display:file rw_file_perms; From 77f6de6ea6c70983e893adde962b5edb014f82bd Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 23 Mar 2021 14:18:34 +0800 Subject: [PATCH 084/921] work around for uwb Bug: 171943668 Test: dw3000 kthread and uwb service came up fine Change-Id: I4288e07b9b9a2741bfe64b35bd4681ffe4a66039 --- tracking_denials/kernel.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te index 7d36d7fe..37288bc8 100644 --- a/tracking_denials/kernel.te +++ b/tracking_denials/kernel.te @@ -1,3 +1,7 @@ # b/182954062 dontaudit kernel kernel:perf_event { cpu }; dontaudit kernel kernel:perf_event { cpu }; +userdebug_or_eng(` + permissive kernel; + permissive hal_uwb_default; +') From d28724fdb124e350970bf44b19d9699819f450ec Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 24 Mar 2021 10:03:35 +0800 Subject: [PATCH 085/921] update error on ROM 7230950 Bug: 183560076 Bug: 183560282 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I329cd3f1e4c5eed986c21724bf42730bed46ab3b --- tracking_denials/crash_dump.te | 7 +++++++ tracking_denials/gmscore_app.te | 19 +++++++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 tracking_denials/crash_dump.te create mode 100644 tracking_denials/gmscore_app.te diff --git a/tracking_denials/crash_dump.te b/tracking_denials/crash_dump.te new file mode 100644 index 00000000..d2c860dc --- /dev/null +++ b/tracking_denials/crash_dump.te 
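Review bot: The last added rule in hal_radioext_default.te, `allow hal_radioext_default sysfs_display:file rw_file_perms;`, gives the HAL write access to every sysfs node labelled `sysfs_display`, not only the two `hs_clock` files this commit labels in genfs_contexts. The `gamma` entries visible in that genfs hunk carry the same type. A dedicated type for the MIPI clock nodes would keep the grant to what the `# RW MIPI Freq files` comment describes, for example `genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display_hs_clock:s0` plus a matching `type` declaration, where `sysfs_display_hs_clock` is a placeholder name. The two `radio_vendor_data_file` rules grant create permissions on the whole type, so the comment should also name the directory the HAL actually writes.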
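Review bot: The `userdebug_or_eng` block added to tracking_denials/kernel.te sets `permissive kernel;`, which turns off enforcement for the whole kernel domain on debug builds, and it sits under the `# b/182954062` comment that belongs to the perf_event dontaudit lines. Denials from kernel threads unrelated to UWB will be logged but no longer enforced on those builds, so policy gaps there may only show up as failures on user builds. I would tie the block to its own bug and mark it temporary with `# b/171943668: temporary until dw3000 kthread and hal_uwb_default denials are resolved`. Once the denials are collected, `permissive kernel;` should be replaced with the specific allow rules.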
@@ -0,0 +1,7 @@ +# b/183560076 +dontaudit crash_dump proc_uptime:file { read }; +dontaudit crash_dump proc_uptime:file { open }; +dontaudit crash_dump proc_uptime:file { getattr }; +dontaudit crash_dump proc_uptime:file { getattr }; +dontaudit crash_dump proc_uptime:file { open }; +dontaudit crash_dump proc_uptime:file { read }; diff --git a/tracking_denials/gmscore_app.te b/tracking_denials/gmscore_app.te new file mode 100644 index 00000000..e19fac87 --- /dev/null +++ b/tracking_denials/gmscore_app.te @@ -0,0 +1,19 @@ +# b/183560282 +dontaudit gmscore_app aac_drc_prop:file { map }; +dontaudit gmscore_app ab_update_gki_prop:file { open }; +dontaudit gmscore_app ab_update_gki_prop:file { getattr }; +dontaudit gmscore_app ab_update_gki_prop:file { map }; +dontaudit gmscore_app apexd_config_prop:file { open }; +dontaudit gmscore_app apexd_config_prop:file { getattr }; +dontaudit gmscore_app aac_drc_prop:file { getattr }; +dontaudit gmscore_app aac_drc_prop:file { open }; +dontaudit gmscore_app modem_img_file:filesystem { getattr }; +dontaudit gmscore_app modem_img_file:filesystem { getattr }; +dontaudit gmscore_app aac_drc_prop:file { open }; +dontaudit gmscore_app aac_drc_prop:file { getattr }; +dontaudit gmscore_app aac_drc_prop:file { map }; +dontaudit gmscore_app ab_update_gki_prop:file { open }; +dontaudit gmscore_app ab_update_gki_prop:file { getattr }; +dontaudit gmscore_app ab_update_gki_prop:file { map }; +dontaudit gmscore_app apexd_config_prop:file { open }; +dontaudit gmscore_app apexd_config_prop:file { getattr }; From 6efd563361d04440ee7c236a778e90466f15e865 Mon Sep 17 00:00:00 2001 
From: Jesse Hall Date: Tue, 23 Mar 2021 20:43:59 -0700 Subject: [PATCH 086/921] Remove tracking_denials/bootanim.te The action that was being denied no longer occurs. Bug: 180567480 Test: boot past bootanim, check audit log Change-Id: I58a1b307538a1198d69120c0797a9e0542f30bdf --- tracking_denials/bootanim.te | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 tracking_denials/bootanim.te diff --git a/tracking_denials/bootanim.te b/tracking_denials/bootanim.te deleted file mode 100644 index 2be251e3..00000000 --- a/tracking_denials/bootanim.te +++ /dev/null @@ -1,5 +0,0 @@ -# b/180567480 -dontaudit bootanim traced_producer_socket:sock_file { write }; -dontaudit bootanim traced:unix_stream_socket { connectto }; -dontaudit bootanim traced:unix_stream_socket { connectto }; -dontaudit bootanim traced_producer_socket:sock_file { write }; From 14d068b6405219bc9b40630eeb86ca08aa6a6300 Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Wed, 17 Mar 2021 19:07:15 +0800 Subject: [PATCH 087/921] vendor_init: Update tracking denials Bug: 176528556 Change-Id: I1ad621c14a1705420f63aeb63b0c68452d991f93 --- tracking_denials/vendor_init.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index 1c9ed031..18aa0927 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -1,5 +1,3 @@ -# b/176528556 -dontaudit vendor_init tmpfs:dir { add_name write }; # b/176528557 dontaudit vendor_init debugfs_trace_marker:file { getattr }; # b/182954248 From 692faeedaf6e58fa0caa8abfa1118c6e3c7695dc Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Wed, 24 Mar 2021 13:56:18 +0800 Subject: [PATCH 088/921] fix reset problem caused by ims Bug: 183209764 Test: unplug device, reboot, enter sim code and survived Change-Id: I23c39290731a76ec4a364e4f92d3994254d70eae --- whitechapel/vendor/google/rild.te | 1 + whitechapel/vendor/google/seapp_contexts | 4 ++-- whitechapel/vendor/google/vendor_ims_app.te | 8 ++++++++ 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/whitechapel/vendor/google/rild.te b/whitechapel/vendor/google/rild.te index edaa026b..d732e0ee 100644 --- a/whitechapel/vendor/google/rild.te +++ b/whitechapel/vendor/google/rild.te @@ -22,6 +22,7 @@ binder_call(rild, hal_audio_default) binder_call(rild, hal_secure_element_default) binder_call(rild, platform_app) binder_call(rild, modem_svc_sit) +binder_call(rild, vendor_ims_app) # for hal service add_hwservice(rild, hal_exynos_rild_hwservice) diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index c845ce09..1d89e802 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts @@ -7,8 +7,8 @@ user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_tel user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode domain=vendor_telephony_app levelFrom=all # Samsung S.LSI IMS -user=system seinfo=platform name=com.shannon.imsservice domain=vendor_ims_app -user=system seinfo=platform name=com.shannon.imsservice:remote domain=vendor_ims_app +user=_app seinfo=platform isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all +user=_app seinfo=platform isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_app levelFrom=all user=system seinfo=platform name=com.shannon.dataservice domain=vendor_ims_app user=system seinfo=platform name=com.shannon.networkservice domain=vendor_ims_app user=system seinfo=platform name=com.shannon.qualifiednetworksservice domain=vendor_ims_app 
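Review bot: The two changed `com.shannon.imsservice` entries in seapp_contexts now use `user=_app isPrivApp=true` with `levelFrom=all`, while the three `com.shannon.*` context lines below them stay `user=system` with no level, so `vendor_ims_app` becomes a domain shared by system-uid and app-uid processes. Every rule written for the domain applies to both kinds of process, including the `set_prop(vendor_ims_app, vendor_rild_prop)` and `binder_call(vendor_ims_app, rild)` that this commit adds in vendor_ims_app.te. A comment above the block stating which services need which identity would help, e.g. `# imsservice runs as a priv-app uid; data/network services remain system uid`, if that is the intent. If the remaining entries are meant to move as well, the commit message should say so.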
diff --git a/whitechapel/vendor/google/vendor_ims_app.te b/whitechapel/vendor/google/vendor_ims_app.te index 058450d0..5f74bfdc 100644 --- a/whitechapel/vendor/google/vendor_ims_app.te +++ b/whitechapel/vendor/google/vendor_ims_app.te @@ -1,2 +1,10 @@ type vendor_ims_app, domain; app_domain(vendor_ims_app) + +allow vendor_ims_app app_api_service:service_manager find; + +allow vendor_ims_app hal_exynos_rild_hwservice:hwservice_manager find; +allow vendor_ims_app radio_service:service_manager find; + +binder_call(vendor_ims_app, rild) +set_prop(vendor_ims_app, vendor_rild_prop) From 3a27f85dc8219aebcf376096cabace6118a6d93d Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Wed, 24 Mar 2021 11:56:03 +0800 Subject: [PATCH 089/921] mds: Update radio_vendor_data_file permission Bug: 181174034 Change-Id: Ie22e19b179d41a97198c07cb922dd5c60f095ad4 --- whitechapel/vendor/google/modem_diagnostics.te | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/whitechapel/vendor/google/modem_diagnostics.te b/whitechapel/vendor/google/modem_diagnostics.te index c7ade412..7908be1b 100644 --- a/whitechapel/vendor/google/modem_diagnostics.te +++ b/whitechapel/vendor/google/modem_diagnostics.te @@ -18,8 +18,8 @@ userdebug_or_eng(` allow modem_diagnostic_app vendor_fw_file:file r_file_perms; - allow modem_diagnostic_app radio_vendor_data_file:dir r_dir_perms; - allow modem_diagnostic_app radio_vendor_data_file:file r_file_perms; + allow modem_diagnostic_app radio_vendor_data_file:dir create_dir_perms; + allow modem_diagnostic_app radio_vendor_data_file:file create_file_perms; allow modem_diagnostic_app mnt_vendor_file:dir r_dir_perms; allow modem_diagnostic_app mnt_vendor_file:file r_file_perms; From 5b5a004593d329f0c9501450f9d9c734727bd963 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Wed, 24 Mar 2021 18:11:37 +0800 Subject: [PATCH 090/921] allow bootctl to access devinfo [ 22.798274] type=1400 audit(1616580486.404:10): avc: denied { write } for comm="boot@1.2-servic" name="sdd1" dev="tmpfs" ino=705 scontext=u:r:hal_bootctl_default:s0 tcontext=u:object_r:devinfo_block_device:s0 tclass=blk_file permissive=1 Bug: 177882574 Test: boot to home after factory reset Change-Id: I6774ffd46a74c75b2fee962757901ea97e9033fe --- whitechapel/vendor/google/hal_bootctl_default.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/hal_bootctl_default.te b/whitechapel/vendor/google/hal_bootctl_default.te index 0e0c3c24..30db79bd 100644 --- a/whitechapel/vendor/google/hal_bootctl_default.te +++ b/whitechapel/vendor/google/hal_bootctl_default.te @@ -1,3 +1,3 @@ allow hal_bootctl_default sda_block_device:blk_file rw_file_perms; -allow hal_bootctl_default devinfo_block_device:blk_file r_file_perms; +allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms; allow hal_bootctl_default sysfs_ota:file rw_file_perms; From 7e469b99411698c9b35e9af328be822e339c1ef9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Mon, 22 Mar 2021 18:49:25 -0700 Subject: [PATCH 091/921] Mark libGrallocWrapper.so as same-process HAL. This library is indirectly loaded by lib_aion_buffer.so, which is an ABI-stable wrapper for some vendor-specific APIs used by GCA (the Pixel camera app) Bug: 182962346 Test: ran GCA on oriole Change-Id: Ida5171110081cac0ac13ea769f9d434499faebe6 --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 675f90cf..539af0d3 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -174,6 +174,7 @@ /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 /data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0 /vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libGrallocWrapper\.so u:object_r:same_process_hal_file:s0 /dev/lwis-act0 u:object_r:lwis_device:s0 From c6eca53b9e055544d6190c35d9f1a88f127a00a6 Mon Sep 17 00:00:00 2001 From: Steven Liu Date: Wed, 24 Mar 2021 06:59:08 -0700 Subject: [PATCH 092/921] Add sepolicy for the wifi firmware config OTA feature Bug: 177083009 Test: the OTA updated files can be updated and applied. Change-Id: I2f269dbc146aae41cab57abd568af7e26fd23876 --- whitechapel/vendor/google/file.te | 3 +++ whitechapel/vendor/google/file_contexts | 3 +++ whitechapel/vendor/google/hal_wifi.te | 3 +++ whitechapel/vendor/google/hal_wifi_ext.te | 8 ++++++++ 4 files changed, 17 insertions(+) create mode 100644 whitechapel/vendor/google/hal_wifi.te diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 7c1dae90..af79a1fa 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -71,6 +71,9 @@ type sysfs_sscoredump_level, sysfs_type, fs_type; # WiFi type sysfs_wifi, sysfs_type, fs_type; +# All files under /data/vendor/firmware/wifi +type updated_wifi_firmware_data_file, file_type, data_file_type; + # Widevine DRM type mediadrm_vendor_data_file, file_type, data_file_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index f7d448fd..fba3f408 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -421,3 +421,6 @@ # Fingerprint /dev/goodix_fp u:object_r:fingerprint_device:s0 + +# Wifi Firmware config update +/data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 
diff --git a/whitechapel/vendor/google/hal_wifi.te b/whitechapel/vendor/google/hal_wifi.te new file mode 100644 index 00000000..e7f657ec --- /dev/null +++ b/whitechapel/vendor/google/hal_wifi.te @@ -0,0 +1,3 @@ +# files in /data/vendor/firmware/wifi +allow hal_wifi updated_wifi_firmware_data_file:dir r_dir_perms; +allow hal_wifi updated_wifi_firmware_data_file:file r_file_perms; diff --git a/whitechapel/vendor/google/hal_wifi_ext.te b/whitechapel/vendor/google/hal_wifi_ext.te index 659239e8..959f71b6 100644 --- a/whitechapel/vendor/google/hal_wifi_ext.te +++ b/whitechapel/vendor/google/hal_wifi_ext.te @@ -3,3 +3,11 @@ binder_call(hal_wifi_ext, grilservice_app) # Write wlan driver/fw version into property set_prop(hal_wifi_ext, vendor_wifi_version) + +# Allow wifi_ext to read and write /data/vendor/firmware/wifi +allow hal_wifi_ext updated_wifi_firmware_data_file:dir rw_dir_perms; +allow hal_wifi_ext updated_wifi_firmware_data_file:file create_file_perms; + +# Allow wifi_ext to read the updated firmware files from app +allow hal_wifi_ext priv_app:fd use; +allow hal_wifi_ext privapp_data_file:file { read map }; From 9818e25500a117245641380810f7b88f59fcfee2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Wed, 24 Mar 2021 15:59:55 +0000 Subject: [PATCH 093/921] Revert "Add lazy service binary to hal_camera_default domain." This reverts commit d02e73b96676209eea1783999709448914de82e1. Reason for revert: This HAL is actually not intended to be present on GS101 devices. The denial logs come from people who did "adb sync" after building binaries that are not included in the device image. SELinux should not allow access to this HAL. Change-Id: Id179023eeb79d749a0bde13e1d83af41fc42780e --- whitechapel/vendor/google/file_contexts | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 4009a55a..3e0a509b 100644 
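Review bot: The last two rules added to hal_wifi_ext.te let the HAL use a file descriptor passed by `priv_app` and `read`/`map` `privapp_data_file`, and the rules above them let it create files under `/data/vendor/firmware/wifi`, which `hal_wifi` then reads per the new hal_wifi.te. The policy therefore lets firmware configuration flow from any process in the `priv_app` domain into the Wi-Fi HAL, and nothing visible here shows where that content is authenticated. Leaving out `open` is a good choice, since it limits access to descriptors the app hands over. I would record the trust assumption in the comment, e.g. `# fd is passed over binder by the OTA config app; contents must be verified by hal_wifi_ext before being written (confirm)`.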
--- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -165,8 +165,7 @@ /data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0 # Camera -/vendor/bin/hw/android\.hardware\.camera\.provider@2\.7-service-google u:object_r:hal_camera_default_exec:s0 -/vendor/bin/hw/android\.hardware\.camera\.provider@2\.7-service-google-lazy u:object_r:hal_camera_default_exec:s0 +/vendor/bin/hw/android\.hardware\.camera\.provider@2\.7-service-google u:object_r:hal_camera_default_exec:s0 /vendor/lib64/camera u:object_r:vendor_camera_tuning_file:s0 /vendor/lib64/camera/ghawb_para_lut\.bin u:object_r:vendor_camera_tuning_file:s0 /vendor/lib64/camera/slider_.*\.binarypb u:object_r:vendor_camera_tuning_file:s0 From d3579bb3ec3855b6e96fbf236d8b79efa9971807 Mon Sep 17 00:00:00 2001 From: Eddie Tashjian Date: Wed, 24 Mar 2021 13:35:11 -0700 Subject: [PATCH 094/921] Allow init to set RIL properties. Init sequence needs to set several properties under *vendor.ril*. Change permission to set instead of get. Bug: 183633407 Test: Check selinux denials. Change-Id: Id7ecff48f36ee87f251ee6121f1782fa57b39844 --- whitechapel/vendor/google/vendor_init.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 3f650192..419fafa6 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -1,7 +1,7 @@ set_prop(vendor_init, vendor_device_prop) set_prop(vendor_init, vendor_modem_prop) set_prop(vendor_init, vendor_cbd_prop) -get_prop(vendor_init, vendor_rild_prop) +set_prop(vendor_init, vendor_rild_prop) set_prop(vendor_init, vendor_usb_config_prop) set_prop(vendor_init, vendor_sys_default_prop) From 8b3601f87d2e9897a2858d81f4a5e41e7cea81cb Mon Sep 17 00:00:00 2001 
From: terrycrhuang Date: Thu, 25 Mar 2021 05:33:56 +0800 Subject: [PATCH 095/921] Fix hangup Volte call fail 03-24 19:45:59.920 I auditd : type=1107 audit(0.0:35): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=persist.radio.call.audio.output pid=2328 uid=10260 gid=10260 scontext=u:r:vendor_ims_app:s0:c4,c257,c512,c768 tcontext=u:object_r:radio_prop:s0 tclass=property_service permissive=0' 03-24 19:45:59.923 W libc : Unable to set property "persist.radio.call.audio.output" to "0": error code: 0x18 Bug: 183593669 Bug: 182978936 Test: Manual Change-Id: I7f4491348ca6d97e0997f51359f1c42d98d61c75 --- whitechapel/vendor/google/vendor_ims_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/vendor_ims_app.te b/whitechapel/vendor/google/vendor_ims_app.te index 5f74bfdc..01308a65 100644 --- a/whitechapel/vendor/google/vendor_ims_app.te +++ b/whitechapel/vendor/google/vendor_ims_app.te @@ -8,3 +8,4 @@ allow vendor_ims_app radio_service:service_manager find; binder_call(vendor_ims_app, rild) set_prop(vendor_ims_app, vendor_rild_prop) +set_prop(vendor_ims_app, radio_prop) From d135bde241adea0ab46d98a377db8c23ec002aa1 Mon Sep 17 00:00:00 2001 
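Review bot: The added `set_prop(vendor_ims_app, radio_prop)` in vendor_ims_app.te grants write access to every property labelled `radio_prop`, although the denial in the commit message concerns a single property, `persist.radio.call.audio.output`. `radio_prop` appears to be a platform-owned type shared with other telephony properties, so the IMS app would be able to change all of them. A narrower option is to give that one property its own vendor property context and grant `set_prop` on that type instead. At minimum the rule should carry a comment such as `# persist.radio.call.audio.output is set when a VoLTE call ends (b/183593669)`.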
From: Aaron Tsai Date: Wed, 24 Mar 2021 12:06:24 +0800 Subject: [PATCH 096/921] Fix selinux errors for rild 03-10 09:33:20.380 849 849 I rild_exynos: type=1400 audit(0.0:11): avc: denied { map } for path="/dev/__properties__/u:object_r:sota_prop:s0" dev="tmpfs" ino=241 scontext=u:r:rild:s0 tcontext=u:object_r:sota_prop:s0 tclass=file permissive=1 03-10 09:33:20.380 849 849 I rild_exynos: type=1400 audit(0.0:10): avc: denied { getattr } for path="/dev/__properties__/u:object_r:sota_prop:s0" dev="tmpfs" ino=241 scontext=u:r:rild:s0 tcontext=u:object_r:sota_prop:s0 tclass=file permissive=1 03-10 09:33:20.380 849 849 I rild_exynos: type=1400 audit(0.0:9): avc: denied { open } for path="/dev/__properties__/u:object_r:sota_prop:s0" dev="tmpfs" ino=241 scontext=u:r:rild:s0 tcontext=u:object_r:sota_prop:s0 tclass=file permissive=1 03-10 09:33:20.380 849 849 I rild_exynos: type=1400 audit(0.0:8): avc: denied { read } for name="u:object_r:sota_prop:s0" dev="tmpfs" ino=241 scontext=u:r:rild:s0 tcontext=u:object_r:sota_prop:s0 tclass=file permissive=1 [ 16.814981] type=1400 audit(1615340000.380:8): avc: denied { read } for comm="rild_exynos" name="u:object_r:sota_prop:s0" dev="tmpfs" ino=241 scontext=u:r:rild:s0 tcontext=u:object_r:sota_prop:s0 tclass=file permissive=1 [ 16.815057] type=1400 audit(1615340000.380:9): avc: denied { open } for comm="rild_exynos" path="/dev/__properties__/u:object_r:sota_prop:s0" dev="tmpfs" ino=241 scontext=u:r:rild:s0 tcontext=u:object_r:sota_prop:s0 tclass=file permissive=1 [ 16.815089] type=1400 audit(1615340000.380:10): avc: denied { getattr } for comm="rild_exynos" path="/dev/__properties__/u:object_r:sota_prop:s0" dev="tmpfs" ino=241 scontext=u:r:rild:s0 tcontext=u:object_r:sota_prop:s0 tclass=file permissive=1 [ 16.815108] type=1400 audit(1615340000.380:11): avc: denied { map } for comm="rild_exynos" path="/dev/__properties__/u:object_r:sota_prop:s0" dev="tmpfs" ino=241 scontext=u:r:rild:s0 tcontext=u:object_r:sota_prop:s0 tclass=file 
permissive=1 Bug: 182320172 Test: verified with the forrest ROM and error log gone Change-Id: Ib0300629de5a0186c4f9fd2f603be52aefd085bc --- tracking_denials/rild.te | 9 --------- whitechapel/vendor/google/rild.te | 1 + 2 files changed, 1 insertion(+), 9 deletions(-) delete mode 100644 tracking_denials/rild.te diff --git a/tracking_denials/rild.te b/tracking_denials/rild.te deleted file mode 100644 index c9a686c4..00000000 --- a/tracking_denials/rild.te +++ /dev/null @@ -1,9 +0,0 @@ -# b/182320172 -dontaudit rild sota_prop:file { map }; -dontaudit rild sota_prop:file { getattr }; -dontaudit rild sota_prop:file { open }; -dontaudit rild sota_prop:file { read }; -dontaudit rild sota_prop:file { read }; -dontaudit rild sota_prop:file { open }; -dontaudit rild sota_prop:file { getattr }; -dontaudit rild sota_prop:file { map }; diff --git a/whitechapel/vendor/google/rild.te b/whitechapel/vendor/google/rild.te index d732e0ee..5dab0eff 100644 --- a/whitechapel/vendor/google/rild.te +++ b/whitechapel/vendor/google/rild.te @@ -4,6 +4,7 @@ get_prop(rild, vendor_persist_config_default_prop) get_prop(rild, vendor_ro_config_default_prop) set_prop(rild, vendor_sys_default_prop) +get_prop(rild, sota_prop) get_prop(rild, system_boot_reason_prop) allow rild proc_net:file rw_file_perms; From 9778af3cefb06e024afba95c46c4e4a71fff1712 Mon Sep 17 00:00:00 2001 From: terrycrhuang Date: Thu, 25 Mar 2021 10:56:05 +0800 Subject: [PATCH 097/921] Fix avc denied for vendor_ims_app 03-25 09:24:16.810 E SELinux : avc: denied { find } for pid=3681 uid=10272 name=media.audio_flinger scontext=u:r:vendor_ims_app:s0:c16,c257,c512,c768 tcontext=u:object_r:audioserver_service:s0 tclass=service_manager permissive=0 Bug: 183593669 Test: Manual Change-Id: I9d659b475d5d19ae5dd1642974f9064c152ee4b0 --- whitechapel/vendor/google/vendor_ims_app.te | 1 + 1 file changed, 1 insertion(+) 
diff --git a/whitechapel/vendor/google/vendor_ims_app.te b/whitechapel/vendor/google/vendor_ims_app.te index 01308a65..294f9700 100644 --- a/whitechapel/vendor/google/vendor_ims_app.te +++ b/whitechapel/vendor/google/vendor_ims_app.te @@ -2,6 +2,7 @@ type vendor_ims_app, domain; app_domain(vendor_ims_app) allow vendor_ims_app app_api_service:service_manager find; +allow vendor_ims_app audioserver_service:service_manager find; allow vendor_ims_app hal_exynos_rild_hwservice:hwservice_manager find; allow vendor_ims_app radio_service:service_manager find; From 3233492f78650aff00c72f6dee80fc8d49ec5f9e Mon Sep 17 00:00:00 2001 From: Ilya Matyukhin Date: Wed, 24 Mar 2021 21:00:41 -0700 Subject: [PATCH 098/921] Add sepolicy for Goodix AIDL HAL Bug: 183054007 Test: adb logcat | grep "avc: denied" Change-Id: Iea9a652dbc78c488a72600b4226140ccf123b004 --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 7b954d6b..929b1d14 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -374,6 +374,7 @@ # Fingerprint /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 +/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:hal_fingerprint_default_exec:s0 # ECC List From 986fe49987acd08ca4a27127bc8553c0efaeb351 Mon Sep 17 00:00:00 2001 
From: terrycrhuang Date: Thu, 25 Mar 2021 14:36:00 +0800 Subject: [PATCH 099/921] Fix vendor.pktrouter avc denied 03-24 19:45:17.324 E init : Do not have permissions to set 'vendor.pktrouter' to '1' in property file '/vendor/build.prop': SELinux permission check failed Bug: 183664765 Test: Manual Change-Id: Ibf0f764c905c4797b179dff2cdd1faa98fae5bc0 --- whitechapel/vendor/google/vendor_init.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 419fafa6..dc629da0 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -4,6 +4,7 @@ set_prop(vendor_init, vendor_cbd_prop) set_prop(vendor_init, vendor_rild_prop) set_prop(vendor_init, vendor_usb_config_prop) set_prop(vendor_init, vendor_sys_default_prop) +set_prop(vendor_init, vendor_ims_prop) allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file write; From dbef5fe67858b20c7a4bf4135f00990ea37b28fc Mon Sep 17 00:00:00 2001 From: terrycrhuang Date: Thu, 25 Mar 2021 15:56:20 +0800 Subject: [PATCH 100/921] Fix pktrouter avc denied 03-25 15:28:05.656 I auditd : type=1400 audit(0.0:48): avc: denied { net_raw } for comm="wfc-pkt-router" capability=13 scontext=u:r:pktrouter:s0 tcontext=u:r:pktrouter:s0 tclass=capability permissive=0 Bug: 183664765 Test: Manual Change-Id: I378b2c0ed8af9e4ba1accfdcc5380a1f9f066b81 --- whitechapel/vendor/google/pktrouter.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/pktrouter.te b/whitechapel/vendor/google/pktrouter.te index 8c436f3f..e06c8db6 100644 --- a/whitechapel/vendor/google/pktrouter.te +++ b/whitechapel/vendor/google/pktrouter.te 
@@ -8,5 +8,6 @@ domain_auto_trans(pktrouter, netutils_wrapper_exec, netutils_wrapper); allow pktrouter pktrouter_device:chr_file rw_file_perms; allow pktrouter self:netlink_route_socket nlmsg_write; allow pktrouter self:packet_socket { bind create read write getattr shutdown}; +allow pktrouter self:capability net_raw; get_prop(pktrouter, vendor_ims_prop); From 3316a7135d67df9d020f3faa5281a3a781cb279e Mon Sep 17 00:00:00 2001 From: terrycrhuang Date: Thu, 25 Mar 2021 21:02:05 +0800 Subject: [PATCH 101/921] Fix VT issue avc denied 03-25 19:59:12.604 E SELinux : avc: denied { find } for pid=3822 uid=10264 name=media.camera scontext=u:r:vendor_ims_app:s0:c8,c257,c512,c768 tcontext=u:object_r:cameraserver_service:s0 tclass=service_manager permissive=0 03-25 19:59:19.283 E SELinux : avc: denied { find } for pid=3822 uid=10264 name=media.player scontext=u:r:vendor_ims_app:s0:c8,c257,c512,c768 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager permissive=0 Bug: 183698793 Test: Manual Change-Id: I5ccff82df99b6bcb3883b880ef1fbfe8710b2e99 --- whitechapel/vendor/google/vendor_ims_app.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/vendor_ims_app.te b/whitechapel/vendor/google/vendor_ims_app.te index 294f9700..d2e671c3 100644 --- a/whitechapel/vendor/google/vendor_ims_app.te +++ b/whitechapel/vendor/google/vendor_ims_app.te @@ -7,6 +7,9 @@ allow vendor_ims_app audioserver_service:service_manager find; allow vendor_ims_app hal_exynos_rild_hwservice:hwservice_manager find; allow vendor_ims_app radio_service:service_manager find; +allow vendor_ims_app mediaserver_service:service_manager find; +allow vendor_ims_app cameraserver_service:service_manager find; + binder_call(vendor_ims_app, rild) set_prop(vendor_ims_app, vendor_rild_prop) set_prop(vendor_ims_app, radio_prop) From 9c8327de8dcc87499a180084b83bde122d51bcfb Mon Sep 17 00:00:00 2001 
From: Kevin DuBois Date: Thu, 25 Mar 2021 11:10:40 -0700 Subject: [PATCH 102/921] hal_neuralnetworks_armnn: allow GPU access Neuralnetworks for armnn driver needs GPU access in order to issue OpenCL commands to GPU. Add rule that allows this. Fixes: 183673130 Test: setenforce 1, stop and start hal, see that hal started. Change-Id: I9be0ee4326e5e128a37f2c4df0878f8fbbea7f8d --- whitechapel/vendor/google/hal_neuralnetworks_armnn.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/hal_neuralnetworks_armnn.te b/whitechapel/vendor/google/hal_neuralnetworks_armnn.te index f81d617b..64ffc23e 100644 --- a/whitechapel/vendor/google/hal_neuralnetworks_armnn.te +++ b/whitechapel/vendor/google/hal_neuralnetworks_armnn.te @@ -1,4 +1,7 @@ type hal_neuralnetworks_armnn, domain; type hal_neuralnetworks_armnn_exec, vendor_file_type, exec_type, file_type; + +allow hal_neuralnetworks_armnn gpu_device:chr_file rw_file_perms; + init_daemon_domain(hal_neuralnetworks_armnn) From eda148cd47b2ab35af53804b1ce36e4c6767c8cc Mon Sep 17 00:00:00 2001 From: Jidong Sun Date: Thu, 25 Mar 2021 13:00:00 -0700 Subject: [PATCH 103/921] SELinux: Grant camera HAL TEE access Bug: 183714594 Signed-off-by: Jidong Sun Change-Id: I84fd3a7cf18bc3b574632b665be86c0fcb505704 --- whitechapel/vendor/google/hal_camera_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index 9938de38..5db0ed6e 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te @@ -41,3 +41,6 @@ binder_call(hal_camera_default, mediacodec); # grant access to hal_graphics_composer hal_client_domain(hal_camera_default, hal_graphics_composer) + +# grant access to Securea camera TA +allow hal_camera_default tee_device:chr_file rw_file_perms; From 6862b8e2399bfb9202a341d87b2586fc1d06013b Mon Sep 17 00:00:00 2001 
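Review bot: The added `allow hal_camera_default tee_device:chr_file rw_file_perms;` opens the TEE device node itself to the camera HAL, so at the SELinux level the HAL can reach whatever the TEE driver exposes, not only the camera trusted application named in the comment. Restricting the HAL to that one TA then depends on checks inside the TEE, which this policy cannot express, and the comment should say so. The comment also has a typo ("Securea"); suggested wording: `# Access to the secure camera TA via the TEE driver; per-TA access control is enforced by the TEE (confirm)`. The commit message has no denial log or Test line to show which permissions are actually exercised.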
From: Oleg Matcovschi Date: Fri, 26 Mar 2021 13:39:44 -0700 Subject: [PATCH 104/921] vendor: remove sscoredump policies Bug: 180760068 Signed-off-by: Oleg Matcovschi Change-Id: Ib8d360b227286bdea7de00125ef2ed6ad7978e67 --- whitechapel/vendor/google/device.te | 3 --- whitechapel/vendor/google/file.te | 8 -------- whitechapel/vendor/google/file_contexts | 7 ------- whitechapel/vendor/google/genfs_contexts | 3 --- whitechapel/vendor/google/sscoredump.te | 17 ----------------- 5 files changed, 38 deletions(-) delete mode 100644 whitechapel/vendor/google/sscoredump.te diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index 6741c49b..fef97187 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -48,9 +48,6 @@ type vframe_heap_device, dmabuf_heap_device_type, dev_type; #vscaler-secure DMA-BUF heap type vscaler_heap_device, dmabuf_heap_device_type, dev_type; -# subsystem-coredump -type sscoredump_device, dev_type; - # AOC device type aoc_device, dev_type; diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index af79a1fa..ea804182 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -66,7 +66,6 @@ type sysfs_iommu, sysfs_type, fs_type; type sysfs_devicetree, sysfs_type, fs_type; type sysfs_mem, sysfs_type, fs_type; -type sysfs_sscoredump_level, sysfs_type, fs_type; # WiFi type sysfs_wifi, sysfs_type, fs_type; @@ -77,10 +76,6 @@ type updated_wifi_firmware_data_file, file_type, data_file_type; # Widevine DRM type mediadrm_vendor_data_file, file_type, data_file_type; -# Subsystem coredump -type sscoredump_vendor_data_coredump_file, file_type, data_file_type, mlstrustedobject; -type sscoredump_vendor_data_crashinfo_file, file_type, data_file_type, mlstrustedobject; - # Storage Health HAL type sysfs_scsi_devices_0000, sysfs_type, fs_type; type debugfs_f2fs, debugfs_type, fs_type; 
@@ -172,9 +167,6 @@ type sysfs_chosen, sysfs_type, fs_type; type sysfs_chip_id, sysfs_type, fs_type; type sysfs_spi, sysfs_type, fs_type; -# subsystem-coredump -type sscoredump_sysfs_level, sysfs_type, fs_type; - # Battery type persist_battery_file, file_type, vendor_persist_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 6edb5ce0..c7621773 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -259,13 +259,6 @@ /mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0 /mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0 - -# Subsystem coredump -/vendor/bin/sscoredump u:object_r:sscoredump_exec:s0 -/data/vendor/ssrdump(/.*)? u:object_r:sscoredump_vendor_data_crashinfo_file:s0 -/data/vendor/ssrdump/coredump(/.*)? u:object_r:sscoredump_vendor_data_coredump_file:s0 -/dev/sscd_.* u:object_r:sscoredump_device:s0 - # Kernel modules related /vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0 diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index a4c1c58e..4da5adc8 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -186,9 +186,6 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/main-c # OTA genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 -# subsystem-coredump -genfscon sysfs /class/sscoredump/level u:object_r:sscoredump_sysfs_level:s0 - # ACPM genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0 diff --git a/whitechapel/vendor/google/sscoredump.te b/whitechapel/vendor/google/sscoredump.te deleted file mode 100644 index e66abc66..00000000 --- a/whitechapel/vendor/google/sscoredump.te +++ /dev/null 
@@ -1,17 +0,0 @@ -type sscoredump, domain; -type sscoredump_exec, vendor_file_type, exec_type, file_type; - -init_daemon_domain(sscoredump) - -set_prop(sscoredump, vendor_ssrdump_prop) - -allow sscoredump device:dir r_dir_perms; -allow sscoredump sscoredump_device:chr_file rw_file_perms; -allow sscoredump sscoredump_vendor_data_crashinfo_file:dir create_dir_perms; -allow sscoredump sscoredump_vendor_data_crashinfo_file:file create_file_perms; - -userdebug_or_eng(` - allow sscoredump sscoredump_sysfs_level:file rw_file_perms; - allow sscoredump sscoredump_vendor_data_coredump_file:dir create_dir_perms; - allow sscoredump sscoredump_vendor_data_coredump_file:file create_file_perms; -') From c9f580b083971ac2b2f744522f76c028488ab063 Mon Sep 17 00:00:00 2001 From: Hsiaoan Hsu Date: Mon, 29 Mar 2021 11:58:18 +0800 Subject: [PATCH 105/921] Fix netutils_wrapper avc denied avc denied log: 03-25 22:30:40.226 root 22962 22962 W iptables-wrappe: type=1400 audit(0.0:2269): avc: denied { read write } for path="/dev/umts_wfc1" dev="tmpfs" ino=748 scontext=u:r:netutils_wrapper:s0 tcontext=u:object_r:pktrouter_device:s0 tclass=chr_file permissive=0 03-25 22:30:40.226 root 22962 22962 W iptables-wrappe: type=1400 audit(0.0:2270): avc: denied { read write } for path="socket:[1017]" dev="sockfs" ino=1017 scontext=u:r:netutils_wrapper:s0 tcontext=u:r:pktrouter:s0 tclass=netlink_route_socket permissive=0 03-25 22:30:40.226 root 22962 22962 W iptables-wrappe: type=1400 audit(0.0:2274): avc: denied { read write } for path="socket:[655847]" dev="sockfs" ino=655847 scontext=u:r:netutils_wrapper:s0 tcontext=u:r:pktrouter:s0 tclass=udp_socket permissive=0 Bug: 183713618 Test: WFC/WFC handover Change-Id: I363bf009c3b05ac2ceccb5580e786fcebf0f5631 --- whitechapel/vendor/google/netutils_wrapper.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/netutils_wrapper.te b/whitechapel/vendor/google/netutils_wrapper.te index a8090e37..ff1be58e 100644 
--- a/whitechapel/vendor/google/netutils_wrapper.te +++ b/whitechapel/vendor/google/netutils_wrapper.te @@ -1,4 +1,7 @@ allow netutils_wrapper pktrouter:fd use; allow netutils_wrapper pktrouter:fifo_file write; +allow netutils_wrapper pktrouter:netlink_route_socket { read write }; allow netutils_wrapper pktrouter:packet_socket { read write }; allow netutils_wrapper pktrouter:rawip_socket { read write }; +allow netutils_wrapper pktrouter:udp_socket { read write }; +allow netutils_wrapper pktrouter_device:chr_file rw_file_perms; From 522c283deeff3379665cc93b35cb08c9a8407b20 Mon Sep 17 00:00:00 2001 From: JohnCH Tsai Date: Mon, 29 Mar 2021 15:11:55 +0800 Subject: [PATCH 106/921] Allowed Camera hal to create debug files For steadiface and eis, they needs to create debug folders and files under /data/vendor/camera. Bug: 183708219 Test: GCA and check debug files Change-Id: I5b87120702278199ac4f98cfa9114be47c760433 --- whitechapel/vendor/google/hal_camera_default.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index 5db0ed6e..b30ee5f8 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te @@ -44,3 +44,9 @@ hal_client_domain(hal_camera_default, hal_graphics_composer) # grant access to Securea camera TA allow hal_camera_default tee_device:chr_file rw_file_perms; + +# For camera debugging +userdebug_or_eng(` + allow hal_camera_default vendor_camera_data_file:dir create_dir_perms; + allow hal_camera_default vendor_camera_data_file:file create_file_perms; +') From 68569d8fe30baf04d026c358f12f2023dd0eb1a2 Mon Sep 17 00:00:00 2001 
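Review bot: The three added `allow netutils_wrapper ...` lines may be granting access to descriptors that were only leaked into the wrapper. All three denials in the description target objects labelled for pktrouter (`/dev/umts_wfc1`, two `socket:[...]` paths) with an iptables wrapper as the source, which usually indicates inheritance across exec; this is inferred from the log, not shown in the hunk. If the wrapper never uses them, setting close-on-exec in pktrouter or adding a `dontaudit` avoids giving netutils_wrapper read/write on pktrouter's route and UDP sockets and on `pktrouter_device`. If the access is needed, a comment above the new lines should name the WFC handover path that requires it.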
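Review bot: The second rule inside the new `userdebug_or_eng` block, `allow hal_camera_default vendor_camera_data_file:file create_file_perms;`, appears to duplicate a grant this file already makes on all builds. The later reordering patch in this series (PATCH 112) shows that rule in the file's pre-image next to `vendor_camera_data_file:dir rw_dir_perms`, and carries this block forward with both lines. Only `vendor_camera_data_file:dir create_dir_perms` adds anything for debug builds, so the block can be reduced to that one rule here and in PATCH 112. The part of hal_camera_default.te that holds the unconditional rule is outside this hunk.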
From: Alex Hong Date: Mon, 29 Mar 2021 22:18:39 +0800 Subject: [PATCH 107/921] update error on ROM 7242124 Bug: 183935416 Bug: 183935302 Bug: 183935382 Bug: 183935443 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: Iccdfc8a9eea3e8d52bebc89ca1eafcd2ec26e3c6 --- tracking_denials/edgetpu_server.te | 3 +++ tracking_denials/hal_neuralnetworks_darwinn.te | 3 +++ tracking_denials/vendor_ims_app.te | 3 +++ tracking_denials/vendor_init.te | 3 +++ 4 files changed, 12 insertions(+) create mode 100644 tracking_denials/vendor_ims_app.te diff --git a/tracking_denials/edgetpu_server.te b/tracking_denials/edgetpu_server.te index c4c9dfd4..c187dfd8 100644 --- a/tracking_denials/edgetpu_server.te +++ b/tracking_denials/edgetpu_server.te @@ -5,3 +5,6 @@ dontaudit edgetpu_server tmpfs:file { getattr }; dontaudit edgetpu_server tmpfs:file { read write }; dontaudit edgetpu_server tmpfs:file { map }; dontaudit edgetpu_server tmpfs:file { getattr }; +# b/183935416 +dontaudit edgetpu_server proc_version:file { read }; +dontaudit edgetpu_server proc_version:file { read }; diff --git a/tracking_denials/hal_neuralnetworks_darwinn.te b/tracking_denials/hal_neuralnetworks_darwinn.te index 52568fc6..54fa8a2f 100644 --- a/tracking_denials/hal_neuralnetworks_darwinn.te +++ b/tracking_denials/hal_neuralnetworks_darwinn.te @@ -9,3 +9,6 @@ dontaudit hal_neuralnetworks_darwinn tmpfs:file { map }; dontaudit hal_neuralnetworks_darwinn tmpfs:file { read }; dontaudit hal_neuralnetworks_darwinn tmpfs:file { read }; dontaudit hal_neuralnetworks_darwinn tmpfs:file { read }; +# b/183935302 +dontaudit hal_neuralnetworks_darwinn proc_version:file { read }; +dontaudit hal_neuralnetworks_darwinn proc_version:file { read }; diff --git a/tracking_denials/vendor_ims_app.te b/tracking_denials/vendor_ims_app.te new file mode 100644 index 00000000..e6a9dfd8 --- /dev/null +++ b/tracking_denials/vendor_ims_app.te 
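Review bot: Every rule added in this hunk is written twice; `dontaudit edgetpu_server proc_version:file { read };` appears on two consecutive lines and one copy is enough. The same duplication is in the hal_neuralnetworks_darwinn.te, vendor_ims_app.te and vendor_init.te hunks of this patch. If these files are generated from the denial log, deduplicating in the generator would stop the tracking files from growing with identical rules.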
@@ -0,0 +1,3 @@ +# b/183935382 +dontaudit vendor_ims_app default_prop:file { read }; +dontaudit vendor_ims_app default_prop:file { read }; diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index 18aa0927..57a0570d 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -2,3 +2,6 @@ dontaudit vendor_init debugfs_trace_marker:file { getattr }; # b/182954248 dontaudit vendor_init default_prop:file { read }; +# b/183935443 +dontaudit vendor_init system_data_file:dir { write }; +dontaudit vendor_init system_data_file:dir { write }; From 005fafff5bca81bbbd9c9c54cab354dcc1a8dae1 Mon Sep 17 00:00:00 2001 From: Oleg Matcovschi Date: Mon, 29 Mar 2021 02:37:59 -0700 Subject: [PATCH 108/921] genfs_contexts: add sscoredump per-subsystem policies Bug: 180760068 Signed-off-by: Oleg Matcovschi Change-Id: I448dd8d5ea1e11eb774c62e129eb4c7896a5bd15 --- whitechapel/vendor/google/genfs_contexts | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 4da5adc8..60b9cb2c 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
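Review bot: `dontaudit vendor_init system_data_file:dir { write };` keeps the access denied but removes it from the audit log, and a vendor_init write into a system data directory is a denial worth keeping visible until it is root-caused. The only link back to the cause is the `# b/183935443` line, so the entry should say that it is temporary, for example `# TODO(b/183935443): remove once the vendor_init write is fixed`. The rule is also listed twice, as in the other hunks of this patch.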
@@ -235,3 +235,11 @@ genfscon debugfs /google_battery # tracefs genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0 + +# sscoredump (per device) +genfscon sysfs /devices/platform/abrolhos/sscoredump/sscd_abrolhos/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 +genfscon sysfs /devices/platform/aoc/sscoredump/sscd_aoc/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 +genfscon sysfs /devices/platform/bigocean/sscoredump/sscd_bigocean/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 +genfscon sysfs /devices/platform/debugcore/sscoredump/sscd_debugcore/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 +genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 +genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 From ffd2cf4eb7b83ee9a72cf9a2e8195ae0a6dbd04c Mon Sep 17 00:00:00 2001 From: Eddie Tashjian Date: Mon, 29 Mar 2021 14:59:24 -0700 Subject: [PATCH 109/921] Allow radioext to access bluetooth coex hal. Allow radio extension hal to forward coexistence message from modem to bluetooth hal. Bug: 183978772 Test: Check selinux denials Change-Id: Idc288ce2a1fdcf380301e2d7c10ea03af520e4d0 --- whitechapel/vendor/google/hal_radioext_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/hal_radioext_default.te b/whitechapel/vendor/google/hal_radioext_default.te index ff22f224..a5344993 100644 --- a/whitechapel/vendor/google/hal_radioext_default.te +++ b/whitechapel/vendor/google/hal_radioext_default.te 
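Review bot: The six new `genfscon` lines use the type `sysfs_sscoredump_subsystem_report_count`, which no hunk of this patch declares, and PATCH 104 earlier in the series removed the sscoredump types from file.te. If the declaration lives in `hardware/google/pixel-sepolicy/sscoredump`, which is only added to `BOARD_SEPOLICY_DIRS` by PATCH 116, the policy would not compile at this commit; this is an inference from the series order and should be checked. The section comment says `(per device)` while the subject says per-subsystem, so `# sscoredump (per subsystem)` would match the paths.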
@@ -15,3 +15,6 @@ allow hal_radioext_default radio_device:chr_file rw_file_perms; allow hal_radioext_default radio_vendor_data_file:dir create_dir_perms; allow hal_radioext_default radio_vendor_data_file:file create_file_perms; allow hal_radioext_default sysfs_display:file rw_file_perms; + +# Bluetooth +allow hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager find; \ No newline at end of file From a91ba318081c4b11f9c4c5d6dbbcd85dbe1bdb42 Mon Sep 17 00:00:00 2001 From: Oleg Matcovschi Date: Thu, 25 Mar 2021 16:51:22 -0700 Subject: [PATCH 110/921] vendor_init: allow set_prop for vendor_ssrdump_prop Bug: 183686188 Change-Id: I6a22419909cd85c55bd1c7e500b06f0420d0ec86 Signed-off-by: Oleg Matcovschi --- whitechapel/vendor/google/vendor_init.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index dc629da0..a46f49de 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -5,6 +5,7 @@ set_prop(vendor_init, vendor_rild_prop) set_prop(vendor_init, vendor_usb_config_prop) set_prop(vendor_init, vendor_sys_default_prop) set_prop(vendor_init, vendor_ims_prop) +set_prop(vendor_init, vendor_ssrdump_prop) allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file write; From 181f1d3cd03d5783e2263acd1a1779e2673d9abe Mon Sep 17 00:00:00 2001 From: Aaron Tsai Date: Tue, 30 Mar 2021 11:38:19 +0800 Subject: [PATCH 111/921] vendor_init: allow set_prop for vendor_ro_config_default_prop 03-29 15:18:56.425 root 1 1 E init : Do not have permissions to set 'ro.vendor.config.build_carrier' to 'europen' in property file '/vendor/build.prop': SELinux permission check failed Bug: 183919837 Test: verified with the forrest ROM and error log gone Change-Id: I87cc05306f9c038df779040514a879fc2b8ab929 --- whitechapel/vendor/google/vendor_init.te | 1 + 1 file changed, 1 insertion(+) 
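Review bot: The added rule only lets hal_radioext_default `find` `hal_bluetooth_coexistence_hwservice`; forwarding coexistence messages also needs a binder call into the Bluetooth HAL domain, and no `binder_call()` appears in this hunk. PATCH 118 in this series pairs its `find` rule with `binder_call(hal_camera_default, hal_radioext_default);`, so the same pairing is probably wanted here unless it already exists outside the hunk. The file also loses its trailing newline (`\ No newline at end of file`), which should be restored. The `# Bluetooth` comment could say what is allowed, for example `# Forward modem coexistence messages to the Bluetooth HAL`.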
diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index a46f49de..5ec3a895 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -6,6 +6,7 @@ set_prop(vendor_init, vendor_usb_config_prop) set_prop(vendor_init, vendor_sys_default_prop) set_prop(vendor_init, vendor_ims_prop) set_prop(vendor_init, vendor_ssrdump_prop) +set_prop(vendor_init, vendor_ro_config_default_prop) allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file write; From dffdeca76dde1f0a4b71752be8149cb76fb71381 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Wed, 24 Mar 2021 13:40:07 -0700 Subject: [PATCH 112/921] Improve camera HAL SELinux policy. - Grant access to DMA system heap for Tuscany. - Reorder statements for more logical grouping. - Allow access to isolated tmpfs for google3 prebuilts. - Remove fixed denials. Bug: 181913550 Bug: 182705901 Test: Inspected logcat, no denials from hal_camera_default Change-Id: I9bf1ce207c3bcae1b9f9ab0f0072bb7501201451 --- tracking_denials/hal_camera_default.te | 24 ---------- .../vendor/google/hal_camera_default.te | 46 +++++++++++-------- 2 files changed, 27 insertions(+), 43 deletions(-) diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te index a4c93a04..6ab5a51c 100644 --- a/tracking_denials/hal_camera_default.te +++ b/tracking_denials/hal_camera_default.te 
@@ -1,29 +1,5 @@ # b/178980085 dontaudit hal_camera_default system_data_file:dir { search }; -dontaudit hal_camera_default system_data_file:dir { search }; # b/180567725 dontaudit hal_camera_default traced:unix_stream_socket { connectto }; -dontaudit hal_camera_default traced:unix_stream_socket { connectto }; dontaudit hal_camera_default traced_producer_socket:sock_file { write }; -dontaudit hal_camera_default traced_producer_socket:sock_file { write }; -# b/181913550 -dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { read }; -dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { read }; -dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { open }; -dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { ioctl }; -dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { open }; -dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { ioctl }; -# b/182705901 -dontaudit hal_camera_default tmpfs:file { getattr }; -dontaudit hal_camera_default tmpfs:file { read }; -dontaudit hal_camera_default edgetpu_server:binder { call }; -dontaudit hal_camera_default tmpfs:file { write }; -dontaudit hal_camera_default tmpfs:file { map }; -dontaudit hal_camera_default tmpfs:file { read }; -dontaudit hal_camera_default tmpfs:file { getattr }; -dontaudit hal_camera_default tmpfs:file { map }; -dontaudit hal_camera_default tmpfs:file { write }; -dontaudit hal_camera_default edgetpu_server:binder { call }; -dontaudit hal_camera_default edgetpu_service:service_manager { find }; -dontaudit hal_camera_default edgetpu_server:fd { use }; -dontaudit hal_camera_default edgetpu_server:fd { use }; diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index b30ee5f8..95f1b411 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te 
@@ -1,34 +1,54 @@ +type hal_camera_default_tmpfs, file_type; + allow hal_camera_default self:global_capability_class_set sys_nice; vndbinder_use(hal_camera_default); -allow hal_camera_default vendor_camera_tuning_file:dir r_dir_perms; -allow hal_camera_default vendor_camera_tuning_file:file r_file_perms; -allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms; -allow hal_camera_default vendor_camera_data_file:file create_file_perms; allow hal_camera_default lwis_device:chr_file rw_file_perms; allow hal_camera_default gpu_device:chr_file rw_file_perms; -allow hal_camera_default edgetpu_device:chr_file rw_file_perms; -allow hal_camera_default sysfs_edgetpu:dir r_dir_perms; -allow hal_camera_default sysfs_edgetpu:file r_file_perms; allow hal_camera_default sysfs_chip_id:file r_file_perms; +# Tuscany (face auth) code that is part of the camera HAL needs to allocate +# dma_bufs and access the Trusted Execution Environment device node +allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms; +allow hal_camera_default tee_device:chr_file rw_file_perms; + # Allow the camera hal to access the EdgeTPU service and the # Android shared memory allocated by the EdgeTPU service for # on-device compilation. 
+allow hal_camera_default edgetpu_device:chr_file rw_file_perms; +allow hal_camera_default sysfs_edgetpu:dir r_dir_perms; +allow hal_camera_default sysfs_edgetpu:file r_file_perms; allow hal_camera_default edgetpu_server:fd use; allow hal_camera_default edgetpu_service:service_manager find; binder_call(hal_camera_default, edgetpu_server) +# Allow access to data files used by the camera HAL allow hal_camera_default mnt_vendor_file:dir search; allow hal_camera_default persist_file:dir search; allow hal_camera_default persist_camera_file:dir search; allow hal_camera_default persist_camera_file:file r_file_perms; +allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms; +allow hal_camera_default vendor_camera_data_file:file create_file_perms; +allow hal_camera_default vendor_camera_tuning_file:dir r_dir_perms; +allow hal_camera_default vendor_camera_tuning_file:file r_file_perms; +# Allow creating dump files for debugging in non-release builds +userdebug_or_eng(` + allow hal_camera_default vendor_camera_data_file:dir create_dir_perms; + allow hal_camera_default vendor_camera_data_file:file create_file_perms; +') + +# tmpfs is used by google3 prebuilts linked by the HAL to unpack data files +# compiled into the shared libraries with cc_embed_data rules +tmpfs_domain(hal_camera_default); + +# Allow access to camera-related system properties get_prop(hal_camera_default, vendor_camera_prop); get_prop(hal_camera_default, vendor_camera_debug_prop); hal_client_domain(hal_camera_default, hal_graphics_allocator); +hal_client_domain(hal_camera_default, hal_graphics_composer) hal_client_domain(hal_camera_default, hal_power); hal_client_domain(hal_camera_default, hal_thermal); 
@@ -38,15 +58,3 @@ binder_call(hal_camera_default, system_server); # Allow Binder calls to ECO service, needed by Entropy-Aware Filtering allow hal_camera_default eco_service:service_manager find; binder_call(hal_camera_default, mediacodec); - -# grant access to hal_graphics_composer -hal_client_domain(hal_camera_default, hal_graphics_composer) - -# grant access to Securea camera TA -allow hal_camera_default tee_device:chr_file rw_file_perms; - -# For camera debugging -userdebug_or_eng(` - allow hal_camera_default vendor_camera_data_file:dir create_dir_perms; - allow hal_camera_default vendor_camera_data_file:file create_file_perms; -') From 93bf9b613b2bc5a6852370fb98138dd509484065 Mon Sep 17 00:00:00 2001 From: Yu-Chi Cheng Date: Mon, 29 Mar 2021 23:00:01 -0700 Subject: [PATCH 113/921] Labelled EdgeTPU service libraries as SP-HAL. The EdgeTPU service libraries (libedgetpu_client.google.so and com.google.edgetpu-V1-ndk.so) provide both the system_ext and vendor variants. Since these need to be linked by pre-built applications from /product/, this change labelled them as the same_process_hal_file in order to allow the applications to link with the vendor variant. Bug: 184008444 Test: tested on local Oriole with GCA. Change-Id: I8c510f51ccc1a76d14978962d72fd91f15bf7a90 --- whitechapel/vendor/google/file_contexts | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 6edb5ce0..79e224dc 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -347,14 +347,22 @@ # EdgeTPU device (DarwiNN) /dev/abrolhos u:object_r:edgetpu_device:s0 + +# EdgeTPU logging service /vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0 + +# EdgeTPU service binary and libraries /system_ext/bin/hw/vendor\.google\.edgetpu@1\.0-service u:object_r:edgetpu_server_exec:s0 +/vendor/lib64/com\.google\.edgetpu-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0 + +# EdgeTPU runtime libraries /vendor/lib64/libedgetpu_darwinn2\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0 -/data/vendor/hal_neuralnetworks_darwinn(/.*)? u:object_r:hal_neuralnetworks_darwinn_data_file:s0 -# EdgeTPU data file +# EdgeTPU data files /data/edgetpu(/.*)? u:object_r:edgetpu_service_data_file:s0 +/data/vendor/hal_neuralnetworks_darwinn(/.*)? u:object_r:hal_neuralnetworks_darwinn_data_file:s0 # Tetheroffload Service /dev/dit2 u:object_r:vendor_toe_device:s0 From 5f6e2635278cdf3135efb6994cf02bb0795039c5 Mon Sep 17 00:00:00 2001 From: Erik Cheng Date: Tue, 30 Mar 2021 17:34:38 +0800 Subject: [PATCH 114/921] Grant permission for more camera device nodes Bug: 184004655 Test: aosp camera Change-Id: I52fdb3f7f3d37537461c94b139e72add1a300bb2 --- whitechapel/vendor/google/file_contexts | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index c7621773..5037d4f4 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -179,6 +179,7 @@ /dev/lwis-act0 u:object_r:lwis_device:s0 /dev/lwis-act1 u:object_r:lwis_device:s0 /dev/lwis-act-ak7377 u:object_r:lwis_device:s0 +/dev/lwis-act-lc898129 u:object_r:lwis_device:s0 /dev/lwis-act-sem1215sa u:object_r:lwis_device:s0 /dev/lwis-csi u:object_r:lwis_device:s0 /dev/lwis-dpm u:object_r:lwis_device:s0 
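Review bot: Labelling `libedgetpu_client.google.so` and `com.google.edgetpu-V1-ndk_platform.so` as `same_process_hal_file` makes them readable and executable by every domain, including app domains. The reason (prebuilt apps under /product must link the vendor variant) is only in the commit message. It should be recorded next to the entries, for example `# SP-HAL: linked in-process by prebuilt apps from /product`, so that a later audit of the SP-HAL list can tell why they are there. Only `/vendor/lib64` is labelled, while other entries in this file use `/vendor/lib(64)?`; if a 32-bit variant is shipped it would keep the default vendor label.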
@@ -186,7 +187,10 @@ /dev/lwis-eeprom1 u:object_r:lwis_device:s0 /dev/lwis-eeprom2 u:object_r:lwis_device:s0 /dev/lwis-eeprom-lc898128 u:object_r:lwis_device:s0 +/dev/lwis-eeprom-lc898129 u:object_r:lwis_device:s0 /dev/lwis-eeprom-m24c64s u:object_r:lwis_device:s0 +/dev/lwis-eeprom-m24c64s-imx355-inner u:object_r:lwis_device:s0 +/dev/lwis-eeprom-m24c64s-imx355-outer u:object_r:lwis_device:s0 /dev/lwis-eeprom-m24c64x u:object_r:lwis_device:s0 /dev/lwis-eeprom-m24c64x-imx386 u:object_r:lwis_device:s0 /dev/lwis-eeprom-m24c64x-imx663 u:object_r:lwis_device:s0 @@ -202,6 +206,7 @@ /dev/lwis-itp u:object_r:lwis_device:s0 /dev/lwis-mcsc u:object_r:lwis_device:s0 /dev/lwis-ois-lc898128 u:object_r:lwis_device:s0 +/dev/lwis-ois-lc898129 u:object_r:lwis_device:s0 /dev/lwis-ois-sem1215sa u:object_r:lwis_device:s0 /dev/lwis-pdp u:object_r:lwis_device:s0 /dev/lwis-scsc u:object_r:lwis_device:s0 @@ -210,6 +215,9 @@ /dev/lwis-sensor2 u:object_r:lwis_device:s0 /dev/lwis-sensor-gn1 u:object_r:lwis_device:s0 /dev/lwis-sensor-imx355 u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx355-inner u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx355-outer u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx363 u:object_r:lwis_device:s0 /dev/lwis-sensor-imx386 u:object_r:lwis_device:s0 /dev/lwis-sensor-imx586 u:object_r:lwis_device:s0 /dev/lwis-sensor-imx663 u:object_r:lwis_device:s0 From b07d84f0874bae11a2a9de193c4da9aba89db1da Mon Sep 17 00:00:00 2001 
From: Ankit Goyal Date: Tue, 30 Mar 2021 14:03:47 +0800 Subject: [PATCH 115/921] Fix SELinux denials for arm.graphics AIDL interface Denial example: 03-30 05:44:44.468 490 490 W RenderEngine: type=1400 audit(0.0:4): avc: denied { read } for name="arm.graphics-V1-ndk_platform.so" dev="dm-9" ino=1923 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=0 Bug: 143246001 Test: Build and boot to home Change-Id: Id7c2bd98aa634f852a21812fb2421a2e96ef7636 --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index c7621773..86dfdc2a 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -365,6 +365,7 @@ /vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/hw/gralloc\.gs101\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/hw/vulkan\.gs101\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/arm\.graphics-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 # Touch /dev/touch_offload u:object_r:touch_offload_device:s0 From de30c5317792e8b33008b681af4c69e92f344349 Mon Sep 17 00:00:00 2001 From: Oleg Matcovschi Date: Mon, 29 Mar 2021 23:15:20 -0700 Subject: [PATCH 116/921] gs101-sepolicy: add sscoredump Bug: 183995288 Change-Id: I5363d0c45c183d809c03fe755835c1fc95a33159 --- gs101-sepolicy.mk | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk index e623328a..c24beed1 100644 --- a/gs101-sepolicy.mk +++ b/gs101-sepolicy.mk @@ -24,3 +24,7 @@ BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/display/gs101 # Micro sensor framework (usf) BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/usf + +# sscoredump +BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/sscoredump + From 755a1de452d08618ffcb03db952fd78dce4f87c3 Mon Sep 17 00:00:00 2001 
From: Yu-Chi Cheng Date: Tue, 30 Mar 2021 08:50:13 -0700 Subject: [PATCH 117/921] Allowed EdgeTPU service and the EdgeTPU NNAPI hal to read /proc/version. Both services invoke InitGoogle in order to use google utilities (e.g. file). Since InitGoogle reads the kernel info from /proc/version, this change added the corresponding selinux rules to allow that. Bug: 183935416 Test: tested on Oriole. Change-Id: Icb8f3a57e249774b5fad3284413661b04ff7dae6 --- whitechapel/vendor/google/edgetpu_service.te | 4 ++++ whitechapel/vendor/google/hal_neuralnetworks_darwinn.te | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/whitechapel/vendor/google/edgetpu_service.te b/whitechapel/vendor/google/edgetpu_service.te index a30400ad..96e452ca 100644 --- a/whitechapel/vendor/google/edgetpu_service.te +++ b/whitechapel/vendor/google/edgetpu_service.te @@ -34,3 +34,7 @@ binder_call(edgetpu_server, system_server); # Allow EdgeTPU service to access Android shared memory allocated # by the camera hal for on-device compilation. allow edgetpu_server hal_camera_default:fd use; + +# Allow EdgeTPU service to read the kernel version. +# This is done inside the InitGoogle. +allow edgetpu_server proc_version:file r_file_perms; diff --git a/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te b/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te index 9329a878..48848279 100644 --- a/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te +++ b/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te @@ -18,3 +18,7 @@ allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:dir rw_dir add_hwservice(hal_neuralnetworks_darwinn, hal_neuralnetworks_hwservice) hwbinder_use(hal_neuralnetworks_darwinn) get_prop(hal_neuralnetworks_darwinn, hwservicemanager_prop) + +# Allow TPU HAL to read the kernel version. +# This is done inside the InitGoogle. +allow hal_neuralnetworks_darwinn proc_version:file r_file_perms; From 6932235e89e94e68482abd2963d8b132a0cf727f Mon Sep 17 00:00:00 2001 
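Review bot: This patch adds `allow edgetpu_server proc_version:file r_file_perms;` but leaves the `dontaudit edgetpu_server proc_version:file { read };` entries that PATCH 107 added under tracking_denials for the same bug (b/183935416). Its diffstat lists only edgetpu_service.te and hal_neuralnetworks_darwinn.te. The same holds for the hal_neuralnetworks_darwinn hunk and its tracking entry. Once the access is allowed those entries are stale and should be deleted in the same change, so that the tracking files list only denials that are still open.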
From: Xu Han Date: Mon, 29 Mar 2021 20:29:56 -0700 Subject: [PATCH 118/921] Allow camera HAL access radioext service Camera needs to query radioext for preferred MIPI clock rate. Bug: 178038924 Test: camera CTS Change-Id: Id1dbe8a12d07b5ccfb4fc7db69dda7ce78a163a7 --- whitechapel/vendor/google/hal_camera_default.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index 95f1b411..af666624 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te @@ -58,3 +58,8 @@ binder_call(hal_camera_default, system_server); # Allow Binder calls to ECO service, needed by Entropy-Aware Filtering allow hal_camera_default eco_service:service_manager find; binder_call(hal_camera_default, mediacodec); + +# Allow camera HAL to query preferred camera frequencies from the radio HAL +# extensions to avoid interference with cellular antennas. +allow hal_camera_default hal_radioext_hwservice:hwservice_manager find; +binder_call(hal_camera_default, hal_radioext_default); From ef8172c028f564bb120ce9d65589dffb5e067148 Mon Sep 17 00:00:00 2001 From: Hridya Valsaraju Date: Tue, 30 Mar 2021 12:30:27 -0700 Subject: [PATCH 119/921] Allow mediacodec to access the vstream-secure DMA-BUF heap This patch fixes the following denial: avc: denied { read } for comm="HwBinder:727_3" name="vstream-secure" dev="tmpfs" ino=693 scontext=u:r:mediacodec:s0 tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file permissive=0 Bug: 183681871 Test: build Change-Id: I018a8d42afe2bb58416b47864b8ffd53de9292cb --- whitechapel/vendor/google/mediacodec.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/mediacodec.te b/whitechapel/vendor/google/mediacodec.te index 2264eac9..caaf5749 100644 --- a/whitechapel/vendor/google/mediacodec.te +++ b/whitechapel/vendor/google/mediacodec.te 
@@ -5,3 +5,4 @@ userdebug_or_eng(` add_service(mediacodec, eco_service) allow mediacodec hal_camera_default:binder call; allow mediacodec sysfs_video:file r_file_perms; +allow mediacodec dmabuf_system_secure_heap_device:chr_file r_file_perms; From 4f5d60403da8c63cf9d11a6d65bdcd18e10bdc4c Mon Sep 17 00:00:00 2001 From: Kevin DuBois Date: Mon, 29 Mar 2021 12:43:16 -0700 Subject: [PATCH 120/921] sepolicy: allow hwservice to see armnn nnhal. Allows hwservice to see armnn nnhal. Fixes: 183917925 Test: build, check for absence of error msg in logcat. Test: run_nnapi_tests for darwinn Test: CtsNNAPITestCases64 --hal_service_instance=android.hardware.neuralnetworks@1.3::IDevice/google-edgetpu --gtest_filter="TestGenerated*" Change-Id: I9778e92d6f15e9aa74774c6a8d143969951046eb --- whitechapel/vendor/google/hal_neuralnetworks_armnn.te | 2 ++ whitechapel/vendor/google/hal_neuralnetworks_darwinn.te | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/whitechapel/vendor/google/hal_neuralnetworks_armnn.te b/whitechapel/vendor/google/hal_neuralnetworks_armnn.te index 64ffc23e..c9872853 100644 --- a/whitechapel/vendor/google/hal_neuralnetworks_armnn.te +++ b/whitechapel/vendor/google/hal_neuralnetworks_armnn.te @@ -1,4 +1,6 @@ type hal_neuralnetworks_armnn, domain; +hal_server_domain(hal_neuralnetworks_armnn, hal_neuralnetworks) + type hal_neuralnetworks_armnn_exec, vendor_file_type, exec_type, file_type; allow hal_neuralnetworks_armnn gpu_device:chr_file rw_file_perms; diff --git a/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te b/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te index 9329a878..25ba9f28 100644 --- a/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te +++ b/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te 
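Review bot: The new `allow mediacodec dmabuf_system_secure_heap_device:chr_file r_file_perms;` line has no comment, although it opens a secure DMA-BUF heap to the codec process. The description names the node (`vstream-secure`), and that belongs in the file, for example `# Allow mediacodec to allocate from the vstream-secure DMA-BUF heap`. The `Test:` line is only `build`, so the denial quoted in the description has not been shown to be gone on a device.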
@@ -14,7 +14,7 @@ allow hal_neuralnetworks_darwinn vendor_configs_file:file r_file_perms; allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:file create_file_perms; allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:dir rw_dir_perms; -# Register to hwbinder service -add_hwservice(hal_neuralnetworks_darwinn, hal_neuralnetworks_hwservice) +# Register to hwbinder service. +# add_hwservice() is granted by hal_server_domain + hal_neuralnetworks.te hwbinder_use(hal_neuralnetworks_darwinn) get_prop(hal_neuralnetworks_darwinn, hwservicemanager_prop) From 880dd700643a96fdd4be684f3a893caa1492ed12 Mon Sep 17 00:00:00 2001 From: Maurice Lam Date: Tue, 30 Mar 2021 22:18:45 +0000 Subject: [PATCH 121/921] Fix cuttlefish test fail due to sepolicy of Wirecutter Need to grant gpu_device dir search permission to be able to render UI on cuttlefish. Fixes: 183995046 Test: atest WirecutterTests Change-Id: I122e541188ce659381769339e3f9e6b720441a92 --- ambient/exo_wirecutter_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/ambient/exo_wirecutter_app.te b/ambient/exo_wirecutter_app.te index c8b63b8f..4fb10062 100644 --- a/ambient/exo_wirecutter_app.te +++ b/ambient/exo_wirecutter_app.te @@ -4,4 +4,5 @@ app_domain(exo_wirecutter_app) allow exo_wirecutter_app app_api_service:service_manager find; allow exo_wirecutter_app fwk_stats_hwservice:hwservice_manager find; +allow exo_wirecutter_app gpu_device:dir search; binder_call(exo_wirecutter_app, statsd) From 98d890424d8fe07ed6afe2ade886cdec9f5d6b48 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 31 Mar 2021 08:32:56 +0800 Subject: [PATCH 122/921] update error on ROM Bug: 184091381 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: Ia37d49cf2e347a22181058987b0edf8f93457c53 --- tracking_denials/hal_camera_default.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te index 6ab5a51c..6390cc13 100644 
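Review bot: Removing `add_hwservice(hal_neuralnetworks_darwinn, hal_neuralnetworks_hwservice)` in hal_neuralnetworks_darwinn.te leaves registration dependent on a `hal_server_domain(hal_neuralnetworks_darwinn, hal_neuralnetworks)` call that this hunk does not show. The series adds that macro only for armnn, so it is worth confirming the darwinn domain already has it. The replacement comment also now sits directly above `hwbinder_use(...)`, where it reads as describing that line; something like `# hwservice registration comes from hal_server_domain(); only hwbinder access is granted here` would be clearer. The rest of the file is outside the hunk.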
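Review bot: The new `allow exo_wirecutter_app gpu_device:dir search;` in exo_wirecutter_app.te has no comment, and the commit message ties it to cuttlefish only, so a later reader of the device policy cannot tell why an app domain needs directory search on the GPU device label. A one-line comment such as `# b/183995046: needed to render UI on cuttlefish` above the rule would keep the justification with the grant. `search` on the directory does not by itself allow opening any device node, so the scope is already narrow.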
--- a/tracking_denials/hal_camera_default.te +++ b/tracking_denials/hal_camera_default.te @@ -3,3 +3,5 @@ dontaudit hal_camera_default system_data_file:dir { search }; # b/180567725 dontaudit hal_camera_default traced:unix_stream_socket { connectto }; dontaudit hal_camera_default traced_producer_socket:sock_file { write }; +# b/184091381 +dontaudit hal_camera_default hal_radioext_hwservice:hwservice_manager { find }; From 44799a27ba91e083773341e3570b5e3279404362 Mon Sep 17 00:00:00 2001 From: Eddie Tashjian Date: Wed, 24 Mar 2021 19:06:34 -0700 Subject: [PATCH 123/921] Add sepolicy for CBRS setup app. Bug: 182519609 Test: Test CBRS setup Change-Id: I3ee27dd80eb0484c9cf2c6be0c63aee996383f7f --- whitechapel/vendor/google/cbrs_setup.te | 13 +++++++++++++ whitechapel/vendor/google/seapp_contexts | 3 +++ 2 files changed, 16 insertions(+) create mode 100644 whitechapel/vendor/google/cbrs_setup.te diff --git a/whitechapel/vendor/google/cbrs_setup.te b/whitechapel/vendor/google/cbrs_setup.te new file mode 100644 index 00000000..1abbcff1 --- /dev/null +++ b/whitechapel/vendor/google/cbrs_setup.te @@ -0,0 +1,13 @@ +# GoogleCBRS app +type cbrs_setup_app, domain; + +userdebug_or_eng(` + app_domain(cbrs_setup_app) + net_domain(cbrs_setup_app) + + allow cbrs_setup_app app_api_service:service_manager find; + allow cbrs_setup_app cameraserver_service:service_manager find; + allow cbrs_setup_app radio_service:service_manager find; + set_prop(cbrs_setup_app, radio_prop) + set_prop(cbrs_setup_app, vendor_rild_prop) +') diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index 1d89e802..43cd77a1 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts 
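Review bot: The added `dontaudit hal_camera_default hal_radioext_hwservice:hwservice_manager { find };` in tracking_denials/hal_camera_default.te suppresses logging for the same access that PATCH 118 of this series grants with `allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;`. With the allow present the dontaudit never fires, and if the allow is ever dropped the resulting denial would be silent. If both changes are meant to land in the same tree, dropping the two added lines keeps the denial visible; whether they target the same branch is not shown here.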
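Review bot: `set_prop(cbrs_setup_app, radio_prop)` and `set_prop(cbrs_setup_app, vendor_rild_prop)` in the new cbrs_setup.te give the app write access to every property carrying those labels, and nothing in the file says which properties the setup flow actually changes. A comment above each rule naming the property and the reason would let a reviewer judge whether a narrower, dedicated property type is possible. The `cameraserver_service` find would benefit from the same one-line justification. All rules sit inside `userdebug_or_eng`, so on user builds the domain is declared but carries no rules.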
@@ -40,3 +40,6 @@ user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymon # RIL Config Service user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file + +# CBRS setup app +user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user \ No newline at end of file From 1db99c759fb5685258fe921ec82fb5093eb8c81d Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 31 Mar 2021 11:34:12 +0800 Subject: [PATCH 124/921] allow vendor_init to set logpersist Bug: 184093803 Test: boot with the permission error gone 03-31 11:11:19.447 1 1 E init : Do not have permissions to set ... Change-Id: Idc4023b2fa1b04ae4a4b95a2e105700e89e9dffa --- whitechapel/vendor/google/vendor_init.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 5ec3a895..48ae4e78 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -12,6 +12,10 @@ allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file write; allow vendor_init bootdevice_sysdev:file create_file_perms; +userdebug_or_eng(` + set_prop(vendor_init, logpersistd_logging_prop) +') + # NFC vendor property set_prop(vendor_init, vendor_nfc_prop) # SecureElement vendor property From 7c926131853d7ae4c01d3403c83c822e6922550a Mon Sep 17 00:00:00 2001 
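Review bot: The new `name=com.google.googlecbrs domain=cbrs_setup_app` entry in seapp_contexts is unconditional, while cbrs_setup.te in the same commit puts every rule for that domain, including `app_domain(cbrs_setup_app)`, inside `userdebug_or_eng`. On a user build the package would still be mapped to a domain with no rules and would presumably fail to start, which is fail-closed but undocumented; a comment such as `# CBRS setup app (userdebug/eng only, see cbrs_setup.te)` would record the intent. The entry is also the last line of the file with no trailing newline (`\ No newline at end of file`), which risks fusing it with whatever is appended or concatenated after it.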
From: Charlie Chen Date: Thu, 25 Mar 2021 14:02:43 +0800 Subject: [PATCH 125/921] Allow Exoplayer access to the vstream-secure heap for secure playback Fixes the following denials: avc: denied { read } for name="name" dev="sysfs" ino=63727 \ scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 tclass=file \ permissive=0 avc: denied { read } for name="name" dev="sysfs" ino=63743 \ scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 tclass=file \ permissive=0 avc: denied { read } for name="name" dev="sysfs" ino=64010 \ scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 tclass=file \ permissive=0 Bug: 182525521 Test: no more denials and able to play video via ExoPlayer App Change-Id: I21033bc78858fd407c16d2cd2df4549f97273221 --- whitechapel/vendor/google/file_contexts | 4 ---- whitechapel/vendor/google/genfs_contexts | 3 +++ 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 2a9aaf08..d1801efd 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -420,10 +420,6 @@ /dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0 -# Video sysfs files -/sys/devices/platform/mfc/video4linux/video6/name u:object_r:sysfs_video:s0 -/sys/devices/platform/mfc/video4linux/video7/name u:object_r:sysfs_video:s0 - # BigOcean /dev/bigocean u:object_r:video_device:s0 diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 60b9cb2c..69e9dd2c 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -243,3 +243,6 @@ genfscon sysfs /devices/platform/bigocean/sscoredump/sscd_bigocean/report_count genfscon sysfs /devices/platform/debugcore/sscoredump/sscd_debugcore/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 + +# mediacodec +genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_video:s0 From fc7c2e2c3a092b0d7c0a85544e33a392daba581a Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 31 Mar 2021 14:27:31 +0800 Subject: [PATCH 126/921] remove obsolete entries Bug: 183560076 Bug: 183338483 Bug: 183467306 Bug: 171760597 Test: pts-tradefed run commandAndExit pts -m PtsSELinuxTest -t com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot Change-Id: Ib35a05176fccd251dfea8b58304a68b0e9bd6412 --- tracking_denials/crash_dump.te | 7 ------- tracking_denials/flags_health_check.te | 21 --------------------- tracking_denials/shell.te | 2 -- 3 files changed, 30 deletions(-) delete mode 100644 tracking_denials/crash_dump.te delete mode 100644 tracking_denials/flags_health_check.te delete mode 100644 tracking_denials/shell.te diff --git a/tracking_denials/crash_dump.te b/tracking_denials/crash_dump.te deleted file mode 100644 index d2c860dc..00000000 --- a/tracking_denials/crash_dump.te +++ /dev/null @@ -1,7 +0,0 @@ -# b/183560076 -dontaudit crash_dump proc_uptime:file { read }; -dontaudit crash_dump proc_uptime:file { open }; -dontaudit crash_dump proc_uptime:file { getattr }; -dontaudit crash_dump proc_uptime:file { getattr }; -dontaudit crash_dump proc_uptime:file { open }; -dontaudit crash_dump proc_uptime:file { read }; 
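Review bot: `genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_video:s0` matches by path prefix, so it relabels every node under each `video*` device, directories included, where the removed file_contexts entries covered only `video6/name` and `video7/name`. Any domain that reached those nodes under the generic `sysfs` label then needs an explicit `sysfs_video` rule. PATCH 128 reverts this change citing broken camera recording, and PATCH 132 re-lands the same line together with `allow mediacodec sysfs_video:dir r_dir_perms;`. A comment on the entry, for example `# prefix match: labels all of video4linux/video*, not only .../name`, would make the wider scope explicit.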
diff --git a/tracking_denials/flags_health_check.te b/tracking_denials/flags_health_check.te deleted file mode 100644 index 014fa7e8..00000000 --- a/tracking_denials/flags_health_check.te +++ /dev/null @@ -1,21 +0,0 @@ -# b/183338483 -dontaudit flags_health_check aac_drc_prop:file { open }; -dontaudit flags_health_check adbd_config_prop:file { map }; -dontaudit flags_health_check adbd_config_prop:file { getattr }; -dontaudit flags_health_check adbd_config_prop:file { open }; -dontaudit flags_health_check ab_update_gki_prop:file { map }; -dontaudit flags_health_check ab_update_gki_prop:file { getattr }; -dontaudit flags_health_check aac_drc_prop:file { open }; -dontaudit flags_health_check aac_drc_prop:file { getattr }; -dontaudit flags_health_check aac_drc_prop:file { map }; -dontaudit flags_health_check ab_update_gki_prop:file { open }; -dontaudit flags_health_check ab_update_gki_prop:file { getattr }; -dontaudit flags_health_check ab_update_gki_prop:file { map }; -dontaudit flags_health_check adbd_config_prop:file { open }; -dontaudit flags_health_check adbd_config_prop:file { getattr }; -dontaudit flags_health_check adbd_config_prop:file { map }; -dontaudit flags_health_check ab_update_gki_prop:file { open }; -dontaudit flags_health_check aac_drc_prop:file { map }; -dontaudit flags_health_check aac_drc_prop:file { getattr }; -# b/183467306 -dontaudit flags_health_check property_type:file *; diff --git a/tracking_denials/shell.te b/tracking_denials/shell.te deleted file mode 100644 index 747394b1..00000000 --- a/tracking_denials/shell.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/171760597 -dontaudit shell property_type:file *; From f01cb384d8031e6f202415567b83cf1ed419cdca Mon Sep 17 00:00:00 2001 
From: millerliang Date: Tue, 30 Mar 2021 09:10:37 +0000 Subject: [PATCH 127/921] Fix MMAP audio avc denied 03-30 16:45:16.840 738 738 I auditd : type=1400 audit(0.0:76): avc: denied { read } for comm="HwBinder:738_2" name="u:object_r:audio_prop:s0" dev="tmpfs" ino=87 scontext=u:r:hal_audio_default:s0 tcontext=u:object_r:audio_prop:s0 tclass=file permissive=0 03-30 16:45:16.980 644 644 I auditd : type=1400 audit(0.0:78): avc: denied { map } for comm="audioserver" path="/dev/snd/pcmC0D0p" dev="tmpfs" ino=977 scontext=u:r:audioserver:s0 tcontext=u:object_r:audio_device:s0 tclass=chr_file permissive=0 Bug: 165737390 Test: verified with the forrest ROM and error log gone Change-Id: I1c8721a051844d3410cffa23411a434c832b416e --- whitechapel/vendor/google/audioserver.te | 2 ++ whitechapel/vendor/google/property_contexts | 1 + 2 files changed, 3 insertions(+) create mode 100644 whitechapel/vendor/google/audioserver.te diff --git a/whitechapel/vendor/google/audioserver.te b/whitechapel/vendor/google/audioserver.te new file mode 100644 index 00000000..69d7c1a4 --- /dev/null +++ b/whitechapel/vendor/google/audioserver.te @@ -0,0 +1,2 @@ +# allow access to ALSA MMAP FDs for AAudio API +allow audioserver audio_device:chr_file r_file_perms; diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index d921e065..cfe71e25 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -66,6 +66,7 @@ persist.vendor.sys. u:object_r:vendor_persist_sys_default_prop:s0 # for audio vendor.audio_hal.period_multiplier u:object_r:vendor_audio_prop:s0 vendor.audiodump.enable u:object_r:vendor_audio_prop:s0 +persist.vendor.audio. u:object_r:vendor_audio_prop:s0 # for display ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0 From ac3d49d41d84138258c0552c1e6ac6c216a7d043 Mon Sep 17 00:00:00 2001 
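Review bot: `allow audioserver audio_device:chr_file r_file_perms;` in the new audioserver.te grants more than the quoted denial needs. The log shows only `{ map }` on `/dev/snd/pcmC0D0p`, while `r_file_perms` also covers `open` and `ioctl`, letting audioserver open audio device nodes itself rather than only mapping descriptors handed over by the audio HAL. `allow audioserver audio_device:chr_file map;` would match both the denial and the comment about MMAP FDs. The first denial in the message (hal_audio_default reading `audio_prop`) is addressed only indirectly by the `persist.vendor.audio.` relabel in property_contexts, so it is worth confirming that one is gone as well.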
From: Charlie Chen Date: Wed, 31 Mar 2021 13:48:06 +0000 Subject: [PATCH 128/921] Revert "Allow Exoplayer access to the vstream-secure heap for secure playback" This reverts commit 7c926131853d7ae4c01d3403c83c822e6922550a. Reason for revert: This commit breaks camera recording Bug: 184154831 Change-Id: Ia4286dab9c5d44c59a3b224e0e24c191eb2be84b --- whitechapel/vendor/google/file_contexts | 4 ++++ whitechapel/vendor/google/genfs_contexts | 3 --- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index d1801efd..2a9aaf08 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -420,6 +420,10 @@ /dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0 +# Video sysfs files +/sys/devices/platform/mfc/video4linux/video6/name u:object_r:sysfs_video:s0 +/sys/devices/platform/mfc/video4linux/video7/name u:object_r:sysfs_video:s0 + # BigOcean /dev/bigocean u:object_r:video_device:s0 diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 69e9dd2c..60b9cb2c 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -243,6 +243,3 @@ genfscon sysfs /devices/platform/bigocean/sscoredump/sscd_bigocean/report_count genfscon sysfs /devices/platform/debugcore/sscoredump/sscd_debugcore/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 - -# mediacodec -genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_video:s0 From 022de778edfe574738a278c7326b218b7abfc00a Mon Sep 17 00:00:00 2001 
From: Eddie Tashjian Date: Wed, 31 Mar 2021 13:55:56 -0700 Subject: [PATCH 129/921] Allow radio vendor apps to modify slog props. Radio vendor silent logging app needs access to the vendor slog properties in order to configure logging. Bug: 184102091 Test: Check vendor silent logging app works. Change-Id: I1a7c590b80d94c0b147743372ba3cd1a0817baf3 --- whitechapel/vendor/google/vendor_telephony_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/vendor_telephony_app.te b/whitechapel/vendor/google/vendor_telephony_app.te index 1f114508..de486c88 100644 --- a/whitechapel/vendor/google/vendor_telephony_app.te +++ b/whitechapel/vendor/google/vendor_telephony_app.te @@ -4,6 +4,7 @@ app_domain(vendor_telephony_app) get_prop(vendor_telephony_app, vendor_rild_prop) get_prop(vendor_telephony_app, vendor_persist_sys_default_prop) set_prop(vendor_telephony_app, vendor_modem_prop) +set_prop(vendor_telephony_app, vendor_slog_prop) r_dir_file(vendor_telephony_app, system_app_data_file) r_dir_file(vendor_telephony_app, vendor_slog_file) From 79304978aeba02f71f137f006a8b048fd9e3a283 Mon Sep 17 00:00:00 2001 From: Yabin Cui Date: Wed, 31 Mar 2021 10:40:09 -0700 Subject: [PATCH 130/921] Move vendor_kernel_modules to public. Bug: 166559473 Bug: 183135316 Test: build Change-Id: Ib62080d3d12aa197571a0697c17f6fd5d981d653 --- whitechapel/vendor/google/file.te | 3 --- 1 file changed, 3 deletions(-) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index ea804182..b66acb0c 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -120,9 +120,6 @@ allow modem_img_file self:filesystem associate; # Wireless type sysfs_wlc, sysfs_type, fs_type; -# Kernel modules -type vendor_kernel_modules, vendor_file_type, file_type; - # Camera type persist_camera_file, file_type; type vendor_camera_tuning_file, vendor_file_type, file_type; From 52a776889c37a72d44b7d0455f8bc16bf3756264 Mon Sep 17 00:00:00 2001 
From: gillianlin Date: Wed, 31 Mar 2021 16:41:41 +0800 Subject: [PATCH 131/921] Fix SELinux error from vendor_init 03-17 09:12:55.380 1 1 I /system/bin/init: type=1107 audit(0.0:3): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { read } for property=mfgapi.touchpanel.permission pid=0 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=1' Bug: 182954248 Change-Id: I9ffff1aab20577950cb43c35d788e6a9c9acd571 --- tracking_denials/vendor_init.te | 2 -- whitechapel/vendor/google/property.te | 3 +++ whitechapel/vendor/google/property_contexts | 3 +++ whitechapel/vendor/google/vendor_init.te | 1 + 4 files changed, 7 insertions(+), 2 deletions(-) diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index 57a0570d..ecaffc0e 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -1,7 +1,5 @@ # b/176528557 dontaudit vendor_init debugfs_trace_marker:file { getattr }; -# b/182954248 -dontaudit vendor_init default_prop:file { read }; # b/183935443 dontaudit vendor_init system_data_file:dir { write }; dontaudit vendor_init system_data_file:dir { write }; diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 55d06df7..6d9ce98c 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -34,3 +34,6 @@ vendor_internal_prop(vendor_nfc_prop) # WiFi vendor_internal_prop(vendor_wifi_version) + +# Touchpanel +vendor_internal_prop(vendor_touchpanel_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index cfe71e25..20bd556c 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts 
@@ -92,3 +92,6 @@ vendor.battery.defender. u:object_r:vendor_battery_defend # WiFi vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0 vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0 + +# Touchpanel +vendor.mfgapi.touchpanel.permission u:object_r:vendor_touchpanel_prop:s0 diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 48ae4e78..a5b7082b 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -7,6 +7,7 @@ set_prop(vendor_init, vendor_sys_default_prop) set_prop(vendor_init, vendor_ims_prop) set_prop(vendor_init, vendor_ssrdump_prop) set_prop(vendor_init, vendor_ro_config_default_prop) +get_prop(vendor_init, vendor_touchpanel_prop) allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file write; From 5602dfde45c2d68a5eb4594aa65c353c1db54f84 Mon Sep 17 00:00:00 2001 
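Review bot: The new property_contexts entry labels `vendor.mfgapi.touchpanel.permission`, but the denial quoted in the commit message is for `property=mfgapi.touchpanel.permission`, without the `vendor.` prefix. Unless the reader is renamed to the prefixed property in a companion change, that lookup will still resolve to `default_prop`. Because this commit also removes `dontaudit vendor_init default_prop:file { read };`, the denial would then start being logged again. Confirm the rename, or note it in the commit message.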
From: Charlie Chen Date: Thu, 1 Apr 2021 10:01:14 +0800 Subject: [PATCH 132/921] SELinux error coming from mediacodec when using GCA and secure playback Fixes the following denials: avc: denied { read } for name="name" dev="sysfs" ino=63727 \ scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 tclass=file \ permissive=0 avc: denied { read } for name="name" dev="sysfs" ino=63743 \ scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 tclass=file \ permissive=0 avc: denied { read } for name="name" dev="sysfs" ino=64010 \ scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 tclass=file \ permissive=0 avc: denied { search } for name="video6" dev="sysfs" ino=64587 \ scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs_video:s0 \ tclass=dir permissive=0 Bug: 182525521 Bug: 184145552 Test: GCA recording works properly, \ Netflix and ExoPlayer can play videos Change-Id: Ib7220feedc5031fb0e5c05a2b487da2ddf8b98cd --- whitechapel/vendor/google/file_contexts | 4 ---- whitechapel/vendor/google/genfs_contexts | 3 +++ whitechapel/vendor/google/mediacodec.te | 1 + 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 99983880..8d550239 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -429,10 +429,6 @@ /dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0 -# Video sysfs files -/sys/devices/platform/mfc/video4linux/video6/name u:object_r:sysfs_video:s0 -/sys/devices/platform/mfc/video4linux/video7/name u:object_r:sysfs_video:s0 - # BigOcean /dev/bigocean u:object_r:video_device:s0 diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 60b9cb2c..69e9dd2c 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -243,3 +243,6 @@ genfscon sysfs /devices/platform/bigocean/sscoredump/sscd_bigocean/report_count genfscon sysfs /devices/platform/debugcore/sscoredump/sscd_debugcore/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 + +# mediacodec +genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_video:s0 diff --git a/whitechapel/vendor/google/mediacodec.te b/whitechapel/vendor/google/mediacodec.te index caaf5749..ed7c1adf 100644 --- a/whitechapel/vendor/google/mediacodec.te +++ b/whitechapel/vendor/google/mediacodec.te @@ -5,4 +5,5 @@ userdebug_or_eng(` add_service(mediacodec, eco_service) allow mediacodec hal_camera_default:binder call; allow mediacodec sysfs_video:file r_file_perms; +allow mediacodec sysfs_video:dir r_dir_perms; allow mediacodec dmabuf_system_secure_heap_device:chr_file r_file_perms; From f96f0c79a3f55aa2296b8b08c6defa10f640f64a Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 1 Apr 2021 15:01:51 +0800 Subject: [PATCH 133/921] remove obsolete entries Bug: 183560282 Bug: 180858511 Bug: 183161715 Bug: 178331791 Bug: 178433597 Test: pts -m PtsSELinuxTest -t com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot Change-Id: Iba208b69389450b8ef69aaecfb799ef696515669 --- tracking_denials/gmscore_app.te | 19 ------------------- tracking_denials/priv_app.te | 10 ---------- tracking_denials/untrusted_app.te | 14 -------------- 3 files changed, 43 deletions(-) delete mode 100644 tracking_denials/gmscore_app.te delete mode 100644 tracking_denials/priv_app.te delete mode 100644 tracking_denials/untrusted_app.te diff --git a/tracking_denials/gmscore_app.te b/tracking_denials/gmscore_app.te deleted file mode 100644 index e19fac87..00000000 
--- a/tracking_denials/gmscore_app.te +++ /dev/null @@ -1,19 +0,0 @@ -# b/183560282 -dontaudit gmscore_app aac_drc_prop:file { map }; -dontaudit gmscore_app ab_update_gki_prop:file { open }; -dontaudit gmscore_app ab_update_gki_prop:file { getattr }; -dontaudit gmscore_app ab_update_gki_prop:file { map }; -dontaudit gmscore_app apexd_config_prop:file { open }; -dontaudit gmscore_app apexd_config_prop:file { getattr }; -dontaudit gmscore_app aac_drc_prop:file { getattr }; -dontaudit gmscore_app aac_drc_prop:file { open }; -dontaudit gmscore_app modem_img_file:filesystem { getattr }; -dontaudit gmscore_app modem_img_file:filesystem { getattr }; -dontaudit gmscore_app aac_drc_prop:file { open }; -dontaudit gmscore_app aac_drc_prop:file { getattr }; -dontaudit gmscore_app aac_drc_prop:file { map }; -dontaudit gmscore_app ab_update_gki_prop:file { open }; -dontaudit gmscore_app ab_update_gki_prop:file { getattr }; -dontaudit gmscore_app ab_update_gki_prop:file { map }; -dontaudit gmscore_app apexd_config_prop:file { open }; -dontaudit gmscore_app apexd_config_prop:file { getattr }; diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te deleted file mode 100644 index 5d984478..00000000 --- a/tracking_denials/priv_app.te +++ /dev/null @@ -1,10 +0,0 @@ -# b/180858511 -dontaudit priv_app hal_neuralnetworks_armnn:binder { call }; -dontaudit priv_app hal_neuralnetworks_armnn:binder { call }; -# b/183161715 -dontaudit priv_app vendor_default_prop:file { open }; -dontaudit priv_app vendor_default_prop:file { getattr }; -dontaudit priv_app vendor_default_prop:file { map }; -dontaudit priv_app vendor_default_prop:file { open }; -dontaudit priv_app vendor_default_prop:file { getattr }; -dontaudit priv_app vendor_default_prop:file { map }; diff --git a/tracking_denials/untrusted_app.te b/tracking_denials/untrusted_app.te deleted file mode 100644 index 703cdf53..00000000 --- a/tracking_denials/untrusted_app.te +++ /dev/null 
@@ -1,14 +0,0 @@ -# b/178331791 -dontaudit untrusted_app selinuxfs:file { open }; -dontaudit untrusted_app vendor_camera_prop:file { map }; -dontaudit untrusted_app vendor_camera_prop:file { open }; -dontaudit untrusted_app vendor_camera_prop:file { getattr }; -dontaudit untrusted_app selinuxfs:file { read }; -dontaudit untrusted_app selinuxfs:file { read }; -dontaudit untrusted_app selinuxfs:file { open }; -dontaudit untrusted_app vendor_camera_prop:file { open }; -dontaudit untrusted_app vendor_camera_prop:file { getattr }; -dontaudit untrusted_app vendor_camera_prop:file { map }; -# b/178433597 -dontaudit untrusted_app vendor_camera_prop:file { read }; -dontaudit untrusted_app vendor_camera_prop:file { read }; From f27370db656cbcb1daf425fbf6fda579e303fc6d Mon Sep 17 00:00:00 2001 From: Yu-Chi Cheng Date: Tue, 30 Mar 2021 18:55:03 -0700 Subject: [PATCH 134/921] Allowed EdgeTPU service to read system properties related to vendor. The EdgeTPU service will read properties including "vendor.edgetpu.service.allow_unlisted_app". This change added the related SELinux rule for it. Bug: 182209462 Test: tested on local Oriole + GCA Change-Id: I8e7f7975bf144593d00a305554d75a5e0200a428 --- whitechapel/vendor/google/edgetpu_service.te | 3 +++ whitechapel/vendor/google/property.te | 4 ++++ whitechapel/vendor/google/property_contexts | 3 +++ whitechapel/vendor/google/vendor_init.te | 1 + 4 files changed, 11 insertions(+) diff --git a/whitechapel/vendor/google/edgetpu_service.te b/whitechapel/vendor/google/edgetpu_service.te index 96e452ca..107b4899 100644 --- a/whitechapel/vendor/google/edgetpu_service.te +++ b/whitechapel/vendor/google/edgetpu_service.te 
@@ -38,3 +38,6 @@ allow edgetpu_server hal_camera_default:fd use; # Allow EdgeTPU service to read the kernel version. # This is done inside the InitGoogle. allow edgetpu_server proc_version:file r_file_perms; + +# Allow EdgeTPU service to read EdgeTPU service related system properties. +get_prop(edgetpu_server, vendor_edgetpu_service_prop); diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 6d9ce98c..05cba796 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -26,6 +26,10 @@ vendor_internal_prop(vendor_camera_debug_prop) vendor_internal_prop(vendor_camera_fatp_prop) vendor_internal_prop(vendor_gps_prop) +# EdgeTPU service requires system public properties +# since it lives under /system_ext/. +system_public_prop(vendor_edgetpu_service_prop) + # Battery defender vendor_internal_prop(vendor_battery_defender_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 20bd556c..108d5d51 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -80,6 +80,9 @@ vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0 # for gps vendor.gps u:object_r:vendor_gps_prop:s0 +# for EdgeTPU +vendor.edgetpu.service. u:object_r:vendor_edgetpu_service_prop:s0 + # SecureElement persist.vendor.se. u:object_r:vendor_secure_element_prop:s0 diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index a5b7082b..4de85fdf 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -8,6 +8,7 @@ set_prop(vendor_init, vendor_ims_prop) set_prop(vendor_init, vendor_ssrdump_prop) set_prop(vendor_init, vendor_ro_config_default_prop) get_prop(vendor_init, vendor_touchpanel_prop) +set_prop(vendor_init, vendor_edgetpu_service_prop) allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file write; 
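Review bot: `system_public_prop(vendor_edgetpu_service_prop)` in property.te declares a system-owned type for the `vendor.edgetpu.service.` prefix, which vendor policy then lets `vendor_init` set. For a property written on the vendor side and read by a service under /system_ext, `vendor_restricted_prop(vendor_edgetpu_service_prop)` may fit better: it keeps the type vendor-owned and readable from outside vendor while blocking writes from system domains. The commit message names `vendor.edgetpu.service.allow_unlisted_app`, which looks like an access-control switch, so keeping the set of writers as small as `vendor_init` matters. The hunks in edgetpu_service.te, property_contexts and vendor_init.te depend on the same type.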
From 765e8e2374baec527202884f4560ac003ae4ebdf Mon Sep 17 00:00:00 2001 From: Cheng Gu Date: Thu, 1 Apr 2021 10:47:20 -0700 Subject: [PATCH 135/921] gs101-sepolicy: Allow binder call rlsservice from camera This is to fix below avc denial: E SELinux : avc: denied { find } for pid=28954 uid=1000 name=rlsservice scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:rls_service:s0 tclass=service_manager permissive=0 The solution is similar to ag/7253836 (coral) and ag/10232101 (redbull). Fix: 183620858 Test: adb shell setprop persist.vendor.camera.dump_range_data 1 && adb shell pkill -f camera, then retest camera Change-Id: I6bb743c15ee64e3c4ecb8359126b238554aa649e --- whitechapel/vendor/google/hal_camera_default.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index 5db0ed6e..98de1b23 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te @@ -28,6 +28,10 @@ allow hal_camera_default persist_camera_file:file r_file_perms; get_prop(hal_camera_default, vendor_camera_prop); get_prop(hal_camera_default, vendor_camera_debug_prop); +# For camera hal to talk with rlsservice +allow hal_camera_default rls_service:service_manager find; +binder_call(hal_camera_default, rlsservice) + hal_client_domain(hal_camera_default, hal_graphics_allocator); hal_client_domain(hal_camera_default, hal_power); hal_client_domain(hal_camera_default, hal_thermal); From 98c223e8629b00d6c017a30c977f2244b6cb4d26 Mon Sep 17 00:00:00 2001 
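Review bot: The `rls_service` find and `binder_call(hal_camera_default, rlsservice)` added to hal_camera_default.te are unconditional, while the commit's test steps exercise them through `persist.vendor.camera.dump_range_data`, which reads like a debug dump path. If that is the only consumer, wrapping the two rules in `userdebug_or_eng` would keep the extra binder surface off user builds. If production code uses rlsservice too, the comment above the rules should name the feature that needs it, since "to talk with rlsservice" does not say why. The rest of the file is outside the hunk.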
From: Michael Wright Date: Sat, 20 Mar 2021 11:32:02 +0000 Subject: [PATCH 136/921] Add new ITouchContextService interface to twoshay Bug: 174626987 Test: boot, see no denials Change-Id: I963d5b77969571182b94c4265653c5d22e124247 --- whitechapel/vendor/google/platform_app.te | 5 ++++- whitechapel/vendor/google/service.te | 1 + whitechapel/vendor/google/service_contexts | 1 + whitechapel/vendor/google/twoshay.te | 2 ++ 4 files changed, 8 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/platform_app.te b/whitechapel/vendor/google/platform_app.te index 3c7be060..dd8a627c 100644 --- a/whitechapel/vendor/google/platform_app.te +++ b/whitechapel/vendor/google/platform_app.te @@ -5,4 +5,7 @@ allow platform_app hal_wlc_hwservice:hwservice_manager find; binder_call(platform_app, hal_wlc) allow platform_app fwk_stats_hwservice:hwservice_manager find; -allow platform_app nfc_service:service_manager find; \ No newline at end of file +allow platform_app nfc_service:service_manager find; + +allow platform_app touch_context_service:service_manager find; +binder_call(platform_app, twoshay) diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te index e94b128e..f66b28c3 100644 --- a/whitechapel/vendor/google/service.te +++ b/whitechapel/vendor/google/service.te @@ -1,2 +1,3 @@ type hal_pixel_display_service, service_manager_type, vendor_service; type uwb_service, service_manager_type; +type touch_context_service, service_manager_type, vendor_service; diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index 669a5166..8faa69bd 100644 --- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts 
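Review bot: `allow platform_app touch_context_service:service_manager find;` with `binder_call(platform_app, twoshay)` opens the new service to every app running in the `platform_app` domain, not to one client, and the block has no comment naming the intended caller. SELinux cannot narrow this further within a shared domain, so any per-caller restriction has to be enforced inside the service itself; whether twoshay does so is not visible here. A comment such as `# ITouchContextService (twoshay) client: <app name>` above the two rules would document the intended consumer.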
@@ -1,4 +1,5 @@ # EdgeTPU service com.google.edgetpu.IEdgeTpuService/default u:object_r:edgetpu_service:s0 com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 +com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0 uwb u:object_r:uwb_service:s0 diff --git a/whitechapel/vendor/google/twoshay.te b/whitechapel/vendor/google/twoshay.te index 139294d6..ad239702 100644 --- a/whitechapel/vendor/google/twoshay.te +++ b/whitechapel/vendor/google/twoshay.te @@ -6,3 +6,5 @@ init_daemon_domain(twoshay) allow twoshay touch_offload_device:chr_file rw_file_perms; allow twoshay twoshay:capability sys_nice; +binder_use(twoshay) +add_service(twoshay, touch_context_service) From e277259f086604090fa7db40db0ee88ee1a813eb Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Thu, 1 Apr 2021 15:28:07 +0800 Subject: [PATCH 137/921] e2fs: Fix avc errors avc: denied { read } for comm="mke2fs" name="sda5" dev="tmpfs" ino=574 scontext=u:r:e2fs:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file avc: denied { ioctl } for comm="mke2fs" path="/dev/block/sda5" dev="tmpfs" ino=510 ioctlcmd=0x127b scontext=u:r:e2fs:s0 tcontext=u:object_r:efs_block_device:s0 tclass=blk_file Bug: 184221482 Change-Id: Ic0c697bb591135d9830cd9e32e110cb5b5eb1504 --- whitechapel/vendor/google/e2fs.te | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 whitechapel/vendor/google/e2fs.te diff --git a/whitechapel/vendor/google/e2fs.te b/whitechapel/vendor/google/e2fs.te new file mode 100644 index 00000000..a6664594 --- /dev/null +++ b/whitechapel/vendor/google/e2fs.te @@ -0,0 +1,6 @@ +allow e2fs persist_block_device:blk_file rw_file_perms; +allow e2fs efs_block_device:blk_file rw_file_perms; +allow e2fs modem_userdata_block_device:blk_file rw_file_perms; +allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl { + BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET +}; 
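Review bot: The new e2fs.te grants more than the two denials quoted in the commit message account for. The logged denials are `read` and ioctl 0x127b (BLKPBSZGET) on efs_block_device, while the rules give `rw_file_perms` on persist_block_device, efs_block_device and modem_userdata_block_device and allow BLKSECDISCARD and BLKDISCARD on all three. If formatting these partitions is the intent, a header comment should say when mke2fs is expected to run on them and why the discard ioctls are needed. If it is not, the rule can stay at what was actually denied, e.g. `allowxperm e2fs efs_block_device:blk_file ioctl { BLKPBSZGET };` plus the read permission.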
From 8a1f0bed011c2183b69cb41d64496306a797dafa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Thu, 1 Apr 2021 20:18:18 -0700 Subject: [PATCH 138/921] Mark libGralloc4Wrapper.so as same-process HAL. Updating the library name after upgrade to gralloc version 4. Bug: 178656396 Test: GCA on oriole Change-Id: I638b3cd0d7f4759f89a62a1d102cc98d9a3db622 --- whitechapel/vendor/google/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 8d550239..0eb94c7a 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -173,7 +173,7 @@ /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 /data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0 /vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libGrallocWrapper\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libGralloc4Wrapper\.so u:object_r:same_process_hal_file:s0 /dev/lwis-act0 u:object_r:lwis_device:s0 From ceafb82c02552e907d1d2485ab195131872ef07c Mon Sep 17 00:00:00 2001 From: Vova Sharaienko Date: Fri, 2 Apr 2021 00:45:08 +0000 Subject: [PATCH 139/921] exo: updated sepolicy This allows the Exo to access AIDL Stats service Bug: 181892307 Test: Build, flash, boot & and logcat | grep "IStats" Change-Id: I6ae1c37505b312617376bc3c954720c8a1f223d2 --- ambient/exo_app.te | 2 ++ ambient/exo_wirecutter_app.te | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ambient/exo_app.te b/ambient/exo_app.te index f21b7cb2..b7a30e28 100644 --- a/ambient/exo_app.te +++ b/ambient/exo_app.te 
@@ -9,11 +9,13 @@ allow exo_app cameraserver_service:service_manager find; allow exo_app mediaserver_service:service_manager find; allow exo_app radio_service:service_manager find; allow exo_app fwk_stats_hwservice:hwservice_manager find; +allow exo_app fwk_stats_service:service_manager find; allow exo_app mediametrics_service:service_manager find; allow exo_app gpu_device:dir search; allow exo_app uhid_device:chr_file rw_file_perms; binder_call(exo_app, statsd) +binder_use(exo_app) get_prop(exo_app, device_config_runtime_native_boot_prop) diff --git a/ambient/exo_wirecutter_app.te b/ambient/exo_wirecutter_app.te index 4fb10062..1450b4cc 100644 --- a/ambient/exo_wirecutter_app.te +++ b/ambient/exo_wirecutter_app.te @@ -1,4 +1,4 @@ -type exo_wirecutter_app, domain; +type exo_wirecutter_app, domain, coredomain; app_domain(exo_wirecutter_app) @@ -6,3 +6,5 @@ allow exo_wirecutter_app app_api_service:service_manager find; allow exo_wirecutter_app fwk_stats_hwservice:hwservice_manager find; allow exo_wirecutter_app gpu_device:dir search; binder_call(exo_wirecutter_app, statsd) +allow exo_wirecutter_app fwk_stats_service:service_manager find; +binder_use(exo_wirecutter_app) From 852d1dc3c1612b9a554f822d260ab3fe359ee362 Mon Sep 17 00:00:00 2001 From: Wei Wang Date: Fri, 2 Apr 2021 14:22:37 -0700 Subject: [PATCH 140/921] Grant GPU and Fabric node access Bug: 183626384 Test: boot Signed-off-by: Wei Wang Change-Id: Ibb700110795f81a2da4358352111f61ef987c29b --- whitechapel/vendor/google/file.te | 6 ++++++ whitechapel/vendor/google/genfs_contexts | 6 ++++++ whitechapel/vendor/google/hal_power_default.te | 2 ++ 3 files changed, 14 insertions(+) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index ea804182..64f01385 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te 
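Review bot: The first exo_wirecutter_app.te hunk changes the type declaration to `type exo_wirecutter_app, domain, coredomain;`, which the commit message does not mention; it only describes access to the AIDL Stats service. coredomain decides which side of the system/vendor neverallow rules the domain is checked against, so it deserves its own line in the description and a comment next to the declaration stating why this app domain is a core domain. The `binder_use(...)` lines added for both domains may also be redundant if `app_domain()` already places them in appdomain, which is worth confirming against the base policy before keeping them.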
@@ -173,6 +173,12 @@ type persist_battery_file, file_type, vendor_persist_type; # CPU type sysfs_cpu, sysfs_type, fs_type; +# GPU +type sysfs_gpu, sysfs_type, fs_type; + +# Fabric +type sysfs_fabric, sysfs_type, fs_type; + # Memory type sysfs_memory, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 69e9dd2c..3502a1ed 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -208,6 +208,12 @@ genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/time_in_state u:object_r:sysfs_cpu:s0 genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/time_in_state u:object_r:sysfs_cpu:s0 +# Fabric +genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/interactive/target_load u:object_r:sysfs_fabric:s0 + +# GPU +genfscon sysfs /devices/platform/1c500000.mali/scaling_min_freq u:object_r:sysfs_gpu:s0 + # nvmem (Non Volatile Memory layer) genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/4-00500/nvmem u:object_r:sysfs_memory:s0 diff --git a/whitechapel/vendor/google/hal_power_default.te b/whitechapel/vendor/google/hal_power_default.te index c5aa154a..20c1ec35 100644 --- a/whitechapel/vendor/google/hal_power_default.te +++ b/whitechapel/vendor/google/hal_power_default.te @@ -3,6 +3,8 @@ allow hal_power_default sysfs_fs_f2fs:dir r_dir_perms; allow hal_power_default sysfs_fs_f2fs:file rw_file_perms; allow hal_power_default sysfs_vendor_sched:file rw_file_perms; allow hal_power_default cpuctl_device:file rw_file_perms; +allow hal_power_default sysfs_gpu:file rw_file_perms; +allow hal_power_default sysfs_fabric:file rw_file_perms; set_prop(hal_power_default, vendor_camera_prop) set_prop(hal_power_default, vendor_camera_debug_prop) set_prop(hal_power_default, vendor_camera_fatp_prop) 
From 72011a8a871d9604f5e434484bdb0f7d019d82d9 Mon Sep 17 00:00:00 2001 From: Cheng Gu Date: Fri, 2 Apr 2021 12:10:05 -0700 Subject: [PATCH 141/921] gs101-sepolicy: Allow rlsservice to access range sensor Fix: 184295618 Test: rlsservice_test Change-Id: Iee4cc5376e0eb67e75ae94cd15b5211a7ec819ef --- whitechapel/vendor/google/device.te | 3 +++ whitechapel/vendor/google/file_contexts | 1 + whitechapel/vendor/google/rlsservice.te | 3 +++ 3 files changed, 7 insertions(+) diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index fef97187..f9d422fc 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -36,6 +36,9 @@ type touch_offload_device, dev_type; # LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL type lwis_device, dev_type; +# RLS device +type rls_device, dev_type; + # sensor direct DMA-BUF heap type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 0eb94c7a..91773613 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -175,6 +175,7 @@ /vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libGralloc4Wrapper\.so u:object_r:same_process_hal_file:s0 +/dev/stmvl53l1_ranging u:object_r:rls_device:s0 /dev/lwis-act0 u:object_r:lwis_device:s0 /dev/lwis-act1 u:object_r:lwis_device:s0 diff --git a/whitechapel/vendor/google/rlsservice.te b/whitechapel/vendor/google/rlsservice.te index 2217908d..10f76dcc 100644 --- a/whitechapel/vendor/google/rlsservice.te +++ b/whitechapel/vendor/google/rlsservice.te 
@@ -13,6 +13,9 @@ allow rlsservice persist_camera_file:dir search; allow rlsservice persist_camera_file:file r_file_perms; allow rlsservice mnt_vendor_file:dir search; +# access device files +allow rlsservice rls_device:chr_file rw_file_perms; + binder_call(rlsservice, hal_sensors_default) binder_call(rlsservice, hal_camera_default) From a4b253476ccfd1384bac25c8f2a4f2527b508cfc Mon Sep 17 00:00:00 2001 From: Grace Chen Date: Sun, 28 Mar 2021 09:30:08 -0700 Subject: [PATCH 142/921] Add selinux permissions for NFC/eSIM fw upgrade Bug: 183709811 Test: Confirm no selinux permissions errors. Change-Id: Ibd98558a2446567d4beb1f6b88acafc05c3c1951 --- tracking_denials/ofl_app.te | 3 +++ whitechapel/vendor/google/ofl_app.te | 17 +++++++++++++++++ whitechapel/vendor/google/seapp_contexts | 5 ++++- 3 files changed, 24 insertions(+), 1 deletion(-) create mode 100644 tracking_denials/ofl_app.te create mode 100644 whitechapel/vendor/google/ofl_app.te diff --git a/tracking_denials/ofl_app.te b/tracking_denials/ofl_app.te new file mode 100644 index 00000000..525ebdad --- /dev/null +++ b/tracking_denials/ofl_app.te @@ -0,0 +1,3 @@ +# b/184005231 +dontaudit ofl_app default_prop:file { read }; + diff --git a/whitechapel/vendor/google/ofl_app.te b/whitechapel/vendor/google/ofl_app.te new file mode 100644 index 00000000..e3f61408 --- /dev/null +++ b/whitechapel/vendor/google/ofl_app.te @@ -0,0 +1,17 @@ +# OFLBasicAgent app + +type ofl_app, domain; + +userdebug_or_eng(` + app_domain(ofl_app) + net_domain(ofl_app) + + allow ofl_app app_api_service:service_manager find; + allow ofl_app nfc_service:service_manager find; + allow ofl_app radio_service:service_manager find; + allow ofl_app surfaceflinger_service:service_manager find; + + # Access to directly update firmware on secure_element + typeattribute secure_element_device mlstrustedobject; + allow ofl_app secure_element_device:chr_file rw_file_perms; +') 
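Review bot: In the new ofl_app.te, `typeattribute secure_element_device mlstrustedobject;` is not scoped to ofl_app. The attribute attaches to the type, so on userdebug/eng builds it lifts the MLS check on the secure element device node for every domain that has type-enforcement access to it. The existing comment explains only the firmware-update access, so I would add one for the attribute, e.g. `# mlstrustedobject: ofl_app is labelled with levelFrom=user; this removes MLS checks on the node for all domains`, after confirming that levelFrom is the reason. It would also help to list in the description which other domains are allowed secure_element_device:chr_file, since they are affected by the same line.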
diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index 43cd77a1..db3c3adc 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts @@ -42,4 +42,7 @@ user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymon user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file # CBRS setup app -user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user \ No newline at end of file +user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user + +# Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade +user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user From 60872ac2e93af10091bb041aecf23e56d3f15110 Mon Sep 17 00:00:00 2001 From: Zhijun He Date: Mon, 5 Apr 2021 15:50:10 -0700 Subject: [PATCH 143/921] camera: allow the camera hal to set fatp prop Test: camera tests Bug: 184572956 Change-Id: Ie8bc386aa60cf2e46732f2f68c8cb7e86733cb53 --- whitechapel/vendor/google/hal_camera_default.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index 13496af1..f03508e0 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te @@ -46,6 +46,11 @@ tmpfs_domain(hal_camera_default); # Allow access to camera-related system properties get_prop(hal_camera_default, vendor_camera_prop); get_prop(hal_camera_default, vendor_camera_debug_prop); +userdebug_or_eng(` + set_prop(hal_camera_default, vendor_camera_fatp_prop); + set_prop(hal_camera_default, vendor_camera_debug_prop); +') + # For camera hal to talk with rlsservice allow hal_camera_default rls_service:service_manager find; 
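Review bot: The seapp_contexts entry for com.thales.device.ofl.app.basicagent is unconditional, but every rule for ofl_app in ofl_app.te is inside `userdebug_or_eng(...)`. On a user build a platform-signed privileged app with this package name would therefore still be placed in ofl_app, a domain declared only as `type ofl_app, domain;` with no app_domain() rules. If the app is never installed on user builds, the comment should say so, e.g. `# userdebug/eng only: ofl_app has no rules on user builds (see ofl_app.te)`; otherwise the mapping needs to be kept out of user builds as well.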
From 91c7813ea89b6bd9cd434ce2ac17c18d83062268 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 6 Apr 2021 10:31:16 +0800 Subject: [PATCH 144/921] remove obsolete mobicore operations Bug: 183935443 Test: boot to home with no related avc error Change-Id: Ief907a7a77f721e58820670e9f37570fd640b473 --- tracking_denials/vendor_init.te | 3 --- 1 file changed, 3 deletions(-) diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index ecaffc0e..d2c20fe1 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -1,5 +1,2 @@ # b/176528557 dontaudit vendor_init debugfs_trace_marker:file { getattr }; -# b/183935443 -dontaudit vendor_init system_data_file:dir { write }; -dontaudit vendor_init system_data_file:dir { write }; From fc69c665eed2f0e3eb490f77367bf2ff6de11448 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 6 Apr 2021 11:08:59 +0800 Subject: [PATCH 145/921] update error on ROM 7260355 Bug: 184593993 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I49fb702a81f2fcd17e395954f24cd69ab2d272fc --- tracking_denials/untrusted_app.te | 4 ++++ whitechapel/vendor/google/genfs_contexts | 1 + 2 files changed, 5 insertions(+) create mode 100644 tracking_denials/untrusted_app.te diff --git a/tracking_denials/untrusted_app.te b/tracking_denials/untrusted_app.te new file mode 100644 index 00000000..9b098f88 --- /dev/null +++ b/tracking_denials/untrusted_app.te @@ -0,0 +1,4 @@ +# b/184593993 +dontaudit untrusted_app vendor_camera_prop:file { read }; +dontaudit untrusted_app vendor_camera_prop:file { read }; +dontaudit untrusted_app vendor_camera_prop:file { read }; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 3502a1ed..1d252212 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
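Review bot: The new tracking_denials/untrusted_app.te repeats the same rule three times; a single `dontaudit untrusted_app vendor_camera_prop:file { read };` has the same effect. This dontaudit also silences the audit record for any third-party app that reads vendor camera properties, which is a signal worth keeping in logs, so the b/184593993 comment should state what the expected reader is and that the entry is temporary.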
@@ -81,6 +81,7 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-s genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/3-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0 # Touch genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0 From 1a25f34051977fa9daa666f0106f078a5866bf9c Mon Sep 17 00:00:00 2001 From: yixuanjiang Date: Tue, 6 Apr 2021 12:41:24 +0800 Subject: [PATCH 146/921] audio: add support for aocdump to aceess audio state check audio state for SSR usage Test: local with enforcing mode Bug: 184239981 Signed-off-by: yixuanjiang Change-Id: I45db556434251576a1d691f1aebf2940fff283fe --- whitechapel/vendor/google/aocdump.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/aocdump.te b/whitechapel/vendor/google/aocdump.te index bfd11d48..dabc5ed6 100644 --- a/whitechapel/vendor/google/aocdump.te +++ b/whitechapel/vendor/google/aocdump.te @@ -9,6 +9,7 @@ userdebug_or_eng(` allow aocdump radio_vendor_data_file:dir rw_dir_perms; allow aocdump radio_vendor_data_file:file create_file_perms; set_prop(aocdump, vendor_audio_prop); + r_dir_file(aocdump, proc_asound) allow aocdump self:unix_stream_socket create_stream_socket_perms; allow aocdump property_socket:sock_file { write }; From 05825886f498ae010b29db63f231c2af08c47460 Mon Sep 17 00:00:00 2001 From: Yabin Cui Date: Wed, 31 Mar 2021 10:40:09 -0700 Subject: [PATCH 147/921] Move vendor_kernel_modules to public. Bug: 166559473 Bug: 183135316 Test: build Change-Id: Ib62080d3d12aa197571a0697c17f6fd5d981d653 --- whitechapel/vendor/google/file.te | 3 --- 1 file changed, 3 deletions(-) 
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 64f01385..9f59c21e 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -120,9 +120,6 @@ allow modem_img_file self:filesystem associate; # Wireless type sysfs_wlc, sysfs_type, fs_type; -# Kernel modules -type vendor_kernel_modules, vendor_file_type, file_type; - # Camera type persist_camera_file, file_type; type vendor_camera_tuning_file, vendor_file_type, file_type; From 8066a9f4719a3a44f2a312c0d17797909cfec94a Mon Sep 17 00:00:00 2001 From: Eddie Tashjian Date: Tue, 6 Apr 2021 16:40:55 -0700 Subject: [PATCH 148/921] Fix modem logging configuration. Missing binder configuration for dmd to return responses to modem logging control binary, for cases when it needs to get log mask configuration information. Bug: 184605350 Test: Check logging works with selinux enabled. Change-Id: Ia9a80870927fd890266f702b091343b4b4018673 --- whitechapel/vendor/google/dmd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/dmd.te b/whitechapel/vendor/google/dmd.te index 8c9a2fc0..0b5ff5a9 100644 --- a/whitechapel/vendor/google/dmd.te +++ b/whitechapel/vendor/google/dmd.te @@ -28,3 +28,4 @@ get_prop(dmd, hwservicemanager_prop) add_hwservice(dmd, hal_vendor_oem_hwservice) binder_call(dmd, hwservicemanager) binder_call(dmd, modem_diagnostic_app) +binder_call(dmd, modem_logging_control) \ No newline at end of file From 59ba0f97aa1d193969f45498a2293d890e65df48 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 7 Apr 2021 11:56:49 +0800 Subject: [PATCH 149/921] grant debugfs access to insmod under userdebug Bug: 182086611 Test: boot with the error gone Change-Id: I555c12b4ccbb61266dc289aac577d0240bde4d28 --- tracking_denials/init-insmod-sh.te | 4 ---- whitechapel/vendor/google/init-insmod-sh.te | 4 ++++ 2 files changed, 4 insertions(+), 4 deletions(-) delete mode 100644 tracking_denials/init-insmod-sh.te 
diff --git a/tracking_denials/init-insmod-sh.te b/tracking_denials/init-insmod-sh.te deleted file mode 100644 index 9f615fab..00000000 --- a/tracking_denials/init-insmod-sh.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/182086611 -dontaudit init-insmod-sh vendor_regmap_debugfs:dir { search }; -dontaudit init-insmod-sh vendor_regmap_debugfs:dir { search }; -dontaudit init-insmod-sh vendor_regmap_debugfs:dir { search }; diff --git a/whitechapel/vendor/google/init-insmod-sh.te b/whitechapel/vendor/google/init-insmod-sh.te index e8424941..c4d29945 100644 --- a/whitechapel/vendor/google/init-insmod-sh.te +++ b/whitechapel/vendor/google/init-insmod-sh.te @@ -8,4 +8,8 @@ allow init-insmod-sh vendor_toolbox_exec:file execute_no_trans; set_prop(init-insmod-sh, vendor_device_prop) +userdebug_or_eng(` + allow init-insmod-sh vendor_regmap_debugfs:dir search; +') + dontaudit init-insmod-sh proc_cmdline:file r_file_perms; From dcd42938da21d625b72bc8cabd1d0ae383792e2c Mon Sep 17 00:00:00 2001 From: Sriram Kashyap M S Date: Mon, 5 Apr 2021 20:14:50 +0000 Subject: [PATCH 150/921] Allow EdgeTPU NNAPI HAL to access socket files for IPC. Bug: 182524105 Test: ./scripts/run_tests.sh on Oriole. Change-Id: I85106f004fcee2cccc44609584165a0e2ce654e3 --- whitechapel/vendor/google/hal_neuralnetworks_darwinn.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te b/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te index 2791a525..d2b8fa3c 100644 --- a/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te +++ b/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te 
@@ -14,6 +14,9 @@ allow hal_neuralnetworks_darwinn vendor_configs_file:file r_file_perms; allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:file create_file_perms; allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:dir rw_dir_perms; +# Allow DarwiNN service to access unix sockets for IPC. +allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:sock_file { create unlink rw_file_perms }; + # Register to hwbinder service. # add_hwservice() is granted by hal_server_domain + hal_neuralnetworks.te hwbinder_use(hal_neuralnetworks_darwinn) From a346a7fa34c9bfe06ce8b9c5a40c4ce1a42c7f56 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 7 Apr 2021 14:10:00 +0800 Subject: [PATCH 151/921] remove wildcard on kernel modules Bug: 170786122 Test: Boot with all kernal modules loaded Change-Id: I0d1d861af290181231223630497788c051c83ecb --- whitechapel/vendor/google/file_contexts | 222 +++++++++++++++++++++++- 1 file changed, 220 insertions(+), 2 deletions(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 91773613..8f1f3652 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -374,8 +374,226 @@ /vendor/bin/pixelstats-vendor u:object_r:pixelstats_vendor_exec:s0 # Vendor_kernel_modules -/vendor/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/abrolhos\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/acpm_flexpmu_dbg\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/acpm_mbox_test\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/aoc_alsa_dev\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/aoc_alsa_dev_util\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/aoc_channel_dev\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/aoc_char_dev\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/aoc_control_dev\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/aoc_core\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/aoc_usb_driver\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/aoc_uwb_platform_drv\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/aoc_uwb_service_dev\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/arm_dsu_pmu\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/at24\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/audiometrics\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/bbd\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/bcm47765\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/bc_max77759\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/bcm_dbg\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/bcmdhd43752\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/bcmdhd4389\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/bigocean\.ko u:object_r:vendor_kernel_modules:s0 
+/vendor_dlkm/lib/modules/boot_device_spi\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/clk_exynos\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/cmupmucal\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/cpif\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/cp_thermal_zone\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/dbgcore-dump\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/debug-reboot\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/debug-snapshot-debug-kinfo\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/debug-snapshot-qd\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/debug-snapshot-sfrdump\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/deferred-free-helper\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/drv2624\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/dss\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/dw3000\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/dwc3-exynos-usb\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/dwc3-haps\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/dwc3\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/dwc3-of-simple\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/dwc3-qcom\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/ect_parser\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/eh\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/eh_test\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos-acme\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos-adv-tracer\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos-adv-tracer-s2d\.ko u:object_r:vendor_kernel_modules:s0 
+/vendor_dlkm/lib/modules/exynos-bcm_dbg-dump\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos-bts\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos-btsopsgs101\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos-coresight-etm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos-coresight\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos-cpuhp\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos-cpupm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos-debug-test\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos_devfreq\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos_dit\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos-dm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos-drm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos-ecc-handler\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos_mct\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos_mfc\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos-pd-dbg\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos-pd_el3\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos-pd\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos-pm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos_pm_qos\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos-pmu-if\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos-reboot\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos-seclog\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exynos_tty\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/exyswd-rng\.ko u:object_r:vendor_kernel_modules:s0 
+/vendor_dlkm/lib/modules/ftm5\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/g2d\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/goodixfp\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/google-battery\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/google-bms\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/google-charger\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/google-cpm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/google_dual_batt_gauge\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/gpu_cooling\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/gs101_bcl\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/gs101-itmon\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/gs101_spmic_thermal\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/gs101_thermal\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/gs_acpm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/gsa_gsc\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/gsa\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/gs-chipid\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/gsc-spi\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/gvotable\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/haptics-cs40l2x\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/hardlockup-debug\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/hardlockup-watchdog\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/heatmap\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/i2c-acpm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/i2c-dev\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/i2c-exynos5\.ko 
u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/ion_exynos_mod\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/keycombo\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/keydebug\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/logbuffer\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/lwis\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/lzo\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/lzo-rle\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/mailbox-wc\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/mali_kbase\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/mali_pixel\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/max1720x-battery\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/max20339\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/max77729_charger\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/max77729-pmic\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/max77729_uic\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/max77759_charger\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/max77759_contaminant\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/max77759_helper\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/max77826-gs-regulator\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/mcps802154\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/mcps802154_region_fira\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/memlat-devfreq\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/nitrous\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/odpm\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/overheat_mitigation\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/p9221\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/page_pool\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/panel-boe-tv080wumng0\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/panel-boe-tv101wumng0\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/panel-samsung-drv\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/panel-samsung-emul\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/panel-samsung-s6e3fc3\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/panel-samsung-s6e3hc2\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/panel-samsung-s6e3hc3\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/panel-samsung-sofef01\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/pca9468\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/pcie-exynos-core\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/pcie-exynos-gs101-rc-cal\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/phy-exynos-mipi-dsim\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/phy-exynos-mipi\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/phy-exynos-usbdrd-super\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/pinctrl-samsung-core\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/pinctrl-slg51000\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/pixel-debug-test\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/pixel_stat_mm\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/pixel_stat_sysfs\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/pktgen\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/pl330\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/pmic_class\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/power_stats\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/rtc-s2mpg10\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/s2mpg10-mfd\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/s2mpg10-powermeter\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/s2mpg10-regulator\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/s2mpg11-mfd\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/s2mpg11-powermeter\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/s2mpg11-regulator\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/s2mpg1x-gpio\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/s2mpu\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/s3c2410_wdt\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/samsung_dma_heap\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/samsung-dma\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/samsung-iommu-group\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/samsung_iommu\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/samsung-secure-iova\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/sbb-mux\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/sched_tp\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/sec_touch\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/sg\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/shm_ipc\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/slc_acpm\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/slc_dummy\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/slc_pmon\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/slc_pt\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/slg46826\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/slg51000-core\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/slg51000-regulator\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/smfc\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/snd-soc-cs35l41-i2c\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/snd-soc-cs35l41\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/snd-soc-cs35l41-spi\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/snd-soc-max98357a\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/snd-soc-rl6231\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/snd-soc-rt5682-i2c\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/snd-soc-rt5682\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/snd-soc-wm-adsp\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/softdog\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/spidev\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/spi-s3c64xx\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/sscoredump\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/st21nfc\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/st33spi\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/st54spi\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/stmvl53l1\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/systrace\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/tcpci_fusb307\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/tcpci_max77759\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/touch_bus_negotiator\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/touch_offload\.ko u:object_r:vendor_kernel_modules:s0
+/vendor_dlkm/lib/modules/trusty-core\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/trusty-ipc\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/trusty-irq\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/trusty-log\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/trusty-test\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/trusty-virtio\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/ufs-exynos-core\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/usb_f_dm1\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/usb_f_dm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/usb_f_etr_miu\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/usb_psy\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/vh_fs\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/vh_sched\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/vh_thermal\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/videobuf2-dma-sg\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/xhci-exynos\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/xhci-hcd\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/xhci-pci\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/xhci-plat-hcd\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/zcomp_cpu\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/zcomp_eh\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/zram\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/zsmalloc\.ko u:object_r:vendor_kernel_modules:s0 # Display /vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0 From 7e8fca80415c80b447003b042120a7f27d1aa3ef Mon Sep 17 00:00:00 2001 
From: yixuanjiang Date: Wed, 7 Apr 2021 15:01:29 +0800 Subject: [PATCH 152/921] whitechapel: add permission for pixellogger set audio property Bug: 184708066 Test: local test Signed-off-by: yixuanjiang Change-Id: I6a43959fc3565db8d2a1679ce722c11f58398794 --- whitechapel/vendor/google/logger_app.te | 1 + whitechapel/vendor/google/property_contexts | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te index ce9c473b..4c672447 100644 --- a/whitechapel/vendor/google/logger_app.te +++ b/whitechapel/vendor/google/logger_app.te @@ -15,4 +15,5 @@ userdebug_or_eng(` set_prop(logger_app, vendor_modem_prop) set_prop(logger_app, vendor_gps_prop) + set_prop(logger_app, vendor_audio_prop) ') diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 108d5d51..6f6c083f 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -67,6 +67,10 @@ persist.vendor.sys. u:object_r:vendor_persist_sys_default_prop:s0 vendor.audio_hal.period_multiplier u:object_r:vendor_audio_prop:s0 vendor.audiodump.enable u:object_r:vendor_audio_prop:s0 persist.vendor.audio. u:object_r:vendor_audio_prop:s0 +vendor.audiodump.log.ondemand u:object_r:vendor_audio_prop:s0 +vendor.audiodump.log.config u:object_r:vendor_audio_prop:s0 +vendor.audiodump.output.dir u:object_r:vendor_audio_prop:s0 + # for display ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0 From d57865ec05677eae790545dc285afe303b482117 Mon Sep 17 00:00:00 2001 From: chasewu Date: Tue, 30 Mar 2021 19:37:39 +0800 Subject: [PATCH 153/921] update label missing vibrator sys nodes for dual part Bug: 184026143 Test: no Permission denied logs Signed-off-by: chasewu Change-Id: Id75f89f5d0f1568942ef787be295b2fa5b0ca2a2 --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) 
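Review bot: The added `set_prop(logger_app, vendor_audio_prop)` in logger_app.te gives the logger write access to every property carrying that label, and the property_contexts hunk of this same patch shows the label also covers `vendor.audio_hal.period_multiplier`, `vendor.audiodump.enable` and the whole `persist.vendor.audio.` prefix, not only the three new `vendor.audiodump.*` keys. A dedicated property type used only for the dump controls would let logger_app toggle logging without being able to change audio HAL tuning or persistent audio settings. The rule sits inside `userdebug_or_eng`, whose body starts outside the hunk, so the exposure is limited to debug builds. The three new property_contexts entries also carry no `exact` qualifier and are therefore matched as prefixes; `vendor.audiodump.output.dir u:object_r:vendor_audio_prop:s0 exact string` would pin the label to the one key, and the same applies to the `vendor.tcpdump.*` and `vendor.aoc.firmware.version` entries added later in this series.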
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 1d252212..840c871d 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -59,6 +59,7 @@ genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object # Vibrator genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-005a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0042 u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043 u:object_r:sysfs_vibrator:s0 # System_suspend From 7376656ff46e8b1e2944ebb0660110aac02a46ea Mon Sep 17 00:00:00 2001 From: chenpaul Date: Fri, 5 Feb 2021 10:03:46 +0800 Subject: [PATCH 154/921] logger_app: Remove Pixelize rule In original design, pixellogger was included in Pixelize mk file, but the sepolicy are defined by the product specific te file. These are not aligned and have dependency concern if add new sepolicy rule in Pixelize te file. This change remove the Pixelize rule from the device specifc te file. And the Pixelize rule will be defined by hardware/google/pixel-sepolicy/logger_app/logger_app.te Bug: 159650456 Test: Pixel Logger is workable Change-Id: If13e05b7979f7be02a728b40f8032b81f7c53e06 --- whitechapel/vendor/google/logger_app.te | 8 -------- whitechapel/vendor/google/seapp_contexts | 3 --- 2 files changed, 11 deletions(-) diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te index ce9c473b..5f33ce3a 100644 --- a/whitechapel/vendor/google/logger_app.te +++ b/whitechapel/vendor/google/logger_app.te 
@@ -1,12 +1,4 @@ -type logger_app, domain; - userdebug_or_eng(` - app_domain(logger_app) - net_domain(logger_app) - - allow logger_app app_api_service:service_manager find; - allow logger_app surfaceflinger_service:service_manager find; - allow logger_app radio_vendor_data_file:file create_file_perms; allow logger_app radio_vendor_data_file:dir create_dir_perms; allow logger_app vendor_slog_file:file {r_file_perms unlink}; diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index db3c3adc..54db7be1 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts @@ -20,9 +20,6 @@ user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_d # grilservice user=_app isPrivApp=true seinfo=platform name=com.google.android.grilservice domain=grilservice_app levelFrom=all -# PixelLogger -user=_app seinfo=platform name=com.android.pixellogger domain=logger_app type=app_data_file levelFrom=all - # HbmSVManager user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all From c0b806fd2d8e8a9e70120015060b6d5a07a12929 Mon Sep 17 00:00:00 2001 
From: Cliff Wu Date: Wed, 7 Apr 2021 23:06:18 +0800 Subject: [PATCH 155/921] [Bug] Change the sepolicy name for exo_camera_injection - Change the sepolicy name from platfrom_app to exo_app. - Selinux avc log: E/SELinux: avc: denied { find } for interface=vendor.google.exo_camera_injection::IExoCameraInjection sid=u:r:exo_app:s0:c248,c256,c512,c768 pid=11479 scontext=u:r:exo_app:s0:c248,c256,c512,c768 tcontext=u:object_r:hal_exo_camera_injection_hwservice:s0 tclass=hwservice_manager permissive=0 Bug: 184736718 Test: Verified exo_camera_injection provider service use cases function as expected; no denials. Change-Id: I08887b8b6020cb7b3fb3da77cea9a1f453655bea
---
whitechapel/vendor/google/exo_camera_injection/exo_app.te | 3 +++
whitechapel/vendor/google/exo_camera_injection/platform_app.te | 3 ---
2 files changed, 3 insertions(+), 3 deletions(-)
create mode 100644 whitechapel/vendor/google/exo_camera_injection/exo_app.te
delete mode 100644 whitechapel/vendor/google/exo_camera_injection/platform_app.te
diff --git a/whitechapel/vendor/google/exo_camera_injection/exo_app.te b/whitechapel/vendor/google/exo_camera_injection/exo_app.te
new file mode 100644
index 00000000..a90de48e
--- /dev/null
+++ b/whitechapel/vendor/google/exo_camera_injection/exo_app.te
@@ -0,0 +1,3 @@
+# Allow exo app to find and bind exo camera injection hal.
+allow exo_app hal_exo_camera_injection_hwservice:hwservice_manager find;
+binder_call(exo_app, hal_exo_camera_injection)
diff --git a/whitechapel/vendor/google/exo_camera_injection/platform_app.te b/whitechapel/vendor/google/exo_camera_injection/platform_app.te
deleted file mode 100644
index b4dee87f..00000000
--- a/whitechapel/vendor/google/exo_camera_injection/platform_app.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# Allow exo app to find and bind exo camera injection hal.
-allow platform_app hal_exo_camera_injection_hwservice:hwservice_manager find;
-binder_call(platform_app, hal_exo_camera_injection)
From 82d7164b5cb4131d0cba130415059d93725ca7fa Mon Sep 17 00:00:00 2001 From: Mat Bevilacqua Date: Mon, 5 Apr 2021 16:23:34 -0700 Subject: [PATCH 156/921] Fix selinux permissions errors for UwbService Fixes gmscore access to UwbManager APIs, fixes UwbService access to UWB HAL APIs, and fixes CTS UwbService presence test. Bug: 184402100 Test: atest CtsUwbTestCases Change-Id: I7450242f8b35570c3d5a676c5835b01f74995202 --- tracking_denials/kernel.te | 1 - whitechapel/vendor/google/gmscore_app.te | 3 +++ whitechapel/vendor/google/hal_uwb_default.te | 2 ++ whitechapel/vendor/google/service.te | 1 + whitechapel/vendor/google/service_contexts | 1 + whitechapel/vendor/google/untrusted_app_all.te | 4 ++++ whitechapel/vendor/google/uwb_service.te | 1 + 7 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 whitechapel/vendor/google/gmscore_app.te create mode 100644 whitechapel/vendor/google/uwb_service.te diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te index 37288bc8..aab20563 100644 --- a/tracking_denials/kernel.te +++ b/tracking_denials/kernel.te @@ -3,5 +3,4 @@ dontaudit kernel kernel:perf_event { cpu }; dontaudit kernel kernel:perf_event { cpu }; userdebug_or_eng(` permissive kernel; - permissive hal_uwb_default; ') diff --git a/whitechapel/vendor/google/gmscore_app.te b/whitechapel/vendor/google/gmscore_app.te new file mode 100644 index 00000000..d2394b77 --- /dev/null +++ b/whitechapel/vendor/google/gmscore_app.te @@ -0,0 +1,3 @@ +# Allow gmscore to use UwbService APIs +# TODO (b/183904955): remove +allow gmscore_app uwb_service:service_manager find; diff --git a/whitechapel/vendor/google/hal_uwb_default.te b/whitechapel/vendor/google/hal_uwb_default.te index bb825e38..f066aa4d 100644 --- a/whitechapel/vendor/google/hal_uwb_default.te +++ b/whitechapel/vendor/google/hal_uwb_default.te 
@@ -1,3 +1,5 @@ type hal_uwb_default, domain; type hal_uwb_default_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(hal_uwb_default) + +add_service(hal_uwb_default, hal_uwb_service) diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te index f66b28c3..debd8bd9 100644 --- a/whitechapel/vendor/google/service.te +++ b/whitechapel/vendor/google/service.te @@ -1,3 +1,4 @@ type hal_pixel_display_service, service_manager_type, vendor_service; type uwb_service, service_manager_type; type touch_context_service, service_manager_type, vendor_service; +type hal_uwb_service, service_manager_type, vendor_service; diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index 8faa69bd..f3a6acb8 100644 --- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts @@ -3,3 +3,4 @@ com.google.edgetpu.IEdgeTpuService/default u:object_r:edgetpu_se com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0 uwb u:object_r:uwb_service:s0 +hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_service:s0 diff --git a/whitechapel/vendor/google/untrusted_app_all.te b/whitechapel/vendor/google/untrusted_app_all.te index ae7386fc..01206d90 100644 --- a/whitechapel/vendor/google/untrusted_app_all.te +++ b/whitechapel/vendor/google/untrusted_app_all.te @@ -8,3 +8,7 @@ allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map } # Allows Exoplayer(and other applications) access to the vstream-secure DMA-BUF heap # for secure video playback allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms; + +# Allows cts tests to test for UwbService presence +# TODO (b/183904955): remove +allow untrusted_app_all uwb_service:service_manager find; 
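Review bot: The new rule `allow untrusted_app_all uwb_service:service_manager find;` in untrusted_app_all.te is unconditional, so every third-party app on every build type can obtain a handle to UwbService, although the comment gives only a CTS presence test as the reason. Once `find` is granted, the remaining gate is whatever permission checks the service performs on each binder call, and the comment should record that dependency, e.g. `# find only; UwbService must enforce caller permissions on every method`. The gmscore_app.te hunk in this patch carries the same `TODO (b/183904955): remove`; stating the removal condition next to the TODO in both places would make the cleanup checkable.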
diff --git a/whitechapel/vendor/google/uwb_service.te b/whitechapel/vendor/google/uwb_service.te new file mode 100644 index 00000000..7360278d --- /dev/null +++ b/whitechapel/vendor/google/uwb_service.te @@ -0,0 +1 @@ +allow uwb_service hal_uwb_service:service_manager find; From b2fb9cdace45113273bbe2ef85dae5a19d78cbac Mon Sep 17 00:00:00 2001 From: Eddie Tashjian Date: Wed, 7 Apr 2021 15:07:49 -0700 Subject: [PATCH 157/921] Add TCP dump permissions. Copy selinux policy for tcp dump binary from previous Pixel to support TCP logging on P21 through PixelLogger. Bug: 184777243 Test: Check PixelLogger TCP dump works. Change-Id: Id958c8a3e6375a7aae569d6fc94deb9f8072b57b --- whitechapel/vendor/google/file.te | 3 +++ whitechapel/vendor/google/file_contexts | 4 ++++ whitechapel/vendor/google/logger_app.te | 1 + whitechapel/vendor/google/property.te | 3 +++ whitechapel/vendor/google/property_contexts | 6 ++++++ whitechapel/vendor/google/tcpdump_logger.te | 18 ++++++++++++++++++ 6 files changed, 35 insertions(+) create mode 100644 whitechapel/vendor/google/tcpdump_logger.te diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 9f59c21e..05efcc19 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -117,6 +117,9 @@ type persist_modem_file, file_type, vendor_persist_type; type modem_img_file, contextmount_type, file_type, vendor_file_type; allow modem_img_file self:filesystem associate; +# TCP logging +type tcpdump_vendor_data_file, file_type, data_file_type, mlstrustedobject; + # Wireless type sysfs_wlc, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 8f1f3652..89ac5d62 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
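Review bot: The source of `allow uwb_service hal_uwb_service:service_manager find;` is `uwb_service`, which the service.te context in this patch declares as `type uwb_service, service_manager_type;`, that is, an object label for the service and not a process domain. An allow rule only takes effect for processes running in the source type, so unless something actually runs as `uwb_service` this line grants nothing and the process that hosts UwbService still needs its own `find` on `hal_uwb_service`. The rule should name that hosting domain instead; which domain it is cannot be determined from this patch.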
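Review bot: `tcpdump_vendor_data_file` in the file.te hunk is declared with `mlstrustedobject`, which exempts the capture directory from MLS category checks, so type enforcement alone decides who can reach the packet captures. The attribute is presumably there so that an app domain running with `levelFrom=all` categories can read what the daemon writes, but the declaration carries only the `# TCP logging` heading; a one-line comment naming the reader that needs the exemption would record why it is present. It is also worth confirming that no rule outside `userdebug_or_eng` grants access to this type, since captures can contain user traffic.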
@@ -254,6 +254,10 @@ # Modem logging /vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0 +# TCP logging +/vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 +/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 + # Audio logging /vendor/bin/aocdump u:object_r:aocdump_exec:s0 diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te index 4c672447..051b1e64 100644 --- a/whitechapel/vendor/google/logger_app.te +++ b/whitechapel/vendor/google/logger_app.te @@ -16,4 +16,5 @@ userdebug_or_eng(` set_prop(logger_app, vendor_modem_prop) set_prop(logger_app, vendor_gps_prop) set_prop(logger_app, vendor_audio_prop) + set_prop(logger_app, vendor_tcpdump_log_prop) ') diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 05cba796..cbef105b 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -41,3 +41,6 @@ vendor_internal_prop(vendor_wifi_version) # Touchpanel vendor_internal_prop(vendor_touchpanel_prop) + +# TCP logging +vendor_internal_prop(vendor_tcpdump_log_prop) \ No newline at end of file diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 6f6c083f..a8dd0afd 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -102,3 +102,9 @@ vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s # Touchpanel vendor.mfgapi.touchpanel.permission u:object_r:vendor_touchpanel_prop:s0 + +# Tcpdump_logger +persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0 +vendor.tcpdump.log.ondemand u:object_r:vendor_tcpdump_log_prop:s0 +vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0 +vendor.tcpdump.output.dir u:object_r:vendor_tcpdump_log_prop:s0 \ No newline at end of file 
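Review bot: Both property.te and property_contexts end with `\ No newline at end of file` after the added lines, so `vendor_internal_prop(vendor_tcpdump_log_prop)` and the `vendor.tcpdump.output.dir` entry are left unterminated. Policy sources from several directories are combined at build time, and whether a separator is inserted between them cannot be seen from this patch; ending each file with a newline removes the risk of the last line being joined to whatever follows it. This is a style point only and does not change the rules themselves.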
diff --git a/whitechapel/vendor/google/tcpdump_logger.te b/whitechapel/vendor/google/tcpdump_logger.te new file mode 100644 index 00000000..329414b6 --- /dev/null +++ b/whitechapel/vendor/google/tcpdump_logger.te @@ -0,0 +1,18 @@ +type tcpdump_logger, domain; +type tcpdump_logger_exec, exec_type, vendor_file_type, file_type; + +userdebug_or_eng(` + # make transition from init to its domain + init_daemon_domain(tcpdump_logger) + + allow tcpdump_logger self:capability net_raw; + allow tcpdump_logger self:packet_socket create_socket_perms; + allowxperm tcpdump_logger self:packet_socket ioctl 0x8933; + allow tcpdump_logger tcpdump_exec:file rx_file_perms; + allow tcpdump_logger tcpdump_vendor_data_file:dir create_dir_perms; + allow tcpdump_logger tcpdump_vendor_data_file:file create_file_perms; + allow tcpdump_logger radio_vendor_data_file:file create_file_perms; + allow tcpdump_logger radio_vendor_data_file:dir create_dir_perms; + + set_prop(tcpdump_logger, vendor_tcpdump_log_prop) +') From 1c64cd89a263e2ac12a1718275bcff0e999ac918 Mon Sep 17 00:00:00 2001 From: Speth Chang Date: Wed, 7 Apr 2021 13:44:30 +0800 Subject: [PATCH 158/921] allow camera to connect stats service Bug: 177076189 Test: build pass Change-Id: I1132e8a6794d09306b70fe902fc82fbdb7bf9bb4 --- whitechapel/vendor/google/hal_camera_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index f03508e0..aca56403 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te @@ -72,3 +72,6 @@ binder_call(hal_camera_default, mediacodec); # extensions to avoid interference with cellular antennas. allow hal_camera_default hal_radioext_hwservice:hwservice_manager find; binder_call(hal_camera_default, hal_radioext_default); + +# Allow camera HAL to connect stats service. +allow hal_camera_default fwk_stats_service:service_manager find; 
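Review bot: In the new tcpdump_logger.te, `allowxperm tcpdump_logger self:packet_socket ioctl 0x8933;` uses a bare ioctl number with no explanation; a comment such as `# 0x8933 = SIOCGIFINDEX, interface lookup for the capture socket` makes the allow-list auditable. The file also grants `create_file_perms` and `create_dir_perms` on `radio_vendor_data_file` in addition to the dedicated `tcpdump_vendor_data_file`; if captures are only ever written under `/data/vendor/tcpdump_logger` the two radio rules can be dropped, and if not, a comment should say which output directory needs them. All allow rules are inside `userdebug_or_eng`, which keeps `net_raw` and the packet socket off user builds.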
From 3d4d9159c9e02317b53be2a24f0d1fcacdefa1f6 Mon Sep 17 00:00:00 2001 From: Craig Dooley Date: Tue, 6 Apr 2021 23:44:45 +0000 Subject: [PATCH 159/921] Fix SELinux errors with aocd Add inotify support for /dev Fix the aoc vendor property Bug: 184173298 Change-Id: I40a71edd56b2d51f848085c43ae1d10a4c2c0c4b --- tracking_denials/aocd.te | 8 -------- whitechapel/vendor/google/aocd.te | 7 +++++++ whitechapel/vendor/google/file.te | 3 ++- whitechapel/vendor/google/file_contexts | 1 + whitechapel/vendor/google/property.te | 3 +++ whitechapel/vendor/google/property_contexts | 3 +++ 6 files changed, 16 insertions(+), 9 deletions(-) delete mode 100644 tracking_denials/aocd.te diff --git a/tracking_denials/aocd.te b/tracking_denials/aocd.te deleted file mode 100644 index ce3c3365..00000000 --- a/tracking_denials/aocd.te +++ /dev/null @@ -1,8 +0,0 @@ -# b/171267323 -dontaudit aocd device:dir r_dir_perms; -# b/182218891 -dontaudit aocd property_socket:sock_file { write }; -dontaudit aocd init:unix_stream_socket { connectto }; -dontaudit aocd vendor_default_prop:property_service { set }; -dontaudit aocd property_socket:sock_file { write }; -dontaudit aocd init:unix_stream_socket { connectto }; diff --git a/whitechapel/vendor/google/aocd.te b/whitechapel/vendor/google/aocd.te index 4cab55af..79add165 100644 --- a/whitechapel/vendor/google/aocd.te +++ b/whitechapel/vendor/google/aocd.te @@ -5,6 +5,7 @@ init_daemon_domain(aocd) # access persist files allow aocd mnt_vendor_file:dir search; allow aocd persist_file:dir search; +r_dir_file(aocd, persist_aoc_file); # sysfs operations allow aocd sysfs_aoc:dir search; @@ -12,3 +13,9 @@ allow aocd sysfs_aoc_firmware:file w_file_perms; # dev operations allow aocd aoc_device:chr_file r_file_perms; + +# allow inotify to watch for additions/removals from /dev +allow aocd device:dir r_dir_perms; + +# set properties +set_prop(aocd, vendor_aoc_prop) 
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 64f01385..e09ea104 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -96,7 +96,8 @@ type sysfs_aoc_firmware, sysfs_type, fs_type; type sysfs_aoc, sysfs_type, fs_type; # Audio -type persist_audio_file, file_type , vendor_persist_type; +type persist_audio_file, file_type, vendor_persist_type; +type persist_aoc_file, file_type, vendor_persist_type; type audio_vendor_data_file, file_type, data_file_type; type aoc_audio_file, file_type, vendor_file_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 91773613..b6e5fac2 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -291,6 +291,7 @@ /dev/ttySAC16 u:object_r:hci_attach_dev:s0 # Audio +/mnt/vendor/persist/aoc(/.*)? u:object_r:persist_aoc_file:s0 /mnt/vendor/persist/audio(/.*)? u:object_r:persist_audio_file:s0 /data/vendor/audio(/.*)? u:object_r:audio_vendor_data_file:s0 /vendor/etc/aoc(/.*)? u:object_r:aoc_audio_file:s0 diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 05cba796..4e376118 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -33,6 +33,9 @@ system_public_prop(vendor_edgetpu_service_prop) # Battery defender vendor_internal_prop(vendor_battery_defender_prop) +# AoC +vendor_internal_prop(vendor_aoc_prop) + # NFC vendor_internal_prop(vendor_nfc_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 108d5d51..f018e61b 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts 
@@ -92,6 +92,9 @@ persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0 # Battery vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0 +# AoC +vendor.aoc.firmware.version u:object_r:vendor_aoc_prop:s0 + # WiFi vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0 vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0 From 1d379dfbc9b4fcb9843051f3eb6f9cfdbefda085 Mon Sep 17 00:00:00 2001 From: Chris Fries Date: Thu, 8 Apr 2021 09:34:26 -0500 Subject: [PATCH 160/921] Give hal_dumpstate_default read access to slog files Bug: 184821900 Bugreports require access to "silent log" files. cp : type=1400 audit(0.0:20): avc: denied { getattr } for path="/data/vendor/radio/logs/always-on/sbuff_20210408191538.sdm" dev="dm-11" ino=9075 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:vendor_slog_file:s0 tclass=file permissive=0 Change-Id: Iacc4778d1242f304e9519180437ceb0f0e9d350d --- whitechapel/vendor/google/hal_dumpstate_default.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 061dcf8e..16d925de 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -53,9 +53,11 @@ allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms; allow hal_dumpstate_default sysfs_thermal:file r_file_perms; allow hal_dumpstate_default sysfs_thermal:lnk_file read; +# Modem logs allow hal_dumpstate_default modem_efs_file:dir search; allow hal_dumpstate_default modem_efs_file:file r_file_perms; allow hal_dumpstate_default modem_stat_data_file:file r_file_perms; +allow hal_dumpstate_default vendor_slog_file:file r_file_perms; allow hal_dumpstate_default block_device:dir r_dir_perms; From b9e10feefb1d7b5781094d27693b8fc96c0bc05d Mon Sep 17 00:00:00 2001 
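Review bot: The added `allow hal_dumpstate_default vendor_slog_file:file r_file_perms;` is unconditional, while the other readers of `vendor_slog_file` visible in this series (logger_app, and cbd via `r_dir_file(cbd, vendor_slog_file)`) are inside `userdebug_or_eng`. Modem silent logs can hold subscriber and traffic details, so if they are only meant to reach bugreports on debug builds this rule should be moved into a `userdebug_or_eng` block as well. The rule also covers files only; if the `always-on` directory in the quoted denial carries the same label, a matching `allow hal_dumpstate_default vendor_slog_file:dir r_dir_perms;` would be needed, which cannot be confirmed from this hunk.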
From: Ilya Matyukhin Date: Wed, 7 Apr 2021 01:17:03 +0000 Subject: [PATCH 161/921] Create sepolicy for the fingerprint GHBM sysprop Bug: 184761756 Bug: 183728349 Test: adb logcat | grep "avc: denied" Change-Id: I5209bdf859e86a83ac3fa29ecf8bfd8d5b6d88ce --- gs101-sepolicy.mk | 19 +++++++++++-------- system_ext/private/property_contexts | 2 ++ system_ext/public/property.te | 2 ++ .../vendor/google/hal_fingerprint_default.te | 1 + whitechapel/vendor/google/platform_app.te | 3 +++ 5 files changed, 19 insertions(+), 8 deletions(-) create mode 100644 system_ext/private/property_contexts create mode 100644 system_ext/public/property.te diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk index c24beed1..6f46edc7 100644 --- a/gs101-sepolicy.mk +++ b/gs101-sepolicy.mk @@ -6,6 +6,17 @@ BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/tracking_denials PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs101-sepolicy/private +# Display +BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/display/common +BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/display/gs101 + +# Micro sensor framework (usf) +BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/usf + +# system_ext +SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/gs101-sepolicy/system_ext/public +SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs101-sepolicy/system_ext/private + # # Pixel-wide # @@ -18,13 +29,5 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_ext # PowerStats HAL BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats -# Display -BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/display/common -BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/display/gs101 - -# Micro sensor framework (usf) -BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/usf - # sscoredump BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/sscoredump - diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts new file mode 100644 index 00000000..9f462bda --- /dev/null 
+++ b/system_ext/private/property_contexts @@ -0,0 +1,2 @@ +# Fingerprint (UDFPS) GHBM/LHBM toggle +persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool diff --git a/system_ext/public/property.te b/system_ext/public/property.te new file mode 100644 index 00000000..8908e485 --- /dev/null +++ b/system_ext/public/property.te @@ -0,0 +1,2 @@ +# Fingerprint (UDFPS) GHBM/LHBM toggle +system_vendor_config_prop(fingerprint_ghbm_prop) diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te index d22b6b0f..da7748f3 100644 --- a/whitechapel/vendor/google/hal_fingerprint_default.te +++ b/whitechapel/vendor/google/hal_fingerprint_default.te @@ -3,4 +3,5 @@ allow hal_fingerprint_default tee_device:chr_file rw_file_perms; allow hal_fingerprint_default sysfs_batteryinfo:file r_file_perms; allow hal_fingerprint_default sysfs_batteryinfo:dir search; allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl; +get_prop(hal_fingerprint_default, fingerprint_ghbm_prop) add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice) diff --git a/whitechapel/vendor/google/platform_app.te b/whitechapel/vendor/google/platform_app.te index dd8a627c..246ec357 100644 --- a/whitechapel/vendor/google/platform_app.te +++ b/whitechapel/vendor/google/platform_app.te @@ -9,3 +9,6 @@ allow platform_app nfc_service:service_manager find; allow platform_app touch_context_service:service_manager find; binder_call(platform_app, twoshay) + +# Fingerprint (UDFPS) GHBM/LHBM toggle +get_prop(platform_app, fingerprint_ghbm_prop) From d59ea41ac85d55b1ba286551d4e8a73e2f697637 Mon Sep 17 00:00:00 2001 
From: Nick Sanders Date: Mon, 5 Apr 2021 22:27:10 +0000 Subject: [PATCH 162/921] gs101-sepolicy: Allow platform_app to call uwb This is to fix below avc denial: SELinux : avc: denied { find } for pid=10783 uid=10294 name=uwb scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:uwb_service:s0 tclass=service_manager permissive=0 Bug: 184286788 Test: Run Qorvo app without failure Change-Id: I9673a3eef3f0b0bedb50ef2a5c336d8bfe7620e7 --- whitechapel/vendor/google/platform_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/platform_app.te b/whitechapel/vendor/google/platform_app.te index dd8a627c..c40db7bc 100644 --- a/whitechapel/vendor/google/platform_app.te +++ b/whitechapel/vendor/google/platform_app.te @@ -6,6 +6,7 @@ binder_call(platform_app, hal_wlc) allow platform_app fwk_stats_hwservice:hwservice_manager find; allow platform_app nfc_service:service_manager find; +allow platform_app uwb_service:service_manager find; allow platform_app touch_context_service:service_manager find; binder_call(platform_app, twoshay) From 5feb916e47b9b684d16c484661e24fefe6ac7feb Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Fri, 9 Apr 2021 10:46:45 +0800 Subject: [PATCH 163/921] init: allow to set tcpdump property init: Unable to set property 'persist.vendor.tcpdump.log.alwayson' from uid:10273 gid:10273 pid:7074: SELinux permission check failed Bug: 184411489 Change-Id: If449e0d883fa4cbf8dd5ac3a6a84d205e7ac1f31 --- whitechapel/vendor/google/vendor_init.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 4de85fdf..2bfca5d1 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te 
@@ -9,6 +9,7 @@ set_prop(vendor_init, vendor_ssrdump_prop) set_prop(vendor_init, vendor_ro_config_default_prop) get_prop(vendor_init, vendor_touchpanel_prop) set_prop(vendor_init, vendor_edgetpu_service_prop) +set_prop(vendor_init, vendor_tcpdump_log_prop) allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file write; From 17f08b3cbad3232e76e24f47603899887b7bb077 Mon Sep 17 00:00:00 2001 From: jimsun Date: Tue, 16 Mar 2021 14:29:26 +0800 Subject: [PATCH 164/921] gs101: fix grilservice context The app is no longer signed with the platform key. Bug: 162313924 Test: verify gril service function works normally Change-Id: I9bf0494e65cafca9432665be199c30508d36417e --- whitechapel/vendor/google/seapp_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index db3c3adc..655cef4f 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts @@ -18,7 +18,7 @@ user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detecto user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all # grilservice -user=_app isPrivApp=true seinfo=platform name=com.google.android.grilservice domain=grilservice_app levelFrom=all +user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all # PixelLogger user=_app seinfo=platform name=com.android.pixellogger domain=logger_app type=app_data_file levelFrom=all From 6dd6d9872e90d127e7cb15d18d034bc4eee8475b Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Thu, 8 Apr 2021 11:44:28 +0800 Subject: [PATCH 165/921] cbd: Grant to access slog file Bug: 184646743 Change-Id: I06ecfbc8b9276b3801725f0965b03b849eddbdfc --- whitechapel/vendor/google/cbd.te | 2 ++ 1 file changed, 2 insertions(+) 
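Review bot: The denial quoted in the commit message is a set request from uid 10273, which is an app uid, but the added `set_prop(vendor_init, vendor_tcpdump_log_prop)` in vendor_init.te grants the property to vendor_init. From the hunk alone it is not clear that this rule addresses the reported failure for `persist.vendor.tcpdump.log.alwayson`. If vendor_init really does need to write this property, for example to set a default at boot, a comment above the rule should say so, e.g. `# vendor_init seeds the tcpdump logging default; app-side writes are granted in the app's own domain`. If it does not, the grant belongs to whichever domain uid 10273 runs in.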
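Review bot: Dropping `seinfo=platform` from the grilservice entry in seapp_contexts leaves the `grilservice_app` domain assigned on package name and `isPrivApp=true` alone, so the signing certificate no longer takes part in the match. Since the app moved to a different key rather than to no key, the binding can be kept with a dedicated seinfo tag for the new certificate, declared through mac_permissions.xml and keys.conf. The line would then read `user=_app isPrivApp=true seinfo=<grilservice-seinfo> name=com.google.android.grilservice domain=grilservice_app levelFrom=all`, where `<grilservice-seinfo>` is a placeholder for the tag chosen for the new key.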
diff --git a/whitechapel/vendor/google/cbd.te b/whitechapel/vendor/google/cbd.te index d888deb5..23c4e576 100644 --- a/whitechapel/vendor/google/cbd.te +++ b/whitechapel/vendor/google/cbd.te @@ -53,6 +53,8 @@ allow cbd sscoredump_vendor_data_crashinfo_file:dir create_dir_perms; allow cbd sscoredump_vendor_data_crashinfo_file:file create_file_perms; userdebug_or_eng(` + r_dir_file(cbd, vendor_slog_file) + allow cbd kernel:system syslog_read; allow cbd sscoredump_vendor_data_coredump_file:dir create_dir_perms; From 06b410dc4a2c7122ecfff888259aa74c9181e4f9 Mon Sep 17 00:00:00 2001 
From: Aaron Tsai Date: Tue, 6 Apr 2021 22:16:01 +0800 Subject: [PATCH 166/921] Fix avc denied for Silent Logging 04-06 15:18:31.513 root 1 1 E init : Do not have permissions to set 'persist.vendor.sys.silentlog.tcp' to 'On' in property file '/vendor/build.prop': SELinux permission check failed 04-06 15:20:17.988 root 1 1 W /system/bin/init: type=1107 audit(0.0:33): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=persist.vendor.sys.silentlog.ap pid=8917 uid=1000 gid=1000 scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:object_r:vendor_persist_sys_default_prop:s0 tclass=property_service permissive=0' 04-06 15:20:23.256 root 1 1 W /system/bin/init: type=1107 audit(0.0:38): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=persist.vendor.sys.silentlog.cp pid=9025 uid=1000 gid=1000 scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:object_r:vendor_persist_sys_default_prop:s0 tclass=property_service permissive=0' 04-06 15:20:51.340 root 1 1 W /system/bin/init: type=1107 audit(0.0:43): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=persist.vendor.sys.silentlog pid=9291 uid=1000 gid=1000 scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:object_r:vendor_persist_sys_default_prop:s0 tclass=property_service permissive=0' 04-06 15:21:03.608 root 1 1 W /system/bin/init: type=1107 audit(0.0:54): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=persist.vendor.sys.silentlog.tcp pid=9473 uid=1000 gid=1000 scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:object_r:vendor_persist_sys_default_prop:s0 tclass=property_service permissive=0' 04-06 20:17:08.060 1000 5754 5754 W Thread-3: type=1400 audit(0.0:21): avc: denied { write } for name="slog" dev="dm-7" ino=245 scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 
tcontext=u:object_r:vendor_slog_file:s0 tclass=dir permissive=0 04-06 20:17:09.194 1000 398 398 E SELinux : avc: denied { find } for interface=vendor.samsung_slsi.telephony.hardware.oemservice::IOemService sid=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 pid=5754 scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:object_r:hal_vendor_oem_hwservice:s0 tclass=hwservice_manager permissive=0 04-06 21:07:18.376 7458 7458 I auditd : type=1400 audit(0.0:20): avc: denied { call } for comm="y.silentlogging" scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:r:dmd:s0 tclass=binder permissive=0 04-06 21:16:53.200 8873 8873 W Thread-4: type=1400 audit(0.0:85): avc: denied { create } for name="NNEXT_PROFILE.nprf" scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:object_r:vendor_slog_file:s0:c232,c259,c512,c768 tclass=file permissive=0 Bug: 184608648 Test: verified with the forrest ROM and error log gone Change-Id: Id9cdf15478c751de92a9a84bcfdc8233d6e9d294 --- whitechapel/vendor/google/dmd.te | 3 ++- whitechapel/vendor/google/property_contexts | 5 +++-- whitechapel/vendor/google/vendor_init.te | 1 + whitechapel/vendor/google/vendor_telephony_app.te | 13 ++++++++++--- 4 files changed, 16 insertions(+), 6 deletions(-) diff --git a/whitechapel/vendor/google/dmd.te b/whitechapel/vendor/google/dmd.te index 0b5ff5a9..4dff6f71 100644 --- a/whitechapel/vendor/google/dmd.te +++ b/whitechapel/vendor/google/dmd.te @@ -28,4 +28,5 @@ get_prop(dmd, hwservicemanager_prop) add_hwservice(dmd, hal_vendor_oem_hwservice) binder_call(dmd, hwservicemanager) binder_call(dmd, modem_diagnostic_app) -binder_call(dmd, modem_logging_control) \ No newline at end of file +binder_call(dmd, modem_logging_control) +binder_call(dmd, vendor_telephony_app) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 2770f23e..23e83f4a 100644 --- a/whitechapel/vendor/google/property_contexts 
+++ b/whitechapel/vendor/google/property_contexts @@ -45,8 +45,9 @@ vendor.cbd. u:object_r:vendor_cbd_prop:s0 persist.vendor.cbd. u:object_r:vendor_cbd_prop:s0 # for slog -vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0 -vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0 +vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0 +vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0 +persist.vendor.sys.silentlog u:object_r:vendor_slog_prop:s0 # for dmd persist.vendor.sys.dm. u:object_r:vendor_diag_prop:s0 diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 4de85fdf..274a3907 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -3,6 +3,7 @@ set_prop(vendor_init, vendor_modem_prop) set_prop(vendor_init, vendor_cbd_prop) set_prop(vendor_init, vendor_rild_prop) set_prop(vendor_init, vendor_usb_config_prop) +set_prop(vendor_init, vendor_slog_prop) set_prop(vendor_init, vendor_sys_default_prop) set_prop(vendor_init, vendor_ims_prop) set_prop(vendor_init, vendor_ssrdump_prop) diff --git a/whitechapel/vendor/google/vendor_telephony_app.te b/whitechapel/vendor/google/vendor_telephony_app.te index de486c88..65b12869 100644 --- a/whitechapel/vendor/google/vendor_telephony_app.te +++ b/whitechapel/vendor/google/vendor_telephony_app.te 
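Review bot: The new `persist.vendor.sys.silentlog` entry in property_contexts has no trailing dot, unlike the two entries above it, so it is a prefix match that also covers any property whose name merely starts with that string. The denials in the commit message list the bare name plus `.ap`, `.cp` and `.tcp`, so the prefix form looks intended, but nothing in the file says so. I would add a comment such as `# no trailing dot on purpose: covers persist.vendor.sys.silentlog and its .ap/.cp/.tcp children`.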
@@ -2,10 +2,17 @@ type vendor_telephony_app, domain; app_domain(vendor_telephony_app) get_prop(vendor_telephony_app, vendor_rild_prop) -get_prop(vendor_telephony_app, vendor_persist_sys_default_prop) +set_prop(vendor_telephony_app, vendor_persist_sys_default_prop) set_prop(vendor_telephony_app, vendor_modem_prop) set_prop(vendor_telephony_app, vendor_slog_prop) -r_dir_file(vendor_telephony_app, system_app_data_file) -r_dir_file(vendor_telephony_app, vendor_slog_file) + +# [TODO] Need to check further about the system data permission +# allow vendor_telephony_app system_app_data_file:dir create_dir_perms; +# allow vendor_telephony_app system_app_data_file:file create_file_perms; + +allow vendor_telephony_app vendor_slog_file:dir create_dir_perms; +allow vendor_telephony_app vendor_slog_file:file create_file_perms; allow vendor_telephony_app app_api_service:service_manager find; +allow vendor_telephony_app hal_vendor_oem_hwservice:hwservice_manager find; +binder_call(vendor_telephony_app, dmd) From b370d9d2c38b9fafa30514e5808bdfd25dbdbd35 Mon Sep 17 00:00:00 2001 From: andychou Date: Fri, 9 Apr 2021 17:06:51 +0800 Subject: [PATCH 167/921] Remove sepolicy of Wirecutter Bug: 184886787 Test: build pass Change-Id: Ibe539d31dc70cc4ea478f074ef4bf75d918bcb67 --- ambient/exo_wirecutter_app.te | 10 ---------- ambient/keys.conf | 2 -- ambient/mac_permissions.xml | 26 -------------------------- ambient/seapp_contexts | 3 --- 4 files changed, 41 deletions(-) delete mode 100644 ambient/exo_wirecutter_app.te delete mode 100644 ambient/keys.conf delete mode 100644 ambient/mac_permissions.xml diff --git a/ambient/exo_wirecutter_app.te b/ambient/exo_wirecutter_app.te deleted file mode 100644 index 1450b4cc..00000000 --- a/ambient/exo_wirecutter_app.te +++ /dev/null 
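Review bot: Changing `get_prop` to `set_prop` on `vendor_persist_sys_default_prop` in vendor_telephony_app.te lets the app write every property that still carries that catch-all label, which is wider than the four silentlog denials quoted in the commit message. The property_contexts hunk of this same commit moves `persist.vendor.sys.silentlog` to `vendor_slog_prop`, and the unchanged `set_prop(vendor_telephony_app, vendor_slog_prop)` line already covers that label. The original `get_prop(vendor_telephony_app, vendor_persist_sys_default_prop)` therefore looks sufficient and should be kept unless another denial shows otherwise. Separately, the commented-out `system_app_data_file` rules under `[TODO]` would be better tracked as a bug reference than left as dead policy.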
@@ -1,10 +0,0 @@ -type exo_wirecutter_app, domain, coredomain; - -app_domain(exo_wirecutter_app) - -allow exo_wirecutter_app app_api_service:service_manager find; -allow exo_wirecutter_app fwk_stats_hwservice:hwservice_manager find; -allow exo_wirecutter_app gpu_device:dir search; -binder_call(exo_wirecutter_app, statsd) -allow exo_wirecutter_app fwk_stats_service:service_manager find; -binder_use(exo_wirecutter_app) diff --git a/ambient/keys.conf b/ambient/keys.conf deleted file mode 100644 index 9be4f7f5..00000000 --- a/ambient/keys.conf +++ /dev/null @@ -1,2 +0,0 @@ -[@EXO_WIRECUTTER] -ALL : vendor/google/dev-keystore/certs/com_google_pixel_wirecutter/com_google_pixel_wirecutter.x509.pem diff --git a/ambient/mac_permissions.xml b/ambient/mac_permissions.xml deleted file mode 100644 index d1ba106a..00000000 --- a/ambient/mac_permissions.xml +++ /dev/null @@ -1,26 +0,0 @@ - - - - - - - - diff --git a/ambient/seapp_contexts b/ambient/seapp_contexts index 4ee10805..8024688c 100644 --- a/ambient/seapp_contexts +++ b/ambient/seapp_contexts @@ -1,5 +1,2 @@ # Domain for Exo app user=_app seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all - -# Domain for Exo Wirecutter app -user=_app seinfo=wirecutter name=com.google.pixel.wirecutter domain=exo_wirecutter_app type=app_data_file levelFrom=all From b94e7586cef3064f9ee61284b78404fe2825f1e5 Mon Sep 17 00:00:00 2001 From: Jenny Ho Date: Fri, 9 Apr 2021 18:24:32 +0800 Subject: [PATCH 168/921] Fix avc denied for maxfg_base/flip and wireless dump Bug: 184780667 Signed-off-by: Jenny Ho Change-Id: Ice4102cf541dc80c85beb05ad5c523a4306a77bc --- whitechapel/vendor/google/file_contexts | 2 ++ whitechapel/vendor/google/genfs_contexts | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index ff7ee6f1..f1b0ee1c 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -99,6 +99,8 @@ /dev/logbuffer_maxq u:object_r:logbuffer_device:s0 /dev/logbuffer_rtx u:object_r:logbuffer_device:s0 /dev/logbuffer_maxfg u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxfg_base u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxfg_flip u:object_r:logbuffer_device:s0 # DM tools device /dev/umts_dm0 u:object_r:radio_device:s0 diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 840c871d..b31a7d0b 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -26,6 +26,8 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0061/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0 # O6 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025 u:object_r:sysfs_batteryinfo:s0 
@@ -78,6 +80,7 @@ genfscon sysfs /devices/platform/11110000.usb/wakeup/wakeup genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /sys/devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-source-psy-5-0050/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/3-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 @@ -231,6 +234,8 @@ genfscon sysfs /devices/platform/14520000.pcie/power_stats # debugfs genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0 +genfscon debugfs /maxfg_base u:object_r:vendor_maxfg_debugfs:s0 +genfscon debugfs /maxfg_flip u:object_r:vendor_maxfg_debugfs:s0 genfscon debugfs /dma_buf/bufinfo u:object_r:vendor_dmabuf_debugfs:s0 genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0 genfscon debugfs /ion u:object_r:vendor_ion_debugfs:s0 From b4bab832f9e9be8d8ce457a8699337fc285a97ee Mon Sep 17 00:00:00 2001 
From: millerliang Date: Thu, 1 Apr 2021 17:21:33 +0800 Subject: [PATCH 169/921] Fix avc denied in MMAP audio exclusive mode 04-01 15:26:30.936 16390 16390 I auditd : type=1400 audit(0.0:55): avc: denied { read } for comm="HwBinder:16390_" name="aaudio_playback_heap" dev="tmpfs" ino=400 scontext=u:r:hal_audio_default:s0 tcontext=u:object_r:dmabuf_heap_device:s0 tclass=chr_file permissive=1 Bug: 165737390 Test: Build and use OboeTester to run MMAP audio Change-Id: I22201dfd4a3f579b52d4cfbc86fc6148dc481cb0 --- whitechapel/vendor/google/hal_audio_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/hal_audio_default.te b/whitechapel/vendor/google/hal_audio_default.te index 079d6bdf..16d49f96 100644 --- a/whitechapel/vendor/google/hal_audio_default.te +++ b/whitechapel/vendor/google/hal_audio_default.te @@ -14,6 +14,9 @@ allow hal_audio_default aoc_device:chr_file rw_file_perms; allow hal_audio_default hal_audio_ext_hwservice:hwservice_manager { find add }; +#allow access to DMABUF Heaps for AAudio API +allow hal_audio_default dmabuf_heap_device:chr_file r_file_perms; + get_prop(hal_audio_default, vendor_audio_prop); userdebug_or_eng(` From 1082e886c0aa8c0b1dfdd212c24a7488d2095ff1 Mon Sep 17 00:00:00 2001 From: Erik Staats Date: Fri, 9 Apr 2021 12:58:12 -0700 Subject: [PATCH 170/921] Add policy for USF low latency transport gralloc usage. Bug: 183233052 Test: Verified regular and direct report sampling on Raven with shared memory transport enabled. Test: See details in testing done comment in https://googleplex-android-review.git.corp.google.com/14144079 . Change-Id: Ia852a4a9ca6e8eacb0fb465884d17f95445a6822 --- usf/sensor_hal.te | 3 +++ usf/te_macros | 14 ++++++++++++++ whitechapel/vendor/google/chre.te | 4 ++++ whitechapel/vendor/google/rlsservice.te | 4 ++++ 4 files changed, 25 insertions(+) create mode 100644 usf/te_macros diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index 84d1caff..f1105928 100644 --- a/usf/sensor_hal.te 
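Review bot: The rule added to hal_audio_default.te grants `r_file_perms` on the whole `dmabuf_heap_device` type, while the denial in the commit message names a single node, `aaudio_playback_heap`. If other heap nodes share that label (not visible in this hunk), a dedicated type for the AAudio heap in file_contexts would limit the HAL to the one device it needs. The comment above the rule should at least name the node, e.g. `# AAudio MMAP exclusive mode: read the aaudio_playback_heap DMA-BUF heap`.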
+++ b/usf/sensor_hal.te @@ -41,6 +41,9 @@ allow hal_sensors_default fwk_stats_hwservice:hwservice_manager find; # Allow access to the sysfs_aoc. allow hal_sensors_default sysfs_aoc:dir search; +# Allow use of the USF low latency transport. +usf_low_latency_transport(hal_sensors_default) + # # Suez type enforcements. # diff --git a/usf/te_macros b/usf/te_macros new file mode 100644 index 00000000..01ac13c1 --- /dev/null +++ b/usf/te_macros @@ -0,0 +1,14 @@ +# +# USF SELinux type enforcement macros. +# + +# +# usf_low_latency_transport(domain) +# +# Allows domain use of the USF low latency transport. +# +define(`usf_low_latency_transport', ` + allow $1 hal_graphics_mapper_hwservice:hwservice_manager find; + hal_client_domain($1, hal_graphics_allocator) +') + diff --git a/whitechapel/vendor/google/chre.te b/whitechapel/vendor/google/chre.te index f8d395fc..7eca5e43 100644 --- a/whitechapel/vendor/google/chre.te +++ b/whitechapel/vendor/google/chre.te @@ -11,3 +11,7 @@ allow chre sysfs_aoc_boottime:file r_file_perms; # Allow CHRE to create thread to watch AOC's device allow chre device:dir r_dir_perms; + +# Allow CHRE to use the USF low latency transport +usf_low_latency_transport(chre) + diff --git a/whitechapel/vendor/google/rlsservice.te b/whitechapel/vendor/google/rlsservice.te index 10f76dcc..113ef312 100644 --- a/whitechapel/vendor/google/rlsservice.te +++ b/whitechapel/vendor/google/rlsservice.te @@ -22,3 +22,7 @@ binder_call(rlsservice, hal_camera_default) # Allow access to always-on compute device node allow rlsservice device:dir { read watch }; allow rlsservice aoc_device:chr_file rw_file_perms; + +# Allow use of the USF low latency transport +usf_low_latency_transport(rlsservice) + From 2c1b29b494d13dbe04d4de47b2256140d8d95938 Mon Sep 17 00:00:00 2001 
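Review bot: The header comment on `usf_low_latency_transport` in usf/te_macros says only that it "Allows domain use of the USF low latency transport", so the call sites in sensor_hal.te, chre.te and rlsservice.te hide what is actually granted. Each of those domains becomes a client of the graphics allocator HAL and gains `find` on the mapper hwservice, which a reviewer of chre.te or rlsservice.te would not guess from the macro name. I would extend the macro comment with a line such as `# Grants: find on hal_graphics_mapper_hwservice and hal_client_domain(domain, hal_graphics_allocator).`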
From: SalmaxChang Date: Mon, 12 Apr 2021 15:05:50 +0800 Subject: [PATCH 171/921] logger_app: Grant to access new logger properties avc: denied { read } for comm="oid.pixellogger" name="u:object_r:vendor_ssrdump_prop:s0" dev="tmpfs" ino=308 scontext=u:r:logger_app:s0:c24,c257,c512,c768 tcontext=u:object_r:vendor_ssrdump_prop:s0 tclass=file permissive=1 avc: denied { set } for property=vendor.debug.ramdump.full pid=5081 uid=10280 gid=10280 scontext=u:r:logger_app:s0:c24,c257,c512,c768 tcontext=u:object_r:vendor_ramdump_prop:s0 tclass=property_service permissive=1 avc: denied { set } for property=persist.logd.logpersistd.count pid=5081 uid=10280 gid=10280 scontext=u:r:logger_app:s0:c24,c257,c512,c768 tcontext=u:object_r:logpersistd_logging_prop:s0 tclass=property_service permissive=1 avc: denied { set } for property=persist.vendor.ril.crash_handling_mode pid=5081 uid=10280 gid=10280 scontext=u:r:logger_app:s0:c24,c257,c512,c768 tcontext=u:object_r:vendor_rild_prop:s0 tclass=property_service permissive=1 avc: denied { set } for property=persist.logd.size pid=5081 uid=10280 gid=10280 scontext=u:r:logger_app:s0:c24,c257,c512,c768 tcontext=u:object_r:logd_prop:s0 tclass=property_service permissive=1 Bug: 178744858 Change-Id: I42629335e82565fbf305be242098870aef6ea317
---
whitechapel/vendor/google/logger_app.te | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te
index 051b1e64..8e3391e7 100644
--- a/whitechapel/vendor/google/logger_app.te
+++ b/whitechapel/vendor/google/logger_app.te
@@ -17,4 +17,9 @@ userdebug_or_eng(`
 set_prop(logger_app, vendor_gps_prop)
 set_prop(logger_app, vendor_audio_prop)
 set_prop(logger_app, vendor_tcpdump_log_prop)
+ set_prop(logger_app, vendor_ramdump_prop)
+ set_prop(logger_app, vendor_ssrdump_prop)
+ set_prop(logger_app, vendor_rild_prop)
+ set_prop(logger_app, logpersistd_logging_prop)
+ set_prop(logger_app, logd_prop)
 ')
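Review bot: The `vendor_ssrdump_prop` denial in the commit message is a `read` on the property file, not a `set`, so `set_prop(logger_app, vendor_ssrdump_prop)` grants more than was observed; `get_prop(logger_app, vendor_ssrdump_prop)` would match the log. The `logd_prop` and `logpersistd_logging_prop` lines let the app change log buffer size and log persistence. They sit inside the `userdebug_or_eng` block that opens above the hunk, which limits the exposure to debug builds. A comment such as `# PixelLogger tunes logd size/persistence while capturing; debug builds only` would record why a logging app may write platform logging properties.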
From cd12670940ea5c3651ebfd4803a07ea58b124aea Mon Sep 17 00:00:00 2001 From: Ted Lin Date: Mon, 12 Apr 2021 18:23:23 +0800 Subject: [PATCH 172/921] Allow to dump pps-dc Bug:185041587 Test: adb bugreport Change-Id: Ia4adcc335b05f5f7d06625c274842e6a9f5d2637 Signed-off-by: Ted Lin --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index f1b0ee1c..a715b06f 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -101,6 +101,7 @@ /dev/logbuffer_maxfg u:object_r:logbuffer_device:s0 /dev/logbuffer_maxfg_base u:object_r:logbuffer_device:s0 /dev/logbuffer_maxfg_flip u:object_r:logbuffer_device:s0 +/dev/logbuffer_pca9468_tcpm u:object_r:logbuffer_device:s0 # DM tools device /dev/umts_dm0 u:object_r:radio_device:s0 From 7c8d4d86e85072b5ef9a0d0fe6a75366ba0d30c6 Mon Sep 17 00:00:00 2001 From: Sidath Senanayake Date: Mon, 12 Apr 2021 17:37:59 +0100 Subject: [PATCH 173/921] Fix Android GPU Inspector (AGI) support In order for AGI to work, it needs to dlopen the libgpudataproducer.so shared object. Bug: 185127179 Bug: 175593589 Change-Id: I9ad9c587f10e0fd6e27c4743c1d4cb85c896c41d --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index f1b0ee1c..d005a4e8 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -13,6 +13,7 @@ /(vendor|system/vendor)/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0 /(vendor|system/vendor)/lib(64)?/libOpenCL-pixel\.so u:object_r:same_process_hal_file:s0 /(vendor|system/vendor)/lib(64)?/libdmabufheap\.so u:object_r:same_process_hal_file:s0 +/(vendor|system/vendor)/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0 /vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0 /vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0 From 06cc3ee882f7676724147ba64ed4feeefa7e23b7 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 13 Apr 2021 10:55:33 +0800 Subject: [PATCH 174/921] update error on ROM 7278058 Bug: 185186743 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I40066584800e1a40fbd75dc2d97ee44f9e6dde89 --- tracking_denials/init.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tracking_denials/init.te b/tracking_denials/init.te index 6ecb2c0c..e34f3ae6 100644 --- a/tracking_denials/init.te +++ b/tracking_denials/init.te @@ -6,3 +6,6 @@ dontaudit init vendor_file:file { execute }; dontaudit init vendor_file:file { execute }; dontaudit init sysfs:file { setattr }; dontaudit init sysfs:file { setattr }; +# b/185186743 +dontaudit init sysfs_scsi_devices_0000:file { write }; +dontaudit init sysfs_scsi_devices_0000:file { write }; From 7e60d3a032421dd4a82ae23a8a11256558a73de2 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 13 Apr 2021 11:17:31 +0800 Subject: [PATCH 175/921] allow init to set readahead_size Bug: 185186743 Test: boot with no error found during boot Change-Id: I7c06977023a1125d0187b96103e94c355a9d17a2 --- tracking_denials/init.te | 8 -------- whitechapel/vendor/google/init.te | 1 + 2 files changed, 1 insertion(+), 8 deletions(-) diff --git a/tracking_denials/init.te b/tracking_denials/init.te index e34f3ae6..27d6f882 100644 --- a/tracking_denials/init.te +++ b/tracking_denials/init.te 
@@ -1,11 +1,3 @@ # b/180963348 dontaudit init overlayfs_file:chr_file { unlink }; dontaudit init overlayfs_file:file { rename }; -# b/182954138 -dontaudit init vendor_file:file { execute }; -dontaudit init vendor_file:file { execute }; -dontaudit init sysfs:file { setattr }; -dontaudit init sysfs:file { setattr }; -# b/185186743 -dontaudit init sysfs_scsi_devices_0000:file { write }; -dontaudit init sysfs_scsi_devices_0000:file { write }; diff --git a/whitechapel/vendor/google/init.te b/whitechapel/vendor/google/init.te index 9cf7d73f..5d6a6810 100644 --- a/whitechapel/vendor/google/init.te +++ b/whitechapel/vendor/google/init.te @@ -17,3 +17,4 @@ allow init modem_userdata_file:dir mounton; allow init ram_device:blk_file w_file_perms; allow init per_boot_file:file ioctl; allowxperm init per_boot_file:file ioctl { F2FS_IOC_SET_PIN_FILE }; +allow init sysfs_scsi_devices_0000:file w_file_perms; From 7e071d6cb258a1a172a458f53d293ea082c3c591 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 13 Apr 2021 11:57:54 +0800 Subject: [PATCH 176/921] dump hal_graphics_composer Bug: 179310854 Bug: 176868159 Bug: 177176812 Bug: 177389412 Bug: 177614642 Bug: 177778217 Bug: 177860841 Bug: 178752460 Bug: 179310909 Bug: 179437463 Bug: 180963481 Bug: 181177909 Bug: 174961421 Test: do bugreport with no relevant error logs Change-Id: Ieac81e9d684044fbd649b4fec608f393627c34cb --- tracking_denials/dumpstate.te | 5 - tracking_denials/incidentd.te | 139 ------------------------- tracking_denials/update_engine.te | 5 - whitechapel/vendor/google/dumpstate.te | 7 ++ 4 files changed, 7 insertions(+), 149 deletions(-) delete mode 100644 tracking_denials/dumpstate.te delete mode 100644 tracking_denials/incidentd.te delete mode 100644 tracking_denials/update_engine.te diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te deleted file mode 100644 index 1f3ef62e..00000000 --- a/tracking_denials/dumpstate.te +++ /dev/null 
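Review bot: `allow init sysfs_scsi_devices_0000:file w_file_perms;` in whitechapel/vendor/google/init.te makes every sysfs file with that label writable by init, while the commit title speaks only of readahead_size. A comment stating the intended target would make later audits easier, e.g. `# b/185186743: init writes the storage read-ahead size at boot`. The tracking_denials/init.te hunk in the same commit also drops the b/182954138 `dontaudit` lines for `vendor_file` execute and `sysfs` setattr, and nothing visible here allows or otherwise handles those. If they were fixed elsewhere, the commit message should say so.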
@@ -1,5 +0,0 @@ -# b/179310854 -dontaudit dumpstate hal_neuralnetworks_armnn:process signal; -dontaudit dumpstate hal_power_stats_vendor_service:service_manager find; -dontaudit dumpstate vendor_dmabuf_debugfs:file { getattr open read }; -dontaudit dumpstate vold:binder call; diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te deleted file mode 100644 index 61223df0..00000000 --- a/tracking_denials/incidentd.te +++ /dev/null 
@@ -1,139 +0,0 @@ -# b/176868159 -dontaudit incidentd apk_verity_prop:file getattr ; -dontaudit incidentd apk_verity_prop:file map ; -dontaudit incidentd apk_verity_prop:file getattr ; -dontaudit incidentd apk_verity_prop:file open ; -dontaudit incidentd apexd_prop:file map ; -dontaudit incidentd apexd_prop:file getattr ; -dontaudit incidentd apexd_prop:file getattr ; -dontaudit incidentd apexd_prop:file map ; -dontaudit incidentd apk_verity_prop:file open ; -dontaudit incidentd apk_verity_prop:file map ; -# b/177176812 -dontaudit incidentd audio_config_prop:file open ; -dontaudit incidentd ab_update_gki_prop:file open ; -dontaudit incidentd ab_update_gki_prop:file map ; -dontaudit incidentd ab_update_gki_prop:file getattr ; -dontaudit incidentd audio_config_prop:file open ; -dontaudit incidentd aac_drc_prop:file map ; -dontaudit incidentd aac_drc_prop:file getattr ; -dontaudit incidentd aac_drc_prop:file open ; -dontaudit incidentd aac_drc_prop:file open ; -dontaudit incidentd ab_update_gki_prop:file map ; -dontaudit incidentd aac_drc_prop:file map ; -dontaudit incidentd ab_update_gki_prop:file getattr ; -dontaudit incidentd aac_drc_prop:file getattr ; -dontaudit incidentd ab_update_gki_prop:file open ; -# b/177389412 -dontaudit incidentd audio_config_prop:file { getattr }; -dontaudit incidentd audio_config_prop:file { getattr }; -dontaudit incidentd audio_config_prop:file { map }; -dontaudit incidentd bluetooth_a2dp_offload_prop:file { open }; -dontaudit incidentd bluetooth_a2dp_offload_prop:file { map }; -dontaudit incidentd nfc_service:service_manager { find }; -dontaudit incidentd bluetooth_a2dp_offload_prop:file { map }; -dontaudit incidentd bluetooth_a2dp_offload_prop:file { getattr }; -dontaudit incidentd bluetooth_a2dp_offload_prop:file { open }; -dontaudit incidentd audio_config_prop:file { map }; -dontaudit incidentd bluetooth_a2dp_offload_prop:file { getattr }; -# b/177614642 -dontaudit incidentd bluetooth_audio_hal_prop:file { map }; -dontaudit 
incidentd bluetooth_audio_hal_prop:file { open }; -dontaudit incidentd bluetooth_prop:file { map }; -dontaudit incidentd bluetooth_prop:file { getattr }; -dontaudit incidentd bluetooth_prop:file { open }; -dontaudit incidentd bluetooth_audio_hal_prop:file { map }; -dontaudit incidentd bluetooth_audio_hal_prop:file { getattr }; -dontaudit incidentd boottime_prop:file { open }; -dontaudit incidentd bluetooth_prop:file { map }; -dontaudit incidentd bluetooth_prop:file { getattr }; -dontaudit incidentd bluetooth_prop:file { open }; -dontaudit incidentd bluetooth_audio_hal_prop:file { open }; -dontaudit incidentd bluetooth_audio_hal_prop:file { getattr }; -dontaudit incidentd boottime_prop:file { open }; -# b/177778217 -dontaudit incidentd boottime_public_prop:file { getattr }; -dontaudit incidentd boottime_prop:file { getattr }; -dontaudit incidentd bpf_progs_loaded_prop:file { open }; -dontaudit incidentd boottime_public_prop:file { map }; -dontaudit incidentd boottime_public_prop:file { getattr }; -dontaudit incidentd boottime_public_prop:file { open }; -dontaudit incidentd boottime_prop:file { map }; -dontaudit incidentd bpf_progs_loaded_prop:file { getattr }; -dontaudit incidentd bpf_progs_loaded_prop:file { open }; -dontaudit incidentd boottime_public_prop:file { map }; -dontaudit incidentd boottime_prop:file { getattr }; -dontaudit incidentd boottime_prop:file { map }; -dontaudit incidentd boottime_public_prop:file { open }; -dontaudit incidentd bpf_progs_loaded_prop:file { getattr }; -# b/177860841 -dontaudit incidentd build_bootimage_prop:file { map }; -dontaudit incidentd build_config_prop:file { getattr }; -dontaudit incidentd build_config_prop:file { open }; -dontaudit incidentd bpf_progs_loaded_prop:file { map }; -dontaudit incidentd build_bootimage_prop:file { open }; -dontaudit incidentd build_bootimage_prop:file { getattr }; -dontaudit incidentd build_bootimage_prop:file { map }; -dontaudit incidentd build_bootimage_prop:file { getattr }; -dontaudit 
incidentd build_config_prop:file { getattr }; -dontaudit incidentd build_config_prop:file { map }; -dontaudit incidentd bpf_progs_loaded_prop:file { map }; -dontaudit incidentd build_bootimage_prop:file { open }; -dontaudit incidentd build_config_prop:file { open }; -dontaudit incidentd build_config_prop:file { map }; -# b/178752460 -dontaudit incidentd camera_calibration_prop:file { open }; -dontaudit incidentd charger_config_prop:file { getattr }; -dontaudit incidentd charger_config_prop:file { open }; -dontaudit incidentd camera_calibration_prop:file { map }; -dontaudit incidentd camera_calibration_prop:file { getattr }; -dontaudit incidentd charger_config_prop:file { getattr }; -dontaudit incidentd camera_calibration_prop:file { open }; -dontaudit incidentd camera_calibration_prop:file { getattr }; -dontaudit incidentd camera_calibration_prop:file { map }; -dontaudit incidentd charger_config_prop:file { open }; -# b/179310909 -dontaudit incidentd charger_status_prop:file { open }; -dontaudit incidentd charger_prop:file { open }; -dontaudit incidentd charger_prop:file { getattr }; -dontaudit incidentd charger_prop:file { map }; -dontaudit incidentd charger_status_prop:file { open }; -dontaudit incidentd charger_status_prop:file { getattr }; -dontaudit incidentd charger_status_prop:file { map }; -dontaudit incidentd charger_config_prop:file { map }; -dontaudit incidentd charger_status_prop:file { map }; -dontaudit incidentd charger_status_prop:file { getattr }; -dontaudit incidentd charger_config_prop:file { map }; -dontaudit incidentd charger_prop:file { open }; -dontaudit incidentd charger_prop:file { getattr }; -dontaudit incidentd charger_prop:file { map }; -# b/179437463 -dontaudit incidentd cold_boot_done_prop:file { map }; -dontaudit incidentd cold_boot_done_prop:file { getattr }; -dontaudit incidentd cpu_variant_prop:file { map }; -dontaudit incidentd cpu_variant_prop:file { getattr }; -dontaudit incidentd cold_boot_done_prop:file { map }; -dontaudit 
incidentd cpu_variant_prop:file { map }; -dontaudit incidentd cpu_variant_prop:file { open }; -dontaudit incidentd cold_boot_done_prop:file { getattr }; -dontaudit incidentd cold_boot_done_prop:file { open }; -dontaudit incidentd cold_boot_done_prop:file { open }; -dontaudit incidentd cpu_variant_prop:file { open }; -dontaudit incidentd cpu_variant_prop:file { getattr }; -# b/180963481 -dontaudit incidentd ctl_bootanim_prop:file { open }; -dontaudit incidentd ctl_adbd_prop:file { open }; -dontaudit incidentd ctl_adbd_prop:file { getattr }; -dontaudit incidentd ctl_adbd_prop:file { map }; -dontaudit incidentd ctl_apexd_prop:file { getattr }; -dontaudit incidentd ctl_apexd_prop:file { map }; -dontaudit incidentd ctl_adbd_prop:file { open }; -dontaudit incidentd ctl_adbd_prop:file { getattr }; -dontaudit incidentd ctl_adbd_prop:file { map }; -dontaudit incidentd ctl_apexd_prop:file { open }; -dontaudit incidentd ctl_apexd_prop:file { getattr }; -dontaudit incidentd ctl_apexd_prop:file { map }; -dontaudit incidentd ctl_bootanim_prop:file { open }; -dontaudit incidentd ctl_apexd_prop:file { open }; -# b/181177909 -dontaudit incidentd property_type:file *; diff --git a/tracking_denials/update_engine.te b/tracking_denials/update_engine.te deleted file mode 100644 index e1f320af..00000000 --- a/tracking_denials/update_engine.te +++ /dev/null @@ -1,5 +0,0 @@ -# b/174961421 -dontaudit update_engine dumpstate:fifo_file write ; -dontaudit update_engine dumpstate:fifo_file write ; -dontaudit update_engine dumpstate:fd use ; -dontaudit update_engine dumpstate:fd use ; diff --git a/whitechapel/vendor/google/dumpstate.te b/whitechapel/vendor/google/dumpstate.te index 462492cc..d9cc1d5c 100644 --- a/whitechapel/vendor/google/dumpstate.te +++ b/whitechapel/vendor/google/dumpstate.te 
@@ -1,4 +1,9 @@ dump_hal(hal_telephony) +dump_hal(hal_graphics_composer) + +userdebug_or_eng(` + allow dumpstate vendor_dmabuf_debugfs:file r_file_perms; +') allow dumpstate sysfs_scsi_devices_0000:file r_file_perms; allow dumpstate persist_file:dir r_dir_perms; @@ -7,3 +12,5 @@ allow dumpstate modem_efs_file:dir getattr; allow dumpstate modem_img_file:dir getattr; allow dumpstate modem_userdata_file:dir getattr; allow dumpstate fuse:dir search; + +dontaudit dumpstate vendor_dmabuf_debugfs:file r_file_perms; From c14f02da5de8fbcd3a9971f95f33b048bb100b63 Mon Sep 17 00:00:00 2001 From: Kris Chen Date: Wed, 7 Apr 2021 20:08:32 +0800 Subject: [PATCH 177/921] Allow fingerprint hal to access dmabuf_system_heap_device Fixes the following avc denial: android.hardwar: type=1400 audit(0.0:1207): avc: denied { read } for name="system" dev="tmpfs" ino=689 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=0 Bug: 171791180 Bug: 184034094 Test: Enroll and authenticate fingerprints. Change-Id: Ie86143ac2484d8909b1070829ff20cf02572f17d --- whitechapel/vendor/google/hal_fingerprint_default.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te index da7748f3..4c248981 100644 --- a/whitechapel/vendor/google/hal_fingerprint_default.te +++ b/whitechapel/vendor/google/hal_fingerprint_default.te @@ -3,5 +3,6 @@ allow hal_fingerprint_default tee_device:chr_file rw_file_perms; allow hal_fingerprint_default sysfs_batteryinfo:file r_file_perms; allow hal_fingerprint_default sysfs_batteryinfo:dir search; allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl; +allow hal_fingerprint_default dmabuf_system_heap_device:chr_file r_file_perms; get_prop(hal_fingerprint_default, fingerprint_ghbm_prop) add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice) 
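Review bot: The `dontaudit dumpstate vendor_dmabuf_debugfs:file r_file_perms;` added at the end of dumpstate.te (second hunk) is unconditional and carries no comment, so on user builds reads of this debugfs node are denied without leaving an audit record. That is probably intended, since the matching `allow` in the first hunk is wrapped in `userdebug_or_eng`, but the file should say so; the commit message for this change is not visible here. I would add above the rule `# dmabuf debugfs is readable on userdebug/eng only; silence the expected denial on user builds`.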
From e541cce49bb30a74f27848880a7cbbb361743b53 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 13 Apr 2021 15:08:13 +0800 Subject: [PATCH 178/921] change assigned bug Bug: 182531832 Test: take bugreport and see no relevant log Change-Id: I33911bf652c7d21eb2a153e6b6129162434be72f --- tracking_denials/hal_dumpstate_default.te | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te index 80494570..8e364d35 100644 --- a/tracking_denials/hal_dumpstate_default.te +++ b/tracking_denials/hal_dumpstate_default.te @@ -1,13 +1,3 @@ -# b/181915591 -dontaudit hal_dumpstate_default aac_drc_prop:file { open }; -dontaudit hal_dumpstate_default sysfs:dir { read }; -dontaudit hal_dumpstate_default sysfs:dir { open }; -dontaudit hal_dumpstate_default aac_drc_prop:file { getattr }; -dontaudit hal_dumpstate_default aac_drc_prop:file { map }; -dontaudit hal_dumpstate_default aac_drc_prop:file { open }; -dontaudit hal_dumpstate_default aac_drc_prop:file { getattr }; -dontaudit hal_dumpstate_default aac_drc_prop:file { map }; -dontaudit hal_dumpstate_default ab_update_gki_prop:file { open }; -dontaudit hal_dumpstate_default ab_update_gki_prop:file { open }; +# b/182531832 dontaudit hal_dumpstate_default sysfs:dir { read }; dontaudit hal_dumpstate_default sysfs:dir { open }; From cbc7709c1020d31d8b46756ddda67df8a7bf9122 Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Tue, 13 Apr 2021 13:59:49 +0800 Subject: [PATCH 179/921] hal_dumpstate_default: Fix avc error avc: denied { set } for property=vendor.sys.modem.logging.enable pid=9743 uid=1000 gid=1000 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:vendor_modem_prop:s0 tclass=property_service permissive=0 Bug: 185196642 Change-Id: I955271fa4d2d9bc2ef4b306068623f79f5b37c74 --- whitechapel/vendor/google/hal_dumpstate_default.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 16d925de..0d981cfb 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -88,7 +88,7 @@ userdebug_or_eng(` get_prop(hal_dumpstate_default, boottime_public_prop) get_prop(hal_dumpstate_default, vendor_gps_prop) -get_prop(hal_dumpstate_default, vendor_modem_prop) +set_prop(hal_dumpstate_default, vendor_modem_prop) get_prop(hal_dumpstate_default, vendor_rild_prop) userdebug_or_eng(` From acf6b1f5ae550c37055ecde6effb08331a53c8fc Mon Sep 17 00:00:00 2001 From: Ilya Matyukhin Date: Mon, 12 Apr 2021 16:47:20 -0700 Subject: [PATCH 180/921] Add sepolicy for SystemUIGoogle to write to lhbm Bug: 184768835 Bug: 182520014 Test: adb logcat | grep "avc: denied" Change-Id: Ia200983c87e0b826a0b62052e65cc731453a632f --- whitechapel/vendor/google/file.te | 4 ++++ whitechapel/vendor/google/genfs_contexts | 4 ++++ whitechapel/vendor/google/platform_app.te | 7 +++++++ 3 files changed, 15 insertions(+) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index e6419b61..e7b7d513 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -188,3 +188,7 @@ type sysfs_bcmdhd, sysfs_type, fs_type; # Video type sysfs_video, sysfs_type, fs_type; + +# TODO(b/184768835): remove this once the bug is fixed +# LHBM (Local High Brightness Mode) +type sysfs_lhbm, sysfs_type, fs_type, mlstrustedobject; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index b31a7d0b..47b98d42 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
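Review bot: `set_prop(hal_dumpstate_default, vendor_modem_prop)` grants write access to every property labelled `vendor_modem_prop`, while the denial quoted in the commit message is for the single property `vendor.sys.modem.logging.enable`. The changed line appears to sit between two `userdebug_or_eng` blocks, so the grant would apply on user builds as well; the file continues outside the hunk, so this should be confirmed. A narrower fix would be to give the logging-control properties their own type and grant `set_prop` on that type only, or to move the line into one of the `userdebug_or_eng` blocks if the dumpstate HAL only toggles modem logging on debug builds. At minimum add a comment such as `# dumpstate HAL toggles vendor.sys.modem.logging.enable while collecting modem logs`.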
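Review bot: The `mlstrustedobject` attribute on the new `sysfs_lhbm` type in file.te is declared on all builds and is not explained, although the only writer this commit adds (`platform_app`, in platform_app.te) is wrapped in `userdebug_or_eng`. The attribute takes the node out of MLS checking for every domain that is later granted access, so the reason belongs next to the declaration, e.g. `# mlstrustedobject: written by platform_app, which presumably runs at a per-user MLS level`. The TODO says only "remove this"; it would help to state that the type, the genfscon entry and the platform_app rules are to be removed together.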
@@ -111,6 +111,10 @@ genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 +# TODO(b/184768835): remove this once the bug is fixed +# Display / LHBM (Local High Brightness Mode) +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/local_hbm_mode u:object_r:sysfs_lhbm:s0 + # Modem genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0 diff --git a/whitechapel/vendor/google/platform_app.te b/whitechapel/vendor/google/platform_app.te index 246ec357..b10c994c 100644 --- a/whitechapel/vendor/google/platform_app.te +++ b/whitechapel/vendor/google/platform_app.te @@ -12,3 +12,10 @@ binder_call(platform_app, twoshay) # Fingerprint (UDFPS) GHBM/LHBM toggle get_prop(platform_app, fingerprint_ghbm_prop) + +# TODO(b/184768835): remove this once the bug is fixed +# Fingerprint (UDFPS) LHBM access +userdebug_or_eng(` + allow platform_app sysfs_leds:dir search; + allow platform_app sysfs_lhbm:file rw_file_perms; +') From 72f80a3c9096e14faf510f1ea2bf374cddd5fdc8 Mon Sep 17 00:00:00 2001 From: Vova Sharaienko Date: Tue, 13 Apr 2021 19:26:01 +0000 Subject: [PATCH 181/921] wirelesscharger-adapter: updated sepolicy This allows the wirelesscharger-adapter to access AIDL Stats service Bug: 181892307 Test: Build, flash, boot & and logcat | grep "platform_app" Change-Id: I801e801133e4c7a0977f6c1e816b7c64135f59a3 --- whitechapel/vendor/google/platform_app.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/platform_app.te b/whitechapel/vendor/google/platform_app.te index 246ec357..b2dba7e2 100644 --- a/whitechapel/vendor/google/platform_app.te +++ b/whitechapel/vendor/google/platform_app.te 
@@ -7,6 +7,9 @@ binder_call(platform_app, hal_wlc) allow platform_app fwk_stats_hwservice:hwservice_manager find; allow platform_app nfc_service:service_manager find; +allow platform_app fwk_stats_service:service_manager find; +binder_use(platform_app) + allow platform_app touch_context_service:service_manager find; binder_call(platform_app, twoshay) From 8119d482ed646b2e08057e1b183f28c0ef0e9617 Mon Sep 17 00:00:00 2001 
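Review bot: `binder_use(platform_app)` looks redundant in this hunk: platform_app is an app domain, and as far as I know the base app policy already applies `binder_use` to all of `appdomain`, so the rule that does the work is the `fwk_stats_service` find. Unless a denial shows the macro is needed, I would drop it, or else add a comment naming the denial it fixes. The new `find` rule would also benefit from a comment tying it to the commit message, for example `# wirelesscharger-adapter reports to the AIDL Stats service`.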
From: Roshan Pius Date: Wed, 31 Mar 2021 15:01:48 -0700 Subject: [PATCH 182/921] Uwb: Create a new Uwb system service Move the vendor service to a different name which will be used by AOSP uwb service. Also, create a new domain for the UWB vendor app which can expose this vendor service. Denials: 04-12 16:38:38.282 411 411 E SELinux : avc: denied { find } for pid=2964 uid=1000 name=tethering scontext=u:r:uwb_vendor_app:s0:c232,c259,c512,c768 tcontext=u:object_r:tethering_service:s0 tclass=service_manager permissive=0 04-12 17:56:49.320 411 411 E SELinux : avc: denied { find } for pid=2964 uid=1000 name=hardware.qorvo.uwb.IUwb/default scontext=u:r:uwb_vendor_app:s0:c232,c259,c512,c768 tcontext=u:object_r:hal_uwb_service:s0 tclass=service_manager permissive=0 04-12 20:13:37.952 3034 3034 W com.qorvo.uwb: type=1400 audit(0.0:8): avc: denied { getattr } for path="/data/user/0/com.qorvo.uwb" dev="dm-11" ino=7176 scontext=u:r:uwb_vendor_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=dir permissive=0 04-12 20:13:38.003 408 408 E SELinux : avc: denied { find } for pid=3034 uid=1000 name=content_capture scontext=u:r:uwb_vendor_app:s0:c232,c259,c512,c768 tcontext=u:object_r:content_capture_service:s0 tclass=service_manager permissive=0 04-12 21:25:03.244 2992 2992 W com.qorvo.uwb: type=1400 audit(0.0:7): avc: denied { getattr } for path="/data/user/0/com.qorvo.uwb" dev="dm-11" ino=7176 scontext=u:r:uwb_vendor_app:s0:c232,c259,c512,c768 tcontext=u:object_r: system_app_data_file:s0:c232,c259,c512,c768 tclass=dir permissive=0 Bug: 183904955 Test: atest android.uwb.cts.UwbManagerTest Change-Id: Iecb871902ebe7d110f2deb9ddb960c1a3945d8e9 --- whitechapel/vendor/google/file.te | 3 +++ whitechapel/vendor/google/gmscore_app.te | 3 --- whitechapel/vendor/google/seapp_contexts | 3 +++ whitechapel/vendor/google/service.te | 2 +- whitechapel/vendor/google/service_contexts | 2 +- whitechapel/vendor/google/system_app.te | 2 -- 
whitechapel/vendor/google/system_server.te | 2 ++ whitechapel/vendor/google/untrusted_app_all.te | 4 ---- whitechapel/vendor/google/uwb_service.te | 1 - whitechapel/vendor/google/uwb_vendor_app.te | 10 ++++++++++ 10 files changed, 20 insertions(+), 12 deletions(-) delete mode 100644 whitechapel/vendor/google/gmscore_app.te delete mode 100644 whitechapel/vendor/google/uwb_service.te create mode 100644 whitechapel/vendor/google/uwb_vendor_app.te diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index e7b7d513..a83e7817 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -192,3 +192,6 @@ type sysfs_video, sysfs_type, fs_type; # TODO(b/184768835): remove this once the bug is fixed # LHBM (Local High Brightness Mode) type sysfs_lhbm, sysfs_type, fs_type, mlstrustedobject; + +# UWB vendor +type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; diff --git a/whitechapel/vendor/google/gmscore_app.te b/whitechapel/vendor/google/gmscore_app.te deleted file mode 100644 index d2394b77..00000000 --- a/whitechapel/vendor/google/gmscore_app.te +++ /dev/null @@ -1,3 +0,0 @@ -# Allow gmscore to use UwbService APIs -# TODO (b/183904955): remove -allow gmscore_app uwb_service:service_manager find; diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index c88dfbde..94bf35f7 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts @@ -43,3 +43,6 @@ user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type= # Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user + +# Qorvo UWB system app +user=system seinfo=platform name=com.qorvo.uwb domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all 
diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te index debd8bd9..99e99483 100644 --- a/whitechapel/vendor/google/service.te +++ b/whitechapel/vendor/google/service.te @@ -1,4 +1,4 @@ type hal_pixel_display_service, service_manager_type, vendor_service; -type uwb_service, service_manager_type; +type uwb_vendor_service, service_manager_type, vendor_service; type touch_context_service, service_manager_type, vendor_service; type hal_uwb_service, service_manager_type, vendor_service; diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index f3a6acb8..e0455372 100644 --- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts @@ -2,5 +2,5 @@ com.google.edgetpu.IEdgeTpuService/default u:object_r:edgetpu_service:s0 com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0 -uwb u:object_r:uwb_service:s0 +uwb_vendor u:object_r:uwb_vendor_service:s0 hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_service:s0 diff --git a/whitechapel/vendor/google/system_app.te b/whitechapel/vendor/google/system_app.te index 043d4bb1..b7542fd6 100644 --- a/whitechapel/vendor/google/system_app.te +++ b/whitechapel/vendor/google/system_app.te @@ -4,5 +4,3 @@ allow system_app hal_wlc_hwservice:hwservice_manager find; binder_call(system_app, hal_wlc) allow system_app fwk_stats_hwservice:hwservice_manager find; - -add_service(system_app, uwb_service) diff --git a/whitechapel/vendor/google/system_server.te b/whitechapel/vendor/google/system_server.te index 329a693a..001b8556 100644 --- a/whitechapel/vendor/google/system_server.te +++ b/whitechapel/vendor/google/system_server.te 
@@ -1,3 +1,5 @@ # Allow system server to send sensor data callbacks to GPS and camera HALs binder_call(system_server, gpsd); binder_call(system_server, hal_camera_default); +# Allow system server to find vendor uwb service +allow system_server uwb_vendor_service:service_manager find; diff --git a/whitechapel/vendor/google/untrusted_app_all.te b/whitechapel/vendor/google/untrusted_app_all.te index 01206d90..ae7386fc 100644 --- a/whitechapel/vendor/google/untrusted_app_all.te +++ b/whitechapel/vendor/google/untrusted_app_all.te @@ -8,7 +8,3 @@ allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map } # Allows Exoplayer(and other applications) access to the vstream-secure DMA-BUF heap # for secure video playback allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms; - -# Allows cts tests to test for UwbService presence -# TODO (b/183904955): remove -allow untrusted_app_all uwb_service:service_manager find; diff --git a/whitechapel/vendor/google/uwb_service.te b/whitechapel/vendor/google/uwb_service.te deleted file mode 100644 index 7360278d..00000000 --- a/whitechapel/vendor/google/uwb_service.te +++ /dev/null @@ -1 +0,0 @@ -allow uwb_service hal_uwb_service:service_manager find; diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/whitechapel/vendor/google/uwb_vendor_app.te new file mode 100644 index 00000000..ef771dd5 --- /dev/null +++ b/whitechapel/vendor/google/uwb_vendor_app.te @@ -0,0 +1,10 @@ +type uwb_vendor_app, domain; + +app_domain(uwb_vendor_app) + +add_service(uwb_vendor_app, uwb_vendor_service) + +allow uwb_vendor_app app_api_service:service_manager find; +allow uwb_vendor_app hal_uwb_service:service_manager find; + +allow uwb_vendor_app uwb_vendor_data_file:dir { getattr search }; From f23a4423c4dcc9b1bd3783bca6380d8e6d764425 Mon Sep 17 00:00:00 2001 
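Review bot: The new uwb_vendor_app.te has no comment saying what runs in the domain; the seapp_contexts hunk shows it is `com.qorvo.uwb` with `user=system seinfo=platform`, and a header line such as `# Domain for the Qorvo UWB vendor app (com.qorvo.uwb), which registers uwb_vendor_service` would save the lookup. The last rule grants only `{ getattr search }` on `uwb_vendor_data_file:dir` and the file has no `uwb_vendor_data_file:file` rule, so the app apparently cannot create or read anything in its own data directory. If that is intended, a comment should say so; otherwise later denials tend to be fixed with a broader grant than needed.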
From: SalmaxChang Date: Wed, 14 Apr 2021 10:58:07 +0800 Subject: [PATCH 183/921] Add more modem properties init : Do not have permissions to set 'ro.vendor.sys.modem.logging.loc' to '/data/vendor/slog' in property file '/vendor/build.prop': SELinux permission check failed Bug: 184101903 Change-Id: I8c2dfd48e177e4a5127c1efd977c0f6c18b50379 --- whitechapel/vendor/google/property_contexts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 23e83f4a..b03a6340 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -37,6 +37,7 @@ vendor.usb. u:object_r:vendor_usb_config_prop:s0 persist.vendor.modem. u:object_r:vendor_modem_prop:s0 vendor.modem. u:object_r:vendor_modem_prop:s0 vendor.sys.modem. u:object_r:vendor_modem_prop:s0 +ro.vendor.sys.modem. u:object_r:vendor_modem_prop:s0 vendor.sys.exynos.modempath u:object_r:vendor_modem_prop:s0 persist.vendor.sys.modem. u:object_r:vendor_modem_prop:s0 @@ -111,4 +112,4 @@ vendor.mfgapi.touchpanel.permission u:object_r:vendor_touchpanel_pro persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0 vendor.tcpdump.log.ondemand u:object_r:vendor_tcpdump_log_prop:s0 vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0 -vendor.tcpdump.output.dir u:object_r:vendor_tcpdump_log_prop:s0 \ No newline at end of file +vendor.tcpdump.output.dir u:object_r:vendor_tcpdump_log_prop:s0 From f4589fecba2e56f37adbcef67dbc459f601496db Mon Sep 17 00:00:00 2001 
From: Ray Chi Date: Wed, 14 Apr 2021 14:36:44 +0800 Subject: [PATCH 184/921] usb: Add sepolicy for extcon access USB gadget hal will access extcon folder so that this patch will add new rule to allow USB gadget hal to access extcon. Bug: 185302867 Test: apply the rule and verify it Change-Id: I0bc44dbf89a02c4fa5b561baf1c0c1c43d5183e9 --- whitechapel/vendor/google/hal_usb_impl.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/hal_usb_impl.te b/whitechapel/vendor/google/hal_usb_impl.te index 6c48682a..14abf59c 100644 --- a/whitechapel/vendor/google/hal_usb_impl.te +++ b/whitechapel/vendor/google/hal_usb_impl.te @@ -10,3 +10,4 @@ set_prop(hal_usb_impl, vendor_usb_config_prop) allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms; allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms; +allow hal_usb_impl sysfs_extcon:dir search; From 204dc05aa453342972195744d37ccff268e87fb8 Mon Sep 17 00:00:00 2001 
From: Aaron Tsai Date: Wed, 14 Apr 2021 16:17:12 +0800 Subject: [PATCH 185/921] Fix avc denied for Silent Logging 04-08 23:18:20.684 920 920 I HwBinder:920_1: type=1400 audit(0.0:486): avc: denied { call } for scontext=u:r:sced:s0 tcontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tclass=binder permissive=1 04-08 22:51:36.312 1000 6890 6890 I Thread-2: type=1400 audit(0.0:1390): avc: denied { call } for scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:r:sced:s0 tclass=binder permissive=1 04-08 23:18:20.684 7099 7099 I auditd : type=1400 audit(0.0:487): avc: denied { execute } for comm="HwBinder:920_1" name="sh" dev="dm-0" ino=464 scontext=u:r:sced:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1 04-08 23:18:20.684 7099 7099 I auditd : type=1400 audit(0.0:488): avc: denied { read open } for comm="HwBinder:920_1" path="/system/bin/sh" dev="overlay" ino=464 scontext=u:r:sced:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1 04-08 22:51:36.312 1000 8554 8554 I HwBinder:908_1: type=1400 audit(0.0:1391): avc: denied { execute_no_trans } for path="/vendor/bin/sh" dev="overlay" ino=377 scontext=u:r:sced:s0 tcontext=u:object_r:vendor_shell_exec:s0 tclass=file permissive=1 04-08 22:51:36.324 1000 908 908 I HwBinder:908_1: type=1400 audit(0.0:1392): avc: denied { search } for name="slog" dev="dm-7" ino=245 scontext=u:r:sced:s0 tcontext=u:object_r:vendor_slog_file:s0 tclass=dir permissive=1 04-08 22:51:36.324 1000 908 908 I HwBinder:908_1: type=1400 audit(0.0:1393): avc: denied { write } for name="slog" dev="dm-7" ino=245 scontext=u:r:sced:s0 tcontext=u:object_r:vendor_slog_file:s0 tclass=dir permissive=1 04-08 22:51:36.324 1000 908 908 I HwBinder:908_1: type=1400 audit(0.0:1394): avc: denied { add_name } for name="tcplog_20210408225136.pcap" scontext=u:r:sced:s0 tcontext=u:object_r:vendor_slog_file:s0 tclass=dir permissive=1 04-08 22:52:24.720 1000 908 908 I HwBinder:908_1: type=1400 audit(0.0:1427): avc: denied { create } for 
name="tcplog_20210408225224.pcap" scontext=u:r:sced:s0 tcontext=u:object_r:vendor_slog_file:s0 tclass=file permissive=1 04-08 23:18:23.160 7099 7099 I auditd : type=1400 audit(0.0:505): avc: denied { getopt } for comm="tcpdump" scontext=u:r:sced:s0 tcontext=u:r:sced:s0 tclass=packet_socket permissive=1 04-08 23:18:23.160 7099 7099 I tcpdump : type=1400 audit(0.0:505): avc: denied { getopt } for scontext=u:r:sced:s0 tcontext=u:r:sced:s0 tclass=packet_socket permissive=1 04-08 23:18:23.160 7099 7099 I auditd : type=1400 audit(0.0:506): avc: denied { setopt } for comm="tcpdump" scontext=u:r:sced:s0 tcontext=u:r:sced:s0 tclass=packet_socket permissive=1 04-08 23:18:23.160 7099 7099 I tcpdump : type=1400 audit(0.0:506): avc: denied { setopt } for scontext=u:r:sced:s0 tcontext=u:r:sced:s0 tclass=packet_socket permissive=1 04-08 23:58:53.664 8514 8514 I auditd : type=1400 audit(0.0:500): avc: denied { getattr } for comm="sh" path="/system/bin/tcpdump" dev="overlay" ino=502 scontext=u:r:sced:s0 tcontext=u:object_r:tcpdump_exec:s0 tclass=file permissive=1 04-08 23:58:53.664 8514 8514 I auditd : type=1400 audit(0.0:501): avc: denied { execute } for comm="sh" name="tcpdump" dev="dm-0" ino=502 scontext=u:r:sced:s0 tcontext=u:object_r:tcpdump_exec:s0 tclass=file permissive=1 04-08 23:58:53.664 8514 8514 I auditd : type=1400 audit(0.0:502): avc: denied { read open } for comm="sh" path="/system/bin/tcpdump" dev="overlay" ino=502 scontext=u:r:sced:s0 tcontext=u:object_r:tcpdump_exec:s0 tclass=file permissive=1 04-08 23:58:53.668 8514 8514 I auditd : type=1400 audit(0.0:503): avc: denied { execute_no_trans } for comm="sh" path="/system/bin/tcpdump" dev="overlay" ino=502 scontext=u:r:sced:s0 tcontext=u:object_r:tcpdump_exec:s0 tclass=file permissive=1 04-08 23:58:53.668 8514 8514 I auditd : type=1400 audit(0.0:504): avc: denied { map } for comm="tcpdump" path="/system/bin/tcpdump" dev="overlay" ino=502 scontext=u:r:sced:s0 tcontext=u:object_r:tcpdump_exec:s0 tclass=file permissive=1 
04-08 23:58:53.680 8514 8514 I auditd : type=1400 audit(0.0:505): avc: denied { create } for comm="tcpdump" scontext=u:r:sced:s0 tcontext=u:r:sced:s0 tclass=packet_socket permissive=1 04-08 23:58:53.680 8514 8514 I auditd : type=1400 audit(0.0:506): avc: denied { net_raw } for comm="tcpdump" capability=13 scontext=u:r:sced:s0 tcontext=u:r:sced:s0 tclass=capability permissive=1 04-08 23:58:53.680 8514 8514 I auditd : type=1400 audit(0.0:507): avc: denied { ioctl } for comm="tcpdump" path="socket:[96140]" dev="sockfs" ino=96140 ioctlcmd=0x8933 scontext=u:r:sced:s0 tcontext=u:r:sced:s0 tclass=packet_socket permissive=1 04-13 19:19:38.493 1000 403 403 I auditd : avc: denied { find } for interface=vendor.samsung_slsi.telephony.hardware.oemservice::IOemService sid=u:r:sced:s0 pid=909 scontext=u:r:sced:s0 tcontext=u:object_r:hal_vendor_oem_hwservice:s0 tclass=hwservice_manager permissive=0 04-13 21:40:13.054 404 404 I auditd : avc: denied { add } for interface=vendor.samsung_slsi.telephony.hardware.oemservice::IOemService sid=u:r:sced:s0 pid=911 scontext=u:r:sced:s0 tcontext=u:object_r:hal_vendor_oem_hwservice:s0 tclass=hwservice_manager permissive=1 04-13 21:40:13.055 404 404 I auditd : avc: denied { add } for interface=android.hidl.base::IBase sid=u:r:sced:s0 pid=911 scontext=u:r:sced:s0 tcontext=u:object_r:hidl_base_hwservice:s0 tclass=hwservice_manager permissive=1 Bug: 184921478 Test: manual test Change-Id: I39eb403272a8a4fba0728c9f8eab5ea23096a540 --- tracking_denials/sced.te | 4 ---- whitechapel/vendor/google/dmd.te | 3 ++- whitechapel/vendor/google/sced.te | 15 ++++++++++++++- whitechapel/vendor/google/vendor_telephony_app.te | 1 + 4 files changed, 17 insertions(+), 6 deletions(-) delete mode 100644 tracking_denials/sced.te diff --git a/tracking_denials/sced.te b/tracking_denials/sced.te deleted file mode 100644 index 00243ca3..00000000 --- a/tracking_denials/sced.te +++ /dev/null 
@@ -1,4 +0,0 @@ -# b/171760846 -dontaudit sced hidl_base_hwservice:hwservice_manager { add }; -dontaudit sced hal_vendor_oem_hwservice:hwservice_manager { add }; -dontaudit sced hal_vendor_oem_hwservice:hwservice_manager { find }; diff --git a/whitechapel/vendor/google/dmd.te b/whitechapel/vendor/google/dmd.te index 4dff6f71..4f9cef1d 100644 --- a/whitechapel/vendor/google/dmd.te +++ b/whitechapel/vendor/google/dmd.te @@ -25,7 +25,8 @@ get_prop(dmd, vendor_persist_config_default_prop) # Grant to access hwservice manager get_prop(dmd, hwservicemanager_prop) -add_hwservice(dmd, hal_vendor_oem_hwservice) +allow dmd hidl_base_hwservice:hwservice_manager add; +allow dmd hal_vendor_oem_hwservice:hwservice_manager { add find }; binder_call(dmd, hwservicemanager) binder_call(dmd, modem_diagnostic_app) binder_call(dmd, modem_logging_control) diff --git a/whitechapel/vendor/google/sced.te b/whitechapel/vendor/google/sced.te index 52c2b2b6..827ac057 100644 --- a/whitechapel/vendor/google/sced.te +++ b/whitechapel/vendor/google/sced.te @@ -2,9 +2,22 @@ type sced, domain; type sced_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(sced) +typeattribute sced vendor_executes_system_violators; + userdebug_or_eng(` hwbinder_use(sced) binder_call(sced, dmd) +binder_call(sced, vendor_telephony_app) get_prop(sced, hwservicemanager_prop) -') \ No newline at end of file +allow sced self:packet_socket create_socket_perms_no_ioctl; + +allow sced self:capability net_raw; +allow sced shell_exec:file rx_file_perms; +allow sced tcpdump_exec:file rx_file_perms; +allow sced vendor_shell_exec:file x_file_perms; +allow sced vendor_slog_file:dir create_dir_perms; +allow sced vendor_slog_file:file create_file_perms; +allow sced hidl_base_hwservice:hwservice_manager add; +allow sced hal_vendor_oem_hwservice:hwservice_manager { add find }; +') 
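Review bot: In dmd.te, replacing `add_hwservice(dmd, hal_vendor_oem_hwservice)` with the two raw `allow` lines keeps the permissions but drops the `neverallow { domain -dmd } hal_vendor_oem_hwservice:hwservice_manager add;` that the macro generates. That is presumably the reason for the change, since sced.te in this commit grants sced the same `add`, but the policy then no longer states which process owns the interface. I would record this above the new lines, e.g. `# Not add_hwservice(): sced also registers IOemService on userdebug/eng builds`. A separate hwservice type per daemon would let both keep the macro and its neverallow.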
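Review bot: In sced.te, `typeattribute sced vendor_executes_system_violators;` is added above the `userdebug_or_eng` block, so sced is exempted from the vendor-executes-system neverallow on user builds too, while every rule that needs the exemption (`shell_exec`, `tcpdump_exec`) is inside the block. Moving the `typeattribute` line to be the first statement inside `userdebug_or_eng` would keep user builds under the neverallow. The block also gives a vendor daemon `net_raw`, a packet socket and execute access to two shells without any comment; a line such as `# Silent Logging: sced runs tcpdump through sh and writes pcaps to vendor_slog_file (userdebug/eng only)` would explain the grants.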
diff --git a/whitechapel/vendor/google/vendor_telephony_app.te b/whitechapel/vendor/google/vendor_telephony_app.te index 65b12869..5b4c4604 100644 --- a/whitechapel/vendor/google/vendor_telephony_app.te +++ b/whitechapel/vendor/google/vendor_telephony_app.te @@ -16,3 +16,4 @@ allow vendor_telephony_app vendor_slog_file:file create_file_perms; allow vendor_telephony_app app_api_service:service_manager find; allow vendor_telephony_app hal_vendor_oem_hwservice:hwservice_manager find; binder_call(vendor_telephony_app, dmd) +binder_call(vendor_telephony_app, sced) From a791d93318c5006d9b50bdae1816364a150abd87 Mon Sep 17 00:00:00 2001 From: Benjamin Schwartz Date: Wed, 14 Apr 2021 15:35:53 -0700 Subject: [PATCH 186/921] Allow power stats HAL read uwb power_stats sysfs node Bug: 180956351 Test: dumpsys android.hardware.power.stats.IPowerStats/default Change-Id: Id157c1e10f4d9491ae54dd1babb82e6f282c257c --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 47b98d42..7d154e67 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -28,6 +28,7 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/power_supply genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0061/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power_stats u:object_r:sysfs_power_stats:s0 # O6 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025 u:object_r:sysfs_batteryinfo:s0 From dde4b6bf1f659c9a465a15213947fab9f285bc76 Mon Sep 17 00:00:00 2001 
From: Benjamin Schwartz Date: Tue, 6 Apr 2021 16:01:59 -0700 Subject: [PATCH 187/921] Allow power stats HAL to read gnss stats Bug: 181577366 Test: dumpsys android.hardware.power.stats.IPowerStats/default Change-Id: Iea8c332f9b73358e1a6464d69cbef6af4a603f84 --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index d005a4e8..d7e056a9 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -80,6 +80,7 @@ # /dev/gnss_ipc u:object_r:vendor_gnss_device:s0 /dev/bbd_control u:object_r:vendor_gnss_device:s0 +/dev/bbd_pwrstat u:object_r:power_stats_device:s0 /dev/ttyBCM u:object_r:vendor_gnss_device:s0 /dev/nanohub u:object_r:vendor_nanohub_device:s0 /dev/nanohub_comms u:object_r:vendor_nanohub_device:s0 From a0a8cb2dff3de9c17c9107ce78f0e5f44fdcd7a2 Mon Sep 17 00:00:00 2001 From: Vova Sharaienko Date: Thu, 15 Apr 2021 01:37:08 +0000 Subject: [PATCH 188/921] Stats: removed obsolete IStats HIDL sepolicies Bug: 181887265 Test: Build, flash, and logcat for sepolicies messages Change-Id: I702a8d59fadf04658addd6e3acf3a126a0a4cae7 --- ambient/exo_app.te | 1 - usf/sensor_hal.te | 3 --- whitechapel/vendor/google/pixelstats_vendor.te | 1 - whitechapel/vendor/google/platform_app.te | 1 - 4 files changed, 6 deletions(-) diff --git a/ambient/exo_app.te b/ambient/exo_app.te index b7a30e28..ef928f65 100644 --- a/ambient/exo_app.te +++ b/ambient/exo_app.te @@ -8,7 +8,6 @@ allow exo_app audioserver_service:service_manager find; allow exo_app cameraserver_service:service_manager find; allow exo_app mediaserver_service:service_manager find; allow exo_app radio_service:service_manager find; -allow exo_app fwk_stats_hwservice:hwservice_manager find; allow exo_app fwk_stats_service:service_manager find; allow exo_app mediametrics_service:service_manager find; allow exo_app gpu_device:dir search; 
diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index f1105928..f8213133 100644 --- a/usf/sensor_hal.te +++ b/usf/sensor_hal.te @@ -35,9 +35,6 @@ allow hal_sensors_default sysfs_wlc:dir r_dir_perms; # Allow access to sensor service for sensor_listener. binder_call(hal_sensors_default, system_server); -# Allow access to the stats service. -allow hal_sensors_default fwk_stats_hwservice:hwservice_manager find; - # Allow access to the sysfs_aoc. allow hal_sensors_default sysfs_aoc:dir search; diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te index c4c1c275..d207699a 100644 --- a/whitechapel/vendor/google/pixelstats_vendor.te +++ b/whitechapel/vendor/google/pixelstats_vendor.te @@ -9,7 +9,6 @@ unix_socket_connect(pixelstats_vendor, chre, chre) get_prop(pixelstats_vendor, hwservicemanager_prop) hwbinder_use(pixelstats_vendor) -allow pixelstats_vendor fwk_stats_hwservice:hwservice_manager find; binder_call(pixelstats_vendor, stats_service_server) binder_use(pixelstats_vendor); allow pixelstats_vendor fwk_stats_service:service_manager find; diff --git a/whitechapel/vendor/google/platform_app.te b/whitechapel/vendor/google/platform_app.te index 4d20f6d1..f6bc2de8 100644 --- a/whitechapel/vendor/google/platform_app.te +++ b/whitechapel/vendor/google/platform_app.te @@ -4,7 +4,6 @@ allow platform_app hal_exynos_rild_hwservice:hwservice_manager find; allow platform_app hal_wlc_hwservice:hwservice_manager find; binder_call(platform_app, hal_wlc) -allow platform_app fwk_stats_hwservice:hwservice_manager find; allow platform_app nfc_service:service_manager find; allow platform_app fwk_stats_service:service_manager find; From 86582e6ce051c78a39992e3e3fb1d2c10171a8b0 Mon Sep 17 00:00:00 2001 
From: Chris Lu Date: Wed, 14 Apr 2021 23:24:01 +0800 Subject: [PATCH 189/921] display: remove dontaudit for hal_memtrack_default Bug: 181913683 Test: make pts -j60 pts-tradefed run pts -m PtsSELinuxTest -t com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot Change-Id: I72963aed5aff9bcbf2de16b11b16033ca594d7f0 --- tracking_denials/hal_memtrack_default.te | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 tracking_denials/hal_memtrack_default.te diff --git a/tracking_denials/hal_memtrack_default.te b/tracking_denials/hal_memtrack_default.te deleted file mode 100644 index 8bb56ce2..00000000 --- a/tracking_denials/hal_memtrack_default.te +++ /dev/null @@ -1,3 +0,0 @@ -# b/181913683 -dontaudit hal_memtrack_default vendor_ion_debugfs:dir { search }; -dontaudit hal_memtrack_default vendor_ion_debugfs:dir { search }; From 9d20b9753496360b23173612a6e8bb4b3d694b0f Mon Sep 17 00:00:00 2001 From: Taehwan Kim Date: Thu, 15 Apr 2021 11:33:01 +0900 Subject: [PATCH 190/921] remove video_system_heap Test: Youtube playback, video recording, ExoPlayer playback Bug: 181380463 Signed-off-by: Taehwan Kim Change-Id: If2aad557365755156e4c088048dc351bc66df281 --- whitechapel/vendor/google/file_contexts | 3 --- 1 file changed, 3 deletions(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index d005a4e8..0ba475e5 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -650,9 +650,6 @@ # vscaler-secure DMA-BUF heap /dev/dma_heap/vscaler-secure u:object_r:vscaler_heap_device:s0 -# video system DMA-BUF heap -/dev/dma_heap/video_system u:object_r:dmabuf_system_heap_device:s0 -/dev/dma_heap/video_system-uncached u:object_r:dmabuf_system_heap_device:s0 /dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0 From 01a33d0cb752fcda99c3aba31082213626f0d024 Mon Sep 17 00:00:00 2001 
From: Charlie Chen Date: Thu, 15 Apr 2021 11:05:39 +0800 Subject: [PATCH 191/921] Formatting file_contexts Test: Youtube playback, video recording, ExoPlayer playback Bug: 181380463 Change-Id: I9eeb08987794336aafa7945a9d648a38f0e7989a --- whitechapel/vendor/google/file_contexts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 0ba475e5..eb7576e2 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -650,8 +650,8 @@ # vscaler-secure DMA-BUF heap /dev/dma_heap/vscaler-secure u:object_r:vscaler_heap_device:s0 - -/dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0 +# vstream-secure DMA-BUF heap +/dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0 # BigOcean /dev/bigocean u:object_r:video_device:s0 From 66fd237730d460134dc77afc7fef3a3384d1b6e0 Mon Sep 17 00:00:00 2001 From: TeYuan Wang Date: Wed, 14 Apr 2021 14:25:05 +0800 Subject: [PATCH 192/921] thermal: add sepolicy rule to access ODPM sysfs Bug: 170653634 Test: test thermal behavior under enforcing mode Change-Id: I37500de957cc2375213f1d0416a88356f36d2367 --- whitechapel/vendor/google/hal_thermal_default.te | 2 ++ whitechapel/vendor/google/vendor_init.te | 1 + 2 files changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/hal_thermal_default.te b/whitechapel/vendor/google/hal_thermal_default.te index 66c3af87..491035ee 100644 --- a/whitechapel/vendor/google/hal_thermal_default.te +++ b/whitechapel/vendor/google/hal_thermal_default.te @@ -1 +1,3 @@ allow hal_thermal_default self:netlink_generic_socket create_socket_perms_no_ioctl; +allow hal_thermal_default sysfs_iio_devices:dir r_dir_perms; +allow hal_thermal_default sysfs_odpm:file r_file_perms; diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 0f20f4b5..fa4d5de8 100644 
--- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -11,6 +11,7 @@ set_prop(vendor_init, vendor_ro_config_default_prop) get_prop(vendor_init, vendor_touchpanel_prop) set_prop(vendor_init, vendor_edgetpu_service_prop) set_prop(vendor_init, vendor_tcpdump_log_prop) +set_prop(vendor_init, vendor_thermal_prop) allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file write; From da8122c86778891abeee8744d6b176543a84e7a8 Mon Sep 17 00:00:00 2001 From: Roger Wang Date: Thu, 15 Apr 2021 18:04:53 +0800 Subject: [PATCH 193/921] ssr_detector: provide wlan firmware version In this commit, we allow ssr_detector to collect wlan firmware version from property. This information is useful for doing SSR statistic. avc log: avc: denied { read } for comm="FileObserver" name="u:object_r:vendor_wifi_version:s0" dev="tmpfs" ino=324 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:vendor_wifi_version:s0 tclass=file permissive=0 Bug: 185457155 Test: check firmware version can be collected. ssrInfo SSRInfo{mSubsystem='wlan', mCrashReason='Dongle_Trap_traptest+0x8_pcidev_handle_user_disconnect+0xbb', mRamdumpFile='coredump_wlan_2021-04-15_18-01-54.bin', mTimeStamp='2021-04-15_18-01-54', mBuildVersion='20.25.423.4', mUID='05a6029c-4f74-3172-9a3f-7fa8e8bcc6c4', mExtraBuildVersion=''}, uid 05a6029c-4f74-3172-9a3f-7fa8e8bcc6c4 Change-Id: Ibf2ce8f0c7a7dd752963c738bf28da14034cc209 --- whitechapel/vendor/google/ssr_detector.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te index 48361bd8..cda0c3eb 100644 --- a/whitechapel/vendor/google/ssr_detector.te +++ b/whitechapel/vendor/google/ssr_detector.te @@ -14,3 +14,4 @@ userdebug_or_eng(` ') get_prop(ssr_detector_app, vendor_ssrdump_prop) +get_prop(ssr_detector_app, vendor_wifi_version) From a0a4a7f2a26106736d4a67b85ae7d2362c8768fc Mon Sep 17 00:00:00 2001 
From: rioskao Date: Thu, 15 Apr 2021 13:40:17 +0800 Subject: [PATCH 194/921] Allow ssr_detector to read aoc version property sst_detector would need firmware version in order to parse dump information with corresponding symbol of the version 04-15 13:05:39.196 28845 28864 W libc : Access denied finding property "vendor.aoc.firmware.version" Bug: 185473950 Test: validate by force ramdump of aoc. Change-Id: Iebf62b97897ccc2a84a174dafca90f446b771915 --- whitechapel/vendor/google/ssr_detector.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te index 48361bd8..b07bc208 100644 --- a/whitechapel/vendor/google/ssr_detector.te +++ b/whitechapel/vendor/google/ssr_detector.te @@ -11,6 +11,7 @@ allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; userdebug_or_eng(` allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; + get_prop(ssr_detector_app, vendor_aoc_prop) ') get_prop(ssr_detector_app, vendor_ssrdump_prop) From 55bd05960fbe1ede48c15a1371e9cc959cb23756 Mon Sep 17 00:00:00 2001 From: Max Shi Date: Mon, 12 Apr 2021 23:02:31 -0700 Subject: [PATCH 195/921] Add sepolicy for sensor HAL accessing AOC reset sysfs node. Bug: 184858369 Test: Verify sensor HAL process can write to the sysfs node. Change-Id: I9700323bafa413b88f25e4117499bcc936bce9c6 --- usf/sensor_hal.te | 3 +++ whitechapel/vendor/google/file.te | 1 + whitechapel/vendor/google/genfs_contexts | 1 + 3 files changed, 5 insertions(+) diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index f8213133..f10cd46a 100644 --- a/usf/sensor_hal.te +++ b/usf/sensor_hal.te 
@@ -41,6 +41,9 @@ allow hal_sensors_default sysfs_aoc:dir search; # Allow use of the USF low latency transport. usf_low_latency_transport(hal_sensors_default) +# Allow sensor HAL to reset AOC. +allow hal_sensors_default sysfs_aoc_reset:file w_file_perms; + # # Suez type enforcements. # diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index a83e7817..ea239081 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -94,6 +94,7 @@ type sysfs_touch, sysfs_type, fs_type; type sysfs_aoc_boottime, sysfs_type, fs_type; type sysfs_aoc_firmware, sysfs_type, fs_type; type sysfs_aoc, sysfs_type, fs_type; +type sysfs_aoc_reset, sysfs_type, fs_type; # Audio type persist_audio_file, file_type, vendor_persist_type; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 7d154e67..8d63ee7f 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -2,6 +2,7 @@ genfscon sysfs /devices/platform/19000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0 genfscon sysfs /devices/platform/19000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0 genfscon sysfs /devices/platform/19000000.aoc u:object_r:sysfs_aoc:s0 +genfscon sysfs /devices/platform/19000000.aoc/reset u:object_r:sysfs_aoc_reset:s0 # WiFi genfscon sysfs /wifi u:object_r:sysfs_wifi:s0 From 4585613637a85e1c4e71241673a394703af96a04 Mon Sep 17 00:00:00 2001 From: qinyiyan Date: Wed, 14 Apr 2021 20:54:12 -0700 Subject: [PATCH 196/921] Update sepolicy for the egetpu_logging service to access the sysfs. Test: make selinux_policy -j128 and pushed sepolicy modules to the device. The avc denials are gone. Bug:185448476 Change-Id: Ibff482b64a6cdbc5a7967bb8cc4281c8bd0b5b98 --- whitechapel/vendor/google/edgetpu_logging.te | 4 ++++ whitechapel/vendor/google/genfs_contexts | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) 
diff --git a/whitechapel/vendor/google/edgetpu_logging.te b/whitechapel/vendor/google/edgetpu_logging.te index 021338f4..ab67126f 100644 --- a/whitechapel/vendor/google/edgetpu_logging.te +++ b/whitechapel/vendor/google/edgetpu_logging.te @@ -4,3 +4,7 @@ init_daemon_domain(edgetpu_logging) # The logging service accesses /dev/abrolhos allow edgetpu_logging edgetpu_device:chr_file rw_file_perms; + +# Allows the logging service to access /sys/class/edgetpu +allow edgetpu_logging sysfs_edgetpu:dir search; +allow edgetpu_logging sysfs_edgetpu:file r_file_perms; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 7d154e67..ba6bd0e2 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -96,7 +96,8 @@ genfscon proc /fts_ext/driver_test genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0 # EdgeTPU -genfscon sysfs /class/edgetpu u:object_r:sysfs_edgetpu:s0 +genfscon sysfs /devices/platform/1ce00000.abrolhos u:object_r:sysfs_edgetpu:s0 +genfscon sysfs /devices/platform/abrolhos u:object_r:sysfs_edgetpu:s0 # Vendor sched files genfscon sysfs /kernel/vendor_sched/clear_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 From 0790114826252585a6469d13377b915ce75feccd Mon Sep 17 00:00:00 2001 From: Hsiaoan Hsu Date: Fri, 16 Apr 2021 13:37:04 +0800 Subject: [PATCH 197/921] Add sepolicy rules when PowerAnomalyDataDetection service enabled - Fix avc denied when Power anomaly data detection enable. Bug: 185544799 Test: Verified Pass Change-Id: I7b81e09842acb71767f60df18fd0ca4a95e0ff09 --- whitechapel/vendor/google/con_monitor.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/con_monitor.te b/whitechapel/vendor/google/con_monitor.te index f630b455..8695ccaa 100644 --- a/whitechapel/vendor/google/con_monitor.te +++ b/whitechapel/vendor/google/con_monitor.te 
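Review bot: The two replacement `genfscon` lines in genfs_contexts label the whole `/devices/platform/1ce00000.abrolhos` and `/devices/platform/abrolhos` subtrees as `sysfs_edgetpu`, where the old entry covered only `/class/edgetpu`. Every domain that already holds rules on `sysfs_edgetpu` (none are visible in this hunk) therefore gains access to all attributes under the device directory. If the logging service reads only a few attributes, labelling just those paths would keep the grant narrow. The comment added in edgetpu_logging.te still names `/sys/class/edgetpu` although the label no longer sits there; `# Allows the logging service to read the EdgeTPU device attributes in sysfs` would match the new labelling.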
@@ -5,3 +5,6 @@ app_domain(con_monitor_app) set_prop(con_monitor_app, radio_prop) allow con_monitor_app app_api_service:service_manager find; +allow con_monitor_app radio_service:service_manager find; +allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms; +allow con_monitor_app radio_vendor_data_file:file create_file_perms; From 3c692b942a4b7dfddd95bfbd0a81f08ffd9be2c6 Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Fri, 16 Apr 2021 10:49:40 +0800 Subject: [PATCH 198/921] Create vendor_logger_prop Bug: 178744858 Change-Id: I4abb6f73b068c5ed265979c3190bcc2feac76f94 --- whitechapel/vendor/google/logger_app.te | 1 + whitechapel/vendor/google/property.te | 5 ++++- whitechapel/vendor/google/property_contexts | 4 ++++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te index a7b19922..d8a940c6 100644 --- a/whitechapel/vendor/google/logger_app.te +++ b/whitechapel/vendor/google/logger_app.te @@ -5,6 +5,7 @@ userdebug_or_eng(` allow logger_app vendor_gps_file:file create_file_perms; allow logger_app vendor_gps_file:dir create_dir_perms; + set_prop(logger_app, vendor_logger_prop) set_prop(logger_app, vendor_modem_prop) set_prop(logger_app, vendor_gps_prop) set_prop(logger_app, vendor_audio_prop) diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index b661ad78..16d2acb6 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -36,6 +36,9 @@ vendor_internal_prop(vendor_battery_defender_prop) # AoC vendor_internal_prop(vendor_aoc_prop) +# Logger +vendor_internal_prop(vendor_logger_prop) + # NFC vendor_internal_prop(vendor_nfc_prop) @@ -46,4 +49,4 @@ vendor_internal_prop(vendor_wifi_version) vendor_internal_prop(vendor_touchpanel_prop) # TCP logging -vendor_internal_prop(vendor_tcpdump_log_prop) \ No newline at end of file +vendor_internal_prop(vendor_tcpdump_log_prop) 
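Review bot: The added rules in con_monitor.te give `con_monitor_app` `rw_dir_perms` and `create_file_perms` on `radio_vendor_data_file`, a type that other domains on this page (for example `ril_config_service_app`) are also allowed to write. The commit message does not quote the denials that justify that width. If the detection service only needs its own output files, a dedicated type for them would keep it from creating or modifying other radio data. Otherwise the rules should carry a comment saying what is written, e.g. `# b/185544799: <files PowerAnomalyDataDetection creates>`.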
diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index b03a6340..477b56be 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -41,6 +41,10 @@ ro.vendor.sys.modem. u:object_r:vendor_modem_prop:s0 vendor.sys.exynos.modempath u:object_r:vendor_modem_prop:s0 persist.vendor.sys.modem. u:object_r:vendor_modem_prop:s0 +# for logger app +vendor.pixellogger. u:object_r:vendor_logger_prop:s0 +persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 + # for cbd vendor.cbd. u:object_r:vendor_cbd_prop:s0 persist.vendor.cbd. u:object_r:vendor_cbd_prop:s0 From 75a9ea1ee46062943714d97c65aba3d30cf927f9 Mon Sep 17 00:00:00 2001 From: eddielan Date: Fri, 16 Apr 2021 13:16:43 +0800 Subject: [PATCH 199/921] sepolicy: fix fingerprint sepolicy 04-16 01:56:07.948 1039 1039 W fingerprint@2.1: type=1400 audit(0.0:110): avc: denied { write } for name="wakeup_enable" dev="sysfs" ino=69197 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 Bug: 185538163 Test: Build Pass Change-Id: I8f75daf22577e6a68f3b2a0250eebebd1873ea28 --- whitechapel/vendor/google/file.te | 3 +++ whitechapel/vendor/google/genfs_contexts | 3 +++ whitechapel/vendor/google/hal_fingerprint_default.te | 2 ++ 3 files changed, 8 insertions(+) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index ea239081..25d5b1da 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -58,6 +58,9 @@ type sensor_vendor_data_file, file_type, data_file_type, mlstrustedobject; type sensors_cal_file, file_type; type sysfs_nanoapp_cmd, sysfs_type, fs_type; +# Fingerprint +type sysfs_fingerprint, sysfs_type, fs_type; + # CHRE type chre_socket, file_type; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index a1755adc..fd043700 100644 --- a/whitechapel/vendor/google/genfs_contexts 
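Review bot: The two prefix entries added to property_contexts move every `vendor.pixellogger.*` and `persist.vendor.pixellogger.*` property onto `vendor_logger_prop`, but the only access granted in this commit is `set_prop(logger_app, vendor_logger_prop)`, which appears to sit inside the `userdebug_or_eng` block of logger_app.te. Any other domain that reads or sets these properties (none is visible here) would lose access with the relabel, and on user builds nothing shown can set them. The commit message has no Test: line, so please confirm the readers were checked for new denials and add a `get_prop` for each one that needs it.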
+++ b/whitechapel/vendor/google/genfs_contexts @@ -66,6 +66,9 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043 u:object genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0042 u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043 u:object_r:sysfs_vibrator:s0 +# Fingerprint +genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0 + # System_suspend genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/cpif/wakeup/wakeup u:object_r:sysfs_wakeup:s0 diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te index 4c248981..3d0f2298 100644 --- a/whitechapel/vendor/google/hal_fingerprint_default.te +++ b/whitechapel/vendor/google/hal_fingerprint_default.te @@ -4,5 +4,7 @@ allow hal_fingerprint_default sysfs_batteryinfo:file r_file_perms; allow hal_fingerprint_default sysfs_batteryinfo:dir search; allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl; allow hal_fingerprint_default dmabuf_system_heap_device:chr_file r_file_perms; +allow hal_fingerprint_default sysfs_fingerprint:dir r_dir_perms; +allow hal_fingerprint_default sysfs_fingerprint:file rw_file_perms; get_prop(hal_fingerprint_default, fingerprint_ghbm_prop) add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice) From 59a1c3f04af5cbe2c26a4df67dcd61d3e90e8668 Mon Sep 17 00:00:00 2001 
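Review bot: The rules added to hal_fingerprint_default.te grant `rw_file_perms` on every file under `/devices/platform/odm/odm:fp_fpc1020`, while the denial quoted in the commit message is a single `write` to `wakeup_enable`. Labelling only that attribute in the genfs_contexts hunk, or stating which other nodes the HAL reads and writes, would keep the grant as narrow as the evidence. If the whole directory stays labelled `sysfs_fingerprint`, a comment above the two `allow` lines such as `# b/185538163: fingerprint HAL writes wakeup_enable on the sensor node` would record why.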
From: Adam Shih Date: Mon, 19 Apr 2021 09:52:55 +0800 Subject: [PATCH 200/921] update error on ROM 7293525 Bug: 185723618 Bug: 185723492 Bug: 185723694 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I5cc12384aca5dcc2658b914e5c7783f2e1e70b5d --- tracking_denials/dumpstate.te | 2 ++ tracking_denials/hal_graphics_composer_default.te | 3 +++ tracking_denials/vendor_telephony_app.te | 4 ++++ 3 files changed, 9 insertions(+) create mode 100644 tracking_denials/dumpstate.te create mode 100644 tracking_denials/hal_graphics_composer_default.te create mode 100644 tracking_denials/vendor_telephony_app.te diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te new file mode 100644 index 00000000..ffb8518c --- /dev/null +++ b/tracking_denials/dumpstate.te @@ -0,0 +1,2 @@ +# b/185723618 +dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te new file mode 100644 index 00000000..ef727b51 --- /dev/null +++ b/tracking_denials/hal_graphics_composer_default.te @@ -0,0 +1,3 @@ +# b/185723492 +dontaudit hal_graphics_composer_default hal_dumpstate_default:fd { use }; +dontaudit hal_graphics_composer_default hal_dumpstate_default:fd { use }; diff --git a/tracking_denials/vendor_telephony_app.te b/tracking_denials/vendor_telephony_app.te new file mode 100644 index 00000000..9100149a --- /dev/null +++ b/tracking_denials/vendor_telephony_app.te @@ -0,0 +1,4 @@ +# b/185723694 +dontaudit vendor_telephony_app system_app_data_file:dir { getattr }; +dontaudit vendor_telephony_app system_app_data_file:dir { search }; +dontaudit vendor_telephony_app system_app_data_file:dir { search }; From 99988c4c5f18dbb1287d430165a31c23f9f45f60 Mon Sep 17 00:00:00 2001 
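Review bot: The new tracking_denials/hal_graphics_composer_default.te carries the line `dontaudit hal_graphics_composer_default hal_dumpstate_default:fd { use };` twice, and vendor_telephony_app.te repeats the `system_app_data_file:dir { search }` line; one copy of each is enough. Because `dontaudit` removes the denial from the audit log, each file should also say what operation triggers it, so the entry can be deleted once the bug is fixed rather than lingering. A comment after the bug number would do, e.g. `# b/185723492: <operation that triggers the denial>; remove once fixed`.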
From: Adam Shih Date: Mon, 19 Apr 2021 11:14:54 +0800 Subject: [PATCH 201/921] remove obsolete domains Bug: 168013500 Test: Check that abox and rpmbd are not in ROM anywhere in oriole, raven user, userdebug and factory ROM Change-Id: Ie091a1036ba6c25a3c7f0ef0b8f69cc9fc4e306a --- whitechapel/vendor/google/abox.te | 4 ---- whitechapel/vendor/google/file.te | 2 -- whitechapel/vendor/google/file_contexts | 3 --- whitechapel/vendor/google/rpmbd.te | 4 ---- 4 files changed, 13 deletions(-) delete mode 100644 whitechapel/vendor/google/abox.te delete mode 100644 whitechapel/vendor/google/rpmbd.te diff --git a/whitechapel/vendor/google/abox.te b/whitechapel/vendor/google/abox.te deleted file mode 100644 index eb2c3aaf..00000000 --- a/whitechapel/vendor/google/abox.te +++ /dev/null @@ -1,4 +0,0 @@ -type abox, domain; -type abox_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(abox) - diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 25d5b1da..3df2a62e 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -5,7 +5,6 @@ type vendor_media_data_file, file_type, data_file_type; # Exynos Log Files type vendor_log_file, file_type, data_file_type; -type vendor_abox_log_file, file_type, data_file_type; type vendor_cbd_log_file, file_type, data_file_type; type vendor_dmd_log_file, file_type, data_file_type; type vendor_rfsd_log_file, file_type, data_file_type; @@ -24,7 +23,6 @@ type vendor_misc_data_file, file_type, data_file_type; type vendor_rpmbmock_data_file, file_type, data_file_type; # Exynos debugfs -type vendor_abox_debugfs, fs_type, debugfs_type; type vendor_ion_debugfs, fs_type, debugfs_type, sysfs_type; type vendor_dmabuf_debugfs, fs_type, debugfs_type, sysfs_type; type vendor_mali_debugfs, fs_type, debugfs_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 9b87c1a8..58c0617e 100644 --- a/whitechapel/vendor/google/file_contexts 
+++ b/whitechapel/vendor/google/file_contexts @@ -133,9 +133,7 @@ /(vendor|system/vendor)/bin/hw/gpsd u:object_r:gpsd_exec:s0 /(vendor|system/vendor)/bin/hw/lhd u:object_r:lhd_exec:s0 /(vendor|system/vendor)/bin/hw/rild_exynos u:object_r:rild_exec:s0 -/(vendor|system/vendor)/bin/main_abox u:object_r:abox_exec:s0 /(vendor|system/vendor)/bin/rfsd u:object_r:rfsd_exec:s0 -/(vendor|system/vendor)/bin/rpmbd u:object_r:rpmbd_exec:s0 /(vendor|system/vendor)/bin/sced u:object_r:sced_exec:s0 /(vendor|system/vendor)/bin/vcd u:object_r:vcd_exec:s0 /(vendor|system/vendor)/bin/bipchmgr u:object_r:bipchmgr_exec:s0 @@ -153,7 +151,6 @@ # Exynos Log Files # /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 -/data/vendor/log/abox(/.*)? u:object_r:vendor_abox_log_file:s0 /data/vendor/log/cbd(/.*)? u:object_r:vendor_cbd_log_file:s0 /data/vendor/log/dmd(/.*)? u:object_r:vendor_dmd_log_file:s0 /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 diff --git a/whitechapel/vendor/google/rpmbd.te b/whitechapel/vendor/google/rpmbd.te deleted file mode 100644 index 4113c2d8..00000000 --- a/whitechapel/vendor/google/rpmbd.te +++ /dev/null @@ -1,4 +0,0 @@ -type rpmbd, domain; -type rpmbd_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(rpmbd) - From 8b9e2b383464bfc3c28e80861a88c6ae54774620 Mon Sep 17 00:00:00 2001 From: Hongbo Zeng Date: Mon, 19 Apr 2021 16:26:59 +0800 Subject: [PATCH 202/921] allow RilConfigService to call oemrilhook api 04-15 21:19:42.312 373 373 E SELinux : avc: denied { find } for pid=10245 uid=1001 name=telephony.oem.oemrilhook scontext=u:r:ril_config_service_app:s0 tcontext=u:object_r:radio_service:s0 tclass=service_manager permissive=0 Bug: 185747692 Test: after apply the rule, the denial log is gone Change-Id: I447c9c695f48ee3b528190ff33261ca3e9cd69df --- whitechapel/vendor/google/ril_config_service.te | 1 + 1 file changed, 1 insertion(+) 
diff --git a/whitechapel/vendor/google/ril_config_service.te b/whitechapel/vendor/google/ril_config_service.te index 125c8c33..0ac43317 100644 --- a/whitechapel/vendor/google/ril_config_service.te +++ b/whitechapel/vendor/google/ril_config_service.te @@ -3,6 +3,7 @@ app_domain(ril_config_service_app) set_prop(ril_config_service_app, vendor_rild_prop) allow ril_config_service_app app_api_service:service_manager find; +allow ril_config_service_app radio_service:service_manager find; allow ril_config_service_app radio_vendor_data_file:dir rw_dir_perms; allow ril_config_service_app radio_vendor_data_file:file create_file_perms; dontaudit ril_config_service_app system_data_file:dir search; From 1b17b0fbaa03e1bb014ddba4abc41b424a70a10f Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Fri, 16 Apr 2021 15:24:07 +0800 Subject: [PATCH 203/921] dumpstate/incident: Fix avc errors avc: denied { append } for path="/storage/emulated/0/Android/data/com.android.pixellogger/files/bugreport-oriole-MASTER-2021-04-19-14-57-22.zip" dev="dm-7" ino=35424 scontext=u:r:dumpstate:s0 tcontext=u:object_r:media_rw_data_file:s0:c28,c257,c512,c768 tclass=file avc: denied { use } for path="/storage/emulated/0/Android/data/com.android.pixellogger/files/bugreport-oriole-MASTER-2021-04-19-14-57-22.zip" dev="dm-7" ino=35424 scontext=u:r:incident:s0 tcontext=u:r:logger_app:s0:c28,c257,c512,c768 tclass=fd avc: denied { append } for path="/storage/emulated/0/Android/data/com.android.pixellogger/files/bugreport-oriole-MASTER-2021-04-19-16-30-05.zip" dev="dm-7" ino=12639 scontext=u:r:incident:s0 tcontext=u:object_r:media_rw_data_file:s0:c30,c257,c512,c768 tclass=file Bug: 178744858 Change-Id: I07eb1f4abf6cb9b399c773854ca6f47fcd5e2f37 --- whitechapel/vendor/google/dumpstate.te | 1 + whitechapel/vendor/google/incident.te | 4 ++++ 2 files changed, 5 insertions(+) create mode 100644 whitechapel/vendor/google/incident.te 
diff --git a/whitechapel/vendor/google/dumpstate.te b/whitechapel/vendor/google/dumpstate.te index d9cc1d5c..9b5c0538 100644 --- a/whitechapel/vendor/google/dumpstate.te +++ b/whitechapel/vendor/google/dumpstate.te @@ -3,6 +3,7 @@ dump_hal(hal_graphics_composer) userdebug_or_eng(` allow dumpstate vendor_dmabuf_debugfs:file r_file_perms; + allow dumpstate media_rw_data_file:file append; ') allow dumpstate sysfs_scsi_devices_0000:file r_file_perms; diff --git a/whitechapel/vendor/google/incident.te b/whitechapel/vendor/google/incident.te new file mode 100644 index 00000000..672606df --- /dev/null +++ b/whitechapel/vendor/google/incident.te @@ -0,0 +1,4 @@ +userdebug_or_eng(` + allow incident logger_app:fd use; + allow incident media_rw_data_file:file append; +') From 3e824702f292b3230f65baceb2fb10aefad2ef39 Mon Sep 17 00:00:00 2001 From: Taeju Park Date: Tue, 20 Apr 2021 00:46:17 +0000 Subject: [PATCH 204/921] Grant Fabric node access for memory min frequency setting Bug: 170510392 Signed-off-by: Taeju Park Change-Id: Ia96c8d9e890251a4f82bf8c8bb042ae6ce57182b --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 47b98d42..478063a8 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -219,6 +219,7 @@ genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_m # Fabric genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/interactive/target_load u:object_r:sysfs_fabric:s0 +genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq u:object_r:sysfs_fabric:s0 # GPU genfscon sysfs /devices/platform/1c500000.mali/scaling_min_freq u:object_r:sysfs_gpu:s0 From f5277482c1e960f6f0569cdf2160c3bccb17dc0a Mon Sep 17 00:00:00 2001 
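Review bot: The new incident.te has no comment, and its `allow incident media_rw_data_file:file append;` (like the matching line added to dumpstate.te) applies to any file of that type. The denials in the commit message all concern one bugreport zip under the pixellogger app's external files directory. Both rules sit in `userdebug_or_eng`, which limits the exposure, but the reason should be recorded next to them: `# b/178744858: logger_app passes an fd to its bugreport zip on external storage; userdebug/eng only`.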
From: Wenhao Wang Date: Mon, 19 Apr 2021 17:26:53 -0700 Subject: [PATCH 205/921] Fix selinux for RPMB daemon Secure persistent storage has been moved to persist root. The corresponding pathes on SELinux policy has to be updated. Bug: 173971240 Bug: 173032298 Test: Trusty storage tests Change-Id: I0e7756f3b4d5c6be705a87e1d7d80247df1ec4bb --- tracking_denials/tee.te | 14 -------------- whitechapel/vendor/google/file_contexts | 2 +- whitechapel/vendor/google/storageproxyd.te | 5 +++++ 3 files changed, 6 insertions(+), 15 deletions(-) delete mode 100644 tracking_denials/tee.te diff --git a/tracking_denials/tee.te b/tracking_denials/tee.te deleted file mode 100644 index 3375948f..00000000 --- a/tracking_denials/tee.te +++ /dev/null @@ -1,14 +0,0 @@ -# b/173971240 -dontaudit tee persist_file:file { open }; -dontaudit tee tee_data_file:lnk_file { read }; -dontaudit tee mnt_vendor_file:dir { search }; -dontaudit tee persist_file:dir { search }; -dontaudit tee persist_file:file { open }; -dontaudit tee persist_file:file { read write }; -dontaudit tee persist_file:dir { search }; -dontaudit tee mnt_vendor_file:dir { search }; -dontaudit tee tee_data_file:lnk_file { read }; -dontaudit tee persist_file:file { read write }; -userdebug_or_eng(` - permissive tee; -') diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 58c0617e..79aa3f3f 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -325,7 +325,7 @@ /vendor/bin/hw/android\.hardware\.confirmationui@1\.0-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 -/mnt/vendor/persist/data/ss(/.*)? u:object_r:tee_data_file:s0 +/mnt/vendor/persist/ss(/.*)? u:object_r:tee_data_file:s0 /dev/sg1 u:object_r:sg_device:s0 # Battery 
diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te index ef9d93a8..315300c2 100644 --- a/whitechapel/vendor/google/storageproxyd.te +++ b/whitechapel/vendor/google/storageproxyd.te @@ -1,4 +1,9 @@ type sg_device, dev_type; +type persist_ss_file, file_type, vendor_persist_type; +allow tee persist_ss_file:dir r_dir_perms; +allow tee persist_file:dir r_dir_perms; +allow tee mnt_vendor_file:dir r_dir_perms; +allow tee tee_data_file:lnk_file r_file_perms; allow tee sg_device:chr_file rw_file_perms; allow tee self:capability { setgid setuid }; From a2f8a45c4615d6574148ba8b2db7c8830b37ff55 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 20 Apr 2021 14:15:13 +0800 Subject: [PATCH 206/921] suppress logs created by userdebug-only features Bug: 185439604 Test: cts-tradefed run commandAndExit cts -m CtsSecurityHostTestCases Change-Id: I8d993154e8e6c3205e1e83c6b81d4d9064dc3171 --- whitechapel/vendor/google/hal_dumpstate_default.te | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 0d981cfb..c0871bb2 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -154,3 +154,12 @@ dontaudit hal_dumpstate_default vendor_battery_debugfs:file r_file_perms; dontaudit hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms; dontaudit hal_dumpstate_default vendor_votable_debugfs:file r_file_perms; + +dontaudit hal_dumpstate_default mnt_vendor_file:dir r_dir_perms; +dontaudit hal_dumpstate_default ramdump_vendor_mnt_file:dir search; +dontaudit hal_dumpstate_default ramdump_vendor_mnt_file:file r_file_perms; + +dontaudit hal_dumpstate_default sysfs_bcl:dir r_dir_perms; +dontaudit hal_dumpstate_default sysfs_bcl:file r_file_perms; + +dontaudit hal_dumpstate_default rootfs:dir r_dir_perms; 
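Review bot: storageproxyd.te declares `persist_ss_file` and grants `tee` access to it, but the file_contexts hunk in this commit still labels `/mnt/vendor/persist/ss(/.*)?` as `tee_data_file`, so nothing shown assigns the new type and `allow tee persist_ss_file:dir r_dir_perms;` looks unused. Either label the path `persist_ss_file` or drop the type. The deleted tracking file also silenced `persist_file:file { open }` and `{ read write }`, for which no allow is added; that is fine only if those files end up relabelled on the device, which is worth confirming now that `permissive tee` is gone. The silenced denials on `persist_file:dir` and `mnt_vendor_file:dir` were `search` only, so `search` would be enough in place of `r_dir_perms`.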
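Review bot: The six `dontaudit` lines added at the end of hal_dumpstate_default.te are described in the commit message as covering userdebug-only features, yet as far as this hunk shows they are not wrapped in `userdebug_or_eng`, so the same denials would be hidden on user builds too. `dontaudit hal_dumpstate_default rootfs:dir r_dir_perms;` in particular is broad, and silencing it removes a signal that would otherwise reach the audit log. A comment per group naming the feature that triggers the access, e.g. `# <feature> is userdebug-only; access is expected to fail on user builds`, would make the intent checkable. The earlier part of the file is outside the hunk, so an enclosing block cannot be ruled out.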
From 42333362962409a3c6f61379eb91dd7287580e8b Mon Sep 17 00:00:00 2001 From: Ted Wang Date: Tue, 30 Mar 2021 17:40:42 +0800 Subject: [PATCH 207/921] Grant sepolicy for Bluetooth Ccc Timesync feature Add sepolicy rules for Bluetooth Ccc Timessync Bug: 175836015 Test: make Change-Id: If2d3f953a5899cd5ea0695a57132dd69a2a29675 --- whitechapel/vendor/google/genfs_contexts | 1 + whitechapel/vendor/google/hwservice_contexts | 1 + 2 files changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 840c871d..d9984c08 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -118,6 +118,7 @@ genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill2/state genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0 genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0 genfscon proc /bluetooth/sleep/btwake u:object_r:proc_bluetooth_writable:s0 +genfscon proc /bluetooth/timesync u:object_r:proc_bluetooth_writable:s0 # ODPM genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 diff --git a/whitechapel/vendor/google/hwservice_contexts b/whitechapel/vendor/google/hwservice_contexts index dfe9cfb5..8b46fcd4 100644 --- a/whitechapel/vendor/google/hwservice_contexts +++ b/whitechapel/vendor/google/hwservice_contexts 
@@ -26,6 +26,7 @@ vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_w # Bluetooth HAL extension hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0 hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0 +hardware.google.bluetooth.ccc::IBluetoothCcc u:object_r:hal_bluetooth_coexistence_hwservice:s0 # Fingerprint vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0 From 93b498ea78b685a0ff7419899b0245a94c9cafef Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 20 Apr 2021 14:42:55 +0800 Subject: [PATCH 208/921] remove obsolete entry Bug: 182531832 Test: do bugreport with no dumpstate related error Change-Id: I3f19f82f37b11221f4816d958797336da23b14b4 --- tracking_denials/hal_dumpstate_default.te | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 tracking_denials/hal_dumpstate_default.te diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te deleted file mode 100644 index 8e364d35..00000000 --- a/tracking_denials/hal_dumpstate_default.te +++ /dev/null @@ -1,3 +0,0 @@ -# b/182531832 -dontaudit hal_dumpstate_default sysfs:dir { read }; -dontaudit hal_dumpstate_default sysfs:dir { open }; From 0e9abb4ef2df3b034e370b5b394706879e48f9ec Mon Sep 17 00:00:00 2001 From: Tai Kuo Date: Tue, 20 Apr 2021 01:36:32 +0800 Subject: [PATCH 209/921] sepolicy: add cs40l26 haptics modules Fix the following avc denial: avc: denied { module_load } for comm="insmod" path="/vendor_dlkm/lib/modules/cl_dsp.ko" dev="overlay" ino=41 scontext=u:r:init-insmod-sh:s0 tcontext=u:object_r:vendor_file:s0 tclass=system permissive=1 Bug: 184610991 Test: Full built. Check if the avc denial was gone. Signed-off-by: Tai Kuo Change-Id: Ic41ea6a6add818bfdf95e71e20df77b9e06db6c1 --- whitechapel/vendor/google/file_contexts | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 58c0617e..b08314f8 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -405,6 +405,7 @@ /vendor_dlkm/lib/modules/bigocean\.ko u:object_r:vendor_kernel_modules:s0 /vendor_dlkm/lib/modules/boot_device_spi\.ko u:object_r:vendor_kernel_modules:s0 /vendor_dlkm/lib/modules/clk_exynos\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/cl_dsp\.ko u:object_r:vendor_kernel_modules:s0 /vendor_dlkm/lib/modules/cmupmucal\.ko u:object_r:vendor_kernel_modules:s0 /vendor_dlkm/lib/modules/cpif\.ko u:object_r:vendor_kernel_modules:s0 /vendor_dlkm/lib/modules/cp_thermal_zone\.ko u:object_r:vendor_kernel_modules:s0 @@ -479,6 +480,7 @@ /vendor_dlkm/lib/modules/i2c-acpm\.ko u:object_r:vendor_kernel_modules:s0 /vendor_dlkm/lib/modules/i2c-dev\.ko u:object_r:vendor_kernel_modules:s0 /vendor_dlkm/lib/modules/i2c-exynos5\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/input-cs40l26-i2c\.ko u:object_r:vendor_kernel_modules:s0 /vendor_dlkm/lib/modules/ion_exynos_mod\.ko u:object_r:vendor_kernel_modules:s0 /vendor_dlkm/lib/modules/keycombo\.ko u:object_r:vendor_kernel_modules:s0 /vendor_dlkm/lib/modules/keydebug\.ko u:object_r:vendor_kernel_modules:s0 From f5bb17ab49b89d287bb4098569870a3cf9770a27 Mon Sep 17 00:00:00 2001 From: Yu-Chi Cheng Date: Tue, 13 Apr 2021 09:31:09 -0700 Subject: [PATCH 210/921] Allowed EdgeTPU service to generate Perfetto trace. Bug: 185238493 Test: tested on local Oriole Change-Id: I2973ccedd05d5f6dd06c3044adeb983ffb4628aa --- whitechapel/vendor/google/edgetpu_service.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/edgetpu_service.te b/whitechapel/vendor/google/edgetpu_service.te index 107b4899..9912ac3b 100644 --- a/whitechapel/vendor/google/edgetpu_service.te +++ b/whitechapel/vendor/google/edgetpu_service.te 
@@ -41,3 +41,6 @@ allow edgetpu_server proc_version:file r_file_perms; # Allow EdgeTPU service to read EdgeTPU service related system properties. get_prop(edgetpu_server, vendor_edgetpu_service_prop); + +# Allow EdgeTPU service to generate Perfetto traces. +perfetto_producer(edgetpu_server); From 90ead0f9cbe147c741545349b20235091eea72ac Mon Sep 17 00:00:00 2001 
From: Aaron Tsai Date: Fri, 16 Apr 2021 11:02:26 +0800 Subject: [PATCH 211/921] Update tracking error for Silent Logging tool 04-06 20:16:59.772 1000 5754 5754 W RenderThread: type=1400 audit(0.0:17): avc: denied { write } for name="code_cache" dev="dm-7" ino=4477 scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=dir permissive=0 [ 65.233590] type=1400 audit(1618796326.840:4): avc: denied { getattr } for comm="y.silentlogging" path="/data/user/0/com.samsung.slsi.telephony.silentlogging" dev="dm-11" ino=6338 scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=dir permissive=0 [ 65.280798] type=1400 audit(1618796326.888:6): avc: denied { search } for comm="y.silentlogging" name="com.samsung.slsi.telephony.silentlogging" dev="dm-11" ino=6338 scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=dir permissive=0 04-06 21:07:23.576 7458 7458 I auditd : type=1400 audit(0.0:64): avc: denied { create } for comm="RenderThread" name="com.android.skia.shaders_cache" scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0:c232,c259,c512,c768 tclass=file permissive=0 04-13 14:14:38.572 1000 8875 8875 I SharedPreferenc: type=1400 audit(0.0:524): avc: denied { read } for name="SHARED_PREF.xml" dev="dm-7" ino=16734 scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0:c232,c259,c512,c768 tclass=file permissive=1 04-13 14:14:38.572 1000 8875 8875 I SharedPreferenc: type=1400 audit(0.0:525): avc: denied { read } for name="com.samsung.slsi.telephony.silentlogging_preferences.xml" dev="dm-7" ino=17227 scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0:c232,c259,c512,c768 tclass=file permissive=1 04-13 14:14:38.572 1000 8875 8875 I SharedPreferenc: type=1400 audit(0.0:526): avc: 
denied { getattr } for path="/data/user/0/com.samsung.slsi.telephony.silentlogging/shared_prefs/com.samsung.slsi.telephony.silentlogging_preferences.xml" dev="dm-7" ino=17227 scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0:c232,c259,c512,c768 tclass=file permissive=1 04-13 14:14:38.572 1000 8875 8875 I SharedPreferenc: type=1400 audit(0.0:527): avc: denied { getattr } for path="/data/user/0/com.samsung.slsi.telephony.silentlogging/shared_prefs/SHARED_PREF.xml" dev="dm-7" ino=16734 scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:object_r:system_app_data_file:s0:c232,c259,c512,c768 tclass=file permissive=1 04-06 12:02:03.460 1000 9117 9117 W si.sysdebugmode: type=1400 audit(0.0:35): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=139 scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 04-06 12:02:03.465 1000 9117 9117 W libc : Access denied finding property "persist.input.velocitytracker.strategy" 04-13 15:01:12.636 1000 8718 8718 W y.silentlogging: type=1400 audit(0.0:60): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=131 scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 04-13 15:01:12.638 1000 8718 8718 W libc : Access denied finding property "ro.input.resampling" 04-13 15:01:12.724 1000 8718 8718 W y.silentlogging: type=1400 audit(0.0:61): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=131 scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 04-13 15:01:12.726 1000 8718 8718 W libc : Access denied finding property "viewroot.profile_rendering" Bug: 184921478 Test: manual Change-Id: Ia842b3dcfd8ec2ad30acc065f9caceafdc0458cd --- tracking_denials/vendor_telephony_app.te | 4 ---- 
whitechapel/vendor/google/vendor_telephony_app.te | 11 +++++++---- 2 files changed, 7 insertions(+), 8 deletions(-) delete mode 100644 tracking_denials/vendor_telephony_app.te diff --git a/tracking_denials/vendor_telephony_app.te b/tracking_denials/vendor_telephony_app.te deleted file mode 100644 index 9100149a..00000000 --- a/tracking_denials/vendor_telephony_app.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/185723694 -dontaudit vendor_telephony_app system_app_data_file:dir { getattr }; -dontaudit vendor_telephony_app system_app_data_file:dir { search }; -dontaudit vendor_telephony_app system_app_data_file:dir { search }; diff --git a/whitechapel/vendor/google/vendor_telephony_app.te b/whitechapel/vendor/google/vendor_telephony_app.te index 5b4c4604..7d515a8a 100644 --- a/whitechapel/vendor/google/vendor_telephony_app.te +++ b/whitechapel/vendor/google/vendor_telephony_app.te @@ -6,10 +6,6 @@ set_prop(vendor_telephony_app, vendor_persist_sys_default_prop) set_prop(vendor_telephony_app, vendor_modem_prop) set_prop(vendor_telephony_app, vendor_slog_prop) -# [TODO] Need to check further about the system data permission -# allow vendor_telephony_app system_app_data_file:dir create_dir_perms; -# allow vendor_telephony_app system_app_data_file:file create_file_perms; - allow vendor_telephony_app vendor_slog_file:dir create_dir_perms; allow vendor_telephony_app vendor_slog_file:file create_file_perms; @@ -17,3 +13,10 @@ allow vendor_telephony_app app_api_service:service_manager find; allow vendor_telephony_app hal_vendor_oem_hwservice:hwservice_manager find; binder_call(vendor_telephony_app, dmd) binder_call(vendor_telephony_app, sced) + +userdebug_or_eng(` +# Silent Logging +dontaudit vendor_telephony_app system_app_data_file:dir create_dir_perms; +dontaudit vendor_telephony_app system_app_data_file:file create_file_perms; +dontaudit vendor_telephony_app default_prop:file { getattr open read map }; +') From 97b2c469fa1bdad5dfa5d52988008f0b96676d6b Mon Sep 17 00:00:00 2001 
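Review bot: The two `dontaudit` rules on `system_app_data_file` added in the `userdebug_or_eng` block of vendor_telephony_app.te use `create_dir_perms` and `create_file_perms`, which silence far more than the denials quoted in the commit message (dir `write`/`getattr`/`search`, file `create`/`read`/`getattr`). Any other unexpected access by this domain to system app data would then leave no audit record on debug builds, which is where such regressions are normally caught. I would limit the suppression to what was observed, `dontaudit vendor_telephony_app system_app_data_file:dir { getattr search write };` and `dontaudit vendor_telephony_app system_app_data_file:file { create getattr read };`. A comment should also say that Silent Logging is expected to work without these accesses, since the removed TODO was the only note on that open question.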
From: eddielan Date: Fri, 16 Apr 2021 23:31:45 +0800 Subject: [PATCH 212/921] fingerprint: fps hal can connect Stats service 04-16 23:23:42.746 402 402 E SELinux : avc: denied { find } for pid=4314 uid=1000 name=android.frameworks.stats.IStats/default scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:fwk_stats_service:s0 tclass=service_manager permissive=0 Bug: 183486186 Test: Build Pass Change-Id: Ie685db6ffd27bb2ad7936f55b70c3e2e5189b0ed --- whitechapel/vendor/google/hal_fingerprint_default.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te index 3d0f2298..a9bfbfc9 100644 --- a/whitechapel/vendor/google/hal_fingerprint_default.te +++ b/whitechapel/vendor/google/hal_fingerprint_default.te @@ -6,5 +6,6 @@ allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl; allow hal_fingerprint_default dmabuf_system_heap_device:chr_file r_file_perms; allow hal_fingerprint_default sysfs_fingerprint:dir r_dir_perms; allow hal_fingerprint_default sysfs_fingerprint:file rw_file_perms; +allow hal_fingerprint_default fwk_stats_service:service_manager find; get_prop(hal_fingerprint_default, fingerprint_ghbm_prop) add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice) From 5293925c65a0b845921ccded68058e7212f898d3 Mon Sep 17 00:00:00 2001 From: Benjamin Schwartz Date: Wed, 21 Apr 2021 11:30:55 -0700 Subject: [PATCH 213/921] Allow access to NFC power stats Bug: 184722506 Test: dumpsys android.hardware.power.stats.IPowerStats/default Change-Id: Ie4b5a6823aacf5e5a84760b1d4872fbb4cc2826d --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index b3acd6cd..a403bfee 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -239,6 +239,7 @@ genfscon sysfs /module/bcmdhd4389 # Power Stats genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/3-0008/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/4-0008/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0 From 89e016d436f2d28017f9cbe1d6045e1a58275605 Mon Sep 17 00:00:00 2001 From: sukiliu Date: Thu, 22 Apr 2021 11:19:49 +0800 Subject: [PATCH 214/921] Update avc error on ROM 7302474 avc: denied { call } for scontext=u:r:servicemanager:s0 tcontext=u:r:hal_camera_default:s0 tclass=binder permissive=0 Bug: 186067463 Test: PTS SELinuxTest Change-Id: I2792875a195fa3ca75d6fa57537f81e7dbeb5bac --- tracking_denials/servicemanager.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te index 0900dcdf..b8955575 100644 --- a/tracking_denials/servicemanager.te +++ b/tracking_denials/servicemanager.te @@ -1,3 +1,5 @@ # b/182086688 dontaudit servicemanager hal_sensors_default:binder { call }; dontaudit servicemanager hal_sensors_default:binder { call }; +# b/186067463 +dontaudit servicemanager hal_camera_default:binder call; From d17f3bad0f9007a6ebb9fc514e2225c77f7f389c Mon Sep 17 00:00:00 2001 From: Michael Ayoubi Date: Thu, 22 Apr 2021 05:38:21 +0000 Subject: [PATCH 215/921] gs101: Remove kernel.te after UWB fixes tracking_denials/kernel.te is no longer needed after fixes from b/182954062. Bug: 171943668 Test: Add dw3000 module back into build Compile and test image on Raven Confirm no avc denial logs are seen and that the dw3000 driver loads successfully. 
Signed-off-by: Michael Ayoubi Change-Id: I9a8510ed3852c053319a3395871728048a57ecb5 --- tracking_denials/kernel.te | 6 ------ 1 file changed, 6 deletions(-) delete mode 100644 tracking_denials/kernel.te diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te deleted file mode 100644 index aab20563..00000000 --- a/tracking_denials/kernel.te +++ /dev/null @@ -1,6 +0,0 @@ -# b/182954062 -dontaudit kernel kernel:perf_event { cpu }; -dontaudit kernel kernel:perf_event { cpu }; -userdebug_or_eng(` - permissive kernel; -') From 09e529d78c41832792baf930d7c1451e2cf59594 Mon Sep 17 00:00:00 2001 From: eddielan Date: Thu, 22 Apr 2021 22:01:32 +0800 Subject: [PATCH 216/921] Add sepolicy for fpc AIDL HAL Bug: 185464439 Test: Build Pass Change-Id: I7ac26b2bf50fdfc1d32fb88efc2bee07f0525b0c --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 81135ec4..c97bc614 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -619,6 +619,7 @@ /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:hal_fingerprint_default_exec:s0 +/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.fpc u:object_r:hal_fingerprint_default_exec:s0 # ECC List /vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0 From 4605f4b82c5ee79494c7b7ec5dfc917d1f576623 Mon Sep 17 00:00:00 2001 
From: Victor Liu Date: Thu, 22 Apr 2021 08:30:47 -0700 Subject: [PATCH 217/921] uwb: allow uwb service to access nfc service 04-22 00:47:16.771 9777 9777 V UwbService: Service: Getting Nfc adapter 04-22 00:47:16.771 412 412 E SELinux : avc: denied { find } for pid=9777 uid=1000 name=nfc scontext=u:r:uwb_vendor_app: s0:c232,c259,c512,c768 tcontext=u:object_r:nfc_service:s0 tclass=service_manager permissive=1 Bug: 185389669 Test: on device, no avc: denied message Change-Id: Ib31385d88a68878eaca5e53b4ddeddc5a6e7c87d --- whitechapel/vendor/google/uwb_vendor_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/whitechapel/vendor/google/uwb_vendor_app.te index ef771dd5..e9f5a7cc 100644 --- a/whitechapel/vendor/google/uwb_vendor_app.te +++ b/whitechapel/vendor/google/uwb_vendor_app.te @@ -6,5 +6,6 @@ add_service(uwb_vendor_app, uwb_vendor_service) allow uwb_vendor_app app_api_service:service_manager find; allow uwb_vendor_app hal_uwb_service:service_manager find; +allow uwb_vendor_app nfc_service:service_manager find; allow uwb_vendor_app uwb_vendor_data_file:dir { getattr search }; From de973d797a5e5cf69e725e01f00e88d8fa1bbbb5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Thu, 22 Apr 2021 13:43:25 -0700 Subject: [PATCH 218/921] Mark GS101 camera HAL as using Binder. The service implements a public API, so it will communicate over Binder in both the framework domain and the vendor domain. Bug: 186067463 Test: boot on oriole & check logs Change-Id: If5bee474f79b7d14f65351580544c0dcb701d604 --- tracking_denials/hal_camera_default.te | 2 -- tracking_denials/servicemanager.te | 2 -- whitechapel/vendor/google/hal_camera_default.te | 3 ++- 3 files changed, 2 insertions(+), 5 deletions(-) diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te index 6390cc13..6ab5a51c 100644 --- a/tracking_denials/hal_camera_default.te +++ b/tracking_denials/hal_camera_default.te 
@@ -3,5 +3,3 @@ dontaudit hal_camera_default system_data_file:dir { search }; # b/180567725 dontaudit hal_camera_default traced:unix_stream_socket { connectto }; dontaudit hal_camera_default traced_producer_socket:sock_file { write }; -# b/184091381 -dontaudit hal_camera_default hal_radioext_hwservice:hwservice_manager { find }; diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te index b8955575..0900dcdf 100644 --- a/tracking_denials/servicemanager.te +++ b/tracking_denials/servicemanager.te @@ -1,5 +1,3 @@ # b/182086688 dontaudit servicemanager hal_sensors_default:binder { call }; dontaudit servicemanager hal_sensors_default:binder { call }; -# b/186067463 -dontaudit servicemanager hal_camera_default:binder call; diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index aca56403..b1c76b56 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te @@ -2,6 +2,7 @@ type hal_camera_default_tmpfs, file_type; allow hal_camera_default self:global_capability_class_set sys_nice; +binder_use(hal_camera_default); vndbinder_use(hal_camera_default); allow hal_camera_default lwis_device:chr_file rw_file_perms; @@ -73,5 +74,5 @@ binder_call(hal_camera_default, mediacodec); allow hal_camera_default hal_radioext_hwservice:hwservice_manager find; binder_call(hal_camera_default, hal_radioext_default); -# Allow camera HAL to connect stats service. +# Allow camera HAL to connect to the stats service. allow hal_camera_default fwk_stats_service:service_manager find; From 22f18adb268c1d16d0f50a00cd8075886800ad4e Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Mon, 26 Apr 2021 08:41:02 +0800 Subject: [PATCH 219/921] move vendor_executes_system_violators to userdebug Bug: 186189967 Test: com.google.android.security.gts.SELinuxHostTest#testNoExemptionsForVendorExecutingCore Change-Id: I277cec72377b647c9af40e32b5582e30e9e3730e --- whitechapel/vendor/google/sced.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/sced.te b/whitechapel/vendor/google/sced.te index 827ac057..43292621 100644 --- a/whitechapel/vendor/google/sced.te +++ b/whitechapel/vendor/google/sced.te @@ -2,9 +2,9 @@ type sced, domain; type sced_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(sced) +userdebug_or_eng(` typeattribute sced vendor_executes_system_violators; -userdebug_or_eng(` hwbinder_use(sced) binder_call(sced, dmd) binder_call(sced, vendor_telephony_app) From e03291c6af3d001a3065288702ab90affc315ef8 Mon Sep 17 00:00:00 2001 From: David Massoud Date: Thu, 15 Apr 2021 11:09:45 +0800 Subject: [PATCH 220/921] Add gs101 specific sysfs_devfreq_cur entries Device specific implementation for go/oag/1676945 Bug: 181850306 Test: See go/oag/1676945 Change-Id: I8a973f400c89ada880edb5566ec31fc6ee7b97c1 --- whitechapel/vendor/google/genfs_contexts | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index a403bfee..410b6138 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
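Review bot: The `typeattribute sced vendor_executes_system_violators;` line in sced.te is a neverallow exemption, and after this move it still has no comment saying why sced needs it or where its removal is tracked. A line above it such as `# Exempt from the vendor-executes-system neverallow on debug builds only (b/186189967)` would let the next reader see that the exemption is deliberate and scoped. The `userdebug_or_eng` block closes outside this hunk, so confirm that no rule left outside the block depends on the attribute on user builds.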
@@ -223,6 +223,19 @@ genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/time_in_state u:object_r:sysfs_cpu:s0 genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/time_in_state u:object_r:sysfs_cpu:s0 +# Devfreq directory +genfscon sysfs /class/devfreq u:object_r:sysfs_devfreq_dir:s0 + +# Devfreq current frequency +genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/cur_freq u:object_r:sysfs_devfreq_cur:s0 + # Fabric genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/interactive/target_load u:object_r:sysfs_fabric:s0 genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq u:object_r:sysfs_fabric:s0 From b3dfc87e03fb54a8a6cb7a03f61cb495cc5e51ad Mon Sep 17 00:00:00 2001 
From: Nicole Lee Date: Mon, 26 Apr 2021 11:48:28 +0800 Subject: [PATCH 221/921] logger_app: Grant access to control usb debug port avc: denied { read } for comm="oid.pixellogger" name="u:object_r:vendor_usb_config_prop:s0" dev="tmpfs" ino=325 scontext=u:r:logger_app:s0:c22,c257,c512,c768 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=file permissive=1 app=com.android.pixellogger avc: denied { open } for comm="oid.pixellogger" path="/dev/__properties__/u:object_r:vendor_usb_config_prop:s0" dev="tmpfs" ino=325 scontext=u:r:logger_app:s0:c22,c257,c512,c768 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=file permissive=1 app=com.android.pixellogger avc: denied { set } for property=vendor.usb.config pid=8892 uid=10278 gid=10278 scontext=u:r:logger_app:s0:c22,c257,c512,c768 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=property_service permissive=1 Bug: 186365435 Change-Id: Ie7aef49eee1dd66a6ca6ca9a1a4f8d31cc793551 --- whitechapel/vendor/google/logger_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te index d8a940c6..8c0c5834 100644 --- a/whitechapel/vendor/google/logger_app.te +++ b/whitechapel/vendor/google/logger_app.te @@ -15,4 +15,5 @@ userdebug_or_eng(` set_prop(logger_app, vendor_rild_prop) set_prop(logger_app, logpersistd_logging_prop) set_prop(logger_app, logd_prop) + set_prop(logger_app, vendor_usb_config_prop) ') From 72ca81757ab3b7ae2bc07907436f2be791490872 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 27 Apr 2021 15:30:55 +0800 Subject: [PATCH 222/921] update wakeup node Bug: 186492032 Test: pts-tradefed run pts -m PtsSELinuxTest -t com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot Change-Id: I9bac40334001d4073dae1846a2cd0310d59ebfe7 --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) 
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 410b6138..05a826c3 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -197,6 +197,7 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-rtc/ genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/4-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 # OTA genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 From 920b0e11a92874300375044da8b0fa4518e93287 Mon Sep 17 00:00:00 2001 From: chenpaul Date: Sat, 24 Apr 2021 13:24:57 +0800 Subject: [PATCH 223/921] Add sepolicy for wlan logger and sniffer logger Bug: 186069127 Test: Sniffer logger can be start by Pixel Logger app wlan logger is workable. Change-Id: I1e7a75a08de37668316b06e066c080e837d7896b --- gs101-sepolicy.mk | 6 ++++++ whitechapel/vendor/google/logger_app.te | 1 + whitechapel/vendor/google/wifi_sniffer.te | 5 +++++ 3 files changed, 12 insertions(+) create mode 100644 whitechapel/vendor/google/wifi_sniffer.te diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk index 6f46edc7..ffe102f8 100644 --- a/gs101-sepolicy.mk +++ b/gs101-sepolicy.mk @@ -31,3 +31,9 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats # sscoredump BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/sscoredump + +# Sniffer Logger +BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_sniffer + +# Wifi Logger +BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_logger diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te index 8c0c5834..0926df35 100644 
--- a/whitechapel/vendor/google/logger_app.te +++ b/whitechapel/vendor/google/logger_app.te @@ -16,4 +16,5 @@ userdebug_or_eng(` set_prop(logger_app, logpersistd_logging_prop) set_prop(logger_app, logd_prop) set_prop(logger_app, vendor_usb_config_prop) + set_prop(logger_app, vendor_wifi_sniffer_prop) ') diff --git a/whitechapel/vendor/google/wifi_sniffer.te b/whitechapel/vendor/google/wifi_sniffer.te new file mode 100644 index 00000000..b576f158 --- /dev/null +++ b/whitechapel/vendor/google/wifi_sniffer.te @@ -0,0 +1,5 @@ +userdebug_or_eng(` + allow wifi_sniffer sysfs_wifi:dir search; + allow wifi_sniffer sysfs_wifi:file w_file_perms; + allow wifi_sniffer self:capability sys_module; +') From 3fefc8a57b30f0261cff2e147316837300831e4d Mon Sep 17 00:00:00 2001 From: chiayupei Date: Wed, 28 Apr 2021 03:48:01 +0800 Subject: [PATCH 224/921] Add sepolicy for sensor HAL accessing AOC sysfs node. Bug: 177943509 Test: make selinux_policy -j128 and push to device. No hal_sensors_default related avc deined log while suez polling. Signed-off-by: chiayupei Change-Id: Ie32eaccf551fcb9f2d7bc763c801891f637ccc1a --- usf/sensor_hal.te | 1 + 1 file changed, 1 insertion(+) diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index f10cd46a..22561fb2 100644 --- a/usf/sensor_hal.te +++ b/usf/sensor_hal.te @@ -37,6 +37,7 @@ binder_call(hal_sensors_default, system_server); # Allow access to the sysfs_aoc. allow hal_sensors_default sysfs_aoc:dir search; +allow hal_sensors_default sysfs_aoc:file r_file_perms; # Allow use of the USF low latency transport. usf_low_latency_transport(hal_sensors_default) From 09d5fc647de0cc0163398e797efbd8e903e09eed Mon Sep 17 00:00:00 2001 From: Jia-yi Chen Date: Tue, 27 Apr 2021 16:16:02 -0700 Subject: [PATCH 225/921] Grant powerhal access to sysfs_devfreq_dir Bug: 186576303 Test: Boot & check logcat Change-Id: Ia07991c3a8a7dfd8388a228fbdec1f28d2f5b4c3 --- whitechapel/vendor/google/hal_power_default.te | 1 + 1 file changed, 1 insertion(+) 
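Review bot: `allow wifi_sniffer self:capability sys_module;` in the new wifi_sniffer.te gives the domain the capability to load and unload kernel modules, and neither the file nor the commit message says which operation needs it. The other two rules only cover searching and writing `sysfs_wifi`, so if the sniffer is driven through those nodes the capability may not be needed at all. Either drop the rule and re-test, or keep it with a comment naming the module operation and the denial that motivated it. It is correctly limited to `userdebug_or_eng` and should stay there.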
diff --git a/whitechapel/vendor/google/hal_power_default.te b/whitechapel/vendor/google/hal_power_default.te index 20c1ec35..e1a32b85 100644 --- a/whitechapel/vendor/google/hal_power_default.te +++ b/whitechapel/vendor/google/hal_power_default.te @@ -4,6 +4,7 @@ allow hal_power_default sysfs_fs_f2fs:file rw_file_perms; allow hal_power_default sysfs_vendor_sched:file rw_file_perms; allow hal_power_default cpuctl_device:file rw_file_perms; allow hal_power_default sysfs_gpu:file rw_file_perms; +allow hal_power_default sysfs_devfreq_dir:dir r_dir_perms; allow hal_power_default sysfs_fabric:file rw_file_perms; set_prop(hal_power_default, vendor_camera_prop) set_prop(hal_power_default, vendor_camera_debug_prop) From 66634d4d200b69235fcb14900c661a1b0694c6d8 Mon Sep 17 00:00:00 2001 From: Roger Fang Date: Wed, 21 Apr 2021 05:36:42 +0000 Subject: [PATCH 226/921] sepolicy: gs101: allows pixelstat to access audio metrics nodes audio.service: type=1400 audit(0.0:30): avc: denied { read write } for name="amcs" dev="tmpfs" ino=739 scontext=u:r:hal_audio_default:s0 tcontext=u:object_r:amcs_device:s0 tclass=chr_file permissive=0 pixelstats-vend: type=1400 audit(0.0:9): avc: denied { read } for name="speaker_impedance" dev="sysfs" ino=67611 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 HwBinder:696_2: type=1400 audit(0.0:8): avc: denied { open } for path="/dev/amcs" dev="tmpfs" ino=766 scontext=u:r:hal_audio_default:s0 tcontext=u:object_r:amcs_device:s0 tclass=chr_file permissive=0 Bug: 171854614 Test: manually test, no avc: denied. Change-Id: I82ebd22f167200ab3cf59e6525ef43c0be8f722a --- whitechapel/vendor/google/device.te | 4 ++++ whitechapel/vendor/google/file.te | 3 +++ whitechapel/vendor/google/file_contexts | 1 + whitechapel/vendor/google/genfs_contexts | 9 +++++++++ whitechapel/vendor/google/hal_audio_default.te | 4 ++++ whitechapel/vendor/google/pixelstats_vendor.te | 1 + 6 files changed, 22 insertions(+) 
diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index f9d422fc..5c6a2d88 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -56,3 +56,7 @@ type aoc_device, dev_type; # Fingerprint device type fingerprint_device, dev_type; + +# AMCS device +type amcs_device, dev_type; + diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 3df2a62e..a2b0a4fd 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -197,3 +197,6 @@ type sysfs_lhbm, sysfs_type, fs_type, mlstrustedobject; # UWB vendor type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; + +# PixelStats_vendor +type sysfs_pixelstats, fs_type, sysfs_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 81135ec4..19637146 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -315,6 +315,7 @@ /dev/acd-debug u:object_r:aoc_device:s0 /dev/acd-audio_tap[0-9]* u:object_r:aoc_device:s0 /dev/acd-audio_dcdoff_ref u:object_r:aoc_device:s0 +/dev/amcs u:object_r:amcs_device:s0 # Trusty /vendor/bin/securedpud.slider u:object_r:securedpud_slider_exec:s0 diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 05a826c3..33e2492a 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -285,3 +285,12 @@ genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count # mediacodec genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_video:s0 + +# pixelstat_vendor +genfscon sysfs /devices/platform/audiometrics/codec_state u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/audiometrics/hs_codec_state u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/audiometrics/speaker_impedance u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/audiometrics/speaker_excursion u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/audiometrics/speaker_heartbeat u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/audiometrics/speaker_temp u:object_r:sysfs_pixelstats:s0 + diff --git a/whitechapel/vendor/google/hal_audio_default.te b/whitechapel/vendor/google/hal_audio_default.te index 16d49f96..87d1d15a 100644 --- a/whitechapel/vendor/google/hal_audio_default.te +++ b/whitechapel/vendor/google/hal_audio_default.te @@ -14,6 +14,10 @@ allow hal_audio_default aoc_device:chr_file rw_file_perms; allow hal_audio_default hal_audio_ext_hwservice:hwservice_manager { find add }; +allow hal_audio_default amcs_device:file rw_file_perms; +allow hal_audio_default amcs_device:chr_file rw_file_perms; +allow hal_audio_default sysfs_pixelstats:file rw_file_perms; + #allow access to DMABUF Heaps for AAudio API allow hal_audio_default dmabuf_heap_device:chr_file r_file_perms; diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te index d207699a..ba063193 100644 --- a/whitechapel/vendor/google/pixelstats_vendor.te +++ b/whitechapel/vendor/google/pixelstats_vendor.te @@ -14,3 +14,4 @@ binder_use(pixelstats_vendor); allow pixelstats_vendor fwk_stats_service:service_manager find; allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms; +allow pixelstats_vendor sysfs_pixelstats:file r_file_perms; 
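Review bot: In the hal_audio_default.te hunk, `allow hal_audio_default amcs_device:file rw_file_perms;` has no supporting denial. Both `/dev/amcs` denials in the commit message are `tclass=chr_file`, and `amcs_device` is declared as a `dev_type`, so the `chr_file` rule on the next line looks sufficient. `allow hal_audio_default sysfs_pixelstats:file rw_file_perms;` is not backed by the quoted logs either, which only show `pixelstats_vendor` reading `speaker_impedance`. I would drop the `:file` rule, and for the sysfs rule either remove it or add a comment naming the audiometrics node the audio HAL writes, so the write grant is justified rather than assumed.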
From 2d2adb3e5682e145e86395cc23a674dcfc8e127b Mon Sep 17 00:00:00 2001 From: Chris Fries Date: Wed, 28 Apr 2021 14:40:02 -0500 Subject: [PATCH 227/921] Fix android.hardware.drm@1.4-service.clearkey label Bug: 186617617 Change-Id: Icad8008686ef57d4b6c3fca27af41e2b2991f74f --- whitechapel/vendor/google/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 19637146..aeb6e747 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -2,7 +2,7 @@ # Exynos HAL # /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.4-service\.widevine u:object_r:hal_drm_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.3-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service32 u:object_r:hal_usb_default_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.ExynosHWCServiceTW@1\.0-service u:object_r:hal_vendor_hwcservice_default_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0 From 3f91d6417ab1b25f6e95540a089144f7a9021d2e Mon Sep 17 00:00:00 2001 
From: Chia-Ching Yu Date: Mon, 26 Apr 2021 04:22:34 +0800 Subject: [PATCH 228/921] Add sepolicy for sensor HAL to read lhbm 04-23 08:54:18.000 742 742 I /vendor/bin/hw/android.hardware.sensors@2.0-service.multihal: type=1400 audit(0.0:23): avc: denied { read } for comm=504F5349582074696D6572203430 name="local_hbm_mode" dev="sysfs" ino=70515 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_lhbm:s0 tclass=file permissive=1 Bug: 181617640 Test: Forrest build with this patch(ab/P22167685). No local_hbm_mode related avc deined log. Change-Id: Ibac3317cbca8652885310b1f5af8f4ea4d44a5c4 --- usf/sensor_hal.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index f10cd46a..ce088a9c 100644 --- a/usf/sensor_hal.te +++ b/usf/sensor_hal.te @@ -54,3 +54,6 @@ allow hal_sensors_default fwk_stats_service:service_manager find; # Allow access to CHRE socket to connect to nanoapps. unix_socket_connect(hal_sensors_default, chre, chre) + +# Allow sensor HAL to read lhbm. +allow hal_sensors_default sysfs_lhbm:file r_file_perms; From b6f2b0bad96ac65ffa8c4bb4c4ff0e60e6d8ef46 Mon Sep 17 00:00:00 2001 From: Taesoon Park Date: Tue, 27 Apr 2021 17:57:07 +0900 Subject: [PATCH 229/921] Remove platform certification from imsservice The platform certification is removed form com.shannon.imsservice. So, remove seinfo from com.shannon.imsservice item. Bug: 186135657 Test: VoLTE and VoWiFi Signed-off-by: Taesoon Park Change-Id: Ie493abfd7a146766ad819bb7a5240d9f1e2f1d0e --- whitechapel/vendor/google/seapp_contexts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index 94bf35f7..e966e3d6 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts 
@@ -7,8 +7,8 @@ user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_tel user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode domain=vendor_telephony_app levelFrom=all # Samsung S.LSI IMS -user=_app seinfo=platform isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all -user=_app seinfo=platform isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_app levelFrom=all +user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all +user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_app levelFrom=all user=system seinfo=platform name=com.shannon.dataservice domain=vendor_ims_app user=system seinfo=platform name=com.shannon.networkservice domain=vendor_ims_app user=system seinfo=platform name=com.shannon.qualifiednetworksservice domain=vendor_ims_app From 836f25d64b62e6e00ef5e7788ecffe977d56c696 Mon Sep 17 00:00:00 2001 From: Anthony Stange Date: Thu, 29 Apr 2021 16:59:36 +0000 Subject: [PATCH 230/921] Update gs101 sepolicy for contexthub HAL Bug: 168941570 Test: Load nanoapp via HAL Change-Id: If133a3290e4fc02677523d737980ee5944885c36 --- whitechapel/vendor/google/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index aeb6e747..658f0754 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -249,7 +249,7 @@ /dev/aoc u:object_r:aoc_device:s0 # Contexthub -/vendor/bin/hw/android\.hardware\.contexthub@1\.2-service\.small_fragments u:object_r:hal_contexthub_default_exec:s0 +/vendor/bin/hw/android\.hardware\.contexthub@1\.2-service\.generic u:object_r:hal_contexthub_default_exec:s0 /(vendor|system/vendor)/bin/chre u:object_r:chre_exec:s0 /dev/socket/chre u:object_r:chre_socket:s0 From bb7ae85a0d5c3a1f77dfc6539b3c4b450d92de2d Mon Sep 17 00:00:00 2001 
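Review bot: With `seinfo=platform` dropped from both `com.shannon.imsservice` entries in whitechapel/vendor/google/seapp_contexts, the `vendor_ims_app` domain is selected by package name and `isPrivApp=true` alone, so the signing certificate is no longer part of the match. If the app moved to a different certificate rather than to no fixed one, a dedicated tag defined in mac_permissions.xml would keep that binding, e.g. `user=_app seinfo=<ims-cert-tag> isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all` (the tag name is a placeholder). The `user=system seinfo=platform` entries just below still map into the same domain, so a one-line comment above the two `_app` entries saying why they carry no `seinfo` would help the next reader.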
From: Lida Wang Date: Thu, 29 Apr 2021 13:18:01 -0700 Subject: [PATCH 231/921] change persist.camera to persit.vendor.camera Bug: 186670529 Change-Id: I3a6d4202ec2b90cc0ce9cc9ba62d2cf2ce3a5c29 --- whitechapel/vendor/google/property_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 477b56be..cc8fa27c 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -82,7 +82,7 @@ vendor.audiodump.output.dir u:object_r:vendor_audio_prop:s0 ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0 # for camera -persist.camera. u:object_r:vendor_camera_prop:s0 +persist.vendor.camera. u:object_r:vendor_camera_prop:s0 vendor.camera. u:object_r:vendor_camera_prop:s0 vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s0 vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0 From 963848fdaaf83d34268124ec5a8848df12e5256b Mon Sep 17 00:00:00 2001 From: Oleg Matcovschi Date: Thu, 29 Apr 2021 14:34:55 -0700 Subject: [PATCH 232/921] sepolicy:gs101: allow init-insmod-sh to access sysfs_leds nodes Bug: 186788772 Signed-off-by: Oleg Matcovschi Change-Id: I9cc44571eb5c8f52d6307bff9cb77f08712c5404 --- whitechapel/vendor/google/init-insmod-sh.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/init-insmod-sh.te b/whitechapel/vendor/google/init-insmod-sh.te index c4d29945..9b2da73d 100644 --- a/whitechapel/vendor/google/init-insmod-sh.te +++ b/whitechapel/vendor/google/init-insmod-sh.te @@ -3,6 +3,7 @@ type init-insmod-sh_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(init-insmod-sh) allow init-insmod-sh self:capability sys_module; +allow init-insmod-sh sysfs_leds:dir r_dir_perms; allow init-insmod-sh vendor_kernel_modules:system module_load; allow init-insmod-sh vendor_toolbox_exec:file execute_no_trans; 
From 1711a2d5c7b85e4c33f63398210e71b4f564c781 Mon Sep 17 00:00:00 2001 From: Hridya Valsaraju Date: Fri, 30 Apr 2021 14:36:27 -0700 Subject: [PATCH 233/921] Provide fastbootd permissions to invoke the set_active command These permissions fix the following denials: [ 66.641731][ T59] audit: type=1400 audit(1619815760.952:17): avc: denied { open } for pid=360 comm="fastbootd" path="/dev/block/sdd1" dev="tmpfs" ino=416 scontext=u:r:fastbootd:s0 tcontext=u:object_r:devinfo_block_device:s0 tclass=blk_file permissive=1 [ 66.664509][ T59] audit: type=1400 audit(1619815760.952:18): avc: denied { write } for pid=360 comm="fastbootd" name="sdd1" dev="tmpfs" ino=416 scontext=u:r:fastbootd:s0 tcontext=u:object_r:devinfo_block_device:s0 tclass=blk_file permissive=1 [ 66.686431][ T59] audit: type=1400 audit(1619815760.952:19): avc: denied { read write } for pid=360 comm="fastbootd" name="boot_lun_enabled" dev="sysfs" ino=57569 scontext=u:r:fastbootd:s0 tcontext=u:object_r:sysfs_ota:s0 tclass=file permissive=1 [ 66.708623][ T59] audit: type=1400 audit(1619815760.952:20): avc: denied { open } for pid=360 comm="fastbootd" path="/sys/devices/platform/14700000.ufs/pixel/boot_lun_enabled" dev="sysfs" ino=57569 scontext=u:r:fastbootd:s0 tcontext=u:object_r:sysfs_ota:s0 tclass=file permissive=1 [ 56.680861][ T59] audit: type=1400 audit(1619806507.020:10): avc: denied { read write } for pid=357 comm="fastbootd" name="sda" dev="tmpfs" ino=476 scontext=u:r:fastbootd:s0 tcontext=u:object_r:sda_block_device:s0 tclass=blk_file permissive=0 Test: fastboot set_active Bug: 185955438 Change-Id: I9339b2a5f2a00c9e1768f479fdeac2e1f27f04bc --- whitechapel/vendor/google/fastbootd.te | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 whitechapel/vendor/google/fastbootd.te diff --git a/whitechapel/vendor/google/fastbootd.te b/whitechapel/vendor/google/fastbootd.te new file mode 100644 index 00000000..c1c4de7b --- /dev/null +++ b/whitechapel/vendor/google/fastbootd.te 
@@ -0,0 +1,6 @@ +# Required by the bootcontrol HAL for the 'set_active' command. +recovery_only(` +allow fastbootd devinfo_block_device:blk_file rw_file_perms; +allow fastbootd sda_block_device:blk_file rw_file_perms; +allow fastbootd sysfs_ota:file rw_file_perms; +') From 58238158ab6433a3e403fd055061cc6f8daff570 Mon Sep 17 00:00:00 2001 From: sukiliu Date: Mon, 3 May 2021 15:24:34 +0800 Subject: [PATCH 234/921] Update avc error on ROM 7330059 Bug: 187014717 Bug: 187015705 Bug: 187015816 Test: PtsSELinuxTestCases Change-Id: I2d79fee24d18865090cd350485daea4e66bb5184 --- tracking_denials/dumpstate.te | 2 ++ tracking_denials/hal_fingerprint_default.te | 2 ++ tracking_denials/incidentd.te | 2 ++ 3 files changed, 6 insertions(+) create mode 100644 tracking_denials/incidentd.te diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index ffb8518c..05b010e0 100644 --- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te @@ -1,2 +1,4 @@ # b/185723618 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; +# b/187014717 +dontaudit dumpstate twoshay:binder call; diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te index ed92cf9e..e9c6ff2a 100644 --- a/tracking_denials/hal_fingerprint_default.te +++ b/tracking_denials/hal_fingerprint_default.te @@ -11,3 +11,5 @@ dontaudit hal_fingerprint_default default_prop:file { getattr }; dontaudit hal_fingerprint_default default_prop:file { open }; dontaudit hal_fingerprint_default default_prop:file { read }; dontaudit hal_fingerprint_default system_data_root_file:file { open }; +# b/187015705 +dontaudit hal_fingerprint_default property_socket:sock_file write; diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te new file mode 100644 index 00000000..a998712f --- /dev/null +++ b/tracking_denials/incidentd.te @@ -0,0 +1,2 @@ +# b/187015816 +dontaudit incidentd apex_info_file:file getattr; 
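Review bot: The single comment at the top of fastbootd.te covers three rules but does not explain `allow fastbootd sda_block_device:blk_file rw_file_perms;`, which grants write access to everything labelled `sda_block_device` rather than to one partition. The commit message does show the denial for `name="sda"`, so the access appears to be real, but the reason belongs next to the rule, for example `# bootcontrol HAL opens the raw sda node during set_active (denial in commit message)`. If only one partition or region is touched, a narrower label would be preferable; that cannot be decided from this hunk.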
From 4510c550919019eb434f8f3f3b98396952ce7d55 Mon Sep 17 00:00:00 2001 From: Jenny Ho Date: Mon, 3 May 2021 15:47:14 +0800 Subject: [PATCH 235/921] set sepolicy for testing_battery_profile need run /vendor/bin/sh before setprop Bug: 180511460 Signed-off-by: Jenny Ho Change-Id: I3dbaa984407c82662dea537da671745851035fa2 --- whitechapel/vendor/google/property.te | 3 +++ whitechapel/vendor/google/property_contexts | 3 +++ whitechapel/vendor/google/vendor_init.te | 4 ++++ whitechapel/vendor/google/vendor_shell.te | 1 + 4 files changed, 11 insertions(+) create mode 100644 whitechapel/vendor/google/vendor_shell.te diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 16d2acb6..739075b9 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -33,6 +33,9 @@ system_public_prop(vendor_edgetpu_service_prop) # Battery defender vendor_internal_prop(vendor_battery_defender_prop) +# Battery profile for harness mode +vendor_internal_prop(vendor_battery_profile_prop) + # AoC vendor_internal_prop(vendor_aoc_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index cc8fa27c..c542d758 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -102,6 +102,9 @@ persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0 # Battery vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0 +# test battery profile +persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0 + # AoC vendor.aoc.firmware.version u:object_r:vendor_aoc_prop:s0 diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index fa4d5de8..7bcb38b6 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te 
@@ -25,3 +25,7 @@ userdebug_or_eng(` set_prop(vendor_init, vendor_nfc_prop) # SecureElement vendor property set_prop(vendor_init, vendor_secure_element_prop) +# Battery defender/harness/profile +get_prop(vendor_init, test_harness_prop) +get_prop(vendor_init, vendor_battery_profile_prop) +set_prop(vendor_init, vendor_battery_defender_prop) diff --git a/whitechapel/vendor/google/vendor_shell.te b/whitechapel/vendor/google/vendor_shell.te new file mode 100644 index 00000000..2ace587a --- /dev/null +++ b/whitechapel/vendor/google/vendor_shell.te @@ -0,0 +1 @@ +set_prop(vendor_shell, vendor_battery_profile_prop) From 722b181dd36f666a6551c760f6371d35c3e4f260 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 3 May 2021 15:48:46 +0800 Subject: [PATCH 236/921] update error on ROM 7331131 Bug: 187016929 Bug: 187016930 Bug: 187016910 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I294a27fd272f73cc371a4a8dc9783ba5f60203ff --- private/dex2oat.te | 59 +++++++++++++++++++++++++++++++ tracking_denials/priv_app.te | 2 ++ tracking_denials/update_engine.te | 2 ++ 3 files changed, 63 insertions(+) create mode 100644 private/dex2oat.te create mode 100644 tracking_denials/priv_app.te create mode 100644 tracking_denials/update_engine.te diff --git a/private/dex2oat.te b/private/dex2oat.te new file mode 100644 index 00000000..50d7852c --- /dev/null +++ b/private/dex2oat.te 
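Review bot: `set_prop(vendor_shell, vendor_battery_profile_prop)` in the new vendor_shell.te is granted on every build type and has no comment, although the property_contexts hunk of the same commit describes `persist.vendor.testing_battery_profile` as a test battery profile. If the property is only set during testing, putting the rule inside a `userdebug_or_eng` block would keep vendor shell scripts on user builds from changing it; this may not fit if harness mode has to work on user builds, which the hunk does not show. Either way, a comment such as `# /vendor/bin/sh runs setprop for persist.vendor.testing_battery_profile` would record the intent given in the commit message.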
@@ -0,0 +1,59 @@ +# b/187016929 +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat proc_filesystems:file read ; +dontaudit dex2oat postinstall_apex_mnt_dir:file getattr ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat 
vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat proc_filesystems:file read ; +dontaudit dex2oat postinstall_apex_mnt_dir:file getattr ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; +dontaudit dex2oat vendor_overlay_file:file read ; diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te new file mode 100644 index 00000000..bebe3936 --- /dev/null +++ b/tracking_denials/priv_app.te @@ -0,0 +1,2 @@ +# b/187016930 +dontaudit priv_app fwk_stats_service:service_manager find ; diff --git a/tracking_denials/update_engine.te b/tracking_denials/update_engine.te new file mode 100644 index 00000000..98e7b851 --- /dev/null +++ b/tracking_denials/update_engine.te @@ -0,0 +1,2 @@ +# b/187016910 +dontaudit update_engine mnt_vendor_file:dir search ; From 4099f606812d218efd9a47e0aa97aeac35b9610f Mon Sep 17 00:00:00 2001 
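Review bot: The new private/dex2oat.te is 59 lines long but holds only three distinct rules; the rest are verbatim repeats of `dontaudit dex2oat vendor_overlay_file:file read ;`. It can be reduced to the `# b/187016929` comment followed by `dontaudit dex2oat vendor_overlay_file:file read;`, `dontaudit dex2oat proc_filesystems:file read;` and `dontaudit dex2oat postinstall_apex_mnt_dir:file getattr;` with the same effect. The other two files added by this commit go under tracking_denials/, while this one is created under private/. There may be a build reason for that, but if it is also a temporary suppression, a comment saying so would make it easier to find and remove once the bug is resolved.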
From: lucaslin Date: Mon, 3 May 2021 16:29:18 +0800 Subject: [PATCH 237/921] Add sepolicy for tcpdump_logger to access wlan_logs folder tcpdump cannot be zipped into wlan logs when using tcpdump_logger on-demand function is because tcpdump_logger doesn't have access of wlan_logs folder. Add related sepolicies to fix it. Bug: 183467815 Test: 1. Set logger to wlan 2. Enable tcpdump_logger on-demand 3. Start logging 4. Stop logging 5. Pull wlan_logs 6. Check if tcpdump.pcap is zipped into the zip file Change-Id: Ib1b6c8cbd4512acdbe756d11bfe6f540e16c8db6 --- whitechapel/vendor/google/tcpdump_logger.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/tcpdump_logger.te b/whitechapel/vendor/google/tcpdump_logger.te index 329414b6..f017cedf 100644 --- a/whitechapel/vendor/google/tcpdump_logger.te +++ b/whitechapel/vendor/google/tcpdump_logger.te @@ -13,6 +13,8 @@ userdebug_or_eng(` allow tcpdump_logger tcpdump_vendor_data_file:file create_file_perms; allow tcpdump_logger radio_vendor_data_file:file create_file_perms; allow tcpdump_logger radio_vendor_data_file:dir create_dir_perms; + allow tcpdump_logger wifi_logging_data_file:file create_file_perms; + allow tcpdump_logger wifi_logging_data_file:dir create_dir_perms; set_prop(tcpdump_logger, vendor_tcpdump_log_prop) ') From a3c0b2ba9e29c377abf750ff37c8f9671e06829e Mon Sep 17 00:00:00 2001 
From: Daniel Mentz Date: Fri, 30 Apr 2021 16:16:18 -0700 Subject: [PATCH 238/921] Revert "remove wildcard on kernel modules" This reverts commit a346a7fa34c9bfe06ce8b9c5a40c4ce1a42c7f56. Let's move back to wildcards for kernel modules. This better supports kernel pre-submit testing and local kernel development where the script build.sh from the kernel repo is used to create the vendor_dlkm parition image. With build.sh, the path to a .ko file includes the kernel version as well as additional directory components like "extra/" that describe where in the kernel source key the module is located. Example: /vendor_dlkm/lib/modules/5.10.33-g2f01cf4c7282-dirty/extra/ftm5.ko Bug: 185184472 Bug: 186777291 Change-Id: I32f85dae7ca60d9063ad6c63f21ffdaecbb66039 --- whitechapel/vendor/google/file_contexts | 224 +----------------------- 1 file changed, 2 insertions(+), 222 deletions(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index fe5e846e..6193494f 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -382,228 +382,8 @@ /vendor/bin/pixelstats-vendor u:object_r:pixelstats_vendor_exec:s0 # Vendor_kernel_modules -/vendor_dlkm/lib/modules/abrolhos\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/acpm_flexpmu_dbg\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/acpm_mbox_test\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/aoc_alsa_dev\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/aoc_alsa_dev_util\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/aoc_channel_dev\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/aoc_char_dev\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/aoc_control_dev\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/aoc_core\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/aoc_usb_driver\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/aoc_uwb_platform_drv\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/aoc_uwb_service_dev\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/arm_dsu_pmu\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/at24\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/audiometrics\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/bbd\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/bcm47765\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/bc_max77759\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/bcm_dbg\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/bcmdhd43752\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/bcmdhd4389\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/bigocean\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/boot_device_spi\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/clk_exynos\.ko 
u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/cl_dsp\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/cmupmucal\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/cpif\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/cp_thermal_zone\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/dbgcore-dump\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/debug-reboot\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/debug-snapshot-debug-kinfo\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/debug-snapshot-qd\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/debug-snapshot-sfrdump\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/deferred-free-helper\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/drv2624\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/dss\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/dw3000\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/dwc3-exynos-usb\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/dwc3-haps\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/dwc3\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/dwc3-of-simple\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/dwc3-qcom\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/ect_parser\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/eh\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/eh_test\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos-acme\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos-adv-tracer\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos-adv-tracer-s2d\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos-bcm_dbg-dump\.ko 
u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos-bts\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos-btsopsgs101\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos-coresight-etm\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos-coresight\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos-cpuhp\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos-cpupm\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos-debug-test\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos_devfreq\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos_dit\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos-dm\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos-drm\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos-ecc-handler\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos_mct\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos_mfc\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos-pd-dbg\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos-pd_el3\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos-pd\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos-pm\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos_pm_qos\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos-pmu-if\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos-reboot\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos-seclog\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exynos_tty\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/exyswd-rng\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/ftm5\.ko 
u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/g2d\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/goodixfp\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/google-battery\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/google-bms\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/google-charger\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/google-cpm\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/google_dual_batt_gauge\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/gpu_cooling\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/gs101_bcl\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/gs101-itmon\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/gs101_spmic_thermal\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/gs101_thermal\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/gs_acpm\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/gsa_gsc\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/gsa\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/gs-chipid\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/gsc-spi\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/gvotable\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/haptics-cs40l2x\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/hardlockup-debug\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/hardlockup-watchdog\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/heatmap\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/i2c-acpm\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/i2c-dev\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/i2c-exynos5\.ko u:object_r:vendor_kernel_modules:s0 
-/vendor_dlkm/lib/modules/input-cs40l26-i2c\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/ion_exynos_mod\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/keycombo\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/keydebug\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/logbuffer\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/lwis\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/lzo\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/lzo-rle\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/mailbox-wc\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/mali_kbase\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/mali_pixel\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/max1720x-battery\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/max20339\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/max77729_charger\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/max77729-pmic\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/max77729_uic\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/max77759_charger\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/max77759_contaminant\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/max77759_helper\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/max77826-gs-regulator\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/mcps802154\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/mcps802154_region_fira\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/memlat-devfreq\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/nitrous\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/odpm\.ko u:object_r:vendor_kernel_modules:s0 
-/vendor_dlkm/lib/modules/overheat_mitigation\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/p9221\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/page_pool\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/panel-boe-tv080wumng0\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/panel-boe-tv101wumng0\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/panel-samsung-drv\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/panel-samsung-emul\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/panel-samsung-s6e3fc3\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/panel-samsung-s6e3hc2\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/panel-samsung-s6e3hc3\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/panel-samsung-sofef01\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/pca9468\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/pcie-exynos-core\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/pcie-exynos-gs101-rc-cal\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/phy-exynos-mipi-dsim\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/phy-exynos-mipi\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/phy-exynos-usbdrd-super\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/pinctrl-samsung-core\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/pinctrl-slg51000\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/pixel-debug-test\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/pixel_stat_mm\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/pixel_stat_sysfs\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/pktgen\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/pl330\.ko u:object_r:vendor_kernel_modules:s0 
-/vendor_dlkm/lib/modules/pmic_class\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/power_stats\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/rtc-s2mpg10\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/s2mpg10-mfd\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/s2mpg10-powermeter\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/s2mpg10-regulator\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/s2mpg11-mfd\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/s2mpg11-powermeter\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/s2mpg11-regulator\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/s2mpg1x-gpio\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/s2mpu\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/s3c2410_wdt\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/samsung_dma_heap\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/samsung-dma\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/samsung-iommu-group\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/samsung_iommu\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/samsung-secure-iova\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/sbb-mux\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/sched_tp\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/sec_touch\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/sg\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/shm_ipc\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/slc_acpm\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/slc_dummy\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/slc_pmon\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/slc_pt\.ko 
u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/slg46826\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/slg51000-core\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/slg51000-regulator\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/smfc\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/snd-soc-cs35l41-i2c\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/snd-soc-cs35l41\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/snd-soc-cs35l41-spi\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/snd-soc-max98357a\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/snd-soc-rl6231\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/snd-soc-rt5682-i2c\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/snd-soc-rt5682\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/snd-soc-wm-adsp\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/softdog\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/spidev\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/spi-s3c64xx\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/sscoredump\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/st21nfc\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/st33spi\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/st54spi\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/stmvl53l1\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/systrace\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/tcpci_fusb307\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/tcpci_max77759\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/touch_bus_negotiator\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/touch_offload\.ko 
u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/trusty-core\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/trusty-ipc\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/trusty-irq\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/trusty-log\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/trusty-test\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/trusty-virtio\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/ufs-exynos-core\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/usb_f_dm1\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/usb_f_dm\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/usb_f_etr_miu\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/usb_psy\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/vh_fs\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/vh_sched\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/vh_thermal\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/videobuf2-dma-sg\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/xhci-exynos\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/xhci-hcd\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/xhci-pci\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/xhci-plat-hcd\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/zcomp_cpu\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/zcomp_eh\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/zram\.ko u:object_r:vendor_kernel_modules:s0 -/vendor_dlkm/lib/modules/zsmalloc\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 +/vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 # Display /vendor/lib(64)?/libion_google\.so 
u:object_r:same_process_hal_file:s0 From db03875ebe433a7431887d010e4222ab27836d07 Mon Sep 17 00:00:00 2001 From: Chris Kuiper Date: Mon, 3 May 2021 14:25:53 -0700 Subject: [PATCH 239/921] sepolicy: gs101: allow usf_reg_edit to run Provide necessary permissions to run usf_reg_edit from bugreport. Bug: 187081112 Test: Run "adb bugreport " and verify it contains the output from "usf_reg_edit save -". Change-Id: Iade132d93105d461d51273d19fe570d48cce46fe --- whitechapel/vendor/google/file.te | 1 + whitechapel/vendor/google/file_contexts | 1 + whitechapel/vendor/google/hal_dumpstate_default.te | 1 + 3 files changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index a2b0a4fd..8fcba17d 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -48,6 +48,7 @@ type sysfs_acpm_stats, sysfs_type, fs_type; # Vendor tools type vendor_usf_stats, vendor_file_type, file_type; +type vendor_usf_reg_edit, vendor_file_type, file_type; type vendor_dumpsys, vendor_file_type, file_type; # Sensors diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index fe5e846e..bd148ba7 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -16,6 +16,7 @@ /(vendor|system/vendor)/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0 /vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0 +/vendor/bin/usf_reg_edit u:object_r:vendor_usf_reg_edit:s0 /vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0 # diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index c0871bb2..3b779998 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te 
@@ -26,6 +26,7 @@ allow hal_dumpstate_default vendor_rfsd_log_file:file r_file_perms; allow hal_dumpstate_default vendor_log_file:dir search; allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans; +allow hal_dumpstate_default vendor_usf_reg_edit:file execute_no_trans; allow hal_dumpstate_default vendor_dumpsys:file execute_no_trans; allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; From 2fb432f08cdf0fd2b41e8b3859f4031b9d1c5b3f Mon Sep 17 00:00:00 2001 From: Daniel Mentz Date: Mon, 3 May 2021 18:16:05 -0700 Subject: [PATCH 240/921] Remove /vendor/lib/modules from file_contexts Vendor kernel modules were moved to /vendor_dlkm/lib/modules. Let's remove the old directory /vendor/lib/modules from file_contexts. Bug: 185184472 Bug: 186777291 Change-Id: I38f1b25cb2d73a804f1cdb113edc9b11f8e516f7 --- whitechapel/vendor/google/file_contexts | 1 - 1 file changed, 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 6193494f..16bb7008 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -382,7 +382,6 @@ /vendor/bin/pixelstats-vendor u:object_r:pixelstats_vendor_exec:s0 # Vendor_kernel_modules -/vendor/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 /vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 # Display From 69c8212a41c05b27e73094b6d065c63919da251b Mon Sep 17 00:00:00 2001 From: Ted Lin Date: Thu, 1 Apr 2021 18:49:53 +0800 Subject: [PATCH 241/921] wlc fwupdate implementation Fix sepolicy problems. Bug: 183465596 Test: logcat/dmesg grep wlc. Signed-off-by: Ted Lin Change-Id: I834f4d83f822b8189a576ac198bae9a7d77a3e10 --- whitechapel/vendor/google/file.te | 3 +++ whitechapel/vendor/google/file_contexts | 4 ++++ whitechapel/vendor/google/wlcfwupdate.te | 12 ++++++++++++ 3 files changed, 19 insertions(+) create mode 100644 whitechapel/vendor/google/wlcfwupdate.te 
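Review bot: The added `allow hal_dumpstate_default vendor_usf_reg_edit:file execute_no_trans;` runs usf_reg_edit inside the dumpstate HAL's own domain on every build type, so the tool inherits every permission hal_dumpstate_default holds, and nothing in the policy limits it to the `usf_reg_edit save -` invocation named in the commit message. If register dumps are only wanted in debug bugreports, moving the rule into the file's `userdebug_or_eng` block would keep it off user builds. Otherwise a comment such as `# bugreport runs "usf_reg_edit save -" only; the tool is never asked to write registers` would record the intent next to the rule. The rest of hal_dumpstate_default.te lies outside the hunk, so how this interacts with the other grants of that domain cannot be checked from here.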
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index a2b0a4fd..ae4ec433 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -200,3 +200,6 @@ type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; # PixelStats_vendor type sysfs_pixelstats, fs_type, sysfs_type; + +# WLC FW +type vendor_wlc_fwupdata_file, vendor_file_type, file_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index fe5e846e..8a1b54a9 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -664,3 +664,7 @@ # Wifi Firmware config update /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 + +# WLC FW update +/vendor/bin/wlc_upt/p9412_mtp u:object_r:vendor_wlc_fwupdata_file:s0 +/vendor/bin/wlc_upt/wlc_fw_update\.sh u:object_r:wlcfwupdate_exec:s0 diff --git a/whitechapel/vendor/google/wlcfwupdate.te b/whitechapel/vendor/google/wlcfwupdate.te new file mode 100644 index 00000000..37c29484 --- /dev/null +++ b/whitechapel/vendor/google/wlcfwupdate.te @@ -0,0 +1,12 @@ +# wlcfwupdate service +type wlcfwupdate, domain; +type wlcfwupdate_exec, vendor_file_type, exec_type, file_type; + +init_daemon_domain(wlcfwupdate) + +allow wlcfwupdate sysfs_batteryinfo:dir search; +allow wlcfwupdate sysfs_batteryinfo:file r_file_perms; +allow wlcfwupdate sysfs_wlc:dir search; +allow wlcfwupdate sysfs_wlc:file rw_file_perms; +allow wlcfwupdate vendor_toolbox_exec:file execute_no_trans; +allow wlcfwupdate vendor_wlc_fwupdata_file:file execute_no_trans; From 34278f05a06e10aa1417f57f2461bd5bb3f76ba0 Mon Sep 17 00:00:00 2001 
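Review bot: The new wlcfwupdate.te gives no reason for any of its six allow rules, and the type `vendor_wlc_fwupdata_file` (declared in file.te and applied to `/vendor/bin/wlc_upt/p9412_mtp` in file_contexts) reads like a data-file label although the domain is granted `execute_no_trans` on it. A short comment per group would let a reviewer match the grants to what the updater does, for example `# Read battery state before flashing`, `# Drive the wireless-charger firmware-update sysfs nodes` and `# Run the p9412_mtp programming tool inside this domain`; these descriptions are inferred from the type names and should be confirmed by the author. If `fwupdata` is a misspelling of `fwupdate`, correcting it now is cheaper than renaming the type once other policy refers to it.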
From: lucaslin Date: Tue, 4 May 2021 10:30:22 +0800 Subject: [PATCH 242/921] Add sepolicy for dumpstate to access logs of tcpdump_logger Bug: 183467815 Test: 1. Enable tcpdump_logger always-on function 2. Dump bugreport 3. Pull dumpstate_board.bin and chagne it to zip 4. Unzip dumpstate_board.zip and check if tcpdump files are there. Change-Id: I178aca40d94602994eef619f05a26ceb78eeff1f --- whitechapel/vendor/google/hal_dumpstate_default.te | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index c0871bb2..15a1ae5d 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -124,6 +124,9 @@ userdebug_or_eng(` allow hal_dumpstate_default sysfs_bcl:dir r_dir_perms; allow hal_dumpstate_default sysfs_bcl:file r_file_perms; allow hal_dumpstate_default sysfs_bcl:lnk_file read; + allow hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms; + allow hal_dumpstate_default tcpdump_vendor_data_file:file create_file_perms; + set_prop(hal_dumpstate_default, vendor_tcpdump_log_prop) ') dontaudit hal_dumpstate_default vendor_ion_debugfs:dir r_dir_perms; @@ -163,3 +166,7 @@ dontaudit hal_dumpstate_default sysfs_bcl:dir r_dir_perms; dontaudit hal_dumpstate_default sysfs_bcl:file r_file_perms; dontaudit hal_dumpstate_default rootfs:dir r_dir_perms; + +dontaudit hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms; +dontaudit hal_dumpstate_default tcpdump_vendor_data_file:file create_file_perms; +dontaudit hal_dumpstate_default vendor_tcpdump_log_prop:file r_file_perms; From f5b47095beba9b21d76376522e71d6c62b12d5da Mon Sep 17 00:00:00 2001 
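Review bot: The rules added inside `userdebug_or_eng` in the first hunk grant `create_dir_perms` and `create_file_perms` on tcpdump_vendor_data_file, which lets the dumpstate HAL create, modify and delete capture files, while the commit title only speaks of accessing the logs. If the HAL only copies captures into the bugreport, `r_dir_perms` and `r_file_perms` would be sufficient; if it also has to clean up or rotate them, a comment above the rules should say so. The second hunk's `dontaudit hal_dumpstate_default vendor_tcpdump_log_prop:file r_file_perms;` silences only reads of the property, so it is worth confirming that the user-build code path never tries to set it.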
From: Jenny Ho Date: Tue, 4 May 2021 15:24:38 +0800 Subject: [PATCH 243/921] add sepolicy for dump TRICKLE/TEMP/DWELL defend config type=1400 audit(0.0:12): avc: denied { read } for name="google,charger" dev="sysfs" ino=25880 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0 Bug: 186872139 Signed-off-by: Jenny Ho Change-Id: Id8868d2b12408d4a39ba42c8b0faf801923f73f3 --- whitechapel/vendor/google/genfs_contexts | 1 + whitechapel/vendor/google/hal_dumpstate_default.te | 1 + 2 files changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 33e2492a..cf466876 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -9,6 +9,7 @@ genfscon sysfs /wifi u:ob # Battery genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/google,cpm/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0 # Slider genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0050 u:object_r:sysfs_batteryinfo:s0 diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 15a1ae5d..ecd58775 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -66,6 +66,7 @@ allow hal_dumpstate_default proc_f2fs:file r_file_perms; allow hal_dumpstate_default proc_touch:file rw_file_perms; allow hal_dumpstate_default sysfs_batteryinfo:dir search; +allow hal_dumpstate_default sysfs_batteryinfo:dir r_dir_perms; allow hal_dumpstate_default sysfs_batteryinfo:file r_file_perms; allow hal_dumpstate_default sysfs_chip_id:file r_file_perms; From ea5b597e3dd3aa52522fdbe851e42c720b4131e7 Mon Sep 17 00:00:00 2001 
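Review bot: `genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0` in the genfs_contexts hunk labels the whole charger platform device, so every attribute below it becomes reachable by any domain that already holds sysfs_batteryinfo access, not only by the dumpstate HAL named in the quoted denial. The neighbouring entries label `power_supply` subtrees; if the defend-config files sit in a narrower subdirectory, labelling that path instead would limit the exposure to what the bugreport needs. Which domains hold write access to sysfs_batteryinfo is not visible in this hunk and should be checked before the label is widened.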
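Review bot: The new `allow hal_dumpstate_default sysfs_batteryinfo:dir r_dir_perms;` in the hal_dumpstate_default.te hunk makes the context line directly above it, `allow hal_dumpstate_default sysfs_batteryinfo:dir search;`, redundant, because `r_dir_perms` already includes `search`. Replacing the old line instead of adding a second one keeps the file free of overlapping grants that later readers have to reconcile.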
From: Alex Hong Date: Tue, 4 May 2021 17:08:55 +0800 Subject: [PATCH 244/921] sepolicy: Update dumpstate HAL to V1.1 Test: $ make selinux_policy Check the label after boot completed Bug: 186539439 Change-Id: I6690e2bc485aceb53dc607b8a7656a4f57edf70e --- whitechapel/vendor/google/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 16bb7008..82f2f905 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -25,7 +25,7 @@ /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@1\.1-service-brcm u:object_r:hal_gnss_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@2\.0-service-brcm u:object_r:hal_gnss_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service-brcm u:object_r:hal_gnss_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service\.gs101 u:object_r:hal_dumpstate_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.1-service\.gs101 u:object_r:hal_dumpstate_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.gs101 u:object_r:hal_power_stats_default_exec:s0 # Wireless charger HAL /(vendor|system/vendor)/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 From b844190a34feac519a85d8ceabf95c80168740a0 Mon Sep 17 00:00:00 2001 
From: Yu-Chi Cheng Date: Fri, 23 Apr 2021 16:28:14 -0700 Subject: [PATCH 245/921] Added the SELinux rule for the EdgeTPU vendor service. To comply with the GSI compliance test, this change splits the compiler part of the edgetpu_service into a separate edgetpu_vendor_service under vendor. The edgetpu_service locates under /system_ext/ and used to be connected by both applications and vendor clients. With this change, vendor clients could talk to the vendor part of this service directly without having to cross the system and vendor boundary. Applications will still talk to the system_ext one, which will forward the requests to the vendor service. Bug: 185432427 Test: tested on Oriole + GCA. Change-Id: I1ee47946f1fc3694d5f8b5325c192d6bd720a76e --- whitechapel/vendor/google/edgetpu_service.te | 18 ++++-------- .../vendor/google/edgetpu_vendor_service.te | 28 +++++++++++++++++++ whitechapel/vendor/google/file.te | 8 ++++-- whitechapel/vendor/google/file_contexts | 8 ++++-- .../vendor/google/hal_camera_default.te | 5 ++-- whitechapel/vendor/google/service.te | 1 + whitechapel/vendor/google/service_contexts | 2 ++ 7 files changed, 49 insertions(+), 21 deletions(-) create mode 100644 whitechapel/vendor/google/edgetpu_vendor_service.te diff --git a/whitechapel/vendor/google/edgetpu_service.te b/whitechapel/vendor/google/edgetpu_service.te index 9912ac3b..28b364e2 100644 --- a/whitechapel/vendor/google/edgetpu_service.te +++ b/whitechapel/vendor/google/edgetpu_service.te @@ -1,7 +1,7 @@ # EdgeTPU server process which runs the EdgeTPU binder service. type edgetpu_server, coredomain, domain; type edgetpu_server_exec, exec_type, system_file_type, file_type; -init_daemon_domain(edgetpu_server, edgetpu_server_exec) +init_daemon_domain(edgetpu_server) # The server will use binder calls. binder_use(edgetpu_server); 
@@ -23,24 +23,16 @@ allow edgetpu_server sysfs_edgetpu:file rw_file_perms; # Applications are not allowed to open the EdgeTPU device directly. neverallow appdomain edgetpu_device:chr_file { open }; -# Allow EdgeTPU service access to its data files. -allow edgetpu_server edgetpu_service_data_file:file create_file_perms; -allow edgetpu_server edgetpu_service_data_file:dir rw_dir_perms; - # Allow EdgeTPU service to access the Package Manager service. allow edgetpu_server package_native_service:service_manager find; binder_call(edgetpu_server, system_server); -# Allow EdgeTPU service to access Android shared memory allocated -# by the camera hal for on-device compilation. -allow edgetpu_server hal_camera_default:fd use; - -# Allow EdgeTPU service to read the kernel version. -# This is done inside the InitGoogle. -allow edgetpu_server proc_version:file r_file_perms; - # Allow EdgeTPU service to read EdgeTPU service related system properties. get_prop(edgetpu_server, vendor_edgetpu_service_prop); # Allow EdgeTPU service to generate Perfetto traces. perfetto_producer(edgetpu_server); + +# Allow EdgeTPU service to connect to the EdgeTPU vendor version of the service. +allow edgetpu_server edgetpu_vendor_service:service_manager find; +binder_call(edgetpu_server, edgetpu_vendor_server); diff --git a/whitechapel/vendor/google/edgetpu_vendor_service.te b/whitechapel/vendor/google/edgetpu_vendor_service.te new file mode 100644 index 00000000..538c47b9 --- /dev/null +++ b/whitechapel/vendor/google/edgetpu_vendor_service.te 
@@ -0,0 +1,28 @@ +# EdgeTPU vendor service. +type edgetpu_vendor_server, domain; +type edgetpu_vendor_server_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(edgetpu_vendor_server) + +# The vendor service will use binder calls. +binder_use(edgetpu_vendor_server); + +# The vendor service will serve a binder service. +binder_service(edgetpu_vendor_server); + +# EdgeTPU vendor service to register the service to service_manager. +add_service(edgetpu_vendor_server, edgetpu_vendor_service); + +# Allow communications between other vendor services. +allow edgetpu_vendor_server vndbinder_device:chr_file { read write open ioctl map }; + +# Allow EdgeTPU vendor service to access its data files. +allow edgetpu_vendor_server edgetpu_vendor_service_data_file:file create_file_perms; +allow edgetpu_vendor_server edgetpu_vendor_service_data_file:dir create_dir_perms; + +# Allow EdgeTPU vendor service to access Android shared memory allocated +# by the camera hal for on-device compilation. +allow edgetpu_vendor_server hal_camera_default:fd use; + +# Allow EdgeTPU vendor service to read the kernel version. +# This is done inside the InitGoogle. +allow edgetpu_vendor_server proc_version:file r_file_perms; diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index a2b0a4fd..fe094149 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -131,11 +131,13 @@ type persist_camera_file, file_type; type vendor_camera_tuning_file, vendor_file_type, file_type; type vendor_camera_data_file, file_type, data_file_type; -# EdgeTPU device (DarwiNN) +# EdgeTPU hal data file type hal_neuralnetworks_darwinn_data_file, file_type, data_file_type; -# EdgeTPU -type edgetpu_service_data_file, file_type, data_file_type, core_data_file_type; +# EdgeTPU vendor service data file +type edgetpu_vendor_service_data_file, file_type, data_file_type; + +# EdgeTPU sysfs type sysfs_edgetpu, sysfs_type, fs_type; # Vendor sched files 
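Review bot: The new edgetpu_vendor_service.te does not state who may reach the service: the commit description says applications keep going through the system_ext service, but the file has no counterpart to the `neverallow appdomain edgetpu_device:chr_file { open };` guard in edgetpu_service.te. Adding `neverallow appdomain edgetpu_vendor_service:service_manager find;` would turn that boundary into a build-time check; platform policy may already restrict untrusted apps, and any app domain that is meant to connect directly would have to be excluded by name. Separately, the comment on the `vndbinder_device` rule speaks of communication with other vendor services, yet the service is registered with `add_service` and uses `binder_use`; if the daemon never opens the vndbinder device, that rule can be dropped.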
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 658f0754..6cad814e 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -361,17 +361,21 @@ # EdgeTPU logging service /vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0 -# EdgeTPU service binary and libraries +# EdgeTPU service binaries and libraries /system_ext/bin/hw/vendor\.google\.edgetpu@1\.0-service u:object_r:edgetpu_server_exec:s0 /vendor/lib64/com\.google\.edgetpu-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0 +# EdgeTPU vendor service +/vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service u:object_r:edgetpu_vendor_server_exec:s0 +/vendor/lib64/com\.google\.edgetpu_vendor_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 + # EdgeTPU runtime libraries /vendor/lib64/libedgetpu_darwinn2\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0 # EdgeTPU data files -/data/edgetpu(/.*)? u:object_r:edgetpu_service_data_file:s0 +/data/vendor/edgetpu(/.*)? u:object_r:edgetpu_vendor_service_data_file:s0 /data/vendor/hal_neuralnetworks_darwinn(/.*)? u:object_r:hal_neuralnetworks_darwinn_data_file:s0 # Tetheroffload Service diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index b1c76b56..df210f6f 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te 
@@ -20,9 +20,8 @@ allow hal_camera_default tee_device:chr_file rw_file_perms; allow hal_camera_default edgetpu_device:chr_file rw_file_perms; allow hal_camera_default sysfs_edgetpu:dir r_dir_perms; allow hal_camera_default sysfs_edgetpu:file r_file_perms; -allow hal_camera_default edgetpu_server:fd use; -allow hal_camera_default edgetpu_service:service_manager find; -binder_call(hal_camera_default, edgetpu_server) +allow hal_camera_default edgetpu_vendor_service:service_manager find; +binder_call(hal_camera_default, edgetpu_vendor_server) # Allow access to data files used by the camera HAL allow hal_camera_default mnt_vendor_file:dir search; diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te index 99e99483..d775ff08 100644 --- a/whitechapel/vendor/google/service.te +++ b/whitechapel/vendor/google/service.te @@ -2,3 +2,4 @@ type hal_pixel_display_service, service_manager_type, vendor_service; type uwb_vendor_service, service_manager_type, vendor_service; type touch_context_service, service_manager_type, vendor_service; type hal_uwb_service, service_manager_type, vendor_service; +type edgetpu_vendor_service, service_manager_type, vendor_service; diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index e0455372..47b01ba4 100644 --- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts @@ -1,5 +1,7 @@ # EdgeTPU service com.google.edgetpu.IEdgeTpuService/default u:object_r:edgetpu_service:s0 +com.google.edgetpu.IEdgeTpuVendorService/default u:object_r:edgetpu_vendor_service:s0 + com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0 uwb_vendor u:object_r:uwb_vendor_service:s0 From 9eeae92ade6f6cfc0d67846ad1a26bd6f91f6049 Mon Sep 17 00:00:00 2001 
From: qinyiyan Date: Tue, 4 May 2021 17:08:56 -0700 Subject: [PATCH 246/921] [SEPolicy] Allow EdgeTPU related service to log to stats service We are collecting Suez metrics from TPU related services. This includes NNAPI HAL, edgetput logging service, and edgetpu service. This change allows them all to find stats_service. Bug: 151063663 Test: Pushed selinx module to device and successfully logged Stats service. Change-Id: I80774485ae7c2a5f994d48a71b6406fac753a9f8 --- whitechapel/vendor/google/edgetpu_logging.te | 5 +++++ whitechapel/vendor/google/edgetpu_service.te | 3 +++ whitechapel/vendor/google/hal_neuralnetworks_darwinn.te | 5 +++++ 3 files changed, 13 insertions(+) diff --git a/whitechapel/vendor/google/edgetpu_logging.te b/whitechapel/vendor/google/edgetpu_logging.te index ab67126f..5954fdd4 100644 --- a/whitechapel/vendor/google/edgetpu_logging.te +++ b/whitechapel/vendor/google/edgetpu_logging.te @@ -8,3 +8,8 @@ allow edgetpu_logging edgetpu_device:chr_file rw_file_perms; # Allows the logging service to access /sys/class/edgetpu allow edgetpu_logging sysfs_edgetpu:dir search; allow edgetpu_logging sysfs_edgetpu:file r_file_perms; + +# Allow TPU logging service to log to stats service. (metrics) +allow edgetpu_logging fwk_stats_service:service_manager find; +binder_call(edgetpu_logging, system_server); +binder_use(edgetpu_logging) diff --git a/whitechapel/vendor/google/edgetpu_service.te b/whitechapel/vendor/google/edgetpu_service.te index 28b364e2..a90d3fd9 100644 --- a/whitechapel/vendor/google/edgetpu_service.te +++ b/whitechapel/vendor/google/edgetpu_service.te @@ -36,3 +36,6 @@ perfetto_producer(edgetpu_server); # Allow EdgeTPU service to connect to the EdgeTPU vendor version of the service. allow edgetpu_server edgetpu_vendor_service:service_manager find; binder_call(edgetpu_server, edgetpu_vendor_server); + +# Allow EdgeTPU service to log to stats service. (metrics) +allow edgetpu_server fwk_stats_service:service_manager find; 
diff --git a/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te b/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te index d2b8fa3c..5bfbd02a 100644 --- a/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te +++ b/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te @@ -25,3 +25,8 @@ get_prop(hal_neuralnetworks_darwinn, hwservicemanager_prop) # Allow TPU HAL to read the kernel version. # This is done inside the InitGoogle. allow hal_neuralnetworks_darwinn proc_version:file r_file_perms; + +# Allow TPU NNAPI HAL to log to stats service. (metrics) +allow hal_neuralnetworks_darwinn fwk_stats_service:service_manager find; +binder_call(hal_neuralnetworks_darwinn, system_server); +binder_use(hal_neuralnetworks_darwinn) From 1dac39e83306d24b04add472586d5c0b38e83908 Mon Sep 17 00:00:00 2001 From: Tri Vo Date: Wed, 21 Apr 2021 23:26:27 -0700 Subject: [PATCH 247/921] trusty: sepolicy for metrics reporter Bug: 173423860 Test: m Change-Id: I42d646c6c9453662e670e7c22712f2bde2368bba --- whitechapel/vendor/google/file_contexts | 1 + whitechapel/vendor/google/trusty_metricsd.te | 11 +++++++++++ 2 files changed, 12 insertions(+) create mode 100644 whitechapel/vendor/google/trusty_metricsd.te diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index fe5e846e..3b2121b7 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -321,6 +321,7 @@ /vendor/bin/securedpud.slider u:object_r:securedpud_slider_exec:s0 /vendor/bin/storageproxyd u:object_r:tee_exec:s0 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0 +/vendor/bin/trusty_metricsd\.gs101 u:object_r:trusty_metricsd_exec:s0 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 /vendor/bin/hw/android\.hardware\.keymaster@4\.0-service\.trusty u:object_r:hal_keymaster_default_exec:s0 /vendor/bin/hw/android\.hardware\.confirmationui@1\.0-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0 diff --git a/whitechapel/vendor/google/trusty_metricsd.te b/whitechapel/vendor/google/trusty_metricsd.te new file mode 100644 index 00000000..63fc85b6 --- /dev/null +++ b/whitechapel/vendor/google/trusty_metricsd.te @@ -0,0 +1,11 @@ +type trusty_metricsd, domain; +type trusty_metricsd_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(trusty_metricsd) + +allow trusty_metricsd tee_device:chr_file rw_file_perms; + +# For Suez metrics collection +binder_use(trusty_metricsd) +binder_call(trusty_metricsd, system_server) +allow trusty_metricsd fwk_stats_service:service_manager find; From 2c1ecf3a54fd02c9d7134b15d0fafb06976b075c Mon Sep 17 00:00:00 2001 
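Review bot: In the new trusty_metricsd.te, `allow trusty_metricsd tee_device:chr_file rw_file_perms;` carries no comment, unlike the stats-service rules under `# For Suez metrics collection`, and it is the broadest grant in the file. SELinux sees only the device node here, so it cannot distinguish which Trusty service the daemon connects to; any narrowing to a single service has to be enforced on the Trusty side. I would add `# Connect to the Trusty metrics service over the TEE IPC device` above the rule, with the wording confirmed by the author since the purpose is inferred from the daemon name.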
From: Jack Wu Date: Wed, 5 May 2021 21:50:16 +0800 Subject: [PATCH 248/921] sepolicy: gs101: Fix hal_health_default avc denials 01-01 12:00:08.752 1000 682 682 I android.hardwar: type=1400 audit(0.0:3): avc: denied { read } for name="type" dev="sysfs" ino=68812 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 01-01 12:00:08.752 1000 682 682 I android.hardwar: type=1400 audit(0.0:4): avc: denied { open } for path="/sys/devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/type" dev="sysfs" ino=68812 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 01-01 12:00:08.752 1000 682 682 I android.hardwar: type=1400 audit(0.0:5): avc: denied { getattr } for path="/sys/devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/type" dev="sysfs" ino=68812 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 Bug: 184429394 Test: Verify pass by checking device log are w/o above errors after Signed-off-by: Jack Wu Change-Id: If1253c902af1723ca80d31223f51ebf439404527 --- whitechapel/vendor/google/genfs_contexts | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index cf466876..baef90b9 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -42,6 +42,11 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0025 u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0025/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply u:object_r:sysfs_batteryinfo:s0 + # Storage genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0 genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0 
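Review bot: The first added line, `genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0025 u:object_r:sysfs_batteryinfo:s0`, labels the entire 7-0025 device, whereas 7-0069 and 7-0036 are labelled only at `power_supply`, and the denials quoted in the commit message are all under `7-0069/power_supply/dc`. With the device-level entry present, the following `.../7-0025/power_supply` line is redundant and every other attribute of that device becomes sysfs_batteryinfo. Unless hal_health_default needs files outside `power_supply`, dropping the device-level entry keeps the label as narrow as for the other two chips. The wakeup entries added in the second hunk are longer paths and keep their sysfs_wakeup label either way.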
@@ -199,6 +204,12 @@ genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/4-0008/wakeup/wakeup genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0025/power_supply/tcpm-source-psy-7-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 # OTA genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 From ab9765741093899acab3dfc9b2130d722f19265a Mon Sep 17 00:00:00 2001 
From: SalmaxChang Date: Wed, 5 May 2021 16:46:12 +0800 Subject: [PATCH 249/921] logger_app: Fix avc errors avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=141 scontext=u:r:logger_app:s0:c21,c257,c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 app=com.android.pixellogger Access denied finding property "viewroot.profile_rendering" Access denied finding property "ro.input.resampling" Access denied finding property "persist.input.velocitytracker.strategy" avc: denied { read } for comm="oid.pixellogger" name="u:object_r:usb_control_prop:s0" dev="tmpfs" ino=281 scontext=u:r:logger_app:s0:c21,c257,c512,c768 tcontext=u:object_r:usb_control_prop:s0 tclass=file permissive=0 app=com.android.pixellogger Bug: 186612284 Change-Id: I15f00d9ed3cc0c0657c854292caad60e3f7a3011 --- whitechapel/vendor/google/logger_app.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te index 0926df35..527491b5 100644 --- a/whitechapel/vendor/google/logger_app.te +++ b/whitechapel/vendor/google/logger_app.te @@ -5,6 +5,7 @@ userdebug_or_eng(` allow logger_app vendor_gps_file:file create_file_perms; allow logger_app vendor_gps_file:dir create_dir_perms; + get_prop(logger_app, usb_control_prop) set_prop(logger_app, vendor_logger_prop) set_prop(logger_app, vendor_modem_prop) set_prop(logger_app, vendor_gps_prop) @@ -17,4 +18,6 @@ userdebug_or_eng(` set_prop(logger_app, logd_prop) set_prop(logger_app, vendor_usb_config_prop) set_prop(logger_app, vendor_wifi_sniffer_prop) + + dontaudit logger_app default_prop:file { read }; ') From 6a9a85cd07d77974fa7ee26b721456c5e561a0dc Mon Sep 17 00:00:00 2001 
From: Aaron Tsai Date: Mon, 3 May 2021 16:52:56 +0800 Subject: [PATCH 250/921] Fix avc denied for shannon-ims 04-01 19:10:22.956 10272 2327 2327 W Binder:2327_4: type=1400 audit(0.0:8): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=139 scontext=u:r:vendor_ims_app:s0:c16,c257,c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 app=com.shannon.imsservice 04-01 19:10:22.960 10272 2327 4608 E libc : Access denied finding property "persist.dbg.wfc_avail_ovr0" 04-01 19:10:22.981 10272 2327 4608 E libc : Access denied finding property "persist.dbg.vt_avail_ovr0" 04-01 19:10:22.982 10272 2327 4980 E libc : Access denied finding property "persist.dbg.volte_avail_ovr0" Bug: 183935382 Bug: 184858478 Test: verified with the forrest ROM and error log goneFix Change-Id: I0754c6be7f74ed73533e9570c7d1916320ab2897 --- tracking_denials/vendor_ims_app.te | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 tracking_denials/vendor_ims_app.te diff --git a/tracking_denials/vendor_ims_app.te b/tracking_denials/vendor_ims_app.te deleted file mode 100644 index e6a9dfd8..00000000 --- a/tracking_denials/vendor_ims_app.te +++ /dev/null @@ -1,3 +0,0 @@ -# b/183935382 -dontaudit vendor_ims_app default_prop:file { read }; -dontaudit vendor_ims_app default_prop:file { read }; From 43735f0fc316594ad9e016288dfbe3cf61d83dd2 Mon Sep 17 00:00:00 2001 From: JJ Lee Date: Thu, 6 May 2021 19:41:57 +0800 Subject: [PATCH 251/921] sepolicy: gs101: allow audio hal to use wakelock Bug: 178789331 Test: build pass Signed-off-by: JJ Lee Change-Id: I1d5c9ea8726f2e53bc05e0ecd5dedddede274794 --- whitechapel/vendor/google/hal_audio_default.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/hal_audio_default.te b/whitechapel/vendor/google/hal_audio_default.te index 87d1d15a..5ee99469 100644 --- a/whitechapel/vendor/google/hal_audio_default.te +++ b/whitechapel/vendor/google/hal_audio_default.te 
@@ -27,3 +27,5 @@ userdebug_or_eng(` allow hal_audio_default self:unix_stream_socket create_stream_socket_perms; allow hal_audio_default audio_vendor_data_file:sock_file { create unlink }; ') + +wakelock_use(hal_audio_default); From a27f8c4480c67afb8f58faad50805959cd875bab Mon Sep 17 00:00:00 2001 From: Labib Date: Fri, 7 May 2021 09:20:02 +0800 Subject: [PATCH 252/921] Allow radioext to communicate with bt hal Bug: 187447420 Change-Id: I1a1626502a6c3913846b957c3c0a31fdd99feb31 --- whitechapel/vendor/google/hal_radioext_default.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/hal_radioext_default.te b/whitechapel/vendor/google/hal_radioext_default.te index a5344993..eef71cf6 100644 --- a/whitechapel/vendor/google/hal_radioext_default.te +++ b/whitechapel/vendor/google/hal_radioext_default.te @@ -7,6 +7,7 @@ get_prop(hal_radioext_default, hwservicemanager_prop) add_hwservice(hal_radioext_default, hal_radioext_hwservice) binder_call(hal_radioext_default, grilservice_app) +binder_call(hal_radioext_default, hal_bluetooth_btlinux) # RW /dev/oem_ipc0 allow hal_radioext_default radio_device:chr_file rw_file_perms; @@ -17,4 +18,4 @@ allow hal_radioext_default radio_vendor_data_file:file create_file_perms; allow hal_radioext_default sysfs_display:file rw_file_perms; # Bluetooth -allow hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager find; \ No newline at end of file +allow hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager find; From 15c046878bf2f2e6aafe452453f809a986bc27e1 Mon Sep 17 00:00:00 2001 From: Jia-yi Chen Date: Thu, 6 May 2021 18:03:20 -0700 Subject: [PATCH 253/921] Add high_capacity_start_cpu to u:object_r:sysfs_vendor_sched:s0 Bug: 186564130 Test: Boot & check powerhal log Change-Id: I1a828f113266d4b3386b2f6fa74df050255113a9 --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) 
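Review bot: `wakelock_use(hal_audio_default);` is added after the closing `')` of the userdebug_or_eng block, so it applies to user builds too, and nothing in the file records which audio path needs to hold the device awake. A one-line comment above it, for example `# b/178789331: audio HAL holds a wakelock while <use case>`, would let a later reader judge whether the grant is still required. The commit lists only "build pass" as its test, so the comment is the only record of why the permission exists.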
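Review bot: The new `binder_call(hal_radioext_default, hal_bluetooth_btlinux)` in the first hal_radioext_default.te hunk is grouped with the grilservice_app call, while the file already has a `# Bluetooth` section (second hunk) holding the coexistence hwservice `find` rule. Placing the binder_call under `# Bluetooth` keeps the rules that presumably form one Bluetooth path together, so they are reviewed or removed as a unit.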
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 33e2492a..c1b08082 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -107,6 +107,7 @@ genfscon sysfs /devices/platform/abrolhos genfscon sysfs /kernel/vendor_sched/clear_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 genfscon sysfs /kernel/vendor_sched/set_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 genfscon sysfs /kernel/vendor_sched/prefer_high_cap_enable u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/high_capacity_start_cpu u:object_r:sysfs_vendor_sched:s0 # GPS genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 From 0e68aed1541379b3df41616d17892c6895f77a09 Mon Sep 17 00:00:00 2001 From: Tai Kuo Date: Fri, 7 May 2021 13:14:25 +0800 Subject: [PATCH 254/921] Allow dumpstate to access twoshay Bug: 173330981 Bug: 187014717 Test: no avc denials for twoshay was found. Signed-off-by: Tai Kuo Change-Id: Idcf38e0921fb4d6d617e7cd443425193aea3fe91 --- whitechapel/vendor/google/hal_dumpstate_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 457335ac..97a419ce 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -54,6 +54,9 @@ allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms; allow hal_dumpstate_default sysfs_thermal:file r_file_perms; allow hal_dumpstate_default sysfs_thermal:lnk_file read; +allow hal_dumpstate_default touch_context_service:service_manager find; +binder_call(hal_dumpstate_default, twoshay) + # Modem logs allow hal_dumpstate_default modem_efs_file:dir search; allow hal_dumpstate_default modem_efs_file:file r_file_perms; From 8e3aaa30ff3e15da6e2d10fb4ef42ac338ce5302 Mon Sep 17 00:00:00 2001 
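Review bot: The two twoshay rules in the hal_dumpstate_default.te hunk are inserted between the thermal rules and `# Modem logs` without a section comment of their own. Add a header such as `# Touch context service (twoshay) dump` above `allow hal_dumpstate_default touch_context_service:service_manager find;`. The grant is unconditional; whether the touch dump is only needed on userdebug/eng builds cannot be told from the hunk, so it is worth stating in that comment.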
From: Tai Kuo Date: Fri, 7 May 2021 14:24:52 +0800 Subject: [PATCH 255/921] Remove dumpstate AVC denials dontaudit for twoshay Bug: 187014717 Test: pts-tradefed run pts -m PtsSELinuxTest -t \ com.google.android.selinux.pts.SELinuxTest#scanBugreport Signed-off-by: Tai Kuo Change-Id: Ic697ffe8f6ee15fb9d9330173a3c92aeca61de67 --- tracking_denials/dumpstate.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index 05b010e0..ffb8518c 100644 --- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te @@ -1,4 +1,2 @@ # b/185723618 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; -# b/187014717 -dontaudit dumpstate twoshay:binder call; From 72e6339123d8f2eaa775b2ad821e695c105d36d6 Mon Sep 17 00:00:00 2001 From: Seungah Lim Date: Fri, 23 Apr 2021 15:32:02 +0900 Subject: [PATCH 256/921] iwlan: update sepolicy for qualifiednetworksservice Bug: 185942456 Test: VoLTE/VoWifi Change-Id: I352bb933e577b11bb052a297d17776ff0a5f3a75 Signed-off-by: Seungah Lim --- whitechapel/vendor/google/seapp_contexts | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index e966e3d6..9c2f024f 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts 
@@ -9,9 +9,7 @@ user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode doma # Samsung S.LSI IMS user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_app levelFrom=all -user=system seinfo=platform name=com.shannon.dataservice domain=vendor_ims_app -user=system seinfo=platform name=com.shannon.networkservice domain=vendor_ims_app -user=system seinfo=platform name=com.shannon.qualifiednetworksservice domain=vendor_ims_app +user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_ims_app levelFrom=all # coredump/ramdump user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user From 59161a57452d841517afec1629943fdd0f7dc7bb Mon Sep 17 00:00:00 2001 From: chasewu Date: Fri, 7 May 2021 18:33:15 +0800 Subject: [PATCH 257/921] vibrator: Remove temporary method Bug: 177176811 Test: no avc denied logs Signed-off-by: chasewu Change-Id: I424e15037b3e20824f5e072d88bdf71a50cfdabf --- private/hal_vibrator_default.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 private/hal_vibrator_default.te diff --git a/private/hal_vibrator_default.te b/private/hal_vibrator_default.te deleted file mode 100644 index f565173c..00000000 --- a/private/hal_vibrator_default.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/177176811 -dontaudit hal_vibrator adbd_prop:file *; From 6297e8a5a7a71d888483a4df7bb3aa1dbd5081eb Mon Sep 17 00:00:00 2001 
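Review bot: The replacement entry for com.shannon.qualifiednetworksservice drops `seinfo=platform`, so assignment to vendor_ims_app now rests on the package name and the priv-app flag alone rather than also on the signing certificate. The two existing com.shannon.imsservice lines have the same shape, so this is consistent with the file. If the package is signed with a key that has an seinfo tag, adding a `seinfo=` selector would tie the domain to that key; whether such a tag exists in mac_permissions.xml is not visible here. The hunk also removes the com.shannon.dataservice and com.shannon.networkservice entries without mention in the commit message; a sentence on which domain those packages now run in would help.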
From: chenpaul Date: Mon, 10 May 2021 15:23:43 +0800 Subject: [PATCH 258/921] Sniffer Logger: Add dontaudit getattr for sysfs_wifi 05-10 15:04:37.376 12958 12958 I auditd : type=1400 audit(0.0:14): avc: denied { getattr } for comm="wifi_sniffer" path="/sys/wifi/firmware_path" dev="sysfs" ino=81201 scontext=u:r:wifi_sniffer:s0 tcontext=u:object_r:sysfs_wifi:s0 tclass=file permissive=0 Bug: 187583019 Test: Sniffer Logger is workable Change-Id: I6bce0bb58d951b6be39f58340b6418b328ffe386 --- whitechapel/vendor/google/wifi_sniffer.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/wifi_sniffer.te b/whitechapel/vendor/google/wifi_sniffer.te index b576f158..491162a0 100644 --- a/whitechapel/vendor/google/wifi_sniffer.te +++ b/whitechapel/vendor/google/wifi_sniffer.te @@ -2,4 +2,5 @@ userdebug_or_eng(` allow wifi_sniffer sysfs_wifi:dir search; allow wifi_sniffer sysfs_wifi:file w_file_perms; allow wifi_sniffer self:capability sys_module; + dontaudit wifi_sniffer sysfs_wifi:file getattr; ') From 1124aeaf32e10b9904a184b9283a8c2621bfb458 Mon Sep 17 00:00:00 2001 
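Review bot: `dontaudit wifi_sniffer sysfs_wifi:file getattr;` hides the denial instead of deciding on it, and the line carries no bug reference. The domain already holds `w_file_perms` on the same type, so if the stat of /sys/wifi/firmware_path is part of the normal write path, `allow wifi_sniffer sysfs_wifi:file getattr;` would state the real requirement. If the access is truly unneeded, keep the dontaudit and add `# b/187583019: getattr on firmware_path is not required`. The userdebug_or_eng block starts outside the hunk.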
From: Kyle Lin Date: Mon, 10 May 2021 16:09:22 +0800 Subject: [PATCH 259/921] Add policy for memlat governor needs create/delete perf events [ 31.756984] type=1400 audit(1620144320.436:11): avc: denied { perfmon } for comm="cpuhp/4" capability=38 scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=capability2 permissive=0 [ 31.757246] type=1400 audit(1620144320.436:12): avc: denied { sys_admin } for comm="cpuhp/4" capability=21 scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=capability permissive=0 [ 31.757352] type=1400 audit(1620144320.436:13): avc: denied { perfmon } for comm="cpuhp/4" capability=38 scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=capability2 permissive=0 [ 31.757450] type=1400 audit(1620144320.436:14): avc: denied { sys_admin } for comm="cpuhp/4" capability=21 scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=capability permissive=0 ... ... [ 215.584932] type=1400 audit(1620634018.936:191): avc: denied { cpu } for comm="cpuhp/4" scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=perf_event permissive=0 Bug: 187437491 Bug: 170479743 Test: build, boot and suspend/resume test 200 times. Change-Id: I4fd3d3fb915ca518ffa226f25298c94faaf867f1 --- whitechapel/vendor/google/kernel.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/kernel.te b/whitechapel/vendor/google/kernel.te index cab39fb5..0156784e 100644 --- a/whitechapel/vendor/google/kernel.te +++ b/whitechapel/vendor/google/kernel.te @@ -3,3 +3,7 @@ allow kernel vendor_fw_file:file r_file_perms; # ZRam allow kernel per_boot_file:file r_file_perms; + +# memlat needs permision to create/delete perf events when hotplug on/off +allow kernel self:capability2 perfmon; +allow kernel self:perf_event cpu; From bc525e1a497c0e71e25469505a3173a6799bd472 Mon Sep 17 00:00:00 2001 
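Review bot: The comment added to kernel.te misspells "permission" and does not record that `sys_admin`, which appears in the quoted denials, is left out (presumably on purpose). Suggested wording: `# memlat needs permission to create/delete perf events on CPU hotplug; perfmon only, sys_admin intentionally not granted`. Keeping that in the file guards against a later change adding the broader capability to clear the remaining log entries.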
From: Peter Csaszar Date: Fri, 7 May 2021 16:50:00 -0700 Subject: [PATCH 260/921] pixel-selinux: add SJTAG policies These are the SELinux policies for the DebugFS files of the SJTAG kernel interface. Bug: 184768605 Signed-off-by: Peter Csaszar Change-Id: I36996d6fd5fe09adb7a36be573cf57f15ea35756 --- whitechapel/vendor/google/file.te | 1 + whitechapel/vendor/google/genfs_contexts | 1 + whitechapel/vendor/google/shell.te | 6 ++++++ whitechapel/vendor/google/ssr_detector.te | 2 ++ 4 files changed, 10 insertions(+) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 4fae37ae..5868a14a 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -34,6 +34,7 @@ type vendor_maxfg_debugfs, fs_type, debugfs_type, sysfs_type; type vendor_charger_debugfs, fs_type, debugfs_type, sysfs_type; type vendor_votable_debugfs, fs_type, debugfs_type, sysfs_type; type vendor_battery_debugfs, fs_type, debugfs_type, sysfs_type; +type vendor_sjtag_debugfs, fs_type, debugfs_type, sysfs_type; # Exynos sysfs type sysfs_exynos_bts, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 45ec1595..1aeee8bb 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -284,6 +284,7 @@ genfscon debugfs /usb genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0 genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0 genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0 +genfscon debugfs /sjtag u:object_r:vendor_sjtag_debugfs:s0 # tracefs genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0 diff --git a/whitechapel/vendor/google/shell.te b/whitechapel/vendor/google/shell.te index 29274f5f..484e1501 100644 --- a/whitechapel/vendor/google/shell.te +++ b/whitechapel/vendor/google/shell.te 
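Review bot: In the file.te hunk `vendor_sjtag_debugfs` is declared with both `debugfs_type` and `sysfs_type`, copying the neighbouring declarations. Any domain that is allowed access through the sysfs_type attribute would then also reach the SJTAG debugfs files. For a debug-port interface the declaration should be `type vendor_sjtag_debugfs, fs_type, debugfs_type;` so that only the explicit rules in shell.te and ssr_detector.te apply.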
@@ -1 +1,7 @@ allow shell eco_service:service_manager find; + +# Allow access to the SJTAG kernel interface from the shell +userdebug_or_eng(` + allow shell vendor_sjtag_debugfs:dir r_dir_perms; + allow shell vendor_sjtag_debugfs:file rw_file_perms; +') diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te index ff3c40f9..37f571cd 100644 --- a/whitechapel/vendor/google/ssr_detector.te +++ b/whitechapel/vendor/google/ssr_detector.te @@ -12,6 +12,8 @@ userdebug_or_eng(` allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; get_prop(ssr_detector_app, vendor_aoc_prop) + allow ssr_detector_app vendor_sjtag_debugfs:dir r_dir_perms; + allow ssr_detector_app vendor_sjtag_debugfs:file rw_file_perms; ') get_prop(ssr_detector_app, vendor_ssrdump_prop) From 638778c654d6f3a818ed0715b0f31543143a499c Mon Sep 17 00:00:00 2001 From: Taeju Park Date: Fri, 7 May 2021 03:38:55 +0000 Subject: [PATCH 261/921] Grant vendor_sched sysfs nodes access Bug: 182509410 Signed-off-by: Taeju Park Change-Id: I53a879e904bef3c5b13127404f4f5c422abd46b4 --- whitechapel/vendor/google/genfs_contexts | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 45ec1595..cf257668 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
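Review bot: In the ssr_detector.te hunk the app domain receives `rw_file_perms` on vendor_sjtag_debugfs, while the rules just above it for the coredump files are read-only. If ssr_detector_app only reports SJTAG state, `allow ssr_detector_app vendor_sjtag_debugfs:file r_file_perms;` is sufficient; the commit message does not say that the app writes to the interface. A comment above the two new lines naming what is read or written would also match the commented block added to shell.te. The userdebug_or_eng block starts outside the hunk.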
@@ -110,10 +110,7 @@ genfscon sysfs /devices/platform/1ce00000.abrolhos genfscon sysfs /devices/platform/abrolhos u:object_r:sysfs_edgetpu:s0 # Vendor sched files -genfscon sysfs /kernel/vendor_sched/clear_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/set_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/prefer_high_cap_enable u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/high_capacity_start_cpu u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0 # GPS genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 From 60e0a18e2a48cc1b95ae093a83653ebaed59aac0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= Date: Tue, 11 May 2021 00:29:44 -0700 Subject: [PATCH 262/921] correctly label networking gadgets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is to pass system/netd/tests/netd_test.cpp: TEST(NetdSELinuxTest, CheckProperMTULabels) { // Since we expect the egrep regexp to filter everything out, // we thus expect no matches and thus a return code of 1 ASSERT_EQ(W_EXITCODE(1, 0), system("ls -Z /sys/class/net/*/mtu | egrep -q -v " "'^u:object_r:sysfs_net:s0 /sys/class/net/'")); } Test: atest, TreeHugger, manual observation of labeling Bug: 185962988 Signed-off-by: Maciej Żenczykowski Change-Id: Ib4f8aa6cc2e0f5a5bd432bcfe473e550f5c68132 --- whitechapel/vendor/google/genfs_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index baef90b9..65bda57f 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -66,6 +66,9 @@ genfscon sysfs /devices/platform/14700000.ufs/health_descriptor u:object genfscon sysfs /devices/platform/14700000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0 genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0 +# Tethering +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/gadget/net u:object_r:sysfs_net:s0 + # Vibrator genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-005a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043 u:object_r:sysfs_vibrator:s0 From 99853e483ba464815ec792cad2f1e0dc1d2382e3 Mon Sep 17 00:00:00 2001 From: sukiliu Date: Tue, 11 May 2021 17:23:23 +0800 Subject: [PATCH 263/921] Update avc error on ROM 7349999 avc: denied { call } for scontext=u:r:dumpstate:s0 tcontext=u:r:twoshay:s0 tclass=binder permissive=0 Bug: 187795940 Test: PtsSELinuxTestCases Change-Id: Ib85ee1d52915b292295b21df8df48c18761c088e --- tracking_denials/dumpstate.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index ffb8518c..513736b9 100644 --- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te @@ -1,2 +1,4 @@ # b/185723618 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; +# b/187795940 +dontaudit dumpstate twoshay:binder call; From 873511167c64fabdb2b960f990acb0ada47791d2 Mon Sep 17 00:00:00 2001 From: Midas Chien Date: Mon, 26 Apr 2021 20:50:15 +0800 Subject: [PATCH 264/921] Allowed PowerHAL service access Display node Bug: 164411401 Test: boot Change-Id: Idcc1338bc66a7479aed9efd4d1ebc82efd1b7c4d --- display/gs101/genfs_contexts | 1 + whitechapel/vendor/google/hal_power_default.te | 1 + 2 files changed, 2 insertions(+) diff --git a/display/gs101/genfs_contexts b/display/gs101/genfs_contexts index cc8eba70..6b155761 100644 --- a/display/gs101/genfs_contexts +++ b/display/gs101/genfs_contexts 
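Review bot: `dontaudit dumpstate twoshay:binder call;` in the tracking_denials/dumpstate.te hunk re-adds, under a new bug number, the same rule that PATCH 255 removed. That suggests the earlier grant to hal_dumpstate_default did not cover the call made from the dumpstate domain itself. The dontaudit keeps the failing call silent rather than resolving it, and the comment should say so, e.g. `# b/187795940: dumpstate -> twoshay binder call still denied; tracking only, remove once resolved`.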
@@ -11,3 +11,4 @@ genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2D0000/panel@0/compatible genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c300000.drmdecon/dqe/atc u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c300000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 diff --git a/whitechapel/vendor/google/hal_power_default.te b/whitechapel/vendor/google/hal_power_default.te index e1a32b85..4b95db79 100644 --- a/whitechapel/vendor/google/hal_power_default.te +++ b/whitechapel/vendor/google/hal_power_default.te @@ -6,6 +6,7 @@ allow hal_power_default cpuctl_device:file rw_file_perms; allow hal_power_default sysfs_gpu:file rw_file_perms; allow hal_power_default sysfs_devfreq_dir:dir r_dir_perms; allow hal_power_default sysfs_fabric:file rw_file_perms; +allow hal_power_default sysfs_display:file rw_file_perms; set_prop(hal_power_default, vendor_camera_prop) set_prop(hal_power_default, vendor_camera_debug_prop) set_prop(hal_power_default, vendor_camera_fatp_prop) From ab6df9cc18d886cf4741ceb8105f4480a729bfdd Mon Sep 17 00:00:00 2001 From: Qinchen Gu Date: Mon, 10 May 2021 17:06:01 -0700 Subject: [PATCH 265/921] Add SELinux policy for allowing dumping GSC info Bug: 185939493 Test: adb bugreport. Look for GSC-related info. Change-Id: I30dbb51781526d763205594283ca3b808f45d28f --- whitechapel/vendor/google/hal_dumpstate_default.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index c0871bb2..7d6d55df 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te 
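Review bot: `allow hal_power_default sysfs_display:file rw_file_perms;` opens every node labelled sysfs_display to PowerHAL writes. The genfs_contexts hunk in the same commit shows that label also covers `vblankoffdelay` and `dqe/atc`, not only the new `early_wakeup`. If early_wakeup is the only node PowerHAL needs, labelling it with a dedicated type (placeholder name `sysfs_display_early_wakeup`) and granting rw on that type would limit the write access to the one file. The commit message names only "Display node", so the narrower scope appears to match the intent.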
@@ -77,6 +77,10 @@ allow hal_dumpstate_default debugfs_f2fs:file r_file_perms; allow hal_dumpstate_default sysfs_scsi_devices_0000:dir r_dir_perms; allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms; +allow hal_dumpstate_default citadeld_service:service_manager find; +allow hal_dumpstate_default citadel_updater_exec:file execute_no_trans; +binder_call(hal_dumpstate_default, citadeld); + allow hal_dumpstate_default vendor_displaycolor_service:service_manager find; binder_call(hal_dumpstate_default, hal_graphics_composer_default); From 9e6528da087efc6a3f550ab5e842cf2dc3a288a6 Mon Sep 17 00:00:00 2001 From: Hridya Valsaraju Date: Mon, 10 May 2021 13:12:24 -0700 Subject: [PATCH 266/921] Label debugfs files correctly A few debugfs files are labelled as belonging to both debugfs_type and sysfs_type. Hence, any client that is provided access to sysfs_type will automatically be provided access to these files. This patch corrects the labelling for these files to prevent this. Test: build Bug: 186500818 Change-Id: I364a73a960824cc9051610032179fd5caeca09de --- whitechapel/vendor/google/file.te | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 5868a14a..532bb190 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te 
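Review bot: `allow hal_dumpstate_default citadel_updater_exec:file execute_no_trans;` lets the dumpstate HAL run the citadel updater binary inside its own domain, on all build types, and the three new lines have no comment. A header such as `# GSC (citadel) info for bugreports: citadel_updater is invoked for queries only` would record the intended use. Whether the invocation is in fact limited to query options cannot be seen from the policy, so that is worth confirming against the dumpstate HAL code.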
@@ -23,18 +23,18 @@ type vendor_misc_data_file, file_type, data_file_type; type vendor_rpmbmock_data_file, file_type, data_file_type; # Exynos debugfs -type vendor_ion_debugfs, fs_type, debugfs_type, sysfs_type; -type vendor_dmabuf_debugfs, fs_type, debugfs_type, sysfs_type; +type vendor_ion_debugfs, fs_type, debugfs_type; +type vendor_dmabuf_debugfs, fs_type, debugfs_type; type vendor_mali_debugfs, fs_type, debugfs_type; -type vendor_dri_debugfs, fs_type, debugfs_type, sysfs_type; -type vendor_pm_genpd_debugfs, fs_type, debugfs_type, sysfs_type; -type vendor_regmap_debugfs, fs_type, debugfs_type, sysfs_type; -type vendor_usb_debugfs, fs_type, debugfs_type, sysfs_type; -type vendor_maxfg_debugfs, fs_type, debugfs_type, sysfs_type; -type vendor_charger_debugfs, fs_type, debugfs_type, sysfs_type; -type vendor_votable_debugfs, fs_type, debugfs_type, sysfs_type; -type vendor_battery_debugfs, fs_type, debugfs_type, sysfs_type; -type vendor_sjtag_debugfs, fs_type, debugfs_type, sysfs_type; +type vendor_dri_debugfs, fs_type, debugfs_type; +type vendor_pm_genpd_debugfs, fs_type, debugfs_type; +type vendor_regmap_debugfs, fs_type, debugfs_type; +type vendor_usb_debugfs, fs_type, debugfs_type; +type vendor_maxfg_debugfs, fs_type, debugfs_type; +type vendor_charger_debugfs, fs_type, debugfs_type; +type vendor_votable_debugfs, fs_type, debugfs_type; +type vendor_battery_debugfs, fs_type, debugfs_type; +type vendor_sjtag_debugfs, fs_type, debugfs_type; # Exynos sysfs type sysfs_exynos_bts, sysfs_type, fs_type; From 70551d2bc99d7e0fae671fa83cd689c831546f0c Mon Sep 17 00:00:00 2001 
From: Hridya Valsaraju Date: Mon, 10 May 2021 15:38:15 -0700 Subject: [PATCH 267/921] Let debugfs be accessed only for non-user builds Since production devices(with user builds) must not mount debugfs, provide dumpstate HAL permission to access debugfs only in userdebug/eng builds. Also, delete dumpstate domain's access to vendor_dmabuf_debugfs(/d/dma_buf/bufinfo) since dumpstate now obtains the same information from /sys/kernel/dmabuf. Test: build Bug: 186500818 Change-Id: I17007d495fba6332bbf17dc7d030e5c6e4d5248b --- whitechapel/vendor/google/dumpstate.te | 1 - whitechapel/vendor/google/hal_dumpstate_default.te | 5 +++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/whitechapel/vendor/google/dumpstate.te b/whitechapel/vendor/google/dumpstate.te index 9b5c0538..7c024e3d 100644 --- a/whitechapel/vendor/google/dumpstate.te +++ b/whitechapel/vendor/google/dumpstate.te @@ -2,7 +2,6 @@ dump_hal(hal_telephony) dump_hal(hal_graphics_composer) userdebug_or_eng(` - allow dumpstate vendor_dmabuf_debugfs:file r_file_perms; allow dumpstate media_rw_data_file:file append; ') diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 97a419ce..f7a4537c 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -77,8 +77,6 @@ allow hal_dumpstate_default sysfs_chip_id:file r_file_perms; allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans; allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans; -allow hal_dumpstate_default debugfs_f2fs:dir r_dir_perms; -allow hal_dumpstate_default debugfs_f2fs:file r_file_perms; allow hal_dumpstate_default sysfs_scsi_devices_0000:dir r_dir_perms; allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms; 
@@ -131,6 +129,9 @@ userdebug_or_eng(` allow hal_dumpstate_default sysfs_bcl:lnk_file read; allow hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms; allow hal_dumpstate_default tcpdump_vendor_data_file:file create_file_perms; + allow hal_dumpstate_default debugfs_f2fs:dir r_dir_perms; + allow hal_dumpstate_default debugfs_f2fs:file r_file_perms; + set_prop(hal_dumpstate_default, vendor_tcpdump_log_prop) ') From 00e1b9a704abd57a160dd27d9caf8ad99bd6780a Mon Sep 17 00:00:00 2001 From: Kris Chen Date: Fri, 7 May 2021 17:46:02 +0800 Subject: [PATCH 268/921] Add sepolicy for the UDFPS antispoof property Fixes the following avc denial: /system/bin/init: type=1107 audit(0.0:4): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=fingerprint.disable.fake pid=364 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=0' android.hardwar: type=1400 audit(0.0:7): avc: denied { read } for name="u:object_r:vendor_fingerprint_fake_prop:s0" dev="tmpfs" ino=307 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:vendor_fingerprint_fake_prop:s0 tclass=file permissive=0 Bug: 187394838 Bug: 187562932 Test: Antispoof is disabled by default. Test: Use the following adb command to manully turn on antispoof. "setprop persist.vendor.fingerprint.disable.fake.override 0" Change-Id: I90d6ea70d5e0e1a125efb902f1fd61ff4b51baa2 --- whitechapel/vendor/google/hal_fingerprint_default.te | 3 +++ whitechapel/vendor/google/property.te | 3 +++ whitechapel/vendor/google/property_contexts | 3 +++ whitechapel/vendor/google/vendor_init.te | 5 +++++ 4 files changed, 14 insertions(+) diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te index a9bfbfc9..c6d64d5d 100644 --- a/whitechapel/vendor/google/hal_fingerprint_default.te +++ b/whitechapel/vendor/google/hal_fingerprint_default.te 
@@ -8,4 +8,7 @@ allow hal_fingerprint_default sysfs_fingerprint:dir r_dir_perms; allow hal_fingerprint_default sysfs_fingerprint:file rw_file_perms; allow hal_fingerprint_default fwk_stats_service:service_manager find; get_prop(hal_fingerprint_default, fingerprint_ghbm_prop) +userdebug_or_eng(` + get_prop(hal_fingerprint_default, vendor_fingerprint_fake_prop) +') add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice) diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 739075b9..f1e377f0 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -53,3 +53,6 @@ vendor_internal_prop(vendor_touchpanel_prop) # TCP logging vendor_internal_prop(vendor_tcpdump_log_prop) + +# Fingerprint +vendor_internal_prop(vendor_fingerprint_fake_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index c542d758..61497257 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -120,3 +120,6 @@ persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_pr vendor.tcpdump.log.ondemand u:object_r:vendor_tcpdump_log_prop:s0 vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0 vendor.tcpdump.output.dir u:object_r:vendor_tcpdump_log_prop:s0 + +# Fingerprint +vendor.fingerprint.disable.fake u:object_r:vendor_fingerprint_fake_prop:s0 diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 7bcb38b6..dedeaa7e 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -29,3 +29,8 @@ set_prop(vendor_init, vendor_secure_element_prop) get_prop(vendor_init, test_harness_prop) get_prop(vendor_init, vendor_battery_profile_prop) set_prop(vendor_init, vendor_battery_defender_prop) + +# Fingerprint property +userdebug_or_eng(` + set_prop(vendor_init, vendor_fingerprint_fake_prop) +') 
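Review bot: The property_contexts hunk labels `vendor.fingerprint.disable.fake`, but the test step in the commit message sets `persist.vendor.fingerprint.disable.fake.override`, which that prefix entry does not match. Unless it is labelled elsewhere, the override property keeps whatever default label applies and falls outside the userdebug_or_eng gating added in hal_fingerprint_default.te and vendor_init.te. If the override is meant to be covered, add `persist.vendor.fingerprint.disable.fake.override u:object_r:vendor_fingerprint_fake_prop:s0`. Because the property switches off an anti-spoof check, the `# Fingerprint` comment should also say it is debug-only.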
From 73b65a0f8b0ab5aeeee12ea4953e7e0bab4e4cf9 Mon Sep 17 00:00:00 2001 From: Wei Wang Date: Wed, 12 May 2021 03:53:17 +0000 Subject: [PATCH 269/921] Revert "Grant vendor_sched sysfs nodes access" This reverts commit 638778c654d6f3a818ed0715b0f31543143a499c. Reason for revert: b/187884708 Bug: 187884708 Change-Id: I60e80246345ca3e827d7b4749f25e2d5c4dddf9d --- whitechapel/vendor/google/genfs_contexts | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index cf257668..45ec1595 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -110,7 +110,10 @@ genfscon sysfs /devices/platform/1ce00000.abrolhos genfscon sysfs /devices/platform/abrolhos u:object_r:sysfs_edgetpu:s0 # Vendor sched files -genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/clear_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/set_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/prefer_high_cap_enable u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/high_capacity_start_cpu u:object_r:sysfs_vendor_sched:s0 # GPS genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 From 1d0e8106f34f1cee1ccdbb3fc4f467f0b31442f7 Mon Sep 17 00:00:00 2001 From: Taeju Park Date: Fri, 7 May 2021 03:38:55 +0000 Subject: [PATCH 270/921] Grant vendor_sched sysfs nodes access Bug: 182509410 Signed-off-by: Taeju Park Change-Id: I68bf0c6e4f7b53a871a3393cb317bf6c79ace5e3 --- whitechapel/vendor/google/genfs_contexts | 52 ++++++++++++++++++++++-- 1 file changed, 49 insertions(+), 3 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 1aeee8bb..a9b2c111 100644 --- a/whitechapel/vendor/google/genfs_contexts 
+++ b/whitechapel/vendor/google/genfs_contexts 
@@ -110,10 +110,56 @@ genfscon sysfs /devices/platform/1ce00000.abrolhos genfscon sysfs /devices/platform/abrolhos u:object_r:sysfs_edgetpu:s0 # Vendor sched files -genfscon sysfs /kernel/vendor_sched/clear_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/set_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/prefer_high_cap_enable u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/bg_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/bg_prefer_idle u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/bg_task_spreading u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/bg_uclamp_max u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/bg_uclamp_min u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/cam_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/cam_prefer_idle u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/cam_task_spreading u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/cam_uclamp_max u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/cam_uclamp_min u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/fg_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/fg_prefer_idle u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/fg_task_spreading u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/fg_uclamp_max u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/fg_uclamp_min u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/ta_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/ta_prefer_idle u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/ta_task_spreading u:object_r:sysfs_vendor_sched:s0 
+genfscon sysfs /kernel/vendor_sched/ta_uclamp_max u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/ta_uclamp_min u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/sys_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/sys_prefer_idle u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/sys_task_spreading u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/sys_uclamp_max u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/sys_uclamp_min u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/sysbg_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/sysbg_prefer_idle u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/sysbg_task_spreading u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/sysbg_uclamp_max u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/sysbg_uclamp_min u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/nnapi_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/nnapi_prefer_idle u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/nnapi_task_spreading u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/nnapi_uclamp_max u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/nnapi_uclamp_min u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/clear_group u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/set_task_group_bg u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/set_task_group_cam u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/set_task_group_fg u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/set_task_group_nnapi u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/set_task_group_sys 
u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/set_task_group_sysbg u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/set_task_group_ta u:object_r:sysfs_vendor_sched:s0 genfscon sysfs /kernel/vendor_sched/high_capacity_start_cpu u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/uclamp_effective_stats u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/reset_uclamp_stats u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/uclamp_stats u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/uclamp_threshold u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/uclamp_util_diff_stats u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/util_threshold u:object_r:sysfs_vendor_sched:s0 # GPS genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 From 03f4884884202e79e6960fd3efae0863b6c766f1 Mon Sep 17 00:00:00 2001 
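Review bot: Every node added under `/kernel/vendor_sched/` receives the single type `sysfs_vendor_sched`, so the policy cannot tell what look like statistics nodes (`uclamp_stats`, `uclamp_effective_stats`, `uclamp_util_diff_stats`) from the control nodes (`set_task_group_*`, `clear_group`, `*_uclamp_min`, `*_uclamp_max`, `reset_uclamp_stats`). A domain that is later given write access to this type for one purpose, such as moving a task between groups, could then write every tunable in the list. Consider a separate type for the task-group nodes or for the statistics. Also add a comment above the list, for example `# Labelled per node on purpose: the directory-wide label was reverted (b/187884708)`, so the enumeration is not collapsed back into a prefix rule.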
From: Thierry Strudel Date: Tue, 11 May 2021 14:50:36 -0700 Subject: [PATCH 271/921] com.qorvo.uwb: signed with dedicated key and running as android.uid.uwb uid Test: 05-11 21:05:48.077 786 786 I qorvo.uwb.main: UWB HAL start 05-11 21:05:48.078 412 412 I servicemanager: Found hardware.qorvo.uwb.IUwb/default in device VINTF manifest. 05-11 21:05:50.960 1639 1639 W PackageSettings: Missing permission state for package: com.qorvo.uwbtestapp.system 05-11 21:05:53.530 1639 1639 V StorageManagerService: Package com.qorvo.uwb does not have legacy storage 05-11 21:05:53.548 1639 1639 V StorageManagerService: Package com.qorvo.uwbtestapp.system does not have legacy storage 05-11 21:05:56.571 1639 1902 I am_proc_start: [0,3055,1083,com.qorvo.uwb,added application,com.qorvo.uwb] 05-11 21:05:56.571 1639 1902 I ActivityManager: Start proc 3055:com.qorvo.uwb/1083 for added application com.qorvo.uwb 05-11 21:05:56.653 1639 2264 I am_proc_bound: [0,3055,com.qorvo.uwb] 05-11 21:05:56.709 3055 3055 I TetheringManager: registerTetheringEventCallback:com.qorvo.uwb 05-11 21:05:56.710 3055 3055 V GraphicsEnvironment: ANGLE Developer option for 'com.qorvo.uwb' set to: 'default' 05-11 21:06:05.045 1639 1900 I am_pss : [3055,1083,com.qorvo.uwb,5719040,4239360,0,88702976,2,0,6] 05-11 21:06:07.233 1639 1981 I am_compact: [3055,com.qorvo.uwb,all,84816,39052,44628,0,-816,0,-816,816,26,0,0,-800,0,1921532,-768] 05-11 21:06:38.442 786 786 I qorvo.Uwb: open 05-11 21:06:38.443 786 786 I qorvo.uwb.McpsUtils: ListHardware 05-11 21:06:38.443 786 786 I qorvo.uwb.NlSocket: SendAndAwaitResponse 05-11 21:06:38.443 786 786 I qorvo.uwb.NlSocket: SendAndAwaitResponse: Read message 05-11 21:06:38.443 786 786 I qorvo.uwb.IeeeUtils: ListDevices 05-11 21:06:38.443 786 786 I qorvo.uwb.NlSocket: SendAndAwaitResponse 05-11 21:06:38.443 786 786 I qorvo.uwb.NlSocket: SendAndAwaitResponse: Read message 05-11 21:06:38.443 786 786 I qorvo.uwb.UwbIface: Load calibration on wpan0, hw index: 0 05-11 21:06:38.445 786 786 I 
qorvo.uwb.NlSocket: SendAndAwaitResponse 05-11 21:06:38.445 786 786 I qorvo.uwb.NlSocket: SendAndAwaitResponse: Read message 05-11 21:06:38.445 786 786 I qorvo.uwb.UwbIface: Load properties on wpan0, hw index: 0 05-11 21:06:38.446 786 786 I qorvo.Uwb: getIface 05-11 21:06:38.449 786 786 I qorvo.uwb.UwbIface: firaController 05-11 21:06:38.449 786 786 I qorvo.Uwb: listHardwareIndex 05-11 21:06:38.449 786 786 I qorvo.uwb.McpsUtils: ListHardware 05-11 21:06:38.449 786 786 I qorvo.uwb.NlSocket: SendAndAwaitResponse 05-11 21:06:38.450 786 786 I qorvo.uwb.NlSocket: SendAndAwaitResponse: Read message 05-11 21:06:38.450 786 786 I qorvo.Uwb: getIface 05-11 21:06:38.450 786 786 I qorvo.uwb.UwbIface: cccController Bug: 187766150 Signed-off-by: Thierry Strudel Change-Id: Ie667a666a445e907aa99542f1c52046522b5dd02 --- .../google/certs/com_qorvo_uwb.x509.pem | 29 +++++++++++++++++++ whitechapel/vendor/google/keys.conf | 3 ++ whitechapel/vendor/google/mac_permissions.xml | 3 ++ whitechapel/vendor/google/seapp_contexts | 2 +- whitechapel/vendor/google/uwb_vendor_app.te | 3 +- 5 files changed, 38 insertions(+), 2 deletions(-) create mode 100644 whitechapel/vendor/google/certs/com_qorvo_uwb.x509.pem diff --git a/whitechapel/vendor/google/certs/com_qorvo_uwb.x509.pem b/whitechapel/vendor/google/certs/com_qorvo_uwb.x509.pem new file mode 100644 index 00000000..0e7c9ed5 --- /dev/null +++ b/whitechapel/vendor/google/certs/com_qorvo_uwb.x509.pem 
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIF1TCCA72gAwIBAgIVALSpAFqvtr1ntTS7YgB0Y5R6WqEtMA0GCSqGSIb3DQEBCwUAMHoxCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw +EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEWMBQGA1UEAwwNY29tX3FvcnZv +X3V3YjAgFw0yMTA1MDQwNTAyMDlaGA8yMDUxMDUwNDA1MDIwOVowejELMAkGA1UEBhMCVVMxEzAR +BgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dvb2ds +ZSBJbmMuMRAwDgYDVQQLEwdBbmRyb2lkMRYwFAYDVQQDDA1jb21fcW9ydm9fdXdiMIICIjANBgkq +hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyoe1/UDAyMZd5iWqaKPDKN0cCESsWBTTkuLFpzMfcTEa +IyMORaIYriuAxvWhNzidPQvvRPyw0XQbl7GZLjXLF004G5xPTXFHIdtWv/scuC53INqTerppcHeW +fP4hfJPbZMQNcDB9EHa2bhA0wPdfoJD4cz8T7sgQcbRirdR8KoiOVWYe5UTSdk0df2IbiMZav2DJ +KhFql323emi4QHoDeUMAYy35mTh5vhfJ8NrCRAUwMh0zlw6LwZw/Dr8AbzDXl4Mo6Ij2pTn3/1zW +BPNkJonvONiMvuUUDl6LnP/41qhxYSg9RBp3wBJLknmfD/hEaXxTSLdkJyF43t61sU12mDQbLu4s +ZoiQKeKMJ0VpC56gUzkpnx3pzusq+/bAlTXf8Tfqrm7nizwR/69kntNYp8iaUJnvQQzlChc2lg2X +QNzf6zShPptpPqJIgmWawH6DL8JPHgkpguWyz47dWHCLnTfp8miEZPrQkPKL13SCMYCwxmlNYNWG +gUFPX5UJfnNVH4y2gPpXssROyKQKp/ArZkWb2zURrC1RUvNFADvvFt+hb2iXXVnfVeEtKAkSdhOj +RHwXhc/EtraSMMYUeO/uhUiPmPFR0FVLxCIm6i91/xqgWhKgRN0uatornO3lSNgzk4c7b0JCncEn +iArWJ516/nqWIvEdYjcqIBDAdSx8S1sCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU +EGKtCMO6w0UKLbAmd/laZERZZrkwHwYDVR0jBBgwFoAUEGKtCMO6w0UKLbAmd/laZERZZrkwDQYJ +KoZIhvcNAQELBQADggIBAIRowmuGiFeZdyDsbYi0iYISNW2HID4uLM3Pp8CEx5swlntJu1Z19R9t +fzzY9lvcMgdbdVJYnGrHzUGUCVqbhfDH7GxP9ybg1QUqYxi6AvZU3wrRqjoUoDw7HlecNBXFZI6z +0f2J3XSzST3kq5lCuUaEKGHkU8jVgwqVGMcz1foLGzBXQhMgIKl966c5DWoXsLToBCXrNgDokkHe +cj9tI1ufsWrSxl5/AT0/DMjHkcBmZk78RiTcGJtSZU8YwqNIQa+U2hpDE34iy2LC6YEqMKggjCm0 +6nOBbIH0EXnrr0iBX3YJmDM8O4a9eDpI7FSjabPx9YvfQne08pNwYkExOMafibyAwt7Du0cpxNkg +NE3xeDZ+TVr+4I10HF1gKpJ+rQsBOIYVTWLKATO4TMQxLNLY9oy2gt12PcsCdkOIThX4bAHXq1eY +ulAxoA7Hba2xq/wnh2JH5VZIjz3yZBJXX/GyFeHkqv7wFRVrx4DjZC1s5uTdqDh6y8pfM49w9/Zp +BKtz5B+37bC9FmM+ux39MElqx+kbsITzBDtDWa2Q8onWQR0R4WHI43n1mJSvW4cdR6Xf/a1msPXh 
+NHc3XCJYq4WvlMuXWEGVka20LPJXIjiuU3sB088YpjAG1+roSn//CL8N9iDWHCRXy+UKElIbhWLz +lHV8gmlwBAuAx9ITcTJr +-----END CERTIFICATE----- diff --git a/whitechapel/vendor/google/keys.conf b/whitechapel/vendor/google/keys.conf index 00dd8e6f..d18ca65c 100644 --- a/whitechapel/vendor/google/keys.conf +++ b/whitechapel/vendor/google/keys.conf @@ -1,2 +1,5 @@ [@MDS] ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/com_google_mds.x509.pem + +[@UWB] +ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/com_qorvo_uwb.x509.pem diff --git a/whitechapel/vendor/google/mac_permissions.xml b/whitechapel/vendor/google/mac_permissions.xml index 4b997c27..6cf15728 100644 --- a/whitechapel/vendor/google/mac_permissions.xml +++ b/whitechapel/vendor/google/mac_permissions.xml @@ -24,4 +24,7 @@ + + + diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index 9c2f024f..34007864 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts @@ -43,4 +43,4 @@ user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type= user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user # Qorvo UWB system app -user=system seinfo=platform name=com.qorvo.uwb domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all +user=uwb isPrivApp=true seinfo=uwb name=com.qorvo.uwb domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/whitechapel/vendor/google/uwb_vendor_app.te index e9f5a7cc..aee5c49f 100644 --- a/whitechapel/vendor/google/uwb_vendor_app.te +++ b/whitechapel/vendor/google/uwb_vendor_app.te 
@@ -8,4 +8,5 @@ allow uwb_vendor_app app_api_service:service_manager find; allow uwb_vendor_app hal_uwb_service:service_manager find; allow uwb_vendor_app nfc_service:service_manager find; -allow uwb_vendor_app uwb_vendor_data_file:dir { getattr search }; +allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms; +allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; From cb3f59b89e99a59e8ee8d7a9e5493729883b3dd6 Mon Sep 17 00:00:00 2001 From: jonerlin Date: Sat, 27 Mar 2021 13:50:48 +0800 Subject: [PATCH 272/921] bthal: allow bthal to access bluetooth kernel driver logbuffer_btlpm and logbuffer_btuart device node * add sepolicy rules to let bthal can access bluetooth kernel device nodes dev/logbuffer_btlpm and dev/logbuffer_tty16 in engineer or user debug build Bug: 177794127 Test: Manually Change-Id: I5253719df82ca7ef8e64cbd3f2b0ff6d3f088edc --- whitechapel/vendor/google/file_contexts | 2 ++ whitechapel/vendor/google/hal_bluetooth_btlinux.te | 1 + 2 files changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 08499a41..d479face 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -296,6 +296,8 @@ /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service\.bcmbtlinux u:object_r:hal_bluetooth_btlinux_exec:s0 /dev/wbrc u:object_r:wb_coexistence_dev:s0 /dev/ttySAC16 u:object_r:hci_attach_dev:s0 +/dev/logbuffer_btlpm u:object_r:logbuffer_device:s0 +/dev/logbuffer_tty16 u:object_r:logbuffer_device:s0 # Audio /mnt/vendor/persist/aoc(/.*)? u:object_r:persist_aoc_file:s0 diff --git a/whitechapel/vendor/google/hal_bluetooth_btlinux.te b/whitechapel/vendor/google/hal_bluetooth_btlinux.te index 3299ffe8..f348099e 100644 --- a/whitechapel/vendor/google/hal_bluetooth_btlinux.te +++ b/whitechapel/vendor/google/hal_bluetooth_btlinux.te 
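Review bot: The two added rules widen `uwb_vendor_data_file` access from `dir { getattr search }` to full `create_file_perms` and `create_dir_perms`, and neither the file nor the commit message says what the app stores there. The test log in the description shows only the HAL and the app starting, so it does not exercise these permissions. Add a comment above the rules naming the data that needs them, for example `# com.qorvo.uwb stores <data> in its own data directory`. If the app never creates entries itself, `r_dir_perms` and `rw_file_perms` would be enough. The start of the file is outside the hunk.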
@@ -18,4 +18,5 @@ allow hal_bluetooth_btlinux sscoredump_vendor_data_crashinfo_file:file create_fi userdebug_or_eng(` allow hal_bluetooth_btlinux sscoredump_vendor_data_coredump_file:dir create_dir_perms; allow hal_bluetooth_btlinux sscoredump_vendor_data_coredump_file:file create_file_perms; + allow hal_bluetooth_btlinux logbuffer_device:chr_file r_file_perms; ') From 4b59c5b98e363dc39f40af9f66765939cf8395a5 Mon Sep 17 00:00:00 2001 From: Grace Chen Date: Sun, 25 Apr 2021 22:02:56 -0700 Subject: [PATCH 273/921] Add selinux permissions for NFC/eSIM firmware upgrade and recovery Bug: 181246088 Test: Confirm selinux permissions. Change-Id: I71c59d1afc50e273b840cd2df7600b4e806c0661 --- .../google/certs/EuiccSupportPixel.x509.pem | 29 +++++++++++++++++++ whitechapel/vendor/google/euiccpixel_app.te | 21 ++++++++++++++ whitechapel/vendor/google/keys.conf | 3 ++ whitechapel/vendor/google/mac_permissions.xml | 3 ++ whitechapel/vendor/google/seapp_contexts | 4 +++ 5 files changed, 60 insertions(+) create mode 100644 whitechapel/vendor/google/certs/EuiccSupportPixel.x509.pem create mode 100644 whitechapel/vendor/google/euiccpixel_app.te diff --git a/whitechapel/vendor/google/certs/EuiccSupportPixel.x509.pem b/whitechapel/vendor/google/certs/EuiccSupportPixel.x509.pem new file mode 100644 index 00000000..d11ad3d0 --- /dev/null +++ b/whitechapel/vendor/google/certs/EuiccSupportPixel.x509.pem 
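Review bot: The added `allow hal_bluetooth_btlinux logbuffer_device:chr_file r_file_perms;` is written against the generic type `logbuffer_device`, which the file_contexts hunk of this commit assigns to `/dev/logbuffer_btlpm` and `/dev/logbuffer_tty16`. If other log buffer nodes carry that type as well (not visible here), the Bluetooth HAL on userdebug and eng builds can read those too. A dedicated type for the two Bluetooth nodes would keep the grant limited to what the commit message describes. The commit title names `logbuffer_btuart` while the labelled node is `logbuffer_tty16`; a comment on the file_contexts entry tying the two names together would help the next reader.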
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIF2zCCA8OgAwIBAgIVAIFP2e+Gh4wn4YFsSI7fRB6AXjIsMA0GCSqGSIb3DQEBCwUAMH4xCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw +EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEaMBgGA1UEAxMRRXVpY2NTdXBw +b3J0UGl4ZWwwHhcNMTkwMjI4MTkyMjE4WhcNNDkwMjI4MTkyMjE4WjB+MQswCQYDVQQGEwJVUzET +MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29v +Z2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxGjAYBgNVBAMTEUV1aWNjU3VwcG9ydFBpeGVsMIIC +IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqklePqeltzqnyXVch9eJRXFBRQQIBIJWhcXb +WIP/kZ28ISnQ2SrZisdxqtvRIeInxb7lU1rRQDfqCFSp/vMZ3l25Ryn6OVLFP4bxV1vO797t7Ef/ +amYA1mFKBsD4KLaIGj0/2RpGesneCOb0jWl2yRgIO2Ez7Y4YgWU/IoickZDLp1u6/7e7E/Qq9OXK +aXvtBSzooGrYC7eyKn7O21FOfz5cQRo4BipjJqXG5Ez8Vi+m/dL1IFRZheYttEf3v390vBcb0oJ0 +oYPzLxmnb1LchjZC3yLAknRA0hNt8clvJ3tjXFjtzCGKsQsT4rnvvGFFABJTCf3EdEiwBNS5U4ho ++9+EtH7PpuoC+uVv2rLv/Gb7stlGQGx32KmK2CfKED3PdNqoT7WRx6nvVjCk3i7afdUcxQxcS9td +5r80CB1bQEhS2sWLWB21PJrfMugWUJO5Bwz6u0es8dP+4FAHojIaF6iwB5ZYIuHGcEaOviHm4jOK +rrGMlLqTwuEhq2aVIP55u7XRV98JLs2hlE5DJOWCIsPxybUDiddFvR+yzi/4FimsxJlEmaQAQcki +uJ9DceVP03StPzFJSDRlqa4yF6xkZW5piNoANQ4MyI67V2Qf8g/L1UPYAi4hUMxQGo7Clw2hBRag +ZTm65Xc7+ovBYxl5YaXAmNoJbss34Lw8tdrn4EECAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNV +HQ4EFgQU+hQdFrOGuCDI+bbebssw9TL5FcYwHwYDVR0jBBgwFoAU+hQdFrOGuCDI+bbebssw9TL5 +FcYwDQYJKoZIhvcNAQELBQADggIBAGmyZHXddei/zUUMowiyi/MTtqXf9hKDEN4zhAXkuiuHxqA9 +Ii0J1Sxz2dd5NkqMmtePKYFSGA884yVm1KAne/uoCWj57IK3jswiRYnKhXa293DxA/K9wY27IGbp +ulSuuxbpjjV2tqGUuoNQGKX7Oy6s0GcibyZFc+LpD7ttGk5QoLC9qQdpXZgUv/yG2B99ERSXLCaL +EWMNP/oVZQOCQGfsFM1fPLn3X0ZuCOQg9bljxFf3jTl+H6PIAhpCjKeeUQYLc41eQkCyR/f67aRB +GvO4YDpXLn9eH23B+26rjPyFiVtMJ/jJZ7UEPeJ3XBj1COS/X7p9gGRS5rtfr9z7XxuMxvG0JU9U +XA+bMfOOfCqflvw6IyUg+oxjBFIhgiP4fxna51+BqpctvB0OeRwUm6y4nN06AwqtD8SteQrEn0b0 +IDWOKlVeh0lJWrDDEHr55dXSF+CbOPUDmMxmGoulOEOy/qSWIQi8BfvdX+e88CmracNRYVffLuQj +pRYN3TeiCJd+6/X9/x1Q8VLW7vOAb6uRyE2lOjX40DYBxK3xSq6J7Vp38f6z0vtQm2sAAQ4xqqon 
+A9tB5p+nJlYHgSxXOZx3C13Rs/eMmiGCKkSpCTnGCgBC7PfJDdMK6SLw5Gn4oyGoZo4fXbADuHrU +0JD1T1qdCm3aUSEmFgEA4rOL/0K3 +-----END CERTIFICATE----- diff --git a/whitechapel/vendor/google/euiccpixel_app.te b/whitechapel/vendor/google/euiccpixel_app.te new file mode 100644 index 00000000..db3d0aed --- /dev/null +++ b/whitechapel/vendor/google/euiccpixel_app.te @@ -0,0 +1,21 @@ +# EuiccSupportPixel app + +type euiccpixel_app, domain; +app_domain(euiccpixel_app) + +allow euiccpixel_app app_api_service:service_manager find; +allow euiccpixel_app radio_service:service_manager find; +allow euiccpixel_app nfc_service:service_manager find; +allow euiccpixel_app surfaceflinger_service:service_manager find; + +set_prop(euiccpixel_app, vendor_secure_element_prop) +set_prop(euiccpixel_app, vendor_modem_prop) + +userdebug_or_eng(` + net_domain(euiccpixel_app) + + # Access to directly upgrade firmware on secure_element used for engineering devices + typeattribute secure_element_device mlstrustedobject; + allow euiccpixel_app secure_element_device:chr_file rw_file_perms; +') + diff --git a/whitechapel/vendor/google/keys.conf b/whitechapel/vendor/google/keys.conf index d18ca65c..fb6e52b6 100644 --- a/whitechapel/vendor/google/keys.conf +++ b/whitechapel/vendor/google/keys.conf @@ -3,3 +3,6 @@ ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/com_google_md [@UWB] ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/com_qorvo_uwb.x509.pem + +[@EUICCSUPPORTPIXEL] +ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/EuiccSupportPixel.x509.pem diff --git a/whitechapel/vendor/google/mac_permissions.xml b/whitechapel/vendor/google/mac_permissions.xml index 6cf15728..6cb7113c 100644 --- a/whitechapel/vendor/google/mac_permissions.xml +++ b/whitechapel/vendor/google/mac_permissions.xml @@ -27,4 +27,7 @@ + + + diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index 34007864..fbf19390 100644 
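Review bot: `typeattribute secure_element_device mlstrustedobject;` inside the `userdebug_or_eng` block of euiccpixel_app.te changes the device type itself, not only this app's access. On those builds every domain that already has an allow rule on `secure_element_device` is exempt from the MLS checks for it. The attribute is presumably needed because the seapp_contexts entry runs the app with `levelFrom=all`; the comment should say so, for example `# levelFrom=all app cannot open the s0 chr_file without mlstrustedobject; applies to every domain with access to this type`. The two `set_prop` grants on `vendor_secure_element_prop` and `vendor_modem_prop` sit outside the debug block, so they apply on user builds, and no comment says which properties the app writes.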
--- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts @@ -44,3 +44,7 @@ user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicag # Qorvo UWB system app user=uwb isPrivApp=true seinfo=uwb name=com.qorvo.uwb domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all + +# Domain for EuiccSupportPixel +user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all + From a1bf959f13236c904502c64b965e566e13c52f33 Mon Sep 17 00:00:00 2001 From: Maurice Lam Date: Tue, 30 Mar 2021 04:45:53 +0000 Subject: [PATCH 274/921] DO NOT MERGE. Revert Exo selinux policies for S Bug: 188074060 Test: Forrest Change-Id: I3465d10c3731ae49fec6e6fb7f2873cf2e5b9c23 --- ambient/exo_app.te | 20 -------------------- ambient/seapp_contexts | 2 -- 2 files changed, 22 deletions(-) delete mode 100644 ambient/exo_app.te delete mode 100644 ambient/seapp_contexts diff --git a/ambient/exo_app.te b/ambient/exo_app.te deleted file mode 100644 index ef928f65..00000000 --- a/ambient/exo_app.te +++ /dev/null @@ -1,20 +0,0 @@ -type exo_app, coredomain, domain; - -app_domain(exo_app) -net_domain(exo_app) - -allow exo_app app_api_service:service_manager find; -allow exo_app audioserver_service:service_manager find; -allow exo_app cameraserver_service:service_manager find; -allow exo_app mediaserver_service:service_manager find; -allow exo_app radio_service:service_manager find; -allow exo_app fwk_stats_service:service_manager find; -allow exo_app mediametrics_service:service_manager find; -allow exo_app gpu_device:dir search; - -allow exo_app uhid_device:chr_file rw_file_perms; - -binder_call(exo_app, statsd) -binder_use(exo_app) - -get_prop(exo_app, device_config_runtime_native_boot_prop) diff --git a/ambient/seapp_contexts b/ambient/seapp_contexts deleted file mode 100644 index 8024688c..00000000 --- a/ambient/seapp_contexts +++ /dev/null 
@@ -1,2 +0,0 @@ -# Domain for Exo app -user=_app seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all From b08c98c2b4b4efb82679072f40ba00b3ab5c283f Mon Sep 17 00:00:00 2001 From: Manish Varma Date: Thu, 13 May 2021 15:58:34 -0700 Subject: [PATCH 275/921] genfs_contexts: fix path for p9412 i2c devices Due to recent changes which modifies the device name for i2c devices, p9412 device names are now changed from ?-003c to "i2c-p9412" Bug: 188078957 Test: Verified wlc works and no avc denials when running following command: $ dmesg | grep avc | grep sysfs Signed-off-by: Manish Varma Change-Id: Id0af1122f7182a866ab28c5317db139d8083a45d --- whitechapel/vendor/google/genfs_contexts | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index b5700448..d92db124 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -14,16 +14,16 @@ genfscon sysfs /devices/platform/google,charger # Slider genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0050 u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0050/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/7-003c u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/7-003c/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 # Whitefin genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050 u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply u:object_r:sysfs_batteryinfo:s0 # R4 / P7 LunchBox genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0025 u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0025/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-003c u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-003c/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/power_supply u:object_r:sysfs_batteryinfo:s0 
@@ -35,8 +35,8 @@ genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power # O6 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025 u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply u:object_r:sysfs_batteryinfo:s0 
@@ -226,8 +226,8 @@ genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_chip_id: genfscon sysfs /devices/system/chip-id/raw_str u:object_r:sysfs_chip_id:s0 # system_suspend wakeup nodes -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/power_supply/tcpm-source-psy-5-0025/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 
@@ -238,10 +238,10 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/power_supply/usb/wa genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0025/power_supply/tcpm-source-psy-6-0025/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 From 3868f8aa886edc8c711f9a8fddb8995dd9c6e2ae Mon Sep 17 00:00:00 2001 From: Manish Varma Date: Thu, 13 May 2021 17:23:51 -0700 Subject: [PATCH 276/921] genfs_contexts: fix path for max77759tcpc i2c devices Due to recent changes which modifies the device name for i2c devices, max77759tcpc device names are now changed from ?-0025 to "i2c-max77759tcpc" Bug: 188078957 Test: Verified charging works and no avc denials when running $ dmesg | grep avc | grep sysfs 
Signed-off-by: Manish Varma Change-Id: Ic1f6d018ce74348b4faa937720b50c7924bf9b7a --- whitechapel/vendor/google/genfs_contexts | 30 ++++++++++++------------ 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index d92db124..67d69928 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -20,8 +20,8 @@ genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412/power_supply genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050 u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply u:object_r:sysfs_batteryinfo:s0 # R4 / P7 LunchBox -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0025 u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0025/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply u:object_r:sysfs_batteryinfo:s0 
@@ -33,8 +33,8 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0036/power_supply genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power_stats u:object_r:sysfs_power_stats:s0 # O6 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025 u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply u:object_r:sysfs_batteryinfo:s0 @@ -42,8 +42,8 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0025 u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0025/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply u:object_r:sysfs_batteryinfo:s0 
@@ -229,23 +229,23 @@ genfscon sysfs /devices/system/chip-id/raw_str u:object_r:sysfs_chip_id: genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/power_supply/tcpm-source-psy-5-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-6/6-0025/power_supply/tcpm-source-psy-6-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 
@@ -254,9 +254,9 @@ genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/4-0008/wakeup/wakeup genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0025/power_supply/tcpm-source-psy-7-0025/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 From 194fef8b5a50662446e1a22305961230ec8e1732 Mon Sep 17 00:00:00 2001 From: Manish Varma Date: Thu, 13 May 2021 17:31:49 -0700 Subject: [PATCH 277/921] genfs_contexts: fix path for cs40l25a i2c devices Due to recent changes which modifies the device name for i2c devices, cs40l25a device names are now changed from ?-0043 to "i2c-cs40l25a" Bug: 188078957 Test: Verified haptic works and no avc denials when running following command: $ dmesg | grep avc | grep sysfs 
Signed-off-by: Manish Varma Change-Id: I47c423661d788c467d4cd1602fbc145bd715c67a --- whitechapel/vendor/google/genfs_contexts | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 67d69928..b3c98bee 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -71,9 +71,9 @@ genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/gadget/net u:object # Vibrator genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-005a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0042 u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 # Fingerprint genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0 
@@ -233,7 +233,7 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_sup genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0 
@@ -251,7 +251,7 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg/ genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/4-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 From fd2a6b9a7497c0ea1bf3d28c84f5bd9919a66ff0 Mon Sep 17 00:00:00 2001 From: Manish Varma Date: Thu, 13 May 2021 17:40:01 -0700 Subject: [PATCH 278/921] genfs_contexts: fix path for s2mpg1X i2c devices Due to recent changes which modifies the device name for i2c devices, s2mpg1xmfd device names are now changed from ?-00?f to "i2c-s2mpg10mfd" or "i2c-s2mpg11mfd" Bug: 188078957 Test: Verified no avc denials when running following command: $ dmesg | grep avc | grep sysfs Signed-off-by: Manish Varma Change-Id: I2c58773613071147336b4f338e4c4034ce90e9bd --- whitechapel/vendor/google/genfs_contexts | 48 ++++++++++++------------ 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index b3c98bee..a10e45f6 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -87,17 +87,17 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/usb/wa genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /sys/devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-source-psy-5-0050/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/3-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0 
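Review bot: The context line `genfscon sysfs /sys/devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup` in this hunk carries a `/sys` prefix. genfscon paths are taken relative to the root of the sysfs mount, so this entry presumably never matches a node. The line directly below it has the same path without the prefix and does the actual labelling. Since the commit already rewrites the neighbouring wakeup entries, this is a good place to delete the prefixed line so the file lists only rules that take effect.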
@@ -189,23 +189,23 @@ genfscon proc /bluetooth/sleep/btwrite genfscon proc /bluetooth/sleep/btwake u:object_r:proc_bluetooth_writable:s0 # ODPM -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 # bcl sysfs files genfscon sysfs /devices/virtual/pmic/mitigation/triggered_stats u:object_r:sysfs_bcl:s0 
@@ -240,16 +240,16 @@ genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/wakeup/wakeup 
u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/4-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 From 705ecbe0ab4aad899b24b5a57452000788e2460c Mon Sep 17 00:00:00 2001 From: Manish Varma Date: Thu, 13 May 2021 17:43:26 -0700 Subject: [PATCH 279/921] genfs_contexts: fix path for st21nfc i2c devices Due to recent changes which modifies the device name for i2c devices, st21nfc device names are now changed from ?-0008 to "i2c-st21nfc" Bug: 188078957 Test: Verified haptic works and no avc denials when running following command: $ dmesg | grep avc | grep sysfs Signed-off-by: Manish Varma Change-Id: I17464d2d01fb64447dd8828eb8f91e38717fac4c --- whitechapel/vendor/google/genfs_contexts | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index a10e45f6..5c0f499a 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -96,7 +96,7 @@ genfscon sysfs /sys/devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/ma genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-source-psy-5-0050/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/3-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0 @@ -250,7 +250,7 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/dc/wak genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/4-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 
@@ -314,8 +314,8 @@ genfscon sysfs /module/bcmdhd4389 # Power Stats genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/3-0008/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/4-0008/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0 From 30b9f8f277e003eb781623f41bfa03141b67c4a7 Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Fri, 7 May 2021 17:49:22 +0800 Subject: [PATCH 280/921] rfsd: fix permission error [RfsService::File] Failed to open file (4) (reason:Permission denied) Bug: 187148595 Change-Id: Ia553bbc1e1c86b7740b3925679a2da65d3314714 --- whitechapel/vendor/google/rfsd.te | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/rfsd.te b/whitechapel/vendor/google/rfsd.te index 212b6700..2f7102fc 100644 --- a/whitechapel/vendor/google/rfsd.te +++ b/whitechapel/vendor/google/rfsd.te @@ -16,6 +16,8 @@ allow rfsd modem_efs_file:file create_file_perms; allow rfsd radio_vendor_data_file:dir r_dir_perms; allow rfsd radio_vendor_data_file:file r_file_perms; +r_dir_file(rfsd, vendor_fw_file) + # Allow to access rfsd log file/dir allow rfsd vendor_log_file:dir search; allow rfsd vendor_rfsd_log_file:dir create_dir_perms; 
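Review bot: The added `r_dir_file(rfsd, vendor_fw_file)` in rfsd.te has no comment, while the other rule groups in this hunk each have one. The commit message quotes only the daemon's "Permission denied" log line, not the avc denial. The macro grants read on directories, files and symlinks of the whole `vendor_fw_file` type, so a reader cannot tell which firmware path rfsd needs or whether a narrower rule would do. I would add a line such as `# Allow rfsd to read firmware files labelled vendor_fw_file (b/187148595)` above it and record the denied path and class in the commit message.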
@@ -34,4 +36,4 @@ set_prop(rfsd, vendor_rild_prop) # Allow rfsd to access modem image file/dir allow rfsd modem_img_file:dir r_dir_perms; allow rfsd modem_img_file:file r_file_perms; -allow rfsd modem_img_file:lnk_file r_file_perms; \ No newline at end of file +allow rfsd modem_img_file:lnk_file r_file_perms; From 989855def7273fa84138c25aa28e44d41d84a890 Mon Sep 17 00:00:00 2001 From: qinyiyan Date: Tue, 11 May 2021 13:40:35 -0700 Subject: [PATCH 281/921] Add the TPU AIDL NNAPI HAL to the sepolicy. Test: Created Forrest build and flashed to phone. Bug: 187846367 Change-Id: I3ada9ecf3f94a594185049ddb95f13a6853841ba --- whitechapel/vendor/google/file_contexts | 1 + whitechapel/vendor/google/hal_neuralnetworks_darwinn.te | 3 +++ whitechapel/vendor/google/priv_app.te | 3 +++ whitechapel/vendor/google/service.te | 1 + whitechapel/vendor/google/service_contexts | 3 +++ 5 files changed, 11 insertions(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 08499a41..8ac89dba 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -340,6 +340,7 @@ # NeuralNetworks file contexts /vendor/bin/hw/android\.hardware\.neuralnetworks@1\.2-service-armnn u:object_r:hal_neuralnetworks_armnn_exec:s0 /vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-darwinn u:object_r:hal_neuralnetworks_darwinn_exec:s0 +/vendor/bin/hw/android\.hardware\.neuralnetworks@service-darwinn-aidl u:object_r:hal_neuralnetworks_darwinn_exec:s0 # GRIL /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 diff --git a/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te b/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te index 5bfbd02a..88a24db9 100644 --- a/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te +++ b/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te 
@@ -30,3 +30,6 @@ allow hal_neuralnetworks_darwinn proc_version:file r_file_perms; allow hal_neuralnetworks_darwinn fwk_stats_service:service_manager find; binder_call(hal_neuralnetworks_darwinn, system_server); binder_use(hal_neuralnetworks_darwinn) + +# TPU NNAPI to register the service to service_manager. +add_service(hal_neuralnetworks_darwinn, edgetpu_nnapi_service); diff --git a/whitechapel/vendor/google/priv_app.te b/whitechapel/vendor/google/priv_app.te index aed639f7..a1bb0cce 100644 --- a/whitechapel/vendor/google/priv_app.te +++ b/whitechapel/vendor/google/priv_app.te @@ -1,6 +1,9 @@ # Allows privileged applications to discover the EdgeTPU service. allow priv_app edgetpu_service:service_manager find; +# Allows privileged applications to discover the NNAPI TPU service. +allow priv_app edgetpu_nnapi_service:service_manager find; + # Allows privileged applications to access the EdgeTPU device, except open, # which is guarded by the EdgeTPU service. allow priv_app edgetpu_device:chr_file { getattr read write ioctl map }; diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te index d775ff08..c47e63f9 100644 --- a/whitechapel/vendor/google/service.te +++ b/whitechapel/vendor/google/service.te @@ -3,3 +3,4 @@ type uwb_vendor_service, service_manager_type, vendor_service; type touch_context_service, service_manager_type, vendor_service; type hal_uwb_service, service_manager_type, vendor_service; type edgetpu_vendor_service, service_manager_type, vendor_service; +type edgetpu_nnapi_service, app_api_service, service_manager_type, vendor_service; diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index 47b01ba4..4ce5c1bc 100644 --- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts 
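Review bot: `edgetpu_nnapi_service` is declared with `app_api_service` in service.te, and it is the only vendor service in that hunk to carry the attribute. The priv_app.te hunk then adds an explicit `allow priv_app edgetpu_nnapi_service:service_manager find;`. In the platform policy, app domains (untrusted apps included) are normally allowed to find anything tagged `app_api_service`, so the attribute likely exposes the service more widely than the priv_app rule suggests and makes that rule redundant. If every app is meant to reach the TPU NNAPI HAL, say so next to the type, e.g. `# Reachable from all apps through NNAPI, hence app_api_service`. If only privileged apps are, drop the attribute and keep the priv_app rule.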
@@ -2,6 +2,9 @@ com.google.edgetpu.IEdgeTpuService/default u:object_r:edgetpu_service:s0 com.google.edgetpu.IEdgeTpuVendorService/default u:object_r:edgetpu_vendor_service:s0 +# TPU NNAPI Service +android.hardware.neuralnetworks.IDevice/google-edgetpu u:object_r:edgetpu_nnapi_service:s0 + com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0 uwb_vendor u:object_r:uwb_vendor_service:s0 From 53c9a790023cb92b78c458d28dbae747058c86d8 Mon Sep 17 00:00:00 2001 From: sukiliu Date: Fri, 14 May 2021 12:05:48 +0800 Subject: [PATCH 282/921] Update avc error on ROM 7358093 Bug: 188114822 Bug: 188114896 Test: PtsSELinuxTestCases Change-Id: Ic5e865a921d0db981acfd936e1599a0ab220b975 --- private/wait_for_keymaster.te | 2 ++ tracking_denials/pixelstats_vendor.te | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 private/wait_for_keymaster.te diff --git a/private/wait_for_keymaster.te b/private/wait_for_keymaster.te new file mode 100644 index 00000000..0e29999c --- /dev/null +++ b/private/wait_for_keymaster.te @@ -0,0 +1,2 @@ +# b/188114822 +dontaudit wait_for_keymaster servicemanager:binder transfer; diff --git a/tracking_denials/pixelstats_vendor.te b/tracking_denials/pixelstats_vendor.te index 150de52c..4bc5f01f 100644 --- a/tracking_denials/pixelstats_vendor.te +++ b/tracking_denials/pixelstats_vendor.te @@ -3,3 +3,5 @@ dontaudit pixelstats_vendor sysfs_dma_heap:dir { search }; dontaudit pixelstats_vendor sysfs_dma_heap:file { read }; dontaudit pixelstats_vendor sysfs_dma_heap:file { open }; dontaudit pixelstats_vendor sysfs_dma_heap:file { getattr }; +# b/188114896 +dontaudit pixelstats_vendor debugfs_mgm:dir read; From 82408c931b50634dae874b2afa568115dfa7c6a8 Mon Sep 17 00:00:00 2001 
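Review bot: `dontaudit wait_for_keymaster servicemanager:binder transfer;` is created under private/ with only a bug number, while the other denial added by this commit goes to tracking_denials/. A dontaudit hides the denial from the logs without granting the access, so checks of the form `dmesg | grep avc` pass while the binder transfer is still refused. I would mark it as temporary in the file, e.g. `# TODO(b/188114822): remove once the transfer is allowed or no longer attempted`, so it is found again when the tracked denials are cleaned up. The same applies to the `debugfs_mgm` line added to tracking_denials/pixelstats_vendor.te.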
From: Kevin DuBois Date: Fri, 14 May 2021 10:52:27 -0700 Subject: [PATCH 283/921] sepolicy: update gpu nnhal file GPU nnhal needed a file update when update upgrading to 1.3 revision, modify this so the device uses all the 1.2 rules. Fixes: 187981206 Test: make sure hal starts Change-Id: Ie1054fc092f1aa459cd36b6eb0f0a1a5cc032dbc --- whitechapel/vendor/google/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 08499a41..71774ac5 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -338,7 +338,7 @@ /vendor/bin/aocd u:object_r:aocd_exec:s0 # NeuralNetworks file contexts -/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.2-service-armnn u:object_r:hal_neuralnetworks_armnn_exec:s0 +/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-armnn u:object_r:hal_neuralnetworks_armnn_exec:s0 /vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-darwinn u:object_r:hal_neuralnetworks_darwinn_exec:s0 # GRIL From bfbf29c18c89b0cc5d7c5cf4f07d362f8cc16c08 Mon Sep 17 00:00:00 2001 From: qinyiyan Date: Fri, 14 May 2021 13:54:04 -0700 Subject: [PATCH 284/921] Allows the edgetpu_logging service to write to the edgetpu sysfs. Test: make selinux_policy -j128 Bug: 151063663 Change-Id: I5ac619b34bb6fb17caa4c00ac62ac6802c776d84 --- whitechapel/vendor/google/edgetpu_logging.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/edgetpu_logging.te b/whitechapel/vendor/google/edgetpu_logging.te index 5954fdd4..8c2f0dc7 100644 --- a/whitechapel/vendor/google/edgetpu_logging.te +++ b/whitechapel/vendor/google/edgetpu_logging.te 
@@ -7,7 +7,7 @@ allow edgetpu_logging edgetpu_device:chr_file rw_file_perms; # Allows the logging service to access /sys/class/edgetpu allow edgetpu_logging sysfs_edgetpu:dir search; -allow edgetpu_logging sysfs_edgetpu:file r_file_perms; +allow edgetpu_logging sysfs_edgetpu:file rw_file_perms; # Allow TPU logging service to log to stats service. (metrics) allow edgetpu_logging fwk_stats_service:service_manager find; From 828114d4108063a744a1ef3c27914053acf6992f Mon Sep 17 00:00:00 2001 From: Sidath Senanayake Date: Mon, 17 May 2021 15:44:19 +0100 Subject: [PATCH 285/921] genfs_contexts: Specify correct GPU clock hint node Bug: 188404581 Bug: 188034128 Signed-off-by: Sidath Senanayake Change-Id: Id69f5cf8c95081fea7784520838a3f85aa58589c --- whitechapel/vendor/google/genfs_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 5c0f499a..93c2171f 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -304,7 +304,7 @@ genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_m genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq u:object_r:sysfs_fabric:s0 # GPU -genfscon sysfs /devices/platform/1c500000.mali/scaling_min_freq u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1c500000.mali/hint_min_freq u:object_r:sysfs_gpu:s0 # nvmem (Non Volatile Memory layer) genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/4-00500/nvmem u:object_r:sysfs_memory:s0 From 304a32c17e7cdbdeca46e0aeb69b631ade73f0f9 Mon Sep 17 00:00:00 2001 
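Review bot: In edgetpu_logging.te, changing `sysfs_edgetpu:file` from `r_file_perms` to `rw_file_perms` lets the logging service write every node carrying that label, not only the one it needs. The hunk does not show which attribute is written, and the comment above the rule still says only "access /sys/class/edgetpu". If a single node is involved, giving it its own type in genfs_contexts would keep the rest of `sysfs_edgetpu` read-only for this domain. At minimum the comment should name the target, e.g. `# Allows the logging service to read /sys/class/edgetpu and write <NODE_NAME>` (placeholder to be filled in by the author).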
From: Minchan Kim Date: Fri, 7 May 2021 12:59:26 -0700 Subject: [PATCH 286/921] sepolicy: gs101: allow duump page_pinner Provide necessary sepolicy for dumpreport to access page_pinner information in /sys/kernel/debug/page_pinner/{longterm_pinner, alloc_contig_failed} Bug: 187552095 Test: Run "adb bugreport " and verify it contains the output from page_pinner. Signed-off-by: Minchan Kim Change-Id: I2abc48f2a156718fd4bed3b51bdd285c6bf9f175 --- whitechapel/vendor/google/file.te | 1 + whitechapel/vendor/google/genfs_contexts | 1 + whitechapel/vendor/google/hal_dumpstate_default.te | 6 ++++++ 3 files changed, 8 insertions(+) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 532bb190..5fd7861e 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -25,6 +25,7 @@ type vendor_rpmbmock_data_file, file_type, data_file_type; # Exynos debugfs type vendor_ion_debugfs, fs_type, debugfs_type; type vendor_dmabuf_debugfs, fs_type, debugfs_type; +type vendor_page_pinner_debugfs, fs_type, debugfs_type, sysfs_type; type vendor_mali_debugfs, fs_type, debugfs_type; type vendor_dri_debugfs, fs_type, debugfs_type; type vendor_pm_genpd_debugfs, fs_type, debugfs_type; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 5c0f499a..615990a8 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -327,6 +327,7 @@ genfscon debugfs /maxfg_flip genfscon debugfs /dma_buf/bufinfo u:object_r:vendor_dmabuf_debugfs:s0 genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0 genfscon debugfs /ion u:object_r:vendor_ion_debugfs:s0 +genfscon debugfs /page_pinner u:object_r:vendor_page_pinner_debugfs:s0 genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0 genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0 genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0 
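Review bot: In file.te, `vendor_page_pinner_debugfs` is declared with `sysfs_type` as well as `debugfs_type`, while the neighbouring debugfs types in the same hunk carry only `fs_type, debugfs_type`. The matching genfs_contexts entry labels a debugfs path. Any rule written against the `sysfs_type` attribute would then also match these debugfs nodes, which looks unintended. Unless something outside this hunk relies on it, the declaration should read `type vendor_page_pinner_debugfs, fs_type, debugfs_type;`.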
diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 6629fe85..52f8fe20 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -102,6 +102,9 @@ userdebug_or_eng(` allow hal_dumpstate_default vendor_ion_debugfs:dir r_dir_perms; allow hal_dumpstate_default vendor_ion_debugfs:file r_file_perms; + allow hal_dumpstate_default vendor_page_pinner_debugfs:dir search; + allow hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms; + allow hal_dumpstate_default vendor_dri_debugfs:file r_file_perms; allow hal_dumpstate_default vendor_dri_debugfs:dir search; @@ -142,6 +145,9 @@ userdebug_or_eng(` dontaudit hal_dumpstate_default vendor_ion_debugfs:dir r_dir_perms; dontaudit hal_dumpstate_default vendor_ion_debugfs:file r_file_perms; +dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:dir search; +dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms; + dontaudit hal_dumpstate_default vendor_dri_debugfs:file r_file_perms; dontaudit hal_dumpstate_default vendor_dri_debugfs:dir search; From a8ceb3a7515331cb05d8af5f449711051d952293 Mon Sep 17 00:00:00 2001 From: Zhijun He Date: Mon, 17 May 2021 14:23:46 -0700 Subject: [PATCH 287/921] Grant dumpstate hal read permission of camera hal dump files Test: Build and capture bugreport Bug: 178737594 Change-Id: Iae9792a75dec574ff9fe0d246a7c166221565b16 --- whitechapel/vendor/google/hal_dumpstate_default.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 6629fe85..811e23e6 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te 
@@ -23,6 +23,10 @@ allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms; allow hal_dumpstate_default vendor_rfsd_log_file:dir r_dir_perms; allow hal_dumpstate_default vendor_rfsd_log_file:file r_file_perms; +# camera debugging dump file access +allow hal_dumpstate_default vendor_camera_data_file:dir r_dir_perms; +allow hal_dumpstate_default vendor_camera_data_file:file r_file_perms; + allow hal_dumpstate_default vendor_log_file:dir search; allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans; From e8ee41f9af092f19bb4d31acaa12cac28ea87af7 Mon Sep 17 00:00:00 2001 From: Yu-Chi Cheng Date: Mon, 17 May 2021 15:38:24 -0700 Subject: [PATCH 288/921] Renamed edgetpu_service to edgetpu_app_service. edgetpu_service was splitted into two in previous change: edgetpu_service and edgetpu_vendor_service, where the new vendor service for vendor clients, and the old service keeps serving app clients. This change updated the SELinux policy to rename the edgetpu_service into edgetpu_app_service to make the purpose clearer. Bug: 188463446 Test: Oriole + GCA Change-Id: I3a133319edc84fc02ef211934d0542575580da14 --- tracking_denials/edgetpu_server.te | 10 ----- .../vendor/google/edgetpu_app_service.te | 41 +++++++++++++++++++ whitechapel/vendor/google/edgetpu_service.te | 41 ------------------- whitechapel/vendor/google/file_contexts | 4 +- whitechapel/vendor/google/priv_app.te | 2 +- whitechapel/vendor/google/service_contexts | 2 +- .../vendor/google/untrusted_app_all.te | 2 +- 7 files changed, 46 insertions(+), 56 deletions(-) delete mode 100644 tracking_denials/edgetpu_server.te create mode 100644 whitechapel/vendor/google/edgetpu_app_service.te delete mode 100644 whitechapel/vendor/google/edgetpu_service.te diff --git a/tracking_denials/edgetpu_server.te b/tracking_denials/edgetpu_server.te deleted file mode 100644 index c187dfd8..00000000 --- a/tracking_denials/edgetpu_server.te +++ /dev/null 
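Review bot: The two new `vendor_camera_data_file` rules are added among the top-level rules of hal_dumpstate_default.te, so they appear to apply on user builds as well. The page_pinner debugfs reads added to this file in the preceding patch are wrapped in `userdebug_or_eng`. `r_dir_perms` and `r_file_perms` cover everything carrying that label, and the hunk does not show what else the camera HAL stores under it. If only debug dumps are meant to reach a bugreport, consider a dedicated type for the dump directory or a `userdebug_or_eng` gate. The comment should also say which path holds the dumps; the rest of the file lies outside the hunk.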
@@ -1,10 +0,0 @@
-# b/183055762
-dontaudit edgetpu_server tmpfs:file { read write };
-dontaudit edgetpu_server tmpfs:file { map };
-dontaudit edgetpu_server tmpfs:file { getattr };
-dontaudit edgetpu_server tmpfs:file { read write };
-dontaudit edgetpu_server tmpfs:file { map };
-dontaudit edgetpu_server tmpfs:file { getattr };
-# b/183935416
-dontaudit edgetpu_server proc_version:file { read };
-dontaudit edgetpu_server proc_version:file { read };
diff --git a/whitechapel/vendor/google/edgetpu_app_service.te b/whitechapel/vendor/google/edgetpu_app_service.te
new file mode 100644
index 00000000..ffecdd1f
--- /dev/null
+++ b/whitechapel/vendor/google/edgetpu_app_service.te
@@ -0,0 +1,41 @@
+# EdgeTPU app server process which runs the EdgeTPU binder service.
+type edgetpu_app_server, coredomain, domain;
+type edgetpu_app_server_exec, exec_type, system_file_type, file_type;
+init_daemon_domain(edgetpu_app_server)
+
+# The server will use binder calls.
+binder_use(edgetpu_app_server);
+
+# The server will serve a binder service.
+binder_service(edgetpu_app_server);
+
+# EdgeTPU binder service type declaration.
+type edgetpu_app_service, service_manager_type;
+
+# EdgeTPU server to register the service to service_manager.
+add_service(edgetpu_app_server, edgetpu_app_service);
+
+# EdgeTPU service needs to access /dev/abrolhos.
+allow edgetpu_app_server edgetpu_device:chr_file rw_file_perms;
+allow edgetpu_app_server sysfs_edgetpu:dir r_dir_perms;
+allow edgetpu_app_server sysfs_edgetpu:file rw_file_perms;
+
+# Applications are not allowed to open the EdgeTPU device directly.
+neverallow appdomain edgetpu_device:chr_file { open };
+
+# Allow EdgeTPU service to access the Package Manager service.
+allow edgetpu_app_server package_native_service:service_manager find;
+binder_call(edgetpu_app_server, system_server);
+
+# Allow EdgeTPU service to read EdgeTPU service related system properties.
+get_prop(edgetpu_app_server, vendor_edgetpu_service_prop);
+
+# Allow EdgeTPU service to generate Perfetto traces.
+perfetto_producer(edgetpu_app_server);
+
+# Allow EdgeTPU service to connect to the EdgeTPU vendor version of the service.
+allow edgetpu_app_server edgetpu_vendor_service:service_manager find;
+binder_call(edgetpu_app_server, edgetpu_vendor_server);
+
+# Allow EdgeTPU service to log to stats service. (metrics)
+allow edgetpu_app_server fwk_stats_service:service_manager find;
diff --git a/whitechapel/vendor/google/edgetpu_service.te b/whitechapel/vendor/google/edgetpu_service.te
deleted file mode 100644
index a90d3fd9..00000000
--- a/whitechapel/vendor/google/edgetpu_service.te
+++ /dev/null
@@ -1,41 +0,0 @@
-# EdgeTPU server process which runs the EdgeTPU binder service.
-type edgetpu_server, coredomain, domain;
-type edgetpu_server_exec, exec_type, system_file_type, file_type;
-init_daemon_domain(edgetpu_server)
-
-# The server will use binder calls.
-binder_use(edgetpu_server);
-
-# The server will serve a binder service.
-binder_service(edgetpu_server);
-
-# EdgeTPU binder service type declaration.
-type edgetpu_service, service_manager_type;
-
-# EdgeTPU server to register the service to service_manager.
-add_service(edgetpu_server, edgetpu_service);
-
-# EdgeTPU service needs to access /dev/abrolhos.
-allow edgetpu_server edgetpu_device:chr_file rw_file_perms;
-allow edgetpu_server sysfs_edgetpu:dir r_dir_perms;
-allow edgetpu_server sysfs_edgetpu:file rw_file_perms;
-
-# Applications are not allowed to open the EdgeTPU device directly.
-neverallow appdomain edgetpu_device:chr_file { open };
-
-# Allow EdgeTPU service to access the Package Manager service.
-allow edgetpu_server package_native_service:service_manager find;
-binder_call(edgetpu_server, system_server);
-
-# Allow EdgeTPU service to read EdgeTPU service related system properties.
-get_prop(edgetpu_server, vendor_edgetpu_service_prop);
-
-# Allow EdgeTPU service to generate Perfetto traces.
-perfetto_producer(edgetpu_server);
-
-# Allow EdgeTPU service to connect to the EdgeTPU vendor version of the service.
-allow edgetpu_server edgetpu_vendor_service:service_manager find;
-binder_call(edgetpu_server, edgetpu_vendor_server);
-
-# Allow EdgeTPU service to log to stats service. (metrics)
-allow edgetpu_server fwk_stats_service:service_manager find;
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 2be72002..9cdf164d 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -367,8 +367,8 @@ /vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0 # EdgeTPU service binaries and libraries -/system_ext/bin/hw/vendor\.google\.edgetpu@1\.0-service u:object_r:edgetpu_server_exec:s0 -/vendor/lib64/com\.google\.edgetpu-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 +/system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service u:object_r:edgetpu_app_server_exec:s0 +/vendor/lib64/com\.google\.edgetpu_app_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0 # EdgeTPU vendor service diff --git a/whitechapel/vendor/google/priv_app.te b/whitechapel/vendor/google/priv_app.te index a1bb0cce..a9b49c33 100644 --- a/whitechapel/vendor/google/priv_app.te +++ b/whitechapel/vendor/google/priv_app.te @@ -1,5 +1,5 @@ # Allows privileged applications to discover the EdgeTPU service. -allow priv_app edgetpu_service:service_manager find; +allow priv_app edgetpu_app_service:service_manager find; # Allows privileged applications to discover the NNAPI TPU service. allow priv_app edgetpu_nnapi_service:service_manager find; diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index 4ce5c1bc..4e005ec4 100644 --- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts @@ -1,5 +1,5 @@ # EdgeTPU service -com.google.edgetpu.IEdgeTpuService/default u:object_r:edgetpu_service:s0 +com.google.edgetpu.IEdgeTpuAppService/default u:object_r:edgetpu_app_service:s0 com.google.edgetpu.IEdgeTpuVendorService/default u:object_r:edgetpu_vendor_service:s0 # TPU NNAPI Service diff --git a/whitechapel/vendor/google/untrusted_app_all.te b/whitechapel/vendor/google/untrusted_app_all.te index ae7386fc..cd7fb41a 100644 --- a/whitechapel/vendor/google/untrusted_app_all.te +++ b/whitechapel/vendor/google/untrusted_app_all.te 
@@ -1,5 +1,5 @@ # Allows applications to discover the EdgeTPU service. -allow untrusted_app_all edgetpu_service:service_manager find; +allow untrusted_app_all edgetpu_app_service:service_manager find; # Allows applications to access the EdgeTPU device, except open, which is guarded # by the EdgeTPU service. From b9e4f7a759bf656dd452f146d3545cccd7efe75a Mon Sep 17 00:00:00 2001 From: Gary Jian Date: Tue, 27 Apr 2021 13:04:29 +0800 Subject: [PATCH 289/921] Add permission to access audiometricext hal for grilservice_app Bug: 182526894 Test: Manual Change-Id: I3ca85be7e5ab244e2dea2c6f7768f59c07b44525 --- whitechapel/vendor/google/grilservice_app.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/grilservice_app.te b/whitechapel/vendor/google/grilservice_app.te index 9b4eb3d3..50ff22a5 100644 --- a/whitechapel/vendor/google/grilservice_app.te +++ b/whitechapel/vendor/google/grilservice_app.te @@ -5,6 +5,8 @@ allow grilservice_app app_api_service:service_manager find; allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find; allow grilservice_app hal_radioext_hwservice:hwservice_manager find; allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find; +allow grilservice_app hal_audiometricext_hwservice:hwservice_manager find; binder_call(grilservice_app, hal_bluetooth_btlinux) binder_call(grilservice_app, hal_radioext_default) binder_call(grilservice_app, hal_wifi_ext) +binder_call(grilservice_app, hal_audiometricext_default) From 9de2688cd4395bd98eb47dacc093814c8cd3d954 Mon Sep 17 00:00:00 2001 
From: Roger Fang Date: Thu, 22 Apr 2021 21:54:27 +0800 Subject: [PATCH 290/921] sepolicy: gs101: add IAudioMetricExt settings E init : Could not start service 'audiometricext' as part of class 'hal': File /vendor/bin/hw/vendor.google.audiometricext@1.0-service-vendor(labeled "u:object_r:vendor_file:s0") vendor.google.a: type=1400 audit(0.0:3): avc: denied { read } for name="u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=188 scontext=u:r:hal_audiometricext_default:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1 E SELinux : avc: denied { find } for interface=vendor.google.audiometricext::IAudioMetricExt sid=u:r:hal_audiometricext_default:s0 pid=819 scontext=u:r:hal_audiometricext_default:s0 tcontext=u:object_r:default_android_hwservice:s0 tclass=hwservice_manager permissive=1 E SELinux : avc: denied { add } for interface=android.hidl.base::IBase sid=u:r:hal_audiometricext_default:s0 pid=795 scontext=u:r:hal_audiometricext_default:s0 tcontext=u:object_r:hidl_base_hwservice:s0 tclass=hwservice_manager permissive=1 Bug: 180627405 Test: manually test passed Signed-off-by: Roger Fang Change-Id: I91d76eb0ad5850e75ad865304d83f3025b981915 --- whitechapel/vendor/google/file_contexts | 4 ++++ whitechapel/vendor/google/genfs_contexts | 3 ++- .../vendor/google/hal_audiometricext_default.te | 12 ++++++++++++ whitechapel/vendor/google/hwservice.te | 4 ++++ whitechapel/vendor/google/hwservice_contexts | 4 ++++ 5 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 whitechapel/vendor/google/hal_audiometricext_default.te diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 2be72002..a722d053 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -320,6 +320,10 @@ /dev/acd-audio_dcdoff_ref u:object_r:aoc_device:s0 /dev/amcs u:object_r:amcs_device:s0 +# AudioMetric +/(vendor|system/vendor)/bin/hw/vendor\.google\.audiometricext@1\.0-service-vendor u:object_r:hal_audiometricext_default_exec:s0 + + # Trusty /vendor/bin/securedpud.slider u:object_r:securedpud_slider_exec:s0 /vendor/bin/storageproxyd u:object_r:tee_exec:s0 diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 84388ff0..b9ad98e7 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -357,4 +357,5 @@ genfscon sysfs /devices/platform/audiometrics/speaker_impedance u:object_ genfscon sysfs /devices/platform/audiometrics/speaker_excursion u:object_r:sysfs_pixelstats:s0 genfscon sysfs /devices/platform/audiometrics/speaker_heartbeat u:object_r:sysfs_pixelstats:s0 genfscon sysfs /devices/platform/audiometrics/speaker_temp u:object_r:sysfs_pixelstats:s0 - +genfscon sysfs /devices/platform/audiometrics/mic_broken_degrade u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/audiometrics/codec_crashed_counter u:object_r:sysfs_pixelstats:s0 diff --git a/whitechapel/vendor/google/hal_audiometricext_default.te b/whitechapel/vendor/google/hal_audiometricext_default.te new file mode 100644 index 00000000..5358eac4 --- /dev/null +++ b/whitechapel/vendor/google/hal_audiometricext_default.te @@ -0,0 +1,12 @@ +type hal_audiometricext_default, domain; +type hal_audiometricext_default_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(hal_audiometricext_default) + +allow hal_audiometricext_default amcs_device:chr_file rw_file_perms; +allow hal_audiometricext_default sysfs_pixelstats:file rw_file_perms; + +get_prop(hal_audiometricext_default, vendor_audio_prop); +get_prop(hal_audiometricext_default, hwservicemanager_prop); + +hwbinder_use(hal_audiometricext_default); +add_hwservice(hal_audiometricext_default, hal_audiometricext_hwservice); 
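Review bot: In the new hal_audiometricext_default.te, `allow hal_audiometricext_default sysfs_pixelstats:file rw_file_perms;` lets the HAL write every node labelled `sysfs_pixelstats`. Per the genfs_contexts hunk in this patch, that includes the existing speaker_* audiometrics nodes as well as the two added here. If the HAL only updates `mic_broken_degrade` and `codec_crashed_counter`, a narrower type for those nodes, or read-only access to the rest, would match what it needs. That is not determinable from the patch, so it is worth confirming with the HAL owner. The file also has no comments, unlike the other domain files in this series. A header such as `# AudioMetric HAL: talks to /dev/amcs and updates audiometrics counters in sysfs` plus one line per rule group would make the grants reviewable.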
diff --git a/whitechapel/vendor/google/hwservice.te b/whitechapel/vendor/google/hwservice.te index fc52990a..7ac98578 100644 --- a/whitechapel/vendor/google/hwservice.te +++ b/whitechapel/vendor/google/hwservice.te @@ -21,3 +21,7 @@ type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservi # Fingerprint type hal_fingerprint_ext_hwservice, hwservice_manager_type; + +# AudioMetric +type hal_audiometricext_hwservice, hwservice_manager_type; + diff --git a/whitechapel/vendor/google/hwservice_contexts b/whitechapel/vendor/google/hwservice_contexts index dfe9cfb5..c00e9572 100644 --- a/whitechapel/vendor/google/hwservice_contexts +++ b/whitechapel/vendor/google/hwservice_contexts @@ -29,3 +29,7 @@ hardware.google.bluetooth.sar::IBluetoothSar u:object_r # Fingerprint vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0 + +#Audio +vendor.google.audiometricext::IAudioMetricExt u:object_r:hal_audiometricext_hwservice:s0 + From 3be06b2ec90a9b0ed8318cdeac7b90322fdaa935 Mon Sep 17 00:00:00 2001 From: jintinglin Date: Tue, 18 May 2021 18:46:00 +0800 Subject: [PATCH 291/921] logger_app: Fix avc errors avc: denied { read } for name="level" dev="sysfs" ino=57112 scontext=u:r:logger_app:s0:c29,c257,c512,c768 tcontext=u:object_r:sysfs_sscoredump_level:s0 tclass=file permissive=0 app=com.android.pixellogger Bug: 187909426 Change-Id: I2037b1d2613736c8e1789bc96bfd4be0168444e0 --- whitechapel/vendor/google/logger_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te index 527491b5..93100f12 100644 --- a/whitechapel/vendor/google/logger_app.te +++ b/whitechapel/vendor/google/logger_app.te 
@@ -4,6 +4,7 @@ userdebug_or_eng(` allow logger_app vendor_slog_file:file {r_file_perms unlink}; allow logger_app vendor_gps_file:file create_file_perms; allow logger_app vendor_gps_file:dir create_dir_perms; + allow logger_app sysfs_sscoredump_level:file r_file_perms; get_prop(logger_app, usb_control_prop) set_prop(logger_app, vendor_logger_prop) From 970f15b13db7fae6214fb5d9772a397b7421b5cf Mon Sep 17 00:00:00 2001 From: Tri Vo Date: Mon, 17 May 2021 20:03:29 +0000 Subject: [PATCH 292/921] Fix file_contexts path for trusty_metricsd Bug: 188417701 Bug: 173423860 Test: trusty_metricsd starts Change-Id: I212c2d449441ac4b9238c8f7171982b253d4b6e0 --- whitechapel/vendor/google/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 2be72002..f492ffe7 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -324,7 +324,7 @@ /vendor/bin/securedpud.slider u:object_r:securedpud_slider_exec:s0 /vendor/bin/storageproxyd u:object_r:tee_exec:s0 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0 -/vendor/bin/trusty_metricsd\.gs101 u:object_r:trusty_metricsd_exec:s0 +/vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 /vendor/bin/hw/android\.hardware\.keymaster@4\.0-service\.trusty u:object_r:hal_keymaster_default_exec:s0 /vendor/bin/hw/android\.hardware\.confirmationui@1\.0-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0 From 494ac0cfe33b553adba5dc3f676cee04ec02dc72 Mon Sep 17 00:00:00 2001 From: yixuanjiang Date: Wed, 19 May 2021 14:11:42 +0800 Subject: [PATCH 293/921] Add sepolicy for aocdump to access wlan_logs folder Add related sepolicies on aoc dump when pixel logger using wlan config Bug: 188411088 
Signed-off-by: yixuanjiang Change-Id: I7a786f25b9094cc9ebeef79e4aff5522bde17d19 --- whitechapel/vendor/google/aocdump.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/aocdump.te b/whitechapel/vendor/google/aocdump.te index dabc5ed6..ca468a35 100644 --- a/whitechapel/vendor/google/aocdump.te +++ b/whitechapel/vendor/google/aocdump.te @@ -8,6 +8,8 @@ userdebug_or_eng(` allow aocdump radio_vendor_data_file:dir rw_dir_perms; allow aocdump radio_vendor_data_file:file create_file_perms; + allow aocdump wifi_logging_data_file:dir create_dir_perms; + allow aocdump wifi_logging_data_file:file create_file_perms; set_prop(aocdump, vendor_audio_prop); r_dir_file(aocdump, proc_asound) From b486ddedc50d52784bd57460cddb1d9a0f5d6b6f Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Wed, 19 May 2021 15:26:00 +0800 Subject: [PATCH 294/921] logger_app: Fix avc error avc: denied { search } for name="ramdump" dev="dm-7" ino=316 scontext=u:r:logger_app:s0:c17,c257,c512,c768 tcontext=u:object_r:ramdump_vendor_data_file:s0 tclass=dir permissive=0 avc: denied { search } for name="ssrdump" dev="dm-11" ino=292 scontext=u:r:logger_app:s0:c23,c257,c512,c768 tcontext=u:object_r:sscoredump_vendor_data_crashinfo_file:s0 tclass=dir permissive=0 Bug: 188601292 Bug: 188611595 Change-Id: If6b204bf0d5c502cf09c9fe70bcd572cfe2db016 --- whitechapel/vendor/google/logger_app.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te index 93100f12..fac3b5ea 100644 --- a/whitechapel/vendor/google/logger_app.te +++ b/whitechapel/vendor/google/logger_app.te 
@@ -5,6 +5,9 @@ userdebug_or_eng(` allow logger_app vendor_gps_file:file create_file_perms; allow logger_app vendor_gps_file:dir create_dir_perms; allow logger_app sysfs_sscoredump_level:file r_file_perms; + r_dir_file(logger_app, ramdump_vendor_data_file) + r_dir_file(logger_app, sscoredump_vendor_data_coredump_file) + r_dir_file(logger_app, sscoredump_vendor_data_crashinfo_file) get_prop(logger_app, usb_control_prop) set_prop(logger_app, vendor_logger_prop) From d733108c8f5b8c8654ee066ee04ee993457efb50 Mon Sep 17 00:00:00 2001 From: Maurice Lam Date: Tue, 30 Mar 2021 04:45:53 +0000 Subject: [PATCH 295/921] DO NOT MERGE. Revert Exo selinux policies for S Bug: 188074060 Test: Forrest Change-Id: I3465d10c3731ae49fec6e6fb7f2873cf2e5b9c23 --- ambient/exo_app.te | 20 -------------------- ambient/seapp_contexts | 2 -- 2 files changed, 22 deletions(-) delete mode 100644 ambient/exo_app.te delete mode 100644 ambient/seapp_contexts diff --git a/ambient/exo_app.te b/ambient/exo_app.te deleted file mode 100644 index ef928f65..00000000 --- a/ambient/exo_app.te +++ /dev/null @@ -1,20 +0,0 @@ -type exo_app, coredomain, domain; - -app_domain(exo_app) -net_domain(exo_app) - -allow exo_app app_api_service:service_manager find; -allow exo_app audioserver_service:service_manager find; -allow exo_app cameraserver_service:service_manager find; -allow exo_app mediaserver_service:service_manager find; -allow exo_app radio_service:service_manager find; -allow exo_app fwk_stats_service:service_manager find; -allow exo_app mediametrics_service:service_manager find; -allow exo_app gpu_device:dir search; - -allow exo_app uhid_device:chr_file rw_file_perms; - -binder_call(exo_app, statsd) -binder_use(exo_app) - -get_prop(exo_app, device_config_runtime_native_boot_prop) diff --git a/ambient/seapp_contexts b/ambient/seapp_contexts deleted file mode 100644 index 8024688c..00000000 --- a/ambient/seapp_contexts +++ /dev/null 
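Review bot: The three `r_dir_file(logger_app, ...)` lines grant read access to every file under the ramdump and sscoredump labels. The denials quoted in the commit message are only `search` on the ramdump and crashinfo directories, and `sscoredump_vendor_data_coredump_file` does not appear in them at all. The rules sit inside `userdebug_or_eng`, which limits exposure, but ramdumps and coredumps can hold memory contents of other processes. If the app only traverses these directories, `allow logger_app ramdump_vendor_data_file:dir search;` and the equivalent for the crashinfo type would cover the logged denials. Otherwise a comment stating why file contents are read would help; the `userdebug_or_eng` block itself starts outside the hunk.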
@@ -1,2 +0,0 @@ -# Domain for Exo app -user=_app seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all From 53aff191d2dc4c576baea3b68e4c43b9c3661821 Mon Sep 17 00:00:00 2001 From: iayara Date: Wed, 19 May 2021 17:08:21 -0700 Subject: [PATCH 296/921] Transition to using libedgetpu_util.so instead of libedgetpu_darwinn2.so. bug: b/182303547 Change-Id: Ia84e63fdfdeac5094752dfe9de84b75bd56aa131 --- whitechapel/vendor/google/file_contexts | 1 - 1 file changed, 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 93199325..01edb2a1 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -380,7 +380,6 @@ /vendor/lib64/com\.google\.edgetpu_vendor_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 # EdgeTPU runtime libraries -/vendor/lib64/libedgetpu_darwinn2\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0 # EdgeTPU data files From f7a97842544aef7e9759eb2ba31dcbd08da9174e Mon Sep 17 00:00:00 2001 
From: George Lee Date: Wed, 19 May 2021 18:56:55 -0700 Subject: [PATCH 297/921] power: mod sysfs_bcl path Recent change in kernel prompted path change. Bug: 186879633 Test: adb bugreport dumpstate_board.txt shows: ------ Mitigation Stats (/vendor/bin/sh -c echo "Source\t\tCount\tSOC\tTime\tVoltage"; for f in `ls /sys/devices/virtual/pmic/mitigation/last_triggered_count/*` ; do count=`cat $f`; a=${f/\/sys\/devices\/virtual\/pmic\/mitigation\/last_triggered_count\//}; b=${f/last_triggered_count/last_triggered_capacity}; c=${f/last_triggered_count/last_triggered_timestamp/}; d=${f/last_triggered_count/last_triggered_voltage/}; cnt=`cat $f`; cap=`cat ${b/count/cap}`; ti=`cat ${c/count/time}`; volt=`cat ${d/count/volt}`; echo "${a/_count/} \t$cnt\t$cap\t$ti\t$volt" ; done) ------ Source Count SOC Time Voltage batoilo 0 0 0 0 ocp_cpu1 0 0 0 0 ocp_cpu2 0 0 0 0 ocp_gpu 0 0 0 0 ocp_tpu 0 0 0 0 smpl_warn 0 0 0 0 soft_ocp_cpu1 0 0 0 0 soft_ocp_cpu2 0 0 0 0 soft_ocp_gpu 0 0 0 0 soft_ocp_tpu 0 0 0 0 vdroop1 0 0 0 0 vdroop2 0 0 0 0 ------ Clock Divider Ratio (/vendor/bin/sh -c echo "Source\t\tRatio"; for f in `ls /sys/devices/virtual/pmic/mitigation/clock_ratio/*` ; do ratio=`cat $f`; a=${f/\/sys\/devices\/virtual\/pmic\/mitigation\/clock_ratio\//}; echo "${a/_ratio/} \t$ratio" ; done) ------ Source Ratio cpu0_clk 0xf041c3 cpu1_heavy_clk 0xf041c3 cpu1_light_clk 0xf041c5 cpu2_heavy_clk 0xf041c3 cpu2_light_clk 0xf041c5 gpu_heavy_clk off gpu_light_clk off tpu_heavy_clk off tpu_light_clk off ------ Clock Stats (/vendor/bin/sh -c echo "Source\t\tStats"; for f in `ls /sys/devices/virtual/pmic/mitigation/clock_stats/*` ; do stats=`cat $f`; a=${f/\/sys\/devices\/virtual\/pmic\/mitigation\/clock_stats\//}; echo "${a/_stats/} \t$stats" ; done) ------ Source Stats cpu0_clk 0x101 cpu1_clk 0x101 cpu2_clk 0x101 gpu_clk off tpu_clk off ------ Triggered Level (/vendor/bin/sh -c echo "Source\t\tLevel"; for f in `ls /sys/devices/virtual/pmic/mitigation/triggered_lvl/*` ; do lvl=`cat $f`; 
a=${f/\/sys\/devices\/virtual\/pmic\/mitigation\/triggered_lvl\//}; echo "${a/_lvl/} \t$lvl" ; done) ------ Source Level ocp_cpu1 7000mA ocp_cpu2 12000mA ocp_gpu 12000mA ocp_tpu 10500mA smpl 2900mV soft_ocp_cpu1 7000mA soft_ocp_cpu2 12000mA soft_ocp_gpu 12000mA soft_ocp_tpu 10500mA Change-Id: Ibe303ad69ffb29f3c3bbd79d557d04138cd09bd7 --- whitechapel/vendor/google/genfs_contexts | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 8b6d018e..0f510427 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -156,12 +156,7 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-mete genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 # bcl sysfs files -genfscon sysfs /devices/virtual/pmic/mitigation/triggered_stats u:object_r:sysfs_bcl:s0 -genfscon sysfs /devices/virtual/pmic/mitigation/mpmm_settings u:object_r:sysfs_bcl:s0 -genfscon sysfs /devices/virtual/pmic/mitigation/ppm_settings u:object_r:sysfs_bcl:s0 -genfscon sysfs /devices/virtual/pmic/mitigation/clk_ratio u:object_r:sysfs_bcl:s0 -genfscon sysfs /devices/virtual/pmic/mitigation/clk_stats u:object_r:sysfs_bcl:s0 -genfscon sysfs /devices/virtual/pmic/max77759-mitigation/triggered_stats u:object_r:sysfs_bcl:s0 +genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0 # Chosen genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0 From 8fd76cee445eb827c45703208fefc96fb46996a2 Mon Sep 17 00:00:00 2001 
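Review bot: Labelling the whole `/devices/virtual/pmic/mitigation` prefix as `sysfs_bcl` replaces five per-node entries. Every current and future attribute under that directory becomes reachable by any domain that holds permissions on `sysfs_bcl`, including any with write access. The same hunk also drops the `max77759-mitigation/triggered_stats` entry with no replacement; if that path still exists on a supported kernel, it presumably falls back to the generic sysfs label. It is worth confirming which domains can write `sysfs_bcl` and that none of the newly covered nodes are tunables they should not touch. The section comment could record the intent, e.g. `# bcl sysfs files (entire mitigation directory; nodes live in subdirectories)`.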
From: Peter Csaszar Date: Fri, 7 May 2021 16:50:00 -0700 Subject: [PATCH 298/921] pixel-selinux: add SJTAG policies These are the SELinux policies for the sysfs files of the SJTAG kernel interface. The files are in the following directories: /sys/devices/platform/sjtag_ap/interface/ /sys/devices/platform/sjtag_gsa/interface/ Bug: 184768605 Signed-off-by: Peter Csaszar Change-Id: I4ecf5cec5bbd08a44d7dbf88de5f3bc58b6c4fe5 --- whitechapel/vendor/google/file.te | 4 +++- whitechapel/vendor/google/genfs_contexts | 5 ++++- whitechapel/vendor/google/shell.te | 4 ++-- whitechapel/vendor/google/ssr_detector.te | 4 ++-- 4 files changed, 11 insertions(+), 6 deletions(-) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 5fd7861e..257d1cea 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -35,7 +35,6 @@ type vendor_maxfg_debugfs, fs_type, debugfs_type; type vendor_charger_debugfs, fs_type, debugfs_type; type vendor_votable_debugfs, fs_type, debugfs_type; type vendor_battery_debugfs, fs_type, debugfs_type; -type vendor_sjtag_debugfs, fs_type, debugfs_type; # Exynos sysfs type sysfs_exynos_bts, sysfs_type, fs_type; @@ -208,3 +207,6 @@ type sysfs_pixelstats, fs_type, sysfs_type; # WLC FW type vendor_wlc_fwupdata_file, vendor_file_type, file_type; + +# SJTAG +type sysfs_sjtag, fs_type, sysfs_type; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index b9ad98e7..2b231c07 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -334,7 +334,6 @@ genfscon debugfs /usb genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0 genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0 genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0 -genfscon debugfs /sjtag u:object_r:vendor_sjtag_debugfs:s0 # tracefs genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0 @@ -359,3 +358,7 @@ genfscon sysfs /devices/platform/audiometrics/speaker_heartbeat u:object_ genfscon sysfs /devices/platform/audiometrics/speaker_temp u:object_r:sysfs_pixelstats:s0 genfscon sysfs /devices/platform/audiometrics/mic_broken_degrade u:object_r:sysfs_pixelstats:s0 genfscon sysfs /devices/platform/audiometrics/codec_crashed_counter u:object_r:sysfs_pixelstats:s0 + +# SJTAG +genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0 +genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_r:sysfs_sjtag:s0 diff --git a/whitechapel/vendor/google/shell.te b/whitechapel/vendor/google/shell.te index 484e1501..3dd4a705 100644 --- a/whitechapel/vendor/google/shell.te +++ b/whitechapel/vendor/google/shell.te @@ -2,6 +2,6 @@ allow shell eco_service:service_manager find; # Allow access to the SJTAG kernel interface from the shell userdebug_or_eng(` - allow shell vendor_sjtag_debugfs:dir r_dir_perms; - allow shell vendor_sjtag_debugfs:file rw_file_perms; + allow shell sysfs_sjtag:dir r_dir_perms; + allow shell sysfs_sjtag:file rw_file_perms; ') diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te index 37f571cd..a70edece 100644 --- a/whitechapel/vendor/google/ssr_detector.te +++ b/whitechapel/vendor/google/ssr_detector.te 
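Review bot: Nothing in the shell.te hunk or elsewhere in this patch makes the build enforce that `sysfs_sjtag` stays a debug-only interface: the type is declared unconditionally in file.te, and only the `userdebug_or_eng` wrappers here and in ssr_detector.te keep `rw_file_perms` on it away from user builds. Moving the nodes from debugfs to sysfs presumably means they are present on user builds too, so a later rule added outside the wrapper would expose them silently. I would state the constraint where the type is declared, e.g. `# SJTAG debug interface: all access must stay inside userdebug_or_eng`, and consider a `neverallow` on `sysfs_sjtag:file` writes for domains other than these two, if that is compatible with core-domain `sysfs_type` rules not visible in this hunk. The same two shell.te rules are re-added unchanged by the later hunk in PATCH 313.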
@@ -12,8 +12,8 @@ userdebug_or_eng(` allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; get_prop(ssr_detector_app, vendor_aoc_prop) - allow ssr_detector_app vendor_sjtag_debugfs:dir r_dir_perms; - allow ssr_detector_app vendor_sjtag_debugfs:file rw_file_perms; + allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; + allow ssr_detector_app sysfs_sjtag:file rw_file_perms; ') get_prop(ssr_detector_app, vendor_ssrdump_prop) From ba92629794b7754a4342afe3194d4211db6ddcf9 Mon Sep 17 00:00:00 2001 From: sukiliu Date: Thu, 20 May 2021 16:51:06 +0800 Subject: [PATCH 299/921] Update avc error on ROM 7380236 Bug: 188752787 Bug: 188752940 Test: PtsSELinuxTestCases Change-Id: I5b674d4696ef470956301388f3d0fcc4883010c6 --- tracking_denials/hal_dumpstate_default.te | 2 ++ tracking_denials/hal_power_default.te | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 tracking_denials/hal_dumpstate_default.te diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te new file mode 100644 index 00000000..cfc9c4eb --- /dev/null +++ b/tracking_denials/hal_dumpstate_default.te @@ -0,0 +1,2 @@ +# b/188752787 +dontaudit hal_dumpstate_default sysfs_aoc:dir search; diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te index ab5c7ecd..260747fc 100644 --- a/tracking_denials/hal_power_default.te +++ b/tracking_denials/hal_power_default.te @@ -10,3 +10,5 @@ dontaudit hal_power_default sysfs:file { read }; dontaudit hal_power_default sysfs:file { getattr }; dontaudit hal_power_default sysfs:file { read }; dontaudit hal_power_default sysfs:file { getattr }; +# b/188752940 +dontaudit hal_power_default hal_power_default:capability dac_read_search; From 560d12c3f15ec96b33045cb65b0a48ef24186d38 Mon Sep 17 00:00:00 2001 
From: Ken Huang Date: Tue, 18 May 2021 16:51:30 +0800 Subject: [PATCH 300/921] dumpstate: add sepolicy for hal_dumpstate to access sysfs_display Allow dumpstate to read panel extra info. Bug: 183061481 Test: adb bugreport Change-Id: I1902f28c2edceeb5b74ce655f83c8aea7c60825b --- whitechapel/vendor/google/genfs_contexts | 10 ++++++---- whitechapel/vendor/google/hal_dumpstate_default.te | 2 ++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 84388ff0..ae081e4a 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -168,10 +168,12 @@ genfscon sysfs /kernel/vendor_sched/util_threshold u genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 # Display -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 # TODO(b/184768835): remove this once the bug is fixed # Display / LHBM (Local High Brightness Mode) 
diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 38381b15..b109a5f8 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -90,6 +90,8 @@ binder_call(hal_dumpstate_default, citadeld); allow hal_dumpstate_default vendor_displaycolor_service:service_manager find; binder_call(hal_dumpstate_default, hal_graphics_composer_default); +allow hal_dumpstate_default sysfs_display:dir r_dir_perms; +allow hal_dumpstate_default sysfs_display:file r_file_perms; userdebug_or_eng(` allow hal_dumpstate_default mnt_vendor_file:dir search; From 168a6b0c7203df6842275b6a392eaa0fd81e4085 Mon Sep 17 00:00:00 2001 From: chasewu Date: Fri, 21 May 2021 17:32:53 +0800 Subject: [PATCH 301/921] genfs_contexts: fix path for cs40l25a i2c devices Due to recent changes which modifies the device name for i2c devices, cs40l25a device names are now changed from ?-0043 and ?-0042 to "i2c-cs40l25a" and "i2c-cs40l25a-dual" Bug: 188078957 Bug: 188651116 Test: manual check avc denied logs Signed-off-by: chasewu Change-Id: I97d3a030c94166f8e2cda7daa38166b1532b6d9f --- whitechapel/vendor/google/genfs_contexts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 1fa2a451..1f15f2f5 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
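Review bot: The two `sysfs_display` rules sit directly under the `binder_call(hal_dumpstate_default, hal_graphics_composer_default);` line with no comment, and they are placed outside the `userdebug_or_eng` block that follows, so they apply on user builds as well. The label also covers the gamma and hs_clock nodes listed in genfs_contexts, not only `panel_extinfo`, which the rule text does not make obvious. A line such as `# Read panel extra info (panel_extinfo) for bugreports, b/183061481` above them would document the intent. If `panel_extinfo` carries a per-panel identifier it is worth confirming that including it in user-build bug reports is acceptable.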
@@ -71,9 +71,9 @@ genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/gadget/net u:object # Vibrator genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-005a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0042 u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 # Fingerprint genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0 From 5aeb1b9e4556177eb6d85b5458390a967a452d0a Mon Sep 17 00:00:00 2001 From: Rick Yiu Date: Sat, 22 May 2021 13:17:04 +0800 Subject: [PATCH 302/921] gs101-sepolicy: Allow dumping vendor groups values Fix: avc: denied { read } for name="vendor_sched" dev="sysfs" ino=45566 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0 avc: denied { read } for name="dump_task_group_ta" dev="proc" ino=4026532542 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0 Bug: 172112042 Test: dump data as expected Change-Id: I9945953dba4afddd34c1535c12193b1f00fdcef9 --- whitechapel/vendor/google/file.te | 1 + whitechapel/vendor/google/genfs_contexts | 2 ++ whitechapel/vendor/google/hal_dumpstate_default.te | 4 ++++ 3 files changed, 7 insertions(+) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 257d1cea..2125c4be 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te 
@@ -144,6 +144,7 @@ type sysfs_edgetpu, sysfs_type, fs_type; # Vendor sched files type sysfs_vendor_sched, sysfs_type, fs_type; +type proc_vendor_sched, proc_type, fs_type; # GPS type vendor_gps_file, file_type, data_file_type; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 1fa2a451..6be99dbd 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -164,6 +164,8 @@ genfscon sysfs /kernel/vendor_sched/uclamp_threshold u genfscon sysfs /kernel/vendor_sched/uclamp_util_diff_stats u:object_r:sysfs_vendor_sched:s0 genfscon sysfs /kernel/vendor_sched/util_threshold u:object_r:sysfs_vendor_sched:s0 +genfscon proc /vendor_sched u:object_r:proc_vendor_sched:s0 + # GPS genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 38381b15..a0bbd3a9 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -91,6 +91,10 @@ binder_call(hal_dumpstate_default, citadeld); allow hal_dumpstate_default vendor_displaycolor_service:service_manager find; binder_call(hal_dumpstate_default, hal_graphics_composer_default); +allow hal_dumpstate_default sysfs_vendor_sched:file read; +allow hal_dumpstate_default proc_vendor_sched:dir r_dir_perms; +allow hal_dumpstate_default proc_vendor_sched:file r_file_perms; + userdebug_or_eng(` allow hal_dumpstate_default mnt_vendor_file:dir search; allow hal_dumpstate_default ramdump_vendor_mnt_file:dir search; From a97bfcc1e1e96fbeca8b10bab0ecdc0bf4c4b427 Mon Sep 17 00:00:00 2001 From: Roger Fang Date: Mon, 24 May 2021 08:16:34 +0000 Subject: [PATCH 303/921] sepolicy: gs101: add permission for the hardware info dsp part number Bug: 188757638 Test: Manually test passed 
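Review bot: `allow hal_dumpstate_default sysfs_vendor_sched:file read;` grants only `read`, while `open` and `getattr` are separate permissions, so unless another rule outside this hunk already grants them an open() by path on these nodes is still denied. The first denial quoted in the commit message is also for `tclass=dir` with `tcontext=u:object_r:sysfs:s0`, which a file rule on `sysfs_vendor_sched` does not address. Using `allow hal_dumpstate_default sysfs_vendor_sched:file r_file_perms;` would match the proc rules added beside it, and the directory denial needs either a label on `/kernel/vendor_sched` itself or a rule for the dir class. The enclosing policy file continues outside the hunk.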
Signed-off-by: Roger Fang Change-Id: Id0c3226411b058b613b92e67174f14e64c6c3a2b --- whitechapel/vendor/google/genfs_contexts | 1 + whitechapel/vendor/google/hardware_info_app.te | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 1fa2a451..6fb52537 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -354,6 +354,7 @@ genfscon sysfs /devices/platform/audiometrics/speaker_heartbeat u:object_ genfscon sysfs /devices/platform/audiometrics/speaker_temp u:object_r:sysfs_pixelstats:s0 genfscon sysfs /devices/platform/audiometrics/mic_broken_degrade u:object_r:sysfs_pixelstats:s0 genfscon sysfs /devices/platform/audiometrics/codec_crashed_counter u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/audiometrics/hwinfo_part_number u:object_r:sysfs_pixelstats:s0 # SJTAG genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0 diff --git a/whitechapel/vendor/google/hardware_info_app.te b/whitechapel/vendor/google/hardware_info_app.te index c5bfb879..b94d1138 100644 --- a/whitechapel/vendor/google/hardware_info_app.te +++ b/whitechapel/vendor/google/hardware_info_app.te @@ -7,3 +7,7 @@ allow hardware_info_app app_api_service:service_manager find; # Display allow hardware_info_app sysfs_display:dir search; allow hardware_info_app sysfs_display:file r_file_perms; + +# Audio +allow hardware_info_app sysfs_pixelstats:dir search; +allow hardware_info_app sysfs_pixelstats:file r_file_perms; From 68849437bdfcdebe6b02d8d7d7ecb3ec09ab9614 Mon Sep 17 00:00:00 2001 
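Review bot: Labeling `hwinfo_part_number` as `sysfs_pixelstats` means the new `allow hardware_info_app sysfs_pixelstats:file r_file_perms;` rule opens every audiometrics node with that label to the app (speaker_temp, mic_broken_degrade, codec_crashed_counter and the others in the same block), not only the part number the commit message asks for. A dedicated type for the part-number node would keep the grant to what is needed. If the shared label is kept, the `# Audio` comment should say so, e.g. `# Audio: DSP part number; note sysfs_pixelstats also covers the other audiometrics nodes`.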
From: Vinay Kalia Date: Mon, 24 May 2021 23:54:17 +0000 Subject: [PATCH 304/921] Allow mediacodec to access the vframe-secure DMA-BUF heap This patch fixes the following denial: HwBinder:751_2: type=1400 audit(0.0:9): avc: denied { open } for path="/dev/dma_heap/vframe-secure" dev="tmpfs" ino=734 scontext=u:r:mediacodec:s0 tcontext=u:object_r:vframe_heap_device:s0 tclass=chr_file permissive=0 Bug: 188121584 Test: AV1 secure video playback Signed-off-by: Vinay Kalia Change-Id: I455b39914dd4316a427f5f756b4fb94a2c4db204 --- whitechapel/vendor/google/mediacodec.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/mediacodec.te b/whitechapel/vendor/google/mediacodec.te index ed7c1adf..07a0a5b4 100644 --- a/whitechapel/vendor/google/mediacodec.te +++ b/whitechapel/vendor/google/mediacodec.te @@ -7,3 +7,4 @@ allow mediacodec hal_camera_default:binder call; allow mediacodec sysfs_video:file r_file_perms; allow mediacodec sysfs_video:dir r_dir_perms; allow mediacodec dmabuf_system_secure_heap_device:chr_file r_file_perms; +allow mediacodec vframe_heap_device:chr_file r_file_perms; From b8aebc85e17d38e3d1293ae3c80041832efd3ba3 Mon Sep 17 00:00:00 2001 
From: Ocean Chen Date: Mon, 24 May 2021 14:57:33 +0800 Subject: [PATCH 305/921] storage: update sepolicy for hardwareinfoservice avc: denied { search } for name="0:0:0:0" dev="sysfs" ino=57525 scontext=u:r:hardware_info_app:s0:c512,c768 avc: denied { search } for name="health_descriptor" dev="sysfs" ino=57017 scontext=u:r:hardware_info_app:s0:c512,c768 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=0 app=com.google.android.hardwareinfo avc: denied { search } for name="health_descriptor" dev="sysfs" ino=57017 scontext=u:r:hardware_info_app:s0:c512,c768 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=0 app=com.google.android.hardwareinfo avc: denied { read } for name="vpd_pg80" dev="sysfs" ino=57559 scontext=u:r:hardware_info_app:s0:c512,c768 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0 app=com.google.android.hardwareinfo avc: denied { read } for name="model" dev="sysfs" ino=57534 scontext=u:r:hardware_info_app:s0:c512,c768 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0 app=com.google.android.hardwareinfo avc: denied { read } for name="vendor" dev="sysfs" ino=57533 scontext=u:r:hardware_info_app:s0:c512,c768 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0 app=com.google.android.hardwareinfo avc: denied { read } for name="rev" dev="sysfs" ino=57535 scontext=u:r:hardware_info_app:s0:c512,c768 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0 app=com.google.android.hardwareinfo avc: denied { read } for name="eol_info" dev="sysfs" ino=57020 scontext=u:r:hardware_info_app:s0:c512,c768 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0 app=com.google.android.hardwareinfo avc: denied { read } for name="life_time_estimation_a" dev="sysfs" ino=57021 scontext=u:r:hardware_info_app:s0:c512,c768 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0 app=com.google.android.hardwareinfo Bug: 188755652 
Test: reboot then check hardwareinfo and avc denined log Change-Id: Ia03ebdd6b0b46b4c9ace5fbf1fc47a455a55abcb --- tracking_denials/hardware_info_app.te | 4 ---- whitechapel/vendor/google/hardware_info_app.te | 4 ++++ 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tracking_denials/hardware_info_app.te b/tracking_denials/hardware_info_app.te index 810cb701..8e02952f 100644 --- a/tracking_denials/hardware_info_app.te +++ b/tracking_denials/hardware_info_app.te @@ -1,12 +1,8 @@ # b/181177926 -dontaudit hardware_info_app sysfs_scsi_devices_0000:file { getattr }; -dontaudit hardware_info_app sysfs_scsi_devices_0000:file { open }; dontaudit hardware_info_app sysfs_batteryinfo:file { read }; dontaudit hardware_info_app sysfs:file { read }; dontaudit hardware_info_app sysfs:file { open }; dontaudit hardware_info_app sysfs:file { getattr }; -dontaudit hardware_info_app sysfs_scsi_devices_0000:dir { search }; -dontaudit hardware_info_app sysfs_scsi_devices_0000:file { read }; dontaudit hardware_info_app sysfs_batteryinfo:dir { search }; # b/181914888 dontaudit hardware_info_app sysfs_batteryinfo:file { open }; diff --git a/whitechapel/vendor/google/hardware_info_app.te b/whitechapel/vendor/google/hardware_info_app.te index b94d1138..90ed9a60 100644 --- a/whitechapel/vendor/google/hardware_info_app.te +++ b/whitechapel/vendor/google/hardware_info_app.te @@ -11,3 +11,7 @@ allow hardware_info_app sysfs_display:file r_file_perms; # Audio allow hardware_info_app sysfs_pixelstats:dir search; allow hardware_info_app sysfs_pixelstats:file r_file_perms; + +# Storage +allow hardware_info_app sysfs_scsi_devices_0000:dir search; +allow hardware_info_app sysfs_scsi_devices_0000:file r_file_perms; \ No newline at end of file From c5fdb5928728b297340f36baf9aa22b91e3c7af6 Mon Sep 17 00:00:00 2001 
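Review bot: The added Storage block ends with `\ No newline at end of file`, so the next rule appended to hardware_info_app.te, or the next source file if the policy build concatenates without a separator, can be fused onto `allow hardware_info_app sysfs_scsi_devices_0000:file r_file_perms;`; terminate the last line. Separately, the denials listed in the commit message include `vpd_pg80`, which on SCSI devices normally holds the unit serial number, and the rule grants read on every node labeled `sysfs_scsi_devices_0000` rather than on the handful named there. A comment like `# Storage: model/vendor/rev, health descriptor and vpd_pg80 (device serial)` would make the exposure of a persistent identifier visible to later reviewers.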
From: Shawn Willden Date: Thu, 22 Apr 2021 13:23:54 -0600 Subject: [PATCH 306/921] Add sepolicy for Trusty keymint Bug: 177729159 Test: VtsAidlKeyMintTargetTest on P21 Change-Id: I993faa2a829d3ad4f1b920ff59ba4fd5ef8e7db7 --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 01edb2a1..5c4b5209 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -331,6 +331,7 @@ /vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 /vendor/bin/hw/android\.hardware\.keymaster@4\.0-service\.trusty u:object_r:hal_keymaster_default_exec:s0 +/vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0 /vendor/bin/hw/android\.hardware\.confirmationui@1\.0-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 From 073a0f5ed12e7bb6bade74e0a0bf2fe2aae322cc Mon Sep 17 00:00:00 2001 From: sukiliu Date: Wed, 26 May 2021 11:11:03 +0800 Subject: [PATCH 307/921] Update avc error on ROM 7395282 avc: denied { dac_override } for comm="rebalance_inter" capability=1 scontext=u:r:rebalance_interrupts_vendor:s0 tcontext=u:r:rebalance_interrupts_vendor:s0 tclass=capability permissive=0 Bug: 189275648 Test: PtsSELinuxTestCases Change-Id: I637f1fcd901b8bf59096ba83c927b4d353f0405b --- tracking_denials/rebalance_interrupts_vendor.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 tracking_denials/rebalance_interrupts_vendor.te diff --git a/tracking_denials/rebalance_interrupts_vendor.te b/tracking_denials/rebalance_interrupts_vendor.te new file mode 100644 index 00000000..f6cec9e1 --- /dev/null +++ b/tracking_denials/rebalance_interrupts_vendor.te 
@@ -0,0 +1,2 @@ +# b/189275648 +dontaudit rebalance_interrupts_vendor rebalance_interrupts_vendor:capability dac_override; From e952c414eccc7b69cfedc6b2ebfd7d634c9b61fd Mon Sep 17 00:00:00 2001 From: Harpreet Eli Sangha Date: Thu, 22 Apr 2021 11:50:12 +0900 Subject: [PATCH 308/921] Add CccDkTimeSyncService Bug: 183676280 Test: Build and run example client. Signed-off-by: Harpreet Eli Sangha Change-Id: I862d5f3e8be3cf7d23489be374fabf26e29e0ca5 --- whitechapel/vendor/google/cccdk_timesync_app.te | 10 ++++++++++ whitechapel/vendor/google/seapp_contexts | 2 ++ 2 files changed, 12 insertions(+) create mode 100644 whitechapel/vendor/google/cccdk_timesync_app.te diff --git a/whitechapel/vendor/google/cccdk_timesync_app.te b/whitechapel/vendor/google/cccdk_timesync_app.te new file mode 100644 index 00000000..f6e514d9 --- /dev/null +++ b/whitechapel/vendor/google/cccdk_timesync_app.te @@ -0,0 +1,10 @@ +type vendor_cccdktimesync_app, domain; +app_domain(vendor_cccdktimesync_app) + +allow vendor_cccdktimesync_app app_api_service:service_manager find; + +binder_call(vendor_cccdktimesync_app, hal_bluetooth_btlinux) +allow vendor_cccdktimesync_app hal_bluetooth_coexistence_hwservice:hwservice_manager find; + +# allow the HAL to call our registered callbacks +binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app) diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index fbf19390..09864396 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts @@ -48,3 +48,5 @@ user=uwb isPrivApp=true seinfo=uwb name=com.qorvo.uwb domain=uwb_vendor_app type # Domain for EuiccSupportPixel user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all +# CccDkTimeSyncService +user=_app seinfo=platform name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all 
From 144b6b06b30ce9b602ca002f85ba05c8ffa2e19d Mon Sep 17 00:00:00 2001 From: Vova Sharaienko Date: Thu, 27 May 2021 01:48:04 +0000 Subject: [PATCH 309/921] hal_health_default: updated sepolicy This allows the android.hardware.health service to access AIDL Stats service Bug: 186578402 Test: Build, flash, boot & and logcat | grep "avc" Change-Id: I1bfd8dbca4a8a87387c5fc0cc47b9f09a6d07ea4 --- whitechapel/vendor/google/hal_health_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/hal_health_default.te b/whitechapel/vendor/google/hal_health_default.te index a684dcc2..a28e5c12 100644 --- a/whitechapel/vendor/google/hal_health_default.te +++ b/whitechapel/vendor/google/hal_health_default.te @@ -6,6 +6,9 @@ allow hal_health_default persist_battery_file:dir rw_dir_perms; set_prop(hal_health_default, vendor_battery_defender_prop) r_dir_file(hal_health_default, sysfs_scsi_devices_0000) +allow hal_health_default fwk_stats_service:service_manager find; +binder_use(hal_health_default) + allow hal_health_default sysfs_wlc:dir search; allow hal_health_default sysfs_batteryinfo:file w_file_perms; allow hal_health_default sysfs_thermal:dir search; From b078284e5d4a1f17b191a9753d10a165dc3fe2eb Mon Sep 17 00:00:00 2001 From: Aaron Ding Date: Thu, 13 May 2021 15:44:26 +0800 Subject: [PATCH 310/921] Revert "pixel-selinux: add SJTAG policies" This reverts commit bc525e1a497c0e71e25469505a3173a6799bd472. Bug: 186500818 Change-Id: I0bab67d42530270a819598ac320a5946e5d7aa6d Signed-off-by: Aaron Ding --- whitechapel/vendor/google/shell.te | 6 ------ whitechapel/vendor/google/ssr_detector.te | 2 -- 2 files changed, 8 deletions(-) diff --git a/whitechapel/vendor/google/shell.te b/whitechapel/vendor/google/shell.te index 3dd4a705..29274f5f 100644 --- a/whitechapel/vendor/google/shell.te +++ b/whitechapel/vendor/google/shell.te 
@@ -1,7 +1 @@ allow shell eco_service:service_manager find; - -# Allow access to the SJTAG kernel interface from the shell -userdebug_or_eng(` - allow shell sysfs_sjtag:dir r_dir_perms; - allow shell sysfs_sjtag:file rw_file_perms; -') diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te index a70edece..ff3c40f9 100644 --- a/whitechapel/vendor/google/ssr_detector.te +++ b/whitechapel/vendor/google/ssr_detector.te @@ -12,8 +12,6 @@ userdebug_or_eng(` allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; get_prop(ssr_detector_app, vendor_aoc_prop) - allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; - allow ssr_detector_app sysfs_sjtag:file rw_file_perms; ') get_prop(ssr_detector_app, vendor_ssrdump_prop) From 6026cf5181ac62017748fecbfe848f013e140792 Mon Sep 17 00:00:00 2001 From: David Chao Date: Thu, 27 May 2021 21:57:54 +0800 Subject: [PATCH 311/921] Grant powerhal access to thermal_link_device and sysfs_thermal Bug: 188579571 Test: boot Change-Id: I8e4675e2817fe3778236618e0dba76f1233e77e2 --- whitechapel/vendor/google/hal_power_default.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/hal_power_default.te b/whitechapel/vendor/google/hal_power_default.te index 4b95db79..87d62fe5 100644 --- a/whitechapel/vendor/google/hal_power_default.te +++ b/whitechapel/vendor/google/hal_power_default.te 
@@ -7,6 +7,10 @@ allow hal_power_default sysfs_gpu:file rw_file_perms; allow hal_power_default sysfs_devfreq_dir:dir r_dir_perms; allow hal_power_default sysfs_fabric:file rw_file_perms; allow hal_power_default sysfs_display:file rw_file_perms; +allow hal_power_default thermal_link_device:dir r_dir_perms; +allow hal_power_default sysfs_thermal:dir r_dir_perms; +allow hal_power_default sysfs_thermal:file rw_file_perms; +allow hal_power_default sysfs_thermal:lnk_file r_file_perms; set_prop(hal_power_default, vendor_camera_prop) set_prop(hal_power_default, vendor_camera_debug_prop) set_prop(hal_power_default, vendor_camera_fatp_prop) From 2dbe515943efdd3e639368850769cfce1d639129 Mon Sep 17 00:00:00 2001 From: Aaron Ding Date: Tue, 1 Jun 2021 17:38:28 +0800 Subject: [PATCH 312/921] remove sysfs_type from vendor_page_pinner_debugfs Bug: 186500818 Change-Id: If97126a3d46d96342faf89b9698218b6a480a84b --- whitechapel/vendor/google/file.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 2125c4be..4c1a2a1a 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -25,7 +25,7 @@ type vendor_rpmbmock_data_file, file_type, data_file_type; # Exynos debugfs type vendor_ion_debugfs, fs_type, debugfs_type; type vendor_dmabuf_debugfs, fs_type, debugfs_type; -type vendor_page_pinner_debugfs, fs_type, debugfs_type, sysfs_type; +type vendor_page_pinner_debugfs, fs_type, debugfs_type; type vendor_mali_debugfs, fs_type, debugfs_type; type vendor_dri_debugfs, fs_type, debugfs_type; type vendor_pm_genpd_debugfs, fs_type, debugfs_type; From 9f8d552411c9fab4ccf163db6d86b0795400809d Mon Sep 17 00:00:00 2001 
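Review bot: `allow hal_power_default sysfs_thermal:file rw_file_perms;` gives the power HAL write access to every thermal sysfs node, and the commit message quotes no denial showing that a write is needed. If the HAL only reads temperatures through `thermal_link_device`, `allow hal_power_default sysfs_thermal:file r_file_perms;` is sufficient and keeps thermal configuration out of reach if the HAL is compromised. For the symlink rule, `allow hal_power_default sysfs_thermal:lnk_file read;` is enough to follow a link, whereas `r_file_perms` carries permissions such as `ioctl` and `lock` that have no use on a `lnk_file`. A one-line comment above the four rules naming the feature that needs them would help, since the surrounding rules are uncommented as well.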
From: Aaron Ding Date: Wed, 2 Jun 2021 01:38:11 +0800 Subject: [PATCH 313/921] pixel-selinux: add SJTAG policies This reverts commit b078284e5d4a1f17b191a9753d10a165dc3fe2eb. Bug: 184768605 Change-Id: Ib0080e2ba3edf7fa654155fb4a7403d52ad2494a --- whitechapel/vendor/google/shell.te | 6 ++++++ whitechapel/vendor/google/ssr_detector.te | 2 ++ 2 files changed, 8 insertions(+) diff --git a/whitechapel/vendor/google/shell.te b/whitechapel/vendor/google/shell.te index 29274f5f..3dd4a705 100644 --- a/whitechapel/vendor/google/shell.te +++ b/whitechapel/vendor/google/shell.te @@ -1 +1,7 @@ allow shell eco_service:service_manager find; + +# Allow access to the SJTAG kernel interface from the shell +userdebug_or_eng(` + allow shell sysfs_sjtag:dir r_dir_perms; + allow shell sysfs_sjtag:file rw_file_perms; +') diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te index ff3c40f9..a70edece 100644 --- a/whitechapel/vendor/google/ssr_detector.te +++ b/whitechapel/vendor/google/ssr_detector.te @@ -12,6 +12,8 @@ userdebug_or_eng(` allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; get_prop(ssr_detector_app, vendor_aoc_prop) + allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; + allow ssr_detector_app sysfs_sjtag:file rw_file_perms; ') get_prop(ssr_detector_app, vendor_ssrdump_prop) From 9e8bd699e9da6c7433963e888cb03440ad4317a4 Mon Sep 17 00:00:00 2001 From: Rick Yiu Date: Mon, 31 May 2021 21:59:59 +0800 Subject: [PATCH 314/921] gs101-sepolicy: Refine policy for sysfs_vendor_sched Chagne it to directory based. Bug: 182509410 Test: device boot normally Change-Id: I1cfaa95cf07e1e829e747eb99ed39ab64d3ddac1 --- whitechapel/vendor/google/domain.te | 1 + whitechapel/vendor/google/genfs_contexts | 52 +----------------------- whitechapel/vendor/google/system_app.te | 1 + 3 files changed, 3 insertions(+), 51 deletions(-) 
diff --git a/whitechapel/vendor/google/domain.te b/whitechapel/vendor/google/domain.te index cffaf8cd..3e1cbbb7 100644 --- a/whitechapel/vendor/google/domain.te +++ b/whitechapel/vendor/google/domain.te @@ -1 +1,2 @@ +allow {domain -appdomain -rs} sysfs_vendor_sched:dir r_dir_perms; allow {domain -appdomain -rs} sysfs_vendor_sched:file w_file_perms; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 287e92c2..998d6c6d 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -113,57 +113,7 @@ genfscon sysfs /devices/platform/1ce00000.abrolhos genfscon sysfs /devices/platform/abrolhos u:object_r:sysfs_edgetpu:s0 # Vendor sched files -genfscon sysfs /kernel/vendor_sched/bg_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/bg_prefer_idle u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/bg_task_spreading u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/bg_uclamp_max u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/bg_uclamp_min u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/cam_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/cam_prefer_idle u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/cam_task_spreading u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/cam_uclamp_max u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/cam_uclamp_min u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/fg_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/fg_prefer_idle u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/fg_task_spreading u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/fg_uclamp_max u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/fg_uclamp_min u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/ta_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/ta_prefer_idle u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/ta_task_spreading u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/ta_uclamp_max u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/ta_uclamp_min u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/sys_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs 
/kernel/vendor_sched/sys_prefer_idle u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/sys_task_spreading u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/sys_uclamp_max u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/sys_uclamp_min u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/sysbg_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/sysbg_prefer_idle u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/sysbg_task_spreading u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/sysbg_uclamp_max u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/sysbg_uclamp_min u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/nnapi_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/nnapi_prefer_idle u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/nnapi_task_spreading u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/nnapi_uclamp_max u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/nnapi_uclamp_min u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/clear_group u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/set_task_group_bg u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/set_task_group_cam u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/set_task_group_fg u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/set_task_group_nnapi u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/set_task_group_sys u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/set_task_group_sysbg u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/set_task_group_ta u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/high_capacity_start_cpu 
u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/uclamp_effective_stats u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/reset_uclamp_stats u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/uclamp_stats u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/uclamp_threshold u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/uclamp_util_diff_stats u:object_r:sysfs_vendor_sched:s0 -genfscon sysfs /kernel/vendor_sched/util_threshold u:object_r:sysfs_vendor_sched:s0 - +genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0 genfscon proc /vendor_sched u:object_r:proc_vendor_sched:s0 # GPS diff --git a/whitechapel/vendor/google/system_app.te b/whitechapel/vendor/google/system_app.te index b7542fd6..a9bab762 100644 --- a/whitechapel/vendor/google/system_app.te +++ b/whitechapel/vendor/google/system_app.te @@ -1,3 +1,4 @@ +allow system_app sysfs_vendor_sched:dir r_dir_perms; allow system_app sysfs_vendor_sched:file w_file_perms; allow system_app hal_wlc_hwservice:hwservice_manager find; From 7ea6a447199f7456a8ff089df5301694c7aa8710 Mon Sep 17 00:00:00 2001 From: Peter Csaszar Date: Fri, 28 May 2021 23:58:13 -0700 Subject: [PATCH 315/921] pixel-selinux: Add mlstrustedobject for SJTAG This CL adds the "mlstrustedobject" to types for files involved in the SJTAG authentication flow, in order to address MLS-based AVC denials. Bug: 189466122 Test: No more AVC denials when activating SJTAG in BetterBug Signed-off-by: Peter Csaszar Change-Id: Ieb88653830ce95751eee5cf26c26fd6302067bce --- whitechapel/vendor/google/file.te | 6 ++++++ whitechapel/vendor/google/ssr_detector.te | 1 + 2 files changed, 7 insertions(+) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 4c1a2a1a..412f03d0 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te 
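Review bot: Collapsing the enumerated entries into `genfscon sysfs /kernel/vendor_sched` changes the security meaning of the existing `allow {domain -appdomain -rs} sysfs_vendor_sched:file w_file_perms;` rule in domain.te: every node the kernel adds under that directory from now on becomes writable by all non-app domains without any policy review. The removed list mixed task-group setters with tunables and stats nodes (`high_capacity_start_cpu`, `uclamp_threshold`, `reset_uclamp_stats`, ...), and these no longer can be given a narrower label without re-adding longer-prefix entries. If that trade-off is intended, record it next to the entry, e.g. `# Whole dir is labeled: new vendor_sched nodes are writable by all non-app domains (see domain.te)`. Otherwise keep the tunables under a separate type and leave only the `set_task_group_*` nodes on the broadly writable one.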
@@ -144,6 +144,9 @@ type sysfs_edgetpu, sysfs_type, fs_type; # Vendor sched files type sysfs_vendor_sched, sysfs_type, fs_type; +userdebug_or_eng(` + typeattribute sysfs_vendor_sched mlstrustedobject; +') type proc_vendor_sched, proc_type, fs_type; # GPS @@ -211,3 +214,6 @@ type vendor_wlc_fwupdata_file, vendor_file_type, file_type; # SJTAG type sysfs_sjtag, fs_type, sysfs_type; +userdebug_or_eng(` + typeattribute sysfs_sjtag mlstrustedobject; +') diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te index a70edece..16e0e9f0 100644 --- a/whitechapel/vendor/google/ssr_detector.te +++ b/whitechapel/vendor/google/ssr_detector.te @@ -14,6 +14,7 @@ userdebug_or_eng(` get_prop(ssr_detector_app, vendor_aoc_prop) allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; allow ssr_detector_app sysfs_sjtag:file rw_file_perms; + allow ssr_detector_app sysfs_vendor_sched:file rw_file_perms; ') get_prop(ssr_detector_app, vendor_ssrdump_prop) From 9d5830ac19b1454188b5655629e8544a4cb00efa Mon Sep 17 00:00:00 2001 From: Chiawei Wang Date: Wed, 2 Jun 2021 14:48:22 +0800 Subject: [PATCH 316/921] pixelstats: fix permission errors 1. sysfs_dma_heap erros are fixed by ag/13926718 2. debugfs_mgm error is fixed by ag/14683912 Bug: 188114896 Bug: 183338421 Bug: 188495492 Test: pts-tradefed run pts -m PtsSELinuxTest http://sponge2/6cbd0af0-5414-4f2c-aea0-99b4981360a4 Signed-off-by: Chiawei Wang Change-Id: Icd2fa4e7f168d15fd4cec3000bc0e7a33eab4d3e --- tracking_denials/pixelstats_vendor.te | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 tracking_denials/pixelstats_vendor.te diff --git a/tracking_denials/pixelstats_vendor.te b/tracking_denials/pixelstats_vendor.te deleted file mode 100644 index 4bc5f01f..00000000 --- a/tracking_denials/pixelstats_vendor.te +++ /dev/null 
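Review bot: The `typeattribute sysfs_vendor_sched mlstrustedobject;` added under `# Vendor sched files` is not covered by the commit description, which only mentions files involved in the SJTAG authentication flow. mlstrustedobject exempts the type from the MLS write constraints, so any domain with a TE allow on these scheduler nodes can write to them regardless of its level. Restricting it to `userdebug_or_eng` keeps it off user builds, but the reason should sit next to the rule, for example `# userdebug/eng only: written by an app domain running at a per-app MLS level` with the caller named. The second hunk in this file (sysfs_sjtag) matches the description and needs only the same kind of comment.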
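Review bot: The added `allow ssr_detector_app sysfs_vendor_sched:file rw_file_perms;` has no matching directory rule, unlike the two sysfs_sjtag lines directly above it. /kernel/vendor_sched is labelled as a whole directory in this tree, so the app presumably also needs `allow ssr_detector_app sysfs_vendor_sched:dir search;` to reach the nodes; otherwise the file rule cannot take effect. If only a write was denied, `w_file_perms` would be narrower than `rw_file_perms`. The `userdebug_or_eng` block opens above the hunk, so its first lines are not visible here.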
@@ -1,7 +0,0 @@ -# b/183338421 -dontaudit pixelstats_vendor sysfs_dma_heap:dir { search }; -dontaudit pixelstats_vendor sysfs_dma_heap:file { read }; -dontaudit pixelstats_vendor sysfs_dma_heap:file { open }; -dontaudit pixelstats_vendor sysfs_dma_heap:file { getattr }; -# b/188114896 -dontaudit pixelstats_vendor debugfs_mgm:dir read; From a4dbe2ef4069bcb18eef32518c53554eb499c066 Mon Sep 17 00:00:00 2001 From: Rick Yiu Date: Thu, 3 Jun 2021 17:52:36 +0800 Subject: [PATCH 317/921] gs101-sepolicy: Fix avc denials for sysfs_vendor_sched Bug: 190011861 Bug: 190011862 Bug: 190011863 Bug: 190012301 Bug: 190012320 Test: boot to home Change-Id: Icddb42fb194547211e33cf1d871e839a954b0919 --- whitechapel/vendor/google/hbmsvmanager_app.te | 3 +++ whitechapel/vendor/google/nfc.te | 2 ++ whitechapel/vendor/google/platform_app.te | 3 +++ whitechapel/vendor/google/radio.te | 2 ++ whitechapel/vendor/google/secure_element.te | 2 ++ 5 files changed, 12 insertions(+) create mode 100644 whitechapel/vendor/google/nfc.te create mode 100644 whitechapel/vendor/google/secure_element.te diff --git a/whitechapel/vendor/google/hbmsvmanager_app.te b/whitechapel/vendor/google/hbmsvmanager_app.te index 534f6c82..2300a2a8 100644 --- a/whitechapel/vendor/google/hbmsvmanager_app.te +++ b/whitechapel/vendor/google/hbmsvmanager_app.te @@ -2,6 +2,9 @@ type hbmsvmanager_app, domain, coredomain; app_domain(hbmsvmanager_app); +allow hbmsvmanager_app sysfs_vendor_sched:dir r_dir_perms; +allow hbmsvmanager_app sysfs_vendor_sched:file w_file_perms; + allow hbmsvmanager_app hal_pixel_display_service:service_manager find; binder_call(hbmsvmanager_app, hal_graphics_composer_default) diff --git a/whitechapel/vendor/google/nfc.te b/whitechapel/vendor/google/nfc.te new file mode 100644 index 00000000..febd851a --- /dev/null +++ b/whitechapel/vendor/google/nfc.te @@ -0,0 +1,2 @@ +allow nfc sysfs_vendor_sched:dir r_dir_perms; +allow nfc sysfs_vendor_sched:file w_file_perms; 
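Review bot: The pair `allow hbmsvmanager_app sysfs_vendor_sched:dir r_dir_perms;` / `allow hbmsvmanager_app sysfs_vendor_sched:file w_file_perms;` is repeated unchanged in the nfc.te, platform_app.te, radio.te and secure_element.te hunks of this commit, with no comment in any of them. Each copy gives write access to the vendor scheduler nodes to a domain that processes external data (NFC, radio, secure element). The only test listed is a boot, so it is worth confirming from the denial logs that a write is actually issued rather than only a directory lookup being denied. A shared attribute for the domains that may write these nodes would keep the five files in step. Each rule should also say what is written, e.g. `# sets its scheduler group via /sys/kernel/vendor_sched` (wording to be confirmed against the driver).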
diff --git a/whitechapel/vendor/google/platform_app.te b/whitechapel/vendor/google/platform_app.te index 14cf0554..40556ded 100644 --- a/whitechapel/vendor/google/platform_app.te +++ b/whitechapel/vendor/google/platform_app.te @@ -4,6 +4,9 @@ allow platform_app hal_exynos_rild_hwservice:hwservice_manager find; allow platform_app hal_wlc_hwservice:hwservice_manager find; binder_call(platform_app, hal_wlc) +allow platform_app sysfs_vendor_sched:dir r_dir_perms; +allow platform_app sysfs_vendor_sched:file w_file_perms; + allow platform_app nfc_service:service_manager find; allow platform_app uwb_service:service_manager find; diff --git a/whitechapel/vendor/google/radio.te b/whitechapel/vendor/google/radio.te index ffa43521..47a70dda 100644 --- a/whitechapel/vendor/google/radio.te +++ b/whitechapel/vendor/google/radio.te @@ -1 +1,3 @@ allow radio hal_exynos_rild_hwservice:hwservice_manager find; +allow radio sysfs_vendor_sched:dir r_dir_perms; +allow radio sysfs_vendor_sched:file w_file_perms; diff --git a/whitechapel/vendor/google/secure_element.te b/whitechapel/vendor/google/secure_element.te new file mode 100644 index 00000000..831d360e --- /dev/null +++ b/whitechapel/vendor/google/secure_element.te @@ -0,0 +1,2 @@ +allow secure_element sysfs_vendor_sched:dir r_dir_perms; +allow secure_element sysfs_vendor_sched:file w_file_perms; From 3d127f922415d92ca4554f7a483115b4cd5222e8 Mon Sep 17 00:00:00 2001 From: jznpark Date: Mon, 26 Apr 2021 12:38:31 +0900 Subject: [PATCH 318/921] [RCS] Add sepolicy for RCS as non-system app As shannon-rcs has been changed from system app to non-system app, sepolicy has to be updated. Bug: 186135775 Bug: 189707387 Test: sanity test 
Signed-off-by: jznpark Change-Id: I32cce90611c619494136a6b1d01b3fb48330d169 --- tracking_denials/vendor_rcs_app.te | 3 +++ whitechapel/vendor/google/property.te | 1 + whitechapel/vendor/google/rild.te | 1 + whitechapel/vendor/google/seapp_contexts | 2 ++ whitechapel/vendor/google/vendor_init.te | 1 + whitechapel/vendor/google/vendor_rcs_app.te | 18 ++++++++++++++++++ 6 files changed, 26 insertions(+) create mode 100644 tracking_denials/vendor_rcs_app.te create mode 100644 whitechapel/vendor/google/vendor_rcs_app.te diff --git a/tracking_denials/vendor_rcs_app.te b/tracking_denials/vendor_rcs_app.te new file mode 100644 index 00000000..4fdde216 --- /dev/null +++ b/tracking_denials/vendor_rcs_app.te @@ -0,0 +1,3 @@ +# b/183935382 +dontaudit vendor_rcs_app default_prop:file { read }; +dontaudit vendor_rcs_app default_prop:file { read }; diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index f1e377f0..f540c88a 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -1,6 +1,7 @@ # For Exynos Properties vendor_internal_prop(vendor_prop) vendor_internal_prop(vendor_ims_prop) +vendor_internal_prop(vendor_rcs_prop) vendor_internal_prop(vendor_rild_prop) vendor_internal_prop(vendor_slog_prop) vendor_internal_prop(sensors_prop) diff --git a/whitechapel/vendor/google/rild.te b/whitechapel/vendor/google/rild.te index 5dab0eff..a39ab520 100644 --- a/whitechapel/vendor/google/rild.te +++ b/whitechapel/vendor/google/rild.te @@ -24,6 +24,7 @@ binder_call(rild, hal_secure_element_default) binder_call(rild, platform_app) binder_call(rild, modem_svc_sit) binder_call(rild, vendor_ims_app) +binder_call(rild, vendor_rcs_app) # for hal service add_hwservice(rild, hal_exynos_rild_hwservice) diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index fbf19390..a6692190 100644 --- a/whitechapel/vendor/google/seapp_contexts 
+++ b/whitechapel/vendor/google/seapp_contexts @@ -9,6 +9,8 @@ user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode doma # Samsung S.LSI IMS user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_app levelFrom=all +user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all +user=_app isPrivApp=true name=com.shannon.rcsservice:remote domain=vendor_rcs_app levelFrom=all user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_ims_app levelFrom=all # coredump/ramdump diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index dedeaa7e..5a86aded 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -6,6 +6,7 @@ set_prop(vendor_init, vendor_usb_config_prop) set_prop(vendor_init, vendor_slog_prop) set_prop(vendor_init, vendor_sys_default_prop) set_prop(vendor_init, vendor_ims_prop) +set_prop(vendor_init, vendor_rcs_prop) set_prop(vendor_init, vendor_ssrdump_prop) set_prop(vendor_init, vendor_ro_config_default_prop) get_prop(vendor_init, vendor_touchpanel_prop) diff --git a/whitechapel/vendor/google/vendor_rcs_app.te b/whitechapel/vendor/google/vendor_rcs_app.te new file mode 100644 index 00000000..292c95ee --- /dev/null +++ b/whitechapel/vendor/google/vendor_rcs_app.te 
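Review bot: The two new `com.shannon.rcsservice` entries select the vendor_rcs_app domain by package name and `isPrivApp=true` only, with no `seinfo=` selector. Without a signature-derived seinfo, any privileged package carrying this name lands in a domain that, per vendor_rcs_app.te in this commit, can call rild and set radio properties. The neighbouring com.shannon.imsservice lines have the same shape. Adding a signer stanza to mac_permissions.xml and `seinfo=<rcs-seinfo-placeholder>` to both lines would bind the domain to the signing certificate instead of the name.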
@@ -0,0 +1,18 @@ +type vendor_rcs_app, domain; +app_domain(vendor_rcs_app) +net_domain(vendor_rcs_app) + +allow vendor_rcs_app app_api_service:service_manager find; +allow vendor_rcs_app audioserver_service:service_manager find; +allow vendor_rcs_app radio_service:service_manager find; +allow vendor_rcs_app mediaserver_service:service_manager find; +allow vendor_rcs_app cameraserver_service:service_manager find; + +allow vendor_rcs_app privapp_data_file:dir create_dir_perms; +allow vendor_rcs_app privapp_data_file:file create_file_perms; + +allow vendor_rcs_app hal_exynos_rild_hwservice:hwservice_manager find; + +binder_call(vendor_rcs_app, rild) +set_prop(vendor_rcs_app, vendor_rild_prop) +set_prop(vendor_rcs_app, radio_prop) From 729e8901ab919b944e531b5ca8dabdc2e894fee4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= Date: Wed, 7 Apr 2021 23:58:35 -0700 Subject: [PATCH 319/921] allow hal_usb_impl configfs:dir { create rmdir }; MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is needed to allow USB HAL to create multi-config gadget (ie. rndis + ncm). Bug: 172793258 Test: built and booted on oriole Signed-off-by: Maciej Żenczykowski Change-Id: Ifb98b23138122ad4e0aeea8dd9c93d7b3e16d3aa --- whitechapel/vendor/google/hal_usb_impl.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/hal_usb_impl.te b/whitechapel/vendor/google/hal_usb_impl.te index 14abf59c..45ca9245 100644 --- a/whitechapel/vendor/google/hal_usb_impl.te +++ b/whitechapel/vendor/google/hal_usb_impl.te @@ -5,6 +5,7 @@ hal_server_domain(hal_usb_impl, hal_usb_gadget) type hal_usb_impl_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(hal_usb_impl) +allow hal_usb_impl configfs:dir { create rmdir }; allow hal_usb_impl functionfs:dir { watch watch_reads }; set_prop(hal_usb_impl, vendor_usb_config_prop) From 77432c5015668029ec4e5b69d7076ba1c899d448 Mon Sep 17 00:00:00 2001 
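Review bot: `set_prop(vendor_rcs_app, vendor_rild_prop)` and `set_prop(vendor_rcs_app, radio_prop)` at the end of the new file give a network-facing app domain (`net_domain`) write access to two radio property namespaces, and nothing in the file says which properties it sets. The commit also declares vendor_rcs_prop in property.te and lets vendor_init set it, yet this domain gets no rule for it; if the app's own settings live there, `get_prop(vendor_rcs_app, vendor_rcs_prop)` would be the narrower grant. The `privapp_data_file` create rules look broader than an `app_domain` normally needs and should be either dropped or justified in a comment.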
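Review bot: `allow hal_usb_impl configfs:dir { create rmdir };` is added without a comment, so the justification exists only in the commit message. A line above it such as `# create/remove configfs dirs for multi-config gadgets (rndis + ncm)` would keep the reason with the rule. The grant is on the generic configfs type, so it applies to every configfs directory rather than only the USB gadget subtree; a dedicated label for the gadget path would be tighter if the tree has one, which this hunk does not show.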
From: Sean Callanan Date: Fri, 2 Apr 2021 20:42:01 -0700 Subject: [PATCH 320/921] whitechapel: make vframe-secure a system heap The GPU driver uses vframe-secure for secure allocations, so the corresponding DMA heap file should be visible to all processes so use the dmabuf_system_secure_heap_device type instead. In order for this type to be used, we need to ensure that the HAL Allocator has access to it, so update hal_graphics_allocator_default.te Finally, since there are no longer any buffer types associated with the vframe_heap_device type, remove it. Bug: 182090311 Test: run cts-dev -m CtsDeqpTestCases --module-arg CtsDeqpTestCases:include-filter:dEQP-VK.protected_memory.stack.stacksize_64 and ensure secure allocations succeed Test: Play DRM-protected video in ExoPlayer and ensure videos render correctly via MFC->DPU. Change-Id: Id341e52322a438974d4634a4274a7be2ddb4c9fe --- whitechapel/vendor/google/device.te | 3 --- whitechapel/vendor/google/file_contexts | 2 +- whitechapel/vendor/google/hal_graphics_allocator_default.te | 2 +- whitechapel/vendor/google/mediacodec.te | 1 - 4 files changed, 2 insertions(+), 6 deletions(-) diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index 5c6a2d88..63bd3191 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -45,9 +45,6 @@ type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type; #faceauth DMA-BUF heaps type faceauth_heap_device, dmabuf_heap_device_type, dev_type; -#vframe-secure DMA-BUF heap -type vframe_heap_device, dmabuf_heap_device_type, dev_type; - #vscaler-secure DMA-BUF heap type vscaler_heap_device, dmabuf_heap_device_type, dev_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 5c4b5209..f334be5f 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -440,7 +440,7 @@ /dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0 # vframe-secure DMA-BUF heap -/dev/dma_heap/vframe-secure u:object_r:vframe_heap_device:s0 +/dev/dma_heap/vframe-secure u:object_r:dmabuf_system_secure_heap_device:s0 # vscaler-secure DMA-BUF heap /dev/dma_heap/vscaler-secure u:object_r:vscaler_heap_device:s0 diff --git a/whitechapel/vendor/google/hal_graphics_allocator_default.te b/whitechapel/vendor/google/hal_graphics_allocator_default.te index 63a7dcfb..9791dae6 100644 --- a/whitechapel/vendor/google/hal_graphics_allocator_default.te +++ b/whitechapel/vendor/google/hal_graphics_allocator_default.te @@ -1,4 +1,4 @@ allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms; allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms; -allow hal_graphics_allocator_default vframe_heap_device:chr_file r_file_perms; +allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms; allow hal_graphics_allocator_default vscaler_heap_device:chr_file r_file_perms; diff --git a/whitechapel/vendor/google/mediacodec.te b/whitechapel/vendor/google/mediacodec.te index 07a0a5b4..ed7c1adf 100644 --- a/whitechapel/vendor/google/mediacodec.te +++ b/whitechapel/vendor/google/mediacodec.te @@ -7,4 +7,3 @@ allow mediacodec hal_camera_default:binder call; allow mediacodec sysfs_video:file r_file_perms; allow mediacodec sysfs_video:dir r_dir_perms; allow mediacodec dmabuf_system_secure_heap_device:chr_file r_file_perms; -allow mediacodec vframe_heap_device:chr_file r_file_perms; From 724ea61092437858d1c7c653b7d8ee6e3e652857 Mon Sep 17 00:00:00 2001 From: Hui Wang Date: Fri, 4 Jun 2021 14:03:31 -0700 Subject: [PATCH 321/921] Remove unnecessary rules for vendor rcs app Bug: 190194610 Test: make, manual Change-Id: I99f624a70a36ad6cf47806faf0eed693383dac5f --- whitechapel/vendor/google/vendor_rcs_app.te | 3 --- 1 file changed, 3 deletions(-) 
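Review bot: Relabelling `/dev/dma_heap/vframe-secure` to dmabuf_system_secure_heap_device means this heap can no longer be granted or withheld on its own. Every domain that already holds a rule on the system secure heap type gains the vendor heap as well. The comment above the entry still reads only `# vframe-secure DMA-BUF heap`; I would extend it with the reason, e.g. `# vframe-secure: used by the GPU driver for secure allocations, so it shares the system secure heap label`. It is also worth checking that no remaining policy file references vframe_heap_device, since device.te deletes the type in this commit.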
diff --git a/whitechapel/vendor/google/vendor_rcs_app.te b/whitechapel/vendor/google/vendor_rcs_app.te index 292c95ee..e67727cc 100644 --- a/whitechapel/vendor/google/vendor_rcs_app.te +++ b/whitechapel/vendor/google/vendor_rcs_app.te @@ -8,9 +8,6 @@ allow vendor_rcs_app radio_service:service_manager find; allow vendor_rcs_app mediaserver_service:service_manager find; allow vendor_rcs_app cameraserver_service:service_manager find; -allow vendor_rcs_app privapp_data_file:dir create_dir_perms; -allow vendor_rcs_app privapp_data_file:file create_file_perms; - allow vendor_rcs_app hal_exynos_rild_hwservice:hwservice_manager find; binder_call(vendor_rcs_app, rild) From 7865bf8577d8debb0105f4704c311374bd7f2383 Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Mon, 7 Jun 2021 09:38:47 +0800 Subject: [PATCH 322/921] cbd: Fix avc error avc: denied { search } for comm="cbd" name="/" dev="sda1" ino=2 scontext=u:r:cbd:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=0 Bug: 180687795 Change-Id: I149163760fa47378d03dc2d8c8a00c590788796c --- whitechapel/vendor/google/cbd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/cbd.te b/whitechapel/vendor/google/cbd.te index 23c4e576..cbd222ff 100644 --- a/whitechapel/vendor/google/cbd.te +++ b/whitechapel/vendor/google/cbd.te @@ -31,6 +31,7 @@ allow cbd proc_cmdline:file r_file_perms; allow cbd persist_modem_file:dir create_dir_perms; allow cbd persist_modem_file:file create_file_perms; +allow cbd persist_file:dir search; allow cbd radio_vendor_data_file:dir create_dir_perms; allow cbd radio_vendor_data_file:file create_file_perms; From 1064df0f269c71b5fb946b46acba600e1132d797 Mon Sep 17 00:00:00 2001 
From: Long Ling Date: Sun, 6 Jun 2021 22:18:37 -0700 Subject: [PATCH 323/921] sepolicy: gs101: display: fix dumpstate of displaycolor displaycolor service runs in HW Composer. This change allow displaycolor to output to dumpstate via pipe fd. Bug: 189846843 Test: adb bugreport and check displaycolor dump in dumpstate_board.txt Change-Id: I109db9374124caf9053a9fd7ba6159f83c372038 --- display/gs101/hal_graphics_composer_default.te | 4 ++++ tracking_denials/hal_graphics_composer_default.te | 3 --- 2 files changed, 4 insertions(+), 3 deletions(-) delete mode 100644 tracking_denials/hal_graphics_composer_default.te diff --git a/display/gs101/hal_graphics_composer_default.te b/display/gs101/hal_graphics_composer_default.te index b5139133..0b4c26e8 100644 --- a/display/gs101/hal_graphics_composer_default.te +++ b/display/gs101/hal_graphics_composer_default.te @@ -36,3 +36,7 @@ get_prop(hal_graphics_composer_default, boot_status_prop); # allow HWC to access vendor log file allow hal_graphics_composer_default vendor_log_file:file create_file_perms; + +# allow HWC to output to dumpstate via pipe fd +allow hal_graphics_composer_default hal_dumpstate_default:fifo_file { append write }; +allow hal_graphics_composer_default hal_dumpstate_default:fd use; diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te deleted file mode 100644 index ef727b51..00000000 --- a/tracking_denials/hal_graphics_composer_default.te +++ /dev/null @@ -1,3 +0,0 @@ -# b/185723492 -dontaudit hal_graphics_composer_default hal_dumpstate_default:fd { use }; -dontaudit hal_graphics_composer_default hal_dumpstate_default:fd { use }; From d45ada475b469976ca03e98482cbebf3f5473e1b Mon Sep 17 00:00:00 2001 
From: "Yu(Swim) Chih Ren" Date: Fri, 4 Jun 2021 06:57:10 +0000 Subject: [PATCH 324/921] Add sysfs_camera label for powerhint flow to access intcam & tnr clock Test: 1. build selinux and push related files to phone 2. Use ls -Z "file" to check if selinux content of file is expected 3. P21 camera checklist Bug: 168654554 Change-Id: Ie757dd3e8adc151c6340e9ca662efbdf0ccb6110 --- whitechapel/vendor/google/file.te | 1 + whitechapel/vendor/google/genfs_contexts | 4 ++++ whitechapel/vendor/google/hal_power_default.te | 1 + 3 files changed, 6 insertions(+) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 412f03d0..863f4903 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -132,6 +132,7 @@ type sysfs_wlc, sysfs_type, fs_type; type persist_camera_file, file_type; type vendor_camera_tuning_file, vendor_file_type, file_type; type vendor_camera_data_file, file_type, data_file_type; +type sysfs_camera, sysfs_type, fs_type; # EdgeTPU hal data file type hal_neuralnetworks_darwinn_data_file, file_type, data_file_type; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 998d6c6d..28a3f6f1 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -313,3 +313,7 @@ genfscon sysfs /devices/platform/audiometrics/hwinfo_part_number u:object_ # SJTAG genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0 genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_r:sysfs_sjtag:s0 + +# Camera +genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0 +genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0 diff --git a/whitechapel/vendor/google/hal_power_default.te b/whitechapel/vendor/google/hal_power_default.te index 4b95db79..85cb3018 100644 
--- a/whitechapel/vendor/google/hal_power_default.te +++ b/whitechapel/vendor/google/hal_power_default.te @@ -6,6 +6,7 @@ allow hal_power_default cpuctl_device:file rw_file_perms; allow hal_power_default sysfs_gpu:file rw_file_perms; allow hal_power_default sysfs_devfreq_dir:dir r_dir_perms; allow hal_power_default sysfs_fabric:file rw_file_perms; +allow hal_power_default sysfs_camera:file rw_file_perms; allow hal_power_default sysfs_display:file rw_file_perms; set_prop(hal_power_default, vendor_camera_prop) set_prop(hal_power_default, vendor_camera_debug_prop) From c8b02fc4c324d2aac867621c450b230a4b0a14a8 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 8 Jun 2021 10:06:54 +0800 Subject: [PATCH 325/921] Remove obsolete context Bug: 190330778 Test: make selinux_policy with such entry gone Change-Id: I28844c361a951de35d509ce042e64e090188e755 --- whitechapel/vendor/google/file_contexts | 1 - 1 file changed, 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index f334be5f..81ceb723 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -346,7 +346,6 @@ # NeuralNetworks file contexts /vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-armnn u:object_r:hal_neuralnetworks_armnn_exec:s0 -/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-darwinn u:object_r:hal_neuralnetworks_darwinn_exec:s0 /vendor/bin/hw/android\.hardware\.neuralnetworks@service-darwinn-aidl u:object_r:hal_neuralnetworks_darwinn_exec:s0 # GRIL From 02f93b60969b0c3622e54b2aade0565cd9fe98a9 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Tue, 8 Jun 2021 11:10:45 +0800 Subject: [PATCH 326/921] modulize hal_neuralnetwork_armnn Bug: 189895314 Bug: 171160755 Bug: 171670122 Bug: 180858476 Test: make sure all affected devices' armnn module has the right label Change-Id: I6ca736f156497738167ba5eea5606a0e654611b9 --- neuralnetworks/file_contexts | 1 + .../hal_neuralnetworks_armnn.te | 0 tracking_denials/hal_neuralnetworks_armnn.te | 30 ------------------- whitechapel/vendor/google/file_contexts | 1 - 4 files changed, 1 insertion(+), 31 deletions(-) create mode 100644 neuralnetworks/file_contexts rename {whitechapel/vendor/google => neuralnetworks}/hal_neuralnetworks_armnn.te (100%) diff --git a/neuralnetworks/file_contexts b/neuralnetworks/file_contexts new file mode 100644 index 00000000..fc151ab9 --- /dev/null +++ b/neuralnetworks/file_contexts @@ -0,0 +1 @@ +/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-armnn u:object_r:hal_neuralnetworks_armnn_exec:s0 diff --git a/whitechapel/vendor/google/hal_neuralnetworks_armnn.te b/neuralnetworks/hal_neuralnetworks_armnn.te similarity index 100% rename from whitechapel/vendor/google/hal_neuralnetworks_armnn.te rename to neuralnetworks/hal_neuralnetworks_armnn.te diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te index 9ebda637..04941460 100644 --- a/tracking_denials/hal_neuralnetworks_armnn.te +++ b/tracking_denials/hal_neuralnetworks_armnn.te 
@@ -1,33 +1,3 @@ -# b/171160755 -dontaudit hal_neuralnetworks_armnn traced:unix_stream_socket connectto ; -dontaudit hal_neuralnetworks_armnn hal_neuralnetworks_hwservice:hwservice_manager add ; -dontaudit hal_neuralnetworks_armnn hal_neuralnetworks_hwservice:hwservice_manager find ; -dontaudit hal_neuralnetworks_armnn hwservicemanager:binder transfer ; -dontaudit hal_neuralnetworks_armnn hwservicemanager:binder call ; -dontaudit hal_neuralnetworks_armnn hwservicemanager_prop:file map ; -dontaudit hal_neuralnetworks_armnn hwservicemanager_prop:file getattr ; -dontaudit hal_neuralnetworks_armnn hwservicemanager_prop:file open ; -dontaudit hal_neuralnetworks_armnn hwservicemanager_prop:file read ; -dontaudit hal_neuralnetworks_armnn gpu_device:chr_file {read write} ; -dontaudit hal_neuralnetworks_armnn gpu_device:chr_file open ; -dontaudit hal_neuralnetworks_armnn gpu_device:chr_file getattr ; -dontaudit hal_neuralnetworks_armnn gpu_device:chr_file ioctl ; -dontaudit hal_neuralnetworks_armnn gpu_device:chr_file map ; -dontaudit hal_neuralnetworks_armnn gpu_device:chr_file {read write} ; -dontaudit hal_neuralnetworks_armnn traced_producer_socket:sock_file write ; -dontaudit hal_neuralnetworks_armnn hidl_base_hwservice:hwservice_manager add ; -# b/171670122 -dontaudit hal_neuralnetworks_armnn debugfs_tracing:file { read }; -dontaudit hal_neuralnetworks_armnn debugfs_tracing:file { open }; # b/180550063 dontaudit hal_neuralnetworks_armnn system_data_file:dir { search }; dontaudit hal_neuralnetworks_armnn system_data_file:dir { search }; -# b/180858476 -dontaudit hal_neuralnetworks_armnn default_prop:file { read }; -dontaudit hal_neuralnetworks_armnn default_prop:file { read }; -dontaudit hal_neuralnetworks_armnn default_prop:file { open }; -dontaudit hal_neuralnetworks_armnn default_prop:file { getattr }; -dontaudit hal_neuralnetworks_armnn default_prop:file { map }; -dontaudit hal_neuralnetworks_armnn default_prop:file { open }; -dontaudit hal_neuralnetworks_armnn 
default_prop:file { getattr }; -dontaudit hal_neuralnetworks_armnn default_prop:file { map }; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 81ceb723..45d9d762 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -345,7 +345,6 @@ /vendor/bin/aocd u:object_r:aocd_exec:s0 # NeuralNetworks file contexts -/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-armnn u:object_r:hal_neuralnetworks_armnn_exec:s0 /vendor/bin/hw/android\.hardware\.neuralnetworks@service-darwinn-aidl u:object_r:hal_neuralnetworks_darwinn_exec:s0 # GRIL From b22c6cd04a0dba909d58f6c99c483857e4785357 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= Date: Mon, 7 Jun 2021 20:33:22 -0700 Subject: [PATCH 327/921] R4/raven: correctly label wpan0 device as networking MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Test: atest, TreeHugger, manual observation of labeling Bug: 185962988 Signed-off-by: Maciej Żenczykowski Change-Id: I068b7da17590fc9dc914db80263b72cc7536c095 --- whitechapel/vendor/google/genfs_contexts | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 998d6c6d..3a31a33a 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -66,8 +66,9 @@ genfscon sysfs /devices/platform/14700000.ufs/health_descriptor u:object genfscon sysfs /devices/platform/14700000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0 genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0 -# Tethering -genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/gadget/net u:object_r:sysfs_net:s0 +# Networking / Tethering +genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/ieee802154/phy0/net u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/gadget/net u:object_r:sysfs_net:s0 # Vibrator genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-005a u:object_r:sysfs_vibrator:s0 From bb8b462d7a8bf465fba5aefd35e1a6a1d2b2f33a Mon Sep 17 00:00:00 2001 From: sukiliu Date: Mon, 7 Jun 2021 14:05:42 +0800 Subject: [PATCH 328/921] Update avc error on ROM 7432667 Bug: b/190337281 Bug: b/190337282 Bug: b/190336524 Bug: b/190337295 Bug: b/190337296 Bug: b/190337283 Bug: b/190336723 Bug: b/190336841 Bug: b/190337297 Bug: b/190336525 Test: PtsSELinuxTestCases Change-Id: I2edda1bf554c0239953b8a31152a09045fb1f15a --- tracking_denials/dumpstate.te | 2 ++ tracking_denials/incidentd.te | 2 ++ tracking_denials/logger_app.te | 2 ++ tracking_denials/mediaprovider.te | 2 ++ tracking_denials/shell.te | 2 ++ tracking_denials/untrusted_app.te | 2 ++ tracking_denials/untrusted_app_29.te | 2 ++ tracking_denials/vendor_init.te | 4 ++++ vendor/google/bug_map | 2 ++ 9 files changed, 20 insertions(+) create mode 100644 tracking_denials/logger_app.te create mode 100644 tracking_denials/mediaprovider.te create mode 100644 tracking_denials/shell.te create mode 100644 tracking_denials/untrusted_app_29.te create mode 100644 vendor/google/bug_map diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index 513736b9..1a3571bf 100644 --- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te 
@@ -2,3 +2,5 @@ dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; # b/187795940 dontaudit dumpstate twoshay:binder call; +# b/190337283 +dontaudit dumpstate debugfs_wakeup_sources:file read; diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te index a998712f..2187eab4 100644 --- a/tracking_denials/incidentd.te +++ b/tracking_denials/incidentd.te @@ -1,2 +1,4 @@ # b/187015816 dontaudit incidentd apex_info_file:file getattr; +# b/190337296 +dontaudit incidentd debugfs_wakeup_sources:file read; diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te new file mode 100644 index 00000000..c927c3a5 --- /dev/null +++ b/tracking_denials/logger_app.te @@ -0,0 +1,2 @@ +# b/190337281 +dontaudit logger_app sysfs_vendor_sched:dir search; diff --git a/tracking_denials/mediaprovider.te b/tracking_denials/mediaprovider.te new file mode 100644 index 00000000..db311ea3 --- /dev/null +++ b/tracking_denials/mediaprovider.te @@ -0,0 +1,2 @@ +# b/190336723 +dontaudit mediaprovider sysfs_vendor_sched:dir search; diff --git a/tracking_denials/shell.te b/tracking_denials/shell.te new file mode 100644 index 00000000..dd01cb38 --- /dev/null +++ b/tracking_denials/shell.te @@ -0,0 +1,2 @@ +# b/190336524 +dontaudit shell sysfs_vendor_sched:dir search; diff --git a/tracking_denials/untrusted_app.te b/tracking_denials/untrusted_app.te index 9b098f88..d81c48d3 100644 --- a/tracking_denials/untrusted_app.te +++ b/tracking_denials/untrusted_app.te @@ -2,3 +2,5 @@ dontaudit untrusted_app vendor_camera_prop:file { read }; dontaudit untrusted_app vendor_camera_prop:file { read }; dontaudit untrusted_app vendor_camera_prop:file { read }; +# b/190337295 +dontaudit untrusted_app sysfs_vendor_sched:dir search; diff --git a/tracking_denials/untrusted_app_29.te b/tracking_denials/untrusted_app_29.te new file mode 100644 index 00000000..bf68b841 --- /dev/null +++ b/tracking_denials/untrusted_app_29.te 
@@ -0,0 +1,2 @@ +# b/190336841 +dontaudit untrusted_app_29 sysfs_vendor_sched:dir search; diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index d2c20fe1..70579511 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -1,2 +1,6 @@ # b/176528557 dontaudit vendor_init debugfs_trace_marker:file { getattr }; +# b/190337297 +dontaudit vendor_init vendor_maxfg_debugfs:file setattr; +dontaudit vendor_init vendor_page_pinner_debugfs:file setattr; +dontaudit vendor_init vendor_regmap_debugfs:file setattr; diff --git a/vendor/google/bug_map b/vendor/google/bug_map new file mode 100644 index 00000000..370a3354 --- /dev/null +++ b/vendor/google/bug_map @@ -0,0 +1,2 @@ +bluetooth sysfs_vendor_sched file b/190336525 +mediaprovider_app sysfs_vendor_sched file b/190336723 From 1eb6bfcd3edc28f46cfb71b5cb40b34798528997 Mon Sep 17 00:00:00 2001 From: Denny cy Lee Date: Tue, 18 May 2021 15:08:58 +0800 Subject: [PATCH 329/921] Hardwareinfo: battery info porting Test: No read error in logcat Bug: 171947164 Bug: 181915166 Bug: 181177926 Bug: 181914888 Bug: 188627513 Change-Id: Ibbed06cc7e6eb00c8611cdc8bc95356b17c7e043 Signed-off-by: Denny cy Lee --- tracking_denials/hardware_info_app.te | 10 ---------- whitechapel/vendor/google/hardware_info_app.te | 9 ++++++++- 2 files changed, 8 insertions(+), 11 deletions(-) diff --git a/tracking_denials/hardware_info_app.te b/tracking_denials/hardware_info_app.te index 8e02952f..dd3c4647 100644 --- a/tracking_denials/hardware_info_app.te +++ b/tracking_denials/hardware_info_app.te 
@@ -1,14 +1,4 @@ -# b/181177926 -dontaudit hardware_info_app sysfs_batteryinfo:file { read }; -dontaudit hardware_info_app sysfs:file { read }; -dontaudit hardware_info_app sysfs:file { open }; -dontaudit hardware_info_app sysfs:file { getattr }; -dontaudit hardware_info_app sysfs_batteryinfo:dir { search }; # b/181914888 -dontaudit hardware_info_app sysfs_batteryinfo:file { open }; -dontaudit hardware_info_app sysfs_batteryinfo:file { getattr }; dontaudit hardware_info_app vendor_regmap_debugfs:dir { search }; # b/181915166 -dontaudit hardware_info_app sysfs_batteryinfo:file { getattr }; -dontaudit hardware_info_app sysfs_batteryinfo:file { open }; dontaudit hardware_info_app vendor_regmap_debugfs:dir { search }; diff --git a/whitechapel/vendor/google/hardware_info_app.te b/whitechapel/vendor/google/hardware_info_app.te index 90ed9a60..80b53377 100644 --- a/whitechapel/vendor/google/hardware_info_app.te +++ b/whitechapel/vendor/google/hardware_info_app.te @@ -14,4 +14,11 @@ allow hardware_info_app sysfs_pixelstats:file r_file_perms; # Storage allow hardware_info_app sysfs_scsi_devices_0000:dir search; -allow hardware_info_app sysfs_scsi_devices_0000:file r_file_perms; \ No newline at end of file +allow hardware_info_app sysfs_scsi_devices_0000:file r_file_perms; + +# Battery +allow hardware_info_app sysfs_batteryinfo:file r_file_perms; +allow hardware_info_app sysfs_batteryinfo:dir search; + +# SoC +allow hardware_info_app sysfs:file r_file_perms; From a457b1d6400f922525b293cb453bd4424eb388b7 Mon Sep 17 00:00:00 2001 
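Review bot: The new `allow hardware_info_app sysfs:file r_file_perms;` in whitechapel/vendor/google/hardware_info_app.te lets the app read every sysfs file that still carries the generic `sysfs` label, which is much wider than the "SoC" node its comment names. The battery rules added just above it use the dedicated `sysfs_batteryinfo` type, and the SoC path should be handled the same way. Label that node in genfs_contexts with its own type and grant against it, e.g. `allow hardware_info_app <soc_sysfs_type>:file r_file_perms;` (placeholder type name). The first 13 lines of the file are outside the hunk, so I cannot tell from here whether other rules already depend on the generic label.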
From: Rick Yiu Date: Tue, 8 Jun 2021 15:40:42 +0800 Subject: [PATCH 330/921] gs101-sepolicy: Fix tracking_denials of sysfs_vendor_sched Bug: 190368350 Test: build pass Change-Id: Id742e8328f63c04e5448225975897d8f6adc1e13 --- tracking_denials/logger_app.te | 2 -- tracking_denials/shell.te | 2 -- tracking_denials/untrusted_app.te | 2 -- whitechapel/vendor/google/logger_app.te | 1 + .../vendor/google}/mediaprovider.te | 1 - whitechapel/vendor/google/shell.te | 2 ++ whitechapel/vendor/google/untrusted_app.te | 1 + .../vendor/google}/untrusted_app_29.te | 1 - 8 files changed, 4 insertions(+), 8 deletions(-) delete mode 100644 tracking_denials/logger_app.te delete mode 100644 tracking_denials/shell.te rename {tracking_denials => whitechapel/vendor/google}/mediaprovider.te (79%) create mode 100644 whitechapel/vendor/google/untrusted_app.te rename {tracking_denials => whitechapel/vendor/google}/untrusted_app_29.te (80%) diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te deleted file mode 100644 index c927c3a5..00000000 --- a/tracking_denials/logger_app.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/190337281 -dontaudit logger_app sysfs_vendor_sched:dir search; diff --git a/tracking_denials/shell.te b/tracking_denials/shell.te deleted file mode 100644 index dd01cb38..00000000 --- a/tracking_denials/shell.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/190336524 -dontaudit shell sysfs_vendor_sched:dir search; diff --git a/tracking_denials/untrusted_app.te b/tracking_denials/untrusted_app.te index d81c48d3..9b098f88 100644 --- a/tracking_denials/untrusted_app.te +++ b/tracking_denials/untrusted_app.te @@ -2,5 +2,3 @@ dontaudit untrusted_app vendor_camera_prop:file { read }; dontaudit untrusted_app vendor_camera_prop:file { read }; dontaudit untrusted_app vendor_camera_prop:file { read }; -# b/190337295 -dontaudit untrusted_app sysfs_vendor_sched:dir search; 
diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te index fac3b5ea..8c8f5197 100644 --- a/whitechapel/vendor/google/logger_app.te +++ b/whitechapel/vendor/google/logger_app.te @@ -24,4 +24,5 @@ userdebug_or_eng(` set_prop(logger_app, vendor_wifi_sniffer_prop) dontaudit logger_app default_prop:file { read }; + dontaudit logger_app sysfs_vendor_sched:dir search; ') diff --git a/tracking_denials/mediaprovider.te b/whitechapel/vendor/google/mediaprovider.te similarity index 79% rename from tracking_denials/mediaprovider.te rename to whitechapel/vendor/google/mediaprovider.te index db311ea3..a1b629f8 100644 --- a/tracking_denials/mediaprovider.te +++ b/whitechapel/vendor/google/mediaprovider.te @@ -1,2 +1 @@ -# b/190336723 dontaudit mediaprovider sysfs_vendor_sched:dir search; diff --git a/whitechapel/vendor/google/shell.te b/whitechapel/vendor/google/shell.te index 3dd4a705..aa4dfa44 100644 --- a/whitechapel/vendor/google/shell.te +++ b/whitechapel/vendor/google/shell.te @@ -5,3 +5,5 @@ userdebug_or_eng(` allow shell sysfs_sjtag:dir r_dir_perms; allow shell sysfs_sjtag:file rw_file_perms; ') + +dontaudit shell sysfs_vendor_sched:dir search; diff --git a/whitechapel/vendor/google/untrusted_app.te b/whitechapel/vendor/google/untrusted_app.te new file mode 100644 index 00000000..4fbfe935 --- /dev/null +++ b/whitechapel/vendor/google/untrusted_app.te @@ -0,0 +1 @@ +dontaudit untrusted_app sysfs_vendor_sched:dir search; diff --git a/tracking_denials/untrusted_app_29.te b/whitechapel/vendor/google/untrusted_app_29.te similarity index 80% rename from tracking_denials/untrusted_app_29.te rename to whitechapel/vendor/google/untrusted_app_29.te index bf68b841..844bb6a4 100644 --- a/tracking_denials/untrusted_app_29.te +++ b/whitechapel/vendor/google/untrusted_app_29.te @@ -1,2 +1 @@ -# b/190336841 dontaudit untrusted_app_29 sysfs_vendor_sched:dir search; From e7ed46c52cbbc6ddc482dfd2b8009a1c03544733 Mon Sep 17 00:00:00 2001 
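Review bot: The `dontaudit ... sysfs_vendor_sched:dir search;` rules moved out of tracking_denials arrive in permanent policy with no comment and no bug reference. This applies to the added lines in logger_app.te, shell.te and untrusted_app.te, and to the renamed mediaprovider.te and untrusted_app_29.te, where `# b/190336723` and `# b/190336841` are dropped. A permanent dontaudit also removes the audit record that would show one of these domains touching the scheduler sysfs directory, so the reason for silencing it should stay next to the rule. I would put one line above each, for example `# Denied on purpose; suppressed to keep logs clean, see b/<bug id>` (placeholder id). The logger_app.te rule appears to sit inside a `userdebug_or_eng` block that begins at or before the start of the hunk.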
From: Adam Shih Date: Wed, 9 Jun 2021 10:37:14 +0800 Subject: [PATCH 331/921] organize EdgeTPU modules and sepolicy Bug: 190331327 Bug: 190331548 Bug: 189895600 Bug: 190331108 Bug: 182524105 Bug: 183935302 Test: build ROM and check if the modules and sepolicy are still there Change-Id: I40391a239a16c4fe79d58fab209dcbd1a8f25ede --- edgetpu/device.te | 2 ++ .../google => edgetpu}/edgetpu_app_service.te | 3 --- .../google => edgetpu}/edgetpu_logging.te | 0 .../edgetpu_vendor_service.te | 0 edgetpu/file.te | 9 +++++++ edgetpu/file_contexts | 25 +++++++++++++++++++ edgetpu/genfs_contexts | 4 +++ .../hal_neuralnetworks_darwinn.te | 0 .../vendor/google => edgetpu}/priv_app.te | 0 edgetpu/property.te | 4 +++ edgetpu/property_contexts | 3 +++ edgetpu/service.te | 5 ++++ edgetpu/service_contexts | 7 ++++++ edgetpu/untrusted_app_all.te | 7 ++++++ edgetpu/vendor_init.te | 1 + .../hal_neuralnetworks_darwinn.te | 14 ----------- whitechapel/vendor/google/device.te | 3 --- whitechapel/vendor/google/file.te | 9 ------- whitechapel/vendor/google/file_contexts | 25 ------------------- whitechapel/vendor/google/genfs_contexts | 4 --- whitechapel/vendor/google/property.te | 4 --- whitechapel/vendor/google/property_contexts | 3 --- whitechapel/vendor/google/service.te | 2 -- whitechapel/vendor/google/service_contexts | 7 ------ .../vendor/google/untrusted_app_all.te | 7 ------ whitechapel/vendor/google/vendor_init.te | 1 - 26 files changed, 67 insertions(+), 82 deletions(-) create mode 100644 edgetpu/device.te rename {whitechapel/vendor/google => edgetpu}/edgetpu_app_service.te (94%) rename {whitechapel/vendor/google => edgetpu}/edgetpu_logging.te (100%) rename {whitechapel/vendor/google => edgetpu}/edgetpu_vendor_service.te (100%) create mode 100644 edgetpu/file.te create mode 100644 edgetpu/file_contexts create mode 100644 edgetpu/genfs_contexts rename {whitechapel/vendor/google => edgetpu}/hal_neuralnetworks_darwinn.te (100%) rename {whitechapel/vendor/google => edgetpu}/priv_app.te 
(100%) create mode 100644 edgetpu/property.te create mode 100644 edgetpu/property_contexts create mode 100644 edgetpu/service.te create mode 100644 edgetpu/service_contexts create mode 100644 edgetpu/untrusted_app_all.te create mode 100644 edgetpu/vendor_init.te delete mode 100644 tracking_denials/hal_neuralnetworks_darwinn.te diff --git a/edgetpu/device.te b/edgetpu/device.te new file mode 100644 index 00000000..9296ba50 --- /dev/null +++ b/edgetpu/device.te @@ -0,0 +1,2 @@ +# EdgeTPU device (DarwiNN) +type edgetpu_device, dev_type, mlstrustedobject; diff --git a/whitechapel/vendor/google/edgetpu_app_service.te b/edgetpu/edgetpu_app_service.te similarity index 94% rename from whitechapel/vendor/google/edgetpu_app_service.te rename to edgetpu/edgetpu_app_service.te index ffecdd1f..58ce2464 100644 --- a/whitechapel/vendor/google/edgetpu_app_service.te +++ b/edgetpu/edgetpu_app_service.te @@ -9,9 +9,6 @@ binder_use(edgetpu_app_server); # The server will serve a binder service. binder_service(edgetpu_app_server); -# EdgeTPU binder service type declaration. -type edgetpu_app_service, service_manager_type; - # EdgeTPU server to register the service to service_manager. add_service(edgetpu_app_server, edgetpu_app_service); diff --git a/whitechapel/vendor/google/edgetpu_logging.te b/edgetpu/edgetpu_logging.te similarity index 100% rename from whitechapel/vendor/google/edgetpu_logging.te rename to edgetpu/edgetpu_logging.te diff --git a/whitechapel/vendor/google/edgetpu_vendor_service.te b/edgetpu/edgetpu_vendor_service.te similarity index 100% rename from whitechapel/vendor/google/edgetpu_vendor_service.te rename to edgetpu/edgetpu_vendor_service.te diff --git a/edgetpu/file.te b/edgetpu/file.te new file mode 100644 index 00000000..2482dbf3 --- /dev/null +++ b/edgetpu/file.te 
@@ -0,0 +1,9 @@
+# EdgeTPU sysfs
+type sysfs_edgetpu, sysfs_type, fs_type;
+
+# EdgeTPU hal data file
+type hal_neuralnetworks_darwinn_data_file, file_type, data_file_type;
+
+# EdgeTPU vendor service data file
+type edgetpu_vendor_service_data_file, file_type, data_file_type;
+
diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts
new file mode 100644
index 00000000..e0439c40
--- /dev/null
+++ b/edgetpu/file_contexts
@@ -0,0 +1,25 @@
+# EdgeTPU logging service
+/vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0
+
+# EdgeTPU device (DarwiNN)
+/dev/abrolhos u:object_r:edgetpu_device:s0
+
+# EdgeTPU service binaries and libraries
+/system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service u:object_r:edgetpu_app_server_exec:s0
+/vendor/lib64/com\.google\.edgetpu_app_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0
+
+# EdgeTPU vendor service
+/vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service u:object_r:edgetpu_vendor_server_exec:s0
+/vendor/lib64/com\.google\.edgetpu_vendor_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
+
+# EdgeTPU runtime libraries
+/vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0
+
+# EdgeTPU data files
+/data/vendor/edgetpu(/.*)? u:object_r:edgetpu_vendor_service_data_file:s0
+/data/vendor/hal_neuralnetworks_darwinn(/.*)? u:object_r:hal_neuralnetworks_darwinn_data_file:s0
+
+# NeuralNetworks file contexts
+/vendor/bin/hw/android\.hardware\.neuralnetworks@service-darwinn-aidl u:object_r:hal_neuralnetworks_darwinn_exec:s0
+
diff --git a/edgetpu/genfs_contexts b/edgetpu/genfs_contexts
new file mode 100644
index 00000000..345d2990
--- /dev/null
+++ b/edgetpu/genfs_contexts
@@ -0,0 +1,4 @@
+# EdgeTPU
+genfscon sysfs /devices/platform/1ce00000.abrolhos u:object_r:sysfs_edgetpu:s0
+genfscon sysfs /devices/platform/abrolhos u:object_r:sysfs_edgetpu:s0
+
diff --git a/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te b/edgetpu/hal_neuralnetworks_darwinn.te
similarity index 100%
rename from whitechapel/vendor/google/hal_neuralnetworks_darwinn.te
rename to edgetpu/hal_neuralnetworks_darwinn.te
diff --git a/whitechapel/vendor/google/priv_app.te b/edgetpu/priv_app.te
similarity index 100%
rename from whitechapel/vendor/google/priv_app.te
rename to edgetpu/priv_app.te
diff --git a/edgetpu/property.te b/edgetpu/property.te
new file mode 100644
index 00000000..ed93d448
--- /dev/null
+++ b/edgetpu/property.te
@@ -0,0 +1,4 @@
+# EdgeTPU service requires system public properties
+# since it lives under /system_ext/.
+system_public_prop(vendor_edgetpu_service_prop)
+
diff --git a/edgetpu/property_contexts b/edgetpu/property_contexts
new file mode 100644
index 00000000..130cfefe
--- /dev/null
+++ b/edgetpu/property_contexts
@@ -0,0 +1,3 @@
+# for EdgeTPU
+vendor.edgetpu.service. u:object_r:vendor_edgetpu_service_prop:s0
+
diff --git a/edgetpu/service.te b/edgetpu/service.te
new file mode 100644
index 00000000..46bee033
--- /dev/null
+++ b/edgetpu/service.te
@@ -0,0 +1,5 @@
+# EdgeTPU binder service type declaration.
+type edgetpu_app_service, service_manager_type;
+
+type edgetpu_vendor_service, service_manager_type, vendor_service;
+type edgetpu_nnapi_service, app_api_service, service_manager_type, vendor_service;
diff --git a/edgetpu/service_contexts b/edgetpu/service_contexts
new file mode 100644
index 00000000..76fe43da
--- /dev/null
+++ b/edgetpu/service_contexts
@@ -0,0 +1,7 @@
+# EdgeTPU service
+com.google.edgetpu.IEdgeTpuAppService/default u:object_r:edgetpu_app_service:s0
+com.google.edgetpu.IEdgeTpuVendorService/default u:object_r:edgetpu_vendor_service:s0
+
+# TPU NNAPI Service
+android.hardware.neuralnetworks.IDevice/google-edgetpu u:object_r:edgetpu_nnapi_service:s0
+
diff --git a/edgetpu/untrusted_app_all.te b/edgetpu/untrusted_app_all.te
new file mode 100644
index 00000000..9abec616
--- /dev/null
+++ b/edgetpu/untrusted_app_all.te
@@ -0,0 +1,7 @@
+# Allows applications to discover the EdgeTPU service.
+allow untrusted_app_all edgetpu_app_service:service_manager find;
+
+# Allows applications to access the EdgeTPU device, except open, which is guarded
+# by the EdgeTPU service.
+allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };
+
diff --git a/edgetpu/vendor_init.te b/edgetpu/vendor_init.te
new file mode 100644
index 00000000..aec79583
--- /dev/null
+++ b/edgetpu/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_edgetpu_service_prop)
diff --git a/tracking_denials/hal_neuralnetworks_darwinn.te b/tracking_denials/hal_neuralnetworks_darwinn.te
deleted file mode 100644
index 54fa8a2f..00000000
--- a/tracking_denials/hal_neuralnetworks_darwinn.te
+++ /dev/null
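Review bot: `allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };` in edgetpu/untrusted_app_all.te gives every untrusted app the full ioctl command space of the EdgeTPU driver once it holds a descriptor, because no `allowxperm` rule narrows it. The comment relies on `open` being withheld, but that only controls who obtains the descriptor, not which commands can be issued on it afterwards. I would add an allowlist beside the rule, `allowxperm untrusted_app_all edgetpu_device:chr_file ioctl { <ioctl commands the client library needs> };` (placeholder list). The comment should also say which component hands the descriptor to apps, so the trust boundary is documented where the rule lives.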
@@ -1,14 +0,0 @@ -# b/182524105 -dontaudit hal_neuralnetworks_darwinn tmpfs:file { open }; -dontaudit hal_neuralnetworks_darwinn tmpfs:file { write }; -dontaudit hal_neuralnetworks_darwinn tmpfs:file { map }; -dontaudit hal_neuralnetworks_darwinn tmpfs:file { write }; -dontaudit hal_neuralnetworks_darwinn tmpfs:file { read }; -dontaudit hal_neuralnetworks_darwinn tmpfs:file { open }; -dontaudit hal_neuralnetworks_darwinn tmpfs:file { map }; -dontaudit hal_neuralnetworks_darwinn tmpfs:file { read }; -dontaudit hal_neuralnetworks_darwinn tmpfs:file { read }; -dontaudit hal_neuralnetworks_darwinn tmpfs:file { read }; -# b/183935302 -dontaudit hal_neuralnetworks_darwinn proc_version:file { read }; -dontaudit hal_neuralnetworks_darwinn proc_version:file { read }; diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index 63bd3191..68a73c6f 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -21,9 +21,6 @@ type tui_device, dev_type; # usbpd type logbuffer_device, dev_type; -# EdgeTPU device (DarwiNN) -type edgetpu_device, dev_type, mlstrustedobject; - #cpuctl type cpuctl_device, dev_type; diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 412f03d0..3518beaa 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -133,15 +133,6 @@ type persist_camera_file, file_type; type vendor_camera_tuning_file, vendor_file_type, file_type; type vendor_camera_data_file, file_type, data_file_type; -# EdgeTPU hal data file -type hal_neuralnetworks_darwinn_data_file, file_type, data_file_type; - -# EdgeTPU vendor service data file -type edgetpu_vendor_service_data_file, file_type, data_file_type; - -# EdgeTPU sysfs -type sysfs_edgetpu, sysfs_type, fs_type; - # Vendor sched files type sysfs_vendor_sched, sysfs_type, fs_type; userdebug_or_eng(` 
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 45d9d762..d04d3abe 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -344,9 +344,6 @@ # AoC file contexts. /vendor/bin/aocd u:object_r:aocd_exec:s0 -# NeuralNetworks file contexts -/vendor/bin/hw/android\.hardware\.neuralnetworks@service-darwinn-aidl u:object_r:hal_neuralnetworks_darwinn_exec:s0 - # GRIL /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 @@ -363,28 +360,6 @@ # Citadel StrongBox /dev/gsc0 u:object_r:citadel_device:s0 -# EdgeTPU device (DarwiNN) -/dev/abrolhos u:object_r:edgetpu_device:s0 - -# EdgeTPU logging service -/vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0 - -# EdgeTPU service binaries and libraries -/system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service u:object_r:edgetpu_app_server_exec:s0 -/vendor/lib64/com\.google\.edgetpu_app_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 -/vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0 - -# EdgeTPU vendor service -/vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service u:object_r:edgetpu_vendor_server_exec:s0 -/vendor/lib64/com\.google\.edgetpu_vendor_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 - -# EdgeTPU runtime libraries -/vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0 - -# EdgeTPU data files -/data/vendor/edgetpu(/.*)? u:object_r:edgetpu_vendor_service_data_file:s0 -/data/vendor/hal_neuralnetworks_darwinn(/.*)? u:object_r:hal_neuralnetworks_darwinn_data_file:s0 - # Tetheroffload Service /dev/dit2 u:object_r:vendor_toe_device:s0 /vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.0-service u:object_r:hal_tetheroffload_default_exec:s0 
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 3a31a33a..f384ae6a 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -109,10 +109,6 @@ genfscon proc /fts/driver_test genfscon proc /fts_ext/driver_test u:object_r:proc_touch:s0 genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0 -# EdgeTPU -genfscon sysfs /devices/platform/1ce00000.abrolhos u:object_r:sysfs_edgetpu:s0 -genfscon sysfs /devices/platform/abrolhos u:object_r:sysfs_edgetpu:s0 - # Vendor sched files genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0 genfscon proc /vendor_sched u:object_r:proc_vendor_sched:s0 diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index f540c88a..9454c2eb 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -27,10 +27,6 @@ vendor_internal_prop(vendor_camera_debug_prop) vendor_internal_prop(vendor_camera_fatp_prop) vendor_internal_prop(vendor_gps_prop) -# EdgeTPU service requires system public properties -# since it lives under /system_ext/. -system_public_prop(vendor_edgetpu_service_prop) - # Battery defender vendor_internal_prop(vendor_battery_defender_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 61497257..94d4065f 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -90,9 +90,6 @@ vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0 # for gps vendor.gps u:object_r:vendor_gps_prop:s0 -# for EdgeTPU -vendor.edgetpu.service. u:object_r:vendor_edgetpu_service_prop:s0 - # SecureElement persist.vendor.se. u:object_r:vendor_secure_element_prop:s0 diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te index c47e63f9..99e99483 100644 --- a/whitechapel/vendor/google/service.te 
+++ b/whitechapel/vendor/google/service.te @@ -2,5 +2,3 @@ type hal_pixel_display_service, service_manager_type, vendor_service; type uwb_vendor_service, service_manager_type, vendor_service; type touch_context_service, service_manager_type, vendor_service; type hal_uwb_service, service_manager_type, vendor_service; -type edgetpu_vendor_service, service_manager_type, vendor_service; -type edgetpu_nnapi_service, app_api_service, service_manager_type, vendor_service; diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index 4e005ec4..687f8cc8 100644 --- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts @@ -1,10 +1,3 @@ -# EdgeTPU service -com.google.edgetpu.IEdgeTpuAppService/default u:object_r:edgetpu_app_service:s0 -com.google.edgetpu.IEdgeTpuVendorService/default u:object_r:edgetpu_vendor_service:s0 - -# TPU NNAPI Service -android.hardware.neuralnetworks.IDevice/google-edgetpu u:object_r:edgetpu_nnapi_service:s0 - com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0 uwb_vendor u:object_r:uwb_vendor_service:s0 diff --git a/whitechapel/vendor/google/untrusted_app_all.te b/whitechapel/vendor/google/untrusted_app_all.te index cd7fb41a..a4d8beb8 100644 --- a/whitechapel/vendor/google/untrusted_app_all.te +++ b/whitechapel/vendor/google/untrusted_app_all.te 
@@ -1,10 +1,3 @@ -# Allows applications to discover the EdgeTPU service. -allow untrusted_app_all edgetpu_app_service:service_manager find; - -# Allows applications to access the EdgeTPU device, except open, which is guarded -# by the EdgeTPU service. -allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map }; - # Allows Exoplayer(and other applications) access to the vstream-secure DMA-BUF heap # for secure video playback allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms; diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 5a86aded..8e3e369c 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -10,7 +10,6 @@ set_prop(vendor_init, vendor_rcs_prop) set_prop(vendor_init, vendor_ssrdump_prop) set_prop(vendor_init, vendor_ro_config_default_prop) get_prop(vendor_init, vendor_touchpanel_prop) -set_prop(vendor_init, vendor_edgetpu_service_prop) set_prop(vendor_init, vendor_tcpdump_log_prop) set_prop(vendor_init, vendor_thermal_prop) From 6ce3aa9d7540f379e4694bda1afa1ba3be0dc496 Mon Sep 17 00:00:00 2001 From: sukiliu Date: Wed, 9 Jun 2021 14:07:19 +0800 Subject: [PATCH 332/921] Update avc error on ROM 7440434 Bug: b/190563838 Bug: b/190563916 Bug: b/190563896 Bug: b/190563897 Test: Test: PtsSELinuxTestCases Change-Id: Idbd0bc0f9a4770b3f976196058a311820e6e3c11 --- tracking_denials/bluetooth.te | 2 ++ tracking_denials/hal_neuralnetworks_armnn.te | 2 ++ tracking_denials/priv_app.te | 2 ++ vendor/google/bug_map | 1 + 4 files changed, 7 insertions(+) create mode 100644 tracking_denials/bluetooth.te diff --git a/tracking_denials/bluetooth.te b/tracking_denials/bluetooth.te new file mode 100644 index 00000000..ff6d7f9b --- /dev/null +++ b/tracking_denials/bluetooth.te @@ -0,0 +1,2 @@ +# b/190563916 +dontaudit bluetooth sysfs_vendor_sched:dir search; 
diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te index 04941460..120510fd 100644 --- a/tracking_denials/hal_neuralnetworks_armnn.te +++ b/tracking_denials/hal_neuralnetworks_armnn.te @@ -1,3 +1,5 @@ # b/180550063 dontaudit hal_neuralnetworks_armnn system_data_file:dir { search }; dontaudit hal_neuralnetworks_armnn system_data_file:dir { search }; +# b/190563897 +dontaudit hal_neuralnetworks_armnn default_prop:file read; diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te index bebe3936..f3e34533 100644 --- a/tracking_denials/priv_app.te +++ b/tracking_denials/priv_app.te @@ -1,2 +1,4 @@ # b/187016930 dontaudit priv_app fwk_stats_service:service_manager find ; +# b/190563838 +dontaudit priv_app sysfs_chip_id:file getattr; diff --git a/vendor/google/bug_map b/vendor/google/bug_map index 370a3354..664a7160 100644 --- a/vendor/google/bug_map +++ b/vendor/google/bug_map @@ -1,2 +1,3 @@ bluetooth sysfs_vendor_sched file b/190336525 mediaprovider_app sysfs_vendor_sched file b/190336723 +hal_graphics_composer_default sysfs_lhbm file b/190563896 From 8947d2dfebea6f3fe2be1ac87492e67ee72b5915 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 9 Jun 2021 13:59:09 +0800 Subject: [PATCH 333/921] reorganize trusty_metricsd settings Bug: 190331503 Test: build ROM and see the file and sepolicy settings are still there Change-Id: Ib157f64428166232c3bbbd176d3c1fbed4ac31d6 --- trusty_metricsd/file_contexts | 1 + .../vendor/google => trusty_metricsd}/trusty_metricsd.te | 0 whitechapel/vendor/google/file_contexts | 1 - 3 files changed, 1 insertion(+), 1 deletion(-) create mode 100644 trusty_metricsd/file_contexts rename {whitechapel/vendor/google => trusty_metricsd}/trusty_metricsd.te (100%) diff --git a/trusty_metricsd/file_contexts b/trusty_metricsd/file_contexts new file mode 100644 index 00000000..bedf7437 --- /dev/null +++ b/trusty_metricsd/file_contexts 
@@ -0,0 +1 @@ +/vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0 diff --git a/whitechapel/vendor/google/trusty_metricsd.te b/trusty_metricsd/trusty_metricsd.te similarity index 100% rename from whitechapel/vendor/google/trusty_metricsd.te rename to trusty_metricsd/trusty_metricsd.te diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index d04d3abe..71864a0d 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -328,7 +328,6 @@ /vendor/bin/securedpud.slider u:object_r:securedpud_slider_exec:s0 /vendor/bin/storageproxyd u:object_r:tee_exec:s0 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0 -/vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 /vendor/bin/hw/android\.hardware\.keymaster@4\.0-service\.trusty u:object_r:hal_keymaster_default_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0 From ef113ab8ace937fedd37cb4af80eb7b1d7951c44 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 10 Jun 2021 10:05:03 +0800 Subject: [PATCH 334/921] update wakeup node Bug: 190672147 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I3a8e8fa8b9007f556a5bfb402c4e8c726499d66f --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 8ede0afd..118f0fc1 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -211,6 +211,7 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_sup genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup/wakeup u:object_r:sysfs_wakeup:s0 # OTA genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 From 797b646234dc1d97fd15cb263342d7bc0971d0b1 Mon Sep 17 00:00:00 2001 From: Rick Yiu Date: Thu, 10 Jun 2021 11:30:11 +0800 Subject: [PATCH 335/921] gs101-sepolicy: Fix avc denial for sysfs_vendor_sched Fix mediaprovider_app and bluetooth Bug: 190563839 Bug: 190563916 Test: build pass Change-Id: I477325ee812d1362db4d5005e999cba989a44216 --- gs101-sepolicy.mk | 3 +++ private/mediaprovider_app.te | 2 ++ public/file.te | 7 +++++++ tracking_denials/bluetooth.te | 2 -- whitechapel/vendor/google/bluetooth.te | 3 +++ whitechapel/vendor/google/file.te | 7 ------- 6 files changed, 15 insertions(+), 9 deletions(-) create mode 100644 private/mediaprovider_app.te create mode 100644 public/file.te delete mode 100644 tracking_denials/bluetooth.te create mode 100644 whitechapel/vendor/google/bluetooth.te diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk index ffe102f8..989bb70b 100644 --- a/gs101-sepolicy.mk +++ b/gs101-sepolicy.mk @@ -37,3 +37,6 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_sniffer # Wifi Logger BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_logger + +# Public +PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs101-sepolicy/public diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te new file mode 100644 index 00000000..9d508444 --- /dev/null +++ b/private/mediaprovider_app.te 
@@ -0,0 +1,2 @@ +dontaudit mediaprovider_app sysfs_vendor_sched:dir search; + diff --git a/public/file.te b/public/file.te new file mode 100644 index 00000000..4c15c474 --- /dev/null +++ b/public/file.te @@ -0,0 +1,7 @@ +# Vendor sched files +type sysfs_vendor_sched, sysfs_type, fs_type; +userdebug_or_eng(` + typeattribute sysfs_vendor_sched mlstrustedobject; +') +type proc_vendor_sched, proc_type, fs_type; + diff --git a/tracking_denials/bluetooth.te b/tracking_denials/bluetooth.te deleted file mode 100644 index ff6d7f9b..00000000 --- a/tracking_denials/bluetooth.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/190563916 -dontaudit bluetooth sysfs_vendor_sched:dir search; diff --git a/whitechapel/vendor/google/bluetooth.te b/whitechapel/vendor/google/bluetooth.te new file mode 100644 index 00000000..b246eca1 --- /dev/null +++ b/whitechapel/vendor/google/bluetooth.te @@ -0,0 +1,3 @@ +allow bluetooth sysfs_vendor_sched:dir search; +allow bluetooth sysfs_vendor_sched:file w_file_perms; + diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index e0a05a57..55d1f164 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -134,13 +134,6 @@ type vendor_camera_tuning_file, vendor_file_type, file_type; type vendor_camera_data_file, file_type, data_file_type; type sysfs_camera, sysfs_type, fs_type; -# Vendor sched files -type sysfs_vendor_sched, sysfs_type, fs_type; -userdebug_or_eng(` - typeattribute sysfs_vendor_sched mlstrustedobject; -') -type proc_vendor_sched, proc_type, fs_type; - # GPS type vendor_gps_file, file_type, data_file_type; userdebug_or_eng(` From d27e574f3edf39d30bda356800e07a8d3e90f079 Mon Sep 17 00:00:00 2001 
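Review bot: `allow bluetooth sysfs_vendor_sched:file w_file_perms;` in whitechapel/vendor/google/bluetooth.te turns a suppressed `dir search` denial into write access to every file labelled `sysfs_vendor_sched`, and nothing in the file says which node bluetooth has to write. The genfs_contexts context shown earlier in this series puts the whole `/kernel/vendor_sched` directory under that one label, so the bluetooth domain can now change any scheduler tunable exposed there. I would record the need above the rule, `# bluetooth writes <node> under vendor_sched to <purpose>; see b/190563916` (placeholders for node and purpose). If only one node is needed, give it a narrower type in genfs_contexts and grant against that instead.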
From: sukiliu Date: Thu, 10 Jun 2021 10:58:45 +0800 Subject: [PATCH 336/921] Update avc error on ROM 7444346 Bug: 190672147 Bug: 190671898 Test: Test: PtsSELinuxTestCases Change-Id: Ie9400df24f30474915d757b61ddb1c3fb77903c5 --- private/system_suspend.te | 2 ++ vendor/google/bug_map | 1 + 2 files changed, 3 insertions(+) create mode 100644 private/system_suspend.te diff --git a/private/system_suspend.te b/private/system_suspend.te new file mode 100644 index 00000000..004de9f1 --- /dev/null +++ b/private/system_suspend.te @@ -0,0 +1,2 @@ +# b/190672147 +dontaudit system_suspend sysfs:dir read; diff --git a/vendor/google/bug_map b/vendor/google/bug_map index 664a7160..ecb75fb9 100644 --- a/vendor/google/bug_map +++ b/vendor/google/bug_map @@ -1,3 +1,4 @@ bluetooth sysfs_vendor_sched file b/190336525 mediaprovider_app sysfs_vendor_sched file b/190336723 hal_graphics_composer_default sysfs_lhbm file b/190563896 +permissioncontroller_app sysfs_vendor_sched file b/190671898 From 985aa698c7c4a104135b92d263922b50fbfcad22 Mon Sep 17 00:00:00 2001 From: Sung-fang Tsai Date: Sat, 22 May 2021 15:22:47 +0000 Subject: [PATCH 337/921] qllow priv-app to access Pixel power HAL extension. SELinux issues to solve: native : aion.cc:780 Error loading lib_aion_buffer.so dlopen failed: library "pixel-power-ext-V1-ndk_platform.so" not found: needed by /vendor/lib64/lib_aion_buffer.so in namespace sphal 05-23 10:11:32.055 420 420 E SELinux : avc: denied { find } for pid=6630 uid=10089 name=android.hardware.power.IPower/default scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:hal_power_service:s0 tclass=service_manager permissive=0 Bug: 187373665 Test: Passed, procedure listed in b/187373665#comment8 with forrest. Change-Id: Ice7c69bca4a029a61ca1ccb7087ea01948ae5f24 --- edgetpu/priv_app.te | 3 +++ whitechapel/vendor/google/file_contexts | 1 + 2 files changed, 4 insertions(+) diff --git a/edgetpu/priv_app.te b/edgetpu/priv_app.te index a9b49c33..db6e0a27 100644 --- a/edgetpu/priv_app.te 
+++ b/edgetpu/priv_app.te @@ -7,3 +7,6 @@ allow priv_app edgetpu_nnapi_service:service_manager find; # Allows privileged applications to access the EdgeTPU device, except open, # which is guarded by the EdgeTPU service. allow priv_app edgetpu_device:chr_file { getattr read write ioctl map }; + +# Allows privileged applications to access the PowerHAL. +hal_client_domain(priv_app, hal_power) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 71864a0d..6c9bc57f 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -177,6 +177,7 @@ /data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0 /vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libGralloc4Wrapper\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/pixel-power-ext-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 /dev/stmvl53l1_ranging u:object_r:rls_device:s0 From 7db400b679a7e7dee561738d657639323347edca Mon Sep 17 00:00:00 2001 From: Kris Chen Date: Wed, 12 May 2021 18:29:45 +0800 Subject: [PATCH 338/921] Add sepolicy to let fingerprint access power service Fix the following avc denial: SELinux : avc: denied { find } for pid=1055 uid=1000 name=android.hardware.power.IPower/default scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:hal_power_service:s0 tclass=service_manager permissive=0 Bug: 185893477 Test: Observe from systrace that the CPU frequency is boosted when running fingerprint algorithm. Change-Id: I245058b912ec2af3555154934dbe722b445181a9 --- whitechapel/vendor/google/hal_fingerprint_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te index c6d64d5d..755ab473 100644 --- a/whitechapel/vendor/google/hal_fingerprint_default.te +++ b/whitechapel/vendor/google/hal_fingerprint_default.te 
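Review bot: `hal_client_domain(priv_app, hal_power)` makes every privileged app a client of the power HAL, while the denial quoted in the commit message comes from a single process that loads lib_aion_buffer.so. The rule is also filed in edgetpu/priv_app.te, where someone auditing power-HAL clients is unlikely to look, and its comment does not give the reason. If the grant cannot be limited to the one app that needs it, the comment should at least carry the justification, e.g. `# lib_aion_buffer.so runs in-process in priv_app and calls IPower; see b/187373665`. The hunk starts at line 7 of the file, so the earlier priv_app rules are outside this view.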
@@ -12,3 +12,6 @@ userdebug_or_eng(` get_prop(hal_fingerprint_default, vendor_fingerprint_fake_prop) ') add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice) + +# allow fingerprint to access power hal +hal_client_domain(hal_fingerprint_default, hal_power); From 25373353a77e56684b72107a2563df678404aeff Mon Sep 17 00:00:00 2001 From: Denny cy Lee Date: Tue, 1 Jun 2021 18:28:06 +0800 Subject: [PATCH 339/921] Sepolicy: Remove permission for fuel gauge Bug: 189811224 Test: manually, read success in enforcing mode Change-Id: Ie56179980a9946010fb25683e3819cddbfb93cfb Signed-off-by: Denny cy Lee --- tracking_denials/hardware_info_app.te | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 tracking_denials/hardware_info_app.te diff --git a/tracking_denials/hardware_info_app.te b/tracking_denials/hardware_info_app.te deleted file mode 100644 index dd3c4647..00000000 --- a/tracking_denials/hardware_info_app.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/181914888 -dontaudit hardware_info_app vendor_regmap_debugfs:dir { search }; -# b/181915166 -dontaudit hardware_info_app vendor_regmap_debugfs:dir { search }; From d00aafac7554fc35e51cb2dd4e5bc01d0738f177 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Fri, 11 Jun 2021 10:18:02 +0800 Subject: [PATCH 340/921] remove obsolete entries Bug: 190672147 Bug: 173969091 Bug: 171760921 Bug: 178331773 Bug: 178752616 Bug: 188752940 Bug: 184005231 Bug: 182086688 Bug: 177176899 Bug: 182953825 Bug: 176528557 Bug: 183935382 Test: boot and do bugreport with no relevant error showed up Change-Id: I869db698e96d2d6cfd533b7fd24c8c88d39fd0eb --- private/system_suspend.te | 2 -- tracking_denials/gpsd.te | 11 ----------- tracking_denials/hal_power_default.te | 14 -------------- tracking_denials/ofl_app.te | 3 --- tracking_denials/servicemanager.te | 3 --- tracking_denials/surfaceflinger.te | 10 ---------- tracking_denials/trusty_apploader.te | 3 --- tracking_denials/vendor_init.te | 2 -- tracking_denials/vendor_rcs_app.te | 3 --- 9 files changed, 51 deletions(-) delete mode 100644 private/system_suspend.te delete mode 100644 tracking_denials/gpsd.te delete mode 100644 tracking_denials/hal_power_default.te delete mode 100644 tracking_denials/ofl_app.te delete mode 100644 tracking_denials/servicemanager.te delete mode 100644 tracking_denials/trusty_apploader.te delete mode 100644 tracking_denials/vendor_rcs_app.te diff --git a/private/system_suspend.te b/private/system_suspend.te deleted file mode 100644 index 004de9f1..00000000 --- a/private/system_suspend.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/190672147 -dontaudit system_suspend sysfs:dir read; diff --git a/tracking_denials/gpsd.te b/tracking_denials/gpsd.te deleted file mode 100644 index fe554396..00000000 --- a/tracking_denials/gpsd.te +++ /dev/null 
@@ -1,11 +0,0 @@ -# b/173969091 -dontaudit gpsd radio_prop:file { read }; -dontaudit gpsd radio_prop:file { open }; -dontaudit gpsd radio_prop:file { map }; -dontaudit gpsd radio_prop:file { map }; -dontaudit gpsd system_data_file:dir { search }; -dontaudit gpsd radio_prop:file { read }; -dontaudit gpsd radio_prop:file { open }; -dontaudit gpsd radio_prop:file { getattr }; -dontaudit gpsd system_data_file:dir { search }; -dontaudit gpsd radio_prop:file { getattr }; diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te deleted file mode 100644 index 260747fc..00000000 --- a/tracking_denials/hal_power_default.te +++ /dev/null @@ -1,14 +0,0 @@ -# b/171760921 -dontaudit hal_power_default hal_power_default:capability { dac_override }; -# b/178331773 -dontaudit hal_power_default sysfs:file { write }; -dontaudit hal_power_default sysfs:file { open }; -dontaudit hal_power_default sysfs:file { write }; -dontaudit hal_power_default sysfs:file { open }; -# b/178752616 -dontaudit hal_power_default sysfs:file { read }; -dontaudit hal_power_default sysfs:file { getattr }; -dontaudit hal_power_default sysfs:file { read }; -dontaudit hal_power_default sysfs:file { getattr }; -# b/188752940 -dontaudit hal_power_default hal_power_default:capability dac_read_search; diff --git a/tracking_denials/ofl_app.te b/tracking_denials/ofl_app.te deleted file mode 100644 index 525ebdad..00000000 --- a/tracking_denials/ofl_app.te +++ /dev/null @@ -1,3 +0,0 @@ -# b/184005231 -dontaudit ofl_app default_prop:file { read }; - diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te deleted file mode 100644 index 0900dcdf..00000000 --- a/tracking_denials/servicemanager.te +++ /dev/null @@ -1,3 +0,0 @@ -# b/182086688 -dontaudit servicemanager hal_sensors_default:binder { call }; -dontaudit servicemanager hal_sensors_default:binder { call }; 
diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te index 1f7fd2ad..2db24d73 100644 --- a/tracking_denials/surfaceflinger.te +++ b/tracking_denials/surfaceflinger.te @@ -1,12 +1,2 @@ # b/176868297 dontaudit surfaceflinger hal_graphics_composer_default:dir search ; -# b/177176899 -dontaudit surfaceflinger hal_graphics_composer_default:file open ; -dontaudit surfaceflinger hal_graphics_composer_default:file read ; -dontaudit surfaceflinger hal_graphics_composer_default:file getattr ; -dontaudit surfaceflinger hal_graphics_composer_default:file read ; -dontaudit surfaceflinger hal_graphics_composer_default:file open ; -dontaudit surfaceflinger hal_graphics_composer_default:file read ; -dontaudit surfaceflinger hal_graphics_composer_default:file open ; -dontaudit surfaceflinger hal_graphics_composer_default:file getattr ; -dontaudit surfaceflinger hal_graphics_composer_default:file getattr ; diff --git a/tracking_denials/trusty_apploader.te b/tracking_denials/trusty_apploader.te deleted file mode 100644 index 3f6e9ae9..00000000 --- a/tracking_denials/trusty_apploader.te +++ /dev/null @@ -1,3 +0,0 @@ -# b/182953825 -dontaudit trusty_apploader trusty_apploader:capability { dac_override }; -dontaudit trusty_apploader trusty_apploader:capability { dac_override }; diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index 70579511..b908a763 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -1,5 +1,3 @@ -# b/176528557 -dontaudit vendor_init debugfs_trace_marker:file { getattr }; # b/190337297 dontaudit vendor_init vendor_maxfg_debugfs:file setattr; dontaudit vendor_init vendor_page_pinner_debugfs:file setattr; diff --git a/tracking_denials/vendor_rcs_app.te b/tracking_denials/vendor_rcs_app.te deleted file mode 100644 index 4fdde216..00000000 --- a/tracking_denials/vendor_rcs_app.te +++ /dev/null 
@@ -1,3 +0,0 @@ -# b/183935382 -dontaudit vendor_rcs_app default_prop:file { read }; -dontaudit vendor_rcs_app default_prop:file { read }; From 8c979899ccb298dc2007510789e4c59462c3ffcf Mon Sep 17 00:00:00 2001 From: Richard Hsu Date: Fri, 14 May 2021 16:28:16 -0700 Subject: [PATCH 341/921] [BugFix] SEPolicy for libedgetpu_darwinn2.so logging to stats service In order to access the darwinn metrics library from the google camera app (product partition), we need to create an SELinux exception for the related shared library (in vendor) it uses. This CL adds the same_process_hal_file tag to allow this exception. Bug: 190661153, 151063663 Test: App can load the .so and not crash after this change. Before: No permission to access namespace. (https://paste.googleplex.com/6602755121610752) After: GCA doesn't crash on load. Change-Id: I8671732184bbbe283c94d1acd3bb1ff397fe651c --- edgetpu/file_contexts | 2 ++ whitechapel/vendor/google/file_contexts | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts index e0439c40..9255e741 100644 --- a/edgetpu/file_contexts +++ b/edgetpu/file_contexts @@ -23,3 +23,5 @@ # NeuralNetworks file contexts /vendor/bin/hw/android\.hardware\.neuralnetworks@service-darwinn-aidl u:object_r:hal_neuralnetworks_darwinn_exec:s0 +# EdgeTPU metrics logging service. +/vendor/lib64/libmetrics_logger\.so u:object_r:same_process_hal_file:s0 diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 71864a0d..53a4a984 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
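Review bot: The new `edgetpu/file_contexts` entry matches only `/vendor/lib64/libmetrics_logger\.so`, while the other `same_process_hal_file` libraries in this tree are written as `/vendor/lib(64)?/...`, so a 32-bit client would fall through to the default label. The same applies to the three entries added by the `whitechapel/vendor/google/file_contexts` hunk of this commit. There, `libprotobuf-cpp-lite-3\.9\.1\.so` is also pinned to a version, so it will stop matching without any build error once protobuf is bumped. `same_process_hal_file` makes general-purpose libraries (protobuf, stats, pixelatoms) loadable into app processes, so I would add a comment such as `# dependency closure of libmetrics_logger.so; keep in sync with its DT_NEEDED list`, and confirm whether 32-bit is intentionally excluded.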
@@ -432,3 +432,8 @@ # WLC FW update /vendor/bin/wlc_upt/p9412_mtp u:object_r:vendor_wlc_fwupdata_file:s0 /vendor/bin/wlc_upt/wlc_fw_update\.sh u:object_r:wlcfwupdate_exec:s0 + +# Statsd service to support EdgeTPU metrics logging service. +/vendor/lib64/android\.frameworks\.stats-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/libprotobuf-cpp-lite-3\.9\.1\.so u:object_r:same_process_hal_file:s0 From d0bb82843434c42e1dde2ca299ca91c947ffd5ef Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 11 Jun 2021 11:16:16 +0800 Subject: [PATCH 342/921] remove vcd from user ROM Bug: 190331325 Test: build all ROM variants with only user ROM without vcd Change-Id: If9dc555ee8582b605ccdf9d60c3a9c89cd6634d8 --- modem/userdebug/file_contexts | 1 + {whitechapel/vendor/google => modem/userdebug}/vcd.te | 0 public/property.te | 2 ++ whitechapel/vendor/google/file.te | 1 - whitechapel/vendor/google/file_contexts | 2 -- whitechapel/vendor/google/property.te | 2 -- 6 files changed, 3 insertions(+), 5 deletions(-) create mode 100644 modem/userdebug/file_contexts rename {whitechapel/vendor/google => modem/userdebug}/vcd.te (100%) create mode 100644 public/property.te diff --git a/modem/userdebug/file_contexts b/modem/userdebug/file_contexts new file mode 100644 index 00000000..20b74c64 --- /dev/null +++ b/modem/userdebug/file_contexts @@ -0,0 +1 @@ +/vendor/bin/vcd u:object_r:vcd_exec:s0 diff --git a/whitechapel/vendor/google/vcd.te b/modem/userdebug/vcd.te similarity index 100% rename from whitechapel/vendor/google/vcd.te rename to modem/userdebug/vcd.te diff --git a/public/property.te b/public/property.te new file mode 100644 index 00000000..5f60d635 --- /dev/null +++ b/public/property.te @@ -0,0 +1,2 @@ +vendor_internal_prop(vendor_rild_prop) +vendor_internal_prop(vendor_persist_config_default_prop) 
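Review bot: The new `modem/userdebug/file_contexts` carries only `/vendor/bin/vcd`, which is narrower than the removed `/(vendor|system/vendor)/bin/vcd` pattern. The commit also deletes `type vendor_vcd_log_file` and the `/data/vendor/log/vcd(/.*)?` label without re-adding either under `modem/userdebug`. `vcd.te` is moved unchanged (similarity 100%) and is not visible here, so this is only safe if it never references `vendor_vcd_log_file`. Otherwise the userdebug policy loses the type, and the log directory falls back to its parent label. If vcd still writes logs there, add `type vendor_vcd_log_file, file_type, data_file_type;` and the matching `file_contexts` line to the userdebug directory.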
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 55d1f164..36948935 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -13,7 +13,6 @@ type vendor_rild_log_file, file_type, data_file_type; type vendor_sced_log_file, file_type, data_file_type; type vendor_slog_file, file_type, data_file_type, mlstrustedobject; type vendor_telephony_log_file, file_type, data_file_type; -type vendor_vcd_log_file, file_type, data_file_type; # app data files type vendor_test_data_file, file_type, data_file_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 71864a0d..d7a6f99a 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -136,7 +136,6 @@ /(vendor|system/vendor)/bin/hw/rild_exynos u:object_r:rild_exec:s0 /(vendor|system/vendor)/bin/rfsd u:object_r:rfsd_exec:s0 /(vendor|system/vendor)/bin/sced u:object_r:sced_exec:s0 -/(vendor|system/vendor)/bin/vcd u:object_r:vcd_exec:s0 /(vendor|system/vendor)/bin/bipchmgr u:object_r:bipchmgr_exec:s0 # WFC @@ -160,7 +159,6 @@ /data/vendor/log/sced(/.*)? u:object_r:vendor_sced_log_file:s0 /data/vendor/log/slog(/.*)? u:object_r:vendor_slog_file:s0 /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 -/data/vendor/log/vcd(/.*)? u:object_r:vendor_vcd_log_file:s0 /persist/sensorcal\.json u:object_r:sensors_cal_file:s0 diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 9454c2eb..bc62032b 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -2,7 +2,6 @@ vendor_internal_prop(vendor_prop) vendor_internal_prop(vendor_ims_prop) vendor_internal_prop(vendor_rcs_prop) -vendor_internal_prop(vendor_rild_prop) vendor_internal_prop(vendor_slog_prop) vendor_internal_prop(sensors_prop) vendor_internal_prop(vendor_ssrdump_prop) 
@@ -15,7 +14,6 @@ vendor_internal_prop(vendor_cbd_prop) # vendor defaults vendor_internal_prop(vendor_config_default_prop) vendor_internal_prop(vendor_ro_config_default_prop) -vendor_internal_prop(vendor_persist_config_default_prop) vendor_internal_prop(vendor_sys_default_prop) vendor_internal_prop(vendor_ro_sys_default_prop) vendor_internal_prop(vendor_persist_sys_default_prop) From ad47112c59342a73f5b128ac443f079067899c8a Mon Sep 17 00:00:00 2001 From: Rick Yiu Date: Fri, 11 Jun 2021 18:39:28 +0800 Subject: [PATCH 343/921] gs101-sepolicy: Fix avc denial for permissioncontroller_app Bug: 190671898 Test: build pass Change-Id: I3ccfe958892cd27ebbcacc651847d4277d39855b --- private/permissioncontroller_app.te | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 private/permissioncontroller_app.te diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te new file mode 100644 index 00000000..425ea309 --- /dev/null +++ b/private/permissioncontroller_app.te @@ -0,0 +1,3 @@ +allow permissioncontroller_app sysfs_vendor_sched:dir r_dir_perms; +allow permissioncontroller_app sysfs_vendor_sched:file w_file_perms; + From 5492a92a39977da6e0ccedc429beae28514fe29e Mon Sep 17 00:00:00 2001 
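Review bot: The two `allow` rules in the new `private/permissioncontroller_app.te` have no comment or bug reference, although `w_file_perms` on `sysfs_vendor_sched` lets the permission controller write vendor scheduler nodes. A header line such as `# b/190671898: <why permissioncontroller_app writes vendor sched sysfs>` would let a later audit tell an intended grant from a denial that was simply silenced. The `bug_map` line `permissioncontroller_app sysfs_vendor_sched file b/190671898`, added earlier in this series, is not removed by this commit. The denial is therefore still mapped to the bug after it has been allowed.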
From: Jayachandran C Date: Fri, 11 Jun 2021 17:13:38 -0700 Subject: [PATCH 344/921] Allow telephony to access the file descriptor of the priv_apps tcp_socket The priv_apps could register for QOS notifications for its tcp_socket. This change allows telephony to access the file descriptor for the tcp_socket so it could double check the source and destination address of the socket when the QOS indication is received from modem. This addresses the following SE policy denial auditd : type=1400 audit(0.0:219): avc: denied { read write } for comm="ConnectivitySer" path="socket:[98511]" dev="sockfs" ino=98511 scontext=u:r:radio:s0 tcontext=u:r:priv_app:s0:c512,c768 tclass=tcp_socket permissive=0 Bug: 190580419 Test: Manual Change-Id: I35d4e1fb06242eb5fcbcb36439a55c11166b149b --- whitechapel/vendor/google/radio.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/radio.te b/whitechapel/vendor/google/radio.te index 47a70dda..af56688b 100644 --- a/whitechapel/vendor/google/radio.te +++ b/whitechapel/vendor/google/radio.te @@ -1,3 +1,7 @@ allow radio hal_exynos_rild_hwservice:hwservice_manager find; allow radio sysfs_vendor_sched:dir r_dir_perms; allow radio sysfs_vendor_sched:file w_file_perms; + +# Allow telephony to access file descriptor of the QOS socket +# so it can make sure the QOS is meant for the intended addresses +allow radio priv_app:tcp_socket { read write }; From 5bb07db1de2b426e95c918f3b36de3865fe46ce6 Mon Sep 17 00:00:00 2001 From: Armelle Laine Date: Sun, 13 Jun 2021 23:59:37 +0000 Subject: [PATCH 345/921] add se-policy to /dev/trusty-log0 so it can be accessed by dumpstate hal reuse logbuffer_device group as dumpstate hal already has read perms on this group. Bug: 188285071 Test: adb bugreport to include a trusty section in dumpstate_board.txt Change-Id: I623a5d450bdbe2ceef4fe460bf31bfe740d847b2 --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) 
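Review bot: `allow radio priv_app:tcp_socket { read write };` covers every TCP socket owned by any `priv_app` process, whereas the comment and commit message only describe checking the source and destination address of a socket registered for QOS. The comment should say that `read write` is what the fd-transfer check demands (the denial is on a passed `socket:[...]` descriptor) and that radio is not expected to do I/O on it. For example: `# fd is received over binder; read/write is required by the fd transfer check, radio only inspects the socket addresses`. If other app domains can register QOS callbacks, the same denial will recur for them, so it is worth recording why only `priv_app` is listed.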
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 6c9bc57f..6200e2a5 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -337,6 +337,7 @@ /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 /mnt/vendor/persist/ss(/.*)? u:object_r:tee_data_file:s0 /dev/sg1 u:object_r:sg_device:s0 +/dev/trusty-log0 u:object_r:logbuffer_device:s0 # Battery /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 From 90ae782e26b3bb317acf0aa9270aae6756d2f0b5 Mon Sep 17 00:00:00 2001 From: sukiliu Date: Tue, 15 Jun 2021 12:02:59 +0800 Subject: [PATCH 346/921] Move oriole bug map to whitechapel folder Bug: 190563896 Bug: 190671898 Test: PtsSELinuxTestCases Change-Id: I15f1a6d2ebab9c5794a79abccf3530eb4bfc8307 --- {vendor => whitechapel/vendor}/google/bug_map | 2 -- 1 file changed, 2 deletions(-) rename {vendor => whitechapel/vendor}/google/bug_map (54%) diff --git a/vendor/google/bug_map b/whitechapel/vendor/google/bug_map similarity index 54% rename from vendor/google/bug_map rename to whitechapel/vendor/google/bug_map index ecb75fb9..e97b8e14 100644 --- a/vendor/google/bug_map +++ b/whitechapel/vendor/google/bug_map @@ -1,4 +1,2 @@ -bluetooth sysfs_vendor_sched file b/190336525 -mediaprovider_app sysfs_vendor_sched file b/190336723 hal_graphics_composer_default sysfs_lhbm file b/190563896 permissioncontroller_app sysfs_vendor_sched file b/190671898 From 02ada4f4634ac461dc0d6aacc038400d785ac19d Mon Sep 17 00:00:00 2001 From: Jiyoung Date: Thu, 27 May 2021 18:50:29 +0900 Subject: [PATCH 347/921] vendor_telephony_app.te: add selinuxfs:file - add selinuxfs:file for AP TCP dump - allow userdebug or eng Bug: 188422036 Signed-off-by: Jiyoung Change-Id: I9502f9f7320ca4ee298b38e40da0ccf11adfba7f --- whitechapel/vendor/google/vendor_telephony_app.te | 1 + 1 file changed, 1 insertion(+) 
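Review bot: Labelling `/dev/trusty-log0` as `logbuffer_device` gives the Trusty log to every domain that holds access to `logbuffer_device`, not only the dumpstate HAL named in the commit message. The other nodes under that type on this page are USB-PD, TCPM, SSOC and wireless-charging log buffers, which are a different sensitivity class from secure-OS logs. A dedicated type with a single read rule for `hal_dumpstate_default` would keep that audience explicit. If the reuse stays, I would at least add a comment above the entry, e.g. `# Trusty log, read by hal_dumpstate_default only; shares logbuffer_device for its existing read rule`.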
diff --git a/whitechapel/vendor/google/vendor_telephony_app.te b/whitechapel/vendor/google/vendor_telephony_app.te index 7d515a8a..499764b2 100644 --- a/whitechapel/vendor/google/vendor_telephony_app.te +++ b/whitechapel/vendor/google/vendor_telephony_app.te @@ -19,4 +19,5 @@ userdebug_or_eng(` dontaudit vendor_telephony_app system_app_data_file:dir create_dir_perms; dontaudit vendor_telephony_app system_app_data_file:file create_file_perms; dontaudit vendor_telephony_app default_prop:file { getattr open read map }; +allow vendor_telephony_app selinuxfs:file { read open }; ') From 81aaf6cda36e88c0deedb8f41dc1ef6f042da3a3 Mon Sep 17 00:00:00 2001 From: linpeter Date: Mon, 19 Apr 2021 21:06:45 +0800 Subject: [PATCH 348/921] Add sepolicy for hwcomposer to access lhbm sysfs avc: denied { read write } for comm="android.hardwar" name="local_hbm_mode" dev="sysfs" ino=70189 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:sysfs_lhbm:s0 tclass=file permissive=0 Bug: 190563896 test: check avc denied Change-Id: I0f6abc1244d24781ff3318908b524a889490993d --- display/gs101/hal_graphics_composer_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/display/gs101/hal_graphics_composer_default.te b/display/gs101/hal_graphics_composer_default.te index 0b4c26e8..aa429277 100644 --- a/display/gs101/hal_graphics_composer_default.te +++ b/display/gs101/hal_graphics_composer_default.te @@ -40,3 +40,6 @@ allow hal_graphics_composer_default vendor_log_file:file create_file_perms; # allow HWC to output to dumpstate via pipe fd allow hal_graphics_composer_default hal_dumpstate_default:fifo_file { append write }; allow hal_graphics_composer_default hal_dumpstate_default:fd use; + +# allow HWC to access LHBM sysfs +allow hal_graphics_composer_default sysfs_lhbm:file rw_file_perms; From 673b8f101469e66d41de4e5194c8cd91f12fd717 Mon Sep 17 00:00:00 2001 
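Review bot: The added `allow vendor_telephony_app selinuxfs:file { read open };` has no comment, and the need for a telephony app to read selinuxfs is not obvious from the rule itself. The commit message ties it to "AP TCP dump", so a line such as `# AP TCP dump reads the SELinux state from selinuxfs (b/188422036)` directly above it would preserve that reason. The rule is placed before the closing `')` of a `userdebug_or_eng` block that opens outside this hunk. It is worth checking that it lands in the block intended for the TCP dump feature and is indented like its neighbours.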
From: sukiliu Date: Tue, 15 Jun 2021 19:59:10 +0800 Subject: [PATCH 349/921] Update avc error on ROM 7457955 Bug: 191132545 Bug: 191133059 Test: PtsSELinuxTestCases Change-Id: I6a8e7924819734e38c2b6f761eb738f3e4d21c32 --- tracking_denials/hal_graphics_composer_default.te | 2 ++ tracking_denials/hal_power_default.te | 3 +++ 2 files changed, 5 insertions(+) create mode 100644 tracking_denials/hal_graphics_composer_default.te create mode 100644 tracking_denials/hal_power_default.te diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te new file mode 100644 index 00000000..9640b83e --- /dev/null +++ b/tracking_denials/hal_graphics_composer_default.te @@ -0,0 +1,2 @@ +# b/191132545 +dontaudit hal_graphics_composer_default sysfs_lhbm:file { read write }; diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te new file mode 100644 index 00000000..bef5f129 --- /dev/null +++ b/tracking_denials/hal_power_default.te @@ -0,0 +1,3 @@ +# b/191133059 +dontaudit hal_power_default hal_power_default:capability dac_read_search; +dontaudit hal_power_default hal_power_default:capability dac_override; From dfc3d869271e5a8a85ee91d83ad23076926791ae Mon Sep 17 00:00:00 2001 From: David Anderson Date: Mon, 7 Jun 2021 18:41:39 -0700 Subject: [PATCH 350/921] Fix denial when flashing vendor_boot in fastbootd. This mirrors the same sepolicy line in previous Pixel devices. Bug: 189493387 Test: fastboot flash vendor_boot on r4 Change-Id: Ie15c8e6e5c01b249e1e5e244666c461253279f0b --- whitechapel/vendor/google/fastbootd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/fastbootd.te b/whitechapel/vendor/google/fastbootd.te index c1c4de7b..32944aa1 100644 --- a/whitechapel/vendor/google/fastbootd.te +++ b/whitechapel/vendor/google/fastbootd.te 
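Review bot: The new `dontaudit hal_graphics_composer_default sysfs_lhbm:file { read write };` duplicates access that the previous commit in this series grants with `allow hal_graphics_composer_default sysfs_lhbm:file rw_file_perms;` in `display/gs101/hal_graphics_composer_default.te`. Where that allow is built in, the dontaudit is dead. Where it is not, the entry hides the exact denial that would show the policy directory is missing from the build. I would drop the entry, or note next to `# b/191132545` which build configuration still needs it.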
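Review bot: `tracking_denials/hal_power_default.te` re-adds `dontaudit` rules for `dac_read_search` and `dac_override`, which an earlier commit in this series removed as obsolete under b/171760921 and b/188752940. Denials on these capabilities usually mean the HAL is opening a node whose owner, group or mode does not match its uid. Suppressing them hides which path is affected. A comment naming the node, e.g. `# b/191133059: hal_power_default opens <path> not owned by its uid/gid`, would make the entry actionable. It would also explain why it came back.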
@@ -3,4 +3,5 @@ recovery_only(` allow fastbootd devinfo_block_device:blk_file rw_file_perms; allow fastbootd sda_block_device:blk_file rw_file_perms; allow fastbootd sysfs_ota:file rw_file_perms; +allow fastbootd custom_ab_block_device:blk_file rw_file_perms; ') From dc0cdc36f371d9e938d2c2b59f4bb9cd5004b8ef Mon Sep 17 00:00:00 2001 From: Wenhao Wang Date: Tue, 15 Jun 2021 17:24:01 -0700 Subject: [PATCH 351/921] Use label persist_ss_file The label "persist_ss_file" was created for "/mnt/vendor/persist/ss(/.*)?". But we erroneously didn't assign the label to the path. This patch fixes the error. Bug: 173971240 Bug: 173032298 Test: Trusty storage tests Change-Id: I8e891ebd90ae47ab8a4aad1c2b0a3bbb734174d8 --- whitechapel/vendor/google/file_contexts | 2 +- whitechapel/vendor/google/storageproxyd.te | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 1f06bee4..ec4e5de6 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -335,7 +335,7 @@ /vendor/bin/hw/android\.hardware\.confirmationui@1\.0-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 -/mnt/vendor/persist/ss(/.*)? u:object_r:tee_data_file:s0 +/mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 /dev/sg1 u:object_r:sg_device:s0 /dev/trusty-log0 u:object_r:logbuffer_device:s0 diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te index 315300c2..d5d4dca9 100644 --- a/whitechapel/vendor/google/storageproxyd.te +++ b/whitechapel/vendor/google/storageproxyd.te 
@@ -1,6 +1,7 @@ type sg_device, dev_type; type persist_ss_file, file_type, vendor_persist_type; +allow tee persist_ss_file:file rw_file_perms; allow tee persist_ss_file:dir r_dir_perms; allow tee persist_file:dir r_dir_perms; allow tee mnt_vendor_file:dir r_dir_perms; From 3031b077a3d2238780ce11dc97f684fc6bbef464 Mon Sep 17 00:00:00 2001 From: Craig Dooley Date: Wed, 16 Jun 2021 17:18:55 +0000 Subject: [PATCH 352/921] Allow hal_dumpstate to collect AoC statistics Bug: 188114650 Signed-off-by: Craig Dooley Change-Id: Iba5525af2c651070b9a5f7769c0439ef320d666b --- tracking_denials/hal_dumpstate_default.te | 2 -- whitechapel/vendor/google/file.te | 1 + whitechapel/vendor/google/genfs_contexts | 4 ++++ whitechapel/vendor/google/hal_dumpstate_default.te | 3 +++ 4 files changed, 8 insertions(+), 2 deletions(-) delete mode 100644 tracking_denials/hal_dumpstate_default.te diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te deleted file mode 100644 index cfc9c4eb..00000000 --- a/tracking_denials/hal_dumpstate_default.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/188752787 -dontaudit hal_dumpstate_default sysfs_aoc:dir search; diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 55d1f164..513e6735 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -94,6 +94,7 @@ type proc_touch, proc_type, fs_type, mlstrustedobject; type sysfs_touch, sysfs_type, fs_type; # AOC +type sysfs_aoc_dumpstate, sysfs_type, fs_type; type sysfs_aoc_boottime, sysfs_type, fs_type; type sysfs_aoc_firmware, sysfs_type, fs_type; type sysfs_aoc, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 4fcd1ab1..f7a18ce8 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
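Review bot: After the relabel of `/mnt/vendor/persist/ss(/.*)?` to `persist_ss_file`, `tee` has only `rw_file_perms` on files and `r_dir_perms` on the directory, so it can modify existing files but cannot create, rename or unlink anything there. If storageproxyd ever creates or replaces files under that path (not visible from this hunk), the rules would need `allow tee persist_ss_file:file create_file_perms;` and `allow tee persist_ss_file:dir rw_dir_perms;`. Files already on the persist partition keep their old `tee_data_file` label until something runs restorecon on them. The test notes should therefore cover an upgraded device, not only a freshly provisioned one.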
@@ -4,6 +4,10 @@ genfscon sysfs /devices/platform/19000000.aoc/firmware u:ob genfscon sysfs /devices/platform/19000000.aoc u:object_r:sysfs_aoc:s0 genfscon sysfs /devices/platform/19000000.aoc/reset u:object_r:sysfs_aoc_reset:s0 +genfscon sysfs /devices/platform/19000000.aoc/services u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/restart_count u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/coredump_count u:object_r:sysfs_aoc_dumpstate:s0 + # WiFi genfscon sysfs /wifi u:object_r:sysfs_wifi:s0 # Battery diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 10f9c0cd..b9385364 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -39,6 +39,9 @@ allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:file r_file_pe allow hal_dumpstate_default sysfs_acpm_stats:dir r_dir_perms; allow hal_dumpstate_default sysfs_acpm_stats:file r_file_perms; +allow hal_dumpstate_default sysfs_aoc:dir r_dir_perms; +allow hal_dumpstate_default sysfs_aoc_dumpstate:file r_file_perms; + allow hal_dumpstate_default sysfs_spi:dir search; allow hal_dumpstate_default sysfs_spi:file rw_file_perms; From 643e5a71235419f259d9aad56ac86870cd2f1463 Mon Sep 17 00:00:00 2001 From: Yu-Chi Cheng Date: Wed, 16 Jun 2021 16:17:14 -0700 Subject: [PATCH 353/921] Allowed EdgeTPU compilation services (tflite and nnapi) to access overcommit_memory info. This is required as part of the compilation process, likely part of the jemalloc which was added recently. Bug: 190790251 Test: verified on local P21 device. Change-Id: I4d90ea92afd7beaa4c4efa6ed509d703764932a1 --- edgetpu/edgetpu_vendor_service.te | 3 +++ edgetpu/hal_neuralnetworks_darwinn.te | 3 +++ 2 files changed, 6 insertions(+) diff --git a/edgetpu/edgetpu_vendor_service.te b/edgetpu/edgetpu_vendor_service.te index 538c47b9..10605107 100644 
--- a/edgetpu/edgetpu_vendor_service.te +++ b/edgetpu/edgetpu_vendor_service.te @@ -26,3 +26,6 @@ allow edgetpu_vendor_server hal_camera_default:fd use; # Allow EdgeTPU vendor service to read the kernel version. # This is done inside the InitGoogle. allow edgetpu_vendor_server proc_version:file r_file_perms; + +# Allow EdgeTPU vendor service to read the overcommit_memory info. +allow edgetpu_vendor_server proc_overcommit_memory:file r_file_perms; diff --git a/edgetpu/hal_neuralnetworks_darwinn.te b/edgetpu/hal_neuralnetworks_darwinn.te index 88a24db9..d143ab1d 100644 --- a/edgetpu/hal_neuralnetworks_darwinn.te +++ b/edgetpu/hal_neuralnetworks_darwinn.te @@ -33,3 +33,6 @@ binder_use(hal_neuralnetworks_darwinn) # TPU NNAPI to register the service to service_manager. add_service(hal_neuralnetworks_darwinn, edgetpu_nnapi_service); + +# Allow TPU NNAPI HAL to read the overcommit_memory info. +allow hal_neuralnetworks_darwinn proc_overcommit_memory:file r_file_perms; From 14786d9b408f49feeed48fe272c2baf08a57843e Mon Sep 17 00:00:00 2001 From: Yuriy Romanenko Date: Wed, 16 Jun 2021 20:55:38 -0700 Subject: [PATCH 354/921] Allow rlsservice/camera HAL to read /apex/apex-info-list.xml To detect apex updates Bug: 188246923 Test: See topic Change-Id: I28a27741c1c285f8b49a2aa50bc0665143c1b7cb --- whitechapel/vendor/google/hal_camera_default.te | 3 +++ whitechapel/vendor/google/rlsservice.te | 2 ++ 2 files changed, 5 insertions(+) diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index df210f6f..02b29f89 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te @@ -75,3 +75,6 @@ binder_call(hal_camera_default, hal_radioext_default); # Allow camera HAL to connect to the stats service. allow hal_camera_default fwk_stats_service:service_manager find; + +# For observing apex file changes +allow hal_camera_default apex_info_file:file r_file_perms; 
diff --git a/whitechapel/vendor/google/rlsservice.te b/whitechapel/vendor/google/rlsservice.te index 113ef312..bf8b401f 100644 --- a/whitechapel/vendor/google/rlsservice.te +++ b/whitechapel/vendor/google/rlsservice.te @@ -26,3 +26,5 @@ allow rlsservice aoc_device:chr_file rw_file_perms; # Allow use of the USF low latency transport usf_low_latency_transport(rlsservice) +# For observing apex file changes +allow rlsservice apex_info_file:file r_file_perms; From c53c03b843bdfa26a68120193fece44c40b669fa Mon Sep 17 00:00:00 2001 From: Franklin He Date: Wed, 16 Jun 2021 21:47:39 +0800 Subject: [PATCH 355/921] Add new sepolicy to allow Power Hint SELinux policy changes to work with https://googleplex-android-review.git.corp.google.com/c/device/google/gs101/+/14997393 This allows the NNAPI HAL to make IPC calls to the Power HAL in order to request power hints Bug: 191241561 Test: Pushed new SEPolicy to device, verified no AVC problems when making IPC calls Change-Id: I8209b3677bedf908901389c07304f4478d0431b0 --- edgetpu/hal_neuralnetworks_darwinn.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/edgetpu/hal_neuralnetworks_darwinn.te b/edgetpu/hal_neuralnetworks_darwinn.te index 88a24db9..4a36b9a2 100644 --- a/edgetpu/hal_neuralnetworks_darwinn.te +++ b/edgetpu/hal_neuralnetworks_darwinn.te @@ -31,5 +31,8 @@ allow hal_neuralnetworks_darwinn fwk_stats_service:service_manager find; binder_call(hal_neuralnetworks_darwinn, system_server); binder_use(hal_neuralnetworks_darwinn) +# Allow TPU NNAPI HAL to request power hints from the Power Service +hal_client_domain(hal_neuralnetworks_darwinn, hal_power) + # TPU NNAPI to register the service to service_manager. add_service(hal_neuralnetworks_darwinn, edgetpu_nnapi_service); From eb3881dbe70ca74be9a850e8d33a902a1c568ad1 Mon Sep 17 00:00:00 2001 
From: Badhri Jagan Sridharan Date: Thu, 17 Jun 2021 16:09:27 -0700 Subject: [PATCH 356/921] Add file context for /dev/logbuffer_tcpm /dev/logbuffer_tcpm gets accessed by dumpstate while bugreport generation. Bug: 189792358 Signed-off-by: Badhri Jagan Sridharan Change-Id: Ica0f3557ad9c41844f8411b0bdf68d66fbba00e5 --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index bed54869..7773f31c 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -95,6 +95,7 @@ /dev/scsc_h4_0 u:object_r:radio_device:s0 /dev/umts_boot0 u:object_r:radio_device:s0 /dev/tui-driver u:object_r:tui_device:s0 +/dev/logbuffer_tcpm u:object_r:logbuffer_device:s0 /dev/logbuffer_usbpd u:object_r:logbuffer_device:s0 /dev/logbuffer_ssoc u:object_r:logbuffer_device:s0 /dev/logbuffer_wireless u:object_r:logbuffer_device:s0 From d77bc5a970879e0e7dc14fc15fe9f6b9f204034b Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 18 Jun 2021 09:32:08 +0800 Subject: [PATCH 357/921] organize confirmationui settings Bug: 190331547 Bug: 190331370 Test: build ROM and make sure file and sepolicy is still there Change-Id: I4cabf9280ab5e21038bcb72615799b7ed0fb1670 --- confirmationui/device.te | 1 + confirmationui/file_contexts | 4 ++++ .../vendor/google => confirmationui}/hal_confirmationui.te | 0 .../vendor/google => confirmationui}/securedpud.slider.te | 0 whitechapel/vendor/google/device.te | 1 - whitechapel/vendor/google/file_contexts | 3 --- 6 files changed, 5 insertions(+), 4 deletions(-) create mode 100644 confirmationui/device.te create mode 100644 confirmationui/file_contexts rename {whitechapel/vendor/google => confirmationui}/hal_confirmationui.te (100%) rename {whitechapel/vendor/google => confirmationui}/securedpud.slider.te (100%) diff --git a/confirmationui/device.te b/confirmationui/device.te new file mode 100644 index 00000000..54fe349f 
--- /dev/null +++ b/confirmationui/device.te @@ -0,0 +1 @@ +type tui_device, dev_type; diff --git a/confirmationui/file_contexts b/confirmationui/file_contexts new file mode 100644 index 00000000..49db4171 --- /dev/null +++ b/confirmationui/file_contexts @@ -0,0 +1,4 @@ +/vendor/bin/securedpud\.slider u:object_r:securedpud_slider_exec:s0 +/vendor/bin/hw/android\.hardware\.confirmationui@1\.0-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0 + +/dev/tui-driver u:object_r:tui_device:s0 diff --git a/whitechapel/vendor/google/hal_confirmationui.te b/confirmationui/hal_confirmationui.te similarity index 100% rename from whitechapel/vendor/google/hal_confirmationui.te rename to confirmationui/hal_confirmationui.te diff --git a/whitechapel/vendor/google/securedpud.slider.te b/confirmationui/securedpud.slider.te similarity index 100% rename from whitechapel/vendor/google/securedpud.slider.te rename to confirmationui/securedpud.slider.te diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index 68a73c6f..f0e8d8d0 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -16,7 +16,6 @@ type pktrouter_device, dev_type; type vendor_toe_device, dev_type; type custom_ab_block_device, dev_type; type devinfo_block_device, dev_type; -type tui_device, dev_type; # usbpd type logbuffer_device, dev_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 7773f31c..4b8ac2dd 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -94,7 +94,6 @@ /dev/repeater u:object_r:video_device:s0 /dev/scsc_h4_0 u:object_r:radio_device:s0 /dev/umts_boot0 u:object_r:radio_device:s0 -/dev/tui-driver u:object_r:tui_device:s0 /dev/logbuffer_tcpm u:object_r:logbuffer_device:s0 /dev/logbuffer_usbpd u:object_r:logbuffer_device:s0 /dev/logbuffer_ssoc u:object_r:logbuffer_device:s0 
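Review bot: This commit moves the `tui_device` type, the confirmationui and securedpud labels and two `.te` files into a new top-level `confirmationui/` directory, but its diffstat does not touch `gs101-sepolicy.mk` or any other file that lists policy directories. Unless another change in the same topic adds the directory to the build, the moved policy would drop out of the image. Please reference the companion change in the commit message. The new `file_contexts` does escape the dot in `securedpud\.slider`, which the removed entry did not.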
@@ -325,13 +324,11 @@ # Trusty -/vendor/bin/securedpud.slider u:object_r:securedpud_slider_exec:s0 /vendor/bin/storageproxyd u:object_r:tee_exec:s0 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 /vendor/bin/hw/android\.hardware\.keymaster@4\.0-service\.trusty u:object_r:hal_keymaster_default_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0 -/vendor/bin/hw/android\.hardware\.confirmationui@1\.0-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 /mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 From 6bf4661e8f30c75ac07a9eef03809bd9b98f231e Mon Sep 17 00:00:00 2001 From: Yuriy Romanenko Date: Thu, 17 Jun 2021 18:05:15 -0700 Subject: [PATCH 358/921] Allow camera HAL to set vendor.camera properties Bug: 188246923 Test: See topic Change-Id: I18cbcf1b622ad7cd6d6bd1ea258b3d537db54412 --- whitechapel/vendor/google/hal_camera_default.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index 02b29f89..8bf449b1 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te @@ -44,7 +44,7 @@ userdebug_or_eng(` tmpfs_domain(hal_camera_default); # Allow access to camera-related system properties -get_prop(hal_camera_default, vendor_camera_prop); +set_prop(hal_camera_default, vendor_camera_prop); get_prop(hal_camera_default, vendor_camera_debug_prop); userdebug_or_eng(` set_prop(hal_camera_default, vendor_camera_fatp_prop); From 7e232446dc6074990585a73314659a75d2711217 Mon Sep 17 00:00:00 2001 
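Review bot: Replacing `get_prop` with `set_prop` on `vendor_camera_prop` lets hal_camera_default write every property carrying that label, and neither the hunk nor the commit message names the vendor.camera keys the HAL needs to set. The unchanged comment above the rule still reads "Allow access to camera-related system properties", which hides the widening from a later reader. I would reword it to `# Allow camera HAL to read and set vendor.camera properties (needed for <property-name-placeholder>)`. If only a few keys are written, a separate property type for them would keep the rest of the label read-only for this domain.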
From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= Date: Fri, 18 Jun 2021 08:56:59 +0200 Subject: [PATCH 359/921] Fix access permissions for sysfs_aoc_reset avc: denied { getattr } for comm="UsfHalWorker" path="/sys/devices/platform/19000000.aoc/reset" dev="sysfs" ino=69873 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_aoc_reset:s0 tclass=file permissive=0 Bug: 190712449 Bug: 191415949 Change-Id: Ibad4e75aa60b06129221086031289c855c561e96 --- usf/sensor_hal.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index 233c5231..502e14c3 100644 --- a/usf/sensor_hal.te +++ b/usf/sensor_hal.te @@ -43,7 +43,7 @@ allow hal_sensors_default sysfs_aoc:file r_file_perms; usf_low_latency_transport(hal_sensors_default) # Allow sensor HAL to reset AOC. -allow hal_sensors_default sysfs_aoc_reset:file w_file_perms; +allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms; # # Suez type enforcements. From 279437055748330fc2d89107be06cbec67e6a4be Mon Sep 17 00:00:00 2001 
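Review bot: `rw_file_perms` grants more than the quoted denial asks for. The audit line shows only `getattr` being refused on sysfs_aoc_reset, while the new rule also adds read, ioctl and the rest of the read set on the node that resets the AOC. Unless the sensor HAL also reads the node, which the commit message does not show, the narrower form is `allow hal_sensors_default sysfs_aoc_reset:file { w_file_perms getattr };`. The rest of sensor_hal.te lies outside the hunk.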
From: Jack Wu Date: Thu, 27 May 2021 00:04:14 +0800 Subject: [PATCH 360/921] sepolicy: gs101: allows pixelstat to access wlc file nodes 05-31 11:14:57.280 1000 3126 3126 W pixelstats-vend: type=1400 audit(0.0:162): avc: denied { search } for name="i2c-p9412" dev="sysfs" ino=60862 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=dir permissive=0 05-31 11:14:57.280 1000 3126 3126 W pixelstats-vend: type=1400 audit(0.0:163): avc: denied { search } for name="i2c-p9412" dev="sysfs" ino=60862 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=dir permissive=0 05-31 13:12:23.940 1000 2838 2838 W pixelstats-vend: type=1400 audit(0.0:182): avc: denied { read } for name="charge_stats" dev="sysfs" ino=73276 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=0 05-31 15:02:02.215 1000 13169 13169 W pixelstats-vend: type=1400 audit(0.0:166): avc: denied { write } for name="charge_stats" dev="sysfs" ino=73483 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=0 05-31 15:02:02.215 1000 13169 13169 W pixelstats-vend: type=1400 audit(0.0:167): avc: denied { write } for name="charge_stats" dev="sysfs" ino=73483 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=file permissive=0 Bug: 176195960 Test: manually test, no avc: denied Signed-off-by: Jack Wu Change-Id: I0af03dd8099e246c5f94e8e8530d7b2bcf50ff95 --- whitechapel/vendor/google/pixelstats_vendor.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te index ba063193..68e59120 100644 --- a/whitechapel/vendor/google/pixelstats_vendor.te +++ b/whitechapel/vendor/google/pixelstats_vendor.te 
@@ -15,3 +15,6 @@ allow pixelstats_vendor fwk_stats_service:service_manager find; allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms; allow pixelstats_vendor sysfs_pixelstats:file r_file_perms; + +allow pixelstats_vendor sysfs_wlc:dir search; +allow pixelstats_vendor sysfs_wlc:file rw_file_perms; From 51c891fa7be2c4e49fbf1848abfcb469de2abde9 Mon Sep 17 00:00:00 2001 From: Srinivas Patibandla Date: Thu, 17 Jun 2021 17:38:49 +0000 Subject: [PATCH 361/921] Update time sync seinfo to not use platform signature Bug: b/190695230 Change-Id: I2dbee2e624c8794b3aa9ff85d8985a15ee159a0f --- whitechapel/vendor/google/seapp_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index 3636ed46..b10941ac 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts @@ -51,4 +51,4 @@ user=uwb isPrivApp=true seinfo=uwb name=com.qorvo.uwb domain=uwb_vendor_app type user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all # CccDkTimeSyncService -user=_app seinfo=platform name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all +user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all From c598db170cfd2fa22df344d1aa78ccbd34d42516 Mon Sep 17 00:00:00 2001 
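Review bot: Dropping `seinfo=platform` from the CccDkTimeSyncService entry without a replacement selector leaves the `vendor_cccdktimesync_app` domain keyed on package name and priv-app status alone. The rule itself no longer ties the domain to a signing certificate. The neighbouring context lines show the pattern that keeps that tie without the platform key, `seinfo=uwb` and `seinfo=EuiccSupportPixel`. I would add a dedicated seinfo backed by a signer entry in mac_permissions.xml, for example `user=_app isPrivApp=true seinfo=<timesync-seinfo-placeholder> name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all`. The `com.samsung.slsi.telephony.oemril` entry added in PATCH 371 has the same shape and its domain gets binder access to rild, so the same applies there.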
From: Alex Hong Date: Mon, 21 Jun 2021 17:29:50 +0800 Subject: [PATCH 362/921] Move the genfs_contexts of sched nodes from vendor to product For sched nodes, "proc_vendor_sched" and "sysfs_vendor_sched", their type definition is in product sepolicy, while genfs_contexts is in vendor sepolicy. In this case, genfs_contexts cannot be resolved after product sepolicy is replaced by Dynamic System Update. Need to keep the type definition and genfs_contexts in the same partition. Now move genfs_contexts because the type definition has to be in product for now since other private domains are accessing these sched nodes. Test: $ make selinux_policy The device can boot to home after replacing with GSI. Bug: 191236468 Change-Id: I02ea78b04dfcade4ceb426ff6ebf498daa81ac32 --- private/genfs_contexts | 3 +++ whitechapel/vendor/google/genfs_contexts | 4 ---- 2 files changed, 3 insertions(+), 4 deletions(-) create mode 100644 private/genfs_contexts diff --git a/private/genfs_contexts b/private/genfs_contexts new file mode 100644 index 00000000..448ca5e3 --- /dev/null +++ b/private/genfs_contexts @@ -0,0 +1,3 @@ +# Vendor sched files +genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0 +genfscon proc /vendor_sched u:object_r:proc_vendor_sched:s0 diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 4fcd1ab1..7c705b82 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -109,10 +109,6 @@ genfscon proc /fts/driver_test genfscon proc /fts_ext/driver_test u:object_r:proc_touch:s0 genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0 -# Vendor sched files -genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0 -genfscon proc /vendor_sched u:object_r:proc_vendor_sched:s0 - # GPS genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 From 419019a71af0f020096c65e6b21bcab156f6c96d Mon Sep 17 00:00:00 2001 
From: Speth Chang Date: Tue, 15 Jun 2021 22:56:44 +0800 Subject: [PATCH 363/921] Allow camera hal to access devfreq query Bug: 190687351 Test: p21 checklist Change-Id: Id0cb74b483882a6ede93cadc475a7be334ecf20d --- whitechapel/vendor/google/hal_camera_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index 8bf449b1..7202369c 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te @@ -78,3 +78,6 @@ allow hal_camera_default fwk_stats_service:service_manager find; # For observing apex file changes allow hal_camera_default apex_info_file:file r_file_perms; + +# Allow camera HAL to query current device clock frequencies. +allow hal_camera_default sysfs_devfreq_cur:file r_file_perms; From d74e9897392060304ca620f2c2e2f38030d266f1 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 22 Jun 2021 12:46:00 +0800 Subject: [PATCH 364/921] modulize init.radio.sh Bug: 190331600 Test: build ROM and make sure the file is there and functional. Change-Id: Icb3e0e590ae315d53eb5251fd5e74d6aacab1fe2 --- public/file.te | 3 +++ telephony/user/file_contexts | 5 +++++ {whitechapel/vendor/google => telephony/user}/init_radio.te | 0 whitechapel/vendor/google/file.te | 3 --- whitechapel/vendor/google/file_contexts | 6 ------ 5 files changed, 8 insertions(+), 9 deletions(-) create mode 100644 telephony/user/file_contexts rename {whitechapel/vendor/google => telephony/user}/init_radio.te (100%) diff --git a/public/file.te b/public/file.te index 4c15c474..2aef505f 100644 --- a/public/file.te +++ b/public/file.te @@ -5,3 +5,6 @@ userdebug_or_eng(` ') type proc_vendor_sched, proc_type, fs_type; +# Radio +type radio_vendor_data_file, file_type, data_file_type, mlstrustedobject; + diff --git a/telephony/user/file_contexts b/telephony/user/file_contexts new file mode 100644 index 00000000..1e0c1a44 --- /dev/null 
+++ b/telephony/user/file_contexts @@ -0,0 +1,5 @@ +# ECC List +/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0 +# Radio files. +/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 + diff --git a/whitechapel/vendor/google/init_radio.te b/telephony/user/init_radio.te similarity index 100% rename from whitechapel/vendor/google/init_radio.te rename to telephony/user/init_radio.te diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index a7eeea53..ce5b993c 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -105,9 +105,6 @@ type persist_aoc_file, file_type, vendor_persist_type; type audio_vendor_data_file, file_type, data_file_type; type aoc_audio_file, file_type, vendor_file_type; -# Radio -type radio_vendor_data_file, file_type, data_file_type, mlstrustedobject; - # RILD type rild_vendor_data_file, file_type, data_file_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 4b8ac2dd..379ef830 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -348,9 +348,6 @@ # R4 /vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_default_exec:s0 -# Radio files. -/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 - # RILD files /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 @@ -384,9 +381,6 @@ /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.fpc u:object_r:hal_fingerprint_default_exec:s0 -# ECC List -/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0 - # Zram /data/per_boot(/.*)? u:object_r:per_boot_file:s0 From cebbf141748f1c8636610c884a7f51ca3773f83c Mon Sep 17 00:00:00 2001 
From: Michael Ayoubi Date: Thu, 10 Jun 2021 02:11:14 +0000 Subject: [PATCH 365/921] Add support for non-su hal_uwb Bug: 187386527 Test: Boot and confirm HAL is up Signed-off-by: Michael Ayoubi Change-Id: Ia9f3f90fba6981762fe375aa37c81f8474ad9c53 --- whitechapel/vendor/google/hal_uwb.te | 15 +++++++++++++++ whitechapel/vendor/google/hal_uwb_default.te | 3 +++ whitechapel/vendor/google/uwb_vendor_app.te | 6 ++++++ 3 files changed, 24 insertions(+) create mode 100644 whitechapel/vendor/google/hal_uwb.te diff --git a/whitechapel/vendor/google/hal_uwb.te b/whitechapel/vendor/google/hal_uwb.te new file mode 100644 index 00000000..d0995686 --- /dev/null +++ b/whitechapel/vendor/google/hal_uwb.te @@ -0,0 +1,15 @@ +# HwBinder IPC from client to server +binder_call(hal_uwb_client, hal_uwb_server) +binder_call(hal_uwb_server, hal_uwb_client) + +hal_attribute_service(hal_uwb, hal_uwb_service) + +binder_call(hal_uwb_server, servicemanager) + +# allow hal_uwb to set wpan interfaces up and down +allow hal_uwb self:udp_socket create_socket_perms; +allowxperm hal_uwb self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL }; +allow hal_uwb self:global_capability_class_set { net_admin }; + +# allow hal_uwb to speak to nl802154 in the kernel +allow hal_uwb self:netlink_generic_socket create_socket_perms_no_ioctl; diff --git a/whitechapel/vendor/google/hal_uwb_default.te b/whitechapel/vendor/google/hal_uwb_default.te index f066aa4d..2d513b61 100644 --- a/whitechapel/vendor/google/hal_uwb_default.te +++ b/whitechapel/vendor/google/hal_uwb_default.te @@ -3,3 +3,6 @@ type hal_uwb_default_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(hal_uwb_default) add_service(hal_uwb_default, hal_uwb_service) + +hal_server_domain(hal_uwb_default, hal_uwb) +binder_call(hal_uwb_default, uwb_vendor_app) diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/whitechapel/vendor/google/uwb_vendor_app.te index aee5c49f..e0a9ebc9 100644 
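Review bot: In hal_uwb.te the `net_admin` capability, the udp_socket ioctl allow-list and the netlink_generic_socket rule are granted on the base `hal_uwb` attribute rather than on `hal_uwb_server`. The same commit makes uwb_vendor_app a client through `hal_client_domain(uwb_vendor_app, hal_uwb)`. As far as I recall that macro, it also assigns the base attribute on non-full-Treble builds, which would hand these network-admin rules to the app domain as well. Scoping them to the server side avoids depending on that, for example `allow hal_uwb_server self:global_capability_class_set { net_admin };` and likewise for the two socket rules and the `allowxperm` line.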
--- a/whitechapel/vendor/google/uwb_vendor_app.te +++ b/whitechapel/vendor/google/uwb_vendor_app.te @@ -4,9 +4,15 @@ app_domain(uwb_vendor_app) add_service(uwb_vendor_app, uwb_vendor_service) +not_recovery(` +hal_client_domain(uwb_vendor_app, hal_uwb) + allow uwb_vendor_app app_api_service:service_manager find; allow uwb_vendor_app hal_uwb_service:service_manager find; allow uwb_vendor_app nfc_service:service_manager find; allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms; allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; + +binder_call(uwb_vendor_app, hal_uwb_default) +') From a92605574995ee200e88bbd36651f3e5cad57d5d Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Wed, 23 Jun 2021 09:12:35 +0800 Subject: [PATCH 366/921] vendor_init/dumpstate: Grant to access logger prop Bug: 176176656 Change-Id: I551ccfac57d983aab95aa23e1f350f78ee0a159f --- whitechapel/vendor/google/hal_dumpstate_default.te | 1 + whitechapel/vendor/google/property_contexts | 1 + whitechapel/vendor/google/vendor_init.te | 1 + 3 files changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index b9385364..22122688 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -110,6 +110,7 @@ get_prop(hal_dumpstate_default, boottime_public_prop) get_prop(hal_dumpstate_default, vendor_gps_prop) set_prop(hal_dumpstate_default, vendor_modem_prop) get_prop(hal_dumpstate_default, vendor_rild_prop) +set_prop(hal_dumpstate_default, vendor_logger_prop) userdebug_or_eng(` allow hal_dumpstate_default vendor_ion_debugfs:dir r_dir_perms; diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 94d4065f..51390357 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts 
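Review bot: `set_prop(hal_dumpstate_default, vendor_logger_prop)` is placed before the `userdebug_or_eng` block, so it applies on user builds too. It covers every property labelled vendor_logger_prop, including the existing `vendor.pixellogger.` and `persist.vendor.pixellogger.` prefixes, not only the `persist.vendor.verbose_logging_enabled` key that this commit labels in property_contexts. If the dumpstate HAL only needs to toggle that one key, which the commit message does not state, a separate property type for it would keep the pixellogger properties out of the HAL's write set. At minimum I would add a comment above the rule such as `# Needed to set persist.vendor.verbose_logging_enabled`.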
@@ -44,6 +44,7 @@ persist.vendor.sys.modem. u:object_r:vendor_modem_prop:s0 # for logger app vendor.pixellogger. u:object_r:vendor_logger_prop:s0 persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 +persist.vendor.verbose_logging_enabled u:object_r:vendor_logger_prop:s0 # for cbd vendor.cbd. u:object_r:vendor_cbd_prop:s0 diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 8e3e369c..ae9b22b9 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -12,6 +12,7 @@ set_prop(vendor_init, vendor_ro_config_default_prop) get_prop(vendor_init, vendor_touchpanel_prop) set_prop(vendor_init, vendor_tcpdump_log_prop) set_prop(vendor_init, vendor_thermal_prop) +set_prop(vendor_init, vendor_logger_prop) allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file write; From a70819d2f04ad4f8b7d58c9fe87c1a1db461a10d Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Tue, 22 Jun 2021 14:04:23 +0800 Subject: [PATCH 367/921] modularize pktrouter Bug: 190331212 Test: make sure pktrouter gets initialized 06-23 13:21:19.372 1 1 I init : Parsing file /vendor/etc/init/pktrouter.rc... 06-23 13:21:23.510 1 1 I init : processing action (vendor.pktrouter=1) from (/vendor/etc/init/pktrouter.rc:7) 06-23 13:21:23.510 1 1 I init : starting service 'pktrouter'... Change-Id: Icc7ab88505aea47cfed5ffc5182d0625b7a7609d --- telephony/pktrouter/device.te | 1 + telephony/pktrouter/file_contexts | 4 ++++ .../vendor/google => telephony/pktrouter}/netutils_wrapper.te | 0 .../vendor/google => telephony/pktrouter}/pktrouter.te | 0 telephony/pktrouter/property.te | 1 + telephony/pktrouter/property_contexts | 3 +++ telephony/pktrouter/vendor_init.te | 1 + whitechapel/vendor/google/device.te | 1 - whitechapel/vendor/google/file_contexts | 4 ---- whitechapel/vendor/google/property.te | 1 - whitechapel/vendor/google/property_contexts | 4 ---- whitechapel/vendor/google/vendor_init.te | 1 - 12 files changed, 10 insertions(+), 11 deletions(-) create mode 100644 telephony/pktrouter/device.te create mode 100644 telephony/pktrouter/file_contexts rename {whitechapel/vendor/google => telephony/pktrouter}/netutils_wrapper.te (100%) rename {whitechapel/vendor/google => telephony/pktrouter}/pktrouter.te (100%) create mode 100644 telephony/pktrouter/property.te create mode 100644 telephony/pktrouter/property_contexts create mode 100644 telephony/pktrouter/vendor_init.te diff --git a/telephony/pktrouter/device.te b/telephony/pktrouter/device.te new file mode 100644 index 00000000..3225bac6 --- /dev/null +++ b/telephony/pktrouter/device.te @@ -0,0 +1 @@ +type pktrouter_device, dev_type; diff --git a/telephony/pktrouter/file_contexts b/telephony/pktrouter/file_contexts new file mode 100644 index 00000000..f6e73dbf --- /dev/null +++ b/telephony/pktrouter/file_contexts 
@@ -0,0 +1,4 @@ +# WFC +/vendor/bin/wfc-pkt-router u:object_r:pktrouter_exec:s0 + +/dev/umts_wfc[01] u:object_r:pktrouter_device:s0 diff --git a/whitechapel/vendor/google/netutils_wrapper.te b/telephony/pktrouter/netutils_wrapper.te similarity index 100% rename from whitechapel/vendor/google/netutils_wrapper.te rename to telephony/pktrouter/netutils_wrapper.te diff --git a/whitechapel/vendor/google/pktrouter.te b/telephony/pktrouter/pktrouter.te similarity index 100% rename from whitechapel/vendor/google/pktrouter.te rename to telephony/pktrouter/pktrouter.te diff --git a/telephony/pktrouter/property.te b/telephony/pktrouter/property.te new file mode 100644 index 00000000..a3d6a392 --- /dev/null +++ b/telephony/pktrouter/property.te @@ -0,0 +1 @@ +vendor_internal_prop(vendor_ims_prop) diff --git a/telephony/pktrouter/property_contexts b/telephony/pktrouter/property_contexts new file mode 100644 index 00000000..4165d92c --- /dev/null +++ b/telephony/pktrouter/property_contexts @@ -0,0 +1,3 @@ +# for ims service +vendor.pktrouter u:object_r:vendor_ims_prop:s0 + diff --git a/telephony/pktrouter/vendor_init.te b/telephony/pktrouter/vendor_init.te new file mode 100644 index 00000000..3a867815 --- /dev/null +++ b/telephony/pktrouter/vendor_init.te @@ -0,0 +1 @@ +set_prop(vendor_init, vendor_ims_prop) diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index f0e8d8d0..54327dfa 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -12,7 +12,6 @@ type vendor_m2m1shot_device, dev_type; type vendor_gnss_device, dev_type; type vendor_nanohub_device, dev_type; type vendor_secmem_device, dev_type; -type pktrouter_device, dev_type; type vendor_toe_device, dev_type; type custom_ab_block_device, dev_type; type devinfo_block_device, dev_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 4b8ac2dd..451ae38d 100644 
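Review bot: The new telephony/pktrouter/property_contexts does not carry over the `vendor.charon.` prefix. The block this commit removes from whitechapel/vendor/google/property_contexts mapped both `vendor.charon.` and `vendor.pktrouter` to vendor_ims_prop, while the new file lists only `vendor.pktrouter`. Unless a file outside this patch labels it, `vendor.charon.*` would fall back to the default vendor property label, which changes who may read and set it. If the drop is intended, the commit message should say so; otherwise add `vendor.charon. u:object_r:vendor_ims_prop:s0` next to the pktrouter line.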
--- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -123,7 +123,6 @@ # GPU device /dev/mali0 u:object_r:gpu_device:s0 /dev/s5p-smem u:object_r:vendor_secmem_device:s0 -/dev/umts_wfc[01] u:object_r:pktrouter_device:s0 # # Exynos Daemon Exec @@ -138,9 +137,6 @@ /(vendor|system/vendor)/bin/sced u:object_r:sced_exec:s0 /(vendor|system/vendor)/bin/bipchmgr u:object_r:bipchmgr_exec:s0 -# WFC -/(vendor|system/vendor)/bin/wfc-pkt-router u:object_r:pktrouter_exec:s0 - # # Exynos Data Files # diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index bc62032b..254e9ac7 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -1,6 +1,5 @@ # For Exynos Properties vendor_internal_prop(vendor_prop) -vendor_internal_prop(vendor_ims_prop) vendor_internal_prop(vendor_rcs_prop) vendor_internal_prop(vendor_slog_prop) vendor_internal_prop(sensors_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 94d4065f..1e43044b 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -7,10 +7,6 @@ vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0 vendor.ril. u:object_r:vendor_rild_prop:s0 ro.vendor.build.svn u:object_r:vendor_rild_prop:s0 -# for ims service -vendor.charon. u:object_r:vendor_ims_prop:s0 -vendor.pktrouter u:object_r:vendor_ims_prop:s0 - # Ramdump persist.vendor.sys.crash_rcu u:object_r:vendor_ramdump_prop:s0 diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 8e3e369c..58551577 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te 
@@ -5,7 +5,6 @@ set_prop(vendor_init, vendor_rild_prop) set_prop(vendor_init, vendor_usb_config_prop) set_prop(vendor_init, vendor_slog_prop) set_prop(vendor_init, vendor_sys_default_prop) -set_prop(vendor_init, vendor_ims_prop) set_prop(vendor_init, vendor_rcs_prop) set_prop(vendor_init, vendor_ssrdump_prop) set_prop(vendor_init, vendor_ro_config_default_prop) From 0b21a2d44a7ffd32ffa82d63a236aafe56bd425e Mon Sep 17 00:00:00 2001 From: Denny cy Lee Date: Mon, 24 May 2021 13:32:21 +0800 Subject: [PATCH 368/921] Pixelstat: battery history access premission Test: manually, relate seploicy not show; battery history log printed 05-24 13:29:19.637 2829 2829 D pixelstats_BatteryEEPROM: checkAndReport: 0940 0a80 0500 0200 0200 0000 Bug: 189050725 Change-Id: I20567e168db43fe2168a9a30ac7a4b0cec65a665 Signed-off-by: Denny cy Lee --- whitechapel/vendor/google/device.te | 2 ++ whitechapel/vendor/google/file_contexts | 3 +++ whitechapel/vendor/google/pixelstats_vendor.te | 6 ++++++ whitechapel/vendor/google/system_server.te | 3 +++ 4 files changed, 14 insertions(+) diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index f0e8d8d0..c99eaa9e 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -53,3 +53,5 @@ type fingerprint_device, dev_type; # AMCS device type amcs_device, dev_type; +# Battery history +type battery_history_device, dev_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 379ef830..c858c346 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -361,6 +361,9 @@ # pixelstats binary /vendor/bin/pixelstats-vendor u:object_r:pixelstats_vendor_exec:s0 +# battery history +/dev/battery_history u:object_r:battery_history_device:s0 + # Vendor_kernel_modules /vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 
diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te index 68e59120..07c370b6 100644 --- a/whitechapel/vendor/google/pixelstats_vendor.te +++ b/whitechapel/vendor/google/pixelstats_vendor.te @@ -18,3 +18,9 @@ allow pixelstats_vendor sysfs_pixelstats:file r_file_perms; allow pixelstats_vendor sysfs_wlc:dir search; allow pixelstats_vendor sysfs_wlc:file rw_file_perms; + +# OrientationCollector +allow pixelstats_vendor fwk_sensor_hwservice:hwservice_manager find; + +# Batery history +allow pixelstats_vendor battery_history_device:chr_file r_file_perms; diff --git a/whitechapel/vendor/google/system_server.te b/whitechapel/vendor/google/system_server.te index 001b8556..b2563949 100644 --- a/whitechapel/vendor/google/system_server.te +++ b/whitechapel/vendor/google/system_server.te @@ -3,3 +3,6 @@ binder_call(system_server, gpsd); binder_call(system_server, hal_camera_default); # Allow system server to find vendor uwb service allow system_server uwb_vendor_service:service_manager find; + +# pixelstats_vendor/OrientationCollector +binder_call(system_server, pixelstats_vendor) From 433aeb2d4d407e263386dbc84e36669bfacd8ecd Mon Sep 17 00:00:00 2001 From: Denny cy Lee Date: Fri, 7 May 2021 15:30:47 +0800 Subject: [PATCH 369/921] Sepolicy: Pixel stats wireless charger sepolicy Bug: 171853251 Bug: 188601686 Test: manually, do wirelees charge, check logcat Change-Id: I4cbd7da038365ae92e34780131056da61b9a55dc Signed-off-by: Denny cy Lee --- whitechapel/vendor/google/pixelstats_vendor.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te index 07c370b6..5b0c251b 100644 --- a/whitechapel/vendor/google/pixelstats_vendor.te +++ b/whitechapel/vendor/google/pixelstats_vendor.te 
@@ -24,3 +24,7 @@ allow pixelstats_vendor fwk_sensor_hwservice:hwservice_manager find; # Batery history allow pixelstats_vendor battery_history_device:chr_file r_file_perms; + +# Wireless charge +allow pixelstats_vendor sysfs_wlc:dir search; +allow pixelstats_vendor sysfs_wlc:file r_file_perms; From a23d1bb37bac9396469dfe7e7b93626c5cfb863c Mon Sep 17 00:00:00 2001 From: Kris Chen Date: Wed, 23 Jun 2021 16:19:00 +0800 Subject: [PATCH 370/921] Allow fingerprint hal to read sysfs_chosen Fixes the following avc denial: android.hardwar: type=1400 audit(0.0:49): avc: denied { search } for name="chosen" dev="sysfs" ino=9575 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_chosen:s0 tclass=dir permissive=1 android.hardwar: type=1400 audit(0.0:50): avc: denied { read } for name="platform" dev="sysfs" ino=9591 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_chosen:s0 tclass=file permissive=1 android.hardwar: type=1400 audit(0.0:51): avc: denied { open } for path="/sys/firmware/devicetree/base/chosen/plat/platform" dev="sysfs" ino=9591 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_chosen:s0 tclass=file permissive=1 Bug: 191832617 Test: Enroll and authenticate fingerprints. Change-Id: I5c576cc210d9e85b1999655bdc27736183db8aed --- whitechapel/vendor/google/hal_fingerprint_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te index 755ab473..a7f769bf 100644 --- a/whitechapel/vendor/google/hal_fingerprint_default.te +++ b/whitechapel/vendor/google/hal_fingerprint_default.te @@ -15,3 +15,6 @@ add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice) # allow fingerprint to access power hal hal_client_domain(hal_fingerprint_default, hal_power); + +# Allow access to the files of CDT information. +r_dir_file(hal_fingerprint_default, sysfs_chosen) 
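Review bot: Both rules added under `# Wireless charge` are already in the file from PATCH 360, where they are visible as context in PATCH 368's pixelstats_vendor.te hunk. `allow pixelstats_vendor sysfs_wlc:dir search;` is repeated verbatim, and `sysfs_wlc:file r_file_perms` is a subset of the existing `sysfs_wlc:file rw_file_perms`. The compiled policy is unchanged, but the new block reads as if pixelstats_vendor had read-only access to the wireless-charger nodes while write is still allowed a few lines up. I would drop the two new lines and put the `# Wireless charge` comment above the existing pair, or narrow the existing rule to `r_file_perms` if write is no longer needed.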
From 5aaa0f6044ba6e1c9f68507a13c15f13fdc4e3b3 Mon Sep 17 00:00:00 2001 From: Sungwoo choi Date: Wed, 23 Jun 2021 17:25:27 +0900 Subject: [PATCH 371/921] gs101-sepolicy: add oemrilservice_app.te Seperate oemrilservice_app.te from vendor_telephony_app.te. - target process: com.samsung.slsi.telephony.oemril - selabel: oemrilservice_app - allow to find app_api_service - allow to find radio_service - allow to find vendor HAL - a binder communication with rild Bug: 191830874 Test: Manual Signed-off-by: Sungwoo choi Change-Id: I5e31b4a16f0b4d25bf4889da0150084937354808 --- whitechapel/vendor/google/oemrilservice_app.te | 7 +++++++ whitechapel/vendor/google/rild.te | 1 + whitechapel/vendor/google/seapp_contexts | 3 +++ 3 files changed, 11 insertions(+) create mode 100644 whitechapel/vendor/google/oemrilservice_app.te diff --git a/whitechapel/vendor/google/oemrilservice_app.te b/whitechapel/vendor/google/oemrilservice_app.te new file mode 100644 index 00000000..6b3a319f --- /dev/null +++ b/whitechapel/vendor/google/oemrilservice_app.te @@ -0,0 +1,7 @@ +type oemrilservice_app, domain; +app_domain(oemrilservice_app) + +allow oemrilservice_app app_api_service:service_manager find; +allow oemrilservice_app radio_service:service_manager find; +allow oemrilservice_app hal_exynos_rild_hwservice:hwservice_manager find; +binder_call(oemrilservice_app, rild) diff --git a/whitechapel/vendor/google/rild.te b/whitechapel/vendor/google/rild.te index a39ab520..5fc2159c 100644 --- a/whitechapel/vendor/google/rild.te +++ b/whitechapel/vendor/google/rild.te @@ -25,6 +25,7 @@ binder_call(rild, platform_app) binder_call(rild, modem_svc_sit) binder_call(rild, vendor_ims_app) binder_call(rild, vendor_rcs_app) +binder_call(rild, oemrilservice_app) # for hal service add_hwservice(rild, hal_exynos_rild_hwservice) diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index b10941ac..10343969 100644 --- a/whitechapel/vendor/google/seapp_contexts 
+++ b/whitechapel/vendor/google/seapp_contexts @@ -6,6 +6,9 @@ user=system seinfo=platform name=com.samsung.slsi.telephony.uartswitch domain=ve user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_app levelFrom=all user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode domain=vendor_telephony_app levelFrom=all +# oemrilservice +user=_app isPrivApp=true name=com.samsung.slsi.telephony.oemril domain=oemrilservice_app levelFrom=all + # Samsung S.LSI IMS user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_app levelFrom=all From 7f9abeee45adad1e1e7dfa9830516e9594cca3e1 Mon Sep 17 00:00:00 2001 From: Minchan Kim Date: Wed, 23 Jun 2021 14:05:06 -0700 Subject: [PATCH 372/921] sepolicy: gs101: allow dump cma statistics Provide necessary sepolicy for bugreport dump to access cma metric information under /sys/kernel/pixel_stat/* Test: Run "adb bugreport " and verify it contains the output from dumpstate_board.txt Bug: 191904985 Signed-off-by: Minchan Kim Change-Id: Iaa92006eeb5158a0962652427d1af061fe1cf03d --- whitechapel/vendor/google/hal_dumpstate_default.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index b9385364..52d66199 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -118,6 +118,9 @@ userdebug_or_eng(` allow hal_dumpstate_default vendor_page_pinner_debugfs:dir search; allow hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms; + allow hal_dumpstate_default sysfs_pixel_stat:dir r_dir_perms; + allow hal_dumpstate_default sysfs_pixel_stat:file r_file_perms; + allow hal_dumpstate_default vendor_dri_debugfs:file r_file_perms; allow hal_dumpstate_default vendor_dri_debugfs:dir search; 
@@ -161,6 +164,9 @@ dontaudit hal_dumpstate_default vendor_ion_debugfs:file r_file_perms; dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:dir search; dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms; +dontaudit hal_dumpstate_default sysfs_pixel_stat:dir r_dir_perms; +dontaudit hal_dumpstate_default sysfs_pixel_stat:file r_file_perms; + dontaudit hal_dumpstate_default vendor_dri_debugfs:file r_file_perms; dontaudit hal_dumpstate_default vendor_dri_debugfs:dir search; From e44e43267288de9f8f4cd38c83f79c7fba887cf7 Mon Sep 17 00:00:00 2001 From: Alex Hong Date: Wed, 23 Jun 2021 23:59:14 +0800 Subject: [PATCH 373/921] Move the type definition of properties from product to vendor These properties cannot be resolved after product sepolicy is replaced. vendor_persist_config_default_prop vendor_rild_prop Test: The device can boot to home after replacing with GSI Bug: 191236468 Change-Id: Ib797601a44306987e5a85897c7b6cd7827ad91b2 --- public/property.te | 2 -- whitechapel/vendor/google/property.te | 2 ++ 2 files changed, 2 insertions(+), 2 deletions(-) delete mode 100644 public/property.te diff --git a/public/property.te b/public/property.te deleted file mode 100644 index 5f60d635..00000000 --- a/public/property.te +++ /dev/null @@ -1,2 +0,0 @@ -vendor_internal_prop(vendor_rild_prop) -vendor_internal_prop(vendor_persist_config_default_prop) diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index bc62032b..9454c2eb 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -2,6 +2,7 @@ vendor_internal_prop(vendor_prop) vendor_internal_prop(vendor_ims_prop) vendor_internal_prop(vendor_rcs_prop) +vendor_internal_prop(vendor_rild_prop) vendor_internal_prop(vendor_slog_prop) vendor_internal_prop(sensors_prop) vendor_internal_prop(vendor_ssrdump_prop) 
@@ -14,6 +15,7 @@ vendor_internal_prop(vendor_cbd_prop) # vendor defaults vendor_internal_prop(vendor_config_default_prop) vendor_internal_prop(vendor_ro_config_default_prop) +vendor_internal_prop(vendor_persist_config_default_prop) vendor_internal_prop(vendor_sys_default_prop) vendor_internal_prop(vendor_ro_sys_default_prop) vendor_internal_prop(vendor_persist_sys_default_prop) From 8b326703e16804079272eea0df4404fc8a10c318 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 23 Jun 2021 10:27:36 +0800 Subject: [PATCH 374/921] modularize dmd Bug: 190331463 Test: build ROM and make sure dmd is launched Change-Id: If1e51b6bc100e870a15a40f5e0d93a75fe68bac3 --- modem/user/dmd.te | 29 +++++++++++++++++++++ modem/user/file.te | 1 + modem/user/file_contexts | 2 ++ modem/user/property.te | 3 +++ modem/user/property_contexts | 14 ++++++++++ whitechapel/vendor/google/dmd.te | 28 -------------------- whitechapel/vendor/google/file.te | 1 - whitechapel/vendor/google/file_contexts | 3 --- whitechapel/vendor/google/property.te | 3 --- whitechapel/vendor/google/property_contexts | 14 ---------- 10 files changed, 49 insertions(+), 49 deletions(-) create mode 100644 modem/user/dmd.te create mode 100644 modem/user/file.te create mode 100644 modem/user/file_contexts create mode 100644 modem/user/property.te create mode 100644 modem/user/property_contexts diff --git a/modem/user/dmd.te b/modem/user/dmd.te new file mode 100644 index 00000000..eabf8930 --- /dev/null +++ b/modem/user/dmd.te 
@@ -0,0 +1,29 @@ +type dmd, domain; +type dmd_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(dmd) + +# Grant to access serial device for external logging tool +allow dmd serial_device:chr_file rw_file_perms; + +# Grant to access radio device +allow dmd radio_device:chr_file rw_file_perms; + +# Grant to access slog dir/file +allow dmd vendor_slog_file:dir create_dir_perms; +allow dmd vendor_slog_file:file create_file_perms; + +# Grant to access tcp socket +allow dmd node:tcp_socket node_bind; +allow dmd self:tcp_socket { create_socket_perms_no_ioctl listen accept bind }; + +# Grant to access log related properties +set_prop(dmd, vendor_diag_prop) +set_prop(dmd, vendor_slog_prop) +set_prop(dmd, vendor_modem_prop) + +get_prop(dmd, vendor_persist_config_default_prop) + +# Grant to access hwservice manager +get_prop(dmd, hwservicemanager_prop) + +binder_call(dmd, hwservicemanager) diff --git a/modem/user/file.te b/modem/user/file.te new file mode 100644 index 00000000..e2beb8bc --- /dev/null +++ b/modem/user/file.te @@ -0,0 +1 @@ +type vendor_slog_file, file_type, data_file_type, mlstrustedobject; diff --git a/modem/user/file_contexts b/modem/user/file_contexts new file mode 100644 index 00000000..ff1482bc --- /dev/null +++ b/modem/user/file_contexts @@ -0,0 +1,2 @@ +/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 +/vendor/bin/dmd u:object_r:dmd_exec:s0 diff --git a/modem/user/property.te b/modem/user/property.te new file mode 100644 index 00000000..353b1c8a --- /dev/null +++ b/modem/user/property.te @@ -0,0 +1,3 @@ +vendor_internal_prop(vendor_diag_prop) +vendor_internal_prop(vendor_slog_prop) +vendor_internal_prop(vendor_modem_prop) diff --git a/modem/user/property_contexts b/modem/user/property_contexts new file mode 100644 index 00000000..0be942b8 --- /dev/null +++ b/modem/user/property_contexts 
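Review bot: In modem/user/dmd.te, `allow dmd node:tcp_socket node_bind;` and the `listen accept bind` grant on `self:tcp_socket` carry no build-type guard, so the diagnostic daemon may hold a listening TCP socket on every build that includes this directory. The comment above them says only "Grant to access tcp socket"; it should state what connects to the listener and why it is needed outside debug builds. If the socket serves external logging tools only, consider wrapping the two rules in a `userdebug_or_eng` block. The rules are moved verbatim from whitechapel/vendor/google/dmd.te, so this is inherited rather than introduced here.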
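Review bot: The move into modem/user/file_contexts is not label-for-label. The old file carried `/data/vendor/log/slog(/.*)?` and `/(vendor|system/vendor)/bin/dmd`, but the new one keeps only `/data/vendor/slog(/.*)?` and `/vendor/bin/dmd`. Anything still written under /data/vendor/log/slog would take whatever label the parent path rule assigns, and dmd's `create_file_perms` on `vendor_slog_file` would no longer cover it. If that path is retired, say so in the commit message; otherwise add `/data/vendor/log/slog(/.*)? u:object_r:vendor_slog_file:s0` to the new file.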
@@ -0,0 +1,14 @@ +# for dmd +persist.vendor.sys.dm. u:object_r:vendor_diag_prop:s0 +persist.vendor.sys.diag. u:object_r:vendor_diag_prop:s0 +vendor.sys.dmd. u:object_r:vendor_diag_prop:s0 +vendor.sys.diag. u:object_r:vendor_diag_prop:s0 + +# for modem +persist.vendor.modem. u:object_r:vendor_modem_prop:s0 +vendor.modem. u:object_r:vendor_modem_prop:s0 +vendor.sys.modem. u:object_r:vendor_modem_prop:s0 +ro.vendor.sys.modem. u:object_r:vendor_modem_prop:s0 +vendor.sys.exynos.modempath u:object_r:vendor_modem_prop:s0 +persist.vendor.sys.modem. u:object_r:vendor_modem_prop:s0 + diff --git a/whitechapel/vendor/google/dmd.te b/whitechapel/vendor/google/dmd.te index 4f9cef1d..b51c34d6 100644 --- a/whitechapel/vendor/google/dmd.te +++ b/whitechapel/vendor/google/dmd.te @@ -1,33 +1,5 @@ -type dmd, domain; -type dmd_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(dmd) - -# Grant to access serial device for external logging tool -allow dmd serial_device:chr_file rw_file_perms; - -# Grant to access radio device -allow dmd radio_device:chr_file rw_file_perms; - -# Grant to access slog dir/file -allow dmd vendor_slog_file:dir create_dir_perms; -allow dmd vendor_slog_file:file create_file_perms; - -# Grant to access tcp socket -allow dmd node:tcp_socket node_bind; -allow dmd self:tcp_socket { create_socket_perms_no_ioctl listen accept bind }; - -# Grant to access log related properties -set_prop(dmd, vendor_diag_prop) -set_prop(dmd, vendor_slog_prop) -set_prop(dmd, vendor_modem_prop) - -get_prop(dmd, vendor_persist_config_default_prop) - -# Grant to access hwservice manager -get_prop(dmd, hwservicemanager_prop) allow dmd hidl_base_hwservice:hwservice_manager add; allow dmd hal_vendor_oem_hwservice:hwservice_manager { add find }; -binder_call(dmd, hwservicemanager) binder_call(dmd, modem_diagnostic_app) binder_call(dmd, modem_logging_control) binder_call(dmd, vendor_telephony_app) 
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index ce5b993c..2b58a952 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -11,7 +11,6 @@ type vendor_rfsd_log_file, file_type, data_file_type; type vendor_dump_log_file, file_type, data_file_type; type vendor_rild_log_file, file_type, data_file_type; type vendor_sced_log_file, file_type, data_file_type; -type vendor_slog_file, file_type, data_file_type, mlstrustedobject; type vendor_telephony_log_file, file_type, data_file_type; # app data files diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index c858c346..000d3e3c 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -129,7 +129,6 @@ # Exynos Daemon Exec # /(vendor|system/vendor)/bin/cbd u:object_r:cbd_exec:s0 -/(vendor|system/vendor)/bin/dmd u:object_r:dmd_exec:s0 /(vendor|system/vendor)/bin/hw/scd u:object_r:scd_exec:s0 /(vendor|system/vendor)/bin/hw/gpsd u:object_r:gpsd_exec:s0 /(vendor|system/vendor)/bin/hw/lhd u:object_r:lhd_exec:s0 @@ -157,8 +156,6 @@ /data/vendor/log/dump(/.*)? u:object_r:vendor_dump_log_file:s0 /data/vendor/log/rild(/.*)? u:object_r:vendor_rild_log_file:s0 /data/vendor/log/sced(/.*)? u:object_r:vendor_sced_log_file:s0 -/data/vendor/log/slog(/.*)? u:object_r:vendor_slog_file:s0 -/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 /persist/sensorcal\.json u:object_r:sensors_cal_file:s0 diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 9454c2eb..9f9347f9 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te 
@@ -3,14 +3,11 @@ vendor_internal_prop(vendor_prop) vendor_internal_prop(vendor_ims_prop) vendor_internal_prop(vendor_rcs_prop) vendor_internal_prop(vendor_rild_prop) -vendor_internal_prop(vendor_slog_prop) vendor_internal_prop(sensors_prop) vendor_internal_prop(vendor_ssrdump_prop) vendor_internal_prop(vendor_device_prop) vendor_internal_prop(vendor_usb_config_prop) vendor_internal_prop(vendor_secure_element_prop) -vendor_internal_prop(vendor_modem_prop) -vendor_internal_prop(vendor_diag_prop) vendor_internal_prop(vendor_cbd_prop) # vendor defaults vendor_internal_prop(vendor_config_default_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 94d4065f..9be2642d 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -33,14 +33,6 @@ vendor.debug.c2.dump.opt u:object_r:vendor_codec2_debug_prop:s0 persist.vendor.usb. u:object_r:vendor_usb_config_prop:s0 vendor.usb. u:object_r:vendor_usb_config_prop:s0 -# for modem -persist.vendor.modem. u:object_r:vendor_modem_prop:s0 -vendor.modem. u:object_r:vendor_modem_prop:s0 -vendor.sys.modem. u:object_r:vendor_modem_prop:s0 -ro.vendor.sys.modem. u:object_r:vendor_modem_prop:s0 -vendor.sys.exynos.modempath u:object_r:vendor_modem_prop:s0 -persist.vendor.sys.modem. u:object_r:vendor_modem_prop:s0 - # for logger app vendor.pixellogger. u:object_r:vendor_logger_prop:s0 persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 
@@ -54,12 +46,6 @@ vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0 vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0 persist.vendor.sys.silentlog u:object_r:vendor_slog_prop:s0 -# for dmd -persist.vendor.sys.dm. u:object_r:vendor_diag_prop:s0 -persist.vendor.sys.diag. u:object_r:vendor_diag_prop:s0 -vendor.sys.dmd. u:object_r:vendor_diag_prop:s0 -vendor.sys.diag. u:object_r:vendor_diag_prop:s0 - # vendor default vendor.config. u:object_r:vendor_config_default_prop:s0 ro.vendor.config. u:object_r:vendor_ro_config_default_prop:s0 From 2460cdcc9fec63c33e6a9d7a4d13588fc967bed0 Mon Sep 17 00:00:00 2001 From: Ilya Matyukhin Date: Wed, 23 Jun 2021 23:38:27 -0700 Subject: [PATCH 375/921] raviole: transition SystemUI to use HWC for LHBM This change removes direct access to the LHBM sysfs node from SystemUI, but allows SystemUI to make binder calls to the hardware composer (HWC), which can be used to enable or disable LHBM. Bug: 191132545 Bug: 190563896 Bug: 184768835 Test: no avc denials Change-Id: I5417377ff096e869ad772e4fd2fb23f8c1fd4f1e --- display/gs101/hal_graphics_composer_default.te | 3 --- tracking_denials/hal_graphics_composer_default.te | 2 -- usf/sensor_hal.te | 3 --- whitechapel/vendor/google/bug_map | 1 - whitechapel/vendor/google/file.te | 4 ---- whitechapel/vendor/google/genfs_contexts | 4 ---- whitechapel/vendor/google/platform_app.te | 8 ++------ 7 files changed, 2 insertions(+), 23 deletions(-) diff --git a/display/gs101/hal_graphics_composer_default.te b/display/gs101/hal_graphics_composer_default.te index aa429277..0b4c26e8 100644 --- a/display/gs101/hal_graphics_composer_default.te +++ b/display/gs101/hal_graphics_composer_default.te 
@@ -40,6 +40,3 @@ allow hal_graphics_composer_default vendor_log_file:file create_file_perms; # allow HWC to output to dumpstate via pipe fd allow hal_graphics_composer_default hal_dumpstate_default:fifo_file { append write }; allow hal_graphics_composer_default hal_dumpstate_default:fd use; - -# allow HWC to access LHBM sysfs -allow hal_graphics_composer_default sysfs_lhbm:file rw_file_perms; diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te index 9640b83e..e69de29b 100644 --- a/tracking_denials/hal_graphics_composer_default.te +++ b/tracking_denials/hal_graphics_composer_default.te @@ -1,2 +0,0 @@ -# b/191132545 -dontaudit hal_graphics_composer_default sysfs_lhbm:file { read write }; diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index 502e14c3..03cdc090 100644 --- a/usf/sensor_hal.te +++ b/usf/sensor_hal.te @@ -55,6 +55,3 @@ allow hal_sensors_default fwk_stats_service:service_manager find; # Allow access to CHRE socket to connect to nanoapps. unix_socket_connect(hal_sensors_default, chre, chre) - -# Allow sensor HAL to read lhbm. -allow hal_sensors_default sysfs_lhbm:file r_file_perms; diff --git a/whitechapel/vendor/google/bug_map b/whitechapel/vendor/google/bug_map index e97b8e14..6faa712a 100644 --- a/whitechapel/vendor/google/bug_map +++ b/whitechapel/vendor/google/bug_map @@ -1,2 +1 @@ -hal_graphics_composer_default sysfs_lhbm file b/190563896 permissioncontroller_app sysfs_vendor_sched file b/190671898 diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index a7eeea53..b961dcd9 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te 
@@ -184,10 +184,6 @@ type sysfs_bcmdhd, sysfs_type, fs_type; # Video type sysfs_video, sysfs_type, fs_type; -# TODO(b/184768835): remove this once the bug is fixed -# LHBM (Local High Brightness Mode) -type sysfs_lhbm, sysfs_type, fs_type, mlstrustedobject; - # UWB vendor type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 34c93866..e0542a78 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -124,10 +124,6 @@ genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extin genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 -# TODO(b/184768835): remove this once the bug is fixed -# Display / LHBM (Local High Brightness Mode) -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/local_hbm_mode u:object_r:sysfs_lhbm:s0 - # Modem genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0 diff --git a/whitechapel/vendor/google/platform_app.te b/whitechapel/vendor/google/platform_app.te index 40556ded..66e7721d 100644 --- a/whitechapel/vendor/google/platform_app.te +++ b/whitechapel/vendor/google/platform_app.te @@ -19,9 +19,5 @@ binder_call(platform_app, twoshay) # Fingerprint (UDFPS) GHBM/LHBM toggle get_prop(platform_app, fingerprint_ghbm_prop) -# TODO(b/184768835): remove this once the bug is fixed -# Fingerprint (UDFPS) LHBM access -userdebug_or_eng(` - allow platform_app sysfs_leds:dir search; - allow platform_app sysfs_lhbm:file rw_file_perms; -') +allow platform_app hal_pixel_display_service:service_manager find; +binder_call(platform_app, hal_graphics_composer_default) From e31c8840de9e98d749b7b63a076f22e516835131 Mon Sep 17 00:00:00 2001 
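Review bot: In platform_app.te the replacement grant is wider than the one it removes. The sysfs rules were wrapped in `userdebug_or_eng`, whereas `binder_call(platform_app, hal_graphics_composer_default)` and the `hal_pixel_display_service` find apply to every platform_app process on all builds. SELinux cannot narrow this to SystemUI, so the display service presumably has to check the caller itself before changing LHBM state; that is not visible in this patch and is worth confirming. The two new lines also have no comment of their own; `# SystemUI toggles LHBM for UDFPS through the HWC display service` above them would record why platform_app talks to the composer.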
From: sukiliu Date: Fri, 25 Jun 2021 09:42:51 +0800 Subject: [PATCH 376/921] Update avc error on ROM 7490489 avc: denied { call } for scontext=u:r:dumpstate:s0 tcontext=u:r:hal_uwb_default:s0 tclass=binder permissive=0 avc: denied { call } for comm="dumpstate" scontext=u:r:dumpstate:s0 tcontext=u:r:hal_uwb_default:s0 tclass=binder permissive=0 Bug: 192026913 Test: PtsSELinuxTestCases Change-Id: Ieca08e87db1b46f3b7fc7de1492e45d4a5bec868 --- tracking_denials/dumpstate.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index 1a3571bf..a19ceb0a 100644 --- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te @@ -4,3 +4,5 @@ dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; dontaudit dumpstate twoshay:binder call; # b/190337283 dontaudit dumpstate debugfs_wakeup_sources:file read; +# b/192026913 +dontaudit dumpstate hal_uwb_default:binder call; From 7ea816284d2c6541183339790de73bd981ade6a7 Mon Sep 17 00:00:00 2001 From: sukiliu Date: Fri, 25 Jun 2021 14:40:17 +0800 Subject: [PATCH 377/921] Update avc error on ROM 7492139 avc: denied { call } for comm="servicemanager" scontext=u:r:servicemanager:s0 tcontext=u:r:hal_fingerprint_default:s0 tclass=binder permissive=0 Bug: 192040144 Test: PtsSELinuxTestCases Change-Id: I2de11d2706222a88c4234d99399b7b2437f36e31 --- tracking_denials/servicemanager.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 tracking_denials/servicemanager.te diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te new file mode 100644 index 00000000..cf725d21 --- /dev/null +++ b/tracking_denials/servicemanager.te @@ -0,0 +1,2 @@ +# b/192040144 +dontaudit servicemanager hal_fingerprint_default:binder call; From 9ac870aa22fa5b774072212f7a0fd8bafd9a25a3 Mon Sep 17 00:00:00 2001 
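Review bot: `dontaudit dumpstate hal_uwb_default:binder call;` silences the denial instead of resolving it, and the same holds for `dontaudit servicemanager hal_fingerprint_default:binder call;` in the new tracking_denials/servicemanager.te. Once these rules are in, later denials on the same source, target and class leave no avc record, which removes the signal that the bug is still live. The bug_map file in this tree annotates a denial with its bug while keeping it logged; if the SELinux test permits, entries such as `dumpstate hal_uwb_default binder b/192026913` would be the less lossy choice. The avc text suggests dumpstate is simply missing a dump grant for the UWB HAL, though that is inferred from the log lines alone.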
From: Jeffrey Carlyle Date: Fri, 21 May 2021 07:54:41 -0700 Subject: [PATCH 378/921] allow recovery and fastboot to access secure elment This is to enable clearing of secure element during a master reset. Bug: 182508814 Test: master reset on device with keys; verified no keys after reset Signed-off-by: Jeffrey Carlyle Change-Id: I15c7fbd7f2c4fb34dcad0ae4f5cee3238f526fa5 --- whitechapel/vendor/google/fastbootd.te | 1 + whitechapel/vendor/google/recovery.te | 1 + 2 files changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/fastbootd.te b/whitechapel/vendor/google/fastbootd.te index c1c4de7b..6b663dfb 100644 --- a/whitechapel/vendor/google/fastbootd.te +++ b/whitechapel/vendor/google/fastbootd.te @@ -1,5 +1,6 @@ # Required by the bootcontrol HAL for the 'set_active' command. recovery_only(` +allow fastbootd secure_element_device:chr_file rw_file_perms; allow fastbootd devinfo_block_device:blk_file rw_file_perms; allow fastbootd sda_block_device:blk_file rw_file_perms; allow fastbootd sysfs_ota:file rw_file_perms; diff --git a/whitechapel/vendor/google/recovery.te b/whitechapel/vendor/google/recovery.te index 6eb97aa3..4687a43c 100644 --- a/whitechapel/vendor/google/recovery.te +++ b/whitechapel/vendor/google/recovery.te @@ -1,3 +1,4 @@ recovery_only(` allow recovery sysfs_ota:file rw_file_perms; + allow recovery secure_element_device:chr_file rw_file_perms; ') From 4ea317bb6a379abb87270891ec63d39072dc5d8d Mon Sep 17 00:00:00 2001 From: Gazi Yamin Iqbal Date: Mon, 28 Jun 2021 15:35:28 +0800 Subject: [PATCH 379/921] gs101-sepolicy: allow rlsservice to read display status files major changes: 1. This change is to allow rlsservice to read the status of display status file. Similar method was employed in previous pixels. Bug: 191122203 Test: p21 camera test checklist Change-Id: I09483881294fd6dde46d4d0b7283311a2d20c404 --- whitechapel/vendor/google/rlsservice.te | 4 ++++ 1 file changed, 4 insertions(+) 
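Review bot: In fastbootd.te the new `allow fastbootd secure_element_device:chr_file rw_file_perms;` is inserted directly under the comment "Required by the bootcontrol HAL for the 'set_active' command", which does not describe it. Give the rule its own comment, for example `# Clear the secure element during a factory reset (b/182508814)`, and add the same line above the matching rule in recovery.te. Both rules sit inside `recovery_only(`, so read/write access to the secure element stays limited to the recovery policy; that block closes outside the fastbootd hunk. The same change is re-landed later on this page as PATCH 387, where the comment is equally missing.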
diff --git a/whitechapel/vendor/google/rlsservice.te b/whitechapel/vendor/google/rlsservice.te index bf8b401f..425620f3 100644 --- a/whitechapel/vendor/google/rlsservice.te +++ b/whitechapel/vendor/google/rlsservice.te @@ -23,6 +23,10 @@ binder_call(rlsservice, hal_camera_default) allow rlsservice device:dir { read watch }; allow rlsservice aoc_device:chr_file rw_file_perms; +# Allow access to display backlight information +allow rlsservice sysfs_leds:dir search; +allow rlsservice sysfs_leds:file r_file_perms; + # Allow use of the USF low latency transport usf_low_latency_transport(rlsservice) From 4b6bc8cb327dae92f454b698130bf4eea66c960e Mon Sep 17 00:00:00 2001 From: David Lin Date: Mon, 28 Jun 2021 13:53:30 -0700 Subject: [PATCH 380/921] ssr_detector_app: Add additional vendor dir and crgroup allow for debug Bug: 192126013 Signed-off-by: David Lin Change-Id: Idadf81cf92099804f300f87fb1bedf9bed7decbd --- whitechapel/vendor/google/ssr_detector.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te index 16e0e9f0..793e51b6 100644 --- a/whitechapel/vendor/google/ssr_detector.te +++ b/whitechapel/vendor/google/ssr_detector.te @@ -14,7 +14,9 @@ userdebug_or_eng(` get_prop(ssr_detector_app, vendor_aoc_prop) allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; allow ssr_detector_app sysfs_sjtag:file rw_file_perms; + allow ssr_detector_app sysfs_vendor_sched:dir search; allow ssr_detector_app sysfs_vendor_sched:file rw_file_perms; + allow ssr_detector_app cgroup:file write; ') get_prop(ssr_detector_app, vendor_ssrdump_prop) From f9501fc87c9d39e4812d1053c7203bcbc0fea1c1 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Tue, 29 Jun 2021 07:20:18 +0800 Subject: [PATCH 381/921] Avoid VTS testDataTypeViolators failure Bug: 192209720 Test: run -m CtsSecurityHostTestCases -t android.security.cts.SELinuxHostTest Change-Id: I9043c5adfb544179bceb0f6e5cf73c2b2ddd3d02 --- public/file.te | 3 --- telephony/user/file.te | 5 +++++ 2 files changed, 5 insertions(+), 3 deletions(-) create mode 100644 telephony/user/file.te diff --git a/public/file.te b/public/file.te index 2aef505f..4c15c474 100644 --- a/public/file.te +++ b/public/file.te @@ -5,6 +5,3 @@ userdebug_or_eng(` ') type proc_vendor_sched, proc_type, fs_type; -# Radio -type radio_vendor_data_file, file_type, data_file_type, mlstrustedobject; - diff --git a/telephony/user/file.te b/telephony/user/file.te new file mode 100644 index 00000000..05f3c5e2 --- /dev/null +++ b/telephony/user/file.te @@ -0,0 +1,5 @@ +# Radio +type radio_vendor_data_file, file_type, data_file_type; +userdebug_or_eng(` + typeattribute radio_vendor_data_file mlstrustedobject; +') From 93944a8b1c8fe1d4f7455bff6ef89537848e2a30 Mon Sep 17 00:00:00 2001 From: neoyu Date: Mon, 28 Jun 2021 23:52:24 +0800 Subject: [PATCH 382/921] Fix avc denied for getprop "vendor.radio.call_end_reason" 06-10 11:13:02.867 10224 2377 2377 W libc : Access denied finding property "vendor.radio.call_end_reason" Bug: 191204793 Test: error is gone with this fix Change-Id: I50c1d21ba4e2343aa2cee0c533b8c3dbe535e4b5 --- whitechapel/vendor/google/property_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 3fe740e2..5d2f018a 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts 
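Review bot: The conditional `typeattribute radio_vendor_data_file mlstrustedobject;` in telephony/user/file.te has no comment explaining why the attribute is debug-only. `mlstrustedobject` exempts the type from MLS level checks, so keeping it off user builds is the tighter choice. A line such as `# mlstrustedobject on debug builds only; user builds keep MLS separation on radio data` would record that. The same unconditional combination is still declared for `vendor_slog_file` in modem/user/file.te (PATCH 374 on this page); whether it needs the same gating is worth checking.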
@@ -5,6 +5,7 @@ persist.vendor.radio. u:object_r:vendor_rild_prop:s0 vendor.radio.ril. u:object_r:vendor_rild_prop:s0 vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0 vendor.ril. u:object_r:vendor_rild_prop:s0 +vendor.radio. u:object_r:vendor_rild_prop:s0 ro.vendor.build.svn u:object_r:vendor_rild_prop:s0 # Ramdump From 2354e3a924a69e465caee38ad2e2f99b3a8a5265 Mon Sep 17 00:00:00 2001 From: David Anderson Date: Mon, 7 Jun 2021 18:41:39 -0700 Subject: [PATCH 383/921] Fix denial when flashing vendor_boot in fastbootd. This mirrors the same sepolicy line in previous Pixel devices. Bug: 189493387 Test: fastboot flash vendor_boot on r4 Change-Id: Ie15c8e6e5c01b249e1e5e244666c461253279f0b --- whitechapel/vendor/google/fastbootd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/fastbootd.te b/whitechapel/vendor/google/fastbootd.te index c1c4de7b..32944aa1 100644 --- a/whitechapel/vendor/google/fastbootd.te +++ b/whitechapel/vendor/google/fastbootd.te @@ -3,4 +3,5 @@ recovery_only(` allow fastbootd devinfo_block_device:blk_file rw_file_perms; allow fastbootd sda_block_device:blk_file rw_file_perms; allow fastbootd sysfs_ota:file rw_file_perms; +allow fastbootd custom_ab_block_device:blk_file rw_file_perms; ') From fd47b111621b7d008af72615c1aa05b059347af9 Mon Sep 17 00:00:00 2001 
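Review bot: `vendor.radio.` is a prefix entry, so it labels every property under vendor.radio.* as `vendor_rild_prop`, although the reported denial names only `vendor.radio.call_end_reason`. Any domain that can read or set `vendor_rild_prop` gets the same access to whatever is later created under that prefix, and the existing `vendor.radio.ril.` line becomes redundant. A narrower entry, `vendor.radio.call_end_reason u:object_r:vendor_rild_prop:s0`, would fix the reported denial without widening the label.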
From: Kevin Han Date: Tue, 29 Jun 2021 19:19:24 +0000 Subject: [PATCH 384/921] Revert "allow recovery and fastboot to access secure elment" Revert "add gs101-specific recovery library" Revert "recovery: enable support for device-specific WipeSe impl..." Revert "clear secure element of Digital Car Keys during factory ..." Revert submission 14983788-clear_keys Reason for revert: b/192373955 Reverted Changes: Ia8fc29e6c:add gs101-specific recovery library Icc1eabfd4:clear secure element of Digital Car Keys during fa... I943d97b26:recovery: enable support for device-specific WipeS... I15c7fbd7f:allow recovery and fastboot to access secure elmen... Change-Id: Ic576b40641171298ad840bedbd4a9f7b67052d95 --- whitechapel/vendor/google/fastbootd.te | 1 - whitechapel/vendor/google/recovery.te | 1 - 2 files changed, 2 deletions(-) diff --git a/whitechapel/vendor/google/fastbootd.te b/whitechapel/vendor/google/fastbootd.te index 6b663dfb..c1c4de7b 100644 --- a/whitechapel/vendor/google/fastbootd.te +++ b/whitechapel/vendor/google/fastbootd.te @@ -1,6 +1,5 @@ # Required by the bootcontrol HAL for the 'set_active' command. recovery_only(` -allow fastbootd secure_element_device:chr_file rw_file_perms; allow fastbootd devinfo_block_device:blk_file rw_file_perms; allow fastbootd sda_block_device:blk_file rw_file_perms; allow fastbootd sysfs_ota:file rw_file_perms; diff --git a/whitechapel/vendor/google/recovery.te b/whitechapel/vendor/google/recovery.te index 4687a43c..6eb97aa3 100644 --- a/whitechapel/vendor/google/recovery.te +++ b/whitechapel/vendor/google/recovery.te @@ -1,4 +1,3 @@ recovery_only(` allow recovery sysfs_ota:file rw_file_perms; - allow recovery secure_element_device:chr_file rw_file_perms; ') From 4aa936d63b9762201986e599be0cdd4c747c6600 Mon Sep 17 00:00:00 2001 From: George Lee Date: Tue, 29 Jun 2021 16:08:38 -0700 Subject: [PATCH 385/921] pixelstats: add bcl directory permission Bug: 186806028 Test: Local test $>cmd stats print-logs $>logcat | grep 
Signed-off-by: George Lee Change-Id: I7288a9ab44e2387d37c5442297cf80f5b5428c8f --- whitechapel/vendor/google/pixelstats_vendor.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te index 5b0c251b..01eb843b 100644 --- a/whitechapel/vendor/google/pixelstats_vendor.te +++ b/whitechapel/vendor/google/pixelstats_vendor.te @@ -28,3 +28,7 @@ allow pixelstats_vendor battery_history_device:chr_file r_file_perms; # Wireless charge allow pixelstats_vendor sysfs_wlc:dir search; allow pixelstats_vendor sysfs_wlc:file r_file_perms; + +# BCL +allow pixelstats_vendor sysfs_bcl:dir search; +allow pixelstats_vendor sysfs_bcl:file r_file_perms; From cb3ca1e87b8614b6aeaaa3548965b6ce6e9c87bf Mon Sep 17 00:00:00 2001 From: Ted Lin Date: Wed, 30 Jun 2021 11:09:36 +0800 Subject: [PATCH 386/921] Remove dontaudit form tracking_denials for maxfg and regmap Bug:190337297 Test: Check the bugreport Change-Id: I0887e6256b4f158bd525ed66475cd1ef5672c9df Signed-off-by: Ted Lin --- tracking_denials/vendor_init.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index b908a763..d27b8e95 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -1,4 +1,2 @@ # b/190337297 -dontaudit vendor_init vendor_maxfg_debugfs:file setattr; dontaudit vendor_init vendor_page_pinner_debugfs:file setattr; -dontaudit vendor_init vendor_regmap_debugfs:file setattr; From 14fcd5ffaff966d91b872144484fb81c60c9625d Mon Sep 17 00:00:00 2001 From: Jeffrey Carlyle Date: Fri, 21 May 2021 07:54:41 -0700 Subject: [PATCH 387/921] allow recovery and fastboot to access secure elment This is to enable clearing of secure element during a master reset. Bug: 182508814 Test: master reset on device with keys; verified no keys after reset 
Signed-off-by: Jeffrey Carlyle Change-Id: I9bb569e09f8cd6f5640757bd0d10a14ef32946ff --- whitechapel/vendor/google/fastbootd.te | 1 + whitechapel/vendor/google/recovery.te | 1 + 2 files changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/fastbootd.te b/whitechapel/vendor/google/fastbootd.te index 32944aa1..f9d09d95 100644 --- a/whitechapel/vendor/google/fastbootd.te +++ b/whitechapel/vendor/google/fastbootd.te @@ -1,5 +1,6 @@ # Required by the bootcontrol HAL for the 'set_active' command. recovery_only(` +allow fastbootd secure_element_device:chr_file rw_file_perms; allow fastbootd devinfo_block_device:blk_file rw_file_perms; allow fastbootd sda_block_device:blk_file rw_file_perms; allow fastbootd sysfs_ota:file rw_file_perms; diff --git a/whitechapel/vendor/google/recovery.te b/whitechapel/vendor/google/recovery.te index 6eb97aa3..4687a43c 100644 --- a/whitechapel/vendor/google/recovery.te +++ b/whitechapel/vendor/google/recovery.te @@ -1,3 +1,4 @@ recovery_only(` allow recovery sysfs_ota:file rw_file_perms; + allow recovery secure_element_device:chr_file rw_file_perms; ') From 6d6a7c96ab73652c8595bca06b7ee14842868b4f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Wed, 30 Jun 2021 13:51:22 -0700 Subject: [PATCH 388/921] Allow Power Stats HAL to access EdgeTPU sysfs files. Should fix intermittent failures of SELinuxUncheckedDenialBootTest. Bug: 192485697 Test: build, checked for denials in logcat Change-Id: I3b9cafd99f9ff343e5ab5c67f5f268e5eb4382d6 --- whitechapel/vendor/google/hal_power_stats_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/hal_power_stats_default.te b/whitechapel/vendor/google/hal_power_stats_default.te index 497350c6..6f5f9e21 100644 --- a/whitechapel/vendor/google/hal_power_stats_default.te +++ b/whitechapel/vendor/google/hal_power_stats_default.te 
@@ -10,6 +10,9 @@ allow hal_power_stats_default odpm_config_file:file r_file_perms; allow hal_power_stats_default sysfs_odpm:dir search; allow hal_power_stats_default sysfs_odpm:file rw_file_perms; +allow hal_power_stats_default sysfs_edgetpu:dir search; +allow hal_power_stats_default sysfs_edgetpu:file r_file_perms; + binder_call(hal_power_stats_default, citadeld) r_dir_file(hal_power_stats_default, sysfs_aoc) r_dir_file(hal_power_stats_default, sysfs_cpu) From 1a2d199a28841cea108a85f9a821f8e931e9bdc0 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 30 Jun 2021 11:33:52 +0800 Subject: [PATCH 389/921] remove obsolete errors Bug: 183338543 Bug: 187015705 Bug: 191133059 Bug: 180963348 Bug: 187016930 Bug: 190563838 Test: boot with no relevant error Change-Id: I8d194415dc823da9dec5c315a6068d0d2c2d4a6c --- tracking_denials/hal_fingerprint_default.te | 6 ------ tracking_denials/hal_graphics_composer_default.te | 0 tracking_denials/hal_power_default.te | 3 --- tracking_denials/init.te | 3 --- tracking_denials/priv_app.te | 4 ---- 5 files changed, 16 deletions(-) delete mode 100644 tracking_denials/hal_graphics_composer_default.te delete mode 100644 tracking_denials/hal_power_default.te delete mode 100644 tracking_denials/init.te delete mode 100644 tracking_denials/priv_app.te diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te index e9c6ff2a..9a2d37e5 100644 --- a/tracking_denials/hal_fingerprint_default.te +++ b/tracking_denials/hal_fingerprint_default.te 
@@ -5,11 +5,5 @@ dontaudit hal_fingerprint_default default_prop:file { map }; dontaudit hal_fingerprint_default default_prop:file { open }; dontaudit hal_fingerprint_default default_prop:file { read }; dontaudit hal_fingerprint_default system_data_root_file:file { open }; -dontaudit hal_fingerprint_default system_data_root_file:file { read }; -dontaudit hal_fingerprint_default default_prop:file { map }; -dontaudit hal_fingerprint_default default_prop:file { getattr }; -dontaudit hal_fingerprint_default default_prop:file { open }; -dontaudit hal_fingerprint_default default_prop:file { read }; -dontaudit hal_fingerprint_default system_data_root_file:file { open }; # b/187015705 dontaudit hal_fingerprint_default property_socket:sock_file write; diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te deleted file mode 100644 index e69de29b..00000000 diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te deleted file mode 100644 index bef5f129..00000000 --- a/tracking_denials/hal_power_default.te +++ /dev/null @@ -1,3 +0,0 @@ -# b/191133059 -dontaudit hal_power_default hal_power_default:capability dac_read_search; -dontaudit hal_power_default hal_power_default:capability dac_override; diff --git a/tracking_denials/init.te b/tracking_denials/init.te deleted file mode 100644 index 27d6f882..00000000 --- a/tracking_denials/init.te +++ /dev/null @@ -1,3 +0,0 @@ -# b/180963348 -dontaudit init overlayfs_file:chr_file { unlink }; -dontaudit init overlayfs_file:file { rename }; diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te deleted file mode 100644 index f3e34533..00000000 --- a/tracking_denials/priv_app.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/187016930 -dontaudit priv_app fwk_stats_service:service_manager find ; -# b/190563838 -dontaudit priv_app sysfs_chip_id:file getattr; From 56beb62f69c3de97b5e0542c845afe84d6f7b96e Mon Sep 17 00:00:00 2001 
From: Michael Ayoubi Date: Thu, 1 Jul 2021 00:10:44 +0000 Subject: [PATCH 390/921] Fix hal_uwb_default dumpstate SELinux errors Fixes: b/192026913 Test: Run dumpstate and confirm no avc denials Signed-off-by: Michael Ayoubi Change-Id: I3d818fb066a834663dc63b8757bd16c08a1a0e9e --- tracking_denials/dumpstate.te | 2 -- whitechapel/vendor/google/dumpstate.te | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index a19ceb0a..1a3571bf 100644 --- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te @@ -4,5 +4,3 @@ dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; dontaudit dumpstate twoshay:binder call; # b/190337283 dontaudit dumpstate debugfs_wakeup_sources:file read; -# b/192026913 -dontaudit dumpstate hal_uwb_default:binder call; diff --git a/whitechapel/vendor/google/dumpstate.te b/whitechapel/vendor/google/dumpstate.te index 7c024e3d..d4dd87b0 100644 --- a/whitechapel/vendor/google/dumpstate.te +++ b/whitechapel/vendor/google/dumpstate.te @@ -1,5 +1,6 @@ dump_hal(hal_telephony) dump_hal(hal_graphics_composer) +dump_hal(hal_uwb) userdebug_or_eng(` allow dumpstate media_rw_data_file:file append; From eee09878b65cbd491fc5c93213e3858e46ff94a7 Mon Sep 17 00:00:00 2001 From: YongWook Shin Date: Thu, 3 Jun 2021 16:46:49 +0900 Subject: [PATCH 391/921] Allowed HWC HAL access TUI status node Bug: 157272869 Signed-off-by: YongWook Shin Change-Id: Id4abb0277bda9c9ff13f753e6f74438ce55be0ab --- display/gs101/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/display/gs101/genfs_contexts b/display/gs101/genfs_contexts index 6b155761..e4ccf2f7 100644 --- a/display/gs101/genfs_contexts +++ b/display/gs101/genfs_contexts 
@@ -12,3 +12,5 @@ genfscon sysfs /module/drm/parameters/vblankoffdelay genfscon sysfs /devices/platform/1c300000.drmdecon/dqe/atc u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c300000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 + +genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0 From 755c601dd8f1c754350d8caa508ab2af3a54b5a0 Mon Sep 17 00:00:00 2001 From: sukiliu Date: Fri, 2 Jul 2021 10:34:49 +0800 Subject: [PATCH 392/921] Update avc error on ROM 7515047 Bug: 192617242 Bug: 192617244 Test: PtsSELinuxTestCases Change-Id: I94f7fa36632147676adc46f520e9a2a4f9b413cd --- tracking_denials/hal_power_default.te | 3 +++ tracking_denials/init.te | 2 ++ 2 files changed, 5 insertions(+) create mode 100644 tracking_denials/hal_power_default.te create mode 100644 tracking_denials/init.te diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te new file mode 100644 index 00000000..47f5162e --- /dev/null +++ b/tracking_denials/hal_power_default.te @@ -0,0 +1,3 @@ +# b/192617242 +dontaudit hal_power_default hal_power_default:capability dac_read_search; +dontaudit hal_power_default hal_power_default:capability dac_override; diff --git a/tracking_denials/init.te b/tracking_denials/init.te new file mode 100644 index 00000000..6e62968e --- /dev/null +++ b/tracking_denials/init.te @@ -0,0 +1,2 @@ +# b/192617244 +dontaudit init overlayfs_file:file rename; From 1e748ab270fb954743a91f3d948e51bf22da7f8f Mon Sep 17 00:00:00 2001 From: millerliang Date: Sat, 3 Jul 2021 05:40:22 +0000 Subject: [PATCH 393/921] Fix AAudio avc denied E SELinux : avc: denied { find } for pid=765 uid=1041 name=audio scontext=u:r:audioserver:s0 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=0 Bug: 191103346 Test: build and run CtsNativeMediaAAudioTestCases Change-Id: I8e9a41360a382ba5f461818b9f8d6658dd53c62a --- whitechapel/vendor/google/audioserver.te | 1 + 1 file changed, 1 insertion(+) 
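Review bot: The two `dontaudit hal_power_default hal_power_default:capability ...` lines in the new tracking_denials/hal_power_default.te are the same rules that PATCH 389 deleted as obsolete under b/191133059, so the denial was evidently still occurring. dac_read_search and dac_override denials usually mean the process opens a file its UID/GID cannot access, so the eventual fix is normally to the file's ownership or mode rather than to policy (inferred; the path is not shown here). I would keep the history in the comment, `# b/191133059, b/192617242`, so the earlier investigation is not lost. The same applies to the new tracking_denials/init.te, which re-adds the `overlayfs_file:file rename` rule previously tracked under b/180963348.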
diff --git a/whitechapel/vendor/google/audioserver.te b/whitechapel/vendor/google/audioserver.te index 69d7c1a4..c7d69097 100644 --- a/whitechapel/vendor/google/audioserver.te +++ b/whitechapel/vendor/google/audioserver.te @@ -1,2 +1,3 @@ # allow access to ALSA MMAP FDs for AAudio API allow audioserver audio_device:chr_file r_file_perms; +allow audioserver audio_service:service_manager find; From 6e7338095bf93bf0b059b3228b48d9d7efed4f53 Mon Sep 17 00:00:00 2001 From: davidycchen Date: Tue, 15 Jun 2021 16:06:33 +0800 Subject: [PATCH 394/921] Allow twoshay to access fwk_stats_service and system_server avc: denied { find } for pid=813 uid=0 name=android.frameworks.stats.IStats/default scontext=u:r:twoshay:s0 tcontext=u:object_r:fwk_stats_service:s0 tclass=service_manager avc: denied { call } for scontext=u:r:twoshay:s0 tcontext=u:r:system_server:s0 tclass=binder Bug: 179334953 Test: Make selinux_policy and push related files to the device. Signed-off-by: davidycchen Change-Id: Ib95debbc9ce10919c5f935e8f70b340bb293b54a --- whitechapel/vendor/google/twoshay.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/twoshay.te b/whitechapel/vendor/google/twoshay.te index ad239702..f940d3aa 100644 --- a/whitechapel/vendor/google/twoshay.te +++ b/whitechapel/vendor/google/twoshay.te @@ -8,3 +8,6 @@ allow twoshay twoshay:capability sys_nice; binder_use(twoshay) add_service(twoshay, touch_context_service) + +allow twoshay fwk_stats_service:service_manager find; +binder_call(twoshay, stats_service_server) From 3aa97b50125587962f6f69e6094ad4ceef6be9a3 Mon Sep 17 00:00:00 2001 
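Review bot: The added `allow audioserver audio_service:service_manager find;` sits under the existing comment "allow access to ALSA MMAP FDs for AAudio API", which describes the chr_file rule and not a service lookup. A separate comment would keep the file readable, for example `# AAudio: audioserver looks up audio_service via servicemanager (b/191103346)`.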
From: "Yu(Swim) Chih Ren" Date: Wed, 30 Jun 2021 06:11:13 +0000 Subject: [PATCH 395/921] Add system file of INT clock to sysfs_fabric group It is for power hal can access system file of INT clock Bug: 168654554 Test: 1. Check file group of INT clock system file 2. P21 Camera Test Checklist done Change-Id: I1952c5d2ae39c338c9d2ccb8db49d1d119943c06 --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index e0542a78..d6eed838 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -246,6 +246,7 @@ genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo # Fabric genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/interactive/target_load u:object_r:sysfs_fabric:s0 genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq u:object_r:sysfs_fabric:s0 +genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/min_freq u:object_r:sysfs_fabric:s0 # GPU genfscon sysfs /devices/platform/1c500000.mali/hint_min_freq u:object_r:sysfs_gpu:s0 From 46dfc784f5a30c28edffeb22599db7cfc2f30108 Mon Sep 17 00:00:00 2001 From: sukiliu Date: Tue, 6 Jul 2021 09:42:31 +0800 Subject: [PATCH 396/921] Update avc error on ROM 7522385 avc: denied { read } for name="u:object_r:odsign_prop:s0" dev="tmpfs" ino=220 scontext=u:r:incidentd:s0 tcontext=u:object_r:odsign_prop:s0 tclass=file permissive=0 avc: denied { read } for comm="app_process" name="u:object_r:odsign_prop:s0" dev="tmpfs" ino=220 scontext=u:r:incidentd:s0 tcontext=u:object_r:odsign_prop:s0 tclass=file permissive=0 Bug: 192895524 Test: PtsSELinuxTestCases Change-Id: I770c953e80920388e9c21e6dc8a12762c1f4fb8a --- private/incidentd.te | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/private/incidentd.te b/private/incidentd.te index 1557f065..0867ffa3 100644 --- a/private/incidentd.te +++ b/private/incidentd.te @@ -12,3 +12,5 @@ dontaudit incidentd apexd_prop:file open ; dontaudit incidentd adbd_config_prop:file getattr ; dontaudit incidentd adbd_config_prop:file map ; dontaudit incidentd adbd_prop:file map ; +# b/192895524 +dontaudit incidentd odsign_prop:file read; From d328008234dcbf2768975b3cf88e2a51abe524da Mon Sep 17 00:00:00 2001 From: Randall Huang Date: Tue, 6 Jul 2021 18:19:04 +0800 Subject: [PATCH 397/921] Fix overlayfs avc denied avc: denied { rename } for comm="init" name="#b" dev="dm-6" ino=52 scontext=u:r:init:s0 tcontext=u:object_r:overlayfs_file:s0 tclass=file permissive=1 avc: denied { unlink } for comm="init" name="#b" dev="dm-6" ino=53 scontext=u:r:init:s0 tcontext=u:object_r:overlayfs_file:s0 tclass=chr_file permissive=1 Bug: 192617244 Test: boot & adb remount Signed-off-by: Randall Huang Change-Id: I740ff317520439034d2bf6e0659b1418bf6dac5c --- tracking_denials/init.te | 2 -- whitechapel/vendor/google/init.te | 5 +++++ 2 files changed, 5 insertions(+), 2 deletions(-) delete mode 100644 tracking_denials/init.te diff --git a/tracking_denials/init.te b/tracking_denials/init.te deleted file mode 100644 index 6e62968e..00000000 --- a/tracking_denials/init.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/192617244 -dontaudit init overlayfs_file:file rename; diff --git a/whitechapel/vendor/google/init.te b/whitechapel/vendor/google/init.te index 5d6a6810..e98d414f 100644 --- a/whitechapel/vendor/google/init.te +++ b/whitechapel/vendor/google/init.te @@ -18,3 +18,8 @@ allow init ram_device:blk_file w_file_perms; allow init per_boot_file:file ioctl; allowxperm init per_boot_file:file ioctl { F2FS_IOC_SET_PIN_FILE }; allow init sysfs_scsi_devices_0000:file w_file_perms; + +userdebug_or_eng(` + allow init overlayfs_file:file { rename }; + allow init overlayfs_file:chr_file { unlink }; +') 
From 81a8e5b4cee8baa45e07bb7efd2ea255c3533e53 Mon Sep 17 00:00:00 2001 From: sukiliu Date: Wed, 7 Jul 2021 09:56:30 +0800 Subject: [PATCH 398/921] Update avc error on ROM 7526917 Bug: 192980495 Bug: 192980564 Bug: 192924316 Test: PtsSELinuxTestCases Change-Id: If1042973df8d8eac24065e50e64d5a60c5a4dc49 --- tracking_denials/hal_uwb_default.te | 2 ++ tracking_denials/vendor_init.te | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 tracking_denials/hal_uwb_default.te diff --git a/tracking_denials/hal_uwb_default.te b/tracking_denials/hal_uwb_default.te new file mode 100644 index 00000000..9f2ef843 --- /dev/null +++ b/tracking_denials/hal_uwb_default.te @@ -0,0 +1,2 @@ +# b/192980495 +dontaudit hal_uwb_default hal_uwb_default:capability sys_nice; diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index d27b8e95..8af84483 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -1,2 +1,4 @@ # b/190337297 dontaudit vendor_init vendor_page_pinner_debugfs:file setattr; +# b/192980564 +dontaudit vendor_init default_prop:file read; From a2d9731099eeb0f9dd308ef01427ffd0777a629f Mon Sep 17 00:00:00 2001 From: sukiliu Date: Wed, 7 Jul 2021 20:01:18 +0800 Subject: [PATCH 399/921] Update avc error on ROM 7527858 avc: denied { find } for pid=2874 uid=1083 name=isub scontext=u:r:uwb_vendor_app:s0:c59,c260,c512,c768 tcontext=u:object_r:radio_service:s0 tclass=service_manager permissive=0 Bug: 193009345 Bug: 192924316 Test: PtsSELinuxTestCases Change-Id: I694c1a98ab57123c44717d2af5e57cfc486f76a1 --- tracking_denials/uwb_vendor_app.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 tracking_denials/uwb_vendor_app.te diff --git a/tracking_denials/uwb_vendor_app.te b/tracking_denials/uwb_vendor_app.te new file mode 100644 index 00000000..91933c0d --- /dev/null +++ b/tracking_denials/uwb_vendor_app.te @@ -0,0 +1,2 @@ +# b/193009345 +dontaudit uwb_vendor_app radio_service:service_manager find; 
From 714075eba72067489d08c36b87bfed9656092b2c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= Date: Tue, 29 Jun 2021 14:29:11 -0700 Subject: [PATCH 400/921] add sepolicy for set_usb_irq.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bug: 185092876 Test: TreeHugger, booted on oriole, enabled/disabled tethering Signed-off-by: Maciej Żenczykowski Change-Id: I7361a4390197e04b27eaf153a696e3f800f79b55 --- whitechapel/vendor/google/file_contexts | 3 +++ whitechapel/vendor/google/set-usb-irq-sh.te | 13 +++++++++++++ 2 files changed, 16 insertions(+) create mode 100644 whitechapel/vendor/google/set-usb-irq-sh.te diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index b892d447..86af0a91 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -270,6 +270,9 @@ # Kernel modules related /vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0 +# USB +/vendor/bin/hw/set_usb_irq\.sh u:object_r:set-usb-irq-sh_exec:s0 + # NFC /(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 /dev/st21nfc u:object_r:nfc_device:s0 diff --git a/whitechapel/vendor/google/set-usb-irq-sh.te b/whitechapel/vendor/google/set-usb-irq-sh.te new file mode 100644 index 00000000..a00fe3bb --- /dev/null +++ b/whitechapel/vendor/google/set-usb-irq-sh.te @@ -0,0 +1,13 @@ +type set-usb-irq-sh, domain; +type set-usb-irq-sh_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(set-usb-irq-sh) + +allow set-usb-irq-sh vendor_toolbox_exec:file execute_no_trans; + +allow set-usb-irq-sh proc_irq:dir r_dir_perms; +allow set-usb-irq-sh proc_irq:file w_file_perms; + +# AFAICT this happens if /proc/irq updates as we're running +# and we end up trying to write into non-existing file, +# which implies creation... +dontaudit set-usb-irq-sh self:capability dac_override; 
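Review bot: The `dontaudit set-usb-irq-sh self:capability dac_override;` at the end of the new set-usb-irq-sh.te rests on a guess (its comment starts with "AFAICT"), and it will also hide any other DAC failure in this domain, such as a wrong owner or mode on a file the script touches. I would tie it to the bug so it gets revisited, `# b/185092876: suspected race with /proc/irq entries changing; confirm and remove`. Separately, `allow set-usb-irq-sh proc_irq:file w_file_perms;` is granted by type, so the script can write any entry labelled proc_irq and not only the USB interrupt's. A one-line comment naming the files the script writes would make that scope reviewable.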
From a5c9028cedc6276ffc0be939f19f9c8c50e5bebd Mon Sep 17 00:00:00 2001 From: Kris Chen Date: Thu, 8 Jul 2021 00:56:29 +0800 Subject: [PATCH 401/921] Add sepolicy rules for fingerprint hal Fix following avc denial: servicemanager: type=1400 audit(0.0:8): avc: denied { call } for scontext=u:r:servicemanager:s0 tcontext=u:r:hal_fingerprint_default:s0 tclass=binder permissive=0 Bug: 192040144 Test: No above avc denial in logcat. Change-Id: I1b93474cac4ccb24736bc97665a7ca533ef0a7d3 --- tracking_denials/servicemanager.te | 2 -- whitechapel/vendor/google/servicemanager.te | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) delete mode 100644 tracking_denials/servicemanager.te create mode 100644 whitechapel/vendor/google/servicemanager.te diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te deleted file mode 100644 index cf725d21..00000000 --- a/tracking_denials/servicemanager.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/192040144 -dontaudit servicemanager hal_fingerprint_default:binder call; diff --git a/whitechapel/vendor/google/servicemanager.te b/whitechapel/vendor/google/servicemanager.te new file mode 100644 index 00000000..efddd92c --- /dev/null +++ b/whitechapel/vendor/google/servicemanager.te @@ -0,0 +1 @@ +binder_call(servicemanager, hal_fingerprint_default) From 99e75b6ab90ebf363a06c8d310f0a154fc3ee5b1 Mon Sep 17 00:00:00 2001 From: Myung-jong Kim Date: Fri, 2 Jul 2021 13:48:01 +0900 Subject: [PATCH 402/921] [RCS] Update sepolicy for RCS Fix seapp_contexts sepolicy for shannon-rcs, where :shannonrcsservice process exceptions are not handled Bug: 190581528 Signed-off-by: Myung-jong Kim Change-Id: I15cbf103cea70f6db878305a8fca6b35aa521f9b --- whitechapel/vendor/google/seapp_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index 10343969..4dcd8e5d 100644 --- a/whitechapel/vendor/google/seapp_contexts 
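Review bot: `binder_call(servicemanager, hal_fingerprint_default)` in the new whitechapel/vendor/google/servicemanager.te grants more than the quoted denial needs and puts a rule for a core domain into a device policy file. The macro also allows transfer and fd use, while the denial is only `{ call }`. As far as I know the platform `binder_use()` macro already carries the servicemanager-to-client callback rule, so `binder_use(hal_fingerprint_default)` in the HAL's own .te file would be the more conventional fix; whether that file already has it is not visible here. If the explicit rule is kept, `allow servicemanager hal_fingerprint_default:binder call;` matches the denial exactly.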
+++ b/whitechapel/vendor/google/seapp_contexts @@ -13,7 +13,7 @@ user=_app isPrivApp=true name=com.samsung.slsi.telephony.oemril domain=oemrilser user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_app levelFrom=all user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all -user=_app isPrivApp=true name=com.shannon.rcsservice:remote domain=vendor_rcs_app levelFrom=all +user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_app levelFrom=all user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_ims_app levelFrom=all # coredump/ramdump From 20dd1ef66c488ef6b6f738eeb6b31ca00ed9a8e2 Mon Sep 17 00:00:00 2001 From: Bo-Yuan Ye Date: Thu, 8 Jul 2021 09:56:54 +0800 Subject: [PATCH 403/921] [3A Coordinator] Enable to property_set for log.tag. prefix major changes: 1. add log_tag_prop for hal_camera_default Test: go/p21-camera-test-checklist Bug: 191923902 Change-Id: I767c235666c6761af6d21178d829a0f7cb8d42c8 --- whitechapel/vendor/google/hal_camera_default.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index 7202369c..91bdd3e6 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te @@ -45,6 +45,7 @@ tmpfs_domain(hal_camera_default); # Allow access to camera-related system properties set_prop(hal_camera_default, vendor_camera_prop); +set_prop(hal_camera_default, log_tag_prop); get_prop(hal_camera_default, vendor_camera_debug_prop); userdebug_or_eng(` set_prop(hal_camera_default, vendor_camera_fatp_prop); From da1f469dc8e1735c458017e44eaa1e92dba07819 Mon Sep 17 00:00:00 2001 
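Review bot: `set_prop(hal_camera_default, log_tag_prop);` is added outside the `userdebug_or_eng` block that follows it, so on user builds too the camera HAL may set every property carrying the log_tag_prop label, not only tags of its own. Changing log verbosity of other components from a HAL is broader than the commit text suggests is needed, and more verbose logging can put data into logs that would otherwise stay out. If this is for debugging the 3A coordinator, I would move the line next to the fatp rule inside the existing block, i.e. `set_prop(hal_camera_default, log_tag_prop);` directly under `userdebug_or_eng(`. The block and the rest of the file continue outside the hunk.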
From: Orion Hodson Date: Fri, 9 Jul 2021 15:50:22 +0100 Subject: [PATCH 404/921] Revert "Update avc error on ROM 7522385" This reverts commit 46dfc784f5a30c28edffeb22599db7cfc2f30108. Bug: 192895524 Test: PtsSELinuxTestCases Change-Id: Iaf00b567fbd3df575ea009036c2e35f6a7a87d90 --- private/incidentd.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/private/incidentd.te b/private/incidentd.te index 0867ffa3..1557f065 100644 --- a/private/incidentd.te +++ b/private/incidentd.te @@ -12,5 +12,3 @@ dontaudit incidentd apexd_prop:file open ; dontaudit incidentd adbd_config_prop:file getattr ; dontaudit incidentd adbd_config_prop:file map ; dontaudit incidentd adbd_prop:file map ; -# b/192895524 -dontaudit incidentd odsign_prop:file read; From 12370586c95a5e38be63cd73afc8580850588b7a Mon Sep 17 00:00:00 2001 From: SalmaxChang Date: Fri, 9 Jul 2021 21:13:03 +0800 Subject: [PATCH 405/921] init: change overlayfs_file rule to dontaudit Workaround for modem_img being unlabeled after disable-verity. Bug: 193113005 Change-Id: I64b528d9952849ff73bcd583211d33c3b220438d --- whitechapel/vendor/google/init.te | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/whitechapel/vendor/google/init.te b/whitechapel/vendor/google/init.te index e98d414f..11726894 100644 --- a/whitechapel/vendor/google/init.te +++ b/whitechapel/vendor/google/init.te @@ -19,7 +19,6 @@ allow init per_boot_file:file ioctl; allowxperm init per_boot_file:file ioctl { F2FS_IOC_SET_PIN_FILE }; allow init sysfs_scsi_devices_0000:file w_file_perms; -userdebug_or_eng(` - allow init overlayfs_file:file { rename }; - allow init overlayfs_file:chr_file { unlink }; -') +# Workaround for b/193113005 that modem_img unlabeled after disable-verity +dontaudit init overlayfs_file:file { rename }; +dontaudit init overlayfs_file:chr_file { unlink }; From a06677ce7aa624d37d1a9473fde7b4306f19bdf0 Mon Sep 17 00:00:00 2001 
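Review bot: Replacing the two `allow init overlayfs_file...` rules with `dontaudit` also drops the `userdebug_or_eng` guard, so the rename and unlink are now denied on debug builds and silenced on every build, including user. A silent denial in init is hard to diagnose later, and the workaround now lives in whitechapel/vendor/google/init.te rather than under tracking_denials/, where PATCH 392 had put the same rule. Unless the denial is known to occur on user builds, I would keep the suppression scoped by wrapping the two `dontaudit` lines in `userdebug_or_eng(` ... `')`. The comment could also say when the workaround can be removed.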
From: sukiliu Date: Mon, 12 Jul 2021 09:49:17 +0800 Subject: [PATCH 406/921] Update avc error on ROM 7539530 avc: denied { read } for name="u:object_r:vendor_camera_debug_prop:s0" dev="tmpfs" ino=300 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:vendor_camera_debug_prop:s0 tclass=file permissive=0 avc: denied { read } for comm="dumpstate@1.1-s" name="u:object_r:vendor_camera_debug_prop:s0" dev="tmpfs" ino=300 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:vendor_camera_debug_prop:s0 tclass=file permissive=0 Bug: 193365129 Test: PtsSELinuxTestCases Change-Id: I1d0258ec4ce2abbf8f899add86be2076c0c72be0 --- tracking_denials/hal_dumpstate_default.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 tracking_denials/hal_dumpstate_default.te diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te new file mode 100644 index 00000000..d175c643 --- /dev/null +++ b/tracking_denials/hal_dumpstate_default.te @@ -0,0 +1,2 @@ +# b/193365129 +dontaudit hal_dumpstate_default vendor_camera_debug_prop:file read; From 2046513eb7e73b048e9ab28cafc4bcdfb5615263 Mon Sep 17 00:00:00 2001 From: Stephane Lee Date: Fri, 2 Jul 2021 16:49:47 -0700 Subject: [PATCH 407/921] Add DC Charging to server configurable parameters; ensure the sysfs node is writable hal_googlebattery will be writing to: /sys/devices/platform/google,cpm/dc_ctl Test: Ensure there are no errors on logcat | grep google_battery@ Bug: 183772980 Change-Id: Id4490d6de161eefe63c36c01d497696b16c6292d --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index d6eed838..42ff564a 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -13,6 +13,7 @@ genfscon sysfs /wifi u:ob # Battery genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/google,cpm/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/google,cpm/ u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0 # Slider From 9d7e88c27e16b5f4b818754e519f5310817fdf85 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 13 Jul 2021 09:57:18 +0800 Subject: [PATCH 408/921] suppress error for ag/15263334 Bug: 193474772 Test: boot with no relevant error found Change-Id: Ia3f49fbf9e623c6b81d6c595e19e275f64521dfe --- private/fsverity_init.te | 2 ++ tracking_denials/init-insmod-sh.te | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 private/fsverity_init.te create mode 100644 tracking_denials/init-insmod-sh.te diff --git a/private/fsverity_init.te b/private/fsverity_init.te new file mode 100644 index 00000000..ed3728d6 --- /dev/null +++ b/private/fsverity_init.te @@ -0,0 +1,2 @@ +# b/193474772 +dontaudit fsverity_init domain:key view; diff --git a/tracking_denials/init-insmod-sh.te b/tracking_denials/init-insmod-sh.te new file mode 100644 index 00000000..815824f6 --- /dev/null +++ b/tracking_denials/init-insmod-sh.te @@ -0,0 +1,2 @@ +# b/193474772 +dontaudit init-insmod-sh self:key write; From 04d9f1ac13d188d30a6e1663c22d14e6ddd53e1a Mon Sep 17 00:00:00 2001 From: Michael Ayoubi Date: Tue, 13 Jul 2021 02:43:04 +0000 Subject: [PATCH 409/921] Revert "Update avc error on ROM 7526917" This reverts commit 81a8e5b4cee8baa45e07bb7efd2ea255c3533e53. Reason for revert: Bug: 192924316 Change-Id: I772053cf512ba555a5fa657d39f957ac51f013c1 --- tracking_denials/hal_uwb_default.te | 2 -- tracking_denials/vendor_init.te | 2 -- 2 files changed, 4 deletions(-) delete mode 100644 tracking_denials/hal_uwb_default.te 
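Review bot: The added `genfscon sysfs /devices/platform/google,cpm/` entry labels the whole google,cpm device directory as sysfs_batteryinfo, although the commit message names a single node, /sys/devices/platform/google,cpm/dc_ctl. genfscon entries match by path prefix, so this also makes the existing `.../google,cpm/power_supply` line above it redundant. It also exposes every other attribute of that device to all domains that hold sysfs_batteryinfo rules. Labelling only the needed node keeps the change minimal: `genfscon sysfs /devices/platform/google,cpm/dc_ctl u:object_r:sysfs_batteryinfo:s0`. The trailing slash is also unlike the neighbouring entries in this hunk.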
diff --git a/tracking_denials/hal_uwb_default.te b/tracking_denials/hal_uwb_default.te deleted file mode 100644 index 9f2ef843..00000000 --- a/tracking_denials/hal_uwb_default.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/192980495 -dontaudit hal_uwb_default hal_uwb_default:capability sys_nice; diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index 8af84483..d27b8e95 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -1,4 +1,2 @@ # b/190337297 dontaudit vendor_init vendor_page_pinner_debugfs:file setattr; -# b/192980564 -dontaudit vendor_init default_prop:file read; From c60e44c29e6375cdfc277842cc3dfe5a9fbf55e2 Mon Sep 17 00:00:00 2001 From: Wenhao Wang Date: Tue, 13 Jul 2021 16:09:08 -0700 Subject: [PATCH 410/921] Add create perm for tee The storageproxyd needs to create persist/ss from scratch. So we add the create perm. Bug: 193489307 Test: Trusty storage tests Change-Id: Ida1c07acac26494ae6bba0392fb2da0425803608 --- whitechapel/vendor/google/storageproxyd.te | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te index d5d4dca9..f8c2692b 100644 --- a/whitechapel/vendor/google/storageproxyd.te +++ b/whitechapel/vendor/google/storageproxyd.te @@ -1,8 +1,8 @@ type sg_device, dev_type; type persist_ss_file, file_type, vendor_persist_type; -allow tee persist_ss_file:file rw_file_perms; -allow tee persist_ss_file:dir r_dir_perms; +allow tee persist_ss_file:file create_file_perms; +allow tee persist_ss_file:dir create_dir_perms; allow tee persist_file:dir r_dir_perms; allow tee mnt_vendor_file:dir r_dir_perms; allow tee tee_data_file:lnk_file r_file_perms; From c7342a7824b40d29473bfaf7ec5c065d8be1d949 Mon Sep 17 00:00:00 2001 
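Review bot: `create_file_perms` and `create_dir_perms` on persist_ss_file in storageproxyd.te give tee more than creation, because as far as I know both macros also include rename, unlink or rmdir, and setattr. The commit message only asks for creating persist/ss from scratch, so a narrower set would do, for example `allow tee persist_ss_file:dir { r_dir_perms write add_name create };` and `allow tee persist_ss_file:file { rw_file_perms create };`. Note also that `allow tee persist_file:dir r_dir_perms;` is unchanged in this hunk. Creating the ss directory itself under the persist mount would therefore presumably still be denied unless a rule outside the hunk covers it.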
From: Stephane Lee Date: Wed, 14 Jul 2021 16:10:15 -0700 Subject: [PATCH 411/921] odpm: Rename the odpm_config sepolicies to be more consistent Test: Ensure that there are no sepolicy errors on odpm_config Bug: 192674986 Change-Id: I3043a544511c8c3051e1bd10e9f6b668b251cf5f --- whitechapel/vendor/google/file.te | 2 +- whitechapel/vendor/google/file_contexts | 2 +- whitechapel/vendor/google/hal_power_stats_default.te | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index f8c5df0b..7d2fd820 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -147,7 +147,7 @@ type sysfs_backlight, sysfs_type, fs_type; type sysfs_chargelevel, sysfs_type, fs_type; # ODPM -type odpm_config_file, file_type, data_file_type; +type powerstats_vendor_data_file, file_type, data_file_type; type sysfs_odpm, sysfs_type, fs_type; # bcl diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 86af0a91..805cb750 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -387,7 +387,7 @@ /dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0 # ODPM -/data/vendor/powerstats(/.*)? u:object_r:odpm_config_file:s0 +/data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0 # sensor direct DMA-BUF heap /dev/dma_heap/sensor_direct_heap u:object_r:sensor_direct_heap_device:s0 diff --git a/whitechapel/vendor/google/hal_power_stats_default.te b/whitechapel/vendor/google/hal_power_stats_default.te index 6f5f9e21..db81a74e 100644 --- a/whitechapel/vendor/google/hal_power_stats_default.te +++ b/whitechapel/vendor/google/hal_power_stats_default.te 
@@ -5,8 +5,8 @@ allow hal_power_stats_default sysfs_scsi_devices_0000:file r_file_perms; binder_call(hal_power_stats_default, hal_bluetooth_btlinux) r_dir_file(hal_power_stats_default, sysfs_iio_devices) -allow hal_power_stats_default odpm_config_file:dir search; -allow hal_power_stats_default odpm_config_file:file r_file_perms; +allow hal_power_stats_default powerstats_vendor_data_file:dir search; +allow hal_power_stats_default powerstats_vendor_data_file:file r_file_perms; allow hal_power_stats_default sysfs_odpm:dir search; allow hal_power_stats_default sysfs_odpm:file rw_file_perms; From 06ea8d9432514054597fbe81af9617217b6ccbb8 Mon Sep 17 00:00:00 2001 From: sukiliu Date: Thu, 15 Jul 2021 09:10:36 +0800 Subject: [PATCH 412/921] Update avc error on ROM 7550575 Bug: 193726003 Bug: 193633303 Bug: 193548421 Test: PtsSELinuxTestCases Change-Id: Id6cb13602eb9a69f7815a0301a5708577c663bd2 --- tracking_denials/init-insmod-sh.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/init-insmod-sh.te b/tracking_denials/init-insmod-sh.te index 815824f6..8b2358b2 100644 --- a/tracking_denials/init-insmod-sh.te +++ b/tracking_denials/init-insmod-sh.te @@ -1,2 +1,4 @@ # b/193474772 dontaudit init-insmod-sh self:key write; +# b/193726003 +dontaudit init-insmod-sh debugfs_bootreceiver_tracing:dir search; From 3050ed8ed9c4e4bbb30ceaa60434f0be965f2a41 Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Tue, 13 Jul 2021 20:09:14 +0800 Subject: [PATCH 413/921] Set sepolicy for shell script of disabling contaminant detection The avc denials are listed in b/192208389#comment10. Bug: 192208389 Test: Manually tested Change-Id: Ib2e3cf498851c0c9e5e74aacc9bf391549c0ad1a 
Signed-off-by: Darren Hsu --- .../disable-contaminant-detection-sh.te | 7 +++++ whitechapel/vendor/google/file_contexts | 3 +- whitechapel/vendor/google/genfs_contexts | 30 ++++--------------- 3 files changed, 15 insertions(+), 25 deletions(-) create mode 100644 whitechapel/vendor/google/disable-contaminant-detection-sh.te diff --git a/whitechapel/vendor/google/disable-contaminant-detection-sh.te b/whitechapel/vendor/google/disable-contaminant-detection-sh.te new file mode 100644 index 00000000..95845a18 --- /dev/null +++ b/whitechapel/vendor/google/disable-contaminant-detection-sh.te @@ -0,0 +1,7 @@ +type disable-contaminant-detection-sh, domain; +type disable-contaminant-detection-sh_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(disable-contaminant-detection-sh) + +allow disable-contaminant-detection-sh vendor_toolbox_exec:file execute_no_trans; +allow disable-contaminant-detection-sh sysfs_batteryinfo:dir r_dir_perms; +allow disable-contaminant-detection-sh sysfs_batteryinfo:file rw_file_perms; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 86af0a91..5360a0a7 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -271,7 +271,8 @@ /vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0 # USB -/vendor/bin/hw/set_usb_irq\.sh u:object_r:set-usb-irq-sh_exec:s0 +/vendor/bin/hw/set_usb_irq\.sh u:object_r:set-usb-irq-sh_exec:s0 +/vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 # NFC /(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 42ff564a..cc285c9a 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -16,42 +16,24 @@ genfscon sysfs /devices/platform/google,cpm/power_supply genfscon sysfs /devices/platform/google,cpm/ u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c u:object_r:sysfs_batteryinfo:s0 # Slider -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0050 u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0050/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -# Whitefin -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050 u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 # R4 / P7 LunchBox -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon 
sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0061/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0 + genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power_stats u:object_r:sysfs_power_stats:s0 # O6 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply u:object_r:sysfs_batteryinfo:s0 - # Storage genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0 genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0 From d8d8580281d568517d8706d9c6a6db9306c48615 Mon Sep 17 00:00:00 2001 
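Review bot: The added `genfscon sysfs /devices/platform/10d50000.hsi2c u:object_r:sysfs_batteryinfo:s0` labels the whole I2C controller subtree, where the removed entries labelled only specific devices and their `power_supply` directories. Any other device that sits on that bus now inherits `sysfs_batteryinfo`, so every domain that already holds a grant on that type gains access to it, including write access for domains with `rw_file_perms`. Consider keeping the per-device prefixes. If the bus-wide prefix is intentional, add a comment stating that only charger and fuel-gauge devices are attached to `10d50000.hsi2c` on all supported boards, and give non-battery nodes their own more specific genfscon entries.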
From: Andrew LeCain Date: Wed, 14 Jul 2021 20:40:03 -0700 Subject: [PATCH 414/921] sepolicy allow fingerprint hal to read mfg_data declares new device context for mfg_data_block_device give fp HAL permission to read/write/open give fp HAL permission to search block_device dir Bug: 189135413 Test: sideload calibration in enforcing mode. Change-Id: I19e0cd13fc452b42c3f35772c4bafd433dbcc8b1 --- whitechapel/vendor/google/device.te | 1 + whitechapel/vendor/google/file_contexts | 1 + whitechapel/vendor/google/hal_fingerprint_default.te | 4 ++++ whitechapel/vendor/google/vendor_init.te | 1 + 4 files changed, 7 insertions(+) diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index 609e117e..bd62647d 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -6,6 +6,7 @@ type modem_userdata_block_device, dev_type; type persist_block_device, dev_type; type vendor_block_device, dev_type; type sda_block_device, dev_type; +type mfg_data_block_device, dev_type; # Exynos devices type vendor_m2m1shot_device, dev_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 86af0a91..1a7e422a 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -73,6 +73,7 @@ /dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/mfg_data u:object_r:mfg_data_block_device:s0 /dev/block/sda u:object_r:sda_block_device:s0 /dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0 diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te index a7f769bf..6dedfce8 100644 
--- a/whitechapel/vendor/google/hal_fingerprint_default.te +++ b/whitechapel/vendor/google/hal_fingerprint_default.te @@ -18,3 +18,7 @@ hal_client_domain(hal_fingerprint_default, hal_power); # Allow access to the files of CDT information. r_dir_file(hal_fingerprint_default, sysfs_chosen) + +# Allow fingerprint to access calibration blk device. +allow hal_fingerprint_default mfg_data_block_device:blk_file { rw_file_perms }; +allow hal_fingerprint_default block_device:dir search; diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 63f98f83..12768769 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -16,6 +16,7 @@ set_prop(vendor_init, vendor_logger_prop) allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file write; allow vendor_init bootdevice_sysdev:file create_file_perms; +allow vendor_init block_device:lnk_file setattr; userdebug_or_eng(` set_prop(vendor_init, logpersistd_logging_prop) From 5c009fb96ffe5927499d3981841402609f7d4e00 Mon Sep 17 00:00:00 2001 From: Wenhao Wang Date: Thu, 15 Jul 2021 17:10:31 -0700 Subject: [PATCH 415/921] Add wakelock access for storageproxyd The storageproxyd needs a wakelock around the sequence of UFS commands Bug: 193456223 Test: Trusty storage tests Change-Id: I1efe3144c8bcc17c056fc3b9b796e080f77991d5 --- whitechapel/vendor/google/storageproxyd.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te index f8c2692b..d6acb458 100644 --- a/whitechapel/vendor/google/storageproxyd.te +++ b/whitechapel/vendor/google/storageproxyd.te @@ -1,6 +1,9 @@ type sg_device, dev_type; type persist_ss_file, file_type, vendor_persist_type; +# Handle wake locks +wakelock_use(tee) + allow tee persist_ss_file:file create_file_perms; allow tee persist_ss_file:dir create_dir_perms; allow tee persist_file:dir r_dir_perms; 
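Review bot: The fingerprint HAL is granted `rw_file_perms` on the raw `mfg_data_block_device`, while the commit subject only speaks of reading mfg_data. Write access to a raw partition is not mediated by any filesystem permissions, so a HAL that only reads calibration at runtime should get `allow hal_fingerprint_default mfg_data_block_device:blk_file r_file_perms;`. If writing is needed for the calibration sideload mentioned in the Test line, the comment above the rule should say so, and the write grant could be limited to the builds where sideloading happens.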
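Review bot: The added `allow vendor_init block_device:lnk_file setattr;` in vendor_init.te has no comment and is not mentioned in the commit description. `block_device` is the generic type, so the rule covers every symlink carrying that label rather than only the mfg_data by-name link. A comment such as `# Needed to set ownership/mode on the mfg_data by-name symlink for the fingerprint HAL` would document the intent, assuming that is the reason; please confirm it.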
From 4055c31faf537947ca3b65d517aa618fe32eb0f4 Mon Sep 17 00:00:00 2001 From: Namkyu Kim Date: Mon, 10 May 2021 22:06:18 +0900 Subject: [PATCH 416/921] sepolicy: gs101: support tetheroffload hal version 1.y Support both 1.0 and 1.1. Bug: 186539538 Test: run vts -m VtsHalTetheroffloadControlV1_0TargetTest run vts -m VtsHalTetheroffloadControlV1_1TargetTest Signed-off-by: Namkyu Kim Change-Id: I76a26dcd22e1c8985d470a39b9aeae618f459d00 --- whitechapel/vendor/google/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 86af0a91..57dd0aed 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -352,7 +352,7 @@ # Tetheroffload Service /dev/dit2 u:object_r:vendor_toe_device:s0 -/vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.0-service u:object_r:hal_tetheroffload_default_exec:s0 +/vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.[0-9]-service u:object_r:hal_tetheroffload_default_exec:s0 # pixelstats binary /vendor/bin/pixelstats-vendor u:object_r:pixelstats_vendor_exec:s0 From e763f3cc9bdb60baa2961045e14dfbc68534e93d Mon Sep 17 00:00:00 2001 From: Sina Hassani Date: Thu, 15 Jul 2021 21:55:57 -0700 Subject: [PATCH 417/921] Allow HAL to access sysfs. This is so that it can read fw metrics from sysfs and dump them through dumpsys. Test: Ran dumpsys and bugreport. Bug: 193841666 Change-Id: I08c08e35bad35d0eefc3f6ad218fb47e24051b0c --- edgetpu/hal_neuralnetworks_darwinn.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/edgetpu/hal_neuralnetworks_darwinn.te b/edgetpu/hal_neuralnetworks_darwinn.te index 1e65c1ff..b45a7059 100644 --- a/edgetpu/hal_neuralnetworks_darwinn.te +++ b/edgetpu/hal_neuralnetworks_darwinn.te 
@@ -39,3 +39,7 @@ add_service(hal_neuralnetworks_darwinn, edgetpu_nnapi_service); # Allow TPU NNAPI HAL to read the overcommit_memory info. allow hal_neuralnetworks_darwinn proc_overcommit_memory:file r_file_perms; + +# Allows the logging service to access /sys/class/edgetpu +allow hal_neuralnetworks_darwinn sysfs_edgetpu:dir r_dir_perms; +allow hal_neuralnetworks_darwinn sysfs_edgetpu:file r_file_perms; From 022b61751ef6f23452edb6632771b9d9ea9af8d8 Mon Sep 17 00:00:00 2001 From: Stephane Lee Date: Fri, 16 Jul 2021 16:22:07 -0700 Subject: [PATCH 418/921] Add cpm/pca9468 logbuffer directories so that bugreports can take a snapshot Test: adb bugreport; check "dumpstate_board.txt" Bug: 193894298 Change-Id: I222405ab6d78bd4367a91cc0f13b8d8a0f1ca578 --- whitechapel/vendor/google/file_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 6b4d5874..1b111ea1 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -105,6 +105,8 @@ /dev/logbuffer_maxfg_base u:object_r:logbuffer_device:s0 /dev/logbuffer_maxfg_flip u:object_r:logbuffer_device:s0 /dev/logbuffer_pca9468_tcpm u:object_r:logbuffer_device:s0 +/dev/logbuffer_pca9468 u:object_r:logbuffer_device:s0 +/dev/logbuffer_cpm u:object_r:logbuffer_device:s0 # DM tools device /dev/umts_dm0 u:object_r:radio_device:s0 From 5201b7dd089efb6df183e5078ab7f8112e319384 Mon Sep 17 00:00:00 2001 From: Max Kogan Date: Wed, 14 Jul 2021 15:09:57 -0700 Subject: [PATCH 419/921] Add AoC wakeup stats to dump state Need add support for wakeup stats to track AoC to AP messages resulting in frequent wake-ups. Bug: 192988670 Signed-off-by: Max Kogan Change-Id: I5eec808ed2dba9996607151efe494a238491076d --- whitechapel/vendor/google/genfs_contexts | 6 ++++++ 1 file changed, 6 insertions(+) 
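Review bot: The new comment says the rules are for "the logging service", but both `allow` lines grant access to `hal_neuralnetworks_darwinn`, and the commit description says it is the HAL that reads firmware metrics for dumpsys. The comment should name the actual subject and purpose, for example `# Allow the TPU NNAPI HAL to read firmware metrics from /sys/class/edgetpu for dumpsys.`, so a later audit does not go looking for a separate logging domain.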
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 42ff564a..ab67d9c7 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -7,6 +7,12 @@ genfscon sysfs /devices/platform/19000000.aoc/reset u:ob genfscon sysfs /devices/platform/19000000.aoc/services u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/19000000.aoc/restart_count u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/19000000.aoc/coredump_count u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/ring_buffer_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/host_ipc_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/usf_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/audio_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0 # WiFi genfscon sysfs /wifi u:object_r:sysfs_wifi:s0 From d9309ef34d26a28afd10322b3823f7f866f2aa1e Mon Sep 17 00:00:00 2001 
From: sukiliu Date: Tue, 20 Jul 2021 09:41:27 +0800 Subject: [PATCH 420/921] Update avc error on ROM 7562467 avc: denied { read } for name="u:object_r:odsign_prop:s0" dev="tmpfs" ino=229 scontext=u:r:postinstall_dexopt:s0 tcontext=u:object_r:odsign_prop:s0 tclass=file permissive=0 avc: denied { read } for comm="otapreopt" name="u:object_r:odsign_prop:s0" dev="tmpfs" ino=229 scontext=u:r:postinstall_dexopt:s0 tcontext=u:object_r:odsign_prop:s0 tclass=file permissive=0 Bug: 194142604 Bug: 194065991 Test: PtsSELinuxTestCases Change-Id: Ic3bb544f05ffff0df42f820d2f9cf6cd7cb24879 --- private/postinstall_dexopt.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 private/postinstall_dexopt.te diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te new file mode 100644 index 00000000..2b51e8b7 --- /dev/null +++ b/private/postinstall_dexopt.te @@ -0,0 +1,2 @@ +# b/194142604 +dontaudit postinstall_dexopt odsign_prop:file read; From f0589d11df45e917b1a2443a325b87bebe494e4d Mon Sep 17 00:00:00 2001 From: Alex Hong Date: Tue, 20 Jul 2021 16:48:05 +0800 Subject: [PATCH 421/921] Allow suspend_control to access the AOC wakeup node Test: Check avc denials during boot $ adb shell su 0 dumpsys suspend_control Bug: 194164089 Change-Id: I9edcf6398f61daec6fdde0f7ac69ddd5d275f753 --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index cc285c9a..32bf2cef 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -88,6 +88,7 @@ genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/wakeup/wakeup genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0 # Touch genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0 From 0612b5aa857765321ef5691480cae93ae74bf8cc Mon Sep 17 00:00:00 2001 From: Sungjun Park Date: Fri, 16 Jul 2021 15:02:11 +0900 Subject: [PATCH 422/921] ims: allow finding mediametrics_service for vendor_ims_app For generate dtmf tone, ImsService find mediametrics_service. So, added the seplicy rule for finding mediametrics_service. 07-14 15:37:21.391 411 411 E SELinux : avc: denied { find } for pid=2263 uid=10217 name=media.metrics scontext=u:r:vendor_ims_app:s0: c217,c256,c512,c768 tcontext=u:object_r:mediametrics_service:s0 tclass =service_manager permissive=0 Bug: 192543653 Signed-off-by: Sungjun Park Change-Id: Ia0f6610ecc454533d9584367694228245afe46e4 --- whitechapel/vendor/google/vendor_ims_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/vendor_ims_app.te b/whitechapel/vendor/google/vendor_ims_app.te index d2e671c3..8d655747 100644 --- a/whitechapel/vendor/google/vendor_ims_app.te +++ b/whitechapel/vendor/google/vendor_ims_app.te @@ -9,6 +9,7 @@ allow vendor_ims_app radio_service:service_manager find; allow vendor_ims_app mediaserver_service:service_manager find; allow vendor_ims_app cameraserver_service:service_manager find; +allow vendor_ims_app mediametrics_service:service_manager find; binder_call(vendor_ims_app, rild) set_prop(vendor_ims_app, vendor_rild_prop) 
From 411aa59779a00eba68f79c6a657460a43c40ea4e Mon Sep 17 00:00:00 2001 From: sukiliu Date: Wed, 21 Jul 2021 09:31:23 +0800 Subject: [PATCH 423/921] Update avc error on ROM 7566803 avc: denied { read } for name="platform:1cc40000.sysmmu--platform:1ce00000.abrolhos" dev="sysfs" ino=21006 scontext=u:r:hal_neuralnetworks_darwinn:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0 Bug: 194241380 Test: PtsSELinuxTestCases Change-Id: If7ee99a36bca88fffc37c12dc306e0453afb1395 --- tracking_denials/hal_neuralnetworks_darwinn.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 tracking_denials/hal_neuralnetworks_darwinn.te diff --git a/tracking_denials/hal_neuralnetworks_darwinn.te b/tracking_denials/hal_neuralnetworks_darwinn.te new file mode 100644 index 00000000..314122e7 --- /dev/null +++ b/tracking_denials/hal_neuralnetworks_darwinn.te @@ -0,0 +1,2 @@ +# b/194241380 +dontaudit hal_neuralnetworks_darwinn sysfs:dir read; From d12714ccc0732e3c2ac65d3e9b5ba778428ae059 Mon Sep 17 00:00:00 2001 From: Petri Gynther Date: Tue, 13 Jul 2021 14:10:22 -0700 Subject: [PATCH 424/921] Add vbmeta_vendor_[ab] to file_contexts Bug: 181909612 Test: build + install + boot to home Change-Id: Ibb7bd8e5a61d86de1b51a3780a5bfa8cf4caf59b --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 40ee0d6e..ad3c94e9 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -72,6 +72,7 @@ /dev/block/platform/14700000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/mfg_data u:object_r:mfg_data_block_device:s0 /dev/block/sda u:object_r:sda_block_device:s0 From b47cdf282abb6722d5774514c73ccd6e3b83713c Mon Sep 17 00:00:00 2001 From: Sungwoo choi Date: Fri, 16 Jul 2021 11:19:15 +0900 Subject: [PATCH 425/921] Allow to set vendor_rild_prop for oemrilservice_app Bug: 193367138 Test: make sure no denied logs in oemrilservice_app when access the radio property Signed-off-by: Sungwoo choi Change-Id: I9014002476df7b4e650f7a5a2f153e4eca47d23d --- whitechapel/vendor/google/oemrilservice_app.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/oemrilservice_app.te b/whitechapel/vendor/google/oemrilservice_app.te index 6b3a319f..ca8257a1 100644 --- a/whitechapel/vendor/google/oemrilservice_app.te +++ b/whitechapel/vendor/google/oemrilservice_app.te @@ -1,6 +1,8 @@ type oemrilservice_app, domain; app_domain(oemrilservice_app) +set_prop(oemrilservice_app, vendor_rild_prop); + allow oemrilservice_app app_api_service:service_manager find; allow oemrilservice_app radio_service:service_manager find; allow oemrilservice_app hal_exynos_rild_hwservice:hwservice_manager find; From 1ebd84703b13bf6e285c07ef98bd81661d853003 Mon Sep 17 00:00:00 2001 
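Review bot: `set_prop(oemrilservice_app, vendor_rild_prop);` lets an app domain write the RIL daemon's properties, whereas the Test line only mentions accessing the radio property. If the app only reads these values, `get_prop(oemrilservice_app, vendor_rild_prop)` is the narrower grant. If it must write, a comment naming the properties it sets would make the grant auditable. The trailing semicolon is also inconsistent with the `set_prop(vendor_ims_app, vendor_rild_prop)` call visible in vendor_ims_app.te earlier in this series.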
From: Badhri Jagan Sridharan Date: Fri, 2 Jul 2021 19:32:06 -0700 Subject: [PATCH 426/921] Update Usb hal permissions to allow pushing overheat suez events Usb hal now pushes the Usb port overheat event through statsd. Usb hal also accesses usbc-throttling stats to gather info. Bug: 193615568 Signed-off-by: Badhri Jagan Sridharan Change-Id: I4918458bc7a8a25d7655b66d1fe40eafc7ccb070 --- whitechapel/vendor/google/file.te | 3 +++ whitechapel/vendor/google/genfs_contexts | 5 +++++ whitechapel/vendor/google/hal_usb_impl.te | 14 ++++++++++++++ 3 files changed, 22 insertions(+) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index f8c5df0b..21a702d1 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -189,6 +189,9 @@ type sysfs_pixelstats, fs_type, sysfs_type; # WLC FW type vendor_wlc_fwupdata_file, vendor_file_type, file_type; +#USB-C throttling stats +type sysfs_usbc_throttling_stats, sysfs_type, fs_type; + # SJTAG type sysfs_sjtag, fs_type, sysfs_type; userdebug_or_eng(` diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index e0542a78..e288fb06 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -311,3 +311,8 @@ genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_ # Camera genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0 + +# USB-C throttling stats +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0 +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0 +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 
diff --git a/whitechapel/vendor/google/hal_usb_impl.te b/whitechapel/vendor/google/hal_usb_impl.te index 45ca9245..ec640c29 100644 --- a/whitechapel/vendor/google/hal_usb_impl.te +++ b/whitechapel/vendor/google/hal_usb_impl.te @@ -12,3 +12,17 @@ set_prop(hal_usb_impl, vendor_usb_config_prop) allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms; allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms; allow hal_usb_impl sysfs_extcon:dir search; + +# Needed for reporting Usb Overheat suez event through statsd +allow hal_usb_impl fwk_stats_service:service_manager find; +binder_call(hal_usb_impl, servicemanager) + +# Needed for monitoring usb port temperature +allow hal_usb_impl self:capability2 wake_alarm; +wakelock_use(hal_usb_impl); + +# For interfacing with ThermalHAL +hal_client_domain(hal_usb_impl, hal_thermal); + +# For reading the usb-c throttling stats +allow hal_usb_impl sysfs_usbc_throttling_stats:file r_file_perms; From 561ce13d593f48cf3d56d2533cce540c7868b2b6 Mon Sep 17 00:00:00 2001 From: chened Date: Thu, 22 Jul 2021 14:47:30 +0800 Subject: [PATCH 427/921] gs101: Allow camera hal to create file in persist camera folder Test: build pass, no cts regression Bug: 189844464 Change-Id: If150a94f184424f21c509a44001192e36b6ee24a --- whitechapel/vendor/google/hal_camera_default.te | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index 91bdd3e6..895080f6 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te 
@@ -26,8 +26,8 @@ binder_call(hal_camera_default, edgetpu_vendor_server) # Allow access to data files used by the camera HAL allow hal_camera_default mnt_vendor_file:dir search; allow hal_camera_default persist_file:dir search; -allow hal_camera_default persist_camera_file:dir search; -allow hal_camera_default persist_camera_file:file r_file_perms; +allow hal_camera_default persist_camera_file:dir rw_dir_perms; +allow hal_camera_default persist_camera_file:file create_file_perms; allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms; allow hal_camera_default vendor_camera_data_file:file create_file_perms; allow hal_camera_default vendor_camera_tuning_file:dir r_dir_perms; From 0bd50d1eb5498f03bf3372b5952558b81cc0d2a0 Mon Sep 17 00:00:00 2001 From: Max Shi Date: Wed, 21 Jul 2021 22:43:56 -0700 Subject: [PATCH 428/921] Allow USF sensor HAL to read camera persist files. USF sensor HAL requires access to camera persist files to determine if the camera module has been replaced (e.g. via repair), which may affect calibration of the magnetometer. Bug: 193727762 Test: Verify sensor HAL can open and read files under Test: /mnt/vendor/persist/camera/ Change-Id: Icb9d7a46bf8465e1a72054ac9c8493ba18445ef3 --- usf/sensor_hal.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index 03cdc090..e8368b9c 100644 --- a/usf/sensor_hal.te +++ b/usf/sensor_hal.te @@ -2,10 +2,11 @@ # USF sensor HAL SELinux type enforcements. # -# Allow reading of sensor registry persist files. +# Allow reading of sensor registry persist files and camera persist files. allow hal_sensors_default persist_file:dir search; allow hal_sensors_default mnt_vendor_file:dir search; r_dir_file(hal_sensors_default, persist_sensor_reg_file) +r_dir_file(hal_sensors_default, persist_camera_file) # Allow creation and writing of sensor registry data files. allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms; 
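Review bot: Changing `persist_camera_file` to `dir rw_dir_perms` and `file create_file_perms` gives the camera HAL more than the "create file" in the commit subject: those macros also allow it to rename, unlink and overwrite existing files on the persist partition. The next patch in this series lets the sensor HAL read the same files when deciding about magnetometer calibration, so the set of writers matters. If the HAL only needs to add one file, consider a separate type for that file, or document in a comment above the two rules which file is created and why deletion and rename are required.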
From 0f9820830c2deffcb0b4569151b167c530817cb6 Mon Sep 17 00:00:00 2001 From: Ankit Goyal Date: Wed, 14 Jul 2021 19:13:54 +0800 Subject: [PATCH 429/921] Add SE policies for memtrack HAL Bug: 191966412 Test: adb shell dumpsys meminfo Change-Id: Ia7ec64840d2bb7c3ae0d61304e109d2ceb9e5f78 --- whitechapel/vendor/google/file_contexts | 1 + whitechapel/vendor/google/genfs_contexts | 3 +++ whitechapel/vendor/google/hal_memtrack_default.te | 1 + 3 files changed, 5 insertions(+) create mode 100644 whitechapel/vendor/google/hal_memtrack_default.te diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index ad3c94e9..11445e44 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -28,6 +28,7 @@ /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service-brcm u:object_r:hal_gnss_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.1-service\.gs101 u:object_r:hal_dumpstate_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.gs101 u:object_r:hal_power_stats_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0 # Wireless charger HAL /(vendor|system/vendor)/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 32bf2cef..328875ef 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -234,6 +234,9 @@ genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_i # GPU genfscon sysfs /devices/platform/1c500000.mali/hint_min_freq u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1c500000.mali/dma_buf_gpu_mem u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1c500000.mali/total_gpu_mem u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1c500000.mali/kprcs u:object_r:sysfs_gpu:s0 # nvmem (Non Volatile Memory layer) genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/4-00500/nvmem u:object_r:sysfs_memory:s0 diff --git a/whitechapel/vendor/google/hal_memtrack_default.te b/whitechapel/vendor/google/hal_memtrack_default.te new file mode 100644 index 00000000..7554c6ff --- /dev/null +++ b/whitechapel/vendor/google/hal_memtrack_default.te @@ -0,0 +1 @@ +r_dir_file(hal_memtrack_default, sysfs_gpu) From d6c1a50bbaa11e7a09117f42a6d2f92d37440cfa Mon Sep 17 00:00:00 2001 
From: Jack Wu Date: Fri, 23 Jul 2021 14:28:04 +0800 Subject: [PATCH 430/921] sepolicy: gs101: allows pixelstat to access pca file nodes 07-23 14:24:45.512 1000 3001 3001 I pixelstats-vend: type=1400 audit(0.0:10): avc: denied { open } for path="/sys/devices/platform/10d50000.hsi2c/i2c-5/5-0057/chg_stats" dev="sysfs" ino=72245 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 07-23 14:24:45.512 1000 3001 3001 I pixelstats-vend: type=1400 audit(0.0:11): avc: denied { getattr } for path="/sys/devices/platform/10d50000.hsi2c/i2c-5/5-0057/chg_stats" dev="sysfs" ino=72245 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 07-23 14:24:57.536 1000 3001 3001 I pixelstats-vend: type=1400 audit(0.0:12): avc: denied { read } for name="chg_stats" dev="sysfs" ino=72245 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 07-23 14:24:57.536 1000 3001 3001 I pixelstats-vend: type=1400 audit(0.0:13): avc: denied { open } for path="/sys/devices/platform/10d50000.hsi2c/i2c-5/5-0057/chg_stats" dev="sysfs" ino=72245 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 07-23 14:24:57.536 1000 3001 3001 I pixelstats-vend: type=1400 audit(0.0:14): avc: denied { getattr } for path="/sys/devices/platform/10d50000.hsi2c/i2c-5/5-0057/chg_stats" dev="sysfs" ino=72245 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 07-23 14:24:57.536 1000 3001 3001 I pixelstats-vend: type=1400 audit(0.0:15): avc: denied { write } for name="chg_stats" dev="sysfs" ino=72245 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 Bug: 194386750 Test: manually test, no avc: denied 
Signed-off-by: Jack Wu Change-Id: I1a16edb5bb7820f62b3ce598aa50eba2d9455927 --- whitechapel/vendor/google/file.te | 3 +++ whitechapel/vendor/google/genfs_contexts | 2 ++ whitechapel/vendor/google/pixelstats_vendor.te | 8 ++++---- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index e68107e7..85c8dcca 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -124,6 +124,9 @@ type tcpdump_vendor_data_file, file_type, data_file_type, mlstrustedobject; # Wireless type sysfs_wlc, sysfs_type, fs_type; +# Pca +type sysfs_pca, sysfs_type, fs_type; + # Camera type persist_camera_file, file_type; type vendor_camera_tuning_file, vendor_file_type, file_type; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 5e42bd1f..ade88791 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -26,6 +26,7 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0061/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/chg_stats u:object_r:sysfs_pca:s0 genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power_stats u:object_r:sysfs_power_stats:s0 
@@ -33,6 +34,7 @@ genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/chg_stats u:object_r:sysfs_pca:s0 # Storage genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0 diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te index 01eb843b..96bd9325 100644 --- a/whitechapel/vendor/google/pixelstats_vendor.te +++ b/whitechapel/vendor/google/pixelstats_vendor.te @@ -16,19 +16,19 @@ allow pixelstats_vendor fwk_stats_service:service_manager find; allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms; allow pixelstats_vendor sysfs_pixelstats:file r_file_perms; +# Wireless charge allow pixelstats_vendor sysfs_wlc:dir search; allow pixelstats_vendor sysfs_wlc:file rw_file_perms; +# Pca charge +allow pixelstats_vendor sysfs_pca:file rw_file_perms; + # OrientationCollector allow pixelstats_vendor fwk_sensor_hwservice:hwservice_manager find; # Batery history allow pixelstats_vendor battery_history_device:chr_file r_file_perms; -# Wireless charge -allow pixelstats_vendor sysfs_wlc:dir search; -allow pixelstats_vendor sysfs_wlc:file r_file_perms; - # BCL allow pixelstats_vendor sysfs_bcl:dir search; allow pixelstats_vendor sysfs_bcl:file r_file_perms; From 5374497df501f4eee2f328b13c995451bb1a1067 Mon Sep 17 00:00:00 2001 
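Review bot: The new `allow pixelstats_vendor sysfs_pca:file rw_file_perms;` rule in pixelstats_vendor.te carries only the comment `# Pca charge`, which does not record why a stats collector needs write access to the node. The denials quoted in the description do include `write` on `chg_stats`, so the grant is backed by evidence, but that evidence lives only in the commit message. A comment such as `# Pca charge: pixelstats reads and writes chg_stats (b/194386750)` would keep the rule auditable. Labelling only the `chg_stats` file in genfs_contexts, rather than the whole device directory, is the right scope and worth keeping that way.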
From: Max Kogan Date: Wed, 14 Jul 2021 15:09:57 -0700 Subject: [PATCH 431/921] Add AoC wakeup stats to dump state Need add support for wakeup stats to track AoC to AP messages resulting in frequent wake-ups. Bug: 192668026 Change-Id: I073406cc101e114135c863b0e0b86357e93c0415 --- whitechapel/vendor/google/genfs_contexts | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 5e42bd1f..763ead5d 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -7,6 +7,12 @@ genfscon sysfs /devices/platform/19000000.aoc/reset u:ob genfscon sysfs /devices/platform/19000000.aoc/services u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/19000000.aoc/restart_count u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/19000000.aoc/coredump_count u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/ring_buffer_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/host_ipc_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/usf_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/audio_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0 # WiFi genfscon sysfs /wifi u:object_r:sysfs_wifi:s0 From 30bd5e8ed68adc7f5f1f6149dfb763bc43c01a4e Mon Sep 17 00:00:00 2001 
From: Michael Eastwood Date: Tue, 27 Jul 2021 17:17:17 -0700 Subject: [PATCH 432/921] Allow hal_dumpstate_default to access vendor_camera_debug_prop Bug: 193365129 Test: atest com.google.android.selinux.pts.SELinuxTest#scanBugreport Change-Id: I43e389d46e8116844bb9ca4259e5ea28e86c50f4 --- tracking_denials/hal_dumpstate_default.te | 2 -- whitechapel/vendor/google/hal_dumpstate_default.te | 3 +++ 2 files changed, 3 insertions(+), 2 deletions(-) delete mode 100644 tracking_denials/hal_dumpstate_default.te diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te deleted file mode 100644 index d175c643..00000000 --- a/tracking_denials/hal_dumpstate_default.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/193365129 -dontaudit hal_dumpstate_default vendor_camera_debug_prop:file read; diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 5c61bf46..b5608c16 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -27,6 +27,9 @@ allow hal_dumpstate_default vendor_rfsd_log_file:file r_file_perms; allow hal_dumpstate_default vendor_camera_data_file:dir r_dir_perms; allow hal_dumpstate_default vendor_camera_data_file:file r_file_perms; +# camera prop access +get_prop(hal_dumpstate_default, vendor_camera_debug_prop); + allow hal_dumpstate_default vendor_log_file:dir search; allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans; From 0474bcf10edf9457d360fe7275efb5fa7562b573 Mon Sep 17 00:00:00 2001 From: Jaineel Mehta Date: Thu, 29 Jul 2021 21:23:32 +0000 Subject: [PATCH 433/921] Add vendor SELinux denial to allowlist Change-Id: If7435e9c62811ef3c9757f22f06018c32a8d3597 Test: None Bug: 194281028 --- whitechapel/vendor/google/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/bug_map b/whitechapel/vendor/google/bug_map index 6faa712a..3dc069c5 100644 
--- a/whitechapel/vendor/google/bug_map +++ b/whitechapel/vendor/google/bug_map @@ -1 +1,2 @@ permissioncontroller_app sysfs_vendor_sched file b/190671898 +vendor_ims_app default_prop file b/194281028 \ No newline at end of file From a1aab562ca083f2531a551d1b228749d39f14368 Mon Sep 17 00:00:00 2001 From: Mark Chang Date: Thu, 29 Jul 2021 16:31:03 +0800 Subject: [PATCH 434/921] [DO NOT MERGE] sepolicy: Add "dontaudit" for twoshay dac_override. Bug: 193224954 Test: build pass and boot to home Signed-off-by: Mark Chang Change-Id: I5c330564cc026e113c5d33d5d093dbcdb3ede5e4 --- whitechapel/vendor/google/twoshay.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/twoshay.te b/whitechapel/vendor/google/twoshay.te index ad239702..92b517a1 100644 --- a/whitechapel/vendor/google/twoshay.te +++ b/whitechapel/vendor/google/twoshay.te @@ -8,3 +8,6 @@ allow twoshay twoshay:capability sys_nice; binder_use(twoshay) add_service(twoshay, touch_context_service) + +# b/193224954 +dontaudit twoshay twoshay:capability dac_override; From cd9ddb134b306e187bb174478e83c64fc33acd53 Mon Sep 17 00:00:00 2001 From: Rick Yiu Date: Thu, 29 Jul 2021 20:48:48 +0800 Subject: [PATCH 435/921] gs101: Remove vendor_sched Moved to system/sepolicy. Bug: 194656257 Test: build pass Change-Id: Ia5ea1bbc05bdc52b43cb403d99994bad70613e08 --- private/genfs_contexts | 3 --- public/file.te | 7 ------- 2 files changed, 10 deletions(-) delete mode 100644 private/genfs_contexts delete mode 100644 public/file.te diff --git a/private/genfs_contexts b/private/genfs_contexts deleted file mode 100644 index 448ca5e3..00000000 --- a/private/genfs_contexts +++ /dev/null @@ -1,3 +0,0 @@ -# Vendor sched files -genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0 -genfscon proc /vendor_sched u:object_r:proc_vendor_sched:s0 diff --git a/public/file.te b/public/file.te deleted file mode 100644 index 4c15c474..00000000 --- a/public/file.te +++ /dev/null 
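Review bot: The added `vendor_ims_app default_prop file b/194281028` entry in bug_map only annotates the denial with a bug number; it does not address why a vendor app is reaching `default_prop`. That usually means the property being read has no property_contexts entry (inferred, since the property name is not visible here), so the lasting fix is probably to label that property and grant access to the specific type. The new line is also the last in the file and has no trailing newline (`\ No newline at end of file`), so a later appended entry risks being joined onto it; end the line with a newline.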
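Review bot: The added `dontaudit twoshay twoshay:capability dac_override;` in twoshay.te silences the denial without recording what triggers it. A dac_override denial normally means the process touched a file whose owner or mode does not admit it, and that is better fixed on the file than hidden in policy. Because dontaudit suppresses logging for every dac_override check in this domain, a later regression of the same kind will not show up in audit logs either. The comment should name the access, e.g. `# b/193224954: dac_override on <path being accessed>; remove once ownership is fixed`.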
@@ -1,7 +0,0 @@ -# Vendor sched files -type sysfs_vendor_sched, sysfs_type, fs_type; -userdebug_or_eng(` - typeattribute sysfs_vendor_sched mlstrustedobject; -') -type proc_vendor_sched, proc_type, fs_type; - From 7de8a5d4a787f00add4b3190da1186dd03ef9df8 Mon Sep 17 00:00:00 2001 From: Rick Yiu Date: Thu, 29 Jul 2021 20:48:48 +0800 Subject: [PATCH 436/921] gs101: Remove vendor_sched Moved to system/sepolicy. Bug: 194656257 Test: build pass Change-Id: Ia5ea1bbc05bdc52b43cb403d99994bad70613e08 Merged-In: Ia5ea1bbc05bdc52b43cb403d99994bad70613e08 --- private/genfs_contexts | 3 --- public/file.te | 7 ------- 2 files changed, 10 deletions(-) delete mode 100644 private/genfs_contexts delete mode 100644 public/file.te diff --git a/private/genfs_contexts b/private/genfs_contexts deleted file mode 100644 index 448ca5e3..00000000 --- a/private/genfs_contexts +++ /dev/null @@ -1,3 +0,0 @@ -# Vendor sched files -genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0 -genfscon proc /vendor_sched u:object_r:proc_vendor_sched:s0 diff --git a/public/file.te b/public/file.te deleted file mode 100644 index 4c15c474..00000000 --- a/public/file.te +++ /dev/null @@ -1,7 +0,0 @@ -# Vendor sched files -type sysfs_vendor_sched, sysfs_type, fs_type; -userdebug_or_eng(` - typeattribute sysfs_vendor_sched mlstrustedobject; -') -type proc_vendor_sched, proc_type, fs_type; - From ee4e7f45cee3fe5b951df9030097e9795c866800 Mon Sep 17 00:00:00 2001 From: qinyiyan Date: Fri, 30 Jul 2021 14:20:58 -0700 Subject: [PATCH 437/921] Revert the unnecessary sepolicy rules for hal_neuralnetworks_darwinn. Bug: 194241380 Test: flashed forrest build and ran PtsSELinuxTestCases Change-Id: Ie2f0572a368f09e522bc2cdfdf9da1859c1c44e7 --- tracking_denials/hal_neuralnetworks_darwinn.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 tracking_denials/hal_neuralnetworks_darwinn.te 
diff --git a/tracking_denials/hal_neuralnetworks_darwinn.te b/tracking_denials/hal_neuralnetworks_darwinn.te deleted file mode 100644 index 314122e7..00000000 --- a/tracking_denials/hal_neuralnetworks_darwinn.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/194241380 -dontaudit hal_neuralnetworks_darwinn sysfs:dir read; From 718a856e26941a72640f1f94ddb204959f63b634 Mon Sep 17 00:00:00 2001 From: Charles Chiu Date: Fri, 30 Jul 2021 12:08:41 +0800 Subject: [PATCH 438/921] Allow init to set Camera properties. Test: Camera CTS Bug: 194656156 Change-Id: I2f8f89a02984bfb9fea96df7b0a1d4150c9fdd8d --- whitechapel/vendor/google/vendor_init.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 12768769..c1db5e43 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -1,3 +1,4 @@ +set_prop(vendor_init, vendor_camera_prop) set_prop(vendor_init, vendor_device_prop) set_prop(vendor_init, vendor_modem_prop) set_prop(vendor_init, vendor_cbd_prop) From ad42045b877c37ee88ca270b9ceb42c4d5ab34a9 Mon Sep 17 00:00:00 2001 From: Erik Staats Date: Mon, 2 Aug 2021 15:47:37 -0700 Subject: [PATCH 439/921] Allow sensor HAL to read AoC dumpstate. Bug: 194021578 Test: Simulated communication failure and verified AoC services state log. Test: See details in testing done comment in https://googleplex-android-review.git.corp.google.com/15444398 . Change-Id: I76f376577abad26fe86b5ecb6a570716381227f0 --- usf/sensor_hal.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index e8368b9c..e071b9bc 100644 --- a/usf/sensor_hal.te +++ b/usf/sensor_hal.te 
@@ -46,6 +46,9 @@ usf_low_latency_transport(hal_sensors_default) # Allow sensor HAL to reset AOC. allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms; +# Allow sensor HAL to read AoC dumpstate. +allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms; + # # Suez type enforcements. # From 0d7ab6ea8b73af4ca4c03f9993c78933d20e367d Mon Sep 17 00:00:00 2001 From: Alice Yang Date: Wed, 4 Aug 2021 00:28:16 +0800 Subject: [PATCH 440/921] Add sepolicy to allow camera HAL to read display backlight Add sepolicy to allow camera HAL to read display backlight to use in gabc algorithm. Bug: 187917645 Test: build pass, go/p21-camera-test-checklist Change-Id: I628ee2dedd48dd1360d0818137ba9139ae194029 --- whitechapel/vendor/google/hal_camera_default.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index 895080f6..fa8e5f2a 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te @@ -82,3 +82,7 @@ allow hal_camera_default apex_info_file:file r_file_perms; # Allow camera HAL to query current device clock frequencies. allow hal_camera_default sysfs_devfreq_cur:file r_file_perms; + +# allow camera HAL to read backlight of display +allow hal_camera_default sysfs_leds:dir r_dir_perms; +allow hal_camera_default sysfs_leds:file r_file_perms; From 57d81aa6c179817c2ea67899be6faf5a47ee5eac Mon Sep 17 00:00:00 2001 From: Siqi Lin Date: Thu, 5 Aug 2021 10:43:27 -0700 Subject: [PATCH 441/921] sepolicy: gs101: allow dumpstate to access AoC stats Add AP wakeups from AoC DRAM exceptions to bugreports. Bug: 186456919 Change-Id: I31df82addf1b5024b8e33c6284e5da1f473ac5d9 --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 0088e23c..b9a6a60f 100644 --- a/whitechapel/vendor/google/genfs_contexts 
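Review bot: The two rules added at the end of hal_camera_default.te grant `r_dir_perms` and `r_file_perms` on `sysfs_leds`, so the camera HAL can list and read every node with that label, not only the display backlight the comment mentions. If the gabc algorithm only needs the backlight brightness, a dedicated type on that one sysfs node (labelled in genfs_contexts) would keep the grant to what is used. At minimum the comment should name the node, e.g. `# allow camera HAL to read display backlight brightness (<sysfs path>) for gabc`.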
+++ b/whitechapel/vendor/google/genfs_contexts @@ -13,6 +13,7 @@ genfscon sysfs /devices/platform/19000000.aoc/control/usf_wakeup u:ob genfscon sysfs /devices/platform/19000000.aoc/control/audio_wakeup u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/19000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0 # WiFi genfscon sysfs /wifi u:object_r:sysfs_wifi:s0 From 5cc5d52bd758a3345fa6afd25c8ba1d8835617b0 Mon Sep 17 00:00:00 2001 From: Jiyong Park Date: Fri, 6 Aug 2021 19:58:01 +0900 Subject: [PATCH 442/921] Remove ndk_platform backend. Use the ndk backend. The ndk_platform backend will soon be deprecated because the ndk backend can serve the same purpose. This is to eliminate the confusion about having two variants (ndk and ndk_platform) for the same ndk backend. Bug: 161456198 Test: m Change-Id: Icc9af3798ac89742fa56b1cb37d8116d99b4a9c2 --- edgetpu/file_contexts | 4 ++-- whitechapel/vendor/google/file_contexts | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts index 9255e741..dcaacdcf 100644 --- a/edgetpu/file_contexts +++ b/edgetpu/file_contexts 
@@ -6,12 +6,12 @@ # EdgeTPU service binaries and libraries /system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service u:object_r:edgetpu_app_server_exec:s0 -/vendor/lib64/com\.google\.edgetpu_app_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/com\.google\.edgetpu_app_service-V1-ndk\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0 # EdgeTPU vendor service /vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service u:object_r:edgetpu_vendor_server_exec:s0 -/vendor/lib64/com\.google\.edgetpu_vendor_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/com\.google\.edgetpu_vendor_service-V1-ndk\.so u:object_r:same_process_hal_file:s0 # EdgeTPU runtime libraries /vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0 diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 11445e44..80575289 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -173,7 +173,7 @@ /data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0 /vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libGralloc4Wrapper\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/pixel-power-ext-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/pixel-power-ext-V1-ndk\.so u:object_r:same_process_hal_file:s0 /dev/stmvl53l1_ranging u:object_r:rls_device:s0 
@@ -374,7 +374,7 @@ /vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/hw/gralloc\.gs101\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/hw/vulkan\.gs101\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/arm\.graphics-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0 # Touch /dev/touch_offload u:object_r:touch_offload_device:s0 @@ -431,6 +431,6 @@ /vendor/bin/wlc_upt/wlc_fw_update\.sh u:object_r:wlcfwupdate_exec:s0 # Statsd service to support EdgeTPU metrics logging service. -/vendor/lib64/android\.frameworks\.stats-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/libprotobuf-cpp-lite-3\.9\.1\.so u:object_r:same_process_hal_file:s0 From 0c429efc07e21a3de6e08fc68d47f75eac53ec9c Mon Sep 17 00:00:00 2001 From: Victor Liu Date: Wed, 7 Jul 2021 12:13:48 -0700 Subject: [PATCH 443/921] uwb: allow uwb to access the radio service 07-07 18:28:28.391 409 409 E SELinux : avc: denied { find } for pid=4609 uid=1083 name=isub scontext=u:r:uwb_vendor_app:s0:c59,c260,c512,c768 tcontext=u:object_r:radio_service:s0 tclass=service_manager permissive=0 Bug: 192833779 Test: on device, no avc denied message Change-Id: I4a6b778dce6f493093d3a05683473bb60e9cfa5c --- whitechapel/vendor/google/uwb_vendor_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/whitechapel/vendor/google/uwb_vendor_app.te index e0a9ebc9..b9e27426 100644 --- a/whitechapel/vendor/google/uwb_vendor_app.te +++ b/whitechapel/vendor/google/uwb_vendor_app.te 
@@ -10,6 +10,7 @@ hal_client_domain(uwb_vendor_app, hal_uwb) allow uwb_vendor_app app_api_service:service_manager find; allow uwb_vendor_app hal_uwb_service:service_manager find; allow uwb_vendor_app nfc_service:service_manager find; +allow uwb_vendor_app radio_service:service_manager find; allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms; allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; From 39b5815a1e5fb53d90b73a70da00c34974323917 Mon Sep 17 00:00:00 2001 From: Victor Liu Date: Thu, 12 Aug 2021 14:53:10 -0700 Subject: [PATCH 444/921] allow uwb hal sys_nice access hardware.qorvo.: type=1400 audit(0.0:9): avc: denied { sys_nice } for capability=23 scontext=u:r:hal_uwb_default:s0 tcontext=u:r:hal_uwb_default:s0 tclass=capability permissive=0 hardware.qorvo.: type=1400 audit(0.0:9): avc: denied { setsched } for scontext=u:r:hal_uwb_default:s0 tcontext=u:r:kernel:s0 tclass=process permissive=0 Bug: 196438549 Signed-off-by: Victor Liu Change-Id: I742bae701cfcc7b4842cd63abbc8c275d82c8ba1 --- whitechapel/vendor/google/uwb_vendor_app.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/whitechapel/vendor/google/uwb_vendor_app.te index b9e27426..ed53fd00 100644 --- a/whitechapel/vendor/google/uwb_vendor_app.te +++ b/whitechapel/vendor/google/uwb_vendor_app.te @@ -15,5 +15,8 @@ allow uwb_vendor_app radio_service:service_manager find; allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms; allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; +allow hal_uwb_default self:global_capability_class_set { sys_nice }; +allow hal_uwb_default kernel:process { setsched }; + binder_call(uwb_vendor_app, hal_uwb_default) ') From 8a586e678656b6359220ef208fc237ccf3823e2c Mon Sep 17 00:00:00 2001 
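Review bot: The two added `hal_uwb_default` rules are placed in uwb_vendor_app.te, just ahead of the `')` that closes a block opened outside this hunk. The HAL's grant therefore depends on whatever that block tests, and it is easy to miss when auditing the HAL domain. They belong in hal_uwb_default.te as `allow hal_uwb_default self:global_capability_class_set sys_nice;` and `allow hal_uwb_default kernel:process setsched;`, outside any conditional if the HAL needs them on all builds. The `kernel:process setsched` rule lets the HAL change the scheduling of threads in the kernel domain; the quoted denial shows it is requested, but a comment naming the thread it adjusts should accompany it.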
From: Lucas Dupin Date: Wed, 11 Aug 2021 19:57:41 -0700 Subject: [PATCH 445/921] Allow boot color propagation Allows SystemUI to write the boot color sysprop Test: manual Bug: 190093578 Change-Id: I844a4dae87fe09a09ff3368c540ffab5f745d455 --- system_ext/private/platform_app.te | 2 ++ system_ext/private/property_contexts | 6 ++++++ 2 files changed, 8 insertions(+) create mode 100644 system_ext/private/platform_app.te diff --git a/system_ext/private/platform_app.te b/system_ext/private/platform_app.te new file mode 100644 index 00000000..10d6bba9 --- /dev/null +++ b/system_ext/private/platform_app.te @@ -0,0 +1,2 @@ +# allow systemui to set boot animation colors +set_prop(platform_app, bootanim_system_prop); diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts index 9f462bda..9cf97280 100644 --- a/system_ext/private/property_contexts +++ b/system_ext/private/property_contexts @@ -1,2 +1,8 @@ # Fingerprint (UDFPS) GHBM/LHBM toggle persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool + +# Boot animation dynamic colors +persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int +persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int +persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int +persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int From e212167642a8810c6e31768e327f51db8bdf99b5 Mon Sep 17 00:00:00 2001 From: horngchuang Date: Fri, 13 Aug 2021 18:35:16 +0800 Subject: [PATCH 446/921] sepolicy: gs101: Grant permission for more camera device nodes Bug: 193103432 Test: aosp camera Change-Id: Ic921200f05092c217d9c3d859ed33b5dc8e5b44b --- whitechapel/vendor/google/file_contexts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 80575289..5cf443f3 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
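Review bot: `set_prop(platform_app, bootanim_system_prop);` in the new platform_app.te grants the write to every app running in the `platform_app` domain, while the comment and the description speak only of SystemUI. The policy cannot tell SystemUI apart from other apps in that domain, so the comment should state the real scope: `# platform_app (which includes SystemUI) may set boot animation colors`. The `exact int` typing on the four `persist.bootanim.color*` entries in property_contexts does limit what can be stored, which is good. The same change appears again later in this series as PATCH 451 (cherry-pick), and the point applies there as well.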
@@ -192,6 +192,8 @@ /dev/lwis-eeprom-m24c64s u:object_r:lwis_device:s0 /dev/lwis-eeprom-m24c64s-imx355-inner u:object_r:lwis_device:s0 /dev/lwis-eeprom-m24c64s-imx355-outer u:object_r:lwis_device:s0 +/dev/lwis-eeprom-m24c64s-rear u:object_r:lwis_device:s0 +/dev/lwis-eeprom-m24c64s-front u:object_r:lwis_device:s0 /dev/lwis-eeprom-m24c64x u:object_r:lwis_device:s0 /dev/lwis-eeprom-m24c64x-imx386 u:object_r:lwis_device:s0 /dev/lwis-eeprom-m24c64x-imx663 u:object_r:lwis_device:s0 @@ -218,6 +220,8 @@ /dev/lwis-sensor-imx355 u:object_r:lwis_device:s0 /dev/lwis-sensor-imx355-inner u:object_r:lwis_device:s0 /dev/lwis-sensor-imx355-outer u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx355-rear u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx355-front u:object_r:lwis_device:s0 /dev/lwis-sensor-imx363 u:object_r:lwis_device:s0 /dev/lwis-sensor-imx386 u:object_r:lwis_device:s0 /dev/lwis-sensor-imx586 u:object_r:lwis_device:s0 From 2ef3daba5053058dea44f66805efe32661bba4d1 Mon Sep 17 00:00:00 2001 From: Rick Yiu Date: Thu, 12 Aug 2021 13:27:20 +0800 Subject: [PATCH 447/921] gs101-sepolicy: Use untrusted_app_all for vendor_sched denials Use untrusted_app_all to cover all Use untrusted_app versions. Bug: 196109806 Test: no untrusted_app denials for vendor_sched Change-Id: Ic6426b26b8a05f8a0bc7e2a4a4a293b2988812d3 --- whitechapel/vendor/google/untrusted_app.te | 1 - whitechapel/vendor/google/untrusted_app_29.te | 1 - whitechapel/vendor/google/untrusted_app_all.te | 2 ++ 3 files changed, 2 insertions(+), 2 deletions(-) delete mode 100644 whitechapel/vendor/google/untrusted_app.te delete mode 100644 whitechapel/vendor/google/untrusted_app_29.te diff --git a/whitechapel/vendor/google/untrusted_app.te b/whitechapel/vendor/google/untrusted_app.te deleted file mode 100644 index 4fbfe935..00000000 --- a/whitechapel/vendor/google/untrusted_app.te +++ /dev/null @@ -1 +0,0 @@ -dontaudit untrusted_app sysfs_vendor_sched:dir search; 
diff --git a/whitechapel/vendor/google/untrusted_app_29.te b/whitechapel/vendor/google/untrusted_app_29.te deleted file mode 100644 index 844bb6a4..00000000 --- a/whitechapel/vendor/google/untrusted_app_29.te +++ /dev/null @@ -1 +0,0 @@ -dontaudit untrusted_app_29 sysfs_vendor_sched:dir search; diff --git a/whitechapel/vendor/google/untrusted_app_all.te b/whitechapel/vendor/google/untrusted_app_all.te index a4d8beb8..04229ff6 100644 --- a/whitechapel/vendor/google/untrusted_app_all.te +++ b/whitechapel/vendor/google/untrusted_app_all.te @@ -1,3 +1,5 @@ # Allows Exoplayer(and other applications) access to the vstream-secure DMA-BUF heap # for secure video playback allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms; + +dontaudit untrusted_app_all sysfs_vendor_sched:dir search; From 6b30dbc54cd68667d438f62d5488a3539f67f157 Mon Sep 17 00:00:00 2001 From: Edmond Chung Date: Mon, 16 Aug 2021 10:52:27 -0700 Subject: [PATCH 448/921] gs101: Allow camera HAL to access interrupt handles This is to allow camera HAL to modify IRQ affinity for different use cases. Bug: 196058977 Test: Camera use cases Change-Id: I498b0ac763b735d05299e1f4b09de14e131fd6e3 --- whitechapel/vendor/google/hal_camera_default.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index fa8e5f2a..bb0e206f 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te 
@@ -86,3 +86,9 @@ allow hal_camera_default sysfs_devfreq_cur:file r_file_perms; # allow camera HAL to read backlight of display allow hal_camera_default sysfs_leds:dir r_dir_perms; allow hal_camera_default sysfs_leds:file r_file_perms; + +# allow camera HAL to query interrupts and set interrupt affinity +allow hal_camera_default proc_irq:dir r_dir_perms; +allow hal_camera_default proc_irq:file rw_file_perms; +allow hal_camera_default proc_interrupts:dir r_dir_perms; +allow hal_camera_default proc_interrupts:file r_file_perms; From 941a3bcd44eb24c16dbf8ab100f4cc76aa4ca887 Mon Sep 17 00:00:00 2001 From: Jack Wu Date: Tue, 10 Aug 2021 21:10:00 +0800 Subject: [PATCH 449/921] sepolicy: gs101: allows dock power supply permission Bug: 196017001 Test: can dump dock power supply in dumpstate Signed-off-by: Jack Wu Change-Id: Ie2781da77da0f181665974c335998a6dcb0e8ad2 --- whitechapel/vendor/google/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 15473d72..6c9eb2d1 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -22,6 +22,7 @@ genfscon sysfs /devices/platform/google,battery/power_supply/battery genfscon sysfs /devices/platform/google,cpm/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/google,cpm/ u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/google,dock/power_supply/dock u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c u:object_r:sysfs_batteryinfo:s0 # Slider 
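Review bot: `allow hal_camera_default proc_irq:file rw_file_perms;` lets the camera HAL write the affinity of any interrupt under the `proc_irq` label, not only the camera's own lines, so a bug in the HAL could re-pin unrelated IRQs. The type cannot be narrowed per IRQ in this policy, so the comment should state the scope and the intent: `# camera HAL sets smp_affinity for camera IRQs only; note proc_irq covers all IRQs`. Separately, `proc_interrupts` is, as far as I know, the label of the single file /proc/interrupts, so `allow hal_camera_default proc_interrupts:dir r_dir_perms;` likely never matches. It can be dropped if the author confirms no directory carries that label.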
@@ -98,6 +99,7 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wake genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0 # Touch genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0 From 6224fa93541cfbc234c17c84ba485d58cca95f8f Mon Sep 17 00:00:00 2001 From: Rick Yiu Date: Tue, 17 Aug 2021 21:09:20 +0800 Subject: [PATCH 450/921] gs101-sepolicy: Remove private/mediaprovider_app.te Moved to system/sepolicy to solve GSI avc denials. Bug: 196326750 Test: build pass Change-Id: I4bdcc1d49bf9550297687534074fd3fc526d3acc --- private/mediaprovider_app.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 private/mediaprovider_app.te diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te deleted file mode 100644 index 9d508444..00000000 --- a/private/mediaprovider_app.te +++ /dev/null @@ -1,2 +0,0 @@ -dontaudit mediaprovider_app sysfs_vendor_sched:dir search; - From 6e887cf3a05a4a13d92cb260e8f20fad1be23cfe Mon Sep 17 00:00:00 2001 From: Lucas Dupin Date: Wed, 11 Aug 2021 19:57:41 -0700 Subject: [PATCH 451/921] Allow boot color propagation Allows SystemUI to write the boot color sysprop Test: manual Bug: 190093578 Change-Id: I844a4dae87fe09a09ff3368c540ffab5f745d455 (cherry picked from commit 8a586e678656b6359220ef208fc237ccf3823e2c) --- system_ext/private/platform_app.te | 2 ++ system_ext/private/property_contexts | 6 ++++++ 2 files changed, 8 insertions(+) create mode 100644 system_ext/private/platform_app.te 
diff --git a/system_ext/private/platform_app.te b/system_ext/private/platform_app.te new file mode 100644 index 00000000..10d6bba9 --- /dev/null +++ b/system_ext/private/platform_app.te @@ -0,0 +1,2 @@ +# allow systemui to set boot animation colors +set_prop(platform_app, bootanim_system_prop); diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts index 9f462bda..9cf97280 100644 --- a/system_ext/private/property_contexts +++ b/system_ext/private/property_contexts @@ -1,2 +1,8 @@ # Fingerprint (UDFPS) GHBM/LHBM toggle persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool + +# Boot animation dynamic colors +persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int +persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int +persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int +persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int From 37b574130114211a3fcf4d91e79dd0c19e772224 Mon Sep 17 00:00:00 2001 From: Bart Van Assche Date: Fri, 6 Aug 2021 15:40:33 -0700 Subject: [PATCH 452/921] Add the 'bdev_type' attribute to all block device types The following patch introduces code that iterates over all block devices: https://android-review.googlesource.com/c/platform/system/core/+/1783847/9 The following patch grants 'init' and 'apexd' permission to iterate over all block devices: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1783947 The above SELinux policy change requires to add the 'bdev_type' attribute to all block devices. Hence this patch. Bug: 194450129 Bug: 196982345 Test: Built Android images that include this change and verified that neither init nor apexd triggers any SELinux access denied errors. Change-Id: I6ce1127f199c5b33812f15fe280d86594d7d7ebf Signed-off-by: Bart Van Assche --- whitechapel/vendor/google/device.te | 20 ++++++++++---------- whitechapel/vendor/google/file.te | 2 +- 2 files changed, 11 insertions(+), 11 deletions(-) 
diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index bd62647d..bc3c9477 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -1,12 +1,12 @@ # Block Devices -type efs_block_device, dev_type; -type fat_block_device, dev_type; -type modem_block_device, dev_type; -type modem_userdata_block_device, dev_type; -type persist_block_device, dev_type; -type vendor_block_device, dev_type; -type sda_block_device, dev_type; -type mfg_data_block_device, dev_type; +type efs_block_device, dev_type, bdev_type; +type fat_block_device, dev_type, bdev_type; +type modem_block_device, dev_type, bdev_type; +type modem_userdata_block_device, dev_type, bdev_type; +type persist_block_device, dev_type, bdev_type; +type vendor_block_device, dev_type, bdev_type; +type sda_block_device, dev_type, bdev_type; +type mfg_data_block_device, dev_type, bdev_type; # Exynos devices type vendor_m2m1shot_device, dev_type; @@ -14,8 +14,8 @@ type vendor_gnss_device, dev_type; type vendor_nanohub_device, dev_type; type vendor_secmem_device, dev_type; type vendor_toe_device, dev_type; -type custom_ab_block_device, dev_type; -type devinfo_block_device, dev_type; +type custom_ab_block_device, dev_type, bdev_type; +type devinfo_block_device, dev_type, bdev_type; # usbpd type logbuffer_device, dev_type; diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 85c8dcca..b8c22e12 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -78,7 +78,7 @@ type updated_wifi_firmware_data_file, file_type, data_file_type; type mediadrm_vendor_data_file, file_type, data_file_type; # Storage Health HAL -type sysfs_scsi_devices_0000, sysfs_type, fs_type; +type sysfs_scsi_devices_0000, sysfs_type, fs_type, sysfs_block_type; type debugfs_f2fs, debugfs_type, fs_type; type proc_f2fs, proc_type, fs_type; From c0922582bc6033ef2f37169b68141bc591f09986 Mon Sep 17 00:00:00 2001 
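Review bot: The file.te hunk adds `sysfs_block_type` to `sysfs_scsi_devices_0000`, but the description only explains adding `bdev_type` to block device types. This attribute appears to serve the same init/apexd block-device iteration (inferred from the linked changes, not visible here), and it may widen which domains can read this sysfs type through attribute-based rules in system/sepolicy. Recording that in the file would help the next audit, e.g. `# sysfs_block_type: needed so init and apexd can iterate block devices (b/194450129)` above the type line. The device.te hunks only add the attribute and leave each type's existing `dev_type` membership intact.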
From: davidycchen Date: Tue, 15 Jun 2021 16:06:33 +0800 Subject: [PATCH 453/921] Allow twoshay to access fwk_stats_service and system_server avc: denied { find } for pid=813 uid=0 name=android.frameworks.stats.IStats/default scontext=u:r:twoshay:s0 tcontext=u:object_r:fwk_stats_service:s0 tclass=service_manager avc: denied { call } for scontext=u:r:twoshay:s0 tcontext=u:r:system_server:s0 tclass=binder Bug: 179334953 Test: Make selinux_policy and push related files to the device. Signed-off-by: davidycchen Change-Id: Ib95debbc9ce10919c5f935e8f70b340bb293b54a Merged-In: Ib95debbc9ce10919c5f935e8f70b340bb293b54a --- whitechapel/vendor/google/twoshay.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/twoshay.te b/whitechapel/vendor/google/twoshay.te index 92b517a1..fafd0642 100644 --- a/whitechapel/vendor/google/twoshay.te +++ b/whitechapel/vendor/google/twoshay.te @@ -11,3 +11,6 @@ add_service(twoshay, touch_context_service) # b/193224954 dontaudit twoshay twoshay:capability dac_override; + +allow twoshay fwk_stats_service:service_manager find; +binder_call(twoshay, stats_service_server) From 515c17c4e351af9f72e7852a1884a63db3f93aca Mon Sep 17 00:00:00 2001 
From: Roshan Pius Date: Mon, 23 Aug 2021 08:55:07 -0700 Subject: [PATCH 454/921] gs101-sepolicy: Rename hal_uwb -> hal_uwb_vendor Since we are now creating an AOSP HAL for uwb. Rename qorvo's internal HAL to hal_uwb_vendor to avoid conflicts with the AOSP HAL sepolicy rules. Bug: 195308730 Test: Compiles Change-Id: Ief48eacde68b062b2199b20c0c1bb3af23795240 --- whitechapel/vendor/google/dumpstate.te | 2 +- whitechapel/vendor/google/file_contexts | 2 +- whitechapel/vendor/google/hal_uwb.te | 15 --------------- whitechapel/vendor/google/hal_uwb_default.te | 8 -------- whitechapel/vendor/google/hal_uwb_vendor.te | 15 +++++++++++++++ .../vendor/google/hal_uwb_vendor_default.te | 8 ++++++++ whitechapel/vendor/google/service.te | 2 +- whitechapel/vendor/google/service_contexts | 2 +- whitechapel/vendor/google/uwb_vendor_app.te | 10 +++++----- 9 files changed, 32 insertions(+), 32 deletions(-) delete mode 100644 whitechapel/vendor/google/hal_uwb.te delete mode 100644 whitechapel/vendor/google/hal_uwb_default.te create mode 100644 whitechapel/vendor/google/hal_uwb_vendor.te create mode 100644 whitechapel/vendor/google/hal_uwb_vendor_default.te diff --git a/whitechapel/vendor/google/dumpstate.te b/whitechapel/vendor/google/dumpstate.te index d4dd87b0..cdf6e8ef 100644 --- a/whitechapel/vendor/google/dumpstate.te +++ b/whitechapel/vendor/google/dumpstate.te @@ -1,6 +1,6 @@ dump_hal(hal_telephony) dump_hal(hal_graphics_composer) -dump_hal(hal_uwb) +dump_hal(hal_uwb_vendor) userdebug_or_eng(` allow dumpstate media_rw_data_file:file append; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 5cf443f3..328a4b39 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -352,7 +352,7 @@ # Uwb # R4 -/vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_default_exec:s0 +/vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0 # RILD files /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 diff --git a/whitechapel/vendor/google/hal_uwb.te b/whitechapel/vendor/google/hal_uwb.te deleted file mode 100644 index d0995686..00000000 --- a/whitechapel/vendor/google/hal_uwb.te +++ /dev/null @@ -1,15 +0,0 @@ -# HwBinder IPC from client to server -binder_call(hal_uwb_client, hal_uwb_server) -binder_call(hal_uwb_server, hal_uwb_client) - -hal_attribute_service(hal_uwb, hal_uwb_service) - -binder_call(hal_uwb_server, servicemanager) - -# allow hal_uwb to set wpan interfaces up and down -allow hal_uwb self:udp_socket create_socket_perms; -allowxperm hal_uwb self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL }; -allow hal_uwb self:global_capability_class_set { net_admin }; - -# allow hal_uwb to speak to nl802154 in the kernel -allow hal_uwb self:netlink_generic_socket create_socket_perms_no_ioctl; diff --git a/whitechapel/vendor/google/hal_uwb_default.te b/whitechapel/vendor/google/hal_uwb_default.te deleted file mode 100644 index 2d513b61..00000000 --- a/whitechapel/vendor/google/hal_uwb_default.te +++ /dev/null @@ -1,8 +0,0 @@ -type hal_uwb_default, domain; -type hal_uwb_default_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(hal_uwb_default) - -add_service(hal_uwb_default, hal_uwb_service) - -hal_server_domain(hal_uwb_default, hal_uwb) -binder_call(hal_uwb_default, uwb_vendor_app) diff --git a/whitechapel/vendor/google/hal_uwb_vendor.te b/whitechapel/vendor/google/hal_uwb_vendor.te new file mode 100644 index 00000000..ccfc1705 --- /dev/null +++ b/whitechapel/vendor/google/hal_uwb_vendor.te 
@@ -0,0 +1,15 @@ +# HwBinder IPC from client to server +binder_call(hal_uwb_vendor_client, hal_uwb_vendor_server) +binder_call(hal_uwb_vendor_server, hal_uwb_vendor_client) + +hal_attribute_service(hal_uwb_vendor, hal_uwb_vendor_service) + +binder_call(hal_uwb_vendor_server, servicemanager) + +# allow hal_uwb_vendor to set wpan interfaces up and down +allow hal_uwb_vendor self:udp_socket create_socket_perms; +allowxperm hal_uwb_vendor self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL }; +allow hal_uwb_vendor self:global_capability_class_set { net_admin }; + +# allow hal_uwb_vendor to speak to nl802154 in the kernel +allow hal_uwb_vendor self:netlink_generic_socket create_socket_perms_no_ioctl; diff --git a/whitechapel/vendor/google/hal_uwb_vendor_default.te b/whitechapel/vendor/google/hal_uwb_vendor_default.te new file mode 100644 index 00000000..31b392be --- /dev/null +++ b/whitechapel/vendor/google/hal_uwb_vendor_default.te @@ -0,0 +1,8 @@ +type hal_uwb_vendor_default, domain; +type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(hal_uwb_vendor_default) + +add_service(hal_uwb_vendor_default, hal_uwb_vendor_service) + +hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor) +binder_call(hal_uwb_vendor_default, uwb_vendor_app) diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te index 99e99483..357dffe4 100644 --- a/whitechapel/vendor/google/service.te +++ b/whitechapel/vendor/google/service.te @@ -1,4 +1,4 @@ type hal_pixel_display_service, service_manager_type, vendor_service; type uwb_vendor_service, service_manager_type, vendor_service; type touch_context_service, service_manager_type, vendor_service; -type hal_uwb_service, service_manager_type, vendor_service; +type hal_uwb_vendor_service, service_manager_type, vendor_service; diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index 687f8cc8..6fb9de1f 100644 
--- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts @@ -1,4 +1,4 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0 uwb_vendor u:object_r:uwb_vendor_service:s0 -hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_service:s0 +hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_vendor_service:s0 diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/whitechapel/vendor/google/uwb_vendor_app.te index ed53fd00..675ecdb6 100644 --- a/whitechapel/vendor/google/uwb_vendor_app.te +++ b/whitechapel/vendor/google/uwb_vendor_app.te @@ -5,18 +5,18 @@ app_domain(uwb_vendor_app) add_service(uwb_vendor_app, uwb_vendor_service) not_recovery(` -hal_client_domain(uwb_vendor_app, hal_uwb) +hal_client_domain(uwb_vendor_app, hal_uwb_vendor) allow uwb_vendor_app app_api_service:service_manager find; -allow uwb_vendor_app hal_uwb_service:service_manager find; +allow uwb_vendor_app hal_uwb_vendor_service:service_manager find; allow uwb_vendor_app nfc_service:service_manager find; allow uwb_vendor_app radio_service:service_manager find; allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms; allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; -allow hal_uwb_default self:global_capability_class_set { sys_nice }; -allow hal_uwb_default kernel:process { setsched }; +allow hal_uwb_vendor_default self:global_capability_class_set { sys_nice }; +allow hal_uwb_vendor_default kernel:process { setsched }; -binder_call(uwb_vendor_app, hal_uwb_default) +binder_call(uwb_vendor_app, hal_uwb_vendor_default) ') From 04fbca104c84a17f0160dd9dde09998d3a3ffcda Mon Sep 17 00:00:00 2001 
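Review bot: The renamed `allow hal_uwb_vendor_default self:global_capability_class_set { sys_nice };` and `allow hal_uwb_vendor_default kernel:process { setsched };` rules stay inside the `not_recovery` block of uwb_vendor_app.te, although they grant permissions to the HAL domain rather than to the app. Since this commit creates hal_uwb_vendor_default.te, moving both lines there would keep all of the HAL's privileges in one auditable file. `setsched` on the `kernel` domain lets the service change the scheduling of kernel threads, so it deserves a comment saying which thread it adjusts and why, e.g. `# needed to raise priority of the UWB driver thread - TODO confirm`. The same two lines appear in the uwb_vendor_app.te hunks of PATCH 458 and PATCH 459; the PATCH 455 copy of this file does not carry them.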
From: Roshan Pius Date: Mon, 23 Aug 2021 08:55:07 -0700 Subject: [PATCH 455/921] gs101-sepolicy: Rename hal_uwb -> hal_uwb_vendor Since we are now creating an AOSP HAL for uwb. Rename qorvo's internal HAL to hal_uwb_vendor to avoid conflicts with the AOSP HAL sepolicy rules. Bug: 195308730 Test: Compiles Change-Id: Ief48eacde68b062b2199b20c0c1bb3af23795240 Merged-In: Ief48eacde68b062b2199b20c0c1bb3af23795240 --- whitechapel/vendor/google/dumpstate.te | 2 +- whitechapel/vendor/google/file_contexts | 2 +- whitechapel/vendor/google/hal_uwb.te | 15 --------------- whitechapel/vendor/google/hal_uwb_default.te | 8 -------- whitechapel/vendor/google/hal_uwb_vendor.te | 15 +++++++++++++++ .../vendor/google/hal_uwb_vendor_default.te | 8 ++++++++ whitechapel/vendor/google/service.te | 2 +- whitechapel/vendor/google/service_contexts | 2 +- whitechapel/vendor/google/uwb_vendor_app.te | 6 +++--- 9 files changed, 30 insertions(+), 30 deletions(-) delete mode 100644 whitechapel/vendor/google/hal_uwb.te delete mode 100644 whitechapel/vendor/google/hal_uwb_default.te create mode 100644 whitechapel/vendor/google/hal_uwb_vendor.te create mode 100644 whitechapel/vendor/google/hal_uwb_vendor_default.te diff --git a/whitechapel/vendor/google/dumpstate.te b/whitechapel/vendor/google/dumpstate.te index d4dd87b0..cdf6e8ef 100644 --- a/whitechapel/vendor/google/dumpstate.te +++ b/whitechapel/vendor/google/dumpstate.te @@ -1,6 +1,6 @@ dump_hal(hal_telephony) dump_hal(hal_graphics_composer) -dump_hal(hal_uwb) +dump_hal(hal_uwb_vendor) userdebug_or_eng(` allow dumpstate media_rw_data_file:file append; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 11445e44..639f7d49 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -348,7 +348,7 @@ # Uwb # R4 -/vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_default_exec:s0 +/vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0 # RILD files /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 diff --git a/whitechapel/vendor/google/hal_uwb.te b/whitechapel/vendor/google/hal_uwb.te deleted file mode 100644 index d0995686..00000000 --- a/whitechapel/vendor/google/hal_uwb.te +++ /dev/null @@ -1,15 +0,0 @@ -# HwBinder IPC from client to server -binder_call(hal_uwb_client, hal_uwb_server) -binder_call(hal_uwb_server, hal_uwb_client) - -hal_attribute_service(hal_uwb, hal_uwb_service) - -binder_call(hal_uwb_server, servicemanager) - -# allow hal_uwb to set wpan interfaces up and down -allow hal_uwb self:udp_socket create_socket_perms; -allowxperm hal_uwb self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL }; -allow hal_uwb self:global_capability_class_set { net_admin }; - -# allow hal_uwb to speak to nl802154 in the kernel -allow hal_uwb self:netlink_generic_socket create_socket_perms_no_ioctl; diff --git a/whitechapel/vendor/google/hal_uwb_default.te b/whitechapel/vendor/google/hal_uwb_default.te deleted file mode 100644 index 2d513b61..00000000 --- a/whitechapel/vendor/google/hal_uwb_default.te +++ /dev/null @@ -1,8 +0,0 @@ -type hal_uwb_default, domain; -type hal_uwb_default_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(hal_uwb_default) - -add_service(hal_uwb_default, hal_uwb_service) - -hal_server_domain(hal_uwb_default, hal_uwb) -binder_call(hal_uwb_default, uwb_vendor_app) diff --git a/whitechapel/vendor/google/hal_uwb_vendor.te b/whitechapel/vendor/google/hal_uwb_vendor.te new file mode 100644 index 00000000..ccfc1705 --- /dev/null +++ b/whitechapel/vendor/google/hal_uwb_vendor.te 
@@ -0,0 +1,15 @@ +# HwBinder IPC from client to server +binder_call(hal_uwb_vendor_client, hal_uwb_vendor_server) +binder_call(hal_uwb_vendor_server, hal_uwb_vendor_client) + +hal_attribute_service(hal_uwb_vendor, hal_uwb_vendor_service) + +binder_call(hal_uwb_vendor_server, servicemanager) + +# allow hal_uwb_vendor to set wpan interfaces up and down +allow hal_uwb_vendor self:udp_socket create_socket_perms; +allowxperm hal_uwb_vendor self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL }; +allow hal_uwb_vendor self:global_capability_class_set { net_admin }; + +# allow hal_uwb_vendor to speak to nl802154 in the kernel +allow hal_uwb_vendor self:netlink_generic_socket create_socket_perms_no_ioctl; diff --git a/whitechapel/vendor/google/hal_uwb_vendor_default.te b/whitechapel/vendor/google/hal_uwb_vendor_default.te new file mode 100644 index 00000000..31b392be --- /dev/null +++ b/whitechapel/vendor/google/hal_uwb_vendor_default.te @@ -0,0 +1,8 @@ +type hal_uwb_vendor_default, domain; +type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(hal_uwb_vendor_default) + +add_service(hal_uwb_vendor_default, hal_uwb_vendor_service) + +hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor) +binder_call(hal_uwb_vendor_default, uwb_vendor_app) diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te index 99e99483..357dffe4 100644 --- a/whitechapel/vendor/google/service.te +++ b/whitechapel/vendor/google/service.te @@ -1,4 +1,4 @@ type hal_pixel_display_service, service_manager_type, vendor_service; type uwb_vendor_service, service_manager_type, vendor_service; type touch_context_service, service_manager_type, vendor_service; -type hal_uwb_service, service_manager_type, vendor_service; +type hal_uwb_vendor_service, service_manager_type, vendor_service; diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index 687f8cc8..6fb9de1f 100644 
--- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts @@ -1,4 +1,4 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0 uwb_vendor u:object_r:uwb_vendor_service:s0 -hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_service:s0 +hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_vendor_service:s0 diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/whitechapel/vendor/google/uwb_vendor_app.te index e0a9ebc9..f1124b28 100644 --- a/whitechapel/vendor/google/uwb_vendor_app.te +++ b/whitechapel/vendor/google/uwb_vendor_app.te @@ -5,14 +5,14 @@ app_domain(uwb_vendor_app) add_service(uwb_vendor_app, uwb_vendor_service) not_recovery(` -hal_client_domain(uwb_vendor_app, hal_uwb) +hal_client_domain(uwb_vendor_app, hal_uwb_vendor) allow uwb_vendor_app app_api_service:service_manager find; -allow uwb_vendor_app hal_uwb_service:service_manager find; +allow uwb_vendor_app hal_uwb_vendor_service:service_manager find; allow uwb_vendor_app nfc_service:service_manager find; allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms; allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; -binder_call(uwb_vendor_app, hal_uwb_default) +binder_call(uwb_vendor_app, hal_uwb_vendor_default) ') From 8383d9e13fe2f880c859041f7dc19ba94368ff7b Mon Sep 17 00:00:00 2001 From: Victor Liu Date: Wed, 18 Aug 2021 17:01:45 -0700 Subject: [PATCH 456/921] uwb: permissions for factory uwb calibration file add permission to: copy factory uwb calib files from persist to /data/vendor/uwb convert copied file to proper format for uwb stack to consume Bug: 195659525 
Signed-off-by: Victor Liu Change-Id: I3e5282477fd391b483e03242ce0b806bd447dc54 --- whitechapel/vendor/google/file.te | 2 ++ whitechapel/vendor/google/file_contexts | 3 +++ whitechapel/vendor/google/hal_nfc_default.te | 3 +++ whitechapel/vendor/google/hal_uwb_vendor_default.te | 3 +++ whitechapel/vendor/google/vendor_uwb_init.te | 10 ++++++++++ 5 files changed, 21 insertions(+) create mode 100644 whitechapel/vendor/google/vendor_uwb_init.te diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index b8c22e12..9b4c95b4 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -185,6 +185,8 @@ type sysfs_video, sysfs_type, fs_type; # UWB vendor type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; +type persist_uwb_file, file_type, vendor_persist_type; +type uwb_data_vendor, file_type, data_file_type; # PixelStats_vendor type sysfs_pixelstats, fs_type, sysfs_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 328a4b39..1ab52a02 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -353,6 +353,9 @@ # Uwb # R4 /vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0 +/vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0 +/mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0 +/data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 # RILD files /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 diff --git a/whitechapel/vendor/google/hal_nfc_default.te b/whitechapel/vendor/google/hal_nfc_default.te index f98e78c6..174b5383 100644 --- a/whitechapel/vendor/google/hal_nfc_default.te +++ b/whitechapel/vendor/google/hal_nfc_default.te 
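Review bot: The new type `uwb_data_vendor` in file.te is easy to confuse with `uwb_vendor_data_file` declared on the line directly above it, and a mix-up between the two would silently grant or deny access to the wrong directory. From the file_contexts hunk the new type labels `/data/vendor/uwb(/.*)?`; what the older type labels is not visible here. Either pick a name that states the purpose (calibration data) or add a comment per type, for example `# /data/vendor/uwb: factory calibration converted by init.uwb.calib.sh` above the new declaration. The same declarations are repeated in the file.te hunk of PATCH 457.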
@@ -7,3 +7,6 @@ set_prop(hal_nfc_default, vendor_secure_element_prop) # Modem property set_prop(hal_nfc_default, vendor_modem_prop) +# Access uwb cal for SecureRanging Applet +allow hal_nfc_default uwb_data_vendor:dir r_dir_perms; +allow hal_nfc_default uwb_data_vendor:file r_file_perms; diff --git a/whitechapel/vendor/google/hal_uwb_vendor_default.te b/whitechapel/vendor/google/hal_uwb_vendor_default.te index 31b392be..f72e879d 100644 --- a/whitechapel/vendor/google/hal_uwb_vendor_default.te +++ b/whitechapel/vendor/google/hal_uwb_vendor_default.te @@ -6,3 +6,6 @@ add_service(hal_uwb_vendor_default, hal_uwb_vendor_service) hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor) binder_call(hal_uwb_vendor_default, uwb_vendor_app) + +allow hal_uwb_vendor_default uwb_data_vendor:dir create_dir_perms; +allow hal_uwb_vendor_default uwb_data_vendor:file create_file_perms; diff --git a/whitechapel/vendor/google/vendor_uwb_init.te b/whitechapel/vendor/google/vendor_uwb_init.te new file mode 100644 index 00000000..716af19c --- /dev/null +++ b/whitechapel/vendor/google/vendor_uwb_init.te @@ -0,0 +1,10 @@ +type vendor_uwb_init, domain; +type vendor_uwb_init_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(vendor_uwb_init) + +allow vendor_uwb_init vendor_shell_exec:file rx_file_perms; +allow vendor_uwb_init vendor_toolbox_exec:file rx_file_perms; + +allow vendor_uwb_init uwb_data_vendor:file create_file_perms; +allow vendor_uwb_init uwb_data_vendor:dir w_dir_perms; From 29aa9816231281ca4c50f6ed0ff9428bcbd19bc1 Mon Sep 17 00:00:00 2001 From: Victor Liu Date: Wed, 18 Aug 2021 17:01:45 -0700 Subject: [PATCH 457/921] uwb: permissions for factory uwb calibration file add permission to: copy factory uwb calib files from persist to /data/vendor/uwb convert copied file to proper format for uwb stack to consume Bug: 195659525 
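Review bot: The hal_uwb_vendor_default.te hunk grants the HAL `create_dir_perms` and `create_file_perms` on `uwb_data_vendor`, which is full create/write/unlink on `/data/vendor/uwb`, while the description says the init script produces the converted file and the UWB stack consumes it. If the service only reads calibration data, `allow hal_uwb_vendor_default uwb_data_vendor:dir r_dir_perms;` and `allow hal_uwb_vendor_default uwb_data_vendor:file r_file_perms;` (what hal_nfc_default gets in this same patch) would stop a compromised HAL from altering calibration that the NFC HAL then reads. If it does write there, a comment naming what it writes would justify the wider grant. The same pair of rules is added for `hal_uwb_default` in PATCH 457 and carried into the new file in PATCH 458 and PATCH 459.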
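Review bot: vendor_uwb_init.te gives the script write access to `uwb_data_vendor` but no rule in this patch lets any domain read `persist_uwb_file`, the type the patch assigns to `/mnt/vendor/persist/uwb(/.*)?`. The description says the script copies the factory files from persist, so unless that access is granted elsewhere in the tree the copy would be denied; the new file would need `allow vendor_uwb_init persist_uwb_file:dir r_dir_perms;` and `allow vendor_uwb_init persist_uwb_file:file r_file_perms;`, plus search on the parent persist directory types (presumably `mnt_vendor_file` and `persist_file`, to be confirmed against the device policy). The commit has no `Test:` line, so it is worth checking the boot log for avc denials from `vendor_uwb_init`. PATCH 457 adds the identical file.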
Signed-off-by: Victor Liu Change-Id: I3e5282477fd391b483e03242ce0b806bd447dc54 Merged-In: I3e5282477fd391b483e03242ce0b806bd447dc54 --- whitechapel/vendor/google/file.te | 2 ++ whitechapel/vendor/google/file_contexts | 3 +++ whitechapel/vendor/google/hal_nfc_default.te | 4 ++++ whitechapel/vendor/google/hal_uwb_default.te | 3 +++ whitechapel/vendor/google/vendor_uwb_init.te | 10 ++++++++++ 5 files changed, 22 insertions(+) create mode 100644 whitechapel/vendor/google/vendor_uwb_init.te diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index b8c22e12..9b4c95b4 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -185,6 +185,8 @@ type sysfs_video, sysfs_type, fs_type; # UWB vendor type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; +type persist_uwb_file, file_type, vendor_persist_type; +type uwb_data_vendor, file_type, data_file_type; # PixelStats_vendor type sysfs_pixelstats, fs_type, sysfs_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 11445e44..fdbd87e1 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -349,6 +349,9 @@ # Uwb # R4 /vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_default_exec:s0 +/vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0 +/mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0 +/data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 # RILD files /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 diff --git a/whitechapel/vendor/google/hal_nfc_default.te b/whitechapel/vendor/google/hal_nfc_default.te index f98e78c6..b6477925 100644 --- a/whitechapel/vendor/google/hal_nfc_default.te +++ b/whitechapel/vendor/google/hal_nfc_default.te 
@@ -7,3 +7,7 @@ set_prop(hal_nfc_default, vendor_secure_element_prop) # Modem property set_prop(hal_nfc_default, vendor_modem_prop) +# Access uwb cal for SecureRanging Applet +allow hal_nfc_default uwb_data_vendor:dir r_dir_perms; +allow hal_nfc_default uwb_data_vendor:file r_file_perms; + diff --git a/whitechapel/vendor/google/hal_uwb_default.te b/whitechapel/vendor/google/hal_uwb_default.te index 2d513b61..8165dc21 100644 --- a/whitechapel/vendor/google/hal_uwb_default.te +++ b/whitechapel/vendor/google/hal_uwb_default.te @@ -6,3 +6,6 @@ add_service(hal_uwb_default, hal_uwb_service) hal_server_domain(hal_uwb_default, hal_uwb) binder_call(hal_uwb_default, uwb_vendor_app) + +allow hal_uwb_default uwb_data_vendor:dir create_dir_perms; +allow hal_uwb_default uwb_data_vendor:file create_file_perms; diff --git a/whitechapel/vendor/google/vendor_uwb_init.te b/whitechapel/vendor/google/vendor_uwb_init.te new file mode 100644 index 00000000..716af19c --- /dev/null +++ b/whitechapel/vendor/google/vendor_uwb_init.te @@ -0,0 +1,10 @@ +type vendor_uwb_init, domain; +type vendor_uwb_init_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(vendor_uwb_init) + +allow vendor_uwb_init vendor_shell_exec:file rx_file_perms; +allow vendor_uwb_init vendor_toolbox_exec:file rx_file_perms; + +allow vendor_uwb_init uwb_data_vendor:file create_file_perms; +allow vendor_uwb_init uwb_data_vendor:dir w_dir_perms; From a3f040d2acc254db2b80ab36e5d48a12e1607c07 Mon Sep 17 00:00:00 2001 
From: Roshan Pius Date: Mon, 23 Aug 2021 08:55:07 -0700 Subject: [PATCH 458/921] gs101-sepolicy: Rename hal_uwb -> hal_uwb_vendor Since we are now creating an AOSP HAL for uwb. Rename qorvo's internal HAL to hal_uwb_vendor to avoid conflicts with the AOSP HAL sepolicy rules. Bug: 195308730 Test: Compiles Change-Id: Ief48eacde68b062b2199b20c0c1bb3af23795240 Merged-In: Ief48eacde68b062b2199b20c0c1bb3af23795240 --- whitechapel/vendor/google/dumpstate.te | 2 +- whitechapel/vendor/google/file_contexts | 2 +- whitechapel/vendor/google/hal_uwb.te | 15 --------------- whitechapel/vendor/google/hal_uwb_default.te | 11 ----------- whitechapel/vendor/google/hal_uwb_vendor.te | 15 +++++++++++++++ .../vendor/google/hal_uwb_vendor_default.te | 11 +++++++++++ whitechapel/vendor/google/service.te | 2 +- whitechapel/vendor/google/service_contexts | 2 +- whitechapel/vendor/google/uwb_vendor_app.te | 10 +++++----- 9 files changed, 35 insertions(+), 35 deletions(-) delete mode 100644 whitechapel/vendor/google/hal_uwb.te delete mode 100644 whitechapel/vendor/google/hal_uwb_default.te create mode 100644 whitechapel/vendor/google/hal_uwb_vendor.te create mode 100644 whitechapel/vendor/google/hal_uwb_vendor_default.te diff --git a/whitechapel/vendor/google/dumpstate.te b/whitechapel/vendor/google/dumpstate.te index d4dd87b0..cdf6e8ef 100644 --- a/whitechapel/vendor/google/dumpstate.te +++ b/whitechapel/vendor/google/dumpstate.te @@ -1,6 +1,6 @@ dump_hal(hal_telephony) dump_hal(hal_graphics_composer) -dump_hal(hal_uwb) +dump_hal(hal_uwb_vendor) userdebug_or_eng(` allow dumpstate media_rw_data_file:file append; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index fdbd87e1..581e4154 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -348,7 +348,7 @@ # Uwb # R4 -/vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_default_exec:s0 +/vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0 /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 diff --git a/whitechapel/vendor/google/hal_uwb.te b/whitechapel/vendor/google/hal_uwb.te deleted file mode 100644 index d0995686..00000000 --- a/whitechapel/vendor/google/hal_uwb.te +++ /dev/null @@ -1,15 +0,0 @@ -# HwBinder IPC from client to server -binder_call(hal_uwb_client, hal_uwb_server) -binder_call(hal_uwb_server, hal_uwb_client) - -hal_attribute_service(hal_uwb, hal_uwb_service) - -binder_call(hal_uwb_server, servicemanager) - -# allow hal_uwb to set wpan interfaces up and down -allow hal_uwb self:udp_socket create_socket_perms; -allowxperm hal_uwb self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL }; -allow hal_uwb self:global_capability_class_set { net_admin }; - -# allow hal_uwb to speak to nl802154 in the kernel -allow hal_uwb self:netlink_generic_socket create_socket_perms_no_ioctl; diff --git a/whitechapel/vendor/google/hal_uwb_default.te b/whitechapel/vendor/google/hal_uwb_default.te deleted file mode 100644 index 8165dc21..00000000 --- a/whitechapel/vendor/google/hal_uwb_default.te +++ /dev/null @@ -1,11 +0,0 @@ -type hal_uwb_default, domain; -type hal_uwb_default_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(hal_uwb_default) - -add_service(hal_uwb_default, hal_uwb_service) - -hal_server_domain(hal_uwb_default, hal_uwb) -binder_call(hal_uwb_default, uwb_vendor_app) - -allow hal_uwb_default uwb_data_vendor:dir create_dir_perms; -allow hal_uwb_default uwb_data_vendor:file create_file_perms; diff --git a/whitechapel/vendor/google/hal_uwb_vendor.te b/whitechapel/vendor/google/hal_uwb_vendor.te new file mode 100644 index 00000000..ccfc1705 
--- /dev/null +++ b/whitechapel/vendor/google/hal_uwb_vendor.te @@ -0,0 +1,15 @@ +# HwBinder IPC from client to server +binder_call(hal_uwb_vendor_client, hal_uwb_vendor_server) +binder_call(hal_uwb_vendor_server, hal_uwb_vendor_client) + +hal_attribute_service(hal_uwb_vendor, hal_uwb_vendor_service) + +binder_call(hal_uwb_vendor_server, servicemanager) + +# allow hal_uwb_vendor to set wpan interfaces up and down +allow hal_uwb_vendor self:udp_socket create_socket_perms; +allowxperm hal_uwb_vendor self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL }; +allow hal_uwb_vendor self:global_capability_class_set { net_admin }; + +# allow hal_uwb_vendor to speak to nl802154 in the kernel +allow hal_uwb_vendor self:netlink_generic_socket create_socket_perms_no_ioctl; diff --git a/whitechapel/vendor/google/hal_uwb_vendor_default.te b/whitechapel/vendor/google/hal_uwb_vendor_default.te new file mode 100644 index 00000000..93616874 --- /dev/null +++ b/whitechapel/vendor/google/hal_uwb_vendor_default.te @@ -0,0 +1,11 @@ +type hal_uwb_vendor_default, domain; +type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(hal_uwb_vendor_default) + +add_service(hal_uwb_vendor_default, hal_uwb_vendor_service) + +hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor) +binder_call(hal_uwb_vendor_default, uwb_vendor_app) + +allow hal_uwb_vendor_default uwb_data_vendor:dir create_dir_perms; +allow hal_uwb_vendor_default uwb_data_vendor:file create_file_perms; \ No newline at end of file diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te index 99e99483..357dffe4 100644 --- a/whitechapel/vendor/google/service.te +++ b/whitechapel/vendor/google/service.te 
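Review bot: The new hal_uwb_vendor_default.te ends with `\ No newline at end of file` after the `create_file_perms;` rule, whereas the version of this file created in PATCH 454 ended with a newline. Policy sources are concatenated before compilation, so a missing final newline makes the last rule run into whatever the next file starts with; it happens to parse today because the line ends in `;`, but it would break as soon as someone appends a comment as the last line. Terminate the file with a newline. PATCH 459 creates the same file with the same ending.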
@@ -1,4 +1,4 @@ type hal_pixel_display_service, service_manager_type, vendor_service; type uwb_vendor_service, service_manager_type, vendor_service; type touch_context_service, service_manager_type, vendor_service; -type hal_uwb_service, service_manager_type, vendor_service; +type hal_uwb_vendor_service, service_manager_type, vendor_service; diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index 687f8cc8..6fb9de1f 100644 --- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts @@ -1,4 +1,4 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0 uwb_vendor u:object_r:uwb_vendor_service:s0 -hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_service:s0 +hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_vendor_service:s0 diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/whitechapel/vendor/google/uwb_vendor_app.te index ed53fd00..675ecdb6 100644 --- a/whitechapel/vendor/google/uwb_vendor_app.te +++ b/whitechapel/vendor/google/uwb_vendor_app.te 
@@ -5,18 +5,18 @@ app_domain(uwb_vendor_app) add_service(uwb_vendor_app, uwb_vendor_service) not_recovery(` -hal_client_domain(uwb_vendor_app, hal_uwb) +hal_client_domain(uwb_vendor_app, hal_uwb_vendor) allow uwb_vendor_app app_api_service:service_manager find; -allow uwb_vendor_app hal_uwb_service:service_manager find; +allow uwb_vendor_app hal_uwb_vendor_service:service_manager find; allow uwb_vendor_app nfc_service:service_manager find; allow uwb_vendor_app radio_service:service_manager find; allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms; allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; -allow hal_uwb_default self:global_capability_class_set { sys_nice }; -allow hal_uwb_default kernel:process { setsched }; +allow hal_uwb_vendor_default self:global_capability_class_set { sys_nice }; +allow hal_uwb_vendor_default kernel:process { setsched }; -binder_call(uwb_vendor_app, hal_uwb_default) +binder_call(uwb_vendor_app, hal_uwb_vendor_default) ') From 9c96111094c3bb7e61cea08a60a05bd08d84956f Mon Sep 17 00:00:00 2001 
From: Roshan Pius Date: Mon, 23 Aug 2021 08:55:07 -0700 Subject: [PATCH 459/921] gs101-sepolicy: Rename hal_uwb -> hal_uwb_vendor Since we are now creating an AOSP HAL for uwb. Rename qorvo's internal HAL to hal_uwb_vendor to avoid conflicts with the AOSP HAL sepolicy rules. Bug: 195308730 Test: Compiles Change-Id: Ief48eacde68b062b2199b20c0c1bb3af23795240 Merged-In: Ief48eacde68b062b2199b20c0c1bb3af23795240 --- whitechapel/vendor/google/dumpstate.te | 2 +- whitechapel/vendor/google/file_contexts | 2 +- whitechapel/vendor/google/hal_uwb.te | 15 --------------- whitechapel/vendor/google/hal_uwb_default.te | 11 ----------- whitechapel/vendor/google/hal_uwb_vendor.te | 15 +++++++++++++++ .../vendor/google/hal_uwb_vendor_default.te | 11 +++++++++++ whitechapel/vendor/google/service.te | 2 +- whitechapel/vendor/google/service_contexts | 2 +- whitechapel/vendor/google/uwb_vendor_app.te | 10 +++++----- 9 files changed, 35 insertions(+), 35 deletions(-) delete mode 100644 whitechapel/vendor/google/hal_uwb.te delete mode 100644 whitechapel/vendor/google/hal_uwb_default.te create mode 100644 whitechapel/vendor/google/hal_uwb_vendor.te create mode 100644 whitechapel/vendor/google/hal_uwb_vendor_default.te diff --git a/whitechapel/vendor/google/dumpstate.te b/whitechapel/vendor/google/dumpstate.te index d4dd87b0..cdf6e8ef 100644 --- a/whitechapel/vendor/google/dumpstate.te +++ b/whitechapel/vendor/google/dumpstate.te @@ -1,6 +1,6 @@ dump_hal(hal_telephony) dump_hal(hal_graphics_composer) -dump_hal(hal_uwb) +dump_hal(hal_uwb_vendor) userdebug_or_eng(` allow dumpstate media_rw_data_file:file append; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index fdbd87e1..581e4154 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -348,7 +348,7 @@ # Uwb # R4 -/vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_default_exec:s0 +/vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0 /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 diff --git a/whitechapel/vendor/google/hal_uwb.te b/whitechapel/vendor/google/hal_uwb.te deleted file mode 100644 index d0995686..00000000 --- a/whitechapel/vendor/google/hal_uwb.te +++ /dev/null @@ -1,15 +0,0 @@ -# HwBinder IPC from client to server -binder_call(hal_uwb_client, hal_uwb_server) -binder_call(hal_uwb_server, hal_uwb_client) - -hal_attribute_service(hal_uwb, hal_uwb_service) - -binder_call(hal_uwb_server, servicemanager) - -# allow hal_uwb to set wpan interfaces up and down -allow hal_uwb self:udp_socket create_socket_perms; -allowxperm hal_uwb self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL }; -allow hal_uwb self:global_capability_class_set { net_admin }; - -# allow hal_uwb to speak to nl802154 in the kernel -allow hal_uwb self:netlink_generic_socket create_socket_perms_no_ioctl; diff --git a/whitechapel/vendor/google/hal_uwb_default.te b/whitechapel/vendor/google/hal_uwb_default.te deleted file mode 100644 index 8165dc21..00000000 --- a/whitechapel/vendor/google/hal_uwb_default.te +++ /dev/null @@ -1,11 +0,0 @@ -type hal_uwb_default, domain; -type hal_uwb_default_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(hal_uwb_default) - -add_service(hal_uwb_default, hal_uwb_service) - -hal_server_domain(hal_uwb_default, hal_uwb) -binder_call(hal_uwb_default, uwb_vendor_app) - -allow hal_uwb_default uwb_data_vendor:dir create_dir_perms; -allow hal_uwb_default uwb_data_vendor:file create_file_perms; diff --git a/whitechapel/vendor/google/hal_uwb_vendor.te b/whitechapel/vendor/google/hal_uwb_vendor.te new file mode 100644 index 00000000..ccfc1705 
--- /dev/null +++ b/whitechapel/vendor/google/hal_uwb_vendor.te @@ -0,0 +1,15 @@ +# HwBinder IPC from client to server +binder_call(hal_uwb_vendor_client, hal_uwb_vendor_server) +binder_call(hal_uwb_vendor_server, hal_uwb_vendor_client) + +hal_attribute_service(hal_uwb_vendor, hal_uwb_vendor_service) + +binder_call(hal_uwb_vendor_server, servicemanager) + +# allow hal_uwb_vendor to set wpan interfaces up and down +allow hal_uwb_vendor self:udp_socket create_socket_perms; +allowxperm hal_uwb_vendor self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL }; +allow hal_uwb_vendor self:global_capability_class_set { net_admin }; + +# allow hal_uwb_vendor to speak to nl802154 in the kernel +allow hal_uwb_vendor self:netlink_generic_socket create_socket_perms_no_ioctl; diff --git a/whitechapel/vendor/google/hal_uwb_vendor_default.te b/whitechapel/vendor/google/hal_uwb_vendor_default.te new file mode 100644 index 00000000..93616874 --- /dev/null +++ b/whitechapel/vendor/google/hal_uwb_vendor_default.te @@ -0,0 +1,11 @@ +type hal_uwb_vendor_default, domain; +type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(hal_uwb_vendor_default) + +add_service(hal_uwb_vendor_default, hal_uwb_vendor_service) + +hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor) +binder_call(hal_uwb_vendor_default, uwb_vendor_app) + +allow hal_uwb_vendor_default uwb_data_vendor:dir create_dir_perms; +allow hal_uwb_vendor_default uwb_data_vendor:file create_file_perms; \ No newline at end of file diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te index 99e99483..357dffe4 100644 --- a/whitechapel/vendor/google/service.te +++ b/whitechapel/vendor/google/service.te 
@@ -1,4 +1,4 @@ type hal_pixel_display_service, service_manager_type, vendor_service; type uwb_vendor_service, service_manager_type, vendor_service; type touch_context_service, service_manager_type, vendor_service; -type hal_uwb_service, service_manager_type, vendor_service; +type hal_uwb_vendor_service, service_manager_type, vendor_service; diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index 687f8cc8..6fb9de1f 100644 --- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts @@ -1,4 +1,4 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0 uwb_vendor u:object_r:uwb_vendor_service:s0 -hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_service:s0 +hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_vendor_service:s0 diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/whitechapel/vendor/google/uwb_vendor_app.te index ed53fd00..675ecdb6 100644 --- a/whitechapel/vendor/google/uwb_vendor_app.te +++ b/whitechapel/vendor/google/uwb_vendor_app.te 
@@ -5,18 +5,18 @@ app_domain(uwb_vendor_app) add_service(uwb_vendor_app, uwb_vendor_service) not_recovery(` -hal_client_domain(uwb_vendor_app, hal_uwb) +hal_client_domain(uwb_vendor_app, hal_uwb_vendor) allow uwb_vendor_app app_api_service:service_manager find; -allow uwb_vendor_app hal_uwb_service:service_manager find; +allow uwb_vendor_app hal_uwb_vendor_service:service_manager find; allow uwb_vendor_app nfc_service:service_manager find; allow uwb_vendor_app radio_service:service_manager find; allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms; allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; -allow hal_uwb_default self:global_capability_class_set { sys_nice }; -allow hal_uwb_default kernel:process { setsched }; +allow hal_uwb_vendor_default self:global_capability_class_set { sys_nice }; +allow hal_uwb_vendor_default kernel:process { setsched }; -binder_call(uwb_vendor_app, hal_uwb_default) +binder_call(uwb_vendor_app, hal_uwb_vendor_default) ') From 17e518038e7188a2bc825cedf909b08f28013cab Mon Sep 17 00:00:00 2001 From: Jenny Ho Date: Thu, 12 Aug 2021 23:26:43 +0800 Subject: [PATCH 460/921] sepolicy: add rule for new debug file node W dumpstate@1.1-s: type=1400 audit(0.0:7): avc: denied { read } for name="logbuffer_maxfg_monitor" dev="tmpfs" ino=500 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0 Bug: 196755019 Signed-off-by: Jenny Ho Change-Id: I0ddf68d5e15fe8d77d8d61287f65621c14024f46 --- whitechapel/vendor/google/file_contexts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index fdbd87e1..bc03a78e 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -111,6 +111,10 @@ /dev/logbuffer_pca9468 u:object_r:logbuffer_device:s0 /dev/logbuffer_cpm u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxfg_monitor u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0 + # DM tools device /dev/umts_dm0 u:object_r:radio_device:s0 /dev/umts_router u:object_r:radio_device:s0 From 8a5863ab6d6a65ff7b7e1ddcf48f3f75e0f42185 Mon Sep 17 00:00:00 2001 From: Mark Chang Date: Thu, 29 Jul 2021 16:31:03 +0800 Subject: [PATCH 461/921] sepolicy: Add "dontaudit" for twoshay dac_override. Bug: 198755236 Test: build pass and boot to home Signed-off-by: Mark Chang Change-Id: I5c330564cc026e113c5d33d5d093dbcdb3ede5e4 (cherry picked from commit a1aab562ca083f2531a551d1b228749d39f14368) --- whitechapel/vendor/google/twoshay.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/twoshay.te b/whitechapel/vendor/google/twoshay.te index f940d3aa..eba1ccee 100644 --- a/whitechapel/vendor/google/twoshay.te +++ b/whitechapel/vendor/google/twoshay.te @@ -11,3 +11,6 @@ add_service(twoshay, touch_context_service) allow twoshay fwk_stats_service:service_manager find; binder_call(twoshay, stats_service_server) + +# b/198755236 +dontaudit twoshay twoshay:capability dac_override; From 82db60c2d4af0ead1bbc52082ea19f0cab0850d7 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 8 Sep 2021 13:15:44 +0800 Subject: [PATCH 462/921] remove obsolete devices Bug: 196916111 Test: No file on the path Change-Id: If8e54bd161bc955424b40023d94f15bf6b82cc8f --- whitechapel/vendor/google/device.te | 5 ----- whitechapel/vendor/google/file_contexts | 6 ------ 2 files changed, 11 deletions(-) diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index bc3c9477..35833bf8 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te 
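Review bot: The added `dontaudit twoshay twoshay:capability dac_override;` silences the denial without recording what triggers it; the bug number is the only context. A `dac_override` request normally means the process is touching a file whose owner, group or mode does not admit it, so the lasting fix is usually on the file-permission side, and a suppressed denial makes that harder to find later. I would expand the comment to name the access being hidden, for example `# b/198755236: twoshay opens <path> without DAC access; capability intentionally not granted`, where `<path>` is a placeholder for the real node. If the suppression is meant to be temporary, the repository's `tracking_denials/` directory looks like the better home for it than the domain's main policy file.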
@@ -1,18 +1,13 @@ # Block Devices type efs_block_device, dev_type, bdev_type; -type fat_block_device, dev_type, bdev_type; type modem_block_device, dev_type, bdev_type; type modem_userdata_block_device, dev_type, bdev_type; type persist_block_device, dev_type, bdev_type; -type vendor_block_device, dev_type, bdev_type; type sda_block_device, dev_type, bdev_type; type mfg_data_block_device, dev_type, bdev_type; # Exynos devices -type vendor_m2m1shot_device, dev_type; type vendor_gnss_device, dev_type; -type vendor_nanohub_device, dev_type; -type vendor_secmem_device, dev_type; type vendor_toe_device, dev_type; type custom_ab_block_device, dev_type, bdev_type; type devinfo_block_device, dev_type, bdev_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 13179922..86e308c7 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -42,13 +42,11 @@ /dev/block/platform/14700000\.ufs/by-name/efs u:object_r:efs_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/fat u:object_r:fat_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/modem u:object_r:modem_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/persist u:object_r:persist_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/system u:object_r:system_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/vendor u:object_r:vendor_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/frp u:object_r:frp_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0 @@ -86,9 +84,6 @@ /dev/bbd_control u:object_r:vendor_gnss_device:s0 /dev/bbd_pwrstat u:object_r:power_stats_device:s0 /dev/ttyBCM u:object_r:vendor_gnss_device:s0 -/dev/nanohub u:object_r:vendor_nanohub_device:s0 -/dev/nanohub_comms u:object_r:vendor_nanohub_device:s0 -/dev/m2m1shot_scaler0 u:object_r:vendor_m2m1shot_device:s0 /dev/radio0 u:object_r:radio_device:s0 /dev/dri/card0 u:object_r:graphics_device:s0 /dev/fimg2d u:object_r:graphics_device:s0 @@ -131,7 +126,6 @@ # GPU device /dev/mali0 u:object_r:gpu_device:s0 -/dev/s5p-smem u:object_r:vendor_secmem_device:s0 # # Exynos Daemon Exec From d1dd6bac2a9045b64a0ec7e76c2590c9665ac2c6 Mon Sep 17 00:00:00 2001 
From: Philip Quinn Date: Wed, 25 Aug 2021 12:43:01 -0700 Subject: [PATCH 463/921] Move twoshay definitions to hardware/google/pixel-sepolicy/input. Bug: 187654303 Test: twoshay works on r4 Change-Id: Id2b0e1db3e1cb9ddf579ea7ed74493464d13fc84 --- whitechapel/vendor/google/device.te | 3 --- whitechapel/vendor/google/file_contexts | 4 ---- whitechapel/vendor/google/twoshay.te | 8 -------- 3 files changed, 15 deletions(-) diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index bc3c9477..27b04ec5 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -26,9 +26,6 @@ type cpuctl_device, dev_type; # Bt Wifi Coexistence device type wb_coexistence_dev, dev_type; -# Touch -type touch_offload_device, dev_type; - # LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL type lwis_device, dev_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 13179922..f7bec37b 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -387,10 +387,6 @@ /vendor/lib(64)?/hw/vulkan\.gs101\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0 -# Touch -/dev/touch_offload u:object_r:touch_offload_device:s0 -/vendor/bin/twoshay u:object_r:twoshay_exec:s0 - # Fingerprint /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 diff --git a/whitechapel/vendor/google/twoshay.te b/whitechapel/vendor/google/twoshay.te index eba1ccee..e3e71d30 100644 --- a/whitechapel/vendor/google/twoshay.te +++ b/whitechapel/vendor/google/twoshay.te 
@@ -1,11 +1,3 @@ -type twoshay, domain; -type twoshay_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(twoshay) - -allow twoshay touch_offload_device:chr_file rw_file_perms; -allow twoshay twoshay:capability sys_nice; - binder_use(twoshay) add_service(twoshay, touch_context_service) From 778f7da931ea093ac63c3b29353074ff8f83ee52 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 9 Sep 2021 13:05:36 +0800 Subject: [PATCH 464/921] label Extcon files Bug: 199218084 Test: Boot with target files labeled correctly Change-Id: I7d8c4ecb23a5717e2265cfd66b161fb46717615f --- whitechapel/vendor/google/genfs_contexts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 6c9eb2d1..3ec57c2d 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -315,3 +315,7 @@ genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_t genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 + +# Extcon +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 + From cb6a843980a9ab53f33b95c1cb77d4f3fa5a8e68 Mon Sep 17 00:00:00 2001 From: Michael Ayoubi Date: Thu, 9 Sep 2021 15:44:25 +0000 Subject: [PATCH 465/921] Allow euiccpixel_app to get dck_prop Bug: 189881206 Bug: 183606657 Test: Build and confirm EuiccSupportPixel can get ro.gms.dck.eligible_wcc Change-Id: I59873d33f21632347183d749c9bbf25c6e6ba2cd --- whitechapel/vendor/google/euiccpixel_app.te | 1 + 1 file changed, 1 insertion(+) 
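Review bot: The new `genfscon` entry pins the `sysfs_extcon` label to one bus path, `/devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/extcon`, so the same chip enumerated on a different bus keeps whatever label a shorter prefix assigns. A later patch in this series adds the `i2c-5` variant after a `system_server` denial on `extcon0`, which suggests the bus number is not fixed across the targets using this policy. A comment above the entry, such as `# max77759 TCPC extcon: one entry per i2c bus number the chip can appear on`, would tell the next maintainer why more lines may be needed.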
diff --git a/whitechapel/vendor/google/euiccpixel_app.te b/whitechapel/vendor/google/euiccpixel_app.te index db3d0aed..32f958b3 100644 --- a/whitechapel/vendor/google/euiccpixel_app.te +++ b/whitechapel/vendor/google/euiccpixel_app.te @@ -10,6 +10,7 @@ allow euiccpixel_app surfaceflinger_service:service_manager find; set_prop(euiccpixel_app, vendor_secure_element_prop) set_prop(euiccpixel_app, vendor_modem_prop) +get_prop(euiccpixel_app, dck_prop) userdebug_or_eng(` net_domain(euiccpixel_app) From 7254de258a89495975a6fe3c9180496e9ee287c5 Mon Sep 17 00:00:00 2001 From: Jonglin Lee Date: Fri, 10 Sep 2021 21:23:57 +0000 Subject: [PATCH 466/921] Revert "Move twoshay definitions to hardware/google/pixel-sepoli..." Revert "Move twoshay definitions to hardware/google/pixel-sepoli..." Revert "Move twoshay definitions to hardware/google/pixel-sepoli..." Revert "Move twoshay definitions to hardware/google/pixel-sepoli..." Revert "Move sepolicy for _touchflow targets." Revert submission 15676823-reflector-sepolicy Reason for revert: breaking several builds in git_master-without-vendor Reverted Changes: Ifecfc81f0:Move twoshay definitions to hardware/google/pixel-... Idfd81131c:Move twoshay definitions to hardware/google/pixel-... Id2b0e1db3:Move twoshay definitions to hardware/google/pixel-... I43ac6337f:Move twoshay definitions to hardware/google/pixel-... If95e6e788:Move twoshay definitions to hardware/google/pixel-... I07ab95780:Move sepolicy for _touchflow targets. I01f378b51:Move sepolicy for _touchflow targets. Bug: 199548147 Change-Id: I84f106c24bd47fd171788301415c0eabafe9254f --- whitechapel/vendor/google/device.te | 3 +++ whitechapel/vendor/google/file_contexts | 4 ++++ whitechapel/vendor/google/twoshay.te | 8 ++++++++ 3 files changed, 15 insertions(+) diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index 27b04ec5..bc3c9477 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te 
@@ -26,6 +26,9 @@ type cpuctl_device, dev_type; # Bt Wifi Coexistence device type wb_coexistence_dev, dev_type; +# Touch +type touch_offload_device, dev_type; + # LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL type lwis_device, dev_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index f7bec37b..13179922 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -387,6 +387,10 @@ /vendor/lib(64)?/hw/vulkan\.gs101\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0 +# Touch +/dev/touch_offload u:object_r:touch_offload_device:s0 +/vendor/bin/twoshay u:object_r:twoshay_exec:s0 + # Fingerprint /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 diff --git a/whitechapel/vendor/google/twoshay.te b/whitechapel/vendor/google/twoshay.te index e3e71d30..eba1ccee 100644 --- a/whitechapel/vendor/google/twoshay.te +++ b/whitechapel/vendor/google/twoshay.te @@ -1,3 +1,11 @@ +type twoshay, domain; +type twoshay_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(twoshay) + +allow twoshay touch_offload_device:chr_file rw_file_perms; +allow twoshay twoshay:capability sys_nice; + binder_use(twoshay) add_service(twoshay, touch_context_service) From f97138a6bb99b210eaff4eeba7b95a104664047b Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 14 Sep 2021 13:35:19 +0800 Subject: [PATCH 467/921] organize wifi_sniffer Bug: 196916111 Test: boot with wifi_sniffer started Change-Id: If12fb0499c749e4e8379a5c2095fbf9cd2ca624e --- gs101-sepolicy.mk | 3 --- 1 file changed, 3 deletions(-) diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk index 989bb70b..8a9eded6 100644 --- a/gs101-sepolicy.mk +++ b/gs101-sepolicy.mk 
@@ -32,9 +32,6 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats # sscoredump BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/sscoredump -# Sniffer Logger -BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_sniffer - # Wifi Logger BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_logger From 9795c12e8f348d25bca4f3bfa166baf6d51ed4eb Mon Sep 17 00:00:00 2001 From: Patty Date: Mon, 30 Aug 2021 18:02:43 +0800 Subject: [PATCH 468/921] Split bluetooth sepolicy file to avoid conflict - Move bluetooth related config to bluetooth folder Bug: 196308076 Test: make; boot with service btlinux started Change-Id: I8d40697f20a916fc154f0b60851abecd1deadc0d --- bluetooth/file_contexts | 2 ++ .../vendor/google => bluetooth}/hal_bluetooth_btlinux.te | 0 whitechapel/vendor/google/file_contexts | 1 - 3 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 bluetooth/file_contexts rename {whitechapel/vendor/google => bluetooth}/hal_bluetooth_btlinux.te (100%) diff --git a/bluetooth/file_contexts b/bluetooth/file_contexts new file mode 100644 index 00000000..5bb9a33a --- /dev/null +++ b/bluetooth/file_contexts @@ -0,0 +1,2 @@ +# Bluetooth +/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service\.bcmbtlinux u:object_r:hal_bluetooth_btlinux_exec:s0 diff --git a/whitechapel/vendor/google/hal_bluetooth_btlinux.te b/bluetooth/hal_bluetooth_btlinux.te similarity index 100% rename from whitechapel/vendor/google/hal_bluetooth_btlinux.te rename to bluetooth/hal_bluetooth_btlinux.te diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 11445e44..6aa2a0f6 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
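Review bot: The new `bluetooth/` directory receives `file_contexts` and `hal_bluetooth_btlinux.te`, but this commit's diffstat does not include `gs101-sepolicy.mk`, so nothing visible here adds the directory to `BOARD_SEPOLICY_DIRS`. If no other makefile lists it, the `hal_bluetooth_btlinux_exec` label and the domain's rules drop out of the built policy, and the HAL binary would get a generic vendor label with no domain transition. Please confirm where the directory is registered for every target that uses this policy, or add a `BOARD_SEPOLICY_DIRS += <path-to-this-repo>/bluetooth` line (placeholder path) in the same change.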
@@ -294,7 +294,6 @@ /(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_default_exec:s0 # Bluetooth -/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service\.bcmbtlinux u:object_r:hal_bluetooth_btlinux_exec:s0 /dev/wbrc u:object_r:wb_coexistence_dev:s0 /dev/ttySAC16 u:object_r:hci_attach_dev:s0 /dev/logbuffer_btlpm u:object_r:logbuffer_device:s0 From 2d2d6999d2a18590d9e55eb4dc4f22c959660fa7 Mon Sep 17 00:00:00 2001 From: sukiliu Date: Wed, 15 Sep 2021 14:40:51 +0800 Subject: [PATCH 469/921] Update avc error on ROM 7733084 avc: denied { read } for comm="android.ui" name="extcon0" dev="sysfs" ino=72527 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0 Bug: 199987074 Test: PtsSELinuxTestCases Change-Id: I1d160b06b4b0bba9402ae3de5f564d6f893505c1 --- tracking_denials/system_server.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 tracking_denials/system_server.te diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te new file mode 100644 index 00000000..538ac241 --- /dev/null +++ b/tracking_denials/system_server.te @@ -0,0 +1,2 @@ +# b/199987074 +dontaudit system_server sysfs_batteryinfo:dir read; From 22ed933f97c98d4f22315889bf189fa7330a265e Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 16 Sep 2021 10:02:11 +0800 Subject: [PATCH 470/921] label extcon files Bug: 199987074 Test: boot with no relevant errors Change-Id: Idd26d8675c332043b1066e3eba1706527254eb03 --- tracking_denials/system_server.te | 2 -- whitechapel/vendor/google/genfs_contexts | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) delete mode 100644 tracking_denials/system_server.te diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te deleted file mode 100644 index 538ac241..00000000 --- a/tracking_denials/system_server.te +++ /dev/null 
@@ -1,2 +0,0 @@ -# b/199987074 -dontaudit system_server sysfs_batteryinfo:dir read; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 3ec57c2d..59aa244d 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -318,4 +318,5 @@ genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time # Extcon genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 From fba4a09331c43bb7a022034451b53f47c39709ee Mon Sep 17 00:00:00 2001 From: Erik Staats Date: Mon, 20 Sep 2021 16:50:50 -0700 Subject: [PATCH 471/921] Allow the sensor HAL to access dynamic sensor properties. Bug: 195964858 Test: Verified dynamic sensor manager is present in sensor list and that no SELinux violations occur. Test: See details in testing done comment in https://googleplex-android-review.git.corp.google.com/15874927 . Change-Id: I76a60f7fbd113059156ccaea2c4f98580cb0836a --- usf/sensor_hal.te | 3 +++ whitechapel/vendor/google/property.te | 4 ++++ whitechapel/vendor/google/property_contexts | 4 ++++ 3 files changed, 11 insertions(+) diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index e071b9bc..0797253e 100644 --- a/usf/sensor_hal.te +++ b/usf/sensor_hal.te @@ -49,6 +49,9 @@ allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms; # Allow sensor HAL to read AoC dumpstate. allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms; +# Allow access for dynamic sensor properties. +get_prop(hal_sensors_default, vendor_dynamic_sensor_prop) + # # Suez type enforcements. # diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 4b671a4c..bb0894fc 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te 
@@ -49,3 +49,7 @@ vendor_internal_prop(vendor_tcpdump_log_prop) # Fingerprint vendor_internal_prop(vendor_fingerprint_fake_prop) + +# Dynamic sensor +vendor_internal_prop(vendor_dynamic_sensor_prop) + diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 5d2f018a..18a6059c 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -104,3 +104,7 @@ vendor.tcpdump.output.dir u:object_r:vendor_tcpdump_log_pr # Fingerprint vendor.fingerprint.disable.fake u:object_r:vendor_fingerprint_fake_prop:s0 + +# Dynamic sensor +vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0 + From aef1a206a7765e90e4d8ea3f385a9f5100b1038e Mon Sep 17 00:00:00 2001 From: Erik Staats Date: Wed, 22 Sep 2021 17:53:58 +0000 Subject: [PATCH 472/921] Revert "Allow the sensor HAL to access dynamic sensor properties." Revert "dynamic_sensor: Add sensor manager init to sub-HAL 2.1." Revert submission 15874906-bug_195964858.2 Reason for revert: b/200815351 Reverted Changes: I76a60f7fb:Allow the sensor HAL to access dynamic sensor prop... I5d587dc46:dynamic_sensor: Add sensor manager init to sub-HAL... Change-Id: Ib29649b058ec6f329958e1dfcba0c2e35ea79306 --- usf/sensor_hal.te | 3 --- whitechapel/vendor/google/property.te | 4 ---- whitechapel/vendor/google/property_contexts | 4 ---- 3 files changed, 11 deletions(-) diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index 0797253e..e071b9bc 100644 --- a/usf/sensor_hal.te +++ b/usf/sensor_hal.te @@ -49,9 +49,6 @@ allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms; # Allow sensor HAL to read AoC dumpstate. allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms; -# Allow access for dynamic sensor properties. -get_prop(hal_sensors_default, vendor_dynamic_sensor_prop) - # # Suez type enforcements. # diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index bb0894fc..4b671a4c 100644 
--- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -49,7 +49,3 @@ vendor_internal_prop(vendor_tcpdump_log_prop) # Fingerprint vendor_internal_prop(vendor_fingerprint_fake_prop) - -# Dynamic sensor -vendor_internal_prop(vendor_dynamic_sensor_prop) - diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 18a6059c..5d2f018a 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -104,7 +104,3 @@ vendor.tcpdump.output.dir u:object_r:vendor_tcpdump_log_pr # Fingerprint vendor.fingerprint.disable.fake u:object_r:vendor_fingerprint_fake_prop:s0 - -# Dynamic sensor -vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0 - From 2bc80fd0e76114f72223f602190dd9b8e545b100 Mon Sep 17 00:00:00 2001 From: Arthur Ishiguro Date: Thu, 23 Sep 2021 08:01:59 -0700 Subject: [PATCH 473/921] Add Context Hub AIDL to gs101 sepolicy Bug: 194285834 Test: None Change-Id: I8f9ef02c51d3f06bbfa94e9ce006cd2a0ee59c73 --- whitechapel/vendor/google/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 9889fcef..a4c3eb40 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -249,7 +249,7 @@ /dev/aoc u:object_r:aoc_device:s0 # Contexthub -/vendor/bin/hw/android\.hardware\.contexthub@1\.2-service\.generic u:object_r:hal_contexthub_default_exec:s0 +/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 /(vendor|system/vendor)/bin/chre u:object_r:chre_exec:s0 /dev/socket/chre u:object_r:chre_socket:s0 From c8651e514ca7a6cb77218fb4a1aa39871f1d3c6a Mon Sep 17 00:00:00 2001 
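Review bot: Replacing the `android\.hardware\.contexthub@1\.2-service\.generic` pattern in place leaves the HIDL binary name without a `hal_contexthub_default_exec` label, and the commit records `Test: None`. Any build that still installs the old service would then start it under a generic vendor-file label with no domain transition. Unless the HIDL service is already gone from every target using this policy, it is safer to keep the old line directly above the new `android\.hardware\.contexthub-service\.generic` entry until it is removed.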
From: Jenny Ho Date: Thu, 12 Aug 2021 23:26:43 +0800 Subject: [PATCH 474/921] sepolicy: add rule for new debug file node W dumpstate@1.1-s: type=1400 audit(0.0:7): avc: denied { read } for name="logbuffer_maxfg_monitor" dev="tmpfs" ino=500 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0 Bug: 196755019 Signed-off-by: Jenny Ho Merged-In: I0ddf68d5e15fe8d77d8d61287f65621c14024f46 Change-Id: I0ddf68d5e15fe8d77d8d61287f65621c14024f46 --- whitechapel/vendor/google/file_contexts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index fdbd87e1..bc03a78e 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -111,6 +111,10 @@ /dev/logbuffer_pca9468 u:object_r:logbuffer_device:s0 /dev/logbuffer_cpm u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxfg_monitor u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0 + # DM tools device /dev/umts_dm0 u:object_r:radio_device:s0 /dev/umts_router u:object_r:radio_device:s0 From b92bc5f51c389d4e29ab45e2277440f05deb0095 Mon Sep 17 00:00:00 2001 From: Max Kogan Date: Thu, 23 Sep 2021 17:45:35 -0700 Subject: [PATCH 475/921] sepolicy: gs101: allow dumpstate to access AoC stats Add AoC DRAM votes to bugreports. Bug: 198203507 Change-Id: I77addf15709fceb70514d552b9fa8553cb129a7c --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index b9a6a60f..2d34d993 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -14,6 +14,7 @@ genfscon sysfs /devices/platform/19000000.aoc/control/audio_wakeup u:ob genfscon sysfs /devices/platform/19000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes u:object_r:sysfs_aoc_dumpstate:s0 # WiFi genfscon sysfs /wifi u:object_r:sysfs_wifi:s0 From e42a4ed3be1fb144c1b14f3bdc3cb933f854d5d1 Mon Sep 17 00:00:00 2001 From: Erik Staats Date: Fri, 24 Sep 2021 05:43:08 -0700 Subject: [PATCH 476/921] Allow the sensor HAL to access dynamic sensor properties. Bug: 195964858 Test: Verified dynamic sensor manager is present in sensor list and that no SELinux violations occur on sc-v2-dev and master. Test: See details in testing done comment in https://googleplex-android-review.git.corp.google.com/15905607 . Change-Id: I2f1c05ec0d840f6ebae1e5356f668b3f9431fd25 --- usf/sensor_hal.te | 3 +++ whitechapel/vendor/google/property.te | 4 ++++ whitechapel/vendor/google/property_contexts | 4 ++++ 3 files changed, 11 insertions(+) diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index e071b9bc..0797253e 100644 --- a/usf/sensor_hal.te +++ b/usf/sensor_hal.te @@ -49,6 +49,9 @@ allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms; # Allow sensor HAL to read AoC dumpstate. allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms; +# Allow access for dynamic sensor properties. +get_prop(hal_sensors_default, vendor_dynamic_sensor_prop) + # # Suez type enforcements. # diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 4b671a4c..bb0894fc 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te 
@@ -49,3 +49,7 @@ vendor_internal_prop(vendor_tcpdump_log_prop) # Fingerprint vendor_internal_prop(vendor_fingerprint_fake_prop) + +# Dynamic sensor +vendor_internal_prop(vendor_dynamic_sensor_prop) + diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 5d2f018a..18a6059c 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -104,3 +104,7 @@ vendor.tcpdump.output.dir u:object_r:vendor_tcpdump_log_pr # Fingerprint vendor.fingerprint.disable.fake u:object_r:vendor_fingerprint_fake_prop:s0 + +# Dynamic sensor +vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0 + From 2a4bce5b315fa60300d4fcffbd472e7af7f82564 Mon Sep 17 00:00:00 2001 From: George Lee Date: Thu, 16 Sep 2021 15:04:20 -0700 Subject: [PATCH 477/921] power_hal: add bcl file permission Bug: 201002339 Test: Local test and ensure proper ratio written via PowerHAL Signed-off-by: George Lee Change-Id: Ib0a3a5401312403ce870b9c4a4ca971f05c253e4 --- whitechapel/vendor/google/genfs_contexts | 8 +++++++- whitechapel/vendor/google/hal_power_default.te | 2 ++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index b9a6a60f..d47c3dc2 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -149,7 +149,13 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 # bcl sysfs files -genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0 +genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0 +genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/tpu_heavy_clk_ratio u:object_r:sysfs_bcl:s0 +genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/gpu_heavy_clk_ratio u:object_r:sysfs_bcl:s0 +genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/cpu2_heavy_clk_ratio u:object_r:sysfs_bcl:s0 +genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/cpu2_light_clk_ratio u:object_r:sysfs_bcl:s0 +genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/tpu_light_clk_ratio u:object_r:sysfs_bcl:s0 +genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/gpu_light_clk_ratio u:object_r:sysfs_bcl:s0 # Chosen genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0 diff --git a/whitechapel/vendor/google/hal_power_default.te b/whitechapel/vendor/google/hal_power_default.te index cc5fe8ff..a04e40a1 100644 --- a/whitechapel/vendor/google/hal_power_default.te +++ b/whitechapel/vendor/google/hal_power_default.te @@ -12,6 +12,8 @@ allow hal_power_default thermal_link_device:dir r_dir_perms; allow hal_power_default sysfs_thermal:dir r_dir_perms; allow hal_power_default sysfs_thermal:file rw_file_perms; allow hal_power_default sysfs_thermal:lnk_file r_file_perms; +allow hal_power_default sysfs_bcl:dir r_dir_perms; +allow hal_power_default sysfs_bcl:file rw_file_perms; set_prop(hal_power_default, vendor_camera_prop) set_prop(hal_power_default, vendor_camera_debug_prop) set_prop(hal_power_default, vendor_camera_fatp_prop) From d60ebc5327b34f93a2ba74c0754cc5cebdc9c9ee Mon Sep 17 00:00:00 2001 
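Review bot: The six new `clock_ratio/*` genfscon lines in this hunk assign the same `sysfs_bcl` label that the existing `/devices/virtual/pmic/mitigation` entry already gives to everything below that prefix, so they narrow nothing. The `allow hal_power_default sysfs_bcl:file rw_file_perms;` added in hal_power_default.te (next hunk) therefore makes every node under the mitigation directory writable by the power HAL, not only the clock ratios. If only the ratios need to be written, give them their own type, e.g. `genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio u:object_r:sysfs_bcl_clock_ratio:s0` with `allow hal_power_default sysfs_bcl_clock_ratio:file rw_file_perms;`, and keep `sysfs_bcl` read-only for this domain. The type name is a constructed suggestion and would need a declaration in file.te.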
From: Erik Staats Date: Thu, 16 Sep 2021 15:03:31 -0700 Subject: [PATCH 478/921] Allow the sensor HAL to access raw HID devices. Bug: 195964858 Test: Paired a Sony PS4 controller and verified that it's discovered by the dynamic sensor HAL. Test: See details in testing done comment in https://googleplex-android-review.git.corp.google.com/15847652 . Change-Id: Ic0bdd711d066a9793eba305102e9a850e3973856 --- usf/sensor_hal.te | 3 +++ whitechapel/vendor/google/device.te | 4 ++++ whitechapel/vendor/google/file_contexts | 4 ++++ 3 files changed, 11 insertions(+) diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index 0797253e..22a42087 100644 --- a/usf/sensor_hal.te +++ b/usf/sensor_hal.te @@ -52,6 +52,9 @@ allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms; # Allow access for dynamic sensor properties. get_prop(hal_sensors_default, vendor_dynamic_sensor_prop) +# Allow access to raw HID devices for dynamic sensors. +allow hal_sensors_default hidraw_device:chr_file rw_file_perms; + # # Suez type enforcements. # diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index bc3c9477..bad0be07 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -55,3 +55,7 @@ type amcs_device, dev_type; # Battery history type battery_history_device, dev_type; + +# Raw HID device +type hidraw_device, dev_type; + diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index bc03a78e..ff401dcd 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -441,3 +441,7 @@ /vendor/lib64/android\.frameworks\.stats-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/libprotobuf-cpp-lite-3\.9\.1\.so u:object_r:same_process_hal_file:s0 + +# Raw HID device +/dev/hidraw[0-9]* u:object_r:hidraw_device:s0 + 
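Review bot: The new `allow hal_sensors_default hidraw_device:chr_file rw_file_perms;` in usf/sensor_hal.te covers every `/dev/hidraw*` node, because the file_contexts hunk of this commit gives them all the single `hidraw_device` label; that includes any other HID device exposed as hidraw, not only controllers used as dynamic sensors. The comment above the rule should state that scope, for example `# hidraw_device labels all /dev/hidraw* nodes; the HAL itself must filter for sensor-capable devices.` If the HAL never sends output reports, it is worth checking whether `r_file_perms` would be enough.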
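Review bot: The pattern `/dev/hidraw[0-9]*` at the end of the file_contexts hunk also matches a bare `/dev/hidraw` with no index; `/dev/hidraw[0-9]+` matches only numbered nodes. The trailing blank line added after the entry, and the one after the new type in device.te, can be dropped.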
From 951ce82739f1fcdf610e0a368d1f39c2067a1ebd Mon Sep 17 00:00:00 2001 From: Ted Lin Date: Fri, 24 Sep 2021 17:14:15 +0800 Subject: [PATCH 479/921] Using dontaudit to fix the avc on boot test avc: denied { search } for comm="kworker/6:2" name="google_battery" dev="debugfs" ino=32648 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_battery_debugfs:s0 tclass=dir permissive=1 Bug:200739262 Test: Check bugreport Change-Id: I50a96bab88f564fef0eda9a23bb77dc6ffed357f Signed-off-by: Ted Lin --- whitechapel/vendor/google/kernel.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/kernel.te b/whitechapel/vendor/google/kernel.te index 0156784e..c34e7f72 100644 --- a/whitechapel/vendor/google/kernel.te +++ b/whitechapel/vendor/google/kernel.te @@ -7,3 +7,5 @@ allow kernel per_boot_file:file r_file_perms; # memlat needs permision to create/delete perf events when hotplug on/off allow kernel self:capability2 perfmon; allow kernel self:perf_event cpu; + +dontaudit kernel vendor_battery_debugfs:dir search; From d5ac0ac3cea5d896ffadb9f4abba9f798c59bfb6 Mon Sep 17 00:00:00 2001 From: Philip Quinn Date: Wed, 25 Aug 2021 12:43:01 -0700 Subject: [PATCH 480/921] Move twoshay definitions to hardware/google/pixel-sepolicy/input. Bug: 187654303 Test: twoshay works on R4, B3, P7 Change-Id: I2cada463fcbfd3b52230430b12b091a655e2abbb --- tracking_denials/dumpstate.te | 2 -- whitechapel/vendor/google/device.te | 3 --- whitechapel/vendor/google/file_contexts | 4 ---- .../vendor/google/hal_dumpstate_default.te | 3 --- whitechapel/vendor/google/platform_app.te | 3 --- whitechapel/vendor/google/service.te | 1 - whitechapel/vendor/google/service_contexts | 1 - whitechapel/vendor/google/twoshay.te | 16 ---------------- 8 files changed, 33 deletions(-) delete mode 100644 whitechapel/vendor/google/twoshay.te diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index 1a3571bf..fa9d5cec 100644 --- a/tracking_denials/dumpstate.te 
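Review bot: The added `dontaudit kernel vendor_battery_debugfs:dir search;` in kernel.te has no comment, and it silences the audit record for every kernel thread that searches that debugfs directory, not only the kworker from the quoted denial. Put the bug reference on the line above it, in the style the tracking_denials files use: `# b/200739262: kworker searches google_battery debugfs during boot`. The quoted denial was logged with permissive=1, so the access succeeded during that test; it should be confirmed that nothing depends on it once the search is silently denied in enforcing mode.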
+++ b/tracking_denials/dumpstate.te @@ -1,6 +1,4 @@ # b/185723618 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; -# b/187795940 -dontaudit dumpstate twoshay:binder call; # b/190337283 dontaudit dumpstate debugfs_wakeup_sources:file read; diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index 1212d6ce..f5a47828 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -21,9 +21,6 @@ type cpuctl_device, dev_type; # Bt Wifi Coexistence device type wb_coexistence_dev, dev_type; -# Touch -type touch_offload_device, dev_type; - # LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL type lwis_device, dev_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index a27cdc2b..184f6c65 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -380,10 +380,6 @@ /vendor/lib(64)?/hw/vulkan\.gs101\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0 -# Touch -/dev/touch_offload u:object_r:touch_offload_device:s0 -/vendor/bin/twoshay u:object_r:twoshay_exec:s0 - # Fingerprint /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index b5608c16..612b3c0b 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te 
@@ -64,9 +64,6 @@ allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms; allow hal_dumpstate_default sysfs_thermal:file r_file_perms; allow hal_dumpstate_default sysfs_thermal:lnk_file read; -allow hal_dumpstate_default touch_context_service:service_manager find; -binder_call(hal_dumpstate_default, twoshay) - # Modem logs allow hal_dumpstate_default modem_efs_file:dir search; allow hal_dumpstate_default modem_efs_file:file r_file_perms; diff --git a/whitechapel/vendor/google/platform_app.te b/whitechapel/vendor/google/platform_app.te index 66e7721d..70480beb 100644 --- a/whitechapel/vendor/google/platform_app.te +++ b/whitechapel/vendor/google/platform_app.te @@ -13,9 +13,6 @@ allow platform_app uwb_service:service_manager find; allow platform_app fwk_stats_service:service_manager find; binder_use(platform_app) -allow platform_app touch_context_service:service_manager find; -binder_call(platform_app, twoshay) - # Fingerprint (UDFPS) GHBM/LHBM toggle get_prop(platform_app, fingerprint_ghbm_prop) diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te index 357dffe4..aa60e3f7 100644 --- a/whitechapel/vendor/google/service.te +++ b/whitechapel/vendor/google/service.te @@ -1,4 +1,3 @@ type hal_pixel_display_service, service_manager_type, vendor_service; type uwb_vendor_service, service_manager_type, vendor_service; -type touch_context_service, service_manager_type, vendor_service; type hal_uwb_vendor_service, service_manager_type, vendor_service; diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index 6fb9de1f..812105a6 100644 --- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts 
@@ -1,4 +1,3 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 -com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0 uwb_vendor u:object_r:uwb_vendor_service:s0 hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_vendor_service:s0 diff --git a/whitechapel/vendor/google/twoshay.te b/whitechapel/vendor/google/twoshay.te deleted file mode 100644 index eba1ccee..00000000 --- a/whitechapel/vendor/google/twoshay.te +++ /dev/null @@ -1,16 +0,0 @@ -type twoshay, domain; -type twoshay_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(twoshay) - -allow twoshay touch_offload_device:chr_file rw_file_perms; -allow twoshay twoshay:capability sys_nice; - -binder_use(twoshay) -add_service(twoshay, touch_context_service) - -allow twoshay fwk_stats_service:service_manager find; -binder_call(twoshay, stats_service_server) - -# b/198755236 -dontaudit twoshay twoshay:capability dac_override; From 4d6a7023e1abfe50b6f97b8abd078796e57e90bd Mon Sep 17 00:00:00 2001 From: Edwin Tung Date: Tue, 22 Jun 2021 14:01:09 +0800 Subject: [PATCH 481/921] gps: add sepolicy to allow gps access pps gpio Bug: 175086879 Test: no avc deny Change-Id: I960940d7223c25732021ff4d92ae72255c044291 --- whitechapel/vendor/google/file.te | 1 + whitechapel/vendor/google/genfs_contexts | 1 + whitechapel/vendor/google/gpsd.te | 3 +++ 3 files changed, 5 insertions(+) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 9b4c95b4..e2baeca6 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -139,6 +139,7 @@ userdebug_or_eng(` typeattribute vendor_gps_file mlstrustedobject; ') type sysfs_gps, sysfs_type, fs_type; +type sysfs_gps_assert, sysfs_type, fs_type; # Display type sysfs_display, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index b9a6a60f..e4871882 100644 
--- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -108,6 +108,7 @@ genfscon sysfs /devices/virtual/sec/tsp # GPS genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 +genfscon sysfs /devices/virtual/pps/pps0/assert_elapsed u:object_r:sysfs_gps_assert:s0 # Display genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 diff --git a/whitechapel/vendor/google/gpsd.te b/whitechapel/vendor/google/gpsd.te index 64591cba..791a02e4 100644 --- a/whitechapel/vendor/google/gpsd.te +++ b/whitechapel/vendor/google/gpsd.te @@ -23,3 +23,6 @@ allow gpsd hal_exynos_rild_hwservice:hwservice_manager find; # Allow gpsd to access sensor service binder_call(gpsd, system_server); allow gpsd fwk_sensor_hwservice:hwservice_manager find; + +# Allow gpsd to access pps gpio +allow gpsd sysfs_gps_assert:file r_file_perms; From d61f60e882198799b77d272b3b7044fabc5681ed Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 30 Sep 2021 14:25:57 +0800 Subject: [PATCH 482/921] centralize wifi_ext config Bug: 201599426 Test: boot with wifi_ext started Change-Id: I0638216a7100b26415a79e87cdb1a5a260f05baa --- gs101-sepolicy.mk | 3 --- 1 file changed, 3 deletions(-) diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk index 8a9eded6..8a302845 100644 --- a/gs101-sepolicy.mk +++ b/gs101-sepolicy.mk @@ -23,9 +23,6 @@ SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs101-sepolicy/system_ext/priv # Dauntless (uses Citadel policy currently) BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/citadel -# Wifi -BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_ext - # PowerStats HAL BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats From 8f3fb5c47f64079a2c1c43eb02968511637fb00d Mon Sep 17 00:00:00 2001 
From: George Chang Date: Wed, 12 May 2021 20:57:09 +0800 Subject: [PATCH 483/921] Update SecureElement Sepolicy Add rules for sysfs_st33spi Separate hal_secure_element_st54spi and st33spi form default Bug: 193417907 Test: VtsHalSecureElementV1_2TargetTest, VtsHalSecureElementV1_1TargetTest, VtsHalSecureElementV1_0TargetTest, CtsOmapiTestCases Change-Id: I444af2e38fc120d173445bce48b7e4d381201a91 --- whitechapel/vendor/google/device.te | 4 ++++ whitechapel/vendor/google/euiccpixel_app.te | 9 ++++++--- whitechapel/vendor/google/fastbootd.te | 2 +- whitechapel/vendor/google/file.te | 3 +++ whitechapel/vendor/google/file_contexts | 10 ++++------ whitechapel/vendor/google/genfs_contexts | 4 ++++ .../vendor/google/hal_secure_element_default.te | 2 -- .../vendor/google/hal_secure_element_st33spi.te | 8 ++++++++ .../vendor/google/hal_secure_element_st54spi.te | 9 +++++++++ whitechapel/vendor/google/ofl_app.te | 9 ++++++--- whitechapel/vendor/google/recovery.te | 2 +- whitechapel/vendor/google/vendor_init.te | 1 + 12 files changed, 47 insertions(+), 16 deletions(-) create mode 100644 whitechapel/vendor/google/hal_secure_element_st33spi.te create mode 100644 whitechapel/vendor/google/hal_secure_element_st54spi.te diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index 1212d6ce..764cc877 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -54,3 +54,7 @@ type battery_history_device, dev_type; # Raw HID device type hidraw_device, dev_type; +# SecureElement SPI device +type st54spi_device, dev_type; +type st33spi_device, dev_type; + diff --git a/whitechapel/vendor/google/euiccpixel_app.te b/whitechapel/vendor/google/euiccpixel_app.te index db3d0aed..b03b48db 100644 --- a/whitechapel/vendor/google/euiccpixel_app.te +++ b/whitechapel/vendor/google/euiccpixel_app.te 
@@ -14,8 +14,11 @@ set_prop(euiccpixel_app, vendor_modem_prop) userdebug_or_eng(` net_domain(euiccpixel_app) - # Access to directly upgrade firmware on secure_element used for engineering devices - typeattribute secure_element_device mlstrustedobject; - allow euiccpixel_app secure_element_device:chr_file rw_file_perms; + # Access to directly upgrade firmware on st54spi_device used for engineering devices + typeattribute st54spi_device mlstrustedobject; + allow euiccpixel_app st54spi_device:chr_file rw_file_perms; + # Access to directly upgrade firmware on st33spi_device used for engineering devices + typeattribute st33spi_device mlstrustedobject; + allow euiccpixel_app st33spi_device:chr_file rw_file_perms; ') diff --git a/whitechapel/vendor/google/fastbootd.te b/whitechapel/vendor/google/fastbootd.te index f9d09d95..d6cf7315 100644 --- a/whitechapel/vendor/google/fastbootd.te +++ b/whitechapel/vendor/google/fastbootd.te @@ -1,6 +1,6 @@ # Required by the bootcontrol HAL for the 'set_active' command. recovery_only(` -allow fastbootd secure_element_device:chr_file rw_file_perms; +allow fastbootd st54spi_device:chr_file rw_file_perms; allow fastbootd devinfo_block_device:blk_file rw_file_perms; allow fastbootd sda_block_device:blk_file rw_file_perms; allow fastbootd sysfs_ota:file rw_file_perms; diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 9b4c95b4..18a034c8 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -202,3 +202,6 @@ type sysfs_sjtag, fs_type, sysfs_type; userdebug_or_eng(` typeattribute sysfs_sjtag mlstrustedobject; ') + +# SecureElement +type sysfs_st33spi, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index a27cdc2b..c460e6a8 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -287,13 +287,11 @@ /data/nfc(/.*)? u:object_r:nfc_data_file:s0 # SecureElement -/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service\.st u:object_r:hal_secure_element_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_default_exec:s0 -/dev/st54j_se u:object_r:secure_element_device:s0 -/dev/st54spi u:object_r:secure_element_device:s0 -/dev/st33spi u:object_r:secure_element_device:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_st33spi_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_default_exec:s0 +/dev/st54spi u:object_r:st54spi_device:s0 +/dev/st33spi u:object_r:st33spi_device:s0 # Bluetooth /dev/wbrc u:object_r:wb_coexistence_dev:s0 diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 59aa244d..7d622e4a 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -320,3 +320,7 @@ genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +# SecureElement +genfscon sysfs /devices/platform/10950000.spi/spi_master/spi6/spi6.0/st33spi u:object_r:sysfs_st33spi:s0 +genfscon sysfs /devices/platform/175c0000.spi/spi_master/spi15/spi15.0/st33spi u:object_r:sysfs_st33spi:s0 + 
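Review bot: After this file_contexts hunk no entry in the file assigns `secure_element_device` any more, and `/dev/st54j_se` loses its label without a replacement, yet hal_secure_element_default.te (a later hunk of this commit) keeps `allow hal_secure_element_default secure_element_device:chr_file rw_file_perms;` as a context line. If the uicc service does not open a device node, that allow should be removed so the default domain carries no unused device grant; if `/dev/st54j_se` still exists on some board, it needs an explicit label here. The `@1\.2-service\.st` executable entry is removed as well, so that binary would presumably fall back to the generic vendor file label if it still ships.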
diff --git a/whitechapel/vendor/google/hal_secure_element_default.te b/whitechapel/vendor/google/hal_secure_element_default.te index dc048746..17a679d2 100644 --- a/whitechapel/vendor/google/hal_secure_element_default.te +++ b/whitechapel/vendor/google/hal_secure_element_default.te @@ -1,7 +1,5 @@ allow hal_secure_element_default secure_element_device:chr_file rw_file_perms; -allow hal_secure_element_default nfc_device:chr_file rw_file_perms; set_prop(hal_secure_element_default, vendor_secure_element_prop) -set_prop(hal_secure_element_default, vendor_nfc_prop) set_prop(hal_secure_element_default, vendor_modem_prop) # Allow hal_secure_element_default to access rild diff --git a/whitechapel/vendor/google/hal_secure_element_st33spi.te b/whitechapel/vendor/google/hal_secure_element_st33spi.te new file mode 100644 index 00000000..a5978f20 --- /dev/null +++ b/whitechapel/vendor/google/hal_secure_element_st33spi.te @@ -0,0 +1,8 @@ +type hal_secure_element_st33spi, domain; +hal_server_domain(hal_secure_element_st33spi, hal_secure_element) +type hal_secure_element_st33spi_exec, exec_type, vendor_file_type, file_type; + +allow hal_secure_element_st33spi st33spi_device:chr_file rw_file_perms; +set_prop(hal_secure_element_st33spi, vendor_secure_element_prop) + +init_daemon_domain(hal_secure_element_st33spi) diff --git a/whitechapel/vendor/google/hal_secure_element_st54spi.te b/whitechapel/vendor/google/hal_secure_element_st54spi.te new file mode 100644 index 00000000..7f6ea41b --- /dev/null +++ b/whitechapel/vendor/google/hal_secure_element_st54spi.te 
@@ -0,0 +1,9 @@ +type hal_secure_element_st54spi, domain; +hal_server_domain(hal_secure_element_st54spi, hal_secure_element) +type hal_secure_element_st54spi_exec, exec_type, vendor_file_type, file_type; +allow hal_secure_element_st54spi st54spi_device:chr_file rw_file_perms; +allow hal_secure_element_st54spi nfc_device:chr_file rw_file_perms; +set_prop(hal_secure_element_st54spi, vendor_secure_element_prop) +set_prop(hal_secure_element_st54spi, vendor_nfc_prop) +set_prop(hal_secure_element_st54spi, vendor_modem_prop) +init_daemon_domain(hal_secure_element_st54spi) diff --git a/whitechapel/vendor/google/ofl_app.te b/whitechapel/vendor/google/ofl_app.te index e3f61408..a9498165 100644 --- a/whitechapel/vendor/google/ofl_app.te +++ b/whitechapel/vendor/google/ofl_app.te @@ -11,7 +11,10 @@ userdebug_or_eng(` allow ofl_app radio_service:service_manager find; allow ofl_app surfaceflinger_service:service_manager find; - # Access to directly update firmware on secure_element - typeattribute secure_element_device mlstrustedobject; - allow ofl_app secure_element_device:chr_file rw_file_perms; + # Access to directly update firmware on st54spi_device + typeattribute st54spi_device mlstrustedobject; + allow ofl_app st54spi_device:chr_file rw_file_perms; + # Access to directly update firmware on st33spi_device + typeattribute st33spi_device mlstrustedobject; + allow ofl_app st33spi_device:chr_file rw_file_perms; ') diff --git a/whitechapel/vendor/google/recovery.te b/whitechapel/vendor/google/recovery.te index 4687a43c..1974ebb1 100644 --- a/whitechapel/vendor/google/recovery.te +++ b/whitechapel/vendor/google/recovery.te @@ -1,4 +1,4 @@ recovery_only(` allow recovery sysfs_ota:file rw_file_perms; - allow recovery secure_element_device:chr_file rw_file_perms; + allow recovery st54spi_device:chr_file rw_file_perms; ') diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index c1db5e43..321da078 100644 
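Review bot: The new hal_secure_element_st54spi.te has no comments, and it is the only one of the two new SE domains that receives `nfc_device` access and `set_prop` on `vendor_nfc_prop`, both of which this commit removes from hal_secure_element_default. A line such as `# NFC device and property access moved here from hal_secure_element_default` above those rules would record where they came from and why the st33spi domain does not have them. The file also runs the type declarations, allow rules and `init_daemon_domain` together without the blank lines that hal_secure_element_st33spi.te uses.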
--- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -18,6 +18,7 @@ allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file write; allow vendor_init bootdevice_sysdev:file create_file_perms; allow vendor_init block_device:lnk_file setattr; +allow vendor_init sysfs_st33spi:file w_file_perms; userdebug_or_eng(` set_prop(vendor_init, logpersistd_logging_prop) From 17881f3a38eb5a6c8b2ab48215489989c000649e Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 8 Oct 2021 11:06:49 +0800 Subject: [PATCH 484/921] reorganize pixelstats_vendor Bug: 202462997 Test: boot with pixelstats_vendor started Change-Id: I8582ac4e83720768ee7992d41bdac0798da892d9 --- whitechapel/vendor/google/file_contexts | 3 --- whitechapel/vendor/google/pixelstats_vendor.te | 6 ------ 2 files changed, 9 deletions(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index aec51ec9..f8648be0 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -362,9 +362,6 @@ /dev/dit2 u:object_r:vendor_toe_device:s0 /vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.[0-9]-service u:object_r:hal_tetheroffload_default_exec:s0 -# pixelstats binary -/vendor/bin/pixelstats-vendor u:object_r:pixelstats_vendor_exec:s0 - # battery history /dev/battery_history u:object_r:battery_history_device:s0 diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te index 96bd9325..f0cca685 100644 --- a/whitechapel/vendor/google/pixelstats_vendor.te +++ b/whitechapel/vendor/google/pixelstats_vendor.te @@ -1,9 +1,3 @@ -# pixelstats vendor -type pixelstats_vendor, domain; - -type pixelstats_vendor_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(pixelstats_vendor) - unix_socket_connect(pixelstats_vendor, chre, chre) get_prop(pixelstats_vendor, hwservicemanager_prop) 
From a03f3b1a50b304596f2cc0b2126c69405824cfaa Mon Sep 17 00:00:00 2001 From: David Brazdil Date: Wed, 6 Oct 2021 17:33:57 +0000 Subject: [PATCH 485/921] Assign pkvm_enabler to vendor_misc_writer domain Builds of gs101 targets with pKVM force-enabled have an init service which checks that /dev/kvm exists and if not, runs misc_writer to instruct the bootloader to enable pKVM, and forces a reboot. Assign the binary to the existing vendor_misc_writer domain and add permission to execute the /vendor/bin/misc_writer binary. Since this is for tests only, the rules are only added to targets that define TARGET_PKVM_ENABLED. Bug: 192819132 Test: flash a _pkvm build, observe double-reboot, check /dev/kvm exists Change-Id: I5f9962e4cdd3ec267ab19ea4485e4e94a3ec15cd --- gs101-sepolicy.mk | 5 +++++ pkvm/file_contexts | 1 + pkvm/vendor_misc_writer.te | 2 ++ 3 files changed, 8 insertions(+) create mode 100644 pkvm/file_contexts create mode 100644 pkvm/vendor_misc_writer.te diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk index 8a302845..b9b3b8c5 100644 --- a/gs101-sepolicy.mk +++ b/gs101-sepolicy.mk @@ -34,3 +34,8 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_logger # Public PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs101-sepolicy/public + +# pKVM +ifeq ($(TARGET_PKVM_ENABLED),true) +BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/pkvm +endif diff --git a/pkvm/file_contexts b/pkvm/file_contexts new file mode 100644 index 00000000..310aad4d --- /dev/null +++ b/pkvm/file_contexts @@ -0,0 +1 @@ +/vendor/bin/pkvm_enabler u:object_r:vendor_misc_writer_exec:s0 diff --git a/pkvm/vendor_misc_writer.te b/pkvm/vendor_misc_writer.te new file mode 100644 index 00000000..b9b4ceb1 --- /dev/null +++ b/pkvm/vendor_misc_writer.te @@ -0,0 +1,2 @@ +# Allow pkvm_enabler to execute misc_writer. +allow vendor_misc_writer vendor_misc_writer_exec:file execute_no_trans; From 24693cd264337394d086239eea27ed67eb59a8c6 Mon Sep 17 00:00:00 2001 
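Review bot: Labelling `/vendor/bin/pkvm_enabler` as `vendor_misc_writer_exec` in pkvm/file_contexts puts a second binary into the `vendor_misc_writer` domain with everything that domain is allowed, and only the commit message says this is for tests; the policy files do not. Add that to the file, e.g. `# Test-only (TARGET_PKVM_ENABLED builds): pkvm_enabler reuses the vendor_misc_writer domain.` above the entry. The `execute_no_trans` rule in pkvm/vendor_misc_writer.te applies to every file carrying the exec label, which its comment could state as well.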
From: Alfred Lin Date: Fri, 8 Oct 2021 07:38:26 +0000 Subject: [PATCH 486/921] [Display] Add SELinux policy for hal_graphics_composer_default Add SELinux policy for hal_graphics_composer_default to find persist_display_file Bug: 202487234 Test: device boot will not find avc denied log as "avc: denied { search } for name="display" dev="sda1" ino=21 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:persist_display_file:s0 tclass=dir permissive=0" Change-Id: I8fc386cb18397911404e1f2803601711e40edead --- display/gs101/hal_graphics_composer_default.te | 1 + 1 file changed, 1 insertion(+) diff --git a/display/gs101/hal_graphics_composer_default.te b/display/gs101/hal_graphics_composer_default.te index 0b4c26e8..1bea8b50 100644 --- a/display/gs101/hal_graphics_composer_default.te +++ b/display/gs101/hal_graphics_composer_default.te @@ -16,6 +16,7 @@ userdebug_or_eng(` allow hal_graphics_composer_default mnt_vendor_file:dir search; allow hal_graphics_composer_default persist_file:dir search; allow hal_graphics_composer_default persist_display_file:file r_file_perms; +allow hal_graphics_composer_default persist_display_file:dir search; # allow HWC to r/w backlight allow hal_graphics_composer_default sysfs_leds:dir r_dir_perms; From 6e818988b6bc8d86f6f54f71232845d571617fb8 Mon Sep 17 00:00:00 2001 
From: qinyiyan Date: Tue, 12 Oct 2021 13:53:44 -0700 Subject: [PATCH 487/921] Allow the NNAPI HAL to access edgetpu_app_service. 10-12 14:40:11.528 759 759 W Binder:759_1: type=1400 audit(0.0:23): avc: denied { call } for scontext=u:r:hal_neuralnetworks_darwinn:s0 tcontext=u:r:edgetpu_app_server:s0 tclass=binder permissive=0 10-12 18:17:04.678 440 440 E SELinux : avc: denied { find } for pid=753 uid=1000 name=com.google.edgetpu.IEdgeTpuAppService/default scontext=u:r:hal_neuralnetworks_darwinn:s0 tcontext=u:object_r:edgetpu_app_service:s0 tclass=service_manager permissive=0 Test: rebuilt the selinux_policy. The AVC denials don't show up. Bug: 196697793 Change-Id: If43f7411a3324f65323ea004e34878f070d9ebeb --- edgetpu/hal_neuralnetworks_darwinn.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/edgetpu/hal_neuralnetworks_darwinn.te b/edgetpu/hal_neuralnetworks_darwinn.te index b45a7059..18960713 100644 --- a/edgetpu/hal_neuralnetworks_darwinn.te +++ b/edgetpu/hal_neuralnetworks_darwinn.te @@ -43,3 +43,7 @@ allow hal_neuralnetworks_darwinn proc_overcommit_memory:file r_file_perms; # Allows the logging service to access /sys/class/edgetpu allow hal_neuralnetworks_darwinn sysfs_edgetpu:dir r_dir_perms; allow hal_neuralnetworks_darwinn sysfs_edgetpu:file r_file_perms; + +# Allows the NNAPI HAL to access the edgetpu_app_service +allow hal_neuralnetworks_darwinn edgetpu_app_service:service_manager find; +binder_call(hal_neuralnetworks_darwinn, edgetpu_app_server); From 3a1c10bb76b1d14b7b26b367748359df28a70947 Mon Sep 17 00:00:00 2001 From: Bart Van Assche Date: Fri, 8 Oct 2021 14:55:37 -0700 Subject: [PATCH 488/921] Stop using the bdev_type and sysfs_block_type SELinux attributes Stop using these attributes since these will be removed soon. This commit reverts 37b574130114 ("Add the 'bdev_type' attribute to all block device types"). Bug: 202520796 Test: Untested. Change-Id: I00f10d1fd164b6ca01ecd5cffd2012acfc05eeca 
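Review bot: The added `binder_call(hal_neuralnetworks_darwinn, edgetpu_app_server);` ends with a semicolon that the macro call does not need; most macro calls in this policy, such as `get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)`, are written without one. Write it as `binder_call(hal_neuralnetworks_darwinn, edgetpu_app_server)`.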
Signed-off-by: Bart Van Assche --- whitechapel/vendor/google/device.te | 16 ++++++++-------- whitechapel/vendor/google/file.te | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index 6fcfd0d0..058174d7 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -1,16 +1,16 @@ # Block Devices -type efs_block_device, dev_type, bdev_type; -type modem_block_device, dev_type, bdev_type; -type modem_userdata_block_device, dev_type, bdev_type; -type persist_block_device, dev_type, bdev_type; -type sda_block_device, dev_type, bdev_type; -type mfg_data_block_device, dev_type, bdev_type; +type efs_block_device, dev_type; +type modem_block_device, dev_type; +type modem_userdata_block_device, dev_type; +type persist_block_device, dev_type; +type sda_block_device, dev_type; +type mfg_data_block_device, dev_type; # Exynos devices type vendor_gnss_device, dev_type; type vendor_toe_device, dev_type; -type custom_ab_block_device, dev_type, bdev_type; -type devinfo_block_device, dev_type, bdev_type; +type custom_ab_block_device, dev_type; +type devinfo_block_device, dev_type; # usbpd type logbuffer_device, dev_type; diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 8447cf5b..90098249 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -78,7 +78,7 @@ type updated_wifi_firmware_data_file, file_type, data_file_type; type mediadrm_vendor_data_file, file_type, data_file_type; # Storage Health HAL -type sysfs_scsi_devices_0000, sysfs_type, fs_type, sysfs_block_type; +type sysfs_scsi_devices_0000, sysfs_type, fs_type; type debugfs_f2fs, debugfs_type, fs_type; type proc_f2fs, proc_type, fs_type; From 5c28519e40e06a650eaa4440b006184898a1f2dc Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Tue, 12 Oct 2021 11:34:29 +0800 Subject: [PATCH 489/921] move bluetooth related types to bluetooth Bug: 202790744 Test: boot with bluetooth hal started Change-Id: I615d4b13262af2bc2c044914e595a7c2085999d2 --- bluetooth/device.te | 3 +++ bluetooth/file_contexts | 4 ++++ bluetooth/genfs_contexts | 7 +++++++ bluetooth/hwservice.te | 3 +++ bluetooth/hwservice_contexts | 5 +++++ whitechapel/vendor/google/device.te | 3 --- whitechapel/vendor/google/file_contexts | 4 +--- whitechapel/vendor/google/genfs_contexts | 6 ------ whitechapel/vendor/google/hwservice.te | 3 --- whitechapel/vendor/google/hwservice_contexts | 5 ----- 10 files changed, 23 insertions(+), 20 deletions(-) create mode 100644 bluetooth/device.te create mode 100644 bluetooth/genfs_contexts create mode 100644 bluetooth/hwservice.te create mode 100644 bluetooth/hwservice_contexts diff --git a/bluetooth/device.te b/bluetooth/device.te new file mode 100644 index 00000000..a2563322 --- /dev/null +++ b/bluetooth/device.te @@ -0,0 +1,3 @@ +# Bt Wifi Coexistence device +type wb_coexistence_dev, dev_type; + diff --git a/bluetooth/file_contexts b/bluetooth/file_contexts index 5bb9a33a..d4681dbd 100644 --- a/bluetooth/file_contexts +++ b/bluetooth/file_contexts @@ -1,2 +1,6 @@ # Bluetooth /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service\.bcmbtlinux u:object_r:hal_bluetooth_btlinux_exec:s0 + +/dev/wbrc u:object_r:wb_coexistence_dev:s0 +/dev/ttySAC16 u:object_r:hci_attach_dev:s0 + diff --git a/bluetooth/genfs_contexts b/bluetooth/genfs_contexts new file mode 100644 index 00000000..607e1462 --- /dev/null +++ b/bluetooth/genfs_contexts 
@@ -0,0 +1,7 @@ +genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 +genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0 +genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0 +genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0 +genfscon proc /bluetooth/sleep/btwake u:object_r:proc_bluetooth_writable:s0 +genfscon proc /bluetooth/timesync u:object_r:proc_bluetooth_writable:s0 + diff --git a/bluetooth/hwservice.te b/bluetooth/hwservice.te new file mode 100644 index 00000000..5e36cd0c --- /dev/null +++ b/bluetooth/hwservice.te @@ -0,0 +1,3 @@ +# Bluetooth HAL extension +type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type; + diff --git a/bluetooth/hwservice_contexts b/bluetooth/hwservice_contexts new file mode 100644 index 00000000..df77e6f8 --- /dev/null +++ b/bluetooth/hwservice_contexts @@ -0,0 +1,5 @@ +# Bluetooth HAL extension +hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0 +hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0 +hardware.google.bluetooth.ccc::IBluetoothCcc u:object_r:hal_bluetooth_coexistence_hwservice:s0 + diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index 6fcfd0d0..59e1eaba 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -18,9 +18,6 @@ type logbuffer_device, dev_type; #cpuctl type cpuctl_device, dev_type; -# Bt Wifi Coexistence device -type wb_coexistence_dev, dev_type; - # LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL type lwis_device, dev_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index f8648be0..70a37ee0 100644 --- a/whitechapel/vendor/google/file_contexts 
+++ b/whitechapel/vendor/google/file_contexts @@ -294,9 +294,7 @@ /dev/st33spi u:object_r:st33spi_device:s0 # Bluetooth -/dev/wbrc u:object_r:wb_coexistence_dev:s0 -/dev/ttySAC16 u:object_r:hci_attach_dev:s0 -/dev/logbuffer_btlpm u:object_r:logbuffer_device:s0 +/dev/logbuffer_btlpm u:object_r:logbuffer_device:s0 /dev/logbuffer_tty16 u:object_r:logbuffer_device:s0 # Audio diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 82e5d700..ea4a4e83 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -126,12 +126,6 @@ genfscon sysfs /devices/platform/cp-tm1/cp_temp u # Bluetooth genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/bluetooth/hci0/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 -genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 -genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0 -genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0 -genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0 -genfscon proc /bluetooth/sleep/btwake u:object_r:proc_bluetooth_writable:s0 -genfscon proc /bluetooth/timesync u:object_r:proc_bluetooth_writable:s0 # ODPM genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 diff --git a/whitechapel/vendor/google/hwservice.te b/whitechapel/vendor/google/hwservice.te index 7ac98578..a3a3ead1 100644 --- a/whitechapel/vendor/google/hwservice.te +++ b/whitechapel/vendor/google/hwservice.te 
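Review bot: One Bluetooth label stays behind in whitechapel/vendor/google/genfs_contexts after this hunk, the `175b0000.serial/.../hci0/rfkill0/state` entry under `# Bluetooth`, while the other six entries move to bluetooth/genfs_contexts. If that is deliberate because the path is tied to this SoC's serial block, a comment would stop the next reader from treating it as a missed line, for example `# SoC-specific path; the remaining Bluetooth labels are in bluetooth/genfs_contexts`. If it is not deliberate, the nodes labelled `sysfs_bluetooth_writable` are now split across two directories and are harder to audit in one place.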
@@ -16,9 +16,6 @@ type hal_audio_ext_hwservice, hwservice_manager_type; # WLC type hal_wlc_hwservice, hwservice_manager_type; -# Bluetooth HAL extension -type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type; - # Fingerprint type hal_fingerprint_ext_hwservice, hwservice_manager_type; diff --git a/whitechapel/vendor/google/hwservice_contexts b/whitechapel/vendor/google/hwservice_contexts index 0bcb1f64..30207772 100644 --- a/whitechapel/vendor/google/hwservice_contexts +++ b/whitechapel/vendor/google/hwservice_contexts @@ -23,11 +23,6 @@ vendor.google.whitechapel.audio.audioext::IAudioExt u:object_r:hal_a # Wireless charger hal vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0 -# Bluetooth HAL extension -hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0 -hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0 -hardware.google.bluetooth.ccc::IBluetoothCcc u:object_r:hal_bluetooth_coexistence_hwservice:s0 - # Fingerprint vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0 From 936079ad1cd7a9baaac7aa0e51af214b313e11cb Mon Sep 17 00:00:00 2001 From: jintinglin Date: Wed, 22 Sep 2021 12:51:52 +0800 Subject: [PATCH 490/921] Allow modem app to read the battery info Test: flash the forrest build, MDS can read the info file Bug: 203478533 Change-Id: I9985dd2731a43445dd653e226fd2939ca355cda4 --- whitechapel/vendor/google/modem_diagnostics.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/modem_diagnostics.te b/whitechapel/vendor/google/modem_diagnostics.te index 7908be1b..9fa772b4 100644 --- a/whitechapel/vendor/google/modem_diagnostics.te +++ b/whitechapel/vendor/google/modem_diagnostics.te 
@@ -29,4 +29,7 @@ userdebug_or_eng(` allow modem_diagnostic_app modem_img_file:lnk_file r_file_perms; allow modem_diagnostic_app hal_vendor_oem_hwservice:hwservice_manager find; + + allow modem_diagnostic_app sysfs_batteryinfo:file r_file_perms; + allow modem_diagnostic_app sysfs_batteryinfo:dir search; ') From e6c87533b8cb5d522e0551fadb8118145af44fe0 Mon Sep 17 00:00:00 2001 From: Maurice Lam Date: Fri, 15 Oct 2021 18:11:41 -0700 Subject: [PATCH 491/921] Allow exo_app to find Virtual Device manager Bug: 194949534 Test: Manual Change-Id: I529b9eaf0d2a058a0653ec388d0e1f5abad9d094 --- ambient/exo_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/ambient/exo_app.te b/ambient/exo_app.te index ef928f65..3a88eebb 100644 --- a/ambient/exo_app.te +++ b/ambient/exo_app.te @@ -10,6 +10,7 @@ allow exo_app mediaserver_service:service_manager find; allow exo_app radio_service:service_manager find; allow exo_app fwk_stats_service:service_manager find; allow exo_app mediametrics_service:service_manager find; +allow exo_app virtual_device_service:service_manager find; allow exo_app gpu_device:dir search; allow exo_app uhid_device:chr_file rw_file_perms; From 27a4afc1a9b4577433d624d35dec4cf1d4308984 Mon Sep 17 00:00:00 2001 
From: Jasmine Cha Date: Thu, 16 Sep 2021 17:57:33 +0800 Subject: [PATCH 492/921] audio: add permission to request health/sensor data - Add audio hal into hal_health clients - Allow audio hal to find fwk_sensor_hwservice SELinux : avc: denied { find } for interface=android.frameworks.sensorservice::ISensorManager sid=u:r:hal_audio_default:s0 pid=5907 scontext=u:r:hal_audio_default:s0 tcontext=u:object_r:fwk_sensor_hwservice:s0 tclass=hwservice_manager permissive=1 SELinux : avc: denied { find } for interface=android.hardware.health::IHealth sid=u:r:hal_audio_default:s0 pid=9875 scontext=u:r:hal_audio_default:s0 tcontext=u:object_r:hal_health_hwservice:s0 tclass=hwservice_manager permissive=1 audio.service: type=1400 audit(0.0:14): avc: denied { call } for scontext=u:r:hal_audio_default:s0 tcontext=u:r:hal_health_default:s0 tclass=binder permissive=1 audio.service: type=1400 audit(0.0:15): avc: denied { transfer } for scontext=u:r:hal_audio_default:s0 tcontext=u:r:hal_health_default:s0 tclass=binder permissive=1 Bug: 199382564 Bug: 199801586 Test: build pass Signed-off-by: Jasmine Cha Change-Id: I8e8a512cfbd6be814c98bac75ff6c0e5db028db2 --- whitechapel/vendor/google/hal_audio_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/hal_audio_default.te b/whitechapel/vendor/google/hal_audio_default.te index 5ee99469..1f3edbe2 100644 --- a/whitechapel/vendor/google/hal_audio_default.te +++ b/whitechapel/vendor/google/hal_audio_default.te @@ -23,6 +23,9 @@ allow hal_audio_default dmabuf_heap_device:chr_file r_file_perms; get_prop(hal_audio_default, vendor_audio_prop); +hal_client_domain(hal_audio_default, hal_health); +allow hal_audio_default fwk_sensor_hwservice:hwservice_manager find; + userdebug_or_eng(` allow hal_audio_default self:unix_stream_socket create_stream_socket_perms; allow hal_audio_default audio_vendor_data_file:sock_file { create unlink }; From 0d48ab4fbfd11b53828e998eb7b95b2884d07be8 Mon Sep 17 00:00:00 2001 
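Review bot: The added `allow hal_audio_default fwk_sensor_hwservice:hwservice_manager find;` covers only the lookup, whereas the health side gets the full client macro `hal_client_domain(hal_audio_default, hal_health)`. The denials quoted in the commit message show `call` and `transfer` only towards `hal_health_default`, so either the binder path to the process hosting ISensorManager is already allowed elsewhere in this file or it has not been exercised yet; the hunk does not show which. A one-line comment above the two rules, such as `# Audio HAL queries health and framework sensor data (b/199382564, b/199801586)`, would make the new cross-HAL access easier to audit.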
From: Philip Quinn Date: Wed, 25 Aug 2021 12:43:01 -0700 Subject: [PATCH 493/921] Move twoshay definitions to hardware/google/pixel-sepolicy/input. Bug: 187654303 Test: twoshay works on R4, B3, P7 Change-Id: I2cada463fcbfd3b52230430b12b091a655e2abbb Merged-In: I2cada463fcbfd3b52230430b12b091a655e2abbb --- tracking_denials/dumpstate.te | 2 -- whitechapel/vendor/google/device.te | 3 --- whitechapel/vendor/google/file_contexts | 4 ---- .../vendor/google/hal_dumpstate_default.te | 3 --- whitechapel/vendor/google/platform_app.te | 3 --- whitechapel/vendor/google/service.te | 1 - whitechapel/vendor/google/service_contexts | 1 - whitechapel/vendor/google/twoshay.te | 16 ---------------- 8 files changed, 33 deletions(-) delete mode 100644 whitechapel/vendor/google/twoshay.te diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index 1a3571bf..fa9d5cec 100644 --- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te @@ -1,6 +1,4 @@ # b/185723618 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; -# b/187795940 -dontaudit dumpstate twoshay:binder call; # b/190337283 dontaudit dumpstate debugfs_wakeup_sources:file read; diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index bad0be07..7cd2c7f2 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -26,9 +26,6 @@ type cpuctl_device, dev_type; # Bt Wifi Coexistence device type wb_coexistence_dev, dev_type; -# Touch -type touch_offload_device, dev_type; - # LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL type lwis_device, dev_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index ff401dcd..604e6501 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -383,10 +383,6 @@ /vendor/lib(64)?/hw/vulkan\.gs101\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/arm\.graphics-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 -# Touch -/dev/touch_offload u:object_r:touch_offload_device:s0 -/vendor/bin/twoshay u:object_r:twoshay_exec:s0 - # Fingerprint /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index b5608c16..612b3c0b 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -64,9 +64,6 @@ allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms; allow hal_dumpstate_default sysfs_thermal:file r_file_perms; allow hal_dumpstate_default sysfs_thermal:lnk_file read; -allow hal_dumpstate_default touch_context_service:service_manager find; -binder_call(hal_dumpstate_default, twoshay) - # Modem logs allow hal_dumpstate_default modem_efs_file:dir search; allow hal_dumpstate_default modem_efs_file:file r_file_perms; diff --git a/whitechapel/vendor/google/platform_app.te b/whitechapel/vendor/google/platform_app.te index 66e7721d..70480beb 100644 --- a/whitechapel/vendor/google/platform_app.te +++ b/whitechapel/vendor/google/platform_app.te @@ -13,9 +13,6 @@ allow platform_app uwb_service:service_manager find; allow platform_app fwk_stats_service:service_manager find; binder_use(platform_app) -allow platform_app touch_context_service:service_manager find; -binder_call(platform_app, twoshay) - # Fingerprint (UDFPS) GHBM/LHBM toggle get_prop(platform_app, fingerprint_ghbm_prop) diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te index 99e99483..6012e87a 100644 --- a/whitechapel/vendor/google/service.te 
+++ b/whitechapel/vendor/google/service.te @@ -1,4 +1,3 @@ type hal_pixel_display_service, service_manager_type, vendor_service; type uwb_vendor_service, service_manager_type, vendor_service; -type touch_context_service, service_manager_type, vendor_service; type hal_uwb_service, service_manager_type, vendor_service; diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index 687f8cc8..9112cd41 100644 --- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts @@ -1,4 +1,3 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 -com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0 uwb_vendor u:object_r:uwb_vendor_service:s0 hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_service:s0 diff --git a/whitechapel/vendor/google/twoshay.te b/whitechapel/vendor/google/twoshay.te deleted file mode 100644 index 84087fe7..00000000 --- a/whitechapel/vendor/google/twoshay.te +++ /dev/null @@ -1,16 +0,0 @@ -type twoshay, domain; -type twoshay_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(twoshay) - -allow twoshay touch_offload_device:chr_file rw_file_perms; -allow twoshay twoshay:capability sys_nice; - -binder_use(twoshay) -add_service(twoshay, touch_context_service) - -# b/193224954 -dontaudit twoshay twoshay:capability dac_override; - -allow twoshay fwk_stats_service:service_manager find; -binder_call(twoshay, stats_service_server) \ No newline at end of file From a7aa46862d2366abfe72274508e6323c7a263ffe Mon Sep 17 00:00:00 2001 From: Siddharth Kapoor Date: Thu, 21 Oct 2021 14:19:42 +0800 Subject: [PATCH 494/921] Label GPU power_policy sysfs node Bug: 201718421 Test: trace while App launch Change-Id: Icd85b8611632e4638946b492740e509baf2714ce Signed-off-by: Siddharth Kapoor --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) 
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 6124bc5d..386efc84 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -254,6 +254,7 @@ genfscon sysfs /devices/platform/1c500000.mali/hint_min_freq genfscon sysfs /devices/platform/1c500000.mali/dma_buf_gpu_mem u:object_r:sysfs_gpu:s0 genfscon sysfs /devices/platform/1c500000.mali/total_gpu_mem u:object_r:sysfs_gpu:s0 genfscon sysfs /devices/platform/1c500000.mali/kprcs u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1c500000.mali/power_policy u:object_r:sysfs_gpu:s0 # nvmem (Non Volatile Memory layer) genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/4-00500/nvmem u:object_r:sysfs_memory:s0 From c8220eea823629d7482ccceb5a313204d0d93496 Mon Sep 17 00:00:00 2001 From: Super Liu Date: Thu, 21 Oct 2021 14:19:06 +0800 Subject: [PATCH 495/921] Add touch procfs and sysfs sepolicy. Bug: 193467774 Test: TH build pass. Signed-off-by: Super Liu Change-Id: I25c4d9422966e8603f12222e93ca7b6d6ea6f566 --- whitechapel/vendor/google/genfs_contexts | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index ea4a4e83..f58ed38f 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
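Review bot: The new `power_policy` entry reuses `sysfs_gpu`, so every domain that can already write `sysfs_gpu` files would, if the node is writable, be able to change the Mali power policy and not just read it. Which domains those are is not visible in this hunk. If the intent is read access for tracing (the commit's test is a trace during app launch), it is worth checking that no unexpected writer is included, or giving this node a narrower type. The identical hunk in PATCH 498 raises the same question.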
@@ -108,6 +108,17 @@ genfscon sysfs /devices/platform/10950000.spi/spi_master/spi6/spi6.0 genfscon proc /fts/driver_test u:object_r:proc_touch:s0 genfscon proc /fts_ext/driver_test u:object_r:proc_touch:s0 genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0 +genfscon sysfs /devices/virtual/input/input2 u:object_r:sysfs_touch:s0 +genfscon sysfs /devices/virtual/input/input3 u:object_r:sysfs_touch:s0 +genfscon sysfs /devices/virtual/input/nvt_touch u:object_r:sysfs_touch:s0 +genfscon proc /nvt_baseline u:object_r:proc_touch:s0 +genfscon proc /nvt_cc_uniformity u:object_r:proc_touch:s0 +genfscon proc /nvt_diff u:object_r:proc_touch:s0 +genfscon proc /nvt_fw_version u:object_r:proc_touch:s0 +genfscon proc /nvt_heatmap u:object_r:proc_touch:s0 +genfscon proc /nvt_pen_diff u:object_r:proc_touch:s0 +genfscon proc /nvt_raw u:object_r:proc_touch:s0 +genfscon proc /nvt_selftest u:object_r:proc_touch:s0 # GPS genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 From b834b1d0080b95729a8ccb596e8a0a8e54c6cce4 Mon Sep 17 00:00:00 2001 From: Philip Quinn Date: Wed, 25 Aug 2021 12:43:01 -0700 Subject: [PATCH 496/921] Move twoshay definitions to hardware/google/pixel-sepolicy/input. Bug: 187654303 Test: twoshay works on R4, B3, P7 Change-Id: I2cada463fcbfd3b52230430b12b091a655e2abbb Merged-In: I2cada463fcbfd3b52230430b12b091a655e2abbb --- tracking_denials/dumpstate.te | 2 -- whitechapel/vendor/google/device.te | 3 --- whitechapel/vendor/google/file_contexts | 4 ---- .../vendor/google/hal_dumpstate_default.te | 3 --- whitechapel/vendor/google/platform_app.te | 3 --- whitechapel/vendor/google/service.te | 1 - whitechapel/vendor/google/service_contexts | 1 - whitechapel/vendor/google/twoshay.te | 16 ---------------- 8 files changed, 33 deletions(-) delete mode 100644 whitechapel/vendor/google/twoshay.te diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index 1a3571bf..fa9d5cec 100644 
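Review bot: The two entries `/devices/virtual/input/input2` and `/devices/virtual/input/input3` identify the touch devices by their input index, which the kernel assigns in registration order rather than by driver. If probe order changes, `sysfs_touch` would land on a different input device and the real touch nodes would fall back to the default sysfs label; since genfscon entries match by path prefix, `input2` also covers `input20` through `input29`. Labelling by a stable name, as the `/devices/virtual/input/nvt_touch` entry in the same hunk does, would avoid both problems. The `/proc/nvt_*` additions use fixed names and are not affected.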
--- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te @@ -1,6 +1,4 @@ # b/185723618 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; -# b/187795940 -dontaudit dumpstate twoshay:binder call; # b/190337283 dontaudit dumpstate debugfs_wakeup_sources:file read; diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index bad0be07..7cd2c7f2 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -26,9 +26,6 @@ type cpuctl_device, dev_type; # Bt Wifi Coexistence device type wb_coexistence_dev, dev_type; -# Touch -type touch_offload_device, dev_type; - # LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL type lwis_device, dev_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index e8cd67ca..bb1288b4 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -383,10 +383,6 @@ /vendor/lib(64)?/hw/vulkan\.gs101\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/arm\.graphics-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 -# Touch -/dev/touch_offload u:object_r:touch_offload_device:s0 -/vendor/bin/twoshay u:object_r:twoshay_exec:s0 - # Fingerprint /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index b5608c16..612b3c0b 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te 
@@ -64,9 +64,6 @@ allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms; allow hal_dumpstate_default sysfs_thermal:file r_file_perms; allow hal_dumpstate_default sysfs_thermal:lnk_file read; -allow hal_dumpstate_default touch_context_service:service_manager find; -binder_call(hal_dumpstate_default, twoshay) - # Modem logs allow hal_dumpstate_default modem_efs_file:dir search; allow hal_dumpstate_default modem_efs_file:file r_file_perms; diff --git a/whitechapel/vendor/google/platform_app.te b/whitechapel/vendor/google/platform_app.te index 66e7721d..70480beb 100644 --- a/whitechapel/vendor/google/platform_app.te +++ b/whitechapel/vendor/google/platform_app.te @@ -13,9 +13,6 @@ allow platform_app uwb_service:service_manager find; allow platform_app fwk_stats_service:service_manager find; binder_use(platform_app) -allow platform_app touch_context_service:service_manager find; -binder_call(platform_app, twoshay) - # Fingerprint (UDFPS) GHBM/LHBM toggle get_prop(platform_app, fingerprint_ghbm_prop) diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te index 357dffe4..aa60e3f7 100644 --- a/whitechapel/vendor/google/service.te +++ b/whitechapel/vendor/google/service.te @@ -1,4 +1,3 @@ type hal_pixel_display_service, service_manager_type, vendor_service; type uwb_vendor_service, service_manager_type, vendor_service; -type touch_context_service, service_manager_type, vendor_service; type hal_uwb_vendor_service, service_manager_type, vendor_service; diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index 6fb9de1f..812105a6 100644 --- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts 
@@ -1,4 +1,3 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 -com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0 uwb_vendor u:object_r:uwb_vendor_service:s0 hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_vendor_service:s0 diff --git a/whitechapel/vendor/google/twoshay.te b/whitechapel/vendor/google/twoshay.te deleted file mode 100644 index 84087fe7..00000000 --- a/whitechapel/vendor/google/twoshay.te +++ /dev/null @@ -1,16 +0,0 @@ -type twoshay, domain; -type twoshay_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(twoshay) - -allow twoshay touch_offload_device:chr_file rw_file_perms; -allow twoshay twoshay:capability sys_nice; - -binder_use(twoshay) -add_service(twoshay, touch_context_service) - -# b/193224954 -dontaudit twoshay twoshay:capability dac_override; - -allow twoshay fwk_stats_service:service_manager find; -binder_call(twoshay, stats_service_server) \ No newline at end of file From 90d1e82ae64cac41c2c45b4e4dba70e02349e2f9 Mon Sep 17 00:00:00 2001 From: Jiyong Park Date: Fri, 6 Aug 2021 19:58:01 +0900 Subject: [PATCH 497/921] Remove ndk_platform backend. Use the ndk backend. The ndk_platform backend will soon be deprecated because the ndk backend can serve the same purpose. This is to eliminate the confusion about having two variants (ndk and ndk_platform) for the same ndk backend. Bug: 161456198 Test: m Merged-In: Icc9af3798ac89742fa56b1cb37d8116d99b4a9c2 Change-Id: Icc9af3798ac89742fa56b1cb37d8116d99b4a9c2 (cherry picked from commit 5cc5d52bd758a3345fa6afd25c8ba1d8835617b0) --- edgetpu/file_contexts | 4 ++-- whitechapel/vendor/google/file_contexts | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts index 9255e741..dcaacdcf 100644 --- a/edgetpu/file_contexts +++ b/edgetpu/file_contexts 
@@ -6,12 +6,12 @@ # EdgeTPU service binaries and libraries /system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service u:object_r:edgetpu_app_server_exec:s0 -/vendor/lib64/com\.google\.edgetpu_app_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/com\.google\.edgetpu_app_service-V1-ndk\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0 # EdgeTPU vendor service /vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service u:object_r:edgetpu_vendor_server_exec:s0 -/vendor/lib64/com\.google\.edgetpu_vendor_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/com\.google\.edgetpu_vendor_service-V1-ndk\.so u:object_r:same_process_hal_file:s0 # EdgeTPU runtime libraries /vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0 diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 639f7d49..85e6e649 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -173,7 +173,7 @@ /data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0 /vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libGralloc4Wrapper\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/pixel-power-ext-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/pixel-power-ext-V1-ndk\.so u:object_r:same_process_hal_file:s0 /dev/stmvl53l1_ranging u:object_r:rls_device:s0 
@@ -374,7 +374,7 @@ /vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/hw/gralloc\.gs101\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/hw/vulkan\.gs101\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/arm\.graphics-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0 # Touch /dev/touch_offload u:object_r:touch_offload_device:s0 @@ -431,6 +431,6 @@ /vendor/bin/wlc_upt/wlc_fw_update\.sh u:object_r:wlcfwupdate_exec:s0 # Statsd service to support EdgeTPU metrics logging service. -/vendor/lib64/android\.frameworks\.stats-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/libprotobuf-cpp-lite-3\.9\.1\.so u:object_r:same_process_hal_file:s0 From f94633e7187e2c7cf9725a06f6174be397cef015 Mon Sep 17 00:00:00 2001 From: Siddharth Kapoor Date: Thu, 21 Oct 2021 14:19:42 +0800 Subject: [PATCH 498/921] Label GPU power_policy sysfs node Bug: 201718421 Test: trace while App launch Change-Id: Icd85b8611632e4638946b492740e509baf2714ce Signed-off-by: Siddharth Kapoor --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 0c7a1c70..afdb6314 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -254,6 +254,7 @@ genfscon sysfs /devices/platform/1c500000.mali/hint_min_freq genfscon sysfs /devices/platform/1c500000.mali/dma_buf_gpu_mem u:object_r:sysfs_gpu:s0 genfscon sysfs /devices/platform/1c500000.mali/total_gpu_mem u:object_r:sysfs_gpu:s0 genfscon sysfs /devices/platform/1c500000.mali/kprcs u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1c500000.mali/power_policy u:object_r:sysfs_gpu:s0 # nvmem (Non Volatile Memory layer) genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/4-00500/nvmem u:object_r:sysfs_memory:s0 From d60240f50401213c76b9dea22cb0a7cf89390ae1 Mon Sep 17 00:00:00 2001 From: qinyiyan Date: Fri, 29 Oct 2021 15:04:31 -0700 Subject: [PATCH 499/921] Grant selinux permission to com.google.edgetpu_app_service-V2-ndk.so Bug: 204528053 Test: forrest build with the change. AVC denials don't show up. Change-Id: Ic3fafeb749156967d772d5288ecf99a44ebc7031 --- edgetpu/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts index dcaacdcf..386e7b34 100644 --- a/edgetpu/file_contexts +++ b/edgetpu/file_contexts @@ -6,7 +6,7 @@ # EdgeTPU service binaries and libraries /system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service u:object_r:edgetpu_app_server_exec:s0 -/vendor/lib64/com\.google\.edgetpu_app_service-V1-ndk\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/com\.google\.edgetpu_app_service-V[1-2]-ndk\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0 # EdgeTPU vendor service From 9a94f84d7b6f513789747486b5a822359ba5d825 Mon Sep 17 00:00:00 2001 
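Review bot: The pattern `edgetpu_app_service-V[1-2]-ndk\.so` has to be edited again for every interface version bump, and nothing in edgetpu/file_contexts says so; PATCH 500 repeats the same edit for `edgetpu_vendor_service`. Keeping the range explicit is a reasonable choice for a `same_process_hal_file` label, so widening it to a catch-all is not the suggestion here. A comment above both entries, such as `# Versioned AIDL NDK libs: extend the range when the interface version is bumped`, would save the next round of AVC denials. `[1-2]` can also be written `[12]`.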
From: Sean Wang Date: Tue, 2 Nov 2021 06:02:29 +0000 Subject: [PATCH 500/921] Grant selinux permission to com.google.edgetpu_vendor_service-V2-ndk.so This change is related to ag/16062268 with modifications to the edgetpu_vendor_service Bug: 198131843 Test: tested on oriole Change-Id: Ic512e5878a4d6af3aeaa939868b07dd449948f45 --- edgetpu/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts index 386e7b34..04f8491f 100644 --- a/edgetpu/file_contexts +++ b/edgetpu/file_contexts @@ -11,7 +11,7 @@ # EdgeTPU vendor service /vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service u:object_r:edgetpu_vendor_server_exec:s0 -/vendor/lib64/com\.google\.edgetpu_vendor_service-V1-ndk\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/com\.google\.edgetpu_vendor_service-V[1-2]-ndk\.so u:object_r:same_process_hal_file:s0 # EdgeTPU runtime libraries /vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0 From 3d463050a2a89d11a5f1d99a3033dabc63124d41 Mon Sep 17 00:00:00 2001 From: Ted Lin Date: Fri, 24 Sep 2021 17:14:15 +0800 Subject: [PATCH 501/921] Using dontaudit to fix the avc on boot test avc: denied { search } for comm="kworker/6:2" name="google_battery" dev="debugfs" ino=32648 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_battery_debugfs:s0 tclass=dir permissive=1 Bug:200739262 Test: Check bugreport Change-Id: I50a96bab88f564fef0eda9a23bb77dc6ffed357f Signed-off-by: Ted Lin (cherry picked from commit 951ce82739f1fcdf610e0a368d1f39c2067a1ebd) --- whitechapel/vendor/google/kernel.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/kernel.te b/whitechapel/vendor/google/kernel.te index 0156784e..c34e7f72 100644 --- a/whitechapel/vendor/google/kernel.te +++ b/whitechapel/vendor/google/kernel.te 
@@ -7,3 +7,5 @@ allow kernel per_boot_file:file r_file_perms; # memlat needs permision to create/delete perf events when hotplug on/off allow kernel self:capability2 perfmon; allow kernel self:perf_event cpu; + +dontaudit kernel vendor_battery_debugfs:dir search; From 18d2a96a115b42c6da7f964b3126642dcf8f4e97 Mon Sep 17 00:00:00 2001 From: Michael Ayoubi Date: Thu, 11 Nov 2021 00:02:08 +0000 Subject: [PATCH 502/921] Allow uwb_vendor_app to get SE properties Bug: 205770401 Test: Build and flash on device. Change-Id: Ic98f394434fad12e7d8ef804ecfd694a55ee8190 --- whitechapel/vendor/google/uwb_vendor_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/whitechapel/vendor/google/uwb_vendor_app.te index 675ecdb6..8822343c 100644 --- a/whitechapel/vendor/google/uwb_vendor_app.te +++ b/whitechapel/vendor/google/uwb_vendor_app.te @@ -17,6 +17,7 @@ allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; allow hal_uwb_vendor_default self:global_capability_class_set { sys_nice }; allow hal_uwb_vendor_default kernel:process { setsched }; +get_prop(uwb_vendor_app, vendor_secure_element_prop) binder_call(uwb_vendor_app, hal_uwb_vendor_default) ') From a8e745039f6b28868b425fe2d43425b933db5aea Mon Sep 17 00:00:00 2001 From: Michael Ayoubi Date: Thu, 11 Nov 2021 00:02:08 +0000 Subject: [PATCH 503/921] Allow uwb_vendor_app to get SE properties Bug: 205770401 Test: Build and flash on device. Change-Id: Ic98f394434fad12e7d8ef804ecfd694a55ee8190 Merged-In: Ic98f394434fad12e7d8ef804ecfd694a55ee8190 --- whitechapel/vendor/google/uwb_vendor_app.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/whitechapel/vendor/google/uwb_vendor_app.te index ed53fd00..7a9dddc9 100644 --- a/whitechapel/vendor/google/uwb_vendor_app.te +++ b/whitechapel/vendor/google/uwb_vendor_app.te 
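Review bot: The added `dontaudit kernel vendor_battery_debugfs:dir search;` silences the denial without a tracking reference next to it, unlike the `# b/...` comments that accompany the suppressions in tracking_denials/dumpstate.te. A `# b/200739262` line above the rule would keep it traceable. Because dontaudit hides every later `search` by the kernel domain on that type as well, the comment should also record whether the kworker access is expected to go away or is meant to stay denied.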
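Review bot: The new `get_prop(uwb_vendor_app, vendor_secure_element_prop)` is placed between the `hal_uwb_vendor_default` rules and the `binder_call`, inside a block that closes with `')` two lines later; the opening of that block is outside the hunk, so it is not visible whether the read applies to all builds. PATCH 503 adds the same rule in a different position, directly after the `uwb_vendor_data_file` rules, so the two copies may not end up under the same condition. Grouping the rule with the other `uwb_vendor_app` rules and adding a short comment on why the UWB app reads secure-element properties would keep both copies consistent.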
@@ -15,6 +15,8 @@ allow uwb_vendor_app radio_service:service_manager find; allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms; allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; +get_prop(uwb_vendor_app, vendor_secure_element_prop) + allow hal_uwb_default self:global_capability_class_set { sys_nice }; allow hal_uwb_default kernel:process { setsched }; From 63d04e1e020b7758f44a9362528c64ceb01780e6 Mon Sep 17 00:00:00 2001 From: Oleg Matcovschi Date: Wed, 10 Nov 2021 19:01:44 -0800 Subject: [PATCH 504/921] gs101:ssr_detector: Allow access to aoc properties in user builds Bug: 205755422 Signed-off-by: Oleg Matcovschi Change-Id: I684590a2ee91cf6d1edfc8a606f3a9e6672ca46f --- whitechapel/vendor/google/ssr_detector.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te index 793e51b6..958ed352 100644 --- a/whitechapel/vendor/google/ssr_detector.te +++ b/whitechapel/vendor/google/ssr_detector.te @@ -11,7 +11,6 @@ allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; userdebug_or_eng(` allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; - get_prop(ssr_detector_app, vendor_aoc_prop) allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; allow ssr_detector_app sysfs_sjtag:file rw_file_perms; allow ssr_detector_app sysfs_vendor_sched:dir search; @@ -21,3 +20,4 @@ userdebug_or_eng(` get_prop(ssr_detector_app, vendor_ssrdump_prop) get_prop(ssr_detector_app, vendor_wifi_version) +get_prop(ssr_detector_app, vendor_aoc_prop) From 37d4cfa648c1d295a4a1bdd7363835dfa83ccaaf Mon Sep 17 00:00:00 2001 
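Review bot: Moving `get_prop(ssr_detector_app, vendor_aoc_prop)` out of the `userdebug_or_eng` block in whitechapel/vendor/google/ssr_detector.te extends the property read to production builds, and neither the commit message nor the file says which AoC properties the app needs there. The coredump, sjtag and vendor_sched rules stay debug-only, so a one-line reason keeps that boundary reviewable, for example `# Needed on user builds as well (b/205755422): <reason>`. It is also worth checking that everything labelled vendor_aoc_prop is acceptable for this app to read on user builds; the property list is outside this hunk.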
From: chenpaul Date: Fri, 5 Nov 2021 16:33:32 +0800 Subject: [PATCH 505/921] Remove wifi_logger related sepolicy settings Due to the fact that /vendor/bin/wifi_logger no longer exists on the P21 master branch any more, we remove obsolete sepolicy. Bug: 201599426 Test: wlan_logger in Pixel Logger is workable Change-Id: I22d99c3577f3cceb786e2ffd01c327a67d420202 --- gs101-sepolicy.mk | 3 --- 1 file changed, 3 deletions(-) diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk index 989bb70b..f00a170e 100644 --- a/gs101-sepolicy.mk +++ b/gs101-sepolicy.mk @@ -35,8 +35,5 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/sscoredump # Sniffer Logger BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_sniffer -# Wifi Logger -BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_logger - # Public PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs101-sepolicy/public From c0ad9b7e8a1d5dd707b4c9284afc9c7810f55c72 Mon Sep 17 00:00:00 2001 From: Albert Wang Date: Fri, 12 Nov 2021 14:32:17 +0800 Subject: [PATCH 506/921] Allow suspend_control to access xHCI wakeup node Bug: 205138535 Test: n/a Signed-off-by: Albert Wang Change-Id: I6e012fea56c50656c8f26216199459092dcfc0f9 --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index f93bc487..9addc141 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -101,6 +101,7 @@ genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 # Touch genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0 From 002907fb12d1af03c0b02d75764658cdae15160a Mon Sep 17 00:00:00 2001 From: yixuanjiang Date: Tue, 16 Nov 2021 14:38:20 +0800 Subject: [PATCH 507/921] aoc: add audio property for audio aocdump feature Bug: 204080552 Test: local Signed-off-by: yixuanjiang Change-Id: I79b960cf5e88856c37f7901d718ac8f14e44b812 --- whitechapel/vendor/google/property_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 18a6059c..ac829149 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -60,6 +60,7 @@ persist.vendor.audio. u:object_r:vendor_audio_prop:s0 vendor.audiodump.log.ondemand u:object_r:vendor_audio_prop:s0 vendor.audiodump.log.config u:object_r:vendor_audio_prop:s0 vendor.audiodump.output.dir u:object_r:vendor_audio_prop:s0 +vendor.audiodump.encode.disable u:object_r:vendor_audio_prop:s0 # for display From e6fb90425db144e3af51d0b165a27b954a82f088 Mon Sep 17 00:00:00 2001 From: Albert Wang Date: Fri, 12 Nov 2021 14:32:17 +0800 Subject: [PATCH 508/921] [RESTRICT AUTOMERGE] Allow suspend_control to access xHCI wakeup node Bug: 205138535 Test: n/a 
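Review bot: The genfscon entry added to whitechapel/vendor/google/genfs_contexts hard-codes the auto-assigned platform device name `xhci-hcd-exynos.5.auto`, so the sysfs_wakeup label applies only while the xHCI controller is enumerated with that id. The branch copy in PATCH 508 has the same dependency, as does PATCH 512, which adds the `.4.auto` variant and describes itself as a workaround. When the id differs the node presumably falls back to the default sysfs label and the suspend_control denial comes back, which fails closed but is easy to miss. I would add `# xHCI wakeup node: the .N.auto id is assigned at probe time, keep in sync with the kernel (b/205138535)` above the entry.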
Signed-off-by: Albert Wang Change-Id: I6e012fea56c50656c8f26216199459092dcfc0f9 Merged-In: I6e012fea56c50656c8f26216199459092dcfc0f9 --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index afdb6314..6397bd1f 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -99,6 +99,7 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wake genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 # Touch genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0 From d7947930ec57e6b4ace7c2d697f77f1d5eb14dbb Mon Sep 17 00:00:00 2001 From: chenpaul Date: Fri, 5 Nov 2021 16:33:32 +0800 Subject: [PATCH 509/921] Remove wifi_logger related sepolicy settings Due to the fact that /vendor/bin/wifi_logger no longer exists on the P21 master branch any more, we remove obsolete sepolicy. Bug: 201599426 Test: wlan_logger in Pixel Logger is workable Change-Id: I22d99c3577f3cceb786e2ffd01c327a67d420202 --- gs101-sepolicy.mk | 3 --- 1 file changed, 3 deletions(-) diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk index b9b3b8c5..d8b19689 100644 --- a/gs101-sepolicy.mk +++ b/gs101-sepolicy.mk 
@@ -29,9 +29,6 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats # sscoredump BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/sscoredump -# Wifi Logger -BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_logger - # Public PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs101-sepolicy/public From 68ffcb774d50d951d57983537ecb50ffdbd03aca Mon Sep 17 00:00:00 2001 From: Randall Huang Date: Tue, 23 Nov 2021 11:08:27 +0800 Subject: [PATCH 510/921] Fix health HAL avc denied when running idle-maint Log: avc: denied { read } for comm="android.hardwar" name="wb_avail_buf" dev="sysfs" ino=59061 scontext=u:r:hal_health_storage_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 Bug: 206741894 Test: adb shell sm idle-maint run Signed-off-by: Randall Huang Change-Id: I79e7763df16816e6799f288d2f8b7e26c204cbc4 --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 9addc141..3f888564 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -63,6 +63,7 @@ genfscon sysfs /devices/platform/14700000.ufs/hibern8_on_idle_enable u:object genfscon sysfs /devices/platform/14700000.ufs/health_descriptor u:object_r:sysfs_scsi_devices_0000:s0 genfscon sysfs /devices/platform/14700000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0 genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/attributes/wb_avail_buf u:object_r:sysfs_scsi_devices_0000:s0 # Networking / Tethering genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/ieee802154/phy0/net u:object_r:sysfs_net:s0 From 4075287498706dcd322b52de4f85692bb35c3c32 Mon Sep 17 00:00:00 2001 
From: Rick Yiu Date: Thu, 25 Nov 2021 21:54:47 +0800 Subject: [PATCH 511/921] gs101-sepolicy: Fix avc denials Fix below and other potential denials 11-21 10:10:43.984 3417 3417 I auditd : type=1400 audit(0.0:4): avc: denied { write } for comm=4173796E635461736B202332 path="/sys/kernel/vendor_sched/set_task_group_fg" dev="sysfs" ino=44511 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_vendor_sched:s0 tclass=file permissive=0 app=com.google.android.pixel.setupwizard 11-21 10:10:44.840 3976 3976 I auditd : type=1400 audit(0.0:10): avc: denied { write } for comm="StallDetector-1" path="/sys/kernel/vendor_sched/set_task_group_fg" dev="sysfs" ino=44511 scontext=u:r:untrusted_app_30:s0:c170,c256,c512,c768 tcontext=u:object_r:sysfs_vendor_sched:s0 tclass=file permissive=0 app=com.google.android.inputmethod.latin 11-21 18:10:51.280 5595 5595 I auditd : type=1400 audit(0.0:102): avc: denied { write } for comm="SharedPreferenc" path="/sys/kernel/vendor_sched/set_task_group_fg" dev="sysfs" ino=44511 scontext=u:r:gmscore_app:s0:c512,c768 tcontext=u:object_r:sysfs_vendor_sched:s0 tclass=file permissive=0 app=com.google.android.gms Bug: 206970384 Test: make selinux_policy pass Change-Id: I7c981ef0516dc5be93ec825768de57c15786b4bd --- private/gmscore_app.te | 1 + private/priv_app.te | 1 + whitechapel/vendor/google/logger_app.te | 1 + whitechapel/vendor/google/mediaprovider.te | 1 + whitechapel/vendor/google/shell.te | 1 + whitechapel/vendor/google/untrusted_app_all.te | 1 + 6 files changed, 6 insertions(+) diff --git a/private/gmscore_app.te b/private/gmscore_app.te index fa20f247..3968de30 100644 --- a/private/gmscore_app.te +++ b/private/gmscore_app.te @@ -1,2 +1,3 @@ # b/177389198 dontaudit gmscore_app adbd_prop:file *; +dontaudit gmscore_app sysfs_vendor_sched:file write; diff --git a/private/priv_app.te b/private/priv_app.te index 2ef1f969..de2a4f28 100644 --- a/private/priv_app.te +++ b/private/priv_app.te 
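Review bot: The new `dontaudit gmscore_app sysfs_vendor_sched:file write;` in private/gmscore_app.te has no bug reference, unlike the `# b/177389198` line above it, and the same uncommented rule is added for priv_app, logger_app, mediaprovider, shell and untrusted_app_all in the hunks that follow. These rules do not grant the write; they only stop the denial from being logged, so a write attempt on /sys/kernel/vendor_sched/set_task_group_fg from an untrusted app no longer leaves an audit record. If that record has value for triage or detection, fixing whatever code issues the write from app threads would keep it; the origin of the writes is not visible on this page. At minimum I would add `# b/206970384: app threads try to write vendor_sched set_task_group_fg; denied, not audited` above each rule.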
@@ -17,3 +17,4 @@ dontaudit priv_app ab_update_gki_prop:file { getattr }; dontaudit priv_app ab_update_gki_prop:file { map }; dontaudit priv_app adbd_prop:file { open }; dontaudit priv_app adbd_prop:file { getattr }; +dontaudit priv_app sysfs_vendor_sched:file write; diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te index 8c8f5197..d091cff0 100644 --- a/whitechapel/vendor/google/logger_app.te +++ b/whitechapel/vendor/google/logger_app.te @@ -25,4 +25,5 @@ userdebug_or_eng(` dontaudit logger_app default_prop:file { read }; dontaudit logger_app sysfs_vendor_sched:dir search; + dontaudit logger_app sysfs_vendor_sched:file write; ') diff --git a/whitechapel/vendor/google/mediaprovider.te b/whitechapel/vendor/google/mediaprovider.te index a1b629f8..835593fc 100644 --- a/whitechapel/vendor/google/mediaprovider.te +++ b/whitechapel/vendor/google/mediaprovider.te @@ -1 +1,2 @@ dontaudit mediaprovider sysfs_vendor_sched:dir search; +dontaudit mediaprovider sysfs_vendor_sched:file write; diff --git a/whitechapel/vendor/google/shell.te b/whitechapel/vendor/google/shell.te index aa4dfa44..abc2f2cc 100644 --- a/whitechapel/vendor/google/shell.te +++ b/whitechapel/vendor/google/shell.te @@ -7,3 +7,4 @@ userdebug_or_eng(` ') dontaudit shell sysfs_vendor_sched:dir search; +dontaudit shell sysfs_vendor_sched:file write; diff --git a/whitechapel/vendor/google/untrusted_app_all.te b/whitechapel/vendor/google/untrusted_app_all.te index 04229ff6..dda81542 100644 --- a/whitechapel/vendor/google/untrusted_app_all.te +++ b/whitechapel/vendor/google/untrusted_app_all.te @@ -3,3 +3,4 @@ allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms; dontaudit untrusted_app_all sysfs_vendor_sched:dir search; +dontaudit untrusted_app_all sysfs_vendor_sched:file write; From a506ed1e06ed148c9a25c854089a683106b5a82f Mon Sep 17 00:00:00 2001 
From: Albert Wang Date: Wed, 1 Dec 2021 23:45:19 +0800 Subject: [PATCH 512/921] Allow suspend_control to access xHCI wakeup node This is a WORKAROUND to avoid the xHCI wakeup node permission problem, since system will automatically allocated device ID. Bug: 205138535 Test: n/a Signed-off-by: Albert Wang Change-Id: Ia2ca04618f950bdded4aea76c897579eb4b92daf --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 6397bd1f..626e91b7 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -100,6 +100,7 @@ genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 # Touch genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0 From 02a20e025f823ad846cd91713488eb0b7f9e266f Mon Sep 17 00:00:00 2001 From: joenchen Date: Fri, 19 Nov 2021 13:23:43 +0000 Subject: [PATCH 513/921] Label min_vrefresh and idle_delay_ms as sysfs_display Bug: 202567084 Test: Check the files label by "adb shell ls -Z" Change-Id: I29243751ab5f38eca5d8e4221122764f79c75e04 --- whitechapel/vendor/google/genfs_contexts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index f0663808..588b786e 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -130,6 +130,10 @@ genfscon sysfs /devices/virtual/pps/pps0/assert_elapsed # Display genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 From bef2d7397cf45af6dac80a7b4717822caecbadf8 Mon Sep 17 00:00:00 2001 From: joenchen Date: Fri, 19 Nov 2021 13:23:43 +0000 Subject: [PATCH 514/921] Label min_vrefresh and idle_delay_ms as sysfs_display Bug: 202567084 Test: Check the files label by "adb shell ls -Z" Change-Id: I29243751ab5f38eca5d8e4221122764f79c75e04 Merged-In: I29243751ab5f38eca5d8e4221122764f79c75e04 --- whitechapel/vendor/google/genfs_contexts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 6397bd1f..b06cc1de 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -115,6 +115,10 @@ genfscon sysfs /devices/virtual/pps/pps0/assert_elapsed # Display genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 From 8d4e8a65d67afa21a556963d63b0bb1e169b0243 Mon Sep 17 00:00:00 2001 From: joenchen Date: Fri, 19 Nov 2021 13:23:43 +0000 Subject: [PATCH 515/921] Label min_vrefresh and idle_delay_ms as sysfs_display Bug: 202567084 Test: Check the files label by "adb shell ls -Z" Change-Id: I29243751ab5f38eca5d8e4221122764f79c75e04 Merged-In: I29243751ab5f38eca5d8e4221122764f79c75e04 --- whitechapel/vendor/google/genfs_contexts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 626e91b7..cea476c4 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -116,6 +116,10 @@ genfscon sysfs /devices/virtual/pps/pps0/assert_elapsed # Display genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 From 734d79bdaf9d69cefbf0ea54b6481e05e42e905c Mon Sep 17 00:00:00 2001 From: Chris Kuiper Date: Wed, 1 Dec 2021 21:29:36 -0800 Subject: [PATCH 516/921] selinux: Allow sensor HAL to access the display service HAL Add necessary permissions. Bug: b/204471211 Test: Testing with corresponding sensor HAL changes and sensor_test commands. Change-Id: I01774210693ceb4a6d0d4dee4fb5e905117774d3 --- usf/sensor_hal.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index 22a42087..ac9d5c2d 100644 --- a/usf/sensor_hal.te +++ b/usf/sensor_hal.te 
@@ -55,6 +55,10 @@ get_prop(hal_sensors_default, vendor_dynamic_sensor_prop) # Allow access to raw HID devices for dynamic sensors. allow hal_sensors_default hidraw_device:chr_file rw_file_perms; +# Allow sensor HAL to access the display service HAL +allow hal_sensors_default hal_pixel_display_service:service_manager find; +binder_call(hal_sensors_default, hal_graphics_composer_default) + # # Suez type enforcements. # From 11c8ad745aca354b7e9cddbe817eb5bdcd0abea4 Mon Sep 17 00:00:00 2001 From: Cliff Wu Date: Mon, 22 Nov 2021 23:40:57 +0800 Subject: [PATCH 517/921] Update the sepolicy for exo_camera_injection v1.1 - Update exo_camera_injection hal service from 1.0 to 1.1. - Selinux avc log: avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=152 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0. Bug: 202092371 Test: Verified exo_camera_injection provider service use cases function as expected; no denials. Change-Id: Ica94a00db580356158d94af2ae6dbe9c9a81be0a --- whitechapel/vendor/google/exo_camera_injection/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/exo_camera_injection/file_contexts b/whitechapel/vendor/google/exo_camera_injection/file_contexts index cfcbd6ff..98627c63 100644 --- a/whitechapel/vendor/google/exo_camera_injection/file_contexts +++ b/whitechapel/vendor/google/exo_camera_injection/file_contexts @@ -1 +1 @@ -/vendor/bin/hw/vendor\.google\.exo_camera_injection@1\.0-service u:object_r:hal_exo_camera_injection_exec:s0 +/vendor/bin/hw/vendor\.google\.exo_camera_injection@1\.1-service u:object_r:hal_exo_camera_injection_exec:s0 From 8f356044ffd6c71ecaa2e68ea6358a74c7d2aa2c Mon Sep 17 00:00:00 2001 From: Super Liu Date: Thu, 9 Dec 2021 14:35:51 +0800 Subject: [PATCH 518/921] Allow vendor init to read gesture_prop. Bug: 209713977 Bug: 193467627 Test: local test. 
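Review bot: The comment added in usf/sensor_hal.te says the sensor HAL accesses the display service HAL, but the `binder_call` below it targets the whole `hal_graphics_composer_default` domain, while only the `find` rule names `hal_pixel_display_service`. If the display service is hosted in the composer process that is the expected shape, but the rule then lets the sensor HAL reach every binder interface that process serves, so access control per interface has to live in the service itself. I would extend the comment to `# Allow sensor HAL to access the display service HAL, which is served by the composer HAL process (b/204471211)` and say what the sensor HAL reads from it.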
Signed-off-by: Super Liu Change-Id: I7f061f550bcf6c3a61b5528e8c21eae8567e677b --- whitechapel/vendor/google/vendor_init.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 321da078..8b66b73b 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -1,3 +1,4 @@ +get_prop(vendor_init, gesture_prop) set_prop(vendor_init, vendor_camera_prop) set_prop(vendor_init, vendor_device_prop) set_prop(vendor_init, vendor_modem_prop) From 3f9a11fa0b59339d51cc4d4edcb718c27c905c0e Mon Sep 17 00:00:00 2001 From: Stephen Crane Date: Tue, 14 Dec 2021 14:33:56 -0800 Subject: [PATCH 519/921] Allow TEE storageproxyd permissions needed for DSU handling Allows the vendor TEE access to GSI metadata files (which are publicly readable). Storageproxyd needs access to this metadata to determine if a GSI image is currently booted. Also allows the TEE domain to make new directories in its data path. Test: access /metadata/gsi/dsu/booted from storageproxyd Bug: 203719297 Change-Id: I86055dd5601f8c2899d28f29bdfcb4dcb9b90d1b --- whitechapel/vendor/google/storageproxyd.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te index d6acb458..76552d04 100644 --- a/whitechapel/vendor/google/storageproxyd.te +++ b/whitechapel/vendor/google/storageproxyd.te @@ -8,6 +8,10 @@ allow tee persist_ss_file:file create_file_perms; allow tee persist_ss_file:dir create_dir_perms; allow tee persist_file:dir r_dir_perms; allow tee mnt_vendor_file:dir r_dir_perms; +allow tee tee_data_file:dir rw_dir_perms; allow tee tee_data_file:lnk_file r_file_perms; allow tee sg_device:chr_file rw_file_perms; allow tee self:capability { setgid setuid }; + +# Allow storageproxyd access to gsi_public_metadata_file +read_fstab(tee) From 0b5b4a969204dd32a41a741f7a87c24769445ad1 Mon Sep 17 00:00:00 2001 
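Review bot: In whitechapel/vendor/google/storageproxyd.te the added `allow tee tee_data_file:dir rw_dir_perms;` does not appear to match the description's "make new directories in its data path": in the AOSP macro set rw_dir_perms covers add_name, remove_name and write on an existing directory, and `create` on the dir class comes only with create_dir_perms (the macros are defined outside this page, so confirm against global_macros). If mkdir is really needed the rule is too narrow and the denial will return; if only entries inside an existing directory are created, the description should say so and the narrower grant is the right one. The comment above `read_fstab(tee)` names only gsi_public_metadata_file, while the macro may grant more than that one type; I would word it `# read_fstab: lets storageproxyd check /metadata/gsi/dsu/booted to detect a booted GSI`.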
From: Cyan_Hsieh Date: Mon, 20 Dec 2021 10:09:58 +0800 Subject: [PATCH 520/921] Add pvmfw to custom_ab_block_device Bug: 211070100 Change-Id: Icd8f6d1837b8124bd8cd7b3d59d43b755455bae6 --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 70a37ee0..d7ac4461 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -66,6 +66,7 @@ /dev/block/platform/14700000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/pvmfw_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/reclaim_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/super u:object_r:super_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0 From b287da183eec3806b1705469ba5395fc5be7f959 Mon Sep 17 00:00:00 2001 From: Joel Galenson Date: Tue, 21 Dec 2021 07:27:03 -0800 Subject: [PATCH 521/921] Include core policy OWNERS. Test: None Change-Id: I053d84eba7695fe125783b536421d43117b3f16d --- OWNERS | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/OWNERS b/OWNERS index a24d5fb4..791abb4a 100644 --- a/OWNERS +++ b/OWNERS @@ -1,11 +1,3 @@ -adamshih@google.com -alanstokes@google.com -bowgotsai@google.com -jbires@google.com -jeffv@google.com -jgalenson@google.com -jiyong@google.com +include platform/system/sepolicy:/OWNERS + rurumihong@google.com -sspatil@google.com -smoreland@google.com -trong@google.com From 317166636f2f45d064beffaa24df5ead08be32e7 Mon Sep 17 00:00:00 2001 
From: Matt Buckley Date: Tue, 28 Dec 2021 18:50:28 +0000 Subject: [PATCH 522/921] Allow HWC to get device_config_surface_flinger_native_boot_prop for adpf flags For the hardware composer and surfaceflinger to coordinate on certain features, it is necessary for the hardware composer to be able to read the surface_flinger_native_boot_prop to know what should be enabled. Bug: b/195990840 Test: None Change-Id: Idc1599820026febecda84233d60982e7db7b14b5 --- display/gs101/hal_graphics_composer_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/display/gs101/hal_graphics_composer_default.te b/display/gs101/hal_graphics_composer_default.te index 1bea8b50..c1eac9ce 100644 --- a/display/gs101/hal_graphics_composer_default.te +++ b/display/gs101/hal_graphics_composer_default.te @@ -28,6 +28,9 @@ get_prop(hal_graphics_composer_default, vendor_persist_sys_default_prop) # allow HWC to get vendor_display_prop get_prop(hal_graphics_composer_default, vendor_display_prop) +# allow HWC to get device_config_surface_flinger_native_boot_prop for adpf flags +get_prop(hal_graphics_composer_default, device_config_surface_flinger_native_boot_prop) + # allow HWC to access vendor_displaycolor_service add_service(hal_graphics_composer_default, vendor_displaycolor_service) From 2fe229352bddee03740ac8382fedd040b6a9abc0 Mon Sep 17 00:00:00 2001 From: David Anderson Date: Tue, 28 Dec 2021 13:09:35 -0800 Subject: [PATCH 523/921] Fix sepolicy denial in update_engine. pvmfw is an A/B partition but is not properly labeled and update_engine gets a denial trying to write to it. Bug: N/A Test: m otapackage, apply OTA, check for denials Change-Id: I55f41a8937384d3bcda5797b5df3f34257f7a114 --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 241be432..e7d08435 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -68,6 +68,7 @@ /dev/block/platform/14700000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/pvmfw_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/reclaim_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/super u:object_r:super_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0 From 5521fb530c0f2d157e27c2ffb3515dd9bc693ce7 Mon Sep 17 00:00:00 2001 From: Yifan Hong Date: Wed, 5 Jan 2022 23:08:07 -0800 Subject: [PATCH 524/921] Implement health AIDL HAL. Test: VTS Test: manual charger mode Test: recovery Bug: 213273090 Change-Id: Iabaf31644f4406092a881841fb4084499fb4de89 --- gs101-sepolicy.mk | 3 +++ health/file_contexts | 1 + 2 files changed, 4 insertions(+) create mode 100644 health/file_contexts diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk index d8b19689..d33fcd4e 100644 --- a/gs101-sepolicy.mk +++ b/gs101-sepolicy.mk @@ -36,3 +36,6 @@ PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs101-sepolicy/public ifeq ($(TARGET_PKVM_ENABLED),true) BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/pkvm endif + +# Health HAL +BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/health diff --git a/health/file_contexts b/health/file_contexts new file mode 100644 index 00000000..55321741 --- /dev/null +++ b/health/file_contexts @@ -0,0 +1 @@ +/vendor/bin/hw/android\.hardware\.health-service\.gs101 u:object_r:hal_health_default_exec:s0 From b0880417ff61e31f3e11f8b25d8f8517985afb1e Mon Sep 17 00:00:00 2001 
From: Joel Galenson Date: Tue, 21 Dec 2021 07:27:03 -0800 Subject: [PATCH 525/921] Include core policy OWNERS. Test: None Change-Id: I053d84eba7695fe125783b536421d43117b3f16d (cherry picked from commit b287da183eec3806b1705469ba5395fc5be7f959) --- OWNERS | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/OWNERS b/OWNERS index a24d5fb4..791abb4a 100644 --- a/OWNERS +++ b/OWNERS @@ -1,11 +1,3 @@ -adamshih@google.com -alanstokes@google.com -bowgotsai@google.com -jbires@google.com -jeffv@google.com -jgalenson@google.com -jiyong@google.com +include platform/system/sepolicy:/OWNERS + rurumihong@google.com -sspatil@google.com -smoreland@google.com -trong@google.com From 8337626f4a40d3b0b65ebed41b3e6f6e9a6acde3 Mon Sep 17 00:00:00 2001 From: Vinay Kalia Date: Thu, 16 Dec 2021 00:08:15 +0000 Subject: [PATCH 526/921] [DO NOT MERGE] Allow media codec to access power HAL This commit fixes the following denials: W /vendor/bin/hw/google.hardware.media.c2@1.0-service: type=1400 audit(0.0:276): avc: denied { call } for comm=436F646563322E30204C6F6F706572 scontext=u:r:mediacodec:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=0 bug: 206687836 Test: Secure HFR AV1 video playback with resolution change. Signed-off-by: Vinay Kalia Change-Id: I79c20bda87af6066ae667a5176747378718a3a62 --- whitechapel/vendor/google/mediacodec.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/mediacodec.te b/whitechapel/vendor/google/mediacodec.te index ed7c1adf..f92302eb 100644 --- a/whitechapel/vendor/google/mediacodec.te +++ b/whitechapel/vendor/google/mediacodec.te @@ -7,3 +7,4 @@ allow mediacodec hal_camera_default:binder call; allow mediacodec sysfs_video:file r_file_perms; allow mediacodec sysfs_video:dir r_dir_perms; allow mediacodec dmabuf_system_secure_heap_device:chr_file r_file_perms; +hal_client_domain(mediacodec, hal_power); From c876449a7b834cff5b397584f634281880952e75 Mon Sep 17 00:00:00 2001 
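Review bot: `hal_client_domain(mediacodec, hal_power);` at the end of whitechapel/vendor/google/mediacodec.te ends with a `;`, which the other macro calls in this policy (`get_prop(...)`, `binder_call(...)`) do not, and it has no comment. The only denial quoted in the commit is a binder `call` to servicemanager, while the macro makes mediacodec a client of the power HAL as a whole, so the file should state that this wider grant is intended. I would write `# Allow mediacodec to use the power HAL (b/206687836)` followed by `hal_client_domain(mediacodec, hal_power)`.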
From: Matt Buckley Date: Sat, 8 Jan 2022 00:00:58 +0000 Subject: [PATCH 527/921] Allow HWC to get device_config_surface_flinger_native_boot_prop for adpf flags For the hardware composer and surfaceflinger to coordinate on certain features, it is necessary for the hardware composer to be able to read the surface_flinger_native_boot_prop to know what should be enabled. Bug: b/195990840 Test: None Change-Id: I41e1aa0f80c1138cf46f4f139253158b005a8634 --- display/gs101/hal_graphics_composer_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/display/gs101/hal_graphics_composer_default.te b/display/gs101/hal_graphics_composer_default.te index 1bea8b50..c1eac9ce 100644 --- a/display/gs101/hal_graphics_composer_default.te +++ b/display/gs101/hal_graphics_composer_default.te @@ -28,6 +28,9 @@ get_prop(hal_graphics_composer_default, vendor_persist_sys_default_prop) # allow HWC to get vendor_display_prop get_prop(hal_graphics_composer_default, vendor_display_prop) +# allow HWC to get device_config_surface_flinger_native_boot_prop for adpf flags +get_prop(hal_graphics_composer_default, device_config_surface_flinger_native_boot_prop) + # allow HWC to access vendor_displaycolor_service add_service(hal_graphics_composer_default, vendor_displaycolor_service) From 1459e9734a4f752ec403737e8c5e11ba28d7dc74 Mon Sep 17 00:00:00 2001 From: Yabin Cui Date: Mon, 10 Jan 2022 11:25:25 -0800 Subject: [PATCH 528/921] Add SOC specific ETM sysfs paths Bug: 213519191 Test: run profcollectd on oriole Change-Id: Ib1ae7466c76362b8242f2bb8560bb8b1d80c4253 --- whitechapel/vendor/google/genfs_contexts | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 6124bc5d..d1fd5d77 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -321,3 +321,13 @@ genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_t genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 + +# Coresight ETM +genfscon sysfs /devices/platform/25840000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/25940000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/25a40000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/25b40000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/25c40000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/25d40000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/25e40000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/25f40000.etm u:object_r:sysfs_devices_cs_etm:s0 From ca0622247251d6c817b87893a56c03ff71c753c9 Mon Sep 17 00:00:00 2001 
From: YiHo Cheng Date: Thu, 6 Jan 2022 06:21:08 +0800 Subject: [PATCH 529/921] thermal: Label tmu register dump sysfs Allow dumpstate to access tmu register dump sysfs [ 1155.422181] type=1400 audit(1641335196.892:8): avc: denied { read } for comm="dumpstate@1.1-s" name="tmu_reg_dump_state" dev="sysfs" ino=68561 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 [ 1155.423398] type=1400 audit(1641335196.892:9): avc: denied { read } for comm="dumpstate@1.1-s" name="tmu_reg_dump_current_temp" dev="sysfs" ino =68562 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 [ 1155.443740] type=1400 audit(1641335196.896:10): avc: denied { read } for comm="dumpstate@1.1-s" name="tmu_top_reg_dump_rise_thres" dev="sysfs" ino=68563 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 [ 1155.466064] type=1400 audit(1641335196.896:11): avc: denied { read } for comm="dumpstate@1.1-s" name="tmu_top_reg_dump_fall_thres" dev="sysfs" ino=68565 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 [ 1155.488251] type=1400 audit(1641335196.916:12): avc: denied { read } for comm="dumpstate@1.1-s" name="tmu_sub_reg_dump_rise_thres" dev="sysfs" ino=68564 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 [ 1155.510614] type=1400 audit(1641335196.960:13): avc: denied { read } for comm="dumpstate@1.1-s" name="tmu_sub_reg_dump_fall_thres" dev="sysfs" ino=68566 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 o Bug: 202736838 Test: check thermal section in dumpstate Change-Id: Icecca9f69ee9b57d43aa2864864951bf66c4905f --- whitechapel/vendor/google/genfs_contexts | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index cea476c4..3029d7f7 100644 
--- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -324,6 +324,14 @@ genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_ genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0 +# thermal sysfs files +genfscon sysfs /module/gs101_thermal/parameters/tmu_reg_dump_state u:object_r:sysfs_thermal:s0 +genfscon sysfs /module/gs101_thermal/parameters/tmu_reg_dump_current_temp u:object_r:sysfs_thermal:s0 +genfscon sysfs /module/gs101_thermal/parameters/tmu_top_reg_dump_rise_thres u:object_r:sysfs_thermal:s0 +genfscon sysfs /module/gs101_thermal/parameters/tmu_top_reg_dump_fall_thres u:object_r:sysfs_thermal:s0 +genfscon sysfs /module/gs101_thermal/parameters/tmu_sub_reg_dump_rise_thres u:object_r:sysfs_thermal:s0 +genfscon sysfs /module/gs101_thermal/parameters/tmu_sub_reg_dump_fall_thres u:object_r:sysfs_thermal:s0 + # USB-C throttling stats genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0 From a21b7f88007012fed111896c0e79a56117f65f93 Mon Sep 17 00:00:00 2001 
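Review bot: The six `tmu_*reg_dump*` module parameters in `genfs_contexts` are given the existing `sysfs_thermal` type, so every domain that already holds rules on `sysfs_thermal` gets the same access to the raw TMU register dumps, while the denials in the commit message concern only `hal_dumpstate_default` reading them. If any of those domains may write `sysfs_thermal` files (not visible in this hunk), the parameters become writable to them as well. A dedicated type, or at least a comment such as `# TMU register dumps, read by hal_dumpstate_default for bugreports (b/202736838)`, would make the intended reader explicit. No allow rule for `hal_dumpstate_default` is part of this patch, so the read presumably relies on a rule defined elsewhere.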
From: Jasmine Cha Date: Thu, 16 Sep 2021 17:57:33 +0800 Subject: [PATCH 530/921] audio: add permission to request health/sensor data - Add audio hal into hal_health clients - Allow audio hal to find fwk_sensor_hwservice SELinux : avc: denied { find } for interface=android.frameworks.sensorservice::ISensorManager sid=u:r:hal_audio_default:s0 pid=5907 scontext=u:r:hal_audio_default:s0 tcontext=u:object_r:fwk_sensor_hwservice:s0 tclass=hwservice_manager permissive=1 SELinux : avc: denied { find } for interface=android.hardware.health::IHealth sid=u:r:hal_audio_default:s0 pid=9875 scontext=u:r:hal_audio_default:s0 tcontext=u:object_r:hal_health_hwservice:s0 tclass=hwservice_manager permissive=1 audio.service: type=1400 audit(0.0:14): avc: denied { call } for scontext=u:r:hal_audio_default:s0 tcontext=u:r:hal_health_default:s0 tclass=binder permissive=1 audio.service: type=1400 audit(0.0:15): avc: denied { transfer } for scontext=u:r:hal_audio_default:s0 tcontext=u:r:hal_health_default:s0 tclass=binder permissive=1 Bug: 199382564 Bug: 199801586 Test: build pass Signed-off-by: Jasmine Cha Change-Id: I8e8a512cfbd6be814c98bac75ff6c0e5db028db2 Merged-In: I8e8a512cfbd6be814c98bac75ff6c0e5db028db2 --- whitechapel/vendor/google/hal_audio_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/hal_audio_default.te b/whitechapel/vendor/google/hal_audio_default.te index 5ee99469..1f3edbe2 100644 --- a/whitechapel/vendor/google/hal_audio_default.te +++ b/whitechapel/vendor/google/hal_audio_default.te @@ -23,6 +23,9 @@ allow hal_audio_default dmabuf_heap_device:chr_file r_file_perms; get_prop(hal_audio_default, vendor_audio_prop); +hal_client_domain(hal_audio_default, hal_health); +allow hal_audio_default fwk_sensor_hwservice:hwservice_manager find; + userdebug_or_eng(` allow hal_audio_default self:unix_stream_socket create_stream_socket_perms; allow hal_audio_default audio_vendor_data_file:sock_file { create unlink }; 
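Review bot: Both rules added to `hal_audio_default.te` sit outside the `userdebug_or_eng` block that follows them, so the audio HAL becomes a health-HAL client and may `find` `fwk_sensor_hwservice` on user builds too, and nothing in the file says why an audio service needs battery or sensor data. A comment such as `# Audio HAL reads health and sensor data (b/199382564, b/199801586)` above the two lines would record the reason. All four denials quoted in the commit message are `permissive=1` and the test is "build pass", so it should be confirmed in enforcing mode that `find` alone is sufficient for the sensor service; a binder rule toward the process hosting it may still be missing. The `hal_client_domain(hal_audio_default, hal_thermal);` line added in PATCH 531 has the same documentation gap.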
From 2abecb1519f2e20ee7cbd512d5d7ea9a5b5d9296 Mon Sep 17 00:00:00 2001 From: Jasmine Cha Date: Mon, 13 Dec 2021 13:52:56 +0800 Subject: [PATCH 531/921] audio: add sepolicy for getting thermal event type=1400 audit(0.0:15): avc: denied { call } for scontext=u:r:hal_audio_default:s0 tcontext=u:r:hal_thermal_default:s0 tclass=binder permissive=1 type=1400 audit(0.0:16): avc: denied { transfer } for scontext=u:r:hal_audio_default:s0 tcontext=u:r:hal_thermal_default:s0 tclass=binder permissive=1 Bug: 204271308 Test: build pass Signed-off-by: Jasmine Cha Change-Id: I900de2a2d8bf0753543ef4428374e782908e7aee --- whitechapel/vendor/google/hal_audio_default.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/hal_audio_default.te b/whitechapel/vendor/google/hal_audio_default.te index 1f3edbe2..0755cba1 100644 --- a/whitechapel/vendor/google/hal_audio_default.te +++ b/whitechapel/vendor/google/hal_audio_default.te @@ -24,6 +24,7 @@ allow hal_audio_default dmabuf_heap_device:chr_file r_file_perms; get_prop(hal_audio_default, vendor_audio_prop); hal_client_domain(hal_audio_default, hal_health); +hal_client_domain(hal_audio_default, hal_thermal); allow hal_audio_default fwk_sensor_hwservice:hwservice_manager find; userdebug_or_eng(` From 32458cdc49e4cf6beb877d0b1c80f1d53635293b Mon Sep 17 00:00:00 2001 From: TeYuan Wang Date: Wed, 12 Jan 2022 10:16:49 +0800 Subject: [PATCH 532/921] Label TMU as sysfs_thermal Bug: 202805103 Test: switch thermal tj property and check thermal threshold Change-Id: Id113b80f856e26412e2e07b9c9b4a61d519b194f --- whitechapel/vendor/google/genfs_contexts | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index d1fd5d77..75579899 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -322,6 +322,14 @@ genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 +# Thermal +genfscon sysfs /devices/platform/100a0000.LITTLE u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/platform/100a0000.MID u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/platform/100a0000.BIG u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/platform/100b0000.G3D u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/platform/100b0000.ISP u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/platform/100b0000.TPU u:object_r:sysfs_thermal:s0 + # Coresight ETM genfscon sysfs /devices/platform/25840000.etm u:object_r:sysfs_devices_cs_etm:s0 genfscon sysfs /devices/platform/25940000.etm u:object_r:sysfs_devices_cs_etm:s0 From 85d5a9a60a969fbfa75382e10529c71225e9eded Mon Sep 17 00:00:00 2001 From: linpeter Date: Mon, 17 Jan 2022 16:53:53 +0800 Subject: [PATCH 533/921] atc context change Give atc nodes are changed to dqe0 form. Bug: 213133646 test: test: check avc denied Change-Id: Ibbcb7538b7874912f8c7e19a77ae6dd32f097ab0 --- display/gs101/genfs_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/display/gs101/genfs_contexts b/display/gs101/genfs_contexts index e4ccf2f7..8ea3b669 100644 --- a/display/gs101/genfs_contexts +++ b/display/gs101/genfs_contexts 
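Review bot: The six new `# Thermal` entries label whole platform device directories (`100a0000.LITTLE` through `100b0000.TPU`) as `sysfs_thermal`, and `genfscon` matches by path prefix, so every attribute below those nodes takes the label, not only the threshold files the Test: line refers to. Any domain with write rules on `sysfs_thermal` (not visible in this hunk) would then be able to write all of them. Listing the specific attribute paths that the thermal HAL needs would keep the grant narrow. If the whole subtree is intended, a comment such as `# TMU device nodes: the entire subtree is sysfs_thermal (b/202805103)` would say so.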
@@ -10,7 +10,7 @@ genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2D0000/panel@0/compatible genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c300000.drmdecon/dqe/atc u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c300000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c300000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0 From b69ac35ff006cccbeee26f299826c32104fe1934 Mon Sep 17 00:00:00 2001 From: Stephen Crane Date: Tue, 14 Dec 2021 14:33:56 -0800 Subject: [PATCH 534/921] Allow TEE storageproxyd permissions needed for DSU handling Allows the vendor TEE access to GSI metadata files (which are publicly readable). Storageproxyd needs access to this metadata to determine if a GSI image is currently booted. Also allows the TEE domain to make new directories in its data path. Test: access /metadata/gsi/dsu/booted from storageproxyd Bug: 203719297 Merged-In: I86055dd5601f8c2899d28f29bdfcb4dcb9b90d1b Change-Id: I86055dd5601f8c2899d28f29bdfcb4dcb9b90d1b --- whitechapel/vendor/google/storageproxyd.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te index d6acb458..76552d04 100644 --- a/whitechapel/vendor/google/storageproxyd.te +++ b/whitechapel/vendor/google/storageproxyd.te @@ -8,6 +8,10 @@ allow tee persist_ss_file:file create_file_perms; allow tee persist_ss_file:dir create_dir_perms; allow tee persist_file:dir r_dir_perms; allow tee mnt_vendor_file:dir r_dir_perms; +allow tee tee_data_file:dir rw_dir_perms; allow tee tee_data_file:lnk_file r_file_perms; allow tee sg_device:chr_file rw_file_perms; allow tee self:capability { setgid setuid }; + +# Allow storageproxyd access to gsi_public_metadata_file +read_fstab(tee) 
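Review bot: In `storageproxyd.te`, `allow tee tee_data_file:dir rw_dir_perms;` does not deliver what the description promises: in the AOSP permission sets `rw_dir_perms` covers adding and removing directory entries but not the `create` permission on the `dir` class, so making a new directory under the TEE data path would still be denied. If directory creation is the goal, use `allow tee tee_data_file:dir { rw_dir_perms create };` for the narrow case, or `create_dir_perms` if rename and rmdir are also wanted. Separately, the comment above `read_fstab(tee)` names only `gsi_public_metadata_file`, while the macro is defined in platform policy and may grant more than that one type. `# read_fstab: lets storageproxyd check whether a DSU/GSI image is booted` would describe the purpose without understating the grant.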
From ed2c8d78ae39667034fbb6c647604c64a27dc08d Mon Sep 17 00:00:00 2001 From: eddielan Date: Fri, 21 Jan 2022 11:27:23 +0800 Subject: [PATCH 535/921] Add vendor SELinux denial to allowlist Bug: 215640468 Test: Build Pass Change-Id: I8c2aa5ce4c6cc229837f763c6a20a1c27e1978a6 --- whitechapel/vendor/google/bug_map | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/bug_map b/whitechapel/vendor/google/bug_map index 3dc069c5..6799ba21 100644 --- a/whitechapel/vendor/google/bug_map +++ b/whitechapel/vendor/google/bug_map @@ -1,2 +1,3 @@ permissioncontroller_app sysfs_vendor_sched file b/190671898 -vendor_ims_app default_prop file b/194281028 \ No newline at end of file +vendor_ims_app default_prop file b/194281028 +hal_fingerprint_default default_prop property_service b/215640468 From 400b93eb0bc296fd4bb483a566bbdd3c5fe6ec51 Mon Sep 17 00:00:00 2001 From: Jagadeesh Pakaravoor Date: Thu, 7 Oct 2021 07:57:23 -0700 Subject: [PATCH 536/921] camera_hal: allow changing kthread priority Allow changing kthread priority during insmod for camera-hal/LWIS. Bug: 199950581 Test: boot, local camera testing Change-Id: If59bfe101cab17854a5472ef388411bd19ef0a68 --- whitechapel/vendor/google/init-insmod-sh.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/init-insmod-sh.te b/whitechapel/vendor/google/init-insmod-sh.te index 9b2da73d..0e60196e 100644 --- a/whitechapel/vendor/google/init-insmod-sh.te +++ b/whitechapel/vendor/google/init-insmod-sh.te @@ -7,6 +7,9 @@ allow init-insmod-sh sysfs_leds:dir r_dir_perms; allow init-insmod-sh vendor_kernel_modules:system module_load; allow init-insmod-sh vendor_toolbox_exec:file execute_no_trans; +allow init-insmod-sh self:capability sys_nice; +allow init-insmod-sh kernel:process setsched; + set_prop(init-insmod-sh, vendor_device_prop) userdebug_or_eng(` From 51735ba3ab65065bd79676c4b0e74f970ba1ea90 Mon Sep 17 00:00:00 2001 
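Review bot: In `init-insmod-sh.te`, `allow init-insmod-sh kernel:process setsched;` is not limited to the camera/LWIS threads named in the commit message: the target is the `kernel` domain as a whole, so the insmod script domain may change the scheduling of any kernel thread, and `self:capability sys_nice` lets it raise priorities. Both rules sit above the `userdebug_or_eng` block and therefore apply on user builds. Neither is commented; I would add `# Needed to set kthread priority while loading the camera/LWIS module (b/199950581)` above them. It is also worth checking whether the driver can set the priority of its own threads, which would make both rules unnecessary.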
From: Badhri Jagan Sridharan Date: Tue, 19 Oct 2021 13:26:34 -0700 Subject: [PATCH 537/921] android.hardware.usb.IUsb AIDL migration android.hardware.usb.IUsb is migrated to AIDL and runs in its own process. android.hardware.usb.gadget.IUsbGadget is now published in its own exclusive process (android.hardware.usb.gadget-service). Creating file_context and moving the selinux linux rules for IUsbGadget implementation. Bug: 200993386 Change-Id: Ia8c24610244856490c8271433710afb57d3da157 --- whitechapel/vendor/google/file_contexts | 3 ++- whitechapel/vendor/google/hal_usb_gadget_impl.te | 14 ++++++++++++++ whitechapel/vendor/google/hal_usb_impl.te | 5 ----- whitechapel/vendor/google/system_server.te | 1 + 4 files changed, 17 insertions(+), 6 deletions(-) create mode 100644 whitechapel/vendor/google/hal_usb_gadget_impl.te diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index d7ac4461..f0719770 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -7,7 +7,8 @@ /(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.ExynosHWCServiceTW@1\.0-service u:object_r:hal_vendor_hwcservice_default_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.3-service\.gs101 u:object_r:hal_usb_impl_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.usb-service\.gs101 u:object_r:hal_usb_impl_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget-service\.gs101 u:object_r:hal_usb_gadget_impl_exec:s0 /(vendor|system/vendor)/lib(64)?/libion_exynos\.so u:object_r:same_process_hal_file:s0 /(vendor|system/vendor)/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0 
diff --git a/whitechapel/vendor/google/hal_usb_gadget_impl.te b/whitechapel/vendor/google/hal_usb_gadget_impl.te new file mode 100644 index 00000000..5170a8ae --- /dev/null +++ b/whitechapel/vendor/google/hal_usb_gadget_impl.te @@ -0,0 +1,14 @@ +type hal_usb_gadget_impl, domain; +hal_server_domain(hal_usb_gadget_impl, hal_usb) +hal_server_domain(hal_usb_gadget_impl, hal_usb_gadget) + +type hal_usb_gadget_impl_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(hal_usb_gadget_impl) + +allow hal_usb_gadget_impl configfs:dir { create rmdir }; +allow hal_usb_gadget_impl functionfs:dir { watch watch_reads }; +set_prop(hal_usb_gadget_impl, vendor_usb_config_prop) + +allow hal_usb_gadget_impl sysfs_batteryinfo:dir r_dir_perms; +allow hal_usb_gadget_impl sysfs_batteryinfo:file rw_file_perms; +allow hal_usb_gadget_impl sysfs_extcon:dir search; diff --git a/whitechapel/vendor/google/hal_usb_impl.te b/whitechapel/vendor/google/hal_usb_impl.te index ec640c29..736f2cc3 100644 --- a/whitechapel/vendor/google/hal_usb_impl.te +++ b/whitechapel/vendor/google/hal_usb_impl.te @@ -1,14 +1,9 @@ type hal_usb_impl, domain; hal_server_domain(hal_usb_impl, hal_usb) -hal_server_domain(hal_usb_impl, hal_usb_gadget) type hal_usb_impl_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(hal_usb_impl) -allow hal_usb_impl configfs:dir { create rmdir }; -allow hal_usb_impl functionfs:dir { watch watch_reads }; -set_prop(hal_usb_impl, vendor_usb_config_prop) - allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms; allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms; allow hal_usb_impl sysfs_extcon:dir search; diff --git a/whitechapel/vendor/google/system_server.te b/whitechapel/vendor/google/system_server.te index b2563949..abae67c1 100644 --- a/whitechapel/vendor/google/system_server.te +++ b/whitechapel/vendor/google/system_server.te 
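Review bot: The new `hal_usb_gadget_impl.te` still declares the domain a server for `hal_usb` (`hal_server_domain(hal_usb_gadget_impl, hal_usb)`) and copies the three `sysfs_batteryinfo`/`sysfs_extcon` rules from `hal_usb_impl.te`, although the commit message says the gadget HAL now runs in its own exclusive process. If the gadget service neither implements IUsb nor touches battery or extcon nodes, those four lines can go, leaving `hal_server_domain(hal_usb_gadget_impl, hal_usb_gadget)` plus the configfs, functionfs and property rules. Write access to `sysfs_batteryinfo` files in particular looks like a carry-over and should be confirmed against denials from the new service. The commit has no Test: line, so an enforcing-mode boot with USB function switching would be the check to record.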
@@ -3,6 +3,7 @@ binder_call(system_server, gpsd); binder_call(system_server, hal_camera_default); # Allow system server to find vendor uwb service allow system_server uwb_vendor_service:service_manager find; +allow system_server hal_usb_service:service_manager find; # pixelstats_vendor/OrientationCollector binder_call(system_server, pixelstats_vendor) From 472abdcd5dd33e472d13e3feb0010ab368cf8c58 Mon Sep 17 00:00:00 2001 From: Badhri Jagan Sridharan Date: Fri, 21 Jan 2022 17:03:14 -0800 Subject: [PATCH 538/921] Remove redundant rule in system_server.te hal_client_domain(system_server, hal_usb) covers the needed rule. Bug: 200993386 Test: Boot up target to check for selinux denials. Signed-off-by: Badhri Jagan Sridharan Change-Id: If9803a028babb38a6ed0ce5f87a5c7d1eec8e598 --- whitechapel/vendor/google/system_server.te | 1 - 1 file changed, 1 deletion(-) diff --git a/whitechapel/vendor/google/system_server.te b/whitechapel/vendor/google/system_server.te index abae67c1..b2563949 100644 --- a/whitechapel/vendor/google/system_server.te +++ b/whitechapel/vendor/google/system_server.te @@ -3,7 +3,6 @@ binder_call(system_server, gpsd); binder_call(system_server, hal_camera_default); # Allow system server to find vendor uwb service allow system_server uwb_vendor_service:service_manager find; -allow system_server hal_usb_service:service_manager find; # pixelstats_vendor/OrientationCollector binder_call(system_server, pixelstats_vendor) From 66f1d74123b26b029936c0ecd4276c6fa6840b9b Mon Sep 17 00:00:00 2001 From: TeYuan Wang Date: Tue, 25 Jan 2022 11:59:06 +0800 Subject: [PATCH 539/921] Move thermal netlink socket sepolicy rules to pixel sepolicy Bug: 213257759 Test: verified genlink function with emul_temp under enforcing mode Change-Id: I8f5518e5f866ed0813be1e6630c6a9aefaf06e63 --- whitechapel/vendor/google/hal_thermal_default.te | 1 - 1 file changed, 1 deletion(-) 
diff --git a/whitechapel/vendor/google/hal_thermal_default.te b/whitechapel/vendor/google/hal_thermal_default.te index 491035ee..9852a767 100644 --- a/whitechapel/vendor/google/hal_thermal_default.te +++ b/whitechapel/vendor/google/hal_thermal_default.te @@ -1,3 +1,2 @@ -allow hal_thermal_default self:netlink_generic_socket create_socket_perms_no_ioctl; allow hal_thermal_default sysfs_iio_devices:dir r_dir_perms; allow hal_thermal_default sysfs_odpm:file r_file_perms; From 45850f812e1c181c05d13c4b5ae71636e78a0333 Mon Sep 17 00:00:00 2001 From: Stephen Crane Date: Tue, 25 Jan 2022 17:54:22 -0800 Subject: [PATCH 540/921] Allow storageproxyd to create directories in its data location storageproxyd already has rw_dir_perms for tee_data_file from vendor/tee.te in platform. We need create_dir_perms to make the "alternate/" directory for handling DSU correctly. Test: m dist, flash, and test DSU Bug: 203719297 Change-Id: Ifcc3e5f82b68a506ff99469d2f3df6ab1440b42a --- whitechapel/vendor/google/storageproxyd.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te index 76552d04..f9222712 100644 --- a/whitechapel/vendor/google/storageproxyd.te +++ b/whitechapel/vendor/google/storageproxyd.te @@ -8,7 +8,7 @@ allow tee persist_ss_file:file create_file_perms; allow tee persist_ss_file:dir create_dir_perms; allow tee persist_file:dir r_dir_perms; allow tee mnt_vendor_file:dir r_dir_perms; -allow tee tee_data_file:dir rw_dir_perms; +allow tee tee_data_file:dir create_dir_perms; allow tee tee_data_file:lnk_file r_file_perms; allow tee sg_device:chr_file rw_file_perms; allow tee self:capability { setgid setuid }; From b9ad182d4a05d9e4fd39534de26d5413c01ed451 Mon Sep 17 00:00:00 2001 
From: Junkyu Kang Date: Fri, 21 Jan 2022 07:14:07 +0000 Subject: [PATCH 541/921] Add persist.vendor.gps to sepolicy Bug: 196002632 Test: PixelLogger can modify persist.vendor.gps.* Change-Id: I3fdaf564eacec340003eed0b5845a2c08922362c --- whitechapel/vendor/google/property_contexts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index ac829149..149a91be 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -73,7 +73,8 @@ vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s0 vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0 # for gps -vendor.gps u:object_r:vendor_gps_prop:s0 +vendor.gps. u:object_r:vendor_gps_prop:s0 +persist.vendor.gps. u:object_r:vendor_gps_prop:s0 # SecureElement persist.vendor.se. u:object_r:vendor_secure_element_prop:s0 From b9beafc9fa61b89dd00bdc2b51163e7870d34dac Mon Sep 17 00:00:00 2001 From: Stephen Crane Date: Tue, 14 Dec 2021 14:33:56 -0800 Subject: [PATCH 542/921] Allow TEE storageproxyd permissions needed for DSU handling Allows the vendor TEE access to GSI metadata files (which are publicly readable). Storageproxyd needs access to this metadata to determine if a GSI image is currently booted. Also allows the TEE domain to make new directories in its data path. Includes the fixed directory creation permission change from Ifcc3e5f82b68a506ff99469d2f3df6ab1440b42a. Test: access /metadata/gsi/dsu/booted from storageproxyd Bug: 203719297 Merged-In: I86055dd5601f8c2899d28f29bdfcb4dcb9b90d1b Merged-In: Ifcc3e5f82b68a506ff99469d2f3df6ab1440b42a Change-Id: I86055dd5601f8c2899d28f29bdfcb4dcb9b90d1b (cherry picked from commit b69ac35ff006cccbeee26f299826c32104fe1934) --- whitechapel/vendor/google/storageproxyd.te | 4 ++++ 1 file changed, 4 insertions(+) 
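Review bot: Adding `persist.vendor.gps.` to `vendor_gps_prop` in `property_contexts` means every domain allowed to set that type can now store GPS settings that survive a reboot, and the Test: line names PixelLogger as one such writer. The set rule for the logging app is not part of this hunk, so it should be confirmed that it is limited to debuggable builds, or the persistent keys should get their own type so that runtime and persistent properties can be granted separately. The first changed line also narrows the match from `vendor.gps` to `vendor.gps.`, so a property named exactly `vendor.gps`, or one that continues without the dot, would no longer receive this label. A comment such as `# prefix match: vendor.gps.* and persist.vendor.gps.*` would make that intent visible.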
diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te index d6acb458..f9222712 100644 --- a/whitechapel/vendor/google/storageproxyd.te +++ b/whitechapel/vendor/google/storageproxyd.te @@ -8,6 +8,10 @@ allow tee persist_ss_file:file create_file_perms; allow tee persist_ss_file:dir create_dir_perms; allow tee persist_file:dir r_dir_perms; allow tee mnt_vendor_file:dir r_dir_perms; +allow tee tee_data_file:dir create_dir_perms; allow tee tee_data_file:lnk_file r_file_perms; allow tee sg_device:chr_file rw_file_perms; allow tee self:capability { setgid setuid }; + +# Allow storageproxyd access to gsi_public_metadata_file +read_fstab(tee) From ec2a9fb8fcfd8321d8e827ca0af93e0a58bd0704 Mon Sep 17 00:00:00 2001 From: Ankit Goyal Date: Wed, 26 Jan 2022 15:19:45 -0800 Subject: [PATCH 543/921] Rename vulkan library to be platform agnostic Bug: 174232579 Test: Boots to home Change-Id: I39d633e79896d7196ca7011dd7e017950248e2d8 --- whitechapel/vendor/google/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index f0719770..70cfb3f1 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -372,7 +372,7 @@ /vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/hw/gralloc\.gs101\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/hw/vulkan\.gs101\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/hw/vulkan\.mali\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0 # Fingerprint From a2d6a19bcd019ebf062e3e5eb5c7ce1fd57e5430 Mon Sep 17 00:00:00 2001 
From: Marco Nelissen Date: Tue, 1 Feb 2022 08:22:51 -0800 Subject: [PATCH 544/921] Allow logd to read the Trusty log Bug: 190050919 Test: build Change-Id: I8a42cd90b1581272f4dafc37d6eb29a98e1fa2e3 --- whitechapel/vendor/google/logd.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 whitechapel/vendor/google/logd.te diff --git a/whitechapel/vendor/google/logd.te b/whitechapel/vendor/google/logd.te new file mode 100644 index 00000000..cc55e204 --- /dev/null +++ b/whitechapel/vendor/google/logd.te @@ -0,0 +1,2 @@ +r_dir_file(logd, logbuffer_device) +allow logd logbuffer_device:chr_file r_file_perms; From 7df1fa157429e1714e8b3430809e697e6fe016de Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Tue, 1 Feb 2022 08:22:51 -0800 Subject: [PATCH 545/921] Allow logd to read the Trusty log Bug: 190050919 Test: build Change-Id: I8a42cd90b1581272f4dafc37d6eb29a98e1fa2e3 --- whitechapel/vendor/google/logd.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 whitechapel/vendor/google/logd.te diff --git a/whitechapel/vendor/google/logd.te b/whitechapel/vendor/google/logd.te new file mode 100644 index 00000000..cc55e204 --- /dev/null +++ b/whitechapel/vendor/google/logd.te @@ -0,0 +1,2 @@ +r_dir_file(logd, logbuffer_device) +allow logd logbuffer_device:chr_file r_file_perms; From 5a88ee6af15295d5420d5fd9aab4716a3cc0e3aa Mon Sep 17 00:00:00 2001 From: Will McVicker Date: Fri, 4 Feb 2022 11:29:00 -0800 Subject: [PATCH 546/921] genfs_contexts: add paths for unnamed cs40l25a i2c devices In the 5.10 kernel, the i2c paths are named using an out-of-tree patch [1]. For kernels that don't support that, let's add the unnamed sysfs paths as well to the selinux policy. [1] https://android-review.googlesource.com/c/kernel/common/+/1646148 Bug: 217774013 Change-Id: I3a1f279270d22bf82144ce60a08c215308764be3 --- whitechapel/vendor/google/genfs_contexts | 4 ++++ 1 file changed, 4 insertions(+) 
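Review bot: In the new `logd.te`, `r_dir_file(logd, logbuffer_device)` grants directory, regular-file and symlink read on a type that the next line treats as a character device, so only `allow logd logbuffer_device:chr_file r_file_perms;` appears to be needed and the macro line can be dropped. The type name does not mention Trusty, so if `logbuffer_device` also labels other log buffer nodes (not visible here), logd gains read access to all of them. A comment such as `# logd reads the Trusty log from its logbuffer device (b/190050919)` would state the intent. The same two lines are repeated in PATCH 545.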
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 75579899..7077fdf3 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -68,6 +68,8 @@ genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/ieee80215 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/gadget/net u:object_r:sysfs_net:s0 # Vibrator +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043 u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-005a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0042 u:object_r:sysfs_vibrator:s0 @@ -177,6 +179,7 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_sup genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 
@@ -195,6 +198,7 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg/ genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 From c292dd65bab84d5560ffb8301677331137f259e8 Mon Sep 17 00:00:00 2001 From: TeYuan Wang Date: Tue, 25 Jan 2022 19:18:01 +0800 Subject: [PATCH 547/921] move vendor_thermal_prop rules to pixel-sepolicy Bug: 213257759 Test: no denied log after "setprop persist.vendor.disable.thermal.control 1" Change-Id: Ic150959bc6084034d9afcc70bf446692fbe22d11 --- whitechapel/vendor/google/vendor_init.te | 1 - 1 file changed, 1 deletion(-) diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index c1db5e43..6f89d9d5 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -11,7 +11,6 @@ set_prop(vendor_init, vendor_ssrdump_prop) set_prop(vendor_init, vendor_ro_config_default_prop) get_prop(vendor_init, vendor_touchpanel_prop) set_prop(vendor_init, vendor_tcpdump_log_prop) -set_prop(vendor_init, vendor_thermal_prop) set_prop(vendor_init, vendor_logger_prop) allow vendor_init proc_dirty:file w_file_perms; From dcb05d137710334260ede5871e32d73cfc4bc53b Mon Sep 17 00:00:00 2001 
From: Jack Wu Date: Wed, 9 Feb 2022 17:40:10 +0800 Subject: [PATCH 548/921] sepolicy: gs101: fix charger_vendor permission denied [ 27.025458][ T443] type=1400 audit(1644391560.640:11): avc: denied { search } for comm="android.hardwar" name="vendor" dev="tmpfs" ino=2 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=0 [ 26.563658][ T447] type=1400 audit(1644397622.588:5): avc: denied { search } for comm="android.hardwar" name="/" dev="sda1" ino=2 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=0 [ 27.198144][ T442] type=1400 audit(1644398156.152:5): avc: denied { search } for comm="android.hardwar" name="battery" dev="sda1" ino=12 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:persist_battery_file:s0 tclass=dir permissive=0 [ 27.327035][ T443] type=1400 audit(1644398785.276:5): avc: denied { read } for comm="android.hardwar" name="defender_active_time" dev="sda1" ino=17 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:persist_battery_file:s0 tclass=file permissive=0 [ 27.355009][ T443] type=1400 audit(1644398785.276:6): avc: denied { write } for comm="android.hardwar" name="defender_charger_time" dev="sda1" ino=16 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:persist_battery_file:s0 tclass=file permissive=0 [ 26.771705][ T444] type=1400 audit(1644379988.804:4): avc: denied { read } for comm="android.hardwar" name="specification_version" dev="sysfs" ino=56257 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0 [ 27.898684][ T445] type=1400 audit(1644392754.928:8): avc: denied { read } for comm="android.hardwar" name="thermal_zone6" dev="sysfs" ino=15901 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=lnk_file permissive=0 [ 29.180076][ T447] type=1400 audit(1644397625.200:9): avc: denied { write } for comm="android.hardwar" name="mode" dev="sysfs" ino=15915 scontext=u:r:charger_vendor:s0 
tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0 [ 27.043845][ T444] type=1400 audit(1644379988.808:9): avc: denied { search } for comm="android.hardwar" name="thermal" dev="tmpfs" ino=899 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:thermal_link_device:s0 tclass=dir permissive=0 [ 27.064916][ T444] type=1400 audit(1644379988.808:10): avc: denied { read } for comm="android.hardwar" name="u:object_r:vendor_battery_defender_prop:s0" dev="tmpfs" ino=306 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:vendor_battery_defender_prop:s0 tclass=file permissive=0 [ 27.356266][ T444] type=1107 audit(1644404450.376:4): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=vendor.battery.defender.state pid=457 uid=1000 gid=1000 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:vendor_battery_defender_prop:s0 tclass=property_service permissive=0' Bug: 218485039 Test: manually test, no avc: denied Signed-off-by: Jack Wu Change-Id: I091dbbca35fb833e59fdbc234d74b90bfe74014c --- whitechapel/vendor/google/charger_vendor.te | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 whitechapel/vendor/google/charger_vendor.te diff --git a/whitechapel/vendor/google/charger_vendor.te b/whitechapel/vendor/google/charger_vendor.te new file mode 100644 index 00000000..7b914da1 --- /dev/null +++ b/whitechapel/vendor/google/charger_vendor.te @@ -0,0 +1,9 @@ +allow charger_vendor mnt_vendor_file:dir search; +allow charger_vendor persist_file:dir search; +allow charger_vendor persist_battery_file:dir search; +allow charger_vendor persist_battery_file:file rw_file_perms; +allow charger_vendor sysfs_scsi_devices_0000:file r_file_perms; +allow charger_vendor sysfs_thermal:file w_file_perms; +allow charger_vendor sysfs_thermal:lnk_file read; +allow charger_vendor thermal_link_device:dir search; +set_prop(charger_vendor, vendor_battery_defender_prop) From 05eb29e217141d84585325971b43a05c0e2ac7b5 Mon Sep 17 00:00:00 2001 
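Review bot: `allow charger_vendor sysfs_thermal:file w_file_perms;` in the new `charger_vendor.te` applies to every node labelled `sysfs_thermal`, but the only write denial quoted in the commit message is for the `mode` attribute. If `mode` is really the only node the charger HAL writes, a dedicated label for it would be narrower than write access to the whole type. The new file also has no comments, so the next reader cannot tell which rule answers which denial; headers such as `# battery defender state kept under persist (b/218485039)` above the `persist_*` rules and `# thermal zone mode is toggled in charger mode` above the `sysfs_thermal` rules would fix that. It is also worth confirming that `persist_battery_file:file rw_file_perms` and the `set_prop` on `vendor_battery_defender_prop` are both needed, because the domain can then change the battery defender state.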
From: Ricky Niu Date: Mon, 14 Feb 2022 15:22:04 +0800 Subject: [PATCH 549/921] Add hal_usb_impl permission Add hal_usb_impl get below permission allow hal_usb_impl configfs:dir rw_dir_perms; allow hal_usb_impl configfs:file create_file_perms; avc denied 02-16 12:05:19.820 788 788 I android.hardwar: type=1400 audit(0.0:4882): avc: denied { search } for name="/" dev="configfs" ino=13419 scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:configfs:s0 tclass=dir permissive=1 02-16 12:05:19.820 788 788 I android.hardwar: type=1400 audit(0.0:4883): avc: denied { write } for name="g1" dev="configfs" ino=38003 scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:configfs:s0 tclass=dir permissive=1 02-16 12:05:19.820 788 788 I android.hardwar: type=1400 audit(0.0:4884): avc: denied { add_name } for name="UDC" scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:configfs:s0 tclass=dir permissive=1 02-16 12:05:19.820 788 788 I android.hardwar: type=1400 audit(0.0:4885): avc: denied { create } for name="UDC" scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:configfs:s0 tclass=file permissive=1 02-16 12:05:19.820 788 788 I android.hardwar: type=1400 audit(0.0:4886): avc: denied { write } for name="UDC" dev="configfs" ino=106988 scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:configfs:s0 tclass=file permissive=1 Bug: 218997592 Signed-off-by: Ricky Niu Change-Id: I854479cef1a0b8ad518814fb9d20558cf52202e7 --- whitechapel/vendor/google/hal_usb_impl.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/hal_usb_impl.te b/whitechapel/vendor/google/hal_usb_impl.te index 736f2cc3..6b6d19f6 100644 --- a/whitechapel/vendor/google/hal_usb_impl.te +++ b/whitechapel/vendor/google/hal_usb_impl.te 
@@ -4,6 +4,8 @@ hal_server_domain(hal_usb_impl, hal_usb) type hal_usb_impl_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(hal_usb_impl) +allow hal_usb_impl configfs:dir rw_dir_perms; +allow hal_usb_impl configfs:file create_file_perms; allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms; allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms; allow hal_usb_impl sysfs_extcon:dir search; From 32307ac30d43c31a01d92dda241a1f7d58f94acf Mon Sep 17 00:00:00 2001 From: Midas Chien Date: Wed, 16 Feb 2022 16:17:22 +0800 Subject: [PATCH 550/921] Allow composer to read panel_idle sysfs node Change panel_idle selinux type to sysfs_display to allow composer can read it. Bug: 198808492 Bug: 219857957 Test: ls -Z to check selinux type Test: make sure init(write) and composer(read) can access it Change-Id: I77ae701a73a047b26b4ebb3c9d482c8cb9220999 --- whitechapel/vendor/google/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index bbf63fdf..ecc583d6 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -138,6 +138,8 @@ genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 
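Review bot: The two rules added to `hal_usb_impl.te` apply to everything labelled `configfs`, and `create_file_perms` also carries rename, unlink and setattr, whereas the quoted denials are only search/write/add_name on the directory and create/write on `UDC`. Those denials were collected with permissive=1, so it is worth re-testing in enforcing mode with a narrower file rule such as `allow hal_usb_impl configfs:file { create w_file_perms };` and widening it only if further denials appear. A comment above the pair, for example `# USB HAL creates and writes the gadget UDC node in configfs (b/218997592)`, would tie the grant to its purpose. The rest of the policy file lies outside this hunk, so an existing narrower configfs rule cannot be ruled out from here.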
From 9244051b3553242b5670c32634a575160eb51c82 Mon Sep 17 00:00:00 2001 From: Junkyu Kang Date: Fri, 21 Jan 2022 07:14:07 +0000 Subject: [PATCH 551/921] Add persist.vendor.gps to sepolicy Bug: 196002632 Test: PixelLogger can modify persist.vendor.gps.* Change-Id: I3fdaf564eacec340003eed0b5845a2c08922362c Merged-In: I3fdaf564eacec340003eed0b5845a2c08922362c --- whitechapel/vendor/google/property_contexts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 5d2f018a..89bd277b 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -72,7 +72,8 @@ vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s0 vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0 # for gps -vendor.gps u:object_r:vendor_gps_prop:s0 +vendor.gps. u:object_r:vendor_gps_prop:s0 +persist.vendor.gps. u:object_r:vendor_gps_prop:s0 # SecureElement persist.vendor.se. u:object_r:vendor_secure_element_prop:s0 From cb04f5981fc59d8e826079fa1f914ceda986e67d Mon Sep 17 00:00:00 2001 From: Robert Shih Date: Tue, 15 Feb 2022 17:01:48 +0000 Subject: [PATCH 552/921] whitechapel: sepolicy for Widevine AIDL HAL Bug: 219538389 Test: atest GtsMediaTestCases Change-Id: I431554dcbef014f8235f048ee062a218a2131f9c --- whitechapel/vendor/google/file_contexts | 2 +- whitechapel/vendor/google/service_contexts | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 70cfb3f1..69eb9fd3 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
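Review bot: In `property_contexts`, `persist.vendor.gps.` is mapped to the existing `vendor_gps_prop` type, so every domain that already holds `set_prop` on that type can now write values that survive a reboot, not only the logging app named in the Test line. Which domains those are is not visible in this hunk. If only the logger needs the persistent keys, a separate type (for example `vendor_gps_persist_prop`, a name made up here for illustration) keeps the two grants apart. Separately, changing `vendor.gps` to `vendor.gps.` stops matching properties whose names merely start with `vendor.gps` without the dot, so check that no such property is still in use.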
@@ -1,7 +1,7 @@ # # Exynos HAL # -/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.4-service\.widevine u:object_r:hal_drm_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.drm(@[0-9]+\.[0-9]+)?-service\.widevine u:object_r:hal_drm_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service32 u:object_r:hal_usb_default_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.ExynosHWCServiceTW@1\.0-service u:object_r:hal_vendor_hwcservice_default_exec:s0 diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index 812105a6..92fe3e99 100644 --- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts @@ -1,3 +1,4 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 uwb_vendor u:object_r:uwb_vendor_service:s0 hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_vendor_service:s0 +android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0 From 05565c1f14f9041646e4fc8ec3396688c987f53f Mon Sep 17 00:00:00 2001 From: Aaron Tsai Date: Mon, 21 Feb 2022 12:16:45 +0800 Subject: [PATCH 553/921] Fix selinux error for system_app 01-26 05:04:53.364 440 440 I auditd : avc: denied { find } for interface=vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal sid=u:r:system_app:s0 pid=3063 scontext=u:r:system_app:s0 tcontext=u:object_r:hal_exynos_rild_hwservice:s0 tclass=hwservice_manager permissive=0 Bug: 216531913 Test: verified with the forrest ROM and error log gone Change-Id: I73d45f3cf1fe0bd918bb4856ce554e81702e4ff9 Merged-In: I73d45f3cf1fe0bd918bb4856ce554e81702e4ff9 --- whitechapel/vendor/google/system_app.te | 1 + 1 file changed, 1 insertion(+) 
diff --git a/whitechapel/vendor/google/system_app.te b/whitechapel/vendor/google/system_app.te index a9bab762..07536ccf 100644 --- a/whitechapel/vendor/google/system_app.te +++ b/whitechapel/vendor/google/system_app.te @@ -5,3 +5,4 @@ allow system_app hal_wlc_hwservice:hwservice_manager find; binder_call(system_app, hal_wlc) allow system_app fwk_stats_hwservice:hwservice_manager find; +allow system_app hal_exynos_rild_hwservice:hwservice_manager find; From 5e2e26114854c92f4ef652506ca7c63afe9275e6 Mon Sep 17 00:00:00 2001 From: Shubham Dubey Date: Mon, 21 Feb 2022 10:22:32 +0000 Subject: [PATCH 554/921] Temporarily don't audit hal_fingerprint to fix avc denial Fix: 220263520 Change-Id: Ic06981fdc071c5027e6ccd137c1a2d19b9366c98 --- tracking_denials/hal_fingerprint_default.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te index 9a2d37e5..3939b28a 100644 --- a/tracking_denials/hal_fingerprint_default.te +++ b/tracking_denials/hal_fingerprint_default.te @@ -1,3 +1,5 @@ +#b/220263520 +dontaudit hal_fingerprint_default vendor_default_prop:property_service set; # b/183338543 dontaudit hal_fingerprint_default system_data_root_file:file { read }; dontaudit hal_fingerprint_default default_prop:file { getattr }; From 56b04c828ed507e38c092e1e733fc2c99f8834e1 Mon Sep 17 00:00:00 2001 From: Jason Macnak Date: Thu, 24 Feb 2022 18:37:55 +0000 Subject: [PATCH 555/921] Remove sysfs_gpu type definition ... as it has moved to system/sepolicy. Bug: b/161819018 Test: presubmit Change-Id: I6fcafa87541ed0cbaf3ba74fa5ff4dbdebd533f7 --- whitechapel/vendor/google/file.te | 3 --- 1 file changed, 3 deletions(-) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 90098249..cb5ade95 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te 
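Review bot: `allow system_app hal_exynos_rild_hwservice:hwservice_manager find;` in `system_app.te` is granted to the whole `system_app` domain, while the quoted denial identifies only a pid and not the app that needs the vendor radio interface. Please name the client in a comment next to the rule, e.g. `# <app name> looks up IOemSlsiRadioExternal (b/216531913)`. If it is a single app, giving it its own domain through `seapp_contexts` would be narrower than opening the lookup to every app in `system_app`. No matching `binder_call` is added here, so either it already exists outside the hunk or the lookup will succeed while the call itself is still denied.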
@@ -169,9 +169,6 @@ type persist_battery_file, file_type, vendor_persist_type; # CPU type sysfs_cpu, sysfs_type, fs_type; -# GPU -type sysfs_gpu, sysfs_type, fs_type; - # Fabric type sysfs_fabric, sysfs_type, fs_type; From 28a21a48e04d9fadeb27bf18ef662413669903c8 Mon Sep 17 00:00:00 2001 From: Jason Macnak Date: Thu, 24 Feb 2022 18:37:55 +0000 Subject: [PATCH 556/921] Remove sysfs_gpu type definition ... as it has moved to system/sepolicy. Bug: b/161819018 Test: presubmit Change-Id: I6fcafa87541ed0cbaf3ba74fa5ff4dbdebd533f7 Merged-In: I6fcafa87541ed0cbaf3ba74fa5ff4dbdebd533f7 --- whitechapel/vendor/google/file.te | 3 --- 1 file changed, 3 deletions(-) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index e2baeca6..f951e2e3 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -169,9 +169,6 @@ type persist_battery_file, file_type, vendor_persist_type; # CPU type sysfs_cpu, sysfs_type, fs_type; -# GPU -type sysfs_gpu, sysfs_type, fs_type; - # Fabric type sysfs_fabric, sysfs_type, fs_type; From acd4220ac9776c06c362fef5c884382104b30ab7 Mon Sep 17 00:00:00 2001 From: Midas Chien Date: Sun, 20 Feb 2022 17:51:54 +0800 Subject: [PATCH 557/921] Allow composer to read panel_idle_handle_exit sysfs node Change panel_idle_exit_handle selinux type to sysfs_display to allow composer to access it. Bug: 202182467 Test: ls -Z to check selinux type Test: composer can access it in enforce mode Change-Id: I5ca811f9500dc452fe6832dd772376da51f675a8 --- whitechapel/vendor/google/genfs_contexts | 26 +++++++++++++----------- 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index ecc583d6..9f4e1fbc 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -130,18 +130,20 @@ genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby genfscon sysfs /devices/virtual/pps/pps0/assert_elapsed u:object_r:sysfs_gps_assert:s0 # Display -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ms 
u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 # Modem genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0 From e0c6120237de82a0e5690f434994f23a3724a721 Mon Sep 17 00:00:00 2001 From: Kris Chen Date: Tue, 1 Mar 2022 12:07:13 +0800 Subject: [PATCH 558/921] Add sepolicy rules for fingerprint hal Fix the following avc denial: avc: denied { set } for property=vendor.gf.cali.state pid=1152 uid=1000 gid=1000 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service permissive=0' Bug: 219372997 Bug: 220263520 Test: No above avc denial in logcat. Change-Id: I93ace30c67e04bc836bfba050028a1f25af641d5 --- tracking_denials/hal_fingerprint_default.te | 2 -- whitechapel/vendor/google/hal_fingerprint_default.te | 4 +--- whitechapel/vendor/google/property.te | 2 +- whitechapel/vendor/google/property_contexts | 3 ++- whitechapel/vendor/google/vendor_init.te | 4 +--- 5 files changed, 5 insertions(+), 10 deletions(-) 
diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te index 3939b28a..9a2d37e5 100644 --- a/tracking_denials/hal_fingerprint_default.te +++ b/tracking_denials/hal_fingerprint_default.te @@ -1,5 +1,3 @@ -#b/220263520 -dontaudit hal_fingerprint_default vendor_default_prop:property_service set; # b/183338543 dontaudit hal_fingerprint_default system_data_root_file:file { read }; dontaudit hal_fingerprint_default default_prop:file { getattr }; diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te index 6dedfce8..b2378682 100644 --- a/whitechapel/vendor/google/hal_fingerprint_default.te +++ b/whitechapel/vendor/google/hal_fingerprint_default.te @@ -8,9 +8,7 @@ allow hal_fingerprint_default sysfs_fingerprint:dir r_dir_perms; allow hal_fingerprint_default sysfs_fingerprint:file rw_file_perms; allow hal_fingerprint_default fwk_stats_service:service_manager find; get_prop(hal_fingerprint_default, fingerprint_ghbm_prop) -userdebug_or_eng(` - get_prop(hal_fingerprint_default, vendor_fingerprint_fake_prop) -') +set_prop(hal_fingerprint_default, vendor_fingerprint_prop) add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice) # allow fingerprint to access power hal diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index bb0894fc..e98973f2 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -48,7 +48,7 @@ vendor_internal_prop(vendor_touchpanel_prop) vendor_internal_prop(vendor_tcpdump_log_prop) # Fingerprint -vendor_internal_prop(vendor_fingerprint_fake_prop) +vendor_internal_prop(vendor_fingerprint_prop) # Dynamic sensor vendor_internal_prop(vendor_dynamic_sensor_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 149a91be..cdbe1bc4 100644 --- a/whitechapel/vendor/google/property_contexts 
+++ b/whitechapel/vendor/google/property_contexts @@ -105,7 +105,8 @@ vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_pr vendor.tcpdump.output.dir u:object_r:vendor_tcpdump_log_prop:s0 # Fingerprint -vendor.fingerprint.disable.fake u:object_r:vendor_fingerprint_fake_prop:s0 +vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0 +vendor.gf. u:object_r:vendor_fingerprint_prop:s0 # Dynamic sensor vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0 diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index f8731c04..dfd8e996 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -34,6 +34,4 @@ get_prop(vendor_init, vendor_battery_profile_prop) set_prop(vendor_init, vendor_battery_defender_prop) # Fingerprint property -userdebug_or_eng(` - set_prop(vendor_init, vendor_fingerprint_fake_prop) -') +set_prop(vendor_init, vendor_fingerprint_prop) From e5cf8beff3cf214b4fbaa5725feeb0e22f9398a5 Mon Sep 17 00:00:00 2001 From: Robert Lee Date: Thu, 24 Feb 2022 10:32:47 +0800 Subject: [PATCH 559/921] Fix selinux error for aocd allow write permission to fix following error auditd : type=1400 audit(0.0:4): avc: denied { write } for comm="aocd" name="aoc" dev="tmpfs" ino=497 scontext=u:r:aocd:s0 tcontext=u:object_r:aoc_device:s0 tclass=chr_file permissive=0 Bug: 198490099 Test: no avc deny when enable no_ap_restart Change-Id: Ia72ee36137d78f969c28bf22647443cef45d186a Signed-off-by: Robert Lee --- whitechapel/vendor/google/aocd.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/aocd.te b/whitechapel/vendor/google/aocd.te index 79add165..69b0af0d 100644 --- a/whitechapel/vendor/google/aocd.te +++ b/whitechapel/vendor/google/aocd.te 
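Review bot: The `userdebug_or_eng` guards are removed in `hal_fingerprint_default.te` and `vendor_init.te`, and in `property_contexts` the exact entry `vendor.fingerprint.disable.fake` is replaced by the prefix `vendor.fingerprint.`, so a property that was reachable only on debug builds becomes settable by both domains on user builds. The denial quoted in the commit message is only for `vendor.gf.cali.state`. Unless the fake-sensor switch is meant to be available on user builds, keep `vendor_fingerprint_fake_prop` with its guarded rules and add the new type next to it, limited to `vendor.gf. u:object_r:vendor_fingerprint_prop:s0` and `set_prop(hal_fingerprint_default, vendor_fingerprint_prop)`. What `disable.fake` controls inside the HAL is not visible in this patch, so its handling on user builds should be confirmed before the guard is dropped.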
@@ -12,7 +12,7 @@ allow aocd sysfs_aoc:dir search; allow aocd sysfs_aoc_firmware:file w_file_perms; # dev operations -allow aocd aoc_device:chr_file r_file_perms; +allow aocd aoc_device:chr_file rw_file_perms; # allow inotify to watch for additions/removals from /dev allow aocd device:dir r_dir_perms; From 03fef4854280f367115e41568b21f3b4042dd632 Mon Sep 17 00:00:00 2001 From: Tri Vo Date: Thu, 3 Mar 2022 13:11:39 -0800 Subject: [PATCH 560/921] Don't audit storageproxyd unlabeled access Test: m sepolicy Bug: 197502330 Change-Id: I794dac85e475434aaf024027c43c98dde60bee27 --- whitechapel/vendor/google/storageproxyd.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te index f9222712..ada64441 100644 --- a/whitechapel/vendor/google/storageproxyd.te +++ b/whitechapel/vendor/google/storageproxyd.te @@ -15,3 +15,7 @@ allow tee self:capability { setgid setuid }; # Allow storageproxyd access to gsi_public_metadata_file read_fstab(tee) + +# storageproxyd starts before /data is mounted. It handles /data not being there +# gracefully. However, attempts to access /data trigger a denial. +dontaudit tee unlabeled:dir { search }; From 0e1e0e2830db571a1e7fde5df26bef0e5c927a3b Mon Sep 17 00:00:00 2001 From: Midas Chien Date: Sun, 20 Feb 2022 17:51:54 +0800 Subject: [PATCH 561/921] [Do Not Merge] Allow composer to read panel_idle_handle_exit sysfs node Change panel_idle_exit_handle selinux type to sysfs_display to allow composer to access it. Bug: 202182467 Test: ls -Z to check selinux type Test: composer can access it in enforce mode Merged-In: I5ca811f9500dc452fe6832dd772376da51f675a8 Change-Id: I5ca811f9500dc452fe6832dd772376da51f675a8 --- whitechapel/vendor/google/genfs_contexts | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 7077fdf3..081ec214 100644 
--- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -114,12 +114,14 @@ genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby genfscon sysfs /devices/virtual/pps/pps0/assert_elapsed u:object_r:sysfs_gps_assert:s0 # Display -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 # Modem genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0 From 34c5b9b239833c8c728308a6cf009b99ac1ab921 Mon Sep 17 00:00:00 2001 
From: Roshan Pius Date: Fri, 18 Feb 2022 15:36:58 -0800 Subject: [PATCH 562/921] gs-sepolicy(uwb): Changes for new UCI stack 1. Rename uwb vendor app. 2. Rename uwb vendor HAL binary name & service name. 3. Allow vendor HAL to host the AOSP UWB HAL service. 4. Allow NFC HAL to access uwb calibration files. Bug: 186585880 Test: Manual Tests Change-Id: I2c7c2466f42317d643634e24b1efb1855e673d09 --- whitechapel/vendor/google/file_contexts | 2 +- whitechapel/vendor/google/hal_nfc_default.te | 3 +++ whitechapel/vendor/google/hal_uwb_vendor_default.te | 3 +++ whitechapel/vendor/google/property.te | 2 ++ whitechapel/vendor/google/property_contexts | 2 ++ whitechapel/vendor/google/seapp_contexts | 3 ++- whitechapel/vendor/google/service_contexts | 2 +- 7 files changed, 14 insertions(+), 3 deletions(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 69eb9fd3..05e49591 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -347,7 +347,7 @@ # Uwb # R4 -/vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0 +/vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0 /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 diff --git a/whitechapel/vendor/google/hal_nfc_default.te b/whitechapel/vendor/google/hal_nfc_default.te index 174b5383..247ca3d7 100644 --- a/whitechapel/vendor/google/hal_nfc_default.te +++ b/whitechapel/vendor/google/hal_nfc_default.te @@ -10,3 +10,6 @@ set_prop(hal_nfc_default, vendor_modem_prop) # Access uwb cal for SecureRanging Applet allow hal_nfc_default uwb_data_vendor:dir r_dir_perms; allow hal_nfc_default uwb_data_vendor:file r_file_perms; + +# allow nfc to read uwb calibration file +get_prop(hal_nfc_default, vendor_uwb_calibration_prop) 
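Review bot: The comment added in `hal_nfc_default.te`, `# allow nfc to read uwb calibration file`, does not match the rule under it, which is a property read: `get_prop(hal_nfc_default, vendor_uwb_calibration_prop)`. File access to the calibration data is already covered by the `uwb_data_vendor` rules just above. Reword it to `# Allow the NFC HAL to read the UWB calibration properties` so the two grants are not confused in a later audit.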
diff --git a/whitechapel/vendor/google/hal_uwb_vendor_default.te b/whitechapel/vendor/google/hal_uwb_vendor_default.te index f72e879d..b287433f 100644 --- a/whitechapel/vendor/google/hal_uwb_vendor_default.te +++ b/whitechapel/vendor/google/hal_uwb_vendor_default.te @@ -2,6 +2,7 @@ type hal_uwb_vendor_default, domain; type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(hal_uwb_vendor_default) +hal_server_domain(hal_uwb_vendor_default, hal_uwb) add_service(hal_uwb_vendor_default, hal_uwb_vendor_service) hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor) @@ -9,3 +10,5 @@ binder_call(hal_uwb_vendor_default, uwb_vendor_app) allow hal_uwb_vendor_default uwb_data_vendor:dir create_dir_perms; allow hal_uwb_vendor_default uwb_data_vendor:file create_file_perms; + +get_prop(hal_uwb_vendor_default, vendor_uwb_calibration_prop) diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index bb0894fc..b8bfacc8 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -53,3 +53,5 @@ vendor_internal_prop(vendor_fingerprint_fake_prop) # Dynamic sensor vendor_internal_prop(vendor_dynamic_sensor_prop) +# UWB calibration +system_vendor_config_prop(vendor_uwb_calibration_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 149a91be..821f4de1 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -110,3 +110,5 @@ vendor.fingerprint.disable.fake u:object_r:vendor_fingerprint_fa # Dynamic sensor vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0 +# uwb +ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index 4dcd8e5d..f866e37a 100644 --- a/whitechapel/vendor/google/seapp_contexts 
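Review bot: The new `property_contexts` entry `ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string` combines a trailing-dot prefix with the `exact` keyword, so it labels only a property literally named `ro.vendor.uwb.calibration.` and nothing below it. If the intent is to cover the calibration keys under that prefix, they will keep the default vendor label and the `get_prop` rules added for `hal_nfc_default` and `hal_uwb_vendor_default` will not apply to them. Use `ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 prefix string`, or list each key with `exact` and its real type.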
+++ b/whitechapel/vendor/google/seapp_contexts @@ -48,7 +48,8 @@ user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type= user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user # Qorvo UWB system app -user=uwb isPrivApp=true seinfo=uwb name=com.qorvo.uwb domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all +# TODO(b/222204912): Should this run under uwb user? +user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all # Domain for EuiccSupportPixel user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index 92fe3e99..ca2ec939 100644 --- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts @@ -1,4 +1,4 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 uwb_vendor u:object_r:uwb_vendor_service:s0 -hardware.qorvo.uwb.IUwb/default u:object_r:hal_uwb_vendor_service:s0 +hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0 android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0 From c3d3c574f4ba1cbe84ba29ccb6c6e5748e2b5f29 Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Tue, 8 Mar 2022 20:56:51 +0800 Subject: [PATCH 563/921] sepolicy: fix VTS failure for SuspendSepolicyTests Label the common parent wakeup path instead of each individual wakeup source to avoid bloating the genfs contexts. Bug: 221174227 Test: run vts -m SuspendSepolicyTests Change-Id: I83a074840198aba323805fd455ee78a0e57174ac Signed-off-by: Darren Hsu --- whitechapel/vendor/google/genfs_contexts | 36 ++++++++++++------------ 1 file changed, 18 insertions(+), 18 deletions(-) 
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 9f4e1fbc..c3773b0d 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -82,27 +82,27 @@ genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:s # System_suspend genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/cpif/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/gpio_keys/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /sys/devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-source-psy-5-0050/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 
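Review bot: Several entries in this hunk still label the deeper `.../wakeup/wakeup` path, for example `/devices/platform/11110000.usb/wakeup/wakeup` and `/devices/platform/175b0000.serial/serial0/serial0-0/wakeup/wakeup`, so the file now mixes two conventions; the hunks at -190 and -219 do the same. genfscon matches by path prefix, so if the parent-directory form is what SuspendSepolicyTests expects (the commit message suggests it is), the remaining entries should follow, e.g. `genfscon sysfs /devices/platform/11110000.usb/wakeup u:object_r:sysfs_wakeup:s0`. Separately, the unchanged line starting `/sys/devices/platform/10d50000.hsi2c/` carries a `/sys` prefix that no other sysfs entry has, so it probably never matches. It duplicates the line below it and could be dropped.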
@@ -190,19 +190,19 @@ genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_chip_id: genfscon sysfs /devices/system/chip-id/raw_str u:object_r:sysfs_chip_id:s0 # system_suspend wakeup nodes -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs 
/devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0 
@@ -219,14 +219,14 @@ genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/wakeup/wakeup genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/sound-aoc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup u:object_r:sysfs_wakeup:s0 # OTA genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 From f648f3c989c0292147f30826b172b0365b4bee6c Mon Sep 17 00:00:00 2001 
From: Michael Eastwood Date: Tue, 8 Mar 2022 13:54:34 -0800 Subject: [PATCH 564/921] Update SELinux policy to allow camera HAL to send Perfetto trace packets Example denials: 03-04 04:25:37.524 823 823 I TracingMuxer: type=1400 audit(0.0:31): avc: denied { use } for path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=20229 scontext=u:r:hal_camera_default:s0 tcontext=u:r:tr aced:s0 tclass=fd permissive=1 03-04 04:25:37.524 823 823 I TracingMuxer: type=1400 audit(0.0:32): avc: denied { read write } for path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=20229 scontext=u:r:hal_camera_default:s0 tcontext =u:object_r:traced_tmpfs:s0 tclass=file permissive=1 03-04 04:25:37.524 823 823 I TracingMuxer: type=1400 audit(0.0:33): avc: denied { getattr } for path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=20229 scontext=u:r:hal_camera_default:s0 tcontext=u: object_r:traced_tmpfs:s0 tclass=file permissive=1 03-04 04:25:37.524 823 823 I TracingMuxer: type=1400 audit(0.0:34): avc: denied { map } for path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=20229 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:traced_tmpfs:s0 tclass=file permissive=1 Bug: 222684359 Test: Build and push new SELinux policy. Verify that trace packets are received by Perfetto. Change-Id: I0180c6bccf8cb65f444b8fb687ab48422c211bac --- whitechapel/vendor/google/hal_camera_default.te | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index bb0e206f..24246d2f 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te 
@@ -83,12 +83,15 @@ allow hal_camera_default apex_info_file:file r_file_perms; # Allow camera HAL to query current device clock frequencies. allow hal_camera_default sysfs_devfreq_cur:file r_file_perms; -# allow camera HAL to read backlight of display +# Allow camera HAL to read backlight of display allow hal_camera_default sysfs_leds:dir r_dir_perms; allow hal_camera_default sysfs_leds:file r_file_perms; -# allow camera HAL to query interrupts and set interrupt affinity +# Allow camera HAL to query interrupts and set interrupt affinity allow hal_camera_default proc_irq:dir r_dir_perms; allow hal_camera_default proc_irq:file rw_file_perms; allow hal_camera_default proc_interrupts:dir r_dir_perms; allow hal_camera_default proc_interrupts:file r_file_perms; + +# Allow camera HAL to send trace packets to Perfetto +userdebug_or_eng(`perfetto_producer(hal_camera_default)') From 037f9cda4e0468d1f42aeeaa816c06e9bf13027e Mon Sep 17 00:00:00 2001 From: sukiliu Date: Wed, 9 Mar 2022 14:15:55 +0800 Subject: [PATCH 565/921] Update avc error on ROM 8276520 Bug: 223502652 Bug: 223330933 Test: PtsSELinuxTestCases Change-Id: Ib8c14c4928410ee5ed4626e95e2882b89341ee9a --- tracking_denials/hal_drm_default.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 tracking_denials/hal_drm_default.te diff --git a/tracking_denials/hal_drm_default.te b/tracking_denials/hal_drm_default.te new file mode 100644 index 00000000..ee4ed089 --- /dev/null +++ b/tracking_denials/hal_drm_default.te @@ -0,0 +1,2 @@ +# b/223502652 +dontaudit hal_drm_default vndbinder_device:chr_file { read }; From 44fcba7efd30a8d70ac8bbb57d75ffc246a172c1 Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Thu, 10 Mar 2022 08:48:05 +0800 Subject: [PATCH 566/921] sepolicy: reorder genfs labels for system suspend Bug: 223683748 Test: check bugreport without relevant avc denials Change-Id: I66ede69d94bb3cb1a446e1cd5f3250b6f9b7f7e9 
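Review bot: The new comment in hal_camera_default.te does not say that the rule exists only on debug builds, which is the security-relevant part of the line: `userdebug_or_eng(...)` keeps the camera HAL from becoming a Perfetto producer on user builds. I would write it as `# Allow camera HAL to send trace packets to Perfetto (userdebug/eng builds only)` so a later edit does not lift the guard unnoticed. The denials quoted in the commit message were captured with `permissive=1`, so it may be worth re-running the test on an enforcing build to confirm the macro covers everything the HAL needs.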
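Review bot: The `dontaudit` rule in tracking_denials/hal_drm_default.te removes the AVC record for `hal_drm_default` reading `vndbinder_device`, so the access stays denied but is no longer visible in logs or bug reports. The comment carries only `# b/223502652`; pasting the original denial line under it would let whoever closes the bug see exactly what was suppressed and delete the rule. The commit message lists a second bug, 223330933, that the file does not mention; if it covers the same denial, the comment could read `# b/223502652, b/223330933`.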
Signed-off-by: Darren Hsu --- whitechapel/vendor/google/genfs_contexts | 125 +++++++++++------------ 1 file changed, 61 insertions(+), 64 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index c3773b0d..63d06d1c 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -81,31 +81,67 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a u:object genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0 # System_suspend -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/gpio_keys/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/11110000.usb/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /sys/devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-source-psy-5-0050/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 
+genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-source-psy-5-0050/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/gpio_keys/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/sound-aoc/wakeup u:object_r:sysfs_wakeup:s0 # Touch genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0 
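Review bot: The sorted System_suspend block needs a one-line comment stating its convention, because this hunk is more than a reorder: the entries that still ended in `/wakeup/wakeup` are rewritten to `/wakeup`, and the `/sys/devices/...maxfg/wakeup` line is dropped. Something like `# One entry per device wakeup directory; genfscon matches by prefix, so the nodes below it get sysfs_wakeup` above the first entry would make that explicit for anyone diffing the policy. The `sysfs_touch` entry for `/devices/platform/10d40000.spi/spi_master/spi11/spi11.0` just below shares a prefix with one of the wakeup entries. As I understand genfscon matching, the longer path takes precedence, and the block relies on that.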
@@ -189,45 +225,6 @@ genfscon sysfs /devices/system/chip-id/product_id u:object_r:sysfs_chip_id: genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_chip_id:s0 genfscon sysfs /devices/system/chip-id/raw_str u:object_r:sysfs_chip_id:s0 -# system_suspend wakeup nodes -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup 
u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/sound-aoc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup u:object_r:sysfs_wakeup:s0 - # OTA genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 From 9b54bf3665abce7a6f5f5df22069a8ef081ad80e Mon Sep 17 00:00:00 2001 From: Kris Chen Date: Wed, 8 Dec 2021 07:05:51 +0800 Subject: [PATCH 567/921] Allow hal_fingerprint_default to access fwk_sensor_hwservice Fix the following avc denial: avc: denied { find } for interface=android.frameworks.sensorservice::ISensorManager sid=u:r:hal_fingerprint_default:s0 pid=1258 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:fwk_sensor_hwservice:s0 tclass=hwservice_manager permissive=0 Bug: 197789721 Test: build and test fingerprint on device. Change-Id: I7494f28e69e5a1b660dc7fbaa528b1088048723b --- whitechapel/vendor/google/hal_fingerprint_default.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te index b2378682..d1ac4d72 100644 --- a/whitechapel/vendor/google/hal_fingerprint_default.te +++ b/whitechapel/vendor/google/hal_fingerprint_default.te 
@@ -20,3 +20,7 @@ r_dir_file(hal_fingerprint_default, sysfs_chosen) # Allow fingerprint to access calibration blk device. allow hal_fingerprint_default mfg_data_block_device:blk_file { rw_file_perms }; allow hal_fingerprint_default block_device:dir search; + +# Allow fingerprint to access fwk_sensor_hwservice +allow hal_fingerprint_default fwk_sensor_hwservice:hwservice_manager find; + From f7aba106742d75811287a08e3ab242f4469e927e Mon Sep 17 00:00:00 2001 From: TeYuan Wang Date: Thu, 10 Mar 2022 21:27:00 +0800 Subject: [PATCH 568/921] Move libperfmgr thermal rules to pixel-sepolicy Bug: 213257759 Bug: 188579571 Test: build Change-Id: I9893d53055594bfb4e4dba3d68b53f0fe132617d --- whitechapel/vendor/google/hal_power_default.te | 4 ---- 1 file changed, 4 deletions(-) diff --git a/whitechapel/vendor/google/hal_power_default.te b/whitechapel/vendor/google/hal_power_default.te index a04e40a1..22764a32 100644 --- a/whitechapel/vendor/google/hal_power_default.te +++ b/whitechapel/vendor/google/hal_power_default.te @@ -8,10 +8,6 @@ allow hal_power_default sysfs_devfreq_dir:dir r_dir_perms; allow hal_power_default sysfs_fabric:file rw_file_perms; allow hal_power_default sysfs_camera:file rw_file_perms; allow hal_power_default sysfs_display:file rw_file_perms; -allow hal_power_default thermal_link_device:dir r_dir_perms; -allow hal_power_default sysfs_thermal:dir r_dir_perms; -allow hal_power_default sysfs_thermal:file rw_file_perms; -allow hal_power_default sysfs_thermal:lnk_file r_file_perms; allow hal_power_default sysfs_bcl:dir r_dir_perms; allow hal_power_default sysfs_bcl:file rw_file_perms; set_prop(hal_power_default, vendor_camera_prop) From 17f6a0a1bae86210534eeaa0eedfc3126ccde7b6 Mon Sep 17 00:00:00 2001 
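Review bot: The added comment in hal_fingerprint_default.te repeats the rule rather than giving the reason the fingerprint HAL needs the framework sensor service, which is what a later audit of this domain would look for. I would suggest something like `# Fingerprint HAL looks up ISensorManager (fwk_sensor_hwservice); see b/197789721`, with the actual use filled in by the author. The hunk also adds a blank line at the end of the file, which can be dropped.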
From: eddielan Date: Mon, 14 Mar 2022 10:57:53 +0800 Subject: [PATCH 569/921] sepolicy: Add policy for persist.vendor.udfps Bug: 222175797 Test: Build Pass Change-Id: I978325adb5cf25a590b307a38ce2deac4034e656 --- whitechapel/vendor/google/property_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index cdbe1bc4..a4f2016b 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -107,6 +107,7 @@ vendor.tcpdump.output.dir u:object_r:vendor_tcpdump_log_pr # Fingerprint vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0 vendor.gf. u:object_r:vendor_fingerprint_prop:s0 +persist.vendor.udfps. u:object_r:vendor_fingerprint_prop:s0 # Dynamic sensor vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0 From 2018f942a7cb361f701b9691d23c8abfcc87949b Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Thu, 10 Mar 2022 08:48:05 +0800 Subject: [PATCH 570/921] sepolicy: reorder genfs labels for system suspend Bug: 223683748 Test: check bugreport without relevant avc denials Change-Id: I66ede69d94bb3cb1a446e1cd5f3250b6f9b7f7e9 Signed-off-by: Darren Hsu --- whitechapel/vendor/google/genfs_contexts | 124 +++++++++++------------ 1 file changed, 61 insertions(+), 63 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 0e231fed..33d761d0 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
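Review bot: Mapping `persist.vendor.udfps.` to `vendor_fingerprint_prop` in property_contexts means every domain that may already set `vendor.fingerprint.` or `vendor.gf.` properties can now write values that survive a reboot. Which domains hold `set_prop` on this type is not visible in the hunk, so please confirm that this set is meant to own persistent UDFPS state. Otherwise a dedicated type for the `persist.` prefix would keep the grant narrow. A short comment such as `# UDFPS settings persisted across reboots` next to the entry would also help.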
@@ -79,30 +79,67 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a u:object genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0 # System_suspend -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/cpif/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/11110000.usb/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /sys/devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-source-psy-5-0050/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-source-psy-5-0050/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/gpio_keys/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/sound-aoc/wakeup u:object_r:sysfs_wakeup:s0 # Touch genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0 
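Review bot: The subject calls this a reorder, but every rewritten entry in the System_suspend block that ended in `.../wakeup/wakeup` now ends in `.../wakeup`, and the old `/sys/devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup` line disappears without mention. genfscon entries match by path prefix, so each shortened line labels the `wakeup` directory and everything below it as `sysfs_wakeup`, which widens what domains with access to that type can reach. That looks intentional, but it should be stated where the next editor will find it, for example with `# Prefix match: each entry labels the whole wakeup directory, not a single node` above the block. The second hunk of this file only removes the old duplicate list.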
@@ -177,45 +214,6 @@ genfscon sysfs /devices/system/chip-id/product_id u:object_r:sysfs_chip_id: genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_chip_id:s0 genfscon sysfs /devices/system/chip-id/raw_str u:object_r:sysfs_chip_id:s0 -# system_suspend wakeup nodes -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup/wakeup u:object_r:sysfs_wakeup:s0 - # OTA genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 From 753edef5f6da6c4a170295470d801787d6961d94 Mon Sep 17 00:00:00 2001 From: samou Date: Tue, 22 Feb 2022 06:54:31 +0000 Subject: [PATCH 571/921] Move ODPM file rule to pixel sepolicy Bug: 213257759 Change-Id: Ic9a89950a609efe5434dfedc0aa023312c4192d9 --- whitechapel/vendor/google/file.te | 1 - whitechapel/vendor/google/hal_power_stats_default.te | 2 -- whitechapel/vendor/google/hal_thermal_default.te | 1 - 3 files changed, 4 deletions(-) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 90098249..6eabe45d 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -152,7 +152,6 @@ type sysfs_chargelevel, sysfs_type, fs_type; # ODPM type powerstats_vendor_data_file, file_type, data_file_type; -type sysfs_odpm, sysfs_type, fs_type; # bcl type sysfs_bcl, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/hal_power_stats_default.te b/whitechapel/vendor/google/hal_power_stats_default.te index db81a74e..b8ab8c5b 100644 --- a/whitechapel/vendor/google/hal_power_stats_default.te 
+++ b/whitechapel/vendor/google/hal_power_stats_default.te @@ -7,8 +7,6 @@ binder_call(hal_power_stats_default, hal_bluetooth_btlinux) r_dir_file(hal_power_stats_default, sysfs_iio_devices) allow hal_power_stats_default powerstats_vendor_data_file:dir search; allow hal_power_stats_default powerstats_vendor_data_file:file r_file_perms; -allow hal_power_stats_default sysfs_odpm:dir search; -allow hal_power_stats_default sysfs_odpm:file rw_file_perms; allow hal_power_stats_default sysfs_edgetpu:dir search; allow hal_power_stats_default sysfs_edgetpu:file r_file_perms; diff --git a/whitechapel/vendor/google/hal_thermal_default.te b/whitechapel/vendor/google/hal_thermal_default.te index 9852a767..5e597c7c 100644 --- a/whitechapel/vendor/google/hal_thermal_default.te +++ b/whitechapel/vendor/google/hal_thermal_default.te @@ -1,2 +1 @@ allow hal_thermal_default sysfs_iio_devices:dir r_dir_perms; -allow hal_thermal_default sysfs_odpm:file r_file_perms; From 3ffd8035a2c882c846c26db7767a821a8f45b9dd Mon Sep 17 00:00:00 2001 From: Roshan Pius Date: Mon, 21 Mar 2022 09:13:58 -0700 Subject: [PATCH 572/921] gs-policy: Remove obsolete uwb vendor service rules This service no longer exists in the UCI stack. Bug: 186585880 Test: Manual UWB tests Change-Id: I198a20f85cb24f9e38035fa037609d6541640d9e --- whitechapel/vendor/google/service.te | 1 - whitechapel/vendor/google/service_contexts | 1 - whitechapel/vendor/google/system_server.te | 2 -- whitechapel/vendor/google/uwb_vendor_app.te | 2 -- 4 files changed, 6 deletions(-) diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te index aa60e3f7..8d5dc1ee 100644 --- a/whitechapel/vendor/google/service.te +++ b/whitechapel/vendor/google/service.te @@ -1,3 +1,2 @@ type hal_pixel_display_service, service_manager_type, vendor_service; -type uwb_vendor_service, service_manager_type, vendor_service; type hal_uwb_vendor_service, service_manager_type, vendor_service; 
diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index ca2ec939..25108867 100644 --- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts @@ -1,4 +1,3 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 -uwb_vendor u:object_r:uwb_vendor_service:s0 hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0 android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0 diff --git a/whitechapel/vendor/google/system_server.te b/whitechapel/vendor/google/system_server.te index b2563949..d064cb73 100644 --- a/whitechapel/vendor/google/system_server.te +++ b/whitechapel/vendor/google/system_server.te @@ -1,8 +1,6 @@ # Allow system server to send sensor data callbacks to GPS and camera HALs binder_call(system_server, gpsd); binder_call(system_server, hal_camera_default); -# Allow system server to find vendor uwb service -allow system_server uwb_vendor_service:service_manager find; # pixelstats_vendor/OrientationCollector binder_call(system_server, pixelstats_vendor) diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/whitechapel/vendor/google/uwb_vendor_app.te index 8822343c..68edcb1b 100644 --- a/whitechapel/vendor/google/uwb_vendor_app.te +++ b/whitechapel/vendor/google/uwb_vendor_app.te @@ -2,8 +2,6 @@ type uwb_vendor_app, domain; app_domain(uwb_vendor_app) -add_service(uwb_vendor_app, uwb_vendor_service) - not_recovery(` hal_client_domain(uwb_vendor_app, hal_uwb_vendor) From 117be9022957430cbac0b8e2bb67198abdebbd54 Mon Sep 17 00:00:00 2001 
From: Stephane Lee Date: Mon, 21 Mar 2022 17:42:10 -0700 Subject: [PATCH 573/921] Fix off-mode (charger) sepolicy for the health interface Bug: 223537397 Test: Ensure that there are no selinux errors for sysfs_batteryinfo in off-mode charging Change-Id: I46fa1b7552eb0655d0545538142131465a337f23
---
 whitechapel/vendor/google/charger_vendor.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/whitechapel/vendor/google/charger_vendor.te b/whitechapel/vendor/google/charger_vendor.te
index 7b914da1..df59b717 100644
--- a/whitechapel/vendor/google/charger_vendor.te
+++ b/whitechapel/vendor/google/charger_vendor.te
@@ -1,4 +1,5 @@
 allow charger_vendor mnt_vendor_file:dir search;
+allow charger_vendor sysfs_batteryinfo:file w_file_perms;
 allow charger_vendor persist_file:dir search;
 allow charger_vendor persist_battery_file:dir search;
 allow charger_vendor persist_battery_file:file rw_file_perms;
From b67138e8ae79fa4b8ad1283bae54d843fd6965cc Mon Sep 17 00:00:00 2001
From: Jack Wu Date: Wed, 9 Feb 2022 17:40:10 +0800 Subject: [PATCH 574/921] sepolicy: gs101: fix charger_vendor permission denied [ 27.025458][ T443] type=1400 audit(1644391560.640:11): avc: denied { search } for comm="android.hardwar" name="vendor" dev="tmpfs" ino=2 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=0 [ 26.563658][ T447] type=1400 audit(1644397622.588:5): avc: denied { search } for comm="android.hardwar" name="/" dev="sda1" ino=2 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=0 [ 27.198144][ T442] type=1400 audit(1644398156.152:5): avc: denied { search } for comm="android.hardwar" name="battery" dev="sda1" ino=12 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:persist_battery_file:s0 tclass=dir permissive=0 [ 27.327035][ T443] type=1400 audit(1644398785.276:5): avc: denied { read } for comm="android.hardwar" name="defender_active_time" dev="sda1" ino=17 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:persist_battery_file:s0 tclass=file permissive=0 [ 27.355009][ T443] type=1400 audit(1644398785.276:6): avc: denied { write } for comm="android.hardwar" name="defender_charger_time" dev="sda1" ino=16 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:persist_battery_file:s0 tclass=file permissive=0 [ 26.771705][ T444] type=1400 audit(1644379988.804:4): avc: denied { read } for comm="android.hardwar" name="specification_version" dev="sysfs" ino=56257 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0 [ 27.898684][ T445] type=1400 audit(1644392754.928:8): avc: denied { read } for comm="android.hardwar" name="thermal_zone6" dev="sysfs" ino=15901 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=lnk_file permissive=0 [ 29.180076][ T447] type=1400 audit(1644397625.200:9): avc: denied { write } for comm="android.hardwar" name="mode" dev="sysfs" ino=15915 scontext=u:r:charger_vendor:s0 
tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0 [ 27.043845][ T444] type=1400 audit(1644379988.808:9): avc: denied { search } for comm="android.hardwar" name="thermal" dev="tmpfs" ino=899 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:thermal_link_device:s0 tclass=dir permissive=0 [ 27.064916][ T444] type=1400 audit(1644379988.808:10): avc: denied { read } for comm="android.hardwar" name="u:object_r:vendor_battery_defender_prop:s0" dev="tmpfs" ino=306 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:vendor_battery_defender_prop:s0 tclass=file permissive=0 [ 27.356266][ T444] type=1107 audit(1644404450.376:4): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=vendor.battery.defender.state pid=457 uid=1000 gid=1000 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:vendor_battery_defender_prop:s0 tclass=property_service permissive=0' Bug: 218485039 Test: manually test, no avc: denied Signed-off-by: Jack Wu Change-Id: I091dbbca35fb833e59fdbc234d74b90bfe74014c Merged-In: I091dbbca35fb833e59fdbc234d74b90bfe74014c
---
 whitechapel/vendor/google/charger_vendor.te | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 whitechapel/vendor/google/charger_vendor.te
diff --git a/whitechapel/vendor/google/charger_vendor.te b/whitechapel/vendor/google/charger_vendor.te
new file mode 100644
index 00000000..7b914da1
--- /dev/null
+++ b/whitechapel/vendor/google/charger_vendor.te
@@ -0,0 +1,9 @@
+allow charger_vendor mnt_vendor_file:dir search;
+allow charger_vendor persist_file:dir search;
+allow charger_vendor persist_battery_file:dir search;
+allow charger_vendor persist_battery_file:file rw_file_perms;
+allow charger_vendor sysfs_scsi_devices_0000:file r_file_perms;
+allow charger_vendor sysfs_thermal:file w_file_perms;
+allow charger_vendor sysfs_thermal:lnk_file read;
+allow charger_vendor thermal_link_device:dir search;
+set_prop(charger_vendor, vendor_battery_defender_prop)
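Review bot: `allow charger_vendor sysfs_thermal:file w_file_perms;` gives the off-mode charger write access to every node labelled `sysfs_thermal`, while the only `sysfs_thermal` write denial quoted in the commit message is for a single file named `mode`. Whether a narrower label exists for that node cannot be seen from this page; if it does not, the rule should at least carry its reason, e.g. `# charger mode writes the thermal "mode" node only (b/218485039)`. The new file has no comments at all, so none of its nine rules can be traced back to the denial that motivated it without reading the commit log. The same applies to `persist_battery_file:file rw_file_perms`, where the log shows a read of `defender_active_time` and a write of `defender_charger_time`.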
From 84a06151a393254f3c6ed79cf0b27ff002501213 Mon Sep 17 00:00:00 2001 From: Stephane Lee Date: Mon, 21 Mar 2022 17:42:10 -0700 Subject: [PATCH 575/921] Fix off-mode (charger) sepolicy for the health interface Bug: 223537397 Test: Ensure that there are no selinux errors for sysfs_batteryinfo in off-mode charging Change-Id: I46fa1b7552eb0655d0545538142131465a337f23 Merged-In: I46fa1b7552eb0655d0545538142131465a337f23
---
 whitechapel/vendor/google/charger_vendor.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/whitechapel/vendor/google/charger_vendor.te b/whitechapel/vendor/google/charger_vendor.te
index 7b914da1..df59b717 100644
--- a/whitechapel/vendor/google/charger_vendor.te
+++ b/whitechapel/vendor/google/charger_vendor.te
@@ -1,4 +1,5 @@
 allow charger_vendor mnt_vendor_file:dir search;
+allow charger_vendor sysfs_batteryinfo:file w_file_perms;
 allow charger_vendor persist_file:dir search;
 allow charger_vendor persist_battery_file:dir search;
 allow charger_vendor persist_battery_file:file rw_file_perms;
From 22def09e8a0b05dc3a759bca0488d101aac6ee58 Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Thu, 24 Mar 2022 14:49:43 +0800 Subject: [PATCH 576/921] Allow hal_power_stats to read sysfs_aoc_dumpstate avc: denied { read } for comm="android.hardwar" name="restart_count" dev="sysfs" ino=72823 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_aoc_dumpstate:s0 tclass=file permissive=0 Bug: 226173008 Test: check bugreport without avc denials Change-Id: Iccd8e4475ba6055d07aedc43de72bd39e6674469 Signed-off-by: Darren Hsu
---
 whitechapel/vendor/google/hal_power_stats_default.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/whitechapel/vendor/google/hal_power_stats_default.te b/whitechapel/vendor/google/hal_power_stats_default.te
index db81a74e..13a0487f 100644
--- a/whitechapel/vendor/google/hal_power_stats_default.te
+++ b/whitechapel/vendor/google/hal_power_stats_default.te
@@ -15,6 +15,7 @@ allow hal_power_stats_default sysfs_edgetpu:file r_file_perms; binder_call(hal_power_stats_default, citadeld) r_dir_file(hal_power_stats_default, sysfs_aoc) +r_dir_file(hal_power_stats_default, sysfs_aoc_dumpstate) r_dir_file(hal_power_stats_default, sysfs_cpu) r_dir_file(hal_power_stats_default, sysfs_leds) r_dir_file(hal_power_stats_default, sysfs_acpm_stats) From 28ddd3bf9fcfa679679ad3580daf6e2517fe8ee7 Mon Sep 17 00:00:00 2001 From: Chris Kuiper Date: Thu, 24 Mar 2022 17:55:43 -0700 Subject: [PATCH 577/921] Allow Sensor HAL access to display sysfs panel_name file. Bug: 208926536 Test: Accessed the display sysfs from sensor HAL correctly. Change-Id: Ide86813de20a1240f8ac55322b017329f30b296e --- usf/sensor_hal.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index ac9d5c2d..bda44c9f 100644 --- a/usf/sensor_hal.te +++ b/usf/sensor_hal.te @@ -59,6 +59,9 @@ allow hal_sensors_default hidraw_device:chr_file rw_file_perms; allow hal_sensors_default hal_pixel_display_service:service_manager find; binder_call(hal_sensors_default, hal_graphics_composer_default) +# Allow sensor HAL to access to display sysfs. +allow hal_sensors_default sysfs_display:file r_file_perms; + # # Suez type enforcements. # From f11f53a3ae94eaf539bc2ebf38f58b736f9a609a Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Fri, 25 Mar 2022 11:14:48 +0800 Subject: [PATCH 578/921] Allow hal_power_stats to read sysfs_aoc_dumpstate avc: denied { read } for comm="android.hardwar" name="restart_count" dev="sysfs" ino=72823 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_aoc_dumpstate:s0 tclass=file permissive=0 Bug: 226173008 Test: check bugreport without avc denials Change-Id: Ife3a7e00a1ffbcbed7fd8b744f2ac8910931a5fb Signed-off-by: Darren Hsu --- whitechapel/vendor/google/hal_power_stats_default.te | 1 + 1 file changed, 1 insertion(+) 
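Review bot: `allow hal_sensors_default sysfs_display:file r_file_perms;` opens every file labelled `sysfs_display` to the sensor HAL, although the subject line says only `panel_name` is needed. The same broad grant is repeated for `hal_fingerprint_default` in patch 579, where the quoted denial is likewise a read of `panel_name`. Giving that one node its own type through a genfscon entry and granting read on it, for instance `allow hal_sensors_default <panel_name_type>:file r_file_perms;` (placeholder type name), would keep both HALs away from the rest of the display sysfs tree. If the shared label stays, a comment naming the file, such as `# Reads panel_name only (b/208926536)`, records the intent.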
diff --git a/whitechapel/vendor/google/hal_power_stats_default.te b/whitechapel/vendor/google/hal_power_stats_default.te index db81a74e..13a0487f 100644 --- a/whitechapel/vendor/google/hal_power_stats_default.te +++ b/whitechapel/vendor/google/hal_power_stats_default.te @@ -15,6 +15,7 @@ allow hal_power_stats_default sysfs_edgetpu:file r_file_perms; binder_call(hal_power_stats_default, citadeld) r_dir_file(hal_power_stats_default, sysfs_aoc) +r_dir_file(hal_power_stats_default, sysfs_aoc_dumpstate) r_dir_file(hal_power_stats_default, sysfs_cpu) r_dir_file(hal_power_stats_default, sysfs_leds) r_dir_file(hal_power_stats_default, sysfs_acpm_stats) From 3df0d7812b3f1c996b7ffce6f1c7cd3b66d70b08 Mon Sep 17 00:00:00 2001 From: Kris Chen Date: Fri, 25 Mar 2022 14:53:53 +0800 Subject: [PATCH 579/921] Allow hal_fingerprint_default to access sysfs_display Fix the following avc denial: avc: denied { read } for name="panel_name" dev="sysfs" ino=71133 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_display:s0 tclass=file permissive=0 Bug: 223687187 Test: build and test fingerprint on device. Change-Id: Ic2b2cadb97f36643b79de6a8ebfe2232093fe7d7 --- whitechapel/vendor/google/hal_fingerprint_default.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te index d1ac4d72..2b2e852d 100644 --- a/whitechapel/vendor/google/hal_fingerprint_default.te +++ b/whitechapel/vendor/google/hal_fingerprint_default.te @@ -24,3 +24,5 @@ allow hal_fingerprint_default block_device:dir search; # Allow fingerprint to access fwk_sensor_hwservice allow hal_fingerprint_default fwk_sensor_hwservice:hwservice_manager find; +# Allow fingerprint to read sysfs_display +allow hal_fingerprint_default sysfs_display:file r_file_perms; From a4b9ad439bb11472639d499d1b94cce335a1c06b Mon Sep 17 00:00:00 2001 
From: Badhri Jagan Sridharan Date: Tue, 19 Oct 2021 13:26:34 -0700 Subject: [PATCH 580/921] android.hardware.usb.IUsb AIDL migration android.hardware.usb.IUsb is migrated to AIDL and runs in its own process. android.hardware.usb.gadget.IUsbGadget is now published in its own exclusive process (android.hardware.usb.gadget-service). Creating file_context and moving the selinux linux rules for IUsbGadget implementation. Bug: 200993386 Change-Id: Ia8c24610244856490c8271433710afb57d3da157 Merged-In: Ia8c24610244856490c8271433710afb57d3da157 (cherry picked from commit 51735ba3ab65065bd79676c4b0e74f970ba1ea90)
---
 whitechapel/vendor/google/file_contexts | 3 ++- whitechapel/vendor/google/hal_usb_gadget_impl.te | 14 ++++++++++++++ whitechapel/vendor/google/hal_usb_impl.te | 5 ----- whitechapel/vendor/google/system_server.te | 1 + 4 files changed, 17 insertions(+), 6 deletions(-) create mode 100644 whitechapel/vendor/google/hal_usb_gadget_impl.te
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 309c8969..e7725c37 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -7,7 +7,8 @@ /(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.ExynosHWCServiceTW@1\.0-service u:object_r:hal_vendor_hwcservice_default_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.3-service\.gs101 u:object_r:hal_usb_impl_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.usb-service\.gs101 u:object_r:hal_usb_impl_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget-service\.gs101 u:object_r:hal_usb_gadget_impl_exec:s0 /(vendor|system/vendor)/lib(64)?/libion_exynos\.so u:object_r:same_process_hal_file:s0 /(vendor|system/vendor)/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0 diff --git a/whitechapel/vendor/google/hal_usb_gadget_impl.te b/whitechapel/vendor/google/hal_usb_gadget_impl.te new file mode 100644 index 00000000..5170a8ae --- /dev/null +++ b/whitechapel/vendor/google/hal_usb_gadget_impl.te @@ -0,0 +1,14 @@ +type hal_usb_gadget_impl, domain; +hal_server_domain(hal_usb_gadget_impl, hal_usb) +hal_server_domain(hal_usb_gadget_impl, hal_usb_gadget) + +type hal_usb_gadget_impl_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(hal_usb_gadget_impl) + +allow hal_usb_gadget_impl configfs:dir { create rmdir }; +allow hal_usb_gadget_impl functionfs:dir { watch watch_reads }; +set_prop(hal_usb_gadget_impl, vendor_usb_config_prop) + +allow hal_usb_gadget_impl sysfs_batteryinfo:dir r_dir_perms; +allow hal_usb_gadget_impl sysfs_batteryinfo:file rw_file_perms; +allow hal_usb_gadget_impl sysfs_extcon:dir search; diff --git a/whitechapel/vendor/google/hal_usb_impl.te b/whitechapel/vendor/google/hal_usb_impl.te index ec640c29..736f2cc3 100644 --- a/whitechapel/vendor/google/hal_usb_impl.te +++ b/whitechapel/vendor/google/hal_usb_impl.te 
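Review bot: `hal_usb_gadget_impl` is declared as a server for both `hal_usb` and `hal_usb_gadget`, and it takes over the `sysfs_batteryinfo` and `sysfs_extcon` rules unchanged from `hal_usb_impl`, even though the description says IUsb and IUsbGadget now run in separate processes. If the gadget service does not implement IUsb, `hal_server_domain(hal_usb_gadget_impl, hal_usb)` should be dropped so the new process is not also authorised to act as the USB HAL. Likewise `allow hal_usb_gadget_impl sysfs_batteryinfo:file rw_file_perms;` is worth reducing to what the gadget code really touches; nothing in this commit shows a need for write access. A short comment per rule group in the new file would make the split auditable.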
@@ -1,14 +1,9 @@ type hal_usb_impl, domain; hal_server_domain(hal_usb_impl, hal_usb) -hal_server_domain(hal_usb_impl, hal_usb_gadget) type hal_usb_impl_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(hal_usb_impl) -allow hal_usb_impl configfs:dir { create rmdir }; -allow hal_usb_impl functionfs:dir { watch watch_reads }; -set_prop(hal_usb_impl, vendor_usb_config_prop) - allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms; allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms; allow hal_usb_impl sysfs_extcon:dir search; diff --git a/whitechapel/vendor/google/system_server.te b/whitechapel/vendor/google/system_server.te index b2563949..abae67c1 100644 --- a/whitechapel/vendor/google/system_server.te +++ b/whitechapel/vendor/google/system_server.te @@ -3,6 +3,7 @@ binder_call(system_server, gpsd); binder_call(system_server, hal_camera_default); # Allow system server to find vendor uwb service allow system_server uwb_vendor_service:service_manager find; +allow system_server hal_usb_service:service_manager find; # pixelstats_vendor/OrientationCollector binder_call(system_server, pixelstats_vendor) From de44d766e48789f2b79292dddc5aa842b17c8c5f Mon Sep 17 00:00:00 2001 From: chungkai Date: Wed, 23 Mar 2022 09:45:37 +0000 Subject: [PATCH 581/921] sched: move sysfs to procfs Modify name from sysfs_vendor_sched to proc_vendor_sched Test: without avc denial Bug: 216207007 
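Review bot: In system_server.te the added `allow system_server hal_usb_service:service_manager find;` sits directly under the comment `# Allow system server to find vendor uwb service`, so it reads as part of the UWB allowance. Give it its own comment, for example `# Allow system server to find the AIDL USB HAL service`, and separate it from the UWB rule with a blank line. Whether platform policy already grants this lookup to clients of the USB HAL is not visible from this hunk and is worth confirming before a vendor-side rule is added.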
Signed-off-by: chungkai Change-Id: Ic113b2d8ee1d3ae1ced9985636b17ef1e7657a84 --- private/gmscore_app.te | 2 +- private/permissioncontroller_app.te | 4 ++-- private/priv_app.te | 2 +- whitechapel/vendor/google/bluetooth.te | 4 ++-- whitechapel/vendor/google/bug_map | 2 +- whitechapel/vendor/google/domain.te | 4 ++-- whitechapel/vendor/google/hal_dumpstate_default.te | 2 +- whitechapel/vendor/google/hal_power_default.te | 2 +- whitechapel/vendor/google/hbmsvmanager_app.te | 4 ++-- whitechapel/vendor/google/logger_app.te | 4 ++-- whitechapel/vendor/google/mediaprovider.te | 4 ++-- whitechapel/vendor/google/nfc.te | 4 ++-- whitechapel/vendor/google/platform_app.te | 4 ++-- whitechapel/vendor/google/radio.te | 4 ++-- whitechapel/vendor/google/secure_element.te | 4 ++-- whitechapel/vendor/google/shell.te | 4 ++-- whitechapel/vendor/google/ssr_detector.te | 4 ++-- whitechapel/vendor/google/system_app.te | 4 ++-- whitechapel/vendor/google/untrusted_app_all.te | 4 ++-- 19 files changed, 33 insertions(+), 33 deletions(-)
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 3968de30..e52eb551 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -1,3 +1,3 @@
 # b/177389198
 dontaudit gmscore_app adbd_prop:file *;
-dontaudit gmscore_app sysfs_vendor_sched:file write;
+dontaudit gmscore_app proc_vendor_sched:file write;
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
index 425ea309..4619571c 100644
--- a/private/permissioncontroller_app.te
+++ b/private/permissioncontroller_app.te
@@ -1,3 +1,3 @@
-allow permissioncontroller_app sysfs_vendor_sched:dir r_dir_perms;
-allow permissioncontroller_app sysfs_vendor_sched:file w_file_perms;
+allow permissioncontroller_app proc_vendor_sched:dir r_dir_perms;
+allow permissioncontroller_app proc_vendor_sched:file w_file_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index de2a4f28..c77a18da 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -17,4 +17,4 @@ dontaudit priv_app ab_update_gki_prop:file { getattr };
 dontaudit priv_app ab_update_gki_prop:file { map };
 dontaudit priv_app adbd_prop:file { open };
 dontaudit priv_app adbd_prop:file { getattr };
-dontaudit priv_app sysfs_vendor_sched:file write;
+dontaudit priv_app proc_vendor_sched:file write;
diff --git a/whitechapel/vendor/google/bluetooth.te b/whitechapel/vendor/google/bluetooth.te
index b246eca1..92737abe 100644
--- a/whitechapel/vendor/google/bluetooth.te
+++ b/whitechapel/vendor/google/bluetooth.te
@@ -1,3 +1,3 @@
-allow bluetooth sysfs_vendor_sched:dir search;
-allow bluetooth sysfs_vendor_sched:file w_file_perms;
+allow bluetooth proc_vendor_sched:dir search;
+allow bluetooth proc_vendor_sched:file w_file_perms;
diff --git a/whitechapel/vendor/google/bug_map b/whitechapel/vendor/google/bug_map
index 6799ba21..b7c26b57 100644
--- a/whitechapel/vendor/google/bug_map
+++ b/whitechapel/vendor/google/bug_map
@@ -1,3 +1,3 @@
-permissioncontroller_app sysfs_vendor_sched file b/190671898
+permissioncontroller_app proc_vendor_sched file b/190671898
 vendor_ims_app default_prop file b/194281028
 hal_fingerprint_default default_prop property_service b/215640468
diff --git a/whitechapel/vendor/google/domain.te b/whitechapel/vendor/google/domain.te
index 3e1cbbb7..fd876e09 100644
--- a/whitechapel/vendor/google/domain.te
+++ b/whitechapel/vendor/google/domain.te
@@ -1,2 +1,2 @@
-allow {domain -appdomain -rs} sysfs_vendor_sched:dir r_dir_perms;
-allow {domain -appdomain -rs} sysfs_vendor_sched:file w_file_perms;
+allow {domain -appdomain -rs} proc_vendor_sched:dir r_dir_perms;
+allow {domain -appdomain -rs} proc_vendor_sched:file w_file_perms;
diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te
index 612b3c0b..66c51b7c 100644
--- a/whitechapel/vendor/google/hal_dumpstate_default.te
+++ b/whitechapel/vendor/google/hal_dumpstate_default.te
@@ -96,7 +96,7 @@ binder_call(hal_dumpstate_default, hal_graphics_composer_default); allow hal_dumpstate_default sysfs_display:dir r_dir_perms; allow hal_dumpstate_default sysfs_display:file r_file_perms; -allow hal_dumpstate_default sysfs_vendor_sched:file read; +allow hal_dumpstate_default proc_vendor_sched:file read; allow hal_dumpstate_default proc_vendor_sched:dir r_dir_perms; allow hal_dumpstate_default proc_vendor_sched:file r_file_perms; diff --git a/whitechapel/vendor/google/hal_power_default.te b/whitechapel/vendor/google/hal_power_default.te index 22764a32..19cd0bb4 100644 --- a/whitechapel/vendor/google/hal_power_default.te +++ b/whitechapel/vendor/google/hal_power_default.te @@ -1,7 +1,7 @@ allow hal_power_default sysfs_scsi_devices_0000:file rw_file_perms; allow hal_power_default sysfs_fs_f2fs:dir r_dir_perms; allow hal_power_default sysfs_fs_f2fs:file rw_file_perms; -allow hal_power_default sysfs_vendor_sched:file rw_file_perms; +allow hal_power_default proc_vendor_sched:file rw_file_perms; allow hal_power_default cpuctl_device:file rw_file_perms; allow hal_power_default sysfs_gpu:file rw_file_perms; allow hal_power_default sysfs_devfreq_dir:dir r_dir_perms; diff --git a/whitechapel/vendor/google/hbmsvmanager_app.te b/whitechapel/vendor/google/hbmsvmanager_app.te index 2300a2a8..b7058090 100644 --- a/whitechapel/vendor/google/hbmsvmanager_app.te +++ b/whitechapel/vendor/google/hbmsvmanager_app.te @@ -2,8 +2,8 @@ type hbmsvmanager_app, domain, coredomain; app_domain(hbmsvmanager_app); -allow hbmsvmanager_app sysfs_vendor_sched:dir r_dir_perms; -allow hbmsvmanager_app sysfs_vendor_sched:file w_file_perms; +allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms; +allow hbmsvmanager_app proc_vendor_sched:file w_file_perms; allow hbmsvmanager_app hal_pixel_display_service:service_manager find; binder_call(hbmsvmanager_app, hal_graphics_composer_default) 
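Review bot: In hal_dumpstate_default.te the renamed rule `allow hal_dumpstate_default proc_vendor_sched:file read;` is redundant, because the context lines directly below it already grant `proc_vendor_sched:dir r_dir_perms` and `proc_vendor_sched:file r_file_perms` to the same domain, and `r_file_perms` includes `read`. Delete the line instead of renaming it. Keeping one grant per domain and type makes it easier to audit later which domains can reach the scheduler nodes.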
diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te index d091cff0..be15d0e6 100644 --- a/whitechapel/vendor/google/logger_app.te +++ b/whitechapel/vendor/google/logger_app.te @@ -24,6 +24,6 @@ userdebug_or_eng(` set_prop(logger_app, vendor_wifi_sniffer_prop) dontaudit logger_app default_prop:file { read }; - dontaudit logger_app sysfs_vendor_sched:dir search; - dontaudit logger_app sysfs_vendor_sched:file write; + dontaudit logger_app proc_vendor_sched:dir search; + dontaudit logger_app proc_vendor_sched:file write; ') diff --git a/whitechapel/vendor/google/mediaprovider.te b/whitechapel/vendor/google/mediaprovider.te index 835593fc..dc3e1c01 100644 --- a/whitechapel/vendor/google/mediaprovider.te +++ b/whitechapel/vendor/google/mediaprovider.te @@ -1,2 +1,2 @@ -dontaudit mediaprovider sysfs_vendor_sched:dir search; -dontaudit mediaprovider sysfs_vendor_sched:file write; +dontaudit mediaprovider proc_vendor_sched:dir search; +dontaudit mediaprovider proc_vendor_sched:file write; diff --git a/whitechapel/vendor/google/nfc.te b/whitechapel/vendor/google/nfc.te index febd851a..80784434 100644 --- a/whitechapel/vendor/google/nfc.te +++ b/whitechapel/vendor/google/nfc.te @@ -1,2 +1,2 @@ -allow nfc sysfs_vendor_sched:dir r_dir_perms; -allow nfc sysfs_vendor_sched:file w_file_perms; +allow nfc proc_vendor_sched:dir r_dir_perms; +allow nfc proc_vendor_sched:file w_file_perms; diff --git a/whitechapel/vendor/google/platform_app.te b/whitechapel/vendor/google/platform_app.te index 70480beb..49fb531b 100644 --- a/whitechapel/vendor/google/platform_app.te +++ b/whitechapel/vendor/google/platform_app.te 
@@ -4,8 +4,8 @@ allow platform_app hal_exynos_rild_hwservice:hwservice_manager find; allow platform_app hal_wlc_hwservice:hwservice_manager find; binder_call(platform_app, hal_wlc) -allow platform_app sysfs_vendor_sched:dir r_dir_perms; -allow platform_app sysfs_vendor_sched:file w_file_perms; +allow platform_app proc_vendor_sched:dir r_dir_perms; +allow platform_app proc_vendor_sched:file w_file_perms; allow platform_app nfc_service:service_manager find; allow platform_app uwb_service:service_manager find; diff --git a/whitechapel/vendor/google/radio.te b/whitechapel/vendor/google/radio.te index af56688b..baa356bd 100644 --- a/whitechapel/vendor/google/radio.te +++ b/whitechapel/vendor/google/radio.te @@ -1,6 +1,6 @@ allow radio hal_exynos_rild_hwservice:hwservice_manager find; -allow radio sysfs_vendor_sched:dir r_dir_perms; -allow radio sysfs_vendor_sched:file w_file_perms; +allow radio proc_vendor_sched:dir r_dir_perms; +allow radio proc_vendor_sched:file w_file_perms; # Allow telephony to access file descriptor of the QOS socket # so it can make sure the QOS is meant for the intended addresses diff --git a/whitechapel/vendor/google/secure_element.te b/whitechapel/vendor/google/secure_element.te index 831d360e..cb6c1396 100644 --- a/whitechapel/vendor/google/secure_element.te +++ b/whitechapel/vendor/google/secure_element.te @@ -1,2 +1,2 @@ -allow secure_element sysfs_vendor_sched:dir r_dir_perms; -allow secure_element sysfs_vendor_sched:file w_file_perms; +allow secure_element proc_vendor_sched:dir r_dir_perms; +allow secure_element proc_vendor_sched:file w_file_perms; diff --git a/whitechapel/vendor/google/shell.te b/whitechapel/vendor/google/shell.te index abc2f2cc..f982424d 100644 --- a/whitechapel/vendor/google/shell.te +++ b/whitechapel/vendor/google/shell.te 
@@ -6,5 +6,5 @@ userdebug_or_eng(` allow shell sysfs_sjtag:file rw_file_perms; ') -dontaudit shell sysfs_vendor_sched:dir search; -dontaudit shell sysfs_vendor_sched:file write; +dontaudit shell proc_vendor_sched:dir search; +dontaudit shell proc_vendor_sched:file write; diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te index 958ed352..934028e1 100644 --- a/whitechapel/vendor/google/ssr_detector.te +++ b/whitechapel/vendor/google/ssr_detector.te @@ -13,8 +13,8 @@ userdebug_or_eng(` allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; allow ssr_detector_app sysfs_sjtag:file rw_file_perms; - allow ssr_detector_app sysfs_vendor_sched:dir search; - allow ssr_detector_app sysfs_vendor_sched:file rw_file_perms; + allow ssr_detector_app proc_vendor_sched:dir search; + allow ssr_detector_app proc_vendor_sched:file rw_file_perms; allow ssr_detector_app cgroup:file write; ') diff --git a/whitechapel/vendor/google/system_app.te b/whitechapel/vendor/google/system_app.te index 07536ccf..8c9d5345 100644 --- a/whitechapel/vendor/google/system_app.te +++ b/whitechapel/vendor/google/system_app.te @@ -1,5 +1,5 @@ -allow system_app sysfs_vendor_sched:dir r_dir_perms; -allow system_app sysfs_vendor_sched:file w_file_perms; +allow system_app proc_vendor_sched:dir r_dir_perms; +allow system_app proc_vendor_sched:file w_file_perms; allow system_app hal_wlc_hwservice:hwservice_manager find; binder_call(system_app, hal_wlc) diff --git a/whitechapel/vendor/google/untrusted_app_all.te b/whitechapel/vendor/google/untrusted_app_all.te index dda81542..642ee175 100644 --- a/whitechapel/vendor/google/untrusted_app_all.te +++ b/whitechapel/vendor/google/untrusted_app_all.te 
@@ -2,5 +2,5 @@ # for secure video playback allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms; -dontaudit untrusted_app_all sysfs_vendor_sched:dir search; -dontaudit untrusted_app_all sysfs_vendor_sched:file write; +dontaudit untrusted_app_all proc_vendor_sched:dir search; +dontaudit untrusted_app_all proc_vendor_sched:file write; From ed3ac0623ba0237bfc969d971b7a0cae718a7deb Mon Sep 17 00:00:00 2001 From: sukiliu Date: Thu, 31 Mar 2022 15:47:05 +0800 Subject: [PATCH 582/921] Update avc error on ROM 8386107 Bug: 226717475 Test: PtsSELinuxTestCases Change-Id: Ia366a4ad0f193858960b7c5df34096bd2d4eada5 --- tracking_denials/dumpstate.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index fa9d5cec..fc4afa4d 100644 --- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te @@ -2,3 +2,5 @@ dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; # b/190337283 dontaudit dumpstate debugfs_wakeup_sources:file read; +# b/226717475 +dontaudit dumpstate app_zygote:process { signal }; From e60773b92616763b439adb35ff801ef31c71fb6e Mon Sep 17 00:00:00 2001 
From: Albert Wang Date: Wed, 30 Mar 2022 07:43:46 +0800 Subject: [PATCH 583/921] Add more xHCI wakeup path for suspend_control To addressdd the xHCI wakeup nodes permission problem, add new nodes: /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb2/wakeup /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb3/wakeup avc: denied { read } for name="wakeup175" dev="sysfs" ino=162091 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0 android.system.suspend@1.0-service: Error opening kernel wakelock stats for: wakeup175 (../../devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb2/wakeup/ wakeup175): Permission denied avc: denied { read } for name="wakeup176" dev="sysfs" ino=162107 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0 android.system.suspend@1.0-service: Error opening kernel wakelock stats for: wakeup176 (../../devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb3/wakeup/ wakeup176): Permission denied Bug: 226056256 Test: test build to verify sepolicy log Signed-off-by: Albert Wang Change-Id: I7f65597f91db5a16d4f9de4f6bb018bd5b50a965 --- whitechapel/vendor/google/genfs_contexts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 33d761d0..38ffef5f 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -116,7 +116,11 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_sup
 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb2/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb3/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb2/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb3/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11110000.usb/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
From 8a19d8be9c355dfb2224449e0709d0718f018267 Mon Sep 17 00:00:00 2001 From: chungkai Date: Thu, 31 Mar 2022 05:52:07 +0000 Subject: [PATCH 584/921] genfs_contexts: fix path for i2c peripheral devices paths are changed when we enable parallel module loading and reorder the initializtaion of devices. Test: without avc denial on Raven Bug: 227541760 Signed-off-by: chungkai Change-Id: I7d835205696fd727e9be24fcf010ed44bcd5d6ae --- whitechapel/vendor/google/genfs_contexts | 102 +++++++++++++++++++---- 1 file changed, 88 insertions(+), 14 deletions(-)
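Review bot: The four `genfscon` lines added to whitechapel/vendor/google/genfs_contexts by patch 583 pin the labels to `xhci-hcd-exynos.4.auto` and `xhci-hcd-exynos.5.auto`, and the `.N.auto` suffix is an instance id the kernel assigns at registration, so it can shift with probe order. A node that lands on another id keeps the generic `sysfs` label and system_suspend is denied again, which fails closed but silently drops the wakeup statistics. A comment above the block would record this, for example `# xHCI root-hub wakeup nodes; the .N.auto index depends on probe order, extend when new ids appear`. The denials quoted in the commit message only show the `.5.auto` paths, so the `.4.auto` entries appear to be added by analogy.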
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 63d06d1c..bcdff4b0 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -29,21 +29,29 @@ genfscon sysfs /devices/platform/10d50000.hsi2c # Slider genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -# R4 / P7 LunchBox -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0061/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0061/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0050/eeprom 
u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0050/eeprom u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power_stats u:object_r:sysfs_power_stats:s0 - -# O6 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0057/chg_stats u:object_r:sysfs_pca:s0 # Storage genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0 
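Review bot: The rewritten p9412/eeprom block in the first genfs_contexts hunk of patch 584 drops the `# R4 / P7 LunchBox` and `# O6` headings and replaces them with entries for every bus number from i2c-4 to i2c-8, with nothing in the file saying why. Add a comment such as `# i2c bus numbers vary with module load order; label every bus id the device may be probed on`, so a later reader does not prune the entries as duplicates or assume each one maps to real hardware. The later hunks of this patch (vibrator, st21nfc, wakeup, nvmem, extcon) follow the same pattern and would benefit from the same one-line explanation.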
@@ -76,6 +84,12 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-005a u:object genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 # Fingerprint genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0 
@@ -83,6 +97,10 @@ genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:s # System_suspend genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-5/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-6/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-7/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-8/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 
@@ -91,8 +109,21 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043/wakeup genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 
genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-source-psy-5-0050/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/wakeup u:object_r:sysfs_wakeup:s0 
@@ -111,11 +142,22 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_sup genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0069/power_supply/main-charger/wakeup 
u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup u:object_r:sysfs_wakeup:s0 
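Review bot: The new i2c-8 block adds `8-0069/power_supply/dc/wakeup` and `8-0069/power_supply/main-charger/wakeup` but no `8-0069/power_supply/gcpm/wakeup`, while the i2c-7 block it mirrors has all three. If the charger can be probed on i2c-8, the gcpm wakeup node would presumably keep the default `sysfs` label and be denied to system_suspend; if the omission is deliberate, say so in a comment. The missing entry would be `genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0069/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0`. Only part of each bus's list is visible in this hunk, so check the complete per-bus set against the file.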
@@ -125,12 +167,16 @@ genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:0 genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0 
@@ -206,6 +252,24 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 + +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 + # bcl sysfs files genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0 genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/tpu_heavy_clk_ratio u:object_r:sysfs_bcl:s0 @@ -277,6 +341,10 @@ genfscon sysfs /devices/platform/1c500000.mali/power_policy # nvmem (Non Volatile Memory layer) genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/4-00500/nvmem u:object_r:sysfs_memory:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0050/5-00500/nvmem u:object_r:sysfs_memory:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0050/6-00500/nvmem u:object_r:sysfs_memory:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0050/7-00500/nvmem u:object_r:sysfs_memory:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0050/8-00500/nvmem u:object_r:sysfs_memory:s0 # Broadcom genfscon sysfs /module/bcmdhd4389 u:object_r:sysfs_bcmdhd:s0 
@@ -285,6 +353,10 @@ genfscon sysfs /module/bcmdhd4389 genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-5/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-6/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-7/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-8/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0 @@ -351,8 +423,10 @@ genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 # Extcon -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 # SecureElement genfscon sysfs /devices/platform/10950000.spi/spi_master/spi6/spi6.0/st33spi u:object_r:sysfs_st33spi:s0 From 384218408f069629527c4b4ceefe122321a0fce7 Mon Sep 17 00:00:00 2001 
From: chungkai Date: Wed, 6 Apr 2022 08:07:26 +0000 Subject: [PATCH 585/921] sepolicy: ignore avc denial dont audit since it's debugfs Bug: 228181404 Test: forrest with boot test Signed-off-by: chungkai Change-Id: I7f2a85e2a405c78c9d8d11e9c2fdfdc5e87f7931 --- tracking_denials/kernel.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 tracking_denials/kernel.te diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te new file mode 100644 index 00000000..21776b79 --- /dev/null +++ b/tracking_denials/kernel.te @@ -0,0 +1,2 @@ +#b/228181404 +dontaudit kernel vendor_maxfg_debugfs:dir { search }; \ No newline at end of file From 13f85a37f3f1eab2883d68fb026fa3c2b68fc881 Mon Sep 17 00:00:00 2001 From: Siddharth Kapoor Date: Thu, 7 Apr 2022 03:29:56 +0000 Subject: [PATCH 586/921] Revert "Move ODPM file rule to pixel sepolicy" Revert "Move ODPM file rule to pixel sepolicy" Revert submission 17215583-odpm_sepolicy_refactor-tm-dev Reason for revert: build failure tracked in b/228261711 Reverted Changes: Ic9a89950a:Move ODPM file rule to pixel sepolicy I24105669b:Move ODPM file rule to pixel sepolicy I044a285ff:Move ODPM file rule to pixel sepolicy Change-Id: I36abfddaa5903739f9c5bf65d3c1cd506db9e604 --- whitechapel/vendor/google/file.te | 1 + whitechapel/vendor/google/hal_power_stats_default.te | 2 ++ whitechapel/vendor/google/hal_thermal_default.te | 1 + 3 files changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 6eabe45d..90098249 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -152,6 +152,7 @@ type sysfs_chargelevel, sysfs_type, fs_type; # ODPM type powerstats_vendor_data_file, file_type, data_file_type; +type sysfs_odpm, sysfs_type, fs_type; # bcl type sysfs_bcl, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/hal_power_stats_default.te b/whitechapel/vendor/google/hal_power_stats_default.te index b8ab8c5b..db81a74e 100644 
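Review bot: The new tracking_denials/kernel.te ends without a newline (the patch carries `\ No newline at end of file`), and its only comment is a bare bug number. Terminate the last line, since policy sources are normally concatenated before compilation and an unterminated file can run into whatever follows it. Because `dontaudit` only hides the log and leaves the access denied, a comment like `# b/228181404: kernel searches the maxfg debugfs dir; denial is harmless, suppress the log only` would tell a reader this is a deliberate silence rather than a pending fix.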
--- a/whitechapel/vendor/google/hal_power_stats_default.te +++ b/whitechapel/vendor/google/hal_power_stats_default.te @@ -7,6 +7,8 @@ binder_call(hal_power_stats_default, hal_bluetooth_btlinux) r_dir_file(hal_power_stats_default, sysfs_iio_devices) allow hal_power_stats_default powerstats_vendor_data_file:dir search; allow hal_power_stats_default powerstats_vendor_data_file:file r_file_perms; +allow hal_power_stats_default sysfs_odpm:dir search; +allow hal_power_stats_default sysfs_odpm:file rw_file_perms; allow hal_power_stats_default sysfs_edgetpu:dir search; allow hal_power_stats_default sysfs_edgetpu:file r_file_perms; diff --git a/whitechapel/vendor/google/hal_thermal_default.te b/whitechapel/vendor/google/hal_thermal_default.te index 5e597c7c..9852a767 100644 --- a/whitechapel/vendor/google/hal_thermal_default.te +++ b/whitechapel/vendor/google/hal_thermal_default.te @@ -1 +1,2 @@ allow hal_thermal_default sysfs_iio_devices:dir r_dir_perms; +allow hal_thermal_default sysfs_odpm:file r_file_perms; From 8606aa8a51d8d777289480de4a9be076817b6bc5 Mon Sep 17 00:00:00 2001 From: Badhri Jagan Sridharan Date: Thu, 7 Apr 2022 17:21:15 -0700 Subject: [PATCH 587/921] Allow usb hal to read contaminantdisable property avc: denied { read } for comm="android.hardwar" name="u:object_r:vendor_usb_config_prop:s0" dev="tmpfs" ino=367 scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=file permissive=0 Bug: 227792357 Change-Id: Id4d5ef7c214f0c0f672db28991b9fbe0152530b7 --- whitechapel/vendor/google/hal_usb_impl.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/hal_usb_impl.te b/whitechapel/vendor/google/hal_usb_impl.te index 6b6d19f6..97ec1c7c 100644 --- a/whitechapel/vendor/google/hal_usb_impl.te +++ b/whitechapel/vendor/google/hal_usb_impl.te 
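Review bot: `allow hal_power_stats_default sysfs_odpm:file rw_file_perms;` grants write on every node carrying that type, and the genfs_contexts entries earlier on this page put `energy_value` and `name` under sysfs_odpm alongside `sampling_rate` and `enabled_rails`. If the HAL only writes the configuration nodes, say so next to the rule, for example `# write needed for sampling_rate / enabled_rails` (to be confirmed against the HAL), so the reason stays visible the next time the rule is moved. The hal_thermal_default hunk that follows stays at `r_file_perms` and needs no change.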
@@ -23,3 +23,6 @@ hal_client_domain(hal_usb_impl, hal_thermal); # For reading the usb-c throttling stats allow hal_usb_impl sysfs_usbc_throttling_stats:file r_file_perms; + +# For checking contaminant detection status +get_prop(hal_usb_impl, vendor_usb_config_prop); From 3c11d8d1c5a88051634d1bce840cb4d0bf2e7c43 Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Mon, 11 Apr 2022 10:54:20 +0800 Subject: [PATCH 588/921] sepolicy: label charger wakeups for system suspend Bug: 226887726 Test: do bugreport without avc denials Change-Id: I779b646846da90cdc710145e959644efc4733b3b Signed-off-by: Darren Hsu --- whitechapel/vendor/google/genfs_contexts | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 38ffef5f..d611ac9c 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -90,6 +90,19 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a/wakeup genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 
genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-source-psy-5-0050/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 From 40cd670c9f624393b86656918a709996d9f49a91 Mon Sep 17 00:00:00 2001 From: Patty Date: Wed, 6 Apr 2022 19:16:05 +0800 Subject: [PATCH 589/921] Grant policy for EWP feature Bug: 220121592 Test: Manual Change-Id: I274a9519c40915cf65de45a3d8cf452faf16c8b4 --- bluetooth/hwservice_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bluetooth/hwservice_contexts b/bluetooth/hwservice_contexts index df77e6f8..1b4f5445 100644 --- a/bluetooth/hwservice_contexts +++ b/bluetooth/hwservice_contexts @@ -2,4 +2,4 @@ hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0 hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0 hardware.google.bluetooth.ccc::IBluetoothCcc u:object_r:hal_bluetooth_coexistence_hwservice:s0 - +hardware.google.bluetooth.ewp::IBluetoothEwp u:object_r:hal_bluetooth_coexistence_hwservice:s0 From 613bdcdec8d8b4b0fd357b49213201d0b9a320cb Mon Sep 17 00:00:00 2001 From: Anthony Stange Date: Tue, 12 Apr 2022 20:58:12 +0000 Subject: [PATCH 590/921] Update SELinux to allow CHRE to talk to the Wifi HAL Bug: 206614765 Test: Run locally Change-Id: I73bcf96ed1cab0a101e5f84852a1d82258b9c690 --- whitechapel/vendor/google/chre.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/chre.te b/whitechapel/vendor/google/chre.te index 7eca5e43..67ba090a 100644 --- a/whitechapel/vendor/google/chre.te +++ b/whitechapel/vendor/google/chre.te 
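Review bot: `hardware.google.bluetooth.ewp::IBluetoothEwp` is mapped to the existing `hal_bluetooth_coexistence_hwservice` type, so every domain already allowed to `find` that type can now look up the EWP interface as well. If EWP has a narrower client set than channel avoidance, SAR and CCC, it needs its own hwservice type and a matching `find` rule; neither is part of this hunk, so that would be a follow-up. At minimum a `#` comment above the entry should state that sharing the label is intended.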
@@ -15,3 +15,6 @@ allow chre device:dir r_dir_perms; # Allow CHRE to use the USF low latency transport usf_low_latency_transport(chre) +# Allow CHRE to talk to the WiFi HAL +allow chre hal_wifi_ext:binder { call transfer }; +allow chre hal_wifi_ext_hwservice:hwservice_manager find; From 953583844f6844265a6dee0ad283d5daa9e8fd6c Mon Sep 17 00:00:00 2001 From: chungkai Date: Thu, 14 Apr 2022 04:12:41 +0000 Subject: [PATCH 591/921] genfs_contexts: fix path for i2c peripheral device paths are changed when we enable parallel module loading and reorder the initializtaion of devices. Test: without avc denial on R4/O6 when booting Bug: 22754176 Signed-off-by: chungkai Change-Id: Ibcd5138170449e24115a0de5c3beda79914d1dc1 --- whitechapel/vendor/google/genfs_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 1b367a46..9f1921d7 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -130,6 +130,7 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/power_sup genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 
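Review bot: The CHRE-to-WiFi rule is written as a raw `allow chre hal_wifi_ext:binder { call transfer };`, while the later fwk_stats_service change to the same file uses `binder_call(chre, stats_service_server)`. The raw form omits the reverse `transfer` and the `fd use` permission that `binder_call(chre, hal_wifi_ext)` would add; that is tighter, but if it is deliberate a comment should say so, because a reply that carries a binder reference or file descriptor will otherwise be denied. A blank line before `# Allow CHRE to talk to the WiFi HAL` would also separate it from the USF rule. The identical hunk appears again in PATCH 600 further down this page.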
@@ -440,6 +441,8 @@ genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 # Extcon +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 From 517ab7da4ddc46597df17ad68b548b75d93e05b9 Mon Sep 17 00:00:00 2001 From: Joshua McCloskey Date: Wed, 6 Apr 2022 22:33:26 +0000 Subject: [PATCH 592/921] Allow platform apps to access FP Hal Bug: 227247855 Test: Verified manually that the fingerprint extension is working. Change-Id: Ia8fedcb373e23bf2103803195f844bf90b1807bc --- system_ext/private/platform_app.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/system_ext/private/platform_app.te b/system_ext/private/platform_app.te index 10d6bba9..e9dcc76b 100644 --- a/system_ext/private/platform_app.te +++ b/system_ext/private/platform_app.te @@ -1,2 +1,5 @@ # allow systemui to set boot animation colors set_prop(platform_app, bootanim_system_prop); + +# allow systemui to access fingerprint +hal_client_domain(platform_app, hal_fingerprint) From f2be252260049581e8e37226fe2f375b967c8e8b Mon Sep 17 00:00:00 2001 From: Jason Macnak Date: Thu, 24 Feb 2022 18:37:55 +0000 Subject: [PATCH 593/921] Remove sysfs_gpu type definition ... as it has moved to system/sepolicy. Bug: b/161819018 Test: presubmit Change-Id: I6fcafa87541ed0cbaf3ba74fa5ff4dbdebd533f7 Merged-In: I6fcafa87541ed0cbaf3ba74fa5ff4dbdebd533f7 --- whitechapel/vendor/google/file.te | 3 --- 1 file changed, 3 deletions(-) 
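Review bot: `hal_client_domain(platform_app, hal_fingerprint)` applies to the whole `platform_app` domain, while the comment above it says `allow systemui to access fingerprint`. Every app that runs in that domain gets client access to the fingerprint HAL, not only SystemUI, so the comment understates the grant. Either reword it to `# allow platform apps (needed by SystemUI) to access the fingerprint HAL` or, preferably, give the one caller its own domain through seapp_contexts and attach the macro there. The `bootanim_system_prop` rule above has the same mismatch, but that line is context and not part of this change.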
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 90098249..cb5ade95 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -169,9 +169,6 @@ type persist_battery_file, file_type, vendor_persist_type; # CPU type sysfs_cpu, sysfs_type, fs_type; -# GPU -type sysfs_gpu, sysfs_type, fs_type; - # Fabric type sysfs_fabric, sysfs_type, fs_type; From 19073ba66c7c491a402974f2de935a9f204ad9ed Mon Sep 17 00:00:00 2001 From: chungkai Date: Mon, 18 Apr 2022 13:53:42 +0000 Subject: [PATCH 594/921] sepolicy: fix avc denials add potential paths for i2c peripheral devices sine we enable parallel module loading Bug: 229670628 Test: do bugreport without avc denials Signed-off-by: chungkai Change-Id: I6747e6d36731664d7f2fd88382c8a6189c936860 --- whitechapel/vendor/google/genfs_contexts | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 9f1921d7..0dfba9b5 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -122,6 +122,13 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l25a/wakeup genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 
@@ -441,6 +448,7 @@ genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 # Extcon +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 From 11770d9dfef1407970152c943a9a23177389c3b2 Mon Sep 17 00:00:00 2001 From: chungkai Date: Thu, 21 Apr 2022 01:39:18 +0000 Subject: [PATCH 595/921] sepolicy: Remove tracking denials files and fix avc problems 04-19 10:53:57.364 W binder:575_2: type=1400 audit(0.0:17): avc: denied { read } for name="wakeup11" dev="sysfs" ino=59892 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0 Bug: 229670628 Test: pass Signed-off-by: chungkai Change-Id: I6a83b77c4a4bb836e4014cf865cb720a360fd981 --- whitechapel/vendor/google/genfs_contexts | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 0dfba9b5..8f00b4d5 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -30,6 +30,13 @@ genfscon sysfs /devices/platform/10d50000.hsi2c genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 + +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-0050/eeprom u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0 From 1291c3cec9dbab7b3837f11d0ed4beb5addbc988 Mon Sep 17 00:00:00 2001 From: Wei Wang Date: Sat, 23 Apr 2022 21:09:22 -0700 Subject: [PATCH 596/921] Grant trusty to power hal Bug: 229350721 Test: UDFPS with stress Signed-off-by: Wei Wang Change-Id: Ia88d6cff1d21940e22ae5122dbfcf52de27ad700 --- whitechapel/vendor/google/file.te | 3 +++ whitechapel/vendor/google/genfs_contexts | 4 ++++ whitechapel/vendor/google/hal_power_default.te | 1 + 3 files changed, 8 insertions(+) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index cb5ade95..704e0753 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -203,3 +203,6 @@ userdebug_or_eng(` # SecureElement type sysfs_st33spi, sysfs_type, fs_type; + +# Trusty +type sysfs_trusty, sysfs_type, fs_type; 
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 8f00b4d5..881b7ef5 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -475,6 +475,10 @@ genfscon sysfs /devices/platform/100b0000.G3D u:obje genfscon sysfs /devices/platform/100b0000.ISP u:object_r:sysfs_thermal:s0 genfscon sysfs /devices/platform/100b0000.TPU u:object_r:sysfs_thermal:s0 +# Trusty +genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0 +genfscon sysfs /module/trusty_core/parameters/use_high_wq u:object_r:sysfs_trusty:s0 + # Coresight ETM genfscon sysfs /devices/platform/25840000.etm u:object_r:sysfs_devices_cs_etm:s0 genfscon sysfs /devices/platform/25940000.etm u:object_r:sysfs_devices_cs_etm:s0 diff --git a/whitechapel/vendor/google/hal_power_default.te b/whitechapel/vendor/google/hal_power_default.te index 19cd0bb4..122661ae 100644 --- a/whitechapel/vendor/google/hal_power_default.te +++ b/whitechapel/vendor/google/hal_power_default.te @@ -10,6 +10,7 @@ allow hal_power_default sysfs_camera:file rw_file_perms; allow hal_power_default sysfs_display:file rw_file_perms; allow hal_power_default sysfs_bcl:dir r_dir_perms; allow hal_power_default sysfs_bcl:file rw_file_perms; +allow hal_power_default sysfs_trusty:file rw_file_perms; set_prop(hal_power_default, vendor_camera_prop) set_prop(hal_power_default, vendor_camera_debug_prop) set_prop(hal_power_default, vendor_camera_fatp_prop) From 2715a08a73662e3ce1e02121d95aaa3361531ab2 Mon Sep 17 00:00:00 2001 From: Edmond Chung Date: Sun, 24 Apr 2022 15:41:21 -0700 Subject: [PATCH 597/921] Camera: add setsched capability. The camera HAL needs to configure schedule policies for performance optimizations. Bug: 228632527 Test: GCA, adb logcat Change-Id: Ifbf433c026549ca774a9521704d0b0b75c9e9f23 --- whitechapel/vendor/google/hal_camera_default.te | 1 + 1 file changed, 1 insertion(+) 
diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index 24246d2f..440b503c 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te @@ -1,6 +1,7 @@ type hal_camera_default_tmpfs, file_type; allow hal_camera_default self:global_capability_class_set sys_nice; +allow hal_camera_default kernel:process setsched; binder_use(hal_camera_default); vndbinder_use(hal_camera_default); From 99b4aebb6a906941faf48127216fb72008f4cb73 Mon Sep 17 00:00:00 2001 From: Edmond Chung Date: Sun, 24 Apr 2022 15:41:21 -0700 Subject: [PATCH 598/921] Camera: add setsched capability. The camera HAL needs to configure schedule policies for performance optimizations. Bug: 228632527 Test: adb logcat Change-Id: Ifbf433c026549ca774a9521704d0b0b75c9e9f23 Merged-In: Ifbf433c026549ca774a9521704d0b0b75c9e9f23 Signed-off-by: Edmond Chung --- whitechapel/vendor/google/hal_camera_default.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index 24246d2f..440b503c 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te @@ -1,6 +1,7 @@ type hal_camera_default_tmpfs, file_type; allow hal_camera_default self:global_capability_class_set sys_nice; +allow hal_camera_default kernel:process setsched; binder_use(hal_camera_default); vndbinder_use(hal_camera_default); From a53690ac43834232a7d8f592ea64c00d52efe8ed Mon Sep 17 00:00:00 2001 From: chiayupei Date: Tue, 12 Apr 2022 10:45:08 +0800 Subject: [PATCH 599/921] hal_sensors_default: Allow sensors HAL to access AoC properties. Bug: 202901227 Test: Verify pass by checking device log. Signed-off-by: chiayupei Change-Id: I917362ddf4b8e61810d2dd27da2b7775f1aec1e7 --- usf/sensor_hal.te | 3 +++ 1 file changed, 3 insertions(+) 
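Review bot: `allow hal_camera_default kernel:process setsched;` targets the `kernel` domain, so it lets the camera HAL change scheduling parameters of processes labelled kernel rather than of its own threads. The commit message only says the HAL configures schedule policies for performance; for its own threads no new rule should be needed, since the base policy normally grants `self:process setsched` and the line above already allows `sys_nice`. If a kernel thread really is the target, a comment naming it belongs next to the rule, e.g. `# setsched on <kernel thread name> for <reason>`. The same line is added again by PATCH 598 on this page.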
diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index ac9d5c2d..4a7bc628 100644 --- a/usf/sensor_hal.te +++ b/usf/sensor_hal.te @@ -49,6 +49,9 @@ allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms; # Allow sensor HAL to read AoC dumpstate. allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms; +# Allow access for AoC properties. +get_prop(hal_sensors_default, vendor_aoc_prop) + # Allow access for dynamic sensor properties. get_prop(hal_sensors_default, vendor_dynamic_sensor_prop) From 8c311f981b83cf84c557b517ba9cdcffae25146d Mon Sep 17 00:00:00 2001 From: Anthony Stange Date: Tue, 12 Apr 2022 20:58:12 +0000 Subject: [PATCH 600/921] Update SELinux to allow CHRE to talk to the Wifi HAL Bug: 206614765 Test: Run locally Change-Id: I73bcf96ed1cab0a101e5f84852a1d82258b9c690 Merged-In: I73bcf96ed1cab0a101e5f84852a1d82258b9c690 --- whitechapel/vendor/google/chre.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/chre.te b/whitechapel/vendor/google/chre.te index 7eca5e43..67ba090a 100644 --- a/whitechapel/vendor/google/chre.te +++ b/whitechapel/vendor/google/chre.te @@ -15,3 +15,6 @@ allow chre device:dir r_dir_perms; # Allow CHRE to use the USF low latency transport usf_low_latency_transport(chre) +# Allow CHRE to talk to the WiFi HAL +allow chre hal_wifi_ext:binder { call transfer }; +allow chre hal_wifi_ext_hwservice:hwservice_manager find; From 15036785cfcf9b462b9cf001ed3c3d6d8358f034 Mon Sep 17 00:00:00 2001 
From: Jenny Ho Date: Wed, 27 Apr 2022 13:37:16 +0800 Subject: [PATCH 601/921] sepolicy: allow access debugfs charger register dump [ 438.549652] type=1400 audit(1651035282.616:8): avc: denied { read } for comm="dumpstate@1.1-s" name="registers" dev="debugfs" ino=31549 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:debugfs:s0 tclass=file permissive=0 [ 438.550252] type=1400 audit(1651035282.616:9): avc: denied { read } for comm="dumpstate@1.1-s" name="registers" dev="debugfs" ino=31532 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:debugfs:s0 tclass=file permissive=0 Bug: 230360103 Signed-off-by: Jenny Ho Change-Id: I102a159ca23a65d99a52cac3d011f5ce535a37e7 --- whitechapel/vendor/google/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 881b7ef5..b2833b78 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -405,6 +405,8 @@ genfscon debugfs /pm_genpd/pm_genpd_summary genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0 genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0 genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0 +genfscon debugfs /max77759_chg u:object_r:vendor_charger_debugfs:s0 +genfscon debugfs /max77729_pmic u:object_r:vendor_charger_debugfs:s0 genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0 genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0 From 615f85c22dc0f75452b3284dd4ba7a421d29a602 Mon Sep 17 00:00:00 2001 From: Wei Wang Date: Wed, 27 Apr 2022 13:18:28 -0700 Subject: [PATCH 602/921] allow udfps hal to access trusty Bug: 229350721 Bug: 230492593 Test: UDFPS with stress Signed-off-by: Wei Wang Change-Id: Ib1abe0e0318689528a6658f3597f1c11ad9fa1c3 --- whitechapel/vendor/google/hal_fingerprint_default.te | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te index 2b2e852d..56b1605c 100644 --- a/whitechapel/vendor/google/hal_fingerprint_default.te +++ b/whitechapel/vendor/google/hal_fingerprint_default.te @@ -26,3 +26,6 @@ allow hal_fingerprint_default fwk_sensor_hwservice:hwservice_manager find; # Allow fingerprint to read sysfs_display allow hal_fingerprint_default sysfs_display:file r_file_perms; + +# Allow fingerprint to access trusty sysfs +allow hal_fingerprint_default sysfs_trusty:file rw_file_perms; From c6eea8a657cbd9001e52941522def2ab0cfdfb88 Mon Sep 17 00:00:00 2001 From: Kris Chen Date: Wed, 20 Apr 2022 02:35:41 +0800 Subject: [PATCH 603/921] Allow hal_fingerprint_default to access hal_pixel_display_service Fix the following avc denial: avc: denied { find } for pid=1158 uid=1000 name=com.google.hardware.pixel.display.IDisplay/default scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:hal_pixel_display_service:s0 tclass=service_manager permissive=0 avc: denied { call } for scontext=u:r:hal_fingerprint_default:s0 tcontext=u:r:hal_graphics_composer_default:s0 tclass=binder permissive=0 Bug: 229716695 Bug: 224573604 Test: build and test fingerprint on device. Change-Id: Id24e65213221048d6dfdeae6ed2bcb7b762a0f75 --- whitechapel/vendor/google/hal_fingerprint_default.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te index 56b1605c..aee24633 100644 --- a/whitechapel/vendor/google/hal_fingerprint_default.te +++ b/whitechapel/vendor/google/hal_fingerprint_default.te 
@@ -29,3 +29,7 @@ allow hal_fingerprint_default sysfs_display:file r_file_perms; # Allow fingerprint to access trusty sysfs allow hal_fingerprint_default sysfs_trusty:file rw_file_perms; + +# Allow fingerprint to access display hal +allow hal_fingerprint_default hal_pixel_display_service:service_manager find; +binder_call(hal_fingerprint_default, hal_graphics_composer_default) From ee1758317e5887e346516f00fb7b4113aec5e438 Mon Sep 17 00:00:00 2001 From: Albert Wang Date: Wed, 27 Apr 2022 17:06:15 +0800 Subject: [PATCH 604/921] Expand the xHCI wakeup path for suspend_control Error log: Error opening kernel wakelock stats for: wakeup132 (../../devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb2/2-1/wakeup/wakeup132): Permission denied avc: denied { read } for name="wakeup132" dev="sysfs" ino=3607558 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0 Bug: 209745132 Test: test build to verify sepolicy log Signed-off-by: Albert Wang Change-Id: I6c70272a79059f7ca4e3b0e525bbc09625e25135 --- whitechapel/vendor/google/genfs_contexts | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index d611ac9c..1569e07a 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -129,11 +129,11 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_sup genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb2/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb3/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb2 u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb3 u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb2/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb3/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb2 u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb3 u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 From dc8bd4652750f53da5d655371cbd2b8f2cac176b Mon Sep 17 00:00:00 2001 
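Review bot: Dropping the trailing `/wakeup` from the four `xhci-hcd-exynos.{4,5}.auto/usb2` and `usb3` entries relabels the whole root-hub subtree as `sysfs_wakeup`, because genfscon matches by path prefix. Every attribute of any USB device enumerated below those hubs (the denial quotes `usb2/2-1/wakeup/wakeup132`) then becomes accessible to every domain with permissions on `sysfs_wakeup`, and any domain that reached those attributes through their previous label would lose that access. If the dynamic child paths cannot be matched more narrowly, a comment such as `# whole hub subtree: child-device wakeup dirs are enumerated at runtime` would record that the breadth is intentional. It is also worth checking which domains hold `sysfs_wakeup` permissions before merging.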
From: George Chang Date: Wed, 30 Mar 2022 22:36:58 +0800 Subject: [PATCH 605/921] Update nfc from hidl to aidl service Bug: 216290344 Test: atest NfcNciInstrumentationTests Test: atest VtsAidlHalNfcTargetTest Change-Id: I3d17eacddadaf78520edb1a94e17e091cbdba4c0 --- whitechapel/vendor/google/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 05e49591..c4f2166b 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -284,7 +284,7 @@ /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 # NFC -/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0 /dev/st21nfc u:object_r:nfc_device:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 From c6ea8d1656662de3c7289f0040f16dc5a34550ab Mon Sep 17 00:00:00 2001 From: Asad Ali Date: Tue, 26 Apr 2022 21:38:27 +0000 Subject: [PATCH 606/921] Allow chre to communicate with fwk_stats_service. Bug: 230788686 Test: Logged atoms using CHRE + log atom extension. Change-Id: I0683a224d61cdc8c927360ebad3de115ed431e1a --- whitechapel/vendor/google/chre.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/whitechapel/vendor/google/chre.te b/whitechapel/vendor/google/chre.te index 67ba090a..9dfd9bf6 100644 --- a/whitechapel/vendor/google/chre.te +++ b/whitechapel/vendor/google/chre.te @@ -18,3 +18,8 @@ usf_low_latency_transport(chre) # Allow CHRE to talk to the WiFi HAL allow chre hal_wifi_ext:binder { call transfer }; allow chre hal_wifi_ext_hwservice:hwservice_manager find; + +# Allow CHRE host to talk to stats service +allow chre fwk_stats_service:service_manager find; +binder_call(chre, stats_service_server) + From 63c1e192e7d11129f9cb33fbb18a5b2876ee8ab8 Mon Sep 17 00:00:00 2001 
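Review bot: The NFC `file_contexts` entry is replaced rather than extended, so an image that still ships `android.hardware.nfc@1.2-service.st` would lose the `hal_nfc_default_exec` label on that binary and the HAL would presumably fail to transition into its domain. The revert in PATCH 607 cites broken tests, which may be related. A single pattern covering both names keeps either build labelled during the HIDL-to-AIDL migration: `/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc(@1\.2)?-service\.st u:object_r:hal_nfc_default_exec:s0`. The re-landed hunk in PATCH 614 has the same shape.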
From: George Chang Date: Fri, 29 Apr 2022 15:39:32 +0000 Subject: [PATCH 607/921] Revert "Update nfc from hidl to aidl service" This reverts commit dc8bd4652750f53da5d655371cbd2b8f2cac176b. Reason for revert: Broken tests Bug: 230834308 Change-Id: I964632a92cb741c703e4d8d3e8623454541022e7 --- whitechapel/vendor/google/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index c4f2166b..05e49591 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -284,7 +284,7 @@ /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 # NFC -/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 /dev/st21nfc u:object_r:nfc_device:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 From 7bfcc6f4e5d0cc2b31e856a5820c92368a50a438 Mon Sep 17 00:00:00 2001 From: Asad Ali Date: Tue, 26 Apr 2022 21:38:27 +0000 Subject: [PATCH 608/921] Allow chre to communicate with fwk_stats_service. Bug: 230788686 Test: Logged atoms using CHRE + log atom extension. Change-Id: I0683a224d61cdc8c927360ebad3de115ed431e1a (cherry picked from commit c6ea8d1656662de3c7289f0040f16dc5a34550ab) --- whitechapel/vendor/google/chre.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/whitechapel/vendor/google/chre.te b/whitechapel/vendor/google/chre.te index 67ba090a..9dfd9bf6 100644 --- a/whitechapel/vendor/google/chre.te +++ b/whitechapel/vendor/google/chre.te 
@@ -18,3 +18,8 @@ usf_low_latency_transport(chre) # Allow CHRE to talk to the WiFi HAL allow chre hal_wifi_ext:binder { call transfer }; allow chre hal_wifi_ext_hwservice:hwservice_manager find; + +# Allow CHRE host to talk to stats service +allow chre fwk_stats_service:service_manager find; +binder_call(chre, stats_service_server) + From 12b3700a38d57516ee02f162241f592c4f37bc31 Mon Sep 17 00:00:00 2001 From: Will McVicker Date: Mon, 2 May 2022 10:09:57 -0700 Subject: [PATCH 609/921] genfs_contexts: add raw i2c-s2mpg10mfd and i2c-s2mpg11mfd nodes This adds the [067]-001f and [178]-002f raw i2c numberings to the sepolicy for the P21-mainline driver which doesn't use the i2c vendor hook to rename these numberings. This is required for the thermal hal to work. Bug: 231155356 Signed-off-by: Will McVicker Change-Id: I8e4bbbd0768e63e708f46eb42bddb5fc28b29caa --- whitechapel/vendor/google/genfs_contexts | 32 ++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 881b7ef5..0c514a82 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -267,40 +267,72 @@ genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/bluetooth/hci # ODPM genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 # bcl sysfs files genfscon sysfs /devices/virtual/pmic/mitigation 
u:object_r:sysfs_bcl:s0 From d99789413d089973057953d5e8c573993f5c0037 Mon Sep 17 00:00:00 2001 From: Ray Chi Date: Tue, 1 Mar 2022 21:54:40 +0800 Subject: [PATCH 610/921] Allow hal_usb_gadget_impl to access proc_irq Bug: 220996010 Test: build pass Change-Id: Id9a9adbdc921629b6e89d0850dd8acaf76b1a891 (cherry picked from commit 455c3c165348fa9ea65c65b004d4dda1426d04be) --- whitechapel/vendor/google/hal_usb_gadget_impl.te | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/whitechapel/vendor/google/hal_usb_gadget_impl.te b/whitechapel/vendor/google/hal_usb_gadget_impl.te index 5170a8ae..7eb0f632 100644 --- a/whitechapel/vendor/google/hal_usb_gadget_impl.te +++ b/whitechapel/vendor/google/hal_usb_gadget_impl.te @@ -12,3 +12,10 @@ set_prop(hal_usb_gadget_impl, vendor_usb_config_prop) allow hal_usb_gadget_impl sysfs_batteryinfo:dir r_dir_perms; allow hal_usb_gadget_impl sysfs_batteryinfo:file rw_file_perms; allow hal_usb_gadget_impl sysfs_extcon:dir search; + +# parser the number of dwc3 irq +allow hal_usb_gadget_impl proc_interrupts:file r_file_perms; + +# change irq to other cores +allow hal_usb_gadget_impl proc_irq:dir r_dir_perms; +allow hal_usb_gadget_impl proc_irq:file w_file_perms; From bf9ec40ab79d9546ecbf7b5c8b8ac0779d8153dc Mon Sep 17 00:00:00 2001 From: Ray Chi Date: Wed, 4 May 2022 09:49:17 +0800 Subject: [PATCH 611/921] Revert "add sepolicy for set_usb_irq.sh" This reverts commit 714075eba72067489d08c36b87bfed9656092b2c. Bug: 194346886 Test: build pass Change-Id: Ie275e48ee87c4e9f5c83b7802c3f3baa12ad30af --- whitechapel/vendor/google/file_contexts | 1 - whitechapel/vendor/google/set-usb-irq-sh.te | 13 ------------- 2 files changed, 14 deletions(-) delete mode 100644 whitechapel/vendor/google/set-usb-irq-sh.te diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index e7725c37..c1337e6b 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
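Review bot: The new `allow hal_usb_gadget_impl proc_irq:file w_file_perms;` lets a long-running HAL domain write to any file labelled `proc_irq`, which is not limited to the dwc3 interrupt the comment mentions. The following commit removes the one-shot `set-usb-irq-sh` domain that previously held this grant. SELinux cannot narrow the rule to one IRQ, so the restriction has to be enforced in the HAL code, and the policy comment should say that, e.g. `# HAL only rewrites the affinity of the dwc3 IRQ found in /proc/interrupts`. The first comment reads `parser the number of dwc3 irq`; `parse the dwc3 irq number` is clearer. The identical hunk in the cherry-pick (PATCH 612) has the same points.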
@@ -282,7 +282,6 @@ /vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0 # USB -/vendor/bin/hw/set_usb_irq\.sh u:object_r:set-usb-irq-sh_exec:s0 /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 # NFC diff --git a/whitechapel/vendor/google/set-usb-irq-sh.te b/whitechapel/vendor/google/set-usb-irq-sh.te deleted file mode 100644 index a00fe3bb..00000000 --- a/whitechapel/vendor/google/set-usb-irq-sh.te +++ /dev/null @@ -1,13 +0,0 @@ -type set-usb-irq-sh, domain; -type set-usb-irq-sh_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(set-usb-irq-sh) - -allow set-usb-irq-sh vendor_toolbox_exec:file execute_no_trans; - -allow set-usb-irq-sh proc_irq:dir r_dir_perms; -allow set-usb-irq-sh proc_irq:file w_file_perms; - -# AFAICT this happens if /proc/irq updates as we're running -# and we end up trying to write into non-existing file, -# which implies creation... -dontaudit set-usb-irq-sh self:capability dac_override; From 7ac349e932b66130d7351bd05fb462362f4d8eac Mon Sep 17 00:00:00 2001 From: Ray Chi Date: Tue, 1 Mar 2022 21:54:40 +0800 Subject: [PATCH 612/921] Allow hal_usb_gadget_impl to access proc_irq Bug: 224699556 Test: build pass Change-Id: Id9a9adbdc921629b6e89d0850dd8acaf76b1a891 Merged-In: Id9a9adbdc921629b6e89d0850dd8acaf76b1a891 (cherry picked from commit 455c3c165348fa9ea65c65b004d4dda1426d04be) --- whitechapel/vendor/google/hal_usb_gadget_impl.te | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/whitechapel/vendor/google/hal_usb_gadget_impl.te b/whitechapel/vendor/google/hal_usb_gadget_impl.te index 5170a8ae..7eb0f632 100644 --- a/whitechapel/vendor/google/hal_usb_gadget_impl.te +++ b/whitechapel/vendor/google/hal_usb_gadget_impl.te 
@@ -12,3 +12,10 @@ set_prop(hal_usb_gadget_impl, vendor_usb_config_prop) allow hal_usb_gadget_impl sysfs_batteryinfo:dir r_dir_perms; allow hal_usb_gadget_impl sysfs_batteryinfo:file rw_file_perms; allow hal_usb_gadget_impl sysfs_extcon:dir search; + +# parser the number of dwc3 irq +allow hal_usb_gadget_impl proc_interrupts:file r_file_perms; + +# change irq to other cores +allow hal_usb_gadget_impl proc_irq:dir r_dir_perms; +allow hal_usb_gadget_impl proc_irq:file w_file_perms; From 503fa0901031f42b064be9c3daf0827868a91b9e Mon Sep 17 00:00:00 2001 From: Ray Chi Date: Wed, 4 May 2022 09:49:17 +0800 Subject: [PATCH 613/921] Revert "add sepolicy for set_usb_irq.sh" This reverts commit 714075eba72067489d08c36b87bfed9656092b2c. Bug: 224699556 Test: build pass Change-Id: Ie275e48ee87c4e9f5c83b7802c3f3baa12ad30af Merged-In: Ie275e48ee87c4e9f5c83b7802c3f3baa12ad30af (cherry picked from commit bf9ec40ab79d9546ecbf7b5c8b8ac0779d8153dc) --- whitechapel/vendor/google/file_contexts | 1 - whitechapel/vendor/google/set-usb-irq-sh.te | 13 ------------- 2 files changed, 14 deletions(-) delete mode 100644 whitechapel/vendor/google/set-usb-irq-sh.te diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 05e49591..10ffc7af 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -280,7 +280,6 @@ /vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0 # USB -/vendor/bin/hw/set_usb_irq\.sh u:object_r:set-usb-irq-sh_exec:s0 /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 # NFC diff --git a/whitechapel/vendor/google/set-usb-irq-sh.te b/whitechapel/vendor/google/set-usb-irq-sh.te deleted file mode 100644 index a00fe3bb..00000000 --- a/whitechapel/vendor/google/set-usb-irq-sh.te +++ /dev/null 
@@ -1,13 +0,0 @@ -type set-usb-irq-sh, domain; -type set-usb-irq-sh_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(set-usb-irq-sh) - -allow set-usb-irq-sh vendor_toolbox_exec:file execute_no_trans; - -allow set-usb-irq-sh proc_irq:dir r_dir_perms; -allow set-usb-irq-sh proc_irq:file w_file_perms; - -# AFAICT this happens if /proc/irq updates as we're running -# and we end up trying to write into non-existing file, -# which implies creation... -dontaudit set-usb-irq-sh self:capability dac_override; From 130f2b784e25c9cda51fa4a449503dc764ce172f Mon Sep 17 00:00:00 2001 From: George Chang Date: Wed, 30 Mar 2022 22:36:58 +0800 Subject: [PATCH 614/921] Update nfc from hidl to aidl service Bug: 216290344 Test: atest NfcNciInstrumentationTests Test: atest VtsAidlHalNfcTargetTest Change-Id: I288474f691670655516728fe0e164a3e5689875c --- whitechapel/vendor/google/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 10ffc7af..5327e334 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -283,7 +283,7 @@ /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 # NFC -/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0 /dev/st21nfc u:object_r:nfc_device:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 From 9cbc9eceecefab98eebb7fd598aba4f8ff64f71d Mon Sep 17 00:00:00 2001 
From: Will McVicker Date: Thu, 5 May 2022 15:58:08 -0700 Subject: [PATCH 615/921] genfs_contexts: fix more i2c raw paths These were added in commit 8a19d8be9c35 ("genfs_contexts: fix path for i2c peripheral devices") to address missing i2c paths when kernel modules are loaded in parallel. The raw i2c paths were not added in that commit. So add them here in order to fix a vibrator crash for P21-mainline due to not having the named i2c paths. Bug: 231637004 Fixes: 8a19d8be9c35 ("genfs_contexts: fix path for i2c peripheral devices") Change-Id: I02dfff504704f761c99c328b39595789c2cbeef5 --- whitechapel/vendor/google/genfs_contexts | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 17a5a0bc..2e73f80d 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -88,6 +88,13 @@ genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/gadget/net genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043 u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043 u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-005a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-005a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-005a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-005a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-005a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 
@@ -202,15 +209,27 @@ genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/0-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/0-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/0-001f/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-7/0-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/0-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/0-001f/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 From 5675757d41bfcdfd84ad4e4cee4ea1f0938d4b05 Mon Sep 17 00:00:00 2001 
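Review bot: The added wakeup entries under `i2c-6` and `i2c-7` use the device name `0-001f` (`.../i2c-6/0-001f/...`, `.../i2c-7/0-001f/...`), whereas raw I2C device names carry their own bus number and the ODPM entries added in PATCH 609 use `i2c-6/6-001f` and `i2c-7/7-001f`. As written, those six lines likely match no sysfs path, so the s2mpg10 RTC wakeup nodes on buses 6 and 7 would keep the generic `sysfs` label and the denial would persist. The paths should read `6-001f` and `7-001f`, e.g. `genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/wakeup u:object_r:sysfs_wakeup:s0`. The s2mpg11 lines in the same hunk (`1-002f`, `7-002f`, `8-002f`) already follow that pattern.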
From: Richard Hsu Date: Sat, 7 May 2022 21:37:28 -0700 Subject: [PATCH 616/921] [SELinux] Allow NNAPI HAL to log traces to perfetto under userdebug builds Allows DarwiNN NNAPI HAL to log traces to perfetto only under userdebug builds. This is similar to the camera HAL fix in ag/17080874 Error message: TracingMuxer: type=1400 audit(0.0:486): avc: denied { write } for name="traced_producer" dev="tmpfs" ino=1116 scontext=u:r:hal_neuralnetworks_darwinn:s0 This rule is common for EdgeTPU in both WHI and PRO. Bug: 231838536 Test: tested on PRO before and after the change, and the traces now shows up. Example: https://ui.perfetto.dev/#!/?s=ab911b3972bc16a1a831e148a7446c09757a08426bbe3c3b16d31a728b1d923 https://screenshot.googleplex.com/3roWETkTFyiDjW9 Change-Id: I8d4a57e262087aa4ec6670a487d7b06d2f2cde69 --- edgetpu/hal_neuralnetworks_darwinn.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/edgetpu/hal_neuralnetworks_darwinn.te b/edgetpu/hal_neuralnetworks_darwinn.te index 18960713..f301a729 100644 --- a/edgetpu/hal_neuralnetworks_darwinn.te +++ b/edgetpu/hal_neuralnetworks_darwinn.te @@ -47,3 +47,7 @@ allow hal_neuralnetworks_darwinn sysfs_edgetpu:file r_file_perms; # Allows the NNAPI HAL to access the edgetpu_app_service allow hal_neuralnetworks_darwinn edgetpu_app_service:service_manager find; binder_call(hal_neuralnetworks_darwinn, edgetpu_app_server); + +# Allow NNAPI HAL to send trace packets to Perfetto with SELinux enabled +# under userdebug builds. +userdebug_or_eng(`perfetto_producer(hal_neuralnetworks_darwinn)') From b71d24d62c578494fa381acbe63e3a51fca75811 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Tue, 10 May 2022 05:12:05 +0000 Subject: [PATCH 617/921] gs101: Add dontaudit statements to camera HAL policy. The autogenerated dontaudit statements in tracking_denials are actually the correct policy. Move them to the correct file and add comments. Fix: 178980085 Fix: 180567725 Test: build & camera check on raven Change-Id: I3f3a1f64d403182d4f592f1cacc6ef8d1418062d --- tracking_denials/hal_camera_default.te | 5 ----- whitechapel/vendor/google/hal_camera_default.te | 8 ++++++++ 2 files changed, 8 insertions(+), 5 deletions(-) delete mode 100644 tracking_denials/hal_camera_default.te diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te deleted file mode 100644 index 6ab5a51c..00000000 --- a/tracking_denials/hal_camera_default.te +++ /dev/null @@ -1,5 +0,0 @@ -# b/178980085 -dontaudit hal_camera_default system_data_file:dir { search }; -# b/180567725 -dontaudit hal_camera_default traced:unix_stream_socket { connectto }; -dontaudit hal_camera_default traced_producer_socket:sock_file { write }; diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index 440b503c..2e36e4a8 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te @@ -96,3 +96,11 @@ allow hal_camera_default proc_interrupts:file r_file_perms; # Allow camera HAL to send trace packets to Perfetto userdebug_or_eng(`perfetto_producer(hal_camera_default)') + +# Some file searches attempt to access system data and are denied. +# This is benign and can be ignored. +dontaudit hal_camera_default system_data_file:dir { search }; + +# google3 prebuilts attempt to connect to the wrong trace socket, ignore them. +dontaudit hal_camera_default traced:unix_stream_socket { connectto }; +dontaudit hal_camera_default traced_producer_socket:sock_file { write }; \ No newline at end of file 
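Review bot: The two `traced` dontaudit rules are unconditional, so on user builds, where the `userdebug_or_eng` `perfetto_producer` grant just above does not apply, any attempt by the camera HAL to reach the trace sockets is denied without an audit record. `dontaudit hal_camera_default system_data_file:dir { search };` likewise silences every directory search on that label, not only the benign lookups the comment describes, which removes a signal that denial monitoring would otherwise see. Carrying the bug numbers from the deleted tracking file into the new comments (`# b/178980085`, `# b/180567725`) would keep the history for whoever revisits these rules. The file now ends without a trailing newline (`\ No newline at end of file`); adding one prevents the last rule from running into whatever is concatenated after it.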
From 59f29edf9259012639d097f8781769b39bb9f4bb Mon Sep 17 00:00:00 2001 From: Lily Lin Date: Thu, 28 Apr 2022 19:04:18 +0800 Subject: [PATCH 618/921] Add selinux permissions to r/w sysfs st33spi_state Bug: 228655141 Test: Confirm can read/write st33spi_state Change-Id: I65299414d6268580dc532170759459147378418b --- whitechapel/vendor/google/euiccpixel_app.te | 4 ++++ whitechapel/vendor/google/file.te | 3 +++ 2 files changed, 7 insertions(+) diff --git a/whitechapel/vendor/google/euiccpixel_app.te b/whitechapel/vendor/google/euiccpixel_app.te index db71a871..8763117f 100644 --- a/whitechapel/vendor/google/euiccpixel_app.te +++ b/whitechapel/vendor/google/euiccpixel_app.te @@ -21,5 +21,9 @@ userdebug_or_eng(` # Access to directly upgrade firmware on st33spi_device used for engineering devices typeattribute st33spi_device mlstrustedobject; allow euiccpixel_app st33spi_device:chr_file rw_file_perms; + + allow euiccpixel_app sysfs_st33spi:dir search; + allow euiccpixel_app sysfs_st33spi:file rw_file_perms; + allow euiccpixel_app sysfs_touch:dir search; ') diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 704e0753..673bc785 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -203,6 +203,9 @@ userdebug_or_eng(` # SecureElement type sysfs_st33spi, sysfs_type, fs_type; +userdebug_or_eng(` + typeattribute sysfs_st33spi mlstrustedobject; +') # Trusty type sysfs_trusty, sysfs_type, fs_type; From a5e9b426ebaec1757e01d82ae3e7f75cbc111634 Mon Sep 17 00:00:00 2001 
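Review bot: The third added rule in euiccpixel_app.te, `allow euiccpixel_app sysfs_touch:dir search;`, is not explained by the commit message, which only mentions st33spi_state. If the node is reached through a parent directory that carries the sysfs_touch label, a comment should say so, for example `# st33spi_state sits below a sysfs_touch-labelled directory`; if it is not, the rule should be dropped. All three rules are inside the existing userdebug_or_eng block, which opens above the hunk, so user builds are not affected.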
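Review bot: `typeattribute sysfs_st33spi mlstrustedobject;` in file.te has no comment saying why the type has to be exempt from MLS checks. The matching attribute on st33spi_device in euiccpixel_app.te is documented as firmware upgrade on engineering devices, and the same reason should be stated here, e.g. `# userdebug/eng only: lets euiccpixel_app reach st33spi_state despite MLS constraints`. The attribute lifts the MLS restriction for every domain that has a TE allow on the type, not only for euiccpixel_app.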
From: Jerry Huang Date: Wed, 16 Feb 2022 01:15:03 +0800 Subject: [PATCH 619/921] Allow mediacodec to access vendor_data_file For dumping output buffer of HDR to SDR fliter. This patch fixes the following denial: 05-06 15:26:54.248 1046 856 856 W HwBinder:856_4: type=1400 audit(0.0:174404): avc: denied { getattr } for name="/" dev="dmabuf" ino=1 scontext=u:r:mediacodec:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem permissive=0 Bug: 229360116 Change-Id: I41acb29407a7ddb27279a834e27c5ee515efe666 --- whitechapel/vendor/google/mediacodec.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/mediacodec.te b/whitechapel/vendor/google/mediacodec.te index ed7c1adf..0c22d5bf 100644 --- a/whitechapel/vendor/google/mediacodec.te +++ b/whitechapel/vendor/google/mediacodec.te @@ -1,5 +1,7 @@ userdebug_or_eng(` set_prop(mediacodec, vendor_codec2_debug_prop) + allow mediacodec vendor_media_data_file:dir rw_dir_perms; + allow mediacodec vendor_media_data_file:file create_file_perms; ') add_service(mediacodec, eco_service) From 101a021277e957f1cda1038b7c6a4927e3a3d901 Mon Sep 17 00:00:00 2001 From: sukiliu Date: Mon, 16 May 2022 11:58:55 +0800 Subject: [PATCH 620/921] Update avc error on ROM 8595544 Bug: 232714489 Bug: 231821875 Test: PtsSELinuxTestCases Change-Id: I4dd2c51dd237b19a110b24cb7ac8e1cb2284f99c --- tracking_denials/bug_map | 1 + tracking_denials/hal_drm_default.te | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 tracking_denials/bug_map diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map new file mode 100644 index 00000000..41887edd --- /dev/null +++ b/tracking_denials/bug_map @@ -0,0 +1 @@ +hal_drm_default default_prop file b/232714489 diff --git a/tracking_denials/hal_drm_default.te b/tracking_denials/hal_drm_default.te index ee4ed089..872f5a0f 100644 --- a/tracking_denials/hal_drm_default.te +++ b/tracking_denials/hal_drm_default.te 
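Review bot: Nothing in the commit ties the two added mediacodec rules to a denial: the subject names vendor_data_file, the rules grant `rw_dir_perms` and `create_file_perms` on vendor_media_data_file, and the quoted denial is a `getattr` on the dmabuf filesystem with an unlabeled target. A comment in the policy would make the intent reviewable, e.g. `# Debug only: dump HDR-to-SDR filter output buffers under vendor_media_data_file`. The rules are inside userdebug_or_eng, so the write access does not reach user builds; the dmabuf getattr denial presumably remains after this change.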
@@ -1,2 +1,4 @@
 # b/223502652
 dontaudit hal_drm_default vndbinder_device:chr_file { read };
+# b/232714489
+dontaudit hal_drm_default default_prop:file { read };
From 400d4fb7f42bdcdaf63fa381bfd7c5ba0e078651 Mon Sep 17 00:00:00 2001
From: Orion Hodson
Date: Mon, 16 May 2022 11:14:02 +0100
Subject: [PATCH 621/921] Remove incidentd denial for apex_info_file Underlying issue addressed by https://r.android.com/1849822 which gives incidentd r_file_perms for apex_info_file:file. Fix: 187015816 Test: atest incidentd_test; adb logcat | grep denied Change-Id: I90b57a5f01c97c8488c10692208080557a863051
---
 tracking_denials/incidentd.te | 2 --
 1 file changed, 2 deletions(-)
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
index 2187eab4..a67cc1b9 100644
--- a/tracking_denials/incidentd.te
+++ b/tracking_denials/incidentd.te
@@ -1,4 +1,2 @@
-# b/187015816
-dontaudit incidentd apex_info_file:file getattr;
 # b/190337296
 dontaudit incidentd debugfs_wakeup_sources:file read;
From 50ac49e19686cc9a800e60676549a70c61f0fb7e Mon Sep 17 00:00:00 2001
From: Orion Hodson
Date: Mon, 16 May 2022 14:51:11 +0100
Subject: [PATCH 622/921] Remove odsign_prop denial for postinstall_dexopt Issue fixed in https://r.android.com/1771328. Fix: 194142604 Test: N/A Change-Id: Ib8f8c07dce9c5d393b858e4234e6da66513d181f
---
 private/postinstall_dexopt.te | 2 --
 1 file changed, 2 deletions(-)
 delete mode 100644 private/postinstall_dexopt.te
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
deleted file mode 100644
index 2b51e8b7..00000000
--- a/private/postinstall_dexopt.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/194142604
-dontaudit postinstall_dexopt odsign_prop:file read;
From d479f730b07c44abb199292d589bf1aa92fbb555 Mon Sep 17 00:00:00 2001
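Review bot: The added `dontaudit hal_drm_default default_prop:file { read };` and the bug_map entry created in the same commit cover the same denial. As far as I know bug_map only annotates denials that are actually logged, so with the dontaudit in place the bug_map line would never be used; one of the two is enough. A read of default_prop usually points at a property that has no label of its own, so the lasting fix is likely a property_contexts entry rather than a suppression.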
From: George Chang Date: Wed, 30 Mar 2022 22:36:58 +0800 Subject: [PATCH 623/921] Update nfc from hidl to aidl service Bug: 216290344 Test: atest NfcNciInstrumentationTests Test: atest VtsAidlHalNfcTargetTest Merged-In: I288474f691670655516728fe0e164a3e5689875c Change-Id: I288474f691670655516728fe0e164a3e5689875c --- whitechapel/vendor/google/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 10ffc7af..5327e334 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -283,7 +283,7 @@ /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 # NFC -/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0 /dev/st21nfc u:object_r:nfc_device:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 From d6a8c63837a694a7aeb6ea9bc1f76030966924d7 Mon Sep 17 00:00:00 2001 From: George Chang Date: Wed, 30 Mar 2022 22:36:58 +0800 Subject: [PATCH 624/921] Update nfc from hidl to aidl service Bug: 216290344 Test: atest NfcNciInstrumentationTests Test: atest VtsAidlHalNfcTargetTest Merged-In: I288474f691670655516728fe0e164a3e5689875c Change-Id: I288474f691670655516728fe0e164a3e5689875c --- whitechapel/vendor/google/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index c1337e6b..ba232dd2 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
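Review bot: Replacing the `nfc@1\.2-service\.st` entry with `nfc-service\.st` leaves the HIDL binary without the hal_nfc_default_exec label on any build that still ships it, and the service then presumably cannot transition into its domain. While both service variants can exist in the tree, one pattern covering both is safer: `/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc(@1\.2)?-service\.st u:object_r:hal_nfc_default_exec:s0`. The change is reverted in PATCH 627/921 for broken tests and applied again in PATCH 630/921; the same hunk also appears in PATCH 624/921.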
@@ -285,7 +285,7 @@ /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 # NFC -/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0 /dev/st21nfc u:object_r:nfc_device:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 From 94e2cdeb6e43049b0605bc9312d8ab9517acd4c8 Mon Sep 17 00:00:00 2001 From: Kyle Tso Date: Mon, 16 May 2022 18:03:29 +0800 Subject: [PATCH 625/921] Add logbuffer_pogo_transfer file_contexts Bug: 232556226 Signed-off-by: Kyle Tso Change-Id: I1037d39f4187807e6aa9753339fae29e3bc89359 --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index c1337e6b..29fb7a39 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -101,6 +101,7 @@ /dev/umts_boot0 u:object_r:radio_device:s0 /dev/logbuffer_tcpm u:object_r:logbuffer_device:s0 /dev/logbuffer_usbpd u:object_r:logbuffer_device:s0 +/dev/logbuffer_pogo_transport u:object_r:logbuffer_device:s0 /dev/logbuffer_ssoc u:object_r:logbuffer_device:s0 /dev/logbuffer_wireless u:object_r:logbuffer_device:s0 /dev/logbuffer_ttf u:object_r:logbuffer_device:s0 From 9f214e0453df397eb7121c1c5e0b6c3601fe1343 Mon Sep 17 00:00:00 2001 From: jonerlin Date: Fri, 13 May 2022 14:39:00 +0800 Subject: [PATCH 626/921] Grant policy for BluetoothHal Extionsion feature Bug: 228943442 Test: Manually Change-Id: I00b37c1f74ca9b904df2319d2c58d34228e9678b --- bluetooth/hwservice_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/bluetooth/hwservice_contexts b/bluetooth/hwservice_contexts index 1b4f5445..8480b4e1 100644 --- a/bluetooth/hwservice_contexts +++ b/bluetooth/hwservice_contexts 
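Review bot: The path added here is `/dev/logbuffer_pogo_transport`, while the subject line calls it logbuffer_pogo_transfer, and the commit has no Test line showing which name the driver creates. file_contexts matches on the exact name, so a mismatch would leave the node without the logbuffer_device label. Confirming with `ls -Z /dev/logbuffer_pogo_transport` on a device and recording that in the commit would settle it. The same line is added again in PATCH 628/921.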
@@ -3,3 +3,4 @@ hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0 hardware.google.bluetooth.ccc::IBluetoothCcc u:object_r:hal_bluetooth_coexistence_hwservice:s0 hardware.google.bluetooth.ewp::IBluetoothEwp u:object_r:hal_bluetooth_coexistence_hwservice:s0 +hardware.google.bluetooth.ext::IBluetoothExt u:object_r:hal_bluetooth_coexistence_hwservice:s0 From 71db4c206b93f86490f836f808f0090b8f59eb81 Mon Sep 17 00:00:00 2001 From: George Chang Date: Thu, 19 May 2022 13:38:21 +0000 Subject: [PATCH 627/921] Revert "Update nfc from hidl to aidl service" Revert submission 2098739-nfc_aidl_switch_gs101 Reason for revert: broken tests Reverted Changes: Ifde6ab418:Switch NFC from HIDL to AIDL I288474f69:Update nfc from hidl to aidl service Bug: 233194621 Change-Id: I1dad9c64073c8baffdf5f491c38bf1e568c9af29 --- whitechapel/vendor/google/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index ba232dd2..c1337e6b 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -285,7 +285,7 @@ /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 # NFC -/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 /dev/st21nfc u:object_r:nfc_device:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 From 7347d18b7392b84a570fd9df223e0ef0b089198b Mon Sep 17 00:00:00 2001 From: Kyle Tso Date: Mon, 16 May 2022 18:03:29 +0800 Subject: [PATCH 628/921] Add logbuffer_pogo_transfer file_contexts Bug: 232556226 
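Review bot: `hardware.google.bluetooth.ext::IBluetoothExt` is given the hal_bluetooth_coexistence_hwservice label, so every domain that may already find or add the coexistence services gets the extension interface along with them. If IBluetoothExt exposes more than coexistence controls, a dedicated hwservice type with its own find and add rules would keep the access separable. If sharing the label is intended, a one-line `#` comment above the entry saying so would be enough.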
Signed-off-by: Kyle Tso Change-Id: I1037d39f4187807e6aa9753339fae29e3bc89359 Merged-In: I1037d39f4187807e6aa9753339fae29e3bc89359 --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 10ffc7af..c98edb0c 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -96,6 +96,7 @@ /dev/umts_boot0 u:object_r:radio_device:s0 /dev/logbuffer_tcpm u:object_r:logbuffer_device:s0 /dev/logbuffer_usbpd u:object_r:logbuffer_device:s0 +/dev/logbuffer_pogo_transport u:object_r:logbuffer_device:s0 /dev/logbuffer_ssoc u:object_r:logbuffer_device:s0 /dev/logbuffer_wireless u:object_r:logbuffer_device:s0 /dev/logbuffer_ttf u:object_r:logbuffer_device:s0 From 3531538a258bbabe428417b8c619745dfb6de835 Mon Sep 17 00:00:00 2001 
From: Jaegeuk Kim Date: Mon, 23 May 2022 16:39:21 -0700 Subject: [PATCH 629/921] Allow sysfs_devices_block to f2fs-tools The fsck.f2fs checks the sysfs entries of block devices to get disk information. Note that, the block device entries are device-specific. 1. fsck.f2fs avc: denied { search } for comm="fsck.f2fs" name="0:0:0:0" dev="sysfs" ino=59803 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=0 avc: denied { getattr } for comm="fsck.f2fs" path="/sys/devices/platform/14700000.ufs/host0/target0:0:0/0:0:0:0/block/sda/sda7/partition" dev="sysfs" ino=60672 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0 2. mkfs.f2fs avc: denied { search } for comm="make_f2fs" name="0:0:0:0" dev="sysfs" ino=59803 scontext=u:r:e2fs:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=0 avc: denied { getattr } for comm="make_f2fs" path="/sys/devices/platform/14700000.ufs/host0/target0:0:0/0:0:0:0/block/sda/sda8/partition" dev="sysfs" ino=61046 scontext=u:r:e2fs:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0 Bug: 172377740 Signed-off-by: Jaegeuk Kim Change-Id: I409feec84565f965baa96b06a5b08bcfc1a8db02 --- whitechapel/vendor/google/e2fs.te | 2 ++ whitechapel/vendor/google/fsck.te | 2 ++ 2 files changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/e2fs.te b/whitechapel/vendor/google/e2fs.te index a6664594..3e72adfb 100644 --- a/whitechapel/vendor/google/e2fs.te +++ b/whitechapel/vendor/google/e2fs.te @@ -4,3 +4,5 @@ allow e2fs modem_userdata_block_device:blk_file rw_file_perms; allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl { BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET }; +allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms; +allow e2fs sysfs_scsi_devices_0000:file r_file_perms; 
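Review bot: The added rules are broader than the denials quoted in the commit message: those are `search` on the directory and `getattr` on the file, while e2fs.te (and fsck.te in the next hunk) grant `r_dir_perms` and `r_file_perms` on sysfs_scsi_devices_0000. If the tools go on to read the attributes the wider set is needed and a comment should say so; otherwise `allow e2fs sysfs_scsi_devices_0000:dir search;` and `allow e2fs sysfs_scsi_devices_0000:file getattr;` are the least-privilege form. Neither file has a comment explaining why a filesystem tool reads UFS sysfs nodes.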
diff --git a/whitechapel/vendor/google/fsck.te b/whitechapel/vendor/google/fsck.te index d29555b3..cb9470d0 100644 --- a/whitechapel/vendor/google/fsck.te +++ b/whitechapel/vendor/google/fsck.te @@ -1,3 +1,5 @@ allow fsck persist_block_device:blk_file rw_file_perms; allow fsck efs_block_device:blk_file rw_file_perms; allow fsck modem_userdata_block_device:blk_file rw_file_perms; +allow fsck sysfs_scsi_devices_0000:dir r_dir_perms; +allow fsck sysfs_scsi_devices_0000:file r_file_perms; From 3b0a628ef4c756b97486ecd5a63d25f1df2afd74 Mon Sep 17 00:00:00 2001 From: George Chang Date: Wed, 30 Mar 2022 22:36:58 +0800 Subject: [PATCH 630/921] Update nfc from hidl to aidl service Bug: 216290344 Test: atest NfcNciInstrumentationTests Test: atest VtsAidlHalNfcTargetTest Merged-In: I288474f691670655516728fe0e164a3e5689875c Change-Id: I288474f691670655516728fe0e164a3e5689875c --- whitechapel/vendor/google/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index c98edb0c..2a802f4b 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -284,7 +284,7 @@ /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 # NFC -/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0 /dev/st21nfc u:object_r:nfc_device:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 From f276625942b502cd5b481a8f175a79d2a755cdf6 Mon Sep 17 00:00:00 2001 From: Jidong Sun Date: Fri, 3 Jun 2022 17:16:47 -0700 Subject: [PATCH 631/921] gs101: Allow BootControl to access sysfs blow_ar Bug: 232277507 
Signed-off-by: Jidong Sun Change-Id: I120672722a5ab8b5cadf0dce6d872e00c9fae642 --- whitechapel/vendor/google/file.te | 3 +++ whitechapel/vendor/google/genfs_contexts | 3 +++ whitechapel/vendor/google/hal_bootctl_default.te | 1 + 3 files changed, 7 insertions(+) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 673bc785..0c7a56d8 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -209,3 +209,6 @@ userdebug_or_eng(` # Trusty type sysfs_trusty, sysfs_type, fs_type; + +# BootControl +type sysfs_bootctl, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 2e73f80d..d3300e28 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -541,3 +541,6 @@ genfscon sysfs /devices/platform/25c40000.etm u:object_r:sysfs_devices_cs_etm genfscon sysfs /devices/platform/25d40000.etm u:object_r:sysfs_devices_cs_etm:s0 genfscon sysfs /devices/platform/25e40000.etm u:object_r:sysfs_devices_cs_etm:s0 genfscon sysfs /devices/platform/25f40000.etm u:object_r:sysfs_devices_cs_etm:s0 + +# BootControl +genfscon sysfs /kernel/boot_control/blow_ar u:object_r:sysfs_bootctl:s0 diff --git a/whitechapel/vendor/google/hal_bootctl_default.te b/whitechapel/vendor/google/hal_bootctl_default.te index 30db79bd..a9f9cdea 100644 --- a/whitechapel/vendor/google/hal_bootctl_default.te +++ b/whitechapel/vendor/google/hal_bootctl_default.te @@ -1,3 +1,4 @@ allow hal_bootctl_default sda_block_device:blk_file rw_file_perms; allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms; allow hal_bootctl_default sysfs_ota:file rw_file_perms; +allow hal_bootctl_default sysfs_bootctl:file rw_file_perms; From 1be95c2e338752cb24c596aaeb1252c16123b218 Mon Sep 17 00:00:00 2001 
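Review bot: `allow hal_bootctl_default sysfs_bootctl:file rw_file_perms;` is added without a comment, and the node name blow_ar suggests a one-way operation (anti-rollback, presumably) that deserves an explanation in the policy. If the HAL only triggers the operation and never reads the node back, `allow hal_bootctl_default sysfs_bootctl:file w_file_perms;` would be narrower. A comment such as `# BootControl writes blow_ar after a successful boot; see b/232277507` (with the real reason filled in) would help later reviewers. The same three hunks appear again in PATCH 638/921.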
From: SalmaxChang Date: Mon, 6 Jun 2022 20:36:44 +0800 Subject: [PATCH 632/921] modem_svc: Fix avc error avc: denied { write } for comm="modem_svc_sit" name="modem_stat" dev="dm-42" ino=331 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir permissive=0 Bug: 234844823 Change-Id: I51db41d73be317cc7fc84981ac5f04e254a360d0 --- whitechapel/vendor/google/file_contexts | 2 +- whitechapel/vendor/google/modem_svc_sit.te | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 29fb7a39..5e50dbf3 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -270,7 +270,7 @@ # modem_svc_sit files /vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0 -/data/vendor/modem_stat/debug\.txt u:object_r:modem_stat_data_file:s0 +/data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0 # modem mnt files /mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0 diff --git a/whitechapel/vendor/google/modem_svc_sit.te b/whitechapel/vendor/google/modem_svc_sit.te index eeba9976..f664359d 100644 --- a/whitechapel/vendor/google/modem_svc_sit.te +++ b/whitechapel/vendor/google/modem_svc_sit.te @@ -14,6 +14,7 @@ allow modem_svc_sit radio_device:chr_file rw_file_perms; # Grant vendor radio and modem file/dir creation permission allow modem_svc_sit radio_vendor_data_file:dir create_dir_perms; allow modem_svc_sit radio_vendor_data_file:file create_file_perms; +allow modem_svc_sit modem_stat_data_file:dir create_dir_perms; allow modem_svc_sit modem_stat_data_file:file create_file_perms; allow modem_svc_sit mnt_vendor_file:dir search; From 518c7910be6c6d39ef9f5656df6e2506b09cdb19 Mon Sep 17 00:00:00 2001 
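Review bot: `allow modem_svc_sit modem_stat_data_file:dir create_dir_perms;` grants more than the quoted denial asks for, which is a `write` on the directory. Creating and removing files inside it needs `rw_dir_perms`; create_dir_perms additionally allows creating, renaming and removing directories. The file_contexts hunk of the same commit relabels the whole `/data/vendor/modem_stat(/.*)?` tree, and on an upgraded device the existing directory keeps vendor_data_file (the tcontext in the denial) until it is relabelled, so the init step that creates the directory presumably needs a restorecon. The same change is repeated in PATCH 644/921.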
From: Adam Shih
Date: Thu, 9 Jun 2022 11:05:03 +0800
Subject: [PATCH 633/921] remove obsolete sepolicy Bug: 193474772 Bug: 193726003 Bug: 193009345 Bug: 190337283 Bug: 226717475 Test: boot with no relevant avc error shows up Change-Id: I8af2693fb7726e49d9b6d1c13010840a0b581326 Merged-In: I8af2693fb7726e49d9b6d1c13010840a0b581326
---
 private/fsverity_init.te | 2 --
 tracking_denials/dumpstate.te | 2 --
 tracking_denials/init-insmod-sh.te | 4 ----
 tracking_denials/uwb_vendor_app.te | 2 --
 4 files changed, 10 deletions(-)
 delete mode 100644 private/fsverity_init.te
 delete mode 100644 tracking_denials/init-insmod-sh.te
 delete mode 100644 tracking_denials/uwb_vendor_app.te
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
deleted file mode 100644
index ed3728d6..00000000
--- a/private/fsverity_init.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/193474772
-dontaudit fsverity_init domain:key view;
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
index fa9d5cec..ffb8518c 100644
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
@@ -1,4 +1,2 @@
 # b/185723618
 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
-# b/190337283
-dontaudit dumpstate debugfs_wakeup_sources:file read;
diff --git a/tracking_denials/init-insmod-sh.te b/tracking_denials/init-insmod-sh.te
deleted file mode 100644
index 8b2358b2..00000000
--- a/tracking_denials/init-insmod-sh.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/193474772
-dontaudit init-insmod-sh self:key write;
-# b/193726003
-dontaudit init-insmod-sh debugfs_bootreceiver_tracing:dir search;
diff --git a/tracking_denials/uwb_vendor_app.te b/tracking_denials/uwb_vendor_app.te
deleted file mode 100644
index 91933c0d..00000000
--- a/tracking_denials/uwb_vendor_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/193009345
-dontaudit uwb_vendor_app radio_service:service_manager find;
From acf18a6f23a2f98b0e31c6f03c4214fd38d2c496 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 9 Jun 2022 10:04:28 +0800
Subject: [PATCH 634/921] remove obsolete sepolicy Bug: 193474772 Bug: 193726003 Bug: 193009345 Bug: 190337283 Bug: 226717475 Test: boot with no relevant avc error shows up Change-Id: I8af2693fb7726e49d9b6d1c13010840a0b581326
---
 private/fsverity_init.te | 2 --
 tracking_denials/dumpstate.te | 4 ----
 tracking_denials/init-insmod-sh.te | 4 ----
 tracking_denials/uwb_vendor_app.te | 2 --
 4 files changed, 12 deletions(-)
 delete mode 100644 private/fsverity_init.te
 delete mode 100644 tracking_denials/init-insmod-sh.te
 delete mode 100644 tracking_denials/uwb_vendor_app.te
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
deleted file mode 100644
index ed3728d6..00000000
--- a/private/fsverity_init.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/193474772
-dontaudit fsverity_init domain:key view;
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
index fc4afa4d..ffb8518c 100644
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
@@ -1,6 +1,2 @@
 # b/185723618
 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
-# b/190337283
-dontaudit dumpstate debugfs_wakeup_sources:file read;
-# b/226717475
-dontaudit dumpstate app_zygote:process { signal };
diff --git a/tracking_denials/init-insmod-sh.te b/tracking_denials/init-insmod-sh.te
deleted file mode 100644
index 8b2358b2..00000000
--- a/tracking_denials/init-insmod-sh.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/193474772
-dontaudit init-insmod-sh self:key write;
-# b/193726003
-dontaudit init-insmod-sh debugfs_bootreceiver_tracing:dir search;
diff --git a/tracking_denials/uwb_vendor_app.te b/tracking_denials/uwb_vendor_app.te
deleted file mode 100644
index 91933c0d..00000000
--- a/tracking_denials/uwb_vendor_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/193009345
-dontaudit uwb_vendor_app radio_service:service_manager find;
From 2bb24e91b3d7d2e5f60327c3532fd785427ca99e Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 9 Jun 2022 11:59:06 +0800
Subject: [PATCH 635/921] remove obsolete entries Bug: 190337296 Bug: 228181404 Test: adb bugreport Change-Id: Ibd5ea9d9d56b7da9b17f78f22aef985d5f33df94
---
 tracking_denials/incidentd.te | 2 --
 tracking_denials/kernel.te | 2 --
 2 files changed, 4 deletions(-)
 delete mode 100644 tracking_denials/incidentd.te
 delete mode 100644 tracking_denials/kernel.te
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
deleted file mode 100644
index a67cc1b9..00000000
--- a/tracking_denials/incidentd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/190337296
-dontaudit incidentd debugfs_wakeup_sources:file read;
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
deleted file mode 100644
index 21776b79..00000000
--- a/tracking_denials/kernel.te
+++ /dev/null
@@ -1,2 +0,0 @@
-#b/228181404
-dontaudit kernel vendor_maxfg_debugfs:dir { search };
\ No newline at end of file
From d7f53f60182fd47041716d1cf55d70c8e40dc446 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 9 Jun 2022 12:03:07 +0800
Subject: [PATCH 636/921] remove obsolete entries Bug: 190337296 Bug: 228181404 Test: adb bugreport Change-Id: Ibd5ea9d9d56b7da9b17f78f22aef985d5f33df94 Merged-In: Ibd5ea9d9d56b7da9b17f78f22aef985d5f33df94
---
 tracking_denials/incidentd.te | 2 --
 1 file changed, 2 deletions(-)
 delete mode 100644 tracking_denials/incidentd.te
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
deleted file mode 100644
index a67cc1b9..00000000
--- a/tracking_denials/incidentd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/190337296
-dontaudit incidentd debugfs_wakeup_sources:file read;
From fbcf66a04a78b7ec23946bddb5888b1c6fe95275 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?=
Date: Tue, 10 May 2022 05:12:05 +0000
Subject: [PATCH 637/921] gs101: Add dontaudit statements to camera HAL policy. The autogenerated dontaudit statements in tracking_denials are actually the correct policy. Move them to the correct file and add comments. Fix: 178980085 Fix: 180567725 Fix: 218585004 Test: build & camera check on raven Change-Id: I3f3a1f64d403182d4f592f1cacc6ef8d1418062d (cherry picked from commit b71d24d62c578494fa381acbe63e3a51fca75811)
---
 tracking_denials/hal_camera_default.te | 5 -----
 whitechapel/vendor/google/hal_camera_default.te | 8 ++++++++
 2 files changed, 8 insertions(+), 5 deletions(-)
 delete mode 100644 tracking_denials/hal_camera_default.te
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
deleted file mode 100644
index 6ab5a51c..00000000
--- a/tracking_denials/hal_camera_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# b/178980085
-dontaudit hal_camera_default system_data_file:dir { search };
-# b/180567725
-dontaudit hal_camera_default traced:unix_stream_socket { connectto };
-dontaudit hal_camera_default traced_producer_socket:sock_file { write };
diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te
index 440b503c..2e36e4a8 100644
--- a/whitechapel/vendor/google/hal_camera_default.te
+++ b/whitechapel/vendor/google/hal_camera_default.te
@@ -96,3 +96,11 @@ allow hal_camera_default proc_interrupts:file r_file_perms; # Allow camera HAL to send trace packets to Perfetto userdebug_or_eng(`perfetto_producer(hal_camera_default)') + +# Some file searches attempt to access system data and are denied. +# This is benign and can be ignored. +dontaudit hal_camera_default system_data_file:dir { search }; + +# google3 prebuilts attempt to connect to the wrong trace socket, ignore them. +dontaudit hal_camera_default traced:unix_stream_socket { connectto }; +dontaudit hal_camera_default traced_producer_socket:sock_file { write }; \ No newline at end of file From 61b72806e8b5778ff766229c4d6c20c53c47cafb Mon Sep 17 00:00:00 2001 From: Jidong Sun Date: Fri, 3 Jun 2022 17:16:47 -0700 Subject: [PATCH 638/921] gs101: Allow BootControl to access sysfs blow_ar Bug: 232277507 Signed-off-by: Jidong Sun Merged-In: I120672722a5ab8b5cadf0dce6d872e00c9fae642 Change-Id: I120672722a5ab8b5cadf0dce6d872e00c9fae642 --- whitechapel/vendor/google/file.te | 3 +++ whitechapel/vendor/google/genfs_contexts | 3 +++ whitechapel/vendor/google/hal_bootctl_default.te | 1 + 3 files changed, 7 insertions(+) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index f951e2e3..e4292523 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -200,3 +200,6 @@ type sysfs_sjtag, fs_type, sysfs_type; userdebug_or_eng(` typeattribute sysfs_sjtag mlstrustedobject; ') + +# BootControl +type sysfs_bootctl, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 1569e07a..eeced333 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -373,3 +373,6 @@ genfscon sysfs /devices/platform/25c40000.etm u:object_r:sysfs_devices_cs_etm genfscon sysfs /devices/platform/25d40000.etm u:object_r:sysfs_devices_cs_etm:s0 genfscon sysfs /devices/platform/25e40000.etm u:object_r:sysfs_devices_cs_etm:s0 genfscon sysfs /devices/platform/25f40000.etm u:object_r:sysfs_devices_cs_etm:s0 + +# BootControl +genfscon sysfs /kernel/boot_control/blow_ar u:object_r:sysfs_bootctl:s0 diff --git a/whitechapel/vendor/google/hal_bootctl_default.te b/whitechapel/vendor/google/hal_bootctl_default.te index 30db79bd..a9f9cdea 100644 --- a/whitechapel/vendor/google/hal_bootctl_default.te +++ b/whitechapel/vendor/google/hal_bootctl_default.te @@ -1,3 +1,4 @@ allow hal_bootctl_default sda_block_device:blk_file rw_file_perms; allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms; allow hal_bootctl_default sysfs_ota:file rw_file_perms; +allow hal_bootctl_default sysfs_bootctl:file rw_file_perms; From d34b17e30eb8c0bb326bd95f89a9cb2a3a7bfd63 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 10 Jun 2022 06:29:39 +0000 Subject: [PATCH 639/921] suppress warning on writing key Bug: 235553565 Test: boot to home with no relevant error Change-Id: I43bd360eabb55f504b48bb940d951d197256c593 --- whitechapel/vendor/google/init-insmod-sh.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/init-insmod-sh.te b/whitechapel/vendor/google/init-insmod-sh.te index 9b2da73d..34d5bc3f 100644 --- a/whitechapel/vendor/google/init-insmod-sh.te +++ b/whitechapel/vendor/google/init-insmod-sh.te @@ -14,3 +14,4 @@ userdebug_or_eng(` ') dontaudit init-insmod-sh proc_cmdline:file r_file_perms; +dontaudit init-insmod-sh self:key write; From 143668225a66a443de0c6837a29f64acdee45fb4 Mon Sep 17 00:00:00 2001 
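Review bot: `dontaudit init-insmod-sh self:key write;` is added to the permanent policy file with no comment or bug reference, shortly after PATCH 633/921 removed the same rule from tracking_denials as obsolete. Since the suppression is now meant to stay, the policy should say why, for example `# b/235553565: init-insmod-sh does not need keyring write access; suppress the denial`. The neighbouring `dontaudit init-insmod-sh proc_cmdline:file r_file_perms;` is also uncommented and could be documented in the same change. The file's earlier rules are outside the hunk.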
From: JimiChen Date: Sat, 11 Jun 2022 15:39:19 +0800 Subject: [PATCH 640/921] allow rlsservice read vendor camera property Bug: 233020488 Test: no avc denied Change-Id: I96dee4482d4c0ff5b7852db635dc100a7ea4874c --- whitechapel/vendor/google/rlsservice.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/rlsservice.te b/whitechapel/vendor/google/rlsservice.te index 425620f3..3086bcad 100644 --- a/whitechapel/vendor/google/rlsservice.te +++ b/whitechapel/vendor/google/rlsservice.te @@ -32,3 +32,6 @@ usf_low_latency_transport(rlsservice) # For observing apex file changes allow rlsservice apex_info_file:file r_file_perms; + +# Allow read camera property +get_prop(rlsservice, vendor_camera_prop); From 5889704effb759a1ea12d7725c4eddf1551e1c12 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 14 Jun 2022 02:58:58 +0000 Subject: [PATCH 641/921] mute update_engine probing mnt_vendor_file Bug: 187016910 Test: boot to home Change-Id: I5f7141f817b543a1499ef5826177f3ac4945e857 --- tracking_denials/update_engine.te | 2 -- whitechapel/vendor/google/update_engine.te | 3 +++ 2 files changed, 3 insertions(+), 2 deletions(-) delete mode 100644 tracking_denials/update_engine.te diff --git a/tracking_denials/update_engine.te b/tracking_denials/update_engine.te deleted file mode 100644 index 98e7b851..00000000 --- a/tracking_denials/update_engine.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/187016910 -dontaudit update_engine mnt_vendor_file:dir search ; diff --git a/whitechapel/vendor/google/update_engine.te b/whitechapel/vendor/google/update_engine.te index a403d9e4..8342f126 100644 --- a/whitechapel/vendor/google/update_engine.te +++ b/whitechapel/vendor/google/update_engine.te 
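Review bot: The added `get_prop(rlsservice, vendor_camera_prop);` ends with a semicolon, unlike the macro call `usf_low_latency_transport(rlsservice)` a few lines above it in the same hunk. The macro already expands to complete rules, so `get_prop(rlsservice, vendor_camera_prop)` is the consistent form. The grant itself is read-only, which matches the comment.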
@@ -1,3 +1,6 @@
 allow update_engine custom_ab_block_device:blk_file rw_file_perms;
 allow update_engine modem_block_device:blk_file rw_file_perms;
 allow update_engine proc_bootconfig:file r_file_perms;
+
+# update_engine probe mnt_vendor_file during OTA, which is a permission not required
+dontaudit update_engine mnt_vendor_file:dir search;
From bf1333f881ffe337a140982f5888b91be0797a6a Mon Sep 17 00:00:00 2001
From: matthuang
Date: Mon, 9 May 2022 15:19:36 +0800
Subject: [PATCH 642/921] Add acd-com.google.usf.non_wake_up file to AoC file context.

Bug: 195077076
Test: ls -lZ dev/acd-com.google.usf.non_wake_up
Change-Id: If9add3528bde47a618bd884ce28121b6fa32754c
---
 whitechapel/vendor/google/file_contexts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 2a802f4b..bcad888d 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -248,6 +248,7 @@
 # Sensors
 /data/vendor/sensor(/.*)? u:object_r:sensor_vendor_data_file:s0
 /dev/acd-com.google.usf u:object_r:aoc_device:s0
+/dev/acd-com.google.usf.non_wake_up u:object_r:aoc_device:s0
 /dev/acd-logging u:object_r:aoc_device:s0
 /dev/aoc u:object_r:aoc_device:s0
From de88097de506840ba804992d930b37e40f561b96 Mon Sep 17 00:00:00 2001
From: SalmaxChang
Date: Mon, 20 Jun 2022 15:55:16 +0800
Subject: [PATCH 643/921] hal_dumpstate_default: fix avc error

avc: denied { search } for comm="dumpstate@1.1-s" name="modem_stat" dev="dm-44" ino=341 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:modem_stat_data_file:s0 tclass=dir

Bug: 235963885
Change-Id: Ib9625eefc367738bcd6594884b1f3b5e3ab5be54
---
 whitechapel/vendor/google/hal_dumpstate_default.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te
index 612b3c0b..44d6ea65 100644
--- a/whitechapel/vendor/google/hal_dumpstate_default.te
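Review bot: The added file_contexts pattern `/dev/acd-com.google.usf.non_wake_up` leaves its dots unescaped, and file_contexts paths are regular expressions, so each `.` matches any character and the entry can label more names than the one device node intended. Other entries on this page escape literal dots (`/vendor/bin/init\.radio\.sh`, `/data/vendor/modem_stat/debug\.txt`); the same form here is `/dev/acd-com\.google\.usf\.non_wake_up u:object_r:aoc_device:s0`. The neighbouring context line `/dev/acd-com.google.usf` has the same looseness and could be tightened alongside.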
+++ b/whitechapel/vendor/google/hal_dumpstate_default.te
@@ -67,6 +67,7 @@ allow hal_dumpstate_default sysfs_thermal:lnk_file read;
 # Modem logs
 allow hal_dumpstate_default modem_efs_file:dir search;
 allow hal_dumpstate_default modem_efs_file:file r_file_perms;
+allow hal_dumpstate_default modem_stat_data_file:dir r_dir_perms;
 allow hal_dumpstate_default modem_stat_data_file:file r_file_perms;
 allow hal_dumpstate_default vendor_slog_file:file r_file_perms;
From a9157994c3e376ff6fc12be5f31502c0cd447744 Mon Sep 17 00:00:00 2001
From: SalmaxChang
Date: Mon, 6 Jun 2022 20:36:44 +0800
Subject: [PATCH 644/921] modem_svc: Fix avc error

avc: denied { write } for comm="modem_svc_sit" name="modem_stat" dev="dm-42" ino=331 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir permissive=0

Bug: 234844823
Change-Id: I51db41d73be317cc7fc84981ac5f04e254a360d0
Merged-In: I51db41d73be317cc7fc84981ac5f04e254a360d0
---
 whitechapel/vendor/google/file_contexts | 2 +-
 whitechapel/vendor/google/modem_svc_sit.te | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 2a802f4b..4cb534ac 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -268,7 +268,7 @@
 # modem_svc_sit files
 /vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
-/data/vendor/modem_stat/debug\.txt u:object_r:modem_stat_data_file:s0
+/data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0
 # modem mnt files
 /mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0
diff --git a/whitechapel/vendor/google/modem_svc_sit.te b/whitechapel/vendor/google/modem_svc_sit.te
index eeba9976..f664359d 100644
--- a/whitechapel/vendor/google/modem_svc_sit.te
+++ b/whitechapel/vendor/google/modem_svc_sit.te
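Review bot: The added `allow hal_dumpstate_default modem_stat_data_file:dir r_dir_perms;` is wider than the denial quoted in the commit message, which is only `{ search }` on the `modem_stat` directory. The rule two lines above it grants just `search` on `modem_efs_file:dir`; unless the HAL lists the directory rather than opening known file names (not visible in this hunk), `allow hal_dumpstate_default modem_stat_data_file:dir search;` matches the logged need. The identical hunk appears again in PATCH 650 on this page.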
@@ -14,6 +14,7 @@ allow modem_svc_sit radio_device:chr_file rw_file_perms;
 # Grant vendor radio and modem file/dir creation permission
 allow modem_svc_sit radio_vendor_data_file:dir create_dir_perms;
 allow modem_svc_sit radio_vendor_data_file:file create_file_perms;
+allow modem_svc_sit modem_stat_data_file:dir create_dir_perms;
 allow modem_svc_sit modem_stat_data_file:file create_file_perms;
 allow modem_svc_sit mnt_vendor_file:dir search;
From 1a4cd82bc8a411c9c438fa31bafa6b976a05b373 Mon Sep 17 00:00:00 2001
From: sashwinbalaji
Date: Fri, 24 Jun 2022 13:54:24 +0800
Subject: [PATCH 645/921] thermal: added property persist.vendor.disable.thermal.dfs.control Updated the sepolicy to access tmu register
Bug: 235156080
Test: Used local build to verify security context of tmu_reg files
Change-Id: Ia2a274ec3424bfeec25ae24e762f8ad41cb7ae86
---
 whitechapel/vendor/google/genfs_contexts | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index eeced333..cb84acc2 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
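Review bot: `allow modem_svc_sit modem_stat_data_file:dir create_dir_perms;` lets the service create, rename and remove directories of that type, while the logged denial is a `write` on the existing `modem_stat` directory. If modem_svc_sit only creates files inside a directory that already exists, `allow modem_svc_sit modem_stat_data_file:dir rw_dir_perms;` is enough. The file_contexts hunk of the same commit widens the label from `debug\.txt` to `/data/vendor/modem_stat(/.*)?`, so every file under that tree becomes readable by the domains holding `modem_stat_data_file:file r_file_perms`, hal_dumpstate_default among them; a comment there naming the files expected in the directory would help.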
@@ -344,12 +344,7 @@ genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfre
 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0
 # thermal sysfs files
-genfscon sysfs /module/gs101_thermal/parameters/tmu_reg_dump_state u:object_r:sysfs_thermal:s0
-genfscon sysfs /module/gs101_thermal/parameters/tmu_reg_dump_current_temp u:object_r:sysfs_thermal:s0
-genfscon sysfs /module/gs101_thermal/parameters/tmu_top_reg_dump_rise_thres u:object_r:sysfs_thermal:s0
-genfscon sysfs /module/gs101_thermal/parameters/tmu_top_reg_dump_fall_thres u:object_r:sysfs_thermal:s0
-genfscon sysfs /module/gs101_thermal/parameters/tmu_sub_reg_dump_rise_thres u:object_r:sysfs_thermal:s0
-genfscon sysfs /module/gs101_thermal/parameters/tmu_sub_reg_dump_fall_thres u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs101_thermal/parameters u:object_r:sysfs_thermal:s0
 # USB-C throttling stats
 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0
From 7835523aeaa6720b333b535a56c2e78363e7af51 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Tue, 5 Jul 2022 11:17:25 +0800
Subject: [PATCH 646/921] Update SELinux error

Test: SELinuxUncheckedDenialBootTest
Bug: 238038592
Change-Id: Id248ba82c49fa09be28f7a0219eb42b0ecc9e358
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 41887edd..c448a103 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1 +1,2 @@
 hal_drm_default default_prop file b/232714489
+shell sysfs_wlc dir b/238038592
From a8aeb4a6c91d672459f06a000044ff9152c080c2 Mon Sep 17 00:00:00 2001
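Review bot: Replacing the six `tmu_*_reg_dump_*` entries with `genfscon sysfs /module/gs101_thermal/parameters u:object_r:sysfs_thermal:s0` labels every parameter of the module, present and future, as `sysfs_thermal`. Each domain that already holds write access to `sysfs_thermal` files then has it on any writable module parameter, not only on the register dumps the commit message names. If the change is meant to cover one new node, adding that single path keeps the earlier scope, e.g. `genfscon sysfs /module/gs101_thermal/parameters/<new_node> u:object_r:sysfs_thermal:s0`. The subject also names a property, but no property context is added in this commit.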
From: Adam Shih
Date: Wed, 6 Jul 2022 02:58:51 +0000
Subject: [PATCH 647/921] Update SELinux error

Test: SELinuxUncheckedDenialBootTest
Bug: 238143262
Bug: 238143381
Change-Id: Ibe3ce917418d71b61aa6d085041a51dda5998c74
---
 tracking_denials/bug_map | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index c448a103..67fadcf9 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,2 +1,4 @@
 hal_drm_default default_prop file b/232714489
 shell sysfs_wlc dir b/238038592
+dumpstate hal_input_processor_default process b/238143262
+hal_googlebattery dumpstate fd b/238143381
From bc85d4604502ad06d06660b929ffde09738d058b Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 6 Jul 2022 14:40:23 +0800
Subject: [PATCH 648/921] ignore shell access on wlc

Bug: 238038592
Test: boot
Change-Id: I09b67ca07d7f9573d77f64686fb818d4dc1753cc
---
 tracking_denials/bug_map | 1 -
 whitechapel/vendor/google/shell.te | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 67fadcf9..892c4dd5 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,4 +1,3 @@
 hal_drm_default default_prop file b/232714489
-shell sysfs_wlc dir b/238038592
 dumpstate hal_input_processor_default process b/238143262
 hal_googlebattery dumpstate fd b/238143381
diff --git a/whitechapel/vendor/google/shell.te b/whitechapel/vendor/google/shell.te
index f982424d..e13e744e 100644
--- a/whitechapel/vendor/google/shell.te
+++ b/whitechapel/vendor/google/shell.te
@@ -8,3 +8,4 @@ userdebug_or_eng(`
 dontaudit shell proc_vendor_sched:dir search;
 dontaudit shell proc_vendor_sched:file write;
+dontaudit shell sysfs_wlc:dir search;
From 347e482d191867579aa1c0ed1f56dbcc8f34d5ae Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 7 Jul 2022 11:29:44 +0800
Subject: [PATCH 649/921] Update SELinux error

Test: checkLockScreen
Bug: 238263438
Bug: 238263568
Change-Id: I694924ceb031abb749e4b92a715d3b7dc87088be
---
 tracking_denials/bug_map | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 892c4dd5..93e10b12 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,3 +1,5 @@
 hal_drm_default default_prop file b/232714489
 dumpstate hal_input_processor_default process b/238143262
 hal_googlebattery dumpstate fd b/238143381
+dumpstate app_zygote process b/238263438
+incidentd debugfs_wakeup_sources file b/238263568
From 24553295365c7f5c11c7024ad405c79a1a743223 Mon Sep 17 00:00:00 2001
From: SalmaxChang
Date: Mon, 20 Jun 2022 15:55:16 +0800
Subject: [PATCH 650/921] hal_dumpstate_default: fix avc error

avc: denied { search } for comm="dumpstate@1.1-s" name="modem_stat" dev="dm-44" ino=341 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:modem_stat_data_file:s0 tclass=dir

Bug: 235963885
Change-Id: Ib9625eefc367738bcd6594884b1f3b5e3ab5be54
Merged-In: Ib9625eefc367738bcd6594884b1f3b5e3ab5be54
---
 whitechapel/vendor/google/hal_dumpstate_default.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te
index 66c51b7c..01c69b49 100644
--- a/whitechapel/vendor/google/hal_dumpstate_default.te
+++ b/whitechapel/vendor/google/hal_dumpstate_default.te
@@ -67,6 +67,7 @@ allow hal_dumpstate_default sysfs_thermal:lnk_file read;
 # Modem logs
 allow hal_dumpstate_default modem_efs_file:dir search;
 allow hal_dumpstate_default modem_efs_file:file r_file_perms;
+allow hal_dumpstate_default modem_stat_data_file:dir r_dir_perms;
 allow hal_dumpstate_default modem_stat_data_file:file r_file_perms;
 allow hal_dumpstate_default vendor_slog_file:file r_file_perms;
From c6186c2960c0d1fb30877a27a5c76ec898395f3c Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 11 Jul 2022 10:24:12 +0800
Subject: [PATCH 651/921] Update SELinux error

Test: checkSensors
Bug: 238571420
Test: checkLockScreen
Bug: 238570971
Test: scanBugreport
Bug: 238571324
Change-Id: Ia6f2db6374d7ebe1a9c3f5b0bd8d152ed9d4a9a0
---
 tracking_denials/bug_map | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 93e10b12..4e7c9cf6 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -3,3 +3,6 @@ dumpstate hal_input_processor_default process b/238143262
 hal_googlebattery dumpstate fd b/238143381
 dumpstate app_zygote process b/238263438
 incidentd debugfs_wakeup_sources file b/238263568
+dumpstate incident process b/238571420
+dumpstate incident process b/238570971
+dumpstate incident process b/238571324
From 74d2d8963fec9ba5afe2982cb24ce9b70b53176f Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 13 Jul 2022 11:01:28 +0800
Subject: [PATCH 652/921] Update error on ROM 8820442

Bug: 238825802
Test: testSysfsHealth
Change-Id: I607f78de19b18b258309f89669ded393dd74a2a7
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 4e7c9cf6..358c25e9 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -6,3 +6,4 @@ incidentd debugfs_wakeup_sources file b/238263568
 dumpstate incident process b/238571420
 dumpstate incident process b/238570971
 dumpstate incident process b/238571324
+su modem_img_file filesystem b/238825802
From 32d987cd244b1fb6d24a1445cd049ec916bde4d6 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 14 Jul 2022 06:47:23 +0000
Subject: [PATCH 653/921] Update SELinux error

Bug: 234547283
Change-Id: I50bd66a22755eefe7aa24ec1042e3b6cb627ad3d
---
 tracking_denials/bug_map | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 358c25e9..b36aa8ee 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,9 +1,9 @@
-hal_drm_default default_prop file b/232714489
-dumpstate hal_input_processor_default process b/238143262
-hal_googlebattery dumpstate fd b/238143381
 dumpstate app_zygote process b/238263438
-incidentd debugfs_wakeup_sources file b/238263568
-dumpstate incident process b/238571420
+dumpstate hal_input_processor_default process b/238143262
 dumpstate incident process b/238570971
 dumpstate incident process b/238571324
+dumpstate incident process b/238571420
+hal_drm_default default_prop file b/232714489
+hal_googlebattery dumpstate fd b/238143381
+incidentd debugfs_wakeup_sources file b/238263568
 su modem_img_file filesystem b/238825802
From 86ef69850bb74f047e2c93794122c180588d18f1 Mon Sep 17 00:00:00 2001
From: Minchan Kim
Date: Wed, 13 Jul 2022 01:00:58 -0700
Subject: [PATCH 654/921] Remove vendor_init.te from tracking_denials

Since last error fixed, remove the vendor_init.te from tracking_denials.

Bug: 190337297
Signed-off-by: Minchan Kim
Change-Id: I5178c864a70748c1dddf8c08baa8d653cd0225d9
---
 tracking_denials/vendor_init.te | 2 --
 1 file changed, 2 deletions(-)
 delete mode 100644 tracking_denials/vendor_init.te

diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
deleted file mode 100644
index d27b8e95..00000000
--- a/tracking_denials/vendor_init.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/190337297
-dontaudit vendor_init vendor_page_pinner_debugfs:file setattr;
From 78011e9f3ad4fda62a32c6d8a18f154a35227b1c Mon Sep 17 00:00:00 2001
From: Tri Vo
Date: Fri, 15 Jul 2022 11:06:41 -0700
Subject: [PATCH 655/921] storageproxyd: Remove setuid/setgid SELinux permissions

Bug: 205904330
Test: boot
Change-Id: Iefecc29752781151679e9f798330a36d14447df9
---
 whitechapel/vendor/google/storageproxyd.te | 1 -
 1 file changed, 1 deletion(-)
diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te
index ada64441..9b0289cc 100644
--- a/whitechapel/vendor/google/storageproxyd.te
+++ b/whitechapel/vendor/google/storageproxyd.te
@@ -11,7 +11,6 @@ allow tee mnt_vendor_file:dir r_dir_perms;
 allow tee tee_data_file:dir create_dir_perms;
 allow tee tee_data_file:lnk_file r_file_perms;
 allow tee sg_device:chr_file rw_file_perms;
-allow tee self:capability { setgid setuid };
 # Allow storageproxyd access to gsi_public_metadata_file
 read_fstab(tee)
From 0f7389240885c9e1597a6d2503a0b9af4dc4a46b Mon Sep 17 00:00:00 2001
From: timmyli
Date: Fri, 15 Jul 2022 18:59:11 +0000
Subject: [PATCH 656/921] Change SElinux so Aswang can be accessed

Need to add aswang here so that it can be accessed.

Bug: 234259081
Test: CTS
Change-Id: I3e701df76af8e803017bdfd04ce67093bf21a658
---
 whitechapel/vendor/google/file_contexts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 80344efc..a43d9084 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -225,6 +225,7 @@
 /dev/lwis-sensor-imx355-front u:object_r:lwis_device:s0
 /dev/lwis-sensor-imx363 u:object_r:lwis_device:s0
 /dev/lwis-sensor-imx386 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx471 u:object_r:lwis_device:s0
 /dev/lwis-sensor-imx586 u:object_r:lwis_device:s0
 /dev/lwis-sensor-imx663 u:object_r:lwis_device:s0
 /dev/lwis-slc u:object_r:lwis_device:s0
From 55d41f1a3e89b1f4d2525d9925e3319ef59e2705 Mon Sep 17 00:00:00 2001
From: Jimmy Shiu
Date: Fri, 24 Jun 2022 09:30:58 +0800
Subject: [PATCH 657/921] Remove dontaudit since read early_wakeup completed

The display file node, early_wakeup, just for trigger the worker for display and it doesn't have meaningful read function. But PowerHAL read all nodes and try to dump their valuesi while triggering bugreport. As the read operation has been completed, so we can remove the clause.

07-02 00:53:56.888 522 522 W android.hardwar: type=1400 audit(0.0:8): avc: denied { dac_read_search } for capability=2 scontext=u:r:hal_power_default:s0 tcontext=u:r:hal_power_default:s0 tclass=capability permissive=0
07-02 00:53:56.888 522 522 W android.hardwar: type=1400 audit(0.0:9): avc: denied { dac_override } for capability=1 scontext=u:r:hal_power_default:s0 tcontext=u:r:hal_power_default:s0 tclass=capability permissive=0

Bug: 221384860
Bug: 192617242
Bug: 171760921
Test: adb shell dumpsys android.hardware.power.IPower/default
Change-Id: If0018499cc19f79819ef69794d7672d5a53de74e
---
 tracking_denials/hal_power_default.te | 3 ---
 1 file changed, 3 deletions(-)
 delete mode 100644 tracking_denials/hal_power_default.te

diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
deleted file mode 100644
index 47f5162e..00000000
--- a/tracking_denials/hal_power_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/192617242
-dontaudit hal_power_default hal_power_default:capability dac_read_search;
-dontaudit hal_power_default hal_power_default:capability dac_override;
From c96220c28241250b18ce5d86e4e40abd4290d64b Mon Sep 17 00:00:00 2001
From: matthuang
Date: Mon, 18 Jul 2022 15:12:45 +0800
Subject: [PATCH 658/921] Add security context for com.google.usf.non_wake_up/wakeup.

Bug: 195077076
Test: Confirm there is no avc denied log.
Change-Id: I8600283d9ff2ebcb45df95e5259484a60921fb1a
---
 whitechapel/vendor/google/genfs_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index d3300e28..50853f0f 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -205,6 +205,7 @@ genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:0
 genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19000000.aoc/com.google.usf.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0
From faec9385c49df9d1a120ec87f585acc1be3fd033 Mon Sep 17 00:00:00 2001
From: Stephane Lee
Date: Fri, 22 Jul 2022 16:55:22 -0700
Subject: [PATCH 659/921] Bug fixed in ag/19153533

Bug: 238143381
Test: N/A
Change-Id: If527ea681abaa221e55533a3dab1371ecac7a3b2
---
 tracking_denials/bug_map | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index b36aa8ee..36e712d0 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -4,6 +4,5 @@ dumpstate incident process b/238570971
 dumpstate incident process b/238571324
 dumpstate incident process b/238571420
 hal_drm_default default_prop file b/232714489
-hal_googlebattery dumpstate fd b/238143381
 incidentd debugfs_wakeup_sources file b/238263568
 su modem_img_file filesystem b/238825802
From 2808c8b2898d2aac94aada024ac8afd57841e29d Mon Sep 17 00:00:00 2001
From: Steven Moreland
Date: Fri, 15 Jul 2022 19:55:13 +0000
Subject: [PATCH 660/921] Remove vendor_service.

We want to avoid associating types with where they can be used.

Bug: 237115222
Test: build
Merged-In: I4766227e2261d0d57be090933926ff3b439694f6
Change-Id: I4766227e2261d0d57be090933926ff3b439694f6
---
 edgetpu/service.te | 4 ++--
 whitechapel/vendor/google/service.te | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/edgetpu/service.te b/edgetpu/service.te
index 46bee033..09fa9cba 100644
--- a/edgetpu/service.te
+++ b/edgetpu/service.te
@@ -1,5 +1,5 @@
 # EdgeTPU binder service type declaration.
 type edgetpu_app_service, service_manager_type;
-type edgetpu_vendor_service, service_manager_type, vendor_service;
-type edgetpu_nnapi_service, app_api_service, service_manager_type, vendor_service;
+type edgetpu_vendor_service, service_manager_type, hal_service_type;
+type edgetpu_nnapi_service, app_api_service, service_manager_type;
diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te
index aa60e3f7..8a6c2b75 100644
--- a/whitechapel/vendor/google/service.te
+++ b/whitechapel/vendor/google/service.te
@@ -1,3 +1,3 @@
-type hal_pixel_display_service, service_manager_type, vendor_service;
-type uwb_vendor_service, service_manager_type, vendor_service;
-type hal_uwb_vendor_service, service_manager_type, vendor_service;
+type hal_pixel_display_service, service_manager_type, hal_service_type;
+type uwb_hal_service_type, service_manager_type, hal_service_type;
+type hal_uwb_hal_service_type, service_manager_type, hal_service_type;
From d1ddd0917ee49aa21bb84c5d71c6247fa436e81d Mon Sep 17 00:00:00 2001
From: Lei Ju
Date: Tue, 26 Jul 2022 13:44:31 -0700
Subject: [PATCH 661/921] Allow chre to use WakeLock on whitechapel.

Test: Manual test to confirm wakelock is acquired.
Bug: 202447392
Change-Id: I40b83fc22fea79613c060d03beb60857b1b6e0de
---
 whitechapel/vendor/google/chre.te | 3 +++
 1 file changed, 3 insertions(+)
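Review bot: In the whitechapel/vendor/google/service.te hunk the attribute swap also rewrote the type names themselves: `uwb_vendor_service` became `uwb_hal_service_type` and `hal_uwb_vendor_service` became `hal_uwb_hal_service_type`. Only the trailing attribute should change; any service_contexts entry or allow rule that still refers to the old names would no longer resolve (those references are outside this hunk). The declarations should read `type uwb_vendor_service, service_manager_type, hal_service_type;` and `type hal_uwb_vendor_service, service_manager_type, hal_service_type;`, which is what PATCH 666 on this page later restores.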
diff --git a/whitechapel/vendor/google/chre.te b/whitechapel/vendor/google/chre.te
index 9dfd9bf6..cdf1b988 100644
--- a/whitechapel/vendor/google/chre.te
+++ b/whitechapel/vendor/google/chre.te
@@ -23,3 +23,6 @@ allow chre hal_wifi_ext_hwservice:hwservice_manager find;
 allow chre fwk_stats_service:service_manager find;
 binder_call(chre, stats_service_server)
+# Allow CHRE to use WakeLock
+wakelock_use(chre)
+
From 81ccf8d7192ebc37d9def36e23f91171d7a7344d Mon Sep 17 00:00:00 2001
From: Steven Moreland
Date: Fri, 15 Jul 2022 19:55:13 +0000
Subject: [PATCH 662/921] Remove vendor_service.

We want to avoid associating types with where they can be used.

Bug: 237115222
Test: build
Change-Id: I4766227e2261d0d57be090933926ff3b439694f6
---
 edgetpu/service.te | 4 ++--
 whitechapel/vendor/google/service.te | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/edgetpu/service.te b/edgetpu/service.te
index 46bee033..09fa9cba 100644
--- a/edgetpu/service.te
+++ b/edgetpu/service.te
@@ -1,5 +1,5 @@
 # EdgeTPU binder service type declaration.
 type edgetpu_app_service, service_manager_type;
-type edgetpu_vendor_service, service_manager_type, vendor_service;
-type edgetpu_nnapi_service, app_api_service, service_manager_type, vendor_service;
+type edgetpu_vendor_service, service_manager_type, hal_service_type;
+type edgetpu_nnapi_service, app_api_service, service_manager_type;
diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te
index 8d5dc1ee..b87c99e1 100644
--- a/whitechapel/vendor/google/service.te
+++ b/whitechapel/vendor/google/service.te
@@ -1,2 +1,2 @@
-type hal_pixel_display_service, service_manager_type, vendor_service;
-type hal_uwb_vendor_service, service_manager_type, vendor_service;
+type hal_pixel_display_service, service_manager_type, hal_service_type;
+type hal_uwb_vendor_service, service_manager_type, hal_service_type;
From 5ea60d634843ca867a47503b0d3fc6ec495b8aa5 Mon Sep 17 00:00:00 2001
From: Roger Liao
Date: Thu, 28 Jul 2022 15:38:04 +0800
Subject: [PATCH 663/921] Fix build break if BOARD_WITHOUT_RADIO

Fix ERROR 'unknown type radio_vendor_data_file'

Bug: 235907512
Change-Id: I55e88c9364b42db262c057a2aa85816944c1c761
---
 telephony/user/file.te | 5 -----
 telephony/user/file_contexts | 2 --
 whitechapel/vendor/google/file.te | 6 ++++++
 whitechapel/vendor/google/file_contexts | 2 ++
 4 files changed, 8 insertions(+), 7 deletions(-)
 delete mode 100644 telephony/user/file.te

diff --git a/telephony/user/file.te b/telephony/user/file.te
deleted file mode 100644
index 05f3c5e2..00000000
--- a/telephony/user/file.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# Radio
-type radio_vendor_data_file, file_type, data_file_type;
-userdebug_or_eng(`
- typeattribute radio_vendor_data_file mlstrustedobject;
-')
diff --git a/telephony/user/file_contexts b/telephony/user/file_contexts
index 1e0c1a44..1aafb7e3 100644
--- a/telephony/user/file_contexts
+++ b/telephony/user/file_contexts
@@ -1,5 +1,3 @@
 # ECC List
 /vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
-# Radio files.
-/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index 0c7a56d8..847499d1 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@@ -212,3 +212,9 @@ type sysfs_trusty, sysfs_type, fs_type;
 # BootControl
 type sysfs_bootctl, sysfs_type, fs_type;
+
+# Radio
+type radio_vendor_data_file, file_type, data_file_type;
+userdebug_or_eng(`
+ typeattribute radio_vendor_data_file mlstrustedobject;
+')
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 80344efc..253e7452 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -434,3 +434,5 @@
 # Raw HID device
 /dev/hidraw[0-9]* u:object_r:hidraw_device:s0
+# Radio files.
+/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
From 479986a02020fa53ed4da504653129be6423ac1c Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 29 Jul 2022 10:18:10 +0800
Subject: [PATCH 664/921] Update SELinux error

Test: checkSensors
Bug: 240632824
Test: checkLockScreen
Bug: 240632824
Test: scanBugreport
Bug: 240632824
Change-Id: I4fee87636dc65765e4ab3e10e0b7080d7b4d44b2
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 36e712d0..f9fbf737 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -4,5 +4,6 @@ dumpstate incident process b/238570971
 dumpstate incident process b/238571324
 dumpstate incident process b/238571420
 hal_drm_default default_prop file b/232714489
+hal_power_default hal_power_default capability b/240632824
 incidentd debugfs_wakeup_sources file b/238263568
 su modem_img_file filesystem b/238825802
From b20e917ebf90ea72c670f73905433a10cf99de61 Mon Sep 17 00:00:00 2001
From: Steven Moreland
Date: Fri, 15 Jul 2022 19:55:13 +0000
Subject: [PATCH 665/921] Remove vendor_service.

We want to avoid associating types with where they can be used.

Bug: 237115222
Test: build
Change-Id: I4766227e2261d0d57be090933926ff3b439694f6
Merged-In: I4766227e2261d0d57be090933926ff3b439694f6
(cherry picked from commit 81ccf8d7192ebc37d9def36e23f91171d7a7344d)
---
 edgetpu/service.te | 4 ++--
 whitechapel/vendor/google/service.te | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/edgetpu/service.te b/edgetpu/service.te
index 46bee033..09fa9cba 100644
--- a/edgetpu/service.te
+++ b/edgetpu/service.te
@@ -1,5 +1,5 @@
 # EdgeTPU binder service type declaration.
 type edgetpu_app_service, service_manager_type;
-type edgetpu_vendor_service, service_manager_type, vendor_service;
-type edgetpu_nnapi_service, app_api_service, service_manager_type, vendor_service;
+type edgetpu_vendor_service, service_manager_type, hal_service_type;
+type edgetpu_nnapi_service, app_api_service, service_manager_type;
diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te
index 8d5dc1ee..b87c99e1 100644
--- a/whitechapel/vendor/google/service.te
+++ b/whitechapel/vendor/google/service.te
@@ -1,2 +1,2 @@
-type hal_pixel_display_service, service_manager_type, vendor_service;
-type hal_uwb_vendor_service, service_manager_type, vendor_service;
+type hal_pixel_display_service, service_manager_type, hal_service_type;
+type hal_uwb_vendor_service, service_manager_type, hal_service_type;
From b577060b2d90a1207b8530fc288c33cf3f7aafe6 Mon Sep 17 00:00:00 2001
From: Steven Moreland
Date: Mon, 1 Aug 2022 18:41:24 +0000
Subject: [PATCH 666/921] Restore HAL type names.

Sed'd. TH not configured on AOSP. This is the change that is applied already internally.

Change-Id: I03be37c9e50280d6fa2cfdd69dca83c0535b2e35
---
 whitechapel/vendor/google/service.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te
index 8a6c2b75..9334d143 100644
--- a/whitechapel/vendor/google/service.te
+++ b/whitechapel/vendor/google/service.te
@@ -1,3 +1,3 @@
 type hal_pixel_display_service, service_manager_type, hal_service_type;
-type uwb_hal_service_type, service_manager_type, hal_service_type;
-type hal_uwb_hal_service_type, service_manager_type, hal_service_type;
+type uwb_vendor_service, service_manager_type, hal_service_type;
+type hal_uwb_vendor_service, service_manager_type, hal_service_type;
From 1673f215452af160fe0bafd9f8632a70eaf3a70b Mon Sep 17 00:00:00 2001
From: Bruce Po
Date: Fri, 29 Jul 2022 23:43:45 +0000
Subject: [PATCH 667/921] Allow aocd to access acd-offload nodes

For 3-ch hotword feature, aocd daemon will access two new file nodes (b/235648212), which will be used for transmitting audio to/from AOC.

BUG: 240744178
Change-Id: Ie0a9403d0dca06befdb807067adb9babc4f28bfc
---
 whitechapel/vendor/google/file_contexts | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 253e7452..da2222b2 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -319,6 +319,8 @@
 /dev/acd-debug u:object_r:aoc_device:s0
 /dev/acd-audio_tap[0-9]* u:object_r:aoc_device:s0
 /dev/acd-audio_dcdoff_ref u:object_r:aoc_device:s0
+/dev/acd-audio_ap_offload_rx u:object_r:aoc_device:s0
+/dev/acd-audio_ap_offload_tx u:object_r:aoc_device:s0
 /dev/amcs u:object_r:amcs_device:s0
 # AudioMetric
From ea1580002f6d9dd184eed78a8612cbd2f488ef67 Mon Sep 17 00:00:00 2001
From: Denny cy Lee
Date: Thu, 28 Jul 2022 09:57:16 +0000
Subject: [PATCH 668/921] HwInfo: Move hardware info sepolicy to pixel common

Bug: 215271971
Test: no sepolicy for hardware info
Signed-off-by: Denny cy Lee
Change-Id: Ia7bfd171fe724848e9a6f0c1adab59402d2788a9
---
 whitechapel/vendor/google/device.te | 3 ---
 whitechapel/vendor/google/file.te | 8 -------
 whitechapel/vendor/google/genfs_contexts | 4 ++++
 .../vendor/google/hardware_info_app.te | 24 -------------------
 whitechapel/vendor/google/seapp_contexts | 3 ---
 5 files changed, 4 insertions(+), 38 deletions(-)
 delete mode 100644 whitechapel/vendor/google/hardware_info_app.te

diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te
index 94ec0bb4..7a70e332 100644
--- a/whitechapel/vendor/google/device.te
+++ b/whitechapel/vendor/google/device.te
@@ -42,9 +42,6 @@ type fingerprint_device, dev_type;
 # AMCS device
 type amcs_device, dev_type;
-# Battery history
-type battery_history_device, dev_type;
-
 # Raw HID device
 type hidraw_device, dev_type;
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index 0c7a56d8..a393a8cd 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@@ -78,7 +78,6 @@ type updated_wifi_firmware_data_file, file_type, data_file_type; type mediadrm_vendor_data_file, file_type, data_file_type; # Storage Health HAL -type sysfs_scsi_devices_0000, sysfs_type, fs_type; type debugfs_f2fs, debugfs_type, fs_type; type proc_f2fs, proc_type, fs_type; @@ -141,9 +140,6 @@ userdebug_or_eng(` type sysfs_gps, sysfs_type, fs_type; type sysfs_gps_assert, sysfs_type, fs_type; -# Display -type sysfs_display, sysfs_type, fs_type; - # Backlight type sysfs_backlight, sysfs_type, fs_type; @@ -160,7 +156,6 @@ type sysfs_bcl, sysfs_type, fs_type; # Chosen type sysfs_chosen, sysfs_type, fs_type; -type sysfs_chip_id, sysfs_type, fs_type; type sysfs_spi, sysfs_type, fs_type; # Battery @@ -186,9 +181,6 @@ type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; type persist_uwb_file, file_type, vendor_persist_type; type uwb_data_vendor, file_type, data_file_type; -# PixelStats_vendor -type sysfs_pixelstats, fs_type, sysfs_type; - # WLC FW type vendor_wlc_fwupdata_file, vendor_file_type, file_type; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 493e5af9..ba9aa72d 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -398,6 +398,10 @@ genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/time_in_state u:object_r:sysfs_cpu:s0 genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/system/chip-id/unique_id u:object_r:sysfs_soc:s0 +genfscon sysfs /devices/soc0/machine u:object_r:sysfs_soc:s0 +genfscon sysfs /devices/soc0/revision u:object_r:sysfs_soc:s0 + # Devfreq directory genfscon sysfs /class/devfreq u:object_r:sysfs_devfreq_dir:s0 
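Review bot: The added `genfscon sysfs /devices/system/chip-id/unique_id u:object_r:sysfs_soc:s0` line in the genfs_contexts hunk gives what is, by its name, a per-device identifier the same label as the generic `soc0/machine` and `soc0/revision` nodes. The same commit deletes the dedicated `sysfs_chip_id` type from file.te, so every domain that may read `sysfs_soc` can now read the unique ID as well. `sysfs_soc` and its readers are defined outside this patch, so confirm that set is limited to the hardware-info collector. If it is not, keep a separate type for `unique_id`, or at least add a comment above the line such as `# unique_id is a stable device identifier; keep sysfs_soc readers restricted`.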
diff --git a/whitechapel/vendor/google/hardware_info_app.te b/whitechapel/vendor/google/hardware_info_app.te deleted file mode 100644 index 80b53377..00000000 --- a/whitechapel/vendor/google/hardware_info_app.te +++ /dev/null @@ -1,24 +0,0 @@ -type hardware_info_app, domain; - -app_domain(hardware_info_app) - -allow hardware_info_app app_api_service:service_manager find; - -# Display -allow hardware_info_app sysfs_display:dir search; -allow hardware_info_app sysfs_display:file r_file_perms; - -# Audio -allow hardware_info_app sysfs_pixelstats:dir search; -allow hardware_info_app sysfs_pixelstats:file r_file_perms; - -# Storage -allow hardware_info_app sysfs_scsi_devices_0000:dir search; -allow hardware_info_app sysfs_scsi_devices_0000:file r_file_perms; - -# Battery -allow hardware_info_app sysfs_batteryinfo:file r_file_perms; -allow hardware_info_app sysfs_batteryinfo:dir search; - -# SoC -allow hardware_info_app sysfs:file r_file_perms; diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index f866e37a..7c016d15 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts @@ -26,9 +26,6 @@ user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_ # HbmSVManager user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all -# Hardware Info Collection -user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user - # Domain for omadm user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all From 286d40c81b428abd0557f518566b721edfb947ea Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Wed, 3 Aug 2022 01:09:57 +0000 Subject: [PATCH 669/921] Update SELinux error Test: checkSensors Bug: 241172337 Test: scanBugreport Bug: 241172490 Test: testAtomicWrite Bug: 241172490 Test: testConfigMaxSectorsKB Bug: 241172490 Test: testDirectWriteNormalReadInEncryptedDir Bug: 241172391 Test: testInvalidWrite Bug: 241172490 Test: testLoopMaxPartDefined Bug: 241172391 Test: testNormalWriteDirectReadInEncryptedDir Bug: 241172490 Test: testPinFile Bug: 241172490 Test: testSmallFileInEncryptedDir Bug: 241172490 Change-Id: Iee5a8e6fff46b62ec0a448b05db64a788b7d08fb --- tracking_denials/bug_map | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index f9fbf737..f925d140 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -6,4 +6,13 @@ dumpstate incident process b/238571420 hal_drm_default default_prop file b/232714489 hal_power_default hal_power_default capability b/240632824 incidentd debugfs_wakeup_sources file b/238263568 +init app_data_file dir b/241172337 +init app_data_file dir b/241172490 +init gsi_data_file file b/241172337 +init gsi_data_file file b/241172391 +init gsi_data_file file b/241172490 +init privapp_data_file dir b/241172337 +init privapp_data_file dir b/241172490 +init system_app_data_file dir b/241172337 +init system_app_data_file dir b/241172490 su modem_img_file filesystem b/238825802 From 0bbfb98cace63579ed685e0a3391d737e39a1a2d Mon Sep 17 00:00:00 2001 From: yixuanjiang Date: Mon, 8 Aug 2022 11:46:53 +0800 Subject: [PATCH 670/921] aoc: add audio property for pixellogger update control Bug: 241059471 Test: local verify Signed-off-by: yixuanjiang Change-Id: I13df2ea88b884756d3a872da545e877ed6b1e033 --- whitechapel/vendor/google/property_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 5eba1f8d..29e35d96 100644 
--- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -61,6 +61,8 @@ vendor.audiodump.log.ondemand u:object_r:vendor_audio_prop:s0 vendor.audiodump.log.config u:object_r:vendor_audio_prop:s0 vendor.audiodump.output.dir u:object_r:vendor_audio_prop:s0 vendor.audiodump.encode.disable u:object_r:vendor_audio_prop:s0 +vendor.audiodump.log.cca.updated u:object_r:vendor_audio_prop:s0 +vendor.audiodump.cca.config u:object_r:vendor_audio_prop:s0 # for display From 7d6c4492615fdb3b719a2e0a4a6735f8ecc63181 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= Date: Mon, 15 Aug 2022 13:45:30 +1000 Subject: [PATCH 671/921] Revert "Update SELinux error" This reverts commit 286d40c81b428abd0557f518566b721edfb947ea. Test: TH Bug: 241172186 Bug: 241172220 Bug: 241172337 Bug: 241172391 Bug: 241172490 Change-Id: Id3453e85aee3ee8e0255d3e53f37ca4488d7c9f9 --- tracking_denials/bug_map | 9 --------- 1 file changed, 9 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index f925d140..f9fbf737 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -6,13 +6,4 @@ dumpstate incident process b/238571420 hal_drm_default default_prop file b/232714489 hal_power_default hal_power_default capability b/240632824 incidentd debugfs_wakeup_sources file b/238263568 -init app_data_file dir b/241172337 -init app_data_file dir b/241172490 -init gsi_data_file file b/241172337 -init gsi_data_file file b/241172391 -init gsi_data_file file b/241172490 -init privapp_data_file dir b/241172337 -init privapp_data_file dir b/241172490 -init system_app_data_file dir b/241172337 -init system_app_data_file dir b/241172490 su modem_img_file filesystem b/238825802 From 7e89415aaf3d31702db9fb87f8233c7d2f99da14 Mon Sep 17 00:00:00 2001 
From: matthuang Date: Mon, 15 Aug 2022 18:46:52 +0800 Subject: [PATCH 672/921] Add acd-com.google.usf.non_wake_up file to AoC file context. Bug: 195077076 Test: ls -lZ dev/acd-com.google.usf.non_wake_up Change-Id: If9add3528bde47a618bd884ce28121b6fa32754c Merged-In: If9add3528bde47a618bd884ce28121b6fa32754c --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 5e50dbf3..1924f906 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -250,6 +250,7 @@ # Sensors /data/vendor/sensor(/.*)? u:object_r:sensor_vendor_data_file:s0 /dev/acd-com.google.usf u:object_r:aoc_device:s0 +/dev/acd-com.google.usf.non_wake_up u:object_r:aoc_device:s0 /dev/acd-logging u:object_r:aoc_device:s0 /dev/aoc u:object_r:aoc_device:s0 From 62ba653669e9a2ad9b17ef140999bd3816d4cbe4 Mon Sep 17 00:00:00 2001 From: matthuang Date: Mon, 15 Aug 2022 18:52:58 +0800 Subject: [PATCH 673/921] Add security context for com.google.usf.non_wake_up/wakeup. Bug: 195077076 Test: Confirm there is no avc denied log. Change-Id: I8600283d9ff2ebcb45df95e5259484a60921fb1a Merged-In: I8600283d9ff2ebcb45df95e5259484a60921fb1a --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index cb84acc2..fb85b7c9 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -139,6 +139,7 @@ genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:0 genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19000000.aoc/com.google.usf.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 From 443da0523acd5530a69794f216eebd90867a36ed Mon Sep 17 00:00:00 2001 From: Wiwit Rifa'i Date: Tue, 16 Aug 2022 13:22:33 +0800 Subject: [PATCH 674/921] Add SE policies for HWC logs Bug: 230361290 Test: adb bugreport Test: adb shell vndservice call Exynos.HWCService 11 i32 0 i32 308 i32 1 Change-Id: I20ec7ee1856a45d271e0e6ebfd7eb74525b96f77 --- whitechapel/vendor/google/file.te | 1 + whitechapel/vendor/google/file_contexts | 1 + whitechapel/vendor/google/hal_dumpstate_default.te | 3 +++ whitechapel/vendor/google/hal_graphics_composer_default.te | 4 ++++ 4 files changed, 9 insertions(+) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index ff41adfe..479732e4 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te 
@@ -7,6 +7,7 @@ type vendor_media_data_file, file_type, data_file_type; type vendor_log_file, file_type, data_file_type; type vendor_cbd_log_file, file_type, data_file_type; type vendor_dmd_log_file, file_type, data_file_type; +type vendor_hwc_log_file, file_type, data_file_type; type vendor_rfsd_log_file, file_type, data_file_type; type vendor_dump_log_file, file_type, data_file_type; type vendor_rild_log_file, file_type, data_file_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index da2222b2..b258cc89 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -154,6 +154,7 @@ /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 /data/vendor/log/cbd(/.*)? u:object_r:vendor_cbd_log_file:s0 /data/vendor/log/dmd(/.*)? u:object_r:vendor_dmd_log_file:s0 +/data/vendor/log/hwc(/.*)? u:object_r:vendor_hwc_log_file:s0 /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 /data/vendor/log/dump(/.*)? u:object_r:vendor_dump_log_file:s0 /data/vendor/log/rild(/.*)? u:object_r:vendor_rild_log_file:s0 diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 01c69b49..6dc4cde0 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -20,6 +20,9 @@ allow hal_dumpstate_default shell_data_file:file getattr; allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms; allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms; +allow hal_dumpstate_default vendor_hwc_log_file:dir r_dir_perms; +allow hal_dumpstate_default vendor_hwc_log_file:file r_file_perms; + allow hal_dumpstate_default vendor_rfsd_log_file:dir r_dir_perms; allow hal_dumpstate_default vendor_rfsd_log_file:file r_file_perms; 
diff --git a/whitechapel/vendor/google/hal_graphics_composer_default.te b/whitechapel/vendor/google/hal_graphics_composer_default.te index 0562aa0e..2cf6140d 100644 --- a/whitechapel/vendor/google/hal_graphics_composer_default.te +++ b/whitechapel/vendor/google/hal_graphics_composer_default.te @@ -4,3 +4,7 @@ allow hal_graphics_composer_default sysfs_display:file rw_file_perms; # allow HWC to access power hal binder_call(hal_graphics_composer_default, hal_power_default); hal_client_domain(hal_graphics_composer_default, hal_power); + +# allow HWC to write log file +allow hal_graphics_composer_default vendor_hwc_log_file:dir rw_dir_perms; +allow hal_graphics_composer_default vendor_hwc_log_file:file create_file_perms; From 0c9ace503c07ffa433beed313b013956f51e9ff8 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 16 Aug 2022 13:58:57 +0800 Subject: [PATCH 675/921] move bcmbt settings to gs-common Bug: 242661555 Test: build pass Change-Id: Ib02f88317c31438871ac84bbe71d359b7186394d --- bluetooth/device.te | 3 --- bluetooth/file_contexts | 6 ------ bluetooth/genfs_contexts | 7 ------- bluetooth/hal_bluetooth_btlinux.te | 22 ---------------------- bluetooth/hwservice.te | 3 --- bluetooth/hwservice_contexts | 6 ------ 6 files changed, 47 deletions(-) delete mode 100644 bluetooth/device.te delete mode 100644 bluetooth/file_contexts delete mode 100644 bluetooth/genfs_contexts delete mode 100644 bluetooth/hal_bluetooth_btlinux.te delete mode 100644 bluetooth/hwservice.te delete mode 100644 bluetooth/hwservice_contexts diff --git a/bluetooth/device.te b/bluetooth/device.te deleted file mode 100644 index a2563322..00000000 --- a/bluetooth/device.te +++ /dev/null @@ -1,3 +0,0 @@ -# Bt Wifi Coexistence device -type wb_coexistence_dev, dev_type; - diff --git a/bluetooth/file_contexts b/bluetooth/file_contexts deleted file mode 100644 index d4681dbd..00000000 --- a/bluetooth/file_contexts +++ /dev/null 
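Review bot: The two rules added to hal_graphics_composer_default.te, `allow hal_graphics_composer_default vendor_hwc_log_file:dir rw_dir_perms;` and `... vendor_hwc_log_file:file create_file_perms;`, are unconditional. The composer HAL can therefore create and write files under `/data/vendor/log/hwc` on user builds too, and the hal_dumpstate_default.te hunk of this commit lets those files be read into bugreports. A later patch in this series (676) places the comparable sensor debug-file rules inside `userdebug_or_eng`. If the HWC logs are only a debugging aid, wrap both rules the same way. If they are needed on user builds, extend the existing `# allow HWC to write log file` comment to say so and to state what the logs contain, since nothing visible here limits their content or size.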
@@ -1,6 +0,0 @@ -# Bluetooth -/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service\.bcmbtlinux u:object_r:hal_bluetooth_btlinux_exec:s0 - -/dev/wbrc u:object_r:wb_coexistence_dev:s0 -/dev/ttySAC16 u:object_r:hci_attach_dev:s0 - diff --git a/bluetooth/genfs_contexts b/bluetooth/genfs_contexts deleted file mode 100644 index 607e1462..00000000 --- a/bluetooth/genfs_contexts +++ /dev/null @@ -1,7 +0,0 @@ -genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 -genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0 -genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0 -genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0 -genfscon proc /bluetooth/sleep/btwake u:object_r:proc_bluetooth_writable:s0 -genfscon proc /bluetooth/timesync u:object_r:proc_bluetooth_writable:s0 - diff --git a/bluetooth/hal_bluetooth_btlinux.te b/bluetooth/hal_bluetooth_btlinux.te deleted file mode 100644 index f348099e..00000000 --- a/bluetooth/hal_bluetooth_btlinux.te +++ /dev/null 
@@ -1,22 +0,0 @@ -add_hwservice(hal_bluetooth_btlinux, hal_bluetooth_coexistence_hwservice); -get_prop(hal_bluetooth_btlinux, boot_status_prop) - -allow hal_bluetooth_btlinux sysfs_bluetooth_writable:file rw_file_perms; -allow hal_bluetooth_btlinux proc_bluetooth_writable:file rw_file_perms; -allow hal_bluetooth_btlinux hci_attach_dev:chr_file rw_file_perms; -allow hal_bluetooth_btlinux wb_coexistence_dev:chr_file rw_file_perms; -binder_call(hal_bluetooth_btlinux, servicemanager) - -# power stats -vndbinder_use(hal_bluetooth_btlinux) -allow hal_bluetooth_btlinux hal_power_stats_vendor_service:service_manager find; -binder_call(hal_bluetooth_btlinux, hal_power_stats_default) - -allow hal_bluetooth_btlinux sscoredump_vendor_data_crashinfo_file:dir create_dir_perms; -allow hal_bluetooth_btlinux sscoredump_vendor_data_crashinfo_file:file create_file_perms; - -userdebug_or_eng(` - allow hal_bluetooth_btlinux sscoredump_vendor_data_coredump_file:dir create_dir_perms; - allow hal_bluetooth_btlinux sscoredump_vendor_data_coredump_file:file create_file_perms; - allow hal_bluetooth_btlinux logbuffer_device:chr_file r_file_perms; -') diff --git a/bluetooth/hwservice.te b/bluetooth/hwservice.te deleted file mode 100644 index 5e36cd0c..00000000 --- a/bluetooth/hwservice.te +++ /dev/null @@ -1,3 +0,0 @@ -# Bluetooth HAL extension -type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type; - diff --git a/bluetooth/hwservice_contexts b/bluetooth/hwservice_contexts deleted file mode 100644 index 8480b4e1..00000000 --- a/bluetooth/hwservice_contexts +++ /dev/null 
@@ -1,6 +0,0 @@ -# Bluetooth HAL extension -hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0 -hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0 -hardware.google.bluetooth.ccc::IBluetoothCcc u:object_r:hal_bluetooth_coexistence_hwservice:s0 -hardware.google.bluetooth.ewp::IBluetoothEwp u:object_r:hal_bluetooth_coexistence_hwservice:s0 -hardware.google.bluetooth.ext::IBluetoothExt u:object_r:hal_bluetooth_coexistence_hwservice:s0 From 4b4afb2eeae1e26a20b8346811fd5c8904f85b42 Mon Sep 17 00:00:00 2001 From: Robb Glasser Date: Thu, 18 Aug 2022 16:54:46 -0700 Subject: [PATCH 676/921] Give permissions to save usf stats and dump them in bugreports. Creating a mechanism to save some USF stat history to device and pipe it to bugreports. Granting permissions so that this can work. Bug: 242320914 Test: Stats save and are visible in a bugreport. Change-Id: Ia1973800ed053f54da043d306e11c0a7b10132a7 --- usf/file.te | 4 ++++ usf/file_contexts | 2 ++ usf/sensor_hal.te | 6 ++++++ whitechapel/vendor/google/hal_dumpstate_default.te | 4 ++++ 4 files changed, 16 insertions(+) diff --git a/usf/file.te b/usf/file.te index e264c277..8f49e32b 100644 --- a/usf/file.te +++ b/usf/file.te @@ -10,3 +10,7 @@ type persist_sensor_reg_file, file_type, vendor_persist_type; # end with "data_file". type sensor_reg_data_file, file_type, data_file_type; +# Declare the sensor debug data file type. By convention, data file types +# end with "data_file". +type sensor_debug_data_file, file_type, data_file_type; + diff --git a/usf/file_contexts b/usf/file_contexts index ff3d41d3..3c7833b1 100644 --- a/usf/file_contexts +++ b/usf/file_contexts @@ -8,3 +8,5 @@ # Sensor registry data files. /data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0 +# Sensor debug data files. +/data/vendor/sensors/debug(/.*)? u:object_r:sensor_debug_data_file:s0 
diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index bda44c9f..491d6403 100644 --- a/usf/sensor_hal.te +++ b/usf/sensor_hal.te @@ -12,6 +12,12 @@ r_dir_file(hal_sensors_default, persist_camera_file) allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms; allow hal_sensors_default sensor_reg_data_file:file create_file_perms; +userdebug_or_eng(` + # Allow creation and writing of sensor debug data files. + allow hal_sensors_default sensor_debug_data_file:dir rw_dir_perms; + allow hal_sensors_default sensor_debug_data_file:file create_file_perms; +') + # Allow access to the AoC communication driver. allow hal_sensors_default aoc_device:chr_file rw_file_perms; diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 01c69b49..28137c77 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -35,6 +35,10 @@ allow hal_dumpstate_default vendor_log_file:dir search; allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans; allow hal_dumpstate_default vendor_usf_reg_edit:file execute_no_trans; allow hal_dumpstate_default vendor_dumpsys:file execute_no_trans; +userdebug_or_eng(` + allow hal_dumpstate_default sensor_debug_data_file:dir r_dir_perms; + allow hal_dumpstate_default sensor_debug_data_file:file r_file_perms; +') allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:file r_file_perms; From a5cbf912ce97899a0e2c4427f14848fd6d7119c2 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Tue, 30 Aug 2022 11:47:01 +0800 Subject: [PATCH 677/921] Move dauntless settings to gs-common Bug: 242479757 Test: build pass on all Gchip devices Change-Id: I9751e59b751f867d4cf734ffe7497a2e22c0c6f9 --- gs101-sepolicy.mk | 3 --- whitechapel/vendor/google/file_contexts | 3 --- whitechapel/vendor/google/hal_dumpstate_default.te | 4 ---- 3 files changed, 10 deletions(-) diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk index d33fcd4e..b9bb717f 100644 --- a/gs101-sepolicy.mk +++ b/gs101-sepolicy.mk @@ -20,9 +20,6 @@ SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs101-sepolicy/system_ext/priv # # Pixel-wide # -# Dauntless (uses Citadel policy currently) -BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/citadel - # PowerStats HAL BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index da2222b2..efdfd825 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -358,9 +358,6 @@ # RILD files /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 -# Citadel StrongBox -/dev/gsc0 u:object_r:citadel_device:s0 - # Tetheroffload Service /dev/dit2 u:object_r:vendor_toe_device:s0 /vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.[0-9]-service u:object_r:hal_tetheroffload_default_exec:s0 diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 28137c77..ad36bd10 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te 
@@ -92,10 +92,6 @@ allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans; allow hal_dumpstate_default sysfs_scsi_devices_0000:dir r_dir_perms; allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms; -allow hal_dumpstate_default citadeld_service:service_manager find; -allow hal_dumpstate_default citadel_updater_exec:file execute_no_trans; -binder_call(hal_dumpstate_default, citadeld); - allow hal_dumpstate_default vendor_displaycolor_service:service_manager find; binder_call(hal_dumpstate_default, hal_graphics_composer_default); allow hal_dumpstate_default sysfs_display:dir r_dir_perms; From a8eab1aaaf14e031ef2e02f1ea30eab93a6ba119 Mon Sep 17 00:00:00 2001 From: Roger Fang Date: Tue, 23 Aug 2022 16:58:55 +0800 Subject: [PATCH 678/921] sepolicy: add permission for AMS rate of pixelstats-vend I pixelstats-vend: type=1400 audit(0.0:1025): avc: denied { read } for name="ams_rate_read_once" dev="sysfs" ino=79714 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 I pixelstats-vend: type=1400 audit(0.0:1026): avc: denied { open } for path="/sys/devices/platform/audiometrics/ams_rate_read_once" dev="sysfs" ino=79714 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 pixelstats-vend: type=1400 audit(0.0:1027): avc: denied { getattr } for path="/sys/devices/platform/audiometrics/ams_rate_read_once" dev="sysfs" ino=79714 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 Bug: 239508478 Test: Manually test passed Signed-off-by: Roger Fang Change-Id: I5c47003bed664f2cd9b6fe3630a6445aca27d10d --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 50853f0f..bf33ed56 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -486,6 +486,7 @@ genfscon sysfs /devices/platform/audiometrics/speaker_temp u:object_ genfscon sysfs /devices/platform/audiometrics/mic_broken_degrade u:object_r:sysfs_pixelstats:s0 genfscon sysfs /devices/platform/audiometrics/codec_crashed_counter u:object_r:sysfs_pixelstats:s0 genfscon sysfs /devices/platform/audiometrics/hwinfo_part_number u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/audiometrics/ams_rate_read_once u:object_r:sysfs_pixelstats:s0 # SJTAG genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0 From 5742be1014f3cb37b462495ccae45506d6f64de7 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 5 Sep 2022 11:38:18 +0800 Subject: [PATCH 679/921] move insmod script to gs-common Bug: 243763292 Test: boot to home Change-Id: If676806d806adcd7f1fcecc1199255788e8858ef --- whitechapel/vendor/google/file_contexts | 3 ++- whitechapel/vendor/google/init-display-sh.te | 10 ++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 whitechapel/vendor/google/init-display-sh.te diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 119b1253..049df568 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -280,7 +280,8 @@ /mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0 # Kernel modules related -/vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0 +/vendor/bin/insmod\.sh u:object_r:init-insmod-sh_exec:s0 +/vendor/bin/init\.display\.sh u:object_r:init-display-sh_exec:s0 # USB /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 diff --git a/whitechapel/vendor/google/init-display-sh.te b/whitechapel/vendor/google/init-display-sh.te new file mode 100644 index 00000000..54ff7d6e --- /dev/null +++ b/whitechapel/vendor/google/init-display-sh.te 
@@ -0,0 +1,10 @@ +type init-display-sh, domain; +type init-display-sh_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(init-display-sh) + +allow init-display-sh self:capability sys_module; +allow init-display-sh vendor_kernel_modules:system module_load; +allow init-display-sh vendor_toolbox_exec:file execute_no_trans; + +dontaudit init-display-sh proc_cmdline:file r_file_perms; + From c08f9cf882c799b1f72cae07c63609be6953ab0c Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 6 Sep 2022 10:40:01 +0800 Subject: [PATCH 680/921] move insert module script sepolicy to gs-common Bug: 243763292 Test: boot to home with no relevant SELinux error Change-Id: I52fe6631b3ec806a5624375457874d9248927b00 --- whitechapel/vendor/google/file_contexts | 4 ---- whitechapel/vendor/google/init-insmod-sh.te | 20 -------------------- whitechapel/vendor/google/insmod-sh.te | 11 +++++++++++ whitechapel/vendor/google/property.te | 1 - whitechapel/vendor/google/property_contexts | 6 ------ 5 files changed, 11 insertions(+), 31 deletions(-) delete mode 100644 whitechapel/vendor/google/init-insmod-sh.te create mode 100644 whitechapel/vendor/google/insmod-sh.te diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 049df568..5e2efdda 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -280,7 +280,6 @@ /mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0 # Kernel modules related -/vendor/bin/insmod\.sh u:object_r:init-insmod-sh_exec:s0 /vendor/bin/init\.display\.sh u:object_r:init-display-sh_exec:s0 # USB @@ -367,9 +366,6 @@ # battery history /dev/battery_history u:object_r:battery_history_device:s0 -# Vendor_kernel_modules -/vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 - # Display /vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 
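Review bot: The new init-display-sh.te gives the domain `self:capability sys_module` without any comment on what the script loads or why it needs its own domain. Restricting `module_load` to `vendor_kernel_modules` is the right bound, but a reader auditing who holds CAP_SYS_MODULE has nothing to go on. I would add a header such as `# init.display.sh loads display kernel modules early in boot; needs sys_module, limited to vendor_kernel_modules` (wording to be confirmed by the author). The `dontaudit init-display-sh proc_cmdline:file r_file_perms;` line needs a one-line reason as well, because it silences a denial that would otherwise show up in audit logs.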
diff --git a/whitechapel/vendor/google/init-insmod-sh.te b/whitechapel/vendor/google/init-insmod-sh.te deleted file mode 100644 index d345e193..00000000 --- a/whitechapel/vendor/google/init-insmod-sh.te +++ /dev/null @@ -1,20 +0,0 @@ -type init-insmod-sh, domain; -type init-insmod-sh_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(init-insmod-sh) - -allow init-insmod-sh self:capability sys_module; -allow init-insmod-sh sysfs_leds:dir r_dir_perms; -allow init-insmod-sh vendor_kernel_modules:system module_load; -allow init-insmod-sh vendor_toolbox_exec:file execute_no_trans; - -allow init-insmod-sh self:capability sys_nice; -allow init-insmod-sh kernel:process setsched; - -set_prop(init-insmod-sh, vendor_device_prop) - -userdebug_or_eng(` - allow init-insmod-sh vendor_regmap_debugfs:dir search; -') - -dontaudit init-insmod-sh proc_cmdline:file r_file_perms; -dontaudit init-insmod-sh self:key write; diff --git a/whitechapel/vendor/google/insmod-sh.te b/whitechapel/vendor/google/insmod-sh.te new file mode 100644 index 00000000..3c430ffb --- /dev/null +++ b/whitechapel/vendor/google/insmod-sh.te @@ -0,0 +1,11 @@ +allow insmod-sh sysfs_leds:dir r_dir_perms; + +allow insmod-sh self:capability sys_nice; +allow insmod-sh kernel:process setsched; + +userdebug_or_eng(` + allow insmod-sh vendor_regmap_debugfs:dir search; +') + +dontaudit insmod-sh proc_cmdline:file r_file_perms; +dontaudit insmod-sh self:key write; diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 31ee4b8f..cac5e483 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -4,7 +4,6 @@ vendor_internal_prop(vendor_rcs_prop) vendor_internal_prop(vendor_rild_prop) vendor_internal_prop(sensors_prop) vendor_internal_prop(vendor_ssrdump_prop) -vendor_internal_prop(vendor_device_prop) vendor_internal_prop(vendor_usb_config_prop) vendor_internal_prop(vendor_secure_element_prop) vendor_internal_prop(vendor_cbd_prop) 
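Review bot: The new insmod-sh.te adds rules for `insmod-sh` but does not declare the type, so the file depends on a declaration elsewhere (the commit message points to gs-common), and nothing in the file says so. The rules `allow insmod-sh self:capability sys_nice;` and `allow insmod-sh kernel:process setsched;` let the module-loading script change the scheduling of kernel threads. `dontaudit insmod-sh self:key write;` suppresses a denial. All three are carried over from the deleted init-insmod-sh.te without explanation. I would add a header like `# insmod-sh is declared in gs-common; rules below are gs101-only additions` and a short reason above the `setsched` and `dontaudit` lines.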
diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 5eba1f8d..e5a1d673 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -15,12 +15,6 @@ persist.vendor.sys.crash_rcu u:object_r:vendor_ramdump_prop:s0 vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0 persist.vendor.sys.ssr. u:object_r:vendor_ssrdump_prop:s0 -# Kernel modules related -vendor.common.modules.ready u:object_r:vendor_device_prop:s0 -vendor.device.modules.ready u:object_r:vendor_device_prop:s0 -vendor.all.modules.ready u:object_r:vendor_device_prop:s0 -vendor.all.devices.ready u:object_r:vendor_device_prop:s0 - # for codec2 vendor.debug.c2.level u:object_r:vendor_codec2_debug_prop:s0 vendor.debug.c2.dump u:object_r:vendor_codec2_debug_prop:s0 From f07279785dc9bcd377a3457092bf6e171f319e88 Mon Sep 17 00:00:00 2001 From: JJ Lee Date: Thu, 25 Aug 2022 11:52:28 +0800 Subject: [PATCH 681/921] sepolicy: add nodes for aoc memory votes stats Bug: 223674292 Test: build pass, not blocking bugreport Change-Id: I4732c8b3271f553edc423ac115eb8a6afaebff37 Signed-off-by: JJ Lee --- whitechapel/vendor/google/genfs_contexts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index bf33ed56..1f745777 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -14,7 +14,8 @@ genfscon sysfs /devices/platform/19000000.aoc/control/audio_wakeup u:ob genfscon sysfs /devices/platform/19000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0 # WiFi genfscon sysfs /wifi u:object_r:sysfs_wifi:s0 From 7b5ed95fddad01d79b7e7ea734d8361b0b3dd437 Mon Sep 17 00:00:00 2001 From: Estefany Torres Date: Fri, 9 Sep 2022 17:29:18 +0000 Subject: [PATCH 682/921] Add rules for letting logger app send the command to ril 08-31 23:40:57.354 458 458 E SELinux : avc: denied { find } for interface=vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal sid=u:r:logger_app:s0:c252,c256,c512,c768 pid=2901 scontext=u:r:logger_app:s0:c252,c256,c512,c768 tcontext=u:object_r:hal_exynos_rild_hwservice:s0 tclass=hwservice_manager permissive=0 09-01 00:08:19.600 2881 2881 W oid.pixellogger: type=1400 audit(0.0:10): avc: denied { call } for scontext=u:r:logger_app:s0:c252,c256,c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=0 app=com.android.pixellogger Bug: 241412942 Test: tested in C10 with pixel logger change Change-Id: Idcd693790d654d0a9b7aba46a41764d65867a61c --- whitechapel/vendor/google/logger_app.te | 4 ++++ whitechapel/vendor/google/rild.te | 1 + 2 files changed, 5 insertions(+) diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te index be15d0e6..14196600 100644 --- a/whitechapel/vendor/google/logger_app.te +++ b/whitechapel/vendor/google/logger_app.te 
@@ -5,6 +5,10 @@ userdebug_or_eng(` allow logger_app vendor_gps_file:file create_file_perms; allow logger_app vendor_gps_file:dir create_dir_perms; allow logger_app sysfs_sscoredump_level:file r_file_perms; + allow logger_app hal_exynos_rild_hwservice:hwservice_manager find; + + binder_call(logger_app, rild) + r_dir_file(logger_app, ramdump_vendor_data_file) r_dir_file(logger_app, sscoredump_vendor_data_coredump_file) r_dir_file(logger_app, sscoredump_vendor_data_crashinfo_file) diff --git a/whitechapel/vendor/google/rild.te b/whitechapel/vendor/google/rild.te index 5fc2159c..78b14e51 100644 --- a/whitechapel/vendor/google/rild.te +++ b/whitechapel/vendor/google/rild.te @@ -26,6 +26,7 @@ binder_call(rild, modem_svc_sit) binder_call(rild, vendor_ims_app) binder_call(rild, vendor_rcs_app) binder_call(rild, oemrilservice_app) +binder_call(rild, logger_app) # for hal service add_hwservice(rild, hal_exynos_rild_hwservice) From 09e0e1b28039ccd105ff32aa9d735a99babb9ee7 Mon Sep 17 00:00:00 2001 From: Hana Kim Date: Thu, 12 May 2022 15:27:45 +0900 Subject: [PATCH 683/921] Sepolicy: add permission to allow create, connect udp socket Bug: 226412527 Test: Build Signed-off-by: Hana Kim Change-Id: Id9ba79ba87010326c53b6aec408e5cdb291122a6 --- whitechapel/vendor/google/vendor_ims_app.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/vendor_ims_app.te b/whitechapel/vendor/google/vendor_ims_app.te index 8d655747..b990b759 100644 --- a/whitechapel/vendor/google/vendor_ims_app.te +++ b/whitechapel/vendor/google/vendor_ims_app.te @@ -11,6 +11,8 @@ allow vendor_ims_app mediaserver_service:service_manager find; allow vendor_ims_app cameraserver_service:service_manager find; allow vendor_ims_app mediametrics_service:service_manager find; +allow vendor_ims_app self:udp_socket { create_socket_perms_no_ioctl }; + binder_call(vendor_ims_app, rild) set_prop(vendor_ims_app, vendor_rild_prop) set_prop(vendor_ims_app, radio_prop) 
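Review bot: In rild.te, `binder_call(rild, logger_app)` is added at top level, while the matching logger_app.te rules sit inside `userdebug_or_eng(` (per that hunk's header). User builds would therefore still carry the rild-to-logger_app binder permission without its debug-only counterpart. If the Pixel Logger path is only meant for debug builds, gate the rild side the same way: ``userdebug_or_eng(`binder_call(rild, logger_app)')``. The enclosing context of both hunks starts outside the visible lines, so confirm that the rild.te line really is unconditional.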
From 653e53d11dafc992df6ed020a5d9987b54407ff7 Mon Sep 17 00:00:00 2001
From: Jinhee Kim
Date: Fri, 9 Sep 2022 10:15:55 +0900
Subject: [PATCH 684/921] sepolicy: gs101: allowed permissions required for network access avc: denied { write } for comm="Thread-102" name="dnsproxyd" dev="tmpfs" ino=1022 scontext=u:r:vendor_ims_app:s0:c251,c256,c512,c768 tcontext=u:object_r:dnsproxyd_socket:s0 tclass=sock_file permissive=0 app=com.shannon.imsservice avc: denied { node_bind } for comm="Thread-102" src=50174 scontext=u:r:vendor_ims_app:s0:c251,c256,c512,c768 tcontext=u:object_r:node:s0 tclass=udp_socket permissive=0 app=com.shannon.imsservice
Bug: 242231557
Test: Build
Change-Id: Icc3762cef7f9766d845f1e1a56af1315fc97163b
Signed-off-by: Jinhee Kim
Signed-off-by: Kukjin Kim
---
 whitechapel/vendor/google/vendor_ims_app.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel/vendor/google/vendor_ims_app.te b/whitechapel/vendor/google/vendor_ims_app.te
index b990b759..140d9c25 100644
--- a/whitechapel/vendor/google/vendor_ims_app.te
+++ b/whitechapel/vendor/google/vendor_ims_app.te
@@ -1,5 +1,6 @@
 type vendor_ims_app, domain;
 app_domain(vendor_ims_app)
+net_domain(vendor_ims_app)
 allow vendor_ims_app app_api_service:service_manager find;
 allow vendor_ims_app audioserver_service:service_manager find;
From 908a8fcf14ba578aa3fecbaa421615083e5dc31c Mon Sep 17 00:00:00 2001
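Review bot: `net_domain(vendor_ims_app)` in vendor_ims_app.te grants far more than the two denials quoted in the commit message, which are a write to the dnsproxyd socket and a UDP `node_bind`. In AOSP policy the macro puts the domain in the generic network attribute, which also covers TCP sockets and connections to arbitrary ports. Either grant only the pieces the denials show, or record the reason above the macro, e.g. `# net_domain: IMS needs DNS lookups and bound UDP sockets (b/242231557)`. The macro presumably also makes the explicit `self:udp_socket` rule from the neighbouring udp-socket patch redundant. The same hunk is repeated in PATCH 685/921.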
From: Jinhee Kim
Date: Fri, 9 Sep 2022 10:15:55 +0900
Subject: [PATCH 685/921] sepolicy: gs101: allowed permissions required for network access avc: denied { write } for comm="Thread-102" name="dnsproxyd" dev="tmpfs" ino=1022 scontext=u:r:vendor_ims_app:s0:c251,c256,c512,c768 tcontext=u:object_r:dnsproxyd_socket:s0 tclass=sock_file permissive=0 app=com.shannon.imsservice avc: denied { node_bind } for comm="Thread-102" src=50174 scontext=u:r:vendor_ims_app:s0:c251,c256,c512,c768 tcontext=u:object_r:node:s0 tclass=udp_socket permissive=0 app=com.shannon.imsservice
Bug: 242231557
Test: The tester verified IMS didn't crash and no avc denied log
Change-Id: Icc3762cef7f9766d845f1e1a56af1315fc97163b
Signed-off-by: Jinhee Kim
Signed-off-by: Kukjin Kim
Merged-In: Icc3762cef7f9766d845f1e1a56af1315fc97163b
---
 whitechapel/vendor/google/vendor_ims_app.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel/vendor/google/vendor_ims_app.te b/whitechapel/vendor/google/vendor_ims_app.te
index 8d655747..0b87783a 100644
--- a/whitechapel/vendor/google/vendor_ims_app.te
+++ b/whitechapel/vendor/google/vendor_ims_app.te
@@ -1,5 +1,6 @@
 type vendor_ims_app, domain;
 app_domain(vendor_ims_app)
+net_domain(vendor_ims_app)
 allow vendor_ims_app app_api_service:service_manager find;
 allow vendor_ims_app audioserver_service:service_manager find;
From 060b56231029ab628e5d33ecfae5f67af8a5b74c Mon Sep 17 00:00:00 2001
From: Hana Kim
Date: Thu, 12 May 2022 15:27:45 +0900
Subject: [PATCH 686/921] Sepolicy: add permission to allow create, connect udp socket
Bug: 226412527
Test: The tester verified IMS didn't crash and no avc denied log
Signed-off-by: Hana Kim
Change-Id: Id9ba79ba87010326c53b6aec408e5cdb291122a6
Merged-In: Id9ba79ba87010326c53b6aec408e5cdb291122a6
---
 whitechapel/vendor/google/vendor_ims_app.te | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/whitechapel/vendor/google/vendor_ims_app.te b/whitechapel/vendor/google/vendor_ims_app.te
index 0b87783a..140d9c25 100644
--- a/whitechapel/vendor/google/vendor_ims_app.te +++ b/whitechapel/vendor/google/vendor_ims_app.te @@ -12,6 +12,8 @@ allow vendor_ims_app mediaserver_service:service_manager find; allow vendor_ims_app cameraserver_service:service_manager find; allow vendor_ims_app mediametrics_service:service_manager find; +allow vendor_ims_app self:udp_socket { create_socket_perms_no_ioctl }; + binder_call(vendor_ims_app, rild) set_prop(vendor_ims_app, vendor_rild_prop) set_prop(vendor_ims_app, radio_prop) From 9a4545eafafa4b45c24e6d78796028b981354aba Mon Sep 17 00:00:00 2001 From: jintinglin Date: Mon, 19 Sep 2022 13:10:30 +0800 Subject: [PATCH 687/921] Allows modem_svc to read the logging related properties avc: denied { read } for comm="modem_svc_sit" name="u:object_r:vendor_logger_prop:s0" dev="tmpfs" ino=347 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:vendor_logger_prop:s0 tclass=file permissive=0 Bug: 243039758 Change-Id: I80a6971a2c3e09320e780d1eff24e040cd8b3541 --- whitechapel/vendor/google/modem_svc_sit.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/modem_svc_sit.te b/whitechapel/vendor/google/modem_svc_sit.te index eeba9976..fad6cca5 100644 --- a/whitechapel/vendor/google/modem_svc_sit.te +++ b/whitechapel/vendor/google/modem_svc_sit.te @@ -26,3 +26,6 @@ get_prop(modem_svc_sit, vendor_rild_prop) # hwservice permission allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find; get_prop(modem_svc_sit, hwservicemanager_prop) + +# logging property +get_prop(modem_svc_sit, vendor_logger_prop) From 3cd938479948f4a202d1b9dfcb0516d092d7aa3f Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Tue, 27 Sep 2022 17:03:38 +0800 Subject: [PATCH 688/921] dump f2fs in gs-common Bug: 248143736 Test: adb bugreport Change-Id: I902030f7960b2247e9b8e913e78d447741423efb --- whitechapel/vendor/google/file.te | 1 - whitechapel/vendor/google/genfs_contexts | 1 - whitechapel/vendor/google/hal_dumpstate_default.te | 3 --- 3 files changed, 5 deletions(-) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 479732e4..baf55b15 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -79,7 +79,6 @@ type updated_wifi_firmware_data_file, file_type, data_file_type; type mediadrm_vendor_data_file, file_type, data_file_type; # Storage Health HAL -type debugfs_f2fs, debugfs_type, fs_type; type proc_f2fs, proc_type, fs_type; type bootdevice_sysdev, dev_type; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 5e7cd508..2c59fc03 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -62,7 +62,6 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0057/chg_stats genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0057/chg_stats u:object_r:sysfs_pca:s0 # Storage -genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0 genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0 genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0 genfscon sysfs /devices/platform/14700000.ufs/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0 diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index ab010490..9ac16fe6 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te 
@@ -110,7 +110,6 @@ userdebug_or_eng(` allow hal_dumpstate_default ramdump_vendor_mnt_file:file r_file_perms; ') -get_prop(hal_dumpstate_default, boottime_public_prop) get_prop(hal_dumpstate_default, vendor_gps_prop) set_prop(hal_dumpstate_default, vendor_modem_prop) get_prop(hal_dumpstate_default, vendor_rild_prop) @@ -157,8 +156,6 @@ userdebug_or_eng(` allow hal_dumpstate_default sysfs_bcl:lnk_file read; allow hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms; allow hal_dumpstate_default tcpdump_vendor_data_file:file create_file_perms; - allow hal_dumpstate_default debugfs_f2fs:dir r_dir_perms; - allow hal_dumpstate_default debugfs_f2fs:file r_file_perms; set_prop(hal_dumpstate_default, vendor_tcpdump_log_prop) ') From d19e0dded9ffb34b9d8e58923d749ddf888f7986 Mon Sep 17 00:00:00 2001 From: Xusong Wang Date: Fri, 13 May 2022 16:02:06 -0700 Subject: [PATCH 689/921] Configure Edge TPU DBA HAL sepolicy. Bug: 245792277 Test: edgetpu_dba_hal_test Change-Id: I567961327e00b728b1d188e07b6ae3f10f42d847 --- edgetpu/edgetpu_dba_service.te | 38 ++++++++++++++++++++++++++++++++++ edgetpu/file_contexts | 5 +++++ edgetpu/priv_app.te | 3 +++ edgetpu/service.te | 1 + edgetpu/service_contexts | 2 ++ 5 files changed, 49 insertions(+) create mode 100644 edgetpu/edgetpu_dba_service.te diff --git a/edgetpu/edgetpu_dba_service.te b/edgetpu/edgetpu_dba_service.te new file mode 100644 index 00000000..2e8f908a --- /dev/null +++ b/edgetpu/edgetpu_dba_service.te 
@@ -0,0 +1,38 @@
+# EdgeTPU DBA service.
+type edgetpu_dba_server, domain;
+type edgetpu_dba_server_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(edgetpu_dba_server)
+
+# The vendor service will use binder calls.
+binder_use(edgetpu_dba_server);
+
+# The vendor service will serve a binder service.
+binder_service(edgetpu_dba_server);
+
+# EdgeTPU DBA service to register the service to service_manager.
+add_service(edgetpu_dba_server, edgetpu_dba_service);
+
+# Allow EdgeTPU DBA service to look for TPU instance in /dev/edgetpu or /dev/edgetpu-soc.
+allow edgetpu_dba_server edgetpu_device:chr_file rw_file_perms;
+
+# Allow EdgeTPU DBA service to request power hints from the Power Service.
+hal_client_domain(edgetpu_dba_server, hal_power)
+
+# Allow EdgeTPU DBA service to access hardware buffers and ION memory.
+allow edgetpu_dba_server hal_allocator:fd use;
+allow edgetpu_dba_server hal_graphics_mapper_hwservice:hwservice_manager find;
+allow edgetpu_dba_server hal_graphics_allocator:fd use;
+allow edgetpu_dba_server gpu_device:chr_file rw_file_perms;
+allow edgetpu_dba_server gpu_device:dir r_dir_perms;
+allow edgetpu_dba_server ion_device:chr_file r_file_perms;
+
+# Allow EdgeTPU DBA service to read the overcommit_memory info.
+allow edgetpu_dba_server proc_overcommit_memory:file r_file_perms;
+
+# Allow EdgeTPU DBA service to read the kernel version.
+# This is done inside the InitGoogle.
+allow edgetpu_dba_server proc_version:file r_file_perms;
+
+# Allow EdgeTPU DBA service to send trace packets to Perfetto with SELinux enabled
+# under userdebug builds.
+userdebug_or_eng(`perfetto_producer(edgetpu_dba_server)')
diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts
index 04f8491f..bfd5f608 100644
--- a/edgetpu/file_contexts
+++ b/edgetpu/file_contexts
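Review bot: In the new edgetpu_dba_service.te, the comment above the `edgetpu_device` rule says the service only needs to "look for" a TPU instance, but the rule grants `rw_file_perms` on the device node, which covers open, read, write and ioctl. The comment should describe what is granted, e.g. `# Allow EdgeTPU DBA service to open and drive the TPU device node.` The buffer block likewise grants `gpu_device:chr_file rw_file_perms` without saying why a TPU service needs write access to the GPU node. As a style point, `binder_use`, `binder_service` and `add_service` end with `;` while `init_daemon_domain` and `hal_client_domain` in the same file do not; drop the semicolons for consistency.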
@@ -25,3 +25,8 @@ # EdgeTPU metrics logging service. /vendor/lib64/libmetrics_logger\.so u:object_r:same_process_hal_file:s0 + +# EdgeTPU DBA service +/vendor/bin/hw/com\.google\.edgetpu.dba-service u:object_r:edgetpu_dba_server_exec:s0 +/vendor/lib64/com\.google\.edgetpu.dba-V1-ndk\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/libedgetpu_dba_hal\.so u:object_r:same_process_hal_file:s0 diff --git a/edgetpu/priv_app.te b/edgetpu/priv_app.te index db6e0a27..63f76b8a 100644 --- a/edgetpu/priv_app.te +++ b/edgetpu/priv_app.te @@ -10,3 +10,6 @@ allow priv_app edgetpu_device:chr_file { getattr read write ioctl map }; # Allows privileged applications to access the PowerHAL. hal_client_domain(priv_app, hal_power) + +# Allows privileged applications to discover the EdgeTPU DBA service. +allow priv_app edgetpu_dba_service:service_manager find; diff --git a/edgetpu/service.te b/edgetpu/service.te index 09fa9cba..08658685 100644 --- a/edgetpu/service.te +++ b/edgetpu/service.te @@ -3,3 +3,4 @@ type edgetpu_app_service, service_manager_type; type edgetpu_vendor_service, service_manager_type, hal_service_type; type edgetpu_nnapi_service, app_api_service, service_manager_type; +type edgetpu_dba_service, app_api_service, service_manager_type; diff --git a/edgetpu/service_contexts b/edgetpu/service_contexts index 76fe43da..23a0fab8 100644 --- a/edgetpu/service_contexts +++ b/edgetpu/service_contexts @@ -5,3 +5,5 @@ com.google.edgetpu.IEdgeTpuVendorService/default u:object_r:edgetpu_ve # TPU NNAPI Service android.hardware.neuralnetworks.IDevice/google-edgetpu u:object_r:edgetpu_nnapi_service:s0 +# EdgeTPU DBA Service +com.google.edgetpu.dba.IDevice/default u:object_r:edgetpu_dba_service:s0 From a190e33522012ff73bc9701a2ecb569ab1903aef Mon Sep 17 00:00:00 2001 
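Review bot: In edgetpu/file_contexts, the dot between `edgetpu` and `dba` is left unescaped in two of the new patterns, so it matches any character rather than a literal dot. Escape it like the other dots on those lines: `/vendor/bin/hw/com\.google\.edgetpu\.dba-service` and `/vendor/lib64/com\.google\.edgetpu\.dba-V1-ndk\.so`. The exposure is small because the paths live under /vendor, but a pattern that assigns an exec label should match exactly the intended file name.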
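Review bot: In edgetpu/service.te, `edgetpu_dba_service` is declared with the `app_api_service` attribute, which in AOSP policy lets ordinary app domains look the service up, yet the priv_app.te hunk in this commit adds an explicit `find` for priv_app only. If privileged apps are the intended clients, declare it as `type edgetpu_dba_service, service_manager_type;` and keep the priv_app rule. If every app is meant to reach it, the priv_app rule is redundant and the service needs its own caller checks. The lines above the hunk are not visible, so this assumes no other attribute rule is involved.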
From: Adam Shih Date: Wed, 28 Sep 2022 13:20:33 +0800 Subject: [PATCH 690/921] move UFS dump to gs-common Bug: 248143736 Test: adb bugreport Change-Id: I3446ab420a0e8a0104dcc63c1cfd4c1a04060cdd --- whitechapel/vendor/google/hal_dumpstate_default.te | 3 --- 1 file changed, 3 deletions(-) diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 9ac16fe6..3889387f 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -92,9 +92,6 @@ allow hal_dumpstate_default sysfs_chip_id:file r_file_perms; allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans; allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans; -allow hal_dumpstate_default sysfs_scsi_devices_0000:dir r_dir_perms; -allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms; - allow hal_dumpstate_default vendor_displaycolor_service:service_manager find; binder_call(hal_dumpstate_default, hal_graphics_composer_default); allow hal_dumpstate_default sysfs_display:dir r_dir_perms; From 2acd1c0e73e31a70af25fe58bc081ac65791c38b Mon Sep 17 00:00:00 2001 From: Rajesh Nyamagoud Date: Thu, 22 Sep 2022 20:42:30 +0000 Subject: [PATCH 691/921] Updated confirmationui HAL binary name. Ignore-AOSP-First: Dependent on internal change. Bug: b/205760172 Test: Run confirmation UI test using CTS Verifier Change-Id: I690f6eb49f47bdf2d2790b0a6c9b0c45ca819a31 --- confirmationui/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/confirmationui/file_contexts b/confirmationui/file_contexts index 49db4171..377857d0 100644 --- a/confirmationui/file_contexts +++ b/confirmationui/file_contexts 
@@ -1,4 +1,4 @@ /vendor/bin/securedpud\.slider u:object_r:securedpud_slider_exec:s0 -/vendor/bin/hw/android\.hardware\.confirmationui@1\.0-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0 +/vendor/bin/hw/android\.hardware\.confirmationui-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0 /dev/tui-driver u:object_r:tui_device:s0 From d0af280f501bd17dc59b3529af7bd38cab1f5d8b Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 29 Sep 2022 15:17:08 +0800 Subject: [PATCH 692/921] move ramdump relate dumpstate to gs-common Bug: 248428203 Test: adb bugreport Change-Id: I16898410318dd8f396c68cd9096a4eb49358b784 --- whitechapel/vendor/google/hal_dumpstate_default.te | 4 ---- 1 file changed, 4 deletions(-) diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 3889387f..38e2abfc 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -103,8 +103,6 @@ allow hal_dumpstate_default proc_vendor_sched:file r_file_perms; userdebug_or_eng(` allow hal_dumpstate_default mnt_vendor_file:dir search; - allow hal_dumpstate_default ramdump_vendor_mnt_file:dir search; - allow hal_dumpstate_default ramdump_vendor_mnt_file:file r_file_perms; ') get_prop(hal_dumpstate_default, vendor_gps_prop) @@ -193,8 +191,6 @@ dontaudit hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms; dontaudit hal_dumpstate_default vendor_votable_debugfs:file r_file_perms; dontaudit hal_dumpstate_default mnt_vendor_file:dir r_dir_perms; -dontaudit hal_dumpstate_default ramdump_vendor_mnt_file:dir search; -dontaudit hal_dumpstate_default ramdump_vendor_mnt_file:file r_file_perms; dontaudit hal_dumpstate_default sysfs_bcl:dir r_dir_perms; dontaudit hal_dumpstate_default sysfs_bcl:file r_file_perms; From ac878d3f629291bc6229dad4315da40f7b372cc2 Mon Sep 17 00:00:00 2001 
From: Vaibhav Devmurari Date: Mon, 3 Oct 2022 13:01:26 +0000 Subject: [PATCH 693/921] Add SePolicy for system_server accessing sysfs for USB devices Add SePolicy to allow Android input manager accessing sysfs nodes for external USB devices To support input device lights manager feature in frameworks, provide sysfs node access to system server process. DD: go/pk_backlight_control (For keyboard backlight control for external keyboards) Kernel provides a standardized LED interface to expose LED controls over sysfs: https://docs.kernel.org/leds/leds-class.html The feature will be provided for devices with kernel sysfs class led support and vendor kernel driver for input controllers that do have lights. The kernel sysfs class led support is a kernel config option (LEDS_CLASS), and an input device driver will create the sysfs class node interface. By giving system_server the access to these sysfs nodes, the feature will work on devices with the kernel option and kernel input/hid driver support. We do use CTS tests to enforce the kernel options and the input device drivers. What's already supported? - We already support access to UHID sysfs node which used for all bluetooth based external peripherals What's included in this CL? - Adding support to access sysfs nodes for USB based external devices Test: manual Bug: 245506418 Change-Id: Ieb55614ed651b85f0e6752a17d02f4d370fd1e6f --- whitechapel/vendor/google/genfs_contexts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 2c59fc03..aabe7653 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -259,6 +259,10 @@ genfscon proc /nvt_pen_diff genfscon proc /nvt_raw u:object_r:proc_touch:s0 genfscon proc /nvt_selftest u:object_r:proc_touch:s0 +# Input +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb2/2-1 u:object_r:sysfs_uhid:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb2/2-1 u:object_r:sysfs_uhid:s0 + # GPS genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 genfscon sysfs /devices/virtual/pps/pps0/assert_elapsed u:object_r:sysfs_gps_assert:s0 From 6d2d8a991491294373cc6c8ce9b0e4ef4a7164bb Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 4 Oct 2022 09:06:15 +0800 Subject: [PATCH 694/921] move trusty dump from gs101 to gs-common Bug: 244504232 Test: adb bugreport Change-Id: I7a93c9ef7d07e92f0fd508c016a264c26a4e0b1e --- whitechapel/vendor/google/file_contexts | 1 - whitechapel/vendor/google/logd.te | 2 ++ 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 3f10d22c..9d3df942 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -339,7 +339,6 @@ /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 /mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 /dev/sg1 u:object_r:sg_device:s0 -/dev/trusty-log0 u:object_r:logbuffer_device:s0 # Battery /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 diff --git a/whitechapel/vendor/google/logd.te b/whitechapel/vendor/google/logd.te index cc55e204..ca969d80 100644 --- a/whitechapel/vendor/google/logd.te +++ b/whitechapel/vendor/google/logd.te @@ -1,2 +1,4 @@ r_dir_file(logd, logbuffer_device) allow logd logbuffer_device:chr_file r_file_perms; +allow logd trusty_log_device:chr_file r_file_perms; + From 0508a69dbda819b7ae16296ccebb3d12b3f3f915 Mon Sep 17 00:00:00 2001 
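Review bot: The two new `genfscon` entries in whitechapel/vendor/google/genfs_contexts label the whole `usb2/2-1` device subtree as `sysfs_uhid`, not just the LED class nodes the commit message describes. Every sysfs attribute of whatever device is plugged into that port inherits the label, so any domain that already has access to `sysfs_uhid` gains the same access to those attributes. Consider a dedicated type for USB input devices, or at least a comment such as `# external USB keyboards: whole device subtree, LED nodes live under it`, so the breadth is deliberate and reviewable. The paths are also tied to bus 2, port 1.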
From: Adam Shih Date: Tue, 4 Oct 2022 12:56:28 +0800 Subject: [PATCH 695/921] move soc dump to gs-common Bug: 248428203 Test: adb bugreport Change-Id: I09c8279685626125ab1c5a6b73d1143de7ae2f1d --- whitechapel/vendor/google/genfs_contexts | 7 ------- whitechapel/vendor/google/hal_dumpstate_default.te | 1 - 2 files changed, 8 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 2c59fc03..e58f4441 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -366,13 +366,6 @@ genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/gpu_light_clk_ratio # Chosen genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0 -genfscon sysfs /devices/system/chip-id/ap_hw_tune_str u:object_r:sysfs_chip_id:s0 -genfscon sysfs /devices/system/chip-id/evt_ver u:object_r:sysfs_chip_id:s0 -genfscon sysfs /devices/system/chip-id/lot_id u:object_r:sysfs_chip_id:s0 -genfscon sysfs /devices/system/chip-id/product_id u:object_r:sysfs_chip_id:s0 -genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_chip_id:s0 -genfscon sysfs /devices/system/chip-id/raw_str u:object_r:sysfs_chip_id:s0 - # OTA genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 38e2abfc..67d59413 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te 
@@ -87,7 +87,6 @@ allow hal_dumpstate_default proc_touch:file rw_file_perms; allow hal_dumpstate_default sysfs_batteryinfo:dir search; allow hal_dumpstate_default sysfs_batteryinfo:dir r_dir_perms; allow hal_dumpstate_default sysfs_batteryinfo:file r_file_perms; -allow hal_dumpstate_default sysfs_chip_id:file r_file_perms; allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans; allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans; From cba306cc3baf8601fb138b1300fdc02e314642b9 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 5 Oct 2022 10:30:09 +0800 Subject: [PATCH 696/921] move modem dump to gs-common Bug: 250475732 Test: adb bugreport Change-Id: I07bc213a6136d5803316062c3fddd55fc557c4b2 --- whitechapel/vendor/google/hal_dumpstate_default.te | 8 -------- 1 file changed, 8 deletions(-) diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 67d59413..ac963609 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -23,9 +23,6 @@ allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms; allow hal_dumpstate_default vendor_hwc_log_file:dir r_dir_perms; allow hal_dumpstate_default vendor_hwc_log_file:file r_file_perms; -allow hal_dumpstate_default vendor_rfsd_log_file:dir r_dir_perms; -allow hal_dumpstate_default vendor_rfsd_log_file:file r_file_perms; - # camera debugging dump file access allow hal_dumpstate_default vendor_camera_data_file:dir r_dir_perms; allow hal_dumpstate_default vendor_camera_data_file:file r_file_perms; 
@@ -43,9 +40,6 @@ userdebug_or_eng(` allow hal_dumpstate_default sensor_debug_data_file:file r_file_perms; ') -allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; -allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:file r_file_perms; - allow hal_dumpstate_default sysfs_acpm_stats:dir r_dir_perms; allow hal_dumpstate_default sysfs_acpm_stats:file r_file_perms; @@ -74,8 +68,6 @@ allow hal_dumpstate_default sysfs_thermal:lnk_file read; # Modem logs allow hal_dumpstate_default modem_efs_file:dir search; allow hal_dumpstate_default modem_efs_file:file r_file_perms; -allow hal_dumpstate_default modem_stat_data_file:dir r_dir_perms; -allow hal_dumpstate_default modem_stat_data_file:file r_file_perms; allow hal_dumpstate_default vendor_slog_file:file r_file_perms; allow hal_dumpstate_default block_device:dir r_dir_perms; From f15d1599ef63056498e1bce3644c113f6f534fcc Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 12 Oct 2022 11:31:57 +0800 Subject: [PATCH 697/921] remove redundant permission that has moved to gs-common Bug: 248426917 Test: adb bugreport Change-Id: I2b1f26164e9590dadd6eae4c14cb65a1c34197fa --- whitechapel/vendor/google/hal_dumpstate_default.te | 3 --- 1 file changed, 3 deletions(-) diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index ac963609..20981247 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -43,9 +43,6 @@ userdebug_or_eng(` allow hal_dumpstate_default sysfs_acpm_stats:dir r_dir_perms; allow hal_dumpstate_default sysfs_acpm_stats:file r_file_perms; -allow hal_dumpstate_default sysfs_aoc:dir r_dir_perms; -allow hal_dumpstate_default sysfs_aoc_dumpstate:file r_file_perms; - allow hal_dumpstate_default sysfs_spi:dir search; allow hal_dumpstate_default sysfs_spi:file rw_file_perms; From 2933a7f1057337477afac2292234c3e3973bd66e Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Wed, 12 Oct 2022 15:25:17 +0800 Subject: [PATCH 698/921] upgrade dumpstate from hidl to aidl Bug: 240530709 Test: adb bugreport Change-Id: If5f81174f7881100bff21462ff4aef9ff62357d4 --- whitechapel/vendor/google/file_contexts | 2 +- whitechapel/vendor/google/hal_dumpstate_default.te | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 9d3df942..63017f38 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -27,7 +27,7 @@ /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@1\.1-service-brcm u:object_r:hal_gnss_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@2\.0-service-brcm u:object_r:hal_gnss_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service-brcm u:object_r:hal_gnss_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.1-service\.gs101 u:object_r:hal_dumpstate_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate-service\.gs101 u:object_r:hal_dumpstate_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.gs101 u:object_r:hal_power_stats_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0 # Wireless charger HAL diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 20981247..b1f59800 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te 
@@ -7,6 +7,7 @@ allow hal_dumpstate_default sysfs_bcmdhd:file r_file_perms; allow hal_dumpstate_default sysfs_memory:file r_file_perms; allow hal_dumpstate_default sysfs_cpu:file r_file_perms; +binder_use(hal_dumpstate_default) vndbinder_use(hal_dumpstate_default) allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms; From 5de95a5dd930cc8d4b0651a92525fcd35248c582 Mon Sep 17 00:00:00 2001 From: Rajesh Nyamagoud Date: Thu, 22 Sep 2022 20:42:30 +0000 Subject: [PATCH 699/921] Updated confirmationui HAL binary name. Ignore-AOSP-First: Dependent on internal change. Bug: b/205760172 Test: Run confirmation UI test using CTS Verifier Change-Id: I690f6eb49f47bdf2d2790b0a6c9b0c45ca819a31 (cherry picked from commit 2acd1c0e73e31a70af25fe58bc081ac65791c38b) Merged-In: I690f6eb49f47bdf2d2790b0a6c9b0c45ca819a31 --- confirmationui/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/confirmationui/file_contexts b/confirmationui/file_contexts index 49db4171..377857d0 100644 --- a/confirmationui/file_contexts +++ b/confirmationui/file_contexts @@ -1,4 +1,4 @@ /vendor/bin/securedpud\.slider u:object_r:securedpud_slider_exec:s0 -/vendor/bin/hw/android\.hardware\.confirmationui@1\.0-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0 +/vendor/bin/hw/android\.hardware\.confirmationui-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0 /dev/tui-driver u:object_r:tui_device:s0 From ff0d3717a6edd5bcb094ebb6895adf8061314271 Mon Sep 17 00:00:00 2001 From: Rajesh Nyamagoud Date: Thu, 22 Sep 2022 20:42:30 +0000 Subject: [PATCH 700/921] Updated confirmationui HAL binary name. Ignore-AOSP-First: Dependent on internal change. Bug: b/205760172 Test: Run confirmation UI test using CTS Verifier Change-Id: I690f6eb49f47bdf2d2790b0a6c9b0c45ca819a31 --- confirmationui/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/confirmationui/file_contexts b/confirmationui/file_contexts index 49db4171..377857d0 100644 --- a/confirmationui/file_contexts +++ b/confirmationui/file_contexts @@ -1,4 +1,4 @@ /vendor/bin/securedpud\.slider u:object_r:securedpud_slider_exec:s0 -/vendor/bin/hw/android\.hardware\.confirmationui@1\.0-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0 +/vendor/bin/hw/android\.hardware\.confirmationui-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0 /dev/tui-driver u:object_r:tui_device:s0 From ecd597b98adf0c6c0c3807708760b61fae57bfba Mon Sep 17 00:00:00 2001 From: timmyli Date: Fri, 14 Oct 2022 01:55:04 +0000 Subject: [PATCH 701/921] Add aoc_device access to P21 devices. Camera hal Since we plan to apply rls refactor to P21 devices as well. Add access to camera_hal to aoc_device for these devices. Bug: 253493159 Test: Compiles Change-Id: I43728c723e0cfc7cdde5377260af6075d4672e7b --- whitechapel/vendor/google/hal_camera_default.te | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index 2e36e4a8..d78cf7ad 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te @@ -103,4 +103,7 @@ dontaudit hal_camera_default system_data_file:dir { search }; # google3 prebuilts attempt to connect to the wrong trace socket, ignore them. dontaudit hal_camera_default traced:unix_stream_socket { connectto }; -dontaudit hal_camera_default traced_producer_socket:sock_file { write }; \ No newline at end of file +dontaudit hal_camera_default traced_producer_socket:sock_file { write }; + +# Allow access to always-on compute device node +allow hal_camera_default aoc_device:chr_file rw_file_perms; From 2118dfb684cb49da4047e5f698d6db83bcf2d2cc Mon Sep 17 00:00:00 2001 
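Review bot: The new `allow hal_camera_default aoc_device:chr_file rw_file_perms;` in hal_camera_default.te gives the camera HAL read, write and ioctl access to the always-on compute device, but the comment above it only restates the rule. Say why the HAL needs the access, e.g. `# rls refactor (b/253493159): camera HAL opens the always-on compute (AOC) device node`, so the grant can be removed when the feature goes away. The commit lists only a compile test, so it is worth confirming on a device that the access is actually exercised.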
From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Fri, 14 Oct 2022 13:48:36 +0000 Subject: [PATCH 702/921] Use generic wildcard for vendor libprotobuf. The suffix changes on each upgrade and the newest release uses a two-part version number instead of a three-part one. Use a regex that will match any suffix. Bug: 203713560 Test: presubmit, log check Change-Id: I27d7bd10e469b794226fe0c77b02c57d876729b1 --- whitechapel/vendor/google/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 1bedda99..e813af5a 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -429,7 +429,7 @@ # Statsd service to support EdgeTPU metrics logging service. /vendor/lib64/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0 -/vendor/lib64/libprotobuf-cpp-lite-3\.9\.1\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/libprotobuf-cpp-lite-(\d+\.){2,3}so u:object_r:same_process_hal_file:s0 # Raw HID device /dev/hidraw[0-9]* u:object_r:hidraw_device:s0 From 4dc474a7b3ae6a52848bf4b36d6931f3126f018f Mon Sep 17 00:00:00 2001 From: Chungkai Mei Date: Wed, 12 Oct 2022 17:06:05 +0000 Subject: [PATCH 703/921] sepolicy: ignore and fix avc denial ignore and fix avc denial Bug: 228181404 Test: boot without avc denial Signed-off-by: Chungkai Mei Change-Id: I83640aae46bd1823c4e4dcf15f00e64fa7a87aef --- whitechapel/vendor/google/genfs_contexts | 306 +++++++++++++++++++---- whitechapel/vendor/google/kernel.te | 1 + 2 files changed, 257 insertions(+), 50 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 5e7cd508..e128cca5 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
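Review bot: The new libprotobuf pattern in whitechapel/vendor/google/file_contexts uses `\d`, whereas other entries in this file write digit classes as `[0-9]`, for example `/dev/hidraw[0-9]*` in the same hunk. Use `/vendor/lib64/libprotobuf-cpp-lite-([0-9]+\.){2,3}so` to keep one style. A short comment noting that the pattern must stay anchored to the `libprotobuf-cpp-lite-` prefix would also help, since everything it matches is labelled `same_process_hal_file`.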
@@ -31,7 +31,12 @@ genfscon sysfs /devices/platform/10d50000.hsi2c genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 - +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/0-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/1-0050/eeprom u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-p9412 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-0050/eeprom u:object_r:sysfs_batteryinfo:s0 
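Review bot: The genfs_contexts hunks in this commit repeat each sysfs path once per i2c bus index (here `10970000.hsi2c/i2c-0` and `i2c-1` are added next to the existing `i2c-2` entries), and nothing in the file says why. Presumably the bus number is not stable across boards or kernel builds; if so, a comment at the top of each group such as `# i2c bus numbering varies by board/kernel; label indexes 0-8` would tell the next editor that a new device needs the full set. The enumeration is easy to get wrong by hand (a later hunk of this same commit corrects `i2c-6/0-001f` to `i2c-6/6-001f`), so generating these lines from a template would be safer than editing them one by one. The description "ignore and fix avc denial" also does not name the denied domain or path, which makes it hard to check that each new label is needed.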
@@ -56,6 +61,11 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0050/eeprom u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/0-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/1-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0057/chg_stats u:object_r:sysfs_pca:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/chg_stats u:object_r:sysfs_pca:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/chg_stats u:object_r:sysfs_pca:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0057/chg_stats u:object_r:sysfs_pca:s0 
@@ -86,9 +96,17 @@ genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/ieee80215 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/gadget/net u:object_r:sysfs_net:s0 # Vibrator +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/0-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/0-005a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/1-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/1-005a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-005a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-005a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043 u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043 u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-005a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043 u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-005a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0043 u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-005a u:object_r:sysfs_vibrator:s0 
@@ -96,7 +114,16 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0043 u:object genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-005a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0043 u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-005a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 
@@ -110,12 +137,31 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l25a u:object genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0 # System_suspend +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-0/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-1/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-2/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10960000.hsi2c/i2c-5/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10960000.hsi2c/i2c-6/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10960000.hsi2c/i2c-7/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10960000.hsi2c/i2c-8/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/1-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/1-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10970000.hsi2c/i2c-2/2-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 
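Review bot: In the System_suspend hunk (`@@ -110,12 +137,31 @@`), the added entry `/devices/platform/10970000.hsi2c/i2c-0/1-0043/wakeup` pairs bus `i2c-0` with device `1-0043`, while every sibling entry uses a device name that carries its own bus number (`i2c-1/1-0043`, `i2c-2/2-0043`, `i2c-3/3-0043`). It looks like a copy-paste slip and should read `genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/0-0043/wakeup u:object_r:sysfs_wakeup:s0`. As written, a wakeup node under `i2c-0/0-0043` would presumably fall under the `i2c-0/0-0043` prefix that the Vibrator hunk labels `sysfs_vibrator`. The denial this commit is meant to clear would then remain on boards where the device enumerates on bus 0.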
@@ -137,6 +183,20 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l25a/wakeup genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/0-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/0-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/0-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/0-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/1-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/1-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/1-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/1-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/i2c-max77759tcpc/power_supply/usb/wakeup 
u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 
@@ -214,22 +274,64 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/wake genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/0-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/0-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/0-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/0-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/0-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-7/0-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/0-002f/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/2-002f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/3-002f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/4-002f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-5/5-002f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/6-002f/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0 
@@ -287,48 +389,14 @@ genfscon sysfs /devices/platform/cp-tm1/cp_temp u genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/bluetooth/hci0/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 # ODPM -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon 
sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 - -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 - -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/0-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/0-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/0-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/0-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 
@@ -337,6 +405,62 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/2-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/2-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/2-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/2-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/3-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name 
u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/3-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/3-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/3-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/4-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/4-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/4-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-4/4-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/5-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/5-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/5-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/5-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/6-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/6-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/6-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/6-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 
@@ -355,6 +479,79 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-mete genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/8-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/8-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/8-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/8-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 + # bcl sysfs files genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0 genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/tpu_heavy_clk_ratio u:object_r:sysfs_bcl:s0 
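Review bot: The added s2mpg10 `iio:device0` entries repeat the same four attributes (`name`, `energy_value`, `sampling_rate`, `enabled_rails`) for every bus number from i2c-0 to i2c-8 and for both client-name forms, with no comment saying why. If the reason is that the I2C bus number is not stable across kernels or boards, say so above the block, e.g. `# ODPM: i2c bus number and client name vary; label every candidate path`. Because genfscon matches by path prefix, one entry per `.../s2mpg10-odpm/iio:device0` directory would shorten the list, but it would also label every attribute in that directory `sysfs_odpm`, so keep the per-attribute form if only these four are meant to be reachable. The nvmem, st21nfc power_stats and max77759tcpc extcon hunks that follow extend their bus ranges the same way and would benefit from the same comment.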
@@ -429,6 +626,10 @@ genfscon sysfs /devices/platform/1c500000.mali/kprcs genfscon sysfs /devices/platform/1c500000.mali/power_policy u:object_r:sysfs_gpu:s0 # nvmem (Non Volatile Memory layer) +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/0-0050/0-00500/nvmem u:object_r:sysfs_memory:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/1-0050/1-00500/nvmem u:object_r:sysfs_memory:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-0050/2-00500/nvmem u:object_r:sysfs_memory:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-0050/3-00500/nvmem u:object_r:sysfs_memory:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/4-00500/nvmem u:object_r:sysfs_memory:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0050/5-00500/nvmem u:object_r:sysfs_memory:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0050/6-00500/nvmem u:object_r:sysfs_memory:s0 @@ -440,6 +641,9 @@ genfscon sysfs /module/bcmdhd4389 # Power Stats genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-0/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-1/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-2/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/10960000.hsi2c/i2c-5/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 
@@ -510,6 +714,8 @@ genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 # Extcon +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 diff --git a/whitechapel/vendor/google/kernel.te b/whitechapel/vendor/google/kernel.te index c34e7f72..fa6c2fac 100644 --- a/whitechapel/vendor/google/kernel.te +++ b/whitechapel/vendor/google/kernel.te @@ -9,3 +9,4 @@ allow kernel self:capability2 perfmon; allow kernel self:perf_event cpu; dontaudit kernel vendor_battery_debugfs:dir search; +dontaudit kernel vendor_maxfg_debugfs:dir { search }; From 8d802db37aa159c8fe7421eddfe9c6858ad2dbdc Mon Sep 17 00:00:00 2001 From: Chungjui Fan Date: Mon, 17 Oct 2022 12:23:00 +0000 Subject: [PATCH 704/921] sepolicy: gs101: allow fastbootd to access gsc device node avc: denied { getattr } for pid=469 comm="fastbootd" path="/dev/gsc0" dev="tmpfs" ino=470 scontext=u:r:fastbootd:s0 tcontext=u:object_r:citadel_device:s0 tclass=chr_file permissive=0 Bug: 248301125 Change-Id: Ic1aec8874636437b9b8d795b46fae72fa8533302 Signed-off-by: Chungjui Fan --- whitechapel/vendor/google/fastbootd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/fastbootd.te b/whitechapel/vendor/google/fastbootd.te index d6cf7315..e350e0f3 100644 --- a/whitechapel/vendor/google/fastbootd.te +++ b/whitechapel/vendor/google/fastbootd.te 
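Review bot: The new `dontaudit kernel vendor_maxfg_debugfs:dir { search };` in kernel.te has no comment or bug reference in the file, so a later reader cannot tell whether the suppressed denial is expected or still being tracked. A dontaudit removes the denial from the audit log entirely, which deserves a one-line justification above the rule, e.g. `# b/<bug-id>: <why the kernel's debugfs search can be ignored>`. The existing line above it writes the same permission as `dir search;` without braces; using that form here keeps the file consistent.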
@@ -5,4 +5,5 @@ allow fastbootd devinfo_block_device:blk_file rw_file_perms; allow fastbootd sda_block_device:blk_file rw_file_perms; allow fastbootd sysfs_ota:file rw_file_perms; allow fastbootd custom_ab_block_device:blk_file rw_file_perms; +allow fastbootd citadel_device:chr_file rw_file_perms; ') From 536b9a4ee6c901daaa7a18509a845c5ecffb5054 Mon Sep 17 00:00:00 2001 From: Michael Butler Date: Wed, 19 Oct 2022 10:29:23 -0700 Subject: [PATCH 705/921] Remove same_process_hal_file attribute from libedgetpu_dba_hal libedgetpu_dba_hal.so is changed from /vendor to /system_ext in this topic, so this CL removes the now-unnecessary same_process_hal_file attribute from libedgetpu_dba_hal and its AIDL interface. Bug: 245792277 Test: mma Test: atest edgetpu_dba_hal_test Change-Id: Ibbe58fa8c0992f28b54b69308345b3729d77ef90 --- edgetpu/file_contexts | 2 -- 1 file changed, 2 deletions(-) diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts index bfd5f608..62002307 100644 --- a/edgetpu/file_contexts +++ b/edgetpu/file_contexts @@ -28,5 +28,3 @@ # EdgeTPU DBA service /vendor/bin/hw/com\.google\.edgetpu.dba-service u:object_r:edgetpu_dba_server_exec:s0 -/vendor/lib64/com\.google\.edgetpu.dba-V1-ndk\.so u:object_r:same_process_hal_file:s0 -/vendor/lib64/libedgetpu_dba_hal\.so u:object_r:same_process_hal_file:s0 From 72aa5a98fc5c0bda216afa60dbf0cc962f20e270 Mon Sep 17 00:00:00 2001 
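Review bot: The added rule grants `rw_file_perms` on `citadel_device:chr_file`, while the only denial quoted in the commit message is `getattr` on `/dev/gsc0`. If fastbootd only stats the node, `allow fastbootd citadel_device:chr_file getattr;` is enough. If it does open and talk to the security chip, the commit message should quote those denials too, and a comment above the rule should say what fastbootd uses the device for. The rule sits inside a macro block that opens above the hunk (only the closing `')` is visible), so which build or mode it is limited to cannot be confirmed from here.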
From: Adam Shih Date: Thu, 20 Oct 2022 11:22:30 +0800 Subject: [PATCH 706/921] move aoc settings to gs-common Bug: 248426917 Test: boot with aoc launched Change-Id: I891767f10dfac7528b76e27fd2756b77ed46e45c --- whitechapel/vendor/google/aocd.te | 21 ----------- whitechapel/vendor/google/aocdump.te | 19 ---------- whitechapel/vendor/google/device.te | 6 --- whitechapel/vendor/google/file.te | 13 ------- whitechapel/vendor/google/file_contexts | 37 ------------------- whitechapel/vendor/google/genfs_contexts | 12 ------ .../vendor/google/hal_audio_default.te | 35 ------------------ .../google/hal_audiometricext_default.te | 12 ------ whitechapel/vendor/google/hwservice.te | 6 --- whitechapel/vendor/google/hwservice_contexts | 6 --- whitechapel/vendor/google/property.te | 4 -- whitechapel/vendor/google/property_contexts | 16 -------- 12 files changed, 187 deletions(-) delete mode 100644 whitechapel/vendor/google/aocd.te delete mode 100644 whitechapel/vendor/google/aocdump.te delete mode 100644 whitechapel/vendor/google/hal_audio_default.te delete mode 100644 whitechapel/vendor/google/hal_audiometricext_default.te diff --git a/whitechapel/vendor/google/aocd.te b/whitechapel/vendor/google/aocd.te deleted file mode 100644 index 69b0af0d..00000000 --- a/whitechapel/vendor/google/aocd.te +++ /dev/null @@ -1,21 +0,0 @@ -type aocd, domain; -type aocd_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(aocd) - -# access persist files -allow aocd mnt_vendor_file:dir search; -allow aocd persist_file:dir search; -r_dir_file(aocd, persist_aoc_file); - -# sysfs operations -allow aocd sysfs_aoc:dir search; -allow aocd sysfs_aoc_firmware:file w_file_perms; - -# dev operations -allow aocd aoc_device:chr_file rw_file_perms; - -# allow inotify to watch for additions/removals from /dev -allow aocd device:dir r_dir_perms; - -# set properties -set_prop(aocd, vendor_aoc_prop) 
diff --git a/whitechapel/vendor/google/aocdump.te b/whitechapel/vendor/google/aocdump.te deleted file mode 100644 index ca468a35..00000000 --- a/whitechapel/vendor/google/aocdump.te +++ /dev/null @@ -1,19 +0,0 @@ -type aocdump, domain; -type aocdump_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(aocdump) - -userdebug_or_eng(` - # Permit communication with AoC - allow aocdump aoc_device:chr_file rw_file_perms; - - allow aocdump radio_vendor_data_file:dir rw_dir_perms; - allow aocdump radio_vendor_data_file:file create_file_perms; - allow aocdump wifi_logging_data_file:dir create_dir_perms; - allow aocdump wifi_logging_data_file:file create_file_perms; - set_prop(aocdump, vendor_audio_prop); - r_dir_file(aocdump, proc_asound) - - allow aocdump self:unix_stream_socket create_stream_socket_perms; - allow aocdump property_socket:sock_file { write }; - allow aocdump audio_vendor_data_file:sock_file { create unlink }; -') diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index 7a70e332..c2701d05 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -33,15 +33,9 @@ type faceauth_heap_device, dmabuf_heap_device_type, dev_type; #vscaler-secure DMA-BUF heap type vscaler_heap_device, dmabuf_heap_device_type, dev_type; -# AOC device -type aoc_device, dev_type; - # Fingerprint device type fingerprint_device, dev_type; -# AMCS device -type amcs_device, dev_type; - # Raw HID device type hidraw_device, dev_type; diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index baf55b15..3f3c8534 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te 
@@ -90,19 +90,6 @@ type per_boot_file, file_type, data_file_type, core_data_file_type; type proc_touch, proc_type, fs_type, mlstrustedobject; type sysfs_touch, sysfs_type, fs_type; -# AOC -type sysfs_aoc_dumpstate, sysfs_type, fs_type; -type sysfs_aoc_boottime, sysfs_type, fs_type; -type sysfs_aoc_firmware, sysfs_type, fs_type; -type sysfs_aoc, sysfs_type, fs_type; -type sysfs_aoc_reset, sysfs_type, fs_type; - -# Audio -type persist_audio_file, file_type, vendor_persist_type; -type persist_aoc_file, file_type, vendor_persist_type; -type audio_vendor_data_file, file_type, data_file_type; -type aoc_audio_file, file_type, vendor_file_type; - # RILD type rild_vendor_data_file, file_type, data_file_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 6077cd7a..98c76319 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -249,10 +249,6 @@ # Sensors /data/vendor/sensor(/.*)? u:object_r:sensor_vendor_data_file:s0 -/dev/acd-com.google.usf u:object_r:aoc_device:s0 -/dev/acd-com.google.usf.non_wake_up u:object_r:aoc_device:s0 -/dev/acd-logging u:object_r:aoc_device:s0 -/dev/aoc u:object_r:aoc_device:s0 # Contexthub /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 @@ -266,9 +262,6 @@ /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 /data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 -# Audio logging -/vendor/bin/aocdump u:object_r:aocdump_exec:s0 - # modem_svc_sit files /vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0 
@@ -302,33 +295,6 @@ /dev/logbuffer_btlpm u:object_r:logbuffer_device:s0 /dev/logbuffer_tty16 u:object_r:logbuffer_device:s0 -# Audio -/mnt/vendor/persist/aoc(/.*)? u:object_r:persist_aoc_file:s0 -/mnt/vendor/persist/audio(/.*)? u:object_r:persist_audio_file:s0 -/data/vendor/audio(/.*)? u:object_r:audio_vendor_data_file:s0 -/vendor/etc/aoc(/.*)? u:object_r:aoc_audio_file:s0 -/dev/acd-audio_output_tuning u:object_r:aoc_device:s0 -/dev/acd-audio_bulk_tx u:object_r:aoc_device:s0 -/dev/acd-audio_bulk_rx u:object_r:aoc_device:s0 -/dev/acd-audio_input_tuning u:object_r:aoc_device:s0 -/dev/acd-audio_input_bulk_tx u:object_r:aoc_device:s0 -/dev/acd-audio_input_bulk_rx u:object_r:aoc_device:s0 -/dev/acd-sound_trigger u:object_r:aoc_device:s0 -/dev/acd-hotword_notification u:object_r:aoc_device:s0 -/dev/acd-hotword_pcm u:object_r:aoc_device:s0 -/dev/acd-ambient_pcm u:object_r:aoc_device:s0 -/dev/acd-model_data u:object_r:aoc_device:s0 -/dev/acd-debug u:object_r:aoc_device:s0 -/dev/acd-audio_tap[0-9]* u:object_r:aoc_device:s0 -/dev/acd-audio_dcdoff_ref u:object_r:aoc_device:s0 -/dev/acd-audio_ap_offload_rx u:object_r:aoc_device:s0 -/dev/acd-audio_ap_offload_tx u:object_r:aoc_device:s0 -/dev/amcs u:object_r:amcs_device:s0 - -# AudioMetric -/(vendor|system/vendor)/bin/hw/vendor\.google\.audiometricext@1\.0-service-vendor u:object_r:hal_audiometricext_default_exec:s0 - - # Trusty /vendor/bin/storageproxyd u:object_r:tee_exec:s0 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0 @@ -343,9 +309,6 @@ # Battery /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 -# AoC file contexts. -/vendor/bin/aocd u:object_r:aocd_exec:s0 - # GRIL /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 4b257a44..5c7b98c9 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -681,18 +681,6 @@ genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count # mediacodec genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_video:s0 -# pixelstat_vendor -genfscon sysfs /devices/platform/audiometrics/codec_state u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/hs_codec_state u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/speaker_impedance u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/speaker_excursion u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/speaker_heartbeat u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/speaker_temp u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/mic_broken_degrade u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/codec_crashed_counter u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/hwinfo_part_number u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/ams_rate_read_once u:object_r:sysfs_pixelstats:s0 - # SJTAG genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0 genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_r:sysfs_sjtag:s0 diff --git a/whitechapel/vendor/google/hal_audio_default.te b/whitechapel/vendor/google/hal_audio_default.te deleted file mode 100644 index 0755cba1..00000000 --- a/whitechapel/vendor/google/hal_audio_default.te +++ /dev/null 
@@ -1,35 +0,0 @@ -vndbinder_use(hal_audio_default) -hwbinder_use(hal_audio_default) - -allow hal_audio_default audio_vendor_data_file:dir rw_dir_perms; -allow hal_audio_default audio_vendor_data_file:file create_file_perms; - -r_dir_file(hal_audio_default, aoc_audio_file); -r_dir_file(hal_audio_default, mnt_vendor_file); -r_dir_file(hal_audio_default, persist_audio_file); - -allow hal_audio_default persist_file:dir search; -allow hal_audio_default aoc_device:file rw_file_perms; -allow hal_audio_default aoc_device:chr_file rw_file_perms; - -allow hal_audio_default hal_audio_ext_hwservice:hwservice_manager { find add }; - -allow hal_audio_default amcs_device:file rw_file_perms; -allow hal_audio_default amcs_device:chr_file rw_file_perms; -allow hal_audio_default sysfs_pixelstats:file rw_file_perms; - -#allow access to DMABUF Heaps for AAudio API -allow hal_audio_default dmabuf_heap_device:chr_file r_file_perms; - -get_prop(hal_audio_default, vendor_audio_prop); - -hal_client_domain(hal_audio_default, hal_health); -hal_client_domain(hal_audio_default, hal_thermal); -allow hal_audio_default fwk_sensor_hwservice:hwservice_manager find; - -userdebug_or_eng(` - allow hal_audio_default self:unix_stream_socket create_stream_socket_perms; - allow hal_audio_default audio_vendor_data_file:sock_file { create unlink }; -') - -wakelock_use(hal_audio_default); diff --git a/whitechapel/vendor/google/hal_audiometricext_default.te b/whitechapel/vendor/google/hal_audiometricext_default.te deleted file mode 100644 index 5358eac4..00000000 --- a/whitechapel/vendor/google/hal_audiometricext_default.te +++ /dev/null 
@@ -1,12 +0,0 @@ -type hal_audiometricext_default, domain; -type hal_audiometricext_default_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(hal_audiometricext_default) - -allow hal_audiometricext_default amcs_device:chr_file rw_file_perms; -allow hal_audiometricext_default sysfs_pixelstats:file rw_file_perms; - -get_prop(hal_audiometricext_default, vendor_audio_prop); -get_prop(hal_audiometricext_default, hwservicemanager_prop); - -hwbinder_use(hal_audiometricext_default); -add_hwservice(hal_audiometricext_default, hal_audiometricext_hwservice); diff --git a/whitechapel/vendor/google/hwservice.te b/whitechapel/vendor/google/hwservice.te index a3a3ead1..8afa89a5 100644 --- a/whitechapel/vendor/google/hwservice.te +++ b/whitechapel/vendor/google/hwservice.te @@ -10,15 +10,9 @@ type hal_exynos_rild_hwservice, hwservice_manager_type; # GRIL service type hal_radioext_hwservice, hwservice_manager_type; -# Audio -type hal_audio_ext_hwservice, hwservice_manager_type; - # WLC type hal_wlc_hwservice, hwservice_manager_type; # Fingerprint type hal_fingerprint_ext_hwservice, hwservice_manager_type; -# AudioMetric -type hal_audiometricext_hwservice, hwservice_manager_type; - diff --git a/whitechapel/vendor/google/hwservice_contexts b/whitechapel/vendor/google/hwservice_contexts index 30207772..baf720bf 100644 --- a/whitechapel/vendor/google/hwservice_contexts +++ b/whitechapel/vendor/google/hwservice_contexts 
@@ -17,15 +17,9 @@ android.hardware.media.c2::IConfigurable u:object_r:hal_c # GRIL HAL vendor.google.radioext::IRadioExt u:object_r:hal_radioext_hwservice:s0 -#Audio -vendor.google.whitechapel.audio.audioext::IAudioExt u:object_r:hal_audio_ext_hwservice:s0 - # Wireless charger hal vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0 # Fingerprint vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0 -#Audio -vendor.google.audiometricext::IAudioMetricExt u:object_r:hal_audiometricext_hwservice:s0 - diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index cac5e483..02c40756 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -14,7 +14,6 @@ vendor_internal_prop(vendor_persist_config_default_prop) vendor_internal_prop(vendor_sys_default_prop) vendor_internal_prop(vendor_ro_sys_default_prop) vendor_internal_prop(vendor_persist_sys_default_prop) -vendor_internal_prop(vendor_audio_prop) vendor_internal_prop(vendor_codec2_debug_prop) vendor_internal_prop(vendor_display_prop) vendor_internal_prop(vendor_camera_prop) @@ -28,9 +27,6 @@ vendor_internal_prop(vendor_battery_defender_prop) # Battery profile for harness mode vendor_internal_prop(vendor_battery_profile_prop) -# AoC -vendor_internal_prop(vendor_aoc_prop) - # Logger vendor_internal_prop(vendor_logger_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 1085b3b5..4c8eb701 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts 
@@ -46,19 +46,6 @@ vendor.sys. u:object_r:vendor_sys_default_prop:s0 ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop:s0 persist.vendor.sys. u:object_r:vendor_persist_sys_default_prop:s0 - -# for audio -vendor.audio_hal.period_multiplier u:object_r:vendor_audio_prop:s0 -vendor.audiodump.enable u:object_r:vendor_audio_prop:s0 -persist.vendor.audio. u:object_r:vendor_audio_prop:s0 -vendor.audiodump.log.ondemand u:object_r:vendor_audio_prop:s0 -vendor.audiodump.log.config u:object_r:vendor_audio_prop:s0 -vendor.audiodump.output.dir u:object_r:vendor_audio_prop:s0 -vendor.audiodump.encode.disable u:object_r:vendor_audio_prop:s0 -vendor.audiodump.log.cca.updated u:object_r:vendor_audio_prop:s0 -vendor.audiodump.cca.config u:object_r:vendor_audio_prop:s0 - - # for display ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0 @@ -84,9 +71,6 @@ vendor.battery.defender. u:object_r:vendor_battery_defend # test battery profile persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0 -# AoC -vendor.aoc.firmware.version u:object_r:vendor_aoc_prop:s0 - # WiFi vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0 vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0 From 24160a4bcb27b0de4e66082c2c4b8081f8f306cf Mon Sep 17 00:00:00 2001 From: Gabriel Biren Date: Thu, 20 Oct 2022 16:54:19 +0000 Subject: [PATCH 707/921] Update gs101 sepolicy to allow the wifi_ext AIDL service. Bug: 205044134 Test: Start wifi on an Oriole device using both the HIDL and AIDL versions of wifi_ext. Change-Id: I45cbc86e4d4feb2aa99641175108dd9745c1715e --- whitechapel/vendor/google/chre.te | 1 + whitechapel/vendor/google/grilservice_app.te | 1 + 2 files changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/chre.te b/whitechapel/vendor/google/chre.te index 9dfd9bf6..4d23fceb 100644 --- a/whitechapel/vendor/google/chre.te +++ b/whitechapel/vendor/google/chre.te 
@@ -18,6 +18,7 @@ usf_low_latency_transport(chre) # Allow CHRE to talk to the WiFi HAL allow chre hal_wifi_ext:binder { call transfer }; allow chre hal_wifi_ext_hwservice:hwservice_manager find; +allow chre hal_wifi_ext_service:service_manager find; # Allow CHRE host to talk to stats service allow chre fwk_stats_service:service_manager find; diff --git a/whitechapel/vendor/google/grilservice_app.te b/whitechapel/vendor/google/grilservice_app.te index 50ff22a5..c0ba5764 100644 --- a/whitechapel/vendor/google/grilservice_app.te +++ b/whitechapel/vendor/google/grilservice_app.te @@ -5,6 +5,7 @@ allow grilservice_app app_api_service:service_manager find; allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find; allow grilservice_app hal_radioext_hwservice:hwservice_manager find; allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find; +allow grilservice_app hal_wifi_ext_service:service_manager find; allow grilservice_app hal_audiometricext_hwservice:hwservice_manager find; binder_call(grilservice_app, hal_bluetooth_btlinux) binder_call(grilservice_app, hal_radioext_default) From 5851e176055b694887d717d3872f8d0e2d33854f Mon Sep 17 00:00:00 2001 From: Lucas Wei Date: Wed, 5 Oct 2022 16:41:47 +0800 Subject: [PATCH 708/921] votable: update SEpolicy error Bug: 247905787 Signed-off-by: Lucas Wei Change-Id: Ia6dfb7796ab46b0ac339b98465ccd91624b655ed --- tracking_denials/kernel.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 tracking_denials/kernel.te diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te new file mode 100644 index 00000000..45ce8edc --- /dev/null +++ b/tracking_denials/kernel.te @@ -0,0 +1,2 @@ +#b/247905787 +dontaudit kernel vendor_votable_debugfs:dir { search }; From 91960cb2d754c7f2dc86195584f11dcac511be23 Mon Sep 17 00:00:00 2001 From: Lucas Wei Date: Wed, 5 Oct 2022 16:41:47 +0800 Subject: [PATCH 709/921] votable: update SEpolicy error Bug: 247905787 
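Review bot: The HIDL lookup `allow chre hal_wifi_ext_hwservice:hwservice_manager find;` now sits beside the new AIDL `hal_wifi_ext_service:service_manager find` rule with nothing marking it as transitional, and the same holds for the grilservice_app.te hunk. Keeping both is consistent with the commit's test note (HIDL and AIDL versions of wifi_ext), but a later least-privilege cleanup has no hint that one of them can go. I would add a comment above the pair in both files, for example `# wifi_ext is reachable over HIDL and AIDL during the transition; drop the hwservice rule once the HAL is AIDL-only`. In grilservice_app.te the hunk shows `binder_call` lines only for other HALs, so it is worth confirming outside the hunk that the matching binder permission for hal_wifi_ext exists; `find` alone allows only the lookup.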
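Review bot: `dontaudit kernel vendor_votable_debugfs:dir { search };` in the new tracking_denials/kernel.te silences the AVC record rather than resolving the access, and the only context left in the file is the bare `#b/247905787`. Once this is in, any further kernel-domain search of that debugfs directory stops appearing in audit logs, so the entry should say whether the access is unneeded or still awaiting a proper rule. I would expand the comment to something like `# b/247905787: <what triggers the search>; access not required, suppressed until <fix>`, filling the placeholders from the bug. The same rule is added again in PATCH 709's hunk on the other branch, where the existing `vendor_maxfg_debugfs` entry has the same bare-bug-number comment.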
Signed-off-by: Lucas Wei Change-Id: Ia6dfb7796ab46b0ac339b98465ccd91624b655ed Merged-In: Ia6dfb7796ab46b0ac339b98465ccd91624b655ed --- tracking_denials/kernel.te | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te index 21776b79..7901bdcf 100644 --- a/tracking_denials/kernel.te +++ b/tracking_denials/kernel.te @@ -1,2 +1,4 @@ #b/228181404 -dontaudit kernel vendor_maxfg_debugfs:dir { search }; \ No newline at end of file +dontaudit kernel vendor_maxfg_debugfs:dir { search }; +#b/247905787 +dontaudit kernel vendor_votable_debugfs:dir { search }; From 768196f828d63a613c94a15ead6597972ec1a4cb Mon Sep 17 00:00:00 2001 From: Sam Ou Date: Thu, 29 Sep 2022 06:59:27 +0000 Subject: [PATCH 710/921] sepolicy: fix odpm avc denials add wakeup permissions for odpm driver since we update acc_data based on alarmtimer Bug: 250813284 Change-Id: Id7f70d02475a03e53a206dde3b8efa584cacef85 Signed-off-by: Sam Ou --- whitechapel/vendor/google/genfs_contexts | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 5c7b98c9..38147d5f 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -555,6 +555,26 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/8-001f/s2mpg10-mete genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/8-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 + +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 + # bcl sysfs files genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0 genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/tpu_heavy_clk_ratio u:object_r:sysfs_bcl:s0 From 0127869bfdb77d250d9b119b0a85a83e5ab1c626 Mon Sep 17 00:00:00 2001 From: Sam Ou Date: Thu, 29 Sep 2022 06:59:27 +0000 Subject: [PATCH 711/921] sepolicy: fix odpm avc denials add wakeup permissions for odpm driver since we update acc_data based on alarmtimer Bug: 250813284 Change-Id: Id7f70d02475a03e53a206dde3b8efa584cacef85 Merged-In: Id7f70d02475a03e53a206dde3b8efa584cacef85 Signed-off-by: Sam Ou Signed-off-by: Lucas Wei --- whitechapel/vendor/google/genfs_contexts | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 1f745777..42ae9f93 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
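Review bot: The new `wakeup` entries cover only the `i2c-s2mpg10mfd` / `i2c-s2mpg11mfd` device-name form, while the context lines directly above label `enabled_rails` under both that form and the address form (`i2c-8/8-001f`). If the PMIC can enumerate under the address form, the wakeup node there would keep the default sysfs label and the denial this commit is fixing would come back on those boots. Either add the matching address-form lines, for example `genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/8-001f/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0`, or add a comment saying why one form is enough for wakeup. The identical hunk in PATCH 711 has the same gap; its context shows the `i2c-1/1-002f` form for s2mpg11.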
@@ -355,6 +355,26 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-mete genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 + +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 + # bcl sysfs files genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0 genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/tpu_heavy_clk_ratio u:object_r:sysfs_bcl:s0 From 07a5f33a8dd3aaf013e0391dd0660343a3e609df Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Fri, 21 Oct 2022 12:19:44 +0800 Subject: [PATCH 712/921] move brcm gps solution to gs-common Bug: 254758553 Test: google map can locate on pixel Change-Id: Iaf954f3af043dc5080b0be473ed8b78b1c6d0e22 --- whitechapel/vendor/google/device.te | 3 ++- whitechapel/vendor/google/file.te | 2 -- whitechapel/vendor/google/file_contexts | 14 ----------- whitechapel/vendor/google/genfs_contexts | 4 ---- whitechapel/vendor/google/gpsd.te | 19 --------------- whitechapel/vendor/google/hal_gnss_default.te | 4 ---- whitechapel/vendor/google/lhd.te | 23 ------------------- whitechapel/vendor/google/scd.te | 17 -------------- 8 files changed, 2 insertions(+), 84 deletions(-) delete mode 100644 whitechapel/vendor/google/hal_gnss_default.te delete mode 100644 whitechapel/vendor/google/lhd.te delete mode 100644 whitechapel/vendor/google/scd.te diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index c2701d05..17dede95 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -7,7 +7,6 @@ type sda_block_device, dev_type; type mfg_data_block_device, dev_type; # Exynos devices -type vendor_gnss_device, dev_type; type vendor_toe_device, dev_type; type custom_ab_block_device, dev_type; type devinfo_block_device, dev_type; @@ -43,3 +42,5 @@ type hidraw_device, dev_type; type st54spi_device, dev_type; type st33spi_device, dev_type; +# GPS +type vendor_gnss_device, dev_type; diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 3f3c8534..0eb457cb 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -124,8 +124,6 @@ type vendor_gps_file, file_type, data_file_type; userdebug_or_eng(` typeattribute vendor_gps_file mlstrustedobject; ') -type sysfs_gps, sysfs_type, fs_type; -type sysfs_gps_assert, sysfs_type, fs_type; # Backlight type sysfs_backlight, sysfs_type, fs_type; 
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 98c76319..79e381de 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -24,9 +24,6 @@ # HALs # /(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-2]-service-gs101 u:object_r:hal_bootctl_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@1\.1-service-brcm u:object_r:hal_gnss_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@2\.0-service-brcm u:object_r:hal_gnss_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service-brcm u:object_r:hal_gnss_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate-service\.gs101 u:object_r:hal_dumpstate_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.gs101 u:object_r:hal_power_stats_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0 @@ -83,9 +80,7 @@ # Exynos Devices # /dev/gnss_ipc u:object_r:vendor_gnss_device:s0 -/dev/bbd_control u:object_r:vendor_gnss_device:s0 /dev/bbd_pwrstat u:object_r:power_stats_device:s0 -/dev/ttyBCM u:object_r:vendor_gnss_device:s0 /dev/radio0 u:object_r:radio_device:s0 /dev/dri/card0 u:object_r:graphics_device:s0 /dev/fimg2d u:object_r:graphics_device:s0 
@@ -134,20 +129,11 @@ # Exynos Daemon Exec # /(vendor|system/vendor)/bin/cbd u:object_r:cbd_exec:s0 -/(vendor|system/vendor)/bin/hw/scd u:object_r:scd_exec:s0 -/(vendor|system/vendor)/bin/hw/gpsd u:object_r:gpsd_exec:s0 -/(vendor|system/vendor)/bin/hw/lhd u:object_r:lhd_exec:s0 /(vendor|system/vendor)/bin/hw/rild_exynos u:object_r:rild_exec:s0 /(vendor|system/vendor)/bin/rfsd u:object_r:rfsd_exec:s0 /(vendor|system/vendor)/bin/sced u:object_r:sced_exec:s0 /(vendor|system/vendor)/bin/bipchmgr u:object_r:bipchmgr_exec:s0 -# -# Exynos Data Files -# -# gnss/gps data/log files -/data/vendor/gps(/.*)? u:object_r:vendor_gps_file:s0 - # # Exynos Log Files # diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 5c7b98c9..cc39236d 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -365,10 +365,6 @@ genfscon proc /nvt_selftest genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb2/2-1 u:object_r:sysfs_uhid:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb2/2-1 u:object_r:sysfs_uhid:s0 -# GPS -genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 -genfscon sysfs /devices/virtual/pps/pps0/assert_elapsed u:object_r:sysfs_gps_assert:s0 - # Display genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 diff --git a/whitechapel/vendor/google/gpsd.te b/whitechapel/vendor/google/gpsd.te index 791a02e4..79055ecc 100644 --- a/whitechapel/vendor/google/gpsd.te +++ b/whitechapel/vendor/google/gpsd.te 
@@ -1,28 +1,9 @@ type gpsd, domain; type gpsd_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(gpsd) - # Allow gpsd access PixelLogger unix socket in debug build only userdebug_or_eng(` typeattribute gpsd mlstrustedsubject; allow gpsd logger_app:unix_stream_socket connectto; ') -# Allow gpsd to obtain wakelock -wakelock_use(gpsd) -# Allow gpsd access data vendor gps files -allow gpsd vendor_gps_file:dir create_dir_perms; -allow gpsd vendor_gps_file:file create_file_perms; -allow gpsd vendor_gps_file:fifo_file create_file_perms; - -# Allow gpsd to access rild -binder_call(gpsd, rild); -allow gpsd hal_exynos_rild_hwservice:hwservice_manager find; - -# Allow gpsd to access sensor service -binder_call(gpsd, system_server); -allow gpsd fwk_sensor_hwservice:hwservice_manager find; - -# Allow gpsd to access pps gpio -allow gpsd sysfs_gps_assert:file r_file_perms; diff --git a/whitechapel/vendor/google/hal_gnss_default.te b/whitechapel/vendor/google/hal_gnss_default.te deleted file mode 100644 index e3004237..00000000 --- a/whitechapel/vendor/google/hal_gnss_default.te +++ /dev/null @@ -1,4 +0,0 @@ -# Allow hal_gnss_default access data vendor gps files -allow hal_gnss_default vendor_gps_file:dir create_dir_perms; -allow hal_gnss_default vendor_gps_file:file create_file_perms; -allow hal_gnss_default vendor_gps_file:fifo_file create_file_perms; diff --git a/whitechapel/vendor/google/lhd.te b/whitechapel/vendor/google/lhd.te deleted file mode 100644 index e980897c..00000000 --- a/whitechapel/vendor/google/lhd.te +++ /dev/null 
@@ -1,23 +0,0 @@ -type lhd, domain; -type lhd_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(lhd) - -# Allow lhd access PixelLogger unix socket in debug build only -userdebug_or_eng(` - typeattribute lhd mlstrustedsubject; - allow lhd logger_app:unix_stream_socket connectto; -') - -# Allow lhd access data vendor gps files -allow lhd vendor_gps_file:dir create_dir_perms; -allow lhd vendor_gps_file:file create_file_perms; -allow lhd vendor_gps_file:fifo_file create_file_perms; - -# Allow lhd to obtain wakelock -wakelock_use(lhd) - -# Allow lhd access /dev/bbd_control file -allow lhd vendor_gnss_device:chr_file rw_file_perms; - -# Allow lhd access nstandby gpio -allow lhd sysfs_gps:file rw_file_perms; diff --git a/whitechapel/vendor/google/scd.te b/whitechapel/vendor/google/scd.te deleted file mode 100644 index 28aaee0a..00000000 --- a/whitechapel/vendor/google/scd.te +++ /dev/null @@ -1,17 +0,0 @@ -type scd, domain; -type scd_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(scd) - -# Allow scd access PixelLogger unix socket in debug build only -userdebug_or_eng(` - typeattribute scd mlstrustedsubject; - allow scd logger_app:unix_stream_socket connectto; -') - -# Allow a base set of permissions required for network access. -net_domain(scd); - -# Allow scd access data vendor gps files -allow scd vendor_gps_file:dir create_dir_perms; -allow scd vendor_gps_file:file create_file_perms; -allow scd vendor_gps_file:fifo_file create_file_perms; From 632c5dba75358d59152180431adf3c4e84caca74 Mon Sep 17 00:00:00 2001 From: Jenny Ho Date: Fri, 28 Oct 2022 22:22:24 +0800 Subject: [PATCH 713/921] Add permission for logbuffer_bd Bug: 242679204 Change-Id: I134bf8611441274e8438fa06b5ca6c186efb331a Signed-off-by: Jenny Ho --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index da2222b2..a75eff9e 100644 
--- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -108,6 +108,7 @@ /dev/logbuffer_pca9468_tcpm u:object_r:logbuffer_device:s0 /dev/logbuffer_pca9468 u:object_r:logbuffer_device:s0 /dev/logbuffer_cpm u:object_r:logbuffer_device:s0 +/dev/logbuffer_bd u:object_r:logbuffer_device:s0 /dev/logbuffer_maxfg_monitor u:object_r:logbuffer_device:s0 /dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0 From b00f9adf6157ff13dcb955b5e7827d48644e7121 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 8 Nov 2022 10:05:37 +0800 Subject: [PATCH 714/921] remove raven touch dump Bug: 256521567 Test: adb bugreport Change-Id: Idfa891c545994f457004b99be1ddda14f971142f --- whitechapel/vendor/google/genfs_contexts | 1 - 1 file changed, 1 deletion(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 12571aa4..0b0dabf3 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -348,7 +348,6 @@ genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0 genfscon sysfs /devices/platform/10950000.spi/spi_master/spi6/spi6.0 u:object_r:sysfs_touch:s0 genfscon proc /fts/driver_test u:object_r:proc_touch:s0 genfscon proc /fts_ext/driver_test u:object_r:proc_touch:s0 -genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0 genfscon sysfs /devices/virtual/input/input2 u:object_r:sysfs_touch:s0 genfscon sysfs /devices/virtual/input/input3 u:object_r:sysfs_touch:s0 genfscon sysfs /devices/virtual/input/nvt_touch u:object_r:sysfs_touch:s0 From 84b32a700f578e8a59def6b24745070e261bdde4 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Tue, 8 Nov 2022 13:15:28 +0800 Subject: [PATCH 715/921] move edgetpu to gs-common Bug: 258114806 Test: build pass Change-Id: Ie576f6511dc60db59bc44567ff0a929506224203 --- edgetpu/device.te | 2 - edgetpu/edgetpu_app_service.te | 38 ------------- edgetpu/edgetpu_logging.te | 15 ------ edgetpu/edgetpu_vendor_service.te | 31 ----------- edgetpu/file.te | 9 ---- edgetpu/file_contexts | 30 ----------- edgetpu/genfs_contexts | 4 -- edgetpu/hal_neuralnetworks_darwinn.te | 53 ------------------- edgetpu/priv_app.te | 15 ------ edgetpu/property.te | 4 -- edgetpu/property_contexts | 3 -- edgetpu/service.te | 6 --- edgetpu/service_contexts | 9 ---- edgetpu/untrusted_app_all.te | 7 --- edgetpu/vendor_init.te | 1 - .../vendor/google}/edgetpu_dba_service.te | 0 whitechapel/vendor/google/file_contexts | 7 +++ whitechapel/vendor/google/genfs_contexts | 4 ++ whitechapel/vendor/google/priv_app.te | 5 ++ whitechapel/vendor/google/service.te | 1 + whitechapel/vendor/google/service_contexts | 3 ++ 21 files changed, 20 insertions(+), 227 deletions(-) delete mode 100644 edgetpu/device.te delete mode 100644 edgetpu/edgetpu_app_service.te delete mode 100644 edgetpu/edgetpu_logging.te delete mode 100644 edgetpu/edgetpu_vendor_service.te delete mode 100644 edgetpu/file.te delete mode 100644 edgetpu/file_contexts delete mode 100644 edgetpu/genfs_contexts delete mode 100644 edgetpu/hal_neuralnetworks_darwinn.te delete mode 100644 edgetpu/priv_app.te delete mode 100644 edgetpu/property.te delete mode 100644 edgetpu/property_contexts delete mode 100644 edgetpu/service.te delete mode 100644 edgetpu/service_contexts delete mode 100644 edgetpu/untrusted_app_all.te delete mode 100644 edgetpu/vendor_init.te rename {edgetpu => whitechapel/vendor/google}/edgetpu_dba_service.te (100%) create mode 100644 whitechapel/vendor/google/priv_app.te diff --git a/edgetpu/device.te b/edgetpu/device.te deleted file mode 100644 index 9296ba50..00000000 --- a/edgetpu/device.te +++ /dev/null 
@@ -1,2 +0,0 @@ -# EdgeTPU device (DarwiNN) -type edgetpu_device, dev_type, mlstrustedobject; diff --git a/edgetpu/edgetpu_app_service.te b/edgetpu/edgetpu_app_service.te deleted file mode 100644 index 58ce2464..00000000 --- a/edgetpu/edgetpu_app_service.te +++ /dev/null @@ -1,38 +0,0 @@ -# EdgeTPU app server process which runs the EdgeTPU binder service. -type edgetpu_app_server, coredomain, domain; -type edgetpu_app_server_exec, exec_type, system_file_type, file_type; -init_daemon_domain(edgetpu_app_server) - -# The server will use binder calls. -binder_use(edgetpu_app_server); - -# The server will serve a binder service. -binder_service(edgetpu_app_server); - -# EdgeTPU server to register the service to service_manager. -add_service(edgetpu_app_server, edgetpu_app_service); - -# EdgeTPU service needs to access /dev/abrolhos. -allow edgetpu_app_server edgetpu_device:chr_file rw_file_perms; -allow edgetpu_app_server sysfs_edgetpu:dir r_dir_perms; -allow edgetpu_app_server sysfs_edgetpu:file rw_file_perms; - -# Applications are not allowed to open the EdgeTPU device directly. -neverallow appdomain edgetpu_device:chr_file { open }; - -# Allow EdgeTPU service to access the Package Manager service. -allow edgetpu_app_server package_native_service:service_manager find; -binder_call(edgetpu_app_server, system_server); - -# Allow EdgeTPU service to read EdgeTPU service related system properties. -get_prop(edgetpu_app_server, vendor_edgetpu_service_prop); - -# Allow EdgeTPU service to generate Perfetto traces. -perfetto_producer(edgetpu_app_server); - -# Allow EdgeTPU service to connect to the EdgeTPU vendor version of the service. -allow edgetpu_app_server edgetpu_vendor_service:service_manager find; -binder_call(edgetpu_app_server, edgetpu_vendor_server); - -# Allow EdgeTPU service to log to stats service. (metrics) -allow edgetpu_app_server fwk_stats_service:service_manager find; 
diff --git a/edgetpu/edgetpu_logging.te b/edgetpu/edgetpu_logging.te deleted file mode 100644 index 8c2f0dc7..00000000 --- a/edgetpu/edgetpu_logging.te +++ /dev/null @@ -1,15 +0,0 @@ -type edgetpu_logging, domain; -type edgetpu_logging_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(edgetpu_logging) - -# The logging service accesses /dev/abrolhos -allow edgetpu_logging edgetpu_device:chr_file rw_file_perms; - -# Allows the logging service to access /sys/class/edgetpu -allow edgetpu_logging sysfs_edgetpu:dir search; -allow edgetpu_logging sysfs_edgetpu:file rw_file_perms; - -# Allow TPU logging service to log to stats service. (metrics) -allow edgetpu_logging fwk_stats_service:service_manager find; -binder_call(edgetpu_logging, system_server); -binder_use(edgetpu_logging) diff --git a/edgetpu/edgetpu_vendor_service.te b/edgetpu/edgetpu_vendor_service.te deleted file mode 100644 index 10605107..00000000 --- a/edgetpu/edgetpu_vendor_service.te +++ /dev/null 
@@ -1,31 +0,0 @@ -# EdgeTPU vendor service. -type edgetpu_vendor_server, domain; -type edgetpu_vendor_server_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(edgetpu_vendor_server) - -# The vendor service will use binder calls. -binder_use(edgetpu_vendor_server); - -# The vendor service will serve a binder service. -binder_service(edgetpu_vendor_server); - -# EdgeTPU vendor service to register the service to service_manager. -add_service(edgetpu_vendor_server, edgetpu_vendor_service); - -# Allow communications between other vendor services. -allow edgetpu_vendor_server vndbinder_device:chr_file { read write open ioctl map }; - -# Allow EdgeTPU vendor service to access its data files. -allow edgetpu_vendor_server edgetpu_vendor_service_data_file:file create_file_perms; -allow edgetpu_vendor_server edgetpu_vendor_service_data_file:dir create_dir_perms; - -# Allow EdgeTPU vendor service to access Android shared memory allocated -# by the camera hal for on-device compilation. -allow edgetpu_vendor_server hal_camera_default:fd use; - -# Allow EdgeTPU vendor service to read the kernel version. -# This is done inside the InitGoogle. -allow edgetpu_vendor_server proc_version:file r_file_perms; - -# Allow EdgeTPU vendor service to read the overcommit_memory info. -allow edgetpu_vendor_server proc_overcommit_memory:file r_file_perms; diff --git a/edgetpu/file.te b/edgetpu/file.te deleted file mode 100644 index 2482dbf3..00000000 --- a/edgetpu/file.te +++ /dev/null @@ -1,9 +0,0 @@ -# EdgeTPU sysfs -type sysfs_edgetpu, sysfs_type, fs_type; - -# EdgeTPU hal data file -type hal_neuralnetworks_darwinn_data_file, file_type, data_file_type; - -# EdgeTPU vendor service data file -type edgetpu_vendor_service_data_file, file_type, data_file_type; - diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts deleted file mode 100644 index 62002307..00000000 --- a/edgetpu/file_contexts +++ /dev/null 
@@ -1,30 +0,0 @@ -# EdgeTPU logging service -/vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0 - -# EdgeTPU device (DarwiNN) -/dev/abrolhos u:object_r:edgetpu_device:s0 - -# EdgeTPU service binaries and libraries -/system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service u:object_r:edgetpu_app_server_exec:s0 -/vendor/lib64/com\.google\.edgetpu_app_service-V[1-2]-ndk\.so u:object_r:same_process_hal_file:s0 -/vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0 - -# EdgeTPU vendor service -/vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service u:object_r:edgetpu_vendor_server_exec:s0 -/vendor/lib64/com\.google\.edgetpu_vendor_service-V[1-2]-ndk\.so u:object_r:same_process_hal_file:s0 - -# EdgeTPU runtime libraries -/vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0 - -# EdgeTPU data files -/data/vendor/edgetpu(/.*)? u:object_r:edgetpu_vendor_service_data_file:s0 -/data/vendor/hal_neuralnetworks_darwinn(/.*)? u:object_r:hal_neuralnetworks_darwinn_data_file:s0 - -# NeuralNetworks file contexts -/vendor/bin/hw/android\.hardware\.neuralnetworks@service-darwinn-aidl u:object_r:hal_neuralnetworks_darwinn_exec:s0 - -# EdgeTPU metrics logging service. -/vendor/lib64/libmetrics_logger\.so u:object_r:same_process_hal_file:s0 - -# EdgeTPU DBA service -/vendor/bin/hw/com\.google\.edgetpu.dba-service u:object_r:edgetpu_dba_server_exec:s0 diff --git a/edgetpu/genfs_contexts b/edgetpu/genfs_contexts deleted file mode 100644 index 345d2990..00000000 --- a/edgetpu/genfs_contexts +++ /dev/null @@ -1,4 +0,0 @@ -# EdgeTPU -genfscon sysfs /devices/platform/1ce00000.abrolhos u:object_r:sysfs_edgetpu:s0 -genfscon sysfs /devices/platform/abrolhos u:object_r:sysfs_edgetpu:s0 - diff --git a/edgetpu/hal_neuralnetworks_darwinn.te b/edgetpu/hal_neuralnetworks_darwinn.te deleted file mode 100644 index f301a729..00000000 
--- a/edgetpu/hal_neuralnetworks_darwinn.te
+++ /dev/null
@@ -1,53 +0,0 @@
-type hal_neuralnetworks_darwinn, domain;
-hal_server_domain(hal_neuralnetworks_darwinn, hal_neuralnetworks)
-
-type hal_neuralnetworks_darwinn_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_neuralnetworks_darwinn)
-
-# The TPU HAL looks for TPU instance in /dev/abrolhos
-allow hal_neuralnetworks_darwinn edgetpu_device:chr_file rw_file_perms;
-
-# Allow DawriNN service to use a client-provided fd residing in /vendor/etc/.
-allow hal_neuralnetworks_darwinn vendor_configs_file:file r_file_perms;
-
-# Allow DarwiNN service to access data files.
-allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:file create_file_perms;
-allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:dir rw_dir_perms;
-
-# Allow DarwiNN service to access unix sockets for IPC.
-allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:sock_file { create unlink rw_file_perms };
-
-# Register to hwbinder service.
-# add_hwservice() is granted by hal_server_domain + hal_neuralnetworks.te
-hwbinder_use(hal_neuralnetworks_darwinn)
-get_prop(hal_neuralnetworks_darwinn, hwservicemanager_prop)
-
-# Allow TPU HAL to read the kernel version.
-# This is done inside the InitGoogle.
-allow hal_neuralnetworks_darwinn proc_version:file r_file_perms;
-
-# Allow TPU NNAPI HAL to log to stats service. (metrics)
-allow hal_neuralnetworks_darwinn fwk_stats_service:service_manager find;
-binder_call(hal_neuralnetworks_darwinn, system_server);
-binder_use(hal_neuralnetworks_darwinn)
-
-# Allow TPU NNAPI HAL to request power hints from the Power Service
-hal_client_domain(hal_neuralnetworks_darwinn, hal_power)
-
-# TPU NNAPI to register the service to service_manager.
-add_service(hal_neuralnetworks_darwinn, edgetpu_nnapi_service);
-
-# Allow TPU NNAPI HAL to read the overcommit_memory info.
-allow hal_neuralnetworks_darwinn proc_overcommit_memory:file r_file_perms;
-
-# Allows the logging service to access /sys/class/edgetpu
-allow hal_neuralnetworks_darwinn sysfs_edgetpu:dir r_dir_perms;
-allow hal_neuralnetworks_darwinn sysfs_edgetpu:file r_file_perms;
-
-# Allows the NNAPI HAL to access the edgetpu_app_service
-allow hal_neuralnetworks_darwinn edgetpu_app_service:service_manager find;
-binder_call(hal_neuralnetworks_darwinn, edgetpu_app_server);
-
-# Allow NNAPI HAL to send trace packets to Perfetto with SELinux enabled
-# under userdebug builds.
-userdebug_or_eng(`perfetto_producer(hal_neuralnetworks_darwinn)')
diff --git a/edgetpu/priv_app.te b/edgetpu/priv_app.te deleted file mode 100644
index 63f76b8a..00000000
--- a/edgetpu/priv_app.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# Allows privileged applications to discover the EdgeTPU service.
-allow priv_app edgetpu_app_service:service_manager find;
-
-# Allows privileged applications to discover the NNAPI TPU service.
-allow priv_app edgetpu_nnapi_service:service_manager find;
-
-# Allows privileged applications to access the EdgeTPU device, except open,
-# which is guarded by the EdgeTPU service.
-allow priv_app edgetpu_device:chr_file { getattr read write ioctl map };
-
-# Allows privileged applications to access the PowerHAL.
-hal_client_domain(priv_app, hal_power)
-
-# Allows privileged applications to discover the EdgeTPU DBA service.
-allow priv_app edgetpu_dba_service:service_manager find;
diff --git a/edgetpu/property.te b/edgetpu/property.te deleted file mode 100644
index ed93d448..00000000
--- a/edgetpu/property.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# EdgeTPU service requires system public properties
-# since it lives under /system_ext/.
-system_public_prop(vendor_edgetpu_service_prop)
-
diff --git a/edgetpu/property_contexts b/edgetpu/property_contexts deleted file mode 100644
index 130cfefe..00000000
--- a/edgetpu/property_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-# for EdgeTPU
-vendor.edgetpu.service. u:object_r:vendor_edgetpu_service_prop:s0
-
diff --git a/edgetpu/service.te b/edgetpu/service.te deleted file mode 100644
index 08658685..00000000
--- a/edgetpu/service.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# EdgeTPU binder service type declaration.
-type edgetpu_app_service, service_manager_type;
-
-type edgetpu_vendor_service, service_manager_type, hal_service_type;
-type edgetpu_nnapi_service, app_api_service, service_manager_type;
-type edgetpu_dba_service, app_api_service, service_manager_type;
diff --git a/edgetpu/service_contexts b/edgetpu/service_contexts deleted file mode 100644
index 23a0fab8..00000000
--- a/edgetpu/service_contexts
+++ /dev/null
@@ -1,9 +0,0 @@
-# EdgeTPU service
-com.google.edgetpu.IEdgeTpuAppService/default u:object_r:edgetpu_app_service:s0
-com.google.edgetpu.IEdgeTpuVendorService/default u:object_r:edgetpu_vendor_service:s0
-
-# TPU NNAPI Service
-android.hardware.neuralnetworks.IDevice/google-edgetpu u:object_r:edgetpu_nnapi_service:s0
-
-# EdgeTPU DBA Service
-com.google.edgetpu.dba.IDevice/default u:object_r:edgetpu_dba_service:s0
diff --git a/edgetpu/untrusted_app_all.te b/edgetpu/untrusted_app_all.te deleted file mode 100644
index 9abec616..00000000
--- a/edgetpu/untrusted_app_all.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# Allows applications to discover the EdgeTPU service.
-allow untrusted_app_all edgetpu_app_service:service_manager find;
-
-# Allows applications to access the EdgeTPU device, except open, which is guarded
-# by the EdgeTPU service.
-allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };
-
diff --git a/edgetpu/vendor_init.te b/edgetpu/vendor_init.te deleted file mode 100644
index aec79583..00000000
--- a/edgetpu/vendor_init.te
+++ /dev/null
@@ -1 +0,0 @@
-set_prop(vendor_init, vendor_edgetpu_service_prop)
diff --git a/edgetpu/edgetpu_dba_service.te b/whitechapel/vendor/google/edgetpu_dba_service.te similarity index 100% rename from edgetpu/edgetpu_dba_service.te rename to whitechapel/vendor/google/edgetpu_dba_service.te diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 5a9738a0..ca85bf7f 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -27,6 +27,10 @@ /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate-service\.gs101 u:object_r:hal_dumpstate_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.gs101 u:object_r:hal_power_stats_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0 + +# EdgeTPU DBA service +/vendor/bin/hw/com\.google\.edgetpu.dba-service u:object_r:edgetpu_dba_server_exec:s0 + # Wireless charger HAL /(vendor|system/vendor)/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 @@ -113,6 +117,9 @@ /dev/umts_dm0 u:object_r:radio_device:s0 /dev/umts_router u:object_r:radio_device:s0 +# EdgeTPU device (DarwiNN) +/dev/abrolhos u:object_r:edgetpu_device:s0 + # OEM IPC device /dev/oem_ipc[0-7] u:object_r:radio_device:s0 diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 12571aa4..ad4b887b 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
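Review bot: The added `file_contexts` pattern for the DBA service leaves one dot unescaped, in `edgetpu.dba-service`, so that position matches any character instead of a literal dot. Every other dot in the entry and in the neighbouring entries is escaped; the line should read `/vendor/bin/hw/com\.google\.edgetpu\.dba-service u:object_r:edgetpu_dba_server_exec:s0`. The practical effect is small, since a stray file would need a near-identical name under /vendor/bin/hw, but an executable label is worth matching exactly. The entry is also the only one in this group without the `(vendor|system/vendor)` prefix its neighbours use; worth confirming that is intended.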
@@ -17,6 +17,10 @@ genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:ob genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0 +# EdgeTPU +genfscon sysfs /devices/platform/1ce00000.abrolhos u:object_r:sysfs_edgetpu:s0 +genfscon sysfs /devices/platform/abrolhos u:object_r:sysfs_edgetpu:s0 + # WiFi genfscon sysfs /wifi u:object_r:sysfs_wifi:s0 # Battery diff --git a/whitechapel/vendor/google/priv_app.te b/whitechapel/vendor/google/priv_app.te new file mode 100644 index 00000000..9d2aa14d --- /dev/null +++ b/whitechapel/vendor/google/priv_app.te @@ -0,0 +1,5 @@ +# Allows privileged applications to access the PowerHAL. +hal_client_domain(priv_app, hal_power) + +# Allows privileged applications to discover the EdgeTPU DBA service. +allow priv_app edgetpu_dba_service:service_manager find; diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te index b87c99e1..7d105d49 100644 --- a/whitechapel/vendor/google/service.te +++ b/whitechapel/vendor/google/service.te @@ -1,2 +1,3 @@ type hal_pixel_display_service, service_manager_type, hal_service_type; type hal_uwb_vendor_service, service_manager_type, hal_service_type; +type edgetpu_dba_service, app_api_service, service_manager_type; diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index 25108867..d00c633e 100644 --- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts @@ -1,3 +1,6 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0 android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0 + +# EdgeTPU DBA Service +com.google.edgetpu.dba.IDevice/default u:object_r:edgetpu_dba_service:s0 
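Review bot: In `service.te`, `edgetpu_dba_service` carries the `app_api_service` attribute, which in the platform policy (as far as I know) already lets app domains, untrusted apps included, `find` the service. That makes the explicit `allow priv_app edgetpu_dba_service:service_manager find;` in the new `priv_app.te` likely redundant, and its comment understates who can look the service up. If the DBA service is meant for privileged apps only, the type should drop the attribute: `type edgetpu_dba_service, service_manager_type;`. If broad lookup is intended, a comment on the type saying so would help, because the service's own Binder-side checks are then the only gate.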
From 90aeb6e15cef4087947dab96f91a478a2f52242d Mon Sep 17 00:00:00 2001 From: joenchen Date: Wed, 7 Sep 2022 12:55:19 +0000 Subject: [PATCH 716/921] RRS: Apply the default config from persist prop vendor_config plays as another role to control the display config during the boot time. To change the default configuration of the user selected mode, we use persist config to store the value. Bug: 244492960 Test: Boot w/ and w/o user selected configs and check the resolution Change-Id: Ic3eb4e1c8a2c5eed83d10799a1965dd7a6be58e1 --- display/gs101/hal_graphics_composer_default.te | 4 ++-- whitechapel/vendor/google/property_contexts | 1 + whitechapel/vendor/google/vendor_init.te | 3 +++ 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/display/gs101/hal_graphics_composer_default.te b/display/gs101/hal_graphics_composer_default.te index c1eac9ce..dccddf0e 100644 --- a/display/gs101/hal_graphics_composer_default.te +++ b/display/gs101/hal_graphics_composer_default.te @@ -25,8 +25,8 @@ allow hal_graphics_composer_default sysfs_leds:file rw_file_perms; # allow HWC to get vendor_persist_sys_default_prop get_prop(hal_graphics_composer_default, vendor_persist_sys_default_prop) -# allow HWC to get vendor_display_prop -get_prop(hal_graphics_composer_default, vendor_display_prop) +# allow HWC to get/set vendor_display_prop +set_prop(hal_graphics_composer_default, vendor_display_prop) # allow HWC to get device_config_surface_flinger_native_boot_prop for adpf flags get_prop(hal_graphics_composer_default, device_config_surface_flinger_native_boot_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 5eba1f8d..9f4e8dc9 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts 
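Review bot: Switching HWC from `get_prop` to `set_prop` on `vendor_display_prop` gives it write access to every property carrying that label, not only the persisted config this commit is about. The same commit labels the whole `persist.vendor.display.` prefix with this type next to `ro.vendor.hwc.drm.device`, and patch 718 lets `hal_input_processor_default` read it, so one type now covers the DRM device selection, the user-selected mode and values consumed by another HAL. A dedicated type for the persisted mode (placeholder name `vendor_display_config_prop`) with `set_prop` limited to it would keep the write grant narrow; at minimum the comment should name the property HWC writes. The rules before and after this hunk are outside the view.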
@@ -65,6 +65,7 @@ vendor.audiodump.encode.disable u:object_r:vendor_audio_prop:s0 # for display ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0 +persist.vendor.display. u:object_r:vendor_display_prop:s0 # for camera persist.vendor.camera. u:object_r:vendor_camera_prop:s0 diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index dfd8e996..9686bccb 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -35,3 +35,6 @@ set_prop(vendor_init, vendor_battery_defender_prop) # Fingerprint property set_prop(vendor_init, vendor_fingerprint_prop) + +# Display +set_prop(vendor_init, vendor_display_prop) From bd36256badf8e1fe2ab1990653291b4e91b89740 Mon Sep 17 00:00:00 2001 From: Rick Chen Date: Tue, 8 Nov 2022 22:41:26 +0800 Subject: [PATCH 717/921] Allow CHRE to use EPOLLWAKEUP [DO NOT MERGE] avc: denied { block_suspend } for comm="UsfTransport" capability=36 scontext=u:r:chre:s0 tcontext=u:r:chre:s0 tclass=capability2 permissive=0 Bug: 238666865 Test: Check no chre avc denied. Change-Id: Ifd2c37c58c548aec46a2c46891a1fc4d1f83f9be Signed-off-by: Rick Chen --- whitechapel/vendor/google/chre.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/chre.te b/whitechapel/vendor/google/chre.te index 9dfd9bf6..26c1675f 100644 --- a/whitechapel/vendor/google/chre.te +++ b/whitechapel/vendor/google/chre.te @@ -23,3 +23,5 @@ allow chre hal_wifi_ext_hwservice:hwservice_manager find; allow chre fwk_stats_service:service_manager find; binder_call(chre, stats_service_server) +# Allow CHRE to block suspend, which is required to use EPOLLWAKEUP. +allow chre self:global_capability2_class_set block_suspend; From c76556752479a59b7ba006d45792e9ff152e7292 Mon Sep 17 00:00:00 2001 
From: Siarhei Vishniakou Date: Thu, 16 Jun 2022 15:59:46 -0700 Subject: [PATCH 718/921] Allow InputProcessor HAL to read display resolution Currently, there's no API to read the resolution from the system domain, so the HAL has to read this from the sysprop provided by the display code. Allow the HAL to do so in this CL. Bug: 244492960 Test: adb shell dmesg | grep input_processor Change-Id: Ibdc3589234bbee8641e3c1f7a300b622803ca1a9 --- whitechapel/vendor/google/hal_input_processor_default.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 whitechapel/vendor/google/hal_input_processor_default.te diff --git a/whitechapel/vendor/google/hal_input_processor_default.te b/whitechapel/vendor/google/hal_input_processor_default.te new file mode 100644 index 00000000..00d4c695 --- /dev/null +++ b/whitechapel/vendor/google/hal_input_processor_default.te @@ -0,0 +1,2 @@ +# allow InputProcessor HAL to read the display resolution system property +get_prop(hal_input_processor_default, vendor_display_prop) From d140706db9bc8c39b9e560741db28b9e7cbab068 Mon Sep 17 00:00:00 2001 From: Rick Chen Date: Tue, 8 Nov 2022 22:41:26 +0800 Subject: [PATCH 719/921] Allow CHRE to use EPOLLWAKEUP avc: denied { block_suspend } for comm="UsfTransport" capability=36 scontext=u:r:chre:s0 tcontext=u:r:chre:s0 tclass=capability2 permissive=0 Bug: 238666865 Test: Check no chre avc denied. Change-Id: Ifd2c37c58c548aec46a2c46891a1fc4d1f83f9be Signed-off-by: Rick Chen --- whitechapel/vendor/google/chre.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/chre.te b/whitechapel/vendor/google/chre.te index 7cedce68..2531af89 100644 --- a/whitechapel/vendor/google/chre.te +++ b/whitechapel/vendor/google/chre.te @@ -27,3 +27,5 @@ binder_call(chre, stats_service_server) # Allow CHRE to use WakeLock wakelock_use(chre) +# Allow CHRE to block suspend, which is required to use EPOLLWAKEUP. +allow chre self:global_capability2_class_set block_suspend; 
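Review bot: The added `allow chre self:global_capability2_class_set block_suspend;` sits directly after `wakelock_use(chre)`, and to my knowledge that macro already grants `block_suspend` on `self`, so in this branch the rule looks redundant. If it is kept for parity with the `[DO NOT MERGE]` variant (patch 717, whose hunk context shows no `wakelock_use`), the comment should say so, e.g. `# block_suspend is also granted by wakelock_use(); kept explicit for EPOLLWAKEUP`. Otherwise the two added lines can be dropped here. The rest of `chre.te` is outside the hunk.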
From ea632b0eb11dfeb13d391012dccbb286109cf9f0 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 10 Nov 2022 15:02:08 +0800 Subject: [PATCH 720/921] move sensors dump to gs-common Bug: 250475720 Test: adb bugreport Change-Id: I1cadc20635358c72c9571a2abaa7055efcc50adc --- whitechapel/vendor/google/file.te | 2 -- whitechapel/vendor/google/file_contexts | 2 -- whitechapel/vendor/google/hal_dumpstate_default.te | 8 -------- 3 files changed, 12 deletions(-) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 0eb457cb..0aa0ec1b 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -47,8 +47,6 @@ type vendor_fw_file, vendor_file_type, file_type; type sysfs_acpm_stats, sysfs_type, fs_type; # Vendor tools -type vendor_usf_stats, vendor_file_type, file_type; -type vendor_usf_reg_edit, vendor_file_type, file_type; type vendor_dumpsys, vendor_file_type, file_type; # Sensors diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index ca85bf7f..eb6ac79e 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -16,8 +16,6 @@ /(vendor|system/vendor)/lib(64)?/libdmabufheap\.so u:object_r:same_process_hal_file:s0 /(vendor|system/vendor)/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0 -/vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0 -/vendor/bin/usf_reg_edit u:object_r:vendor_usf_reg_edit:s0 /vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0 # diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index b1f59800..0c461592 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te 
@@ -33,13 +33,7 @@ get_prop(hal_dumpstate_default, vendor_camera_debug_prop); allow hal_dumpstate_default vendor_log_file:dir search; -allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans; -allow hal_dumpstate_default vendor_usf_reg_edit:file execute_no_trans; allow hal_dumpstate_default vendor_dumpsys:file execute_no_trans; -userdebug_or_eng(` - allow hal_dumpstate_default sensor_debug_data_file:dir r_dir_perms; - allow hal_dumpstate_default sensor_debug_data_file:file r_file_perms; -') allow hal_dumpstate_default sysfs_acpm_stats:dir r_dir_perms; allow hal_dumpstate_default sysfs_acpm_stats:file r_file_perms; @@ -47,9 +41,7 @@ allow hal_dumpstate_default sysfs_acpm_stats:file r_file_perms; allow hal_dumpstate_default sysfs_spi:dir search; allow hal_dumpstate_default sysfs_spi:file rw_file_perms; -allow hal_dumpstate_default device:dir r_dir_perms; allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms; -allow hal_dumpstate_default aoc_device:chr_file rw_file_perms; allow hal_dumpstate_default sysfs_wifi:dir search; allow hal_dumpstate_default sysfs_wifi:file r_file_perms; From 36dc4e181da6e9d3493a68b5076d6b8a05fa8828 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 15 Nov 2022 14:02:15 +0800 Subject: [PATCH 721/921] move thermal dump to gs-common Bug: 257880034 Test: adb bugreport Change-Id: Ib3efb17fcc3f69fac565599cffb06eff83e7cc8e --- whitechapel/vendor/google/file_contexts | 5 ----- whitechapel/vendor/google/genfs_contexts | 3 --- whitechapel/vendor/google/hal_dumpstate_default.te | 4 ---- 3 files changed, 12 deletions(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index eb6ac79e..78b5983f 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -230,11 +230,6 @@ /vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_exec:s0 /data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0 -# thermal sysfs files -/sys/class/thermal(/.*)? u:object_r:sysfs_thermal:s0 -/sys/devices/virtual/thermal(/.*)? u:object_r:sysfs_thermal:s0 - - # IMS VoWiFi /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 /data/vendor/VoWiFi(/.*)? u:object_r:vendor_ims_data_file:s0 diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index ad4b887b..210a4d6a 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -709,9 +709,6 @@ genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_ genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0 -# thermal sysfs files -genfscon sysfs /module/gs101_thermal/parameters u:object_r:sysfs_thermal:s0 - # USB-C throttling stats genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0 diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 0c461592..d3cbd6d6 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te 
@@ -51,10 +51,6 @@ allow hal_dumpstate_default sysfs_touch:dir r_dir_perms; allow hal_dumpstate_default sysfs_touch:file rw_file_perms; allow hal_dumpstate_default proc_touch:file rw_file_perms; -allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms; -allow hal_dumpstate_default sysfs_thermal:file r_file_perms; -allow hal_dumpstate_default sysfs_thermal:lnk_file read; - # Modem logs allow hal_dumpstate_default modem_efs_file:dir search; allow hal_dumpstate_default modem_efs_file:file r_file_perms; From 2db05a27596e26ec54c3b777dc810e698c9d10e1 Mon Sep 17 00:00:00 2001 From: Salmax Chang Date: Thu, 17 Nov 2022 13:47:57 +0800 Subject: [PATCH 722/921] modem_svc_sit: grant the modem property access Bug: 250779114 Change-Id: I17a3c12d2610c34191ba150ac6fb3a2ac6da2d23 --- whitechapel/vendor/google/modem_svc_sit.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/modem_svc_sit.te b/whitechapel/vendor/google/modem_svc_sit.te index d5540e31..63dec363 100644 --- a/whitechapel/vendor/google/modem_svc_sit.te +++ b/whitechapel/vendor/google/modem_svc_sit.te @@ -30,3 +30,6 @@ get_prop(modem_svc_sit, hwservicemanager_prop) # logging property get_prop(modem_svc_sit, vendor_logger_prop) + +# Modem property +set_prop(modem_svc_sit, vendor_modem_prop) From 7aeb6fe8e79e7f3a8a3e65eab86b8fab46816c8f Mon Sep 17 00:00:00 2001 
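Review bot: The comment `# Modem property` does not say which property `modem_svc_sit` writes or why it needs write access and not just read access, and the commit message gives no more detail. `set_prop` covers every property labelled `vendor_modem_prop`; if the service only reads them, `get_prop(modem_svc_sit, vendor_modem_prop)` is the narrower grant. If it does write, name the property in the comment, e.g. `# modem_svc_sit sets <property name> to report <state>`, so a later audit can tell whether the grant is still needed.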
From: Stephen Crane Date: Tue, 22 Nov 2022 22:30:24 +0000 Subject: [PATCH 723/921] Allow Trusty storageproxy property Allows the Trusty storageproxyd to set ro.vendor.trusty.storage.fs_ready when the data filesystems are ready for use, and allows vendor init to query and wait on this property. Test: m raven-userdebug, flash, test app loading Bug: 258018785 Change-Id: If995d35be490fbca6c99ef9f73f2842f5c488bd4 --- whitechapel/vendor/google/property.te | 3 +++ whitechapel/vendor/google/property_contexts | 3 +++ whitechapel/vendor/google/storageproxyd.te | 2 ++ whitechapel/vendor/google/vendor_init.te | 3 +++ 4 files changed, 11 insertions(+) diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 02c40756..b792d530 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -50,3 +50,6 @@ vendor_internal_prop(vendor_dynamic_sensor_prop) # UWB calibration system_vendor_config_prop(vendor_uwb_calibration_prop) + +# Trusty storage FS ready +vendor_internal_prop(vendor_trusty_storage_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 38abacb3..b663df4b 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -95,3 +95,6 @@ vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor # uwb ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string + +# Trusty +ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te index 9b0289cc..e803c0c6 100644 --- a/whitechapel/vendor/google/storageproxyd.te +++ b/whitechapel/vendor/google/storageproxyd.te 
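Review bot: The new `property_contexts` entry for `ro.vendor.trusty.storage.fs_ready` has no match qualifier, so it is treated as a prefix and any property whose name starts with that string receives the `vendor_trusty_storage_prop` label. Since this is a single, fully spelled-out name, an exact, typed entry is tighter: `ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 exact bool` (use the value type storageproxyd actually writes; `bool` is an assumption). The entry just above it in the hunk already uses the `exact string` form. The same line is repeated in patches 724 and 725.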
@@ -18,3 +18,5 @@ read_fstab(tee) # storageproxyd starts before /data is mounted. It handles /data not being there # gracefully. However, attempts to access /data trigger a denial. dontaudit tee unlabeled:dir { search }; + +set_prop(tee, vendor_trusty_storage_prop) diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 9686bccb..8ebe5e52 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -38,3 +38,6 @@ set_prop(vendor_init, vendor_fingerprint_prop) # Display set_prop(vendor_init, vendor_display_prop) + +# Trusty storage FS ready +get_prop(vendor_init, vendor_trusty_storage_prop) From 502c76f22b6b06adc0784cfe9e20364cd2348d06 Mon Sep 17 00:00:00 2001 From: Stephen Crane Date: Tue, 22 Nov 2022 22:30:24 +0000 Subject: [PATCH 724/921] Allow Trusty storageproxy property Allows the Trusty storageproxyd to set ro.vendor.trusty.storage.fs_ready when the data filesystems are ready for use, and allows vendor init to query and wait on this property. Test: m raven-userdebug, flash, test app loading Bug: 258018785 Change-Id: If995d35be490fbca6c99ef9f73f2842f5c488bd4 Merged-In: If995d35be490fbca6c99ef9f73f2842f5c488bd4 --- whitechapel/vendor/google/property.te | 3 +++ whitechapel/vendor/google/property_contexts | 3 +++ whitechapel/vendor/google/storageproxyd.te | 2 ++ whitechapel/vendor/google/vendor_init.te | 3 +++ 4 files changed, 11 insertions(+) diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 31ee4b8f..70c72b68 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -55,3 +55,6 @@ vendor_internal_prop(vendor_dynamic_sensor_prop) # UWB calibration system_vendor_config_prop(vendor_uwb_calibration_prop) + +# Trusty storage FS ready +vendor_internal_prop(vendor_trusty_storage_prop) 
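Review bot: `set_prop(tee, vendor_trusty_storage_prop)` is added without a comment, and the grant goes to the `tee` domain as a whole, not to something specific to storageproxyd. A one-line comment would record the intent, e.g. `# storageproxyd sets ro.vendor.trusty.storage.fs_ready once its data filesystems are usable`. Because `vendor_init` waits on this property, it is worth confirming that nothing else running as `tee` is expected to set it. The start of `storageproxyd.te` is outside the hunk; the same addition appears in patches 724 and 725.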
diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index eabb6f69..0dd3d463 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -117,3 +117,6 @@ vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor # uwb ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string + +# Trusty +ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te index ada64441..bf29cbf2 100644 --- a/whitechapel/vendor/google/storageproxyd.te +++ b/whitechapel/vendor/google/storageproxyd.te @@ -19,3 +19,5 @@ read_fstab(tee) # storageproxyd starts before /data is mounted. It handles /data not being there # gracefully. However, attempts to access /data trigger a denial. dontaudit tee unlabeled:dir { search }; + +set_prop(tee, vendor_trusty_storage_prop) diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 9686bccb..8ebe5e52 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -38,3 +38,6 @@ set_prop(vendor_init, vendor_fingerprint_prop) # Display set_prop(vendor_init, vendor_display_prop) + +# Trusty storage FS ready +get_prop(vendor_init, vendor_trusty_storage_prop) From 4519dff25261ca935a67e2ecf313acf0c97bae52 Mon Sep 17 00:00:00 2001 
From: Stephen Crane Date: Tue, 22 Nov 2022 07:18:59 +0000 Subject: [PATCH 725/921] Allow Trusty storageproxy property Allows the Trusty storageproxyd to set ro.vendor.trusty.storage.fs_ready when the data filesystems are ready for use, and allows vendor init to query and wait on this property. Test: m raven-userdebug, flash, test app loading Bug: 258018785 Change-Id: If995d35be490fbca6c99ef9f73f2842f5c488bd4 Merged-In: If995d35be490fbca6c99ef9f73f2842f5c488bd4 --- whitechapel/vendor/google/property.te | 3 +++ whitechapel/vendor/google/property_contexts | 3 +++ whitechapel/vendor/google/storageproxyd.te | 2 ++ whitechapel/vendor/google/vendor_init.te | 3 +++ 4 files changed, 11 insertions(+) diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 31ee4b8f..70c72b68 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -55,3 +55,6 @@ vendor_internal_prop(vendor_dynamic_sensor_prop) # UWB calibration system_vendor_config_prop(vendor_uwb_calibration_prop) + +# Trusty storage FS ready +vendor_internal_prop(vendor_trusty_storage_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 5eba1f8d..b56b86ab 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -114,3 +114,6 @@ vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor # uwb ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string + +# Trusty +ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te index 9b0289cc..e803c0c6 100644 --- a/whitechapel/vendor/google/storageproxyd.te +++ b/whitechapel/vendor/google/storageproxyd.te 
@@ -18,3 +18,5 @@ read_fstab(tee) # storageproxyd starts before /data is mounted. It handles /data not being there # gracefully. However, attempts to access /data trigger a denial. dontaudit tee unlabeled:dir { search }; + +set_prop(tee, vendor_trusty_storage_prop) diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index dfd8e996..a27c5caa 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -35,3 +35,6 @@ set_prop(vendor_init, vendor_battery_defender_prop) # Fingerprint property set_prop(vendor_init, vendor_fingerprint_prop) + +# Trusty storage FS ready +get_prop(vendor_init, vendor_trusty_storage_prop) From 702b5768e6447800dbc8b7518ddb8bc65fb39d6d Mon Sep 17 00:00:00 2001 From: Ziyi Cui Date: Thu, 17 Nov 2022 19:14:01 +0000 Subject: [PATCH 726/921] gs101-sepolicy: pixelstats: enable pixelstats access to temp-residency-metrics enable pixelstats access to sysfs path Bug: 246799997 Test: Verified the existence of atom and correctness of atom stats Change-Id: If329f2a65ed4cf347bd57150c637d38312f3dcb1 Signed-off-by: Ziyi Cui --- whitechapel/vendor/google/pixelstats_vendor.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te index f0cca685..ccc572d2 100644 --- a/whitechapel/vendor/google/pixelstats_vendor.te +++ b/whitechapel/vendor/google/pixelstats_vendor.te @@ -23,6 +23,10 @@ allow pixelstats_vendor fwk_sensor_hwservice:hwservice_manager find; # Batery history allow pixelstats_vendor battery_history_device:chr_file r_file_perms; +#vendor-metrics +r_dir_file(pixelstats_vendor, sysfs_vendor_metrics) +allow pixelstats_vendor sysfs_vendor_metrics:lnk_file r_file_perms; + # BCL allow pixelstats_vendor sysfs_bcl:dir search; allow pixelstats_vendor sysfs_bcl:file r_file_perms; From 3ed3d201333e686078b2c2f8dcd87ee41bf220d0 Mon Sep 17 00:00:00 2001 
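Review bot: In the `pixelstats_vendor.te` hunk, the second added rule, `allow pixelstats_vendor sysfs_vendor_metrics:lnk_file r_file_perms;`, repeats what `r_dir_file(pixelstats_vendor, sysfs_vendor_metrics)` on the line before already grants; as far as I know that macro expands to `dir r_dir_perms` plus `{ file lnk_file } r_file_perms`. It can be dropped. The comment `#vendor-metrics` would also read better in the form the rest of the file uses, e.g. `# Vendor metrics: temp-residency stats under sysfs`. The rest of the file is outside the hunk.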
From: Cheng Chang Date: Wed, 23 Nov 2022 07:01:46 +0000 Subject: [PATCH 727/921] gps: nstandby path depend on platform Bug: 259353063 Test: no avc denied about nstandby Change-Id: Ia90cf2d66e4f6071f38db815d4458889b278f025 --- whitechapel/vendor/google/genfs_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 2e1084dc..26151e91 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -368,6 +368,9 @@ genfscon proc /nvt_selftest genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb2/2-1 u:object_r:sysfs_uhid:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb2/2-1 u:object_r:sysfs_uhid:s0 +# GPS +genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 + # Display genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 From 35492ad70f7d446954ec4c5d30215e9150d18edf Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 28 Nov 2022 14:08:51 +0800 Subject: [PATCH 728/921] use touch dump from gs-common Bug: 256521567 Test: adb bugreport Change-Id: I02a5831e6282eb431f2cbf89941ef188e801bd09 --- whitechapel/vendor/google/file.te | 4 ---- whitechapel/vendor/google/genfs_contexts | 17 ----------------- .../vendor/google/hal_dumpstate_default.te | 6 ------ 3 files changed, 27 deletions(-) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 0aa0ec1b..d76960c8 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te 
@@ -84,10 +84,6 @@ type bootdevice_sysdev, dev_type; # ZRam type per_boot_file, file_type, data_file_type, core_data_file_type; -# Touch -type proc_touch, proc_type, fs_type, mlstrustedobject; -type sysfs_touch, sysfs_type, fs_type; - # RILD type rild_vendor_data_file, file_type, data_file_type; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 26151e91..72ba7811 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -347,23 +347,6 @@ genfscon sysfs /devices/platform/gpio_keys/wakeup genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/sound-aoc/wakeup u:object_r:sysfs_wakeup:s0 -# Touch -genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0 -genfscon sysfs /devices/platform/10950000.spi/spi_master/spi6/spi6.0 u:object_r:sysfs_touch:s0 -genfscon proc /fts/driver_test u:object_r:proc_touch:s0 -genfscon proc /fts_ext/driver_test u:object_r:proc_touch:s0 -genfscon sysfs /devices/virtual/input/input2 u:object_r:sysfs_touch:s0 -genfscon sysfs /devices/virtual/input/input3 u:object_r:sysfs_touch:s0 -genfscon sysfs /devices/virtual/input/nvt_touch u:object_r:sysfs_touch:s0 -genfscon proc /nvt_baseline u:object_r:proc_touch:s0 -genfscon proc /nvt_cc_uniformity u:object_r:proc_touch:s0 -genfscon proc /nvt_diff u:object_r:proc_touch:s0 -genfscon proc /nvt_fw_version u:object_r:proc_touch:s0 -genfscon proc /nvt_heatmap u:object_r:proc_touch:s0 -genfscon proc /nvt_pen_diff u:object_r:proc_touch:s0 -genfscon proc /nvt_raw u:object_r:proc_touch:s0 -genfscon proc /nvt_selftest u:object_r:proc_touch:s0 - # Input genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb2/2-1 u:object_r:sysfs_uhid:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb2/2-1 u:object_r:sysfs_uhid:s0 
diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index d3cbd6d6..10f9b38a 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -46,11 +46,6 @@ allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms; allow hal_dumpstate_default sysfs_wifi:dir search; allow hal_dumpstate_default sysfs_wifi:file r_file_perms; -# Touch sysfs interface -allow hal_dumpstate_default sysfs_touch:dir r_dir_perms; -allow hal_dumpstate_default sysfs_touch:file rw_file_perms; -allow hal_dumpstate_default proc_touch:file rw_file_perms; - # Modem logs allow hal_dumpstate_default modem_efs_file:dir search; allow hal_dumpstate_default modem_efs_file:file r_file_perms; @@ -60,7 +55,6 @@ allow hal_dumpstate_default block_device:dir r_dir_perms; allow hal_dumpstate_default proc_f2fs:dir r_dir_perms; allow hal_dumpstate_default proc_f2fs:file r_file_perms; -allow hal_dumpstate_default proc_touch:file rw_file_perms; allow hal_dumpstate_default sysfs_batteryinfo:dir search; allow hal_dumpstate_default sysfs_batteryinfo:dir r_dir_perms; From dc7ea2f09b1fc164d2b5201fa134e99dc2fac651 Mon Sep 17 00:00:00 2001 From: Nicolas Geoffray Date: Mon, 28 Nov 2022 09:31:01 +0000 Subject: [PATCH 729/921] Allow ssr_detector_app writes to system_app_data_file. Bug: 260557058 Change-Id: I65697c3afb9cfd11d5235d15aa20633f1a96fdbb --- whitechapel/vendor/google/ssr_detector.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te index 934028e1..e638566d 100644 --- a/whitechapel/vendor/google/ssr_detector.te +++ b/whitechapel/vendor/google/ssr_detector.te 
@@ -4,7 +4,8 @@ app_domain(ssr_detector_app) allow ssr_detector_app app_api_service:service_manager find; allow ssr_detector_app radio_service:service_manager find; -allow ssr_detector_app system_app_data_file:dir r_dir_perms; +allow ssr_detector_app system_app_data_file:dir rw_dir_perms; +allow ssr_detector_app system_app_data_file:file rw_file_perms; allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; From 1af71fc9ff1381cb64e179059c282406e4918d58 Mon Sep 17 00:00:00 2001 From: Nicolas Geoffray Date: Mon, 28 Nov 2022 09:31:01 +0000 Subject: [PATCH 730/921] Allow ssr_detector_app writes to system_app_data_file. Bug: 260557058 Test: m (cherry picked from commit dc7ea2f09b1fc164d2b5201fa134e99dc2fac651) Merged-In: I65697c3afb9cfd11d5235d15aa20633f1a96fdbb Change-Id: Iaeb69d0c1e46e3e28cd75109ebfe3c494dd7c150 --- whitechapel/vendor/google/ssr_detector.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te index 934028e1..e638566d 100644 --- a/whitechapel/vendor/google/ssr_detector.te +++ b/whitechapel/vendor/google/ssr_detector.te @@ -4,7 +4,8 @@ app_domain(ssr_detector_app) allow ssr_detector_app app_api_service:service_manager find; allow ssr_detector_app radio_service:service_manager find; -allow ssr_detector_app system_app_data_file:dir r_dir_perms; +allow ssr_detector_app system_app_data_file:dir rw_dir_perms; +allow ssr_detector_app system_app_data_file:file rw_file_perms; allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; From 86d7d36fcfa70e384207e79c0e6ecdb1d6dc4fef Mon Sep 17 00:00:00 2001 
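Review bot: `system_app_data_file` is a shared label rather than one private to this app, so changing the directory rule to `rw_dir_perms` and adding `allow ssr_detector_app system_app_data_file:file rw_file_perms;` lets `ssr_detector_app` modify any object carrying that label that DAC also permits, not only its own data. The commit message does not say which path has to be written; if it is only the app's own data directory, a dedicated data type assigned through seapp_contexts would keep the grant scoped to that directory. At minimum the rule deserves a comment naming the file that is written and the bug that required it. The same applies to the identical cherry-pick that follows on this line and to the later ssr_detector.te hunk that widens the file rule to `create_file_perms`, which adds create, rename, setattr and unlink.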
From: Ziyi Cui Date: Thu, 17 Nov 2022 19:14:01 +0000 Subject: [PATCH 731/921] [ DO NOT MERGE ] gs101-sepolicy: pixelstats: enable pixelstats access to temp-residency-metrics enable pixelstats access to sysfs path Bug: 246799997 Test: Verified the existence of atom and correctness of atom stats Change-Id: If329f2a65ed4cf347bd57150c637d38312f3dcb1 Signed-off-by: Ziyi Cui --- whitechapel/vendor/google/file.te | 3 +++ whitechapel/vendor/google/genfs_contexts | 3 +++ whitechapel/vendor/google/pixelstats_vendor.te | 3 +++ 3 files changed, 9 insertions(+) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 847499d1..48cb759d 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -213,6 +213,9 @@ type sysfs_trusty, sysfs_type, fs_type; # BootControl type sysfs_bootctl, sysfs_type, fs_type; +#vendor-metrics +type sysfs_vendor_metrics, fs_type, sysfs_type; + # Radio type radio_vendor_data_file, file_type, data_file_type; userdebug_or_eng(` diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 42ae9f93..9f2f3c89 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -551,6 +551,9 @@ genfscon sysfs /devices/platform/100b0000.G3D u:obje genfscon sysfs /devices/platform/100b0000.ISP u:object_r:sysfs_thermal:s0 genfscon sysfs /devices/platform/100b0000.TPU u:object_r:sysfs_thermal:s0 +#vendor-metrics +genfscon sysfs /kernel/metrics/temp_residency/temp_residency_all/stats u:object_r:sysfs_vendor_metrics:s0 + # Trusty genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0 genfscon sysfs /module/trusty_core/parameters/use_high_wq u:object_r:sysfs_trusty:s0 diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te index f0cca685..eb255475 100644 --- a/whitechapel/vendor/google/pixelstats_vendor.te 
+++ b/whitechapel/vendor/google/pixelstats_vendor.te @@ -23,6 +23,9 @@ allow pixelstats_vendor fwk_sensor_hwservice:hwservice_manager find; # Batery history allow pixelstats_vendor battery_history_device:chr_file r_file_perms; +#vendor-metrics +r_dir_file(pixelstats_vendor, sysfs_vendor_metrics) + # BCL allow pixelstats_vendor sysfs_bcl:dir search; allow pixelstats_vendor sysfs_bcl:file r_file_perms; From 713d3ebf052b474043a8d5f40ef0ac5b7f4ecb2b Mon Sep 17 00:00:00 2001 From: Ziyi Cui Date: Tue, 29 Nov 2022 10:55:04 -0800 Subject: [PATCH 732/921] gs101-sepolicy:dumpstate: allow dumpstate access sysfs_vendor_metrics Test: "adb bugreport" includes metrics capture. Bug: 246799997 Test: "adb bugreport" includes metrics capture. Change-Id: I48247f8378e52d15b264c37342dee5a938ba90a1 Signed-off-by: Ziyi Cui --- whitechapel/vendor/google/hal_dumpstate_default.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 28137c77..314546f2 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -143,6 +143,9 @@ userdebug_or_eng(` allow hal_dumpstate_default vendor_maxfg_debugfs:dir search; allow hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms; + allow hal_dumpstate_default sysfs_vendor_metrics:dir search; + allow hal_dumpstate_default sysfs_vendor_metrics:file r_file_perms; + allow hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms; allow hal_dumpstate_default vendor_charger_debugfs:file r_file_perms; 
@@ -173,6 +176,9 @@ dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms; dontaudit hal_dumpstate_default sysfs_pixel_stat:dir r_dir_perms; dontaudit hal_dumpstate_default sysfs_pixel_stat:file r_file_perms; +dontaudit hal_dumpstate_default sysfs_vendor_metrics:dir search; +dontaudit hal_dumpstate_default sysfs_vendor_metrics:file r_file_perms; + dontaudit hal_dumpstate_default vendor_dri_debugfs:file r_file_perms; dontaudit hal_dumpstate_default vendor_dri_debugfs:dir search; From 1a39bb777e42b42cc4ff224fd77ccccd2e1dd074 Mon Sep 17 00:00:00 2001 From: Ziyi Cui Date: Tue, 29 Nov 2022 12:12:43 -0800 Subject: [PATCH 733/921] [ DO NOT MERGE ] gs101-sepolicy: pixelstats: enable pixelstats access to perf-metrics enable pixelstats access to sysfs path, define sysfs_perfmetrics Bug: 227809911 Bug: 232541623 Test: Verified the existence of atom and correctness of resume latency, irq stats Change-Id: Ia0da1afb96b7f364d018d48d5cc8768c7b67f067 Signed-off-by: Ziyi Cui --- whitechapel/vendor/google/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 9f2f3c89..8bb12c67 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -553,6 +553,8 @@ genfscon sysfs /devices/platform/100b0000.TPU u:obje #vendor-metrics genfscon sysfs /kernel/metrics/temp_residency/temp_residency_all/stats u:object_r:sysfs_vendor_metrics:s0 +genfscon sysfs /kernel/metrics/resume_latency/resume_latency_metrics u:object_r:sysfs_vendor_metrics:s0 +genfscon sysfs /kernel/metrics/irq/long_irq_metrics u:object_r:sysfs_vendor_metrics:s0 # Trusty genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0 From 5a7fd4f558e868a4215646e06eb72921bf039617 Mon Sep 17 00:00:00 2001 
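Review bot: The description of the genfs_contexts change says it defines `sysfs_perfmetrics`, but the two added entries label `resume_latency_metrics` and `long_irq_metrics` with the existing `sysfs_vendor_metrics` type and no other file is touched. Reusing the type means every domain that can already read `sysfs_vendor_metrics` (pixelstats_vendor through `r_dir_file`, and hal_dumpstate_default in the rules added by the preceding commit) gains the resume-latency and IRQ nodes without any allow rule appearing in review. Either correct the description, or give these nodes their own type so that access is granted per consumer.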
From: Adam Shih Date: Mon, 5 Dec 2022 11:11:25 +0800 Subject: [PATCH 734/921] remove sysfs_touch setting spi6.0 was other devices' touch setting Bug: 256521567 Test: build pass Change-Id: I96120b4e4930b16dcf5cbc9eba68c6a150ff0306 --- whitechapel/vendor/google/euiccpixel_app.te | 1 - 1 file changed, 1 deletion(-) diff --git a/whitechapel/vendor/google/euiccpixel_app.te b/whitechapel/vendor/google/euiccpixel_app.te index 8763117f..c276cb9b 100644 --- a/whitechapel/vendor/google/euiccpixel_app.te +++ b/whitechapel/vendor/google/euiccpixel_app.te @@ -24,6 +24,5 @@ userdebug_or_eng(` allow euiccpixel_app sysfs_st33spi:dir search; allow euiccpixel_app sysfs_st33spi:file rw_file_perms; - allow euiccpixel_app sysfs_touch:dir search; ') From 594052a664907436c802f40ec50e148c329a49a6 Mon Sep 17 00:00:00 2001 From: Nicolas Geoffray Date: Mon, 5 Dec 2022 13:56:52 +0000 Subject: [PATCH 735/921] Allow ssr_detector_app to create files of type system_app_data_file. Bug: 260557058 Test: m Change-Id: I8545deddd64d7eec61c5065f364a87b8726b1472 --- whitechapel/vendor/google/ssr_detector.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te index e638566d..feaa1294 100644 --- a/whitechapel/vendor/google/ssr_detector.te +++ b/whitechapel/vendor/google/ssr_detector.te @@ -5,7 +5,7 @@ allow ssr_detector_app app_api_service:service_manager find; allow ssr_detector_app radio_service:service_manager find; allow ssr_detector_app system_app_data_file:dir rw_dir_perms; -allow ssr_detector_app system_app_data_file:file rw_file_perms; +allow ssr_detector_app system_app_data_file:file create_file_perms; allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; From 1d7352fb4d772093a4f07d7407b7e0b8b264bc15 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Wed, 6 Jul 2022 14:40:23 +0800 Subject: [PATCH 736/921] ignore shell access on wlc Bug: 261804136 Test: boot Change-Id: I09b67ca07d7f9573d77f64686fb818d4dc1753cc Merged-In: I09b67ca07d7f9573d77f64686fb818d4dc1753cc --- whitechapel/vendor/google/shell.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/shell.te b/whitechapel/vendor/google/shell.te index f982424d..e13e744e 100644 --- a/whitechapel/vendor/google/shell.te +++ b/whitechapel/vendor/google/shell.te @@ -8,3 +8,4 @@ userdebug_or_eng(` dontaudit shell proc_vendor_sched:dir search; dontaudit shell proc_vendor_sched:file write; +dontaudit shell sysfs_wlc:dir search; From 356b4a4755b555ecb1f83d964f60925155fdea72 Mon Sep 17 00:00:00 2001 From: Nicolas Geoffray Date: Thu, 8 Dec 2022 14:38:08 +0000 Subject: [PATCH 737/921] Also put .ShannonImsService in the vendor_ims_app domain. For consistency when running com.shannon.imsservice code. Test: m Bug: 260557058 Change-Id: I5242479d32eb9362326544516c06e6a52cd30a6e --- whitechapel/vendor/google/seapp_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index f866e37a..ed5f5d76 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts @@ -10,6 +10,7 @@ user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode doma user=_app isPrivApp=true name=com.samsung.slsi.telephony.oemril domain=oemrilservice_app levelFrom=all # Samsung S.LSI IMS +user=_app isPrivApp=true name=.ShannonImsService domain=vendor_ims_app levelFrom=all user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_app levelFrom=all user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all From 85bd1b844189d26b8d77275f3e39eae820f3e308 Mon Sep 17 00:00:00 2001 
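Review bot: The added seapp_contexts entry `user=_app isPrivApp=true name=.ShannonImsService domain=vendor_ims_app levelFrom=all` matches on a bare process name with no package prefix and, like its neighbours, carries no `seinfo=` selector. Any privileged app whose process is given that name would therefore be placed in `vendor_ims_app`; the set is limited to apps installed as privileged, but it is not tied to the IMS package or its signing key. If mac_permissions.xml assigns a distinct seinfo to com.shannon.imsservice (not visible here), adding `seinfo=<that value>` (placeholder) to this line and the two below would pin the domain to that signer. A comment such as `# process name declared by com.shannon.imsservice` would also explain why a name without a package prefix is listed.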
From: Adam Shih Date: Wed, 6 Jul 2022 14:40:23 +0800 Subject: [PATCH 738/921] ignore shell access on wlc Bug: 261804136 Test: boot Change-Id: I09b67ca07d7f9573d77f64686fb818d4dc1753cc Merged-In: I09b67ca07d7f9573d77f64686fb818d4dc1753cc --- whitechapel/vendor/google/shell.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/shell.te b/whitechapel/vendor/google/shell.te index f982424d..e13e744e 100644 --- a/whitechapel/vendor/google/shell.te +++ b/whitechapel/vendor/google/shell.te @@ -8,3 +8,4 @@ userdebug_or_eng(` dontaudit shell proc_vendor_sched:dir search; dontaudit shell proc_vendor_sched:file write; +dontaudit shell sysfs_wlc:dir search; From 807f7b2efab6c29ba23f6ba01577fd3a4da21380 Mon Sep 17 00:00:00 2001 From: Taylor Nelms Date: Mon, 5 Dec 2022 16:32:21 +0000 Subject: [PATCH 739/921] Modify permissions to allow dumpstate process to access decon_counters node Bug: 240346564 Test: Build for Oriole device with "user" build, check bugreport for decon_counters content Change-Id: I71883632857e76cfead39b16560b3695e13a6746 Signed-off-by: Taylor Nelms --- whitechapel/vendor/google/genfs_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 72ba7811..92087feb 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -369,6 +369,9 @@ genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_need_ genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c300000.drmdecon/counters u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c301000.drmdecon/counters u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c302000.drmdecon/counters u:object_r:sysfs_display:s0 # Modem genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0 From aede443b8629b9702fe59c557d2ec440b115afbb Mon Sep 17 00:00:00 2001 From: Devin Moore Date: Mon, 19 Dec 2022 23:42:23 +0000 Subject: [PATCH 740/921] Allow pixelstats hal to talk to the new AIDL sensorservice This is being used in libsensorndkbridge now, so permissions are required. Test: m Bug: 205764765 Change-Id: I65945c8b259538d274da23d8ecc6cf4d2362dcbd --- whitechapel/vendor/google/pixelstats_vendor.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te index f0cca685..996c31a6 100644 --- a/whitechapel/vendor/google/pixelstats_vendor.te +++ b/whitechapel/vendor/google/pixelstats_vendor.te @@ -18,7 +18,10 @@ allow pixelstats_vendor sysfs_wlc:file rw_file_perms; allow pixelstats_vendor sysfs_pca:file rw_file_perms; # OrientationCollector +# HIDL sensorservice allow pixelstats_vendor fwk_sensor_hwservice:hwservice_manager find; +# AIDL sensorservice +allow pixelstats_vendor fwk_sensor_service:service_manager find; # Batery history allow pixelstats_vendor battery_history_device:chr_file r_file_perms; From 33f94a542800f590ee73ba7247dea8ac8ed8afec Mon Sep 17 00:00:00 2001 
From: Ken Yang Date: Fri, 16 Dec 2022 05:50:44 +0000 Subject: [PATCH 741/921] WLC: Add gs101 specific sepolicy for wireless_charger Bug: 237600973 Change-Id: If25a921ba9f0261c7f71cb88425526f307df9064 Signed-off-by: Ken Yang --- whitechapel/vendor/google/file.te | 3 --- whitechapel/vendor/google/platform_app.te | 6 +++--- whitechapel/vendor/google/system_app.te | 6 +++--- 3 files changed, 6 insertions(+), 9 deletions(-) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index d76960c8..c60ec008 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -101,9 +101,6 @@ allow modem_img_file self:filesystem associate; # TCP logging type tcpdump_vendor_data_file, file_type, data_file_type, mlstrustedobject; -# Wireless -type sysfs_wlc, sysfs_type, fs_type; - # Pca type sysfs_pca, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/platform_app.te b/whitechapel/vendor/google/platform_app.te index 49fb531b..4f0f89a2 100644 --- a/whitechapel/vendor/google/platform_app.te +++ b/whitechapel/vendor/google/platform_app.te @@ -1,9 +1,6 @@ binder_call(platform_app, rild) allow platform_app hal_exynos_rild_hwservice:hwservice_manager find; -allow platform_app hal_wlc_hwservice:hwservice_manager find; -binder_call(platform_app, hal_wlc) - allow platform_app proc_vendor_sched:dir r_dir_perms; allow platform_app proc_vendor_sched:file w_file_perms; @@ -18,3 +15,6 @@ get_prop(platform_app, fingerprint_ghbm_prop) allow platform_app hal_pixel_display_service:service_manager find; binder_call(platform_app, hal_graphics_composer_default) + +allow platform_app hal_wireless_charger_service:service_manager find; +binder_call(platform_app, hal_wireless_charger) diff --git a/whitechapel/vendor/google/system_app.te b/whitechapel/vendor/google/system_app.te index 8c9d5345..735d1c67 100644 --- a/whitechapel/vendor/google/system_app.te +++ b/whitechapel/vendor/google/system_app.te 
@@ -1,8 +1,8 @@ allow system_app proc_vendor_sched:dir r_dir_perms; allow system_app proc_vendor_sched:file w_file_perms; -allow system_app hal_wlc_hwservice:hwservice_manager find; -binder_call(system_app, hal_wlc) - allow system_app fwk_stats_hwservice:hwservice_manager find; allow system_app hal_exynos_rild_hwservice:hwservice_manager find; + +allow system_app hal_wireless_charger_service:service_manager find; +binder_call(system_app, hal_wireless_charger) From 46285b5dd5dff706fd9872c37d267b039d7596bf Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 5 Jan 2023 11:04:58 +0800 Subject: [PATCH 742/921] Update SELinux error Test: scanBugreport Bug: 264483156 Change-Id: Ifa7de8df3b09eabee7df8008dbb381854e18f48f --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index f9fbf737..7046ab51 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -3,6 +3,7 @@ dumpstate hal_input_processor_default process b/238143262 dumpstate incident process b/238570971 dumpstate incident process b/238571324 dumpstate incident process b/238571420 +dumpstate system_data_file dir b/264483156 hal_drm_default default_prop file b/232714489 hal_power_default hal_power_default capability b/240632824 incidentd debugfs_wakeup_sources file b/238263568 From afe63f78ccb3a15d911e9724bd7148c4e4299c34 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 5 Jan 2023 11:05:13 +0800 Subject: [PATCH 743/921] Update SELinux error Test: scanBugreport Bug: 264483673 Test: scanAvcDeniedLogRightAfterReboot Change-Id: I954f764f035fcffa06c1c940bece36f0d7e42711 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 7046ab51..6c50a280 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -4,6 +4,7 @@ dumpstate incident process b/238570971 dumpstate incident process b/238571324 dumpstate incident process b/238571420 dumpstate system_data_file dir b/264483156 +dumpstate system_data_file dir b/264483673 hal_drm_default default_prop file b/232714489 hal_power_default hal_power_default capability b/240632824 incidentd debugfs_wakeup_sources file b/238263568 From f5ee8054e0d939bb5a314c3e3c02dffd39637d36 Mon Sep 17 00:00:00 2001 From: Chungkai Mei Date: Thu, 5 Jan 2023 09:36:24 +0000 Subject: [PATCH 744/921] sepolicy: fix avc denial fix avc denial when applying aosp/2333702 Bug: 261678056 Test: boot without avc denial Change-Id: I4674a5cb13f2f06f011c380699353b1a561ad290 Signed-off-by: Chungkai Mei --- whitechapel/vendor/google/genfs_contexts | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 92087feb..fa8cf415 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -271,48 +271,56 @@ genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/wakeup genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 From 776148c9364da0d5da3245bd36a0c367e07fedad Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 6 Jan 2023 10:30:37 +0800 Subject: [PATCH 745/921] update error on ROM Bug: 242203678 Test: pass boot test Change-Id: Ib50c5aed2787d068e589491373a75de47cbe48ee Merged-In: Ifa7de8df3b09eabee7df8008dbb381854e18f48f --- tracking_denials/bug_map | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 tracking_denials/bug_map diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map new file mode 100644 index 00000000..6c50a280 --- /dev/null +++ b/tracking_denials/bug_map 
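Review bot: The eight added `alarmtimer.0.auto/wakeup` entries cover only the `i2c-N/i2c-s2mpg10mfd/` paths, while each bus also has a parallel `i2c-N/N-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup` entry that gets no `.0.auto` counterpart. If the alarmtimer instance number can change under one device name it can presumably change under the other, in which case that node falls back to the generic sysfs label and the same denial returns. It is worth confirming on a build that enumerates the PMIC as `N-001f`, or adding the matching lines, e.g. `genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0`. A one-line comment above the block saying that both `.0.auto` and `.1.auto` are listed because the instance number is not stable would help whoever extends this list next.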
@@ -0,0 +1,11 @@
+dumpstate app_zygote process b/238263438
+dumpstate hal_input_processor_default process b/238143262
+dumpstate incident process b/238570971
+dumpstate incident process b/238571324
+dumpstate incident process b/238571420
+dumpstate system_data_file dir b/264483156
+dumpstate system_data_file dir b/264483673
+hal_drm_default default_prop file b/232714489
+hal_power_default hal_power_default capability b/240632824
+incidentd debugfs_wakeup_sources file b/238263568
+su modem_img_file filesystem b/238825802
From 902db3961f8d7bc78fda9d657e0f57f8867f1421 Mon Sep 17 00:00:00 2001 From: Kyle Zhang Date: Fri, 30 Dec 2022 01:03:59 +0000 Subject: [PATCH 746/921] Add hal_drm_widevine for Widevine exec sepolicy Bug: 243699259 Test: atp v2/widevine-eng/drm_compliance Change-Id: Ifede19e690cb7b7333016df08fb146a0ec8f7409
---
tracking_denials/hal_drm_default.te | 4 ---- tracking_denials/hal_drm_widevine.te | 4 ++++ whitechapel/vendor/google/file_contexts | 2 +- whitechapel/vendor/google/hal_drm_widevine.te | 12 ++++++++++++ 4 files changed, 17 insertions(+), 5 deletions(-) delete mode 100644 tracking_denials/hal_drm_default.te create mode 100644 tracking_denials/hal_drm_widevine.te create mode 100644 whitechapel/vendor/google/hal_drm_widevine.te
diff --git a/tracking_denials/hal_drm_default.te b/tracking_denials/hal_drm_default.te
deleted file mode 100644
index 872f5a0f..00000000
--- a/tracking_denials/hal_drm_default.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/223502652
-dontaudit hal_drm_default vndbinder_device:chr_file { read };
-# b/232714489
-dontaudit hal_drm_default default_prop:file { read };
diff --git a/tracking_denials/hal_drm_widevine.te b/tracking_denials/hal_drm_widevine.te
new file mode 100644
index 00000000..01581ca2
--- /dev/null
+++ b/tracking_denials/hal_drm_widevine.te
@@ -0,0 +1,4 @@
+# b/223502652
+dontaudit hal_drm_widevine vndbinder_device:chr_file { read };
+# b/232714489
+dontaudit hal_drm_widevine default_prop:file { read };
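Review bot: The two `dontaudit` rules in the new tracking_denials/hal_drm_widevine.te are carried over from the deleted hal_drm_default.te, but tracking_denials/bug_map (added by the previous patch) still keys b/232714489 on `hal_drm_default default_prop file`. Once the Widevine service runs in its own domain that entry no longer names the source context used here; update it to `hal_drm_widevine default_prop file b/232714489`, or drop it if nothing still runs as hal_drm_default (not visible from this patch). Because `dontaudit` hides the denial entirely, each rule should also say what is being suppressed rather than only the bug id, e.g. `# b/232714489: service reads a property that falls back to default_prop; label the property instead of suppressing (to be confirmed)`.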
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 78b5983f..8f010c5a 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -1,7 +1,7 @@ # # Exynos HAL # -/(vendor|system/vendor)/bin/hw/android\.hardware\.drm(@[0-9]+\.[0-9]+)?-service\.widevine u:object_r:hal_drm_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.drm(@[0-9]+\.[0-9]+)?-service\.widevine u:object_r:hal_drm_widevine_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service32 u:object_r:hal_usb_default_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.ExynosHWCServiceTW@1\.0-service u:object_r:hal_vendor_hwcservice_default_exec:s0 diff --git a/whitechapel/vendor/google/hal_drm_widevine.te b/whitechapel/vendor/google/hal_drm_widevine.te new file mode 100644 index 00000000..753f5e66 --- /dev/null +++ b/whitechapel/vendor/google/hal_drm_widevine.te @@ -0,0 +1,12 @@ +type hal_drm_widevine, domain; +type hal_drm_widevine_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(hal_drm_widevine) + +hal_server_domain(hal_drm_widevine, hal_drm) + +# L3 +allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms; +allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms; + +# L1 +allow hal_drm_widevine dmabuf_system_heap_device:chr_file r_file_perms; \ No newline at end of file From a49c3a54797192c87fbd2b52a81163bcab616008 Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Thu, 5 Jan 2023 09:24:08 +0000 Subject: [PATCH 747/921] WLC: Cleanup the sysfs_wlc policies The sepolicy must be self-contained without including wirelss_charger to avoid build break in AOSP Bug: 263830018 Change-Id: I4eee380ae61f83c5563ee8842a94fd1fb9e520ef 
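Review bot: The new whitechapel/vendor/google/hal_drm_widevine.te ends without a trailing newline (`\ No newline at end of file`) directly after the `dmabuf_system_heap_device` rule. Policy sources are typically concatenated before compilation, so the last rule can end up fused with whatever text follows; the file should end with a newline. The `# L3` and `# L1` comments are also too terse for a policy file: state what each grant is for, e.g. `# Widevine L3: create and manage persistent state under mediadrm_vendor_data_file` and `# Widevine L1: read-only access to the dmabuf system heap device`, with the reason the heap access is needed filled in by the author.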
Signed-off-by: Ken Yang --- usf/sensor_hal.te | 1 - whitechapel/vendor/google/file.te | 3 +++ whitechapel/vendor/google/hal_dumpstate_default.te | 3 --- whitechapel/vendor/google/hal_health_default.te | 1 - whitechapel/vendor/google/hal_wireless_charger.te | 2 ++ whitechapel/vendor/google/pixelstats_vendor.te | 3 --- whitechapel/vendor/google/service.te | 3 +++ whitechapel/vendor/google/service_contexts | 2 ++ whitechapel/vendor/google/shell.te | 1 - 9 files changed, 10 insertions(+), 9 deletions(-) create mode 100644 whitechapel/vendor/google/hal_wireless_charger.te diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index 595aeef6..b54c1bb3 100644 --- a/usf/sensor_hal.te +++ b/usf/sensor_hal.te @@ -37,7 +37,6 @@ allow hal_sensors_default sysfs_leds:file rw_file_perms; # Allow access to the power supply files for MagCC. r_dir_file(hal_sensors_default, sysfs_batteryinfo) -allow hal_sensors_default sysfs_wlc:dir r_dir_perms; # Allow access to sensor service for sensor_listener. binder_call(hal_sensors_default, system_server); diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index c60ec008..cb5e495f 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -186,3 +186,6 @@ type radio_vendor_data_file, file_type, data_file_type; userdebug_or_eng(` typeattribute radio_vendor_data_file mlstrustedobject; ') + +# WLC +type sysfs_wlc, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 9f87b53e..4bc1bba7 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te 
@@ -13,9 +13,6 @@ vndbinder_use(hal_dumpstate_default) allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms; allow hal_dumpstate_default vendor_gps_file:file r_file_perms; -allow hal_dumpstate_default sysfs_wlc:dir search; -allow hal_dumpstate_default sysfs_wlc:file r_file_perms; - allow hal_dumpstate_default shell_data_file:file getattr; allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms; diff --git a/whitechapel/vendor/google/hal_health_default.te b/whitechapel/vendor/google/hal_health_default.te index a28e5c12..c371547c 100644 --- a/whitechapel/vendor/google/hal_health_default.te +++ b/whitechapel/vendor/google/hal_health_default.te @@ -9,7 +9,6 @@ r_dir_file(hal_health_default, sysfs_scsi_devices_0000) allow hal_health_default fwk_stats_service:service_manager find; binder_use(hal_health_default) -allow hal_health_default sysfs_wlc:dir search; allow hal_health_default sysfs_batteryinfo:file w_file_perms; allow hal_health_default sysfs_thermal:dir search; allow hal_health_default sysfs_thermal:file w_file_perms; diff --git a/whitechapel/vendor/google/hal_wireless_charger.te b/whitechapel/vendor/google/hal_wireless_charger.te new file mode 100644 index 00000000..04b3e5e2 --- /dev/null +++ b/whitechapel/vendor/google/hal_wireless_charger.te @@ -0,0 +1,2 @@ +type hal_wireless_charger, domain; +type hal_wireless_charger_exec, exec_type, vendor_file_type, file_type; diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te index 12234047..4d1a6677 100644 --- a/whitechapel/vendor/google/pixelstats_vendor.te +++ b/whitechapel/vendor/google/pixelstats_vendor.te 
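Review bot: The new hal_wireless_charger.te declares `hal_wireless_charger` and `hal_wireless_charger_exec`, but nothing in this patch labels a binary with the exec type or gives the domain any rule, and a file_contexts hunk later on this page still labels the wireless charger HAL binary `hal_wlc_exec`. The `hal_wireless_charger_service` type added in service.te is likewise not tied to this domain by any rule shown here. If these are declarations kept only so that other policy can reference the names in an AOSP build, as the commit message suggests, say so in the file, e.g. `# Declarations only: the wireless charger HAL rules live outside this repository; kept so references resolve in AOSP builds`. Without that a reader cannot tell an intentionally empty domain from an unfinished one.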
@@ -10,9 +10,6 @@ allow pixelstats_vendor fwk_stats_service:service_manager find; allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms; allow pixelstats_vendor sysfs_pixelstats:file r_file_perms; -# Wireless charge -allow pixelstats_vendor sysfs_wlc:dir search; -allow pixelstats_vendor sysfs_wlc:file rw_file_perms; # Pca charge allow pixelstats_vendor sysfs_pca:file rw_file_perms; diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te index 7d105d49..08f5ad82 100644 --- a/whitechapel/vendor/google/service.te +++ b/whitechapel/vendor/google/service.te @@ -1,3 +1,6 @@ type hal_pixel_display_service, service_manager_type, hal_service_type; type hal_uwb_vendor_service, service_manager_type, hal_service_type; type edgetpu_dba_service, app_api_service, service_manager_type; + +# WLC +type hal_wireless_charger_service, hal_service_type, protected_service, service_manager_type; diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index d00c633e..3569b943 100644 --- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts @@ -4,3 +4,5 @@ android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_se # EdgeTPU DBA Service com.google.edgetpu.dba.IDevice/default u:object_r:edgetpu_dba_service:s0 + +vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0 diff --git a/whitechapel/vendor/google/shell.te b/whitechapel/vendor/google/shell.te index e13e744e..f982424d 100644 --- a/whitechapel/vendor/google/shell.te +++ b/whitechapel/vendor/google/shell.te @@ -8,4 +8,3 @@ userdebug_or_eng(` dontaudit shell proc_vendor_sched:dir search; dontaudit shell proc_vendor_sched:file write; -dontaudit shell sysfs_wlc:dir search; From ad0f7df5bc7178d9f60dd3f949ae2c0c84101ff7 Mon Sep 17 00:00:00 2001 
From: Orion Hodson Date: Tue, 17 Jan 2023 15:02:07 +0000 Subject: [PATCH 748/921] Remove the dontaudit suppressions for dex2oat.te `system/sepolicy/private/dex2oat.te` has rules for these now. Bug: 187016929 Test: m Change-Id: Idb34a644af6620c45f044f98c3d2686fca8ced05 --- private/dex2oat.te | 59 ---------------------------------------------- 1 file changed, 59 deletions(-) delete mode 100644 private/dex2oat.te diff --git a/private/dex2oat.te b/private/dex2oat.te deleted file mode 100644 index 50d7852c..00000000 --- a/private/dex2oat.te +++ /dev/null 
@@ -1,59 +0,0 @@ -# b/187016929 -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat proc_filesystems:file read ; -dontaudit dex2oat postinstall_apex_mnt_dir:file getattr ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat 
vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat proc_filesystems:file read ; -dontaudit dex2oat postinstall_apex_mnt_dir:file getattr ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; -dontaudit dex2oat vendor_overlay_file:file read ; From 5eea830c6e7eadbc4b7249fe78760050d5341136 Mon Sep 17 00:00:00 2001 From: Victor Barr Date: Wed, 21 Dec 2022 21:57:04 +0000 Subject: [PATCH 749/921] Move Support for DBA HAL in common edgetpu packages Previously supported in some cases. Now extend it to all common cases. Bug: 263394888 Test: Built and ran DBA HAL on Android Device Change-Id: I70db1fae6b9f5787c635bb2fcbabc7ee0e064a9f --- .../vendor/google/edgetpu_dba_service.te | 38 ------------------- whitechapel/vendor/google/file_contexts | 3 -- whitechapel/vendor/google/priv_app.te | 3 -- whitechapel/vendor/google/service.te | 2 - whitechapel/vendor/google/service_contexts | 4 -- 5 files changed, 50 deletions(-) delete mode 100644 whitechapel/vendor/google/edgetpu_dba_service.te diff --git a/whitechapel/vendor/google/edgetpu_dba_service.te b/whitechapel/vendor/google/edgetpu_dba_service.te deleted file mode 100644 index 2e8f908a..00000000 --- a/whitechapel/vendor/google/edgetpu_dba_service.te +++ /dev/null 
@@ -1,38 +0,0 @@
-# EdgeTPU DBA service.
-type edgetpu_dba_server, domain;
-type edgetpu_dba_server_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(edgetpu_dba_server)
-
-# The vendor service will use binder calls.
-binder_use(edgetpu_dba_server);
-
-# The vendor service will serve a binder service.
-binder_service(edgetpu_dba_server);
-
-# EdgeTPU DBA service to register the service to service_manager.
-add_service(edgetpu_dba_server, edgetpu_dba_service);
-
-# Allow EdgeTPU DBA service to look for TPU instance in /dev/edgetpu or /dev/edgetpu-soc.
-allow edgetpu_dba_server edgetpu_device:chr_file rw_file_perms;
-
-# Allow EdgeTPU DBA service to request power hints from the Power Service.
-hal_client_domain(edgetpu_dba_server, hal_power)
-
-# Allow EdgeTPU DBA service to access hardware buffers and ION memory.
-allow edgetpu_dba_server hal_allocator:fd use;
-allow edgetpu_dba_server hal_graphics_mapper_hwservice:hwservice_manager find;
-allow edgetpu_dba_server hal_graphics_allocator:fd use;
-allow edgetpu_dba_server gpu_device:chr_file rw_file_perms;
-allow edgetpu_dba_server gpu_device:dir r_dir_perms;
-allow edgetpu_dba_server ion_device:chr_file r_file_perms;
-
-# Allow EdgeTPU DBA service to read the overcommit_memory info.
-allow edgetpu_dba_server proc_overcommit_memory:file r_file_perms;
-
-# Allow EdgeTPU DBA service to read the kernel version.
-# This is done inside the InitGoogle.
-allow edgetpu_dba_server proc_version:file r_file_perms;
-
-# Allow EdgeTPU DBA service to send trace packets to Perfetto with SELinux enabled
-# under userdebug builds.
-userdebug_or_eng(`perfetto_producer(edgetpu_dba_server)')
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 8f010c5a..d09d288b 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -26,9 +26,6 @@ /(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.gs101 u:object_r:hal_power_stats_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0 -# EdgeTPU DBA service -/vendor/bin/hw/com\.google\.edgetpu.dba-service u:object_r:edgetpu_dba_server_exec:s0 - # Wireless charger HAL /(vendor|system/vendor)/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 diff --git a/whitechapel/vendor/google/priv_app.te b/whitechapel/vendor/google/priv_app.te index 9d2aa14d..a6e6bb68 100644 --- a/whitechapel/vendor/google/priv_app.te +++ b/whitechapel/vendor/google/priv_app.te @@ -1,5 +1,2 @@ # Allows privileged applications to access the PowerHAL. hal_client_domain(priv_app, hal_power) - -# Allows privileged applications to discover the EdgeTPU DBA service. -allow priv_app edgetpu_dba_service:service_manager find; diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te index 08f5ad82..62b0b767 100644 --- a/whitechapel/vendor/google/service.te +++ b/whitechapel/vendor/google/service.te @@ -1,6 +1,4 @@ type hal_pixel_display_service, service_manager_type, hal_service_type; type hal_uwb_vendor_service, service_manager_type, hal_service_type; -type edgetpu_dba_service, app_api_service, service_manager_type; - # WLC type hal_wireless_charger_service, hal_service_type, protected_service, service_manager_type; diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index 3569b943..32ac11bd 100644 --- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts 
@@ -1,8 +1,4 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0 android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0 - -# EdgeTPU DBA Service -com.google.edgetpu.dba.IDevice/default u:object_r:edgetpu_dba_service:s0 - vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0 From ae39e117c1d2d796819839716b516f178746caa9 Mon Sep 17 00:00:00 2001 From: Taylor Nelms Date: Mon, 5 Dec 2022 16:32:21 +0000 Subject: [PATCH 750/921] Modify permissions to allow dumpstate process to access decon_counters node Bug: 240346564 Test: Build for Oriole device with "user" build, check bugreport for decon_counters content Merged-In: I71883632857e76cfead39b16560b3695e13a6746 Change-Id: I010a9e8809192a5a1ee5842d5ac973d874836cea Signed-off-by: Taylor Nelms --- whitechapel/vendor/google/genfs_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 8bb12c67..bd291349 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -279,6 +279,9 @@ genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_need_ genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c300000.drmdecon/counters u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c301000.drmdecon/counters u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c302000.drmdecon/counters u:object_r:sysfs_display:s0 # Modem genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0 
From fc3e9e0070e259bb4508ab435b9a72f1257f1f87 Mon Sep 17 00:00:00 2001 From: Long Ling Date: Thu, 26 Jan 2023 18:40:19 -0800 Subject: [PATCH 751/921] display: set context for sysfs file refresh_rate Bug: 263821118 Change-Id: I125f8d0ed2f9197041f0913097d15a696c01a516 --- display/gs101/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/display/gs101/genfs_contexts b/display/gs101/genfs_contexts index 8ea3b669..99badab8 100644 --- a/display/gs101/genfs_contexts +++ b/display/gs101/genfs_contexts @@ -1,11 +1,13 @@ genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0 genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2C0000/panel@0/compatible u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0 genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2D0000/panel@0/compatible u:object_r:sysfs_display:s0 genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 From fcb9c033a1caafa185eb01e986b0d166b36ccaec Mon Sep 17 00:00:00 2001 
From: Ken Yang Date: Tue, 31 Jan 2023 15:02:51 +0000 Subject: [PATCH 752/921] WLC: Add required sysfs_wlc sepolicies The sysfs_wlc is still required for certain services like hal_health_default. Add these sepolicies to pass the tests. Bug: 267171670 Change-Id: Ic4dca7a34e8ed9b096a650b1df4bb58290425117 Signed-off-by: Ken Yang --- usf/sensor_hal.te | 1 + whitechapel/vendor/google/hal_dumpstate_default.te | 4 ++++ whitechapel/vendor/google/hal_health_default.te | 2 ++ whitechapel/vendor/google/pixelstats_vendor.te | 3 +++ whitechapel/vendor/google/shell.te | 1 + 5 files changed, 11 insertions(+) diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te index b54c1bb3..595aeef6 100644 --- a/usf/sensor_hal.te +++ b/usf/sensor_hal.te @@ -37,6 +37,7 @@ allow hal_sensors_default sysfs_leds:file rw_file_perms; # Allow access to the power supply files for MagCC. r_dir_file(hal_sensors_default, sysfs_batteryinfo) +allow hal_sensors_default sysfs_wlc:dir r_dir_perms; # Allow access to sensor service for sensor_listener. binder_call(hal_sensors_default, system_server); diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 4bc1bba7..dbb17904 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -13,6 +13,10 @@ vndbinder_use(hal_dumpstate_default) allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms; allow hal_dumpstate_default vendor_gps_file:file r_file_perms; +allow hal_dumpstate_default sysfs_wlc:dir search; +allow hal_dumpstate_default sysfs_wlc:dir r_dir_perms; +allow hal_dumpstate_default sysfs_wlc:file r_file_perms; + allow hal_dumpstate_default shell_data_file:file getattr; allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms; diff --git a/whitechapel/vendor/google/hal_health_default.te b/whitechapel/vendor/google/hal_health_default.te index c371547c..85b10163 100644 
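Review bot: In the hal_dumpstate_default.te hunk, `allow hal_dumpstate_default sysfs_wlc:dir search;` is redundant next to the added `allow hal_dumpstate_default sysfs_wlc:dir r_dir_perms;`, because `r_dir_perms` already contains `search`. The rules removed by the earlier WLC cleanup on this page granted only `dir search` and `file r_file_perms`, so this re-add also widens the domain to listing the directory, which the commit message does not mention. If listing is not needed keep only the `search` rule; if it is, drop the `search` line and add a one-line comment saying why the directory is read.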
--- a/whitechapel/vendor/google/hal_health_default.te +++ b/whitechapel/vendor/google/hal_health_default.te @@ -14,3 +14,5 @@ allow hal_health_default sysfs_thermal:dir search; allow hal_health_default sysfs_thermal:file w_file_perms; allow hal_health_default sysfs_thermal:lnk_file read; allow hal_health_default thermal_link_device:dir search; + +allow hal_health_default sysfs_wlc:dir search; diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te index 4d1a6677..12234047 100644 --- a/whitechapel/vendor/google/pixelstats_vendor.te +++ b/whitechapel/vendor/google/pixelstats_vendor.te @@ -10,6 +10,9 @@ allow pixelstats_vendor fwk_stats_service:service_manager find; allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms; allow pixelstats_vendor sysfs_pixelstats:file r_file_perms; +# Wireless charge +allow pixelstats_vendor sysfs_wlc:dir search; +allow pixelstats_vendor sysfs_wlc:file rw_file_perms; # Pca charge allow pixelstats_vendor sysfs_pca:file rw_file_perms; diff --git a/whitechapel/vendor/google/shell.te b/whitechapel/vendor/google/shell.te index f982424d..e13e744e 100644 --- a/whitechapel/vendor/google/shell.te +++ b/whitechapel/vendor/google/shell.te @@ -8,3 +8,4 @@ userdebug_or_eng(` dontaudit shell proc_vendor_sched:dir search; dontaudit shell proc_vendor_sched:file write; +dontaudit shell sysfs_wlc:dir search; From 9828cc747a31ce31f5c6c687356dc1a302a8f90a Mon Sep 17 00:00:00 2001 From: Ray Chi Date: Thu, 2 Feb 2023 15:21:35 +0800 Subject: [PATCH 753/921] [ DO NOT MERGE ] usb: Add sepolicy for extcon access USB gadget hal will access extcon folder so that this patch will add new rule to allow USB gadget hal to access extcon. Bug: 263435622 Test: verified pass Change-Id: I8c265919f7ae4b18aa304b0a584536d2a0f4b27a --- whitechapel/vendor/google/hal_usb_gadget_impl.te | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/whitechapel/vendor/google/hal_usb_gadget_impl.te b/whitechapel/vendor/google/hal_usb_gadget_impl.te index 7eb0f632..31216c98 100644 --- a/whitechapel/vendor/google/hal_usb_gadget_impl.te +++ b/whitechapel/vendor/google/hal_usb_gadget_impl.te @@ -19,3 +19,6 @@ allow hal_usb_gadget_impl proc_interrupts:file r_file_perms; # change irq to other cores allow hal_usb_gadget_impl proc_irq:dir r_dir_perms; allow hal_usb_gadget_impl proc_irq:file w_file_perms; + +# allow gadget hal to access extcon node +allow hal_usb_gadget_impl sysfs_extcon:file r_file_perms; From 514eb95f8ee6b332ca6cc573fdf602cea922289a Mon Sep 17 00:00:00 2001 From: Nicolas Geoffray Date: Fri, 3 Feb 2023 13:06:50 +0000 Subject: [PATCH 754/921] Allow ssr_detector_app directory creation in system_app_data_file. Bug: 260557058 Test: m Change-Id: Iad7bb0609d7ca3ae89d6583ba3638e36300538a1 --- whitechapel/vendor/google/ssr_detector.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te index feaa1294..f27fcc5b 100644 --- a/whitechapel/vendor/google/ssr_detector.te +++ b/whitechapel/vendor/google/ssr_detector.te @@ -4,7 +4,7 @@ app_domain(ssr_detector_app) allow ssr_detector_app app_api_service:service_manager find; allow ssr_detector_app radio_service:service_manager find; -allow ssr_detector_app system_app_data_file:dir rw_dir_perms; +allow ssr_detector_app system_app_data_file:dir create_dir_perms; allow ssr_detector_app system_app_data_file:file create_file_perms; allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; From b4ec2efe4b8ef55f9f0a241a6cd506b6c20589aa Mon Sep 17 00:00:00 2001 
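Review bot: The commit message says the USB gadget HAL accesses the extcon folder, but the added rule `allow hal_usb_gadget_impl sysfs_extcon:file r_file_perms;` covers files only. Unless directory access to `sysfs_extcon` is already granted elsewhere (not visible in this hunk), traversing that directory would still be denied; in that case add the narrowest matching rule, `allow hal_usb_gadget_impl sysfs_extcon:dir search;`, rather than a broader directory permission set. The comment `# allow gadget hal to access extcon node` restates the rule; naming which node is read and for what would be more useful.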
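Review bot: Changing `system_app_data_file:dir` from `rw_dir_perms` to `create_dir_perms` in ssr_detector.te lets ssr_detector_app create, rename and remove directories under anything labelled `system_app_data_file`, which as far as this hunk shows is a shared label rather than one specific to this app. The hunk gives no reason for the wider grant; add a comment naming the directory that has to be created, e.g. `# b/260557058: app creates subdirectories in its own data dir` (wording to be confirmed by the author), so the grant can later be narrowed to a dedicated type. The rest of ssr_detector.te lies outside the hunk.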
From: Subrahmanyaman Date: Tue, 7 Feb 2023 22:09:59 +0000 Subject: [PATCH 755/921] Map AIDL Gatekeeper to same policy as HIDL version Bug: 268342724 Test: VtsHalGatekeeperTargetTest Change-Id: I050860bfeb0e87830e554ed19bc1efe54e7db0a5 --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 932f3987..6d4c5864 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -331,6 +331,7 @@ /vendor/bin/storageproxyd u:object_r:tee_exec:s0 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 +/vendor/bin/hw/android\.hardware\.gatekeeper-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 /vendor/bin/hw/android\.hardware\.keymaster@4\.0-service\.trusty u:object_r:hal_keymaster_default_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0 From 8835275413daef98f1c0c7cc723a053bc137ffdc Mon Sep 17 00:00:00 2001 From: sukiliu Date: Fri, 10 Feb 2023 10:20:35 +0800 Subject: [PATCH 756/921] Update SELinux error Test: scanBugreport Bug: 268411073 Bug: 268147283 Bug: 268146971 Change-Id: I60fdc8e3d44da7632522f57adc01c0e6879be83c --- tracking_denials/bug_map | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 6c50a280..20de156b 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,3 +1,5 @@ +dump_pixel_metrics sysfs file b/268411073 +dump_stm sysfs_spi dir b/268147283 dumpstate app_zygote process b/238263438 dumpstate hal_input_processor_default process b/238143262 dumpstate incident process b/238570971 
@@ -8,4 +10,5 @@ dumpstate system_data_file dir b/264483673 hal_drm_default default_prop file b/232714489 hal_power_default hal_power_default capability b/240632824 incidentd debugfs_wakeup_sources file b/238263568 +incidentd incidentd anon_inode b/268146971 su modem_img_file filesystem b/238825802 From d48a10f9b089aab9ec4c77247140c33bd839ca09 Mon Sep 17 00:00:00 2001 From: sukiliu Date: Mon, 13 Feb 2023 10:41:23 +0800 Subject: [PATCH 757/921] Update SELinux error Test: scanBugreport Bug: 269045042 Change-Id: I6291a7d3fd3b75d68548bd2fb7287b8ff754684a --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 20de156b..dded4c93 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,5 +1,6 @@ dump_pixel_metrics sysfs file b/268411073 dump_stm sysfs_spi dir b/268147283 +dump_trusty radio_vendor_data_file file b/269045042 dumpstate app_zygote process b/238263438 dumpstate hal_input_processor_default process b/238143262 dumpstate incident process b/238570971 From 9a7bb8df869d6512dbfceed29cd310db3e535dc0 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 13 Feb 2023 14:56:30 +0800 Subject: [PATCH 758/921] Move memory dump to gs-common Bug: 240530709 Test: adb bugreport Change-Id: I78433d8d170af54a4daee6c9a9218ce35e78e730 --- whitechapel/vendor/google/dumpstate.te | 1 - whitechapel/vendor/google/file.te | 2 -- whitechapel/vendor/google/genfs_contexts | 2 -- whitechapel/vendor/google/hal_dumpstate_default.te | 10 ---------- 4 files changed, 15 deletions(-) diff --git a/whitechapel/vendor/google/dumpstate.te b/whitechapel/vendor/google/dumpstate.te index cdf6e8ef..e715ad95 100644 --- a/whitechapel/vendor/google/dumpstate.te +++ b/whitechapel/vendor/google/dumpstate.te @@ -14,4 +14,3 @@ allow dumpstate modem_img_file:dir getattr; allow dumpstate modem_userdata_file:dir getattr; allow dumpstate fuse:dir search; -dontaudit dumpstate vendor_dmabuf_debugfs:file r_file_perms; 
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index cb5e495f..e20541cc 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -23,8 +23,6 @@ type vendor_rpmbmock_data_file, file_type, data_file_type; # Exynos debugfs type vendor_ion_debugfs, fs_type, debugfs_type; -type vendor_dmabuf_debugfs, fs_type, debugfs_type; -type vendor_page_pinner_debugfs, fs_type, debugfs_type; type vendor_mali_debugfs, fs_type, debugfs_type; type vendor_dri_debugfs, fs_type, debugfs_type; type vendor_pm_genpd_debugfs, fs_type, debugfs_type; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index fa8cf415..78ca2633 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -670,10 +670,8 @@ genfscon sysfs /devices/platform/14520000.pcie/power_stats genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0 genfscon debugfs /maxfg_base u:object_r:vendor_maxfg_debugfs:s0 genfscon debugfs /maxfg_flip u:object_r:vendor_maxfg_debugfs:s0 -genfscon debugfs /dma_buf/bufinfo u:object_r:vendor_dmabuf_debugfs:s0 genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0 genfscon debugfs /ion u:object_r:vendor_ion_debugfs:s0 -genfscon debugfs /page_pinner u:object_r:vendor_page_pinner_debugfs:s0 genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0 genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0 genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0 diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index dbb17904..be51f49a 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te 
@@ -86,9 +86,6 @@ userdebug_or_eng(` allow hal_dumpstate_default vendor_ion_debugfs:dir r_dir_perms; allow hal_dumpstate_default vendor_ion_debugfs:file r_file_perms; - allow hal_dumpstate_default vendor_page_pinner_debugfs:dir search; - allow hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms; - allow hal_dumpstate_default sysfs_pixel_stat:dir r_dir_perms; allow hal_dumpstate_default sysfs_pixel_stat:file r_file_perms; @@ -100,8 +97,6 @@ userdebug_or_eng(` allow hal_dumpstate_default vendor_usb_debugfs:dir r_dir_perms; allow hal_dumpstate_default vendor_usb_debugfs:file r_file_perms; - allow hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms; - allow hal_dumpstate_default vendor_regmap_debugfs:dir r_dir_perms; allow hal_dumpstate_default vendor_regmap_debugfs:file r_file_perms; @@ -133,9 +128,6 @@ userdebug_or_eng(` dontaudit hal_dumpstate_default vendor_ion_debugfs:dir r_dir_perms; dontaudit hal_dumpstate_default vendor_ion_debugfs:file r_file_perms; -dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:dir search; -dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms; - dontaudit hal_dumpstate_default sysfs_pixel_stat:dir r_dir_perms; dontaudit hal_dumpstate_default sysfs_pixel_stat:file r_file_perms; @@ -150,8 +142,6 @@ dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms; dontaudit hal_dumpstate_default vendor_usb_debugfs:dir r_dir_perms; dontaudit hal_dumpstate_default vendor_usb_debugfs:file r_file_perms; -dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms; - dontaudit hal_dumpstate_default vendor_regmap_debugfs:dir r_dir_perms; dontaudit hal_dumpstate_default vendor_regmap_debugfs:file r_file_perms; From 14c66190df25a0e0694144e0445a24f3b4125c33 Mon Sep 17 00:00:00 2001 
From: leochuang Date: Tue, 14 Feb 2023 15:46:17 +0800 Subject: [PATCH 759/921] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 269218654 Test: scanBugreport Bug: 269218638 Change-Id: If7d4633aa4f4f10cf3b56640ae6661a2a9b20b91 --- tracking_denials/bug_map | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index dded4c93..2efceedb 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,3 +1,5 @@ +dump_lsi radio_vendor_data_file file b/269218638 +dump_lsi vendor_slog_file file b/269218638 dump_pixel_metrics sysfs file b/268411073 dump_stm sysfs_spi dir b/268147283 dump_trusty radio_vendor_data_file file b/269045042 @@ -12,4 +14,5 @@ hal_drm_default default_prop file b/232714489 hal_power_default hal_power_default capability b/240632824 incidentd debugfs_wakeup_sources file b/238263568 incidentd incidentd anon_inode b/268146971 +rfsd vendor_rild_prop property_service b/269218654 su modem_img_file filesystem b/238825802 From 74d31a156821c8f7f2c1bf263ab36ddea6ebfc05 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Wagner?= Date: Tue, 27 Dec 2022 08:55:27 +0000 Subject: [PATCH 760/921] Update Mali DDK to r40 : Additional SELinux settings Expose DDK's dynamic configuration options through the Android Sysprop interface, following recommendations from Arm's Android Integration Manual. b/261718474 Change-Id: I5c69a8bafe3a4c738c124facb1f437ec721cc3ea --- whitechapel/vendor/google/domain.te | 4 ++++ whitechapel/vendor/google/property.te | 4 ++++ whitechapel/vendor/google/property_contexts | 3 +++ whitechapel/vendor/google/vendor_init.te | 4 ++++ 4 files changed, 15 insertions(+) diff --git a/whitechapel/vendor/google/domain.te b/whitechapel/vendor/google/domain.te index fd876e09..ad32036f 100644 --- a/whitechapel/vendor/google/domain.te +++ b/whitechapel/vendor/google/domain.te 
@@ -1,2 +1,6 @@ allow {domain -appdomain -rs} proc_vendor_sched:dir r_dir_perms; allow {domain -appdomain -rs} proc_vendor_sched:file w_file_perms; + +# Mali +get_prop(domain, vendor_arm_runtime_option_prop) + diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index b792d530..08cccec0 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -53,3 +53,7 @@ system_vendor_config_prop(vendor_uwb_calibration_prop) # Trusty storage FS ready vendor_internal_prop(vendor_trusty_storage_prop) + +# Mali Integration +vendor_public_prop(vendor_arm_runtime_option_prop) + diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index b663df4b..41ad0485 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -98,3 +98,6 @@ ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibratio # Trusty ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 + +# Mali GPU driver configuration and debug options +vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 8ebe5e52..928bc021 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -41,3 +41,7 @@ set_prop(vendor_init, vendor_display_prop) # Trusty storage FS ready get_prop(vendor_init, vendor_trusty_storage_prop) + +# Mali +set_prop(vendor_init, vendor_arm_runtime_option_prop) + From beacc5b05fc339ff79b1dc5e57dea35baf22447b Mon Sep 17 00:00:00 2001 
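Review bot: `get_prop(domain, vendor_arm_runtime_option_prop)` in domain.te makes every domain, app domains included, a reader of the `vendor.mali.` prefix, which property_contexts describes as "configuration and debug options", yet the only explanation left in the policy is `# Mali`. If the wide read is needed because the GPU user-space driver is loaded into every client process (presumably; the commit message only cites Arm's integration manual), the comment should say so, e.g. `# Mali user-space driver runs inside every GPU client, so all domains read its runtime options; only vendor_init may set them`. Because the type is declared with `vendor_public_prop(...)`, a short comment in property.te stating that nothing secret or device-identifying belongs under this prefix would help later additions. The same applies to the cherry-pick of this change (PATCH 776) later in the series.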
From: Ray Chi Date: Thu, 2 Feb 2023 15:21:35 +0800 Subject: [PATCH 761/921] [ DO NOT MERGE ] usb: Add sepolicy for extcon access USB gadget hal will access extcon folder so that this patch will add new rule to allow USB gadget hal to access extcon. Bug: 263435622 Test: verified pass Change-Id: I8c265919f7ae4b18aa304b0a584536d2a0f4b27a (cherry picked from commit 9828cc747a31ce31f5c6c687356dc1a302a8f90a) Merged-In: I8c265919f7ae4b18aa304b0a584536d2a0f4b27a --- whitechapel/vendor/google/hal_usb_gadget_impl.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/hal_usb_gadget_impl.te b/whitechapel/vendor/google/hal_usb_gadget_impl.te index 7eb0f632..31216c98 100644 --- a/whitechapel/vendor/google/hal_usb_gadget_impl.te +++ b/whitechapel/vendor/google/hal_usb_gadget_impl.te @@ -19,3 +19,6 @@ allow hal_usb_gadget_impl proc_interrupts:file r_file_perms; # change irq to other cores allow hal_usb_gadget_impl proc_irq:dir r_dir_perms; allow hal_usb_gadget_impl proc_irq:file w_file_perms; + +# allow gadget hal to access extcon node +allow hal_usb_gadget_impl sysfs_extcon:file r_file_perms; From 10d08a16e1a2ba1f164e40def4d035969b16d84b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= Date: Wed, 15 Feb 2023 10:19:58 +1100 Subject: [PATCH 762/921] Remove bug_map entry for incident Bug: 238570971 Bug: 238571324 Bug: 238571420 Test: presubmit Change-Id: Ib24d85aaed87e6e5dc0b0281d65407e8c45e017c --- tracking_denials/bug_map | 3 --- 1 file changed, 3 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 6c50a280..057655be 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
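Review bot: The rule added to hal_usb_gadget_impl.te grants `sysfs_extcon:file r_file_perms` only, while the commit message says the HAL accesses the extcon folder. If the HAL walks or lists that directory it also needs `allow hal_usb_gadget_impl sysfs_extcon:dir search;` (or `r_dir_perms` when it enumerates entries), unless a rule outside this hunk already provides it. The file continues above the hunk, so that cannot be confirmed from here. The comment `# allow gadget hal to access extcon node` could also say that the access is read-only.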
@@ -1,8 +1,5 @@ dumpstate app_zygote process b/238263438 dumpstate hal_input_processor_default process b/238143262 -dumpstate incident process b/238570971 -dumpstate incident process b/238571324 -dumpstate incident process b/238571420 dumpstate system_data_file dir b/264483156 dumpstate system_data_file dir b/264483673 hal_drm_default default_prop file b/232714489 From e5b2d04476813ee256a01490cae960affa61e421 Mon Sep 17 00:00:00 2001 From: leochuang Date: Wed, 15 Feb 2023 10:25:40 +0800 Subject: [PATCH 763/921] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 269218654 Test: scanBugreport Bug: 269370106 Bug: 269045042 Change-Id: Ief58a1f19580251476c71602951550388015df01 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 2efceedb..42d06011 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,5 +1,6 @@ dump_lsi radio_vendor_data_file file b/269218638 dump_lsi vendor_slog_file file b/269218638 +dump_modem radio_vendor_data_file file b/269370106 dump_pixel_metrics sysfs file b/268411073 dump_stm sysfs_spi dir b/268147283 dump_trusty radio_vendor_data_file file b/269045042 @@ -11,6 +12,7 @@ dumpstate incident process b/238571420 dumpstate system_data_file dir b/264483156 dumpstate system_data_file dir b/264483673 hal_drm_default default_prop file b/232714489 +hal_dumpstate_default dump_lsi process b/269045042 hal_power_default hal_power_default capability b/240632824 incidentd debugfs_wakeup_sources file b/238263568 incidentd incidentd anon_inode b/268146971 From 5a70bbb33573d00484596b0a023f2a79728fe503 Mon Sep 17 00:00:00 2001 From: Lucas Wei Date: Tue, 14 Feb 2023 14:25:37 +0800 Subject: [PATCH 764/921] votable: Update don't audit file entry Test: No votable avc errors in dmesg Bug: 247905787 Change-Id: I95ab4dd7750e9b0f26d41fece50dc6d0aa73dd41 
Signed-off-by: Lucas Wei --- tracking_denials/kernel.te | 2 -- whitechapel/vendor/google/kernel.te | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) delete mode 100644 tracking_denials/kernel.te diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te deleted file mode 100644 index 45ce8edc..00000000 --- a/tracking_denials/kernel.te +++ /dev/null @@ -1,2 +0,0 @@ -#b/247905787 -dontaudit kernel vendor_votable_debugfs:dir { search }; diff --git a/whitechapel/vendor/google/kernel.te b/whitechapel/vendor/google/kernel.te index fa6c2fac..c1d73c68 100644 --- a/whitechapel/vendor/google/kernel.te +++ b/whitechapel/vendor/google/kernel.te @@ -10,3 +10,4 @@ allow kernel self:perf_event cpu; dontaudit kernel vendor_battery_debugfs:dir search; dontaudit kernel vendor_maxfg_debugfs:dir { search }; +dontaudit kernel vendor_votable_debugfs:dir { search }; From 6964113b1ce0cca046005a50994d09a0cdf721c4 Mon Sep 17 00:00:00 2001 From: Ken Tsou Date: Thu, 16 Feb 2023 10:35:10 +0800 Subject: [PATCH 765/921] hal_health_default: allow to access persist.vendor.shutdown.* msg='avc: denied { set } for property=persist.vendor.shutdown.voltage_avg pid=908 uid=1000 gid=1000 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service permissive=0' Bug: 266181615 Change-Id: Ia87610f0363bbfbe4fe446244b44818c273841f4 Signed-off-by: Ken Tsou --- whitechapel/vendor/google/hal_health_default.te | 1 + whitechapel/vendor/google/property.te | 3 +++ whitechapel/vendor/google/property_contexts | 1 + 3 files changed, 5 insertions(+) diff --git a/whitechapel/vendor/google/hal_health_default.te b/whitechapel/vendor/google/hal_health_default.te index 85b10163..9954bee0 100644 --- a/whitechapel/vendor/google/hal_health_default.te +++ b/whitechapel/vendor/google/hal_health_default.te 
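Review bot: The `dontaudit kernel vendor_votable_debugfs:dir { search };` line added to whitechapel/vendor/google/kernel.te loses the `#b/247905787` reference it carried in tracking_denials/kernel.te, so the permanent policy no longer records why this denial is silenced. A dontaudit keeps the access out of the audit log for good, so I would carry a short comment over, e.g. `# b/247905787: kernel search of votable debugfs is denied on purpose and not logged` (wording for the author to confirm). The braces around a single permission also differ from the `vendor_battery_debugfs:dir search` line two lines above; `dir search` would match it.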
@@ -4,6 +4,7 @@ allow hal_health_default persist_battery_file:file create_file_perms; allow hal_health_default persist_battery_file:dir rw_dir_perms; set_prop(hal_health_default, vendor_battery_defender_prop) +set_prop(hal_health_default, vendor_shutdown_prop) r_dir_file(hal_health_default, sysfs_scsi_devices_0000) allow hal_health_default fwk_stats_service:service_manager find; diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index b792d530..cec78c3a 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -27,6 +27,9 @@ vendor_internal_prop(vendor_battery_defender_prop) # Battery profile for harness mode vendor_internal_prop(vendor_battery_profile_prop) +# hal_health +vendor_internal_prop(vendor_shutdown_prop) + # Logger vendor_internal_prop(vendor_logger_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index b663df4b..8a3f95dc 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -68,6 +68,7 @@ persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0 # Battery vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0 +persist.vendor.shutdown. u:object_r:vendor_shutdown_prop:s0 # test battery profile persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0 From 3194ab09f9c4efe20b9c8f6f6ed230fa014f22ea Mon Sep 17 00:00:00 2001 From: Ken Tsou Date: Thu, 16 Feb 2023 10:35:10 +0800 Subject: [PATCH 766/921] [DO NOT MERGE] hal_health_default: access persist.vendor.shutdown.* msg='avc: denied { set } for property=persist.vendor.shutdown.voltage_avg pid=908 uid=1000 gid=1000 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service permissive=0' Bug: 266181615 Change-Id: Ia87610f0363bbfbe4fe446244b44818c273841f4 
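Review bot: The `# hal_health` comment above `vendor_internal_prop(vendor_shutdown_prop)` in property.te names the writer but not what the property holds, and the new `persist.vendor.shutdown.` entry in property_contexts sits under `# Battery` with no description. Going by the denial quoted in the commit message (`persist.vendor.shutdown.voltage_avg`), a comment such as `# Shutdown-time battery readings persisted by the health HAL` would tell the next reader why the type exists and why only `hal_health_default` has `set_prop` on it. The DO NOT MERGE copy of this change (PATCH 766) carries the same hunks.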
Signed-off-by: Ken Tsou --- whitechapel/vendor/google/hal_health_default.te | 1 + whitechapel/vendor/google/property.te | 3 +++ whitechapel/vendor/google/property_contexts | 1 + 3 files changed, 5 insertions(+) diff --git a/whitechapel/vendor/google/hal_health_default.te b/whitechapel/vendor/google/hal_health_default.te index a28e5c12..65a5d483 100644 --- a/whitechapel/vendor/google/hal_health_default.te +++ b/whitechapel/vendor/google/hal_health_default.te @@ -4,6 +4,7 @@ allow hal_health_default persist_battery_file:file create_file_perms; allow hal_health_default persist_battery_file:dir rw_dir_perms; set_prop(hal_health_default, vendor_battery_defender_prop) +set_prop(hal_health_default, vendor_shutdown_prop) r_dir_file(hal_health_default, sysfs_scsi_devices_0000) allow hal_health_default fwk_stats_service:service_manager find; diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 70c72b68..f1430adf 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -29,6 +29,9 @@ vendor_internal_prop(vendor_battery_defender_prop) # Battery profile for harness mode vendor_internal_prop(vendor_battery_profile_prop) +# hal_health +vendor_internal_prop(vendor_shutdown_prop) + # AoC vendor_internal_prop(vendor_aoc_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 0dd3d463..c9e16156 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -87,6 +87,7 @@ persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0 # Battery vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0 +persist.vendor.shutdown. u:object_r:vendor_shutdown_prop:s0 # test battery profile persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0 From ba6c4e189c503bdbeed49d9eda3f3824c1e5d80a Mon Sep 17 00:00:00 2001 
From: leochuang Date: Mon, 20 Feb 2023 08:55:57 +0800 Subject: [PATCH 767/921] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 269964825 Test: scanBugreport Bug: 269964913 Change-Id: Ie0086b87af77e8b6feb86d796c7fa897038f973b --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index d40544ac..a257f96a 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,4 +1,5 @@ dump_lsi radio_vendor_data_file file b/269218638 +dump_lsi vendor_camera_data_file file b/269964913 dump_lsi vendor_slog_file file b/269218638 dump_modem radio_vendor_data_file file b/269370106 dump_pixel_metrics sysfs file b/268411073 @@ -15,3 +16,4 @@ incidentd debugfs_wakeup_sources file b/238263568 incidentd incidentd anon_inode b/268146971 rfsd vendor_rild_prop property_service b/269218654 su modem_img_file filesystem b/238825802 +vndservicemanager hal_keymint_citadel binder b/269964825 From b5b0e0908ffaefa0c7663eed7d1c6d0f6f9d42c0 Mon Sep 17 00:00:00 2001 From: leochuang Date: Tue, 21 Feb 2023 08:50:06 +0800 Subject: [PATCH 768/921] Update SELinux error Test: scanBugreport Bug: 270080367 Change-Id: Ifed87779021a6faa4cd8d0ea3431436acd1de365 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index a257f96a..6e54fcfe 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,3 +1,5 @@ +dump_aoc radio_vendor_data_file file b/270080367 +dump_aoc vendor_camera_data_file file b/270080367 dump_lsi radio_vendor_data_file file b/269218638 dump_lsi vendor_camera_data_file file b/269964913 dump_lsi vendor_slog_file file b/269218638 From 4fe64170d372f699d54b9e2dfdb769d8cb5b1967 Mon Sep 17 00:00:00 2001 
From: leochuang Date: Wed, 22 Feb 2023 10:30:02 +0800 Subject: [PATCH 769/921] Update SELinux error Test: scanBugreport Bug: 270247432 Change-Id: Ia5e76ee1c027ac2b1cbbbc6a20a20f3ea609a1b7 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index d40544ac..979cfabb 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -10,6 +10,7 @@ dumpstate system_data_file dir b/264483156 dumpstate system_data_file dir b/264483673 hal_drm_default default_prop file b/232714489 hal_dumpstate_default dump_lsi process b/269045042 +hal_dumpstate_default dump_thermal process b/270247432 hal_power_default hal_power_default capability b/240632824 incidentd debugfs_wakeup_sources file b/238263568 incidentd incidentd anon_inode b/268146971 From 7d3f25d95bc8e7e6857ccee3e63991d23e7f6962 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 7 Mar 2023 13:01:05 +0800 Subject: [PATCH 770/921] Move display dump to gs-common Bug: 269212897 Test: adb bugreport Change-Id: Id40661687bbd04d7eba4790dc5fe17ca5c79e47d --- whitechapel/vendor/google/file.te | 2 -- whitechapel/vendor/google/file_contexts | 1 - whitechapel/vendor/google/genfs_contexts | 1 - whitechapel/vendor/google/hal_dumpstate_default.te | 14 -------------- whitechapel/vendor/google/vndservice.te | 1 - whitechapel/vendor/google/vndservice_contexts | 1 - 6 files changed, 20 deletions(-) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index e20541cc..b6248205 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te 
@@ -7,7 +7,6 @@ type vendor_media_data_file, file_type, data_file_type; type vendor_log_file, file_type, data_file_type; type vendor_cbd_log_file, file_type, data_file_type; type vendor_dmd_log_file, file_type, data_file_type; -type vendor_hwc_log_file, file_type, data_file_type; type vendor_rfsd_log_file, file_type, data_file_type; type vendor_dump_log_file, file_type, data_file_type; type vendor_rild_log_file, file_type, data_file_type; @@ -24,7 +23,6 @@ type vendor_rpmbmock_data_file, file_type, data_file_type; # Exynos debugfs type vendor_ion_debugfs, fs_type, debugfs_type; type vendor_mali_debugfs, fs_type, debugfs_type; -type vendor_dri_debugfs, fs_type, debugfs_type; type vendor_pm_genpd_debugfs, fs_type, debugfs_type; type vendor_regmap_debugfs, fs_type, debugfs_type; type vendor_usb_debugfs, fs_type, debugfs_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index c2e8117a..aa0f2f78 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -143,7 +143,6 @@ /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 /data/vendor/log/cbd(/.*)? u:object_r:vendor_cbd_log_file:s0 /data/vendor/log/dmd(/.*)? u:object_r:vendor_dmd_log_file:s0 -/data/vendor/log/hwc(/.*)? u:object_r:vendor_hwc_log_file:s0 /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 /data/vendor/log/dump(/.*)? u:object_r:vendor_dump_log_file:s0 /data/vendor/log/rild(/.*)? u:object_r:vendor_rild_log_file:s0 diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 78ca2633..1c6c211e 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -670,7 +670,6 @@ genfscon sysfs /devices/platform/14520000.pcie/power_stats genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0 genfscon debugfs /maxfg_base u:object_r:vendor_maxfg_debugfs:s0 genfscon debugfs /maxfg_flip u:object_r:vendor_maxfg_debugfs:s0 -genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0 genfscon debugfs /ion u:object_r:vendor_ion_debugfs:s0 genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0 genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0 diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index be51f49a..86e5f6de 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te @@ -22,9 +22,6 @@ allow hal_dumpstate_default shell_data_file:file getattr; allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms; allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms; -allow hal_dumpstate_default vendor_hwc_log_file:dir r_dir_perms; -allow hal_dumpstate_default vendor_hwc_log_file:file r_file_perms; - # camera debugging dump file access allow hal_dumpstate_default vendor_camera_data_file:dir r_dir_perms; allow hal_dumpstate_default vendor_camera_data_file:file r_file_perms; 
@@ -64,11 +61,6 @@ allow hal_dumpstate_default sysfs_batteryinfo:file r_file_perms; allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans; allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans; -allow hal_dumpstate_default vendor_displaycolor_service:service_manager find; -binder_call(hal_dumpstate_default, hal_graphics_composer_default); -allow hal_dumpstate_default sysfs_display:dir r_dir_perms; -allow hal_dumpstate_default sysfs_display:file r_file_perms; - allow hal_dumpstate_default proc_vendor_sched:file read; allow hal_dumpstate_default proc_vendor_sched:dir r_dir_perms; allow hal_dumpstate_default proc_vendor_sched:file r_file_perms; @@ -89,9 +81,6 @@ userdebug_or_eng(` allow hal_dumpstate_default sysfs_pixel_stat:dir r_dir_perms; allow hal_dumpstate_default sysfs_pixel_stat:file r_file_perms; - allow hal_dumpstate_default vendor_dri_debugfs:file r_file_perms; - allow hal_dumpstate_default vendor_dri_debugfs:dir search; - allow hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms; allow hal_dumpstate_default vendor_usb_debugfs:dir r_dir_perms; @@ -134,9 +123,6 @@ dontaudit hal_dumpstate_default sysfs_pixel_stat:file r_file_perms; dontaudit hal_dumpstate_default sysfs_vendor_metrics:dir search; dontaudit hal_dumpstate_default sysfs_vendor_metrics:file r_file_perms; -dontaudit hal_dumpstate_default vendor_dri_debugfs:file r_file_perms; -dontaudit hal_dumpstate_default vendor_dri_debugfs:dir search; - dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms; dontaudit hal_dumpstate_default vendor_usb_debugfs:dir r_dir_perms; diff --git a/whitechapel/vendor/google/vndservice.te b/whitechapel/vendor/google/vndservice.te index f70a26fe..bd59e836 100644 --- a/whitechapel/vendor/google/vndservice.te +++ b/whitechapel/vendor/google/vndservice.te 
@@ -1,4 +1,3 @@ type rls_service, vndservice_manager_type; type vendor_surfaceflinger_vndservice, vndservice_manager_type; -type vendor_displaycolor_service, vndservice_manager_type; type eco_service, vndservice_manager_type; diff --git a/whitechapel/vendor/google/vndservice_contexts b/whitechapel/vendor/google/vndservice_contexts index d44e1cb8..d272fe16 100644 --- a/whitechapel/vendor/google/vndservice_contexts +++ b/whitechapel/vendor/google/vndservice_contexts @@ -1,4 +1,3 @@ Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0 rlsservice u:object_r:rls_service:s0 -displaycolor u:object_r:vendor_displaycolor_service:s0 media.ecoservice u:object_r:eco_service:s0 From b2635623608505714d2b2e8a309e9b0f11858086 Mon Sep 17 00:00:00 2001 From: Jasmine Cha Date: Thu, 9 Mar 2023 10:10:18 +0800 Subject: [PATCH 771/921] audio: move sepolicy about audio to gs-common Bug: 259161622 Test: build pass and check with audio ext hidl/aidl Change-Id: Ie1499be82e405c2ddf4cd1a62ee7ff2823befd8e Signed-off-by: Jasmine Cha --- whitechapel/vendor/google/rild.te | 1 - 1 file changed, 1 deletion(-) diff --git a/whitechapel/vendor/google/rild.te b/whitechapel/vendor/google/rild.te index 78b14e51..2f1d8ff9 100644 --- a/whitechapel/vendor/google/rild.te +++ b/whitechapel/vendor/google/rild.te @@ -30,7 +30,6 @@ binder_call(rild, logger_app) # for hal service add_hwservice(rild, hal_exynos_rild_hwservice) -allow rild hal_audio_ext_hwservice:hwservice_manager find; # Allow rild to access files on modem img. allow rild modem_img_file:dir r_dir_perms; From 89581ecfe54510a487e72dbb541847e19e7faa9b Mon Sep 17 00:00:00 2001 From: Woody Lin Date: Mon, 6 Feb 2023 08:54:20 +0000 Subject: [PATCH 772/921] Revert "Update SELinux error" This reverts commit afe63f78ccb3a15d911e9724bd7148c4e4299c34. Reason for revert: fixed by aosp/2422419 Bug: 260366497 Bug: 264600011 Change-Id: I4877527b78f99da935548a1e5b70dab4009ed0bf --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) 
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index a6928438..15fcacb3 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -10,7 +10,6 @@ dump_trusty radio_vendor_data_file file b/269045042 dumpstate app_zygote process b/238263438 dumpstate hal_input_processor_default process b/238143262 dumpstate system_data_file dir b/264483156 -dumpstate system_data_file dir b/264483673 hal_drm_default default_prop file b/232714489 hal_dumpstate_default dump_lsi process b/269045042 hal_dumpstate_default dump_thermal process b/270247432 From 687bb4fae48c5e7f272c72f9456f3debd6009975 Mon Sep 17 00:00:00 2001 From: Woody Lin Date: Mon, 6 Feb 2023 08:54:21 +0000 Subject: [PATCH 773/921] Revert "Update SELinux error" This reverts commit 46285b5dd5dff706fd9872c37d267b039d7596bf. Reason for revert: fixed by aosp/2422419 Bug: 260366497 Bug: 264600011 Change-Id: I1c5962ab5900d5b2342411b352b502a6545eb0ad --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 15fcacb3..f051b9a0 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -9,7 +9,6 @@ dump_stm sysfs_spi dir b/268147283 dump_trusty radio_vendor_data_file file b/269045042 dumpstate app_zygote process b/238263438 dumpstate hal_input_processor_default process b/238143262 -dumpstate system_data_file dir b/264483156 hal_drm_default default_prop file b/232714489 hal_dumpstate_default dump_lsi process b/269045042 hal_dumpstate_default dump_thermal process b/270247432 From 893d8ddff7f4eb0018c5248384ac42a3c5c9e259 Mon Sep 17 00:00:00 2001 
From: Enzo Liao Date: Fri, 10 Mar 2023 15:20:15 +0800 Subject: [PATCH 774/921] SSRestarDetector: modify the SELinux policy to allow access files owned by system for Whitechapel. It needs to access a file pushed by hosts of test suites (details: http://go/pd-client-for-lab#heading=h.wtp07hbqvwgx) Bug: 234359369 Design: http://go/pd-client-for-lab Test: manual (http://b/271555983#comment3) Change-Id: I1c9544ca2ebe1857c439f00c4589f739aca8e157 --- whitechapel/vendor/google/ssr_detector.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te index 934028e1..f27fcc5b 100644 --- a/whitechapel/vendor/google/ssr_detector.te +++ b/whitechapel/vendor/google/ssr_detector.te @@ -4,7 +4,8 @@ app_domain(ssr_detector_app) allow ssr_detector_app app_api_service:service_manager find; allow ssr_detector_app radio_service:service_manager find; -allow ssr_detector_app system_app_data_file:dir r_dir_perms; +allow ssr_detector_app system_app_data_file:dir create_dir_perms; +allow ssr_detector_app system_app_data_file:file create_file_perms; allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; From 4d9aa0b28f2e1d7caf73c4f8b4520467382059e9 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 21 Mar 2023 12:41:23 +0800 Subject: [PATCH 775/921] use devfreq dump from gs-common Bug: 273380985 Test: adb bugreport Change-Id: I0ea6767fd7640c2ee1be66f659f94c15cb4766cd --- whitechapel/vendor/google/file.te | 5 ----- whitechapel/vendor/google/genfs_contexts | 13 ------------- whitechapel/vendor/google/hal_dumpstate_default.te | 3 --- 3 files changed, 21 deletions(-) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index b6248205..0a615415 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te 
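Review bot: The two replacement lines in ssr_detector.te widen `ssr_detector_app` from `r_dir_perms` on `system_app_data_file` directories to `create_dir_perms` on directories plus `create_file_perms` on files of that type, on every build variant, while the commit message describes the need as accessing one file pushed by a test-suite host. `system_app_data_file` looks like the label shared by system apps' data (inferred from the name), so the detector can now create, modify and delete files there, not just read the pushed one. If reading is enough, keep `dir r_dir_perms` and add only `allow ssr_detector_app system_app_data_file:file r_file_perms;`. If the lab flow needs writes, put both rules inside `userdebug_or_eng(...)` as hal_dumpstate_default.te in this series does, or give the pushed file its own type.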
@@ -32,8 +32,6 @@ type vendor_votable_debugfs, fs_type, debugfs_type; type vendor_battery_debugfs, fs_type, debugfs_type; # Exynos sysfs -type sysfs_exynos_bts, sysfs_type, fs_type; -type sysfs_exynos_bts_stats, sysfs_type, fs_type; type sysfs_ota, sysfs_type, fs_type; # Exynos Firmware @@ -133,9 +131,6 @@ type sysfs_spi, sysfs_type, fs_type; # Battery type persist_battery_file, file_type, vendor_persist_type; -# CPU -type sysfs_cpu, sysfs_type, fs_type; - # Fabric type sysfs_fabric, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 1c6c211e..59e5b2f9 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -591,22 +591,9 @@ genfscon sysfs /devices/platform/acpm_stats genfscon sysfs /devices/platform/10d40000.spi/spi_master u:object_r:sysfs_spi:s0 -# Exynos -genfscon sysfs /devices/platform/exynos-bts u:object_r:sysfs_exynos_bts:s0 -genfscon sysfs /devices/platform/exynos-bts/bts_stats u:object_r:sysfs_exynos_bts_stats:s0 - # CPU -genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/cpupm/cpupm/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/time_in_state u:object_r:sysfs_cpu:s0 genfscon sysfs /devices/platform/1c500000.mali/time_in_state u:object_r:sysfs_cpu:s0 genfscon sysfs /devices/platform/1c500000.mali/uid_time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/time_in_state u:object_r:sysfs_cpu:s0 genfscon sysfs /devices/system/chip-id/unique_id u:object_r:sysfs_soc:s0 genfscon sysfs /devices/soc0/machine u:object_r:sysfs_soc:s0 diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te index 86e5f6de..6ef848c7 100644 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ b/whitechapel/vendor/google/hal_dumpstate_default.te 
@@ -1,6 +1,3 @@ -allow hal_dumpstate_default sysfs_exynos_bts:dir search; -allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms; - allow hal_dumpstate_default sysfs_bcmdhd:dir search; allow hal_dumpstate_default sysfs_bcmdhd:file r_file_perms; From cb6bad65e7f05b4b2bf840a3b654d1eeea4505a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Wagner?= Date: Tue, 27 Dec 2022 08:55:27 +0000 Subject: [PATCH 776/921] Update Mali DDK to r40 : Additional SELinux settings Expose DDK's dynamic configuration options through the Android Sysprop interface, following recommendations from Arm's Android Integration Manual. Bug: 261718474 (cherry picked from commit 74d31a156821c8f7f2c1bf263ab36ddea6ebfc05) Merged-In: I5c69a8bafe3a4c738c124facb1f437ec721cc3ea Change-Id: I7e6734cb79b38898eb65a0194b37381a1367fc36 --- whitechapel/vendor/google/domain.te | 4 ++++ whitechapel/vendor/google/property.te | 4 ++++ whitechapel/vendor/google/property_contexts | 3 +++ whitechapel/vendor/google/vendor_init.te | 4 ++++ 4 files changed, 15 insertions(+) diff --git a/whitechapel/vendor/google/domain.te b/whitechapel/vendor/google/domain.te index fd876e09..ad32036f 100644 --- a/whitechapel/vendor/google/domain.te +++ b/whitechapel/vendor/google/domain.te @@ -1,2 +1,6 @@ allow {domain -appdomain -rs} proc_vendor_sched:dir r_dir_perms; allow {domain -appdomain -rs} proc_vendor_sched:file w_file_perms; + +# Mali +get_prop(domain, vendor_arm_runtime_option_prop) + diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index cec78c3a..0c34c631 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -56,3 +56,7 @@ system_vendor_config_prop(vendor_uwb_calibration_prop) # Trusty storage FS ready vendor_internal_prop(vendor_trusty_storage_prop) + +# Mali Integration +vendor_public_prop(vendor_arm_runtime_option_prop) + 
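Review bot: `get_prop(domain, vendor_arm_runtime_option_prop)` in domain.te gives every domain, app domains included, read access to the whole `vendor.mali.` prefix, which the property_contexts entry in this commit describes as "configuration and debug options". The rule carries only the comment `# Mali`, so a later reader cannot tell whether the domain-wide grant is deliberate. I would replace it with something like `# libmali reads vendor.mali.* in-process, so every domain that links it needs get_prop`. If the debug options do not have to be visible to apps, a second, narrower type for them would keep this grant to the runtime options alone; that depends on how the driver reads them, which is not visible here.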
diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 8a3f95dc..d952d5d3 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -99,3 +99,6 @@ ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibratio # Trusty ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 + +# Mali GPU driver configuration and debug options +vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 8ebe5e52..928bc021 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -41,3 +41,7 @@ set_prop(vendor_init, vendor_display_prop) # Trusty storage FS ready get_prop(vendor_init, vendor_trusty_storage_prop) + +# Mali +set_prop(vendor_init, vendor_arm_runtime_option_prop) + From d678ee322642eeb99b1d5fd66677b13fb74492a5 Mon Sep 17 00:00:00 2001 From: Kris Chen Date: Tue, 21 Mar 2023 20:18:28 +0800 Subject: [PATCH 777/921] Allow fingerprint hal to read sysfs_leds Fix the following avc denials: avc: denied { search } for name="backlight" dev="sysfs" ino=79316 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1 avc: denied { read } for name="state" dev="sysfs" ino=79365 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file permissive=1 Bug: 271072126 Test: Authenticate fingerprint. Change-Id: I67f5502bc7b4b1d6e14cf493f1bc6575980bcd0d --- whitechapel/vendor/google/hal_fingerprint_default.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te index aee24633..69549701 100644 --- a/whitechapel/vendor/google/hal_fingerprint_default.te +++ b/whitechapel/vendor/google/hal_fingerprint_default.te 
@@ -33,3 +33,7 @@ allow hal_fingerprint_default sysfs_trusty:file rw_file_perms; # Allow fingerprint to access display hal allow hal_fingerprint_default hal_pixel_display_service:service_manager find; binder_call(hal_fingerprint_default, hal_graphics_composer_default) + +# allow fingerprint to read sysfs_leds +allow hal_fingerprint_default sysfs_leds:file r_file_perms; +allow hal_fingerprint_default sysfs_leds:dir r_dir_perms; From e7ea94d8e1bc2cbae2e774247f62617d56e7f417 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 24 Mar 2023 13:52:34 +0800 Subject: [PATCH 778/921] Move cma dump to itself Bug: 273380985 Test: adb bugreport Change-Id: I40ecb631c7fbbea216f5c56857b92152c997e466 --- whitechapel/vendor/google/dump_gs101.te | 5 +++++ whitechapel/vendor/google/file_contexts | 1 + 2 files changed, 6 insertions(+) create mode 100644 whitechapel/vendor/google/dump_gs101.te diff --git a/whitechapel/vendor/google/dump_gs101.te b/whitechapel/vendor/google/dump_gs101.te new file mode 100644 index 00000000..8192ce33 --- /dev/null +++ b/whitechapel/vendor/google/dump_gs101.te @@ -0,0 +1,5 @@ +pixel_bugreport(dump_gs101) +allow dump_gs101 sysfs_pixel_stat:dir r_dir_perms; +allow dump_gs101 sysfs_pixel_stat:file r_file_perms; +allow dump_gs101 vendor_toolbox_exec:file execute_no_trans; + diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index aa0f2f78..662c143b 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -17,6 +17,7 @@ /(vendor|system/vendor)/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0 /vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0 +/vendor/bin/dump/dump_gs101.sh u:object_r:dump_gs101_exec:s0 # # HALs From 2bd6ae14f355640d8a142e3757d581c54fd9f1ab Mon Sep 17 00:00:00 2001 
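Review bot: The directory rule in hal_fingerprint_default.te grants more than the denials in the commit message show: the logged denial on `sysfs_leds` directories is `search` only, while `r_dir_perms` also allows opening and listing them. Unless the HAL enumerates the backlight directory, `allow hal_fingerprint_default sysfs_leds:dir search;` covers the logged access. The file rule is fine as `r_file_perms`, since a read of `state` also needs open and getattr. The denials were captured with `permissive=1`, so it is worth re-running the authentication test in enforcing mode with the narrower rule.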
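Review bot: The new file_contexts entry `/vendor/bin/dump/dump_gs101.sh` leaves the dot unescaped, and file_contexts paths are regular expressions, so it matches any character in that position. The context line just above it escapes the dot (`libgpudataproducer\.so`). I would write the path as `/vendor/bin/dump/dump_gs101\.sh` so that only the intended script is labelled `dump_gs101_exec`.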
From: chenkris Date: Fri, 24 Mar 2023 04:15:14 +0000 Subject: [PATCH 779/921] Remove tracking_denials/hal_fingerprint_default.te Bug: 187015705 Bug: 183338543 Test: build and test fingerprint on device. Test: no fingerprint avc denials in logcat. Change-Id: I1dde2c0d8c8ab2610c2b8147c15ac5c9f813345a --- tracking_denials/hal_fingerprint_default.te | 9 --------- 1 file changed, 9 deletions(-) delete mode 100644 tracking_denials/hal_fingerprint_default.te diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te deleted file mode 100644 index 9a2d37e5..00000000 --- a/tracking_denials/hal_fingerprint_default.te +++ /dev/null @@ -1,9 +0,0 @@ -# b/183338543 -dontaudit hal_fingerprint_default system_data_root_file:file { read }; -dontaudit hal_fingerprint_default default_prop:file { getattr }; -dontaudit hal_fingerprint_default default_prop:file { map }; -dontaudit hal_fingerprint_default default_prop:file { open }; -dontaudit hal_fingerprint_default default_prop:file { read }; -dontaudit hal_fingerprint_default system_data_root_file:file { open }; -# b/187015705 -dontaudit hal_fingerprint_default property_socket:sock_file write; From 5bfe1bdd6d554d8ec1d9b95d9c2821df5e169137 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 27 Mar 2023 10:37:02 +0800 Subject: [PATCH 780/921] Move camera text dump to dump_gs101 Bug: 273380985 Test: adb bugreport Change-Id: Iba138e608885a1215515ec8cc5f5e997dfcfcf3f --- whitechapel/vendor/google/dump_gs101.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/dump_gs101.te b/whitechapel/vendor/google/dump_gs101.te index 8192ce33..7c10cd68 100644 --- a/whitechapel/vendor/google/dump_gs101.te +++ b/whitechapel/vendor/google/dump_gs101.te 
@@ -3,3 +3,6 @@ allow dump_gs101 sysfs_pixel_stat:dir r_dir_perms; allow dump_gs101 sysfs_pixel_stat:file r_file_perms; allow dump_gs101 vendor_toolbox_exec:file execute_no_trans; +allow dump_gs101 vendor_camera_data_file:dir r_dir_perms; +allow dump_gs101 vendor_camera_data_file:file r_file_perms; + From 7cc3817f71007ac547b6b763b798114fd2b2f4ef Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 28 Mar 2023 14:52:04 +0800 Subject: [PATCH 781/921] Move power dump text section out of hal_dumpstate_default Bug: 273380985 Test: adb bugreport Change-Id: I77b59ea719055972429b2b8a1349e52e0e1fe395 --- whitechapel/vendor/google/dump_gs101.te | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/dump_gs101.te b/whitechapel/vendor/google/dump_gs101.te index 7c10cd68..a624ee96 100644 --- a/whitechapel/vendor/google/dump_gs101.te +++ b/whitechapel/vendor/google/dump_gs101.te 
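Review bot: The two `vendor_camera_data_file` rules added to dump_gs101.te are unconditional, so the dump script can read that data on user builds as well as on userdebug and eng. Elsewhere on this page the type is mapped to `/data/vendor/camera(/.*)?` and the old hal_dumpstate_default rule is commented "camera debugging dump file access". If the directory can hold anything beyond text logs, consider wrapping the rules in `userdebug_or_eng`, as the debugfs rules in the following patch are. Otherwise a comment such as `# camera text dumps under /data/vendor/camera, collected into bugreports` would record why the access is needed.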
@@ -2,7 +2,30 @@ pixel_bugreport(dump_gs101) allow dump_gs101 sysfs_pixel_stat:dir r_dir_perms; allow dump_gs101 sysfs_pixel_stat:file r_file_perms; allow dump_gs101 vendor_toolbox_exec:file execute_no_trans; - allow dump_gs101 vendor_camera_data_file:dir r_dir_perms; allow dump_gs101 vendor_camera_data_file:file r_file_perms; +allow dump_gs101 sysfs_acpm_stats:dir r_dir_perms; +allow dump_gs101 sysfs_acpm_stats:file r_file_perms; +allow dump_gs101 sysfs_batteryinfo:dir r_dir_perms; +allow dump_gs101 sysfs_bcl:dir r_dir_perms; +allow dump_gs101 sysfs_bcl:file r_file_perms; +allow dump_gs101 sysfs_cpu:file r_file_perms; +allow dump_gs101 logbuffer_device:chr_file r_file_perms; +allow dump_gs101 sysfs_batteryinfo:file r_file_perms; +allow dump_gs101 sysfs:dir r_dir_perms; +allow dump_gs101 sysfs_wlc:dir r_dir_perms; +allow dump_gs101 sysfs_wlc:file r_file_perms; +userdebug_or_eng(` + allow dump_gs101 vendor_battery_debugfs:dir r_dir_perms; + allow dump_gs101 vendor_battery_debugfs:file r_file_perms; + allow dump_gs101 vendor_charger_debugfs:dir r_dir_perms; + allow dump_gs101 vendor_charger_debugfs:file r_file_perms; + allow dump_gs101 vendor_pm_genpd_debugfs:file r_file_perms; + allow dump_gs101 vendor_usb_debugfs:dir r_dir_perms; + allow dump_gs101 vendor_usb_debugfs:file r_file_perms; + allow dump_gs101 debugfs:dir r_dir_perms; + allow dump_gs101 vendor_maxfg_debugfs:dir r_dir_perms; + allow dump_gs101 vendor_votable_debugfs:dir r_dir_perms; + allow dump_gs101 vendor_votable_debugfs:file r_file_perms; +') From 28afe7393f5cd36158262c7b604f30e6d21dac39 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 24 Mar 2023 11:11:57 +0800 Subject: [PATCH 782/921] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 275002227 Change-Id: If2133d83efbfa00ee9643a25047f465c60d2d3c4 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 979cfabb..419ffd2a 100644 
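Review bot: `allow dump_gs101 sysfs:dir r_dir_perms;` and, inside the `userdebug_or_eng` block, `allow dump_gs101 debugfs:dir r_dir_perms;` are written against the generic `sysfs` and `debugfs` labels, while every other rule in the hunk names a specific type. If the script only traverses these directories to reach labelled nodes, `search` is enough, e.g. `allow dump_gs101 sysfs:dir search;`. If it really lists an unlabelled directory, a comment naming the path would let a later change label it instead. Separately, `vendor_maxfg_debugfs` receives a `dir` rule but no `file` rule, unlike the battery, charger, usb and votable types beside it; please confirm that is intended.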
--- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -8,6 +8,8 @@ dumpstate app_zygote process b/238263438 dumpstate hal_input_processor_default process b/238143262 dumpstate system_data_file dir b/264483156 dumpstate system_data_file dir b/264483673 +hal_camera_default boot_status_prop file b/275002227 +hal_camera_default edgetpu_app_service service_manager b/275002227 hal_drm_default default_prop file b/232714489 hal_dumpstate_default dump_lsi process b/269045042 hal_dumpstate_default dump_thermal process b/270247432 From accb299d5d8042b27189836ddee72f2f788032d3 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 31 Mar 2023 10:55:58 +0800 Subject: [PATCH 783/921] Update SELinux error Test: scanBugreport Bug: 276385941 Change-Id: I54627db892f95ac7ee6e9b08762b7a72793d4a00 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 979cfabb..aa3c13c1 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -2,6 +2,8 @@ dump_lsi radio_vendor_data_file file b/269218638 dump_lsi vendor_slog_file file b/269218638 dump_modem radio_vendor_data_file file b/269370106 dump_pixel_metrics sysfs file b/268411073 +dump_ramdump radio_vendor_data_file file b/276385941 +dump_ramdump vendor_camera_data_file file b/276385941 dump_stm sysfs_spi dir b/268147283 dump_trusty radio_vendor_data_file file b/269045042 dumpstate app_zygote process b/238263438 From a55bb8682ce605763fc04aab0e550dc04f3b0df0 Mon Sep 17 00:00:00 2001 From: Victor Liu Date: Thu, 27 Oct 2022 12:22:27 -0700 Subject: [PATCH 784/921] uwb: add permission for ccc ranging Bug: 255649425 Change-Id: I05aac586146bf25569b5f6251d2fd62b921631be --- whitechapel/vendor/google/hal_nfc_default.te | 1 + whitechapel/vendor/google/property.te | 2 ++ whitechapel/vendor/google/property_contexts | 1 + whitechapel/vendor/google/uwb_vendor_app.te | 3 +++ 4 files changed, 7 insertions(+) 
diff --git a/whitechapel/vendor/google/hal_nfc_default.te b/whitechapel/vendor/google/hal_nfc_default.te index 247ca3d7..56b6e2e2 100644 --- a/whitechapel/vendor/google/hal_nfc_default.te +++ b/whitechapel/vendor/google/hal_nfc_default.te @@ -13,3 +13,4 @@ allow hal_nfc_default uwb_data_vendor:file r_file_perms; # allow nfc to read uwb calibration file get_prop(hal_nfc_default, vendor_uwb_calibration_prop) +get_prop(hal_nfc_default, vendor_uwb_calibration_country_code) diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 0c34c631..58fd5dbb 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -53,6 +53,8 @@ vendor_internal_prop(vendor_dynamic_sensor_prop) # UWB calibration system_vendor_config_prop(vendor_uwb_calibration_prop) +# Country code must be vendor_public to be written by UwbVendorService and read by NFC HAL +vendor_internal_prop(vendor_uwb_calibration_country_code) # Trusty storage FS ready vendor_internal_prop(vendor_trusty_storage_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index d952d5d3..272b086d 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -96,6 +96,7 @@ vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor # uwb ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string +vendor.uwb.calibration.country_code u:object_r:vendor_uwb_calibration_country_code:s0 exact string # Trusty ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 diff --git a/whitechapel/vendor/google/uwb_vendor_app.te b/whitechapel/vendor/google/uwb_vendor_app.te index 68edcb1b..9db45475 100644 --- a/whitechapel/vendor/google/uwb_vendor_app.te +++ b/whitechapel/vendor/google/uwb_vendor_app.te 
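Review bot: The comment added in property.te says the country code "must be vendor_public", but the line below it declares `vendor_internal_prop(vendor_uwb_calibration_country_code)`. One of the two is wrong, and a reader cannot tell which from the hunk. If both the writer (`uwb_vendor_app`) and the reader (`hal_nfc_default`) are vendor domains, as their location in this policy directory suggests, the internal type is the tighter choice and the comment should change, e.g. `# Country code: written by UwbVendorService, read by the NFC HAL (both vendor domains)`.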
@@ -15,7 +15,10 @@ allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; allow hal_uwb_vendor_default self:global_capability_class_set { sys_nice }; allow hal_uwb_vendor_default kernel:process { setsched }; +# UwbVendorService must be able to read USRA version from vendor_secure_element_prop get_prop(uwb_vendor_app, vendor_secure_element_prop) +# UwbVendorService must be able to write country code prop +set_prop(uwb_vendor_app, vendor_uwb_calibration_country_code) binder_call(uwb_vendor_app, hal_uwb_vendor_default) ') From 78386038280d7a059493d811ed2bcd5a08a6e228 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 31 Mar 2023 12:57:10 +0000 Subject: [PATCH 785/921] Use restricted vendor property for ARM runtime options They need to be read by everything that links with libmali, but we don't expect anybody to actually write to them. Bug: b/272740524 Test: CtsDeqpTestCases (dEQP-VK.protected_memory.stack.stacksize_*) Change-Id: I963fb55fb92ef5f91426dbec913c901e58cacf64 --- whitechapel/vendor/google/property.te | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 0c34c631..c1884200 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -58,5 +58,4 @@ system_vendor_config_prop(vendor_uwb_calibration_prop) vendor_internal_prop(vendor_trusty_storage_prop) # Mali Integration -vendor_public_prop(vendor_arm_runtime_option_prop) - +vendor_restricted_prop(vendor_arm_runtime_option_prop) From 391f954d5d6fe39547e5984e006b96565c93aba4 Mon Sep 17 00:00:00 2001 
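Review bot: The commit message for property.te says nobody is expected to write these properties, but as far as I know `vendor_restricted_prop` only prevents writes from outside vendor policy. A later vendor rule could still add `set_prop` for `vendor_arm_runtime_option_prop`, which every domain reads through the `get_prop(domain, ...)` rule added in PATCH 776. A build-time assertion next to the declaration would pin the intent: `neverallow { domain -init -vendor_init } vendor_arm_runtime_option_prop:property_service set;`. `vendor_init` is excluded because it is the writer granted in vendor_init.te by that same patch.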
From: feiyuchen Date: Tue, 4 Apr 2023 21:31:28 +0000 Subject: [PATCH 786/921] Allow camera HAL to access edgetpu_app_service in gs101 We are seeing SELinux error b/276911450. It turns out that I only added the SE policy for 2023 device ag/22248613, but I forgot to add it for gs101 and gs201. So I created this CL. See more background in ag/22248613. Test: For gs201, I tested on my Pixel7 and I saw no more error. For gs101, I just did mm. Bug: 275016466 Bug: 276911450 Change-Id: I3d691128daa2d7115f80c378f7b42de334cd8ed5 --- whitechapel/vendor/google/hal_camera_default.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index d78cf7ad..07789692 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te @@ -23,6 +23,10 @@ allow hal_camera_default sysfs_edgetpu:dir r_dir_perms; allow hal_camera_default sysfs_edgetpu:file r_file_perms; allow hal_camera_default edgetpu_vendor_service:service_manager find; binder_call(hal_camera_default, edgetpu_vendor_server) +# Allow edgetpu_app_service as well, due to the EdgeTpu metrics logging +# library has a dependency on edgetpu_app_service, see b/275016466. +allow hal_camera_default edgetpu_app_service:service_manager find; +binder_call(hal_camera_default, edgetpu_app_server) # Allow access to data files used by the camera HAL allow hal_camera_default mnt_vendor_file:dir search; From 9539d15b4fd813f7a4feafbf1927d5a8d2d6f68f Mon Sep 17 00:00:00 2001 
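Review bot: This change to hal_camera_default.te allows the `edgetpu_app_service` lookup but leaves the matching tracking entry in place. PATCH 782 on this page added `hal_camera_default edgetpu_app_service service_manager b/275002227` to tracking_denials/bug_map, and the line still appears as context in PATCH 791. Removing it here would keep bug_map from attributing a future denial of this kind to a bug that has been resolved. The patches may come from different branches, so check the target branch first. The new comment explains the metrics dependency well. It would also help to note that the grant gives the camera HAL the app-facing EdgeTPU service as a whole, not only its logging path.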
From: Mike McTernan Date: Tue, 4 Apr 2023 22:59:45 +0100 Subject: [PATCH 787/921] confirmationui: Allow securedpud to access the systemsuspend HAL. In order to use a wakelock, securedpud needs access to binder and the system_suspend_service HAL. Bug: 274851247 Test: manual, trigger TUI and check for AVC denials Change-Id: Ibd27d32e092269f91d6557ebddcd27d4ccf1355a --- confirmationui/securedpud.slider.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/confirmationui/securedpud.slider.te b/confirmationui/securedpud.slider.te index fd553a30..e0d272f1 100644 --- a/confirmationui/securedpud.slider.te +++ b/confirmationui/securedpud.slider.te @@ -3,6 +3,8 @@ type securedpud_slider_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(securedpud_slider) +wakelock_use(securedpud_slider) + allow securedpud_slider dmabuf_heap_device:chr_file r_file_perms; allow securedpud_slider ion_device:chr_file r_file_perms; allow securedpud_slider tee_device:chr_file rw_file_perms; From 240c4351743a63c710645b55886bc33c24bcc382 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 29 Mar 2023 14:16:02 +0800 Subject: [PATCH 788/921] use dumpsate from gs-common Bug: 273380985 Test: adb bugreport Change-Id: I9092e2e004e3ad0b3667b948ed4d633cd50d088c --- whitechapel/vendor/google/file.te | 7 - whitechapel/vendor/google/file_contexts | 3 - .../vendor/google/hal_dumpstate_default.te | 153 ------------------ whitechapel/vendor/google/property.te | 4 - whitechapel/vendor/google/property_contexts | 2 - 5 files changed, 169 deletions(-) delete mode 100644 whitechapel/vendor/google/hal_dumpstate_default.te diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 0a615415..bae11314 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te 
@@ -101,7 +101,6 @@ type sysfs_pca, sysfs_type, fs_type; # Camera type persist_camera_file, file_type; type vendor_camera_tuning_file, vendor_file_type, file_type; -type vendor_camera_data_file, file_type, data_file_type; type sysfs_camera, sysfs_type, fs_type; # GPS @@ -172,11 +171,5 @@ type sysfs_trusty, sysfs_type, fs_type; # BootControl type sysfs_bootctl, sysfs_type, fs_type; -# Radio -type radio_vendor_data_file, file_type, data_file_type; -userdebug_or_eng(` - typeattribute radio_vendor_data_file mlstrustedobject; -') - # WLC type sysfs_wlc, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 662c143b..232d332f 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -161,7 +161,6 @@ /vendor/lib64/camera/slider_.*\.binarypb u:object_r:vendor_camera_tuning_file:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 -/data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0 /vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libGralloc4Wrapper\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/pixel-power-ext-V1-ndk\.so u:object_r:same_process_hal_file:s0 @@ -379,5 +378,3 @@ # Raw HID device /dev/hidraw[0-9]* u:object_r:hidraw_device:s0 -# Radio files. -/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te deleted file mode 100644 index 6ef848c7..00000000 --- a/whitechapel/vendor/google/hal_dumpstate_default.te +++ /dev/null 
@@ -1,153 +0,0 @@ -allow hal_dumpstate_default sysfs_bcmdhd:dir search; -allow hal_dumpstate_default sysfs_bcmdhd:file r_file_perms; - -allow hal_dumpstate_default sysfs_memory:file r_file_perms; -allow hal_dumpstate_default sysfs_cpu:file r_file_perms; - -binder_use(hal_dumpstate_default) -vndbinder_use(hal_dumpstate_default) - -allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms; -allow hal_dumpstate_default vendor_gps_file:file r_file_perms; - -allow hal_dumpstate_default sysfs_wlc:dir search; -allow hal_dumpstate_default sysfs_wlc:dir r_dir_perms; -allow hal_dumpstate_default sysfs_wlc:file r_file_perms; - -allow hal_dumpstate_default shell_data_file:file getattr; - -allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms; -allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms; - -# camera debugging dump file access -allow hal_dumpstate_default vendor_camera_data_file:dir r_dir_perms; -allow hal_dumpstate_default vendor_camera_data_file:file r_file_perms; - -# camera prop access -get_prop(hal_dumpstate_default, vendor_camera_debug_prop); - -allow hal_dumpstate_default vendor_log_file:dir search; - -allow hal_dumpstate_default vendor_dumpsys:file execute_no_trans; - -allow hal_dumpstate_default sysfs_acpm_stats:dir r_dir_perms; -allow hal_dumpstate_default sysfs_acpm_stats:file r_file_perms; - -allow hal_dumpstate_default sysfs_spi:dir search; -allow hal_dumpstate_default sysfs_spi:file rw_file_perms; - -allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms; - -allow hal_dumpstate_default sysfs_wifi:dir search; -allow hal_dumpstate_default sysfs_wifi:file r_file_perms; - -# Modem logs -allow hal_dumpstate_default modem_efs_file:dir search; -allow hal_dumpstate_default modem_efs_file:file r_file_perms; -allow hal_dumpstate_default vendor_slog_file:file r_file_perms; - -allow hal_dumpstate_default block_device:dir r_dir_perms; - -allow hal_dumpstate_default proc_f2fs:dir r_dir_perms; -allow 
hal_dumpstate_default proc_f2fs:file r_file_perms; - -allow hal_dumpstate_default sysfs_batteryinfo:dir search; -allow hal_dumpstate_default sysfs_batteryinfo:dir r_dir_perms; -allow hal_dumpstate_default sysfs_batteryinfo:file r_file_perms; - -allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans; -allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans; - -allow hal_dumpstate_default proc_vendor_sched:file read; -allow hal_dumpstate_default proc_vendor_sched:dir r_dir_perms; -allow hal_dumpstate_default proc_vendor_sched:file r_file_perms; - -userdebug_or_eng(` - allow hal_dumpstate_default mnt_vendor_file:dir search; -') - -get_prop(hal_dumpstate_default, vendor_gps_prop) -set_prop(hal_dumpstate_default, vendor_modem_prop) -get_prop(hal_dumpstate_default, vendor_rild_prop) -set_prop(hal_dumpstate_default, vendor_logger_prop) - -userdebug_or_eng(` - allow hal_dumpstate_default vendor_ion_debugfs:dir r_dir_perms; - allow hal_dumpstate_default vendor_ion_debugfs:file r_file_perms; - - allow hal_dumpstate_default sysfs_pixel_stat:dir r_dir_perms; - allow hal_dumpstate_default sysfs_pixel_stat:file r_file_perms; - - allow hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms; - - allow hal_dumpstate_default vendor_usb_debugfs:dir r_dir_perms; - allow hal_dumpstate_default vendor_usb_debugfs:file r_file_perms; - - allow hal_dumpstate_default vendor_regmap_debugfs:dir r_dir_perms; - allow hal_dumpstate_default vendor_regmap_debugfs:file r_file_perms; - - allow hal_dumpstate_default vendor_maxfg_debugfs:dir search; - allow hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms; - - allow hal_dumpstate_default sysfs_vendor_metrics:dir search; - allow hal_dumpstate_default sysfs_vendor_metrics:file r_file_perms; - - allow hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms; - allow hal_dumpstate_default vendor_charger_debugfs:file r_file_perms; - - allow hal_dumpstate_default debugfs:dir r_dir_perms; - allow 
hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms; - allow hal_dumpstate_default vendor_battery_debugfs:file r_file_perms; - - allow hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms; - allow hal_dumpstate_default vendor_votable_debugfs:file r_file_perms; - - allow hal_dumpstate_default sysfs_bcl:dir r_dir_perms; - allow hal_dumpstate_default sysfs_bcl:file r_file_perms; - allow hal_dumpstate_default sysfs_bcl:lnk_file read; - allow hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms; - allow hal_dumpstate_default tcpdump_vendor_data_file:file create_file_perms; - - set_prop(hal_dumpstate_default, vendor_tcpdump_log_prop) -') - -dontaudit hal_dumpstate_default vendor_ion_debugfs:dir r_dir_perms; -dontaudit hal_dumpstate_default vendor_ion_debugfs:file r_file_perms; - -dontaudit hal_dumpstate_default sysfs_pixel_stat:dir r_dir_perms; -dontaudit hal_dumpstate_default sysfs_pixel_stat:file r_file_perms; - -dontaudit hal_dumpstate_default sysfs_vendor_metrics:dir search; -dontaudit hal_dumpstate_default sysfs_vendor_metrics:file r_file_perms; - -dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms; - -dontaudit hal_dumpstate_default vendor_usb_debugfs:dir r_dir_perms; -dontaudit hal_dumpstate_default vendor_usb_debugfs:file r_file_perms; - -dontaudit hal_dumpstate_default vendor_regmap_debugfs:dir r_dir_perms; -dontaudit hal_dumpstate_default vendor_regmap_debugfs:file r_file_perms; - -dontaudit hal_dumpstate_default vendor_maxfg_debugfs:dir search; -dontaudit hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms; - -dontaudit hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms; -dontaudit hal_dumpstate_default vendor_charger_debugfs:file r_file_perms; - -dontaudit hal_dumpstate_default debugfs:dir r_dir_perms; -dontaudit hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms; -dontaudit hal_dumpstate_default vendor_battery_debugfs:file r_file_perms; - -dontaudit hal_dumpstate_default 
vendor_votable_debugfs:dir r_dir_perms; -dontaudit hal_dumpstate_default vendor_votable_debugfs:file r_file_perms; - -dontaudit hal_dumpstate_default mnt_vendor_file:dir r_dir_perms; - -dontaudit hal_dumpstate_default sysfs_bcl:dir r_dir_perms; -dontaudit hal_dumpstate_default sysfs_bcl:file r_file_perms; - -dontaudit hal_dumpstate_default rootfs:dir r_dir_perms; - -dontaudit hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms; -dontaudit hal_dumpstate_default tcpdump_vendor_data_file:file create_file_perms; -dontaudit hal_dumpstate_default vendor_tcpdump_log_prop:file r_file_perms; diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 58fd5dbb..2255c49c 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -17,7 +17,6 @@ vendor_internal_prop(vendor_persist_sys_default_prop) vendor_internal_prop(vendor_codec2_debug_prop) vendor_internal_prop(vendor_display_prop) vendor_internal_prop(vendor_camera_prop) -vendor_internal_prop(vendor_camera_debug_prop) vendor_internal_prop(vendor_camera_fatp_prop) vendor_internal_prop(vendor_gps_prop) @@ -30,9 +29,6 @@ vendor_internal_prop(vendor_battery_profile_prop) # hal_health vendor_internal_prop(vendor_shutdown_prop) -# Logger -vendor_internal_prop(vendor_logger_prop) - # NFC vendor_internal_prop(vendor_nfc_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 272b086d..4c01239d 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -27,7 +27,6 @@ vendor.usb. u:object_r:vendor_usb_config_prop:s0 # for logger app vendor.pixellogger. u:object_r:vendor_logger_prop:s0 persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 -persist.vendor.verbose_logging_enabled u:object_r:vendor_logger_prop:s0 # for cbd vendor.cbd. u:object_r:vendor_cbd_prop:s0 
@@ -53,7 +52,6 @@ persist.vendor.display. u:object_r:vendor_display_prop:s0 # for camera persist.vendor.camera. u:object_r:vendor_camera_prop:s0 vendor.camera. u:object_r:vendor_camera_prop:s0 -vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s0 vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0 # for gps From 816622f35218b73827abce52efb72e4525aeaa86 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 7 Apr 2023 14:56:08 +0800 Subject: [PATCH 789/921] Update error on ROM 9891405 Bug: 277155042 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: Ic2129188db52ec85a8afaf92c507a42695e82804 --- tracking_denials/dumpstate.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index ffb8518c..7f51e2b5 100644 --- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te @@ -1,2 +1,4 @@ # b/185723618 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; +# b/277155042 +dontaudit dumpstate default_android_service:service_manager { find }; From c41cb55d4ffa6726c7caa15738fd9b6e10a27655 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 10 Apr 2023 11:02:52 +0800 Subject: [PATCH 790/921] Update SELinux error Test: scanBugreport Bug: 277528855 Change-Id: Ia59cd4045433f2e82a602672fe533e27e87b0275 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 0279d66c..2c22c60c 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -4,6 +4,8 @@ dump_modem radio_vendor_data_file file b/269370106 dump_pixel_metrics sysfs file b/268411073 dump_ramdump radio_vendor_data_file file b/276385941 dump_ramdump vendor_camera_data_file file b/276385941 +dump_sensors radio_vendor_data_file file b/277528855 +dump_sensors vendor_camera_data_file file b/277528855 dump_stm sysfs_spi dir b/268147283 dump_trusty radio_vendor_data_file file b/269045042 dumpstate app_zygote process b/238263438 
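Review bot: The new `dontaudit dumpstate default_android_service:service_manager { find };` in tracking_denials/dumpstate.te suppresses the denial against the fallback service label, not against a specific service. A denial on `default_android_service` usually means some service has no service_contexts entry, and this rule silences that signal for every such service dumpstate looks up, now and later. I would name the unlabelled service in the comment, e.g. `# b/277155042: <service name> has no service_contexts entry yet`, and remove the rule once the service is labelled.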
From b2c082f631ebca849abe37ca33168f4d228fbb6c Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 11 Apr 2023 03:48:08 +0000 Subject: [PATCH 791/921] Remove obsolete entries Bug: 270080367 Bug: 270080367 Bug: 269218638 Bug: 269964913 Bug: 269218638 Bug: 269370106 Bug: 268411073 Bug: 276385941 Bug: 276385941 Bug: 277528855 Bug: 277528855 Bug: 268147283 Bug: 269045042 Bug: 238263438 Bug: 238143262 Bug: 264483156 Bug: 264483673 Bug: 275002227 Bug: 275002227 Bug: 232714489 Bug: 269045042 Bug: 270247432 Bug: 240632824 Bug: 238263568 Bug: 268146971 Bug: 185723618 Bug: 277155042 Test: adb bugreport Change-Id: If99cfe07ec85c285d2acdc712d5120c7ee6f06d9 --- tracking_denials/bug_map | 19 ------------------- tracking_denials/dumpstate.te | 4 ---- 2 files changed, 23 deletions(-) delete mode 100644 tracking_denials/dumpstate.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index f6da4dfa..d5e1bf3b 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -1,25 +1,6 @@ -dump_aoc radio_vendor_data_file file b/270080367 -dump_aoc vendor_camera_data_file file b/270080367 -dump_lsi radio_vendor_data_file file b/269218638 -dump_lsi vendor_camera_data_file file b/269964913 -dump_lsi vendor_slog_file file b/269218638 -dump_modem radio_vendor_data_file file b/269370106 -dump_pixel_metrics sysfs file b/268411073 -dump_ramdump radio_vendor_data_file file b/276385941 -dump_ramdump vendor_camera_data_file file b/276385941 -dump_sensors radio_vendor_data_file file b/277528855 -dump_sensors vendor_camera_data_file file b/277528855 -dump_stm sysfs_spi dir b/268147283 -dump_trusty radio_vendor_data_file file b/269045042 -dumpstate app_zygote process b/238263438 -dumpstate hal_input_processor_default process b/238143262 -dumpstate system_data_file dir b/264483156 -dumpstate system_data_file dir b/264483673 hal_camera_default boot_status_prop file b/275002227 hal_camera_default edgetpu_app_service service_manager b/275002227 hal_drm_default default_prop file b/232714489 -hal_dumpstate_default dump_lsi process b/269045042 -hal_dumpstate_default dump_thermal process b/270247432 hal_power_default hal_power_default capability b/240632824 incidentd debugfs_wakeup_sources file b/238263568 incidentd incidentd anon_inode b/268146971 diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te deleted file mode 100644 index 7f51e2b5..00000000 --- a/tracking_denials/dumpstate.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/185723618 -dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; -# b/277155042 -dontaudit dumpstate default_android_service:service_manager { find }; From b46b936df8f77905f15d47f3a4e5e51b21d0d849 Mon Sep 17 00:00:00 2001 
From: Mike McTernan Date: Tue, 4 Apr 2023 22:59:45 +0100 Subject: [PATCH 792/921] confirmationui: Allow securedpud to access the systemsuspend HAL. In order to use a wakelock, securedpud needs access to binder and the system_suspend_service HAL. Bug: 274851247 Test: manual, trigger TUI and check for AVC denials Change-Id: Ibd27d32e092269f91d6557ebddcd27d4ccf1355a --- confirmationui/securedpud.slider.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/confirmationui/securedpud.slider.te b/confirmationui/securedpud.slider.te index fd553a30..e0d272f1 100644 --- a/confirmationui/securedpud.slider.te +++ b/confirmationui/securedpud.slider.te @@ -3,6 +3,8 @@ type securedpud_slider_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(securedpud_slider) +wakelock_use(securedpud_slider) + allow securedpud_slider dmabuf_heap_device:chr_file r_file_perms; allow securedpud_slider ion_device:chr_file r_file_perms; allow securedpud_slider tee_device:chr_file rw_file_perms; From 69f0507e294dac6c68f3e7cc61ef682c01c21c2b Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 11 Apr 2023 11:30:57 +0800 Subject: [PATCH 793/921] Remove obsolete entries Bug: 269218638 Bug: 269218638 Bug: 269370106 Bug: 268411073 Bug: 276385941 Bug: 276385941 Bug: 268147283 Bug: 269045042 Bug: 238263438 Bug: 238143262 Bug: 264483156 Bug: 264483673 Bug: 269045042 Bug: 270247432 Test: adb bugreport Change-Id: I29268e10a370146b5d3405edfdec35645a3adc35 Merged-In: If99cfe07ec85c285d2acdc712d5120c7ee6f06d9 --- tracking_denials/bug_map | 16 ---------------- tracking_denials/dumpstate.te | 4 ---- 2 files changed, 20 deletions(-) delete mode 100644 tracking_denials/dumpstate.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 2c22c60c..1eb8c777 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
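Review bot: The new `wakelock_use(securedpud_slider)` line in confirmationui/securedpud.slider.te has no comment, so the reason for it lives only in the commit message. Per that message the macro brings binder and system suspend access to the secure display daemon, which is a different kind of grant from the device-node rules that follow it. A one-line comment would keep that visible to the next reader, e.g. `# wakelock while the trusted UI is active (b/274851247)`; the "while the TUI is active" part is my reading of the test line and should be confirmed. The rest of the file lies outside the hunk.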
@@ -1,22 +1,6 @@ -dump_lsi radio_vendor_data_file file b/269218638 -dump_lsi vendor_slog_file file b/269218638 -dump_modem radio_vendor_data_file file b/269370106 -dump_pixel_metrics sysfs file b/268411073 -dump_ramdump radio_vendor_data_file file b/276385941 -dump_ramdump vendor_camera_data_file file b/276385941 -dump_sensors radio_vendor_data_file file b/277528855 -dump_sensors vendor_camera_data_file file b/277528855 -dump_stm sysfs_spi dir b/268147283 -dump_trusty radio_vendor_data_file file b/269045042 -dumpstate app_zygote process b/238263438 -dumpstate hal_input_processor_default process b/238143262 -dumpstate system_data_file dir b/264483156 -dumpstate system_data_file dir b/264483673 hal_camera_default boot_status_prop file b/275002227 hal_camera_default edgetpu_app_service service_manager b/275002227 hal_drm_default default_prop file b/232714489 -hal_dumpstate_default dump_lsi process b/269045042 -hal_dumpstate_default dump_thermal process b/270247432 hal_power_default hal_power_default capability b/240632824 incidentd debugfs_wakeup_sources file b/238263568 incidentd incidentd anon_inode b/268146971 diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te deleted file mode 100644 index 7f51e2b5..00000000 --- a/tracking_denials/dumpstate.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/185723618 -dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; -# b/277155042 -dontaudit dumpstate default_android_service:service_manager { find }; From e10e3380327b78a8ce17e5887d40fdeaa7a4199d Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Thu, 13 Apr 2023 09:34:11 +0800 Subject: [PATCH 794/921] Update error on ROM 9930000 Bug: 277989397 Bug: 277155042 Bug: 277989067 Test: scanBugreport Change-Id: I38a3f852e2f5f0f6895db15141825909361a267d --- tracking_denials/bug_map | 1 + tracking_denials/dumpstate.te | 4 ++++ tracking_denials/hal_dumpstate_default.te | 2 ++ 3 files changed, 7 insertions(+) create mode 100644 tracking_denials/dumpstate.te create mode 100644 tracking_denials/hal_dumpstate_default.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 1eb8c777..ed8da81d 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,3 +1,4 @@ +dump_stm sysfs_spi dir b/277989397 hal_camera_default boot_status_prop file b/275002227 hal_camera_default edgetpu_app_service service_manager b/275002227 hal_drm_default default_prop file b/232714489 diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te new file mode 100644 index 00000000..6025bd5d --- /dev/null +++ b/tracking_denials/dumpstate.te @@ -0,0 +1,4 @@ +# b/277155042 +dontaudit dumpstate app_zygote:process { signal }; +dontaudit dumpstate default_android_service:service_manager { find }; +dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te new file mode 100644 index 00000000..dbcd88e9 --- /dev/null +++ b/tracking_denials/hal_dumpstate_default.te @@ -0,0 +1,2 @@ +# b/277989067 +dontaudit hal_dumpstate_default vendor_shell_exec:file { execute_no_trans }; From 26e3d2abd0545f2eedae173d3457aa038170c5ac Mon Sep 17 00:00:00 2001 
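Review bot: In the new tracking_denials/dumpstate.te a single `# b/277155042` header sits above three unrelated `dontaudit` rules, so two of them lose their bug reference. The commit message lists three bugs, and the `hal_power_stats_vendor_service` rule carried `# b/185723618` in the version of this file that an earlier patch in the series deleted. Keep one bug line per rule, e.g. `# b/185723618` directly above the `hal_power_stats_vendor_service` line, so each suppression can be retired when its own bug closes. The later "Merged-In" variant of this change (PATCH 799) does keep the per-rule comments.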
From: jimsun Date: Fri, 17 Mar 2023 13:17:51 +0800 Subject: [PATCH 795/921] rild: allow rild to ptrace 06-20 18:47:41.940000 8708 8708 I auditd : type=1400 audit(0.0:7): avc: denied { ptrace } for comm="libmemunreachab" scontext=u:r:rild:s0 tcontext=u:r:rild:s0 tclass=process permissive=0 06-20 18:47:41.940000 8708 8708 W libmemunreachab: type=1400 audit(0.0:7): avc: denied { ptrace } for scontext=u:r:rild:s0 tcontext=u:r:rild:s0 tclass=process permissive=0 Bug: 263757077 Test: manual Change-Id: I35ad31e6cc4e2942c671e51720f28a9abce3dcca --- whitechapel/vendor/google/rild.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/whitechapel/vendor/google/rild.te b/whitechapel/vendor/google/rild.te index 2f1d8ff9..5108b452 100644 --- a/whitechapel/vendor/google/rild.te +++ b/whitechapel/vendor/google/rild.te @@ -35,3 +35,8 @@ add_hwservice(rild, hal_exynos_rild_hwservice) allow rild modem_img_file:dir r_dir_perms; allow rild modem_img_file:file r_file_perms; allow rild modem_img_file:lnk_file r_file_perms; + +# Allow rild to ptrace for memory leak detection +userdebug_or_eng(` +allow rild self:process ptrace; +') From 0f99f3e63450befc661d38827e9afc853ca9257a Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 6 Apr 2023 13:49:34 +0000 Subject: [PATCH 796/921] Add ArmNN config sysprops SELinux rules Bug: b/205202540 Test: manual - reboot device and check the absence of AVC denials Change-Id: I70c89dcc4b2bbe665d69cc4be1ac2f6cf8155a10 --- whitechapel/vendor/google/property.te | 3 +++ whitechapel/vendor/google/property_contexts | 3 +++ whitechapel/vendor/google/vendor_init.te | 2 ++ 3 files changed, 8 insertions(+) diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 934e13a9..34f17a70 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te 
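Review bot: The comment on the new block at the end of whitechapel/vendor/google/rild.te does not say that the grant is limited to debug builds, or which component triggers it. The denial quoted in the commit message shows comm `libmemunreachab` with rild as both source and target, and the rule is scoped to `self` inside `userdebug_or_eng`. Both limits are worth recording so that the rule is not widened or moved out of the guard later: `# libmemunreachable ptraces rild itself for leak detection; userdebug/eng only (b/263757077)`. Indenting the `allow` line inside the macro would also make the guard easier to see.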
@@ -57,3 +57,6 @@ vendor_internal_prop(vendor_trusty_storage_prop) # Mali Integration vendor_restricted_prop(vendor_arm_runtime_option_prop) + +# ArmNN configuration +vendor_internal_prop(vendor_armnn_config_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 4c01239d..17e9af59 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -101,3 +101,6 @@ ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage # Mali GPU driver configuration and debug options vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix + +# ArmNN configuration +ro.vendor.armnn. u:object_r:vendor_armnn_config_prop:s0 prefix diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 928bc021..1707ef8b 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -45,3 +45,5 @@ get_prop(vendor_init, vendor_trusty_storage_prop) # Mali set_prop(vendor_init, vendor_arm_runtime_option_prop) +# ArmNN +set_prop(vendor_init, vendor_armnn_config_prop) From e4254a16aa516f5960f48732b078aad4ed63df6f Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 6 Apr 2023 10:38:27 +0000 Subject: [PATCH 797/921] Remove 'hal_neuralnetworks_armnn' sysprop exceptions Bug: b/205202540 Test: manual - reboot device and check the absence of AVC denials Change-Id: Ied38dc6b323911aa909f4f42b66ee404fc7062fa --- tracking_denials/hal_neuralnetworks_armnn.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te index 120510fd..04941460 100644 --- a/tracking_denials/hal_neuralnetworks_armnn.te +++ b/tracking_denials/hal_neuralnetworks_armnn.te 
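Review bot: Nothing in this change gives any domain read access to `vendor_armnn_config_prop`. property.te declares the type with `vendor_internal_prop`, property_contexts maps `ro.vendor.armnn.` to it, and vendor_init.te gets `set_prop`, but there is no `get_prop` for the consumer. The next patch in the series removes `dontaudit hal_neuralnetworks_armnn default_prop:file read;`, so that HAL is presumably the reader. Unless its rule lives in another repository, its policy file should carry `get_prop(hal_neuralnetworks_armnn, vendor_armnn_config_prop)`, otherwise the read fails on the new type. The cherry-pick of this change (PATCH 801) has the same three hunks.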
@@ -1,5 +1,3 @@ # b/180550063 dontaudit hal_neuralnetworks_armnn system_data_file:dir { search }; dontaudit hal_neuralnetworks_armnn system_data_file:dir { search }; -# b/190563897 -dontaudit hal_neuralnetworks_armnn default_prop:file read; From 347dfbe925e2218189d82d37697540af25401a22 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 6 Apr 2023 15:20:15 +0000 Subject: [PATCH 798/921] Remove 'hal_neuralnetworks_armnn' '/data' access exception The mali driver has been configured not to look there anymore. Bug: b/205779871 Test: manual - reboot device and check the absence of AVC denials Change-Id: Ic8bf0d51414461689ee5768821a2a1acda923c41 --- tracking_denials/hal_neuralnetworks_armnn.te | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 tracking_denials/hal_neuralnetworks_armnn.te diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te deleted file mode 100644 index 04941460..00000000 --- a/tracking_denials/hal_neuralnetworks_armnn.te +++ /dev/null @@ -1,3 +0,0 @@ -# b/180550063 -dontaudit hal_neuralnetworks_armnn system_data_file:dir { search }; -dontaudit hal_neuralnetworks_armnn system_data_file:dir { search }; From 843b0ad6b4043aabd04fc2bb106a42823696e006 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 24 Apr 2023 09:58:14 +0800 Subject: [PATCH 799/921] Update error on ROM 9930000 Bug: 277989397 Bug: 277155042 Bug: 277989067 Test: scanBugreport Change-Id: I38a3f852e2f5f0f6895db15141825909361a267d Merged-In: I38a3f852e2f5f0f6895db15141825909361a267d --- tracking_denials/dumpstate.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index 7f51e2b5..f7b2ebd4 100644 --- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te @@ -1,3 +1,5 @@ +# b/277155042 +dontaudit dumpstate app_zygote:process { signal }; # b/185723618 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; # b/277155042 
From ac6f4e0d00b5c42b007ea996873155cd13c583a0 Mon Sep 17 00:00:00 2001 From: Joseph Jang Date: Mon, 24 Apr 2023 08:09:23 +0000 Subject: [PATCH 800/921] Move recovery.te to device/google/gs-common/dauntless/sepolicy Bug: 279381809 Change-Id: If41449f97e729053caa98930cc7f2ef9fd6d844e --- whitechapel/vendor/google/fastbootd.te | 1 - 1 file changed, 1 deletion(-) diff --git a/whitechapel/vendor/google/fastbootd.te b/whitechapel/vendor/google/fastbootd.te index e350e0f3..d6cf7315 100644 --- a/whitechapel/vendor/google/fastbootd.te +++ b/whitechapel/vendor/google/fastbootd.te @@ -5,5 +5,4 @@ allow fastbootd devinfo_block_device:blk_file rw_file_perms; allow fastbootd sda_block_device:blk_file rw_file_perms; allow fastbootd sysfs_ota:file rw_file_perms; allow fastbootd custom_ab_block_device:blk_file rw_file_perms; -allow fastbootd citadel_device:chr_file rw_file_perms; ') From a66855541904bbeaafcfc9170e048a584174e489 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 6 Apr 2023 13:49:34 +0000 Subject: [PATCH 801/921] Add ArmNN config sysprops SELinux rules Bug: 205202540 Bug: 264489188 Test: manual - reboot device and check the absence of AVC denials (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0f99f3e63450befc661d38827e9afc853ca9257a) Merged-In: I70c89dcc4b2bbe665d69cc4be1ac2f6cf8155a10 Change-Id: I70c89dcc4b2bbe665d69cc4be1ac2f6cf8155a10 --- whitechapel/vendor/google/property.te | 3 +++ whitechapel/vendor/google/property_contexts | 3 +++ whitechapel/vendor/google/vendor_init.te | 2 ++ 3 files changed, 8 insertions(+) diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 934e13a9..34f17a70 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te 
@@ -57,3 +57,6 @@ vendor_internal_prop(vendor_trusty_storage_prop) # Mali Integration vendor_restricted_prop(vendor_arm_runtime_option_prop) + +# ArmNN configuration +vendor_internal_prop(vendor_armnn_config_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 4c01239d..17e9af59 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts @@ -101,3 +101,6 @@ ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage # Mali GPU driver configuration and debug options vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix + +# ArmNN configuration +ro.vendor.armnn. u:object_r:vendor_armnn_config_prop:s0 prefix diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 928bc021..1707ef8b 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -45,3 +45,5 @@ get_prop(vendor_init, vendor_trusty_storage_prop) # Mali set_prop(vendor_init, vendor_arm_runtime_option_prop) +# ArmNN +set_prop(vendor_init, vendor_armnn_config_prop) From b4001ec206a8318ce1e4aa95811f6a8a836db384 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 6 Apr 2023 10:38:27 +0000 Subject: [PATCH 802/921] Remove 'hal_neuralnetworks_armnn' sysprop exceptions Bug: 205202540 Bug: 264489188 Test: manual - reboot device and check the absence of AVC denials (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e4254a16aa516f5960f48732b078aad4ed63df6f) Merged-In: Ied38dc6b323911aa909f4f42b66ee404fc7062fa Change-Id: Ied38dc6b323911aa909f4f42b66ee404fc7062fa --- tracking_denials/hal_neuralnetworks_armnn.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te index 120510fd..04941460 100644 --- a/tracking_denials/hal_neuralnetworks_armnn.te 
+++ b/tracking_denials/hal_neuralnetworks_armnn.te @@ -1,5 +1,3 @@ # b/180550063 dontaudit hal_neuralnetworks_armnn system_data_file:dir { search }; dontaudit hal_neuralnetworks_armnn system_data_file:dir { search }; -# b/190563897 -dontaudit hal_neuralnetworks_armnn default_prop:file read; From 9702cb57f20ed964d6cecf3f4b2396d1c2caa06d Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 6 Apr 2023 15:20:15 +0000 Subject: [PATCH 803/921] Remove 'hal_neuralnetworks_armnn' '/data' access exception The mali driver has been configured not to look there anymore. Bug: 205779871 Bug: 264489188 Test: manual - reboot device and check the absence of AVC denials (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:347dfbe925e2218189d82d37697540af25401a22) Merged-In: Ic8bf0d51414461689ee5768821a2a1acda923c41 Change-Id: Ic8bf0d51414461689ee5768821a2a1acda923c41 --- tracking_denials/hal_neuralnetworks_armnn.te | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 tracking_denials/hal_neuralnetworks_armnn.te diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te deleted file mode 100644 index 04941460..00000000 --- a/tracking_denials/hal_neuralnetworks_armnn.te +++ /dev/null @@ -1,3 +0,0 @@ -# b/180550063 -dontaudit hal_neuralnetworks_armnn system_data_file:dir { search }; -dontaudit hal_neuralnetworks_armnn system_data_file:dir { search }; From 6be45972bbc5ecc94468e5d20d9b5c93152d741a Mon Sep 17 00:00:00 2001 
From: martinwu Date: Mon, 24 Apr 2023 16:26:22 +0000 Subject: [PATCH 804/921] Remove tcpdump sepolicy from gs101 and move sepolicy to gs-common Bug: 264490014 Test: 1. Enable tcpdump_logger always-on function 2. Dump bugreport 3. Pull dumpstate_board.bin and chagne it to zip 4. Unzip dumpstate_board.zip and check if tcpdump files are there. Change-Id: I3d0cb388cf9b7c96d2856f46c0440b4017477480 --- whitechapel/vendor/google/file.te | 3 --- whitechapel/vendor/google/file_contexts | 1 - 2 files changed, 4 deletions(-) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index bae11314..d8cce99a 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -92,9 +92,6 @@ type persist_modem_file, file_type, vendor_persist_type; type modem_img_file, contextmount_type, file_type, vendor_file_type; allow modem_img_file self:filesystem associate; -# TCP logging -type tcpdump_vendor_data_file, file_type, data_file_type, mlstrustedobject; - # Pca type sysfs_pca, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 232d332f..961d9c27 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -243,7 +243,6 @@ # TCP logging /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 -/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 # modem_svc_sit files /vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0 From e30ee618d6c59f36e3d520014563d62622fbde87 Mon Sep 17 00:00:00 2001 
From: Martin Wu Date: Thu, 27 Apr 2023 02:20:48 +0000 Subject: [PATCH 805/921] Revert "Remove tcpdump sepolicy from gs101 and move sepolicy to ..." Revert submission 22814097-Fix-tcpdump-sepolicy Reason for revert: build break Reverted changes: /q/submissionid:22814097-Fix-tcpdump-sepolicy Change-Id: I3d47d22250b435416c4ca44ff1956569662591ee --- whitechapel/vendor/google/file.te | 3 +++ whitechapel/vendor/google/file_contexts | 1 + 2 files changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index d8cce99a..bae11314 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -92,6 +92,9 @@ type persist_modem_file, file_type, vendor_persist_type; type modem_img_file, contextmount_type, file_type, vendor_file_type; allow modem_img_file self:filesystem associate; +# TCP logging +type tcpdump_vendor_data_file, file_type, data_file_type, mlstrustedobject; + # Pca type sysfs_pca, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 961d9c27..232d332f 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -243,6 +243,7 @@ # TCP logging /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 +/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 # modem_svc_sit files /vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0 From 3055e06f0a3610c510dec974a6853ce3b0196aee Mon Sep 17 00:00:00 2001 
From: martinwu Date: Mon, 24 Apr 2023 16:26:22 +0000 Subject: [PATCH 806/921] [TSV2] Remove tcpdump sepolicy from gs101 and move sepolicy to gs-common Bug: 264490014 Test: 1. Enable tcpdump_logger always-on function 2. Dump bugreport 3. Pull dumpstate_board.bin and chagne it to zip 4. Unzip dumpstate_board.zip and check if tcpdump files are there. Change-Id: Iea67de1e645592c6993a3ee6f2ca8e6bf3c6c949 --- whitechapel/vendor/google/file.te | 3 --- whitechapel/vendor/google/file_contexts | 1 - 2 files changed, 4 deletions(-) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index bae11314..d8cce99a 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -92,9 +92,6 @@ type persist_modem_file, file_type, vendor_persist_type; type modem_img_file, contextmount_type, file_type, vendor_file_type; allow modem_img_file self:filesystem associate; -# TCP logging -type tcpdump_vendor_data_file, file_type, data_file_type, mlstrustedobject; - # Pca type sysfs_pca, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 232d332f..961d9c27 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -243,7 +243,6 @@ # TCP logging /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 -/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 # modem_svc_sit files /vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0 From 42a0c820659d811932a58ed1e66478ee9556cecc Mon Sep 17 00:00:00 2001 
From: Jinyoung Jeong Date: Wed, 26 Apr 2023 06:00:46 +0000 Subject: [PATCH 807/921] Fix SELinux error for com.google.android.euicc bug: 279548423 Test: http://fusion2/bb76429b-7d84-4e14-b127-8458abb3e2ed Change-Id: I00bdf71f04eec985147189eb1b474c7ff6797023 --- private/property.te | 8 +++++++ private/property_contexts | 2 ++ .../vendor/google/certs/EuiccGoogle.x509.pem | 23 +++++++++++++++++++ whitechapel/vendor/google/euicc_app.te | 15 ++++++++++++ whitechapel/vendor/google/keys.conf | 3 +++ whitechapel/vendor/google/mac_permissions.xml | 3 +++ whitechapel/vendor/google/seapp_contexts | 3 +++ 7 files changed, 57 insertions(+) create mode 100644 private/property.te create mode 100644 private/property_contexts create mode 100644 whitechapel/vendor/google/certs/EuiccGoogle.x509.pem create mode 100644 whitechapel/vendor/google/euicc_app.te diff --git a/private/property.te b/private/property.te new file mode 100644 index 00000000..a6bee3b3 --- /dev/null +++ b/private/property.te @@ -0,0 +1,8 @@ +product_restricted_prop(masterclear_esim_prop) +product_restricted_prop(euicc_seamless_transfer_prop) + +neverallow { domain -init } masterclear_esim_prop:property_service set; +neverallow { domain -init } euicc_seamless_transfer_prop:property_service set; + +get_prop(appdomain, masterclear_esim_prop) +get_prop(appdomain, euicc_seamless_transfer_prop) diff --git a/private/property_contexts b/private/property_contexts new file mode 100644 index 00000000..843f2976 --- /dev/null +++ b/private/property_contexts @@ -0,0 +1,2 @@ +masterclear.allow_retain_esim_profiles_after_fdr u:object_r:masterclear_esim_prop:s0 exact bool +euicc.seamless_transfer_enabled_in_non_qs u:object_r:euicc_seamless_transfer_prop:s0 exact bool diff --git a/whitechapel/vendor/google/certs/EuiccGoogle.x509.pem b/whitechapel/vendor/google/certs/EuiccGoogle.x509.pem new file mode 100644 index 00000000..be6c715c --- /dev/null +++ b/whitechapel/vendor/google/certs/EuiccGoogle.x509.pem 
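Review bot: The two `get_prop(appdomain, …)` lines at the end of the new private/property.te make `masterclear_esim_prop` and `euicc_seamless_transfer_prop` readable by every app domain, although the commit is about one app, com.google.android.euicc. If only the eSIM and setup components read these flags, grant `get_prop` to those domains instead of the `appdomain` attribute. The write side is already pinned to init by the two `neverallow { domain -init } … set` lines. The file also has no comment saying what the properties control; one line above each `product_restricted_prop` would cover that.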
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwzCCAqugAwIBAgIJAOZ2d46ckK9JMA0GCSqGSIb3DQEBCwUAMHgxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW
+aWV3MRQwEgYDVQQKDAtHb29nbGUgSW5jLjEQMA4GA1UECwwHQW5kcm9pZDEUMBIG
+A1UEAwwLRXVpY2NHb29nbGUwHhcNMTYxMjE3MDEyMTEzWhcNNDQwNTA0MDEyMTEz
+WjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
+TW91bnRhaW4gVmlldzEUMBIGA1UECgwLR29vZ2xlIEluYy4xEDAOBgNVBAsMB0Fu
+ZHJvaWQxFDASBgNVBAMMC0V1aWNjR29vZ2xlMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEA1S7b8bGk4fNm3cckWJx2sbnvC39BroHNwk6am6jVP4MZAYuc
+PN6QQ7/2s7hvtn91w6VbeGi2fryIMc7jXjlixheotD2Ns+/7qsPpQ+ZovfaQO5Xw
+/c4J+1CfiqrLtd4TyO+4uFGTCO/vs4qhMH58QrhnYPZUqeuq0Zs1Irp0FlVFe1qm
+1heU2zJy5locjb9UJXY33sVc9vfWy+sM8TLX40nWxIXGdbzJHJNyjjr/NA+0+drx
+anJCtac6+evehH6o8+t8RQBU44PEZiyGkM8poNgRTAcFdRFXU8pitZXp3QZQk6HO
+JsVuqqADwsfxGSdVyHFmOW7gxpkB9+IuJJEmkQIDAQABo1AwTjAdBgNVHQ4EFgQU
+lVkGDn/XmF7HjP0K3ykCNnnZ8jMwHwYDVR0jBBgwFoAUlVkGDn/XmF7HjP0K3ykC
+NnnZ8jMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkDOpQMXcuKwt
+CPu5/tdskpfoBMrpYJOwfvpj/JwrudnXUHZXnBnH9PtHprghGtNiWPXHTbZSzKUS
+Aojpo1Lev7DtowFILA54oY6d1NqbCIJy+Knwt3W5H7Rg8u8LqvzkpX5CBKAhRwkQ
+0t3yrlEkI7kx805vg484gAe+AXyBx0dGe6ov4/yrzv9E+1jhIgP7tF/f+x8zX6Tr
+mDCjzz4mgKahMbmsHQg430wlbZczrciMMfPiRc3xEHKLUqGL0ARtE01hJiJ4TY/X
+iL/8QUA3nBcpUyEwHFwUao40Gjca9xteKd7MtmiZ6BM2JJSQ4nSNkcwQW8PU/7Qb
+0QMwPRPLbQ==
+-----END CERTIFICATE-----
diff --git a/whitechapel/vendor/google/euicc_app.te b/whitechapel/vendor/google/euicc_app.te
new file mode 100644
index 00000000..d7259159
--- /dev/null
+++ b/whitechapel/vendor/google/euicc_app.te
@@ -0,0 +1,15 @@ +type euicc_app, domain; +app_domain(euicc_app) + +allow euicc_app activity_service:service_manager find; +allow euicc_app radio_service:service_manager find; +allow euicc_app content_capture_service:service_manager find; +allow euicc_app virtual_device_service:service_manager find; +allow euicc_app game_service:service_manager find; +allow euicc_app netstats_service:service_manager find; +allow euicc_app registry_service:service_manager find; + +get_prop(euicc_app, setupwizard_esim_prop) +get_prop(euicc_app, bootloader_prop) +get_prop(euicc_app, exported_default_prop) +get_prop(euicc_app, vendor_modem_prop) diff --git a/whitechapel/vendor/google/keys.conf b/whitechapel/vendor/google/keys.conf index fb6e52b6..d609a05d 100644 --- a/whitechapel/vendor/google/keys.conf +++ b/whitechapel/vendor/google/keys.conf @@ -6,3 +6,6 @@ ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/com_qorvo_uwb [@EUICCSUPPORTPIXEL] ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/EuiccSupportPixel.x509.pem + +[@EUICCGOOGLE] +ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/EuiccGoogle.x509.pem diff --git a/whitechapel/vendor/google/mac_permissions.xml b/whitechapel/vendor/google/mac_permissions.xml index 6cb7113c..e4658cc5 100644 --- a/whitechapel/vendor/google/mac_permissions.xml +++ b/whitechapel/vendor/google/mac_permissions.xml @@ -30,4 +30,7 @@ + + + diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index e724de28..e84832b6 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts 
@@ -52,5 +52,8 @@ user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_ # Domain for EuiccSupportPixel user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all +# Domain for EuiccGoogle +user=_app isPrivApp=true seinfo=EuiccGoogle name=com.google.android.euicc domain=euicc_app type=app_data_file levelFrom=all + # CccDkTimeSyncService user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all From 3785b0d271758391034cdd1add11d89221831751 Mon Sep 17 00:00:00 2001 From: martinwu Date: Mon, 24 Apr 2023 16:26:22 +0000 Subject: [PATCH 808/921] [TSV2] Remove tcpdump sepolicy from gs101 and move sepolicy to gs-common Bug: 264490014 Test: 1. Enable tcpdump_logger always-on function 2. Dump bugreport 3. Pull dumpstate_board.bin and chagne it to zip 4. Unzip dumpstate_board.zip and check if tcpdump files are there. Change-Id: Iea67de1e645592c6993a3ee6f2ca8e6bf3c6c949 Merged-In: Iea67de1e645592c6993a3ee6f2ca8e6bf3c6c949 --- whitechapel/vendor/google/file.te | 3 --- whitechapel/vendor/google/file_contexts | 1 - 2 files changed, 4 deletions(-) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index bae11314..d8cce99a 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -92,9 +92,6 @@ type persist_modem_file, file_type, vendor_persist_type; type modem_img_file, contextmount_type, file_type, vendor_file_type; allow modem_img_file self:filesystem associate; -# TCP logging -type tcpdump_vendor_data_file, file_type, data_file_type, mlstrustedobject; - # Pca type sysfs_pca, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 232d332f..961d9c27 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -243,7 +243,6 @@ # TCP logging /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 -/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 # modem_svc_sit files /vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0 From d3a021480143531414341b26403cce8c6b65eae5 Mon Sep 17 00:00:00 2001 From: Jinyoung Jeong Date: Tue, 2 May 2023 10:14:29 +0000 Subject: [PATCH 809/921] Fix LPA crash due to selinux denial Bug: 280336861 Test: No crash found during LPA basic tests: download eSIM, enable/disalbe eSIM. Change-Id: I15227415993ef3975e183f500711416f8eb8e62c --- whitechapel/vendor/google/euicc_app.te | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/whitechapel/vendor/google/euicc_app.te b/whitechapel/vendor/google/euicc_app.te index d7259159..2e36435b 100644 --- a/whitechapel/vendor/google/euicc_app.te +++ b/whitechapel/vendor/google/euicc_app.te @@ -1,14 +1,12 @@ type euicc_app, domain; app_domain(euicc_app) +net_domain(euicc_app) -allow euicc_app activity_service:service_manager find; +allow euicc_app app_api_service:service_manager find; allow euicc_app radio_service:service_manager find; -allow euicc_app content_capture_service:service_manager find; -allow euicc_app virtual_device_service:service_manager find; -allow euicc_app game_service:service_manager find; -allow euicc_app netstats_service:service_manager find; -allow euicc_app registry_service:service_manager find; +allow euicc_app cameraserver_service:service_manager find; +get_prop(euicc_app, camera_config_prop) get_prop(euicc_app, setupwizard_esim_prop) get_prop(euicc_app, bootloader_prop) get_prop(euicc_app, exported_default_prop) From 98247ad9f4ea92dd610afc29bfd045fe11e37123 Mon Sep 17 00:00:00 2001 
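Review bot: The rewritten whitechapel/vendor/google/euicc_app.te widens the domain in three directions at once and explains none of them in the file. Six named `service_manager find` grants become the whole `app_api_service` attribute, and `net_domain(euicc_app)`, `cameraserver_service` and `camera_config_prop` are new. The commit message only says the LPA crashed on a denial, so a reader cannot tell which of these grants the crash required. I would put the reason next to each group, e.g. `# network access for profile download` above `net_domain` and `# camera for activation-code scanning` above the two camera lines; both reasons are my guess from the test description and need confirming. If the crash came from one specific service, naming that service instead of `app_api_service` would keep the original narrow list.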
From: Ted Wang Date: Thu, 4 May 2023 13:53:09 +0000 Subject: [PATCH 810/921] Add sepolicy for aidl bt extension hal Bug: 274906319 Test: make sepolicy and manual test Change-Id: I6aa9ebe87c743ceb09067a581f64f6cdc0b7d335 --- raven-sepolicy.mk | 2 ++ raven/cccdk_timesync_app.te | 1 + 2 files changed, 3 insertions(+) create mode 100644 raven-sepolicy.mk create mode 100644 raven/cccdk_timesync_app.te diff --git a/raven-sepolicy.mk b/raven-sepolicy.mk new file mode 100644 index 00000000..91d85cd4 --- /dev/null +++ b/raven-sepolicy.mk @@ -0,0 +1,2 @@ +# Ravne only sepolicy +BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/raven diff --git a/raven/cccdk_timesync_app.te b/raven/cccdk_timesync_app.te new file mode 100644 index 00000000..1a4264db --- /dev/null +++ b/raven/cccdk_timesync_app.te @@ -0,0 +1 @@ +allow vendor_cccdktimesync_app hal_bluetooth_coexistence_service:service_manager find; From 38640e48ddc13ac996ba69fb31637905bd9cdaed Mon Sep 17 00:00:00 2001 From: sashwinbalaji Date: Mon, 8 May 2023 12:59:36 +0800 Subject: [PATCH 811/921] thermal: thermal_metrics: Update selinux to reset stats Bug: 193833982 Test: Local build and verify statsD logs adb shell cmd stats print-logs && adb logcat -b all | grep -i 105045 Change-Id: I79710aa05ff52caf9d08f21fa7a36c46a1b2a3d9 --- whitechapel/vendor/google/pixelstats_vendor.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te index 12234047..7496a7ce 100644 --- a/whitechapel/vendor/google/pixelstats_vendor.te +++ b/whitechapel/vendor/google/pixelstats_vendor.te @@ -29,6 +29,7 @@ allow pixelstats_vendor battery_history_device:chr_file r_file_perms; #vendor-metrics r_dir_file(pixelstats_vendor, sysfs_vendor_metrics) allow pixelstats_vendor sysfs_vendor_metrics:lnk_file r_file_perms; +allow pixelstats_vendor sysfs_vendor_metrics:file w_file_perms; # BCL allow pixelstats_vendor sysfs_bcl:dir search; 
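Review bot: The header comment of the new raven-sepolicy.mk misspells the device name as `# Ravne only sepolicy`. It should read `# Raven only sepolicy`, matching the `device/google/gs101-sepolicy/raven` directory the next line adds to `BOARD_SEPOLICY_DIRS`. The typo matters mainly for grep: a search for "Raven" will miss this file's header.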
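Review bot: The new raven/cccdk_timesync_app.te is a single `allow … hal_bluetooth_coexistence_service:service_manager find;` with no comment, so the file does not say why a per-device rule exists. A header such as `# AIDL Bluetooth extension HAL lookup (b/274906319)` would tie it to the bug. The rule also covers only the service lookup; calling the service needs a `binder_call` to the HAL's server domain as well, and that is not in this patch. It may already exist elsewhere in the tree, so this is a point to confirm, not a known gap. The `grilservice_app` files added in PATCH 815 follow the same pattern.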
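Review bot: `allow pixelstats_vendor sysfs_vendor_metrics:file w_file_perms;` in whitechapel/vendor/google/pixelstats_vendor.te makes every node labelled `sysfs_vendor_metrics` writable by the daemon, while the commit title is about resetting thermal stats only. If the reset goes through one or a few sysfs nodes, giving those nodes their own type in `genfs_contexts` and granting write on that type would leave the other metrics read-only. If the broad grant stays, the line should at least say what it is for, e.g. `# write access to reset thermal stats (b/193833982)`. The surrounding file continues outside the hunk, so narrower labels may already exist that I cannot see.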
From 69e2720089050163124b7823dac64d713fe3ad1d Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 10 May 2023 01:48:48 +0000 Subject: [PATCH 812/921] introduce a new sepolicy owner Bug: 281631102 Test: N/A Change-Id: Ie1221e85bbfabf18c3bdd1a248b768e92f092426 --- OWNERS | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/OWNERS b/OWNERS index 791abb4a..5232bc31 100644 --- a/OWNERS +++ b/OWNERS @@ -1,3 +1,4 @@ -include platform/system/sepolicy:/OWNERS +include device/google/gs-common:/sepolicy/OWNERS + +adamshih@google.com -rurumihong@google.com From 4876a744a5bcd405b9eaa33a472f1bd07d2efe8f Mon Sep 17 00:00:00 2001 From: JohnnLee Date: Tue, 9 May 2023 17:24:46 +0800 Subject: [PATCH 813/921] Remove obsolete entries Test: adb bugreport Bug: 268146971 Bug: 238825802 Bug: 269964825 Bug: 277989067 Bug: 238263568 Change-Id: I67da2c4ea8bf1da24b9dcecde7019007e3182ff7 --- tracking_denials/bug_map | 4 ---- tracking_denials/hal_dumpstate_default.te | 2 -- 2 files changed, 6 deletions(-) delete mode 100644 tracking_denials/hal_dumpstate_default.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index b0b93724..ecf73774 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -3,8 +3,4 @@ hal_camera_default boot_status_prop file b/275002227 hal_camera_default edgetpu_app_service service_manager b/275002227 hal_drm_default default_prop file b/232714489 hal_power_default hal_power_default capability b/240632824 -incidentd debugfs_wakeup_sources file b/238263568 -incidentd incidentd anon_inode b/268146971 rfsd vendor_rild_prop property_service b/269218654 -su modem_img_file filesystem b/238825802 -vndservicemanager hal_keymint_citadel binder b/269964825 diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te deleted file mode 100644 index dbcd88e9..00000000 --- a/tracking_denials/hal_dumpstate_default.te +++ /dev/null 
@@ -1,2 +0,0 @@ -# b/277989067 -dontaudit hal_dumpstate_default vendor_shell_exec:file { execute_no_trans }; From 20364fe3b3b68cd7ac93c6404a2c5dd1bf829737 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 10 May 2023 20:01:52 +0800 Subject: [PATCH 814/921] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 281814691 Change-Id: I2f73f5b75aec1145dee615499a7442400defbf8a --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 2c22c60c..03d8f7b9 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -22,3 +22,4 @@ incidentd debugfs_wakeup_sources file b/238263568 incidentd incidentd anon_inode b/268146971 rfsd vendor_rild_prop property_service b/269218654 su modem_img_file filesystem b/238825802 +system_server system_userdir_file dir b/281814691 From e6ddf5d1f6711544ecbccdb0b433d99f9d403330 Mon Sep 17 00:00:00 2001 From: Ted Wang Date: Sat, 6 May 2023 04:13:36 +0000 Subject: [PATCH 815/921] Add sepolicy for aidl bt extension hal in grilservice app Bug: 280970790 Test: make sepolicy and manual test Change-Id: Ic0dab76988ee80cae72091d6e8eb0e97c651e594 --- oriole-sepolicy.mk | 2 ++ oriole/grilservice_app.te | 1 + raven/grilservice_app.te | 1 + 3 files changed, 4 insertions(+) create mode 100644 oriole-sepolicy.mk create mode 100644 oriole/grilservice_app.te create mode 100644 raven/grilservice_app.te diff --git a/oriole-sepolicy.mk b/oriole-sepolicy.mk new file mode 100644 index 00000000..a4f28b2a --- /dev/null +++ b/oriole-sepolicy.mk @@ -0,0 +1,2 @@ +# Oriole only sepolicy +BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/oriole diff --git a/oriole/grilservice_app.te b/oriole/grilservice_app.te new file mode 100644 index 00000000..ad0a7796 --- /dev/null +++ b/oriole/grilservice_app.te @@ -0,0 +1 @@ +allow grilservice_app hal_bluetooth_coexistence_service:service_manager find; 
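Review bot: The new oriole/grilservice_app.te holds a single `allow` with no comment saying why grilservice_app needs to look up `hal_bluetooth_coexistence_service`, and an identical file is added under raven/ in the same commit. A one-line header such as `# grilservice looks up the AIDL Bluetooth extension (coexistence) HAL` would make the grant auditable. If both devices always need the rule, keeping it in one shared policy directory would stop the two copies drifting apart; the per-device split may be deliberate, which this hunk does not show. PATCH 827 adds the same pair of files again.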
diff --git a/raven/grilservice_app.te b/raven/grilservice_app.te new file mode 100644 index 00000000..ad0a7796 --- /dev/null +++ b/raven/grilservice_app.te @@ -0,0 +1 @@ +allow grilservice_app hal_bluetooth_coexistence_service:service_manager find; From a1f81bef7a5d273afae14228f5e7047f6bc21518 Mon Sep 17 00:00:00 2001 From: allieliu Date: Fri, 12 May 2023 08:04:59 +0000 Subject: [PATCH 816/921] vendor_init: add esim_modem_prop Bug: 279988311 Change-Id: I5f8759baff65073b758ce335772e72a383827d05 Signed-off-by: allieliu --- whitechapel/vendor/google/vendor_init.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 1707ef8b..b03c7bb5 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -13,6 +13,7 @@ set_prop(vendor_init, vendor_ro_config_default_prop) get_prop(vendor_init, vendor_touchpanel_prop) set_prop(vendor_init, vendor_tcpdump_log_prop) set_prop(vendor_init, vendor_logger_prop) +set_prop(vendor_init, esim_modem_prop) allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file write; From d569008b77d108dcdde0156ca5958d318159bd92 Mon Sep 17 00:00:00 2001 From: Jin Jeong Date: Fri, 12 May 2023 04:18:25 +0000 Subject: [PATCH 817/921] Revert "Fix LPA crash due to selinux denial" Revert submission 22955599-euicc_selinux_fix2 Reason for revert: b/279988311 we rename the vendor.modem property so we don't need to add the new rules Bug: 279988311 Reverted changes: /q/submissionid:22955599-euicc_selinux_fix2 Change-Id: I6421319ba280fb11d05f2e107754449e54e5afa4 --- whitechapel/vendor/google/euicc_app.te | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/whitechapel/vendor/google/euicc_app.te b/whitechapel/vendor/google/euicc_app.te index 2e36435b..d7259159 100644 --- a/whitechapel/vendor/google/euicc_app.te +++ b/whitechapel/vendor/google/euicc_app.te 
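Review bot: `set_prop(vendor_init, esim_modem_prop)` refers to a property type that this commit does not declare; on this page the declaration `system_vendor_config_prop(esim_modem_prop)` and its `property_contexts` entry only arrive with PATCH 820. If the type is not already provided elsewhere, the policy will not compile with this change alone, so the declaration should land in the same or an earlier change. PATCH 819 repeats this hunk under the same Change-Id and has the same dependency. The rest of vendor_init.te lies outside the hunk.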
@@ -1,12 +1,14 @@ type euicc_app, domain; app_domain(euicc_app) -net_domain(euicc_app) -allow euicc_app app_api_service:service_manager find; +allow euicc_app activity_service:service_manager find; allow euicc_app radio_service:service_manager find; -allow euicc_app cameraserver_service:service_manager find; +allow euicc_app content_capture_service:service_manager find; +allow euicc_app virtual_device_service:service_manager find; +allow euicc_app game_service:service_manager find; +allow euicc_app netstats_service:service_manager find; +allow euicc_app registry_service:service_manager find; -get_prop(euicc_app, camera_config_prop) get_prop(euicc_app, setupwizard_esim_prop) get_prop(euicc_app, bootloader_prop) get_prop(euicc_app, exported_default_prop) From 15e18323961765f09824e43decbf5bfff50b18da Mon Sep 17 00:00:00 2001 From: Jin Jeong Date: Fri, 12 May 2023 04:17:26 +0000 Subject: [PATCH 818/921] Revert "Fix SELinux error for com.google.android.euicc" Revert submission 22899490-euicc_selinux_fix Reason for revert: b/279988311 we rename the vendor.modem property so we don't need to add the new rules Bug: 279988311 Reverted changes: /q/submissionid:22899490-euicc_selinux_fix Change-Id: I72da756853a540d6251e074313b1880c9c9038e8 --- private/property.te | 8 ------- private/property_contexts | 2 -- .../vendor/google/certs/EuiccGoogle.x509.pem | 23 ------------------- whitechapel/vendor/google/euicc_app.te | 15 ------------ whitechapel/vendor/google/keys.conf | 3 --- whitechapel/vendor/google/mac_permissions.xml | 3 --- whitechapel/vendor/google/seapp_contexts | 3 --- 7 files changed, 57 deletions(-) delete mode 100644 private/property.te delete mode 100644 private/property_contexts delete mode 100644 whitechapel/vendor/google/certs/EuiccGoogle.x509.pem delete mode 100644 whitechapel/vendor/google/euicc_app.te diff --git a/private/property.te b/private/property.te deleted file mode 100644 index a6bee3b3..00000000 --- a/private/property.te +++ /dev/null 
@@ -1,8 +0,0 @@ -product_restricted_prop(masterclear_esim_prop) -product_restricted_prop(euicc_seamless_transfer_prop) - -neverallow { domain -init } masterclear_esim_prop:property_service set; -neverallow { domain -init } euicc_seamless_transfer_prop:property_service set; - -get_prop(appdomain, masterclear_esim_prop) -get_prop(appdomain, euicc_seamless_transfer_prop) diff --git a/private/property_contexts b/private/property_contexts deleted file mode 100644 index 843f2976..00000000 --- a/private/property_contexts +++ /dev/null @@ -1,2 +0,0 @@ -masterclear.allow_retain_esim_profiles_after_fdr u:object_r:masterclear_esim_prop:s0 exact bool -euicc.seamless_transfer_enabled_in_non_qs u:object_r:euicc_seamless_transfer_prop:s0 exact bool diff --git a/whitechapel/vendor/google/certs/EuiccGoogle.x509.pem b/whitechapel/vendor/google/certs/EuiccGoogle.x509.pem deleted file mode 100644 index be6c715c..00000000 --- a/whitechapel/vendor/google/certs/EuiccGoogle.x509.pem +++ /dev/null 
@@ -1,23 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDwzCCAqugAwIBAgIJAOZ2d46ckK9JMA0GCSqGSIb3DQEBCwUAMHgxCzAJBgNV -BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW -aWV3MRQwEgYDVQQKDAtHb29nbGUgSW5jLjEQMA4GA1UECwwHQW5kcm9pZDEUMBIG -A1UEAwwLRXVpY2NHb29nbGUwHhcNMTYxMjE3MDEyMTEzWhcNNDQwNTA0MDEyMTEz -WjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN -TW91bnRhaW4gVmlldzEUMBIGA1UECgwLR29vZ2xlIEluYy4xEDAOBgNVBAsMB0Fu -ZHJvaWQxFDASBgNVBAMMC0V1aWNjR29vZ2xlMIIBIjANBgkqhkiG9w0BAQEFAAOC -AQ8AMIIBCgKCAQEA1S7b8bGk4fNm3cckWJx2sbnvC39BroHNwk6am6jVP4MZAYuc -PN6QQ7/2s7hvtn91w6VbeGi2fryIMc7jXjlixheotD2Ns+/7qsPpQ+ZovfaQO5Xw -/c4J+1CfiqrLtd4TyO+4uFGTCO/vs4qhMH58QrhnYPZUqeuq0Zs1Irp0FlVFe1qm -1heU2zJy5locjb9UJXY33sVc9vfWy+sM8TLX40nWxIXGdbzJHJNyjjr/NA+0+drx -anJCtac6+evehH6o8+t8RQBU44PEZiyGkM8poNgRTAcFdRFXU8pitZXp3QZQk6HO -JsVuqqADwsfxGSdVyHFmOW7gxpkB9+IuJJEmkQIDAQABo1AwTjAdBgNVHQ4EFgQU -lVkGDn/XmF7HjP0K3ykCNnnZ8jMwHwYDVR0jBBgwFoAUlVkGDn/XmF7HjP0K3ykC -NnnZ8jMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkDOpQMXcuKwt -CPu5/tdskpfoBMrpYJOwfvpj/JwrudnXUHZXnBnH9PtHprghGtNiWPXHTbZSzKUS -Aojpo1Lev7DtowFILA54oY6d1NqbCIJy+Knwt3W5H7Rg8u8LqvzkpX5CBKAhRwkQ -0t3yrlEkI7kx805vg484gAe+AXyBx0dGe6ov4/yrzv9E+1jhIgP7tF/f+x8zX6Tr -mDCjzz4mgKahMbmsHQg430wlbZczrciMMfPiRc3xEHKLUqGL0ARtE01hJiJ4TY/X -iL/8QUA3nBcpUyEwHFwUao40Gjca9xteKd7MtmiZ6BM2JJSQ4nSNkcwQW8PU/7Qb -0QMwPRPLbQ== ------END CERTIFICATE----- diff --git a/whitechapel/vendor/google/euicc_app.te b/whitechapel/vendor/google/euicc_app.te deleted file mode 100644 index d7259159..00000000 --- a/whitechapel/vendor/google/euicc_app.te +++ /dev/null 
@@ -1,15 +0,0 @@ -type euicc_app, domain; -app_domain(euicc_app) - -allow euicc_app activity_service:service_manager find; -allow euicc_app radio_service:service_manager find; -allow euicc_app content_capture_service:service_manager find; -allow euicc_app virtual_device_service:service_manager find; -allow euicc_app game_service:service_manager find; -allow euicc_app netstats_service:service_manager find; -allow euicc_app registry_service:service_manager find; - -get_prop(euicc_app, setupwizard_esim_prop) -get_prop(euicc_app, bootloader_prop) -get_prop(euicc_app, exported_default_prop) -get_prop(euicc_app, vendor_modem_prop) diff --git a/whitechapel/vendor/google/keys.conf b/whitechapel/vendor/google/keys.conf index d609a05d..fb6e52b6 100644 --- a/whitechapel/vendor/google/keys.conf +++ b/whitechapel/vendor/google/keys.conf @@ -6,6 +6,3 @@ ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/com_qorvo_uwb [@EUICCSUPPORTPIXEL] ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/EuiccSupportPixel.x509.pem - -[@EUICCGOOGLE] -ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/EuiccGoogle.x509.pem diff --git a/whitechapel/vendor/google/mac_permissions.xml b/whitechapel/vendor/google/mac_permissions.xml index e4658cc5..6cb7113c 100644 --- a/whitechapel/vendor/google/mac_permissions.xml +++ b/whitechapel/vendor/google/mac_permissions.xml @@ -30,7 +30,4 @@ - - - diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index e84832b6..e724de28 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts 
@@ -52,8 +52,5 @@ user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_ # Domain for EuiccSupportPixel user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all -# Domain for EuiccGoogle -user=_app isPrivApp=true seinfo=EuiccGoogle name=com.google.android.euicc domain=euicc_app type=app_data_file levelFrom=all - # CccDkTimeSyncService user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all From 16e12a6cf1e4682003fd01fcff1f374b95137a44 Mon Sep 17 00:00:00 2001 From: allieliu Date: Fri, 12 May 2023 08:04:59 +0000 Subject: [PATCH 819/921] vendor_init: add esim_prop Bug: 279988311 Change-Id: I5f8759baff65073b758ce335772e72a383827d05 Signed-off-by: allieliu --- whitechapel/vendor/google/vendor_init.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 8ebe5e52..1193c361 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -13,6 +13,7 @@ set_prop(vendor_init, vendor_ro_config_default_prop) get_prop(vendor_init, vendor_touchpanel_prop) set_prop(vendor_init, vendor_tcpdump_log_prop) set_prop(vendor_init, vendor_logger_prop) +set_prop(vendor_init, esim_modem_prop) allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file write; From b6d74a5196dfeab2d34a6d55ee8d3d3fb00a21d1 Mon Sep 17 00:00:00 2001 
From: Jinyoung Jeong Date: Mon, 15 May 2023 10:18:11 +0000 Subject: [PATCH 820/921] [GS101][eSIM] Add system properties rule Bug: 279988311 Test: https://fusion2.corp.google.com/d517f34a-3242-40b1-adf6-acb6035ff2cb , b/282901698 Change-Id: I6caed744d2bba7882f80f8ace229f6c4b4133c65 --- system_ext/private/euicc_app.te | 13 +++++++++++++ system_ext/private/property.te | 5 +++++ system_ext/private/property_contexts | 3 +++ system_ext/private/seapp_contexts | 2 ++ system_ext/public/property.te | 3 +++ 5 files changed, 26 insertions(+) create mode 100644 system_ext/private/euicc_app.te create mode 100644 system_ext/private/property.te create mode 100644 system_ext/private/seapp_contexts diff --git a/system_ext/private/euicc_app.te b/system_ext/private/euicc_app.te new file mode 100644 index 00000000..842f1ec7 --- /dev/null +++ b/system_ext/private/euicc_app.te @@ -0,0 +1,13 @@ +type euicc_app, domain, coredomain; +app_domain(euicc_app) +net_domain(euicc_app) +bluetooth_domain(euicc_app) + +allow euicc_app app_api_service:service_manager find; +allow euicc_app radio_service:service_manager find; +allow euicc_app cameraserver_service:service_manager find; + +get_prop(euicc_app, camera_config_prop) +get_prop(euicc_app, bootloader_prop) +get_prop(euicc_app, exported_default_prop) +get_prop(euicc_app, esim_modem_prop) diff --git a/system_ext/private/property.te b/system_ext/private/property.te new file mode 100644 index 00000000..714108b1 --- /dev/null +++ b/system_ext/private/property.te @@ -0,0 +1,5 @@ +neverallow { + domain + -init + -vendor_init +} esim_modem_prop:property_service set; diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts index 9cf97280..790ba63b 100644 --- a/system_ext/private/property_contexts +++ b/system_ext/private/property_contexts 
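Review bot: The new euicc_app domain is given `net_domain`, `bluetooth_domain`, every `app_api_service` and `cameraserver_service` without a comment explaining any of them, which makes the grants hard to audit for an app that manages eSIM profiles. Each line should carry its reason, for example a comment above the `cameraserver_service` and `camera_config_prop` lines stating what the camera is used for. `bluetooth_domain(euicc_app)` in particular should be dropped unless a denial was actually observed for it; the commit message does not mention Bluetooth. PATCH 835 adds the same file.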
@@ -6,3 +6,6 @@ persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int + +# Properties for euicc +persist.modem.esim_profiles_exist u:object_r:esim_modem_prop:s0 exact string diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts new file mode 100644 index 00000000..8c2178a8 --- /dev/null +++ b/system_ext/private/seapp_contexts @@ -0,0 +1,2 @@ +# Domain for EuiccGoogle +user=_app isPrivApp=true name=com.google.android.euicc domain=euicc_app type=privapp_data_file levelFrom=user diff --git a/system_ext/public/property.te b/system_ext/public/property.te index 8908e485..bb07d927 100644 --- a/system_ext/public/property.te +++ b/system_ext/public/property.te @@ -1,2 +1,5 @@ # Fingerprint (UDFPS) GHBM/LHBM toggle system_vendor_config_prop(fingerprint_ghbm_prop) + +# eSIM properties +system_vendor_config_prop(esim_modem_prop) From 59c1582928f2065cc9656da722efcd7b15286a88 Mon Sep 17 00:00:00 2001 From: Donnie Pollitz Date: Wed, 24 May 2023 16:51:22 +0200 Subject: [PATCH 821/921] Allow vendor_init to fix permissions of TEE data file Background: * vendor_init needs to be able to possibly fix ownership of tee_data_file Bug: 280325952 Test: Changed permissions and confirmed user transitions Change-Id: I26aaf70548a3ad132e5d0da2c10a2753a0954ffc Signed-off-by: Donnie Pollitz --- whitechapel/vendor/google/vendor_init.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index b03c7bb5..43e2056c 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te 
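Review bot: The new seapp_contexts entry selects the euicc_app domain by `isPrivApp=true` and `name=com.google.android.euicc` only; the entry removed in PATCH 818 also required `seinfo=EuiccGoogle`, which tied the domain to the signing certificate mapped in keys.conf and mac_permissions.xml. Without `seinfo`, any privileged app carrying that package name is placed in the domain, so the match now rests on package name and install location alone. If the certificate pin was dropped on purpose, a comment saying why would help; otherwise restore the `seinfo=` selector together with its key mapping. PATCH 835 repeats this hunk.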
@@ -42,6 +42,7 @@ set_prop(vendor_init, vendor_display_prop) # Trusty storage FS ready get_prop(vendor_init, vendor_trusty_storage_prop) +allow vendor_init tee_data_file:lnk_file read; # Mali set_prop(vendor_init, vendor_arm_runtime_option_prop) From 7c2e5a665a2b5692cc241752e7d02b9078fb0cdc Mon Sep 17 00:00:00 2001 From: Ted Wang Date: Thu, 4 May 2023 13:53:09 +0000 Subject: [PATCH 822/921] Add sepolicy for aidl bt extension hal Bug: 274906319 Bug: 282685427 Test: make sepolicy and manual test Change-Id: I6aa9ebe87c743ceb09067a581f64f6cdc0b7d335 Merged-In: I6aa9ebe87c743ceb09067a581f64f6cdc0b7d335 --- raven-sepolicy.mk | 2 ++ raven/cccdk_timesync_app.te | 1 + 2 files changed, 3 insertions(+) create mode 100644 raven-sepolicy.mk create mode 100644 raven/cccdk_timesync_app.te diff --git a/raven-sepolicy.mk b/raven-sepolicy.mk new file mode 100644 index 00000000..91d85cd4 --- /dev/null +++ b/raven-sepolicy.mk @@ -0,0 +1,2 @@ +# Ravne only sepolicy +BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/raven diff --git a/raven/cccdk_timesync_app.te b/raven/cccdk_timesync_app.te new file mode 100644 index 00000000..1a4264db --- /dev/null +++ b/raven/cccdk_timesync_app.te @@ -0,0 +1 @@ +allow vendor_cccdktimesync_app hal_bluetooth_coexistence_service:service_manager find; From 1dc0476a0a27f15828b1777c42be5d04d5d0ce0f Mon Sep 17 00:00:00 2001 From: DesmondH Date: Wed, 31 May 2023 01:51:55 +0000 Subject: [PATCH 823/921] Remove obsolete entries Bug: 275002227 Fix: 232714489 Fix: 269218654 Fix: 281814691 Fix: 176868297 Fix: 184593993 Change-Id: Iab4e5928bca173c76cb083e608edd67d5f7aad52 --- tracking_denials/bug_map | 5 ----- tracking_denials/hal_drm_widevine.te | 2 -- tracking_denials/surfaceflinger.te | 2 -- tracking_denials/untrusted_app.te | 4 ---- 4 files changed, 13 deletions(-) delete mode 100644 tracking_denials/surfaceflinger.te delete mode 100644 tracking_denials/untrusted_app.te 
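Review bot: The added `allow vendor_init tee_data_file:lnk_file read;` only lets vendor_init read a symlink labelled `tee_data_file`, whereas the commit message describes fixing ownership of the TEE data file. Changing ownership of the target would need further permissions on its `dir` and `file` classes, which may already exist outside this hunk. A comment such as `# follow the tee data symlink when init fixes its ownership` would record the intent; as written the rule sits directly under `# Trusty storage FS ready` and reads as part of the property check.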
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index accf1a9d..cd9f9cdf 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,7 +1,2 @@ dump_stm sysfs_spi dir b/277989397 -hal_camera_default boot_status_prop file b/275002227 -hal_camera_default edgetpu_app_service service_manager b/275002227 -hal_drm_default default_prop file b/232714489 hal_power_default hal_power_default capability b/240632824 -rfsd vendor_rild_prop property_service b/269218654 -system_server system_userdir_file dir b/281814691 diff --git a/tracking_denials/hal_drm_widevine.te b/tracking_denials/hal_drm_widevine.te index 01581ca2..d1190b16 100644 --- a/tracking_denials/hal_drm_widevine.te +++ b/tracking_denials/hal_drm_widevine.te @@ -1,4 +1,2 @@ # b/223502652 dontaudit hal_drm_widevine vndbinder_device:chr_file { read }; -# b/232714489 -dontaudit hal_drm_widevine default_prop:file { read }; diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te deleted file mode 100644 index 2db24d73..00000000 --- a/tracking_denials/surfaceflinger.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/176868297 -dontaudit surfaceflinger hal_graphics_composer_default:dir search ; diff --git a/tracking_denials/untrusted_app.te b/tracking_denials/untrusted_app.te deleted file mode 100644 index 9b098f88..00000000 --- a/tracking_denials/untrusted_app.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/184593993 -dontaudit untrusted_app vendor_camera_prop:file { read }; -dontaudit untrusted_app vendor_camera_prop:file { read }; -dontaudit untrusted_app vendor_camera_prop:file { read }; From 03c6806df93dcc9f0c9b448a42ca04af352a9aca Mon Sep 17 00:00:00 2001 From: Jenny Ho Date: Tue, 6 Jun 2023 16:32:12 +0800 Subject: [PATCH 824/921] Add permissions for read maxfg debugfs Bug: 286001476 Change-Id: I787a8af17963c612dbbb9172fc539172f6633ca2 Signed-off-by: Jenny Ho --- whitechapel/vendor/google/dump_gs101.te | 1 + 1 file changed, 1 insertion(+) 
diff --git a/whitechapel/vendor/google/dump_gs101.te b/whitechapel/vendor/google/dump_gs101.te index a624ee96..d1eb528c 100644 --- a/whitechapel/vendor/google/dump_gs101.te +++ b/whitechapel/vendor/google/dump_gs101.te @@ -25,6 +25,7 @@ userdebug_or_eng(` allow dump_gs101 vendor_usb_debugfs:file r_file_perms; allow dump_gs101 debugfs:dir r_dir_perms; allow dump_gs101 vendor_maxfg_debugfs:dir r_dir_perms; + allow dump_gs101 vendor_maxfg_debugfs:file r_file_perms; allow dump_gs101 vendor_votable_debugfs:dir r_dir_perms; allow dump_gs101 vendor_votable_debugfs:file r_file_perms; ') From c1034c26c107fadb12e31f5a1877a164c2a14698 Mon Sep 17 00:00:00 2001 From: Seongsik Kim Date: Fri, 12 May 2023 20:18:34 +0900 Subject: [PATCH 825/921] Enable PacketRouter to use radio device Bug: 279716766 Test: Patch verified by CP crash testing. VoWiFi can re-register successfully Change-Id: I86b307d5269232ee290431264ab2f28fd21a922f Signed-off-by: Seongsik Kim --- telephony/pktrouter/pktrouter.te | 1 + 1 file changed, 1 insertion(+) diff --git a/telephony/pktrouter/pktrouter.te b/telephony/pktrouter/pktrouter.te index e06c8db6..b7d2e112 100644 --- a/telephony/pktrouter/pktrouter.te +++ b/telephony/pktrouter/pktrouter.te @@ -6,6 +6,7 @@ net_domain(pktrouter) domain_auto_trans(pktrouter, netutils_wrapper_exec, netutils_wrapper); allow pktrouter pktrouter_device:chr_file rw_file_perms; +allow pktrouter radio_device:chr_file r_file_perms; allow pktrouter self:netlink_route_socket nlmsg_write; allow pktrouter self:packet_socket { bind create read write getattr shutdown}; allow pktrouter self:capability net_raw; From b6099f09239aed61ea1b480dcf12e2b9caf292ce Mon Sep 17 00:00:00 2001 
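Review bot: `allow pktrouter radio_device:chr_file r_file_perms;` opens every character device labelled `radio_device` to pktrouter, while the commit message describes a single use (re-registering after a modem crash). If pktrouter reads one specific node, giving that node its own type, as `pktrouter_device` has on the line above, would keep the grant narrow; which nodes carry `radio_device` is not visible here. A short comment naming the device and the reason should accompany the rule either way.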
From: Lily Lin Date: Thu, 8 Jun 2023 21:58:24 +0800 Subject: [PATCH 826/921] add sysfs_touch setting for esim firmware upgrade Bug: 284945094 Test: P21 can upgrade esim firmware successfully Change-Id: Ica0fa588e7c15002368af007158753caa0523a46 --- oriole/euiccpixel_app.te | 6 ++++++ raven/euiccpixel_app.te | 6 ++++++ 2 files changed, 12 insertions(+) create mode 100644 oriole/euiccpixel_app.te create mode 100644 raven/euiccpixel_app.te diff --git a/oriole/euiccpixel_app.te b/oriole/euiccpixel_app.te new file mode 100644 index 00000000..54726589 --- /dev/null +++ b/oriole/euiccpixel_app.te @@ -0,0 +1,6 @@ +# EuiccSupportPixel app + +userdebug_or_eng(` + allow euiccpixel_app sysfs_touch:dir search; +') + diff --git a/raven/euiccpixel_app.te b/raven/euiccpixel_app.te new file mode 100644 index 00000000..54726589 --- /dev/null +++ b/raven/euiccpixel_app.te @@ -0,0 +1,6 @@ +# EuiccSupportPixel app + +userdebug_or_eng(` + allow euiccpixel_app sysfs_touch:dir search; +') + From 677d3faab4e290676addcfeccad8f199aa24bc8f Mon Sep 17 00:00:00 2001 From: Ted Wang Date: Thu, 8 Jun 2023 13:46:00 +0000 Subject: [PATCH 827/921] Add bluetooth extension related sepolicy Bug: 286371097 Test: make Change-Id: Ic252f91c56672b270d24863c5ed617f0fc9cb4e7 Merged-In: Ic0dab76988ee80cae72091d6e8eb0e97c651e594 --- oriole-sepolicy.mk | 2 ++ oriole/grilservice_app.te | 2 ++ raven/grilservice_app.te | 2 ++ 3 files changed, 6 insertions(+) create mode 100644 oriole-sepolicy.mk create mode 100644 oriole/grilservice_app.te create mode 100644 raven/grilservice_app.te diff --git a/oriole-sepolicy.mk b/oriole-sepolicy.mk new file mode 100644 index 00000000..a4f28b2a --- /dev/null +++ b/oriole-sepolicy.mk @@ -0,0 +1,2 @@ +# Oriole only sepolicy +BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/oriole diff --git a/oriole/grilservice_app.te b/oriole/grilservice_app.te new file mode 100644 index 00000000..c5b61460 --- /dev/null +++ b/oriole/grilservice_app.te 
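Review bot: The `allow euiccpixel_app sysfs_touch:dir search;` rule is wrapped in `userdebug_or_eng`, yet the commit message says it is needed for eSIM firmware upgrade, which presumably also runs on user builds. If the access is required for the upgrade it will still be denied on user builds; if it only silences a harmless probe, `dontaudit euiccpixel_app sysfs_touch:dir search;` states that more honestly than an `allow`. The file comment `# EuiccSupportPixel app` should also say why an eSIM app touches `sysfs_touch`. raven/euiccpixel_app.te in the same commit is identical and ends with the same stray blank line.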
@@ -0,0 +1,2 @@ +allow grilservice_app hal_bluetooth_coexistence_service:service_manager find; + diff --git a/raven/grilservice_app.te b/raven/grilservice_app.te new file mode 100644 index 00000000..c5b61460 --- /dev/null +++ b/raven/grilservice_app.te @@ -0,0 +1,2 @@ +allow grilservice_app hal_bluetooth_coexistence_service:service_manager find; + From 12abc8ef4aa73a849d72f13ab18bf901b2543703 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 14 Jun 2023 15:30:31 +0800 Subject: [PATCH 828/921] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 287169829 Change-Id: I0a245d81ae243a0461c19583e19912566062bb71 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 03d8f7b9..69c51137 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -22,4 +22,5 @@ incidentd debugfs_wakeup_sources file b/238263568 incidentd incidentd anon_inode b/268146971 rfsd vendor_rild_prop property_service b/269218654 su modem_img_file filesystem b/238825802 +system_app proc_pagetypeinfo file b/287169829 system_server system_userdir_file dir b/281814691 From 918140b833a1dd10474d062df065da7a2181f4f4 Mon Sep 17 00:00:00 2001 From: DesmondH Date: Wed, 14 Jun 2023 17:02:02 +0000 Subject: [PATCH 829/921] Remove fixed or obsolete entries Bug: 277989397 Change-Id: I38a21959e9ff361ec4b54fd98849e4c5a789f87d --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index cd9f9cdf..0b3e8343 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,2 +1 @@ -dump_stm sysfs_spi dir b/277989397 hal_power_default hal_power_default capability b/240632824 From f2d94bd9772fd122f6e68b6cfd51c4564bf38354 Mon Sep 17 00:00:00 2001 
From: Yen-Chao Chem Date: Mon, 26 Jun 2023 16:26:12 +0800 Subject: [PATCH 830/921] Remove sysfs_spi Remove sysfs_spi because it's already defined in gs-common. Bug: 288814327 Test: trigger bugreport. Change-Id: Ibbe418bfc6091b82ac0569e02f6825a6c139d5b6 Signed-off-by: Yen-Chao Chem --- whitechapel/vendor/google/file.te | 2 -- whitechapel/vendor/google/genfs_contexts | 2 -- 2 files changed, 4 deletions(-) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index d8cce99a..39717d07 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -122,8 +122,6 @@ type sysfs_bcl, sysfs_type, fs_type; # Chosen type sysfs_chosen, sysfs_type, fs_type; -type sysfs_spi, sysfs_type, fs_type; - # Battery type persist_battery_file, file_type, vendor_persist_type; diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 59e5b2f9..545ecbaa 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -589,8 +589,6 @@ genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled # ACPM genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0 -genfscon sysfs /devices/platform/10d40000.spi/spi_master u:object_r:sysfs_spi:s0 - # CPU genfscon sysfs /devices/platform/1c500000.mali/time_in_state u:object_r:sysfs_cpu:s0 genfscon sysfs /devices/platform/1c500000.mali/uid_time_in_state u:object_r:sysfs_cpu:s0 From 68893eb7e3a1b1f778537108aa536cc53c8e5dd0 Mon Sep 17 00:00:00 2001 
From: Samuel Huang Date: Wed, 28 Jun 2023 06:02:13 +0000 Subject: [PATCH 831/921] Create telephony.ril.silent_reset system_ext property for RILD restart RILD listens for changes to this property. If the value changes to 1, RILD will restart itself and set this property back to 0. The TelephonyGoogle app will set this property to 1 when it receives a request from the SCONE app. Since TelephonyGoogle runs in the com.android.phone process, we also need to give the radio domain permission to set the telephony.ril.silent_reset property. Bug: 286476107 Test: manual Change-Id: I9f41aab747c075dd3a20d66f011e10ffee5a7608 --- system_ext/private/property_contexts | 3 +++ system_ext/public/property.te | 7 +++++++ whitechapel/vendor/google/radio.te | 2 ++ whitechapel/vendor/google/rild.te | 2 ++ 4 files changed, 14 insertions(+) diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts index 790ba63b..b8f09520 100644 --- a/system_ext/private/property_contexts +++ b/system_ext/private/property_contexts @@ -9,3 +9,6 @@ persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int # Properties for euicc persist.modem.esim_profiles_exist u:object_r:esim_modem_prop:s0 exact string + +# Telephony +telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool \ No newline at end of file diff --git a/system_ext/public/property.te b/system_ext/public/property.te index bb07d927..1abcc84a 100644 --- a/system_ext/public/property.te +++ b/system_ext/public/property.te @@ -3,3 +3,10 @@ system_vendor_config_prop(fingerprint_ghbm_prop) # eSIM properties system_vendor_config_prop(esim_modem_prop) + +# Telephony +system_public_prop(telephony_ril_prop) + +userdebug_or_eng(` + set_prop(shell, telephony_ril_prop) +') \ No newline at end of file diff --git a/whitechapel/vendor/google/radio.te b/whitechapel/vendor/google/radio.te index baa356bd..a604c720 100644 --- a/whitechapel/vendor/google/radio.te +++ b/whitechapel/vendor/google/radio.te 
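Review bot: `telephony_ril_prop` triggers a RILD restart according to the commit message, but nothing in this change bounds who may set it: the commit grants `set_prop` to radio, rild and (on debug builds) shell, and adds no `neverallow`. A `neverallow` on `telephony_ril_prop:property_service set` that excludes only the intended writers, in the style PATCH 820 uses for `esim_modem_prop`, would stop a later rule from handing a modem-reset trigger to another domain. Both system_ext/public/property.te and system_ext/private/property_contexts now end with `\ No newline at end of file`, which should be fixed as well.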
@@ -1,3 +1,5 @@ +set_prop(radio, telephony_ril_prop) + allow radio hal_exynos_rild_hwservice:hwservice_manager find; allow radio proc_vendor_sched:dir r_dir_perms; allow radio proc_vendor_sched:file w_file_perms; diff --git a/whitechapel/vendor/google/rild.te b/whitechapel/vendor/google/rild.te index 5108b452..e578ec4c 100644 --- a/whitechapel/vendor/google/rild.te +++ b/whitechapel/vendor/google/rild.te @@ -7,6 +7,8 @@ set_prop(rild, vendor_sys_default_prop) get_prop(rild, sota_prop) get_prop(rild, system_boot_reason_prop) +set_prop(rild, telephony_ril_prop) + allow rild proc_net:file rw_file_perms; allow rild radio_vendor_data_file:dir create_dir_perms; allow rild radio_vendor_data_file:file create_file_perms; From 73a74266f9e22ea26aee40133805c695dca62752 Mon Sep 17 00:00:00 2001 From: Patty Huang Date: Wed, 28 Jun 2023 22:18:38 +0800 Subject: [PATCH 832/921] Allow bthal to access vendor bluetooth folder Bug: 289055382 Test: enable vendor debug log and check the vendor snoop log contain the vendor log Change-Id: I25d7080f89ef1ca5836315097eab3c2916c9f4c0 --- whitechapel/vendor/google/file.te | 3 +++ whitechapel/vendor/google/file_contexts | 1 + whitechapel/vendor/google/hal_bluetooth_btlinux.te | 3 +++ 3 files changed, 7 insertions(+) create mode 100644 whitechapel/vendor/google/hal_bluetooth_btlinux.te diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index d8cce99a..8eec86af 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -55,6 +55,9 @@ type sysfs_fingerprint, sysfs_type, fs_type; # CHRE type chre_socket, file_type; +# BT +type vendor_bt_data_file, file_type, data_file_type; + # IOMMU type sysfs_iommu, sysfs_type, fs_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 961d9c27..ce7e5631 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -153,6 +153,7 @@ # data files /data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0 +/data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0 # Camera /vendor/bin/hw/android\.hardware\.camera\.provider@2\.7-service-google u:object_r:hal_camera_default_exec:s0 diff --git a/whitechapel/vendor/google/hal_bluetooth_btlinux.te b/whitechapel/vendor/google/hal_bluetooth_btlinux.te new file mode 100644 index 00000000..851dc894 --- /dev/null +++ b/whitechapel/vendor/google/hal_bluetooth_btlinux.te @@ -0,0 +1,3 @@ +allow hal_bluetooth_btlinux vendor_bt_data_file:dir rw_dir_perms; +allow hal_bluetooth_btlinux vendor_bt_data_file:file create_file_perms; + From 31e0460cba60100db6fa29d76c921e24a147c2cd Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 5 Jul 2023 08:06:25 +0000 Subject: [PATCH 833/921] Revert "Update SELinux error" This reverts commit 12abc8ef4aa73a849d72f13ab18bf901b2543703. Bug: 287169829 Change-Id: If92a6a0fc90d70a49999ce6004bcbd5d58565e51 --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 69c51137..03d8f7b9 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -22,5 +22,4 @@ incidentd debugfs_wakeup_sources file b/238263568 incidentd incidentd anon_inode b/268146971 rfsd vendor_rild_prop property_service b/269218654 su modem_img_file filesystem b/238825802 -system_app proc_pagetypeinfo file b/287169829 system_server system_userdir_file dir b/281814691 From a2a1f803559732812d7e495ccca9be9c8c2dfec2 Mon Sep 17 00:00:00 2001 
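Review bot: The two `allow hal_bluetooth_btlinux vendor_bt_data_file` rules are unconditional, while the commit's test line describes enabling vendor debug logging to get vendor entries into the snoop log. Bluetooth snoop and debug logs can contain sensitive traffic, so if /data/vendor/bluetooth is only written when debug logging is on, wrapping the rules in `userdebug_or_eng` or documenting why user builds need them would be safer. The new file also has no comment; something like `# vendor BT debug logs under /data/vendor/bluetooth` would do. No reader of `vendor_bt_data_file` is granted in this commit, so how the logs are collected is not visible here.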
From: Renato Grottesi Date: Wed, 28 Jun 2023 12:57:26 +0000 Subject: [PATCH 834/921] Remove settings for old ArmNN HIDL backend Compile ArmNN shim over the support library. Remove SELinux permissions and settings for the old HIDL backend. The new ones will be in the gs-common folder. Test: Local run of CtsNNAPITestCases Test: Local run of VtsHalNeuralnetworksTargetTest Test: Local run of MLTS Benchmark Bug: 283724775 Change-Id: Ic77de74f1723f314dbfaa0cf948351cefd460b76 --- neuralnetworks/file_contexts | 1 - neuralnetworks/hal_neuralnetworks_armnn.te | 9 --------- 2 files changed, 10 deletions(-) delete mode 100644 neuralnetworks/file_contexts delete mode 100644 neuralnetworks/hal_neuralnetworks_armnn.te diff --git a/neuralnetworks/file_contexts b/neuralnetworks/file_contexts deleted file mode 100644 index fc151ab9..00000000 --- a/neuralnetworks/file_contexts +++ /dev/null @@ -1 +0,0 @@ -/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-armnn u:object_r:hal_neuralnetworks_armnn_exec:s0 diff --git a/neuralnetworks/hal_neuralnetworks_armnn.te b/neuralnetworks/hal_neuralnetworks_armnn.te deleted file mode 100644 index c9872853..00000000 --- a/neuralnetworks/hal_neuralnetworks_armnn.te +++ /dev/null @@ -1,9 +0,0 @@ -type hal_neuralnetworks_armnn, domain; -hal_server_domain(hal_neuralnetworks_armnn, hal_neuralnetworks) - -type hal_neuralnetworks_armnn_exec, vendor_file_type, exec_type, file_type; - -allow hal_neuralnetworks_armnn gpu_device:chr_file rw_file_perms; - -init_daemon_domain(hal_neuralnetworks_armnn) - From 801af7e71316891d897683ec9da3a149a6cac478 Mon Sep 17 00:00:00 2001 
From: Jinyoung Jeong Date: Mon, 15 May 2023 10:18:11 +0000 Subject: [PATCH 835/921] [GS101][eSIM] Add system properties rule Bug: 279988311 Test: https://fusion2.corp.google.com/d517f34a-3242-40b1-adf6-acb6035ff2cb , b/282901698 Change-Id: I6caed744d2bba7882f80f8ace229f6c4b4133c65 Merged-In: I6caed744d2bba7882f80f8ace229f6c4b4133c65 --- system_ext/private/euicc_app.te | 13 +++++++++++++ system_ext/private/property.te | 5 +++++ system_ext/private/property_contexts | 3 +++ system_ext/private/seapp_contexts | 2 ++ system_ext/public/property.te | 3 +++ 5 files changed, 26 insertions(+) create mode 100644 system_ext/private/euicc_app.te create mode 100644 system_ext/private/property.te create mode 100644 system_ext/private/seapp_contexts diff --git a/system_ext/private/euicc_app.te b/system_ext/private/euicc_app.te new file mode 100644 index 00000000..842f1ec7 --- /dev/null +++ b/system_ext/private/euicc_app.te @@ -0,0 +1,13 @@ +type euicc_app, domain, coredomain; +app_domain(euicc_app) +net_domain(euicc_app) +bluetooth_domain(euicc_app) + +allow euicc_app app_api_service:service_manager find; +allow euicc_app radio_service:service_manager find; +allow euicc_app cameraserver_service:service_manager find; + +get_prop(euicc_app, camera_config_prop) +get_prop(euicc_app, bootloader_prop) +get_prop(euicc_app, exported_default_prop) +get_prop(euicc_app, esim_modem_prop) diff --git a/system_ext/private/property.te b/system_ext/private/property.te new file mode 100644 index 00000000..714108b1 --- /dev/null +++ b/system_ext/private/property.te @@ -0,0 +1,5 @@ +neverallow { + domain + -init + -vendor_init +} esim_modem_prop:property_service set; diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts index 9cf97280..790ba63b 100644 --- a/system_ext/private/property_contexts +++ b/system_ext/private/property_contexts 
@@ -6,3 +6,6 @@ persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int + +# Properties for euicc +persist.modem.esim_profiles_exist u:object_r:esim_modem_prop:s0 exact string diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts new file mode 100644 index 00000000..8c2178a8 --- /dev/null +++ b/system_ext/private/seapp_contexts @@ -0,0 +1,2 @@ +# Domain for EuiccGoogle +user=_app isPrivApp=true name=com.google.android.euicc domain=euicc_app type=privapp_data_file levelFrom=user diff --git a/system_ext/public/property.te b/system_ext/public/property.te index 8908e485..bb07d927 100644 --- a/system_ext/public/property.te +++ b/system_ext/public/property.te @@ -1,2 +1,5 @@ # Fingerprint (UDFPS) GHBM/LHBM toggle system_vendor_config_prop(fingerprint_ghbm_prop) + +# eSIM properties +system_vendor_config_prop(esim_modem_prop) From ba43d8a084a5f7906b3652d54f28661b351a9970 Mon Sep 17 00:00:00 2001 From: Android Culprit Assistant Date: Wed, 12 Jul 2023 20:43:46 +0000 Subject: [PATCH 836/921] Revert "Remove settings for old ArmNN HIDL backend" This revert was created by Android Culprit Assistant. The culprit was identified in the following culprit search session (http://go/aca-get/123b2665-83ef-4fd0-904d-a0d8c5782db9). Change-Id: Ia25d50cb9e645e77283edb3540be18781ff58f05 --- neuralnetworks/file_contexts | 1 + neuralnetworks/hal_neuralnetworks_armnn.te | 9 +++++++++ 2 files changed, 10 insertions(+) create mode 100644 neuralnetworks/file_contexts create mode 100644 neuralnetworks/hal_neuralnetworks_armnn.te diff --git a/neuralnetworks/file_contexts b/neuralnetworks/file_contexts new file mode 100644 index 00000000..fc151ab9 --- /dev/null +++ b/neuralnetworks/file_contexts 
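Review bot: The new `seapp_contexts` entry selects `euicc_app` by `isPrivApp=true` and `name=com.google.android.euicc` alone and does not pin a signing certificate with `seinfo=`. A package name is not an authenticated identity, so the domain assignment rests entirely on what is installed in the privileged partition. The domain it leads to carries `net_domain`, `bluetooth_domain` and `radio_service` lookup. If the app's signing key has, or can be given, a signer entry in `mac_permissions.xml`, bind the rule to it: `user=_app isPrivApp=true seinfo=<SEINFO_TAG> name=com.google.android.euicc domain=euicc_app type=privapp_data_file levelFrom=user` (the tag is a placeholder). If the omission is deliberate, a comment saying so would prevent the question recurring.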
@@ -0,0 +1 @@ +/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-armnn u:object_r:hal_neuralnetworks_armnn_exec:s0 diff --git a/neuralnetworks/hal_neuralnetworks_armnn.te b/neuralnetworks/hal_neuralnetworks_armnn.te new file mode 100644 index 00000000..c9872853 --- /dev/null +++ b/neuralnetworks/hal_neuralnetworks_armnn.te @@ -0,0 +1,9 @@ +type hal_neuralnetworks_armnn, domain; +hal_server_domain(hal_neuralnetworks_armnn, hal_neuralnetworks) + +type hal_neuralnetworks_armnn_exec, vendor_file_type, exec_type, file_type; + +allow hal_neuralnetworks_armnn gpu_device:chr_file rw_file_perms; + +init_daemon_domain(hal_neuralnetworks_armnn) + From c3596854021b6c90a5bda3bdbcb4fd07fc4f8d66 Mon Sep 17 00:00:00 2001 From: Renato Grottesi Date: Thu, 13 Jul 2023 08:40:59 +0000 Subject: [PATCH 837/921] Revert^2 "Remove settings for old ArmNN HIDL backend" ba43d8a084a5f7906b3652d54f28661b351a9970 Compile ArmNN shim over the support library. Remove SELinux permissions and settings for the old HIDL backend. The new ones will be in the gs-common folder. Test: Local run of CtsNNAPITestCases Test: Local run of VtsHalNeuralnetworksTargetTest Test: Local run of MLTS Benchmark Bug: 283724775 Change-Id: Ib72308547f08bc21a5a205ec158e297cb8fe9083 --- neuralnetworks/file_contexts | 1 - neuralnetworks/hal_neuralnetworks_armnn.te | 9 --------- 2 files changed, 10 deletions(-) delete mode 100644 neuralnetworks/file_contexts delete mode 100644 neuralnetworks/hal_neuralnetworks_armnn.te diff --git a/neuralnetworks/file_contexts b/neuralnetworks/file_contexts deleted file mode 100644 index fc151ab9..00000000 --- a/neuralnetworks/file_contexts +++ /dev/null @@ -1 +0,0 @@ -/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-armnn u:object_r:hal_neuralnetworks_armnn_exec:s0 diff --git a/neuralnetworks/hal_neuralnetworks_armnn.te b/neuralnetworks/hal_neuralnetworks_armnn.te deleted file mode 100644 index c9872853..00000000 
--- a/neuralnetworks/hal_neuralnetworks_armnn.te +++ /dev/null @@ -1,9 +0,0 @@ -type hal_neuralnetworks_armnn, domain; -hal_server_domain(hal_neuralnetworks_armnn, hal_neuralnetworks) - -type hal_neuralnetworks_armnn_exec, vendor_file_type, exec_type, file_type; - -allow hal_neuralnetworks_armnn gpu_device:chr_file rw_file_perms; - -init_daemon_domain(hal_neuralnetworks_armnn) - From ddefd11361a16d04d713e47c319cc600de1c161f Mon Sep 17 00:00:00 2001 From: Renato Grottesi Date: Thu, 13 Jul 2023 18:46:26 +0000 Subject: [PATCH 838/921] Remove settings for old ArmNN HIDL backend Compile ArmNN shim over the support library. Remove SELinux permissions and settings for the old HIDL backend. The AIDL settings will be in the gs-common folder. Test: Local run of CtsNNAPITestCases Test: Local run of VtsHalNeuralnetworksTargetTest Test: Local run of MLTS Benchmark Bug: 283724775 Merged-In: Ib72308547f08bc21a5a205ec158e297cb8fe9083 Change-Id: Ic75d022824bd62bef48a8b0db80237b1370ac570 --- neuralnetworks/file_contexts | 1 - neuralnetworks/hal_neuralnetworks_armnn.te | 9 --------- 2 files changed, 10 deletions(-) delete mode 100644 neuralnetworks/file_contexts delete mode 100644 neuralnetworks/hal_neuralnetworks_armnn.te diff --git a/neuralnetworks/file_contexts b/neuralnetworks/file_contexts deleted file mode 100644 index fc151ab9..00000000 --- a/neuralnetworks/file_contexts +++ /dev/null @@ -1 +0,0 @@ -/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-armnn u:object_r:hal_neuralnetworks_armnn_exec:s0 diff --git a/neuralnetworks/hal_neuralnetworks_armnn.te b/neuralnetworks/hal_neuralnetworks_armnn.te deleted file mode 100644 index c9872853..00000000 --- a/neuralnetworks/hal_neuralnetworks_armnn.te +++ /dev/null 
@@ -1,9 +0,0 @@ -type hal_neuralnetworks_armnn, domain; -hal_server_domain(hal_neuralnetworks_armnn, hal_neuralnetworks) - -type hal_neuralnetworks_armnn_exec, vendor_file_type, exec_type, file_type; - -allow hal_neuralnetworks_armnn gpu_device:chr_file rw_file_perms; - -init_daemon_domain(hal_neuralnetworks_armnn) - From 6efcea55dcf824f144c3c5b56a4f071402765d7f Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 14 Jul 2023 20:16:05 +0800 Subject: [PATCH 839/921] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 291237382 Change-Id: Ie3f2e61a1103edcaeffb985a926de1480f2ea7ef --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 03d8f7b9..9d1293e6 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -23,3 +23,4 @@ incidentd incidentd anon_inode b/268146971 rfsd vendor_rild_prop property_service b/269218654 su modem_img_file filesystem b/238825802 system_server system_userdir_file dir b/281814691 +system_suspend sysfs_aoc dir b/291237382 From 3c8d114e48a75505a39138a640c8731ab2e8340b Mon Sep 17 00:00:00 2001 From: Utku Utkan Date: Tue, 11 Jul 2023 17:44:08 -0700 Subject: [PATCH 840/921] Introduce CameraServices seinfo tag for PixelCameraServices Bug: 287069860 Test: m && flashall && check against 'avc: denied' errors Change-Id: I9e9d3914499550d9e9b6c8ea7c4a7cabd9e9a5dd --- whitechapel/vendor/google/keys.conf | 3 +++ whitechapel/vendor/google/mac_permissions.xml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/whitechapel/vendor/google/keys.conf b/whitechapel/vendor/google/keys.conf index fb6e52b6..3c9dee72 100644 --- a/whitechapel/vendor/google/keys.conf +++ b/whitechapel/vendor/google/keys.conf 
@@ -6,3 +6,6 @@ ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/com_qorvo_uwb [@EUICCSUPPORTPIXEL] ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/EuiccSupportPixel.x509.pem + +[@CAMERASERVICES] +ALL : vendor/google/dev-keystore/certs/com_google_android_apps_camera_services/com_google_android_apps_camera_services.x509.pem diff --git a/whitechapel/vendor/google/mac_permissions.xml b/whitechapel/vendor/google/mac_permissions.xml index 6cb7113c..b51e565e 100644 --- a/whitechapel/vendor/google/mac_permissions.xml +++ b/whitechapel/vendor/google/mac_permissions.xml @@ -30,4 +30,7 @@ + + + From 722322664c17b91280253c68cd65ef77b7af3cd2 Mon Sep 17 00:00:00 2001 From: Inseob Kim Date: Wed, 19 Jul 2023 01:15:07 +0000 Subject: [PATCH 841/921] Revert "Introduce CameraServices seinfo tag for PixelCameraServices" Revert submission 24056607-pixel-camera-services-extensions-sepolicy Reason for revert: build breakage on git_main-without-vendor Reverted changes: /q/submissionid:24056607-pixel-camera-services-extensions-sepolicy Change-Id: I0654c7c4ef296b4594db86cc8af5a73627e2b7d7 --- whitechapel/vendor/google/keys.conf | 3 --- whitechapel/vendor/google/mac_permissions.xml | 3 --- 2 files changed, 6 deletions(-) diff --git a/whitechapel/vendor/google/keys.conf b/whitechapel/vendor/google/keys.conf index 3c9dee72..fb6e52b6 100644 --- a/whitechapel/vendor/google/keys.conf +++ b/whitechapel/vendor/google/keys.conf @@ -6,6 +6,3 @@ ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/com_qorvo_uwb [@EUICCSUPPORTPIXEL] ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/EuiccSupportPixel.x509.pem - -[@CAMERASERVICES] -ALL : vendor/google/dev-keystore/certs/com_google_android_apps_camera_services/com_google_android_apps_camera_services.x509.pem diff --git a/whitechapel/vendor/google/mac_permissions.xml b/whitechapel/vendor/google/mac_permissions.xml index b51e565e..6cb7113c 100644 
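Review bot: The `[@CAMERASERVICES]` entry added to `keys.conf` loads its certificate from `vendor/google/dev-keystore/certs/...`, while the context entries just above it read theirs from `device/google/gs101-sepolicy/whitechapel/vendor/google/certs/`. A tree that does not check out `vendor/google` has no such file, so policy generation would likely fail there. Keeping a copy next to the other certificates and referencing `ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/com_google_android_apps_camera_services.x509.pem` removes that dependency. The `dev-keystore` path component also suggests a development key, so it is worth confirming which certificate release builds map to this seinfo tag. Any domain selected by `seinfo` is only as trustworthy as the key behind it.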
--- a/whitechapel/vendor/google/mac_permissions.xml +++ b/whitechapel/vendor/google/mac_permissions.xml @@ -30,7 +30,4 @@ - - - From e10372e111cb83fedfc7993460f8b5322de5e087 Mon Sep 17 00:00:00 2001 From: Utku Utkan Date: Wed, 19 Jul 2023 02:47:43 +0000 Subject: [PATCH 842/921] Revert^2 "Introduce CameraServices seinfo tag for PixelCameraServices" Revert submission 24122569-revert-24056607-pixel-camera-services-extensions-sepolicy-OFSULTXSBL Reason for revert: Relanding the original topic after copying the certificates under `device/google` for `without-vendor` branches Reverted changes: /q/submissionid:24122569-revert-24056607-pixel-camera-services-extensions-sepolicy-OFSULTXSBL Bug: 287069860 Test: m && flashall Change-Id: Icf52453dc2a0a4d60958b8fe76509f385ac6fae2 --- ...ogle_android_apps_camera_services.x509.pem | 30 +++++++++++++++++++ whitechapel/vendor/google/keys.conf | 3 ++ whitechapel/vendor/google/mac_permissions.xml | 3 ++ 3 files changed, 36 insertions(+) create mode 100644 whitechapel/vendor/google/certs/com_google_android_apps_camera_services.x509.pem diff --git a/whitechapel/vendor/google/certs/com_google_android_apps_camera_services.x509.pem b/whitechapel/vendor/google/certs/com_google_android_apps_camera_services.x509.pem new file mode 100644 index 00000000..7b8c5b22 --- /dev/null +++ b/whitechapel/vendor/google/certs/com_google_android_apps_camera_services.x509.pem 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIGCzCCA/OgAwIBAgIVAIHtywgrR7O/EgQ+PeYSfHDaUDt8MA0GCSqGSIb3DQEBCwUAMIGUMQsw +CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEU +MBIGA1UEChMLR29vZ2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxMDAuBgNVBAMMJ2NvbV9nb29n +bGVfYW5kcm9pZF9hcHBzX2NhbWVyYV9zZXJ2aWNlczAgFw0yMTA2MzAyMzI2MThaGA8yMDUxMDYz +MDIzMjYxOFowgZQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N +b3VudGFpbiBWaWV3MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEwMC4G +A1UEAwwnY29tX2dvb2dsZV9hbmRyb2lkX2FwcHNfY2FtZXJhX3NlcnZpY2VzMIICIjANBgkqhkiG +9w0BAQEFAAOCAg8AMIICCgKCAgEAof2MqYxoQkV05oUZULYlNLDIJKryWjC8ha300YUktBNNVBSP +1y33+ZTBldm7drcBGo54S1JE1lCIP1dMxby0rNTJ8/Zv2bMVMjXX0haF5vULt64itDcR0SqUDfFR +UsHapPVmRmMpDOMOUYUbN7gjU7iYAc9oWBo6BFfckdpwwKfzYY/sgieen1E/MN7Zpzmefct3WDU5 +4Dc8mpoNsen3oqquieYAgv9FOw5gCIgsDaOfYFBgvAE08Pqo3J/zU6dAuqUJztNH8EhgTNbcaNVL +jCmofa+iIAjSpmP69jcgaUyfmH0EE3/m55qouVRJzqARvmEO/M7LEr3n1ZKKhDZdO6TJysMzP9g8 +pONPO8/3hTQ+GP+7fOQooNQJEGNgJuZOHSyNL/8nGCgHBZKgZdZPKk8HV2M578UDf8yNyV5AYpx0 +VK1JdoBtNMzp0cv7Q6TTugIuDEzT3jmgGGp6WmXE6B9dJOq+cnVC7cSYva8wctFS3RpoqT79vkW3 +A7g2b26bM5GMQ8KcGC4qm4pJkrX5kKZWZGWXjm0F8gRJQ5D0S/AcUw3B+sG/AmfQzLm8SCK36HhO +sFnPsQJ/VdL7kg9HHWrQYVexNaQnD/QLOCenk09COUzSwexws+kQhUH45OSbQFjOJwPbS4YAn9qV +eV+DPlvemZEFYF5+MVlDwOGQ3JsCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtjMO +nlaC4nsk4PwT+fcIYpg52JQwHwYDVR0jBBgwFoAUtjMOnlaC4nsk4PwT+fcIYpg52JQwDQYJKoZI +hvcNAQELBQADggIBABhYDqPD2yWiXNCVtHk6h7Kb2H2U3rc8G7Or1/mwrXSCEgqHnCkpiWeb1h/5 +YNS9fRrexQD+O0hukCpjvIFccQvk8EkZdWpn4kDlrUqfakWpASzlwEqRviS31Hiybn/+QUpYuDTm +FYorrHzDzPiNttzxVK0ENt4T4ETDWVqiGB7tbTlLPr6tz/oxDjRH8y4iS/For7SkfdI512txJgDr +njvRVY9WJykySs+AAqwS1PIMXGoI03UmLJUsFNUjHehaqguPS1uiewlKiQq07blWbnQXdcyH7QTI +hOUPY2rRBh8ciXu4L0Uk4To7+DP/8nHSGC7qXPvP6W3gqW1hj0d6GviMEfJ9fBSUEzaCRF3aL/5e +JOGQQKxh7Jsl/zZs4+MYg0Q2cyg/BQVNNOhESG4et4OV5go9W+1oAy20FV0NgtdPoeb9ABNoi4T3 +IrKLgxOsbACpoDt3zPhncqiJhX3feFtyVV4oRiylydiiYO927qNdfMGmcnGFSG4814kUxSdpkoCA 
+V7WCQD42zfBYj4pkdZwiJW4yZSaPWN/Eodi3PBsV+10Y1O1WOvebJuTGmcvWWMCPGtFQJDijUy4H +r8rDe3ZmRGQ+vEGPJZC8nx9+qxLQ314ZCzdS0R1HwRRuOji3fCSCnaPQuCFe3YlzhB2j6fRGNf7F +DB17LhMLl0GxX9j1 +-----END CERTIFICATE----- diff --git a/whitechapel/vendor/google/keys.conf b/whitechapel/vendor/google/keys.conf index fb6e52b6..0693d7c5 100644 --- a/whitechapel/vendor/google/keys.conf +++ b/whitechapel/vendor/google/keys.conf @@ -6,3 +6,6 @@ ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/com_qorvo_uwb [@EUICCSUPPORTPIXEL] ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/EuiccSupportPixel.x509.pem + +[@CAMERASERVICES] +ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/com_google_android_apps_camera_services.x509.pem diff --git a/whitechapel/vendor/google/mac_permissions.xml b/whitechapel/vendor/google/mac_permissions.xml index 6cb7113c..b51e565e 100644 --- a/whitechapel/vendor/google/mac_permissions.xml +++ b/whitechapel/vendor/google/mac_permissions.xml @@ -30,4 +30,7 @@ + + + From e2aaff8d5ef58e55f531024cccd4eded2990e955 Mon Sep 17 00:00:00 2001 From: Kiyoung Kim Date: Thu, 20 Jul 2023 09:53:15 +0900 Subject: [PATCH 843/921] Move file context on vendor libdmabufheap to system/sepolicy libdmabufheap is former VNDK-SP library, and will be marked as sp-hal sepolicy label by default. Current definition on gs-101 creates conflict with generic sepolicy update. This change removes label on libdmabufheap from gs101 and move it to generic sepolicy. Bug: 291673098 Test: N/A Change-Id: Ida23dc71e9794aa86e8b50ed927dc6b5fa57ea91 --- whitechapel/vendor/google/file_contexts | 1 - 1 file changed, 1 deletion(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 7315a919..da3b275a 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -13,7 +13,6 @@ /(vendor|system/vendor)/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0 /(vendor|system/vendor)/lib(64)?/libOpenCL-pixel\.so u:object_r:same_process_hal_file:s0 -/(vendor|system/vendor)/lib(64)?/libdmabufheap\.so u:object_r:same_process_hal_file:s0 /(vendor|system/vendor)/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0 /vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0 From d9478e1c21bcff60f25d605c25df71f11ac5792d Mon Sep 17 00:00:00 2001 From: Inseob Kim Date: Fri, 21 Jul 2023 14:46:14 +0900 Subject: [PATCH 844/921] Move coredomain seapp contexts to system_ext Coredomain apps shouldn't be labeled with vendor sepolicy, due to Treble violation. Bug: 280547417 Test: TH Change-Id: I68d6564ca9e5ba77d3562b6c73b32cd1713001f7 --- ambient/seapp_contexts | 2 -- system_ext/private/seapp_contexts | 9 +++++++++ whitechapel/vendor/google/seapp_contexts | 6 ------ 3 files changed, 9 insertions(+), 8 deletions(-) delete mode 100644 ambient/seapp_contexts diff --git a/ambient/seapp_contexts b/ambient/seapp_contexts deleted file mode 100644 index 8024688c..00000000 --- a/ambient/seapp_contexts +++ /dev/null @@ -1,2 +0,0 @@ -# Domain for Exo app -user=_app seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts index 8c2178a8..234cccaf 100644 --- a/system_ext/private/seapp_contexts +++ b/system_ext/private/seapp_contexts 
@@ -1,2 +1,11 @@ # Domain for EuiccGoogle user=_app isPrivApp=true name=com.google.android.euicc domain=euicc_app type=privapp_data_file levelFrom=user + +# Domain for Exo app +user=_app seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all + +# Domain for connectivity monitor +user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all + +# HbmSVManager +user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index e724de28..7711c447 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts @@ -24,18 +24,12 @@ user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_d # grilservice user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all -# HbmSVManager -user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all - # Domain for omadm user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all # Modem Diagnostic System user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user -# Domain for connectivity monitor -user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all - # RIL Config Service user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file From 694fd0935a60fbe9e19cb93b2b985eee357d4d69 Mon Sep 17 00:00:00 2001 
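Review bot: The three entries added to `system_ext/private/seapp_contexts` name `exo_app`, `con_monitor_app` and `hbmsvmanager_app`, but the diffstat for this commit lists only `seapp_contexts` files. The `type ...` declarations for those domains therefore stay in the vendor policy under `ambient/` and `whitechapel/vendor/google/`. system_ext policy is presumably checked without the vendor types in scope, so these lines would refer to domains that do not exist at that layer. The declarations should move with the contexts in the same change, e.g. `type con_monitor_app, domain;` under `system_ext/public/`, leaving only the vendor-specific `allow` rules in the vendor files.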
From: Ken Yang Date: Thu, 27 Jul 2023 01:41:08 +0000 Subject: [PATCH 845/921] SELinux: fix sysfs_wlc avc denials Bug: 291541479 Change-Id: I40b0cdea1681a8de24dede4aca830097812c736a Signed-off-by: Ken Yang --- whitechapel/vendor/google/genfs_contexts | 11 +++++++++++ whitechapel/vendor/google/hal_wireless_charger.te | 5 +++++ 2 files changed, 16 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 545ecbaa..37edc728 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -75,6 +75,17 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/chg_stats genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0057/chg_stats u:object_r:sysfs_pca:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/0-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/1-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-9/9-003c u:object_r:sysfs_wlc:s0 + # Storage genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0 genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0 diff --git a/whitechapel/vendor/google/hal_wireless_charger.te b/whitechapel/vendor/google/hal_wireless_charger.te index 04b3e5e2..8d6c0118 100644 
--- a/whitechapel/vendor/google/hal_wireless_charger.te +++ b/whitechapel/vendor/google/hal_wireless_charger.te @@ -1,2 +1,7 @@ type hal_wireless_charger, domain; type hal_wireless_charger_exec, exec_type, vendor_file_type, file_type; + +r_dir_file(hal_wireless_charger, sysfs_wlc) + +allow hal_wireless_charger sysfs_wlc:dir search; +allow hal_wireless_charger sysfs_wlc:file rw_file_perms; From 53081f7032713f6879e36b3872dc9ce1f0a66d7e Mon Sep 17 00:00:00 2001 From: Inseob Kim Date: Fri, 28 Jul 2023 06:02:59 +0000 Subject: [PATCH 846/921] Revert "Move coredomain seapp contexts to system_ext" This reverts commit d9478e1c21bcff60f25d605c25df71f11ac5792d. Reason for revert: breaking build. b/293539702 Change-Id: Ie8a66971fcf249c9d08b4898e24b962d6aaf3ce6 --- ambient/seapp_contexts | 2 ++ system_ext/private/seapp_contexts | 9 --------- whitechapel/vendor/google/seapp_contexts | 6 ++++++ 3 files changed, 8 insertions(+), 9 deletions(-) create mode 100644 ambient/seapp_contexts diff --git a/ambient/seapp_contexts b/ambient/seapp_contexts new file mode 100644 index 00000000..8024688c --- /dev/null +++ b/ambient/seapp_contexts @@ -0,0 +1,2 @@ +# Domain for Exo app +user=_app seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts index 234cccaf..8c2178a8 100644 --- a/system_ext/private/seapp_contexts +++ b/system_ext/private/seapp_contexts 
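Review bot: In `hal_wireless_charger.te` the line `allow hal_wireless_charger sysfs_wlc:dir search;` is redundant. `r_dir_file(hal_wireless_charger, sysfs_wlc)` two lines above already grants `r_dir_perms` on the directory, which includes `search`, plus read access on files, so only the `rw_file_perms` rule adds anything. More important is scope: the `genfs_contexts` hunk of this commit labels the whole `N-003c` device directory on ten I2C buses as `sysfs_wlc`. The neighbouring `chg_stats` entries label a single attribute instead, so write access here reaches every attribute the driver exposes under that node. If the HAL writes only a few attributes, label those paths individually, or add a comment such as `# HAL writes <ATTRIBUTE_NAMES> under the wireless-charger I2C node` (placeholder) so the breadth is a recorded decision.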
@@ -1,11 +1,2 @@ # Domain for EuiccGoogle user=_app isPrivApp=true name=com.google.android.euicc domain=euicc_app type=privapp_data_file levelFrom=user - -# Domain for Exo app -user=_app seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all - -# Domain for connectivity monitor -user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all - -# HbmSVManager -user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index 7711c447..e724de28 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts @@ -24,12 +24,18 @@ user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_d # grilservice user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all +# HbmSVManager +user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all + # Domain for omadm user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all # Modem Diagnostic System user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user +# Domain for connectivity monitor +user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all + # RIL Config Service user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file From 40bf4a249dc920856f7451df7374b4d6ba30462e Mon Sep 17 00:00:00 2001 
From: Roy Luo Date: Wed, 16 Aug 2023 19:04:51 +0000 Subject: [PATCH 847/921] Support monitoring USB sysfs attributes in USB HAL Grant access to USB sysfs attributes. Bug: 285199434 Test: no audit log in logcat after command execution Change-Id: Ic9c61cb5153e06eb9db15f4451a4e6769d688431 --- whitechapel/vendor/google/hal_usb_impl.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/hal_usb_impl.te b/whitechapel/vendor/google/hal_usb_impl.te index 97ec1c7c..cd2cbf89 100644 --- a/whitechapel/vendor/google/hal_usb_impl.te +++ b/whitechapel/vendor/google/hal_usb_impl.te @@ -26,3 +26,7 @@ allow hal_usb_impl sysfs_usbc_throttling_stats:file r_file_perms; # For checking contaminant detection status get_prop(hal_usb_impl, vendor_usb_config_prop); + +# For monitoring usb sysfs attributes +allow hal_usb_impl sysfs_wakeup:dir search; +allow hal_usb_impl sysfs_wakeup:file r_file_perms; From bbef712e8418cfe8688eedd0294a1f484c3e6725 Mon Sep 17 00:00:00 2001 From: Renato Grottesi Date: Thu, 17 Aug 2023 08:57:45 +0000 Subject: [PATCH 848/921] Cleanup unused ArmNN settings. Test: pre-submit Bug: 294463729 Change-Id: I1008e2c14ae8d9c7950e5d6add49372fa2b42ce2 --- whitechapel/vendor/google/property.te | 3 --- whitechapel/vendor/google/property_contexts | 3 --- whitechapel/vendor/google/vendor_init.te | 3 --- 3 files changed, 9 deletions(-) diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 34f17a70..934e13a9 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -57,6 +57,3 @@ vendor_internal_prop(vendor_trusty_storage_prop) # Mali Integration vendor_restricted_prop(vendor_arm_runtime_option_prop) - -# ArmNN configuration -vendor_internal_prop(vendor_armnn_config_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 17e9af59..4c01239d 100644 --- a/whitechapel/vendor/google/property_contexts 
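Review bot: `sysfs_wakeup` is not a USB-specific label, so the two rules added to `hal_usb_impl.te` grant more than the comment suggests. The `genfs_contexts` lines on this page place serial, AoC and RTC wakeup nodes under the same type, so the rules let the USB HAL search and read wakeup-source attributes for all of those devices. The comment `# For monitoring usb sysfs attributes` does not say which attribute is read or why it carries the wakeup label. Naming the path in the comment would make the grant reviewable. If only USB controller nodes are needed, giving those paths their own type in `genfs_contexts` would keep the HAL's view limited to them.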
+++ b/whitechapel/vendor/google/property_contexts @@ -101,6 +101,3 @@ ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage # Mali GPU driver configuration and debug options vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix - -# ArmNN configuration -ro.vendor.armnn. u:object_r:vendor_armnn_config_prop:s0 prefix diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 43e2056c..5ff78d4d 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -46,6 +46,3 @@ allow vendor_init tee_data_file:lnk_file read; # Mali set_prop(vendor_init, vendor_arm_runtime_option_prop) - -# ArmNN -set_prop(vendor_init, vendor_armnn_config_prop) From 80c26d25240fc9923e7dce8ed30e71a442a206f4 Mon Sep 17 00:00:00 2001 From: Inseob Kim Date: Mon, 21 Aug 2023 17:31:29 +0900 Subject: [PATCH 849/921] Start tracking vendor seapp coredomain violations As part of Treble, enforce that vendor's seapp_contexts can't label apps using coredomains. Apps installed to system/system_ext/product should be labeled with platform side sepolicy. This change marks violating domains that need to be fixed. Bug: 296512193 Test: build oriole and see build log Change-Id: I7d5b91014362a64f3d66b3913d4d1bc773d922c8 --- ambient/exo_app.te | 3 +++ whitechapel/vendor/google/con_monitor.te | 3 +++ whitechapel/vendor/google/hbmsvmanager_app.te | 3 +++ 3 files changed, 9 insertions(+) diff --git a/ambient/exo_app.te b/ambient/exo_app.te index 3a88eebb..9b4fd0b6 100644 --- a/ambient/exo_app.te +++ b/ambient/exo_app.te @@ -1,5 +1,8 @@ type exo_app, coredomain, domain; +# TODO(b/296512193): move exo_app out of vendor sepolicy +typeattribute exo_app vendor_seapp_assigns_coredomain_violators; + app_domain(exo_app) net_domain(exo_app) diff --git a/whitechapel/vendor/google/con_monitor.te b/whitechapel/vendor/google/con_monitor.te index 8695ccaa..ab17c826 100644 --- a/whitechapel/vendor/google/con_monitor.te 
+++ b/whitechapel/vendor/google/con_monitor.te @@ -1,6 +1,9 @@ # ConnectivityMonitor app type con_monitor_app, domain, coredomain; +# TODO(b/296512193): move con_monitor_app out of vendor sepolicy +typeattribute con_monitor_app vendor_seapp_assigns_coredomain_violators; + app_domain(con_monitor_app) set_prop(con_monitor_app, radio_prop) diff --git a/whitechapel/vendor/google/hbmsvmanager_app.te b/whitechapel/vendor/google/hbmsvmanager_app.te index b7058090..2acbaa8a 100644 --- a/whitechapel/vendor/google/hbmsvmanager_app.te +++ b/whitechapel/vendor/google/hbmsvmanager_app.te @@ -1,5 +1,8 @@ type hbmsvmanager_app, domain, coredomain; +# TODO(b/296512193): move hbmsvmanager_app out of vendor sepolicy +typeattribute hbmsvmanager_app vendor_seapp_assigns_coredomain_violators; + app_domain(hbmsvmanager_app); allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms; From 115679f21199c31b9af9c112c0b4832d6037117a Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 4 Sep 2023 15:33:41 +0800 Subject: [PATCH 850/921] Update SELinux error Bug: 290766628 Merged-In: Ieecf2602f481d8c45d6b213aff8c390c3a32d68c Change-Id: I13d2fb464c80b0be2d6524a58b441fcd8eaaa830 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 69c51137..4df791a3 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -24,3 +24,4 @@ rfsd vendor_rild_prop property_service b/269218654 su modem_img_file filesystem b/238825802 system_app proc_pagetypeinfo file b/287169829 system_server system_userdir_file dir b/281814691 +platform_app hal_uwb_vendor_service find b/290766628 From a785706208f7b31e542ffa82e817a69c70e82bdf Mon Sep 17 00:00:00 2001 From: yixuanjiang Date: Thu, 20 Jul 2023 18:07:47 +0800 Subject: [PATCH 851/921] Label AoC wakeup for system suspend Bug: 291237382 Change-Id: Iddcee44cbe921b590a240c75504a0a44634a244d 
Signed-off-by: yixuanjiang --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 37edc728..8f31f090 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -282,6 +282,7 @@ genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/wakeup genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/com.google.usf.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19000000.aoc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 From fb3a11636618dbb044e567716ff2984b25117bc5 Mon Sep 17 00:00:00 2001 
From: Inseob Kim Date: Fri, 4 Aug 2023 14:26:21 +0900 Subject: [PATCH 852/921] Move coredomain seapp ctx and types to system_ext Coredomain apps shouldn't be labeled with vendor sepolicy, due to Treble violation. Bug: 280547417 Test: build bluejay and boot test Change-Id: I48441749de4eb1de90ce5a307b1d47ae3cb9592d --- system_ext/private/con_monitor.te | 7 +++++++ system_ext/private/hbmsvmanager_app.te | 11 +++++++++++ system_ext/private/seapp_contexts | 6 ++++++ system_ext/public/con_monitor.te | 2 ++ system_ext/public/hbmsvmanager_app.te | 1 + whitechapel/vendor/google/con_monitor.te | 11 ----------- whitechapel/vendor/google/hbmsvmanager_app.te | 15 --------------- whitechapel/vendor/google/seapp_contexts | 6 ------ 8 files changed, 27 insertions(+), 32 deletions(-) create mode 100644 system_ext/private/con_monitor.te create mode 100644 system_ext/private/hbmsvmanager_app.te create mode 100644 system_ext/public/con_monitor.te create mode 100644 system_ext/public/hbmsvmanager_app.te diff --git a/system_ext/private/con_monitor.te b/system_ext/private/con_monitor.te new file mode 100644 index 00000000..c68ec1f8 --- /dev/null +++ b/system_ext/private/con_monitor.te @@ -0,0 +1,7 @@ +typeattribute con_monitor_app coredomain; + +app_domain(con_monitor_app) + +set_prop(con_monitor_app, radio_prop) +allow con_monitor_app app_api_service:service_manager find; +allow con_monitor_app radio_service:service_manager find; diff --git a/system_ext/private/hbmsvmanager_app.te b/system_ext/private/hbmsvmanager_app.te new file mode 100644 index 00000000..6f5ff7ac --- /dev/null +++ b/system_ext/private/hbmsvmanager_app.te 
@@ -0,0 +1,11 @@
+typeattribute hbmsvmanager_app coredomain;
+
+app_domain(hbmsvmanager_app);
+
+allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
+allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
+
+# Standard system services
+allow hbmsvmanager_app app_api_service:service_manager find;
+
+allow hbmsvmanager_app cameraserver_service:service_manager find;
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
index 8c2178a8..6ac71499 100644
--- a/system_ext/private/seapp_contexts
+++ b/system_ext/private/seapp_contexts
@@ -1,2 +1,8 @@
 # Domain for EuiccGoogle
 user=_app isPrivApp=true name=com.google.android.euicc domain=euicc_app type=privapp_data_file levelFrom=user
+
+# Domain for connectivity monitor
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+# HbmSVManager
+user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
diff --git a/system_ext/public/con_monitor.te b/system_ext/public/con_monitor.te
new file mode 100644
index 00000000..6a4d1dac
--- /dev/null
+++ b/system_ext/public/con_monitor.te
@@ -0,0 +1,2 @@
+# ConnectivityMonitor app
+type con_monitor_app, domain;
diff --git a/system_ext/public/hbmsvmanager_app.te b/system_ext/public/hbmsvmanager_app.te
new file mode 100644
index 00000000..4fcf2bdb
--- /dev/null
+++ b/system_ext/public/hbmsvmanager_app.te
@@ -0,0 +1 @@
+type hbmsvmanager_app, domain;
diff --git a/whitechapel/vendor/google/con_monitor.te b/whitechapel/vendor/google/con_monitor.te
index ab17c826..32c2056d 100644
--- a/whitechapel/vendor/google/con_monitor.te
+++ b/whitechapel/vendor/google/con_monitor.te
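Review bot: The added `allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;` in system_ext/private/hbmsvmanager_app.te gives an app domain write access to proc_vendor_sched files with no comment saying why, while the service lookups below it at least carry `# Standard system services`. I would put a line such as `# HbmSVManager writes proc_vendor_sched entries; TODO: name the nodes and the reason` above the two proc_vendor_sched rules so a later audit can tell whether write access is still needed. As a style point, `app_domain(hbmsvmanager_app);` keeps a trailing semicolon that the sibling `app_domain(con_monitor_app)` in con_monitor.te does not have; dropping it keeps the macro calls uniform. The same hunk recurs unchanged in [PATCH 853/921], [PATCH 858/921] and [PATCH 860/921].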
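Review bot: The HbmSVManager entry added to system_ext/private/seapp_contexts selects on `seinfo=platform` and `name=` only, whereas the connectivity monitor entry added just above it also requires `isPrivApp=true`. If the app is installed as a privileged app (this hunk does not show that), adding the selector, as in `user=_app isPrivApp=true seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all`, narrows which installs can land in a domain that may write proc_vendor_sched files. If it is deliberately not a priv-app, a one-line comment above the entry saying so would settle the question for the next reader. The same lines recur in [PATCH 853/921], [PATCH 858/921] and [PATCH 860/921].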
@@ -1,13 +1,2 @@
-# ConnectivityMonitor app
-type con_monitor_app, domain, coredomain;
-
-# TODO(b/296512193): move con_monitor_app out of vendor sepolicy
-typeattribute con_monitor_app vendor_seapp_assigns_coredomain_violators;
-
-app_domain(con_monitor_app)
-
-set_prop(con_monitor_app, radio_prop)
-allow con_monitor_app app_api_service:service_manager find;
-allow con_monitor_app radio_service:service_manager find;
 allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
 allow con_monitor_app radio_vendor_data_file:file create_file_perms;
diff --git a/whitechapel/vendor/google/hbmsvmanager_app.te b/whitechapel/vendor/google/hbmsvmanager_app.te
index 2acbaa8a..bbedea8c 100644
--- a/whitechapel/vendor/google/hbmsvmanager_app.te
+++ b/whitechapel/vendor/google/hbmsvmanager_app.te
@@ -1,17 +1,2 @@
-type hbmsvmanager_app, domain, coredomain;
-
-# TODO(b/296512193): move hbmsvmanager_app out of vendor sepolicy
-typeattribute hbmsvmanager_app vendor_seapp_assigns_coredomain_violators;
-
-app_domain(hbmsvmanager_app);
-
-allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
-allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
-
 allow hbmsvmanager_app hal_pixel_display_service:service_manager find;
 binder_call(hbmsvmanager_app, hal_graphics_composer_default)
-
-# Standard system services
-allow hbmsvmanager_app app_api_service:service_manager find;
-
-allow hbmsvmanager_app cameraserver_service:service_manager find;
diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts
index e724de28..7711c447 100644
--- a/whitechapel/vendor/google/seapp_contexts
+++ b/whitechapel/vendor/google/seapp_contexts
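Review bot: After this hunk whitechapel/vendor/google/con_monitor.te holds only two `allow` rules for a type it no longer declares, and they give the coredomain `con_monitor_app` `rw_dir_perms` and `create_file_perms` on `radio_vendor_data_file`, with nothing recording why a core app still needs to write vendor data. The build test named in the commit message suggests the policy compiles, but whether this access is an intended exception to the core/vendor split depends on attributes of `radio_vendor_data_file` that are not visible here, so it is worth stating in the file. I would add a header such as `# con_monitor_app is declared in system_ext/public/con_monitor.te; only access to vendor types stays here`. The hbmsvmanager_app.te hunk that follows is left in the same state (a vendor service lookup and a `binder_call` for a type declared elsewhere) and would benefit from the same comment; both hunks recur in [PATCH 853/921], [PATCH 858/921] and [PATCH 860/921].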
@@ -24,18 +24,12 @@ user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_d # grilservice user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all -# HbmSVManager -user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all - # Domain for omadm user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all # Modem Diagnostic System user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user -# Domain for connectivity monitor -user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all - # RIL Config Service user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file From 87b9095bd5d9811c0b37887e980b057453894dea Mon Sep 17 00:00:00 2001 
From: Inseob Kim Date: Fri, 4 Aug 2023 14:26:21 +0900 Subject: [PATCH 853/921] Move coredomain seapp ctx and types to system_ext Coredomain apps shouldn't be labeled with vendor sepolicy, due to Treble violation. Bug: 280547417 Test: build bluejay and boot test (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fb3a11636618dbb044e567716ff2984b25117bc5) Merged-In: I48441749de4eb1de90ce5a307b1d47ae3cb9592d Change-Id: I48441749de4eb1de90ce5a307b1d47ae3cb9592d --- system_ext/private/con_monitor.te | 7 +++++++ system_ext/private/hbmsvmanager_app.te | 11 +++++++++++ system_ext/private/seapp_contexts | 6 ++++++ system_ext/public/con_monitor.te | 2 ++ system_ext/public/hbmsvmanager_app.te | 1 + whitechapel/vendor/google/con_monitor.te | 11 ----------- whitechapel/vendor/google/hbmsvmanager_app.te | 15 --------------- whitechapel/vendor/google/seapp_contexts | 6 ------ 8 files changed, 27 insertions(+), 32 deletions(-) create mode 100644 system_ext/private/con_monitor.te create mode 100644 system_ext/private/hbmsvmanager_app.te create mode 100644 system_ext/public/con_monitor.te create mode 100644 system_ext/public/hbmsvmanager_app.te
diff --git a/system_ext/private/con_monitor.te b/system_ext/private/con_monitor.te
new file mode 100644
index 00000000..c68ec1f8
--- /dev/null
+++ b/system_ext/private/con_monitor.te
@@ -0,0 +1,7 @@
+typeattribute con_monitor_app coredomain;
+
+app_domain(con_monitor_app)
+
+set_prop(con_monitor_app, radio_prop)
+allow con_monitor_app app_api_service:service_manager find;
+allow con_monitor_app radio_service:service_manager find;
diff --git a/system_ext/private/hbmsvmanager_app.te b/system_ext/private/hbmsvmanager_app.te
new file mode 100644
index 00000000..6f5ff7ac
--- /dev/null
+++ b/system_ext/private/hbmsvmanager_app.te
@@ -0,0 +1,11 @@
+typeattribute hbmsvmanager_app coredomain;
+
+app_domain(hbmsvmanager_app);
+
+allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
+allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
+
+# Standard system services
+allow hbmsvmanager_app app_api_service:service_manager find;
+
+allow hbmsvmanager_app cameraserver_service:service_manager find;
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
index 8c2178a8..6ac71499 100644
--- a/system_ext/private/seapp_contexts
+++ b/system_ext/private/seapp_contexts
@@ -1,2 +1,8 @@
 # Domain for EuiccGoogle
 user=_app isPrivApp=true name=com.google.android.euicc domain=euicc_app type=privapp_data_file levelFrom=user
+
+# Domain for connectivity monitor
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+# HbmSVManager
+user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
diff --git a/system_ext/public/con_monitor.te b/system_ext/public/con_monitor.te
new file mode 100644
index 00000000..6a4d1dac
--- /dev/null
+++ b/system_ext/public/con_monitor.te
@@ -0,0 +1,2 @@
+# ConnectivityMonitor app
+type con_monitor_app, domain;
diff --git a/system_ext/public/hbmsvmanager_app.te b/system_ext/public/hbmsvmanager_app.te
new file mode 100644
index 00000000..4fcf2bdb
--- /dev/null
+++ b/system_ext/public/hbmsvmanager_app.te
@@ -0,0 +1 @@
+type hbmsvmanager_app, domain;
diff --git a/whitechapel/vendor/google/con_monitor.te b/whitechapel/vendor/google/con_monitor.te
index ab17c826..32c2056d 100644
--- a/whitechapel/vendor/google/con_monitor.te
+++ b/whitechapel/vendor/google/con_monitor.te
@@ -1,13 +1,2 @@
-# ConnectivityMonitor app
-type con_monitor_app, domain, coredomain;
-
-# TODO(b/296512193): move con_monitor_app out of vendor sepolicy
-typeattribute con_monitor_app vendor_seapp_assigns_coredomain_violators;
-
-app_domain(con_monitor_app)
-
-set_prop(con_monitor_app, radio_prop)
-allow con_monitor_app app_api_service:service_manager find;
-allow con_monitor_app radio_service:service_manager find;
 allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
 allow con_monitor_app radio_vendor_data_file:file create_file_perms;
diff --git a/whitechapel/vendor/google/hbmsvmanager_app.te b/whitechapel/vendor/google/hbmsvmanager_app.te
index 2acbaa8a..bbedea8c 100644
--- a/whitechapel/vendor/google/hbmsvmanager_app.te
+++ b/whitechapel/vendor/google/hbmsvmanager_app.te
@@ -1,17 +1,2 @@
-type hbmsvmanager_app, domain, coredomain;
-
-# TODO(b/296512193): move hbmsvmanager_app out of vendor sepolicy
-typeattribute hbmsvmanager_app vendor_seapp_assigns_coredomain_violators;
-
-app_domain(hbmsvmanager_app);
-
-allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
-allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
-
 allow hbmsvmanager_app hal_pixel_display_service:service_manager find;
 binder_call(hbmsvmanager_app, hal_graphics_composer_default)
-
-# Standard system services
-allow hbmsvmanager_app app_api_service:service_manager find;
-
-allow hbmsvmanager_app cameraserver_service:service_manager find;
diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts
index e724de28..7711c447 100644
--- a/whitechapel/vendor/google/seapp_contexts
+++ b/whitechapel/vendor/google/seapp_contexts
@@ -24,18 +24,12 @@ user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_d # grilservice user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all -# HbmSVManager -user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all - # Domain for omadm user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all # Modem Diagnostic System user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user -# Domain for connectivity monitor -user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all - # RIL Config Service user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file From 567ce923337337ccbba3a6d81ee437571c9025ea Mon Sep 17 00:00:00 2001 From: Inseob Kim Date: Tue, 5 Sep 2023 03:33:31 +0000 Subject: [PATCH 854/921] Remove obsolete exo sepolicy They are not used anymore. Bug: 296512193 Test: m selinux_policy Change-Id: If1e70eb34f5225e1df329df31fbc7439c9e4fa4b --- ambient/exo_app.te | 24 ------------------------ ambient/seapp_contexts | 2 -- 2 files changed, 26 deletions(-) delete mode 100644 ambient/exo_app.te delete mode 100644 ambient/seapp_contexts diff --git a/ambient/exo_app.te b/ambient/exo_app.te deleted file mode 100644 index 9b4fd0b6..00000000 --- a/ambient/exo_app.te +++ /dev/null 
@@ -1,24 +0,0 @@
-type exo_app, coredomain, domain;
-
-# TODO(b/296512193): move exo_app out of vendor sepolicy
-typeattribute exo_app vendor_seapp_assigns_coredomain_violators;
-
-app_domain(exo_app)
-net_domain(exo_app)
-
-allow exo_app app_api_service:service_manager find;
-allow exo_app audioserver_service:service_manager find;
-allow exo_app cameraserver_service:service_manager find;
-allow exo_app mediaserver_service:service_manager find;
-allow exo_app radio_service:service_manager find;
-allow exo_app fwk_stats_service:service_manager find;
-allow exo_app mediametrics_service:service_manager find;
-allow exo_app virtual_device_service:service_manager find;
-allow exo_app gpu_device:dir search;
-
-allow exo_app uhid_device:chr_file rw_file_perms;
-
-binder_call(exo_app, statsd)
-binder_use(exo_app)
-
-get_prop(exo_app, device_config_runtime_native_boot_prop)
diff --git a/ambient/seapp_contexts b/ambient/seapp_contexts
deleted file mode 100644
index 8024688c..00000000
--- a/ambient/seapp_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# Domain for Exo app
-user=_app seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all
From 7e9c67cf47f6ef5d7f8e1f0244c4c0eb01079604 Mon Sep 17 00:00:00 2001
From: Inseob Kim Date: Tue, 5 Sep 2023 03:33:31 +0000 Subject: [PATCH 855/921] Remove obsolete exo sepolicy They are not used anymore. Bug: 296512193 Test: m selinux_policy (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:567ce923337337ccbba3a6d81ee437571c9025ea) Merged-In: If1e70eb34f5225e1df329df31fbc7439c9e4fa4b Change-Id: If1e70eb34f5225e1df329df31fbc7439c9e4fa4b --- ambient/exo_app.te | 24 ------------------------ ambient/seapp_contexts | 2 -- 2 files changed, 26 deletions(-) delete mode 100644 ambient/exo_app.te delete mode 100644 ambient/seapp_contexts
diff --git a/ambient/exo_app.te b/ambient/exo_app.te
deleted file mode 100644
index 9b4fd0b6..00000000
--- a/ambient/exo_app.te
+++ /dev/null
@@ -1,24 +0,0 @@
-type exo_app, coredomain, domain;
-
-# TODO(b/296512193): move exo_app out of vendor sepolicy
-typeattribute exo_app vendor_seapp_assigns_coredomain_violators;
-
-app_domain(exo_app)
-net_domain(exo_app)
-
-allow exo_app app_api_service:service_manager find;
-allow exo_app audioserver_service:service_manager find;
-allow exo_app cameraserver_service:service_manager find;
-allow exo_app mediaserver_service:service_manager find;
-allow exo_app radio_service:service_manager find;
-allow exo_app fwk_stats_service:service_manager find;
-allow exo_app mediametrics_service:service_manager find;
-allow exo_app virtual_device_service:service_manager find;
-allow exo_app gpu_device:dir search;
-
-allow exo_app uhid_device:chr_file rw_file_perms;
-
-binder_call(exo_app, statsd)
-binder_use(exo_app)
-
-get_prop(exo_app, device_config_runtime_native_boot_prop)
diff --git a/ambient/seapp_contexts b/ambient/seapp_contexts
deleted file mode 100644
index 8024688c..00000000
--- a/ambient/seapp_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# Domain for Exo app
-user=_app seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all
From 2196ba412e32d3c6e1408da84bb7544682c95394 Mon Sep 17 00:00:00 2001
From: Desmond Huang Date: Wed, 13 Sep 2023 01:18:13 +0800 Subject: [PATCH 856/921] Remove obsolete entries Bug: 299029620 Change-Id: I8cb8d78099656d515feca434073a367908d5fddd --- tracking_denials/bug_map | 1 - tracking_denials/dumpstate.te | 2 -- tracking_denials/hal_drm_widevine.te | 2 -- 3 files changed, 5 deletions(-) delete mode 100644 tracking_denials/hal_drm_widevine.te
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 40905d96..0b3e8343 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,2 +1 @@
 hal_power_default hal_power_default capability b/240632824
-system_suspend sysfs_aoc dir b/291237382
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
index 6025bd5d..9d082cb8 100644
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
@@ -1,4 +1,2 @@
 # b/277155042
-dontaudit dumpstate app_zygote:process { signal };
-dontaudit dumpstate default_android_service:service_manager { find };
 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
diff --git a/tracking_denials/hal_drm_widevine.te b/tracking_denials/hal_drm_widevine.te
deleted file mode 100644
index d1190b16..00000000
--- a/tracking_denials/hal_drm_widevine.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/223502652
-dontaudit hal_drm_widevine vndbinder_device:chr_file { read };
From 8e7549987f4acf87105c14ef283df7bfe0d2601b Mon Sep 17 00:00:00 2001
From: Desmond Huang Date: Thu, 14 Sep 2023 14:16:52 +0800 Subject: [PATCH 857/921] Relocate common tracking denial entries Bug: 299029620 Change-Id: I57a75de7e0f0c5f31f2e8b0c5c9d60c3ebdb8844 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 0b3e8343..817374aa 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1 +1,3 @@
 hal_power_default hal_power_default capability b/240632824
+incidentd debugfs_wakeup_sources file b/282626428
+incidentd incidentd anon_inode b/282626428
From 502fd30697355355b8da02e6af176a7ee9c9ec17 Mon Sep 17 00:00:00 2001
From: Inseob Kim Date: Fri, 4 Aug 2023 14:26:21 +0900 Subject: [PATCH 858/921] Move coredomain seapp ctx and types to system_ext Coredomain apps shouldn't be labeled with vendor sepolicy, due to Treble violation. Bug: 280547417 Test: build bluejay and boot test Merged-In: I48441749de4eb1de90ce5a307b1d47ae3cb9592d Change-Id: I48441749de4eb1de90ce5a307b1d47ae3cb9592d --- system_ext/private/con_monitor.te | 7 +++++++ system_ext/private/hbmsvmanager_app.te | 11 +++++++++++ system_ext/private/seapp_contexts | 6 ++++++ system_ext/public/con_monitor.te | 2 ++ system_ext/public/hbmsvmanager_app.te | 1 + whitechapel/vendor/google/con_monitor.te | 11 ----------- whitechapel/vendor/google/hbmsvmanager_app.te | 15 --------------- whitechapel/vendor/google/seapp_contexts | 6 ------ 8 files changed, 27 insertions(+), 32 deletions(-) create mode 100644 system_ext/private/con_monitor.te create mode 100644 system_ext/private/hbmsvmanager_app.te create mode 100644 system_ext/public/con_monitor.te create mode 100644 system_ext/public/hbmsvmanager_app.te
diff --git a/system_ext/private/con_monitor.te b/system_ext/private/con_monitor.te
new file mode 100644
index 00000000..c68ec1f8
--- /dev/null
+++ b/system_ext/private/con_monitor.te
@@ -0,0 +1,7 @@
+typeattribute con_monitor_app coredomain;
+
+app_domain(con_monitor_app)
+
+set_prop(con_monitor_app, radio_prop)
+allow con_monitor_app app_api_service:service_manager find;
+allow con_monitor_app radio_service:service_manager find;
diff --git a/system_ext/private/hbmsvmanager_app.te b/system_ext/private/hbmsvmanager_app.te
new file mode 100644
index 00000000..6f5ff7ac
--- /dev/null
+++ b/system_ext/private/hbmsvmanager_app.te
@@ -0,0 +1,11 @@
+typeattribute hbmsvmanager_app coredomain;
+
+app_domain(hbmsvmanager_app);
+
+allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
+allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
+
+# Standard system services
+allow hbmsvmanager_app app_api_service:service_manager find;
+
+allow hbmsvmanager_app cameraserver_service:service_manager find;
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
index 8c2178a8..6ac71499 100644
--- a/system_ext/private/seapp_contexts
+++ b/system_ext/private/seapp_contexts
@@ -1,2 +1,8 @@
 # Domain for EuiccGoogle
 user=_app isPrivApp=true name=com.google.android.euicc domain=euicc_app type=privapp_data_file levelFrom=user
+
+# Domain for connectivity monitor
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+# HbmSVManager
+user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
diff --git a/system_ext/public/con_monitor.te b/system_ext/public/con_monitor.te
new file mode 100644
index 00000000..6a4d1dac
--- /dev/null
+++ b/system_ext/public/con_monitor.te
@@ -0,0 +1,2 @@
+# ConnectivityMonitor app
+type con_monitor_app, domain;
diff --git a/system_ext/public/hbmsvmanager_app.te b/system_ext/public/hbmsvmanager_app.te
new file mode 100644
index 00000000..4fcf2bdb
--- /dev/null
+++ b/system_ext/public/hbmsvmanager_app.te
@@ -0,0 +1 @@
+type hbmsvmanager_app, domain;
diff --git a/whitechapel/vendor/google/con_monitor.te b/whitechapel/vendor/google/con_monitor.te
index ab17c826..32c2056d 100644
--- a/whitechapel/vendor/google/con_monitor.te
+++ b/whitechapel/vendor/google/con_monitor.te
@@ -1,13 +1,2 @@
-# ConnectivityMonitor app
-type con_monitor_app, domain, coredomain;
-
-# TODO(b/296512193): move con_monitor_app out of vendor sepolicy
-typeattribute con_monitor_app vendor_seapp_assigns_coredomain_violators;
-
-app_domain(con_monitor_app)
-
-set_prop(con_monitor_app, radio_prop)
-allow con_monitor_app app_api_service:service_manager find;
-allow con_monitor_app radio_service:service_manager find;
 allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
 allow con_monitor_app radio_vendor_data_file:file create_file_perms;
diff --git a/whitechapel/vendor/google/hbmsvmanager_app.te b/whitechapel/vendor/google/hbmsvmanager_app.te
index 2acbaa8a..bbedea8c 100644
--- a/whitechapel/vendor/google/hbmsvmanager_app.te
+++ b/whitechapel/vendor/google/hbmsvmanager_app.te
@@ -1,17 +1,2 @@
-type hbmsvmanager_app, domain, coredomain;
-
-# TODO(b/296512193): move hbmsvmanager_app out of vendor sepolicy
-typeattribute hbmsvmanager_app vendor_seapp_assigns_coredomain_violators;
-
-app_domain(hbmsvmanager_app);
-
-allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
-allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
-
 allow hbmsvmanager_app hal_pixel_display_service:service_manager find;
 binder_call(hbmsvmanager_app, hal_graphics_composer_default)
-
-# Standard system services
-allow hbmsvmanager_app app_api_service:service_manager find;
-
-allow hbmsvmanager_app cameraserver_service:service_manager find;
diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts
index ed5f5d76..4db2b0ec 100644
--- a/whitechapel/vendor/google/seapp_contexts
+++ b/whitechapel/vendor/google/seapp_contexts
@@ -24,9 +24,6 @@ user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_d # grilservice user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all -# HbmSVManager -user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all - # Hardware Info Collection user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user @@ -36,9 +33,6 @@ user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=o # Modem Diagnostic System user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user -# Domain for connectivity monitor -user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all - # RIL Config Service user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file From 57547357d94f7d5615463d4c551526563d97a38e Mon Sep 17 00:00:00 2001 From: Inseob Kim Date: Fri, 15 Sep 2023 03:55:19 +0000 Subject: [PATCH 859/921] Remove obsolete exo sepolicy They are not used anymore. Bug: 296512193 Test: m selinux_policy (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:567ce923337337ccbba3a6d81ee437571c9025ea) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7e9c67cf47f6ef5d7f8e1f0244c4c0eb01079604) Merged-In: If1e70eb34f5225e1df329df31fbc7439c9e4fa4b Change-Id: If1e70eb34f5225e1df329df31fbc7439c9e4fa4b --- ambient/exo_app.te | 24 ------------------------ ambient/seapp_contexts | 2 -- 2 files changed, 26 deletions(-) delete mode 100644 ambient/exo_app.te delete mode 100644 ambient/seapp_contexts diff --git a/ambient/exo_app.te b/ambient/exo_app.te deleted file mode 100644 index 9b4fd0b6..00000000 --- a/ambient/exo_app.te +++ /dev/null 
@@ -1,24 +0,0 @@
-type exo_app, coredomain, domain;
-
-# TODO(b/296512193): move exo_app out of vendor sepolicy
-typeattribute exo_app vendor_seapp_assigns_coredomain_violators;
-
-app_domain(exo_app)
-net_domain(exo_app)
-
-allow exo_app app_api_service:service_manager find;
-allow exo_app audioserver_service:service_manager find;
-allow exo_app cameraserver_service:service_manager find;
-allow exo_app mediaserver_service:service_manager find;
-allow exo_app radio_service:service_manager find;
-allow exo_app fwk_stats_service:service_manager find;
-allow exo_app mediametrics_service:service_manager find;
-allow exo_app virtual_device_service:service_manager find;
-allow exo_app gpu_device:dir search;
-
-allow exo_app uhid_device:chr_file rw_file_perms;
-
-binder_call(exo_app, statsd)
-binder_use(exo_app)
-
-get_prop(exo_app, device_config_runtime_native_boot_prop)
diff --git a/ambient/seapp_contexts b/ambient/seapp_contexts
deleted file mode 100644
index 8024688c..00000000
--- a/ambient/seapp_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# Domain for Exo app
-user=_app seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all
From 3770a8a19c012877750124df7fc212d694dd0b37 Mon Sep 17 00:00:00 2001
From: Inseob Kim Date: Fri, 4 Aug 2023 14:26:21 +0900 Subject: [PATCH 860/921] Move coredomain seapp ctx and types to system_ext Coredomain apps shouldn't be labeled with vendor sepolicy, due to Treble violation. Bug: 280547417 Test: build bluejay and boot test (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fb3a11636618dbb044e567716ff2984b25117bc5) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:87b9095bd5d9811c0b37887e980b057453894dea) Merged-In: I48441749de4eb1de90ce5a307b1d47ae3cb9592d Change-Id: I48441749de4eb1de90ce5a307b1d47ae3cb9592d --- system_ext/private/con_monitor.te | 7 +++++++ system_ext/private/hbmsvmanager_app.te | 11 +++++++++++ system_ext/private/seapp_contexts | 6 ++++++ system_ext/public/con_monitor.te | 2 ++ system_ext/public/hbmsvmanager_app.te | 1 + whitechapel/vendor/google/con_monitor.te | 11 ----------- whitechapel/vendor/google/hbmsvmanager_app.te | 15 --------------- whitechapel/vendor/google/seapp_contexts | 6 ------ 8 files changed, 27 insertions(+), 32 deletions(-) create mode 100644 system_ext/private/con_monitor.te create mode 100644 system_ext/private/hbmsvmanager_app.te create mode 100644 system_ext/public/con_monitor.te create mode 100644 system_ext/public/hbmsvmanager_app.te
diff --git a/system_ext/private/con_monitor.te b/system_ext/private/con_monitor.te
new file mode 100644
index 00000000..c68ec1f8
--- /dev/null
+++ b/system_ext/private/con_monitor.te
@@ -0,0 +1,7 @@
+typeattribute con_monitor_app coredomain;
+
+app_domain(con_monitor_app)
+
+set_prop(con_monitor_app, radio_prop)
+allow con_monitor_app app_api_service:service_manager find;
+allow con_monitor_app radio_service:service_manager find;
diff --git a/system_ext/private/hbmsvmanager_app.te b/system_ext/private/hbmsvmanager_app.te
new file mode 100644
index 00000000..6f5ff7ac
--- /dev/null
+++ b/system_ext/private/hbmsvmanager_app.te
@@ -0,0 +1,11 @@
+typeattribute hbmsvmanager_app coredomain;
+
+app_domain(hbmsvmanager_app);
+
+allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
+allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
+
+# Standard system services
+allow hbmsvmanager_app app_api_service:service_manager find;
+
+allow hbmsvmanager_app cameraserver_service:service_manager find;
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
index 8c2178a8..6ac71499 100644
--- a/system_ext/private/seapp_contexts
+++ b/system_ext/private/seapp_contexts
@@ -1,2 +1,8 @@
 # Domain for EuiccGoogle
 user=_app isPrivApp=true name=com.google.android.euicc domain=euicc_app type=privapp_data_file levelFrom=user
+
+# Domain for connectivity monitor
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+# HbmSVManager
+user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
diff --git a/system_ext/public/con_monitor.te b/system_ext/public/con_monitor.te
new file mode 100644
index 00000000..6a4d1dac
--- /dev/null
+++ b/system_ext/public/con_monitor.te
@@ -0,0 +1,2 @@
+# ConnectivityMonitor app
+type con_monitor_app, domain;
diff --git a/system_ext/public/hbmsvmanager_app.te b/system_ext/public/hbmsvmanager_app.te
new file mode 100644
index 00000000..4fcf2bdb
--- /dev/null
+++ b/system_ext/public/hbmsvmanager_app.te
@@ -0,0 +1 @@
+type hbmsvmanager_app, domain;
diff --git a/whitechapel/vendor/google/con_monitor.te b/whitechapel/vendor/google/con_monitor.te
index ab17c826..32c2056d 100644
--- a/whitechapel/vendor/google/con_monitor.te
+++ b/whitechapel/vendor/google/con_monitor.te
@@ -1,13 +1,2 @@
-# ConnectivityMonitor app
-type con_monitor_app, domain, coredomain;
-
-# TODO(b/296512193): move con_monitor_app out of vendor sepolicy
-typeattribute con_monitor_app vendor_seapp_assigns_coredomain_violators;
-
-app_domain(con_monitor_app)
-
-set_prop(con_monitor_app, radio_prop)
-allow con_monitor_app app_api_service:service_manager find;
-allow con_monitor_app radio_service:service_manager find;
 allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
 allow con_monitor_app radio_vendor_data_file:file create_file_perms;
diff --git a/whitechapel/vendor/google/hbmsvmanager_app.te b/whitechapel/vendor/google/hbmsvmanager_app.te
index 2acbaa8a..bbedea8c 100644
--- a/whitechapel/vendor/google/hbmsvmanager_app.te
+++ b/whitechapel/vendor/google/hbmsvmanager_app.te
@@ -1,17 +1,2 @@
-type hbmsvmanager_app, domain, coredomain;
-
-# TODO(b/296512193): move hbmsvmanager_app out of vendor sepolicy
-typeattribute hbmsvmanager_app vendor_seapp_assigns_coredomain_violators;
-
-app_domain(hbmsvmanager_app);
-
-allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
-allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
-
 allow hbmsvmanager_app hal_pixel_display_service:service_manager find;
 binder_call(hbmsvmanager_app, hal_graphics_composer_default)
-
-# Standard system services
-allow hbmsvmanager_app app_api_service:service_manager find;
-
-allow hbmsvmanager_app cameraserver_service:service_manager find;
diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts
index e724de28..7711c447 100644
--- a/whitechapel/vendor/google/seapp_contexts
+++ b/whitechapel/vendor/google/seapp_contexts
@@ -24,18 +24,12 @@ user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_d # grilservice user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all -# HbmSVManager -user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all - # Domain for omadm user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all # Modem Diagnostic System user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user -# Domain for connectivity monitor -user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all - # RIL Config Service user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file From 421a5fef3307a1834537c28162988c655987548c Mon Sep 17 00:00:00 2001 
From: Will McVicker Date: Mon, 18 Sep 2023 15:10:49 -0700 Subject: [PATCH 861/921] Update the i2c device node sepolicy labeling This change needs to be merged with the corresponding kernel change that sets the i2c bus aliases correctly to match the existing v5.10 bus probe ordering. To verify the sepolicy labeling doesn't change, run the below commands and diff the stdout on builds with and without the changes. For extra credit, verify the nodes are labeled the same when upgrading the kernel to v6.1 (with the correct i2c aliases to match the existing policy): acpm_bus_array=("acpm_mfd_bus@17500000" "acpm_mfd_bus@17510000") for bus in ${acpm_bus_array[@]}; do adb shell ls -ZR /sys/devices/platform/${bus}/i2c-*; done bus_array=("10960000" "10970000" "10d50000" "10900000") for bus in ${bus_array[@]}; do adb shell ls -ZR /sys/devices/platform/${bus}.hsi2c/i2c-*; done Test: verify on r4 Bug: 291606723 Change-Id: Id5b9021cdbf4b9d3578d5e9ee655463ab62dcd12 --- whitechapel/vendor/google/genfs_contexts | 495 +++-------------------- 1 file changed, 53 insertions(+), 442 deletions(-)
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 8f31f090..b8da5986 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -31,64 +31,28 @@ genfscon sysfs /devices/platform/google,charger genfscon sysfs /devices/platform/google,dock/power_supply/dock u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c u:object_r:sysfs_batteryinfo:s0 -# Slider -genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/0-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/1-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs 
/devices/platform/10970000.hsi2c/i2c-5/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0061/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +# Slider +genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-9/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-9/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-9/9-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-9/9-003c/power_supply u:object_r:sysfs_batteryinfo:s0 + genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-003c u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-003c/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0050/eeprom u:object_r:sysfs_batteryinfo:s0 
-genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/0-0057/chg_stats u:object_r:sysfs_pca:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/1-0057/chg_stats u:object_r:sysfs_pca:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0057/chg_stats u:object_r:sysfs_pca:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0057/chg_stats u:object_r:sysfs_pca:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0057/chg_stats u:object_r:sysfs_pca:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/chg_stats u:object_r:sysfs_pca:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/chg_stats u:object_r:sysfs_pca:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0057/chg_stats u:object_r:sysfs_pca:s0 + +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0057/chg_stats u:object_r:sysfs_pca:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/0-003c u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/1-003c u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-003c u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-003c u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-003c u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-003c u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-003c u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-003c u:object_r:sysfs_wlc:s0 
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-9/9-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power_stats u:object_r:sysfs_power_stats:s0 # Storage -genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0 -genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0 +genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0 +genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0 genfscon sysfs /devices/platform/14700000.ufs/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0 genfscon sysfs /devices/platform/14700000.ufs/slowio_write_cnt u:object_r:sysfs_scsi_devices_0000:s0 genfscon sysfs /devices/platform/14700000.ufs/slowio_unmap_cnt u:object_r:sysfs_scsi_devices_0000:s0 
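Review bot: The entries kept and added under `10d50000.hsi2c/i2c-8/` (the `maxfg`/`maxfg_base` wakeup nodes and `8-0057/chg_stats`) now cover a single bus number, while the context line `genfscon sysfs /devices/platform/10d50000.hsi2c u:object_r:sysfs_batteryinfo:s0` at the top of the hunk still labels the whole controller. Because genfscon resolves by longest matching path prefix, a kernel that enumerates this controller under another bus number would silently give those nodes `sysfs_batteryinfo` instead of `sysfs_wakeup`/`sysfs_pca`. The same fixed-number assumption holds for the `i2c-7` and `i2c-6` entries in the Vibrator/System_suspend hunk and the `acpm_mfd_bus` `i2c-0`/`i2c-1` entries in the hunk after it. I would record the dependency in the file itself, e.g. `# Bus numbers are pinned by the kernel i2c aliases (Bug: 291606723); re-run the ls -ZR comparison when they change.` above `# Slider`.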
@@ -110,164 +74,38 @@ genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/ieee80215 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/gadget/net u:object_r:sysfs_net:s0 # Vibrator -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/0-0043 u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/0-005a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/1-0043 u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/1-005a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-0043 u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-005a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-0043 u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-005a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043 u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-005a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043 u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-005a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0043 u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-005a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0043 u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-005a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0043 u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-005a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 -genfscon sysfs 
/devices/platform/10970000.hsi2c/i2c-0/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0042 u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0043 u:object_r:sysfs_vibrator:s0 # Fingerprint genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0 # System_suspend -genfscon sysfs 
/devices/platform/10960000.hsi2c/i2c-0/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-1/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-2/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-5/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10960000.hsi2c/i2c-6/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-7/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-8/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/1-0043/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/1-0043/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-0043/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/10970000.hsi2c/i2c-2/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-0043/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0043/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10960000.hsi2c/i2c-6/6-0008/wakeup u:object_r:sysfs_wakeup:s0 + genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0043/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-003c/wakeup u:object_r:sysfs_wakeup:s0 + genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/0-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/0-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/0-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/0-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-0/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/1-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/1-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/1-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/1-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-3/3-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-source-psy-5-0050/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup 
u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 + genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-8/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0025/wakeup u:object_r:sysfs_wakeup:s0 + genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb2 u:object_r:sysfs_wakeup:s0 
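Review bot: The removed `10d50000.hsi2c/i2c-7/7-0069/power_supply/gcpm/wakeup` entry has no `i2c-8/8-0069` counterpart among the lines kept or added in the System_suspend block, unlike the `dc` and `main-charger` entries, which are retained for bus 8. If that node still exists on bus 8 it would no longer be labeled `sysfs_wakeup`. The `google,cpm/power_supply/gcpm/wakeup` context line in the next hunk suggests the node may have moved, so this should be confirmed with the `ls -ZR` comparison from the commit message. If it is still present, add `genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0069/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0`.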
@@ -283,80 +121,19 @@ genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup genfscon sysfs /devices/platform/19000000.aoc/com.google.usf.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/wakeup u:object_r:sysfs_wakeup:s0 + genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon 
sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 + genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/wakeup 
u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/0-002f/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/2-002f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/3-002f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/4-002f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/5-002f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/6-002f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/wakeup u:object_r:sysfs_wakeup:s0 + genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup 
u:object_r:sysfs_wakeup:s0 
@@ -400,78 +177,6 @@ genfscon sysfs /devices/platform/cp-tm1/cp_temp u genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/bluetooth/hci0/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 # ODPM -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/0-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/0-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/0-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/0-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon 
sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/2-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/2-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/2-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/2-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-3/3-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/3-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/3-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/3-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/4-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/4-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/4-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/4-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/5-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/5-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/5-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/5-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/6-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-6/6-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/6-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/6-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 
@@ -481,15 +186,8 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
-
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
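Review bot: The two added `wakeup` entries pin the s2mpg10 ODPM node to bus `i2c-0`, and nothing in the file records why that bus number can be relied on; the same assumption is made in the hunks at -498 (s2mpg11 on `i2c-1`), -635 (nvmem on `i2c-7`, st21nfc on `i2c-6`) and -705 (max77759tcpc on `i2c-8`), where the per-bus fallback entries are dropped. genfscon matches by path prefix, so a node that enumerates under a different bus number falls back to a shorter matching prefix, typically the generic `sysfs` type, and the consuming domain then either hits denials or ends up needing broader sysfs access than the dedicated type was meant to allow. The revert that follows on this page cites breakage, although it does not say which path was involved. I would add a comment above the ODPM block such as `# ODPM: s2mpg10 is expected on i2c-0 and s2mpg11 on i2c-1; relabel here if bus numbering changes`, and keep the alternate-bus entries until the bus numbers are pinned (for example through device-tree aliases).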
@@ -498,90 +196,25 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name 
u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/8-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/8-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/8-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-8/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/8-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 - -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 # bcl sysfs files genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0 
@@ -635,30 +268,15 @@ genfscon sysfs /devices/platform/1c500000.mali/kprcs genfscon sysfs /devices/platform/1c500000.mali/power_policy u:object_r:sysfs_gpu:s0 # nvmem (Non Volatile Memory layer) -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/0-0050/0-00500/nvmem u:object_r:sysfs_memory:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/1-0050/1-00500/nvmem u:object_r:sysfs_memory:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-0050/2-00500/nvmem u:object_r:sysfs_memory:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-0050/3-00500/nvmem u:object_r:sysfs_memory:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/4-00500/nvmem u:object_r:sysfs_memory:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0050/5-00500/nvmem u:object_r:sysfs_memory:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0050/6-00500/nvmem u:object_r:sysfs_memory:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0050/7-00500/nvmem u:object_r:sysfs_memory:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0050/8-00500/nvmem u:object_r:sysfs_memory:s0 # Broadcom genfscon sysfs /module/bcmdhd4389 u:object_r:sysfs_bcmdhd:s0 # Power Stats genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-0/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-1/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-2/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-5/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs 
/devices/platform/10960000.hsi2c/i2c-6/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-7/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-8/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-6/6-0008/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0 @@ -705,15 +323,8 @@ genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 # Extcon -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0025/extcon u:object_r:sysfs_extcon:s0 # SecureElement genfscon sysfs /devices/platform/10950000.spi/spi_master/spi6/spi6.0/st33spi u:object_r:sysfs_st33spi:s0 
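Review bot: The added `i2c-6/6-0008/power_stats` entry, and `i2c-8/8-0025/extcon` in the -705 hunk, identify the device only by bus and slave address, with no comment tying them to a driver. Each sits next to a name-based entry (`i2c-st21nfc`, `i2c-max77759tcpc`) carrying the same label, so they presumably refer to the same node under a different naming scheme, but someone auditing which nodes receive `sysfs_power_stats` or `sysfs_extcon` cannot confirm that from the file. A one-line comment on each, for example `# 6-0008: address-based name of the st21nfc node` and `# 8-0025: address-based name of the max77759tcpc node`, would make the pairing reviewable once the author has confirmed it.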
From fb8d2f7d73a3e52540af76ef4dd88f8bc78ffdaf Mon Sep 17 00:00:00 2001 From: Roy Luo Date: Thu, 28 Sep 2023 18:00:06 +0000 Subject: [PATCH 862/921] Revert "Update the i2c device node sepolicy labeling" Revert submission 24855741-gs101-i2c-bus-fixes Reason for revert: DroidMonitor-triggered revert due to breakage https://android-build.corp.google.com/builds/quarterdeck?branch=git_main&target=bluejay-trunk_food-userdebug&lkgb=10876543&lkbb=10876988&fkbb=10876587, bug b/302549624. Reverted changes: /q/submissionid:24855741-gs101-i2c-bus-fixes Change-Id: Iea8fe5b374609225ab07aa13effcb1d6e8d13468 BUG: 302549624 --- whitechapel/vendor/google/genfs_contexts | 501 ++++++++++++++++++++--- 1 file changed, 445 insertions(+), 56 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index b8da5986..8f31f090 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -31,28 +31,64 @@ genfscon sysfs /devices/platform/google,charger genfscon sysfs /devices/platform/google,dock/power_supply/dock u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c u:object_r:sysfs_batteryinfo:s0 +# Slider +genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -# Slider -genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-9/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-9/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-9/9-003c u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-9/9-003c/power_supply u:object_r:sysfs_batteryinfo:s0 - +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/0-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/1-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs 
/devices/platform/10970000.hsi2c/i2c-3/3-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0061/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0050/eeprom u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-003c u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-003c/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0050/eeprom u:object_r:sysfs_batteryinfo:s0 - -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412 
u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/0-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/1-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0057/chg_stats u:object_r:sysfs_pca:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0057/chg_stats u:object_r:sysfs_pca:s0 -genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/0-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/1-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs 
/devices/platform/10970000.hsi2c/i2c-7/7-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-9/9-003c u:object_r:sysfs_wlc:s0 # Storage -genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0 -genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0 +genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0 +genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0 genfscon sysfs /devices/platform/14700000.ufs/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0 genfscon sysfs /devices/platform/14700000.ufs/slowio_write_cnt u:object_r:sysfs_scsi_devices_0000:s0 genfscon sysfs /devices/platform/14700000.ufs/slowio_unmap_cnt u:object_r:sysfs_scsi_devices_0000:s0 
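Review bot: The numeric-address wireless-charger entries added at the end of this hunk (`10970000.hsi2c/i2c-N/N-003c` labelled `sysfs_wlc`) have no matching `N-003c/power_supply` entry, and the revert drops the one that existed for `i2c-7/7-003c/power_supply`. Because genfscon labels by path prefix, `power_supply` under the `N-003c` name would presumably inherit `sysfs_wlc`, while the same directory under the `i2c-p9412` name is `sysfs_batteryinfo`. Domains granted only `sysfs_batteryinfo` would then hit denials on kernels that expose the numeric name. I would keep a `power_supply` line beside each `N-003c` line, e.g. `genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-003c/power_supply u:object_r:sysfs_batteryinfo:s0`. The `# Slider` entries for `10d10000.hsi2c` have the same gap: the `9-003c` pair is removed and only the `i2c-p9412` name on i2c-7 remains.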
@@ -74,38 +110,164 @@ genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/ieee80215 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/gadget/net u:object_r:sysfs_net:s0 # Vibrator -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-005a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0042 u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/0-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/0-005a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/1-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/1-005a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-005a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-005a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-005a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-005a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-005a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs 
/devices/platform/10970000.hsi2c/i2c-7/7-005a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-005a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 +genfscon sysfs 
/devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 # Fingerprint genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0 # System_suspend +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-0/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-1/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-2/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-5/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10960000.hsi2c/i2c-6/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-6/6-0008/wakeup u:object_r:sysfs_wakeup:s0 - +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-7/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-8/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/1-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/1-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10970000.hsi2c/i2c-1/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10970000.hsi2c/i2c-6/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0043/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0043/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-003c/wakeup u:object_r:sysfs_wakeup:s0 - +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup u:object_r:sysfs_wakeup:s0 - +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/0-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/0-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/0-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/0-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-0/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/1-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/1-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/1-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/1-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-source-psy-5-0050/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0025/wakeup u:object_r:sysfs_wakeup:s0 - genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb2 u:object_r:sysfs_wakeup:s0 
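Review bot: In the `# System_suspend` block the first added `10970000.hsi2c` entry reads `i2c-0/1-0043/wakeup`, pairing bus 0 with a device name from bus 1; every other line in the enumeration pairs `i2c-N` with `N-0043`. As written, `i2c-0/0-0043/wakeup` never gets `sysfs_wakeup` and would fall back to the `sysfs_vibrator` prefix label from the Vibrator block earlier in this hunk. The line should presumably be `genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/0-0043/wakeup u:object_r:sysfs_wakeup:s0`. The enumeration is uneven elsewhere in the hunk too (`maxfg_base` only for i2c-5 to i2c-8, `gcpm` only for i2c-7), so a comment stating whether that is intended would help the next reader of denial logs.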
@@ -121,19 +283,80 @@ genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup genfscon sysfs /devices/platform/19000000.aoc/com.google.usf.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/wakeup u:object_r:sysfs_wakeup:s0 - genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/wakeup u:object_r:sysfs_wakeup:s0 - +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon 
sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/0-002f/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/wakeup u:object_r:sysfs_wakeup:s0 - +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/2-002f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/3-002f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/4-002f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/5-002f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/6-002f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 
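Review bot: The numeric-address (`N-001f`) entries for `acpm_mfd_bus@17500000` cover only `alarmtimer.1.auto/wakeup`. The revert removes the `i2c-0/0-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup` line and the added i2c-1 to i2c-7 groups never include it, while the `i2c-s2mpg10mfd` form lists both alarmtimers. None of the shorter entries in this hunk is a prefix of that path, so under the numeric name it would presumably keep the generic sysfs label and readers of wakeup sources would log denials. I would add the missing line per bus, e.g. `genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0`.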
@@ -177,6 +400,78 @@ genfscon sysfs /devices/platform/cp-tm1/cp_temp u genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/bluetooth/hci0/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 # ODPM +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/0-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/0-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/0-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/0-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon 
sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/2-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/2-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/2-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/2-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-3/3-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/3-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/3-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/3-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/4-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/4-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/4-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/4-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/5-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/5-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/5-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/5-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/6-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-6/6-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/6-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/6-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 
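Review bot: The ODPM labels are expanded unevenly across the two PMICs. This hunk spreads the s2mpg11 `iio:device1` attributes over i2c-0 to i2c-8, and the hunk at -213,8 +489,99 does the same for s2mpg10 `iio:device0`, but the surrounding context lines keep s2mpg10 `iio:device1` only under i2c-0 and s2mpg11 `iio:device0` only under i2c-1. If the bus number can move, which appears to be why the rows are enumerated, those two combinations lose `sysfs_odpm` on every other bus and presumably fall back to the generic sysfs type, so the reader is denied rather than access being widened. I would add the missing rows in the same form, e.g. `genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/name u:object_r:sysfs_odpm:s0`, or add a comment under `# ODPM` saying why those two stay pinned to a single bus.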
@@ -186,25 +481,6 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails 
u:object_r:sysfs_odpm:s0 - -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 
@@ -213,8 +489,99 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 + +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails 
u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/8-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/8-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/8-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/8-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 + +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 + +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 # bcl sysfs files genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0 
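Review bot: The new `s2mpg10-odpm/wakeup` and `s2mpg11-odpm/wakeup` rows cover only the `i2c-s2mpg10mfd` / `i2c-s2mpg11mfd` device names, while the rows they replace (removed here and in the hunk at -186,25 +481,6) also labelled the address forms `0-001f` and `1-002f`. The ODPM attribute rows in the same section keep both name forms, so a kernel that names the client by address would leave these wakeup nodes without `sysfs_wakeup`, unless an entry outside the visible hunks covers them. The same one-sided replacement appears in the later hunks, which drop `6-0008/power_stats` and `8-0025/extcon`. Keep the address rows next to the name rows, e.g. `genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0`, or state in the commit message that the address form is no longer produced.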
@@ -268,15 +635,30 @@ genfscon sysfs /devices/platform/1c500000.mali/kprcs genfscon sysfs /devices/platform/1c500000.mali/power_policy u:object_r:sysfs_gpu:s0 # nvmem (Non Volatile Memory layer) +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/0-0050/0-00500/nvmem u:object_r:sysfs_memory:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/1-0050/1-00500/nvmem u:object_r:sysfs_memory:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-0050/2-00500/nvmem u:object_r:sysfs_memory:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-0050/3-00500/nvmem u:object_r:sysfs_memory:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/4-00500/nvmem u:object_r:sysfs_memory:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0050/5-00500/nvmem u:object_r:sysfs_memory:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0050/6-00500/nvmem u:object_r:sysfs_memory:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0050/7-00500/nvmem u:object_r:sysfs_memory:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0050/8-00500/nvmem u:object_r:sysfs_memory:s0 # Broadcom genfscon sysfs /module/bcmdhd4389 u:object_r:sysfs_bcmdhd:s0 # Power Stats genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-0/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-1/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-2/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-5/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs 
/devices/platform/10960000.hsi2c/i2c-6/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-6/6-0008/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-7/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-8/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0 @@ -323,8 +705,15 @@ genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 # Extcon +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0025/extcon u:object_r:sysfs_extcon:s0 # SecureElement genfscon sysfs /devices/platform/10950000.spi/spi_master/spi6/spi6.0/st33spi u:object_r:sysfs_st33spi:s0 
From d17c49fd0a8c8ba326a8f82226d7899cff6fbd80 Mon Sep 17 00:00:00 2001 From: Will McVicker Date: Mon, 18 Sep 2023 15:10:49 -0700 Subject: [PATCH 863/921] Update the i2c device node sepolicy labeling This change needs to be merged with the corresponding kernel change that sets the i2c bus aliases correctly to match the existing v5.10 bus probe ordering. To verify the sepolicy labeling doesn't change, run the below commands and diff the stdout on builds with and without the changes. For extra credit, verify the nodes are labeled the same when upgrading the kernel to v6.1 (with the correct i2c aliases to match the existing policy): acpm_bus_array=("acpm_mfd_bus@17500000" "acpm_mfd_bus@17510000") for bus in ${acpm_bus_array[@]}; do adb shell ls -ZR /sys/devices/platform/${bus}/i2c-*; done bus_array=("10960000" "10970000" "10d50000" "10900000") for bus in ${bus_array[@]}; do adb shell ls -ZR /sys/devices/platform/${bus}.hsi2c/i2c-*; done Test: verify on r4 Bug: 291606723 Change-Id: Ifbfc53fbeb39a47cda4263fc706f11af6675d90e --- whitechapel/vendor/google/genfs_contexts | 495 +++-------------------- 1 file changed, 53 insertions(+), 442 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 8f31f090..b8da5986 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -31,64 +31,28 @@ genfscon sysfs /devices/platform/google,charger genfscon sysfs /devices/platform/google,dock/power_supply/dock u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d50000.hsi2c u:object_r:sysfs_batteryinfo:s0 -# Slider -genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/0-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/1-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs 
/devices/platform/10970000.hsi2c/i2c-5/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0061/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +# Slider +genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-9/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-9/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-9/9-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-9/9-003c/power_supply u:object_r:sysfs_batteryinfo:s0 + genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-003c u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-003c/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0050/eeprom u:object_r:sysfs_batteryinfo:s0 
-genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/0-0057/chg_stats u:object_r:sysfs_pca:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/1-0057/chg_stats u:object_r:sysfs_pca:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0057/chg_stats u:object_r:sysfs_pca:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0057/chg_stats u:object_r:sysfs_pca:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0057/chg_stats u:object_r:sysfs_pca:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/chg_stats u:object_r:sysfs_pca:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/chg_stats u:object_r:sysfs_pca:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0057/chg_stats u:object_r:sysfs_pca:s0 + +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0057/chg_stats u:object_r:sysfs_pca:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/0-003c u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/1-003c u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-003c u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-003c u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-003c u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-003c u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-003c u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-003c u:object_r:sysfs_wlc:s0 
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-9/9-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power_stats u:object_r:sysfs_power_stats:s0 # Storage -genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0 -genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0 +genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0 +genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0 genfscon sysfs /devices/platform/14700000.ufs/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0 genfscon sysfs /devices/platform/14700000.ufs/slowio_write_cnt u:object_r:sysfs_scsi_devices_0000:s0 genfscon sysfs /devices/platform/14700000.ufs/slowio_unmap_cnt u:object_r:sysfs_scsi_devices_0000:s0 
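Review bot: Some removed entries have no renumbered counterpart on the new side, so this hunk does not look label-neutral as the description intends. `10970000.hsi2c/i2c-5/5-0061/power_supply` and `10970000.hsi2c/i2c-5/5-0036/power_supply` (both `sysfs_batteryinfo`) existed only under bus 5 and are dropped without an `i2c-7` line. The next hunk does the same with `10d50000.hsi2c/i2c-7/7-0069/power_supply/gcpm/wakeup` and the three `i2c-5/5-0050` wakeup entries, although the added `8-0025` lines may be meant to replace the latter. If those devices still exist on a supported board, their nodes fall back to the nearest shorter genfscon prefix or the default sysfs label, and the domains that read them would see denials. Either add the renumbered lines, e.g. `genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0061/power_supply u:object_r:sysfs_batteryinfo:s0`, or name the boards that no longer carry them in the description, whose `bus_array` check also omits `10d10000`, the controller renumbered here from `i2c-7` to `i2c-9`.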
@@ -110,164 +74,38 @@ genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/ieee80215 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/gadget/net u:object_r:sysfs_net:s0 # Vibrator -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/0-0043 u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/0-005a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/1-0043 u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/1-005a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-0043 u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-005a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-0043 u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-005a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043 u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-005a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043 u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-005a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0043 u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-005a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0043 u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-005a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0043 u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-005a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 -genfscon sysfs 
/devices/platform/10970000.hsi2c/i2c-0/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0042 u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0043 u:object_r:sysfs_vibrator:s0 # Fingerprint genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0 # System_suspend -genfscon sysfs 
/devices/platform/10960000.hsi2c/i2c-0/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-1/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-2/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-5/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10960000.hsi2c/i2c-6/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-7/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-8/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/1-0043/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/1-0043/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-0043/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/10970000.hsi2c/i2c-2/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-0043/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0043/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10960000.hsi2c/i2c-6/6-0008/wakeup u:object_r:sysfs_wakeup:s0 + genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0043/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-003c/wakeup u:object_r:sysfs_wakeup:s0 + genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/0-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/0-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/0-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/0-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-0/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/1-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/1-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/1-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/1-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-3/3-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-source-psy-5-0050/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup 
u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 + genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-8/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0025/wakeup u:object_r:sysfs_wakeup:s0 + genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb2 u:object_r:sysfs_wakeup:s0 
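Review bot: The Vibrator and System_suspend blocks now carry a single bus number per controller (`10960000.hsi2c/i2c-6`, `10970000.hsi2c/i2c-7`, `10d50000.hsi2c/i2c-8`), but nothing in the file says why those numbers can be relied on. The description ties them to the kernel's i2c aliases, so a kernel built without that change could enumerate a bus under another number, and the nodes would then lose their `sysfs_vibrator` or `sysfs_wakeup` labels. I would add a comment above the first such block, for example `# i2c bus numbers below are pinned by the kernel's i2c aliases (Bug: 291606723); update both together`. The added `10970000.hsi2c/i2c-7/7-0042` vibrator label is also new rather than renumbered, since the old side listed only the `0043` and `005a` addresses, and that deserves a line in the description.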
@@ -283,80 +121,19 @@ genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup genfscon sysfs /devices/platform/19000000.aoc/com.google.usf.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/wakeup u:object_r:sysfs_wakeup:s0 + genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon 
sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 + genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/wakeup 
u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/0-002f/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/2-002f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/3-002f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/4-002f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/5-002f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/6-002f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/wakeup u:object_r:sysfs_wakeup:s0 + genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup 
u:object_r:sysfs_wakeup:s0 
@@ -400,78 +177,6 @@ genfscon sysfs /devices/platform/cp-tm1/cp_temp u genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/bluetooth/hci0/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 # ODPM -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/0-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/0-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/0-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/0-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon 
sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/2-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/2-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/2-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/2-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-3/3-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/3-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/3-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/3-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/4-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/4-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/4-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/4-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/5-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/5-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/5-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/5-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/6-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-6/6-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/6-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/6-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 
@@ -481,15 +186,8 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mp
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
-
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
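Review bot: The two added s2mpg10 `wakeup` rules land between the `iio:device1` and `iio:device0` blocks, so a `sysfs_wakeup` label sits in the middle of a run of `sysfs_odpm` rules under the `# ODPM` heading. The s2mpg11 rules added in the next hunk put their `wakeup` pair after both iio blocks; placing the s2mpg10 pair the same way, after the `iio:device0/enabled_rails` rules, would make it easier to audit which nodes each type covers. A one-line comment above the pair, e.g. `# ODPM wakeup sources (labelled sysfs_wakeup, not sysfs_odpm)`, would make the type switch explicit. The `iio:device0` block continues past the end of this hunk.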
@@ -498,90 +196,25 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/1-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name 
u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/2-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-3/3-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/4-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/5-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/8-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/8-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/8-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-8/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/8-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 - -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 # bcl sysfs files genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0 
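Review bot: The rules on the new side pin a single bus index per device (`i2c-1` for s2mpg11 here, and `i2c-7`, `i2c-6` and `i2c-8` in the nvmem, Power Stats and Extcon hunks that follow), but nothing in the file records where those indices come from or why both name forms (`i2c-s2mpg11mfd` and `1-002f`) are kept. genfscon labels by path prefix, so if a board revision or kernel enumerates the bus differently the nodes fall back to the default sysfs label and their readers get denials; that fails closed, but the tempting quick fix is a broad allow on `sysfs`, which is the outcome to guard against. I would add a comment above each group such as `# i2c bus index must match the kernel's enumeration on this SoC; both device-name forms are listed because the node name differs between kernels` — the second half is my reading of the paired entries and should be confirmed. The same applies to the added `6-0008/power_stats` and `8-0025/extcon` rules.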
@@ -635,30 +268,15 @@ genfscon sysfs /devices/platform/1c500000.mali/kprcs genfscon sysfs /devices/platform/1c500000.mali/power_policy u:object_r:sysfs_gpu:s0 # nvmem (Non Volatile Memory layer) -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-0/0-0050/0-00500/nvmem u:object_r:sysfs_memory:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-1/1-0050/1-00500/nvmem u:object_r:sysfs_memory:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-0050/2-00500/nvmem u:object_r:sysfs_memory:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-0050/3-00500/nvmem u:object_r:sysfs_memory:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/4-00500/nvmem u:object_r:sysfs_memory:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0050/5-00500/nvmem u:object_r:sysfs_memory:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0050/6-00500/nvmem u:object_r:sysfs_memory:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0050/7-00500/nvmem u:object_r:sysfs_memory:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0050/8-00500/nvmem u:object_r:sysfs_memory:s0 # Broadcom genfscon sysfs /module/bcmdhd4389 u:object_r:sysfs_bcmdhd:s0 # Power Stats genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-0/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-1/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-2/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-5/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs 
/devices/platform/10960000.hsi2c/i2c-6/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-7/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-8/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-6/6-0008/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0 @@ -705,15 +323,8 @@ genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 # Extcon -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-0/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-1/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0025/extcon u:object_r:sysfs_extcon:s0 # SecureElement genfscon sysfs /devices/platform/10950000.spi/spi_master/spi6/spi6.0/st33spi u:object_r:sysfs_st33spi:s0 
From f0047396deed3d38ec1232cdb4d2298d534e24a1 Mon Sep 17 00:00:00 2001 From: Will McVicker Date: Thu, 28 Sep 2023 10:37:24 -0700 Subject: [PATCH 864/921] Move i2c-cs40l26a to gs101-sepolicy The i2c-7/7-0043 label is shared with both i2c-7/i2c-cs40l25a and i2c-7/i2c-cs40l26a nodes. To make it clear that these all are related, let's move i2c-7/i2c-cs40l26a to gs101-sepolicy and have all the gs101 vibrator policy labels together. Bug: 302549624 Bug: 291606723 Test: Verify i2c nodes on r4 Fixes: ccdd975a88d0 ("Update the cs40l26a i2c device node sepolicy labeling") Change-Id: I2950a2c064e31e300d07f124cf1a7bfc00ae58c3 --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index b8da5986..e9cbdb9b 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -78,6 +78,7 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-005a u:object genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0042 u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l26a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0043 u:object_r:sysfs_vibrator:s0 # Fingerprint From 15261ed885484796732186e5cfa07d6da96136e0 Mon Sep 17 00:00:00 2001 
From: Wilson Sung Date: Wed, 4 Oct 2023 11:43:51 +0000 Subject: [PATCH 865/921] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 303391666 Bug: 303391687 Bug: 301948771 Change-Id: I16e38ca15d7a9995f7922b9c3be6a6f2f2238c2a
---
 tracking_denials/bug_map | 1 + tracking_denials/dmd.te | 2 ++ tracking_denials/hal_camera_default.te | 2 ++ 3 files changed, 5 insertions(+) create mode 100644 tracking_denials/dmd.te create mode 100644 tracking_denials/hal_camera_default.te
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 817374aa..8bcf1b30 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,3 +1,4 @@
 hal_power_default hal_power_default capability b/240632824
 incidentd debugfs_wakeup_sources file b/282626428
 incidentd incidentd anon_inode b/282626428
+chre vendor_data_file dir b/301948771
diff --git a/tracking_denials/dmd.te b/tracking_denials/dmd.te
new file mode 100644
index 00000000..68719b9b
--- /dev/null
+++ b/tracking_denials/dmd.te
@@ -0,0 +1,2 @@
+#b/303391666
+dontaudit dmd servicemanager:binder { call };
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
new file mode 100644
index 00000000..56a42a37
--- /dev/null
+++ b/tracking_denials/hal_camera_default.te
@@ -0,0 +1,2 @@
+#b/303391687
+dontaudit hal_camera_default hal_system_suspend_service:service_manager find ;
From 0c5fff7954234fd71f43a1799861867862529468 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 16 Oct 2023 12:20:20 +0800 Subject: [PATCH 866/921] Update SELinux error Test: scanBugreport Bug: 305600375 Bug: 305600845 Bug: 305600595 Change-Id: I6bd13a82d02eb063435520be7705c67408b0269f
---
 tracking_denials/bug_map | 7 ++++++- tracking_denials/servicemanager.te | 2 ++ 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 tracking_denials/servicemanager.te
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 8bcf1b30..ac62f599 100644
--- a/tracking_denials/bug_map
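Review bot: The two new `dontaudit` rules in tracking_denials/dmd.te and tracking_denials/hal_camera_default.te are not wrapped in any build-type condition, so once they land every later `dmd` binder call to `servicemanager` and every `hal_camera_default` lookup of `hal_system_suspend_service` also drops out of the AVC log. If they are only there to keep SELinuxUncheckedDenialBootTest quiet while the bugs are triaged, the comment above each rule should say so, e.g. `# b/303391666: temporary, remove once dmd's servicemanager access is resolved`. The formatting also differs from the rest of the policy: `{ call }` braces a single permission and `find ;` has a space before the semicolon, where `dontaudit dmd servicemanager:binder call;` and `...:service_manager find;` would match tracking_denials/servicemanager.te.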
+++ b/tracking_denials/bug_map
@@ -1,4 +1,9 @@
+chre vendor_data_file dir b/301948771
+dump_modem device chr_file b/305600375
 hal_power_default hal_power_default capability b/240632824
 incidentd debugfs_wakeup_sources file b/282626428
 incidentd incidentd anon_inode b/282626428
-chre vendor_data_file dir b/301948771
+untrusted_app nativetest_data_file dir b/305600845
+untrusted_app shell_test_data_file dir b/305600845
+untrusted_app system_data_root_file dir b/305600845
+untrusted_app userdebug_or_eng_prop file b/305600845
diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te
new file mode 100644
index 00000000..a6b549ff
--- /dev/null
+++ b/tracking_denials/servicemanager.te
@@ -0,0 +1,2 @@
+# b/305600595
+dontaudit servicemanager hal_thermal_default:binder call;
From ea198bd127e0d6880ff2cdea628d5a1faeba27f5 Mon Sep 17 00:00:00 2001 From: JimiChen Date: Mon, 30 Oct 2023 19:39:19 +0800 Subject: [PATCH 867/921] Update SELinux policies for rlsservice 1. Move rls_service context from vndservice_contexts to service_contexts. 2. Allow binder calls from rlsservice to servicemanager 3. Change rls_service type from vndservice_manager_type to service_manager_type. Bug: 301520085 Test: GCA Change-Id: I7badfe2ddb73b13884b54d2c8972e1921af6ea38
---
 whitechapel/vendor/google/rlsservice.te | 3 ++- whitechapel/vendor/google/service.te | 2 ++ whitechapel/vendor/google/service_contexts | 1 + whitechapel/vendor/google/vndservice.te | 1 - whitechapel/vendor/google/vndservice_contexts | 1 - 5 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/whitechapel/vendor/google/rlsservice.te b/whitechapel/vendor/google/rlsservice.te
index 3086bcad..43324959 100644
--- a/whitechapel/vendor/google/rlsservice.te
+++ b/whitechapel/vendor/google/rlsservice.te
@@ -16,8 +16,9 @@ allow rlsservice mnt_vendor_file:dir search; # access device files allow rlsservice rls_device:chr_file rw_file_perms; -binder_call(rlsservice, hal_sensors_default) binder_call(rlsservice, hal_camera_default) +binder_call(rlsservice, hal_sensors_default) +binder_call(rlsservice, servicemanager) # Allow access to always-on compute device node allow rlsservice device:dir { read watch }; diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te index 62b0b767..7218e40c 100644 --- a/whitechapel/vendor/google/service.te +++ b/whitechapel/vendor/google/service.te @@ -2,3 +2,5 @@ type hal_pixel_display_service, service_manager_type, hal_service_type; type hal_uwb_vendor_service, service_manager_type, hal_service_type; # WLC type hal_wireless_charger_service, hal_service_type, protected_service, service_manager_type; + +type rls_service, service_manager_type; diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index 32ac11bd..074dedf6 100644 --- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts @@ -2,3 +2,4 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_ hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0 android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0 vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0 +rlsservice u:object_r:rls_service:s0 diff --git a/whitechapel/vendor/google/vndservice.te b/whitechapel/vendor/google/vndservice.te index bd59e836..06ef0b2d 100644 --- a/whitechapel/vendor/google/vndservice.te +++ b/whitechapel/vendor/google/vndservice.te @@ -1,3 +1,2 @@ -type rls_service, vndservice_manager_type; type vendor_surfaceflinger_vndservice, vndservice_manager_type; type eco_service, vndservice_manager_type; 
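Review bot: In whitechapel/vendor/google/service.te, `rls_service` is declared with `service_manager_type` only, while the neighbouring types also carry `hal_service_type` and, for the wireless charger, `protected_service`. Moving the name from vndservice_contexts to service_contexts registers it with the framework servicemanager instead of vndservicemanager, so which domains hold `find` on `rls_service` matters more than before; those `add`/`find` rules are not in these hunks and should be checked in the rest of rlsservice.te and in the client domains. If no app domain is meant to look the service up, `type rls_service, service_manager_type, protected_service;` would state that in policy, assuming `protected_service` keeps its platform meaning of being off limits to untrusted apps. A one-line comment above the type, like the `# WLC` one, would also say what the service is.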
diff --git a/whitechapel/vendor/google/vndservice_contexts b/whitechapel/vendor/google/vndservice_contexts
index d272fe16..6ddcabfe 100644
--- a/whitechapel/vendor/google/vndservice_contexts
+++ b/whitechapel/vendor/google/vndservice_contexts
@@ -1,3 +1,2 @@
 Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0
-rlsservice u:object_r:rls_service:s0
 media.ecoservice u:object_r:eco_service:s0
From c11845e69e812553dae1766024742fd1774c1e3c Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 6 Nov 2023 08:01:12 +0000 Subject: [PATCH 868/921] Update SELinux error Test: scanBugreport Bug: 309379598 Change-Id: I9c334cdb5e98c71a70f079fb984e57c154ab6a99
---
 tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index ac62f599..e292ba7e 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,5 +1,6 @@
 chre vendor_data_file dir b/301948771
 dump_modem device chr_file b/305600375
+dumpstate rlsservice binder b/309379598
 hal_power_default hal_power_default capability b/240632824
 incidentd debugfs_wakeup_sources file b/282626428
 incidentd incidentd anon_inode b/282626428
From 04e4ac1717e1fcd1e41662a46ac5c667067b879b Mon Sep 17 00:00:00 2001 From: Rick Chen Date: Fri, 3 Nov 2023 20:09:37 +0800 Subject: [PATCH 869/921] sensors: Move USF related sepolicy to gs-common. Bug: 305120274 Test: Compile pass. Flash the build to WHI devices and no sensor related avc denied log. Change-Id: I56174a24d159968c01d1572e84f4bcdd7930a709
Signed-off-by: Rick Chen --- gs101-sepolicy.mk | 3 - usf/file.te | 16 ---- usf/file_contexts | 12 --- usf/sensor_hal.te | 83 ------------------- usf/te_macros | 14 ---- .../vendor/google/hal_sensors_default.te | 24 ++++++ 6 files changed, 24 insertions(+), 128 deletions(-) delete mode 100644 usf/file.te delete mode 100644 usf/file_contexts delete mode 100644 usf/sensor_hal.te delete mode 100644 usf/te_macros create mode 100644 whitechapel/vendor/google/hal_sensors_default.te diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk index b9bb717f..12768b9e 100644 --- a/gs101-sepolicy.mk +++ b/gs101-sepolicy.mk @@ -10,9 +10,6 @@ PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs101-sepolicy/private BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/display/common BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/display/gs101 -# Micro sensor framework (usf) -BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/usf - # system_ext SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/gs101-sepolicy/system_ext/public SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs101-sepolicy/system_ext/private diff --git a/usf/file.te b/usf/file.te deleted file mode 100644 index 8f49e32b..00000000 --- a/usf/file.te +++ /dev/null @@ -1,16 +0,0 @@ -# -# USF file SELinux type enforcements. -# - -# Declare the sensor registry persist file type. By convention, persist file -# types begin with "persist_". -type persist_sensor_reg_file, file_type, vendor_persist_type; - -# Declare the sensor registry data file type. By convention, data file types -# end with "data_file". -type sensor_reg_data_file, file_type, data_file_type; - -# Declare the sensor debug data file type. By convention, data file types -# end with "data_file". -type sensor_debug_data_file, file_type, data_file_type; - diff --git a/usf/file_contexts b/usf/file_contexts deleted file mode 100644 index 3c7833b1..00000000 --- a/usf/file_contexts +++ /dev/null 
@@ -1,12 +0,0 @@ -# -# USF SELinux file security contexts. -# - -# Sensor registry persist files. -/mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0 - -# Sensor registry data files. -/data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0 - -# Sensor debug data files. -/data/vendor/sensors/debug(/.*)? u:object_r:sensor_debug_data_file:s0 diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te deleted file mode 100644 index 595aeef6..00000000 --- a/usf/sensor_hal.te +++ /dev/null 
@@ -1,83 +0,0 @@ -# -# USF sensor HAL SELinux type enforcements. -# - -# Allow reading of sensor registry persist files and camera persist files. -allow hal_sensors_default persist_file:dir search; -allow hal_sensors_default mnt_vendor_file:dir search; -r_dir_file(hal_sensors_default, persist_sensor_reg_file) -r_dir_file(hal_sensors_default, persist_camera_file) - -# Allow creation and writing of sensor registry data files. -allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms; -allow hal_sensors_default sensor_reg_data_file:file create_file_perms; - -userdebug_or_eng(` - # Allow creation and writing of sensor debug data files. - allow hal_sensors_default sensor_debug_data_file:dir rw_dir_perms; - allow hal_sensors_default sensor_debug_data_file:file create_file_perms; -') - -# Allow access to the AoC communication driver. -allow hal_sensors_default aoc_device:chr_file rw_file_perms; - -# Allow access to the AoC clock and kernel boot time sys FS node. This is needed -# to synchronize the AP and AoC clock timestamps. -allow hal_sensors_default sysfs_aoc_boottime:file rw_file_perms; - -# Allow create thread to watch AOC's device. -allow hal_sensors_default device:dir r_dir_perms; - -# Allow access to the files of CDT information. -r_dir_file(hal_sensors_default, sysfs_chosen) - -# Allow display_info_service access to the backlight driver. -allow hal_sensors_default sysfs_leds:dir search; -allow hal_sensors_default sysfs_leds:file rw_file_perms; - -# Allow access to the power supply files for MagCC. -r_dir_file(hal_sensors_default, sysfs_batteryinfo) -allow hal_sensors_default sysfs_wlc:dir r_dir_perms; - -# Allow access to sensor service for sensor_listener. -binder_call(hal_sensors_default, system_server); - -# Allow access to the sysfs_aoc. -allow hal_sensors_default sysfs_aoc:dir search; -allow hal_sensors_default sysfs_aoc:file r_file_perms; - -# Allow use of the USF low latency transport. 
-usf_low_latency_transport(hal_sensors_default) - -# Allow sensor HAL to reset AOC. -allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms; - -# Allow sensor HAL to read AoC dumpstate. -allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms; - -# Allow access for AoC properties. -get_prop(hal_sensors_default, vendor_aoc_prop) - -# Allow access for dynamic sensor properties. -get_prop(hal_sensors_default, vendor_dynamic_sensor_prop) - -# Allow access to raw HID devices for dynamic sensors. -allow hal_sensors_default hidraw_device:chr_file rw_file_perms; - -# Allow sensor HAL to access the display service HAL -allow hal_sensors_default hal_pixel_display_service:service_manager find; -binder_call(hal_sensors_default, hal_graphics_composer_default) - -# Allow sensor HAL to access to display sysfs. -allow hal_sensors_default sysfs_display:file r_file_perms; - -# -# Suez type enforcements. -# - -# Allow SensorSuez to connect AIDL stats. -binder_use(hal_sensors_default); -allow hal_sensors_default fwk_stats_service:service_manager find; - -# Allow access to CHRE socket to connect to nanoapps. -unix_socket_connect(hal_sensors_default, chre, chre) diff --git a/usf/te_macros b/usf/te_macros deleted file mode 100644 index 01ac13c1..00000000 --- a/usf/te_macros +++ /dev/null @@ -1,14 +0,0 @@ -# -# USF SELinux type enforcement macros. -# - -# -# usf_low_latency_transport(domain) -# -# Allows domain use of the USF low latency transport. -# -define(`usf_low_latency_transport', ` - allow $1 hal_graphics_mapper_hwservice:hwservice_manager find; - hal_client_domain($1, hal_graphics_allocator) -') - diff --git a/whitechapel/vendor/google/hal_sensors_default.te b/whitechapel/vendor/google/hal_sensors_default.te new file mode 100644 index 00000000..57763d14 --- /dev/null +++ b/whitechapel/vendor/google/hal_sensors_default.te 
@@ -0,0 +1,24 @@ +# +# USF sensor HAL SELinux type enforcements. +# + +# Allow reading of camera persist files. +r_dir_file(hal_sensors_default, persist_camera_file) + +# Allow access to the files of CDT information. +r_dir_file(hal_sensors_default, sysfs_chosen) + +# Allow access for dynamic sensor properties. +get_prop(hal_sensors_default, vendor_dynamic_sensor_prop) + +# Allow access to raw HID devices for dynamic sensors. +allow hal_sensors_default hidraw_device:chr_file rw_file_perms; + +# Allow sensor HAL to access the display service HAL +allow hal_sensors_default hal_pixel_display_service:service_manager find; + +# Allow sensor HAL to access the graphics composer. +binder_call(hal_sensors_default, hal_graphics_composer_default) + +# Allow access to the power supply files for MagCC. +allow hal_sensors_default sysfs_wlc:dir r_dir_perms; From a6c7f726b55b5640c6726af2168a1fed829ba50d Mon Sep 17 00:00:00 2001 From: Mike Wang Date: Thu, 9 Nov 2023 07:17:07 +0000 Subject: [PATCH 870/921] Change the MDS to platform app in selinux ap context. The MDS will be signed with platform key and become a platform app. To make the selinux rules for modem_diagnostic_app work, need to set it to platform app in app context. Bug: 287683516 Test: Tested with both dev key or platform key signed MDS apps and the selinux rules works. Change-Id: If890f7caaac33e5ddc6c02cc8084654a10cea416 --- whitechapel/vendor/google/seapp_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index 7711c447..f2c53ebc 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts 
@@ -29,6 +29,7 @@ user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=o # Modem Diagnostic System user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user +user=_app isPrivApp=true seinfo=platform name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user # RIL Config Service user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file From 8966bfa2378d117e3e149c52ea108a38ae5b303b Mon Sep 17 00:00:00 2001 From: Alex Iacobucci Date: Fri, 10 Nov 2023 18:25:17 +0000 Subject: [PATCH 871/921] aoc: add sysfs file entry Test: on device Bug: 309950738 Change-Id: I7e2ceaa61c7870ace37014ad39f3a119f3712569 Signed-off-by: Alex Iacobucci --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index e9cbdb9b..95852d7b 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -16,6 +16,7 @@ genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:ob genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/notify_timeout_aoc_status u:object_r:sysfs_aoc_notifytimeout:s0 # EdgeTPU genfscon sysfs /devices/platform/1ce00000.abrolhos u:object_r:sysfs_edgetpu:s0 From 89dd17c9ada82787ed7fdf423f3b1736940ca304 Mon Sep 17 00:00:00 2001 
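Review bot: The added `seinfo=platform` entry for `com.google.mds` sits beside the existing `seinfo=mds` entry, so after this change a privileged app with that package name enters `modem_diagnostic_app` when signed with either certificate. The description says MDS becomes platform-signed and that both signings were tested, so keeping the old line may be deliberate for the transition; if so, a comment such as `# TODO(b/287683516): drop the seinfo=mds entry once only the platform-signed MDS ships` would record it. Otherwise remove the `seinfo=mds` line, together with its signer mapping (not visible in this hunk), so that only one signer can reach the domain.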
From: Lei Ju Date: Wed, 21 Dec 2022 15:58:13 -0800 Subject: [PATCH 872/921] Set up sepolicy for CHRE HAL process Contexthub (CHRE) team is removing the chre daemon and incorporating its functionalities into the next gen HAL. This CL copied the permissions we received in whitechapel/vendor/google/chre.te to hal_contexthub.te to enable the same set of permissions on gs101. Bug: 247124878 Test: launch the hal process on oriole and verify it can perform required operations such as loading nanoapps holding wakelocks, query nanoapps, etc. Change-Id: I8ce6b4f7f411e50cf454bb5f1286f73d4d46aced --- whitechapel/vendor/google/hal_contexthub.te | 29 ++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/hal_contexthub.te b/whitechapel/vendor/google/hal_contexthub.te index ba776c89..4175b444 100644 --- a/whitechapel/vendor/google/hal_contexthub.te +++ b/whitechapel/vendor/google/hal_contexthub.te 
@@ -1,3 +1,30 @@ # Allow context hub HAL to communicate with daemon via socket allow hal_contexthub_default chre:unix_stream_socket connectto; -allow hal_contexthub_default chre_socket:sock_file write; \ No newline at end of file +allow hal_contexthub_default chre_socket:sock_file write; + +# Permit communication with AoC +allow hal_contexthub_default aoc_device:chr_file rw_file_perms; + +# Allow CHRE to determine AoC's current clock +allow hal_contexthub_default sysfs_aoc:dir search; +allow hal_contexthub_default sysfs_aoc_boottime:file r_file_perms; + +# Allow CHRE to create thread to watch AOC's device +allow hal_contexthub_default aoc_device:dir r_dir_perms; + +# Allow CHRE to use the USF low latency transport +usf_low_latency_transport(hal_contexthub_default) + +# Allow CHRE to talk to the WiFi HAL +allow hal_contexthub_default hal_wifi_ext:binder { call transfer }; +allow hal_contexthub_default hal_wifi_ext_service:service_manager find; + +# Allow CHRE host to talk to stats service +allow hal_contexthub_default fwk_stats_service:service_manager find; +binder_call(hal_contexthub_default, stats_service_server) + +# Allow CHRE to use WakeLock +wakelock_use(hal_contexthub_default) + +# Allow CHRE to block suspend, which is required to use EPOLLWAKEUP +allow hal_contexthub_default self:global_capability2_class_set block_suspend; From e948bb326a518bd2f7f92410c4f2d0ae6f6d146a Mon Sep 17 00:00:00 2001 From: Daniel Norman Date: Fri, 10 Nov 2023 22:42:44 +0000 Subject: [PATCH 873/921] Removes duplicate hidraw_device type definition. This type is now defined by the platform. Bug: 303522222 Change-Id: I3e1fc7cb102fa9e9a80b8751eb0da505e3b3d69f Test: ls -z /dev/hidraw0 --- whitechapel/vendor/google/device.te | 3 --- whitechapel/vendor/google/file_contexts | 4 ---- 2 files changed, 7 deletions(-) diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index 17dede95..113cd5cf 100644 --- a/whitechapel/vendor/google/device.te 
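Review bot: `allow hal_contexthub_default aoc_device:dir r_dir_perms;` probably does not grant what its comment describes, because `aoc_device` is used as a character-device label two rules earlier, and the other rules on this page written for the same purpose target the generic `device` directory type (`allow rlsservice device:dir { read watch };` in rlsservice.te and the removed `allow hal_sensors_default device:dir r_dir_perms;` in usf/sensor_hal.te). If the HAL has to watch the directory that holds the AoC node, the matching rule would be `allow hal_contexthub_default device:dir { read watch };`, to be checked against the chre.te rule it was copied from, which is not shown here; otherwise the line can go. Separately, the first two rules still allow connecting to the `chre` daemon socket although the description says the daemon is being removed, so they are worth a `# TODO(b/247124878): remove with the chre daemon` comment.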
+++ b/whitechapel/vendor/google/device.te @@ -35,9 +35,6 @@ type vscaler_heap_device, dmabuf_heap_device_type, dev_type; # Fingerprint device type fingerprint_device, dev_type; -# Raw HID device -type hidraw_device, dev_type; - # SecureElement SPI device type st54spi_device, dev_type; type st33spi_device, dev_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index b45782e6..ea95a34a 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -373,7 +373,3 @@ /vendor/lib64/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/libprotobuf-cpp-lite-(\d+\.){2,3}so u:object_r:same_process_hal_file:s0 - -# Raw HID device -/dev/hidraw[0-9]* u:object_r:hidraw_device:s0 - From 1f9e3a93e15c295d62a84055cb791c547a30dd72 Mon Sep 17 00:00:00 2001 From: Devika Krishnadas Date: Thu, 16 Nov 2023 01:17:05 +0000 Subject: [PATCH 874/921] Add Pixel Mapper as a sp-HAL Bug: 267352318 Change-Id: I77b064c3eae2b47677ee83df8483e6f7aba08e6e Signed-off-by: Devika Krishnadas --- whitechapel/vendor/google/file_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index b45782e6..0b192d23 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -32,6 +32,9 @@ # Vendor Firmwares /(vendor|system/vendor)/firmware(/.*)? u:object_r:vendor_fw_file:s0 +# Gralloc +/(vendor|system/vendor)/lib(64)?/hw/mapper\.pixel\.so u:object_r:same_process_hal_file:s0 + # # Exynos Block Devices # From ec6ba5806d16d8d80c79d79b70176dede6ef636b Mon Sep 17 00:00:00 2001 From: Randall Huang Date: Wed, 22 Nov 2023 13:06:59 +0800 Subject: [PATCH 875/921] Move sg_device related policy Bug: 312582937 Test: make selinux_policy Change-Id: I27a86d47777a6d769b93fc1c40ae27dacf83ab10 
Signed-off-by: Randall Huang --- whitechapel/vendor/google/file_contexts | 1 - whitechapel/vendor/google/storageproxyd.te | 2 -- 2 files changed, 3 deletions(-) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index e2b0405c..c804c5a7 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -290,7 +290,6 @@ /dev/trusty-ipc-dev0 u:object_r:tee_device:s0 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 /mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 -/dev/sg1 u:object_r:sg_device:s0 # Battery /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te index e803c0c6..453caad1 100644 --- a/whitechapel/vendor/google/storageproxyd.te +++ b/whitechapel/vendor/google/storageproxyd.te @@ -1,4 +1,3 @@ -type sg_device, dev_type; type persist_ss_file, file_type, vendor_persist_type; # Handle wake locks @@ -10,7 +9,6 @@ allow tee persist_file:dir r_dir_perms; allow tee mnt_vendor_file:dir r_dir_perms; allow tee tee_data_file:dir create_dir_perms; allow tee tee_data_file:lnk_file r_file_perms; -allow tee sg_device:chr_file rw_file_perms; # Allow storageproxyd access to gsi_public_metadata_file read_fstab(tee) From 213b76e9b8549d0f6c3adecc8b501de1384d7715 Mon Sep 17 00:00:00 2001 From: Khoa Hong Date: Thu, 30 Nov 2023 15:01:37 +0800 Subject: [PATCH 876/921] Suppress avc error log on debugfs's usb folder. The XHCI driver in kernel will write debugging information to DebugFS on some USB host operations (for example: plugging in a USB headphone). We are not using those information right now. Bug: 311088739 Test: No error when plugging a USB headphone in. Change-Id: If7c511f4466959d819f2672ae8f82a8a8dae83e4 --- whitechapel/vendor/google/kernel.te | 1 + 1 file changed, 1 insertion(+) 
diff --git a/whitechapel/vendor/google/kernel.te b/whitechapel/vendor/google/kernel.te index c1d73c68..f1156829 100644 --- a/whitechapel/vendor/google/kernel.te +++ b/whitechapel/vendor/google/kernel.te @@ -11,3 +11,4 @@ allow kernel self:perf_event cpu; dontaudit kernel vendor_battery_debugfs:dir search; dontaudit kernel vendor_maxfg_debugfs:dir { search }; dontaudit kernel vendor_votable_debugfs:dir { search }; +dontaudit kernel vendor_usb_debugfs:dir search; From 484f609deeea0245dcf4d6771da128eadc69df28 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 30 Nov 2023 07:14:31 +0000 Subject: [PATCH 877/921] Update SELinux error Test: scanBugreport Bug: 312894628 Bug: 313804340 Change-Id: I87b384eac0c734444f0d722955b341a4611b7842 --- tracking_denials/bug_map | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index e292ba7e..2b6cd412 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,9 +1,12 @@ chre vendor_data_file dir b/301948771 dump_modem device chr_file b/305600375 dumpstate rlsservice binder b/309379598 +dumpstate virtual_camera binder b/312894628 +dumpstate virtual_camera process b/312894628 hal_power_default hal_power_default capability b/240632824 incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 +surfaceflinger selinuxfs file b/313804340 untrusted_app nativetest_data_file dir b/305600845 untrusted_app shell_test_data_file dir b/305600845 untrusted_app system_data_root_file dir b/305600845 From 60940a7ad745d46e2d5bc7e9a5824759b952c082 Mon Sep 17 00:00:00 2001 
From: Daniel Norman Date: Thu, 30 Nov 2023 23:27:49 +0000 Subject: [PATCH 878/921] Removes duplicate hidraw_device type definition. This type is now defined by the platform. Bug: 303522222 Test: ls -z /dev/hidraw0 (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e948bb326a518bd2f7f92410c4f2d0ae6f6d146a) Merged-In: I3e1fc7cb102fa9e9a80b8751eb0da505e3b3d69f Change-Id: I3e1fc7cb102fa9e9a80b8751eb0da505e3b3d69f --- whitechapel/vendor/google/device.te | 3 --- whitechapel/vendor/google/file_contexts | 4 ---- 2 files changed, 7 deletions(-) diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index 17dede95..113cd5cf 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -35,9 +35,6 @@ type vscaler_heap_device, dmabuf_heap_device_type, dev_type; # Fingerprint device type fingerprint_device, dev_type; -# Raw HID device -type hidraw_device, dev_type; - # SecureElement SPI device type st54spi_device, dev_type; type st33spi_device, dev_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index a8be48f8..5903e37c 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -372,7 +372,3 @@ /vendor/lib64/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/libprotobuf-cpp-lite-(\d+\.){2,3}so u:object_r:same_process_hal_file:s0 - -# Raw HID device -/dev/hidraw[0-9]* u:object_r:hidraw_device:s0 - From 3f3bfddaffc31890954e60f792e9d4d98aa6f790 Mon Sep 17 00:00:00 2001 From: Jason Chiu Date: Mon, 27 Nov 2023 17:24:54 +0800 Subject: [PATCH 879/921] gs101: move common sepolicy related to bootctrl hal to gs-common Bug: 265063384 Change-Id: I2e7bee9c6be4a6802a759bf52fb412dd73f868bd 
Signed-off-by: Jason Chiu --- whitechapel/vendor/google/device.te | 2 -- whitechapel/vendor/google/file.te | 3 --- whitechapel/vendor/google/file_contexts | 1 - whitechapel/vendor/google/hal_bootctl_default.te | 3 --- 4 files changed, 9 deletions(-) diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te index 113cd5cf..4662a075 100644 --- a/whitechapel/vendor/google/device.te +++ b/whitechapel/vendor/google/device.te @@ -3,13 +3,11 @@ type efs_block_device, dev_type; type modem_block_device, dev_type; type modem_userdata_block_device, dev_type; type persist_block_device, dev_type; -type sda_block_device, dev_type; type mfg_data_block_device, dev_type; # Exynos devices type vendor_toe_device, dev_type; type custom_ab_block_device, dev_type; -type devinfo_block_device, dev_type; # usbpd type logbuffer_device, dev_type; diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index a1baa85f..965c876e 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -31,9 +31,6 @@ type vendor_charger_debugfs, fs_type, debugfs_type; type vendor_votable_debugfs, fs_type, debugfs_type; type vendor_battery_debugfs, fs_type, debugfs_type; -# Exynos sysfs -type sysfs_ota, sysfs_type, fs_type; - # Exynos Firmware type vendor_fw_file, vendor_file_type, file_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index c804c5a7..49a88cff 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -21,7 +21,6 @@ # # HALs # -/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-2]-service-gs101 u:object_r:hal_bootctl_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate-service\.gs101 u:object_r:hal_dumpstate_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.gs101 u:object_r:hal_power_stats_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0 diff --git a/whitechapel/vendor/google/hal_bootctl_default.te b/whitechapel/vendor/google/hal_bootctl_default.te index a9f9cdea..fe4ba2e0 100644 --- a/whitechapel/vendor/google/hal_bootctl_default.te +++ b/whitechapel/vendor/google/hal_bootctl_default.te @@ -1,4 +1 @@ -allow hal_bootctl_default sda_block_device:blk_file rw_file_perms; -allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms; -allow hal_bootctl_default sysfs_ota:file rw_file_perms; allow hal_bootctl_default sysfs_bootctl:file rw_file_perms; From 03785012eda51ad8a3f8eea8002eebe9dbcd82c4 Mon Sep 17 00:00:00 2001 From: David Drysdale Date: Tue, 14 Nov 2023 13:50:00 +0000 Subject: [PATCH 880/921] Add Secretkeeper HAL Test: VtsAidlAuthGraphSessionTest Bug: 306364873 Change-Id: I72d9d9afd57d265bd2a019a02d6aa364deb4acb4 --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index c804c5a7..38541a71 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -287,6 +287,7 @@ /vendor/bin/hw/android\.hardware\.gatekeeper-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 /vendor/bin/hw/android\.hardware\.keymaster@4\.0-service\.trusty u:object_r:hal_keymaster_default_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0 +/vendor/bin/hw/android\.hardware\.security\.secretkeeper\.trusty u:object_r:hal_secretkeeper_default_exec:s0 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 /mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 From c42d6625f58837ee0a9cebbdf43f6d7174fe3a54 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 11 Dec 2023 02:54:34 +0000 Subject: [PATCH 881/921] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 315720636 Bug: 315104713 Test: scanBugreport Bug: 315720725 Bug: 315104713 Test: scanAvcDeniedLogRightAfterReboot Bug: 315720636 Bug: 315104713 Change-Id: I6fdd21dd1d78aee006d3d5dbeb57ae6912f9b42e --- tracking_denials/bug_map | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 2b6cd412..0e211125 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -6,8 +6,12 @@ dumpstate virtual_camera process b/312894628 hal_power_default hal_power_default capability b/240632824 incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 +rild default_prop file b/315720636 +rild default_prop file b/315720725 surfaceflinger selinuxfs file b/313804340 untrusted_app nativetest_data_file dir b/305600845 untrusted_app shell_test_data_file dir b/305600845 untrusted_app system_data_root_file dir b/305600845 untrusted_app userdebug_or_eng_prop file b/305600845 +vendor_init default_prop file b/315104713 +vendor_init default_prop property_service b/315104713 From 548c2f184d9b8aeca9d75bf35319fef591d05a85 Mon Sep 17 00:00:00 2001 
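Review bot: The new `secretkeeper\.trusty` entry only assigns the `hal_secretkeeper_default_exec` label, and nothing in this commit shows the resulting domain being allowed to open `tee_device`, the type the next context line gives `/dev/trusty-ipc-dev0`. If the platform policy does not already cover it, a rule like the one the other Trusty HALs presumably carry is needed, e.g. `allow hal_secretkeeper_default tee_device:chr_file rw_file_perms;` (domain name inferred from the exec type, so confirm it). The pattern also lacks the `-service` infix its three neighbours have. Check it against the installed binary name with `ls -Z`, because a mismatch leaves the binary on the generic vendor label and the HAL never enters its own domain.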
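Review bot: `rild default_prop file` is added twice with different bug ids (b/315720636 and b/315720725). As far as I know the denial-to-bug lookup is keyed on the source/target/class triple, so only one of the two ids can be attached to a logged denial and the other line is dead. The same pattern recurs in later bug_map updates in this series (`vendor_init default_prop file`, and three `system_suspend sysfs dir` lines). Keep one line per triple and cross-link the bugs. Denials against `default_prop` also usually mean a property has no property_contexts entry, which is the thing to fix rather than track.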
From: Boon Jun Soh Date: Fri, 8 Dec 2023 19:00:04 +0800 Subject: [PATCH 882/921] Fix rlsservice sepolicy Allows bugreport generation Bug: 315255760 Bug: 309379598 Test: abd bugreport & ensure lack of rls avc denied logs Change-Id: Ib3fc7b089c7aea4aea69f219d4c19847d39b0729 --- tracking_denials/bug_map | 1 - whitechapel/vendor/google/dumpstate.te | 2 +- whitechapel/vendor/google/rlsservice.te | 4 ++++ 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 2b6cd412..a967250a 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,6 +1,5 @@ chre vendor_data_file dir b/301948771 dump_modem device chr_file b/305600375 -dumpstate rlsservice binder b/309379598 dumpstate virtual_camera binder b/312894628 dumpstate virtual_camera process b/312894628 hal_power_default hal_power_default capability b/240632824 diff --git a/whitechapel/vendor/google/dumpstate.te b/whitechapel/vendor/google/dumpstate.te index e715ad95..f5be2a83 100644 --- a/whitechapel/vendor/google/dumpstate.te +++ b/whitechapel/vendor/google/dumpstate.te @@ -13,4 +13,4 @@ allow dumpstate modem_efs_file:dir getattr; allow dumpstate modem_img_file:dir getattr; allow dumpstate modem_userdata_file:dir getattr; allow dumpstate fuse:dir search; - +allow dumpstate rlsservice:binder call; \ No newline at end of file diff --git a/whitechapel/vendor/google/rlsservice.te b/whitechapel/vendor/google/rlsservice.te index 43324959..0705e5db 100644 --- a/whitechapel/vendor/google/rlsservice.te +++ b/whitechapel/vendor/google/rlsservice.te @@ -36,3 +36,7 @@ allow rlsservice apex_info_file:file r_file_perms; # Allow read camera property get_prop(rlsservice, vendor_camera_prop); + +# Allow rlsservice bugreport generation +allow rlsservice dumpstate:fd use; +allow rlsservice dumpstate:fifo_file write; \ No newline at end of file From 9fa7db53a14c2a3a1d7a5edb2c2823677f55b884 Mon Sep 17 00:00:00 2001 
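Review bot: Both `dumpstate.te` and `rlsservice.te` now end without a trailing newline (the `\ No newline at end of file` markers), and the dumpstate hunk gets there by replacing the file's blank last line with the new rule. Policy sources are concatenated before compilation, so as far as I know an unterminated last line runs into whatever follows. That is harmless while the line is a complete statement, but the next file's first line is swallowed as soon as someone appends a comment here. Terminate both files with a newline, and give the dumpstate rule the same kind of comment the rlsservice rules got, e.g. `# Allow dumpstate to call rlsservice for bugreport generation`.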
From: Wilson Sung Date: Tue, 12 Dec 2023 06:34:48 +0000 Subject: [PATCH 883/921] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 315907959 Test: scanBugreport Bug: 315104713 Test: scanAvcDeniedLogRightAfterReboot Bug: 315104713 Change-Id: Ib110dee4622befb0e4a04ade1c1805e822ce3b2e --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 5ec3d600..671bcae6 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -5,6 +5,8 @@ dumpstate virtual_camera process b/312894628 hal_power_default hal_power_default capability b/240632824 incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 +kernel dm_device blk_file b/315907959 +kernel tmpfs chr_file b/315907959 rild default_prop file b/315720636 rild default_prop file b/315720725 surfaceflinger selinuxfs file b/313804340 From 0212befe1e4337c381290ca2a93238dd7f3b5639 Mon Sep 17 00:00:00 2001 From: Chi Zhang Date: Wed, 29 Nov 2023 16:32:37 -0800 Subject: [PATCH 884/921] Allow GRIL to get power stats. AVC log: SELinux : avc: denied { find } for pid=3147 uid=10219 name=android.hardware.power.stats.IPowerStats/default scontext=u:r:grilservice_app:s0:c219,c256,c512,c768 tcontext=u:object_r:hal_power_stats_service:s0 tclass=service_manager permissive=0 Bug: 286187143 Test: build and boot Change-Id: Iff51df55ad0011815b764b334801dedc6a6d1cbc --- whitechapel/vendor/google/grilservice_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/grilservice_app.te b/whitechapel/vendor/google/grilservice_app.te index c0ba5764..d22bc010 100644 --- a/whitechapel/vendor/google/grilservice_app.te +++ b/whitechapel/vendor/google/grilservice_app.te 
@@ -11,3 +11,4 @@ binder_call(grilservice_app, hal_bluetooth_btlinux) binder_call(grilservice_app, hal_radioext_default) binder_call(grilservice_app, hal_wifi_ext) binder_call(grilservice_app, hal_audiometricext_default) +hal_client_domain(grilservice_app, hal_power_stats) From 64e2ac2aa017386fca93f7e07b4d00de1b940e17 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 21 Dec 2023 07:37:17 +0000 Subject: [PATCH 885/921] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 317316478 Test: scanBugreport Bug: 316817111 Test: scanAvcDeniedLogRightAfterReboot Bug: 316817111 Change-Id: I0eaf3217d077d2465a2f4ac3f1e3b15b9236df4f --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 671bcae6..6f1bdccf 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -3,6 +3,7 @@ dump_modem device chr_file b/305600375 dumpstate virtual_camera binder b/312894628 dumpstate virtual_camera process b/312894628 hal_power_default hal_power_default capability b/240632824 +hal_vibrator_default default_android_service service_manager b/317316478 incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 kernel dm_device blk_file b/315907959 @@ -15,4 +16,5 @@ untrusted_app shell_test_data_file dir b/305600845 untrusted_app system_data_root_file dir b/305600845 untrusted_app userdebug_or_eng_prop file b/305600845 vendor_init default_prop file b/315104713 +vendor_init default_prop file b/316817111 vendor_init default_prop property_service b/315104713 From 52fc41b1c23b1a69f9bd2fd0c05679e30ba928cb Mon Sep 17 00:00:00 2001 
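Review bot: The added `hal_client_domain(grilservice_app, hal_power_stats)` has no comment, and it grants more than the single `find` denial quoted in the commit message. The macro makes the app a client of the HAL, which normally includes the binder call to the server as well as the service lookup. That is presumably what is wanted, but it should be stated next to the rule so a later audit can tell the grant was deliberate, e.g. `# GRIL queries IPowerStats (find + binder call); b/286187143`.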
From: Wilson Sung Date: Tue, 26 Dec 2023 03:34:50 +0000 Subject: [PATCH 886/921] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 317734923 Test: scanBugreport Bug: 317734418 Bug: 316817111 Test: scanAvcDeniedLogRightAfterReboot Bug: 317734489 Bug: 316817111 Change-Id: Ibc5c35c327cbb1fb4433c63a9073503037d9c8cf --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 6f1bdccf..772ede39 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -8,6 +8,7 @@ incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 kernel dm_device blk_file b/315907959 kernel tmpfs chr_file b/315907959 +rfsd vendor_cbd_prop file b/317734418 rild default_prop file b/315720636 rild default_prop file b/315720725 surfaceflinger selinuxfs file b/313804340 From c4181c461d82d38d4e523bb33e42c604f962a37b Mon Sep 17 00:00:00 2001 From: timtmlin Date: Wed, 27 Dec 2023 15:44:23 +0800 Subject: [PATCH 887/921] Remove obsolete entries Bug: 315720636 Bug: 315720725 Test: make Change-Id: I485bbd472314199106a6f92f08796762cb440952 --- tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 772ede39..b6f2fc40 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -9,8 +9,6 @@ incidentd incidentd anon_inode b/282626428 kernel dm_device blk_file b/315907959 kernel tmpfs chr_file b/315907959 rfsd vendor_cbd_prop file b/317734418 -rild default_prop file b/315720636 -rild default_prop file b/315720725 surfaceflinger selinuxfs file b/313804340 untrusted_app nativetest_data_file dir b/305600845 untrusted_app shell_test_data_file dir b/305600845 From da91eed387356c29ecff7be4ea7e1aaf4efb92b8 Mon Sep 17 00:00:00 2001 
From: wenchangliu Date: Fri, 5 Jan 2024 02:57:09 +0000 Subject: [PATCH 888/921] gs101: move mediacodec_samsung sepolicy to gs-common remove mediacodec_samsung sepolicy in legacy path since we will include it from gs-common. Bug: 318793681 Test: build pass, camera record, youtube Change-Id: Idc0e19348d1e113e95305279aebbbaf82c79d730 --- whitechapel/vendor/google/file.te | 4 ---- whitechapel/vendor/google/file_contexts | 2 -- whitechapel/vendor/google/genfs_contexts | 3 --- whitechapel/vendor/google/hal_camera_default.te | 2 +- whitechapel/vendor/google/mediacodec.te | 10 ---------- whitechapel/vendor/google/property.te | 1 - whitechapel/vendor/google/property_contexts | 5 ----- whitechapel/vendor/google/vndservice.te | 1 - whitechapel/vendor/google/vndservice_contexts | 1 - 9 files changed, 1 insertion(+), 28 deletions(-) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 965c876e..9e7f1fab 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -1,7 +1,6 @@ # Exynos Data Files #type vendor_data_file, file_type, data_file_type; type vendor_cbd_boot_file, file_type, data_file_type; -type vendor_media_data_file, file_type, data_file_type; # Exynos Log Files type vendor_log_file, file_type, data_file_type; @@ -134,9 +133,6 @@ type sysfs_memory, sysfs_type, fs_type; # bcmdhd (Broadcom FullMAC wireless cards support) type sysfs_bcmdhd, sysfs_type, fs_type; -# Video -type sysfs_video, sysfs_type, fs_type; - # UWB vendor type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; type persist_uwb_file, file_type, vendor_persist_type; diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 7c3b828d..0d3d8a2f 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts 
@@ -224,9 +224,7 @@ /dev/lwis-votf u:object_r:lwis_device:s0 # VIDEO -/vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_exec:s0 -/data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0 # IMS VoWiFi /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 95852d7b..2adf1f01 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -308,9 +308,6 @@ genfscon sysfs /devices/platform/debugcore/sscoredump/sscd_debugcore/report_coun genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 -# mediacodec -genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_video:s0 - # SJTAG genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0 genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_r:sysfs_sjtag:s0 diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index 07789692..8e0a8616 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te @@ -72,7 +72,7 @@ binder_call(hal_camera_default, system_server); # Allow Binder calls to ECO service, needed by Entropy-Aware Filtering allow hal_camera_default eco_service:service_manager find; -binder_call(hal_camera_default, mediacodec); +binder_call(hal_camera_default, mediacodec_samsung); # Allow camera HAL to query preferred camera frequencies from the radio HAL # extensions to avoid interference with cellular antennas. 
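Review bot: `binder_call(hal_camera_default, mediacodec_samsung)` names a type that is not declared anywhere in this change. The unchanged `allow hal_camera_default eco_service:service_manager find;` just above it also keeps using `eco_service`, while the same commit deletes that declaration from `vndservice.te`. Both types now have to come from the gs-common policy, so this file only compiles when that directory is in the build; confirm this for every target that still includes the legacy path, since it is not visible here. The reverse rule `allow mediacodec hal_camera_default:binder call;` is also dropped from `mediacodec.te`, so the remaining `mediacodec` domain (still used for the google c2 service in `file_contexts`) loses its binder path to the camera HAL. That is presumably intended, but check for new denials on a camera-record run.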
diff --git a/whitechapel/vendor/google/mediacodec.te b/whitechapel/vendor/google/mediacodec.te index 0c22d5bf..13d8ab85 100644 --- a/whitechapel/vendor/google/mediacodec.te +++ b/whitechapel/vendor/google/mediacodec.te @@ -1,11 +1 @@ -userdebug_or_eng(` - set_prop(mediacodec, vendor_codec2_debug_prop) - allow mediacodec vendor_media_data_file:dir rw_dir_perms; - allow mediacodec vendor_media_data_file:file create_file_perms; -') - -add_service(mediacodec, eco_service) -allow mediacodec hal_camera_default:binder call; -allow mediacodec sysfs_video:file r_file_perms; -allow mediacodec sysfs_video:dir r_dir_perms; allow mediacodec dmabuf_system_secure_heap_device:chr_file r_file_perms; diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te index 934e13a9..98da3e39 100644 --- a/whitechapel/vendor/google/property.te +++ b/whitechapel/vendor/google/property.te @@ -14,7 +14,6 @@ vendor_internal_prop(vendor_persist_config_default_prop) vendor_internal_prop(vendor_sys_default_prop) vendor_internal_prop(vendor_ro_sys_default_prop) vendor_internal_prop(vendor_persist_sys_default_prop) -vendor_internal_prop(vendor_codec2_debug_prop) vendor_internal_prop(vendor_display_prop) vendor_internal_prop(vendor_camera_prop) vendor_internal_prop(vendor_camera_fatp_prop) diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts index 4c01239d..c9187a3f 100644 --- a/whitechapel/vendor/google/property_contexts +++ b/whitechapel/vendor/google/property_contexts 
@@ -15,11 +15,6 @@ persist.vendor.sys.crash_rcu u:object_r:vendor_ramdump_prop:s0 vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0 persist.vendor.sys.ssr. u:object_r:vendor_ssrdump_prop:s0 -# for codec2 -vendor.debug.c2.level u:object_r:vendor_codec2_debug_prop:s0 -vendor.debug.c2.dump u:object_r:vendor_codec2_debug_prop:s0 -vendor.debug.c2.dump.opt u:object_r:vendor_codec2_debug_prop:s0 - # USB HAL persist.vendor.usb. u:object_r:vendor_usb_config_prop:s0 vendor.usb. u:object_r:vendor_usb_config_prop:s0 diff --git a/whitechapel/vendor/google/vndservice.te b/whitechapel/vendor/google/vndservice.te index 06ef0b2d..12a48194 100644 --- a/whitechapel/vendor/google/vndservice.te +++ b/whitechapel/vendor/google/vndservice.te @@ -1,2 +1 @@ type vendor_surfaceflinger_vndservice, vndservice_manager_type; -type eco_service, vndservice_manager_type; diff --git a/whitechapel/vendor/google/vndservice_contexts b/whitechapel/vendor/google/vndservice_contexts index 6ddcabfe..4f9f5a70 100644 --- a/whitechapel/vendor/google/vndservice_contexts +++ b/whitechapel/vendor/google/vndservice_contexts @@ -1,2 +1 @@ Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0 -media.ecoservice u:object_r:eco_service:s0 From 6073bb0ff8a11984113b53222cc8f0d493818ac9 Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Wed, 10 Jan 2024 06:13:47 +0000 Subject: [PATCH 889/921] selinux: label wakeup for BMS I2C 0x36, 0x69 Bug: 319035561 Change-Id: Ib339ce27cc89a02825be51f1bf49fe727ac9fb67 Signed-off-by: Ken Yang --- whitechapel/vendor/google/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 2adf1f01..4315d412 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -47,6 +47,7 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0050/eeprom genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0036/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0057/chg_stats u:object_r:sysfs_pca:s0 genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power_stats u:object_r:sysfs_power_stats:s0 @@ -101,6 +102,7 @@ genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0069/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 From ea7ccea15c633ab83d86144037c2027654b4ad99 Mon Sep 17 00:00:00 2001 From: Mahesh Kallelil Date: Thu, 11 Jan 2024 09:19:57 -0800 Subject: [PATCH 890/921] Fix SELinux error in dump_modem The cpif logbuffer did not have the right context and was missing as part of the bugreport. Test: Tested bugreport on device Bug: 305600375 Change-Id: I2101037d0044e706969f2582e29f923ae029458b 
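Review bot: Both added `wakeup/wakeup` entries, here and in the second hunk, hard-code the bus number in the path (`i2c-8/8-0036`, `i2c-8/8-0069`). genfscon matches on the literal path, so if the bus is enumerated under a different number the nodes silently fall back to the generic `sysfs` label. Whichever domain reads wakeup sources then logs denials against `sysfs`, which tends to end up as a bug_map entry instead of a corrected label. Verify the labels with `ls -Z` on each supported device, and add a comment above the block such as `# path embeds the i2c bus number; must match kernel enumeration`.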
Signed-off-by: Mahesh Kallelil --- tracking_denials/bug_map | 1 - whitechapel/vendor/google/file_contexts | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index b6f2fc40..17fcff7d 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,5 +1,4 @@ chre vendor_data_file dir b/301948771 -dump_modem device chr_file b/305600375 dumpstate virtual_camera binder b/312894628 dumpstate virtual_camera process b/312894628 hal_power_default hal_power_default capability b/240632824 diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 7c3b828d..51eefaed 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -105,6 +105,7 @@ /dev/logbuffer_pca9468 u:object_r:logbuffer_device:s0 /dev/logbuffer_cpm u:object_r:logbuffer_device:s0 /dev/logbuffer_bd u:object_r:logbuffer_device:s0 +/dev/logbuffer_cpif u:object_r:logbuffer_device:s0 /dev/logbuffer_maxfg_monitor u:object_r:logbuffer_device:s0 /dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0 From 29021574e6feb35426a13f9419ec695ac5dc8d27 Mon Sep 17 00:00:00 2001 From: Kyle Tso Date: Mon, 15 Jan 2024 15:45:52 +0800 Subject: [PATCH 891/921] Correct the path of tcpm wakelock Bug: 315190967 Change-Id: I01f8da9e0467f34cd0229bf9c5370d062ca78130 Signed-off-by: Kyle Tso --- whitechapel/vendor/google/genfs_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 95852d7b..cccc3ec8 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
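Review bot: `/dev/logbuffer_cpif` is given the shared `logbuffer_device` type, so every domain that can already read one of the charger or fuel-gauge logbuffers can now read the modem interface log as well. The set of domains holding `logbuffer_device` permissions is not visible in this hunk. If it is wider than the bugreport helpers, a dedicated type for the cpif node would keep the modem log scoped to `dump_modem`. At minimum the new line should name its consumer, e.g. `# cpif logbuffer, collected by dump_modem for bugreports`.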
@@ -104,7 +104,7 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0069/power_supply/main-c genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0025/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0025/wakeup u:object_r:sysfs_wakeup:s0 From 3116a34269cc40bda840e44dc8fc9e0c67ec6ceb Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 22 Jan 2024 17:42:00 +0000 Subject: [PATCH 892/921] Update SELinux error Test: SELinuxUncheckedDenialBootTest Test: scanBugreport Bug: 321730881 Bug: 316817111 Test: scanAvcDeniedLogRightAfterReboot Bug: 316817111 Change-Id: I6f7abbb5402fd991d174a79a81c2d5e6c41c71d8 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 17fcff7d..a93b45b7 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -9,6 +9,7 @@ kernel dm_device blk_file b/315907959 kernel tmpfs chr_file b/315907959 rfsd vendor_cbd_prop file b/317734418 surfaceflinger selinuxfs file b/313804340 +system_server pm_archiving_enabled_prop file b/321730881 untrusted_app nativetest_data_file dir b/305600845 untrusted_app shell_test_data_file dir b/305600845 untrusted_app system_data_root_file dir b/305600845 
From 7ea71a9c1c1a23485166dbc7fcdb639fdac28bfd Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Mon, 29 Jan 2024 11:49:04 +0800 Subject: [PATCH 893/921] sepolicy: allow hal_power_stats to read sysfs_display avc: denied { read } for name="available_disp_stats" dev="sysfs" ino=76162 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 Bug: 321848496 Test: dumpsys android.hardware.power.stats.IPowerStats/default Change-Id: I869e80af8994408e7eef279b6a5eb59d6d2c406b Signed-off-by: Darren Hsu --- whitechapel/vendor/google/genfs_contexts | 4 ++++ whitechapel/vendor/google/hal_power_stats_default.te | 1 + 2 files changed, 5 insertions(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 6c56a4e0..644251ca 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -156,6 +156,8 @@ genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.au genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 # Display +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/available_disp_stats u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/available_disp_stats u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 
@@ -168,6 +170,8 @@ genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_idle genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/time_in_state u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/time_in_state u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/1c300000.drmdecon/counters u:object_r:sysfs_display:s0 diff --git a/whitechapel/vendor/google/hal_power_stats_default.te b/whitechapel/vendor/google/hal_power_stats_default.te index 13a0487f..90a78492 100644 --- a/whitechapel/vendor/google/hal_power_stats_default.te +++ b/whitechapel/vendor/google/hal_power_stats_default.te @@ -17,6 +17,7 @@ binder_call(hal_power_stats_default, citadeld) r_dir_file(hal_power_stats_default, sysfs_aoc) r_dir_file(hal_power_stats_default, sysfs_aoc_dumpstate) r_dir_file(hal_power_stats_default, sysfs_cpu) +r_dir_file(hal_power_stats_default, sysfs_display) r_dir_file(hal_power_stats_default, sysfs_leds) r_dir_file(hal_power_stats_default, sysfs_acpm_stats) r_dir_file(hal_power_stats_default, sysfs_wifi) From 811682e50f0a21341dc5801670e05082510c48ba Mon Sep 17 00:00:00 2001 
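Review bot: `r_dir_file(hal_power_stats_default, sysfs_display)` grants read on every node labelled `sysfs_display`, while the denial in the commit message is for `available_disp_stats` only. The context lines of the genfs_contexts hunks show the same type covering `gamma`, `min_vrefresh`, `panel_idle`, `panel_need_handle_idle_exit`, `hs_clock` and `counters`, so the power-stats HAL gains read access to all of those too. The access is read-only, but a separate type for the two stats nodes (`available_disp_stats`, `time_in_state`) would limit the grant to what the HAL uses. Failing that, add a comment next to the rule such as `# display residency stats: available_disp_stats, time_in_state`.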
From: Wonsik Kim Date: Fri, 26 Jan 2024 16:02:08 -0800 Subject: [PATCH 894/921] Add AIDL media.c2 into service_contexts Bug: 321808716 Test: adb shell dumpsys android.hardware.media.c2.IComponentStore/default Test: adb shell dumpsys android.hardware.media.c2.IComponentStore/default1 Change-Id: Ifef80e6d12e1b0c9e5d2ce6b33a61b51239683de --- whitechapel/vendor/google/service_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts index 074dedf6..25362525 100644 --- a/whitechapel/vendor/google/service_contexts +++ b/whitechapel/vendor/google/service_contexts @@ -3,3 +3,4 @@ hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_ve android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0 vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0 rlsservice u:object_r:rls_service:s0 +android.hardware.media.c2.IComponentStore/default1 u:object_r:hal_codec2_service:s0 From 16de970cd01f124a6725d5f6679e2058a089a9b2 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 31 Jan 2024 02:59:05 +0000 Subject: [PATCH 895/921] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 323086679 Test: scanBugreport Bug: 323087054 Bug: 316817111 Test: scanAvcDeniedLogRightAfterReboot Bug: 323086660 Bug: 316817111 Change-Id: I03dc82e832048e9a165b738bea1903ed37b2231c --- tracking_denials/bug_map | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index a93b45b7..7d1687e6 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -10,6 +10,9 @@ kernel tmpfs chr_file b/315907959 rfsd vendor_cbd_prop file b/317734418 surfaceflinger selinuxfs file b/313804340 system_server pm_archiving_enabled_prop file b/321730881 +system_suspend sysfs dir b/323086660 +system_suspend sysfs dir b/323086679 +system_suspend sysfs dir b/323087054 untrusted_app nativetest_data_file dir b/305600845 untrusted_app shell_test_data_file dir b/305600845 untrusted_app system_data_root_file dir b/305600845 From e2e71d0850f1efd7546cc9f17da51f0a29b32d41 Mon Sep 17 00:00:00 2001 From: Andrea Zilio Date: Wed, 31 Jan 2024 15:24:11 +0000 Subject: [PATCH 896/921] Removed SE Linux error bugmap entry, as we have fixed this property usage. Change-Id: I1093c7c7b7633a734d1108fa6e05c010dd1af4c6 Bug: 321730881 --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 7d1687e6..3b92d112 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -9,7 +9,6 @@ kernel dm_device blk_file b/315907959 kernel tmpfs chr_file b/315907959 rfsd vendor_cbd_prop file b/317734418 surfaceflinger selinuxfs file b/313804340 -system_server pm_archiving_enabled_prop file b/321730881 system_suspend sysfs dir b/323086660 system_suspend sysfs dir b/323086679 system_suspend sysfs dir b/323087054 From 3a53df7d7accb8b17cbb9c4dc4a156347a799d4a Mon Sep 17 00:00:00 2001 From: Jacky Liu Date: Fri, 2 Feb 2024 12:41:35 +0800 Subject: [PATCH 897/921] Update i2c device paths Update i2c device paths with static bus numbers. Bug: 323447554 Test: Boot to home Change-Id: I5aacc4db4726f7608b2049bd2efb1d8732d3cdcf --- whitechapel/vendor/google/genfs_contexts | 143 ++++++++--------------- 1 file changed, 49 insertions(+), 94 deletions(-) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 644251ca..582ba6e7 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -34,21 +34,17 @@ genfscon sysfs /devices/platform/google,dock/power_supply/dock genfscon sysfs /devices/platform/10d50000.hsi2c u:object_r:sysfs_batteryinfo:s0 # Slider -genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-9/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-9/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-9/9-003c u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-9/9-003c/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-0/0-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-0/0-003c/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-003c u:object_r:sysfs_wlc:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-003c/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-003c/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0036/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-12/12-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0036/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0057/chg_stats u:object_r:sysfs_pca:s0 genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power_stats u:object_r:sysfs_power_stats:s0 
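Review bot: Each entry in this hunk is now keyed to a single hard-coded bus number (`i2c-0`, `i2c-8`, `i2c-12`) and the name-based aliases such as `i2c-p9412` are removed, so nothing labels these nodes if the running kernel numbers the buses differently; the later hunks of this file (vibrator, system_suspend wakeup, acpm_mfd_bus wakeup and ODPM, nvmem, power stats, extcon) follow the same pattern. A mismatch is silent at build time: nodes under `10d50000.hsi2c` would inherit `sysfs_batteryinfo` from the prefix entry shown in the hunk header, and the others presumably fall back to generic `sysfs`, which is the kind of denial the bug_map tracked for `system_suspend`. I would add a comment above the first changed entry, `# Paths use static i2c bus numbers (b/323447554); they must match the kernel's bus numbering`, and extend the listed test from "Boot to home" to an `ls -Z` check of one node per bus.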
@@ -76,39 +72,26 @@ genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/ieee80215 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/gadget/net u:object_r:sysfs_net:s0 # Vibrator -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-005a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0042 u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l26a u:object_r:sysfs_vibrator:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-005a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0042 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0043 u:object_r:sysfs_vibrator:s0 # Fingerprint genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0 # System_suspend -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-6/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-6/6-0008/wakeup u:object_r:sysfs_wakeup:s0 - -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0043/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-003c/wakeup u:object_r:sysfs_wakeup:s0 - 
+genfscon sysfs /devices/platform/10960000.hsi2c/i2c-7/7-0008/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-003c/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup u:object_r:sysfs_wakeup:s0 - -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0069/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0025/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10d50000.hsi2c/i2c-12/12-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0069/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0025/power_supply/tcpm-source-psy-12-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0025/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0 
@@ -125,18 +108,11 @@ genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup genfscon sysfs /devices/platform/19000000.aoc/com.google.usf.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/19000000.aoc/wakeup u:object_r:sysfs_wakeup:s0 - -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/wakeup u:object_r:sysfs_wakeup:s0 - -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0 
@@ -185,44 +161,25 @@ genfscon sysfs /devices/platform/cp-tm1/cp_temp u genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/bluetooth/hci0/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 # ODPM +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 - -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/sampling_rate 
u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 # bcl sysfs files genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0 @@ -276,15 +233,14 @@ genfscon sysfs /devices/platform/1c500000.mali/kprcs genfscon sysfs /devices/platform/1c500000.mali/power_policy u:object_r:sysfs_gpu:s0 # nvmem (Non Volatile Memory layer) -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0050/7-00500/nvmem u:object_r:sysfs_memory:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0050/8-00500/nvmem u:object_r:sysfs_memory:s0 # Broadcom genfscon sysfs /module/bcmdhd4389 u:object_r:sysfs_bcmdhd:s0 # Power Stats genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-6/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-6/6-0008/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-7/7-0008/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0 
@@ -328,8 +284,7 @@ genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 # Extcon -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0025/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0025/extcon u:object_r:sysfs_extcon:s0 # SecureElement genfscon sysfs /devices/platform/10950000.spi/spi_master/spi6/spi6.0/st33spi u:object_r:sysfs_st33spi:s0 From 3ad00c9539890fd9d99b69ef6f2ac631ff8a44bc Mon Sep 17 00:00:00 2001 From: Will McVicker Date: Fri, 16 Feb 2024 14:54:04 -0800 Subject: [PATCH 898/921] Update i2c sepolicy with new device names The new names fix uninformative kernel wakelock names. Bug: 315190967 Bug: 323447554 Change-Id: Iff6eccb677444357f867785f213dadd70fb649c1 --- whitechapel/vendor/google/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 582ba6e7..efce278f 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts 
@@ -90,6 +90,7 @@ genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0069/power_supply/dc/w genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0069/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0025/power_supply/tcpm-source-psy-12-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0025/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0025/wakeup u:object_r:sysfs_wakeup:s0 From 7af07fe0e455d4fb18a60cfac24c8b2e6d2ee8a9 Mon Sep 17 00:00:00 2001 From: Peter Lin Date: Fri, 2 Feb 2024 01:03:20 +0000 Subject: [PATCH 899/921] add dsim wakeup labels Bug: 323086660 Bug: 321733124 test: ls sys/devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/wakeup -Z Change-Id: Ic47c14713727de1639e456fb6b2f0fc7d9810dc6 --- tracking_denials/bug_map | 3 --- whitechapel/vendor/google/genfs_contexts | 3 +++ 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 3b92d112..17fcff7d 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -9,9 +9,6 @@ kernel dm_device blk_file b/315907959 kernel tmpfs chr_file b/315907959 rfsd vendor_cbd_prop file b/317734418 surfaceflinger selinuxfs file b/313804340 -system_suspend sysfs dir b/323086660 -system_suspend sysfs dir b/323086679 -system_suspend sysfs dir b/323087054 untrusted_app nativetest_data_file dir b/305600845 untrusted_app shell_test_data_file dir b/305600845 untrusted_app system_data_root_file dir b/305600845 
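Review bot: The added `tcpm-source-psy-i2c-max77759tcpc/wakeup` entry sits beside the existing `tcpm-source-psy-12-0025/wakeup` entry with nothing in the file saying which kernel produces which name, so a later cleanup cannot tell which of the two is stale. The commit message ties the name to the wakelock-naming fix, which a one-line comment above the pair would preserve, e.g. `# Both power_supply names are labelled while kernels with either naming are in use (b/315190967)`; the "either naming" part is my reading and should be confirmed. A wakeup node whose name matches neither entry would not get `sysfs_wakeup` but would inherit `sysfs_batteryinfo` from the `/devices/platform/10d50000.hsi2c` prefix entry visible earlier in this file, so an `ls -Z` check on a device is worth adding; the change lists no test.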
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts index 644251ca..70449f9b 100644 --- a/whitechapel/vendor/google/genfs_contexts +++ b/whitechapel/vendor/google/genfs_contexts @@ -148,6 +148,9 @@ genfscon sysfs /devices/platform/gpio_keys/wakeup genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/sound-aoc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/wakeup u:object_r:sysfs_wakeup:s0 + # Input genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb2/2-1 u:object_r:sysfs_uhid:s0 genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb2/2-1 u:object_r:sysfs_uhid:s0 From 40465c19883219645bd04f2ca2c772fa342b9fe8 Mon Sep 17 00:00:00 2001 From: Lei Ju Date: Sat, 17 Feb 2024 09:46:51 -0800 Subject: [PATCH 900/921] [gs101] Use common settings for Contexthub HAL The change also labeled files under /data/vendor/chre/ to grant required access. Test: compilation Bug: 248615564 Change-Id: I4db158853764987cf04dc7963ff79c680613f028 --- whitechapel/vendor/google/file.te | 1 + whitechapel/vendor/google/file_contexts | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te index 9e7f1fab..8c985555 100644 --- a/whitechapel/vendor/google/file.te +++ b/whitechapel/vendor/google/file.te @@ -49,6 +49,7 @@ type sysfs_nanoapp_cmd, sysfs_type, fs_type; type sysfs_fingerprint, sysfs_type, fs_type; # CHRE +type chre_data_file, file_type, data_file_type; type chre_socket, file_type; # BT diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 0fb85403..40114760 100644 --- a/whitechapel/vendor/google/file_contexts 
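Review bot: These two `drmdsim` wakeup labels are the only policy added by a commit that also deletes all three `system_suspend sysfs dir` entries from bug_map, while the message cites only b/323086660 of the three. If the denials behind b/323086679 or b/323087054 came from a different unlabelled node, they will now surface untracked, so it is worth confirming they referred to these same paths before dropping them. The test line checks only `1c2c0000.drmdsim`; adding `ls -Z` for `/sys/devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/wakeup` would cover the second entry.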
+++ b/whitechapel/vendor/google/file_contexts @@ -235,9 +235,9 @@ /data/vendor/sensor(/.*)? u:object_r:sensor_vendor_data_file:s0 # Contexthub -/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 /(vendor|system/vendor)/bin/chre u:object_r:chre_exec:s0 /dev/socket/chre u:object_r:chre_socket:s0 +/data/vendor/chre(/.*)? u:object_r:chre_data_file:s0 # Modem logging /vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0 From dbac8fd52fbe391d0a27b35a803b212ecba8f278 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= Date: Wed, 21 Feb 2024 13:46:21 +1100 Subject: [PATCH 901/921] Remove persist.bootanim.color property definitions These now belong to the platform policy. Bug: 321088135 Test: build Change-Id: Iafe8da5e19a43807aed49e1984ef798de396e723 --- system_ext/private/property_contexts | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts index b8f09520..a8e90427 100644 --- a/system_ext/private/property_contexts +++ b/system_ext/private/property_contexts @@ -1,14 +1,8 @@ # Fingerprint (UDFPS) GHBM/LHBM toggle persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool -# Boot animation dynamic colors -persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int -persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int -persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int -persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int - # Properties for euicc persist.modem.esim_profiles_exist u:object_r:esim_modem_prop:s0 exact string # Telephony -telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool \ No newline at end of file +telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool From 6f152690d9adcc3dff983b3bc6826bafecbab07a Mon Sep 17 00:00:00 2001 
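Review bot: Removing the `hal_contexthub_default_exec` entry leaves the labelling of `android.hardware.contexthub-service.generic` to a policy directory that is not part of this change, and the only test listed is compilation. If that common policy is not among the directories this device builds, the binary would presumably keep a default vendor label and the HAL would have no domain of its own to run in, which a build does not catch. The same applies to the new `chre_data_file` type from the file.te hunk: it is declared and mapped to `/data/vendor/chre(/.*)?` here, but no rule using it is visible in this patch. I would add on-device checks to the test line, `ls -Z /vendor/bin/hw/android.hardware.contexthub-service.generic` and `ls -Zd /data/vendor/chre`.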
From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Fri, 23 Feb 2024 03:00:08 +0000 Subject: [PATCH 902/921] Allow camera to acquire wakelocks. This is already allowed on all other Google chips and used for a face auth latency optimization. Fix: 303391687 Test: check logs on raven Change-Id: I6f70b70d1cf4c055ce9f3e76c1fca0ae0c3e070d --- tracking_denials/hal_camera_default.te | 2 -- whitechapel/vendor/google/hal_camera_default.te | 3 +++ 2 files changed, 3 insertions(+), 2 deletions(-) delete mode 100644 tracking_denials/hal_camera_default.te diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te deleted file mode 100644 index 56a42a37..00000000 --- a/tracking_denials/hal_camera_default.te +++ /dev/null @@ -1,2 +0,0 @@ -#b/303391687 -dontaudit hal_camera_default hal_system_suspend_service:service_manager find ; diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te index 8e0a8616..b488860d 100644 --- a/whitechapel/vendor/google/hal_camera_default.te +++ b/whitechapel/vendor/google/hal_camera_default.te @@ -111,3 +111,6 @@ dontaudit hal_camera_default traced_producer_socket:sock_file { write }; # Allow access to always-on compute device node allow hal_camera_default aoc_device:chr_file rw_file_perms; + +# Allow the Camera HAL to acquire wakelocks for buffer pre-allocation purposes +wakelock_use(hal_camera_default) From 303a4dd99b15745c02afb565fa9a630e87a68f45 Mon Sep 17 00:00:00 2001 
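Review bot: `wakelock_use(hal_camera_default)` grants more than the one denial it replaces: the deleted `dontaudit` covered only `hal_system_suspend_service:service_manager find`, while the macro, as far as I recall its platform definition, also allows binder calls to the suspend service, the `block_suspend` capability and writes to the wake-lock sysfs files. That is a standing ability for the camera HAL to keep the device awake, so the reason should be traceable from the policy file; the added comment says "buffer pre-allocation" whereas the commit message says face-auth latency, and neither carries the bug number. I would write the comment as `# b/303391687: Camera HAL holds a wakelock during buffer pre-allocation (face auth latency)`.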
From: Rubin Xu Date: Fri, 23 Feb 2024 12:12:26 +0000 Subject: [PATCH 903/921] Revert "Remove persist.bootanim.color property definitions" Revert submission 26301396-bootanim_prop Reason for revert: DroidMonitor-triggered revert due to breakage https://android-build.corp.google.com/quarterdeck/?branch=git_main&target=sdk_goog3_x86_64-trunk_staging-userdebug&lkgb=11487950&lkbb=11488141&fkbb=11488141 Bug: 326521604 Reverted changes: /q/submissionid:26301396-bootanim_prop Change-Id: Ic931ad1f4f7580cae73355ba3419a7c7422cd580 --- system_ext/private/property_contexts | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts index a8e90427..b8f09520 100644 --- a/system_ext/private/property_contexts +++ b/system_ext/private/property_contexts @@ -1,8 +1,14 @@ # Fingerprint (UDFPS) GHBM/LHBM toggle persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool +# Boot animation dynamic colors +persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int +persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int +persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int +persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int + # Properties for euicc persist.modem.esim_profiles_exist u:object_r:esim_modem_prop:s0 exact string # Telephony -telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool +telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool \ No newline at end of file From f0447fb52d67313d5716bc25697d4afa8247d66b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= Date: Sun, 25 Feb 2024 23:58:44 +0000 Subject: [PATCH 904/921] Revert^2 "Remove persist.bootanim.color property definitions" 303a4dd99b15745c02afb565fa9a630e87a68f45 Change-Id: I237450825ef2aaf4681265aede03091ca2d76484 --- system_ext/private/property_contexts | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) 
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts index b8f09520..a8e90427 100644 --- a/system_ext/private/property_contexts +++ b/system_ext/private/property_contexts @@ -1,14 +1,8 @@ # Fingerprint (UDFPS) GHBM/LHBM toggle persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool -# Boot animation dynamic colors -persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int -persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int -persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int -persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int - # Properties for euicc persist.modem.esim_profiles_exist u:object_r:esim_modem_prop:s0 exact string # Telephony -telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool \ No newline at end of file +telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool From d3db02a5c3944852603541d314e9a0f603d1b1a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= Date: Fri, 8 Mar 2024 01:38:00 +0000 Subject: [PATCH 905/921] Remove persist.bootanim.color property definitions These now belong to the platform policy. Bug: 321088135 Test: build (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dbac8fd52fbe391d0a27b35a803b212ecba8f278) Merged-In: Iafe8da5e19a43807aed49e1984ef798de396e723 Change-Id: Iafe8da5e19a43807aed49e1984ef798de396e723 --- system_ext/private/property_contexts | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts index b8f09520..a8e90427 100644 --- a/system_ext/private/property_contexts +++ b/system_ext/private/property_contexts 
@@ -1,14 +1,8 @@ # Fingerprint (UDFPS) GHBM/LHBM toggle persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool -# Boot animation dynamic colors -persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int -persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int -persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int -persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int - # Properties for euicc persist.modem.esim_profiles_exist u:object_r:esim_modem_prop:s0 exact string # Telephony -telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool \ No newline at end of file +telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool From 89224de0eb667995bcb01f054cb718e8543cd950 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 18 Mar 2024 02:58:47 +0000 Subject: [PATCH 906/921] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 329380904 Change-Id: I5ef59058c7c7487a8a9cb238767e019631c5ac63 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 17fcff7d..6b94d7d3 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -8,6 +8,7 @@ incidentd incidentd anon_inode b/282626428 kernel dm_device blk_file b/315907959 kernel tmpfs chr_file b/315907959 rfsd vendor_cbd_prop file b/317734418 +shell sysfs_net file b/329380904 surfaceflinger selinuxfs file b/313804340 untrusted_app nativetest_data_file dir b/305600845 untrusted_app shell_test_data_file dir b/305600845 From 9ddb9bab3d2500edab8cece590c16ade06b81cbc Mon Sep 17 00:00:00 2001 
From: Spade Lee Date: Tue, 19 Mar 2024 07:54:01 +0000 Subject: [PATCH 907/921] sepolicy: allow kernel to search vendor debugfs audit: type=1400 audit(1710259012.824:4): avc: denied { search } for pid=128 comm="kworker/3:1" name="max77779fg" dev="debugfs" ino=24204 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_maxfg_debugfs:s0 tclass=dir permissive=0 audit: type=1400 audit(1710427790.680:2): avc: denied { search } for pid=10 comm="kworker/u16:1" name="gvotables" dev="debugfs" ino=10582 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_votable_debugfs:s0 tclass=dir permissive=1 audit: type=1400 audit(1710427790.680:3): avc: denied { search } for pid=211 comm="kworker/u16:4" name="google_charger" dev="debugfs" ino=16673 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_charger_debugfs:s0 tclass=dir permissive=1 Bug: 328016570 Bug: 329317898 Test: check all debugfs folders are correctly mounted Change-Id: I13ef8c4d9b0f84a8641cfbe12a7b5cf89a97d3da Signed-off-by: Spade Lee --- whitechapel/vendor/google/kernel.te | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/whitechapel/vendor/google/kernel.te b/whitechapel/vendor/google/kernel.te index f1156829..d44eed68 100644 --- a/whitechapel/vendor/google/kernel.te +++ b/whitechapel/vendor/google/kernel.te @@ -8,7 +8,11 @@ allow kernel per_boot_file:file r_file_perms; allow kernel self:capability2 perfmon; allow kernel self:perf_event cpu; -dontaudit kernel vendor_battery_debugfs:dir search; -dontaudit kernel vendor_maxfg_debugfs:dir { search }; -dontaudit kernel vendor_votable_debugfs:dir { search }; -dontaudit kernel vendor_usb_debugfs:dir search; +userdebug_or_eng(` + allow kernel vendor_battery_debugfs:dir search; + allow kernel vendor_regmap_debugfs:dir search; + allow kernel vendor_usb_debugfs:dir search; + allow kernel vendor_votable_debugfs:dir search; + allow kernel vendor_charger_debugfs:dir search; + allow kernel vendor_maxfg_debugfs:dir search; +') 
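Review bot: Dropping the four `dontaudit` rules leaves user builds with neither an allow nor a dontaudit for the kernel domain on these debugfs directories, and the first denial quoted in the message was logged with permissive=0. If debugfs is still reachable on user builds, the `search` denials will return to the log there. If it is not, a comment above the block should say so, e.g. `# Vendor debugfs is searched by kernel worker threads; debug builds only (b/328016570, b/329317898)`. The block also adds `vendor_regmap_debugfs`, for which the message quotes no denial, so the justification for that type should be stated. The same hunk appears again in PATCH 914/921, and kernel.te continues outside the hunk.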
From 66d3a4ef4e33553862de92119cd2345b777df1f6 Mon Sep 17 00:00:00 2001 From: Spade Lee Date: Thu, 21 Mar 2024 00:29:41 +0000 Subject: [PATCH 908/921] pixelstats_vendor: add logbuffer_device r_file_perms avc: denied { read } for name="logbuffer_maxfg_monitor" dev="tmpfs" ino=1034 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:logbuffer_device:s0 tclass=chr_file permissive=0 Bug: 329174074 Test: no denied log, and able to read logbuffer in pixelstats_vendor Change-Id: I2c6069f43d17114f937657724dc34e43cf3d48fe Signed-off-by: Spade Lee --- whitechapel/vendor/google/pixelstats_vendor.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te index 7496a7ce..33e9511c 100644 --- a/whitechapel/vendor/google/pixelstats_vendor.te +++ b/whitechapel/vendor/google/pixelstats_vendor.te @@ -25,6 +25,7 @@ allow pixelstats_vendor fwk_sensor_service:service_manager find; # Batery history allow pixelstats_vendor battery_history_device:chr_file r_file_perms; +allow pixelstats_vendor logbuffer_device:chr_file r_file_perms; #vendor-metrics r_dir_file(pixelstats_vendor, sysfs_vendor_metrics) From 629dd3eaf9183258fa4fbf9242a1da91c69198c2 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 25 Mar 2024 07:56:34 +0000 Subject: [PATCH 909/921] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 331147031 Change-Id: I098aab7a986a8b2c659c006f50b5dade74ebcb5b --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 6b94d7d3..2bae68e0 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
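Review bot: The new `logbuffer_device` rule sits under the `# Batery history` comment with no comment of its own, and it is broader than the denial it answers. The quoted AVC is a single `read` on `logbuffer_maxfg_monitor`, while `r_file_perms` on the `logbuffer_device` type covers every node carrying that label (which nodes those are is not visible here). A line such as `# Fuel gauge logbuffer (logbuffer_maxfg_monitor), b/329174074` above the rule would record the intent. If other logbuffer nodes hold data pixelstats_vendor should not read, a dedicated type for this node would be tighter. The same hunk recurs in PATCH 918/921.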
@@ -7,6 +7,7 @@ incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 kernel dm_device blk_file b/315907959 kernel tmpfs chr_file b/315907959 +modem_svc_sit traced_producer_socket sock_file b/331147031 rfsd vendor_cbd_prop file b/317734418 shell sysfs_net file b/329380904 surfaceflinger selinuxfs file b/313804340 From f1baab05304024ab39b3ec12ed503dd033601d37 Mon Sep 17 00:00:00 2001 From: Pablo Gamito Date: Mon, 25 Mar 2024 07:15:31 +0000 Subject: [PATCH 910/921] Remove donotaudit line for b/277155042 Since this bug is now fixed Fixes: 277155042 Test: scanBugreport Change-Id: If2fdbcbd0b0c0edbcc6824235bbfc561e0f43378 --- tracking_denials/dumpstate.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 tracking_denials/dumpstate.te diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te deleted file mode 100644 index 9d082cb8..00000000 --- a/tracking_denials/dumpstate.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/277155042 -dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; From 27e4e3cd9d7b4be40a32847416ae05cfd6b82d5d Mon Sep 17 00:00:00 2001 From: Jan Sebechlebsky Date: Thu, 21 Mar 2024 09:37:55 +0100 Subject: [PATCH 911/921] Remove virtual_camera dumpstate denial entry from bug_map Fix: 312894628 Test: N/A Change-Id: Ia31780377ef121b9347eace64af470926220524b --- tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 6b94d7d3..06ce063e 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,6 +1,4 @@ chre vendor_data_file dir b/301948771 -dumpstate virtual_camera binder b/312894628 -dumpstate virtual_camera process b/312894628 hal_power_default hal_power_default capability b/240632824 hal_vibrator_default default_android_service service_manager b/317316478 incidentd debugfs_wakeup_sources file b/282626428 From 3a2d59d8a93ef1980cc846de4a3b359961463b23 Mon Sep 17 00:00:00 2001 
From: Hungyen Weng Date: Mon, 25 Mar 2024 20:33:16 +0000 Subject: [PATCH 912/921] Allow modem_svc to access modem files and perfetto Bug: 331147031 Bug: 330730987 Test: Confirmed that modem_svc is able to access token db files in modem partition Test: Confiemed that modem_svc can send traces to perfetto Test: Confirmed v2/pixel-health-guard/device-boot-health-check-extra has no modem_svc avc denials. Change-Id: I5fabd3177c758be533ca8bdef3cb3305afd6a5a6 --- tracking_denials/bug_map | 2 +- whitechapel/vendor/google/modem_svc_sit.te | 11 ++++++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 51624460..bb1e6993 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -5,7 +5,6 @@ incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 kernel dm_device blk_file b/315907959 kernel tmpfs chr_file b/315907959 -modem_svc_sit traced_producer_socket sock_file b/331147031 rfsd vendor_cbd_prop file b/317734418 shell sysfs_net file b/329380904 surfaceflinger selinuxfs file b/313804340 @@ -16,3 +15,4 @@ untrusted_app userdebug_or_eng_prop file b/305600845 vendor_init default_prop file b/315104713 vendor_init default_prop file b/316817111 vendor_init default_prop property_service b/315104713 + diff --git a/whitechapel/vendor/google/modem_svc_sit.te b/whitechapel/vendor/google/modem_svc_sit.te index 63dec363..0eb7498d 100644 --- a/whitechapel/vendor/google/modem_svc_sit.te +++ b/whitechapel/vendor/google/modem_svc_sit.te @@ -17,7 +17,7 @@ allow modem_svc_sit radio_vendor_data_file:file create_file_perms; allow modem_svc_sit modem_stat_data_file:dir create_dir_perms; allow modem_svc_sit modem_stat_data_file:file create_file_perms; -allow modem_svc_sit mnt_vendor_file:dir search; +allow modem_svc_sit mnt_vendor_file:dir r_dir_perms; allow modem_svc_sit modem_userdata_file:dir create_dir_perms; allow modem_svc_sit modem_userdata_file:file create_file_perms; 
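Review bot: Widening `mnt_vendor_file:dir` from `search` to `r_dir_perms` in modem_svc_sit.te grants more than the stated goal appears to need. Reaching files below the mount directory presumably needs only `search` on the parent, while `r_dir_perms` also lets the domain open and list that directory. The message cites no `read` or `open` denial on `mnt_vendor_file`, so unless one was observed I would keep `allow modem_svc_sit mnt_vendor_file:dir search;` and rely on the `modem_img_file` rules this commit adds. If listing is required, a comment quoting the denial would justify it. The rest of modem_svc_sit.te lies outside the hunk.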
@@ -33,3 +33,12 @@ get_prop(modem_svc_sit, vendor_logger_prop) # Modem property set_prop(modem_svc_sit, vendor_modem_prop) + +# Write trace data to the Perfetto traced daemon. This requires connecting to +# its producer socket and obtaining a (per-process) tmpfs fd. +perfetto_producer(modem_svc_sit) + +# Allow modem_svc_sit to access modem image file/dir +allow modem_svc_sit modem_img_file:dir r_dir_perms; +allow modem_svc_sit modem_img_file:file r_file_perms; +allow modem_svc_sit modem_img_file:lnk_file r_file_perms; \ No newline at end of file From ec6f15d8129595a6f22f60d9a982e6b0d4361a90 Mon Sep 17 00:00:00 2001 From: kadirpili Date: Fri, 22 Mar 2024 02:51:44 +0000 Subject: [PATCH 913/921] gs101: telephony property for cbd Bug: 316817111 Change-Id: Idf85b27d755cff0fb5fffb088d13b105c25beb3b --- system_ext/private/pixelntnservice_app.te | 5 +++++ system_ext/private/property_contexts | 1 + system_ext/private/seapp_contexts | 3 +++ system_ext/public/pixelntnservice_app.te | 1 + system_ext/public/property.te | 3 ++- whitechapel/vendor/google/cbd.te | 1 + whitechapel/vendor/google/rfsd.te | 1 + whitechapel/vendor/google/vendor_init.te | 2 ++ 8 files changed, 16 insertions(+), 1 deletion(-) create mode 100644 system_ext/private/pixelntnservice_app.te create mode 100644 system_ext/public/pixelntnservice_app.te diff --git a/system_ext/private/pixelntnservice_app.te b/system_ext/private/pixelntnservice_app.te new file mode 100644 index 00000000..8bf71cc9 --- /dev/null +++ b/system_ext/private/pixelntnservice_app.te @@ -0,0 +1,5 @@ +typeattribute pixelntnservice_app coredomain; + +app_domain(pixelntnservice_app); +allow pixelntnservice_app app_api_service:service_manager find; +set_prop(pixelntnservice_app, telephony_modem_prop) diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts index a8e90427..1bc593cc 100644 --- a/system_ext/private/property_contexts +++ b/system_ext/private/property_contexts 
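Review bot: `perfetto_producer(modem_svc_sit)` is granted on every build type, and the message does not say whether modem_svc tracing is meant for production devices. If it is a debugging aid, placing the macro call inside a `userdebug_or_eng` block, the form already used elsewhere in this policy, keeps the producer-socket access off user builds. If it is meant for production, a sentence in the comment saying so would settle the question. Separately, the file now ends without a trailing newline after `allow modem_svc_sit modem_img_file:lnk_file r_file_perms;`, so please terminate the last line. The rest of modem_svc_sit.te lies outside the hunk.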
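Review bot: The new system_ext/private/pixelntnservice_app.te has no comment on its one non-boilerplate rule, `set_prop(pixelntnservice_app, telephony_modem_prop)`. Within this commit that rule makes the app the only domain given write access to the property, while cbd and vendor_init receive `get_prop`, so it decides who controls `telephony.TnNtn.image_switch`. I would add `# PixelNtnService sets telephony.TnNtn.image_switch; cbd and vendor_init only read it` above the rule. A short note on why the domain carries the `coredomain` attribute would help too.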
@@ -5,4 +5,5 @@ persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool persist.modem.esim_profiles_exist u:object_r:esim_modem_prop:s0 exact string # Telephony +telephony.TnNtn.image_switch u:object_r:telephony_modem_prop:s0 exact enum ntn tn telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts index 6ac71499..2f3c6785 100644 --- a/system_ext/private/seapp_contexts +++ b/system_ext/private/seapp_contexts @@ -6,3 +6,6 @@ user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymon # HbmSVManager user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all + +# PixelNtnService +user=system seinfo=platform name=com.google.android.satellite domain=pixelntnservice_app type=app_data_file levelFrom=all diff --git a/system_ext/public/pixelntnservice_app.te b/system_ext/public/pixelntnservice_app.te new file mode 100644 index 00000000..10661b66 --- /dev/null +++ b/system_ext/public/pixelntnservice_app.te @@ -0,0 +1 @@ +type pixelntnservice_app, domain; diff --git a/system_ext/public/property.te b/system_ext/public/property.te index 1abcc84a..bf64eaad 100644 --- a/system_ext/public/property.te +++ b/system_ext/public/property.te @@ -6,7 +6,8 @@ system_vendor_config_prop(esim_modem_prop) # Telephony system_public_prop(telephony_ril_prop) +system_restricted_prop(telephony_modem_prop) userdebug_or_eng(` set_prop(shell, telephony_ril_prop) -') \ No newline at end of file +') diff --git a/whitechapel/vendor/google/cbd.te b/whitechapel/vendor/google/cbd.te index cbd222ff..6b41f57e 100644 --- a/whitechapel/vendor/google/cbd.te +++ b/whitechapel/vendor/google/cbd.te 
@@ -5,6 +5,7 @@ init_daemon_domain(cbd) set_prop(cbd, vendor_modem_prop) set_prop(cbd, vendor_cbd_prop) set_prop(cbd, vendor_rild_prop) +get_prop(cbd, telephony_modem_prop) # Allow cbd to setuid from root to radio # TODO: confirming with vendor via b/182334947 diff --git a/whitechapel/vendor/google/rfsd.te b/whitechapel/vendor/google/rfsd.te index 2f7102fc..f51ba865 100644 --- a/whitechapel/vendor/google/rfsd.te +++ b/whitechapel/vendor/google/rfsd.te @@ -32,6 +32,7 @@ allow rfsd radio_device:chr_file rw_file_perms; # Allow to set rild and modem property set_prop(rfsd, vendor_modem_prop) set_prop(rfsd, vendor_rild_prop) +set_prop(cbd, vendor_cbd_prop) # Allow rfsd to access modem image file/dir allow rfsd modem_img_file:dir r_dir_perms; diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te index 5ff78d4d..3771394b 100644 --- a/whitechapel/vendor/google/vendor_init.te +++ b/whitechapel/vendor/google/vendor_init.te @@ -14,6 +14,8 @@ get_prop(vendor_init, vendor_touchpanel_prop) set_prop(vendor_init, vendor_tcpdump_log_prop) set_prop(vendor_init, vendor_logger_prop) set_prop(vendor_init, esim_modem_prop) +get_prop(vendor_init, telephony_modem_prop) + allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file write; From bddc287c10ef592977723867b993862c096dfc66 Mon Sep 17 00:00:00 2001 
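Review bot: The line added to rfsd.te, `set_prop(cbd, vendor_cbd_prop)`, names the `cbd` domain rather than `rfsd`, so it grants rfsd nothing. The cbd.te hunk in this same commit shows cbd already has that exact rule as a context line. bug_map on this page tracks `rfsd vendor_cbd_prop file b/317734418`, which suggests the intent was read access for rfsd, i.e. `get_prop(rfsd, vendor_cbd_prop)`. If rfsd really has to write the property, use `set_prop(rfsd, vendor_cbd_prop)` and extend the `# Allow to set rild and modem property` comment to mention it. rfsd.te continues outside the hunk.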
From: Spade Lee Date: Tue, 19 Mar 2024 07:54:01 +0000 Subject: [PATCH 914/921] sepolicy: allow kernel to search vendor debugfs audit: type=1400 audit(1710259012.824:4): avc: denied { search } for pid=128 comm="kworker/3:1" name="max77779fg" dev="debugfs" ino=24204 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_maxfg_debugfs:s0 tclass=dir permissive=0 audit: type=1400 audit(1710427790.680:2): avc: denied { search } for pid=10 comm="kworker/u16:1" name="gvotables" dev="debugfs" ino=10582 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_votable_debugfs:s0 tclass=dir permissive=1 audit: type=1400 audit(1710427790.680:3): avc: denied { search } for pid=211 comm="kworker/u16:4" name="google_charger" dev="debugfs" ino=16673 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_charger_debugfs:s0 tclass=dir permissive=1 Bug: 328016570 Bug: 329317898 Test: check all debugfs folders are correctly mounted Change-Id: I13ef8c4d9b0f84a8641cfbe12a7b5cf89a97d3da Signed-off-by: Spade Lee --- whitechapel/vendor/google/kernel.te | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/whitechapel/vendor/google/kernel.te b/whitechapel/vendor/google/kernel.te index f1156829..d44eed68 100644 --- a/whitechapel/vendor/google/kernel.te +++ b/whitechapel/vendor/google/kernel.te @@ -8,7 +8,11 @@ allow kernel per_boot_file:file r_file_perms; allow kernel self:capability2 perfmon; allow kernel self:perf_event cpu; -dontaudit kernel vendor_battery_debugfs:dir search; -dontaudit kernel vendor_maxfg_debugfs:dir { search }; -dontaudit kernel vendor_votable_debugfs:dir { search }; -dontaudit kernel vendor_usb_debugfs:dir search; +userdebug_or_eng(` + allow kernel vendor_battery_debugfs:dir search; + allow kernel vendor_regmap_debugfs:dir search; + allow kernel vendor_usb_debugfs:dir search; + allow kernel vendor_votable_debugfs:dir search; + allow kernel vendor_charger_debugfs:dir search; + allow kernel vendor_maxfg_debugfs:dir search; +') 
From b0daa90c01a3f377715524c91392fe80c9aa5800 Mon Sep 17 00:00:00 2001 From: Enzo Liao Date: Thu, 14 Mar 2024 15:01:43 +0800 Subject: [PATCH 915/921] Move SELinux policies of RamdumpService and SSRestartDetector to /gs-common. New paths (ag/26620507): RamdumpService: device/google/gs-common/ramdump_app SSRestartDetector: device/google/gs-common/ssr_detector_app Bug: 298102808 Design: go/sys-software-logging Test: Manual Change-Id: I568f43ab8ed8f5ab330cbda19cd68bcc12838fdf --- gs101-sepolicy.mk | 3 --- whitechapel/vendor/google/ramdump_app.te | 24 ----------------------- whitechapel/vendor/google/seapp_contexts | 4 ---- whitechapel/vendor/google/ssr_detector.te | 24 ----------------------- 4 files changed, 55 deletions(-) delete mode 100644 whitechapel/vendor/google/ramdump_app.te delete mode 100644 whitechapel/vendor/google/ssr_detector.te diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk index 12768b9e..3e8c9022 100644 --- a/gs101-sepolicy.mk +++ b/gs101-sepolicy.mk @@ -20,9 +20,6 @@ SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs101-sepolicy/system_ext/priv # PowerStats HAL BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats -# sscoredump -BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/sscoredump - # Public PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs101-sepolicy/public diff --git a/whitechapel/vendor/google/ramdump_app.te b/whitechapel/vendor/google/ramdump_app.te deleted file mode 100644 index 308e9fb7..00000000 --- a/whitechapel/vendor/google/ramdump_app.te +++ /dev/null 
@@ -1,24 +0,0 @@ -type ramdump_app, domain; - -userdebug_or_eng(` - app_domain(ramdump_app) - - allow ramdump_app app_api_service:service_manager find; - - allow ramdump_app ramdump_vendor_data_file:file create_file_perms; - allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms; - - set_prop(ramdump_app, vendor_ramdump_prop) - get_prop(ramdump_app, system_boot_reason_prop) - - # To access ramdumpfs. - allow ramdump_app mnt_vendor_file:dir search; - allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms; - allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms; - - # To access subsystem ramdump files and dirs. - allow ramdump_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; - allow ramdump_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; - allow ramdump_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; - allow ramdump_app sscoredump_vendor_data_coredump_file:file r_file_perms; -') diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index f2c53ebc..804c36ce 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts @@ -17,10 +17,6 @@ user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app level user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_app levelFrom=all user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_ims_app levelFrom=all -# coredump/ramdump -user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user -user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all - # grilservice user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te deleted file mode 100644 index f27fcc5b..00000000 
--- a/whitechapel/vendor/google/ssr_detector.te +++ /dev/null @@ -1,24 +0,0 @@ -type ssr_detector_app, domain; - -app_domain(ssr_detector_app) -allow ssr_detector_app app_api_service:service_manager find; -allow ssr_detector_app radio_service:service_manager find; - -allow ssr_detector_app system_app_data_file:dir create_dir_perms; -allow ssr_detector_app system_app_data_file:file create_file_perms; - -allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; -allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; -userdebug_or_eng(` - allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; - allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; - allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; - allow ssr_detector_app sysfs_sjtag:file rw_file_perms; - allow ssr_detector_app proc_vendor_sched:dir search; - allow ssr_detector_app proc_vendor_sched:file rw_file_perms; - allow ssr_detector_app cgroup:file write; -') - -get_prop(ssr_detector_app, vendor_ssrdump_prop) -get_prop(ssr_detector_app, vendor_wifi_version) -get_prop(ssr_detector_app, vendor_aoc_prop) From 6750917d2b0ce72f907d1ddf21831b3eebc6e450 Mon Sep 17 00:00:00 2001 From: Pablo Gamito Date: Fri, 19 Apr 2024 10:48:29 +0000 Subject: [PATCH 916/921] Revert "Remove donotaudit line for b/277155042" This reverts commit f1baab05304024ab39b3ec12ed503dd033601d37. Fixes: 331693615 Reason for revert: b/331693615 Change-Id: I32d6dc1e1b89b430d34da6909590367defd0af9d --- tracking_denials/dumpstate.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 tracking_denials/dumpstate.te diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te new file mode 100644 index 00000000..9d082cb8 --- /dev/null +++ b/tracking_denials/dumpstate.te @@ -0,0 +1,2 @@ +# b/277155042 +dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; 
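Review bot: The restored tracking_denials/dumpstate.te still tags the rule with `# b/277155042`, the bug the reverted commit described as fixed, while this revert is filed against b/331693615. Because `dontaudit` keeps the `find` denial out of the log, that comment is the only pointer to who owns the suppression. I would write `# b/277155042, b/331693615` so the open bug can be found from the policy itself.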
From 5e8b518a770f000490ab10265fd3a29ec25b9037 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 18 Mar 2024 02:58:47 +0000 Subject: [PATCH 917/921] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 329380904 Merged-In: I5ef59058c7c7487a8a9cb238767e019631c5ac63 Change-Id: I5ef59058c7c7487a8a9cb238767e019631c5ac63 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 671bcae6..8bfda1e5 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -9,6 +9,7 @@ kernel dm_device blk_file b/315907959 kernel tmpfs chr_file b/315907959 rild default_prop file b/315720636 rild default_prop file b/315720725 +shell sysfs_net file b/329380904 surfaceflinger selinuxfs file b/313804340 untrusted_app nativetest_data_file dir b/305600845 untrusted_app shell_test_data_file dir b/305600845 From 2034e36abbb870da145acd246a5602a04134d627 Mon Sep 17 00:00:00 2001 From: Spade Lee Date: Thu, 21 Mar 2024 00:29:41 +0000 Subject: [PATCH 918/921] pixelstats_vendor: add logbuffer_device r_file_perms avc: denied { read } for name="logbuffer_maxfg_monitor" dev="tmpfs" ino=1034 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:logbuffer_device:s0 tclass=chr_file permissive=0 Bug: 329174074 Test: no denied log, and able to read logbuffer in pixelstats_vendor Signed-off-by: Spade Lee (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:66d3a4ef4e33553862de92119cd2345b777df1f6) Merged-In: I2c6069f43d17114f937657724dc34e43cf3d48fe Change-Id: I2c6069f43d17114f937657724dc34e43cf3d48fe --- whitechapel/vendor/google/pixelstats_vendor.te | 1 + 1 file changed, 1 insertion(+) diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te index 7496a7ce..33e9511c 100644 --- a/whitechapel/vendor/google/pixelstats_vendor.te +++ b/whitechapel/vendor/google/pixelstats_vendor.te 
@@ -25,6 +25,7 @@ allow pixelstats_vendor fwk_sensor_service:service_manager find; # Batery history allow pixelstats_vendor battery_history_device:chr_file r_file_perms; +allow pixelstats_vendor logbuffer_device:chr_file r_file_perms; #vendor-metrics r_dir_file(pixelstats_vendor, sysfs_vendor_metrics) From 9df205d57fc633fc7524ca8affd22dac467092b9 Mon Sep 17 00:00:00 2001 From: Enzo Liao Date: Thu, 14 Mar 2024 15:01:43 +0800 Subject: [PATCH 919/921] Move SELinux policies of RamdumpService and SSRestartDetector to /gs-common. New paths (ag/26620507): RamdumpService: device/google/gs-common/ramdump_app SSRestartDetector: device/google/gs-common/ssr_detector_app Bug: 298102808 Design: go/sys-software-logging Test: Manual (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b0daa90c01a3f377715524c91392fe80c9aa5800) Merged-In: I568f43ab8ed8f5ab330cbda19cd68bcc12838fdf Change-Id: I568f43ab8ed8f5ab330cbda19cd68bcc12838fdf --- gs101-sepolicy.mk | 3 --- whitechapel/vendor/google/ramdump_app.te | 24 ----------------------- whitechapel/vendor/google/seapp_contexts | 4 ---- whitechapel/vendor/google/ssr_detector.te | 24 ----------------------- 4 files changed, 55 deletions(-) delete mode 100644 whitechapel/vendor/google/ramdump_app.te delete mode 100644 whitechapel/vendor/google/ssr_detector.te diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk index 12768b9e..3e8c9022 100644 --- a/gs101-sepolicy.mk +++ b/gs101-sepolicy.mk @@ -20,9 +20,6 @@ SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs101-sepolicy/system_ext/priv # PowerStats HAL BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats -# sscoredump -BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/sscoredump - # Public PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs101-sepolicy/public diff --git a/whitechapel/vendor/google/ramdump_app.te b/whitechapel/vendor/google/ramdump_app.te deleted file mode 100644 index 308e9fb7..00000000 
--- a/whitechapel/vendor/google/ramdump_app.te +++ /dev/null @@ -1,24 +0,0 @@ -type ramdump_app, domain; - -userdebug_or_eng(` - app_domain(ramdump_app) - - allow ramdump_app app_api_service:service_manager find; - - allow ramdump_app ramdump_vendor_data_file:file create_file_perms; - allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms; - - set_prop(ramdump_app, vendor_ramdump_prop) - get_prop(ramdump_app, system_boot_reason_prop) - - # To access ramdumpfs. - allow ramdump_app mnt_vendor_file:dir search; - allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms; - allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms; - - # To access subsystem ramdump files and dirs. - allow ramdump_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; - allow ramdump_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; - allow ramdump_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; - allow ramdump_app sscoredump_vendor_data_coredump_file:file r_file_perms; -') diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts index f2c53ebc..804c36ce 100644 --- a/whitechapel/vendor/google/seapp_contexts +++ b/whitechapel/vendor/google/seapp_contexts @@ -17,10 +17,6 @@ user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app level user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_app levelFrom=all user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_ims_app levelFrom=all -# coredump/ramdump -user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user -user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all - # grilservice user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all 
diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te deleted file mode 100644 index f27fcc5b..00000000 --- a/whitechapel/vendor/google/ssr_detector.te +++ /dev/null @@ -1,24 +0,0 @@ -type ssr_detector_app, domain; - -app_domain(ssr_detector_app) -allow ssr_detector_app app_api_service:service_manager find; -allow ssr_detector_app radio_service:service_manager find; - -allow ssr_detector_app system_app_data_file:dir create_dir_perms; -allow ssr_detector_app system_app_data_file:file create_file_perms; - -allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; -allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; -userdebug_or_eng(` - allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; - allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; - allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; - allow ssr_detector_app sysfs_sjtag:file rw_file_perms; - allow ssr_detector_app proc_vendor_sched:dir search; - allow ssr_detector_app proc_vendor_sched:file rw_file_perms; - allow ssr_detector_app cgroup:file write; -') - -get_prop(ssr_detector_app, vendor_ssrdump_prop) -get_prop(ssr_detector_app, vendor_wifi_version) -get_prop(ssr_detector_app, vendor_aoc_prop) From 44f0166eb6c7b2a1194ac027efa41b8808e10968 Mon Sep 17 00:00:00 2001 From: chenkris Date: Wed, 20 Mar 2024 10:27:24 +0000 Subject: [PATCH 920/921] Allow fingerprint to access the folder /data/vendor/fingerprint Fix the following avc denial: android.hardwar: type=1400 audit(0.0:20): avc: denied { write } for name="fingerprint" dev="dm-56" ino=36703 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir permissive=0 Bug: 267766859 Test: Tested fingerprint under enforcing mode Change-Id: Id3f00d526dbe044f60aad2198fa65fbe3b6b2c60 --- whitechapel/vendor/google/file_contexts | 1 + 1 file changed, 1 insertion(+) 
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts index 40114760..69e0d3a9 100644 --- a/whitechapel/vendor/google/file_contexts +++ b/whitechapel/vendor/google/file_contexts @@ -362,6 +362,7 @@ # Fingerprint /dev/goodix_fp u:object_r:fingerprint_device:s0 +/data/vendor/fingerprint(/.*)? u:object_r:fingerprint_vendor_data_file:s0 # Wifi Firmware config update /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 From 855cd95dce6b51fd5695d6f9f0cd02e8143c18c9 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 15 May 2024 03:50:37 +0000 Subject: [PATCH 921/921] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 340723222 Bug: 340723303 Bug: 340723030 Test: scanBugreport Bug: 340723303 Bug: 340722537 Bug: 340723222 Bug: 340722772 Test: scanAvcDeniedLogRightAfterReboot Bug: 340723303 Bug: 340723030 Bug: 340723222 Change-Id: I91df897d8ae7d8e4b1b49a7eb20f6bb5fe99755c --- tracking_denials/bug_map | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index bb1e6993..737d604e 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,9 +1,14 @@ + chre vendor_data_file dir b/301948771 +dump_display sysfs file b/340722772 hal_power_default hal_power_default capability b/240632824 +hal_sensors_default sysfs file b/340723303 hal_vibrator_default default_android_service service_manager b/317316478 incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 kernel dm_device blk_file b/315907959 +kernel kernel capability b/340722537 +kernel kernel capability b/340723030 kernel tmpfs chr_file b/315907959 rfsd vendor_cbd_prop file b/317734418 shell sysfs_net file b/329380904 
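Review bot: The file_contexts hunk only assigns the `fingerprint_vendor_data_file` label to `/data/vendor/fingerprint(/.*)?`. It adds neither the type declaration nor any `allow` for `hal_fingerprint_default`, so those presumably exist outside this commit and should be confirmed. The quoted denial was against `vendor_data_file`, so a directory already created on a device keeps that label until it is relabelled, and the test line does not say an upgraded device was checked. A comment such as `# Fingerprint HAL private data` above the new line would also separate it from the `/dev/goodix_fp` device-node entry. file_contexts continues outside the hunk.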
@@ -12,7 +17,7 @@ untrusted_app nativetest_data_file dir b/305600845 untrusted_app shell_test_data_file dir b/305600845 untrusted_app system_data_root_file dir b/305600845 untrusted_app userdebug_or_eng_prop file b/305600845 +vendor_init debugfs_trace_marker file b/340723222 vendor_init default_prop file b/315104713 vendor_init default_prop file b/316817111 vendor_init default_prop property_service b/315104713 -