gs201: Rework sepolicy

TODO: Automatically handle the following: * certs/mac_permissions.xml/keys.conf Change-Id: Idb0636bce2392beb720e420055a7bcb838725a18
2025-12-02 13:46:03 +02:00
parent 4577fe8551
commit 480af963fd
311 changed files with 3072 additions and 2624 deletions
--- a/BoardConfig-common.mk
+++ b/BoardConfig-common.mk
@@ -243,7 +243,26 @@ endif
 BOARD_SYSTEM_KERNEL_MODULES_LOAD := $(strip $(shell cat $(KERNEL_MODULE_DIR)/system_dlkm.modules.load 2>/dev/null))
 BOARD_SYSTEM_KERNEL_MODULES := $(addprefix $(KERNEL_MODULE_DIR)/, $(notdir $(BOARD_SYSTEM_KERNEL_MODULES_LOAD)))

-include device/google/gs201/sepolicy/gs201-sepolicy.mk
+# SEPolicy
+BOARD_VENDOR_SEPOLICY_DIRS += \
+    hardware/google/pixel-sepolicy/googlebattery \
+    hardware/google/pixel-sepolicy/input \
+    hardware/google/pixel-sepolicy/powerstats \
+    device/google/gs201/sepolicy/certificates \
+    device/google/gs201/sepolicy/recovery \
+    device/google/gs201/sepolicy/vendor
+
+PRODUCT_PRIVATE_SEPOLICY_DIRS += \
+    device/google/gs201/sepolicy/product/private
+
+PRODUCT_PUBLIC_SEPOLICY_DIRS += \
+    device/google/gs201/sepolicy/product/public
+
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += \
+    device/google/gs201/sepolicy/system_ext/private
+
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += \
+    device/google/gs201/sepolicy/system_ext/public

 # Battery options
 BOARD_KERNEL_CMDLINE += at24.write_timeout=100
--- a/sepolicy/OWNERS
+++ b/sepolicy/OWNERS
@@ -1,4 +0,0 @@
-include device/google/gs-common:/sepolicy/OWNERS
-
-adamshih@google.com
-
--- a/sepolicy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem
+++ b/sepolicy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem
--- a/sepolicy/whitechapel_pro/certs/app.x509.pem
+++ b/sepolicy/whitechapel_pro/certs/app.x509.pem
--- a/sepolicy/whitechapel_pro/certs/com_google_android_apps_camera_services.x509.pem
+++ b/sepolicy/whitechapel_pro/certs/com_google_android_apps_camera_services.x509.pem
--- a/sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem
+++ b/sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem
--- a/sepolicy/system_ext/private/certs/com_qorvo_uwb.x509.pem
+++ b/sepolicy/system_ext/private/certs/com_qorvo_uwb.x509.pem
--- a/sepolicy/certificates/keys.conf
+++ b/sepolicy/certificates/keys.conf
@@ -0,0 +1,14 @@
+[@GOOGLE]
+ALL : device/google/gs201/sepolicy/certificates/certs/app.x509.pem
+
+[@CAMERASERVICES]
+ALL : device/google/gs201/sepolicy/certificates/certs/com_google_android_apps_camera_services.x509.pem
+
+[@MDS]
+ALL : device/google/gs201/sepolicy/certificates/certs/com_google_mds.x509.pem
+
+[@UWB]
+ALL : device/google/gs201/sepolicy/certificates/certs/com_qorvo_uwb.x509.pem
+
+[@EUICCSUPPORTPIXEL]
+ALL : device/google/gs201/sepolicy/certificates/certs/EuiccSupportPixel.x509.pem
--- a/sepolicy/whitechapel_pro/mac_permissions.xml
+++ b/sepolicy/whitechapel_pro/mac_permissions.xml
@@ -1,8 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <policy>
-
 <!--
-
    * A signature is a hex encoded X.509 certificate or a tag defined in
      keys.conf and is required for each signer tag.
    * A signer tag may contain a seinfo tag and multiple package stanzas.
@@ -22,21 +20,18 @@
 -->
    <!-- google apps key -->
    <signer signature="@GOOGLE" >
-      <seinfo value="google" />
+        <seinfo value="google" />
+    </signer>
+    <signer signature="@CAMERASERVICES" >
+        <seinfo value="CameraServices" />
    </signer>
    <signer signature="@MDS" >
        <seinfo value="mds" />
    </signer>
+    <signer signature="@UWB" >
+        <seinfo value="uwb" />
+    </signer>
    <signer signature="@EUICCSUPPORTPIXEL" >
        <seinfo value="EuiccSupportPixel" />
    </signer>
-    <signer signature="@CAMERAENG" >
-      <seinfo value="CameraEng" />
-    </signer>
-    <signer signature="@CAMERAFISHFOOD" >
-      <seinfo value="CameraFishfood" />
-    </signer>
-    <signer signature="@CAMERASERVICES" >
-      <seinfo value="CameraServices" />
-    </signer>
 </policy>
--- a/sepolicy/gs201-sepolicy.mk
+++ b/sepolicy/gs201-sepolicy.mk
@@ -1,95 +0,0 @@
-# ConnectivityThermalPowerManager
-BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/connectivity_thermal_power_manager
-
-# twoshay
-BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/input
-
-# google_battery service
-BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/googlebattery
-
-# sepolicy that are shared among devices using whitechapel
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs201/sepolicy/whitechapel_pro
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs201/sepolicy/widevine
-
-# unresolved SELinux error log with bug tracking
-BOARD_SEPOLICY_DIRS += device/google/gs201/sepolicy/tracking_denials
-
-PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs201/sepolicy/public
-PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs201/sepolicy/private
-
-# system_ext
-SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/gs201/sepolicy/system_ext/public
-SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs201/sepolicy/system_ext/private
-
-#
-# Pixel-wide
-#
-# Dauntless sepolicy (b/199685763)
-BOARD_SEPOLICY_DIRS += device/google/gs201/sepolicy/dauntless
-
-#   PowerStats HAL
-BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
-
-# Health HAL
-BOARD_SEPOLICY_DIRS += device/google/gs201/sepolicy/health
-
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/aoc/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/audio/sepolicy/common
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/audio/sepolicy/hidl
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/battery_mitigation/sepolicy/vendor
-ifneq ($(filter %_cheetah %_felix %_panther, $(TARGET_PRODUCT)),)
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/bcmbt/dump/sepolicy
-endif
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/bootctrl/sepolicy/aidl
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/camera/sepolicy/vendor
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/chre/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/dauntless/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/display/sepolicy/exynos
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/edgetpu/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/fingerprint/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gear/dumpstate/sepolicy
-ifneq ($(BOARD_WITHOUT_RADIO),true)
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gps/brcm/sepolicy
-endif
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gps/dump/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gpu/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gxp/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/insmod/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/mediacodec/common/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/mediacodec/samsung/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/misc_writer
-ifneq ($(BOARD_WITHOUT_RADIO),true)
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/modem/dump_modemlog/sepolicy
-endif
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/modem/modem_svc_sit/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/nfc/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/performance/experiments/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/performance/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/pixel_metrics/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/pixel_ril/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/radio/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/ramdump_and_coredump/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/sensors/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/soc/sepolicy/freq
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/soc/sepolicy/soc
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/storage/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/storage/sepolicy/tracking_denials
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/telephony/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/thermal/sepolicy/dump
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/thermal/sepolicy/thermal_hal
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/touch/twoshay/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/trusty/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/umfw_stat/sepolicy
-
-PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/camera/sepolicy/product/public
-PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/camera/sepolicy/product/private
-
-PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/betterbug/sepolicy/product/public
-PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/betterbug/sepolicy/product/private
-
-SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/battery_mitigation/sepolicy/system_ext/private
-SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/battery_mitigation/sepolicy/system_ext/public
-
-SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/gs_watchdogd/sepolicy
-
-SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/sota_app/sepolicy/system_ext
--- a/sepolicy/health/file_contexts
+++ b/sepolicy/health/file_contexts
@@ -1 +0,0 @@
-/vendor/bin/hw/android\.hardware\.health-service\.gs201  u:object_r:hal_health_default_exec:s0
--- a/sepolicy/private/debug_camera_app.te
+++ b/sepolicy/private/debug_camera_app.te
@@ -1,16 +0,0 @@
-typeattribute debug_camera_app coredomain;
-
-userdebug_or_eng(`
-	app_domain(debug_camera_app)
-	net_domain(debug_camera_app)
-
-	allow debug_camera_app app_api_service:service_manager find;
-	allow debug_camera_app audioserver_service:service_manager find;
-	allow debug_camera_app cameraserver_service:service_manager find;
-	allow debug_camera_app mediaextractor_service:service_manager find;
-	allow debug_camera_app mediametrics_service:service_manager find;
-	allow debug_camera_app mediaserver_service:service_manager find;
-
-	# Allows camera app to access the PowerHAL.
-	hal_client_domain(debug_camera_app, hal_power)
-')
--- a/sepolicy/private/google_camera_app.te
+++ b/sepolicy/private/google_camera_app.te
@@ -1,17 +0,0 @@
-typeattribute google_camera_app coredomain;
-
-app_domain(google_camera_app)
-net_domain(google_camera_app)
-
-allow google_camera_app app_api_service:service_manager find;
-allow google_camera_app audioserver_service:service_manager find;
-allow google_camera_app cameraserver_service:service_manager find;
-allow google_camera_app mediaextractor_service:service_manager find;
-allow google_camera_app mediametrics_service:service_manager find;
-allow google_camera_app mediaserver_service:service_manager find;
-
-# Allows camera app to access the PowerHAL.
-hal_client_domain(google_camera_app, hal_power)
-
-# Library code may try to access vendor properties, but should be denied
-dontaudit google_camera_app vendor_default_prop:file { getattr map open };
--- a/sepolicy/private/seapp_contexts
+++ b/sepolicy/private/seapp_contexts
@@ -1,11 +0,0 @@
-# Google Camera
-user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
-
-# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
-user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
-
-# Google Camera Eng
-user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
-
-# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
-user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
--- a/sepolicy/private/service_contexts
+++ b/sepolicy/private/service_contexts
@@ -1 +0,0 @@
-telephony.oem.oemrilhook        u:object_r:radio_service:s0
--- a/sepolicy/product/private/pbcs_app.te
+++ b/sepolicy/product/private/pbcs_app.te
@@ -0,0 +1,12 @@
+typeattribute vendor_pbcs_app coredomain;
+
+add_service(vendor_pbcs_app, camera_binder_service)
+add_service(vendor_pbcs_app, camera_cameraidremapper_service)
+add_service(vendor_pbcs_app, camera_lyricconfigprovider_service)
+
+app_domain(vendor_pbcs_app)
+
+allow vendor_pbcs_app app_api_service:service_manager find;
+allow vendor_pbcs_app cameraserver_service:service_manager find;
+
+dontaudit vendor_pbcs_app system_app_data_file:dir *;
--- a/sepolicy/product/private/pcs_app.te
+++ b/sepolicy/product/private/pcs_app.te
@@ -0,0 +1,31 @@
+typeattribute vendor_pcs_app coredomain;
+
+app_domain(vendor_pcs_app)
+
+bluetooth_domain(vendor_pcs_app)
+
+net_domain(vendor_pcs_app)
+
+r_dir_file(vendor_pcs_app, preloads_data_file)
+r_dir_file(vendor_pcs_app, preloads_media_file)
+
+allow vendor_pcs_app app_api_service:service_manager find;
+allow vendor_pcs_app audioserver_service:service_manager find;
+allow vendor_pcs_app cache_file:dir create_dir_perms;
+allow vendor_pcs_app cache_file:file create_file_perms;
+allow vendor_pcs_app cache_file:lnk_file r_file_perms;
+allow vendor_pcs_app cache_recovery_file:dir create_dir_perms;
+allow vendor_pcs_app cache_recovery_file:file create_file_perms;
+allow vendor_pcs_app camera_cameraidremapper_service:service_manager find;
+allow vendor_pcs_app camera_lyricconfigprovider_service:service_manager find;
+allow vendor_pcs_app cameraserver_service:service_manager find;
+allow vendor_pcs_app drmserver_service:service_manager find;
+allow vendor_pcs_app media_rw_data_file:dir create_dir_perms;
+allow vendor_pcs_app media_rw_data_file:file create_file_perms;
+allow vendor_pcs_app mediametrics_service:service_manager find;
+allow vendor_pcs_app mediaserver_service:service_manager find;
+allow vendor_pcs_app nfc_service:service_manager find;
+allow vendor_pcs_app radio_service:service_manager find;
+
+dontaudit vendor_pcs_app device:dir read;
+dontaudit vendor_pcs_app usb_device:dir { open read search };
--- a/sepolicy/product/private/permissioncontroller_app.te
+++ b/sepolicy/product/private/permissioncontroller_app.te
--- a/sepolicy/product/private/radio.te
+++ b/sepolicy/product/private/radio.te
--- a/sepolicy/product/private/seapp_contexts
+++ b/sepolicy/product/private/seapp_contexts
@@ -0,0 +1,4 @@
+user=_app seinfo=CameraServices name=com.google.android.apps.camera.services domain=vendor_pcs_app type=app_data_file levelFrom=all
+user=_app seinfo=CameraServices name=com.google.android.apps.camera.services:* domain=vendor_pcs_app type=app_data_file levelFrom=all
+user=system seinfo=platform name=com.google.pixel.camera.services domain=vendor_pbcs_app type=system_app_data_file levelFrom=all
+user=system seinfo=platform name=com.google.pixel.camera.services:* domain=vendor_pbcs_app type=system_app_data_file levelFrom=all
--- a/sepolicy/product/private/service_contexts
+++ b/sepolicy/product/private/service_contexts
@@ -0,0 +1,4 @@
+com.google.pixel.camera.services.binder.IServiceBinder/default u:object_r:camera_binder_service:s0
+com.google.pixel.camera.services.cameraidremapper.ICameraIdRemapper/default u:object_r:camera_cameraidremapper_service:s0
+com.google.pixel.camera.services.lyricconfigprovider.ILyricConfigProvider/default u:object_r:camera_lyricconfigprovider_service:s0
+telephony.oem.oemrilhook u:object_r:radio_service:s0
--- a/sepolicy/product/public/pbcs_app.te
+++ b/sepolicy/product/public/pbcs_app.te
@@ -0,0 +1 @@
+type vendor_pbcs_app, domain;
--- a/sepolicy/product/public/pcs_app.te
+++ b/sepolicy/product/public/pcs_app.te
@@ -0,0 +1 @@
+type vendor_pcs_app, domain;
--- a/sepolicy/product/public/service.te
+++ b/sepolicy/product/public/service.te
@@ -0,0 +1,3 @@
+type camera_binder_service, hal_service_type, protected_service, service_manager_type;
+type camera_cameraidremapper_service, hal_service_type, protected_service, service_manager_type;
+type camera_lyricconfigprovider_service, hal_service_type, protected_service, service_manager_type;
--- a/sepolicy/public/debug_camera_app.te
+++ b/sepolicy/public/debug_camera_app.te
@@ -1 +0,0 @@
-type debug_camera_app, domain;
--- a/sepolicy/public/google_camera_app.te
+++ b/sepolicy/public/google_camera_app.te
@@ -1 +0,0 @@
-type google_camera_app, domain;
--- a/sepolicy/recovery/fastbootd.te
+++ b/sepolicy/recovery/fastbootd.te
@@ -0,0 +1,8 @@
+recovery_only(`
+  allow fastbootd citadel_device:chr_file rw_file_perms;
+  allow fastbootd custom_ab_block_device:blk_file rw_file_perms;
+  allow fastbootd devinfo_block_device:blk_file rw_file_perms;
+  allow fastbootd sda_block_device:blk_file rw_file_perms;
+  allow fastbootd st54spi_device:chr_file rw_file_perms;
+  allow fastbootd sysfs_ota:file rw_file_perms;
+')
--- a/sepolicy/recovery/hal_bootctl_default.te
+++ b/sepolicy/recovery/hal_bootctl_default.te
@@ -0,0 +1,3 @@
+recovery_only(`
+  allow hal_bootctl_default rootfs:dir r_dir_perms;
+')
--- a/sepolicy/recovery/recovery.te
+++ b/sepolicy/recovery/recovery.te
@@ -0,0 +1,7 @@
+recovery_only(`
+  allow recovery citadel_device:chr_file rw_file_perms;
+  allow recovery st54spi_device:chr_file rw_file_perms;
+  allow recovery sysfs_ota:file rw_file_perms;
+  allow recovery sysfs_scsi_devices_0000:file r_file_perms;
+  allow recovery sysfs_scsi_devices_0000:dir r_dir_perms;
+')
--- a/sepolicy/system_ext/private/bluetooth_gci.te
+++ b/sepolicy/system_ext/private/bluetooth_gci.te
@@ -0,0 +1,9 @@
+init_daemon_domain(bluetooth_gci)
+
+allow bluetooth_gci bluetooth_data_file:dir ra_dir_perms;
+allow bluetooth_gci bluetooth_data_file:file create_file_perms;
+allow bluetooth_gci fuse:dir r_dir_perms;
+allow bluetooth_gci fuse:file r_file_perms;
+allow bluetooth_gci media_rw_data_file:dir ra_dir_perms;
+allow bluetooth_gci media_rw_data_file:file r_file_perms;
+allow bluetooth_gci mnt_user_file:dir search;
--- a/sepolicy/system_ext/private/con_monitor_app.te
+++ b/sepolicy/system_ext/private/con_monitor_app.te
@@ -3,5 +3,6 @@ typeattribute con_monitor_app coredomain;
 app_domain(con_monitor_app)

 set_prop(con_monitor_app, radio_prop)
+
 allow con_monitor_app app_api_service:service_manager find;
 allow con_monitor_app radio_service:service_manager find;
--- a/sepolicy/system_ext/private/connectivity_thermal_power_manager.te
+++ b/sepolicy/system_ext/private/connectivity_thermal_power_manager.te
@@ -0,0 +1,9 @@
+type connectivity_thermal_power_manager, coredomain, domain, system_suspend_internal_server;
+
+app_domain(connectivity_thermal_power_manager)
+
+hal_client_domain(connectivity_thermal_power_manager, hal_power_stats)
+
+allow connectivity_thermal_power_manager app_api_service:service_manager find;
+allow connectivity_thermal_power_manager radio_service:service_manager find;
+allow connectivity_thermal_power_manager system_api_service:service_manager find;
--- a/sepolicy/system_ext/private/dcservice_app.te
+++ b/sepolicy/system_ext/private/dcservice_app.te
@@ -0,0 +1,16 @@
+typeattribute dcservice_app coredomain;
+
+app_domain(dcservice_app)
+
+get_prop(dcservice_app, bluetooth_lea_prop)
+
+net_domain(dcservice_app)
+
+set_prop(dcservice_app, ctl_start_prop)
+
+allow dcservice_app app_api_service:service_manager find;
+allow dcservice_app audioserver_service:service_manager find;
+allow dcservice_app nfc_service:service_manager find;
+allow dcservice_app privapp_data_file:file execute;
+allow dcservice_app privapp_data_file:lnk_file r_file_perms;
+allow dcservice_app radio_service:service_manager find;
--- a/sepolicy/system_ext/private/file.te
+++ b/sepolicy/system_ext/private/file.te
@@ -1,2 +1,2 @@
-
-type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
+type repair_mode_metadata_config_file, file_type, mlstrustedobject;
+type uwb_vendor_data_file, app_data_file_type, data_file_type, file_type;
--- a/sepolicy/system_ext/private/file_contexts
+++ b/sepolicy/system_ext/private/file_contexts
@@ -0,0 +1,4 @@
+/dev/watchdog[0-9] u:object_r:watchdog_device:s0
+/metadata/repair-mode/config(/.*)? u:object_r:repair_mode_metadata_config_file:s0
+/system_ext/bin/bluetooth_gci u:object_r:bluetooth_gci_exec:s0
+/system_ext/bin/gs_watchdogd u:object_r:gs_watchdogd_exec:s0
--- a/sepolicy/system_ext/private/gs_watchdogd.te
+++ b/sepolicy/system_ext/private/gs_watchdogd.te
@@ -0,0 +1,8 @@
+type gs_watchdogd, coredomain, domain;
+type gs_watchdogd_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(gs_watchdogd)
+
+allow gs_watchdogd kmsg_device:chr_file rw_file_perms;
+allow gs_watchdogd sysfs:dir r_dir_perms;
+allow gs_watchdogd watchdog_device:chr_file rw_file_perms;
--- a/sepolicy/system_ext/private/hbmsvmanager_app.te
+++ b/sepolicy/system_ext/private/hbmsvmanager_app.te
@@ -1,11 +1,8 @@
 typeattribute hbmsvmanager_app coredomain;

-app_domain(hbmsvmanager_app);
+app_domain(hbmsvmanager_app)

+allow hbmsvmanager_app app_api_service:service_manager find;
+allow hbmsvmanager_app cameraserver_service:service_manager find;
 allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
 allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
-
-# Standard system services
-allow hbmsvmanager_app app_api_service:service_manager find;
-
-allow hbmsvmanager_app cameraserver_service:service_manager find;
--- a/sepolicy/system_ext/private/keys.conf
+++ b/sepolicy/system_ext/private/keys.conf
@@ -1,3 +0,0 @@
-[@UWB]
-ALL : device/google/gs201/sepolicy/system_ext/private/certs/com_qorvo_uwb.x509.pem
-
--- a/sepolicy/system_ext/private/mac_permissions.xml
+++ b/sepolicy/system_ext/private/mac_permissions.xml
@@ -1,27 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<policy>
-
-<!--
-
-    * A signature is a hex encoded X.509 certificate or a tag defined in
-      keys.conf and is required for each signer tag.
-    * A signer tag may contain a seinfo tag and multiple package stanzas.
-    * A default tag is allowed that can contain policy for all apps not signed with a
-      previously listed cert. It may not contain any inner package stanzas.
-    * Each signer/default/package tag is allowed to contain one seinfo tag. This tag
-      represents additional info that each app can use in setting a SELinux security
-      context on the eventual process.
-    * When a package is installed the following logic is used to determine what seinfo
-      value, if any, is assigned.
-      - All signatures used to sign the app are checked first.
-      - If a signer stanza has inner package stanzas, those stanza will be checked
-        to try and match the package name of the app. If the package name matches
-        then that seinfo tag is used. If no inner package matches then the outer
-        seinfo tag is assigned.
-      - The default tag is consulted last if needed.
-->
-    <!-- google apps key -->
-    <signer signature="@UWB" >
-        <seinfo value="uwb" />
-    </signer>
-</policy>
--- a/sepolicy/system_ext/private/pixelntnservice_app.te
+++ b/sepolicy/system_ext/private/pixelntnservice_app.te
@@ -1,5 +1,7 @@
 typeattribute pixelntnservice_app coredomain;

-app_domain(pixelntnservice_app);
-allow pixelntnservice_app app_api_service:service_manager find;
+app_domain(pixelntnservice_app)
+
 set_prop(pixelntnservice_app, telephony_modem_prop)
+
+allow pixelntnservice_app app_api_service:service_manager find;
--- a/sepolicy/system_ext/private/platform_app.te
+++ b/sepolicy/system_ext/private/platform_app.te
@@ -1,2 +1,3 @@
-# allow systemui access to fingerprint
+get_prop(platform_app, bluetooth_lea_prop)
+
 hal_client_domain(platform_app, hal_fingerprint)
--- a/sepolicy/system_ext/private/property.te
+++ b/sepolicy/system_ext/private/property.te
@@ -0,0 +1 @@
+system_internal_prop(repair_mode_init_prop)
--- a/sepolicy/system_ext/private/property_contexts
+++ b/sepolicy/system_ext/private/property_contexts
@@ -1,6 +1,4 @@
-# Fingerprint (UDFPS) GHBM/LHBM toggle
-persist.fingerprint.ghbm    u:object_r:fingerprint_ghbm_prop:s0    exact    bool
-
-# Telephony
-telephony.TnNtn.image_switch u:object_r:telephony_modem_prop:s0    exact enum ntn tn
-telephony.ril.silent_reset    u:object_r:telephony_ril_prop:s0    exact    bool
+persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool
+repair_mode.init_completed. u:object_r:repair_mode_init_prop:s0 prefix bool
+telephony.TnNtn.image_switch u:object_r:telephony_modem_prop:s0 exact enum ntn tn
+telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool
--- a/sepolicy/system_ext/private/repair_mode_app.te
+++ b/sepolicy/system_ext/private/repair_mode_app.te
@@ -0,0 +1,14 @@
+type repair_mode_app, coredomain, domain;
+
+app_domain(repair_mode_app)
+
+get_prop(repair_mode_app, gsid_prop)
+
+set_prop(repair_mode_app, repair_mode_init_prop)
+
+allow repair_mode_app app_api_service:service_manager find;
+allow repair_mode_app metadata_file:dir search;
+allow repair_mode_app repair_mode_metadata_config_file:dir rw_dir_perms;
+allow repair_mode_app repair_mode_metadata_config_file:file create_file_perms;
+allow repair_mode_app repair_mode_metadata_file:dir search;
+allow repair_mode_app system_api_service:service_manager find;
--- a/sepolicy/system_ext/private/seapp_contexts
+++ b/sepolicy/system_ext/private/seapp_contexts
@@ -1,12 +1,8 @@
-# Domain for connectivity monitor
+user=_app isPrivApp=true name=com.google.android.apps.pixel.dcservice domain=dcservice_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.apps.pixel.dcservice.ui domain=dcservice_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
-
-# HbmSVManager
-user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
-
-# Qorvo UWB system app
-# TODO(b/222204912): Should this run under uwb user?
 user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
-
-# PixelNtnService
+user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
+user=_app seinfo=platform name=com.google.android.connectivitythermalpowermanager domain=connectivity_thermal_power_manager type=app_data_file levelFrom=all
+user=system seinfo=platform name=com.google.android.repairmode domain=repair_mode_app type=app_data_file levelFrom=user
 user=system seinfo=platform name=com.google.android.satellite domain=pixelntnservice_app type=app_data_file levelFrom=all
--- a/sepolicy/system_ext/private/uwb_vendor_app.te
+++ b/sepolicy/system_ext/private/uwb_vendor_app.te
@@ -1,12 +1,7 @@
 app_domain(uwb_vendor_app)

-not_recovery(`
-
 allow uwb_vendor_app app_api_service:service_manager find;
 allow uwb_vendor_app nfc_service:service_manager find;
 allow uwb_vendor_app radio_service:service_manager find;
-
-allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
 allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
-
-')
+allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
--- a/sepolicy/system_ext/public/bluetooth_gci.te
+++ b/sepolicy/system_ext/public/bluetooth_gci.te
@@ -0,0 +1,2 @@
+type bluetooth_gci, coredomain, domain;
+type bluetooth_gci_exec, exec_type, file_type, system_file_type;
--- a/sepolicy/system_ext/public/con_monitor_app.te
+++ b/sepolicy/system_ext/public/con_monitor_app.te
@@ -1,2 +1 @@
-# ConnectivityMonitor app
 type con_monitor_app, domain;
--- a/sepolicy/system_ext/public/dcservice_app.te
+++ b/sepolicy/system_ext/public/dcservice_app.te
@@ -0,0 +1 @@
+type dcservice_app, domain;
--- a/sepolicy/system_ext/public/property.te
+++ b/sepolicy/system_ext/public/property.te
@@ -1,10 +1,5 @@
-# Fingerprint (UDFPS) GHBM/LHBM toggle
-system_vendor_config_prop(fingerprint_ghbm_prop)
-
-# Telephony
 system_public_prop(telephony_ril_prop)
+
 system_restricted_prop(telephony_modem_prop)

-userdebug_or_eng(`
-  set_prop(shell, telephony_ril_prop)
-')
+system_vendor_config_prop(fingerprint_ghbm_prop)
--- a/sepolicy/system_ext/public/uwb_vendor_app.te
+++ b/sepolicy/system_ext/public/uwb_vendor_app.te
@@ -1,2 +1 @@
 type uwb_vendor_app, domain;
-
--- a/sepolicy/tracking_denials/README.txt
+++ b/sepolicy/tracking_denials/README.txt
@@ -1,2 +0,0 @@
-This folder stores known errors detected by PTS. Be sure to remove relevant
-files to reproduce error log on latest ROMs.
--- a/sepolicy/tracking_denials/bluetooth.te
+++ b/sepolicy/tracking_denials/bluetooth.te
@@ -1,2 +0,0 @@
-# b/382362323
-dontaudit bluetooth default_android_service:service_manager { find };
--- a/sepolicy/tracking_denials/bug_map
+++ b/sepolicy/tracking_denials/bug_map
@@ -1,53 +0,0 @@
-aconfigd apex_info_file file b/381326452
-bluetooth audio_config_prop file b/379245738
-dump_display sysfs file b/350831939
-dump_modem sscoredump_vendor_data_coredump_file dir b/361726277
-dump_modem sscoredump_vendor_data_logcat_file dir b/361726277
-dumpstate unlabeled file b/350832009
-hal_audio_default hal_audio_default binder b/395745737
-hal_bluetooth_synabtlinux device chr_file b/386303831
-hal_camera_default aconfig_storage_metadata_file dir b/383013727
-hal_contexthub_default hal_bluetooth_service service_manager b/396573096
-hal_drm_widevine system_userdir_file dir b/393956479
-hal_drm_widevine widevine_sys_vendor_prop file b/393956479
-hal_face_default traced_producer_socket sock_file b/305600808
-hal_power_default hal_power_default capability b/237492146
-hal_sensors_default property_socket sock_file b/373755350
-hal_sensors_default sysfs file b/336451433
-incidentd debugfs_wakeup_sources file b/282626428
-incidentd incidentd anon_inode b/282626428
-init init capability b/379206608
-init-display-sh kmsg_device chr_file b/388949662
-insmod-sh insmod-sh key b/336451874
-insmod-sh kmsg_device chr_file b/388949536
-insmod-sh vendor_edgetpu_debugfs dir b/385858933
-kernel dm_device blk_file b/319403445
-kernel kernel capability b/336451113
-kernel tmpfs chr_file b/321731318
-pixelstats_vendor block_device dir b/369540701
-pixelstats_vendor chre_socket sock_file b/400298488
-platform_app bluetooth_lea_mode_prop file b/402595629
-platform_app vendor_fw_file dir b/377811773
-platform_app vendor_rild_prop file b/377811773
-priv_app audio_config_prop file b/379246129
-priv_app metadata_file dir b/383438008
-ramdump ramdump capability b/369475655
-ramdump_app default_prop file b/386148928
-rfsd vendor_cbd_prop file b/317734397
-shell sysfs_net file b/329380891
-ssr_detector_app default_prop file b/359428005
-surfaceflinger selinuxfs file b/315104594
-system_server vendor_default_prop file b/366116786
-untrusted_app audio_config_prop file b/379245515
-vendor_init debugfs_trace_marker file b/336451787
-vendor_init default_prop file b/315104479
-vendor_init default_prop file b/315104803
-vendor_init default_prop file b/323086703
-vendor_init default_prop file b/323086890
-vendor_init default_prop file b/329380363
-vendor_init default_prop file b/329381126
-vendor_init default_prop property_service b/315104803
-vendor_init default_prop property_service b/359427666
-vendor_init default_prop property_service b/359428317
-zygote aconfig_storage_metadata_file dir b/383949172
-zygote zygote capability b/379206941
--- a/sepolicy/tracking_denials/dmd.te
+++ b/sepolicy/tracking_denials/dmd.te
@@ -1,2 +0,0 @@
-#b/303391666
-dontaudit dmd servicemanager:binder { call };
--- a/sepolicy/tracking_denials/dumpstate.te
+++ b/sepolicy/tracking_denials/dumpstate.te
@@ -1,2 +0,0 @@
-# b/185723618
-dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
--- a/sepolicy/vendor/aocd.te
+++ b/sepolicy/vendor/aocd.te
@@ -0,0 +1,19 @@
+type aocd, domain;
+type aocd_exec, exec_type, file_type, vendor_file_type;
+
+get_prop(aocd, vendor_volte_mif_off)
+
+init_daemon_domain(aocd)
+
+r_dir_file(aocd, persist_aoc_file)
+
+set_prop(aocd, vendor_aoc_prop)
+set_prop(aocd, vendor_timeout_aoc_prop)
+
+allow aocd aoc_device:chr_file rw_file_perms;
+allow aocd device:dir r_dir_perms;
+allow aocd mnt_vendor_file:dir search;
+allow aocd persist_file:dir search;
+allow aocd sysfs_aoc:dir search;
+allow aocd sysfs_aoc_firmware:file w_file_perms;
+allow aocd sysfs_aoc_notifytimeout:file r_file_perms;
--- a/sepolicy/vendor/aocdump.te
+++ b/sepolicy/vendor/aocdump.te
@@ -0,0 +1,4 @@
+type aocdump, domain;
+type aocdump_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(aocdump)
--- a/sepolicy/vendor/aocx.te
+++ b/sepolicy/vendor/aocx.te
@@ -0,0 +1 @@
+type aocx, service_manager_type;
--- a/sepolicy/vendor/aocxd.te
+++ b/sepolicy/vendor/aocxd.te
@@ -0,0 +1,21 @@
+type aocxd, domain;
+type aocxd_exec, exec_type, file_type, vendor_file_type;
+
+add_service(aocxd, aocx)
+
+binder_call(aocxd, dcservice_app)
+
+init_daemon_domain(aocxd)
+
+set_prop(aocxd, vendor_aoc_prop)
+
+vndbinder_use(aocxd)
+
+wakelock_use(aocxd)
+
+allow aocxd aoc_device:chr_file rw_file_perms;
+allow aocxd device:dir r_dir_perms;
+allow aocxd dumpstate:fd use;
+allow aocxd dumpstate:fifo_file write;
+allow aocxd self:global_capability_class_set sys_nice;
+allow aocxd sysfs_aoc:dir search;
--- a/sepolicy/vendor/appdomain.te
+++ b/sepolicy/vendor/appdomain.te
@@ -0,0 +1,6 @@
+get_prop(appdomain, vendor_edgetpu_runtime_prop)
+get_prop(appdomain, vendor_gxp_prop)
+get_prop(appdomain, vendor_hetero_runtime_prop)
+get_prop(appdomain, vendor_tflite_delegate_prop)
+
+neverallow appdomain edgetpu_device:chr_file open;
--- a/sepolicy/whitechapel_pro/attributes
+++ b/sepolicy/whitechapel_pro/attributes
--- a/sepolicy/vendor/audio_prop_restricted.te
+++ b/sepolicy/vendor/audio_prop_restricted.te
@@ -0,0 +1 @@
+vendor_restricted_prop(vendor_audio_prop_restricted)
--- a/sepolicy/vendor/audioserver.te
+++ b/sepolicy/vendor/audioserver.te
@@ -0,0 +1 @@
+allow audioserver audio_device:chr_file r_file_perms;
--- a/sepolicy/vendor/battery_mitigation.te
+++ b/sepolicy/vendor/battery_mitigation.te
@@ -0,0 +1,39 @@
+type battery_mitigation, domain;
+type battery_mitigation_exec, exec_type, file_type, vendor_file_type;
+
+add_service(battery_mitigation, hal_battery_mitigation_service)
+
+binder_call(battery_mitigation, hal_audio_default)
+binder_call(battery_mitigation, servicemanager)
+
+get_prop(battery_mitigation, boot_status_prop)
+get_prop(battery_mitigation, system_boot_reason_prop)
+get_prop(battery_mitigation, vendor_brownout_reason_prop)
+
+hal_client_domain(battery_mitigation, hal_health)
+hal_client_domain(battery_mitigation, hal_thermal)
+
+init_daemon_domain(battery_mitigation)
+
+r_dir_file(battery_mitigation, sysfs_acpm_stats)
+r_dir_file(battery_mitigation, sysfs_batteryinfo)
+r_dir_file(battery_mitigation, sysfs_gpu)
+r_dir_file(battery_mitigation, sysfs_iio_devices)
+r_dir_file(battery_mitigation, sysfs_odpm)
+r_dir_file(battery_mitigation, sysfs_power_stats)
+r_dir_file(battery_mitigation, sysfs_thermal)
+r_dir_file(battery_mitigation, thermal_link_device)
+
+set_prop(battery_mitigation, vendor_brownout_br_feasible_prop)
+set_prop(battery_mitigation, vendor_mitigation_ready_prop)
+
+wakelock_use(battery_mitigation)
+
+allow battery_mitigation dumpstate:fd use;
+allow battery_mitigation dumpstate:fifo_file rw_file_perms;
+allow battery_mitigation fwk_stats_service:service_manager find;
+allow battery_mitigation mitigation_vendor_data_file:dir rw_dir_perms;
+allow battery_mitigation mitigation_vendor_data_file:file create_file_perms;
+allow battery_mitigation sysfs_bcl:dir r_dir_perms;
+allow battery_mitigation sysfs_bcl:file rw_file_perms;
+allow battery_mitigation sysfs_bcl:lnk_file r_file_perms;
--- a/sepolicy/whitechapel_pro/bipchmgr.te
+++ b/sepolicy/whitechapel_pro/bipchmgr.te
@@ -1,9 +1,12 @@
 type bipchmgr, domain;
-type bipchmgr_exec, vendor_file_type, exec_type, file_type;
+type bipchmgr_exec, exec_type, file_type, vendor_file_type;
+
+binder_call(bipchmgr, rild)
+
+get_prop(bipchmgr, hwservicemanager_prop)
+
+hwbinder_use(bipchmgr)
+
 init_daemon_domain(bipchmgr)

-get_prop(bipchmgr, hwservicemanager_prop);
-
 allow bipchmgr hal_exynos_rild_hwservice:hwservice_manager find;
-hwbinder_use(bipchmgr)
-binder_call(bipchmgr, rild)
--- a/sepolicy/vendor/bluetooth.te
+++ b/sepolicy/vendor/bluetooth.te
@@ -0,0 +1,4 @@
+allow bluetooth proc_vendor_sched:dir r_dir_perms;
+allow bluetooth proc_vendor_sched:file w_file_perms;
+
+dontaudit bluetooth default_android_service:service_manager find;
--- a/sepolicy/vendor/bootanim.te
+++ b/sepolicy/vendor/bootanim.te
@@ -0,0 +1 @@
+dontaudit bootanim system_data_file:dir r_dir_perms;
--- a/sepolicy/whitechapel_pro/bootdevice_sysdev.te
+++ b/sepolicy/whitechapel_pro/bootdevice_sysdev.te
@@ -1 +1,3 @@
+type bootdevice_sysdev, dev_type;
+
 allow bootdevice_sysdev sysfs:filesystem associate;
--- a/sepolicy/vendor/bug_map
+++ b/sepolicy/vendor/bug_map
@@ -0,0 +1,48 @@
+aconfigd apex_info_file file b/381326452
+dump_modem sscoredump_vendor_data_coredump_file dir b/416212184
+dump_modem sscoredump_vendor_data_logcat_file dir b/422941831
+grilservice_app graphics_config_writable_prop file b/409896525
+gyotaku_app graphics_config_writable_prop file b/409896487
+hal_audio_default hal_audio_default binder b/395745737
+hal_bluetooth_synabtlinux device chr_file b/386303831
+hal_camera_default aconfig_storage_metadata_file dir b/383013727
+hal_contexthub_default hal_bluetooth_service service_manager b/396573096
+hal_sensors_default property_socket sock_file b/373755350
+hal_sensors_default sysfs file b/336451433
+hardware_info_app graphics_config_writable_prop file b/409895934
+incidentd debugfs_wakeup_sources file b/282626428
+incidentd incidentd anon_inode b/282626428
+init init capability b/379591559
+init-display-sh kmsg_device chr_file b/388949662
+insmod-sh insmod-sh key b/336451874
+insmod-sh kmsg_debug_device chr_file b/410729205
+insmod-sh kmsg_device chr_file b/388949536
+insmod-sh vendor_edgetpu_debugfs dir b/385858933
+kernel kernel capability b/340722537
+logger_app graphics_config_writable_prop file b/409896486
+modem_diagnostic_app graphics_config_writable_prop file b/409895878
+pixelstats_vendor block_device dir b/369540701
+pixelstats_vendor sysfs_pixel_stat dir b/422900204
+pixelstats_vendor sysfs_pixel_stat file b/422900204
+platform_app vendor_fw_file dir b/377811773
+platform_app vendor_rild_prop file b/377811773
+priv_app audio_config_prop file b/379246129
+priv_app metadata_file dir b/383438008
+ramdump proc_bootconfig file b/181615626
+ramdump public_vendor_default_prop file b/161103878
+ramdump ramdump capability b/369475655
+ramdump vendor_hw_plat_prop file b/161103878
+ramdump_app default_prop file b/386149375
+ramdump_app graphics_config_writable_prop file b/409895818
+rfsd vendor_cbd_prop file b/412237886
+shell vendor_intelligence_prop file b/378120929
+ssr_detector_app default_prop file b/422943113
+ssr_detector_app graphics_config_writable_prop file b/409895951
+system_server build_bootimage_prop file b/413561511
+system_server vendor_default_prop file b/366116786
+untrusted_app audio_config_prop file b/379245515
+uwb_vendor_app graphics_config_writable_prop file b/409895896
+vendor_init debugfs_trace_marker file b/336451787
+vendor_init default_prop file b/315104479
+zygote aconfig_storage_metadata_file dir b/383949172
+zygote zygote capability b/379591519
--- a/sepolicy/vendor/cat_engine_service_app.te
+++ b/sepolicy/vendor/cat_engine_service_app.te
@@ -0,0 +1 @@
+type cat_engine_service_app, domain;
--- a/sepolicy/whitechapel_pro/cbd.te
+++ b/sepolicy/whitechapel_pro/cbd.te
@@ -1,64 +1,35 @@
 type cbd, domain;
-type cbd_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(cbd)
+type cbd_exec, exec_type, file_type, vendor_file_type;

-set_prop(cbd, vendor_modem_prop)
-set_prop(cbd, vendor_cbd_prop)
-set_prop(cbd, vendor_rild_prop)
 get_prop(cbd, telephony_modem_prop)

-# Allow cbd to set gid/uid from too to radio
-allow cbd self:capability { setgid setuid };
+init_daemon_domain(cbd)

-allow cbd mnt_vendor_file:dir r_dir_perms;
+r_dir_file(cbd, modem_img_file)

-allow cbd kmsg_device:chr_file rw_file_perms;
+set_prop(cbd, vendor_cbd_prop)
+set_prop(cbd, vendor_modem_prop)
+set_prop(cbd, vendor_rild_prop)

-allow cbd vendor_shell_exec:file execute_no_trans;
-allow cbd vendor_toolbox_exec:file execute_no_trans;
-
-# Allow cbd to access modem block device
 allow cbd block_device:dir search;
+allow cbd kmsg_device:chr_file rw_file_perms;
+allow cbd mnt_vendor_file:dir r_dir_perms;
 allow cbd modem_block_device:blk_file r_file_perms;
-
-# Allow cbd to access sysfs chosen files
-allow cbd sysfs_chosen:file r_file_perms;
-allow cbd sysfs_chosen:dir r_dir_perms;
-
-allow cbd radio_device:chr_file rw_file_perms;
-
-allow cbd proc_cmdline:file r_file_perms;
-
-allow cbd persist_modem_file:dir create_dir_perms;
-allow cbd persist_modem_file:file create_file_perms;
-allow cbd persist_file:dir search;
-
-allow cbd radio_vendor_data_file:dir create_dir_perms;
-allow cbd radio_vendor_data_file:file create_file_perms;
-
-# Allow cbd to operate with modem EFS file/dir
 allow cbd modem_efs_file:dir create_dir_perms;
 allow cbd modem_efs_file:file create_file_perms;
-
-# Allow cbd to operate with modem userdata file/dir
 allow cbd modem_userdata_file:dir create_dir_perms;
 allow cbd modem_userdata_file:file create_file_perms;
-
-# Allow cbd to access modem image file/dir
-allow cbd modem_img_file:dir r_dir_perms;
-allow cbd modem_img_file:file r_file_perms;
-allow cbd modem_img_file:lnk_file r_file_perms;
-
-# Allow cbd to collect crash info
+allow cbd persist_file:dir search;
+allow cbd persist_modem_file:dir create_dir_perms;
+allow cbd persist_modem_file:file create_file_perms;
+allow cbd proc_cmdline:file r_file_perms;
+allow cbd radio_device:chr_file rw_file_perms;
+allow cbd radio_vendor_data_file:dir create_dir_perms;
+allow cbd radio_vendor_data_file:file create_file_perms;
+allow cbd self:capability { setgid setuid };
 allow cbd sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
 allow cbd sscoredump_vendor_data_crashinfo_file:file create_file_perms;
-
-userdebug_or_eng(`
-  r_dir_file(cbd, vendor_slog_file)
-
-  allow cbd kernel:system syslog_read;
-
-  allow cbd sscoredump_vendor_data_coredump_file:dir create_dir_perms;
-  allow cbd sscoredump_vendor_data_coredump_file:file create_file_perms;
-')
-
+allow cbd sysfs_chosen:dir r_dir_perms;
+allow cbd sysfs_chosen:file r_file_perms;
+allow cbd vendor_shell_exec:file execute_no_trans;
+allow cbd vendor_toolbox_exec:file execute_no_trans;
--- a/sepolicy/vendor/cbrs_setup_app.te
+++ b/sepolicy/vendor/cbrs_setup_app.te
@@ -0,0 +1 @@
+type cbrs_setup_app, domain;
--- a/sepolicy/whitechapel_pro/cccdk_timesync_app.te
+++ b/sepolicy/whitechapel_pro/cccdk_timesync_app.te
@@ -1,10 +1,8 @@
 type vendor_cccdktimesync_app, domain;
+
 app_domain(vendor_cccdktimesync_app)

-allow vendor_cccdktimesync_app app_api_service:service_manager find;
-
 binder_call(vendor_cccdktimesync_app, hal_bluetooth_btlinux)
-allow vendor_cccdktimesync_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;

-# allow the HAL to call our registered callbacks
-binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app)
+allow vendor_cccdktimesync_app app_api_service:service_manager find;
+allow vendor_cccdktimesync_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;
--- a/sepolicy/whitechapel_pro/charger_vendor.te
+++ b/sepolicy/whitechapel_pro/charger_vendor.te
@@ -1,10 +1,11 @@
+set_prop(charger_vendor, vendor_battery_defender_prop)
+
 allow charger_vendor mnt_vendor_file:dir search;
-allow charger_vendor sysfs_batteryinfo:file w_file_perms;
-allow charger_vendor persist_file:dir search;
 allow charger_vendor persist_battery_file:dir search;
 allow charger_vendor persist_battery_file:file rw_file_perms;
+allow charger_vendor persist_file:dir search;
+allow charger_vendor sysfs_batteryinfo:file w_file_perms;
 allow charger_vendor sysfs_scsi_devices_0000:file r_file_perms;
 allow charger_vendor sysfs_thermal:file w_file_perms;
 allow charger_vendor sysfs_thermal:lnk_file read;
 allow charger_vendor thermal_link_device:dir search;
-set_prop(charger_vendor, vendor_battery_defender_prop)
--- a/sepolicy/vendor/chre.te
+++ b/sepolicy/vendor/chre.te
@@ -0,0 +1,20 @@
+type chre, domain;
+type chre_exec, exec_type, file_type, vendor_file_type;
+
+binder_call(chre, stats_service_server)
+
+hal_client_domain(chre, hal_graphics_allocator)
+
+init_daemon_domain(chre)
+
+wakelock_use(chre)
+
+allow chre aoc_device:chr_file rw_file_perms;
+allow chre device:dir r_dir_perms;
+allow chre fwk_stats_service:service_manager find;
+allow chre hal_graphics_mapper_hwservice:hwservice_manager find;
+allow chre hal_wifi_ext:binder { call transfer };
+allow chre hal_wifi_ext_hwservice:hwservice_manager find;
+allow chre hal_wifi_ext_service:service_manager find;
+allow chre sysfs_aoc:dir search;
+allow chre sysfs_aoc_boottime:file r_file_perms;
--- a/sepolicy/vendor/citadeld.te
+++ b/sepolicy/vendor/citadeld.te
@@ -0,0 +1,20 @@
+type citadeld, domain;
+type citadeld_exec, exec_type, file_type, vendor_file_type;
+type citadeld_service, vndservice_manager_type;
+
+add_service(citadeld, citadeld_service)
+
+binder_call(citadeld, system_server)
+
+binder_use(citadeld)
+
+init_daemon_domain(citadeld)
+
+set_prop(citadeld, vendor_nos_citadel_version)
+
+vndbinder_use(citadeld)
+
+allow citadeld citadel_device:chr_file rw_file_perms;
+allow citadeld fwk_stats_service:service_manager find;
+allow citadeld hal_power_stats_vendor_service:service_manager find;
+allow citadeld hal_weaver_citadel:binder call;
--- a/sepolicy/whitechapel_pro/con_monitor.te
+++ b/sepolicy/whitechapel_pro/con_monitor.te
--- a/sepolicy/vendor/dcservice_app.te
+++ b/sepolicy/vendor/dcservice_app.te
@@ -0,0 +1,5 @@
+binder_call(dcservice_app, aocxd)
+binder_call(dcservice_app, twoshay)
+
+allow dcservice_app aocx:service_manager find;
+allow dcservice_app touch_context_service:service_manager find;
--- a/sepolicy/vendor/device.te
+++ b/sepolicy/vendor/device.te
@@ -0,0 +1,33 @@
+type amcs_device, dev_type;
+type aoc_device, dev_type;
+type citadel_device, dev_type;
+type custom_ab_block_device, dev_type;
+type devinfo_block_device, dev_type;
+type edgetpu_device, dev_type, isolated_compute_allowed_device, mlstrustedobject;
+type efs_block_device, dev_type;
+type faceauth_heap_device, dev_type, dmabuf_heap_device_type;
+type fingerprint_device, dev_type;
+type fips_block_device, dev_type;
+type gxp_device, dev_type, mlstrustedobject;
+type logbuffer_device, dev_type;
+type lwis_device, dev_type;
+type mfg_data_block_device, dev_type;
+type modem_block_device, dev_type;
+type modem_userdata_block_device, dev_type;
+type persist_block_device, dev_type;
+type pktrouter_device, dev_type;
+type radio_test_device, dev_type;
+type rls_device, dev_type;
+type sda_block_device, dev_type;
+type sensor_direct_heap_device, dev_type, dmabuf_heap_device_type;
+type sg_device, dev_type;
+type sscoredump_device, dev_type;
+type st33spi_device, dev_type;
+type st54spi_device, dev_type;
+type thermal_link_device, dev_type;
+type touch_offload_device, dev_type;
+type trusty_log_device, dev_type;
+type ufs_internal_block_device, dev_type;
+type userdata_exp_block_device, dev_type;
+type vendor_toe_device, dev_type;
+type vscaler_heap_device, dev_type, dmabuf_heap_device_type;
--- a/sepolicy/whitechapel_pro/disable-contaminant-detection-sh.te
+++ b/sepolicy/whitechapel_pro/disable-contaminant-detection-sh.te
@@ -1,7 +1,8 @@
 type disable-contaminant-detection-sh, domain;
-type disable-contaminant-detection-sh_exec, vendor_file_type, exec_type, file_type;
+type disable-contaminant-detection-sh_exec, exec_type, file_type, vendor_file_type;
+
 init_daemon_domain(disable-contaminant-detection-sh)

-allow disable-contaminant-detection-sh vendor_toolbox_exec:file execute_no_trans;
 allow disable-contaminant-detection-sh sysfs_batteryinfo:dir r_dir_perms;
 allow disable-contaminant-detection-sh sysfs_batteryinfo:file rw_file_perms;
+allow disable-contaminant-detection-sh vendor_toolbox_exec:file execute_no_trans;
--- a/sepolicy/whitechapel_pro/dmd.te
+++ b/sepolicy/whitechapel_pro/dmd.te
@@ -1,32 +1,27 @@
 type dmd, domain;
-type dmd_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(dmd)
+type dmd_exec, exec_type, file_type, vendor_file_type;

-# Grant to access serial device for external logging tool
-allow dmd serial_device:chr_file rw_file_perms;
-
-# Grant to access radio device
-allow dmd radio_device:chr_file rw_file_perms;
-
-# Grant to access slog dir/file
-allow dmd vendor_slog_file:dir create_dir_perms;
-allow dmd vendor_slog_file:file create_file_perms;
-
-# Grant to access tcp socket
-allow dmd node:tcp_socket node_bind;
-allow dmd self:tcp_socket { create_socket_perms_no_ioctl listen accept bind };
-
-# Grant to access log related properties
-set_prop(dmd, vendor_diag_prop)
-set_prop(dmd, vendor_slog_prop)
-set_prop(dmd, vendor_modem_prop)
-get_prop(dmd, vendor_persist_config_default_prop)
-
-# Grant to access hwservice manager
-get_prop(dmd, hwservicemanager_prop)
-allow dmd hidl_base_hwservice:hwservice_manager add;
-allow dmd hal_vendor_oem_hwservice:hwservice_manager { add find };
 binder_call(dmd, hwservicemanager)
 binder_call(dmd, modem_diagnostic_app)
 binder_call(dmd, modem_logging_control)
 binder_call(dmd, vendor_telephony_silentlogging_app)
+
+get_prop(dmd, hwservicemanager_prop)
+get_prop(dmd, vendor_persist_config_default_prop)
+
+init_daemon_domain(dmd)
+
+set_prop(dmd, vendor_diag_prop)
+set_prop(dmd, vendor_modem_prop)
+set_prop(dmd, vendor_slog_prop)
+
+allow dmd hal_vendor_oem_hwservice:hwservice_manager { add find };
+allow dmd hidl_base_hwservice:hwservice_manager add;
+allow dmd node:tcp_socket node_bind;
+allow dmd radio_device:chr_file rw_file_perms;
+allow dmd self:tcp_socket { accept create_socket_perms_no_ioctl listen };
+allow dmd serial_device:chr_file rw_file_perms;
+allow dmd vendor_slog_file:dir create_dir_perms;
+allow dmd vendor_slog_file:file create_file_perms;
+
+dontaudit dmd servicemanager:binder call;
--- a/sepolicy/vendor/domain.te
+++ b/sepolicy/vendor/domain.te
@@ -0,0 +1 @@
+get_prop(domain, vendor_arm_runtime_option_prop)
--- a/sepolicy/vendor/dump_aoc.te
+++ b/sepolicy/vendor/dump_aoc.te
@@ -0,0 +1,8 @@
+pixel_bugreport(dump_aoc)
+
+allow dump_aoc aoc_device:chr_file rw_file_perms;
+allow dump_aoc sysfs:dir r_dir_perms;
+allow dump_aoc sysfs_aoc:dir search;
+allow dump_aoc sysfs_aoc_dumpstate:file r_file_perms;
+allow dump_aoc vendor_shell_exec:file execute_no_trans;
+allow dump_aoc vendor_toolbox_exec:file execute_no_trans;
--- a/sepolicy/vendor/dump_camera.te
+++ b/sepolicy/vendor/dump_camera.te
@@ -0,0 +1 @@
+pixel_bugreport(dump_camera)
--- a/sepolicy/vendor/dump_devfreq.te
+++ b/sepolicy/vendor/dump_devfreq.te
@@ -0,0 +1,5 @@
+pixel_bugreport(dump_devfreq)
+
+allow dump_devfreq sysfs_cpu:file r_file_perms;
+allow dump_devfreq sysfs_exynos_bts:dir r_dir_perms;
+allow dump_devfreq sysfs_exynos_bts_stats:file r_file_perms;
--- a/sepolicy/vendor/dump_exynos_display.te
+++ b/sepolicy/vendor/dump_exynos_display.te
@@ -0,0 +1,10 @@
+binder_call(dump_exynos_display, hal_graphics_composer_default)
+
+pixel_bugreport(dump_exynos_display)
+
+vndbinder_use(dump_exynos_display)
+
+allow dump_exynos_display sysfs_display:file r_file_perms;
+allow dump_exynos_display vendor_displaycolor_service:service_manager find;
+allow dump_exynos_display vendor_dumpsys:file execute_no_trans;
+allow dump_exynos_display vendor_shell_exec:file execute_no_trans;
--- a/sepolicy/vendor/dump_exynos_display_userdebug.te
+++ b/sepolicy/vendor/dump_exynos_display_userdebug.te
@@ -0,0 +1 @@
+pixel_bugreport(dump_exynos_display_userdebug)
--- a/sepolicy/vendor/dump_fingerprint.te
+++ b/sepolicy/vendor/dump_fingerprint.te
@@ -0,0 +1,4 @@
+pixel_bugreport(dump_fingerprint)
+
+allow dump_fingerprint fingerprint_vendor_data_file:dir r_dir_perms;
+allow dump_fingerprint fingerprint_vendor_data_file:file r_file_perms;
--- a/sepolicy/vendor/dump_gps.te
+++ b/sepolicy/vendor/dump_gps.te
@@ -0,0 +1 @@
+pixel_bugreport(dump_gps)
--- a/sepolicy/vendor/dump_gsc.te
+++ b/sepolicy/vendor/dump_gsc.te
@@ -0,0 +1,14 @@
+type dump_gsc, domain;
+type dump_gsc_exec, exec_type, file_type, vendor_file_type;
+
+binder_call(dump_gsc, citadeld)
+
+hal_client_domain(dump_gsc, hal_dumpstate)
+
+vndbinder_use(dump_gsc)
+
+allow dump_gsc citadel_updater:file execute_no_trans;
+allow dump_gsc citadeld_service:service_manager find;
+allow dump_gsc dumpstate:fd use;
+allow dump_gsc dumpstate:fifo_file { getattr write };
+allow dump_gsc shell_data_file:file { getattr write };
--- a/sepolicy/vendor/dump_gxp.te
+++ b/sepolicy/vendor/dump_gxp.te
@@ -0,0 +1 @@
+pixel_bugreport(dump_gxp)
--- a/sepolicy/vendor/dump_memory.te
+++ b/sepolicy/vendor/dump_memory.te
@@ -0,0 +1,3 @@
+pixel_bugreport(dump_memory)
+
+allow dump_memory vendor_toolbox_exec:file execute_no_trans;
--- a/sepolicy/vendor/dump_modem.te
+++ b/sepolicy/vendor/dump_modem.te
@@ -0,0 +1,14 @@
+pixel_bugreport(dump_modem)
+
+allow dump_modem logbuffer_device:chr_file r_file_perms;
+allow dump_modem modem_stat_data_file:dir search;
+allow dump_modem modem_stat_data_file:file r_file_perms;
+allow dump_modem radio_vendor_data_file:dir search;
+allow dump_modem radio_vendor_data_file:file r_file_perms;
+allow dump_modem sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+allow dump_modem sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+allow dump_modem sysfs_dump_modem:file r_file_perms;
+allow dump_modem vendor_log_file:dir search;
+allow dump_modem vendor_rfsd_log_file:dir r_dir_perms;
+allow dump_modem vendor_rfsd_log_file:file r_file_perms;
+allow dump_modem vendor_toolbox_exec:file execute_no_trans;
--- a/sepolicy/vendor/dump_modemlog.te
+++ b/sepolicy/vendor/dump_modemlog.te
@@ -0,0 +1,11 @@
+pixel_bugreport(dump_modemlog)
+
+set_prop(dump_modemlog, vendor_modem_prop)
+
+allow dump_modemlog mnt_vendor_file:dir search;
+allow dump_modemlog modem_efs_file:dir search;
+allow dump_modemlog modem_efs_file:file r_file_perms;
+allow dump_modemlog radio_vendor_data_file:dir create_dir_perms;
+allow dump_modemlog radio_vendor_data_file:file create_file_perms;
+allow dump_modemlog vendor_slog_file:dir r_dir_perms;
+allow dump_modemlog vendor_slog_file:file r_file_perms;
--- a/sepolicy/vendor/dump_perf.te
+++ b/sepolicy/vendor/dump_perf.te
@@ -0,0 +1,3 @@
+pixel_bugreport(dump_perf)
+
+allow dump_perf proc_vendor_sched:file r_file_perms;
--- a/sepolicy/vendor/dump_pixel_metrics.te
+++ b/sepolicy/vendor/dump_pixel_metrics.te
@@ -0,0 +1,5 @@
+pixel_bugreport(dump_pixel_metrics)
+
+r_dir_file(dump_pixel_metrics, sysfs_vendor_metrics)
+
+allow dump_pixel_metrics vendor_dumpsys:file execute_no_trans;
--- a/sepolicy/whitechapel_pro/dump_power.te
+++ b/sepolicy/whitechapel_pro/dump_power.te
@@ -1,25 +1,15 @@
-# Allow dumpstate to execute dump_power
-pixel_bugreport(dump_power);
+pixel_bugreport(dump_power)

-allow dump_power sysfs_acpm_stats:dir r_dir_perms;
-allow dump_power sysfs_acpm_stats:file r_file_perms;
-allow dump_power sysfs_cpu:file r_file_perms;
-allow dump_power sysfs_wlc:file r_file_perms;
-allow dump_power sysfs_wlc:dir search;
-allow dump_power sysfs_batteryinfo:dir r_dir_perms;
-allow dump_power sysfs_batteryinfo:file r_file_perms;
+allow dump_power battery_history_device:chr_file r_file_perms;
 allow dump_power logbuffer_device:chr_file r_file_perms;
 allow dump_power mitigation_vendor_data_file:dir r_dir_perms;
 allow dump_power mitigation_vendor_data_file:file r_file_perms;
+allow dump_power sysfs_acpm_stats:dir r_dir_perms;
+allow dump_power sysfs_acpm_stats:file r_file_perms;
+allow dump_power sysfs_batteryinfo:dir r_dir_perms;
+allow dump_power sysfs_batteryinfo:file r_file_perms;
 allow dump_power sysfs_bcl:dir r_dir_perms;
 allow dump_power sysfs_bcl:file r_file_perms;
-allow dump_power battery_history_device:chr_file r_file_perms;
-
-userdebug_or_eng(`
-  r_dir_file(dump_power, vendor_battery_debugfs)
-  r_dir_file(dump_power, vendor_maxfg_debugfs)
-  r_dir_file(dump_power, vendor_charger_debugfs)
-  r_dir_file(dump_power, vendor_votable_debugfs)
-  allow dump_power debugfs:dir r_dir_perms;
-  allow dump_power vendor_usb_debugfs:dir { search };
-')
+allow dump_power sysfs_cpu:file r_file_perms;
+allow dump_power sysfs_wlc:dir search;
+allow dump_power sysfs_wlc:file r_file_perms;
--- a/sepolicy/vendor/dump_radio.te
+++ b/sepolicy/vendor/dump_radio.te
@@ -0,0 +1 @@
+pixel_bugreport(dump_radio)
--- a/sepolicy/vendor/dump_ramdump.te
+++ b/sepolicy/vendor/dump_ramdump.te
@@ -0,0 +1 @@
+pixel_bugreport(dump_ramdump)
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`/vendor/bin/hw/android\.hardware\.health-service\.gs201 u:object_r:hal_health_default_exec:s0`
				`@@ -1 +0,0 @@`
				`telephony.oem.oemrilhook u:object_r:radio_service:s0`
				`@@ -0,0 +1 @@`
				`system_internal_prop(repair_mode_init_prop)`
				`@@ -0,0 +1 @@`
				`vendor_restricted_prop(vendor_audio_prop_restricted)`
				`@@ -0,0 +1 @@`
				`allow audioserver audio_device:chr_file r_file_perms;`
				`@@ -0,0 +1 @@`
				`dontaudit bootanim system_data_file:dir r_dir_perms;`
				`@@ -0,0 +1 @@`
				`get_prop(domain, vendor_arm_runtime_option_prop)`
				`@@ -0,0 +1 @@`
				`pixel_bugreport(dump_exynos_display_userdebug)`