diff --git a/sepolicy/OWNERS b/sepolicy/OWNERS
new file mode 100644
index 0000000..bff635e
--- /dev/null
+++ b/sepolicy/OWNERS
@@ -0,0 +1,3 @@
+include device/google/gs-common:/sepolicy/OWNERS
+
+adamshih@google.com
diff --git a/sepolicy/bug_map b/sepolicy/bug_map
new file mode 100644
index 0000000..c15cd11
--- /dev/null
+++ b/sepolicy/bug_map
@@ -0,0 +1 @@
+vendor_init device_config_configuration_prop property_service b/267843409
diff --git a/sepolicy/legacy/zuma/vendor/debug_camera_app.te b/sepolicy/legacy/zuma/vendor/debug_camera_app.te
new file mode 100644
index 0000000..44859fe
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/debug_camera_app.te
@@ -0,0 +1,9 @@
+userdebug_or_eng(`
+ # Allows GCA-Eng & GCA-Next access the GXP device and properties.
+ allow debug_camera_app gxp_device:chr_file rw_file_perms;
+ get_prop(debug_camera_app, vendor_gxp_prop)
+
+ # Allows GCA-Eng & GCA-Next to find and access the EdgeTPU.
+ allow debug_camera_app edgetpu_app_service:service_manager find;
+ allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+')
diff --git a/sepolicy/legacy/zuma/vendor/device.te b/sepolicy/legacy/zuma/vendor/device.te
new file mode 100644
index 0000000..80bf3f0
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/device.te
@@ -0,0 +1,17 @@
+type persist_block_device, dev_type;
+type custom_ab_block_device, dev_type;
+type mfg_data_block_device, dev_type;
+type ufs_internal_block_device, dev_type;
+type logbuffer_device, dev_type;
+type fingerprint_device, dev_type;
+type uci_device, dev_type;
+
+# Dmabuf heaps
+type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
+type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
+type vscaler_secure_heap_device, dmabuf_heap_device_type, dev_type;
+type framebuffer_secure_heap_device, dmabuf_heap_device_type, dev_type;
+type gcma_camera_heap_device, dmabuf_heap_device_type, dev_type;
+
+# SecureElement SPI device
+type st54spi_device, dev_type;
diff --git a/sepolicy/legacy/zuma/vendor/domain.te b/sepolicy/legacy/zuma/vendor/domain.te
new file mode 100644
index 0000000..a8bad53
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/domain.te
@@ -0,0 +1,5 @@
+allow {domain -appdomain -rs} proc_vendor_sched:dir r_dir_perms;
+allow {domain -appdomain -rs} proc_vendor_sched:file w_file_perms;
+
+# Mali
+get_prop(domain, vendor_arm_runtime_option_prop)
diff --git a/sepolicy/legacy/zuma/vendor/euiccpixel_app.te b/sepolicy/legacy/zuma/vendor/euiccpixel_app.te
new file mode 100644
index 0000000..0e4d65b
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/euiccpixel_app.te
@@ -0,0 +1,21 @@
+type euiccpixel_app, domain;
+app_domain(euiccpixel_app)
+
+allow euiccpixel_app app_api_service:service_manager find;
+allow euiccpixel_app radio_service:service_manager find;
+allow euiccpixel_app nfc_service:service_manager find;
+
+set_prop(euiccpixel_app, vendor_secure_element_prop)
+set_prop(euiccpixel_app, vendor_modem_prop)
+get_prop(euiccpixel_app, dck_prop)
+
+userdebug_or_eng(`
+ net_domain(euiccpixel_app)
+
+ # Access to directly upgrade firmware on st54spi_device used for engineering devices
+ typeattribute st54spi_device mlstrustedobject;
+ allow euiccpixel_app st54spi_device:chr_file rw_file_perms;
+')
+
+# b/265286368 framework UI rendering properties
+dontaudit euiccpixel_app default_prop:file { read };
\ No newline at end of file
diff --git a/sepolicy/legacy/zuma/vendor/hal_bluetooth_btlinux.te b/sepolicy/legacy/zuma/vendor/hal_bluetooth_btlinux.te
new file mode 100644
index 0000000..c496ea0
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/hal_bluetooth_btlinux.te
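Review bot: The second rule, `allow {domain -appdomain -rs} proc_vendor_sched:file w_file_perms;`, grants write access to every non-app domain on the device, and nothing in the hunk says which processes actually need to write the vendor sched knobs. A `domain` minus a few exclusions is hard to audit later; if the set of writers is known, an attribute or an explicit list of domains would be tighter, and if the broad grant is deliberate a comment stating why would help, e.g. `# Vendor sched tunables: every native domain may write; apps and rs stay read-only`.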
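Review bot: `set_prop(euiccpixel_app, vendor_modem_prop)` and `set_prop(euiccpixel_app, vendor_secure_element_prop)` give an app domain write access to modem and secure-element properties in all builds, yet only the userdebug_or_eng block below them carries a comment; a one-line comment on the production grants naming what the app sets them for would let a later reviewer judge whether an app should hold them, and I cannot tell from the hunk which properties those contexts cover. The file also ends without a trailing newline (`\ No newline at end of file`), as do hal_power_default.te, hal_wireless_charger.te, shell.te and tcpdump_logger.te later in this commit; adding the final newline keeps future diffs clean.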
@@ -0,0 +1,9 @@
+# Allow access to always-on compute device node
+allow hal_bluetooth_btlinux aoc_device:chr_file rw_file_perms;
+allow hal_bluetooth_btlinux device:dir r_dir_perms;
+
+allow hal_bluetooth_btlinux vendor_bt_data_file:dir rw_dir_perms;
+allow hal_bluetooth_btlinux vendor_bt_data_file:file create_file_perms;
+
+# allow the HAL to call cccdktimesync registered callbacks
+binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app)
diff --git a/sepolicy/legacy/zuma/vendor/hal_contexthub_default.te b/sepolicy/legacy/zuma/vendor/hal_contexthub_default.te
new file mode 100644
index 0000000..7e0eef2
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/hal_contexthub_default.te
@@ -0,0 +1,2 @@
+# Allow context hub HAL to communicate with daemon via socket
+unix_socket_connect(hal_contexthub_default, chre, chre)
diff --git a/sepolicy/legacy/zuma/vendor/hal_graphics_allocator_default.te b/sepolicy/legacy/zuma/vendor/hal_graphics_allocator_default.te
new file mode 100644
index 0000000..b624db1
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/hal_graphics_allocator_default.te
@@ -0,0 +1,6 @@
+allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default vscaler_secure_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default framebuffer_secure_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default gcma_camera_heap_device:chr_file r_file_perms;
diff --git a/sepolicy/legacy/zuma/vendor/hal_health_default.te b/sepolicy/legacy/zuma/vendor/hal_health_default.te
new file mode 100644
index 0000000..c57ef34
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/hal_health_default.te
@@ -0,0 +1,16 @@
+allow hal_health_default mnt_vendor_file:dir search;
+allow hal_health_default persist_file:dir search;
+allow hal_health_default persist_battery_file:file create_file_perms;
+allow hal_health_default persist_battery_file:dir rw_dir_perms;
+
+set_prop(hal_health_default, vendor_battery_defender_prop)
+set_prop(hal_health_default, vendor_shutdown_prop)
+
+allow hal_health_default fwk_stats_service:service_manager find;
+
+# Access to /sys/devices/platform/13200000.ufs/*
+allow hal_health_default sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms;
+
+allow hal_health_default sysfs_wlc:dir search;
+allow hal_health_default sysfs_batteryinfo:file rw_file_perms;
diff --git a/sepolicy/legacy/zuma/vendor/hal_memtrack_default.te b/sepolicy/legacy/zuma/vendor/hal_memtrack_default.te
new file mode 100644
index 0000000..7554c6f
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/hal_memtrack_default.te
@@ -0,0 +1 @@
+r_dir_file(hal_memtrack_default, sysfs_gpu)
diff --git a/sepolicy/legacy/zuma/vendor/hal_nfc_default.te b/sepolicy/legacy/zuma/vendor/hal_nfc_default.te
new file mode 100644
index 0000000..d71d9e2
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/hal_nfc_default.te
@@ -0,0 +1,5 @@
+# HAL NFC property
+get_prop(hal_nfc_default, vendor_nfc_prop)
+
+# SecureElement property
+set_prop(hal_nfc_default, vendor_secure_element_prop)
diff --git a/sepolicy/legacy/zuma/vendor/hal_power_default.te b/sepolicy/legacy/zuma/vendor/hal_power_default.te
new file mode 100644
index 0000000..bb86aad
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/hal_power_default.te
@@ -0,0 +1,7 @@
+allow hal_power_default sysfs_gpu:file rw_file_perms;
+allow hal_power_default sysfs_fabric:file rw_file_perms;
+allow hal_power_default sysfs_camera:file rw_file_perms;
+allow hal_power_default sysfs_em_profile:file rw_file_perms;
+allow hal_power_default sysfs_display:file rw_file_perms;
+allow hal_power_default sysfs_trusty:file rw_file_perms;
+set_prop(hal_power_default, vendor_camera_prop);
\ No newline at end of file
diff --git a/sepolicy/legacy/zuma/vendor/hal_radioext_default.te b/sepolicy/legacy/zuma/vendor/hal_radioext_default.te
new file mode 100644
index 0000000..d67f9e8
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/hal_radioext_default.te
@@ -0,0 +1 @@
+allow hal_radioext_default sysfs_display:file rw_file_perms;
diff --git a/sepolicy/legacy/zuma/vendor/hal_secure_element_st54spi_aidl.te b/sepolicy/legacy/zuma/vendor/hal_secure_element_st54spi_aidl.te
new file mode 100644
index 0000000..5110b96
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/hal_secure_element_st54spi_aidl.te
@@ -0,0 +1,7 @@
+type hal_secure_element_st54spi_aidl, domain;
+type hal_secure_element_st54spi_aidl_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secure_element_st54spi_aidl)
+hal_server_domain(hal_secure_element_st54spi_aidl, hal_secure_element)
+allow hal_secure_element_st54spi_aidl st54spi_device:chr_file rw_file_perms;
+allow hal_secure_element_st54spi_aidl nfc_device:chr_file rw_file_perms;
+set_prop(hal_secure_element_st54spi_aidl, vendor_secure_element_prop)
diff --git a/sepolicy/legacy/zuma/vendor/hal_secure_element_uicc.te b/sepolicy/legacy/zuma/vendor/hal_secure_element_uicc.te
new file mode 100644
index 0000000..8cd1cb3
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/hal_secure_element_uicc.te
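Review bot: `set_prop(hal_power_default, vendor_camera_prop);` ends a macro invocation with a `;`, while every other `set_prop`/`get_prop` call in this commit (for example hal_nfc_default.te just above) has none; the same stray semicolon appears on `binder_call(hal_secure_element_uicc, rild);`, `hal_client_domain(hal_sensors_default, hal_thermal);`, `get_prop(pixelstats_vendor, vendor_brownout_reason_prop);`, `binder_call(system_server, hal_camera_default);` and `get_prop(bipchmgr, hwservicemanager_prop);`. The m4 macros already expand to complete statements, so the extra token is at best an empty statement that the policy compiler happens to tolerate; dropping it keeps the files consistent and avoids relying on that tolerance.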
@@ -0,0 +1,12 @@
+type hal_secure_element_uicc, domain;
+type hal_secure_element_uicc_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_secure_element_uicc, hal_secure_element)
+init_daemon_domain(hal_secure_element_uicc)
+
+# Allow writing to system_server pipes during crash dump
+crash_dump_fallback(hal_secure_element_uicc)
+
+# Allow hal_secure_element_uicc to access rild
+binder_call(hal_secure_element_uicc, rild);
+allow hal_secure_element_uicc hal_exynos_rild_hwservice:hwservice_manager find;
diff --git a/sepolicy/legacy/zuma/vendor/hal_sensors_default.te b/sepolicy/legacy/zuma/vendor/hal_sensors_default.te
new file mode 100644
index 0000000..7267dd3
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/hal_sensors_default.te
@@ -0,0 +1,26 @@
+# Allow reading of camera persist files.
+r_dir_file(hal_sensors_default, persist_camera_file)
+
+# Allow access to the files of CDT information.
+r_dir_file(hal_sensors_default, sysfs_chosen)
+
+# Allow sensor HAL to access the thermal service HAL
+hal_client_domain(hal_sensors_default, hal_thermal);
+
+# Allow display_info_service access to the backlight driver.
+allow hal_sensors_default sysfs_write_leds:file rw_file_perms;
+
+# Allow access for dynamic sensor properties.
+get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)
+
+# Allow access to raw HID devices for dynamic sensors.
+allow hal_sensors_default hidraw_device:chr_file rw_file_perms;
+
+# Allow sensor HAL to access the display service HAL
+allow hal_sensors_default hal_pixel_display_service:service_manager find;
+
+# Allow sensor HAL to access the graphics composer.
+binder_call(hal_sensors_default, hal_graphics_composer_default)
+
+# Allow access to the power supply files for MagCC.
+allow hal_sensors_default sysfs_wlc:dir r_dir_perms;
diff --git a/sepolicy/legacy/zuma/vendor/hal_thermal_default.te b/sepolicy/legacy/zuma/vendor/hal_thermal_default.te
new file mode 100644
index 0000000..a573a2a
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/hal_thermal_default.te
@@ -0,0 +1,2 @@
+r_dir_file(hal_thermal_default, sysfs_iio_devices)
+r_dir_file(hal_thermal_default, sysfs_odpm)
diff --git a/sepolicy/legacy/zuma/vendor/hal_wifi_ext.te b/sepolicy/legacy/zuma/vendor/hal_wifi_ext.te
new file mode 100644
index 0000000..9b52d7a
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/hal_wifi_ext.te
@@ -0,0 +1,9 @@
+# Allow wifi_ext to report callbacks to gril-service app
+binder_call(hal_wifi_ext, grilservice_app)
+
+# Write wlan driver/fw version into property
+set_prop(hal_wifi_ext, vendor_wifi_version)
+
+# Allow wifi_ext to read and write /data/vendor/firmware/wifi
+allow hal_wifi_ext updated_wifi_firmware_data_file:dir rw_dir_perms;
+allow hal_wifi_ext updated_wifi_firmware_data_file:file create_file_perms;
diff --git a/sepolicy/legacy/zuma/vendor/hal_wireless_charger.te b/sepolicy/legacy/zuma/vendor/hal_wireless_charger.te
new file mode 100644
index 0000000..17d704d
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/hal_wireless_charger.te
@@ -0,0 +1,7 @@
+type hal_wireless_charger, domain;
+type hal_wireless_charger_exec, exec_type, vendor_file_type, file_type;
+
+allow hal_wireless_charger dumpstate:fd use;
+allow hal_wireless_charger dumpstate:fifo_file rw_file_perms;
+
+binder_call(hal_wireless_charger, systemui_app)
\ No newline at end of file
diff --git a/sepolicy/legacy/zuma/vendor/hwservice.te b/sepolicy/legacy/zuma/vendor/hwservice.te
new file mode 100644
index 0000000..68b8dd7
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/hwservice.te
@@ -0,0 +1,2 @@
+# Fingerprint
+type hal_fingerprint_ext_hwservice, hwservice_manager_type;
diff --git a/sepolicy/legacy/zuma/vendor/init.te b/sepolicy/legacy/zuma/vendor/init.te
new file mode 100644
index 0000000..3d0a8f9
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/init.te
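Review bot: hal_wireless_charger.te declares `hal_wireless_charger_exec` but, unlike hal_secure_element_st54spi_aidl.te and trusty_metricsd.te in this commit, carries no `init_daemon_domain(hal_wireless_charger)` and no `binder_use`/`hal_server_domain` for the service that platform_app, system_app and systemui_app are later allowed to `find`. If those rules come from the shared gs-common policy this is fine, but a comment saying so, e.g. `# Domain transition and binder-server rules live in gs-common`, would spare the next reader from checking whether the daemon is ever transitioned out of init's domain.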
@@ -0,0 +1,13 @@
+allow init mnt_vendor_file:dir mounton;
+allow init custom_ab_block_device:lnk_file relabelto;
+
+# This is needed for chaining a boot partition vbmeta
+# descriptor, where init will probe the boot partition
+# to read the chained vbmeta in the first-stage, then
+# relabel /dev/block/by-name/boot_[a|b] to block_device
+# after loading sepolicy in the second stage.
+allow init boot_block_device:lnk_file relabelto;
+
+allow init persist_file:dir mounton;
+allow init ram_device:blk_file w_file_perms;
+
diff --git a/sepolicy/legacy/zuma/vendor/installd.te b/sepolicy/legacy/zuma/vendor/installd.te
new file mode 100644
index 0000000..44e74c6
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/installd.te
@@ -0,0 +1 @@
+dontaudit installd modem_img_file:filesystem quotaget;
diff --git a/sepolicy/legacy/zuma/vendor/logd.te b/sepolicy/legacy/zuma/vendor/logd.te
new file mode 100644
index 0000000..ca969d8
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/logd.te
@@ -0,0 +1,4 @@
+r_dir_file(logd, logbuffer_device)
+allow logd logbuffer_device:chr_file r_file_perms;
+allow logd trusty_log_device:chr_file r_file_perms;
+
diff --git a/sepolicy/legacy/zuma/vendor/mediacodec_google.te b/sepolicy/legacy/zuma/vendor/mediacodec_google.te
new file mode 100644
index 0000000..1c6413a
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/mediacodec_google.te
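Review bot: `r_dir_file(logd, logbuffer_device)` expands to read rules on the `dir` and `file` classes, but logbuffer_device is declared `dev_type` in device.te of this same commit, so the nodes carrying that label are character devices and the `file` half of the macro looks dead; the following `allow logd logbuffer_device:chr_file r_file_perms;` is the rule that actually matters. Unless regular files are created with that label somewhere outside this diff, replacing the macro with `allow logd logbuffer_device:dir r_dir_perms;` states the intent exactly and avoids an unexplained grant. The trailing blank line at end of file can go as well.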
@@ -0,0 +1,35 @@
+type mediacodec_google, domain;
+type mediacodec_google_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mediacodec_google)
+
+vndbinder_use(mediacodec_google)
+
+hal_server_domain(mediacodec_google, hal_codec2)
+
+# mediacodec_google may use an input surface from a different Codec2 service
+hal_client_domain(mediacodec_google, hal_codec2)
+
+hal_client_domain(mediacodec_google, hal_graphics_allocator)
+
+allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediacodec_google dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allow mediacodec_google video_device:chr_file rw_file_perms;
+allow mediacodec_google gpu_device:chr_file rw_file_perms;
+
+crash_dump_fallback(mediacodec_google)
+
+# mediacodec_google should never execute any executable without a domain transition
+neverallow mediacodec_google { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediacodec_google domain:{ udp_socket rawip_socket } *;
+neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *;
+
+userdebug_or_eng(`
+ allow mediacodec_google vendor_media_data_file:dir rw_dir_perms;
+ allow mediacodec_google vendor_media_data_file:file create_file_perms;
+')
diff --git a/sepolicy/legacy/zuma/vendor/pixeldisplayservice_app.te b/sepolicy/legacy/zuma/vendor/pixeldisplayservice_app.te
new file mode 100644
index 0000000..e9c8d78
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/pixeldisplayservice_app.te
@@ -0,0 +1,2 @@
+allow pixeldisplayservice_app hal_pixel_display_service:service_manager find;
+binder_call(pixeldisplayservice_app, hal_graphics_composer_default)
diff --git a/sepolicy/legacy/zuma/vendor/pixelstats_vendor.te b/sepolicy/legacy/zuma/vendor/pixelstats_vendor.te
new file mode 100644
index 0000000..192616b
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/pixelstats_vendor.te
@@ -0,0 +1,28 @@
+# Batery history
+allow pixelstats_vendor battery_history_device:chr_file r_file_perms;
+
+# BCL
+allow pixelstats_vendor sysfs_bcl:dir search;
+allow pixelstats_vendor sysfs_bcl:file r_file_perms;
+allow pixelstats_vendor mitigation_vendor_data_file:dir search;
+allow pixelstats_vendor mitigation_vendor_data_file:file rw_file_perms;
+get_prop(pixelstats_vendor, vendor_brownout_reason_prop);
+
+#vendor-metrics
+r_dir_file(pixelstats_vendor, sysfs_vendor_metrics)
+allow pixelstats_vendor sysfs_vendor_metrics:lnk_file r_file_perms;
+allow pixelstats_vendor sysfs_vendor_metrics:file w_file_perms;
+
+# Wireless charge
+allow pixelstats_vendor sysfs_wlc:dir search;
+allow pixelstats_vendor sysfs_wlc:file rw_file_perms;
+
+# PCIe Link Statistics
+allow pixelstats_vendor sysfs_pcie:dir search;
+allow pixelstats_vendor sysfs_pcie:file rw_file_perms;
+
+allow pixelstats_vendor sysfs_pixelstats:file r_file_perms;
+
+#Thermal
+r_dir_file(pixelstats_vendor, sysfs_thermal)
+allow pixelstats_vendor sysfs_thermal:lnk_file r_file_perms;
diff --git a/sepolicy/legacy/zuma/vendor/platform_app.te b/sepolicy/legacy/zuma/vendor/platform_app.te
new file mode 100644
index 0000000..f0586f3
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/platform_app.te
@@ -0,0 +1,3 @@
+# WLC
+allow platform_app hal_wireless_charger_service:service_manager find;
+binder_call(platform_app, hal_wireless_charger)
diff --git a/sepolicy/legacy/zuma/vendor/recovery.te b/sepolicy/legacy/zuma/vendor/recovery.te
new file mode 100644
index 0000000..efbea53
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/recovery.te
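Review bot: The heading `# Batery history` is misspelled; it should read `# Battery history`. More substantively, `allow pixelstats_vendor sysfs_pcie:file rw_file_perms;` and `allow pixelstats_vendor sysfs_wlc:file rw_file_perms;` grant write access to sysfs nodes under headings that only name the subsystem; a statistics collector is expected to read, so one line per section naming what is written (a counter reset, for instance, if that is the case) would make the write grants reviewable instead of looking accidental.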
@@ -0,0 +1,8 @@
+recovery_only(`
+ allow recovery sysfs_ota:file rw_file_perms;
+ allow recovery st54spi_device:chr_file rw_file_perms;
+ allow recovery tee_device:chr_file rw_file_perms;
+ allow recovery sysfs_scsi_devices_0000:file r_file_perms;
+ allow recovery sysfs_scsi_devices_0000:dir r_dir_perms;
+ set_prop(recovery, boottime_prop)
+')
diff --git a/sepolicy/legacy/zuma/vendor/shell.te b/sepolicy/legacy/zuma/vendor/shell.te
new file mode 100644
index 0000000..adc4eb6
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/shell.te
@@ -0,0 +1,2 @@
+# wlc
+dontaudit shell sysfs_wlc:dir search;
\ No newline at end of file
diff --git a/sepolicy/legacy/zuma/vendor/surfaceflinger.te b/sepolicy/legacy/zuma/vendor/surfaceflinger.te
new file mode 100644
index 0000000..403734e
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/surfaceflinger.te
@@ -0,0 +1 @@
+allow surfaceflinger arm_mali_platform_service:service_manager find;
diff --git a/sepolicy/legacy/zuma/vendor/system_app.te b/sepolicy/legacy/zuma/vendor/system_app.te
new file mode 100644
index 0000000..4677e98
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/system_app.te
@@ -0,0 +1,3 @@
+# WLC
+allow system_app hal_wireless_charger_service:service_manager find;
+binder_call(system_app, hal_wireless_charger)
diff --git a/sepolicy/legacy/zuma/vendor/system_server.te b/sepolicy/legacy/zuma/vendor/system_server.te
new file mode 100644
index 0000000..ba41aa7
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/system_server.te
@@ -0,0 +1,3 @@
+binder_call(system_server, hal_camera_default);
+
+allow system_server arm_mali_platform_service:service_manager find;
diff --git a/sepolicy/legacy/zuma/vendor/systemui_app.te b/sepolicy/legacy/zuma/vendor/systemui_app.te
new file mode 100644
index 0000000..034dd0a
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/systemui_app.te
@@ -0,0 +1,10 @@
+allow systemui_app pixel_battery_service_type:service_manager find;
+binder_call(systemui_app, pixel_battery_domain)
+
+allow systemui_app screen_protector_detector_service:service_manager find;
+allow systemui_app touch_context_service:service_manager find;
+binder_call(systemui_app, twoshay)
+
+# WLC
+allow systemui_app hal_wireless_charger_service:service_manager find;
+binder_call(systemui_app, hal_wireless_charger)
diff --git a/sepolicy/legacy/zuma/vendor/tcpdump_logger.te b/sepolicy/legacy/zuma/vendor/tcpdump_logger.te
new file mode 100644
index 0000000..7cf0245
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/tcpdump_logger.te
@@ -0,0 +1,21 @@
+type tcpdump_logger, domain;
+type tcpdump_logger_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+ # make transition from init to its domain
+ init_daemon_domain(tcpdump_logger)
+
+ allow tcpdump_logger self:capability net_raw;
+ allow tcpdump_logger self:packet_socket create_socket_perms;
+ allowxperm tcpdump_logger self:packet_socket ioctl 0x8933;
+ allow tcpdump_logger tcpdump_exec:file rx_file_perms;
+ allow tcpdump_logger tcpdump_vendor_data_file:dir create_dir_perms;
+ allow tcpdump_logger tcpdump_vendor_data_file:file create_file_perms;
+ allow tcpdump_logger tcpdump_vendor_data_file:dir search;
+ allow tcpdump_logger radio_vendor_data_file:file create_file_perms;
+ allow tcpdump_logger radio_vendor_data_file:dir create_dir_perms;
+ allow tcpdump_logger wifi_logging_data_file:file create_file_perms;
+ allow tcpdump_logger wifi_logging_data_file:dir create_dir_perms;
+
+ set_prop(tcpdump_logger, vendor_tcpdump_log_prop)
+')
\ No newline at end of file
diff --git a/sepolicy/legacy/zuma/vendor/tee.te b/sepolicy/legacy/zuma/vendor/tee.te
new file mode 100644
index 0000000..8551b24
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/tee.te
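Review bot: `allowxperm tcpdump_logger self:packet_socket ioctl 0x8933;` uses a bare ioctl number; 0x8933 is SIOCGIFINDEX, and the rule reads better with the name beside it, e.g. `allowxperm tcpdump_logger self:packet_socket ioctl 0x8933; # SIOCGIFINDEX`. The rest of the block is correctly confined to userdebug_or_eng, which is the right scope for the net_raw capability and packet_socket grants; `allow tcpdump_logger tcpdump_vendor_data_file:dir search;` is already covered by the `create_dir_perms` grant two lines above it and can be dropped.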
@@ -0,0 +1,15 @@
+# Handle wake locks
+wakelock_use(tee)
+
+allow tee persist_ss_file:file create_file_perms;
+allow tee persist_ss_file:dir create_dir_perms;
+allow tee persist_file:dir r_dir_perms;
+allow tee mnt_vendor_file:dir r_dir_perms;
+allow tee tee_data_file:dir rw_dir_perms;
+allow tee tee_data_file:lnk_file r_file_perms;
+allow tee block_device:dir search;
+
+# Allow storageproxyd access to gsi_public_metadata_file
+read_fstab(tee)
+
+set_prop(tee, vendor_trusty_storage_prop)
diff --git a/sepolicy/legacy/zuma/vendor/toolbox.te b/sepolicy/legacy/zuma/vendor/toolbox.te
new file mode 100644
index 0000000..9fbbb7a
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/toolbox.te
@@ -0,0 +1,3 @@
+allow toolbox ram_device:blk_file rw_file_perms;
+allow toolbox per_boot_file:dir create_dir_perms;
+allow toolbox per_boot_file:file create_file_perms;
diff --git a/sepolicy/legacy/zuma/vendor/trusty_apploader.te b/sepolicy/legacy/zuma/vendor/trusty_apploader.te
new file mode 100644
index 0000000..983e3a0
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/trusty_apploader.te
@@ -0,0 +1,7 @@
+type trusty_apploader, domain;
+type trusty_apploader_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(trusty_apploader)
+
+allow trusty_apploader ion_device:chr_file r_file_perms;
+allow trusty_apploader tee_device:chr_file rw_file_perms;
+allow trusty_apploader dmabuf_system_heap_device:chr_file r_file_perms;
diff --git a/sepolicy/legacy/zuma/vendor/trusty_metricsd.te b/sepolicy/legacy/zuma/vendor/trusty_metricsd.te
new file mode 100644
index 0000000..63fc85b
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/trusty_metricsd.te
@@ -0,0 +1,11 @@
+type trusty_metricsd, domain;
+type trusty_metricsd_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(trusty_metricsd)
+
+allow trusty_metricsd tee_device:chr_file rw_file_perms;
+
+# For Suez metrics collection
+binder_use(trusty_metricsd)
+binder_call(trusty_metricsd, system_server)
+allow trusty_metricsd fwk_stats_service:service_manager find;
diff --git a/sepolicy/legacy/zuma/vendor/twoshay.te b/sepolicy/legacy/zuma/vendor/twoshay.te
new file mode 100644
index 0000000..219619a
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/twoshay.te
@@ -0,0 +1,4 @@
+# Allow ITouchContextService callback
+binder_call(twoshay, systemui_app)
+
+binder_call(twoshay, hal_radioext_default)
diff --git a/sepolicy/legacy/zuma/vendor/ufs_firmware_update.te b/sepolicy/legacy/zuma/vendor/ufs_firmware_update.te
new file mode 100644
index 0000000..04e532e
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/ufs_firmware_update.te
@@ -0,0 +1,12 @@
+type ufs_firmware_update, domain;
+type ufs_firmware_update_exec, vendor_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ init_daemon_domain(ufs_firmware_update)
+
+ allow ufs_firmware_update vendor_toolbox_exec:file execute_no_trans;
+ allow ufs_firmware_update block_device:dir r_dir_perms;
+ allow ufs_firmware_update ufs_internal_block_device:blk_file rw_file_perms;
+ allow ufs_firmware_update sysfs:dir r_dir_perms;
+ allow ufs_firmware_update sysfs_scsi_devices_0000:file r_file_perms;
+')
diff --git a/sepolicy/legacy/zuma/vendor/update_engine.te b/sepolicy/legacy/zuma/vendor/update_engine.te
new file mode 100644
index 0000000..fb59e4b
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/update_engine.te
@@ -0,0 +1,4 @@
+allow update_engine custom_ab_block_device:blk_file rw_file_perms;
+allow update_engine dtbo_block_device:blk_file rw_file_perms;
+allow update_engine modem_block_device:blk_file rw_file_perms;
+allow update_engine proc_bootconfig:file r_file_perms;
diff --git a/sepolicy/legacy/zuma/vendor/vendor_init.te b/sepolicy/legacy/zuma/vendor/vendor_init.te
new file mode 100644
index 0000000..91e2786
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/vendor_init.te
@@ -0,0 +1,30 @@
+# Fingerprint property
+set_prop(vendor_init, vendor_fingerprint_prop)
+# Battery harness mode property
+set_prop(vendor_init, vendor_battery_defender_prop)
+
+set_prop(vendor_init, logpersistd_logging_prop)
+
+allow vendor_init proc_dirty:file w_file_perms;
+allow vendor_init proc_sched:file w_file_perms;
+allow vendor_init bootdevice_sysdev:file create_file_perms;
+allow vendor_init modem_img_file:filesystem { getattr };
+
+userdebug_or_eng(`
+allow vendor_init vendor_init:lockdown { integrity };
+')
+
+# Camera vendor property
+set_prop(vendor_init, vendor_camera_prop)
+
+# NFC vendor property
+set_prop(vendor_init, vendor_nfc_prop)
+# SecureElement vendor property
+set_prop(vendor_init, vendor_secure_element_prop)
+
+# Mali
+set_prop(vendor_init, vendor_arm_runtime_option_prop)
+set_prop(vendor_init, vendor_ssrdump_prop)
+
+# MM
+allow vendor_init proc_watermark_scale_factor:file w_file_perms;
diff --git a/sepolicy/legacy/zuma/vendor/wifi_sniffer.te b/sepolicy/legacy/zuma/vendor/wifi_sniffer.te
new file mode 100644
index 0000000..1faffce
--- /dev/null
+++ b/sepolicy/legacy/zuma/vendor/wifi_sniffer.te
@@ -0,0 +1,4 @@
+userdebug_or_eng(`
+allow wifi_sniffer sysfs_wifi:dir search;
+allow wifi_sniffer sysfs_wifi:file rw_file_perms;
+')
diff --git a/sepolicy/private/debug_camera_app.te b/sepolicy/private/debug_camera_app.te
new file mode 100644
index 0000000..8250e42
--- /dev/null
+++ b/sepolicy/private/debug_camera_app.te
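Review bot: Inside the userdebug_or_eng block, `allow vendor_init vendor_init:lockdown { integrity };` sits flush-left, and the two rules in wifi_sniffer.te on the same hunk line do the same, whereas every other such block in this commit (recovery.te, tcpdump_logger.te, ufs_firmware_update.te, cat_engine_service_app.te) indents its body; indenting these keeps the debug-only scope visible at a glance. Separately, `set_prop(vendor_init, logpersistd_logging_prop)` is the only property grant in vendor_init.te without a heading comment; a one-line heading naming what vendor init sets it for would match the rest of the file.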
@@ -0,0 +1,16 @@
+typeattribute debug_camera_app coredomain;
+
+userdebug_or_eng(`
+ app_domain(debug_camera_app)
+ net_domain(debug_camera_app)
+
+ allow debug_camera_app app_api_service:service_manager find;
+ allow debug_camera_app audioserver_service:service_manager find;
+ allow debug_camera_app cameraserver_service:service_manager find;
+ allow debug_camera_app mediaextractor_service:service_manager find;
+ allow debug_camera_app mediametrics_service:service_manager find;
+ allow debug_camera_app mediaserver_service:service_manager find;
+
+ # Allows GCA_Eng & GCA-Next to access the PowerHAL.
+ hal_client_domain(debug_camera_app, hal_power)
+')
diff --git a/sepolicy/private/google_camera_app.te b/sepolicy/private/google_camera_app.te
new file mode 100644
index 0000000..4ce84af
--- /dev/null
+++ b/sepolicy/private/google_camera_app.te
@@ -0,0 +1,16 @@
+typeattribute google_camera_app coredomain;
+app_domain(google_camera_app)
+net_domain(google_camera_app)
+
+allow google_camera_app app_api_service:service_manager find;
+allow google_camera_app audioserver_service:service_manager find;
+allow google_camera_app cameraserver_service:service_manager find;
+allow google_camera_app mediaextractor_service:service_manager find;
+allow google_camera_app mediametrics_service:service_manager find;
+allow google_camera_app mediaserver_service:service_manager find;
+
+# Allows GCA to access the PowerHAL.
+hal_client_domain(google_camera_app, hal_power)
+
+# Library code may try to access vendor properties, but should be denied
+dontaudit google_camera_app vendor_default_prop:file { getattr map open };
diff --git a/sepolicy/private/seapp_contexts b/sepolicy/private/seapp_contexts
new file mode 100644
index 0000000..38c4e6e
--- /dev/null
+++ b/sepolicy/private/seapp_contexts
@@ -0,0 +1,11 @@
+# Google Camera
+user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+
+# Google Camera Eng
+user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
+
+# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
+user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
+
+# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
+user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
diff --git a/sepolicy/private/systemui_app.te b/sepolicy/private/systemui_app.te
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/sepolicy/private/systemui_app.te
@@ -0,0 +1 @@
+
diff --git a/sepolicy/private/vendor_init.te b/sepolicy/private/vendor_init.te
new file mode 100644
index 0000000..812f9e1
--- /dev/null
+++ b/sepolicy/private/vendor_init.te
@@ -0,0 +1,2 @@
+# b/277300125
+dontaudit vendor_init device_config_configuration_prop:property_service { set };
diff --git a/sepolicy/public/debug_camera_app.te b/sepolicy/public/debug_camera_app.te
new file mode 100644
index 0000000..6f49768
--- /dev/null
+++ b/sepolicy/public/debug_camera_app.te
@@ -0,0 +1 @@
+type debug_camera_app, domain;
diff --git a/sepolicy/public/google_camera_app.te b/sepolicy/public/google_camera_app.te
new file mode 100644
index 0000000..c93038c
--- /dev/null
+++ b/sepolicy/public/google_camera_app.te
@@ -0,0 +1 @@
+type google_camera_app, domain;
diff --git a/sepolicy/radio/bipchmgr.te b/sepolicy/radio/bipchmgr.te
new file mode 100644
index 0000000..9298e32
--- /dev/null
+++ b/sepolicy/radio/bipchmgr.te
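Review bot: The CameraFishfood rule maps com.google.android.apps.googlecamera.fishfood to `domain=google_camera_app` without `isPrivApp=true`, while the GoogleCamera rule above requires `isPrivApp=true` for the same domain; the comment promises "the same access as GoogleCamera", so the two conditions disagree. If the fishfood package is not installed as a priv-app this is intentional and deserves a comment saying so; otherwise add `isPrivApp=true` to that rule so a non-privileged install carrying the fishfood signature does not land in google_camera_app. The last rule keys on `seinfo=CameraEng` for the same package name, so which of the two fishfood rules applies is decided by the signing certificate alone, which is worth stating in its comment.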
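Review bot: `dontaudit vendor_init device_config_configuration_prop:property_service { set };` silences the same denial that sepolicy/bug_map in this commit annotates with `vendor_init device_config_configuration_prop property_service b/267843409`, and the two cite different bugs (b/277300125 here). As far as bug_map only labels denials that are actually logged, the dontaudit leaves that bug_map entry inert; keep whichever of the two is intended and record the relationship, e.g. `# b/277300125 (b/267843409 in bug_map): vendor_init must not set device_config props; silenced until the writer is fixed`, adjusting the wording to what the bugs actually say.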
@@ -0,0 +1,9 @@
+type bipchmgr, domain;
+type bipchmgr_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(bipchmgr)
+
+get_prop(bipchmgr, hwservicemanager_prop);
+
+allow bipchmgr hal_exynos_rild_hwservice:hwservice_manager find;
+hwbinder_use(bipchmgr)
+binder_call(bipchmgr, rild)
diff --git a/sepolicy/radio/cat_engine_service_app.te b/sepolicy/radio/cat_engine_service_app.te
new file mode 100644
index 0000000..eacf962
--- /dev/null
+++ b/sepolicy/radio/cat_engine_service_app.te
@@ -0,0 +1,8 @@
+type cat_engine_service_app, domain;
+
+userdebug_or_eng(`
+ app_domain(cat_engine_service_app)
+ get_prop(cat_engine_service_app, vendor_rild_prop)
+ allow cat_engine_service_app app_api_service:service_manager find;
+ allow cat_engine_service_app system_app_data_file:dir r_dir_perms;
+')
diff --git a/sepolicy/radio/cbd.te b/sepolicy/radio/cbd.te
new file mode 100644
index 0000000..ae5af2a
--- /dev/null
+++ b/sepolicy/radio/cbd.te
@@ -0,0 +1,62 @@
+type cbd, domain;
+type cbd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(cbd)
+
+set_prop(cbd, vendor_modem_prop)
+set_prop(cbd, vendor_cbd_prop)
+set_prop(cbd, vendor_rild_prop)
+get_prop(cbd, telephony_modem_prop)
+set_prop(cbd, telephony_modemtype_prop)
+
+allow cbd mnt_vendor_file:dir r_dir_perms;
+
+allow cbd kmsg_device:chr_file rw_file_perms;
+
+allow cbd vendor_shell_exec:file execute_no_trans;
+allow cbd vendor_toolbox_exec:file execute_no_trans;
+
+# Allow cbd to access modem block device
+allow cbd block_device:dir search;
+allow cbd modem_block_device:blk_file r_file_perms;
+
+# Allow cbd to access sysfs chosen files
+allow cbd sysfs_chosen:file r_file_perms;
+allow cbd sysfs_chosen:dir r_dir_perms;
+
+allow cbd radio_device:chr_file rw_file_perms;
+
+allow cbd proc_cmdline:file r_file_perms;
+
+allow cbd persist_modem_file:dir create_dir_perms;
+allow cbd persist_modem_file:file create_file_perms;
+allow cbd persist_file:dir search;
+
+allow cbd radio_vendor_data_file:dir create_dir_perms;
+allow cbd radio_vendor_data_file:file create_file_perms;
+
+# Allow cbd to operate with modem EFS file/dir
+allow cbd modem_efs_file:dir create_dir_perms;
+allow cbd modem_efs_file:file create_file_perms;
+
+# Allow cbd to operate with modem userdata file/dir
+allow cbd modem_userdata_file:dir create_dir_perms;
+allow cbd modem_userdata_file:file create_file_perms;
+
+# Allow cbd to access modem image file/dir
+allow cbd modem_img_file:dir r_dir_perms;
+allow cbd modem_img_file:file r_file_perms;
+allow cbd modem_img_file:lnk_file r_file_perms;
+
+# Allow cbd to collect crash info
+allow cbd sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+allow cbd sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+
+userdebug_or_eng(`
+ r_dir_file(cbd, vendor_slog_file)
+
+ allow cbd kernel:system syslog_read;
+
+ allow cbd sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+ allow cbd sscoredump_vendor_data_coredump_file:file create_file_perms;
+')
+
diff --git a/sepolicy/radio/cbrs_setup.te b/sepolicy/radio/cbrs_setup.te
new file mode 100644
index 0000000..1abbcff
--- /dev/null
+++ b/sepolicy/radio/cbrs_setup.te
@@ -0,0 +1,13 @@
+# GoogleCBRS app
+type cbrs_setup_app, domain;
+
+userdebug_or_eng(`
+ app_domain(cbrs_setup_app)
+ net_domain(cbrs_setup_app)
+
+ allow cbrs_setup_app app_api_service:service_manager find;
+ allow cbrs_setup_app cameraserver_service:service_manager find;
+ allow cbrs_setup_app radio_service:service_manager find;
+ set_prop(cbrs_setup_app, radio_prop)
+ set_prop(cbrs_setup_app, vendor_rild_prop)
+')
diff --git a/sepolicy/radio/certs/com_google_mds.x509.pem b/sepolicy/radio/certs/com_google_mds.x509.pem
new file mode 100644
index 0000000..640c6fb
--- /dev/null
+++ b/sepolicy/radio/certs/com_google_mds.x509.pem
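Review bot: `allow cbd vendor_shell_exec:file execute_no_trans;` and `allow cbd vendor_toolbox_exec:file execute_no_trans;` let the daemon run a shell and toolbox inside its own domain, and `allow cbd kmsg_device:chr_file rw_file_perms;` grants read as well as write on the kernel log, all on production builds and all uncommented, unlike the neighbouring rules in this hunk. A comment per grant naming the script or tool cbd invokes and why kernel-log read is needed would let a later reviewer judge whether these can be narrowed (write-only on kmsg, or a dedicated exec type for the script), e.g. `# cbd runs <script> via vendor shell/toolbox during modem boot` and `# kmsg write for modem boot diagnostics; read needed because <reason>` with the placeholders filled in. cbd's grant on `modem_block_device` is read-only here, which is consistent with rfsd being the only writer of that device in this commit.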
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIF1TCCA72gAwIBAgIVAPZ4KZV2jpxRBCoVAidCu62l3cDqMA0GCSqGSIb3DQEBCwUAMHsxCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw
+EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEXMBUGA1UEAwwOY29tX2dvb2ds
+ZV9tZHMwHhcNMTkwNDIyMTQ1NzA1WhcNNDkwNDIyMTQ1NzA1WjB7MQswCQYDVQQGEwJVUzETMBEG
+A1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29vZ2xl
+IEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxFzAVBgNVBAMMDmNvbV9nb29nbGVfbWRzMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqgNC0hhI3NzaPUllJfe01hCTuEpl35D02+DKJ5prPFxv
+6KGTk6skjZOwV87Zf2pyj/cbnv28ioDjwvqMBe4ntFdKtH9gl2tTAVl69HMKXF4Iny/wnrt2mxzh
+WxFUd5PuW+mWug+UQw/NGUuaf5d/yys/RrchHKM1+zBV6aOzH6BXiwDoOF2i43d5GlNQ/tFuMySW
+LJftJN0QULFelxNDFFJZhw2P3c4opxjmF2yCoIiDfBEIhTZFKUbHX6YDLXmtUpXl35q+cxK4TCxP
+URyzwdfiyheF3TTxagfzhvXNg/ifrY67S4qCGfzoEMPxrTz02gS0u3D6r/2+hl9vAJChLKDNdIs6
+TqIw+YnABrELiZLLFnaABnjQ7xC3xv1s3W6dWxaxnoVMtC1YvdgwhC5gSpJ4A+AGcCLv96hoeB1I
+IoGV9Yt0Z97MFpXeHFpAxFZ1F9feBqwOCDbu50dmdKZvqGHZ4Ts3uy7ukDQ08dquHpT+NmqkmmW5
+GGhkuyZS3HHpU/QeVsZiyJCJBbDe5lz6NGXK56ruuF9ILeGHtldjQm40oYRc01ESScyVjSU0kpMO
+C7hn1B7rKAm8xxG7eH04ieQrNnbbee7atOO4C3157W5CqujfLMeo6OCRVtcYkYIuSi8hIPNySu/q
+OaEtEP4owVNZR0H6mCHy5pANsyBofMkCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU
+gk8pmLx8yP3RILwR5am1G10PBEowHwYDVR0jBBgwFoAUgk8pmLx8yP3RILwR5am1G10PBEowDQYJ
+KoZIhvcNAQELBQADggIBAC9iQ1huo6CzjcsB1IIw3WYPYVfHtvG7fiB49QO6cjth8fxM36YOxnMz
+K9Zh89cnFx7BeXG4MdbR3lAWO+wTbEpM/5azAQfqHB/ZEEAo1THtqS58C1bTwJ5zxkA+wL/x1ucT
+EV0QZtPHC1K5nIV5FuICiJjui5FHfj2HYu2A5a5729rdZ7sL8Vgx6TUFKpEPs5iCrlx5X/E+/wJa
+DM5iIjVvrGJJq0VWHHeDJEE+Sw1CDxWYRzvu1WvCvhk149hf4LlfrR0A5t8QJRGx0WwF10DLGgJx
+7epMBpzhMIXc529FTIx4Rx2PcufjTZC9EN7PkLgVfYahWEkt/YIfV/0F6U6viLxdNC5O0pimSV57
+vT6HIthX1OC34eZca0cPqH1kOuhRDKOhbP4yIgdYX6knpvw8aXsYcyTfAmDyrt0EWffeBPedaxMo
+xfijdlsBQUymviUQ8qBbfl1Ew9VoC+VEsiobK7Ubog0IK+82LQ7FOLMoNYnhk5wJ63i1kVvBVAgH
+64PMME2KG//BwYFfKK6jUXibabyNke72+1Jr0xpw1BHJPxNJ8Q8yCBLF0wmXmFJSM+9lSDd10Bni
+FJeMFMQ0T1Sf8GUSIxYYbMK5pDguRs+JOYkUID02ylJ3L6GAnxXCjGWzpdxw29/WWJc+qsYFEIbP
+kKzTUNQHaaLHmcLK22Ht
+-----END CERTIFICATE-----
diff --git a/sepolicy/radio/device.te b/sepolicy/radio/device.te
new file mode 100644
index 0000000..2f1aff7
--- /dev/null
+++ b/sepolicy/radio/device.te
@@ -0,0 +1,3 @@
+type modem_block_device, dev_type;
+type modem_userdata_block_device, dev_type;
+type efs_block_device, dev_type;
diff --git a/sepolicy/radio/dmd.te b/sepolicy/radio/dmd.te
new file mode 100644
index 0000000..be820be
--- /dev/null
+++ b/sepolicy/radio/dmd.te
@@ -0,0 +1,33 @@
+type dmd, domain;
+type dmd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(dmd)
+
+# Grant to access serial device for external logging tool
+allow dmd serial_device:chr_file rw_file_perms;
+
+# Grant to access radio device
+allow dmd radio_device:chr_file rw_file_perms;
+
+# Grant to access slog dir/file
+allow dmd vendor_slog_file:dir create_dir_perms;
+allow dmd vendor_slog_file:file create_file_perms;
+
+# Grant to access tcp socket
+allow dmd node:tcp_socket node_bind;
+allow dmd self:tcp_socket { create_socket_perms_no_ioctl listen accept bind };
+
+# Grant to access log related properties
+set_prop(dmd, vendor_diag_prop)
+set_prop(dmd, vendor_slog_prop)
+set_prop(dmd, vendor_modem_prop)
+get_prop(dmd, vendor_persist_config_default_prop)
+
+# Grant to access hwservice manager
+get_prop(dmd, hwservicemanager_prop)
+allow dmd hidl_base_hwservice:hwservice_manager add;
+allow dmd hal_vendor_oem_hwservice:hwservice_manager { add find };
+binder_call(dmd, hwservicemanager)
+binder_call(dmd, modem_diagnostic_app)
+binder_call(dmd, modem_logging_control)
+binder_call(dmd, vendor_telephony_silentlogging_app)
+binder_call(dmd, liboemservice_proxy_default)
diff --git a/sepolicy/radio/file.te b/sepolicy/radio/file.te
new file mode 100644
index 0000000..a79dfcc
--- /dev/null
+++ b/sepolicy/radio/file.te
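Review bot: `allow dmd node:tcp_socket node_bind;` together with `allow dmd self:tcp_socket { create_socket_perms_no_ioctl listen accept bind };` lets a production vendor daemon open a listening TCP socket, and the comment `# Grant to access tcp socket` does not say what listens, on which interface, or why it is needed on user builds; the identical pair is repeated verbatim in the liboemservice_proxy.te hunk. SELinux cannot constrain the bind address, so the comment should record the purpose and the reason the rules are not under `userdebug_or_eng`, e.g. `# TCP listener for <purpose>; the daemon binds <interface>; needed on user builds because <reason>`, or the pair should move into a `userdebug_or_eng` block if the listener only serves the external logging tool the serial-device comment mentions. Separately, `allow dmd hidl_base_hwservice:hwservice_manager add;` plus `allow dmd hal_vendor_oem_hwservice:hwservice_manager { add find };` hand-expands what the hal_radioext_default.te and rild.te hunks write as `add_hwservice(...)`; `add_hwservice(dmd, hal_vendor_oem_hwservice)` would be consistent and, to my recollection of the platform macro, also emits the neverallow that keeps other domains from registering that hwservice — worth confirming against the platform version in use.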
@@ -0,0 +1,42 @@
+# Data
+type rild_vendor_data_file, file_type, data_file_type;
+type modem_ml_data_file, file_type, data_file_type;
+type modem_stat_data_file, file_type, data_file_type;
+type sysfs_gps, sysfs_type, fs_type;
+type vendor_gps_file, file_type, data_file_type;
+type vendor_log_file, file_type, data_file_type;
+type vendor_rfsd_log_file, file_type, data_file_type;
+type vendor_slog_file, file_type, data_file_type;
+userdebug_or_eng(`
+ typeattribute vendor_slog_file mlstrustedobject;
+ typeattribute vendor_gps_file mlstrustedobject;
+')
+
+# persist
+type persist_modem_file, file_type, vendor_persist_type;
+
+# Modem
+type modem_efs_file, file_type;
+type modem_userdata_file, file_type;
+type sysfs_modem, sysfs_type, fs_type;
+
+# Exynos Firmware
+type vendor_fw_file, vendor_file_type, file_type;
+
+# vendor extra images
+type modem_img_file, contextmount_type, file_type, vendor_file_type;
+allow modem_img_file self:filesystem associate;
+type modem_config_file, file_type, vendor_file_type;
+
+# sysfs
+type sysfs_chosen, sysfs_type, fs_type;
+type sysfs_sjtag, fs_type, sysfs_type;
+userdebug_or_eng(`
+ typeattribute sysfs_sjtag mlstrustedobject;
+')
+
+# Vendor sched files
+userdebug_or_eng(`
+ typeattribute proc_vendor_sched mlstrustedobject;
+')
+
diff --git a/sepolicy/radio/file_contexts b/sepolicy/radio/file_contexts
new file mode 100644
index 0000000..4c25199
--- /dev/null
+++ b/sepolicy/radio/file_contexts
@@ -0,0 +1,43 @@
+# Binaries
+/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
+/vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
+/vendor/bin/vcd u:object_r:vcd_exec:s0
+/vendor/bin/dmd u:object_r:dmd_exec:s0
+/vendor/bin/sced u:object_r:sced_exec:s0
+/vendor/bin/rfsd u:object_r:rfsd_exec:s0
+/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
+/vendor/bin/modem_ml_svc_sit u:object_r:modem_ml_svc_sit_exec:s0
+/vendor/bin/cbd u:object_r:cbd_exec:s0
+/vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
+/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
+/vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0
+/vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0
+
+# Config files
+/vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0
+
+# Data
+/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
+/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
+/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0
+/data/vendor/modem_ml(/.*)? u:object_r:modem_ml_data_file:s0
+/data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0
+/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
+
+# vendor extra images
+/mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0
+/mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0
+/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
+/mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0
+/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0
+
+# Devices
+/dev/ttyGS[0-3] u:object_r:serial_device:s0
+/dev/oem_ipc[0-7] u:object_r:radio_device:s0
+/dev/oem_test u:object_r:radio_device:s0
+/dev/umts_boot0 u:object_r:radio_device:s0
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/umts_ipc1 u:object_r:radio_device:s0
+/dev/umts_rfs0 u:object_r:radio_device:s0
+/dev/umts_dm0 u:object_r:radio_device:s0
+/dev/umts_router u:object_r:radio_device:s0
diff --git a/sepolicy/radio/fsck.te b/sepolicy/radio/fsck.te
new file mode 100644
index 0000000..1095107
--- /dev/null
+++ b/sepolicy/radio/fsck.te
@@ -0,0 +1,4 @@
+allow fsck persist_block_device:blk_file rw_file_perms;
+allow fsck efs_block_device:blk_file rw_file_perms;
+allow fsck modem_userdata_block_device:blk_file rw_file_perms;
+
diff --git a/sepolicy/radio/genfs_contexts b/sepolicy/radio/genfs_contexts
new file mode 100644
index 0000000..d45d42f
--- /dev/null
+++ b/sepolicy/radio/genfs_contexts
@@ -0,0 +1,11 @@
+# SJTAG
+genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0
+genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_r:sysfs_sjtag:s0
+
+genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0
+
+# Modem
+genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0
+genfscon sysfs /devices/platform/cpif/dynamic_pcie_spd/tp_threshold u:object_r:sysfs_modem:s0
+genfscon sysfs /devices/platform/cpif/dynamic_pcie_spd/tp_hysteresis u:object_r:sysfs_modem:s0
+genfscon sysfs /devices/platform/cpif/dynamic_pcie_spd/dynamic_spd_enable u:object_r:sysfs_modem:s0
diff --git a/sepolicy/radio/grilservice_app.te b/sepolicy/radio/grilservice_app.te
new file mode 100644
index 0000000..cb4eec8
--- /dev/null
+++ b/sepolicy/radio/grilservice_app.te
@@ -0,0 +1,24 @@
+type grilservice_app, domain;
+app_domain(grilservice_app)
+
+allow grilservice_app app_api_service:service_manager find;
+allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+allow grilservice_app hal_bluetooth_coexistence_service:service_manager find;
+allow grilservice_app hal_radioext_hwservice:hwservice_manager find;
+allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find;
+allow grilservice_app hal_wifi_ext_service:service_manager find;
+allow grilservice_app hal_audiometricext_hwservice:hwservice_manager find;
+allow grilservice_app hal_exynos_rild_hwservice:hwservice_manager find;
+allow grilservice_app radio_vendor_data_file:dir create_dir_perms;
+allow grilservice_app radio_vendor_data_file:file create_file_perms;
+allow grilservice_app gril_antenna_tuning_service:service_manager find;
+binder_call(grilservice_app, hal_bluetooth_btlinux)
+binder_call(grilservice_app, hal_radioext_default)
+binder_call(grilservice_app, hal_wifi_ext)
+binder_call(grilservice_app, hal_audiometricext_default)
+binder_call(grilservice_app, rild)
+hal_client_domain(grilservice_app, hal_power_stats)
+# Read access to /sys/kernel/irq
+allow grilservice_app sysfs_irq:dir r_dir_perms;
+allow grilservice_app sysfs_irq:file r_file_perms;
+get_prop(grilservice_app, telephony_modemtype_prop)
diff --git a/sepolicy/radio/hal_radioext_default.te b/sepolicy/radio/hal_radioext_default.te
new file mode 100644
index 0000000..c978ffe
--- /dev/null
+++ b/sepolicy/radio/hal_radioext_default.te
@@ -0,0 +1,24 @@
+type hal_radioext_default, domain;
+type hal_radioext_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_radioext_default)
+
+hwbinder_use(hal_radioext_default)
+get_prop(hal_radioext_default, hwservicemanager_prop)
+get_prop(hal_radioext_default, telephony_modemtype_prop)
+set_prop(hal_radioext_default, vendor_gril_prop)
+add_hwservice(hal_radioext_default, hal_radioext_hwservice)
+
+binder_call(hal_radioext_default, servicemanager)
+binder_call(hal_radioext_default, grilservice_app)
+binder_call(hal_radioext_default, hal_bluetooth_btlinux)
+
+# RW /dev/oem_ipc0
+allow hal_radioext_default radio_device:chr_file rw_file_perms;
+
+# RW MIPI Freq files
+allow hal_radioext_default radio_vendor_data_file:dir create_dir_perms;
+allow hal_radioext_default radio_vendor_data_file:file create_file_perms;
+
+# Bluetooth
+allow hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+allow hal_radioext_default hal_bluetooth_coexistence_service:service_manager find;
diff --git a/sepolicy/radio/hwservice.te b/sepolicy/radio/hwservice.te
new file mode 100644
index 0000000..19320cb
--- /dev/null
+++ b/sepolicy/radio/hwservice.te
@@ -0,0 +1,9 @@
+# dmd servcie
+type hal_vendor_oem_hwservice, hwservice_manager_type;
+
+# GRIL service
+type hal_radioext_hwservice, hwservice_manager_type;
+
+# rild service
+type hal_exynos_rild_hwservice, hwservice_manager_type;
+
diff --git a/sepolicy/radio/hwservice_contexts b/sepolicy/radio/hwservice_contexts
new file mode 100644
index 0000000..6453a56
--- /dev/null
+++ b/sepolicy/radio/hwservice_contexts
@@ -0,0 +1,8 @@
+# dmd HAL
+vendor.samsung_slsi.telephony.hardware.oemservice::IOemService u:object_r:hal_vendor_oem_hwservice:s0
+
+# rild HAL
+vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal u:object_r:hal_exynos_rild_hwservice:s0
+
+# GRIL HAL
+vendor.google.radioext::IRadioExt u:object_r:hal_radioext_hwservice:s0
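Review bot: `# dmd servcie` in the hwservice.te hunk is misspelled; `# dmd service` would match the `# GRIL service` and `# rild service` comments that follow it. The hwservice_contexts hunk on this line already uses the spelled-out `# dmd HAL` form, so only the one comment needs the fix.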
diff --git a/sepolicy/radio/hwservicemanager.te b/sepolicy/radio/hwservicemanager.te
new file mode 100644
index 0000000..7b64499
--- /dev/null
+++ b/sepolicy/radio/hwservicemanager.te
@@ -0,0 +1 @@
+binder_call(hwservicemanager, bipchmgr)
diff --git a/sepolicy/radio/init.te b/sepolicy/radio/init.te
new file mode 100644
index 0000000..eb9e465
--- /dev/null
+++ b/sepolicy/radio/init.te
@@ -0,0 +1,4 @@
+allow init modem_efs_file:dir mounton;
+allow init modem_userdata_file:dir mounton;
+allow init modem_img_file:dir mounton;
+allow init modem_img_file:filesystem { getattr mount relabelfrom };
diff --git a/sepolicy/radio/init_radio.te b/sepolicy/radio/init_radio.te
new file mode 100644
index 0000000..3a29edf
--- /dev/null
+++ b/sepolicy/radio/init_radio.te
@@ -0,0 +1,8 @@
+type init_radio, domain;
+type init_radio_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init_radio);
+
+allow init_radio vendor_toolbox_exec:file execute_no_trans;
+allow init_radio radio_vendor_data_file:dir create_dir_perms;
+allow init_radio radio_vendor_data_file:file create_file_perms;
diff --git a/sepolicy/radio/keys.conf b/sepolicy/radio/keys.conf
new file mode 100644
index 0000000..45db97d
--- /dev/null
+++ b/sepolicy/radio/keys.conf
@@ -0,0 +1,3 @@
+[@MDS]
+ALL : device/google/zumapro-sepolicy/radio/certs/com_google_mds.x509.pem
+
diff --git a/sepolicy/radio/liboemservice_proxy.te b/sepolicy/radio/liboemservice_proxy.te
new file mode 100644
index 0000000..9a4a61a
--- /dev/null
+++ b/sepolicy/radio/liboemservice_proxy.te
@@ -0,0 +1,34 @@
+type liboemservice_proxy_default, domain;
+type liboemservice_proxy_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(liboemservice_proxy_default)
+
+# Allow proxy to register as android service.
+binder_use(liboemservice_proxy_default);
+add_service(liboemservice_proxy_default, liboemservice_proxy_service);
+
+get_prop(liboemservice_proxy_default, hwservicemanager_prop)
+binder_call(liboemservice_proxy_default, hwservicemanager)
+binder_call(liboemservice_proxy_default, dmd)
+allow liboemservice_proxy_default hal_vendor_oem_hwservice:hwservice_manager find;
+allow liboemservice_proxy_default radio_vendor_data_file:dir create_dir_perms;
+allow liboemservice_proxy_default radio_vendor_data_file:file create_file_perms;
+
+# Grant to access serial device for external logging tool
+allow liboemservice_proxy_default serial_device:chr_file rw_file_perms;
+
+# Grant to access radio device
+allow liboemservice_proxy_default radio_device:chr_file rw_file_perms;
+
+# Grant to access slog dir/file
+allow liboemservice_proxy_default vendor_slog_file:dir create_dir_perms;
+allow liboemservice_proxy_default vendor_slog_file:file create_file_perms;
+
+# Grant to access tcp socket
+allow liboemservice_proxy_default node:tcp_socket node_bind;
+allow liboemservice_proxy_default self:tcp_socket { create_socket_perms_no_ioctl listen accept bind };
+
+# Grant to access log related properties
+set_prop(liboemservice_proxy_default, vendor_diag_prop)
+set_prop(liboemservice_proxy_default, vendor_slog_prop)
+set_prop(liboemservice_proxy_default, vendor_modem_prop)
+get_prop(liboemservice_proxy_default, vendor_persist_config_default_prop)
diff --git a/sepolicy/radio/logger_app.te b/sepolicy/radio/logger_app.te
new file mode 100644
index 0000000..098955d
--- /dev/null
+++ b/sepolicy/radio/logger_app.te
@@ -0,0 +1,27 @@
+userdebug_or_eng(`
+ allow logger_app vendor_gps_file:file create_file_perms;
+ allow logger_app vendor_gps_file:dir create_dir_perms;
+ allow logger_app vendor_slog_file:file {r_file_perms unlink};
+ allow logger_app radio_vendor_data_file:file create_file_perms;
+ allow logger_app radio_vendor_data_file:dir create_dir_perms;
+ allow logger_app sysfs_sscoredump_level:file r_file_perms;
+
+ r_dir_file(logger_app, sscoredump_vendor_data_coredump_file)
+ r_dir_file(logger_app, sscoredump_vendor_data_crashinfo_file)
+
+ set_prop(logger_app, vendor_audio_prop)
+ set_prop(logger_app, vendor_gps_prop)
+ set_prop(logger_app, vendor_logger_prop)
+ set_prop(logger_app, vendor_modem_prop)
+ set_prop(logger_app, vendor_ramdump_prop)
+ set_prop(logger_app, vendor_rild_prop)
+ set_prop(logger_app, vendor_ssrdump_prop)
+ set_prop(logger_app, vendor_tcpdump_log_prop)
+ set_prop(logger_app, vendor_usb_config_prop)
+ set_prop(logger_app, vendor_wifi_sniffer_prop)
+ set_prop(logger_app, logpersistd_logging_prop)
+ set_prop(logger_app, logd_prop)
+
+ # b/269383459 framework UI rendering properties
+ dontaudit logger_app default_prop:file { read };
+')
diff --git a/sepolicy/radio/mac_permissions.xml b/sepolicy/radio/mac_permissions.xml
new file mode 100644
index 0000000..4b997c2
--- /dev/null
+++ b/sepolicy/radio/mac_permissions.xml
@@ -0,0 +1,27 @@
+
+
+
+
+
+
+
+
+
diff --git a/sepolicy/radio/modem_diagnostic_app.te b/sepolicy/radio/modem_diagnostic_app.te
new file mode 100644
index 0000000..03e3af6
--- /dev/null
+++ b/sepolicy/radio/modem_diagnostic_app.te
@@ -0,0 +1,49 @@
+type modem_diagnostic_app, domain;
+
+app_domain(modem_diagnostic_app)
+net_domain(modem_diagnostic_app)
+
+allow modem_diagnostic_app app_api_service:service_manager find;
+allow modem_diagnostic_app radio_service:service_manager find;
+
+userdebug_or_eng(`
+ allow modem_diagnostic_app sysfs_modem_state:file r_file_perms;
+
+ hal_client_domain(modem_diagnostic_app, hal_power_stats);
+
+ allow modem_diagnostic_app hal_exynos_rild_hwservice:hwservice_manager find;
+ binder_call(modem_diagnostic_app, rild)
+
+ binder_call(modem_diagnostic_app, dmd)
+
+ set_prop(modem_diagnostic_app, vendor_cbd_prop)
+ set_prop(modem_diagnostic_app, vendor_rild_prop)
+ set_prop(modem_diagnostic_app, vendor_modem_prop)
+
+ allow modem_diagnostic_app sysfs_chosen:dir r_dir_perms;
+ allow modem_diagnostic_app sysfs_chosen:file r_file_perms;
+
+ allow modem_diagnostic_app vendor_fw_file:file r_file_perms;
+
+ allow modem_diagnostic_app radio_vendor_data_file:dir create_dir_perms;
+ allow modem_diagnostic_app radio_vendor_data_file:file create_file_perms;
+
+ allow modem_diagnostic_app mnt_vendor_file:dir r_dir_perms;
+ allow modem_diagnostic_app mnt_vendor_file:file r_file_perms;
+
+ allow modem_diagnostic_app modem_img_file:dir r_dir_perms;
+ allow modem_diagnostic_app modem_img_file:file r_file_perms;
+ allow modem_diagnostic_app modem_img_file:lnk_file r_file_perms;
+
+ allow modem_diagnostic_app hal_vendor_oem_hwservice:hwservice_manager find;
+
+ allow modem_diagnostic_app sysfs_batteryinfo:file r_file_perms;
+ allow modem_diagnostic_app sysfs_batteryinfo:dir search;
+
+ dontaudit modem_diagnostic_app default_prop:file r_file_perms;
+
+ # Modem Log Mask Library Permissions
+ allow modem_diagnostic_app liboemservice_proxy_service:service_manager find;
+ binder_use(modem_diagnostic_app)
+ binder_call(modem_diagnostic_app, liboemservice_proxy_default)
+')
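Review bot: `binder_use(modem_diagnostic_app)` inside the `userdebug_or_eng` block looks redundant: `app_domain(modem_diagnostic_app)` at the top of the hunk already places the type in appdomain, and appdomain carries binder_use in the platform policy as far as I recall, so the explicit call adds nothing on eng builds and is absent on user builds anyway — worth confirming against the platform version in use before dropping it. With it gone, `# Modem Log Mask Library Permissions` would cover just the `liboemservice_proxy_service` find and the `binder_call` to `liboemservice_proxy_default`. Note also that `app_domain`, `net_domain` and the `radio_service` find sit outside the `userdebug_or_eng` block, so on user builds this domain exists as a networked app with telephony service access but none of the modem grants; a one-line comment stating that the split is deliberate would help, e.g. `# Base app grants apply on all builds; modem/diag access below is eng-only.`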
diff --git a/sepolicy/radio/modem_logging_control.te b/sepolicy/radio/modem_logging_control.te
new file mode 100644
index 0000000..7392297
--- /dev/null
+++ b/sepolicy/radio/modem_logging_control.te
@@ -0,0 +1,17 @@
+type modem_logging_control, domain;
+type modem_logging_control_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(modem_logging_control)
+
+hwbinder_use(modem_logging_control)
+binder_call(modem_logging_control, dmd)
+
+allow modem_logging_control radio_device:chr_file rw_file_perms;
+allow modem_logging_control hal_vendor_oem_hwservice:hwservice_manager find;
+allow modem_logging_control radio_vendor_data_file:dir create_dir_perms;
+allow modem_logging_control radio_vendor_data_file:file create_file_perms;
+allow modem_logging_control vendor_slog_file:dir create_dir_perms;
+allow modem_logging_control vendor_slog_file:file create_file_perms;
+
+set_prop(modem_logging_control, vendor_modem_prop)
+get_prop(modem_logging_control, hwservicemanager_prop)
diff --git a/sepolicy/radio/modem_ml_svc_sit.te b/sepolicy/radio/modem_ml_svc_sit.te
new file mode 100644
index 0000000..609e56a
--- /dev/null
+++ b/sepolicy/radio/modem_ml_svc_sit.te
@@ -0,0 +1,30 @@
+type modem_ml_svc_sit, domain;
+type modem_ml_svc_sit_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(modem_ml_svc_sit)
+
+binder_use(modem_ml_svc_sit)
+
+# Grant radio device access
+allow modem_ml_svc_sit radio_device:chr_file rw_file_perms;
+
+# Grant vendor radio and modem file/dir creation permission
+allow modem_ml_svc_sit radio_vendor_data_file:dir create_dir_perms;
+allow modem_ml_svc_sit radio_vendor_data_file:file create_file_perms;
+
+# Grant modem ml data file/dir creation permission
+allow modem_ml_svc_sit modem_ml_data_file:dir create_dir_perms;
+allow modem_ml_svc_sit modem_ml_data_file:file create_file_perms;
+
+# Grant modem ml models config files access
+allow modem_ml_svc_sit modem_config_file:file r_file_perms;
+
+# RIL property
+get_prop(modem_ml_svc_sit, vendor_rild_prop)
+
+# Access to NNAPI service
+hal_client_domain(modem_ml_svc_sit, hal_neuralnetworks)
+allow modem_ml_svc_sit edgetpu_nnapi_service:service_manager find;
+
+# Access to TFLite binder service
+allow modem_ml_svc_sit modemml_tflite_service:service_manager find;
+binder_call(modem_ml_svc_sit, system_server)
diff --git a/sepolicy/radio/modem_svc_sit.te b/sepolicy/radio/modem_svc_sit.te
new file mode 100644
index 0000000..0bc59bd
--- /dev/null
+++ b/sepolicy/radio/modem_svc_sit.te
@@ -0,0 +1,50 @@
+type modem_svc_sit, domain;
+type modem_svc_sit_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(modem_svc_sit)
+
+hwbinder_use(modem_svc_sit)
+binder_call(modem_svc_sit, rild)
+
+# Grant sysfs_modem access
+allow modem_svc_sit sysfs_modem:file rw_file_perms;
+
+# Grant radio device access
+allow modem_svc_sit radio_device:chr_file rw_file_perms;
+
+# Grant vendor radio and modem file/dir creation permission
+allow modem_svc_sit radio_vendor_data_file:dir create_dir_perms;
+allow modem_svc_sit radio_vendor_data_file:file create_file_perms;
+allow modem_svc_sit modem_stat_data_file:dir create_dir_perms;
+allow modem_svc_sit modem_stat_data_file:file create_file_perms;
+
+allow modem_svc_sit vendor_fw_file:dir search;
+allow modem_svc_sit vendor_fw_file:file r_file_perms;
+
+allow modem_svc_sit mnt_vendor_file:dir r_dir_perms;
+allow modem_svc_sit modem_userdata_file:dir create_dir_perms;
+allow modem_svc_sit modem_userdata_file:file create_file_perms;
+
+# RIL property
+get_prop(modem_svc_sit, vendor_rild_prop)
+
+# Modem property
+set_prop(modem_svc_sit, vendor_modem_prop)
+
+# logging property
+get_prop(modem_svc_sit, vendor_logger_prop)
+
+# hwservice permission
+allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find;
+get_prop(modem_svc_sit, hwservicemanager_prop)
+
+# Modem SVC will register the default instance of the AIDL ISharedModemPlatform hal.
+hal_server_domain(modem_svc_sit, hal_shared_modem_platform)
+
+# Write trace data to the Perfetto traced daemon. This requires connecting to
+# its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(modem_svc_sit)
+
+# Allow modem_svc_sit to access modem image file/dir
+allow modem_svc_sit modem_img_file:dir r_dir_perms;
+allow modem_svc_sit modem_img_file:file r_file_perms;
+allow modem_svc_sit modem_img_file:lnk_file r_file_perms;
diff --git a/sepolicy/radio/oemrilservice_app.te b/sepolicy/radio/oemrilservice_app.te
new file mode 100644
index 0000000..b055dbe
--- /dev/null
+++ b/sepolicy/radio/oemrilservice_app.te
@@ -0,0 +1,9 @@
+type oemrilservice_app, domain;
+app_domain(oemrilservice_app)
+
+allow oemrilservice_app app_api_service:service_manager find;
+allow oemrilservice_app hal_exynos_rild_hwservice:hwservice_manager find;
+allow oemrilservice_app radio_service:service_manager find;
+
+binder_call(oemrilservice_app, rild)
+set_prop(oemrilservice_app, vendor_rild_prop)
diff --git a/sepolicy/radio/pixel_modem_app.te b/sepolicy/radio/pixel_modem_app.te
new file mode 100644
index 0000000..85a2628
--- /dev/null
+++ b/sepolicy/radio/pixel_modem_app.te
@@ -0,0 +1,11 @@
+# pixel_modem_app is the selinux domain for pixel_modem_service
+
+type pixel_modem_app, domain;
+
+app_domain(pixel_modem_app)
+
+allow pixel_modem_app app_api_service:service_manager find;
+allow pixel_modem_app radio_service:service_manager find;
+
+# Allow the pixel_modem_app to find and call shared modem platform service.
+hal_client_domain(pixel_modem_app, hal_shared_modem_platform)
diff --git a/sepolicy/radio/private/radio.te b/sepolicy/radio/private/radio.te
new file mode 100644
index 0000000..a569b9c
--- /dev/null
+++ b/sepolicy/radio/private/radio.te
@@ -0,0 +1 @@
+add_service(radio, uce_service)
diff --git a/sepolicy/radio/private/service_contexts b/sepolicy/radio/private/service_contexts
new file mode 100644
index 0000000..84ef341
--- /dev/null
+++ b/sepolicy/radio/private/service_contexts
@@ -0,0 +1,2 @@
+telephony.oem.oemrilhook u:object_r:radio_service:s0
+
diff --git a/sepolicy/radio/property.te b/sepolicy/radio/property.te
new file mode 100644
index 0000000..0b15ab2
--- /dev/null
+++ b/sepolicy/radio/property.te
@@ -0,0 +1,19 @@
+# P23 vendor properties
+vendor_internal_prop(vendor_carrier_prop)
+vendor_internal_prop(vendor_cbd_prop)
+vendor_internal_prop(vendor_slog_prop)
+vendor_internal_prop(vendor_persist_config_default_prop)
+vendor_internal_prop(vendor_diag_prop)
+vendor_internal_prop(vendor_modem_prop)
+vendor_internal_prop(vendor_rild_prop)
+vendor_internal_prop(vendor_gps_prop)
+vendor_internal_prop(vendor_gril_prop)
+vendor_internal_prop(vendor_ssrdump_prop)
+vendor_internal_prop(vendor_wifi_version)
+vendor_internal_prop(vendor_imssvc_prop)
+vendor_internal_prop(vendor_ims_tiss_prop)
+vendor_internal_prop(vendor_tcpdump_log_prop)
+
+# Telephony debug app
+vendor_internal_prop(vendor_telephony_app_prop)
+
diff --git a/sepolicy/radio/property_contexts b/sepolicy/radio/property_contexts
new file mode 100644
index 0000000..549c745
--- /dev/null
+++ b/sepolicy/radio/property_contexts
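Review bot: `vendor_internal_prop(vendor_wifi_version)` is the only type in this hunk without the `_prop` suffix every other declaration uses; renaming it to `vendor_wifi_version_prop` keeps the naming uniform, with the two `vendor.wlan.*.version` entries in the property_contexts hunk updated to match. The `# P23 vendor properties` header is a product codename rather than a description and will age badly; `# Vendor properties used by the radio/modem stack` says what the block is for. `vendor_logger_prop`, which the logger_app.te hunk sets and the property_contexts hunk labels with, is not declared here, so I assume it comes from shared policy — worth confirming.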
@@ -0,0 +1,65 @@
+# for cbd
+vendor.cbd. u:object_r:vendor_cbd_prop:s0
+persist.vendor.cbd. u:object_r:vendor_cbd_prop:s0
+
+# for ims service
+persist.vendor.ims. u:object_r:vendor_imssvc_prop:s0
+
+# for ims test mode based on go/tiss (do not modify, setprop should not be enabled)
+persist.vendor.ims_tiss. u:object_r:vendor_ims_tiss_prop:s0
+
+# for slog
+vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0
+vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0
+persist.vendor.sys.silentlog u:object_r:vendor_slog_prop:s0
+
+# for dmd
+persist.vendor.sys.dm. u:object_r:vendor_diag_prop:s0
+persist.vendor.sys.diag. u:object_r:vendor_diag_prop:s0
+vendor.sys.dmd. u:object_r:vendor_diag_prop:s0
+vendor.sys.diag. u:object_r:vendor_diag_prop:s0
+persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0
+
+# for logger app
+vendor.pixellogger. u:object_r:vendor_logger_prop:s0
+persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0
+
+# Modem
+persist.vendor.modem. u:object_r:vendor_modem_prop:s0
+vendor.modem. u:object_r:vendor_modem_prop:s0
+vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+vendor.sys.modem_reset u:object_r:vendor_modem_prop:s0
+ro.vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+vendor.sys.exynos.modempath u:object_r:vendor_modem_prop:s0
+persist.vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+
+# for rild
+persist.vendor.ril. u:object_r:vendor_rild_prop:s0
+vendor.ril. u:object_r:vendor_rild_prop:s0
+vendor.radio. u:object_r:vendor_rild_prop:s0
+vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0
+persist.vendor.radio. u:object_r:vendor_rild_prop:s0
+ro.vendor.config.build_carrier u:object_r:vendor_carrier_prop:s0
+
+# for GRIL
+vendor.gril. u:object_r:vendor_gril_prop:s0
+
+# SSR Detector
+vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0
+persist.vendor.sys.ssr. u:object_r:vendor_ssrdump_prop:s0
+
+# WiFi
+vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0
+vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0
+
+# for vendor telephony debug app
+vendor.config.debug. u:object_r:vendor_telephony_app_prop:s0
+
+# for gps
+vendor.gps. u:object_r:vendor_gps_prop:s0
+persist.vendor.gps. u:object_r:vendor_gps_prop:s0
+
+# Tcpdump_logger
+persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0
+vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0
+
diff --git a/sepolicy/radio/radio.te b/sepolicy/radio/radio.te
new file mode 100644
index 0000000..721e018
--- /dev/null
+++ b/sepolicy/radio/radio.te
@@ -0,0 +1,9 @@
+set_prop(radio, telephony_ril_prop)
+set_prop(radio, telephony_modemtype_prop)
+get_prop(radio, telephony_ntn_demo_mode_prop)
+
+allow radio radio_vendor_data_file:dir rw_dir_perms;
+allow radio radio_vendor_data_file:file create_file_perms;
+allow radio vendor_ims_app:udp_socket { getattr read write setopt shutdown };
+allow radio aoc_device:chr_file rw_file_perms;
+allow radio scheduling_policy_service:service_manager find;
diff --git a/sepolicy/radio/rfsd.te b/sepolicy/radio/rfsd.te
new file mode 100644
index 0000000..6391e48
--- /dev/null
+++ b/sepolicy/radio/rfsd.te
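Review bot: `persist.vendor.sys.silentlog u:object_r:vendor_slog_prop:s0` has no trailing dot while its siblings `vendor.sys.silentlog.` and `vendor.sys.exynos.slog.` are prefix entries, so it labels only that exact property name; the same exact-match form is used for `vendor.sys.modem_reset`, `vendor.sys.exynos.modempath`, `vendor.sys.rild_reset` and `persist.vendor.tcpdump.log.alwayson`. If those are deliberate single properties, a short comment on the group (e.g. `# exact property names, not prefixes`) would make that clear; if `persist.vendor.sys.silentlog.` was meant as a prefix, any sub-property would be labelled by whichever broader or default entry matches instead and the slog daemons' `set_prop` on it would be denied. The `# for ims test mode ... (do not modify, setprop should not be enabled)` comment is the right kind of note and the other groups would benefit from the same treatment.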
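Review bot: `allow radio aoc_device:chr_file rw_file_perms;` and `allow radio vendor_ims_app:udp_socket { getattr read write setopt shutdown };` are the two rules in the radio.te hunk that reach into a hardware device and another domain's socket, and neither carries a comment; `radio` is the platform telephony process, so a reader cannot tell from the hunk why it needs the AoC character device or an IMS app's UDP socket descriptor. Suggested comments: `# radio exchanges <feature> data with AoC; needed for <reason>` and `# vendor_ims_app hands its UDP socket fd to telephony for <purpose>`, with the placeholders filled in from the design. The other rules in the hunk are property and data-file grants that read as routine.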
@@ -0,0 +1,37 @@
+type rfsd, domain;
+type rfsd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(rfsd)
+
+# Allow to search block device and mnt dir for modem EFS partitions
+allow rfsd mnt_vendor_file:dir search;
+allow rfsd block_device:dir search;
+
+# Allow to operate with modem EFS file/dir
+allow rfsd modem_efs_file:dir create_dir_perms;
+allow rfsd modem_efs_file:file create_file_perms;
+
+allow rfsd radio_vendor_data_file:dir r_dir_perms;
+allow rfsd radio_vendor_data_file:file r_file_perms;
+
+r_dir_file(rfsd, vendor_fw_file)
+
+# Allow to access rfsd log file/dir
+allow rfsd vendor_log_file:dir search;
+allow rfsd vendor_rfsd_log_file:dir create_dir_perms;
+allow rfsd vendor_rfsd_log_file:file create_file_perms;
+
+# Allow to read/write modem block device
+allow rfsd modem_block_device:blk_file rw_file_perms;
+
+# Allow to operate with radio device
+allow rfsd radio_device:chr_file rw_file_perms;
+
+# Allow to set rild and modem property
+set_prop(rfsd, vendor_modem_prop)
+set_prop(rfsd, vendor_rild_prop)
+get_prop(rfsd, vendor_cbd_prop)
+
+# Allow rfsd to access modem image file/dir
+allow rfsd modem_img_file:dir r_dir_perms;
+allow rfsd modem_img_file:file r_file_perms;
+allow rfsd modem_img_file:lnk_file r_file_perms;
diff --git a/sepolicy/radio/rild.te b/sepolicy/radio/rild.te
new file mode 100644
index 0000000..535a6b4
--- /dev/null
+++ b/sepolicy/radio/rild.te
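Review bot: The comment above `allow rfsd modem_block_device:blk_file rw_file_perms;` says read/write, but `rw_file_perms` also grants `ioctl` on the raw modem partition. If rfsd only reads and writes the EFS image, `{ open read write getattr }` states that precisely; if it does issue ioctls, `allowxperm rfsd modem_block_device:blk_file ioctl { <ioctl list> };` pins them and the comment should say which. `allow rfsd block_device:dir search;` is the usual pairing for reaching the node and is fine as is.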
@@ -0,0 +1,48 @@
+set_prop(rild, vendor_rild_prop)
+set_prop(rild, vendor_modem_prop)
+get_prop(rild, vendor_persist_config_default_prop)
+get_prop(rild, vendor_carrier_prop)
+
+get_prop(rild, sota_prop)
+get_prop(rild, system_boot_reason_prop)
+
+set_prop(rild, telephony_ril_prop)
+set_prop(rild, telephony_modemtype_prop)
+get_prop(rild, telephony_ntn_demo_mode_prop)
+
+allow rild proc_net:file rw_file_perms;
+allow rild radio_vendor_data_file:dir create_dir_perms;
+allow rild radio_vendor_data_file:file create_file_perms;
+allow rild rild_vendor_data_file:dir create_dir_perms;
+allow rild rild_vendor_data_file:file create_file_perms;
+allow rild vendor_fw_file:file r_file_perms;
+allow rild mnt_vendor_file:dir r_dir_perms;
+
+r_dir_file(rild, modem_img_file)
+
+binder_call(rild, bipchmgr)
+binder_call(rild, hal_audio_default)
+binder_call(rild, modem_svc_sit)
+binder_call(rild, vendor_ims_app)
+binder_call(rild, vendor_rcs_app)
+binder_call(rild, oemrilservice_app)
+binder_call(rild, hal_secure_element_uicc)
+binder_call(rild, grilservice_app)
+binder_call(rild, vendor_engineermode_app)
+binder_call(rild, vendor_telephony_debug_app)
+binder_call(rild, logger_app)
+binder_call(rild, vendor_satellite_service)
+
+crash_dump_fallback(rild)
+
+# for hal service
+add_hwservice(rild, hal_exynos_rild_hwservice)
+
+# Allow rild to access files on modem img.
+allow rild modem_img_file:dir r_dir_perms;
+allow rild modem_img_file:file r_file_perms;
+allow rild modem_img_file:lnk_file r_file_perms;
+
+userdebug_or_eng(`
+ binder_call(rild, modem_diagnostic_app)
+')
diff --git a/sepolicy/radio/sced.te b/sepolicy/radio/sced.te
new file mode 100644
index 0000000..2b08973
--- /dev/null
+++ b/sepolicy/radio/sced.te
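Review bot: The three rules under `# Allow rild to access files on modem img.` duplicate `r_dir_file(rild, modem_img_file)` earlier in the same hunk, which already expands to `dir r_dir_perms` and `{ file lnk_file } r_file_perms`; keep one form — either drop the three explicit lines or the macro call (rfsd.te above spells the same grant out explicitly, so matching it keeps the two files consistent). `allow rild proc_net:file rw_file_perms;` is the broadest rule here, write access to everything labelled `proc_net`; a comment naming the entry rild actually writes, or a narrower `proc_net` type if the platform provides one for it, would help the next reviewer.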
@@ -0,0 +1,23 @@
+type sced, domain;
+type sced_exec, vendor_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ init_daemon_domain(sced)
+ typeattribute sced vendor_executes_system_violators;
+
+ hwbinder_use(sced)
+ binder_call(sced, dmd)
+ binder_call(sced, vendor_telephony_silentlogging_app)
+
+ get_prop(sced, hwservicemanager_prop)
+ allow sced self:packet_socket create_socket_perms_no_ioctl;
+
+ allow sced self:capability net_raw;
+ allow sced shell_exec:file rx_file_perms;
+ allow sced tcpdump_exec:file rx_file_perms;
+ allow sced vendor_shell_exec:file x_file_perms;
+ allow sced vendor_slog_file:dir create_dir_perms;
+ allow sced vendor_slog_file:file create_file_perms;
+ allow sced hidl_base_hwservice:hwservice_manager add;
+ allow sced hal_vendor_oem_hwservice:hwservice_manager { add find };
+')
diff --git a/sepolicy/radio/seapp_contexts b/sepolicy/radio/seapp_contexts
new file mode 100644
index 0000000..7ed10c6
--- /dev/null
+++ b/sepolicy/radio/seapp_contexts
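Review bot: The `userdebug_or_eng` block grants sced `net_raw`, a packet socket, execution of `shell_exec`/`tcpdump_exec`/`vendor_shell_exec` and the `vendor_executes_system_violators` exemption, with no comment saying what the daemon is or why each is needed. A header such as `# sced: debug-only capture daemon for silent logging; runs tcpdump via the shell, hence net_raw/packet_socket and the system-exec exemption` (confirm the wording against the daemon) would let a reviewer judge each line instead of inferring it from the `vendor_slog_file` and silentlogging-app rules. Because `init_daemon_domain(sced)` is inside the conditional, user builds define the `sced` type with no transition to it; if that is intended, say so next to the type declaration.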
@@ -0,0 +1,37 @@
+# CBRS setup app
+user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
+
+# Modem Diagnostic System
+user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true seinfo=platform name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
+
+# grilservice
+user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all
+
+# exynos apps
+user=_app isPrivApp=true name=com.samsung.slsi.telephony.oemril domain=oemrilservice_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_qualifiednetworks_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_service_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all
+user=_app isPrivApp=true name=.ShannonImsService domain=vendor_ims_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_remote_app levelFrom=all
+
+
+# slsi logging apps
+user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_silentlogging_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging:remote domain=vendor_silentlogging_remote_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_debug_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.testmode domain=vendor_telephony_test_app levelFrom=all
+
+# Samsung S.LSI engineer mode
+user=_app seinfo=platform name=com.samsung.slsi.engineermode domain=vendor_engineermode_app levelFrom=all
+
+# Domain for CatEngineService
+user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all
+
+# Vendor Satellite Service
+user=_app isPrivApp=true seinfo=platform name=com.samsung.slsi.telephony.satelliteservice domain=vendor_satellite_service levelFrom=all
+
+# Domain for pixel_modem_app
+user=_app isPrivApp=true seinfo=platform name=com.google.android.modem.pms domain=pixel_modem_app levelFrom=all
diff --git a/sepolicy/radio/service.te b/sepolicy/radio/service.te
new file mode 100644
index 0000000..349e658
--- /dev/null
+++ b/sepolicy/radio/service.te
@@ -0,0 +1,2 @@
+# Define liboemservice_proxy_service.
+type liboemservice_proxy_service, hal_service_type, service_manager_type;
\ No newline at end of file
diff --git a/sepolicy/radio/service_contexts b/sepolicy/radio/service_contexts
new file mode 100644
index 0000000..d463150
--- /dev/null
+++ b/sepolicy/radio/service_contexts
@@ -0,0 +1,2 @@
+# DMD oemservice aidl proxy.
+com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default u:object_r:liboemservice_proxy_service:s0
\ No newline at end of file
diff --git a/sepolicy/radio/vcd.te b/sepolicy/radio/vcd.te
new file mode 100644
index 0000000..c5c229e
--- /dev/null
+++ b/sepolicy/radio/vcd.te
@@ -0,0 +1,13 @@
+type vcd, domain;
+type vcd_exec, vendor_file_type, exec_type, file_type;
+userdebug_or_eng(`
+ init_daemon_domain(vcd)
+
+ get_prop(vcd, vendor_rild_prop);
+ get_prop(vcd, vendor_persist_config_default_prop);
+
+ allow vcd serial_device:chr_file rw_file_perms;
+ allow vcd radio_device:chr_file rw_file_perms;
+ allow vcd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
+ allow vcd node:tcp_socket node_bind;
+')
diff --git a/sepolicy/radio/vendor_engineermode_app.te b/sepolicy/radio/vendor_engineermode_app.te
new file mode 100644
index 0000000..d35403a
--- /dev/null
+++ b/sepolicy/radio/vendor_engineermode_app.te
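Review bot: The `# grilservice` and `# exynos apps` entries select their domains by `isPrivApp=true name=...` alone, with no `seinfo=`, unlike the `com.google.mds`, satellite and pms entries in the same file; any preinstalled privileged app bearing one of those package names is then placed in a domain that, per the .te files in this change, can call rild and set RIL properties, regardless of who signed it. If the signing identity is known, add `seinfo=<signer>` to these lines as the other entries do; if it genuinely is not, a comment explaining why would save the next reviewer the question. `name=.ShannonImsService` also looks unlike every other `name=` here (a leading dot rather than a package name), so confirm it matches what seapp_contexts actually sees for that process.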
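Review bot: `get_prop(vcd, vendor_rild_prop);` and the line after it end an m4 macro call with a semicolon, while every other macro call in this change (`init_daemon_domain(vcd)` two lines up, the `set_prop`/`get_prop` calls in rild.te) does not; the policy evidently builds, so the stray `;` is parsed as an empty statement, but the mix reads as if the two forms meant different things. Drop the semicolons here and in `app_domain(vendor_satellite_service);`, `app_domain(pixeldisplayservice_app);` and `app_domain(pixelntnservice_app);` later in this change, which are the same pattern; vendor_satellite_service.te is also missing its trailing newline.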
@@ -0,0 +1,12 @@
+type vendor_engineermode_app, domain;
+app_domain(vendor_engineermode_app)
+
+binder_call(vendor_engineermode_app, rild)
+
+allow vendor_engineermode_app app_api_service:service_manager find;
+allow vendor_engineermode_app hal_exynos_rild_hwservice:hwservice_manager find;
+
+userdebug_or_eng(`
+ dontaudit vendor_engineermode_app default_prop:file r_file_perms;
+')
+
diff --git a/sepolicy/radio/vendor_ims_app.te b/sepolicy/radio/vendor_ims_app.te
new file mode 100644
index 0000000..b0aba05
--- /dev/null
+++ b/sepolicy/radio/vendor_ims_app.te
@@ -0,0 +1,23 @@
+type vendor_ims_app, domain;
+app_domain(vendor_ims_app)
+net_domain(vendor_ims_app)
+
+allow vendor_ims_app app_api_service:service_manager find;
+allow vendor_ims_app audioserver_service:service_manager find;
+
+allow vendor_ims_app hal_exynos_rild_hwservice:hwservice_manager find;
+allow vendor_ims_app radio_service:service_manager find;
+
+allow vendor_ims_app mediaserver_service:service_manager find;
+allow vendor_ims_app cameraserver_service:service_manager find;
+allow vendor_ims_app mediametrics_service:service_manager find;
+
+allow vendor_ims_app self:udp_socket { create_socket_perms_no_ioctl };
+
+binder_call(vendor_ims_app, rild)
+set_prop(vendor_ims_app, vendor_rild_prop)
+set_prop(vendor_ims_app, radio_prop)
+get_prop(vendor_ims_app, vendor_imssvc_prop)
+userdebug_or_eng(`
+ get_prop(vendor_ims_app, vendor_ims_tiss_prop)
+')
diff --git a/sepolicy/radio/vendor_ims_remote_app.te b/sepolicy/radio/vendor_ims_remote_app.te
new file mode 100644
index 0000000..f5d3846
--- /dev/null
+++ b/sepolicy/radio/vendor_ims_remote_app.te
@@ -0,0 +1,4 @@
+type vendor_ims_remote_app, domain;
+app_domain(vendor_ims_remote_app)
+
+allow vendor_ims_remote_app app_api_service:service_manager find;
diff --git a/sepolicy/radio/vendor_init.te b/sepolicy/radio/vendor_init.te
new file mode 100644
index 0000000..7d6d39d
--- /dev/null
+++ b/sepolicy/radio/vendor_init.te
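Review bot: `binder_call(vendor_engineermode_app, rild)` and the `hal_exynos_rild_hwservice` find are unconditional while only the `dontaudit` is under `userdebug_or_eng`; the seapp_contexts entry for this app is `user=_app seinfo=platform` with no `isPrivApp`, so on user builds any platform-signed app named `com.samsung.slsi.engineermode` gets a direct channel to rild. If the engineer-mode app ships only on debug builds, move the two rules inside the `userdebug_or_eng` block; if it ships on user builds, a comment saying so (and what it uses rild for) settles the question. vendor_telephony_debug_app.te later in this change has the same shape — rild access and `set_prop` of `vendor_rild_prop` outside its debug block — and the same question applies there.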
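Review bot: `set_prop(vendor_ims_app, radio_prop)` lets a vendor app domain write a system-owned property type, and no comment says which property the IMS service sets; every other property rule in this file stays within `vendor_*_prop`. Either name the key in a comment, e.g. `# sets <property> so the framework telephony stack sees IMS state`, or move that key under a vendor-owned type in property_contexts so the system/vendor property split is kept.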
@@ -0,0 +1,8 @@
+set_prop(vendor_init, vendor_cbd_prop)
+get_prop(vendor_init, telephony_modem_prop)
+set_prop(vendor_init, telephony_modemtype_prop)
+set_prop(vendor_init, vendor_carrier_prop)
+set_prop(vendor_init, vendor_modem_prop)
+set_prop(vendor_init, vendor_rild_prop)
+set_prop(vendor_init, vendor_logger_prop)
+set_prop(vendor_init, vendor_slog_prop)
diff --git a/sepolicy/radio/vendor_qualifiednetworks_app.te b/sepolicy/radio/vendor_qualifiednetworks_app.te
new file mode 100644
index 0000000..e48601a
--- /dev/null
+++ b/sepolicy/radio/vendor_qualifiednetworks_app.te
@@ -0,0 +1,5 @@
+type vendor_qualifiednetworks_app, domain;
+app_domain(vendor_qualifiednetworks_app)
+
+allow vendor_qualifiednetworks_app app_api_service:service_manager find;
+allow vendor_qualifiednetworks_app radio_service:service_manager find;
diff --git a/sepolicy/radio/vendor_rcs_app.te b/sepolicy/radio/vendor_rcs_app.te
new file mode 100644
index 0000000..37cadef
--- /dev/null
+++ b/sepolicy/radio/vendor_rcs_app.te
@@ -0,0 +1,9 @@
+type vendor_rcs_app, domain;
+app_domain(vendor_rcs_app)
+net_domain(vendor_rcs_app)
+
+allow vendor_rcs_app app_api_service:service_manager find;
+allow vendor_rcs_app radio_service:service_manager find;
+allow vendor_rcs_app hal_exynos_rild_hwservice:hwservice_manager find;
+
+binder_call(vendor_rcs_app, rild)
diff --git a/sepolicy/radio/vendor_rcs_service_app.te b/sepolicy/radio/vendor_rcs_service_app.te
new file mode 100644
index 0000000..a7ae221
--- /dev/null
+++ b/sepolicy/radio/vendor_rcs_service_app.te
@@ -0,0 +1,5 @@
+type vendor_rcs_service_app, domain;
+app_domain(vendor_rcs_service_app)
+
+allow vendor_rcs_service_app app_api_service:service_manager find;
+allow vendor_rcs_service_app radio_service:service_manager find;
diff --git a/sepolicy/radio/vendor_satellite_service.te b/sepolicy/radio/vendor_satellite_service.te
new file mode 100644
index 0000000..f6a1fa2
--- /dev/null
+++ b/sepolicy/radio/vendor_satellite_service.te
@@ -0,0 +1,6 @@
+type vendor_satellite_service, domain;
+
+app_domain(vendor_satellite_service);
+allow vendor_satellite_service app_api_service:service_manager find;
+allow vendor_satellite_service hal_exynos_rild_hwservice:hwservice_manager find;
+binder_call(vendor_satellite_service, rild)
\ No newline at end of file
diff --git a/sepolicy/radio/vendor_silentlogging_remote_app.te b/sepolicy/radio/vendor_silentlogging_remote_app.te
new file mode 100644
index 0000000..885fb6a
--- /dev/null
+++ b/sepolicy/radio/vendor_silentlogging_remote_app.te
@@ -0,0 +1,13 @@
+type vendor_silentlogging_remote_app, domain;
+app_domain(vendor_silentlogging_remote_app)
+
+allow vendor_silentlogging_remote_app vendor_slog_file:dir create_dir_perms;
+allow vendor_silentlogging_remote_app vendor_slog_file:file create_file_perms;
+
+allow vendor_silentlogging_remote_app app_api_service:service_manager find;
+
+userdebug_or_eng(`
+# Silent Logging Remote
+dontaudit vendor_silentlogging_remote_app system_app_data_file:dir create_dir_perms;
+dontaudit vendor_silentlogging_remote_app system_app_data_file:file create_file_perms;
+')
diff --git a/sepolicy/radio/vendor_telephony_debug_app.te b/sepolicy/radio/vendor_telephony_debug_app.te
new file mode 100644
index 0000000..539fffc
--- /dev/null
+++ b/sepolicy/radio/vendor_telephony_debug_app.te
@@ -0,0 +1,20 @@
+type vendor_telephony_debug_app, domain;
+app_domain(vendor_telephony_debug_app)
+
+allow vendor_telephony_debug_app app_api_service:service_manager find;
+allow vendor_telephony_debug_app hal_exynos_rild_hwservice:hwservice_manager find;
+
+binder_call(vendor_telephony_debug_app, rild)
+
+# RIL property
+set_prop(vendor_telephony_debug_app, vendor_rild_prop)
+
+# Debug property
+set_prop(vendor_telephony_debug_app, vendor_telephony_app_prop)
+
+userdebug_or_eng(`
+# System Debug Mode
+dontaudit vendor_telephony_debug_app system_app_data_file:dir create_dir_perms;
+dontaudit vendor_telephony_debug_app system_app_data_file:file create_file_perms;
+dontaudit vendor_telephony_debug_app default_prop:file r_file_perms;
+')
diff --git a/sepolicy/radio/vendor_telephony_silentlogging_app.te b/sepolicy/radio/vendor_telephony_silentlogging_app.te
new file mode 100644
index 0000000..583f408
--- /dev/null
+++ b/sepolicy/radio/vendor_telephony_silentlogging_app.te
@@ -0,0 +1,21 @@
+type vendor_telephony_silentlogging_app, domain;
+app_domain(vendor_telephony_silentlogging_app)
+
+set_prop(vendor_telephony_silentlogging_app, vendor_modem_prop)
+set_prop(vendor_telephony_silentlogging_app, vendor_slog_prop)
+
+allow vendor_telephony_silentlogging_app vendor_slog_file:dir create_dir_perms;
+allow vendor_telephony_silentlogging_app vendor_slog_file:file create_file_perms;
+
+allow vendor_telephony_silentlogging_app app_api_service:service_manager find;
+allow vendor_telephony_silentlogging_app hal_vendor_oem_hwservice:hwservice_manager find;
+binder_call(vendor_telephony_silentlogging_app, dmd)
+binder_call(vendor_telephony_silentlogging_app, sced)
+
+userdebug_or_eng(`
+# Silent Logging
+dontaudit vendor_telephony_silentlogging_app system_app_data_file:dir create_dir_perms;
+dontaudit vendor_telephony_silentlogging_app system_app_data_file:file create_file_perms;
+dontaudit vendor_telephony_silentlogging_app default_prop:file { getattr open read map };
+allow vendor_telephony_silentlogging_app selinuxfs:file { read open };
+')
diff --git a/sepolicy/radio/vendor_telephony_test_app.te b/sepolicy/radio/vendor_telephony_test_app.te
new file mode 100644
index 0000000..ea18209
--- /dev/null
+++ b/sepolicy/radio/vendor_telephony_test_app.te
@@ -0,0 +1,4 @@
+type vendor_telephony_test_app, domain;
+app_domain(vendor_telephony_test_app)
+
+allow vendor_telephony_test_app app_api_service:service_manager find;
diff --git a/sepolicy/radio/vold.te b/sepolicy/radio/vold.te
new file mode 100644
index 0000000..3923e9c
--- /dev/null
+++ b/sepolicy/radio/vold.te
@@ -0,0 +1,4 @@
+allow vold modem_efs_file:dir rw_dir_perms;
+allow vold modem_userdata_file:dir rw_dir_perms;
+allow vold efs_block_device:blk_file { getattr };
+allow vold modem_userdata_block_device:blk_file { getattr };
diff --git a/sepolicy/system_ext/private/pixeldisplayservice_app.te b/sepolicy/system_ext/private/pixeldisplayservice_app.te
new file mode 100644
index 0000000..9d603b7
--- /dev/null
+++ b/sepolicy/system_ext/private/pixeldisplayservice_app.te
@@ -0,0 +1,11 @@
+typeattribute pixeldisplayservice_app coredomain;
+
+app_domain(pixeldisplayservice_app);
+
+allow pixeldisplayservice_app proc_vendor_sched:dir r_dir_perms;
+allow pixeldisplayservice_app proc_vendor_sched:file w_file_perms;
+
+# Standard system services
+allow pixeldisplayservice_app app_api_service:service_manager find;
+
+allow pixeldisplayservice_app cameraserver_service:service_manager find;
diff --git a/sepolicy/system_ext/private/pixelntnservice_app.te b/sepolicy/system_ext/private/pixelntnservice_app.te
new file mode 100644
index 0000000..d3d7bb7
--- /dev/null
+++ b/sepolicy/system_ext/private/pixelntnservice_app.te
@@ -0,0 +1,8 @@
+typeattribute pixelntnservice_app coredomain;
+
+app_domain(pixelntnservice_app);
+allow pixelntnservice_app app_api_service:service_manager find;
+allow pixelntnservice_app radio_service:service_manager find;
+set_prop(pixelntnservice_app, telephony_modem_prop)
+get_prop(pixelntnservice_app, telephony_modemtype_prop)
+set_prop(pixelntnservice_app, telephony_ntn_demo_mode_prop)
diff --git a/sepolicy/system_ext/private/platform_app.te b/sepolicy/system_ext/private/platform_app.te
new file mode 100644
index 0000000..20042f2
--- /dev/null
+++ b/sepolicy/system_ext/private/platform_app.te
@@ -0,0 +1,2 @@
+# allow systemui access to fingerprint
+hal_client_domain(platform_app, hal_fingerprint)
diff --git a/sepolicy/system_ext/private/property_contexts b/sepolicy/system_ext/private/property_contexts
new file mode 100644
index 0000000..22683bd
--- /dev/null
+++ b/sepolicy/system_ext/private/property_contexts
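Review bot: `allow pixeldisplayservice_app proc_vendor_sched:file w_file_perms;` hands an app domain write access to the vendor scheduler procfs interface, and nothing in the hunk says which node it writes or why a display service needs to tune scheduling; the `# Standard system services` comment covers only the find rule below it. A comment such as `# writes <node> under proc_vendor_sched to <purpose>` above the pair, and a check that the app needs the full `w_file_perms` rather than plain `write` on one node, would make the grant reviewable.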
@@ -0,0 +1,8 @@
+# Telephony
+telephony.TnNtn.image_switch u:object_r:telephony_modem_prop:s0 exact enum ntn tn
+telephony.ril.modem_bin_status u:object_r:telephony_modemtype_prop:s0 exact uint
+telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool
+telephony.ril.ntn_demo_mode u:object_r:telephony_ntn_demo_mode_prop:s0 exact bool
+
+# HDCP setting of the display connected via USB port
+persist.sys.hdcp_checking u:object_r:usb_control_prop:s0 exact string
diff --git a/sepolicy/system_ext/private/seapp_contexts b/sepolicy/system_ext/private/seapp_contexts
new file mode 100644
index 0000000..a379f67
--- /dev/null
+++ b/sepolicy/system_ext/private/seapp_contexts
@@ -0,0 +1,8 @@
+# PixelDisplayService
+user=_app seinfo=platform name=com.android.pixeldisplayservice domain=pixeldisplayservice_app type=app_data_file levelFrom=all
+
+# SystemUI
+user=_app seinfo=platform name=com.android.systemui domain=systemui_app type=app_data_file levelFrom=all
+user=_app seinfo=platform name=com.android.systemui:* domain=systemui_app type=app_data_file levelFrom=all
+# PixelNtnService
+user=system seinfo=platform name=com.google.android.satellite domain=pixelntnservice_app type=app_data_file levelFrom=all
diff --git a/sepolicy/system_ext/private/systemui_app.te b/sepolicy/system_ext/private/systemui_app.te
new file mode 100644
index 0000000..32bc9cf
--- /dev/null
+++ b/sepolicy/system_ext/private/systemui_app.te
@@ -0,0 +1,28 @@
+typeattribute systemui_app coredomain;
+app_domain(systemui_app)
+allow systemui_app app_api_service:service_manager find;
+allow systemui_app network_score_service:service_manager find;
+allow systemui_app overlay_service:service_manager find;
+allow systemui_app color_display_service:service_manager find;
+allow systemui_app audioserver_service:service_manager find;
+allow systemui_app cameraserver_service:service_manager find;
+allow systemui_app mediaserver_service:service_manager find;
+allow systemui_app mediaextractor_service:service_manager find;
+allow systemui_app mediametrics_service:service_manager find;
+allow systemui_app radio_service:service_manager find;
+allow systemui_app vr_manager_service:service_manager find;
+allow systemui_app statsmanager_service:service_manager find;
+allow systemui_app nfc_service:service_manager find;
+allow systemui_app adb_service:service_manager find;
+
+get_prop(systemui_app, keyguard_config_prop)
+set_prop(systemui_app, bootanim_system_prop)
+get_prop(systemui_app, qemu_hw_prop)
+set_prop(systemui_app, debug_prop)
+
+# Allow writing and removing wmshell protolog in /data/misc/wmtrace.
+userdebug_or_eng(`
+ allow systemui_app wm_trace_data_file:dir rw_dir_perms;
+ allow systemui_app wm_trace_data_file:file create_file_perms;
+')
+
diff --git a/sepolicy/system_ext/public/pixeldisplayservice_app.te b/sepolicy/system_ext/public/pixeldisplayservice_app.te
new file mode 100644
index 0000000..2c608b4
--- /dev/null
+++ b/sepolicy/system_ext/public/pixeldisplayservice_app.te
@@ -0,0 +1 @@
+type pixeldisplayservice_app, domain;
diff --git a/sepolicy/system_ext/public/pixelntnservice_app.te b/sepolicy/system_ext/public/pixelntnservice_app.te
new file mode 100644
index 0000000..10661b6
--- /dev/null
+++ b/sepolicy/system_ext/public/pixelntnservice_app.te
@@ -0,0 +1 @@
+type pixelntnservice_app, domain;
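Review bot: `set_prop(systemui_app, debug_prop)` and `set_prop(systemui_app, bootanim_system_prop)` are unconditional and uncommented, whereas the wmtrace rules just below them are gated by `userdebug_or_eng` and explained; `debug_prop` covers the whole `debug.` namespace, so the rule should state which key SystemUI sets, e.g. `# systemui sets debug.<key> for <purpose>` (confirm the key), and move into the debug block if it is only used there. The run of `service_manager find` rules, `adb_service` included, would also read better with a grouping comment or a one-line reason each.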
diff --git a/sepolicy/system_ext/public/property.te b/sepolicy/system_ext/public/property.te
new file mode 100644
index 0000000..e492369
--- /dev/null
+++ b/sepolicy/system_ext/public/property.te
@@ -0,0 +1,9 @@
+# Telephony
+system_public_prop(telephony_ril_prop)
+system_restricted_prop(telephony_modem_prop)
+system_public_prop(telephony_modemtype_prop)
+system_restricted_prop(telephony_ntn_demo_mode_prop)
+
+userdebug_or_eng(`
+ set_prop(shell, telephony_ril_prop)
+')
diff --git a/sepolicy/system_ext/public/systemui_app.te b/sepolicy/system_ext/public/systemui_app.te
new file mode 100644
index 0000000..cb101a6
--- /dev/null
+++ b/sepolicy/system_ext/public/systemui_app.te
@@ -0,0 +1 @@
+type systemui_app, domain;
diff --git a/sepolicy/tracking_denials/README.txt b/sepolicy/tracking_denials/README.txt
new file mode 100644
index 0000000..6cfc62d
--- /dev/null
+++ b/sepolicy/tracking_denials/README.txt
@@ -0,0 +1,2 @@
+This folder stores known errors detected by PTS. Be sure to remove relevant
+files to reproduce error log on latest ROMs.
diff --git a/sepolicy/tracking_denials/bug_map b/sepolicy/tracking_denials/bug_map
new file mode 100644
index 0000000..a07f071
--- /dev/null
+++ b/sepolicy/tracking_denials/bug_map
@@ -0,0 +1,14 @@
+
+dump_display sysfs file b/322917055
+dumpstate image_processing_hal binder b/322916328
+dumpstate image_processing_server binder b/322916328
+hal_audio_default fwk_stats_service service_manager b/340369535
+hal_audio_default traced_producer_socket sock_file b/340369535
+hal_gnss_default vendor_gps_prop file b/318310869
+incidentd incidentd anon_inode b/322917075
+sctd sctd tcp_socket b/309550514
+sctd swcnd unix_stream_socket b/309550514
+sctd vendor_persist_config_default_prop file b/309550514
+spad spad unix_stream_socket b/309550905
+swcnd swcnd unix_stream_socket b/309551062
+shell sysfs_net file b/338347525
diff --git a/sepolicy/tracking_denials/certs/EuiccSupportPixel.x509.pem b/sepolicy/tracking_denials/certs/EuiccSupportPixel.x509.pem
new file mode 100644
index 0000000..d11ad3d
--- /dev/null
+++ b/sepolicy/tracking_denials/certs/EuiccSupportPixel.x509.pem
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIF2zCCA8OgAwIBAgIVAIFP2e+Gh4wn4YFsSI7fRB6AXjIsMA0GCSqGSIb3DQEBCwUAMH4xCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw +EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEaMBgGA1UEAxMRRXVpY2NTdXBw +b3J0UGl4ZWwwHhcNMTkwMjI4MTkyMjE4WhcNNDkwMjI4MTkyMjE4WjB+MQswCQYDVQQGEwJVUzET +MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29v +Z2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxGjAYBgNVBAMTEUV1aWNjU3VwcG9ydFBpeGVsMIIC +IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqklePqeltzqnyXVch9eJRXFBRQQIBIJWhcXb +WIP/kZ28ISnQ2SrZisdxqtvRIeInxb7lU1rRQDfqCFSp/vMZ3l25Ryn6OVLFP4bxV1vO797t7Ef/ +amYA1mFKBsD4KLaIGj0/2RpGesneCOb0jWl2yRgIO2Ez7Y4YgWU/IoickZDLp1u6/7e7E/Qq9OXK +aXvtBSzooGrYC7eyKn7O21FOfz5cQRo4BipjJqXG5Ez8Vi+m/dL1IFRZheYttEf3v390vBcb0oJ0 +oYPzLxmnb1LchjZC3yLAknRA0hNt8clvJ3tjXFjtzCGKsQsT4rnvvGFFABJTCf3EdEiwBNS5U4ho ++9+EtH7PpuoC+uVv2rLv/Gb7stlGQGx32KmK2CfKED3PdNqoT7WRx6nvVjCk3i7afdUcxQxcS9td +5r80CB1bQEhS2sWLWB21PJrfMugWUJO5Bwz6u0es8dP+4FAHojIaF6iwB5ZYIuHGcEaOviHm4jOK +rrGMlLqTwuEhq2aVIP55u7XRV98JLs2hlE5DJOWCIsPxybUDiddFvR+yzi/4FimsxJlEmaQAQcki +uJ9DceVP03StPzFJSDRlqa4yF6xkZW5piNoANQ4MyI67V2Qf8g/L1UPYAi4hUMxQGo7Clw2hBRag +ZTm65Xc7+ovBYxl5YaXAmNoJbss34Lw8tdrn4EECAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNV +HQ4EFgQU+hQdFrOGuCDI+bbebssw9TL5FcYwHwYDVR0jBBgwFoAU+hQdFrOGuCDI+bbebssw9TL5 +FcYwDQYJKoZIhvcNAQELBQADggIBAGmyZHXddei/zUUMowiyi/MTtqXf9hKDEN4zhAXkuiuHxqA9 +Ii0J1Sxz2dd5NkqMmtePKYFSGA884yVm1KAne/uoCWj57IK3jswiRYnKhXa293DxA/K9wY27IGbp +ulSuuxbpjjV2tqGUuoNQGKX7Oy6s0GcibyZFc+LpD7ttGk5QoLC9qQdpXZgUv/yG2B99ERSXLCaL +EWMNP/oVZQOCQGfsFM1fPLn3X0ZuCOQg9bljxFf3jTl+H6PIAhpCjKeeUQYLc41eQkCyR/f67aRB +GvO4YDpXLn9eH23B+26rjPyFiVtMJ/jJZ7UEPeJ3XBj1COS/X7p9gGRS5rtfr9z7XxuMxvG0JU9U +XA+bMfOOfCqflvw6IyUg+oxjBFIhgiP4fxna51+BqpctvB0OeRwUm6y4nN06AwqtD8SteQrEn0b0 +IDWOKlVeh0lJWrDDEHr55dXSF+CbOPUDmMxmGoulOEOy/qSWIQi8BfvdX+e88CmracNRYVffLuQj +pRYN3TeiCJd+6/X9/x1Q8VLW7vOAb6uRyE2lOjX40DYBxK3xSq6J7Vp38f6z0vtQm2sAAQ4xqqon 
+A9tB5p+nJlYHgSxXOZx3C13Rs/eMmiGCKkSpCTnGCgBC7PfJDdMK6SLw5Gn4oyGoZo4fXbADuHrU
+0JD1T1qdCm3aUSEmFgEA4rOL/0K3
+-----END CERTIFICATE-----
diff --git a/sepolicy/tracking_denials/certs/app.x509.pem b/sepolicy/tracking_denials/certs/app.x509.pem
new file mode 100644
index 0000000..8e3e627
--- /dev/null
+++ b/sepolicy/tracking_denials/certs/app.x509.pem
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEqDCCA5CgAwIBAgIJANWFuGx90071MA0GCSqGSIb3DQEBBAUAMIGUMQswCQYD +VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4g +VmlldzEQMA4GA1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UE +AxMHQW5kcm9pZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTAe +Fw0wODA0MTUyMzM2NTZaFw0zNTA5MDEyMzM2NTZaMIGUMQswCQYDVQQGEwJVUzET +MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4G +A1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9p +ZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTCCASAwDQYJKoZI +hvcNAQEBBQADggENADCCAQgCggEBANbOLggKv+IxTdGNs8/TGFy0PTP6DHThvbbR +24kT9ixcOd9W+EaBPWW+wPPKQmsHxajtWjmQwWfna8mZuSeJS48LIgAZlKkpFeVy +xW0qMBujb8X8ETrWy550NaFtI6t9+u7hZeTfHwqNvacKhp1RbE6dBRGWynwMVX8X +W8N1+UjFaq6GCJukT4qmpN2afb8sCjUigq0GuMwYXrFVee74bQgLHWGJwPmvmLHC +69EH6kWr22ijx4OKXlSIx2xT1AsSHee70w5iDBiK4aph27yH3TxkXy9V89TDdexA +cKk/cVHYNnDBapcavl7y0RiQ4biu8ymM8Ga/nmzhRKya6G0cGw8CAQOjgfwwgfkw +HQYDVR0OBBYEFI0cxb6VTEM8YYY6FbBMvAPyT+CyMIHJBgNVHSMEgcEwgb6AFI0c +xb6VTEM8YYY6FbBMvAPyT+CyoYGapIGXMIGUMQswCQYDVQQGEwJVUzETMBEGA1UE +CBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4GA1UEChMH +QW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9pZDEiMCAG +CSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbYIJANWFuGx90071MAwGA1Ud +EwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADggEBABnTDPEF+3iSP0wNfdIjIz1AlnrP +zgAIHVvXxunW7SBrDhEglQZBbKJEk5kT0mtKoOD1JMrSu1xuTKEBahWRbqHsXcla +XjoBADb0kkjVEJu/Lh5hgYZnOjvlba8Ld7HCKePCVePoTJBdI4fvugnL8TsgK05a +IskyY0hKI9L8KfqfGTl1lzOv2KoWD0KWwtAWPoGChZxmQ+nBli+gwYMzM1vAkP+a +ayLe0a1EQimlOalO762r0GXO0ks+UeXde2Z4e+8S/pf7pITEI/tP+MxJTALw9QUW +Ev9lKTk+jkbqxbsh8nfBUapfKqYn0eidpwq2AzVp3juYl7//fKnaPhJD9gs= +-----END CERTIFICATE----- diff --git a/sepolicy/tracking_denials/certs/camera_eng.x509.pem b/sepolicy/tracking_denials/certs/camera_eng.x509.pem new file mode 100644 index 0000000..011a9ec --- /dev/null +++ b/sepolicy/tracking_denials/certs/camera_eng.x509.pem 
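Review bot: Decoding the base64 in this hunk gives subject and issuer `CN=Android, emailAddress=android@android.com`, signed md5WithRSA, valid 2008-04-15 to 2035-09-01 — the shape of the publicly available AOSP test keys rather than a release signing key. If this file feeds a signer-to-seinfo mapping (mac_permissions) on shipping builds, any APK signed with that public key would obtain the mapped seinfo, so confirm it is swapped for the release certificate at build time; the consumer of `tracking_denials/certs/` is not in this chunk, so this is inferred from the path. `camera_eng.x509.pem` in the next hunk decodes to a self-signed `CN=Android Debug` DSA/SHA-1 certificate valid 2012-07-17 to 2022-07-15, i.e. a tooling debug keystore that has since expired, and raises the same question. A line in `tracking_denials/README.txt` naming each certificate's owner and purpose would make both reviewable.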
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICpzCCAmWgAwIBAgIEUAV8QjALBgcqhkjOOAQDBQAwNzELMAkGA1UEBhMCVVMx +EDAOBgNVBAoTB0FuZHJvaWQxFjAUBgNVBAMTDUFuZHJvaWQgRGVidWcwHhcNMTIw +NzE3MTQ1MjUwWhcNMjIwNzE1MTQ1MjUwWjA3MQswCQYDVQQGEwJVUzEQMA4GA1UE +ChMHQW5kcm9pZDEWMBQGA1UEAxMNQW5kcm9pZCBEZWJ1ZzCCAbcwggEsBgcqhkjO +OAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR ++1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb ++DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdg +UI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlX +TAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCj +rh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQB +TDv+z0kqA4GEAAKBgGrRG9fVZtJ69DnALkForP1FtL6FvJmMe5uOHHdUaT+MDUKK +pPzhEISBOEJPpozRMFJO7/bxNzhjgi+mNymL/k1GoLhmZe7wQRc5AQNbHIBqoxgY +DTA6qMyeWSPgam+r+nVoPEU7sgd3fPL958+xmxQwOBSqHfe0PVsiK1cGtIuUMAsG +ByqGSM44BAMFAAMvADAsAhQJ0tGwRwIptb7SkCZh0RLycMXmHQIUZ1ACBqeAULp4 +rscXTxYEf4Tqovc= +-----END CERTIFICATE----- diff --git a/sepolicy/tracking_denials/certs/camera_fishfood.x509.pem b/sepolicy/tracking_denials/certs/camera_fishfood.x509.pem new file mode 100644 index 0000000..fb11572 --- /dev/null +++ b/sepolicy/tracking_denials/certs/camera_fishfood.x509.pem 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICUjCCAbsCBEk0mH4wDQYJKoZIhvcNAQEEBQAwcDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQKEwtHb29n +bGUsIEluYzEUMBIGA1UECxMLR29vZ2xlLCBJbmMxEDAOBgNVBAMTB1Vua25vd24w +HhcNMDgxMjAyMDIwNzU4WhcNMzYwNDE5MDIwNzU4WjBwMQswCQYDVQQGEwJVUzEL +MAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dv +b2dsZSwgSW5jMRQwEgYDVQQLEwtHb29nbGUsIEluYzEQMA4GA1UEAxMHVW5rbm93 +bjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAn0gDGZD5sUcmOE4EU9GPjAu/ +jcd7JQSksSB8TGxEurwArcZhD6a2qy2oDjPy7vFrJqP2uFua+sqQn/u+s/TJT36B +IqeY4OunXO090in6c2X0FRZBWqnBYX3Vg84Zuuigu9iF/BeptL0mQIBRIarbk3fe +tAATOBQYiC7FIoL8WA0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQBAhmae1jHaQ4Td +0GHSJuBzuYzEuZ34teS+njy+l1Aeg98cb6lZwM5gXE/SrG0chM7eIEdsurGb6PIg +Ov93F61lLY/MiQcI0SFtqERXWSZJ4OnTxLtM9Y2hnbHU/EG8uVhPZOZfQQ0FKf1b +aIOMFB0Km9HbEZHLKg33kOoMsS2zpA== +-----END CERTIFICATE----- diff --git a/sepolicy/tracking_denials/certs/com_google_android_apps_camera_services.x509.pem b/sepolicy/tracking_denials/certs/com_google_android_apps_camera_services.x509.pem new file mode 100644 index 0000000..7b8c5b2 --- /dev/null +++ b/sepolicy/tracking_denials/certs/com_google_android_apps_camera_services.x509.pem 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIGCzCCA/OgAwIBAgIVAIHtywgrR7O/EgQ+PeYSfHDaUDt8MA0GCSqGSIb3DQEBCwUAMIGUMQsw +CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEU +MBIGA1UEChMLR29vZ2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxMDAuBgNVBAMMJ2NvbV9nb29n +bGVfYW5kcm9pZF9hcHBzX2NhbWVyYV9zZXJ2aWNlczAgFw0yMTA2MzAyMzI2MThaGA8yMDUxMDYz +MDIzMjYxOFowgZQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N +b3VudGFpbiBWaWV3MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEwMC4G +A1UEAwwnY29tX2dvb2dsZV9hbmRyb2lkX2FwcHNfY2FtZXJhX3NlcnZpY2VzMIICIjANBgkqhkiG +9w0BAQEFAAOCAg8AMIICCgKCAgEAof2MqYxoQkV05oUZULYlNLDIJKryWjC8ha300YUktBNNVBSP +1y33+ZTBldm7drcBGo54S1JE1lCIP1dMxby0rNTJ8/Zv2bMVMjXX0haF5vULt64itDcR0SqUDfFR +UsHapPVmRmMpDOMOUYUbN7gjU7iYAc9oWBo6BFfckdpwwKfzYY/sgieen1E/MN7Zpzmefct3WDU5 +4Dc8mpoNsen3oqquieYAgv9FOw5gCIgsDaOfYFBgvAE08Pqo3J/zU6dAuqUJztNH8EhgTNbcaNVL +jCmofa+iIAjSpmP69jcgaUyfmH0EE3/m55qouVRJzqARvmEO/M7LEr3n1ZKKhDZdO6TJysMzP9g8 +pONPO8/3hTQ+GP+7fOQooNQJEGNgJuZOHSyNL/8nGCgHBZKgZdZPKk8HV2M578UDf8yNyV5AYpx0 +VK1JdoBtNMzp0cv7Q6TTugIuDEzT3jmgGGp6WmXE6B9dJOq+cnVC7cSYva8wctFS3RpoqT79vkW3 +A7g2b26bM5GMQ8KcGC4qm4pJkrX5kKZWZGWXjm0F8gRJQ5D0S/AcUw3B+sG/AmfQzLm8SCK36HhO +sFnPsQJ/VdL7kg9HHWrQYVexNaQnD/QLOCenk09COUzSwexws+kQhUH45OSbQFjOJwPbS4YAn9qV +eV+DPlvemZEFYF5+MVlDwOGQ3JsCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtjMO +nlaC4nsk4PwT+fcIYpg52JQwHwYDVR0jBBgwFoAUtjMOnlaC4nsk4PwT+fcIYpg52JQwDQYJKoZI +hvcNAQELBQADggIBABhYDqPD2yWiXNCVtHk6h7Kb2H2U3rc8G7Or1/mwrXSCEgqHnCkpiWeb1h/5 +YNS9fRrexQD+O0hukCpjvIFccQvk8EkZdWpn4kDlrUqfakWpASzlwEqRviS31Hiybn/+QUpYuDTm +FYorrHzDzPiNttzxVK0ENt4T4ETDWVqiGB7tbTlLPr6tz/oxDjRH8y4iS/For7SkfdI512txJgDr +njvRVY9WJykySs+AAqwS1PIMXGoI03UmLJUsFNUjHehaqguPS1uiewlKiQq07blWbnQXdcyH7QTI +hOUPY2rRBh8ciXu4L0Uk4To7+DP/8nHSGC7qXPvP6W3gqW1hj0d6GviMEfJ9fBSUEzaCRF3aL/5e +JOGQQKxh7Jsl/zZs4+MYg0Q2cyg/BQVNNOhESG4et4OV5go9W+1oAy20FV0NgtdPoeb9ABNoi4T3 +IrKLgxOsbACpoDt3zPhncqiJhX3feFtyVV4oRiylydiiYO927qNdfMGmcnGFSG4814kUxSdpkoCA 
+V7WCQD42zfBYj4pkdZwiJW4yZSaPWN/Eodi3PBsV+10Y1O1WOvebJuTGmcvWWMCPGtFQJDijUy4H
+r8rDe3ZmRGQ+vEGPJZC8nx9+qxLQ314ZCzdS0R1HwRRuOji3fCSCnaPQuCFe3YlzhB2j6fRGNf7F
+DB17LhMLl0GxX9j1
+-----END CERTIFICATE-----
diff --git a/sepolicy/tracking_denials/con_monitor_app.te b/sepolicy/tracking_denials/con_monitor_app.te
new file mode 100644
index 0000000..e69de29
diff --git a/sepolicy/tracking_denials/dmd.te b/sepolicy/tracking_denials/dmd.te
new file mode 100644
index 0000000..ac62949
--- /dev/null
+++ b/sepolicy/tracking_denials/dmd.te
@@ -0,0 +1,2 @@
+# b/308381409
+dontaudit dmd servicemanager:binder { call };
diff --git a/sepolicy/tracking_denials/file.te b/sepolicy/tracking_denials/file.te
new file mode 100644
index 0000000..6a2f6b2
--- /dev/null
+++ b/sepolicy/tracking_denials/file.te
@@ -0,0 +1,14 @@
+# b/314035704
+# Data
+type per_boot_file, file_type, data_file_type, core_data_file_type;
+
+# sysfs
+type sysfs_bcmdhd, sysfs_type, fs_type;
+type sysfs_chargelevel, sysfs_type, fs_type;
+
+# mount FS
+allow proc_vendor_sched proc:filesystem associate;
+
+# Faceauth
+type sysfs_faceauth_rawimage_heap, sysfs_type, fs_type;
+
diff --git a/sepolicy/tracking_denials/file_contexts b/sepolicy/tracking_denials/file_contexts
new file mode 100644
index 0000000..3a629b2
--- /dev/null
+++ b/sepolicy/tracking_denials/file_contexts
@@ -0,0 +1,39 @@
+# b/314036372
+
+# Binaries
+/vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
+/vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0
+
+# Vendor Firmwares
+/vendor/lib64/arm\.mali\.platform-V1-ndk\.so u:object_r:same_process_hal_file:s0
+
+# Devices
+/dev/logbuffer_maxq u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg u:object_r:logbuffer_device:s0
+/dev/logbuffer_pca9468_tcpm u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_monitor u:object_r:logbuffer_device:s0
+/dev/logbuffer_wc68 u:object_r:logbuffer_device:s0
+/dev/logbuffer_ln8411 u:object_r:logbuffer_device:s0
+/dev/lwis-csi u:object_r:lwis_device:s0
+/dev/lwis-eeprom-gt24p64e-imentet u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-buraq u:object_r:lwis_device:s0
+/dev/lwis-g3aa u:object_r:lwis_device:s0
+/dev/lwis-ipp u:object_r:lwis_device:s0
+/dev/lwis-itp u:object_r:lwis_device:s0
+/dev/lwis-pdp u:object_r:lwis_device:s0
+/dev/lwis-scsc u:object_r:lwis_device:s0
+/dev/lwis-sensor-buraq u:object_r:lwis_device:s0
+/dev/lwis-sensor-lamassu u:object_r:lwis_device:s0
+/dev/dma_heap/faimg-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/famodel-secure u:object_r:faceauth_heap_device:s0
+/dev/uci u:object_r:uci_device:s0
+/dev/dma_heap/framebuffer-secure u:object_r:framebuffer_secure_heap_device:s0
+
+# Graphics
+/vendor/lib64/hw/vulkan\.mali\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/libGralloc4Wrapper\.so u:object_r:same_process_hal_file:s0
+
+# Data
+/data/nfc(/.*)? u:object_r:nfc_data_file:s0
+/data/per_boot(/.*)? u:object_r:per_boot_file:s0
diff --git a/sepolicy/tracking_denials/genfs_contexts b/sepolicy/tracking_denials/genfs_contexts
new file mode 100644
index 0000000..b28f508
--- /dev/null
+++ b/sepolicy/tracking_denials/genfs_contexts
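Review bot: The `/data/nfc(/.*)?` and `/data/per_boot(/.*)?` entries at the end of the hunk label platform-owned /data paths from vendor file_contexts; if the platform file_contexts already carries a `/data/nfc(/.*)?` specification, checkfc will report this one as a duplicate, and `per_boot_file` only resolves if the declaration in tracking_denials/file.te is the one the build uses, so confirm neither is already defined in system/sepolicy before keeping them here. Separately, `/vendor/lib64/arm\.mali\.platform-V1-ndk\.so` is a shared library but sits under `# Vendor Firmwares`; moving it under a `# Vendor libraries` heading matches how the rest of the commit groups the Mali libraries.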
@@ -0,0 +1,95 @@
+# b/314036370
+# Broadcom
+genfscon sysfs /module/bcmdhd4389 u:object_r:sysfs_bcmdhd:s0
+
+# GPU
+genfscon sysfs /devices/platform/28000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0
+genfscon sysfs /devices/platform/28000000.mali/power_policy u:object_r:sysfs_gpu:s0
+
+# sscoredump (per device)
+genfscon sysfs /devices/platform/bigocean/sscoredump/sscd_bigocean/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+
+# Thermal
+genfscon sysfs /devices/platform/100a0000.ISP u:object_r:sysfs_thermal:s0
+genfscon sysfs /thermal_zone14/mode u:object_r:sysfs_thermal:s0
+
+# Coresight ETM
+genfscon sysfs /devices/platform/2b840000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2b940000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2ba40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2bb40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2bc40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2bd40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2be40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2bf40000.etm u:object_r:sysfs_devices_cs_etm:s0
+
+# Devfreq current frequency
+genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/cur_freq u:object_r:sysfs_devfreq_cur:s0
+
+# debugfs
+genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0
+
+# Storage
+genfscon sysfs /devices/platform/13200000.ufs/hibern8_on_idle_enable u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0
+
+# Power ODPM
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/lpf_power u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/lpf_current u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/lpf_power u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/lpf_current u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+
+# Battery
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003b/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-0057/registers_dump u:object_r:sysfs_power_dump:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-006e/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-006e/registers_dump u:object_r:sysfs_power_dump:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-006e/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-006e/registers_dump u:object_r:sysfs_power_dump:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0057/registers_dump u:object_r:sysfs_power_dump:s0
+
+# wake up nodes
+genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-006e/power_supply/dc-mains/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003b/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003b/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003b/power_supply/wireless/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-0057/power_supply/dc-mains/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-006e/power_supply/dc-mains/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c1/11025/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c1/11025/power_supply/tcpmourcesy025/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c1/11025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c1/11036/power_supply/max77779fg/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c1/11069/power_supply/dc/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c1/11069/power_supply/mainharger/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/13120000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/17000000.aoc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/cpif/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soundoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+
+# USB-C throttling stats
+genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0
+genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0
+
+# Faceauth
+genfscon sysfs /sys/kernel/vendor_mm/gcma_heap/trusty:faceauth_rawimage_heap/max_usage_kb u:object_r:sysfs_faceauth_rawimage_heap:s0
+
diff --git a/sepolicy/tracking_denials/grilservice_app.te b/sepolicy/tracking_denials/grilservice_app.te
new file mode 100644
index 0000000..c4dc75e
--- /dev/null
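Review bot: The Faceauth entry `genfscon sysfs /sys/kernel/vendor_mm/gcma_heap/trusty:faceauth_rawimage_heap/max_usage_kb` carries a `/sys/` prefix, but genfscon paths are relative to the filesystem root, as every other sysfs entry in this hunk shows (`/devices/...`, `/module/...`); as written the rule never matches, the node keeps the generic sysfs label, and `sysfs_faceauth_rawimage_heap` is declared but unused. It should read `genfscon sysfs /kernel/vendor_mm/gcma_heap/trusty:faceauth_rawimage_heap/max_usage_kb u:object_r:sysfs_faceauth_rawimage_heap:s0`. The six wake-up entries under `10cb0000.hsi2c/i2c1/11025`, `i2c1/11036` and `i2c1/11069` (including `tcpmourcesy025` and `mainharger`) do not follow the `i2c-11/11-0025` form used for the same bus in the Battery block and look like mangled paths that would likewise never match, so verify them against the device's actual sysfs layout. `/thermal_zone14/mode` is also not rooted under `/devices` or `/class`; confirm it is reachable from the sysfs root.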
+++ b/sepolicy/tracking_denials/grilservice_app.te
@@ -0,0 +1,2 @@
+# b/312069580
+dontaudit grilservice_app hal_bluetooth_coexistence_service:service_manager { find };
diff --git a/sepolicy/tracking_denials/hal_audio_default.te b/sepolicy/tracking_denials/hal_audio_default.te
new file mode 100644
index 0000000..a2d3250
--- /dev/null
+++ b/sepolicy/tracking_denials/hal_audio_default.te
@@ -0,0 +1,2 @@
+# b/319399862
+dontaudit hal_audio_default bluetooth_prop:file { read };
diff --git a/sepolicy/tracking_denials/hal_bootctl_default.te b/sepolicy/tracking_denials/hal_bootctl_default.te
new file mode 100644
index 0000000..07eadb0
--- /dev/null
+++ b/sepolicy/tracking_denials/hal_bootctl_default.te
@@ -0,0 +1,2 @@
+# b/312373134
+dontaudit hal_bootctl_default hal_bootctl_default:capability { dac_override };
diff --git a/sepolicy/tracking_denials/hal_radioext_default.te b/sepolicy/tracking_denials/hal_radioext_default.te
new file mode 100644
index 0000000..7ea2914
--- /dev/null
+++ b/sepolicy/tracking_denials/hal_radioext_default.te
@@ -0,0 +1,2 @@
+# b/315105050
+dontaudit hal_radioext_default radio_vendor_data_file:file { ioctl };
diff --git a/sepolicy/tracking_denials/kernel.te b/sepolicy/tracking_denials/kernel.te
new file mode 100644
index 0000000..7a36039
--- /dev/null
+++ b/sepolicy/tracking_denials/kernel.te
@@ -0,0 +1,2 @@
+# b/308381222
+dontaudit kernel kernel:capability { net_bind_service };
diff --git a/sepolicy/tracking_denials/keys.conf b/sepolicy/tracking_denials/keys.conf
new file mode 100644
index 0000000..56f6721
--- /dev/null
+++ b/sepolicy/tracking_denials/keys.conf
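Review bot: `dontaudit hal_bootctl_default hal_bootctl_default:capability { dac_override };` silences a capability denial whose usual cause is a DAC mismatch (the daemon touching a file it does not own or lacks mode bits for) rather than a missing SELinux rule, so hiding it removes the only signal that the ownership problem still exists. The same applies to `dontaudit rebalance_interrupts_vendor rebalance_interrupts_vendor:capability { dac_override };` in tracking_denials/rebalance_interrupts_vendor.te further down. A comment naming the path that triggers the denial next to the bug id, e.g. `# b/312373134: dac_override on <PATH>; fix ownership, then drop this rule`, would keep the suppression reviewable and time-boxed.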
@@ -0,0 +1,14 @@ +[@GOOGLE] +ALL : device/google/zumapro-sepolicy/tracking_denials/certs/app.x509.pem + +[@CAMERAENG] +ALL : device/google/zumapro-sepolicy/tracking_denials/certs/camera_eng.x509.pem + +[@CAMERAFISHFOOD] +ALL : device/google/zumapro-sepolicy/tracking_denials/certs/camera_fishfood.x509.pem + +[@CAMERASERVICES] +ALL : device/google/zumapro-sepolicy/tracking_denials/certs/com_google_android_apps_camera_services.x509.pem + +[@EUICCSUPPORTPIXEL] +ALL : device/google/zumapro-sepolicy/tracking_denials/certs/EuiccSupportPixel.x509.pem diff --git a/sepolicy/tracking_denials/mac_permissions.xml b/sepolicy/tracking_denials/mac_permissions.xml new file mode 100644 index 0000000..c0c0cc9 --- /dev/null +++ b/sepolicy/tracking_denials/mac_permissions.xml @@ -0,0 +1,39 @@ + + + + + + + + + + + + + + + + + + + + + diff --git a/sepolicy/tracking_denials/modem_ml_svc_sit.te b/sepolicy/tracking_denials/modem_ml_svc_sit.te new file mode 100644 index 0000000..f517366 --- /dev/null +++ b/sepolicy/tracking_denials/modem_ml_svc_sit.te @@ -0,0 +1,2 @@ +# b/308381747 +dontaudit modem_ml_svc_sit statsdw_socket:sock_file { write }; diff --git a/sepolicy/tracking_denials/pixelntnservice_app.te b/sepolicy/tracking_denials/pixelntnservice_app.te new file mode 100644 index 0000000..bdc1ec9 --- /dev/null +++ b/sepolicy/tracking_denials/pixelntnservice_app.te @@ -0,0 +1,2 @@ +# b/316989258 +dontaudit pixelntnservice_app radio_service:service_manager { find }; diff --git a/sepolicy/tracking_denials/property.te b/sepolicy/tracking_denials/property.te new file mode 100644 index 0000000..c1a95d6 --- /dev/null +++ b/sepolicy/tracking_denials/property.te 
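Review bot: Every `ALL :` entry points at `device/google/zumapro-sepolicy/tracking_denials/certs/...`, while this commit adds the PEM files under `sepolicy/tracking_denials/certs/`; unless the project is checked out as `device/google/zumapro-sepolicy` with the `sepolicy/` level flattened away, the insertkeys step cannot resolve the certificates and the seinfo tags in mac_permissions.xml are left unsubstituted at build time. `EuiccSupportPixel.x509.pem` is also referenced but is not among the certificate files visible in this part of the diff; confirm it is added elsewhere in the change. Since several of the certificates have generic subjects, a comment above each tag stating which app and signer it belongs to would make the trust mapping auditable.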
@@ -0,0 +1,15 @@
+# b/314065301
+
+vendor_internal_prop(vendor_nfc_prop)
+vendor_internal_prop(vendor_battery_profile_prop)
+vendor_internal_prop(vendor_camera_fatp_prop)
+vendor_internal_prop(vendor_display_prop)
+
+# UWB calibration
+system_vendor_config_prop(vendor_uwb_calibration_prop)
+
+# Battery
+vendor_internal_prop(vendor_shutdown_prop)
+
+# Dynamic sensor
+vendor_internal_prop(vendor_dynamic_sensor_prop)
diff --git a/sepolicy/tracking_denials/property_contexts b/sepolicy/tracking_denials/property_contexts
new file mode 100644
index 0000000..b8d7fd3
--- /dev/null
+++ b/sepolicy/tracking_denials/property_contexts
@@ -0,0 +1,18 @@
+# b/314065298
+
+# for display
+ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0
+persist.vendor.display. u:object_r:vendor_display_prop:s0
+#uwb
+ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string
+# Camera
+persist.vendor.camera. u:object_r:vendor_camera_prop:s0
+vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0
+# Fingerprint
+vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0
+vendor.gf. u:object_r:vendor_fingerprint_prop:s0
+# Battery
+persist.vendor.shutdown. u:object_r:vendor_shutdown_prop:s0
+# Dynamic sensor
+vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0
+
diff --git a/sepolicy/tracking_denials/rebalance_interrupts_vendor.te b/sepolicy/tracking_denials/rebalance_interrupts_vendor.te
new file mode 100644
index 0000000..fa7f82b
--- /dev/null
+++ b/sepolicy/tracking_denials/rebalance_interrupts_vendor.te
@@ -0,0 +1,2 @@
+# b/308381263
+dontaudit rebalance_interrupts_vendor rebalance_interrupts_vendor:capability { dac_override };
diff --git a/sepolicy/tracking_denials/rfsd.te b/sepolicy/tracking_denials/rfsd.te
new file mode 100644
index 0000000..c3073fb
--- /dev/null
+++ b/sepolicy/tracking_denials/rfsd.te
@@ -0,0 +1,2 @@
+# b/317735109
+dontaudit rfsd vendor_cbd_prop:file { read };
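Review bot: `ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string` in property_contexts pairs a trailing-dot prefix with the `exact` match mode, so it only matches a property literally named `ro.vendor.uwb.calibration.` and leaves every `ro.vendor.uwb.calibration.<KEY>` unlabelled, falling to default_prop. Unless such a literal property exists, this should be `ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 prefix string` (or plain `prefix`, if the property checker rejects typed prefixes), or each calibration key should be listed with `exact`. An unlabelled property here would surface as exactly the kind of vendor_init default_prop denial that tracking_denials/vendor_init.te dontaudits later in this commit.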
diff --git a/sepolicy/tracking_denials/seapp_contexts b/sepolicy/tracking_denials/seapp_contexts
new file mode 100644
index 0000000..74fea00
--- /dev/null
+++ b/sepolicy/tracking_denials/seapp_contexts
@@ -0,0 +1,8 @@
+# Domain for EuiccSupportPixel
+user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
+
+# Domain for connectivity monitor
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+# CccDkTimeSyncService
+user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
diff --git a/sepolicy/tracking_denials/service.te b/sepolicy/tracking_denials/service.te
new file mode 100644
index 0000000..dd4f0a2
--- /dev/null
+++ b/sepolicy/tracking_denials/service.te
@@ -0,0 +1,2 @@
+# b/314080507
+type arm_mali_platform_service, app_api_service, service_manager_type;
diff --git a/sepolicy/tracking_denials/service_contexts b/sepolicy/tracking_denials/service_contexts
new file mode 100644
index 0000000..cde80dc
--- /dev/null
+++ b/sepolicy/tracking_denials/service_contexts
@@ -0,0 +1,2 @@
+# b/314080507
+arm.mali.platform.ICompression/default u:object_r:arm_mali_platform_service:s0
diff --git a/sepolicy/tracking_denials/shell.te b/sepolicy/tracking_denials/shell.te
new file mode 100644
index 0000000..729e8b0
--- /dev/null
+++ b/sepolicy/tracking_denials/shell.te
@@ -0,0 +1,2 @@
+# b/308381279
+dontaudit shell sysfs:file { getattr };
diff --git a/sepolicy/tracking_denials/system_server.te b/sepolicy/tracking_denials/system_server.te
new file mode 100644
index 0000000..3c9fb6b
--- /dev/null
+++ b/sepolicy/tracking_denials/system_server.te
@@ -0,0 +1,2 @@
+# b/317315498
+dontaudit system_server vendor_public_lib_file:dir { search };
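Review bot: The CccDkTimeSyncService entry `user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all` selects the domain on package name and priv-app status alone, with no `seinfo=`; the two entries above it pin a signing certificate via seinfo, and without one any priv-app installed under that package name, regardless of signer, lands in vendor_cccdktimesync_app and inherits its Bluetooth coexistence HAL access. Add the signer's tag, `user=_app isPrivApp=true seinfo=<TAG> name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all`, with `<TAG>` defined in mac_permissions.xml and keys.conf. If the build's seapp_contexts checker already rejects `name=` without `seinfo=`, this entry will also fail at build time.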
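Review bot: `type arm_mali_platform_service, app_api_service, service_manager_type;` in service.te puts the Mali platform compression service into `app_api_service`, which makes it discoverable by every app domain rather than only by the clients that need it; the commit separately adds `allow bootanim arm_mali_platform_service:service_manager find;` in vendor/bootanim.te, which suggests the intended consumers are known. If only specific domains need it, drop `app_api_service` and grant `find` to those domains explicitly. If apps genuinely must reach it, a comment next to the bug id recording which app and why would make the exposure deliberate rather than a tracking-denial leftover.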
diff --git a/sepolicy/tracking_denials/vendor_init.te b/sepolicy/tracking_denials/vendor_init.te
new file mode 100644
index 0000000..4846678
--- /dev/null
+++ b/sepolicy/tracking_denials/vendor_init.te
@@ -0,0 +1,5 @@
+# b/317316031
+dontaudit vendor_init debugfs_trace_marker:file { getattr };
+dontaudit vendor_init default_prop:property_service { set };
+# b/322035750
+dontaudit vendor_init vendor_gps_prop:property_service { set };
diff --git a/sepolicy/vendor/attributes b/sepolicy/vendor/attributes
new file mode 100644
index 0000000..7e6def7
--- /dev/null
+++ b/sepolicy/vendor/attributes
@@ -0,0 +1 @@
+attribute vendor_persist_type;
diff --git a/sepolicy/vendor/audioserver.te b/sepolicy/vendor/audioserver.te
new file mode 100644
index 0000000..a0466ed
--- /dev/null
+++ b/sepolicy/vendor/audioserver.te
@@ -0,0 +1,2 @@
+#allow access to ALSA MMAP FDs for AAudio API
+allow audioserver audio_device:chr_file r_file_perms;
diff --git a/sepolicy/vendor/bootanim.te b/sepolicy/vendor/bootanim.te
new file mode 100644
index 0000000..0289a4d
--- /dev/null
+++ b/sepolicy/vendor/bootanim.te
@@ -0,0 +1,2 @@
+allow bootanim arm_mali_platform_service:service_manager find;
+dontaudit bootanim system_data_file:dir { search };
diff --git a/sepolicy/vendor/cccdk_timesync_app.te b/sepolicy/vendor/cccdk_timesync_app.te
new file mode 100644
index 0000000..3948edc
--- /dev/null
+++ b/sepolicy/vendor/cccdk_timesync_app.te
@@ -0,0 +1,8 @@
+type vendor_cccdktimesync_app, domain;
+app_domain(vendor_cccdktimesync_app)
+
+allow vendor_cccdktimesync_app app_api_service:service_manager find;
+allow vendor_cccdktimesync_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+allow vendor_cccdktimesync_app hal_bluetooth_coexistence_service:service_manager find;
+
+binder_call(vendor_cccdktimesync_app, hal_bluetooth_btlinux)
diff --git a/sepolicy/vendor/charger_vendor.te b/sepolicy/vendor/charger_vendor.te
new file mode 100644
index 0000000..d992247
--- /dev/null
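Review bot: `dontaudit vendor_init default_prop:property_service { set };` hides the denial that signals an unlabelled property (one matched by no property_contexts entry); vendor_init still fails to set it, so the property is silently lost rather than fixed. The remedy is a property_contexts entry assigning the property a vendor-owned type, after which the dontaudit can be dropped; the same applies to `dontaudit charger_vendor default_prop:file r_file_perms;` in vendor/charger_vendor.te further down. At minimum the comment should record which property triggers it, e.g. `# b/317316031: <PROPERTY> is unlabelled; add it to property_contexts and remove this rule`.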
+++ b/sepolicy/vendor/charger_vendor.te
@@ -0,0 +1,7 @@
+# charger_vendor for battery in off-mode charging
+allow charger_vendor mnt_vendor_file:dir search;
+allow charger_vendor persist_file:dir search;
+allow charger_vendor sysfs_batteryinfo:file w_file_perms;
+allow charger_vendor sysfs_scsi_devices_0000:file r_file_perms;
+dontaudit charger_vendor default_prop:file r_file_perms;
+set_prop(charger_vendor, vendor_battery_defender_prop)
diff --git a/sepolicy/vendor/chre.te b/sepolicy/vendor/chre.te
new file mode 100644
index 0000000..c4298ab
--- /dev/null
+++ b/sepolicy/vendor/chre.te
@@ -0,0 +1,24 @@
+type chre, domain;
+type chre_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(chre)
+
+# Permit communication with AoC
+allow chre aoc_device:chr_file rw_file_perms;
+
+# Allow CHRE to determine AoC's current clock
+allow chre sysfs_aoc:dir search;
+allow chre sysfs_aoc_boottime:file r_file_perms;
+
+# Allow CHRE to create thread to watch AOC's device
+allow chre device:dir r_dir_perms;
+
+# Allow CHRE to write to data to chre data directory
+allow chre chre_data_file:dir create_dir_perms;
+allow chre chre_data_file:file create_file_perms;
+
+# Allow CHRE to use WakeLock
+wakelock_use(chre)
+
+# Allow CHRE host to talk to stats service
+allow chre fwk_stats_service:service_manager find;
+binder_call(chre, stats_service_server)
diff --git a/sepolicy/vendor/con_monitor_app.te b/sepolicy/vendor/con_monitor_app.te
new file mode 100644
index 0000000..2fffbb5
--- /dev/null
+++ b/sepolicy/vendor/con_monitor_app.te
@@ -0,0 +1,11 @@
+# ConnectivityMonitor app
+type con_monitor_app, domain;
+app_domain(con_monitor_app);
+
+allow con_monitor_app app_api_service:service_manager find;
+allow con_monitor_app batterystats_service:service_manager find;
+allow con_monitor_app virtual_device_service:service_manager find;
+
+binder_call(con_monitor_app, servicemanager);
+
+set_prop(con_monitor_app, radio_prop);
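Review bot: `app_domain(con_monitor_app);`, `binder_call(con_monitor_app, servicemanager);` and `set_prop(con_monitor_app, radio_prop);` in con_monitor_app.te carry a trailing `;` after an m4 macro call; the macro already expands to complete statements, so the semicolon is at best a stray empty statement and is inconsistent with every other macro use in this commit (`app_domain(vendor_cccdktimesync_app)`, `set_prop(charger_vendor, vendor_battery_defender_prop)`). Drop the three semicolons. The `set_prop` on radio_prop also deserves a one-line comment explaining why a connectivity monitor needs to write a platform-owned radio property.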
diff --git a/sepolicy/vendor/debug_camera_app.te b/sepolicy/vendor/debug_camera_app.te
new file mode 100644
index 0000000..ddc4337
--- /dev/null
+++ b/sepolicy/vendor/debug_camera_app.te
@@ -0,0 +1,4 @@
+userdebug_or_eng(`
+    # Allows GCA_Eng & GCA-Next to access the hw_jpeg /dev/video12.
+    allow debug_camera_app hw_jpg_device:chr_file rw_file_perms;
+')
\ No newline at end of file
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
new file mode 100644
index 0000000..10aff49
--- /dev/null
+++ b/sepolicy/vendor/device.te
@@ -0,0 +1,4 @@
+type lwis_device, dev_type;
+type tee_persist_block_device, dev_type;
+type tee_userdata_block_device, dev_type;
+type hw_jpg_device, dev_type, mlstrustedobject;
diff --git a/sepolicy/vendor/disable-contaminant-detection-sh.te b/sepolicy/vendor/disable-contaminant-detection-sh.te
new file mode 100644
index 0000000..95845a1
--- /dev/null
+++ b/sepolicy/vendor/disable-contaminant-detection-sh.te
@@ -0,0 +1,7 @@
+type disable-contaminant-detection-sh, domain;
+type disable-contaminant-detection-sh_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(disable-contaminant-detection-sh)
+
+allow disable-contaminant-detection-sh vendor_toolbox_exec:file execute_no_trans;
+allow disable-contaminant-detection-sh sysfs_batteryinfo:dir r_dir_perms;
+allow disable-contaminant-detection-sh sysfs_batteryinfo:file rw_file_perms;
diff --git a/sepolicy/vendor/dump_gsa.te b/sepolicy/vendor/dump_gsa.te
new file mode 100644
index 0000000..8cd230b
--- /dev/null
+++ b/sepolicy/vendor/dump_gsa.te
@@ -0,0 +1,6 @@
+pixel_bugreport(dump_gsa)
+
+userdebug_or_eng(`
+    allow dump_gsa vendor_toolbox_exec:file execute_no_trans;
+    allow dump_gsa sysfs_gsa_log:file r_file_perms;
+')
diff --git a/sepolicy/vendor/dump_power.te b/sepolicy/vendor/dump_power.te
new file mode 100644
index 0000000..7c836ea
--- /dev/null
+++ b/sepolicy/vendor/dump_power.te
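Review bot: `type hw_jpg_device, dev_type, mlstrustedobject;` in device.te grants the JPEG encoder node MLS-trusted status unconditionally, letting domains at any MLS level (including app categories) bypass the level constraints on it, while the only consumer this commit adds for it, `debug_camera_app` in vendor/debug_camera_app.te, is wrapped in `userdebug_or_eng`. If no production domain needs cross-level access, declare `type hw_jpg_device, dev_type;` and move `typeattribute hw_jpg_device mlstrustedobject;` into a `userdebug_or_eng` block so user builds do not carry the exemption. Otherwise a comment naming the production client that requires it would document the exposure.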
@@ -0,0 +1,41 @@
+pixel_bugreport(dump_power)
+
+allow dump_power vendor_toolbox_exec:file execute_no_trans;
+allow dump_power sysfs_acpm_stats:dir r_dir_perms;
+allow dump_power sysfs_acpm_stats:file r_file_perms;
+allow dump_power sysfs_cpu:file r_file_perms;
+allow dump_power sysfs_bcl:dir r_dir_perms;
+allow dump_power sysfs_bcl:file r_file_perms;
+allow dump_power sysfs_odpm:dir r_dir_perms;
+allow dump_power sysfs_odpm:file r_file_perms;
+allow dump_power logbuffer_device:chr_file r_file_perms;
+allow dump_power sysfs_batteryinfo:dir r_dir_perms;
+allow dump_power sysfs_batteryinfo:file r_file_perms;
+allow dump_power sysfs_wlc:dir search;
+allow dump_power sysfs_wlc:file r_file_perms;
+allow dump_power sysfs_power_dump:file r_file_perms;
+allow dump_power mitigation_vendor_data_file:dir rw_dir_perms;
+allow dump_power mitigation_vendor_data_file:file create_file_perms;
+allow dump_power mnt_vendor_file:dir search;
+allow dump_power persist_file:dir search;
+allow dump_power persist_battery_file:dir r_dir_perms;
+allow dump_power persist_battery_file:file r_file_perms;
+allow dump_power vendor_shell_exec:file execute_no_trans;
+allow dump_power battery_mitigation_exec:file execute_no_trans;
+allow dump_power sysfs_iio_devices:dir search;
+
+userdebug_or_eng(`
+    allow dump_power debugfs:dir r_dir_perms;
+    allow dump_power vendor_battery_debugfs:dir r_dir_perms;
+    allow dump_power vendor_battery_debugfs:file r_file_perms;
+    allow dump_power vendor_pm_genpd_debugfs:file r_file_perms;
+    allow dump_power vendor_charger_debugfs:dir r_dir_perms;
+    allow dump_power vendor_charger_debugfs:file r_file_perms;
+    allow dump_power vendor_usb_debugfs:dir r_dir_perms;
+    allow dump_power vendor_votable_debugfs:dir r_dir_perms;
+    allow dump_power vendor_votable_debugfs:file r_file_perms;
+    allow dump_power vendor_maxfg_debugfs:dir r_dir_perms;
+    allow dump_power vendor_maxfg_debugfs:file r_file_perms;
+    allow dump_power self:lockdown integrity;
+')
+
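Review bot: `allow dump_power battery_mitigation_exec:file execute_no_trans;` runs the battery-mitigation binary inside the dump_power domain instead of transitioning to its own, and together with `allow dump_power mitigation_vendor_data_file:dir rw_dir_perms;` and `allow dump_power mitigation_vendor_data_file:file create_file_perms;` this gives a bugreport collector the ability to execute that daemon's code and create or modify its data files, which is broader than reading existing output requires. If dump_power only needs to read mitigation logs, reduce the data-file rules to `r_dir_perms` and `r_file_perms` and drop the exec rule; if it genuinely must invoke the binary, a comment explaining why no domain transition is used would help the next reviewer. `allow dump_power self:lockdown integrity;` in the userdebug_or_eng block is likewise undocumented; note which debugfs write it exists for.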
diff --git a/sepolicy/vendor/dumpstate.te b/sepolicy/vendor/dumpstate.te
new file mode 100644
index 0000000..dc0f6c9
--- /dev/null
+++ b/sepolicy/vendor/dumpstate.te
@@ -0,0 +1,14 @@
+# allow HWC to output to dumpstate via pipe fd
+dump_hal(hal_graphics_composer)
+
+dump_hal(hal_health)
+
+dump_hal(hal_telephony)
+
+dump_hal(hal_confirmationui)
+
+binder_call(dumpstate, hal_wireless_charger)
+
+dump_hal(hal_uwb)
+
+dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
diff --git a/sepolicy/vendor/e2fs.te b/sepolicy/vendor/e2fs.te
new file mode 100644
index 0000000..3e72adf
--- /dev/null
+++ b/sepolicy/vendor/e2fs.te
@@ -0,0 +1,8 @@
+allow e2fs persist_block_device:blk_file rw_file_perms;
+allow e2fs efs_block_device:blk_file rw_file_perms;
+allow e2fs modem_userdata_block_device:blk_file rw_file_perms;
+allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl {
+    BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+};
+allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms;
+allow e2fs sysfs_scsi_devices_0000:file r_file_perms;
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
new file mode 100644
index 0000000..cbe1e35
--- /dev/null
+++ b/sepolicy/vendor/file.te
@@ -0,0 +1,69 @@
+# persist
+type persist_uwb_file, file_type, vendor_persist_type;
+type persist_ss_file, file_type, vendor_persist_type;
+type persist_display_file, file_type, vendor_persist_type;
+type persist_battery_file, file_type, vendor_persist_type;
+type persist_camera_file, file_type, vendor_persist_type;
+type persist_fingerprint_file, file_type, vendor_persist_type;
+
+#sysfs
+type sysfs_pca, sysfs_type, fs_type;
+type bootdevice_sysdev, dev_type;
+type sysfs_wifi, sysfs_type, fs_type;
+type sysfs_camera, sysfs_type, fs_type;
+type sysfs_power_dump, sysfs_type, fs_type;
+type sysfs_acpm_stats, sysfs_type, fs_type;
+type sysfs_write_leds, sysfs_type, fs_type;
+type sysfs_fabric, sysfs_type, fs_type;
+type sysfs_em_profile, sysfs_type, fs_type;
+type sysfs_ospm, sysfs_type, fs_type;
+
+# debugfs
+type vendor_regmap_debugfs, fs_type, debugfs_type;
+type vendor_usb_debugfs, fs_type, debugfs_type;
+type vendor_charger_debugfs, fs_type, debugfs_type;
+type vendor_votable_debugfs, fs_type, debugfs_type;
+type vendor_battery_debugfs, fs_type, debugfs_type;
+type vendor_pm_genpd_debugfs, fs_type, debugfs_type;
+type vendor_maxfg_debugfs, fs_type, debugfs_type;
+
+# Data
+type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
+type uwb_data_vendor, file_type, data_file_type;
+type updated_wifi_firmware_data_file, file_type, data_file_type;
+type vendor_misc_data_file, file_type, data_file_type;
+type powerstats_vendor_data_file, file_type, data_file_type;
+type chre_data_file, file_type, data_file_type;
+type vendor_fingerprint_data_file, file_type, data_file_type;
+
+# Storage Health HAL
+type proc_f2fs, proc_type, fs_type;
+
+# Vendor tools
+type vendor_dumpsys, vendor_file_type, file_type;
+
+# USB-C throttling stats
+type sysfs_usbc_throttling_stats, sysfs_type, fs_type;
+
+# Trusty
+type sysfs_trusty, sysfs_type, fs_type;
+
+# mount FS
+allow bootdevice_sysdev sysfs:filesystem associate;
+
+# WLC
+type sysfs_wlc, sysfs_type, fs_type;
+
+# CHRE
+type chre_socket, file_type;
+
+# BT
+type vendor_bt_data_file, file_type, data_file_type;
+
+# Vendor sched files
+userdebug_or_eng(`
+    typeattribute proc_vendor_sched mlstrustedobject;
+')
+
+# GSA
+type sysfs_gsa_log, sysfs_type, fs_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
new file mode 100644
index 0000000..8af27f9
--- /dev/null
+++ b/sepolicy/vendor/file_contexts
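Review bot: `type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;` adds `app_data_file_type` to a vendor data type; that attribute is, to my knowledge, meant for per-app private data and pulls the type under the platform's app-data neverallows and MLS handling, so a comment stating why a UWB vendor directory needs it (and which app reads or writes it) would keep this from looking accidental. Two style nits in the same hunk: `uwb_data_vendor` and `uwb_vendor_data_file` are two UWB data types with opposite naming orders, and `#sysfs` lacks the space used by every other section heading (`# debugfs`, `# Data`).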
@@ -0,0 +1,176 @@
+# Binaries
+/vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
+/vendor/bin/init_uwb_calib u:object_r:vendor_uwb_init_exec:s0
+/vendor/bin/dump/dump_power u:object_r:dump_power_exec:s0
+/vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0
+/vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0
+/vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0
+/vendor/bin/hw/android\.hardware\.gatekeeper-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
+/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
+/vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0
+/vendor/bin/hw/android\.hardware\.health-service\.zumapro u:object_r:hal_health_default_exec:s0
+/vendor/bin/hw/android\.hardware\.power\.stats-service\.pixel u:object_r:hal_power_stats_default_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element-service\.thales u:object_r:hal_secure_element_st54spi_aidl_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element-service.uicc u:object_r:hal_secure_element_uicc_exec:s0
+/vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0
+/vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0
+/vendor/bin/dump/dump_gsa\.sh u:object_r:dump_gsa_exec:s0
+/vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0
+/vendor/bin/storageproxyd u:object_r:tee_exec:s0
+/vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0
+/vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0
+/vendor/bin/chre u:object_r:chre_exec:s0
+/vendor/bin/hw/android\.hardware\.security\.keymint-service\.rust\.trusty u:object_r:hal_keymint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.security\.secretkeeper\.trusty u:object_r:hal_secretkeeper_default_exec:s0
+/vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0
+/vendor/bin/hw/qfp-daemon u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0
+
+# Vendor libraries
+/vendor/lib64/libdrm\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/libion_google\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/libOpenCL-pixel\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/libOpenCL\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/lib_jpg_encoder\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/libhwjpeg\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/pixel-power-ext-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/libprotobuf-cpp-lite-(\d+\.){2,3}so u:object_r:same_process_hal_file:s0
+/vendor/lib64/libgpudataproducer\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/hw/mapper\.pixel\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/arm\.mali\.platform-V2-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/hw/vulkan\.pastel\.so u:object_r:same_process_hal_file:s0
+
+# Vendor Firmwares
+/vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
+
+# persist
+/mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0
+/mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0
+/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
+/mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0
+/mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0
+/mnt/vendor/persist/qti_fp(/.*)? u:object_r:persist_fingerprint_file:s0
+
+# Bluetooth
+/dev/ttySAC18 u:object_r:hci_attach_dev:s0
+/dev/logbuffer_btlpm u:object_r:logbuffer_device:s0
+/dev/logbuffer_tty18 u:object_r:logbuffer_device:s0
+
+# Devices
+/dev/logbuffer_maxfg_base u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_secondary u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_secondary_monitor u:object_r:logbuffer_device:s0
+/dev/logbuffer_tcpm u:object_r:logbuffer_device:s0
+/dev/logbuffer_usbpd u:object_r:logbuffer_device:s0
+/dev/logbuffer_pogo_transport u:object_r:logbuffer_device:s0
+/dev/ttySAC0 u:object_r:tty_device:s0
+/dev/bigwave u:object_r:video_device:s0
+/dev/watchdog0 u:object_r:watchdog_device:s0
+/dev/dri/card0 u:object_r:graphics_device:s0
+/dev/fimg2d u:object_r:graphics_device:s0
+/dev/g2d u:object_r:graphics_device:s0
+/dev/st21nfc u:object_r:nfc_device:s0
+/dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0
+/dev/socket/chre u:object_r:chre_socket:s0
+/dev/battery_history u:object_r:battery_history_device:s0
+/dev/maxfg_history u:object_r:battery_history_device:s0
+/dev/bbd_pwrstat u:object_r:power_stats_device:s0
+/dev/edgetpu-soc u:object_r:edgetpu_device:s0
+/dev/block/sda u:object_r:sda_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/persist u:object_r:persist_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/efs u:object_r:efs_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/init_boot_[ab] u:object_r:boot_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/dtbo_[ab] u:object_r:dtbo_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/gsa_bl1_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/gcf_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/mfg_data u:object_r:mfg_data_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/misc u:object_r:misc_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/pvmfw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/super u:object_r:super_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/trusty_persist u:object_r:tee_persist_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/trusty_userdata u:object_r:tee_userdata_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/vendor_kernel_boot_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/ufs_internal u:object_r:ufs_internal_block_device:s0
+/dev/gxp u:object_r:gxp_device:s0
+/dev/mali0 u:object_r:gpu_device:s0
+/dev/logbuffer_ssoc u:object_r:logbuffer_device:s0
+/dev/logbuffer_wireless u:object_r:logbuffer_device:s0
+/dev/logbuffer_ttf u:object_r:logbuffer_device:s0
+/dev/logbuffer_rtx u:object_r:logbuffer_device:s0
+/dev/logbuffer_max77779fg u:object_r:logbuffer_device:s0
+/dev/logbuffer_pca9468 u:object_r:logbuffer_device:s0
+/dev/logbuffer_cpm u:object_r:logbuffer_device:s0
+/dev/logbuffer_cpif u:object_r:logbuffer_device:s0
+/dev/logbuffer_max77779fg_monitor u:object_r:logbuffer_device:s0
+/dev/logbuffer_bd u:object_r:logbuffer_device:s0
+/dev/logbuffer_max77779_fwupdate u:object_r:logbuffer_device:s0
+/dev/lwis-be-core u:object_r:lwis_device:s0
+/dev/lwis-dpm u:object_r:lwis_device:s0
+/dev/lwis-gdc0 u:object_r:lwis_device:s0
+/dev/lwis-gdc1 u:object_r:lwis_device:s0
+/dev/lwis-gse u:object_r:lwis_device:s0
+/dev/lwis-gtnr-align u:object_r:lwis_device:s0
+/dev/lwis-gtnr-merge u:object_r:lwis_device:s0
+/dev/lwis-isp-fe u:object_r:lwis_device:s0
+/dev/lwis-lme u:object_r:lwis_device:s0
+/dev/lwis-mcsc u:object_r:lwis_device:s0
+/dev/lwis-slc u:object_r:lwis_device:s0
+/dev/lwis-top u:object_r:lwis_device:s0
+/dev/ispolin_ranging u:object_r:lwis_device:s0
+/dev/lwis-votf u:object_r:lwis_device:s0
+/dev/st54spi u:object_r:st54spi_device:s0
+/dev/trusty-ipc-dev0 u:object_r:tee_device:s0
+/dev/dma_heap/sensor_direct_heap u:object_r:sensor_direct_heap_device:s0
+/dev/dma_heap/faceauth_dsp-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/faceauth_tpu-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/faprev-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/vframe-secure u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/vscaler-secure u:object_r:vscaler_secure_heap_device:s0
+/dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/gcma_camera u:object_r:gcma_camera_heap_device:s0
+/dev/dma_heap/gcma_camera-uncached u:object_r:gcma_camera_heap_device:s0
+/dev/qbt_ipc u:object_r:fingerprint_device:s0
+/dev/qbt_fd u:object_r:fingerprint_device:s0
+/dev/goodix_fp u:object_r:fingerprint_device:s0
+/dev/video12 u:object_r:hw_jpg_device:s0
+
+# Data
+/data/vendor/ss(/.*)? u:object_r:tee_data_file:s0
+/data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0
+/data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0
+/data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0
+/data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0
+/data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0
+/data/vendor/chre(/.*)? u:object_r:chre_data_file:s0
+/data/vendor/misc/qti_fp(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/fingerprint(/.*)? u:object_r:fingerprint_vendor_data_file:s0
diff --git a/sepolicy/vendor/fsck.te b/sepolicy/vendor/fsck.te
new file mode 100644
index 0000000..cb9470d
--- /dev/null
+++ b/sepolicy/vendor/fsck.te
@@ -0,0 +1,5 @@
+allow fsck persist_block_device:blk_file rw_file_perms;
+allow fsck efs_block_device:blk_file rw_file_perms;
+allow fsck modem_userdata_block_device:blk_file rw_file_perms;
+allow fsck sysfs_scsi_devices_0000:dir r_dir_perms;
+allow fsck sysfs_scsi_devices_0000:file r_file_perms;
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
new file mode 100644
index 0000000..5bc0605
--- /dev/null
+++ b/sepolicy/vendor/genfs_contexts
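Review bot: The UICC secure-element entry in the Binaries section is the one path whose final dot is left unescaped: `/vendor/bin/hw/android\.hardware\.secure_element-service.uicc`. file_contexts entries are regular expressions, so that bare `.` matches any single character instead of a literal dot; it still labels the real binary, but it is inconsistent with every neighbouring entry and widens what can receive the `hal_secure_element_uicc_exec` label. Change it to `/vendor/bin/hw/android\.hardware\.secure_element-service\.uicc u:object_r:hal_secure_element_uicc_exec:s0`. Separately, `vbmeta_[ab]`, `vbmeta_system_[ab]` and `vbmeta_vendor_[ab]` share `custom_ab_block_device` with the bootloader stages (abl, bl1, bl2, bl31, pbl, tzsw, gsa, ldfw, pvmfw), so any domain granted write on that single type can also rewrite the AVB metadata; presumably that is intended for the A/B updater, but a comment saying so next to the block-device group would help the next audit.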
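Review bot: Nothing in this new file records why fsck needs read-write access to `efs_block_device` and `modem_userdata_block_device`, which is exactly the kind of grant a later reviewer will want to trace back to a mount entry. A short header would settle it, e.g. `# Partitions fsck is run on at boot (presumably via fstab check/mount flags): persist, efs/efs_backup, modem_userdata` and `# sysfs_scsi_devices_0000: read-only access to the UFS host attributes fsck consults` — the second reason is my inference from the rules and should be confirmed against the fstab. If any of these partitions is not actually checked at boot, the corresponding rule can be dropped rather than documented.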
@@ -0,0 +1,464 @@ +# SOC +genfscon sysfs /devices/soc0/machine u:object_r:sysfs_soc:s0 +genfscon sysfs /devices/soc0/revision u:object_r:sysfs_soc:s0 + +# disable contaminant detection +genfscon sysfs /devices/platform/108d0000.hsi2c u:object_r:sysfs_batteryinfo:s0 + +# Battery +genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-006e/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-006e/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0025/typec u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/typec u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/google,cpm u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/maxim,max77779fwu u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0025/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0036/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0069/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0066/name u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0066/registers_dump u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0069/name u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0069/registers_dump u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0066/name u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0066/registers_dump u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs 
/devices/platform/10cb0000.hsi2c/i2c-11/11-0069/name u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/registers_dump u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-003b/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0057/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0057/registers_dump u:object_r:sysfs_power_dump:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /class/power_supply/wireless/device/version u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /class/power_supply/wireless/device/status u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /class/power_supply/wireless/device/fw_rev u:object_r:sysfs_batteryinfo:s0 + + +# debugfs +genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0 +genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0 +genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0 +genfscon debugfs /max77729_pmic u:object_r:vendor_charger_debugfs:s0 +genfscon debugfs /max77759_chg u:object_r:vendor_charger_debugfs:s0 +genfscon debugfs /max77779_chg u:object_r:vendor_charger_debugfs:s0 +genfscon debugfs /max77779_pmic u:object_r:vendor_charger_debugfs:s0 +genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0 +genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0 +genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0 +genfscon debugfs /max77779fg u:object_r:vendor_maxfg_debugfs:s0 +genfscon debugfs /maxfg_base u:object_r:vendor_maxfg_debugfs:s0 +genfscon debugfs /maxfg_secondary u:object_r:vendor_maxfg_debugfs:s0 + +# GPU +genfscon sysfs /devices/platform/1f000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1f000000.mali/hint_power_on u:object_r:sysfs_gpu:s0 +genfscon sysfs 
/devices/platform/1f000000.mali/dma_buf_gpu_mem u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1f000000.mali/total_gpu_mem u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1f000000.mali/kprcs u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1f000000.mali/dvfs_period u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1f000000.mali/available_frequencies u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1f000000.mali/cur_freq u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1f000000.mali/capacity_headroom u:object_r:sysfs_gpu:s0 + +# Haptics +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-0043 u:object_r:sysfs_vibrator:s0 + +# wake up nodes +genfscon sysfs /devices/platform/10870000.uart/tty/ttySAC0/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0025/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0025/power_supply/tcpm-source-psy-6-0025/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0025/power_supply/tcpm-source-psy-6-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0025/power_supply/tcpm-source-psy-i2c-max77759tcpc/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0025/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0025/power_supply/usb/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0066/max77779-pmic-irq.2.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/108d0000.hsi2c/i2c-6/6-0036/power_supply/max77779fg/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0036/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0036/power_supply/max77779fg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0069/power_supply/dc/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0069/power_supply/main-charger/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-0008/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0069/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-0008/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-003b/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-003b/power_supply/wireless/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-003b/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply/wireless/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/wakeup 
u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-005b/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-005b/power_supply/rt9471/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-005b/power_supply/rt9471/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-005b/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0057/power_supply/dc-mains/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-006e/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/usb/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.8.auto/usb1 u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.8.auto/usb2 u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.8.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/12100000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/12100000.pcie/pci0000:00/0000:00:00.0/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/13120000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/13120000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/13120000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup 
u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/13120000.pcie/pci0001:00/0001:00:00.0/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/155d0000.serial/tty/ttySAC18/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000000.aoc/com.google.bt.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000000.aoc/com.google.bt/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000000.aoc/com.google.chre.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000000.aoc/com.google.chre/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000000.aoc/com.google.usf.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-rtc/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,battery/power_supply/battery/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/gpio_keys/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/gpio_keys/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/odm/odm:btbcm/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/odm/odm:qcom,qbt-handler/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/sound-aoc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/wakeup/ u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/wakeup/ u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/gnssif/wakeup u:object_r:sysfs_wakeup:s0 + +# WiFi +genfscon sysfs /wifi u:object_r:sysfs_wifi:s0 + +# OSPM +genfscon sysfs /devices/platform/cpupm/cpupm/cpd_cl1_target_residency u:object_r:sysfs_ospm:s0 +genfscon sysfs /devices/platform/cpupm/cpupm/cpd_cl2_target_residency u:object_r:sysfs_ospm:s0 + +# Power ODPM +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_power0_scale 
u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_power1_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_power2_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_power3_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_power4_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_power5_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_power6_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_power7_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_power8_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_power9_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_power10_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_power11_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_power0_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_power1_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_power2_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_power3_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_power4_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_power5_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_power6_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_power7_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_power8_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_power9_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_power10_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_power11_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_current0_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_current1_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_current2_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_current3_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_current4_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_current5_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_current6_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_current7_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_current8_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_current9_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_current10_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_current11_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_current0_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_current1_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_current2_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_current3_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_current4_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_current5_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_current6_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_current7_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_current8_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_current9_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_current10_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_current11_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/in_power0_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/in_power1_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/in_power2_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/in_power3_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/in_power4_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/in_power5_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/in_power6_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/in_power7_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/in_power8_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/in_power9_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/in_power10_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/in_power11_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/in_power0_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/in_power1_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/in_power2_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/in_power3_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/in_power4_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/in_power5_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/in_power6_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/in_power7_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/in_power8_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/in_power9_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/in_power10_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/in_power11_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/in_current0_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/in_current1_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/in_current2_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/in_current3_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/in_current4_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/in_current5_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/in_current6_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/in_current7_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/in_current8_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/in_current9_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/in_current10_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/in_current11_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/in_current0_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/in_current1_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/in_current2_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/in_current3_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/in_current4_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/in_current5_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/in_current6_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/in_current7_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/in_current8_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/in_current9_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/in_current10_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/in_current11_scale u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/lpf_power u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/lpf_current u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/lpf_power u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/lpf_current u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
+
+# Fabric
+genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq u:object_r:sysfs_fabric:s0
+genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/min_freq u:object_r:sysfs_fabric:s0
+genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/interactive/target_load u:object_r:sysfs_fabric:s0
+genfscon sysfs /devices/platform/17000090.devfreq_dsu/devfreq/17000090.devfreq_dsu/min_freq u:object_r:sysfs_fabric:s0
+genfscon sysfs /devices/platform/170000a0.devfreq_bci/devfreq/170000a0.devfreq_bci/min_freq u:object_r:sysfs_fabric:s0
+genfscon sysfs /devices/platform/17000090.devfreq_dsu/devfreq/17000090.devfreq_dsu/max_freq u:object_r:sysfs_fabric:s0
+genfscon sysfs /devices/platform/170000a0.devfreq_bci/devfreq/170000a0.devfreq_bci/max_freq u:object_r:sysfs_fabric:s0
+
+# Sscoredump
+genfscon sysfs /devices/platform/aoc/sscoredump/sscd_aoc/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/debugcore/sscoredump/sscd_debugcore/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+
+# Storage
+genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0
+genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0
+genfscon sysfs /devices/platform/13200000.ufs/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/slowio_write_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/slowio_unmap_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/slowio_sync_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/manual_gc u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/io_stats u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/req_stats u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/err_stats u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/device_descriptor u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/clkgate_enable u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/health_descriptor u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/attributes/wb_avail_buf u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/vendor u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/model u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/rev u:object_r:sysfs_scsi_devices_0000:s0
+
+# Tracefs
+genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0
+
+# Thermal
+genfscon sysfs /devices/platform/100a0000.LITTLE u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/100a0000.MID u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/100a0000.BIG u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/100b0000.G3D u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/100b0000.TPU u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/100b0000.AUR u:object_r:sysfs_thermal:s0
+
+genfscon sysfs /module/gs_thermal/parameters/tmu_reg_dump_state u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs_thermal/parameters/tmu_reg_dump_current_temp u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs_thermal/parameters/tmu_top_reg_dump_rise_thres u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs_thermal/parameters/tmu_top_reg_dump_fall_thres u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_rise_thres u:object_r:sysfs_thermal:s0
+
+# Camera
+genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0
+genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/max_freq u:object_r:sysfs_camera:s0
+genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0
+genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_fall_thres u:object_r:sysfs_thermal:s0
+
+# USB-C throttling stats
+genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0
+
+# Devfreq current frequency
+genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/cur_freq u:object_r:sysfs_devfreq_cur:s0
+
+# EdgeTPU
+genfscon sysfs /devices/platform/1a000000.rio u:object_r:sysfs_edgetpu:s0
+
+# Gxp
+genfscon sysfs /devices/platform/20c00000.callisto u:object_r:sysfs_gxp:s0
+
+# Extcon
+genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0
+
+# Display
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/gamma u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/op_hz u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/hs_clock u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19470000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19471000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19470000.drmdecon/counters u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19471000.drmdecon/counters u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19472000.drmdecon/counters u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/available_disp_stats u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/power_state u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_model u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/refresh_ctrl u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/te_option u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/te_rate_hz u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/time_in_state u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19470000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19470000.drmdecon/hibernation u:object_r:sysfs_display:s0
+genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/error_count_te u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/error_count_unknown u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport/dp_hotplug_error_code u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/te2_rate_hz u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/te2_option u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/frame_rate u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/link_negotiation_failures u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/edid_read_failures u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/dpcd_read_failures u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/edid_invalid_failures u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/sink_count_invalid_failures u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/link_unstable_failures u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/hdcp/hdcp2_success_count u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/hdcp/hdcp2_fallback_count u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/hdcp/hdcp2_fail_count u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/hdcp/hdcp1_success_count u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/hdcp/hdcp1_fail_count u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/hdcp/hdcp0_count u:object_r:sysfs_display:s0
+
+# ACPM
+genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0
+
+# Power Stats
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-0008/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/12100000.pcie/link_duration u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/12100000.pcie/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/13120000.pcie/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0
+
+# PCIe link stats
+genfscon sysfs /devices/platform/12100000.pcie/link_stats/complete_timeout_irqs u:object_r:sysfs_pcie:s0
+genfscon sysfs /devices/platform/12100000.pcie/link_stats/link_down_irqs u:object_r:sysfs_pcie:s0
+genfscon sysfs /devices/platform/12100000.pcie/link_stats/link_recovery_failures u:object_r:sysfs_pcie:s0
+genfscon sysfs /devices/platform/12100000.pcie/link_stats/link_up_average u:object_r:sysfs_pcie:s0
+genfscon sysfs /devices/platform/12100000.pcie/link_stats/link_up_failures u:object_r:sysfs_pcie:s0
+genfscon sysfs /devices/platform/12100000.pcie/link_stats/pll_lock_average u:object_r:sysfs_pcie:s0
+genfscon sysfs /devices/platform/13120000.pcie/link_stats/complete_timeout_irqs u:object_r:sysfs_pcie:s0
+genfscon sysfs /devices/platform/13120000.pcie/link_stats/link_down_irqs u:object_r:sysfs_pcie:s0
+genfscon sysfs /devices/platform/13120000.pcie/link_stats/link_recovery_failures u:object_r:sysfs_pcie:s0
+genfscon sysfs /devices/platform/13120000.pcie/link_stats/link_up_average u:object_r:sysfs_pcie:s0
+genfscon sysfs /devices/platform/13120000.pcie/link_stats/link_up_failures u:object_r:sysfs_pcie:s0
+genfscon sysfs /devices/platform/13120000.pcie/link_stats/pll_lock_average u:object_r:sysfs_pcie:s0
+
+# Trusty
+genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0
+genfscon sysfs /module/trusty_core/parameters/use_high_wq u:object_r:sysfs_trusty:s0
+
+# EM Profile
+genfscon sysfs /kernel/pixel_em/active_profile u:object_r:sysfs_em_profile:s0
+
+# GSA logs
+genfscon sysfs /devices/platform/16490000.gsa-ns/log_main u:object_r:sysfs_gsa_log:s0
+genfscon sysfs /devices/platform/16490000.gsa-ns/log_intermediate u:object_r:sysfs_gsa_log:s0
+
+# AOC
+genfscon sysfs /devices/platform/17000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0
+genfscon sysfs /devices/platform/17000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0
+genfscon sysfs /devices/platform/17000000.aoc u:object_r:sysfs_aoc:s0
+genfscon sysfs /devices/platform/17000000.aoc/reset u:object_r:sysfs_aoc_reset:s0
+genfscon sysfs /devices/platform/17000000.aoc/services u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/restart_count u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/coredump_count u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/ring_buffer_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/host_ipc_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/usf_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/audio_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/notify_timeout_aoc_status u:object_r:sysfs_aoc_notifytimeout:s0
+
+# OTA
+genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0
+
+# Extcon
+genfscon sysfs /devices/platform/108d0000.hsi2c/i2c-6/6-0025/extcon u:object_r:sysfs_extcon:s0
+
+# ARM ETE
+genfscon sysfs /devices/platform/ete0 u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/ete1 u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/ete2 u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/ete3 u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/ete4 u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/ete5 u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/ete6 u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/ete7 u:object_r:sysfs_devices_cs_etm:s0
+
+# Privacy LED
+genfscon sysfs /devices/platform/pwmleds/leds/green/brightness u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/pwmleds/leds/green/max_brightness u:object_r:sysfs_leds:s0
diff --git a/sepolicy/vendor/google_camera_app.te b/sepolicy/vendor/google_camera_app.te
new file mode 100644
index 0000000..c572c26
--- /dev/null
+++ b/sepolicy/vendor/google_camera_app.te
@@ -0,0 +1,10 @@
+# Allows GCA to acccess the GXP device & properties.
+allow google_camera_app gxp_device:chr_file rw_file_perms;
+get_prop(google_camera_app, vendor_gxp_prop)
+
+# Allows GCA to find and access the EdgeTPU.
+allow google_camera_app edgetpu_app_service:service_manager find;
+allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+
+# Allows GCA to access the hw_jpeg /dev/video12.
+allow google_camera_app hw_jpg_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/hal_bluetooth_btlinux.te b/sepolicy/vendor/hal_bluetooth_btlinux.te
new file mode 100644
index 0000000..65e037d
--- /dev/null
+++ b/sepolicy/vendor/hal_bluetooth_btlinux.te
@@ -0,0 +1 @@
+allow hal_bluetooth_btlinux vendor_bt_data_file:sock_file create_file_perms;
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
new file mode 100644
index 0000000..4072cd3
--- /dev/null
+++ b/sepolicy/vendor/hal_camera_default.te
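Review bot: The `gxp_device` and `hw_jpg_device` rules on the second and last lines of the google_camera_app.te hunk use `rw_file_perms`, which carries an unrestricted `ioctl` permission on the character device, whereas the `edgetpu_device` rule in the same hunk enumerates its permissions explicitly. google_camera_app is presumably an application domain (its declaration is outside this hunk), so every ioctl handler in the GXP and hw_jpeg drivers becomes reachable from app-level code; if the ioctl set the app issues is known, an allowlist such as `allowxperm google_camera_app gxp_device:chr_file ioctl { ... };` (and the same for `hw_jpg_device`) would confine that surface without changing what the app can do today. Separately, the first comment has a typo and should read `# Allows GCA to access the GXP device & properties.`.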
@@ -0,0 +1,96 @@
+allow hal_camera_default self:global_capability_class_set sys_nice;
+allow hal_camera_default kernel:process setsched;
+
+vndbinder_use(hal_camera_default);
+
+allow hal_camera_default lwis_device:chr_file rw_file_perms;
+
+# Face authentication code that is part of the camera HAL needs to allocate
+# dma_bufs and access the Trusted Execution Environment device node
+allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_camera_default tee_device:chr_file rw_file_perms;
+
+# Allow the camera hal to access the EdgeTPU service and the
+# Android shared memory allocated by the EdgeTPU service for
+# on-device compilation.
+allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
+allow hal_camera_default edgetpu_vendor_service:service_manager find;
+binder_call(hal_camera_default, edgetpu_vendor_server)
+# Allow edgetpu_app_service as well, due to the EdgeTpu metrics logging
+# library has a dependency on edgetpu_app_service, see b/275016466.
+allow hal_camera_default edgetpu_app_service:service_manager find;
+binder_call(hal_camera_default, edgetpu_app_server)
+
+# Allow access to data files used by the camera HAL
+allow hal_camera_default mnt_vendor_file:dir search;
+allow hal_camera_default persist_file:dir search;
+allow hal_camera_default persist_camera_file:dir rw_dir_perms;
+allow hal_camera_default persist_camera_file:file create_file_perms;
+allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
+allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+
+# Allow creating dump files for debugging in non-release builds
+userdebug_or_eng(`
+ allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
+ allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+')
+
+# Allow access to camera-related system properties
+set_prop(hal_camera_default, vendor_camera_prop);
+get_prop(hal_camera_default, vendor_camera_debug_prop);
+userdebug_or_eng(`
+ set_prop(hal_camera_default, vendor_camera_fatp_prop);
+ set_prop(hal_camera_default, vendor_camera_debug_prop);
+')
+
+
+hal_client_domain(hal_camera_default, hal_graphics_allocator);
+hal_client_domain(hal_camera_default, hal_graphics_composer)
+hal_client_domain(hal_camera_default, hal_power);
+hal_client_domain(hal_camera_default, hal_thermal);
+
+# Allow access to sensor service for sensor_listener
+binder_call(hal_camera_default, system_server);
+
+# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
+allow hal_camera_default eco_service:service_manager find;
+binder_call(hal_camera_default, mediacodec_samsung);
+
+# Allow camera HAL to connect to the stats service.
+allow hal_camera_default fwk_stats_service:service_manager find;
+
+# For observing apex file changes
+allow hal_camera_default apex_info_file:file r_file_perms;
+
+# Allow camera HAL to query current device clock frequencies.
+allow hal_camera_default sysfs_devfreq_cur:file r_file_perms;
+
+# Allow camera HAL to read display info, including backlight
+allow hal_camera_default sysfs_leds:dir r_dir_perms;
+allow hal_camera_default sysfs_leds:file r_file_perms;
+allow hal_camera_default sysfs_display:file r_file_perms;
+
+# Allow camera HAL to query preferred camera frequencies from the radio HAL
+# extensions to avoid interference with cellular antennas.
+allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
+binder_call(hal_camera_default, hal_radioext_default);
+
+# Allows camera HAL to access the hw_jpeg /dev/video12.
+allow hal_camera_default hw_jpg_device:chr_file rw_file_perms;
+
+# Allow access to always-on compute device node
+allow hal_camera_default aoc_device:chr_file rw_file_perms;
+
+# Allow camera HAL to send trace packets to Perfetto
+userdebug_or_eng(`perfetto_producer(hal_camera_default)')
+
+# Some file searches attempt to access system data and are denied.
+# This is benign and can be ignored.
+dontaudit hal_camera_default system_data_file:dir { search };
+
+# google3 prebuilts attempt to connect to the wrong trace socket, ignore them.
+dontaudit hal_camera_default traced:unix_stream_socket { connectto };
+dontaudit hal_camera_default traced_producer_socket:sock_file { write };
+
+# Allow the Camera HAL to acquire wakelocks for buffer pre-allocation purposes
+wakelock_use(hal_camera_default)
diff --git a/sepolicy/vendor/hal_contexthub_default.te b/sepolicy/vendor/hal_contexthub_default.te
new file mode 100644
index 0000000..6e9041a
--- /dev/null
+++ b/sepolicy/vendor/hal_contexthub_default.te
@@ -0,0 +1,3 @@
+
+# Allow binder call to PixelGnss PPS function.
+binder_call(hal_contexthub_default, hal_gnss_pixel)
diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te
new file mode 100644
index 0000000..11f478a
--- /dev/null
+++ b/sepolicy/vendor/hal_fingerprint_default.te
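Review bot: The second rule of the hal_camera_default.te hunk, `allow hal_camera_default kernel:process setsched;`, lets the camera HAL change the scheduling of kernel threads, and together with the `sys_nice` capability on the line above it is the only grant in this file with no comment explaining why it is needed, while every other block here documents its purpose. A why-comment on those two lines, for example `# TODO(review): document which kernel threads the HAL reschedules and why sys_nice/setsched on kernel are required`, would let a later reviewer judge whether the grant can be narrowed. Inside the first `userdebug_or_eng` block, `allow hal_camera_default vendor_camera_data_file:file create_file_perms;` repeats the unconditional rule a few lines above it and can be dropped, leaving only the `dir create_dir_perms` widening that the debug build actually adds. Macro invocations in this file mix trailing semicolons (`vndbinder_use(hal_camera_default);`) with none (`hal_client_domain(hal_camera_default, hal_graphics_composer)`); picking one form would match the rest of the policy tree.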
@@ -0,0 +1,58 @@
+allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_fingerprint_default dmabuf_system_heap_device:chr_file r_file_perms;
+
+allow hal_fingerprint_default fwk_stats_service:service_manager find;
+set_prop(hal_fingerprint_default, vendor_fingerprint_prop)
+add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice)
+
+# allow fingerprint to access power hal
+hal_client_domain(hal_fingerprint_default, hal_power);
+
+# Allow access to the files of CDT information.
+r_dir_file(hal_fingerprint_default, sysfs_chosen)
+
+# Allow fingerprint to access calibration blk device.
+allow hal_fingerprint_default mfg_data_block_device:blk_file rw_file_perms;
+allow hal_fingerprint_default block_device:dir search;
+
+# Allow fingerprint to access fwk_sensor_hwservice
+allow hal_fingerprint_default fwk_sensor_hwservice:hwservice_manager find;
+
+# Allow fingerprint to access sysfs_display
+allow hal_fingerprint_default sysfs_display:file rw_file_perms;
+
+# Allow fingerprint to access trusty sysfs
+allow hal_fingerprint_default sysfs_trusty:file rw_file_perms;
+
+# Allow fingerprint to access display hal
+allow hal_fingerprint_default hal_pixel_display_service:service_manager find;
+binder_call(hal_fingerprint_default, hal_graphics_composer_default)
+
+# allow fingerprint to access thermal hal
+hal_client_domain(hal_fingerprint_default, hal_thermal);
+
+# allow fingerprint to read sysfs_leds
+allow hal_fingerprint_default sysfs_leds:file r_file_perms;
+allow hal_fingerprint_default sysfs_leds:dir r_dir_perms;
+
+# allow fingerprint to wakeup to trigger calibration scans and sleep after
+allow hal_fingerprint_default self:capability2 wake_alarm;
+allow hal_fingerprint_default self:capability2 block_suspend;
+
+# allow fingerprint to search for files
+# TODO: b/297562630 - remove unecessary permissions once not needed
+allow hal_fingerprint_default mnt_vendor_file:dir search;
+allow hal_fingerprint_default vendor_misc_data_file:dir search;
+allow hal_fingerprint_default persist_file:dir search;
+
+# allow fingerprint to rw config and calibration files in persist
+# TODO: b/297562630 - remove unecessary permissions once not needed
+allow hal_fingerprint_default persist_fingerprint_file:dir search;
+allow hal_fingerprint_default persist_fingerprint_file:file create_file_perms;
+
+# allow fingerprint to rw data files
+# TODO: b/297562630 - remove unecessary permissions once not needed
+allow hal_fingerprint_default vendor_fingerprint_data_file:dir create_dir_perms;
+allow hal_fingerprint_default vendor_fingerprint_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/hal_gnss_pixel.te b/sepolicy/vendor/hal_gnss_pixel.te
new file mode 100644
index 0000000..1206ac1
--- /dev/null
+++ b/sepolicy/vendor/hal_gnss_pixel.te
@@ -0,0 +1,4 @@
+type hal_gnss_pixel, domain;
+init_daemon_domain(hal_gnss_pixel)
+type hal_gnss_pixel_exec, exec_type, vendor_file_type, file_type;
+hal_server_domain(hal_gnss_pixel, hal_gnss)
diff --git a/sepolicy/vendor/hal_graphics_composer_default.te b/sepolicy/vendor/hal_graphics_composer_default.te
new file mode 100644
index 0000000..39dc7ee
--- /dev/null
+++ b/sepolicy/vendor/hal_graphics_composer_default.te
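Review bot: `allow hal_fingerprint_default mfg_data_block_device:blk_file rw_file_perms;` hands the fingerprint HAL write access to a raw block device while the comment above it only speaks of accessing calibration data; if the HAL never writes calibration back this should be `r_file_perms`, and if it does the comment should say so, since raw block writes from a biometric HAL are a strong capability worth an explicit justification. The same hunk grants `rw_file_perms` on `sysfs_display` and `sysfs_trusty`, which are whole label sets rather than single nodes, so a comment naming the nodes actually written would make the cleanup promised by the three b/297562630 TODOs tractable. Those TODO comments also misspell "unecessary" (should be "unnecessary").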
@@ -0,0 +1,51 @@
+# allow HWC to access power hal
+hal_client_domain(hal_graphics_composer_default, hal_power)
+
+hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator)
+
+# access sysfs R/W
+allow hal_graphics_composer_default sysfs_display:dir search;
+allow hal_graphics_composer_default sysfs_display:file rw_file_perms;
+
+# allow HWC to r/w backlight
+allow hal_graphics_composer_default sysfs_leds:dir r_dir_perms;
+allow hal_graphics_composer_default sysfs_leds:file rw_file_perms;
+
+# socket / vnd service
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+vndbinder_use(hal_graphics_composer_default)
+
+# boot stauts prop
+get_prop(hal_graphics_composer_default, boot_status_prop);
+
+# allow HWC to get device_config_surface_flinger_native_boot_prop for adpf flags
+get_prop(hal_graphics_composer_default, device_config_surface_flinger_native_boot_prop)
+
+add_service(hal_graphics_composer_default, hal_pixel_display_service)
+
+# allow HWC/libdisplaycolor to read calibration data
+allow hal_graphics_composer_default mnt_vendor_file:dir search;
+allow hal_graphics_composer_default persist_file:dir search;
+allow hal_graphics_composer_default persist_display_file:file r_file_perms;
+allow hal_graphics_composer_default persist_display_file:dir search;
+
+# allow HWC to get/set vendor_display_prop
+set_prop(hal_graphics_composer_default, vendor_display_prop)
+
+# allow HWC to access vendor_displaycolor_service
+add_service(hal_graphics_composer_default, vendor_displaycolor_service)
+
+add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice)
+
+# allow HWC to read/write/search hwc_log_file
+allow hal_graphics_composer_default vendor_hwc_log_file:dir rw_dir_perms;
+allow hal_graphics_composer_default vendor_hwc_log_file:file create_file_perms;
+allow hal_graphics_composer_default vendor_log_file:dir search;
+
+# allow HWC to access powerstats
+allow hal_graphics_composer_default hal_power_stats_vendor_service:service_manager find;
+binder_call(hal_graphics_composer_default, hal_power_stats_default)
+
+# allow HWC to access IStats AIDL
+allow hal_graphics_composer_default fwk_stats_service:service_manager find;
+binder_call(hal_graphics_composer_default, system_server);
diff --git a/sepolicy/vendor/hal_input_processor_default.te b/sepolicy/vendor/hal_input_processor_default.te
new file mode 100644
index 0000000..00d4c69
--- /dev/null
+++ b/sepolicy/vendor/hal_input_processor_default.te
@@ -0,0 +1,2 @@
+# allow InputProcessor HAL to read the display resolution system property
+get_prop(hal_input_processor_default, vendor_display_prop)
diff --git a/sepolicy/vendor/hal_power_default.te b/sepolicy/vendor/hal_power_default.te
new file mode 100644
index 0000000..2e55825
--- /dev/null
+++ b/sepolicy/vendor/hal_power_default.te
@@ -0,0 +1 @@
+allow hal_power_default sysfs_ospm:file rw_file_perms;
\ No newline at end of file
diff --git a/sepolicy/vendor/hal_power_stats_default.te b/sepolicy/vendor/hal_power_stats_default.te
new file mode 100644
index 0000000..c2e6100
--- /dev/null
+++ b/sepolicy/vendor/hal_power_stats_default.te
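Review bot: The macro invocations in this file are inconsistently terminated: `get_prop(hal_graphics_composer_default, boot_status_prop);` and `binder_call(hal_graphics_composer_default, system_server);` carry a trailing semicolon while every other `get_prop`/`hal_client_domain`/`add_service`/`binder_call` line in the same hunk does not, and the stray `;` survives m4 expansion as an empty statement. Dropping the two semicolons keeps the file to one convention. The comment `# boot stauts prop` should read `# boot status prop`.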
@@ -0,0 +1,24 @@
+# Allowed to access required sysfs nodes
+r_dir_file(hal_power_stats_default, sysfs_aoc)
+r_dir_file(hal_power_stats_default, sysfs_aoc_dumpstate)
+r_dir_file(hal_power_stats_default, sysfs_acpm_stats)
+r_dir_file(hal_power_stats_default, sysfs_cpu)
+r_dir_file(hal_power_stats_default, sysfs_display)
+r_dir_file(hal_power_stats_default, sysfs_edgetpu)
+r_dir_file(hal_power_stats_default, sysfs_iio_devices)
+r_dir_file(hal_power_stats_default, sysfs_leds)
+r_dir_file(hal_power_stats_default, sysfs_odpm)
+r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000)
+r_dir_file(hal_power_stats_default, sysfs_wifi)
+r_dir_file(hal_power_stats_default, powerstats_vendor_data_file)
+r_dir_file(hal_power_stats_default, vendor_gps_file)
+
+# Rail selection requires read/write permissions
+allow hal_power_stats_default sysfs_odpm:dir search;
+allow hal_power_stats_default sysfs_odpm:file rw_file_perms;
+
+# getStateResidency AIDL callback for Bluetooth HAL
+binder_call(hal_power_stats_default, hal_bluetooth_btlinux)
+
+# getStateResidency AIDL callback for Composer HAL
+binder_call(hal_power_stats_default, hal_graphics_composer_default)
diff --git a/sepolicy/vendor/hal_threadnetwork_default.te b/sepolicy/vendor/hal_threadnetwork_default.te
new file mode 100644
index 0000000..558847b
--- /dev/null
+++ b/sepolicy/vendor/hal_threadnetwork_default.te
@@ -0,0 +1,3 @@
+allow hal_threadnetwork_default vendor_bt_data_file:dir r_dir_perms;
+allow hal_threadnetwork_default vendor_bt_data_file:sock_file rw_file_perms;
+allow hal_threadnetwork_default hal_bluetooth_btlinux:unix_stream_socket connectto;
diff --git a/sepolicy/vendor/hal_usb_gadget_impl.te b/sepolicy/vendor/hal_usb_gadget_impl.te
new file mode 100644
index 0000000..2b1494f
--- /dev/null
+++ b/sepolicy/vendor/hal_usb_gadget_impl.te
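Review bot: `allow hal_power_stats_default sysfs_odpm:dir search;` is already implied by the `r_dir_file(hal_power_stats_default, sysfs_odpm)` line above it (r_dir_perms includes search), so the rail-selection block only needs the `sysfs_odpm:file rw_file_perms` rule. That write grant applies to every file labelled sysfs_odpm rather than just the rail-selection node, which is fine for a single-purpose label but worth stating; `# Rail selection writes <node>; all other sysfs_odpm nodes are read-only in practice` would tell the next reviewer what to check. Also worth a comment is why a power-stats HAL reads `vendor_gps_file`, which is the only non-sysfs, non-powerstats path in the list.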
@@ -0,0 +1,20 @@
+type hal_usb_gadget_impl, domain;
+hal_server_domain(hal_usb_gadget_impl, hal_usb)
+hal_server_domain(hal_usb_gadget_impl, hal_usb_gadget)
+
+type hal_usb_gadget_impl_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_usb_gadget_impl)
+
+allow hal_usb_gadget_impl configfs:dir { create rmdir };
+allow hal_usb_gadget_impl functionfs:dir { watch watch_reads };
+set_prop(hal_usb_gadget_impl, vendor_usb_config_prop)
+
+# parser the number of dwc3 irq
+allow hal_usb_gadget_impl proc_interrupts:file r_file_perms;
+
+# change irq to other cores
+allow hal_usb_gadget_impl proc_irq:dir r_dir_perms;
+allow hal_usb_gadget_impl proc_irq:file w_file_perms;
+
+allow hal_usb_gadget_impl sysfs_batteryinfo:dir r_dir_perms;
+allow hal_usb_gadget_impl sysfs_batteryinfo:file rw_file_perms;
diff --git a/sepolicy/vendor/hal_usb_impl.te b/sepolicy/vendor/hal_usb_impl.te
new file mode 100644
index 0000000..2ec4888
--- /dev/null
+++ b/sepolicy/vendor/hal_usb_impl.te
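Review bot: `hal_server_domain(hal_usb_gadget_impl, hal_usb)` makes the gadget HAL a server of hal_usb as well as hal_usb_gadget, and the next hunk's hal_usb_impl mirrors this with `hal_server_domain(hal_usb_impl, hal_usb_gadget)`, so both daemons end up carrying the attribute rules of both HALs. If each binary only registers one of the two interfaces, each domain should keep only the matching `hal_server_domain` line; if a single binary genuinely serves both, a comment saying so would stop the next reader from trimming it. `proc_irq:file w_file_perms` lets this HAL rewrite IRQ affinity for any IRQ, which the `# change irq to other cores` comment justifies only for the dwc3 IRQ; if the policy cannot be narrowed, note that in the comment. The comment `# parser the number of dwc3 irq` should read `# parse the dwc3 irq number`.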
@@ -0,0 +1,28 @@
+type hal_usb_impl, domain;
+
+type hal_usb_impl_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_usb_impl)
+hal_server_domain(hal_usb_impl, hal_usb)
+hal_server_domain(hal_usb_impl, hal_usb_gadget)
+
+allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms;
+allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms;
+get_prop(hal_usb_impl, vendor_usb_config_prop)
+
+# Needed for monitoring usb port temperature
+allow hal_usb_impl self:capability2 wake_alarm;
+wakelock_use(hal_usb_impl);
+
+# For interfacing with ThermalHAL
+hal_client_domain(hal_usb_impl, hal_thermal);
+
+# Needed for reporting Usb Overheat suez event through statsd
+allow hal_usb_impl fwk_stats_service:service_manager find;
+
+# For reading the usb-c throttling stats
+allow hal_usb_impl sysfs_usbc_throttling_stats:file r_file_perms;
+
+# For issuing vendor commands to USB hub via libusbhost
+allow hal_usb_impl device:dir r_dir_perms;
+allow hal_usb_impl usb_device:chr_file rw_file_perms;
+allow hal_usb_impl usb_device:dir r_dir_perms;
diff --git a/sepolicy/vendor/hal_uwb_vendor_default.te b/sepolicy/vendor/hal_uwb_vendor_default.te
new file mode 100644
index 0000000..e6ac638
--- /dev/null
+++ b/sepolicy/vendor/hal_uwb_vendor_default.te
@@ -0,0 +1,8 @@
+type hal_uwb_vendor_default, domain;
+type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type;
+allow hal_uwb_default uci_device:chr_file rw_file_perms;
+init_daemon_domain(hal_uwb_vendor_default)
+
+allow hal_uwb_default uwb_data_vendor:dir create_dir_perms;
+allow hal_uwb_default uwb_data_vendor:file create_file_perms;
+
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
new file mode 100644
index 0000000..5aed498
--- /dev/null
+++ b/sepolicy/vendor/hwservice_contexts
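Review bot: The three `allow` rules in hal_uwb_vendor_default.te name `hal_uwb_default` as the source domain, but the domain this file declares and attaches to init is `hal_uwb_vendor_default`, so the new daemon is left with an exec type and `init_daemon_domain` and no access at all to `uci_device` or `uwb_data_vendor`, while a different domain silently gains them. Unless `hal_uwb_default` is the intended target (in which case these rules belong in that domain's own .te file), the rules should read `allow hal_uwb_vendor_default uci_device:chr_file rw_file_perms;` and likewise for the two uwb_data_vendor lines. The file also never ties the domain to `hal_uwb_vendor_service`, which service.te in this same diff declares as a `hal_service_type`; without an `add_service`/`hal_server_domain` line the service cannot be registered by this domain.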
@@ -0,0 +1,3 @@
+# Fingerprint
+vendor.qti.hardware.fingerprint::IQtiExtendedFingerprint u:object_r:hal_fingerprint_ext_hwservice:s0
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0
diff --git a/sepolicy/vendor/insmod-sh.te b/sepolicy/vendor/insmod-sh.te
new file mode 100644
index 0000000..2fec873
--- /dev/null
+++ b/sepolicy/vendor/insmod-sh.te
@@ -0,0 +1,4 @@
+allow insmod-sh self:capability sys_nice;
+allow insmod-sh kernel:process setsched;
+allow insmod-sh vendor_regmap_debugfs:dir search;
+dontaudit insmod-sh insmod-sh:key write;
diff --git a/sepolicy/vendor/kernel.te b/sepolicy/vendor/kernel.te
new file mode 100644
index 0000000..ea36a06
--- /dev/null
+++ b/sepolicy/vendor/kernel.te
@@ -0,0 +1,21 @@
+allow kernel vendor_fw_file:dir r_dir_perms;
+allow kernel vendor_fw_file:file r_file_perms;
+
+# ZRam
+allow kernel per_boot_file:file r_file_perms;
+
+# memlat needs permision to create/delete perf events when hotplug on/off
+allow kernel self:capability2 perfmon;
+allow kernel self:perf_event cpu;
+
+userdebug_or_eng(`
+ allow kernel vendor_battery_debugfs:dir search;
+ allow kernel vendor_regmap_debugfs:dir search;
+ allow kernel vendor_usb_debugfs:dir search;
+ allow kernel vendor_votable_debugfs:dir search;
+ allow kernel vendor_charger_debugfs:dir search;
+ allow kernel vendor_maxfg_debugfs:dir search;
+')
+
+
+
diff --git a/sepolicy/vendor/pixelstats_vendor.te b/sepolicy/vendor/pixelstats_vendor.te
new file mode 100644
index 0000000..ff183b3
--- /dev/null
+++ b/sepolicy/vendor/pixelstats_vendor.te
@@ -0,0 +1,8 @@
+# Display
+r_dir_file(pixelstats_vendor, sysfs_display)
+allow pixelstats_vendor sysfs_display:lnk_file r_file_perms;
+
+# Pca charge
+allow pixelstats_vendor sysfs_pca:file rw_file_perms;
+
+allow pixelstats_vendor logbuffer_device:chr_file r_file_perms;
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
new file mode 100644
index 0000000..344e8c9
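Review bot: `allow pixelstats_vendor sysfs_pca:file rw_file_perms;` gives a statistics-reporting daemon write access to a charger sysfs node, and the `# Pca charge` heading does not say what it writes or why a reporter needs to; if it only reads counters this should be `r_file_perms`, otherwise the comment should name the write and its purpose. The last rule, `allow pixelstats_vendor logbuffer_device:chr_file r_file_perms;`, has no comment at all; one line such as `# Read kernel logbuffer entries for charger/battery event reporting` would hold it to the same standard as the rest of the file, assuming that is what it is for.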
--- /dev/null
+++ b/sepolicy/vendor/property.te
@@ -0,0 +1,19 @@
+vendor_internal_prop(vendor_camera_prop)
+vendor_internal_prop(vendor_ro_sys_default_prop)
+vendor_internal_prop(vendor_persist_sys_default_prop)
+
+# USB
+vendor_internal_prop(vendor_usb_config_prop)
+vendor_internal_prop(vendor_secure_element_prop)
+
+# Trusty storage FS ready
+vendor_internal_prop(vendor_trusty_storage_prop)
+
+# Fingerprint
+vendor_internal_prop(vendor_fingerprint_prop)
+
+# Battery
+vendor_internal_prop(vendor_battery_defender_prop)
+
+# Mali Integration
+vendor_restricted_prop(vendor_arm_runtime_option_prop)
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
new file mode 100644
index 0000000..c3402ac
--- /dev/null
+++ b/sepolicy/vendor/property_contexts
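Review bot: `vendor_internal_prop(vendor_secure_element_prop)` sits under the `# USB` heading, but property_contexts in this same diff maps it to the `persist.vendor.se.` prefix under `# SecureElement`, so the grouping here is misleading; give it its own `# SecureElement` heading to match. The first three declarations (`vendor_camera_prop`, `vendor_ro_sys_default_prop`, `vendor_persist_sys_default_prop`) have no heading while everything after them does, and the two `*_sys_default_prop` types in particular deserve a comment saying they are catch-all labels for `ro.vendor.sys.`/`persist.vendor.sys.`, since that is what makes them coarse-grained. `vendor_display_prop` is used by property_contexts and several .te files in this diff but is not declared here; presumably it comes from a shared policy directory, which is worth confirming.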
@@ -0,0 +1,34 @@
+# USB
+persist.vendor.usb. u:object_r:vendor_usb_config_prop:s0
+vendor.usb. u:object_r:vendor_usb_config_prop:s0
+
+# SecureElement
+persist.vendor.se. u:object_r:vendor_secure_element_prop:s0
+
+# vendor default
+ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop:s0
+persist.vendor.sys. u:object_r:vendor_persist_sys_default_prop:s0
+
+# Trusty
+ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0
+
+# Camera
+vendor.camera. u:object_r:vendor_camera_prop:s0
+
+# Fingerprint
+persist.vendor.qfp. u:object_r:vendor_fingerprint_prop:s0
+
+# Battery
+vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0
+
+# Mali GPU driver configuration and debug options
+vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix
+
+# Display
+persist.vendor.primarydisplay. u:object_r:vendor_display_prop:s0 prefix
+ro.vendor.primarydisplay.xrr.version u:object_r:vendor_display_prop:s0 exact string
+ro.vendor.primarydisplay.blocking_zone.min_refresh_rate_by_nits u:object_r:vendor_display_prop:s0 exact string
+ro.vendor.primarydisplay.vrr.expected_present.headsup_ns u:object_r:vendor_display_prop:s0 exact int
+ro.vendor.primarydisplay.vrr.expected_present.timeout_ns u:object_r:vendor_display_prop:s0 exact int
+ro.vendor.primarydisplay.powerstats.entity_name u:object_r:vendor_display_prop:s0 exact string
+ro.vendor.secondarydisplay.blocking_zone.min_refresh_rate_by_nits u:object_r:vendor_display_prop:s0 exact string
diff --git a/sepolicy/vendor/service.te b/sepolicy/vendor/service.te
new file mode 100644
index 0000000..6be01a1
--- /dev/null
+++ b/sepolicy/vendor/service.te
@@ -0,0 +1,7 @@
+type hal_pixel_display_service, service_manager_type, hal_service_type;
+type hal_uwb_vendor_service, service_manager_type, hal_service_type;
+
+# WLC
+type hal_wireless_charger_service, hal_service_type, protected_service, service_manager_type;
+
+type modemml_tflite_service, system_server_service, service_manager_type;
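Review bot: The `ro.vendor.sys.` and `persist.vendor.sys.` entries are catch-all prefix matches, so every property under those namespaces shares one label and any domain granted `set_prop` on `vendor_persist_sys_default_prop` can write all of them; unless that breadth is deliberate, the properties actually in use should get `exact` entries with their own types, as the `# Display` block already does. The entries without a trailing `prefix`/`exact` keyword use the legacy implicit-prefix form, which is mixed here with the typed form (`vendor.mali.` ... `prefix`, the display lines ... `exact`); `ro.vendor.trusty.storage.fs_ready` in particular names a single property and should be `exact` with its type. A one-line comment above the `# vendor default` block stating that the catch-all labels are intentional would make the intent reviewable.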
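Review bot: `hal_pixel_display_service` and `hal_uwb_vendor_service` are declared without `protected_service` while `hal_wireless_charger_service` two lines below carries it, and nothing in the hunk explains the difference. If the display and UWB vendor services are not meant to be reachable from untrusted apps, they should be declared the same way, e.g. `type hal_pixel_display_service, service_manager_type, hal_service_type, protected_service;`; if app access is intended, a comment saying which clients need it would justify the weaker declaration. Only the WLC type has a heading; the other three would read better with one each.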
diff --git a/sepolicy/vendor/service_contexts b/sepolicy/vendor/service_contexts
new file mode 100644
index 0000000..38a8cca
--- /dev/null
+++ b/sepolicy/vendor/service_contexts
@@ -0,0 +1,6 @@
+vendor.qti.hardware.fingerprint.IQfpExtendedFingerprint/default u:object_r:hal_fingerprint_service:s0
+com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
+vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0
+hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0
+android.hardware.media.c2.IComponentStore/default1 u:object_r:hal_codec2_service:s0
+com.android.server.modemml.ITFLiteService/default u:object_r:modemml_tflite_service:s0
diff --git a/sepolicy/vendor/servicemanager.te b/sepolicy/vendor/servicemanager.te
new file mode 100644
index 0000000..c3fa4da
--- /dev/null
+++ b/sepolicy/vendor/servicemanager.te
@@ -0,0 +1 @@
+binder_call(servicemanager, hal_graphics_composer_default)
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
new file mode 100644
index 0000000..52b499f
--- /dev/null
+++ b/sepolicy/vendor/system_server.te
@@ -0,0 +1,2 @@
+# Allow modemml.TFLiteService in system server to access NNAPI TPU service
+allow system_server edgetpu_nnapi_service:service_manager find;
diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te
new file mode 100644
index 0000000..0a6139b
--- /dev/null
+++ b/sepolicy/vendor/tee.te
@@ -0,0 +1,3 @@
+allow tee tee_persist_block_device:blk_file rw_file_perms;
+allow tee tee_userdata_block_device:blk_file rw_file_perms;
+allow tee tee_data_file:lnk_file create;
diff --git a/sepolicy/vendor/twoshay.te b/sepolicy/vendor/twoshay.te
new file mode 100644
index 0000000..83d9e1a
--- /dev/null
+++ b/sepolicy/vendor/twoshay.te
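Review bot: `vendor.qti.hardware.fingerprint.IQfpExtendedFingerprint/default u:object_r:hal_fingerprint_service:s0` labels the vendor extension interface with the same type as the standard fingerprint AIDL service, so every client already allowed to find `hal_fingerprint_service` can also find and call the extended interface. The HIDL counterpart in this same diff's hwservice_contexts got a dedicated `hal_fingerprint_ext_hwservice` label; the AIDL extension should get a dedicated service type declared in service.te in the same way, so access to the extension can be granted separately from the core HAL. This file also has no section comments, unlike hwservice_contexts; a `# Fingerprint` / `# Display` / `# UWB` grouping would match.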
@@ -0,0 +1,10 @@
+# Allow ITouchContextService callback
+binder_call(twoshay, systemui_app)
+
+binder_call(twoshay, grilservice_app)
+
+# b/324278826
+unix_socket_connect(twoshay, chre, chre)
+# TODO(b/248615564): Remove above rule after CHRE multiclient HAL is launched.
+unix_socket_connect(twoshay, chre, hal_contexthub_default)
+allow twoshay self:capability2 block_suspend;
\ No newline at end of file
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
new file mode 100644
index 0000000..7a8ec91
--- /dev/null
+++ b/sepolicy/vendor/vendor_init.te
@@ -0,0 +1,10 @@
+# USB property
+set_prop(vendor_init, vendor_usb_config_prop)
+set_prop(vendor_init, vendor_display_prop)
+allow vendor_init tee_data_file:lnk_file read;
+
+# Vendor Ims Service property - Set the audio path for PDK build
+userdebug_or_eng(`
+ set_prop(vendor_init, vendor_imssvc_prop)
+')
+
diff --git a/sepolicy/vendor/vendor_uwb_init.te b/sepolicy/vendor/vendor_uwb_init.te
new file mode 100644
index 0000000..84e41cf
--- /dev/null
+++ b/sepolicy/vendor/vendor_uwb_init.te
@@ -0,0 +1,8 @@
+type vendor_uwb_init, domain;
+type vendor_uwb_init_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(vendor_uwb_init)
+
+allow vendor_uwb_init uwb_data_vendor:file create_file_perms;
+allow vendor_uwb_init uwb_data_vendor:dir w_dir_perms;
+
diff --git a/sepolicy/vendor/vndservice.te b/sepolicy/vendor/vndservice.te
new file mode 100644
index 0000000..12a4819
--- /dev/null
+++ b/sepolicy/vendor/vndservice.te
@@ -0,0 +1 @@
+type vendor_surfaceflinger_vndservice, vndservice_manager_type;
diff --git a/sepolicy/vendor/vndservice_contexts b/sepolicy/vendor/vndservice_contexts
new file mode 100644
index 0000000..4f9f5a7
--- /dev/null
+++ b/sepolicy/vendor/vndservice_contexts
@@ -0,0 +1 @@
+Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0
diff --git a/sepolicy/widevine/file.te b/sepolicy/widevine/file.te
new file mode 100644
index 0000000..a1e4e0e
--- /dev/null
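Review bot: `binder_call(twoshay, grilservice_app)` and `allow twoshay self:capability2 block_suspend;` are the only rules in twoshay.te with no comment, and `# b/324278826` above the first `unix_socket_connect` is a bare bug number with no sentence; a why-comment on each, e.g. `# Allow grilservice_app to receive touch-context callbacks` and `# Hold the device awake while processing touch events`, would bring them to the standard of the first rule, assuming those are the reasons. The file also ends without a trailing newline (`\ No newline at end of file`), which policy linters and future diffs will keep flagging.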
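Review bot: The `# USB property` heading in vendor_init.te covers `set_prop(vendor_init, vendor_display_prop)` and `allow vendor_init tee_data_file:lnk_file read;`, neither of which is a USB property, so the heading is wrong for two of the three lines it labels. Give each its own comment, e.g. `# Display property` above the set_prop and a note above the tee_data_file rule saying which symlink vendor_init reads during init; the matching `allow tee tee_data_file:lnk_file create;` in tee.te in this diff suggests the two are related, which the comment could state if confirmed.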
+++ b/sepolicy/widevine/file.te
@@ -0,0 +1,3 @@
+# Widevine DRM
+type mediadrm_vendor_data_file, file_type, data_file_type;
+
diff --git a/sepolicy/widevine/file_contexts b/sepolicy/widevine/file_contexts
new file mode 100644
index 0000000..92aed3c
--- /dev/null
+++ b/sepolicy/widevine/file_contexts
@@ -0,0 +1,5 @@
+/vendor/bin/hw/android\.hardware\.drm-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+/vendor/bin/hw/android\.hardware\.drm-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
+
+# Data
+/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
diff --git a/sepolicy/widevine/hal_drm_clearkey.te b/sepolicy/widevine/hal_drm_clearkey.te
new file mode 100644
index 0000000..0e0a5c2
--- /dev/null
+++ b/sepolicy/widevine/hal_drm_clearkey.te
@@ -0,0 +1,5 @@
+type hal_drm_clearkey, domain;
+type hal_drm_clearkey_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_drm_clearkey)
+
+hal_server_domain(hal_drm_clearkey, hal_drm)
diff --git a/sepolicy/widevine/hal_drm_widevine.te b/sepolicy/widevine/hal_drm_widevine.te
new file mode 100644
index 0000000..1ecfa92
--- /dev/null
+++ b/sepolicy/widevine/hal_drm_widevine.te
@@ -0,0 +1,12 @@
+type hal_drm_widevine, domain;
+type hal_drm_widevine_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_drm_widevine)
+
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+# L3
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+
+# L1
+allow hal_drm_widevine dmabuf_system_heap_device:chr_file r_file_perms;
diff --git a/sepolicy/widevine/service_contexts b/sepolicy/widevine/service_contexts
new file mode 100644
index 0000000..6989dde
--- /dev/null
+++ b/sepolicy/widevine/service_contexts
@@ -0,0 +1 @@
+android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0
diff --git a/sepolicy/zumapro-sepolicy.mk b/sepolicy/zumapro-sepolicy.mk
new file mode 100644
index 0000000..4edddb2
--- /dev/null
+++ b/sepolicy/zumapro-sepolicy.mk
@@ -0,0 +1,25 @@
+# sepolicy that are shared among devices using zumapro
+BOARD_SEPOLICY_DIRS += device/google/zumapro-sepolicy/vendor
+BOARD_SEPOLICY_DIRS += device/google/zumapro-sepolicy/radio
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zumapro-sepolicy/radio/private
+
+# unresolved SELinux error log with bug tracking
+BOARD_SEPOLICY_DIRS += device/google/zumapro-sepolicy/tracking_denials
+
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/zumapro-sepolicy/public
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zumapro-sepolicy/private
+
+# system_ext
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/zumapro-sepolicy/system_ext/public
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/zumapro-sepolicy/system_ext/private
+
+# PowerStats HAL
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
+
+# To be reviewed and removed.
+BOARD_SEPOLICY_DIRS += device/google/zumapro-sepolicy/legacy/whitechapel_pro
+BOARD_SEPOLICY_DIRS += device/google/zumapro-sepolicy/legacy/zuma/vendor
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zumapro-sepolicy/legacy/private
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/zumapro-sepolicy/legacy/system_ext/public
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/zumapro-sepolicy/legacy/system_ext/private
+
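Review bot: The five `legacy/` directories under `# To be reviewed and removed.` are pulled into the shipped policy with no owner or tracking bug, unlike the `tracking_denials` directory whose comment says it is bug-tracked; policy that is "to be removed" tends to stay forever unless the comment names a bug, so this should be `# TODO(b/<tracking bug>): legacy zuma/whitechapel_pro policy carried over for bring-up; review and remove.` with the real bug number filled in. It would also help to say in that comment whether the legacy directories are expected to duplicate or override rules in `vendor/`, since both are added to `BOARD_SEPOLICY_DIRS` and conflicting type declarations between them would only surface at policy build time.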