Add 'sepolicy/' from tag 'android-15.0.0_r2'

git-subtree-dir: sepolicy
git-subtree-mainline: 68bba197f4
git-subtree-split: 36623ceb5d
Change-Id: I8abfa4d1b1cb245da2c562eed56c4f8c78ae0ede

sepolicy/OWNERS

@@ -0,0 +1,3 @@
+include device/google/gs-common:/sepolicy/OWNERS
+
+adamshih@google.com

sepolicy/bug_map

@@ -0,0 +1 @@
+vendor_init device_config_configuration_prop property_service b/267843409

sepolicy/legacy/zuma/vendor/debug_camera_app.te

@@ -0,0 +1,9 @@
+userdebug_or_eng(`
+	# Allows GCA-Eng & GCA-Next access the GXP device and properties.
+	allow debug_camera_app gxp_device:chr_file rw_file_perms;
+	get_prop(debug_camera_app, vendor_gxp_prop)
+
+	# Allows GCA-Eng & GCA-Next to find and access the EdgeTPU.
+	allow debug_camera_app edgetpu_app_service:service_manager find;
+	allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+')

sepolicy/legacy/zuma/vendor/device.te

@@ -0,0 +1,17 @@
+type persist_block_device, dev_type;
+type custom_ab_block_device, dev_type;
+type mfg_data_block_device, dev_type;
+type ufs_internal_block_device, dev_type;
+type logbuffer_device, dev_type;
+type fingerprint_device, dev_type;
+type uci_device, dev_type;
+
+# Dmabuf heaps
+type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
+type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
+type vscaler_secure_heap_device, dmabuf_heap_device_type, dev_type;
+type framebuffer_secure_heap_device, dmabuf_heap_device_type, dev_type;
+type gcma_camera_heap_device, dmabuf_heap_device_type, dev_type;
+
+# SecureElement SPI device
+type st54spi_device, dev_type;

sepolicy/legacy/zuma/vendor/domain.te

@@ -0,0 +1,5 @@
+allow {domain -appdomain -rs} proc_vendor_sched:dir r_dir_perms;
+allow {domain -appdomain -rs} proc_vendor_sched:file w_file_perms;
+
+# Mali
+get_prop(domain, vendor_arm_runtime_option_prop)

sepolicy/legacy/zuma/vendor/euiccpixel_app.te

@@ -0,0 +1,21 @@
+type euiccpixel_app, domain;
+app_domain(euiccpixel_app)
+
+allow euiccpixel_app app_api_service:service_manager find;
+allow euiccpixel_app radio_service:service_manager find;
+allow euiccpixel_app nfc_service:service_manager find;
+
+set_prop(euiccpixel_app, vendor_secure_element_prop)
+set_prop(euiccpixel_app, vendor_modem_prop)
+get_prop(euiccpixel_app, dck_prop)
+
+userdebug_or_eng(`
+    net_domain(euiccpixel_app)
+
+    # Access to directly upgrade firmware on st54spi_device used for engineering devices
+    typeattribute st54spi_device mlstrustedobject;
+    allow euiccpixel_app st54spi_device:chr_file rw_file_perms;
+')
+
+# b/265286368 framework UI rendering properties
+dontaudit euiccpixel_app default_prop:file { read };

sepolicy/legacy/zuma/vendor/hal_bluetooth_btlinux.te

@@ -0,0 +1,9 @@
+# Allow access to always-on compute device node
+allow hal_bluetooth_btlinux aoc_device:chr_file rw_file_perms;
+allow hal_bluetooth_btlinux device:dir r_dir_perms;
+
+allow hal_bluetooth_btlinux vendor_bt_data_file:dir rw_dir_perms;
+allow hal_bluetooth_btlinux vendor_bt_data_file:file create_file_perms;
+
+# allow the HAL to call cccdktimesync registered callbacks
+binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app)

sepolicy/legacy/zuma/vendor/hal_contexthub_default.te

@@ -0,0 +1,2 @@
+# Allow context hub HAL to communicate with daemon via socket
+unix_socket_connect(hal_contexthub_default, chre, chre)

sepolicy/legacy/zuma/vendor/hal_graphics_allocator_default.te

@@ -0,0 +1,6 @@
+allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default vscaler_secure_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default framebuffer_secure_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default gcma_camera_heap_device:chr_file r_file_perms;

sepolicy/legacy/zuma/vendor/hal_health_default.te

@@ -0,0 +1,16 @@
+allow hal_health_default mnt_vendor_file:dir search;
+allow hal_health_default persist_file:dir search;
+allow hal_health_default persist_battery_file:file create_file_perms;
+allow hal_health_default persist_battery_file:dir rw_dir_perms;
+
+set_prop(hal_health_default, vendor_battery_defender_prop)
+set_prop(hal_health_default, vendor_shutdown_prop)
+
+allow hal_health_default fwk_stats_service:service_manager find;
+
+# Access to /sys/devices/platform/13200000.ufs/*
+allow hal_health_default sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms;
+
+allow hal_health_default sysfs_wlc:dir search;
+allow hal_health_default sysfs_batteryinfo:file rw_file_perms;

sepolicy/legacy/zuma/vendor/hal_memtrack_default.te

@@ -0,0 +1 @@
+r_dir_file(hal_memtrack_default, sysfs_gpu)

sepolicy/legacy/zuma/vendor/hal_nfc_default.te

@@ -0,0 +1,5 @@
+# HAL NFC property
+get_prop(hal_nfc_default, vendor_nfc_prop)
+
+# SecureElement property
+set_prop(hal_nfc_default, vendor_secure_element_prop)

sepolicy/legacy/zuma/vendor/hal_power_default.te

@@ -0,0 +1,7 @@
+allow hal_power_default sysfs_gpu:file rw_file_perms;
+allow hal_power_default sysfs_fabric:file rw_file_perms;
+allow hal_power_default sysfs_camera:file rw_file_perms;
+allow hal_power_default sysfs_em_profile:file rw_file_perms;
+allow hal_power_default sysfs_display:file rw_file_perms;
+allow hal_power_default sysfs_trusty:file rw_file_perms;
+set_prop(hal_power_default, vendor_camera_prop);

sepolicy/legacy/zuma/vendor/hal_radioext_default.te

@@ -0,0 +1 @@
+allow hal_radioext_default sysfs_display:file rw_file_perms;

sepolicy/legacy/zuma/vendor/hal_secure_element_st54spi_aidl.te

@@ -0,0 +1,7 @@
+type hal_secure_element_st54spi_aidl, domain;
+type hal_secure_element_st54spi_aidl_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secure_element_st54spi_aidl)
+hal_server_domain(hal_secure_element_st54spi_aidl, hal_secure_element)
+allow hal_secure_element_st54spi_aidl st54spi_device:chr_file rw_file_perms;
+allow hal_secure_element_st54spi_aidl nfc_device:chr_file rw_file_perms;
+set_prop(hal_secure_element_st54spi_aidl, vendor_secure_element_prop)

sepolicy/legacy/zuma/vendor/hal_secure_element_uicc.te

@@ -0,0 +1,12 @@
+type hal_secure_element_uicc, domain;
+type hal_secure_element_uicc_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_secure_element_uicc, hal_secure_element)
+init_daemon_domain(hal_secure_element_uicc)
+
+# Allow writing to system_server pipes during crash dump
+crash_dump_fallback(hal_secure_element_uicc)
+
+# Allow hal_secure_element_uicc to access rild
+binder_call(hal_secure_element_uicc, rild);
+allow hal_secure_element_uicc hal_exynos_rild_hwservice:hwservice_manager find;

sepolicy/legacy/zuma/vendor/hal_sensors_default.te

@@ -0,0 +1,26 @@
+# Allow reading of camera persist files.
+r_dir_file(hal_sensors_default, persist_camera_file)
+
+# Allow access to the files of CDT information.
+r_dir_file(hal_sensors_default, sysfs_chosen)
+
+# Allow sensor HAL to access the thermal service HAL
+hal_client_domain(hal_sensors_default, hal_thermal);
+
+# Allow display_info_service access to the backlight driver.
+allow hal_sensors_default sysfs_write_leds:file rw_file_perms;
+
+# Allow access for dynamic sensor properties.
+get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)
+
+# Allow access to raw HID devices for dynamic sensors.
+allow hal_sensors_default hidraw_device:chr_file rw_file_perms;
+
+# Allow sensor HAL to access the display service HAL
+allow hal_sensors_default hal_pixel_display_service:service_manager find;
+
+# Allow sensor HAL to access the graphics composer.
+binder_call(hal_sensors_default, hal_graphics_composer_default)
+
+# Allow access to the power supply files for MagCC.
+allow hal_sensors_default sysfs_wlc:dir r_dir_perms;

sepolicy/legacy/zuma/vendor/hal_thermal_default.te

@@ -0,0 +1,2 @@
+r_dir_file(hal_thermal_default, sysfs_iio_devices)
+r_dir_file(hal_thermal_default, sysfs_odpm)

sepolicy/legacy/zuma/vendor/hal_wifi_ext.te

@@ -0,0 +1,9 @@
+# Allow wifi_ext to report callbacks to gril-service app
+binder_call(hal_wifi_ext, grilservice_app)
+
+# Write wlan driver/fw version into property
+set_prop(hal_wifi_ext, vendor_wifi_version)
+
+# Allow wifi_ext to read and write /data/vendor/firmware/wifi
+allow hal_wifi_ext updated_wifi_firmware_data_file:dir rw_dir_perms;
+allow hal_wifi_ext updated_wifi_firmware_data_file:file create_file_perms;

sepolicy/legacy/zuma/vendor/hal_wireless_charger.te

@@ -0,0 +1,7 @@
+type hal_wireless_charger, domain;
+type hal_wireless_charger_exec, exec_type, vendor_file_type, file_type;
+
+allow hal_wireless_charger dumpstate:fd use;
+allow hal_wireless_charger dumpstate:fifo_file rw_file_perms;
+
+binder_call(hal_wireless_charger, systemui_app)

sepolicy/legacy/zuma/vendor/hwservice.te

@@ -0,0 +1,2 @@
+# Fingerprint
+type hal_fingerprint_ext_hwservice, hwservice_manager_type;

sepolicy/legacy/zuma/vendor/init.te

@@ -0,0 +1,13 @@
+allow init mnt_vendor_file:dir mounton;
+allow init custom_ab_block_device:lnk_file relabelto;
+
+# This is needed for chaining a boot partition vbmeta
+# descriptor, where init will probe the boot partition
+# to read the chained vbmeta in the first-stage, then
+# relabel /dev/block/by-name/boot_[a|b] to block_device
+# after loading sepolicy in the second stage.
+allow init boot_block_device:lnk_file relabelto;
+
+allow init persist_file:dir mounton;
+allow init ram_device:blk_file w_file_perms;
+

sepolicy/legacy/zuma/vendor/installd.te

@@ -0,0 +1 @@
+dontaudit installd modem_img_file:filesystem quotaget;

sepolicy/legacy/zuma/vendor/logd.te

@@ -0,0 +1,4 @@
+r_dir_file(logd, logbuffer_device)
+allow logd logbuffer_device:chr_file r_file_perms;
+allow logd trusty_log_device:chr_file r_file_perms;
+

sepolicy/legacy/zuma/vendor/mediacodec_google.te

@@ -0,0 +1,35 @@
+type mediacodec_google, domain;
+type mediacodec_google_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mediacodec_google)
+
+vndbinder_use(mediacodec_google)
+
+hal_server_domain(mediacodec_google, hal_codec2)
+
+# mediacodec_google may use an input surface from a different Codec2 service
+hal_client_domain(mediacodec_google, hal_codec2)
+
+hal_client_domain(mediacodec_google, hal_graphics_allocator)
+
+allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediacodec_google dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allow mediacodec_google video_device:chr_file rw_file_perms;
+allow mediacodec_google gpu_device:chr_file rw_file_perms;
+
+crash_dump_fallback(mediacodec_google)
+
+# mediacodec_google should never execute any executable without a domain transition
+neverallow mediacodec_google { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediacodec_google domain:{ udp_socket rawip_socket } *;
+neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *;
+
+userdebug_or_eng(`
+ allow mediacodec_google vendor_media_data_file:dir rw_dir_perms;
+ allow mediacodec_google vendor_media_data_file:file create_file_perms;
+')

sepolicy/legacy/zuma/vendor/pixeldisplayservice_app.te

@@ -0,0 +1,2 @@
+allow pixeldisplayservice_app hal_pixel_display_service:service_manager find;
+binder_call(pixeldisplayservice_app, hal_graphics_composer_default)

sepolicy/legacy/zuma/vendor/pixelstats_vendor.te

@@ -0,0 +1,28 @@
+# Batery history
+allow pixelstats_vendor battery_history_device:chr_file r_file_perms;
+
+# BCL
+allow pixelstats_vendor sysfs_bcl:dir search;
+allow pixelstats_vendor sysfs_bcl:file r_file_perms;
+allow pixelstats_vendor mitigation_vendor_data_file:dir search;
+allow pixelstats_vendor mitigation_vendor_data_file:file rw_file_perms;
+get_prop(pixelstats_vendor, vendor_brownout_reason_prop);
+
+#vendor-metrics
+r_dir_file(pixelstats_vendor, sysfs_vendor_metrics)
+allow pixelstats_vendor sysfs_vendor_metrics:lnk_file r_file_perms;
+allow pixelstats_vendor sysfs_vendor_metrics:file w_file_perms;
+
+# Wireless charge
+allow pixelstats_vendor sysfs_wlc:dir search;
+allow pixelstats_vendor sysfs_wlc:file rw_file_perms;
+
+# PCIe Link Statistics
+allow pixelstats_vendor sysfs_pcie:dir search;
+allow pixelstats_vendor sysfs_pcie:file rw_file_perms;
+
+allow pixelstats_vendor sysfs_pixelstats:file r_file_perms;
+
+#Thermal
+r_dir_file(pixelstats_vendor, sysfs_thermal)
+allow pixelstats_vendor sysfs_thermal:lnk_file r_file_perms;

sepolicy/legacy/zuma/vendor/platform_app.te

@@ -0,0 +1,3 @@
+# WLC
+allow platform_app hal_wireless_charger_service:service_manager find;
+binder_call(platform_app, hal_wireless_charger)

sepolicy/legacy/zuma/vendor/recovery.te

@@ -0,0 +1,8 @@
+recovery_only(`
+  allow recovery sysfs_ota:file rw_file_perms;
+  allow recovery st54spi_device:chr_file rw_file_perms;
+  allow recovery tee_device:chr_file rw_file_perms;
+  allow recovery sysfs_scsi_devices_0000:file r_file_perms;
+  allow recovery sysfs_scsi_devices_0000:dir r_dir_perms;
+  set_prop(recovery, boottime_prop)
+')

sepolicy/legacy/zuma/vendor/shell.te

@@ -0,0 +1,2 @@
+# wlc
+dontaudit shell sysfs_wlc:dir search;

sepolicy/legacy/zuma/vendor/surfaceflinger.te

@@ -0,0 +1 @@
+allow surfaceflinger arm_mali_platform_service:service_manager find;

sepolicy/legacy/zuma/vendor/system_app.te

@@ -0,0 +1,3 @@
+# WLC
+allow system_app hal_wireless_charger_service:service_manager find;
+binder_call(system_app, hal_wireless_charger)

sepolicy/legacy/zuma/vendor/system_server.te

@@ -0,0 +1,3 @@
+binder_call(system_server, hal_camera_default);
+
+allow system_server arm_mali_platform_service:service_manager find;

sepolicy/legacy/zuma/vendor/systemui_app.te

@@ -0,0 +1,10 @@
+allow systemui_app pixel_battery_service_type:service_manager find;
+binder_call(systemui_app, pixel_battery_domain)
+
+allow systemui_app screen_protector_detector_service:service_manager find;
+allow systemui_app touch_context_service:service_manager find;
+binder_call(systemui_app, twoshay)
+
+# WLC
+allow systemui_app hal_wireless_charger_service:service_manager find;
+binder_call(systemui_app, hal_wireless_charger)

sepolicy/legacy/zuma/vendor/tcpdump_logger.te

@@ -0,0 +1,21 @@
+type tcpdump_logger, domain;
+type tcpdump_logger_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+  # make transition from init to its domain
+  init_daemon_domain(tcpdump_logger)
+
+  allow tcpdump_logger self:capability net_raw;
+  allow tcpdump_logger self:packet_socket create_socket_perms;
+  allowxperm tcpdump_logger self:packet_socket ioctl 0x8933;
+  allow tcpdump_logger tcpdump_exec:file rx_file_perms;
+  allow tcpdump_logger tcpdump_vendor_data_file:dir create_dir_perms;
+  allow tcpdump_logger tcpdump_vendor_data_file:file create_file_perms;
+  allow tcpdump_logger tcpdump_vendor_data_file:dir search;
+  allow tcpdump_logger radio_vendor_data_file:file create_file_perms;
+  allow tcpdump_logger radio_vendor_data_file:dir create_dir_perms;
+  allow tcpdump_logger wifi_logging_data_file:file create_file_perms;
+  allow tcpdump_logger wifi_logging_data_file:dir create_dir_perms;
+
+  set_prop(tcpdump_logger, vendor_tcpdump_log_prop)
+')

sepolicy/legacy/zuma/vendor/tee.te

@@ -0,0 +1,15 @@
+# Handle wake locks
+wakelock_use(tee)
+
+allow tee persist_ss_file:file create_file_perms;
+allow tee persist_ss_file:dir create_dir_perms;
+allow tee persist_file:dir r_dir_perms;
+allow tee mnt_vendor_file:dir r_dir_perms;
+allow tee tee_data_file:dir rw_dir_perms;
+allow tee tee_data_file:lnk_file r_file_perms;
+allow tee block_device:dir search;
+
+# Allow storageproxyd access to gsi_public_metadata_file
+read_fstab(tee)
+
+set_prop(tee, vendor_trusty_storage_prop)

sepolicy/legacy/zuma/vendor/toolbox.te

@@ -0,0 +1,3 @@
+allow toolbox ram_device:blk_file rw_file_perms;
+allow toolbox per_boot_file:dir create_dir_perms;
+allow toolbox per_boot_file:file create_file_perms;

sepolicy/legacy/zuma/vendor/trusty_apploader.te

@@ -0,0 +1,7 @@
+type trusty_apploader, domain;
+type trusty_apploader_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(trusty_apploader)
+
+allow trusty_apploader ion_device:chr_file r_file_perms;
+allow trusty_apploader tee_device:chr_file rw_file_perms;
+allow trusty_apploader dmabuf_system_heap_device:chr_file r_file_perms;

sepolicy/legacy/zuma/vendor/trusty_metricsd.te

@@ -0,0 +1,11 @@
+type trusty_metricsd, domain;
+type trusty_metricsd_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(trusty_metricsd)
+
+allow trusty_metricsd tee_device:chr_file rw_file_perms;
+
+# For Suez metrics collection
+binder_use(trusty_metricsd)
+binder_call(trusty_metricsd, system_server)
+allow trusty_metricsd fwk_stats_service:service_manager find;

sepolicy/legacy/zuma/vendor/twoshay.te

@@ -0,0 +1,4 @@
+# Allow ITouchContextService callback
+binder_call(twoshay, systemui_app)
+
+binder_call(twoshay, hal_radioext_default)

sepolicy/legacy/zuma/vendor/ufs_firmware_update.te

@@ -0,0 +1,12 @@
+type ufs_firmware_update, domain;
+type ufs_firmware_update_exec, vendor_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+  init_daemon_domain(ufs_firmware_update)
+
+  allow ufs_firmware_update vendor_toolbox_exec:file execute_no_trans;
+  allow ufs_firmware_update block_device:dir r_dir_perms;
+  allow ufs_firmware_update ufs_internal_block_device:blk_file rw_file_perms;
+  allow ufs_firmware_update sysfs:dir r_dir_perms;
+  allow ufs_firmware_update sysfs_scsi_devices_0000:file r_file_perms;
+')

sepolicy/legacy/zuma/vendor/update_engine.te

@@ -0,0 +1,4 @@
+allow update_engine custom_ab_block_device:blk_file rw_file_perms;
+allow update_engine dtbo_block_device:blk_file rw_file_perms;
+allow update_engine modem_block_device:blk_file rw_file_perms;
+allow update_engine proc_bootconfig:file r_file_perms;

sepolicy/legacy/zuma/vendor/vendor_init.te

@@ -0,0 +1,30 @@
+# Fingerprint property
+set_prop(vendor_init, vendor_fingerprint_prop)
+# Battery harness mode property
+set_prop(vendor_init, vendor_battery_defender_prop)
+
+set_prop(vendor_init, logpersistd_logging_prop)
+
+allow vendor_init proc_dirty:file w_file_perms;
+allow vendor_init proc_sched:file w_file_perms;
+allow vendor_init bootdevice_sysdev:file create_file_perms;
+allow vendor_init modem_img_file:filesystem { getattr };
+
+userdebug_or_eng(`
+allow vendor_init vendor_init:lockdown { integrity };
+')
+
+# Camera vendor property
+set_prop(vendor_init, vendor_camera_prop)
+
+# NFC vendor property
+set_prop(vendor_init, vendor_nfc_prop)
+# SecureElement vendor property
+set_prop(vendor_init, vendor_secure_element_prop)
+
+# Mali
+set_prop(vendor_init, vendor_arm_runtime_option_prop)
+set_prop(vendor_init, vendor_ssrdump_prop)
+
+# MM
+allow vendor_init proc_watermark_scale_factor:file w_file_perms;

sepolicy/legacy/zuma/vendor/wifi_sniffer.te

@@ -0,0 +1,4 @@
+userdebug_or_eng(`
+allow wifi_sniffer sysfs_wifi:dir search;
+allow wifi_sniffer sysfs_wifi:file rw_file_perms;
+')

sepolicy/private/debug_camera_app.te

@@ -0,0 +1,16 @@
+typeattribute debug_camera_app coredomain;
+
+userdebug_or_eng(`
+	app_domain(debug_camera_app)
+	net_domain(debug_camera_app)
+
+	allow debug_camera_app app_api_service:service_manager find;
+	allow debug_camera_app audioserver_service:service_manager find;
+	allow debug_camera_app cameraserver_service:service_manager find;
+	allow debug_camera_app mediaextractor_service:service_manager find;
+	allow debug_camera_app mediametrics_service:service_manager find;
+	allow debug_camera_app mediaserver_service:service_manager find;
+
+	# Allows GCA_Eng & GCA-Next to access the PowerHAL.
+	hal_client_domain(debug_camera_app, hal_power)
+')

sepolicy/private/google_camera_app.te

@@ -0,0 +1,16 @@
+typeattribute google_camera_app coredomain;
+app_domain(google_camera_app)
+net_domain(google_camera_app)
+
+allow google_camera_app app_api_service:service_manager find;
+allow google_camera_app audioserver_service:service_manager find;
+allow google_camera_app cameraserver_service:service_manager find;
+allow google_camera_app mediaextractor_service:service_manager find;
+allow google_camera_app mediametrics_service:service_manager find;
+allow google_camera_app mediaserver_service:service_manager find;
+
+# Allows GCA to access the PowerHAL.
+hal_client_domain(google_camera_app, hal_power)
+
+# Library code may try to access vendor properties, but should be denied
+dontaudit google_camera_app vendor_default_prop:file { getattr map open };

sepolicy/private/seapp_contexts

@@ -0,0 +1,11 @@
+# Google Camera
+user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+
+# Google Camera Eng
+user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
+
+# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
+user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
+
+# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
+user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all

sepolicy/private/systemui_app.te

@@ -0,0 +1 @@
+

sepolicy/private/vendor_init.te

@@ -0,0 +1,2 @@
+# b/277300125
+dontaudit vendor_init device_config_configuration_prop:property_service { set };

sepolicy/public/debug_camera_app.te

@@ -0,0 +1 @@
+type debug_camera_app, domain;

sepolicy/public/google_camera_app.te

@@ -0,0 +1 @@
+type google_camera_app, domain;

sepolicy/radio/bipchmgr.te

@@ -0,0 +1,9 @@
+type bipchmgr, domain;
+type bipchmgr_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(bipchmgr)
+
+get_prop(bipchmgr, hwservicemanager_prop);
+
+allow bipchmgr hal_exynos_rild_hwservice:hwservice_manager find;
+hwbinder_use(bipchmgr)
+binder_call(bipchmgr, rild)

sepolicy/radio/cat_engine_service_app.te

@@ -0,0 +1,8 @@
+type cat_engine_service_app, domain;
+
+userdebug_or_eng(`
+  app_domain(cat_engine_service_app)
+  get_prop(cat_engine_service_app, vendor_rild_prop)
+  allow cat_engine_service_app app_api_service:service_manager find;
+  allow cat_engine_service_app system_app_data_file:dir r_dir_perms;
+')

sepolicy/radio/cbd.te

@@ -0,0 +1,62 @@
+type cbd, domain;
+type cbd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(cbd)
+
+set_prop(cbd, vendor_modem_prop)
+set_prop(cbd, vendor_cbd_prop)
+set_prop(cbd, vendor_rild_prop)
+get_prop(cbd, telephony_modem_prop)
+set_prop(cbd, telephony_modemtype_prop)
+
+allow cbd mnt_vendor_file:dir r_dir_perms;
+
+allow cbd kmsg_device:chr_file rw_file_perms;
+
+allow cbd vendor_shell_exec:file execute_no_trans;
+allow cbd vendor_toolbox_exec:file execute_no_trans;
+
+# Allow cbd to access modem block device
+allow cbd block_device:dir search;
+allow cbd modem_block_device:blk_file r_file_perms;
+
+# Allow cbd to access sysfs chosen files
+allow cbd sysfs_chosen:file r_file_perms;
+allow cbd sysfs_chosen:dir r_dir_perms;
+
+allow cbd radio_device:chr_file rw_file_perms;
+
+allow cbd proc_cmdline:file r_file_perms;
+
+allow cbd persist_modem_file:dir create_dir_perms;
+allow cbd persist_modem_file:file create_file_perms;
+allow cbd persist_file:dir search;
+
+allow cbd radio_vendor_data_file:dir create_dir_perms;
+allow cbd radio_vendor_data_file:file create_file_perms;
+
+# Allow cbd to operate with modem EFS file/dir
+allow cbd modem_efs_file:dir create_dir_perms;
+allow cbd modem_efs_file:file create_file_perms;
+
+# Allow cbd to operate with modem userdata file/dir
+allow cbd modem_userdata_file:dir create_dir_perms;
+allow cbd modem_userdata_file:file create_file_perms;
+
+# Allow cbd to access modem image file/dir
+allow cbd modem_img_file:dir r_dir_perms;
+allow cbd modem_img_file:file r_file_perms;
+allow cbd modem_img_file:lnk_file r_file_perms;
+
+# Allow cbd to collect crash info
+allow cbd sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+allow cbd sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+
+userdebug_or_eng(`
+  r_dir_file(cbd, vendor_slog_file)
+
+  allow cbd kernel:system syslog_read;
+
+  allow cbd sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+  allow cbd sscoredump_vendor_data_coredump_file:file create_file_perms;
+')
+

sepolicy/radio/cbrs_setup.te

@@ -0,0 +1,13 @@
+# GoogleCBRS app
+type cbrs_setup_app, domain;
+
+userdebug_or_eng(`
+  app_domain(cbrs_setup_app)
+  net_domain(cbrs_setup_app)
+
+  allow cbrs_setup_app app_api_service:service_manager find;
+  allow cbrs_setup_app cameraserver_service:service_manager find;
+  allow cbrs_setup_app radio_service:service_manager find;
+  set_prop(cbrs_setup_app, radio_prop)
+  set_prop(cbrs_setup_app, vendor_rild_prop)
+')

sepolicy/radio/certs/com_google_mds.x509.pem

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIF1TCCA72gAwIBAgIVAPZ4KZV2jpxRBCoVAidCu62l3cDqMA0GCSqGSIb3DQEBCwUAMHsxCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw
+EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEXMBUGA1UEAwwOY29tX2dvb2ds
+ZV9tZHMwHhcNMTkwNDIyMTQ1NzA1WhcNNDkwNDIyMTQ1NzA1WjB7MQswCQYDVQQGEwJVUzETMBEG
+A1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29vZ2xl
+IEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxFzAVBgNVBAMMDmNvbV9nb29nbGVfbWRzMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqgNC0hhI3NzaPUllJfe01hCTuEpl35D02+DKJ5prPFxv
+6KGTk6skjZOwV87Zf2pyj/cbnv28ioDjwvqMBe4ntFdKtH9gl2tTAVl69HMKXF4Iny/wnrt2mxzh
+WxFUd5PuW+mWug+UQw/NGUuaf5d/yys/RrchHKM1+zBV6aOzH6BXiwDoOF2i43d5GlNQ/tFuMySW
+LJftJN0QULFelxNDFFJZhw2P3c4opxjmF2yCoIiDfBEIhTZFKUbHX6YDLXmtUpXl35q+cxK4TCxP
+URyzwdfiyheF3TTxagfzhvXNg/ifrY67S4qCGfzoEMPxrTz02gS0u3D6r/2+hl9vAJChLKDNdIs6
+TqIw+YnABrELiZLLFnaABnjQ7xC3xv1s3W6dWxaxnoVMtC1YvdgwhC5gSpJ4A+AGcCLv96hoeB1I
+IoGV9Yt0Z97MFpXeHFpAxFZ1F9feBqwOCDbu50dmdKZvqGHZ4Ts3uy7ukDQ08dquHpT+NmqkmmW5
+GGhkuyZS3HHpU/QeVsZiyJCJBbDe5lz6NGXK56ruuF9ILeGHtldjQm40oYRc01ESScyVjSU0kpMO
+C7hn1B7rKAm8xxG7eH04ieQrNnbbee7atOO4C3157W5CqujfLMeo6OCRVtcYkYIuSi8hIPNySu/q
+OaEtEP4owVNZR0H6mCHy5pANsyBofMkCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU
+gk8pmLx8yP3RILwR5am1G10PBEowHwYDVR0jBBgwFoAUgk8pmLx8yP3RILwR5am1G10PBEowDQYJ
+KoZIhvcNAQELBQADggIBAC9iQ1huo6CzjcsB1IIw3WYPYVfHtvG7fiB49QO6cjth8fxM36YOxnMz
+K9Zh89cnFx7BeXG4MdbR3lAWO+wTbEpM/5azAQfqHB/ZEEAo1THtqS58C1bTwJ5zxkA+wL/x1ucT
+EV0QZtPHC1K5nIV5FuICiJjui5FHfj2HYu2A5a5729rdZ7sL8Vgx6TUFKpEPs5iCrlx5X/E+/wJa
+DM5iIjVvrGJJq0VWHHeDJEE+Sw1CDxWYRzvu1WvCvhk149hf4LlfrR0A5t8QJRGx0WwF10DLGgJx
+7epMBpzhMIXc529FTIx4Rx2PcufjTZC9EN7PkLgVfYahWEkt/YIfV/0F6U6viLxdNC5O0pimSV57
+vT6HIthX1OC34eZca0cPqH1kOuhRDKOhbP4yIgdYX6knpvw8aXsYcyTfAmDyrt0EWffeBPedaxMo
+xfijdlsBQUymviUQ8qBbfl1Ew9VoC+VEsiobK7Ubog0IK+82LQ7FOLMoNYnhk5wJ63i1kVvBVAgH
+64PMME2KG//BwYFfKK6jUXibabyNke72+1Jr0xpw1BHJPxNJ8Q8yCBLF0wmXmFJSM+9lSDd10Bni
+FJeMFMQ0T1Sf8GUSIxYYbMK5pDguRs+JOYkUID02ylJ3L6GAnxXCjGWzpdxw29/WWJc+qsYFEIbP
+kKzTUNQHaaLHmcLK22Ht
+-----END CERTIFICATE-----

sepolicy/radio/device.te

@@ -0,0 +1,3 @@
+type modem_block_device, dev_type;
+type modem_userdata_block_device, dev_type;
+type efs_block_device, dev_type;

sepolicy/radio/dmd.te

@@ -0,0 +1,33 @@
+type dmd, domain;
+type dmd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(dmd)
+
+# Grant to access serial device for external logging tool
+allow dmd serial_device:chr_file rw_file_perms;
+
+# Grant to access radio device
+allow dmd radio_device:chr_file rw_file_perms;
+
+# Grant to access slog dir/file
+allow dmd vendor_slog_file:dir create_dir_perms;
+allow dmd vendor_slog_file:file create_file_perms;
+
+# Grant to access tcp socket
+allow dmd node:tcp_socket node_bind;
+allow dmd self:tcp_socket { create_socket_perms_no_ioctl listen accept bind };
+
+# Grant to access log related properties
+set_prop(dmd, vendor_diag_prop)
+set_prop(dmd, vendor_slog_prop)
+set_prop(dmd, vendor_modem_prop)
+get_prop(dmd, vendor_persist_config_default_prop)
+
+# Grant to access hwservice manager
+get_prop(dmd, hwservicemanager_prop)
+allow dmd hidl_base_hwservice:hwservice_manager add;
+allow dmd hal_vendor_oem_hwservice:hwservice_manager { add find };
+binder_call(dmd, hwservicemanager)
+binder_call(dmd, modem_diagnostic_app)
+binder_call(dmd, modem_logging_control)
+binder_call(dmd, vendor_telephony_silentlogging_app)
+binder_call(dmd, liboemservice_proxy_default)

sepolicy/radio/file.te

@@ -0,0 +1,42 @@
+# Data
+type rild_vendor_data_file, file_type, data_file_type;
+type modem_ml_data_file, file_type, data_file_type;
+type modem_stat_data_file, file_type, data_file_type;
+type sysfs_gps, sysfs_type, fs_type;
+type vendor_gps_file, file_type, data_file_type;
+type vendor_log_file, file_type, data_file_type;
+type vendor_rfsd_log_file, file_type, data_file_type;
+type vendor_slog_file, file_type, data_file_type;
+userdebug_or_eng(`
+  typeattribute vendor_slog_file mlstrustedobject;
+  typeattribute vendor_gps_file mlstrustedobject;
+')
+
+# persist
+type persist_modem_file, file_type, vendor_persist_type;
+
+# Modem
+type modem_efs_file, file_type;
+type modem_userdata_file, file_type;
+type sysfs_modem, sysfs_type, fs_type;
+
+# Exynos Firmware
+type vendor_fw_file, vendor_file_type, file_type;
+
+# vendor extra images
+type modem_img_file, contextmount_type, file_type, vendor_file_type;
+allow modem_img_file self:filesystem associate;
+type modem_config_file, file_type, vendor_file_type;
+
+# sysfs
+type sysfs_chosen, sysfs_type, fs_type;
+type sysfs_sjtag, fs_type, sysfs_type;
+userdebug_or_eng(`
+    typeattribute sysfs_sjtag mlstrustedobject;
+')
+
+# Vendor sched files
+userdebug_or_eng(`
+    typeattribute proc_vendor_sched mlstrustedobject;
+')
+

sepolicy/radio/file_contexts

@@ -0,0 +1,43 @@
+# Binaries
+/vendor/bin/init\.radio\.sh                                                 u:object_r:init_radio_exec:s0
+/vendor/bin/bipchmgr                                                        u:object_r:bipchmgr_exec:s0
+/vendor/bin/vcd                                                             u:object_r:vcd_exec:s0
+/vendor/bin/dmd                                                             u:object_r:dmd_exec:s0
+/vendor/bin/sced                                                            u:object_r:sced_exec:s0
+/vendor/bin/rfsd                                                            u:object_r:rfsd_exec:s0
+/vendor/bin/modem_logging_control                                           u:object_r:modem_logging_control_exec:s0
+/vendor/bin/modem_ml_svc_sit                                                u:object_r:modem_ml_svc_sit_exec:s0
+/vendor/bin/cbd                                                             u:object_r:cbd_exec:s0
+/vendor/bin/hw/rild_exynos                                                  u:object_r:rild_exec:s0
+/vendor/bin/hw/vendor\.google\.radioext@1\.0-service                        u:object_r:hal_radioext_default_exec:s0
+/vendor/bin/liboemservice_proxy_default                                     u:object_r:liboemservice_proxy_default_exec:s0
+/vendor/bin/shared_modem_platform                                           u:object_r:modem_svc_sit_exec:s0
+
+# Config files
+/vendor/etc/modem_ml_models\.conf                                           u:object_r:modem_config_file:s0
+
+# Data
+/data/vendor/log/rfsd(/.*)?                                                 u:object_r:vendor_rfsd_log_file:s0
+/data/vendor/log(/.*)?                                                      u:object_r:vendor_log_file:s0
+/data/vendor/slog(/.*)?                                                     u:object_r:vendor_slog_file:s0
+/data/vendor/modem_ml(/.*)?                                                 u:object_r:modem_ml_data_file:s0
+/data/vendor/modem_stat(/.*)?                                               u:object_r:modem_stat_data_file:s0
+/data/vendor/rild(/.*)?                                                     u:object_r:rild_vendor_data_file:s0
+
+# vendor extra images
+/mnt/vendor/efs(/.*)?                                                       u:object_r:modem_efs_file:s0
+/mnt/vendor/efs_backup(/.*)?                                                u:object_r:modem_efs_file:s0
+/mnt/vendor/modem_img(/.*)?                                                 u:object_r:modem_img_file:s0
+/mnt/vendor/modem_userdata(/.*)?                                            u:object_r:modem_userdata_file:s0
+/mnt/vendor/persist/modem(/.*)?                                             u:object_r:persist_modem_file:s0
+
+# Devices
+/dev/ttyGS[0-3]                                                             u:object_r:serial_device:s0
+/dev/oem_ipc[0-7]                                                           u:object_r:radio_device:s0
+/dev/oem_test                                                               u:object_r:radio_device:s0
+/dev/umts_boot0                                                             u:object_r:radio_device:s0
+/dev/umts_ipc0                                                              u:object_r:radio_device:s0
+/dev/umts_ipc1                                                              u:object_r:radio_device:s0
+/dev/umts_rfs0                                                              u:object_r:radio_device:s0
+/dev/umts_dm0                                                               u:object_r:radio_device:s0
+/dev/umts_router                                                            u:object_r:radio_device:s0

sepolicy/radio/fsck.te

@@ -0,0 +1,4 @@
+allow fsck persist_block_device:blk_file rw_file_perms;
+allow fsck efs_block_device:blk_file rw_file_perms;
+allow fsck modem_userdata_block_device:blk_file rw_file_perms;
+

sepolicy/radio/genfs_contexts

@@ -0,0 +1,11 @@
+# SJTAG
+genfscon sysfs /devices/platform/sjtag_ap/interface                       u:object_r:sysfs_sjtag:s0
+genfscon sysfs /devices/platform/sjtag_gsa/interface                      u:object_r:sysfs_sjtag:s0
+
+genfscon sysfs /firmware/devicetree/base/chosen                           u:object_r:sysfs_chosen:s0
+
+# Modem
+genfscon sysfs /devices/platform/cp-tm1/cp_temp  u:object_r:sysfs_modem:s0
+genfscon sysfs /devices/platform/cpif/dynamic_pcie_spd/tp_threshold  u:object_r:sysfs_modem:s0
+genfscon sysfs /devices/platform/cpif/dynamic_pcie_spd/tp_hysteresis  u:object_r:sysfs_modem:s0
+genfscon sysfs /devices/platform/cpif/dynamic_pcie_spd/dynamic_spd_enable  u:object_r:sysfs_modem:s0

sepolicy/radio/grilservice_app.te

@@ -0,0 +1,24 @@
+type grilservice_app, domain;
+app_domain(grilservice_app)
+
+allow grilservice_app app_api_service:service_manager find;
+allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+allow grilservice_app hal_bluetooth_coexistence_service:service_manager find;
+allow grilservice_app hal_radioext_hwservice:hwservice_manager find;
+allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find;
+allow grilservice_app hal_wifi_ext_service:service_manager find;
+allow grilservice_app hal_audiometricext_hwservice:hwservice_manager find;
+allow grilservice_app hal_exynos_rild_hwservice:hwservice_manager find;
+allow grilservice_app radio_vendor_data_file:dir create_dir_perms;
+allow grilservice_app radio_vendor_data_file:file create_file_perms;
+allow grilservice_app gril_antenna_tuning_service:service_manager find;
+binder_call(grilservice_app, hal_bluetooth_btlinux)
+binder_call(grilservice_app, hal_radioext_default)
+binder_call(grilservice_app, hal_wifi_ext)
+binder_call(grilservice_app, hal_audiometricext_default)
+binder_call(grilservice_app, rild)
+hal_client_domain(grilservice_app, hal_power_stats)
+# Read access to /sys/kernel/irq
+allow grilservice_app sysfs_irq:dir r_dir_perms;
+allow grilservice_app sysfs_irq:file r_file_perms;
+get_prop(grilservice_app, telephony_modemtype_prop)

sepolicy/radio/hal_radioext_default.te

@@ -0,0 +1,24 @@
+type hal_radioext_default, domain;
+type hal_radioext_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_radioext_default)
+
+hwbinder_use(hal_radioext_default)
+get_prop(hal_radioext_default, hwservicemanager_prop)
+get_prop(hal_radioext_default, telephony_modemtype_prop)
+set_prop(hal_radioext_default, vendor_gril_prop)
+add_hwservice(hal_radioext_default, hal_radioext_hwservice)
+
+binder_call(hal_radioext_default, servicemanager)
+binder_call(hal_radioext_default, grilservice_app)
+binder_call(hal_radioext_default, hal_bluetooth_btlinux)
+
+# RW /dev/oem_ipc0
+allow hal_radioext_default radio_device:chr_file rw_file_perms;
+
+# RW MIPI Freq files
+allow hal_radioext_default radio_vendor_data_file:dir create_dir_perms;
+allow hal_radioext_default radio_vendor_data_file:file create_file_perms;
+
+# Bluetooth
+allow hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+allow hal_radioext_default hal_bluetooth_coexistence_service:service_manager find;

sepolicy/radio/hwservice.te

@@ -0,0 +1,9 @@
+# dmd servcie
+type hal_vendor_oem_hwservice, hwservice_manager_type;
+
+# GRIL service
+type hal_radioext_hwservice, hwservice_manager_type;
+
+# rild service
+type hal_exynos_rild_hwservice, hwservice_manager_type;
+

sepolicy/radio/hwservice_contexts

@@ -0,0 +1,8 @@
+# dmd HAL
+vendor.samsung_slsi.telephony.hardware.oemservice::IOemService                     u:object_r:hal_vendor_oem_hwservice:s0
+
+# rild HAL
+vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal        u:object_r:hal_exynos_rild_hwservice:s0
+
+# GRIL HAL
+vendor.google.radioext::IRadioExt                                                  u:object_r:hal_radioext_hwservice:s0

sepolicy/radio/hwservicemanager.te

@@ -0,0 +1 @@
+binder_call(hwservicemanager, bipchmgr)

sepolicy/radio/init.te

@@ -0,0 +1,4 @@
+allow init modem_efs_file:dir mounton;
+allow init modem_userdata_file:dir mounton;
+allow init modem_img_file:dir mounton;
+allow init modem_img_file:filesystem { getattr mount relabelfrom };

sepolicy/radio/init_radio.te

@@ -0,0 +1,8 @@
+type init_radio, domain;
+type init_radio_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init_radio);
+
+allow init_radio vendor_toolbox_exec:file execute_no_trans;
+allow init_radio radio_vendor_data_file:dir create_dir_perms;
+allow init_radio radio_vendor_data_file:file create_file_perms;

sepolicy/radio/keys.conf

@@ -0,0 +1,3 @@
+[@MDS]
+ALL : device/google/zumapro-sepolicy/radio/certs/com_google_mds.x509.pem
+

sepolicy/radio/liboemservice_proxy.te

@@ -0,0 +1,34 @@
+type liboemservice_proxy_default, domain;
+type liboemservice_proxy_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(liboemservice_proxy_default)
+
+# Allow proxy to register as android service.
+binder_use(liboemservice_proxy_default);
+add_service(liboemservice_proxy_default, liboemservice_proxy_service);
+
+get_prop(liboemservice_proxy_default, hwservicemanager_prop)
+binder_call(liboemservice_proxy_default, hwservicemanager)
+binder_call(liboemservice_proxy_default, dmd)
+allow liboemservice_proxy_default hal_vendor_oem_hwservice:hwservice_manager find;
+allow liboemservice_proxy_default radio_vendor_data_file:dir create_dir_perms;
+allow liboemservice_proxy_default radio_vendor_data_file:file create_file_perms;
+
+# Grant to access serial device for external logging tool
+allow liboemservice_proxy_default serial_device:chr_file rw_file_perms;
+
+# Grant to access radio device
+allow liboemservice_proxy_default radio_device:chr_file rw_file_perms;
+
+# Grant to access slog dir/file
+allow liboemservice_proxy_default vendor_slog_file:dir create_dir_perms;
+allow liboemservice_proxy_default vendor_slog_file:file create_file_perms;
+
+# Grant to access tcp socket
+allow liboemservice_proxy_default node:tcp_socket node_bind;
+allow liboemservice_proxy_default self:tcp_socket { create_socket_perms_no_ioctl listen accept bind };
+
+# Grant to access log related properties
+set_prop(liboemservice_proxy_default, vendor_diag_prop)
+set_prop(liboemservice_proxy_default, vendor_slog_prop)
+set_prop(liboemservice_proxy_default, vendor_modem_prop)
+get_prop(liboemservice_proxy_default, vendor_persist_config_default_prop)

sepolicy/radio/logger_app.te

@@ -0,0 +1,27 @@
+userdebug_or_eng(`
+  allow logger_app vendor_gps_file:file create_file_perms;
+  allow logger_app vendor_gps_file:dir create_dir_perms;
+  allow logger_app vendor_slog_file:file {r_file_perms unlink};
+  allow logger_app radio_vendor_data_file:file create_file_perms;
+  allow logger_app radio_vendor_data_file:dir create_dir_perms;
+  allow logger_app sysfs_sscoredump_level:file r_file_perms;
+
+  r_dir_file(logger_app, sscoredump_vendor_data_coredump_file)
+  r_dir_file(logger_app, sscoredump_vendor_data_crashinfo_file)
+
+  set_prop(logger_app, vendor_audio_prop)
+  set_prop(logger_app, vendor_gps_prop)
+  set_prop(logger_app, vendor_logger_prop)
+  set_prop(logger_app, vendor_modem_prop)
+  set_prop(logger_app, vendor_ramdump_prop)
+  set_prop(logger_app, vendor_rild_prop)
+  set_prop(logger_app, vendor_ssrdump_prop)
+  set_prop(logger_app, vendor_tcpdump_log_prop)
+  set_prop(logger_app, vendor_usb_config_prop)
+  set_prop(logger_app, vendor_wifi_sniffer_prop)
+  set_prop(logger_app, logpersistd_logging_prop)
+  set_prop(logger_app, logd_prop)
+
+  # b/269383459 framework UI rendering properties
+  dontaudit logger_app default_prop:file { read };
+')

sepolicy/radio/mac_permissions.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+    * A signature is a hex encoded X.509 certificate or a tag defined in
+      keys.conf and is required for each signer tag.
+    * A signer tag may contain a seinfo tag and multiple package stanzas.
+    * A default tag is allowed that can contain policy for all apps not signed with a
+      previously listed cert. It may not contain any inner package stanzas.
+    * Each signer/default/package tag is allowed to contain one seinfo tag. This tag
+      represents additional info that each app can use in setting a SELinux security
+      context on the eventual process.
+    * When a package is installed the following logic is used to determine what seinfo
+      value, if any, is assigned.
+      - All signatures used to sign the app are checked first.
+      - If a signer stanza has inner package stanzas, those stanza will be checked
+        to try and match the package name of the app. If the package name matches
+        then that seinfo tag is used. If no inner package matches then the outer
+        seinfo tag is assigned.
+      - The default tag is consulted last if needed.
+-->
+    <!-- google apps key -->
+    <signer signature="@MDS" >
+        <seinfo value="mds" />
+    </signer>
+</policy>

sepolicy/radio/modem_diagnostic_app.te

@@ -0,0 +1,49 @@
+type modem_diagnostic_app, domain;
+
+app_domain(modem_diagnostic_app)
+net_domain(modem_diagnostic_app)
+
+allow modem_diagnostic_app app_api_service:service_manager find;
+allow modem_diagnostic_app radio_service:service_manager find;
+
+userdebug_or_eng(`
+  allow modem_diagnostic_app sysfs_modem_state:file r_file_perms;
+
+  hal_client_domain(modem_diagnostic_app, hal_power_stats);
+
+  allow modem_diagnostic_app hal_exynos_rild_hwservice:hwservice_manager find;
+  binder_call(modem_diagnostic_app, rild)
+
+  binder_call(modem_diagnostic_app, dmd)
+
+  set_prop(modem_diagnostic_app, vendor_cbd_prop)
+  set_prop(modem_diagnostic_app, vendor_rild_prop)
+  set_prop(modem_diagnostic_app, vendor_modem_prop)
+
+  allow modem_diagnostic_app sysfs_chosen:dir r_dir_perms;
+  allow modem_diagnostic_app sysfs_chosen:file r_file_perms;
+
+  allow modem_diagnostic_app vendor_fw_file:file r_file_perms;
+
+  allow modem_diagnostic_app radio_vendor_data_file:dir create_dir_perms;
+  allow modem_diagnostic_app radio_vendor_data_file:file create_file_perms;
+
+  allow modem_diagnostic_app mnt_vendor_file:dir r_dir_perms;
+  allow modem_diagnostic_app mnt_vendor_file:file r_file_perms;
+
+  allow modem_diagnostic_app modem_img_file:dir r_dir_perms;
+  allow modem_diagnostic_app modem_img_file:file r_file_perms;
+  allow modem_diagnostic_app modem_img_file:lnk_file r_file_perms;
+
+  allow modem_diagnostic_app hal_vendor_oem_hwservice:hwservice_manager find;
+
+  allow modem_diagnostic_app sysfs_batteryinfo:file r_file_perms;
+  allow modem_diagnostic_app sysfs_batteryinfo:dir search;
+
+  dontaudit modem_diagnostic_app default_prop:file r_file_perms;
+
+  # Modem Log Mask Library Permissions
+  allow modem_diagnostic_app liboemservice_proxy_service:service_manager find;
+  binder_use(modem_diagnostic_app)
+  binder_call(modem_diagnostic_app, liboemservice_proxy_default)
+')

sepolicy/radio/modem_logging_control.te

@@ -0,0 +1,17 @@
+type modem_logging_control, domain;
+type modem_logging_control_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(modem_logging_control)
+
+hwbinder_use(modem_logging_control)
+binder_call(modem_logging_control, dmd)
+
+allow modem_logging_control radio_device:chr_file rw_file_perms;
+allow modem_logging_control hal_vendor_oem_hwservice:hwservice_manager find;
+allow modem_logging_control radio_vendor_data_file:dir create_dir_perms;
+allow modem_logging_control radio_vendor_data_file:file create_file_perms;
+allow modem_logging_control vendor_slog_file:dir create_dir_perms;
+allow modem_logging_control vendor_slog_file:file create_file_perms;
+
+set_prop(modem_logging_control, vendor_modem_prop)
+get_prop(modem_logging_control, hwservicemanager_prop)

sepolicy/radio/modem_ml_svc_sit.te

@@ -0,0 +1,30 @@
+type modem_ml_svc_sit, domain;
+type modem_ml_svc_sit_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(modem_ml_svc_sit)
+
+binder_use(modem_ml_svc_sit)
+
+# Grant radio device access
+allow modem_ml_svc_sit radio_device:chr_file rw_file_perms;
+
+# Grant vendor radio and modem file/dir creation permission
+allow modem_ml_svc_sit radio_vendor_data_file:dir create_dir_perms;
+allow modem_ml_svc_sit radio_vendor_data_file:file create_file_perms;
+
+# Grant modem ml data file/dir creation permission
+allow modem_ml_svc_sit modem_ml_data_file:dir create_dir_perms;
+allow modem_ml_svc_sit modem_ml_data_file:file create_file_perms;
+
+# Grant modem ml models config files access
+allow modem_ml_svc_sit modem_config_file:file r_file_perms;
+
+# RIL property
+get_prop(modem_ml_svc_sit, vendor_rild_prop)
+
+# Access to NNAPI service
+hal_client_domain(modem_ml_svc_sit, hal_neuralnetworks)
+allow modem_ml_svc_sit edgetpu_nnapi_service:service_manager find;
+
+# Access to TFLite binder service
+allow modem_ml_svc_sit modemml_tflite_service:service_manager find;
+binder_call(modem_ml_svc_sit, system_server)

sepolicy/radio/modem_svc_sit.te

@@ -0,0 +1,50 @@
+type modem_svc_sit, domain;
+type modem_svc_sit_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(modem_svc_sit)
+
+hwbinder_use(modem_svc_sit)
+binder_call(modem_svc_sit, rild)
+
+# Grant sysfs_modem access
+allow modem_svc_sit sysfs_modem:file rw_file_perms;
+
+# Grant radio device access
+allow modem_svc_sit radio_device:chr_file rw_file_perms;
+
+# Grant vendor radio and modem file/dir creation permission
+allow modem_svc_sit radio_vendor_data_file:dir create_dir_perms;
+allow modem_svc_sit radio_vendor_data_file:file create_file_perms;
+allow modem_svc_sit modem_stat_data_file:dir create_dir_perms;
+allow modem_svc_sit modem_stat_data_file:file create_file_perms;
+
+allow modem_svc_sit vendor_fw_file:dir search;
+allow modem_svc_sit vendor_fw_file:file r_file_perms;
+
+allow modem_svc_sit mnt_vendor_file:dir r_dir_perms;
+allow modem_svc_sit modem_userdata_file:dir create_dir_perms;
+allow modem_svc_sit modem_userdata_file:file create_file_perms;
+
+# RIL property
+get_prop(modem_svc_sit, vendor_rild_prop)
+
+# Modem property
+set_prop(modem_svc_sit, vendor_modem_prop)
+
+# logging property
+get_prop(modem_svc_sit, vendor_logger_prop)
+
+# hwservice permission
+allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find;
+get_prop(modem_svc_sit, hwservicemanager_prop)
+
+# Modem SVC will register the default instance of the AIDL ISharedModemPlatform hal.
+hal_server_domain(modem_svc_sit, hal_shared_modem_platform)
+
+# Write trace data to the Perfetto traced daemon. This requires connecting to
+# its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(modem_svc_sit)
+
+# Allow modem_svc_sit to access modem image file/dir
+allow modem_svc_sit modem_img_file:dir r_dir_perms;
+allow modem_svc_sit modem_img_file:file r_file_perms;
+allow modem_svc_sit modem_img_file:lnk_file r_file_perms;

sepolicy/radio/oemrilservice_app.te

@@ -0,0 +1,9 @@
+type oemrilservice_app, domain;
+app_domain(oemrilservice_app)
+
+allow oemrilservice_app app_api_service:service_manager find;
+allow oemrilservice_app hal_exynos_rild_hwservice:hwservice_manager find;
+allow oemrilservice_app radio_service:service_manager find;
+
+binder_call(oemrilservice_app, rild)
+set_prop(oemrilservice_app, vendor_rild_prop)

sepolicy/radio/pixel_modem_app.te

@@ -0,0 +1,11 @@
+# pixel_modem_app is the selinux domain for pixel_modem_service
+
+type pixel_modem_app, domain;
+
+app_domain(pixel_modem_app)
+
+allow pixel_modem_app app_api_service:service_manager find;
+allow pixel_modem_app radio_service:service_manager find;
+
+# Allow the pixel_modem_app to find and call shared modem platform service.
+hal_client_domain(pixel_modem_app, hal_shared_modem_platform)

sepolicy/radio/private/radio.te

@@ -0,0 +1 @@
+add_service(radio, uce_service)

sepolicy/radio/private/service_contexts

@@ -0,0 +1,2 @@
+telephony.oem.oemrilhook        u:object_r:radio_service:s0
+

sepolicy/radio/property.te

@@ -0,0 +1,19 @@
+# P23 vendor properties
+vendor_internal_prop(vendor_carrier_prop)
+vendor_internal_prop(vendor_cbd_prop)
+vendor_internal_prop(vendor_slog_prop)
+vendor_internal_prop(vendor_persist_config_default_prop)
+vendor_internal_prop(vendor_diag_prop)
+vendor_internal_prop(vendor_modem_prop)
+vendor_internal_prop(vendor_rild_prop)
+vendor_internal_prop(vendor_gps_prop)
+vendor_internal_prop(vendor_gril_prop)
+vendor_internal_prop(vendor_ssrdump_prop)
+vendor_internal_prop(vendor_wifi_version)
+vendor_internal_prop(vendor_imssvc_prop)
+vendor_internal_prop(vendor_ims_tiss_prop)
+vendor_internal_prop(vendor_tcpdump_log_prop)
+
+# Telephony debug app
+vendor_internal_prop(vendor_telephony_app_prop)
+

sepolicy/radio/property_contexts

@@ -0,0 +1,65 @@
+# for cbd
+vendor.cbd.                                u:object_r:vendor_cbd_prop:s0
+persist.vendor.cbd.                        u:object_r:vendor_cbd_prop:s0
+
+# for ims service
+persist.vendor.ims.                        u:object_r:vendor_imssvc_prop:s0
+
+# for ims test mode based on go/tiss (do not modify, setprop should not be enabled)
+persist.vendor.ims_tiss.                   u:object_r:vendor_ims_tiss_prop:s0
+
+# for slog
+vendor.sys.silentlog.                      u:object_r:vendor_slog_prop:s0
+vendor.sys.exynos.slog.                    u:object_r:vendor_slog_prop:s0
+persist.vendor.sys.silentlog               u:object_r:vendor_slog_prop:s0
+
+# for dmd
+persist.vendor.sys.dm.                     u:object_r:vendor_diag_prop:s0
+persist.vendor.sys.diag.                   u:object_r:vendor_diag_prop:s0
+vendor.sys.dmd.                            u:object_r:vendor_diag_prop:s0
+vendor.sys.diag.                           u:object_r:vendor_diag_prop:s0
+persist.vendor.config.                     u:object_r:vendor_persist_config_default_prop:s0
+
+# for logger app
+vendor.pixellogger.                        u:object_r:vendor_logger_prop:s0
+persist.vendor.pixellogger.                u:object_r:vendor_logger_prop:s0
+
+# Modem
+persist.vendor.modem.                      u:object_r:vendor_modem_prop:s0
+vendor.modem.                              u:object_r:vendor_modem_prop:s0
+vendor.sys.modem.                          u:object_r:vendor_modem_prop:s0
+vendor.sys.modem_reset                     u:object_r:vendor_modem_prop:s0
+ro.vendor.sys.modem.                       u:object_r:vendor_modem_prop:s0
+vendor.sys.exynos.modempath                u:object_r:vendor_modem_prop:s0
+persist.vendor.sys.modem.                  u:object_r:vendor_modem_prop:s0
+
+# for rild
+persist.vendor.ril.                        u:object_r:vendor_rild_prop:s0
+vendor.ril.                                u:object_r:vendor_rild_prop:s0
+vendor.radio.                              u:object_r:vendor_rild_prop:s0
+vendor.sys.rild_reset                      u:object_r:vendor_rild_prop:s0
+persist.vendor.radio.                      u:object_r:vendor_rild_prop:s0
+ro.vendor.config.build_carrier             u:object_r:vendor_carrier_prop:s0
+
+# for GRIL
+vendor.gril.                               u:object_r:vendor_gril_prop:s0
+
+# SSR Detector
+vendor.debug.ssrdump.                      u:object_r:vendor_ssrdump_prop:s0
+persist.vendor.sys.ssr.                    u:object_r:vendor_ssrdump_prop:s0
+
+# WiFi
+vendor.wlan.driver.version                 u:object_r:vendor_wifi_version:s0
+vendor.wlan.firmware.version               u:object_r:vendor_wifi_version:s0
+
+# for vendor telephony debug app
+vendor.config.debug.                       u:object_r:vendor_telephony_app_prop:s0
+
+# for gps
+vendor.gps.                                u:object_r:vendor_gps_prop:s0
+persist.vendor.gps.                        u:object_r:vendor_gps_prop:s0
+
+# Tcpdump_logger
+persist.vendor.tcpdump.log.alwayson        u:object_r:vendor_tcpdump_log_prop:s0
+vendor.tcpdump.                            u:object_r:vendor_tcpdump_log_prop:s0
+

sepolicy/radio/radio.te

@@ -0,0 +1,9 @@
+set_prop(radio, telephony_ril_prop)
+set_prop(radio, telephony_modemtype_prop)
+get_prop(radio, telephony_ntn_demo_mode_prop)
+
+allow radio radio_vendor_data_file:dir rw_dir_perms;
+allow radio radio_vendor_data_file:file create_file_perms;
+allow radio vendor_ims_app:udp_socket { getattr read write setopt shutdown };
+allow radio aoc_device:chr_file rw_file_perms;
+allow radio scheduling_policy_service:service_manager find;

sepolicy/radio/rfsd.te

@@ -0,0 +1,37 @@
+type rfsd, domain;
+type rfsd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(rfsd)
+
+# Allow to search block device and mnt dir for modem EFS partitions
+allow rfsd mnt_vendor_file:dir search;
+allow rfsd block_device:dir search;
+
+# Allow to operate with modem EFS file/dir
+allow rfsd modem_efs_file:dir create_dir_perms;
+allow rfsd modem_efs_file:file create_file_perms;
+
+allow rfsd radio_vendor_data_file:dir r_dir_perms;
+allow rfsd radio_vendor_data_file:file r_file_perms;
+
+r_dir_file(rfsd, vendor_fw_file)
+
+# Allow to access rfsd log file/dir
+allow rfsd vendor_log_file:dir search;
+allow rfsd vendor_rfsd_log_file:dir create_dir_perms;
+allow rfsd vendor_rfsd_log_file:file create_file_perms;
+
+# Allow to read/write modem block device
+allow rfsd modem_block_device:blk_file rw_file_perms;
+
+# Allow to operate with radio device
+allow rfsd radio_device:chr_file rw_file_perms;
+
+# Allow to set rild and modem property
+set_prop(rfsd, vendor_modem_prop)
+set_prop(rfsd, vendor_rild_prop)
+get_prop(rfsd, vendor_cbd_prop)
+
+# Allow rfsd to access modem image file/dir
+allow rfsd modem_img_file:dir r_dir_perms;
+allow rfsd modem_img_file:file r_file_perms;
+allow rfsd modem_img_file:lnk_file r_file_perms;

sepolicy/radio/rild.te

@@ -0,0 +1,48 @@
+set_prop(rild, vendor_rild_prop)
+set_prop(rild, vendor_modem_prop)
+get_prop(rild, vendor_persist_config_default_prop)
+get_prop(rild, vendor_carrier_prop)
+
+get_prop(rild, sota_prop)
+get_prop(rild, system_boot_reason_prop)
+
+set_prop(rild, telephony_ril_prop)
+set_prop(rild, telephony_modemtype_prop)
+get_prop(rild, telephony_ntn_demo_mode_prop)
+
+allow rild proc_net:file rw_file_perms;
+allow rild radio_vendor_data_file:dir create_dir_perms;
+allow rild radio_vendor_data_file:file create_file_perms;
+allow rild rild_vendor_data_file:dir create_dir_perms;
+allow rild rild_vendor_data_file:file create_file_perms;
+allow rild vendor_fw_file:file r_file_perms;
+allow rild mnt_vendor_file:dir r_dir_perms;
+
+r_dir_file(rild, modem_img_file)
+
+binder_call(rild, bipchmgr)
+binder_call(rild, hal_audio_default)
+binder_call(rild, modem_svc_sit)
+binder_call(rild, vendor_ims_app)
+binder_call(rild, vendor_rcs_app)
+binder_call(rild, oemrilservice_app)
+binder_call(rild, hal_secure_element_uicc)
+binder_call(rild, grilservice_app)
+binder_call(rild, vendor_engineermode_app)
+binder_call(rild, vendor_telephony_debug_app)
+binder_call(rild, logger_app)
+binder_call(rild, vendor_satellite_service)
+
+crash_dump_fallback(rild)
+
+# for hal service
+add_hwservice(rild, hal_exynos_rild_hwservice)
+
+# Allow rild to access files on modem img.
+allow rild modem_img_file:dir r_dir_perms;
+allow rild modem_img_file:file r_file_perms;
+allow rild modem_img_file:lnk_file r_file_perms;
+
+userdebug_or_eng(`
+  binder_call(rild, modem_diagnostic_app)
+')

sepolicy/radio/sced.te

@@ -0,0 +1,23 @@
+type sced, domain;
+type sced_exec, vendor_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+  init_daemon_domain(sced)
+  typeattribute sced vendor_executes_system_violators;
+
+  hwbinder_use(sced)
+  binder_call(sced, dmd)
+  binder_call(sced, vendor_telephony_silentlogging_app)
+
+  get_prop(sced, hwservicemanager_prop)
+  allow sced self:packet_socket create_socket_perms_no_ioctl;
+
+  allow sced self:capability net_raw;
+  allow sced shell_exec:file rx_file_perms;
+  allow sced tcpdump_exec:file rx_file_perms;
+  allow sced vendor_shell_exec:file x_file_perms;
+  allow sced vendor_slog_file:dir create_dir_perms;
+  allow sced vendor_slog_file:file create_file_perms;
+  allow sced hidl_base_hwservice:hwservice_manager add;
+  allow sced hal_vendor_oem_hwservice:hwservice_manager { add find };
+')

sepolicy/radio/seapp_contexts

@@ -0,0 +1,37 @@
+# CBRS setup app
+user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
+
+# Modem Diagnostic System
+user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true seinfo=platform name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
+
+# grilservice
+user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all
+
+# exynos apps
+user=_app isPrivApp=true name=com.samsung.slsi.telephony.oemril domain=oemrilservice_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_qualifiednetworks_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_service_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all
+user=_app isPrivApp=true name=.ShannonImsService domain=vendor_ims_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_remote_app levelFrom=all
+
+
+# slsi logging apps
+user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_silentlogging_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging:remote domain=vendor_silentlogging_remote_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_debug_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.testmode domain=vendor_telephony_test_app levelFrom=all
+
+# Samsung S.LSI engineer mode
+user=_app seinfo=platform name=com.samsung.slsi.engineermode domain=vendor_engineermode_app levelFrom=all
+
+# Domain for CatEngineService
+user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all
+
+# Vendor Satellite Service
+user=_app isPrivApp=true seinfo=platform name=com.samsung.slsi.telephony.satelliteservice domain=vendor_satellite_service levelFrom=all
+
+# Domain for pixel_modem_app
+user=_app isPrivApp=true seinfo=platform name=com.google.android.modem.pms domain=pixel_modem_app levelFrom=all

sepolicy/radio/service.te

@@ -0,0 +1,2 @@
+# Define liboemservice_proxy_service.
+type liboemservice_proxy_service, hal_service_type, service_manager_type;

sepolicy/radio/service_contexts

@@ -0,0 +1,2 @@
+# DMD oemservice aidl proxy.
+com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default u:object_r:liboemservice_proxy_service:s0

sepolicy/radio/vcd.te

@@ -0,0 +1,13 @@
+type vcd, domain;
+type vcd_exec, vendor_file_type, exec_type, file_type;
+userdebug_or_eng(`
+  init_daemon_domain(vcd)
+
+  get_prop(vcd, vendor_rild_prop);
+  get_prop(vcd, vendor_persist_config_default_prop);
+
+  allow vcd serial_device:chr_file rw_file_perms;
+  allow vcd radio_device:chr_file rw_file_perms;
+  allow vcd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
+  allow vcd node:tcp_socket node_bind;
+')

sepolicy/radio/vendor_engineermode_app.te

@@ -0,0 +1,12 @@
+type vendor_engineermode_app, domain;
+app_domain(vendor_engineermode_app)
+
+binder_call(vendor_engineermode_app, rild)
+
+allow vendor_engineermode_app app_api_service:service_manager find;
+allow vendor_engineermode_app hal_exynos_rild_hwservice:hwservice_manager find;
+
+userdebug_or_eng(`
+  dontaudit vendor_engineermode_app default_prop:file r_file_perms;
+')
+

sepolicy/radio/vendor_ims_app.te

@@ -0,0 +1,23 @@
+type vendor_ims_app, domain;
+app_domain(vendor_ims_app)
+net_domain(vendor_ims_app)
+
+allow vendor_ims_app app_api_service:service_manager find;
+allow vendor_ims_app audioserver_service:service_manager find;
+
+allow vendor_ims_app hal_exynos_rild_hwservice:hwservice_manager find;
+allow vendor_ims_app radio_service:service_manager find;
+
+allow vendor_ims_app mediaserver_service:service_manager find;
+allow vendor_ims_app cameraserver_service:service_manager find;
+allow vendor_ims_app mediametrics_service:service_manager find;
+
+allow vendor_ims_app self:udp_socket { create_socket_perms_no_ioctl };
+
+binder_call(vendor_ims_app, rild)
+set_prop(vendor_ims_app, vendor_rild_prop)
+set_prop(vendor_ims_app, radio_prop)
+get_prop(vendor_ims_app, vendor_imssvc_prop)
+userdebug_or_eng(`
+  get_prop(vendor_ims_app, vendor_ims_tiss_prop)
+')

sepolicy/radio/vendor_ims_remote_app.te

@@ -0,0 +1,4 @@
+type vendor_ims_remote_app, domain;
+app_domain(vendor_ims_remote_app)
+
+allow vendor_ims_remote_app app_api_service:service_manager find;

sepolicy/radio/vendor_init.te

@@ -0,0 +1,8 @@
+set_prop(vendor_init, vendor_cbd_prop)
+get_prop(vendor_init, telephony_modem_prop)
+set_prop(vendor_init, telephony_modemtype_prop)
+set_prop(vendor_init, vendor_carrier_prop)
+set_prop(vendor_init, vendor_modem_prop)
+set_prop(vendor_init, vendor_rild_prop)
+set_prop(vendor_init, vendor_logger_prop)
+set_prop(vendor_init, vendor_slog_prop)

sepolicy/radio/vendor_qualifiednetworks_app.te

@@ -0,0 +1,5 @@
+type vendor_qualifiednetworks_app, domain;
+app_domain(vendor_qualifiednetworks_app)
+
+allow vendor_qualifiednetworks_app app_api_service:service_manager find;
+allow vendor_qualifiednetworks_app radio_service:service_manager find;

sepolicy/radio/vendor_rcs_app.te

@@ -0,0 +1,9 @@
+type vendor_rcs_app, domain;
+app_domain(vendor_rcs_app)
+net_domain(vendor_rcs_app)
+
+allow vendor_rcs_app app_api_service:service_manager find;
+allow vendor_rcs_app radio_service:service_manager find;
+allow vendor_rcs_app hal_exynos_rild_hwservice:hwservice_manager find;
+
+binder_call(vendor_rcs_app, rild)

sepolicy/radio/vendor_rcs_service_app.te

@@ -0,0 +1,5 @@
+type vendor_rcs_service_app, domain;
+app_domain(vendor_rcs_service_app)
+
+allow vendor_rcs_service_app app_api_service:service_manager find;
+allow vendor_rcs_service_app radio_service:service_manager find;

sepolicy/radio/vendor_satellite_service.te

@@ -0,0 +1,6 @@
+type vendor_satellite_service, domain;
+
+app_domain(vendor_satellite_service);
+allow vendor_satellite_service app_api_service:service_manager find;
+allow vendor_satellite_service hal_exynos_rild_hwservice:hwservice_manager find;
+binder_call(vendor_satellite_service, rild)

sepolicy/radio/vendor_silentlogging_remote_app.te

@@ -0,0 +1,13 @@
+type vendor_silentlogging_remote_app, domain;
+app_domain(vendor_silentlogging_remote_app)
+
+allow vendor_silentlogging_remote_app vendor_slog_file:dir create_dir_perms;
+allow vendor_silentlogging_remote_app vendor_slog_file:file create_file_perms;
+
+allow vendor_silentlogging_remote_app app_api_service:service_manager find;
+
+userdebug_or_eng(`
+# Silent Logging Remote
+dontaudit vendor_silentlogging_remote_app system_app_data_file:dir create_dir_perms;
+dontaudit vendor_silentlogging_remote_app system_app_data_file:file create_file_perms;
+')