sm8550-common: Initial enforcing sepolicy

Change-Id: If928cb2d9e24a6639df4e555492209722162ed05
2024-09-02 23:53:14 +08:00
parent 2cf9d45a3c
commit 34b23b3a8c
46 changed files with 821 additions and 1 deletions
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -72,7 +72,6 @@ BOARD_MKBOOTIMG_INIT_ARGS += --header_version $(BOARD_INIT_BOOT_HEADER_VERSION)
 BOARD_BOOTCONFIG := \
    androidboot.hardware=qcom \
    androidboot.memcg=1 \
-    androidboot.selinux=permissive \
    androidboot.usbcontroller=a600000.dwc3

 BOARD_KERNEL_CMDLINE := \
@@ -167,6 +166,9 @@ VENDOR_SECURITY_PATCH := $(BOOT_SECURITY_PATCH)
 # SEPolicy
 include device/qcom/sepolicy_vndr/SEPolicy.mk
 include device/lineage/sepolicy/libperfmgr/sepolicy.mk
+BOARD_VENDOR_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/vendor
+PRODUCT_PRIVATE_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/private
+PRODUCT_PUBLIC_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/public

 # Verified Boot
 BOARD_AVB_ENABLE := true
--- a/sepolicy/private/property_contexts
+++ b/sepolicy/private/property_contexts
@@ -0,0 +1,30 @@
+# Camera
+service.camera.                                  u:object_r:sec_camera_prop:s0
+
+# CSC
+persist.sys.omcnw_path                           u:object_r:exported_config_prop:s0
+persist.sys.omcnw_path2                          u:object_r:exported_config_prop:s0
+ro.omc.region                                    u:object_r:exported_config_prop:s0
+ro.csc.                                          u:object_r:exported_config_prop:s0
+mdc.                                             u:object_r:exported_config_prop:s0
+
+# Hermesd
+security.securehw.                               u:object_r:vendor_securehw_prop:s0
+security.securenvm.available                     u:object_r:vendor_securenvm_prop:s0
+
+# Product
+ro.product_ship                                  u:object_r:product_ship_prop:s0
+
+# Radio
+persist.ril.                                     u:object_r:radio_prop:s0
+ro.multisim.                                     u:object_r:radio_prop:s0
+ril.NwNmId                                       u:object_r:telephony_config_prop:s0
+ril.NwNmId2                                      u:object_r:telephony_config_prop:s0
+ro.simbased.changetype                           u:object_r:telephony_config_prop:s0
+
+# Sensor
+persist.dm.passive.                              u:object_r:system_sensor_prop:s0
+ro.factory.sensor.                               u:object_r:exported_system_prop:s0
+
+# Thermal
+dev.sdhms.thermal.hv                             u:object_r:exported_system_prop:s0
--- a/sepolicy/public/property.te
+++ b/sepolicy/public/property.te
@@ -0,0 +1,5 @@
+system_public_prop(sec_camera_prop)
+system_public_prop(system_sensor_prop)
+system_public_prop(product_ship_prop)
+vendor_restricted_prop(vendor_securehw_prop)
+vendor_restricted_prop(vendor_securenvm_prop)
--- a/sepolicy/vendor/attributes
+++ b/sepolicy/vendor/attributes
@@ -0,0 +1,4 @@
+# Hyper
+attribute hal_hyper;
+attribute hal_hyper_server;
+attribute hal_hyper_client;
--- a/sepolicy/vendor/cameraserver.te
+++ b/sepolicy/vendor/cameraserver.te
@@ -0,0 +1,2 @@
+# Allow cameraserver to call hal_thermal_default
+binder_call(cameraserver, hal_thermal_default)
--- a/sepolicy/vendor/device.te
+++ b/sepolicy/vendor/device.te
@@ -0,0 +1,12 @@
+# Block Device
+type carrier_block_device, dev_type;
+type dsp_block_device, dev_type;
+type efs_block_device, dev_type;
+type omr_block_device, dev_type;
+type sec_efs_block_device, dev_type;
+
+# Hermesd Device
+type k250a_device, dev_type;
+
+# Radio Device
+type drb_device, dev_type;
--- a/sepolicy/vendor/factory_ssc.te
+++ b/sepolicy/vendor/factory_ssc.te
@@ -0,0 +1,19 @@
+type factory_ssc, domain;
+type factory_ssc_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(factory_ssc)
+
+allow factory_ssc self:netlink_socket { bind create read write };
+allow factory_ssc factory_ssc:qipcrtr_socket create_socket_perms_no_ioctl;
+allow factory_ssc property_socket:sock_file { append getattr ioctl read write };
+
+# Allow factory_ssc to read/write app_efs_file
+allow factory_ssc app_efs_file:dir create_dir_perms;
+allow factory_ssc app_efs_file:file create_file_perms;
+
+# Allow factory_ssc to read/write efs_file
+allow factory_ssc efs_file:dir create_dir_perms;
+allow factory_ssc efs_file:file create_file_perms;
+
+# Allow factory_ssc to read sec_efs_file
+allow factory_ssc sec_efs_file:dir r_dir_perms;
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -0,0 +1,52 @@
+# Audio
+type vendor_sysfs_cirrus_cal, fs_type, sysfs_type;
+
+# Battery
+type vendor_sysfs_battery, fs_type, sysfs_type;
+
+# Blutooth
+type vendor_convergence_data_file, file_type, data_file_type;
+
+# Camera
+type vendor_sysfs_camera_writable, fs_type, sysfs_type;
+
+# EFS
+type app_efs_file, file_type;
+type battery_efs_file, file_type;
+type camera_efs_file, file_type;
+type dak_efs_file, file_type;
+type imei_efs_file, file_type;
+type sec_efs_file, file_type;
+type tee_efs_file, file_type;
+
+# Fingerprint
+type vendor_biometrics_data_file, file_type, data_file_type;
+
+# Gatekeeper
+type vendor_gatekeeper_data_file, file_type, data_file_type;
+
+# Input
+type proc_bus_input, fs_type, proc_type;
+type vendor_sysfs_input, fs_type, sysfs_type;
+
+# Proc
+type proc_simslot_count, fs_type, proc_type;
+
+# Qms
+type vendor_qms_config_data_file, file_type, data_file_type;
+type vendor_qms_main_data_file, file_type, data_file_type;
+type vendor_qms_other_data_file, file_type, data_file_type;
+
+# Sensor
+type vendor_sysfs_sensors_writable, fs_type, sysfs_type;
+
+# Thermal
+type vendor_sysfs_thermal, fs_type, sysfs_type;
+
+# Touchscreen
+type vendor_sysfs_touchscreen, fs_type, sysfs_type;
+type vendor_sysfs_touchscreen_writable, fs_type, sysfs_type;
+
+# Vibrator
+type vendor_sysfs_vib_support, fs_type, sysfs_type;
+type vendor_sysfs_vib_writable, fs_type, sysfs_type;
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -0,0 +1,85 @@
+# efs files
+/efs/Battery(/.*)?                           u:object_r:battery_efs_file:s0
+/efs/DAK(/.*)?                               u:object_r:dak_efs_file:s0
+/efs/FactoryApp(/.*)?                        u:object_r:app_efs_file:s0
+/efs/afc(/.*)?                               u:object_r:sec_efs_file:s0
+/efs/biometrics(/.*)?                        u:object_r:sec_efs_file:s0
+/efs/cirrus(/.*)?                            u:object_r:sec_efs_file:s0
+/efs/imei(/.*)?                              u:object_r:imei_efs_file:s0
+/efs/recovery(/.*)?                          u:object_r:sec_efs_file:s0
+/efs/sec_efs(/.*)?                           u:object_r:sec_efs_file:s0
+/efs/usb_hw_param(/.*)?                      u:object_r:sec_efs_file:s0
+
+# mnt/efs files
+/mnt/vendor/efs(/.*)?                        u:object_r:sec_efs_file:s0
+/mnt/vendor/efs/DAK(/.*)?                    u:object_r:dak_efs_file:s0
+/mnt/vendor/efs/bluetooth(/.*)?              u:object_r:bluetooth_efs_file:s0
+/mnt/vendor/efs/camera(/.*)?                 u:object_r:camera_efs_file:s0
+/mnt/vendor/efs/prov(/.*)?                   u:object_r:dak_efs_file:s0
+/mnt/vendor/efs/prov_data(/.*)?              u:object_r:dak_efs_file:s0
+/mnt/vendor/efs/tee(/.*)?                    u:object_r:tee_efs_file:s0
+
+# Convergence data
+/data/vendor/conn(/.*)?                      u:object_r:vendor_convergence_data_file:s0
+
+# Fingerprint data
+/data/vendor/biometrics(/.*)?                u:object_r:vendor_biometrics_data_file:s0
+
+# Firmware
+/odm/firmware(/.*)?                          u:object_r:vendor_firmware_file:s0
+
+# Gatekeeper data
+/data/vendor/gatekeeper(/.*)?                u:object_r:vendor_gatekeeper_data_file:s0
+
+# Hermesd device
+/dev/k250a                                   u:object_r:k250a_device:s0
+
+# NFC device
+/dev/pn547                                   u:object_r:nfc_device:s0
+
+# Qms logs
+/data/vendor/qms_logs/config(/.*)?           u:object_r:vendor_qms_config_data_file:s0
+/data/vendor/qms_logs/main(/.*)?             u:object_r:vendor_qms_main_data_file:s0
+/data/vendor/qms_logs/other(/.*)?            u:object_r:vendor_qms_other_data_file:s0
+
+# Radio device
+/dev/drb                                     u:object_r:drb_device:s0
+
+# Secradio data
+/data/vendor/secradio(/.*)?                  u:object_r:vendor_radio_vendor_data_file:s0
+
+# Secure Element device
+/dev/p61                                     u:object_r:secure_element_device:s0
+
+# Serial device
+/dev/ttyGS[0-9]*                             u:object_r:serial_device:s0
+/dev/ttyHS[0-9]*                             u:object_r:serial_device:s0
+
+# Touchscreen
+/sys/devices/platform/soc/ac0000.qcom,qupv3_1_geni_se/a90000.spi/spi_master/spi[0-9]/spi[0-9].[0-9]/input/input[0-9]/enabled  u:object_r:vendor_sysfs_touchscreen_writable:s0
+
+# UFS Devices
+/dev/block/platform/soc/1d84000.ufshc/by-name/bluetooth      u:object_r:vendor_modem_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/carrier        u:object_r:carrier_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/dsp            u:object_r:dsp_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/dtbo           u:object_r:dtbo_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/efs            u:object_r:efs_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/modem          u:object_r:vendor_modem_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/omr            u:object_r:omr_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/persistent     u:object_r:frp_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/sec_efs        u:object_r:sec_efs_block_device:s0
+
+# Vendor
+/(vendor|system/vendor)/bin/factory\.ssc                                                                     u:object_r:factory_ssc_exec:s0
+/(vendor|system/vendor)/bin/hermesd                                                                          u:object_r:hermesd_exec:s0
+/(vendor|system/vendor)/bin/hw/android.hardware.sensors-service.samsung-multihal                             u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint(@[0-9].[0-9])?-service\.samsung    u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service                                u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/nxp\.android\.hardware\.nfc@1\.2-service                                      u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/sehradiomanager                                                               u:object_r:sehradiomanager_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.camera\.provider-service_64                        u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.health-service                                     u:object_r:hal_health_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.hyper-service                                      u:object_r:hal_hyper_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.thermal@1\.0-service                               u:object_r:hal_thermal_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.vibrator-service                                   u:object_r:hal_vibrator_default_exec:s0
+/(vendor|system/vendor)/bin/secril_config_svc                                                                u:object_r:vendor_secril_config_svc_exec:s0
--- a/sepolicy/vendor/fsck.te
+++ b/sepolicy/vendor/fsck.te
@@ -0,0 +1,7 @@
+allow fsck self:capability kill;
+
+allow fsck {
+    efs_block_device
+    sec_efs_block_device
+    carrier_block_device
+}:blk_file rw_file_perms;
--- a/sepolicy/vendor/genfs_contexts
+++ b/sepolicy/vendor/genfs_contexts
@@ -0,0 +1,88 @@
+# Proc
+genfscon proc "/simslot_count"                               u:object_r:proc_simslot_count:s0
+
+# Audio
+genfscon sysfs "/devices/virtual/cirrus/cirrus_bd"           u:object_r:vendor_sysfs_cirrus_cal:s0
+genfscon sysfs "/devices/virtual/cirrus/cirrus_cal"          u:object_r:vendor_sysfs_cirrus_cal:s0
+
+# Battery
+genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:battery/power_supply"                                                  u:object_r:vendor_sysfs_battery:s0
+genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:battery/power_supply/battery/batt_factory_mode"                        u:object_r:vendor_sysfs_battery:s0
+genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:sec-direct-charger/power_supply/sec-direct-charger"                    u:object_r:vendor_sysfs_battery:s0
+genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/994000.i2c/i2c-36/36-005b/power_supply/mfc-charger"                              u:object_r:vendor_sysfs_battery:s0
+genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0057/power_supply/pca9481-charger"                          u:object_r:vendor_sysfs_battery:s0
+genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0066/max77705-charger/power_supply/max77705-charger"        u:object_r:vendor_sysfs_battery:s0
+genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0066/max77705-charger/power_supply/max77705-otg"            u:object_r:vendor_sysfs_battery:s0
+genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0066/max77705-fuelgauge/power_supply/max77705-fuelgauge"    u:object_r:vendor_sysfs_battery:s0
+
+# Camera
+genfscon sysfs "/devices/virtual/camera"                          u:object_r:vendor_sysfs_camera:s0
+genfscon sysfs "/devices/virtual/camera/flash/rear_flash"         u:object_r:vendor_sysfs_camera_writable:s0
+genfscon sysfs "/devices/virtual/camera/rear/ssrm_camera_info"    u:object_r:vendor_sysfs_camera_writable:s0
+
+# Input
+genfscon proc "/bus/input/devices"                                u:object_r:proc_bus_input:s0
+genfscon sysfs "/class/input"                                     u:object_r:vendor_sysfs_input:s0
+genfscon sysfs "/devices/virtual/input"                           u:object_r:vendor_sysfs_input:s0
+
+# Wakeup
+genfscon sysfs "/devices/platform/i2c@31/i2c-31/31-0059/wakeup"                                                                                             u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/i2c@33/i2c-33/33-0028/wakeup"                                                                                             u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:battery/power_supply/ac/wakeup"                                               u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:battery/power_supply/battery/wakeup"                                          u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:battery/power_supply/otg/wakeup"                                              u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:battery/power_supply/pogo/wakeup"                                             u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:battery/power_supply/usb/wakeup"                                              u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:battery/power_supply/wireless/wakeup"                                         u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:battery/wakeup"                                                               u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:hall_ic/wakeup"                                                               u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:sec-direct-charger/power_supply/sec-direct-charger/wakeup"                    u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:sec-direct-charger/wakeup"                                                    u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/soc/1c00000.qcom,pcie/pci0000:00/0000:00:00.0/0000:01:00.0/mhi_1103_00.01.00/wakeup"                                      u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/994000.i2c/i2c-36/36-005b/power_supply/mfc-charger/wakeup"                              u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/994000.i2c/i2c-36/36-005b/wakeup"                                                       u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/998000.i2c/i2c-18/18-0040/wakeup"                                                       u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/998000.i2c/i2c-18/18-0041/wakeup"                                                       u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0057/power_supply/pca9481-charger/wakeup"                          u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0057/wakeup"                                                       u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0066/max77705-charger/power_supply/max77705-charger/wakeup"        u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0066/max77705-charger/power_supply/max77705-otg/wakeup"            u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0066/max77705-charger/wakeup"                                      u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0066/max77705-fuelgauge/power_supply/max77705-fuelgauge/wakeup"    u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0066/max77705-fuelgauge/wakeup"                                    u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0066/max77705-usbc/wakeup"                                         u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0066/wakeup"                                                       u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/soc/ac0000.qcom,qupv3_1_geni_se/a90000.spi/spi_master/spi0/spi0.0/wakeup"                                                 u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/soc/ac0000.qcom,qupv3_1_geni_se/a90000.spi/spi_master/spi1/spi1.0/wakeup"                                                 u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/soc/ae90000.qcom,dp_display/wakeup"                                                                                       u:object_r:sysfs_wakeup:s0
+genfscon sysfs "/devices/platform/soc/soc:qcom,qbt2000/wakeup"                                                                                              u:object_r:sysfs_wakeup:s0
+
+# Sensor
+genfscon sysfs "/devices/virtual/sensor_event"                                               u:object_r:vendor_sysfs_sensors:s0
+genfscon sysfs "/devices/virtual/sensors"                                                    u:object_r:vendor_sysfs_sensors:s0
+genfscon sysfs "/devices/virtual/sensors/flip_cover_detector_sensor/factory_cover_status"    u:object_r:vendor_sysfs_sensors_writable:s0
+genfscon sysfs "/devices/virtual/sensors/flip_cover_detector_sensor/nfc_cover_status"        u:object_r:vendor_sysfs_sensors_writable:s0
+
+# Hall
+genfscon sysfs "/devices/virtual/sec/hall_ic/hall_detect"                     u:object_r:vendor_sysfs_sensors_writable:s0
+
+# Thermal
+genfscon sysfs "/devices/virtual/audio/amp"                                   u:object_r:vendor_sysfs_thermal:s0
+genfscon sysfs "/devices/virtual/sec/sec-ap-thermistor"                       u:object_r:vendor_sysfs_thermal:s0
+genfscon sysfs "/devices/virtual/sec/sec-cf-thermistor"                       u:object_r:vendor_sysfs_thermal:s0
+genfscon sysfs "/devices/virtual/sec/sec-cp-thermistor"                       u:object_r:vendor_sysfs_thermal:s0
+genfscon sysfs "/devices/virtual/sec/sec-pa-thermistor"                       u:object_r:vendor_sysfs_thermal:s0
+genfscon sysfs "/devices/virtual/sec/sec-wf-thermistor"                       u:object_r:vendor_sysfs_thermal:s0
+
+# Touchscreen
+genfscon sysfs "/class/sec/tsp"                                               u:object_r:vendor_sysfs_touchscreen:s0
+genfscon sysfs "/class/sec/tsp/input/enabled"                                 u:object_r:vendor_sysfs_touchscreen_writable:s0
+genfscon sysfs "/devices/virtual/sec/tsp"                                     u:object_r:vendor_sysfs_touchscreen:s0
+genfscon sysfs "/devices/virtual/sec/tsp/cmd"                                 u:object_r:vendor_sysfs_touchscreen_writable:s0
+genfscon sysfs "/devices/virtual/sec/tsp/ear_detect_enable"                   u:object_r:vendor_sysfs_touchscreen_writable:s0
+genfscon sysfs "/devices/virtual/sec/tsp/input/enabled"                       u:object_r:vendor_sysfs_touchscreen_writable:s0
+genfscon sysfs "/devices/virtual/sec/tsp/prox_power_off"                      u:object_r:vendor_sysfs_touchscreen_writable:s0
+
+# Vibrator
+genfscon sysfs "/devices/virtual/sec_vib_inputff/control/use_sep_index"       u:object_r:vendor_sysfs_vib_writable:s0
+genfscon sysfs "/devices/virtual/vib_info_class/vib_support_info/functions"   u:object_r:vendor_sysfs_vib_support:s0
--- a/sepolicy/vendor/hal_audio_default.te
+++ b/sepolicy/vendor/hal_audio_default.te
@@ -0,0 +1,20 @@
+# Allow audio HAL to read sec_efs_file
+r_dir_file(hal_audio_default, sec_efs_file)
+
+# Allow audio HAL to read imei_efs_file
+r_dir_file(hal_audio_default, imei_efs_file)
+
+# Allow audio HAL to search efs_file
+allow hal_audio_default efs_file:dir search;
+
+# Allow audio HAL to read/write vendor_sysfs_cirrus_cal
+allow hal_audio_default vendor_sysfs_cirrus_cal:dir r_dir_perms;
+allow hal_audio_default vendor_sysfs_cirrus_cal:file rw_file_perms;
+
+# Allow audio HAL to read vendor_radio_prop
+get_prop(hal_audio_default, vendor_radio_prop)
+
+# Allow audio HAL to access hal_bluetooth_a2dp_hwservice
+allow hal_audio_default hal_bluetooth_a2dp_hwservice:hwservice_manager find;
+
+dontaudit hal_audio_default default_prop:file { read open getattr map };
--- a/sepolicy/vendor/hal_bluetooth_default.te
+++ b/sepolicy/vendor/hal_bluetooth_default.te
@@ -0,0 +1,25 @@
+# Allow bluetooth HAL to create bluetooth_efs_file
+allow hal_bluetooth_default bluetooth_efs_file:dir create_dir_perms;
+allow hal_bluetooth_default bluetooth_efs_file:file create_file_perms;
+
+# Allow bluetooth HAL to read app_efs_file
+r_dir_file(hal_bluetooth_default, app_efs_file)
+
+# Allow bluetooth HAL to search sec_efs_file
+allow hal_bluetooth_default sec_efs_file:dir search;
+
+# Allow bluetooth HAL to read/write serial device
+allow hal_bluetooth_default serial_device:chr_file rw_file_perms;
+
+# Allow bluetooth HAL to read vendor_convergence_data_file
+r_dir_file(hal_bluetooth_default, vendor_convergence_data_file)
+
+# Allow bluetooth HAL to write vendor_convergence_data_file
+allow hal_bluetooth_default vendor_convergence_data_file:file rw_file_perms;
+
+# Allow bluetooth HAL to read /mnt/vendor/
+r_dir_file(hal_bluetooth_default, mnt_vendor_file)
+
+# Allow bluetooth HAL to write bluetooth properties
+set_prop(hal_bluetooth_default, bluetooth_a2dp_offload_prop)
+set_prop(hal_bluetooth_default, vendor_bluetooth_prop)
--- a/sepolicy/vendor/hal_camera_default.te
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -0,0 +1,34 @@
+# Allow camera HAL to read app_efs_file
+r_dir_file(hal_camera_default, app_efs_file)
+
+# Allow camera HAL to read efs_file
+r_dir_file(hal_camera_default, efs_file)
+
+# Allow camera HAL to read/write camera_efs_file
+allow hal_camera_default camera_efs_file:dir create_dir_perms;
+allow hal_camera_default camera_efs_file:file create_file_perms;
+
+# Allow camera HAL to read vendor_sysfs_camera
+r_dir_file(hal_camera_default, vendor_sysfs_camera)
+
+# Allow camera HAL to write vendor_sysfs_camera_writable
+allow hal_camera_default vendor_sysfs_camera_writable:file rw_file_perms;
+
+# Allow camera HAL to read /mnt/vendor/
+r_dir_file(hal_camera_default, mnt_vendor_file)
+
+# Allow camera HAL to read vendor_sysfs_sensors
+r_dir_file(hal_camera_default, vendor_sysfs_sensors)
+
+# Allow camera HAL to read proc_meminfo
+allow hal_camera_default proc_meminfo:file r_file_perms;
+
+hal_client_domain(hal_camera_default, hal_hyper)
+hal_client_domain(hal_camera_default, hal_thermal)
+
+get_prop(hal_camera_default, sec_camera_prop)
+set_prop(hal_camera_default, sec_camera_prop)
+
+allow hal_camera_default system_server:binder call;
+
+allow hal_camera_default rild:unix_stream_socket connectto;
--- a/sepolicy/vendor/hal_fingerprint_default.te
+++ b/sepolicy/vendor/hal_fingerprint_default.te
@@ -0,0 +1,24 @@
+# Allow fingerprint HAL to read efs_file
+r_dir_file(hal_fingerprint_default, efs_file)
+
+# Allow fingerprint HAL to read sec_efs_file
+allow hal_fingerprint_default sec_efs_file:dir create_dir_perms;
+allow hal_fingerprint_default sec_efs_file:file create_file_perms;
+
+# Allow fingerprint HAL to access qbt device
+allow hal_fingerprint_default vendor_qbt_device:chr_file rw_file_perms;
+
+# Allow fingerprint HAL to access tee device
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default vendor_dmabuf_qseecom_heap_device:chr_file rw_file_perms;
+allow hal_fingerprint_default vendor_dmabuf_qseecom_ta_heap_device:chr_file rw_file_perms;
+
+# Allow fingerprint HAL to search tee_efs_file
+allow hal_fingerprint_default tee_efs_file:dir search;
+
+# Allow fingerprint HAL to read/write vendor_biometrics_data_file
+allow hal_fingerprint_default vendor_biometrics_data_file:dir create_dir_perms;
+allow hal_fingerprint_default vendor_biometrics_data_file:file create_file_perms;
+
+# Allow fingerprint HAL to search vendor_sysfs_battery files
+allow hal_fingerprint_default vendor_sysfs_battery:dir search;
--- a/sepolicy/vendor/hal_gatekeeper_default.te
+++ b/sepolicy/vendor/hal_gatekeeper_default.te
@@ -0,0 +1,2 @@
+# Allow gatekeeper HAL to access sqeecom device
+allow hal_gatekeeper_default vendor_dmabuf_qseecom_heap_device:chr_file r_file_perms;
--- a/sepolicy/vendor/hal_health_default.te
+++ b/sepolicy/vendor/hal_health_default.te
@@ -0,0 +1,22 @@
+# Allow health HAL to read/write app_efs_file
+allow hal_health_default app_efs_file:dir rw_dir_perms;
+allow hal_health_default app_efs_file:file create_file_perms;
+
+# Allow health HAL to read/write battery_efs_file
+allow hal_health_default battery_efs_file:dir create_dir_perms;
+allow hal_health_default battery_efs_file:file create_file_perms;
+
+# Allow health HAL to search efs_file
+allow hal_health_default efs_file:dir search;
+
+# Allow health HAL to read/write vendor_sysfs_battery
+r_dir_file(hal_health_default, vendor_sysfs_battery)
+allow hal_health_default vendor_sysfs_battery:file w_file_perms;
+
+# Allow health HAL to access sysfs wakeup files
+allow hal_health_default sysfs_wakeup:dir r_dir_perms;
+allow hal_health_default sysfs_wakeup:file r_file_perms;
+
+# Allow Thermal service to access the health HAL
+allow hal_health_default hal_thermal_samsung_hwservice:hwservice_manager find;
+binder_call(hal_health_default, hal_thermal_default)
--- a/sepolicy/vendor/hal_hyper_default.te
+++ b/sepolicy/vendor/hal_hyper_default.te
@@ -0,0 +1,15 @@
+type hal_hyper_default, domain;
+
+hal_server_domain(hal_hyper_default, hal_hyper)
+
+type hal_hyper_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_hyper_default)
+
+binder_call(hal_hyper_client, hal_hyper_server)
+
+add_service(hal_hyper_server, hal_hyper_service)
+allow hal_hyper_client hal_hyper_service:service_manager find;
+
+allow hal_hyper_default servicemanager:binder { call transfer };
+
+get_prop(hal_hyper_default, product_ship_prop)
--- a/sepolicy/vendor/hal_keymint_default.te
+++ b/sepolicy/vendor/hal_keymint_default.te
@@ -0,0 +1,25 @@
+# Allow keymint HAL to read/write efs_file
+allow hal_keymint_default efs_file:dir create_dir_perms;
+allow hal_keymint_default efs_file:file create_file_perms;
+
+# Allow keymint HAL to read/write dak_efs_file
+allow hal_keymint_default dak_efs_file:dir create_dir_perms;
+allow hal_keymint_default dak_efs_file:file create_file_perms;
+
+# Allow keymint HAL to read/write sec_efs_file
+allow hal_keymint_default sec_efs_file:dir create_dir_perms;
+allow hal_keymint_default sec_efs_file:file create_file_perms;
+
+# Allow keymint HAL to access TZ device
+allow hal_keymint_default vendor_dmabuf_qseecom_ta_heap_device:chr_file r_file_perms;
+allow hal_keymint_default vendor_dmabuf_qseecom_heap_device:chr_file r_file_perms;
+allow hal_keymint_default vendor_dmabuf_secure_sp_tz_heap_device:chr_file r_file_perms;
+allow hal_keymint_default vendor_skp_device:chr_file r_file_perms;
+allow hal_keymint_default vendor_spcom_device:chr_file rw_file_perms;
+allow hal_keymint_default vendor_spss_utils_device:chr_file rw_file_perms;
+
+get_prop(hal_keymint_default, vendor_tee_listener_prop)
+get_prop(hal_keymint_default, vendor_spcomlib_prop)
+allow hal_keymint_default mnt_vendor_file:dir search;
+
+unix_socket_connect(hal_keymint_default, property, hermesd)
--- a/sepolicy/vendor/hal_nfc_default.te
+++ b/sepolicy/vendor/hal_nfc_default.te
@@ -0,0 +1,8 @@
+# Allow vibrator HAL to search sec_efs files
+allow hal_nfc_default sec_efs_file:dir search;
+
+# Allow NFC HAL to use nfc devices
+allow hal_nfc_default nfc_device:chr_file rw_file_perms;
+
+# Allow NFC HAL to read NFC properties
+get_prop(hal_nfc_default, vendor_sec_nfc_prop)
--- a/sepolicy/vendor/hal_power_default.te
+++ b/sepolicy/vendor/hal_power_default.te
@@ -0,0 +1,19 @@
+# Allow power HAL to to read/write proc file
+allow hal_power_default proc:file rw_file_perms;
+
+# Allow power HAL to read/write vendor_sysfs_input
+allow hal_power_default vendor_sysfs_input:dir r_dir_perms;
+allow hal_power_default vendor_sysfs_input:file rw_file_perms;
+
+# Allow power HAL to to read vendor_sysfs_touchscreen
+r_dir_file(hal_power_default, vendor_sysfs_touchscreen)
+allow hal_power_default vendor_sysfs_touchscreen:file w_file_perms;
+
+# Allow power HAL to to read/write vendor_sysfs_touchscreen_writable
+allow hal_power_default vendor_sysfs_touchscreen_writable:file rw_file_perms;
+
+# Allow power HAL to to read/write vendor_sysfs_battery
+allow hal_power_default vendor_sysfs_battery:dir r_dir_perms;
+allow hal_power_default vendor_sysfs_battery:file rw_file_perms;
+
+hal_client_domain(hal_power_default, hal_hyper)
--- a/sepolicy/vendor/hal_secure_element_default.te
+++ b/sepolicy/vendor/hal_secure_element_default.te
@@ -0,0 +1,8 @@
+# Allow secure element HAL to access secure_element_device
+allow hal_secure_element_default secure_element_device:chr_file rw_file_perms;
+
+init_daemon_domain(hal_secure_element_default)
+unix_socket_connect(hal_secure_element_default, property, rild)
+
+# Allow secure element HAL to write vendor_sehal_init_prop
+set_prop(hal_secure_element_default, vendor_sehal_init_prop)
--- a/sepolicy/vendor/hal_sensors_default.te
+++ b/sepolicy/vendor/hal_sensors_default.te
@@ -0,0 +1,30 @@
+# Allow sensor HAL to to read/write app_efs_file
+allow hal_sensors_default app_efs_file:dir rw_dir_perms;
+allow hal_sensors_default app_efs_file:file create_file_perms;
+
+# Allow sensor HAL to to read/write efs_file
+allow hal_sensors_default efs_file:dir rw_dir_perms;
+allow hal_sensors_default efs_file:file create_file_perms;
+
+# Allow sensor HAL to access iio device
+allow hal_sensors_default iio_device:chr_file r_file_perms;
+
+# Allow sensor HAL to read/write vendor_sysfs_input
+allow hal_sensors_default vendor_sysfs_input:dir r_dir_perms;
+allow hal_sensors_default vendor_sysfs_input:file rw_file_perms;
+
+# Allow sensor HAL to read/write vendor_sysfs_sensors_writable
+allow hal_sensors_default vendor_sysfs_sensors_writable:dir r_dir_perms;
+allow hal_sensors_default vendor_sysfs_sensors_writable:file rw_file_perms;
+
+# Allow sensor HAL to to read/wite sec touchscreen
+r_dir_file(hal_sensors_default, vendor_sysfs_touchscreen)
+
+# Allow sensor HAL to to read/write vendor_sysfs_touchscreen_writable
+allow hal_sensors_default vendor_sysfs_touchscreen_writable:file rw_file_perms;
+
+binder_call(hal_sensors_default, system_server)
+
+get_prop(hal_sensors_default, build_bootimage_prop)
+
+get_prop(hal_sensors_default, system_sensor_prop)
--- a/sepolicy/vendor/hal_thermal_default.te
+++ b/sepolicy/vendor/hal_thermal_default.te
@@ -0,0 +1,21 @@
+# Allow thermal HAL to read/write vendor_sysfs_thermal files
+r_dir_file(hal_thermal_default, vendor_sysfs_thermal)
+allow hal_thermal_default vendor_sysfs_thermal:file w_file_perms;
+
+# Allow thermal HAL to read vendor_sysfs_battery files
+r_dir_file(hal_thermal_default, vendor_sysfs_battery)
+
+# Allow hwservice_manager to find fwk_camera_hwservice
+allow hal_thermal_default fwk_camera_hwservice:hwservice_manager find;
+
+# Allow hal_thermal_default to call cameraserver
+binder_call(hal_thermal_default, cameraserver)
+
+hal_client_domain(hal_thermal_default, hal_audio)
+hal_client_domain(hal_thermal_default, hal_hyper)
+
+unix_socket_connect(hal_thermal_default, property, rild)
+get_prop(hal_thermal_default, vendor_thermal_prop)
+set_prop(hal_thermal_default, vendor_thermal_test_prop)
+
+add_hwservice(hal_thermal_server, hal_thermal_samsung_hwservice)
--- a/sepolicy/vendor/hal_vibrator_default.te
+++ b/sepolicy/vendor/hal_vibrator_default.te
@@ -0,0 +1,18 @@
+# Allow vibrator HAL to read input_device files
+allow hal_vibrator_default input_device:dir r_dir_perms;
+
+# Allow vibrator HAL to access input device
+allow hal_vibrator_default input_device:chr_file rw_file_perms;
+
+# Allow vibrator HAL to read app_efs_file files
+allow hal_vibrator_default app_efs_file:dir rw_dir_perms;
+allow hal_vibrator_default app_efs_file:file create_file_perms;
+
+# Allow vibrator HAL to search efs files
+allow hal_vibrator_default efs_file:dir search;
+
+# Allow vibrator HAL to read proc_bus_input files
+r_dir_file(hal_vibrator_default, proc_bus_input)
+
+allow hal_vibrator_default vendor_sysfs_vib_support:file rw_file_perms;
+allow hal_vibrator_default vendor_sysfs_vib_writable:file rw_file_perms;
--- a/sepolicy/vendor/hermesd.te
+++ b/sepolicy/vendor/hermesd.te
@@ -0,0 +1,29 @@
+type hermesd, domain;
+type hermesd_exec, exec_type, file_type, vendor_file_type;
+hal_server_domain(hermesd, hal_weaver)
+hal_client_domain(hermesd, hal_keymint)
+
+init_daemon_domain(hermesd)
+unix_socket_connect(hermesd, property, init)
+
+# Allow hermesd to access k250a device
+allow hermesd k250a_device:chr_file rw_file_perms;
+
+# Allow hermesd to access tee device
+allow hermesd tee_device:chr_file rw_file_perms;
+
+# Allow hermesd to search tee_efs_file
+allow hermesd tee_efs_file:dir search;
+
+# Allow hermesd to access TZ device
+allow hermesd vendor_dmabuf_qseecom_heap_device:chr_file r_file_perms;
+allow hermesd vendor_dmabuf_qseecom_ta_heap_device:chr_file r_file_perms;
+
+# Allow hermesd to read/write vendor_gatekeeper_data_file
+allow hermesd vendor_gatekeeper_data_file:dir create_dir_perms;
+allow hermesd vendor_gatekeeper_data_file:file create_file_perms;
+
+allow hermesd hal_keymint_default:binder transfer;
+
+set_prop(hermesd, vendor_securenvm_prop)
+set_prop(hermesd, vendor_securehw_prop)
--- a/sepolicy/vendor/hwservice.te
+++ b/sepolicy/vendor/hwservice.te
@@ -0,0 +1,3 @@
+type hal_bluetooth_a2dp_hwservice, hwservice_manager_type;
+
+type hal_thermal_samsung_hwservice, hwservice_manager_type;
--- a/sepolicy/vendor/hwservice_contexts
+++ b/sepolicy/vendor/hwservice_contexts
@@ -0,0 +1,11 @@
+# Bluetooth
+vendor.samsung.hardware.bluetooth.a2dp::ISehBluetoothAudioOffload		                u:object_r:hal_bluetooth_a2dp_hwservice:s0
+vendor.samsung.hardware.bluetooth.a2dpsink::ISehBluetoothA2dpSinkProvidersFactory		u:object_r:hal_bluetooth_a2dp_hwservice:s0
+vendor.samsung.hardware.bluetooth.audio::ISehBluetoothAudioProviderFactory			    u:object_r:hal_audio_hwservice:s0
+vendor.samsung.hardware.bluetooth::ISehBluetooth                                        u:object_r:hal_bluetooth_hwservice:s0
+
+# NFC
+vendor.samsung.hardware.nfc::ISehNfc                                                    u:object_r:hal_nfc_hwservice:s0
+
+# Thermal
+vendor.samsung.hardware.thermal::ISehThermal                                            u:object_r:hal_thermal_samsung_hwservice:s0
--- a/sepolicy/vendor/init.te
+++ b/sepolicy/vendor/init.te
@@ -0,0 +1,5 @@
+allow init efs_file:dir mounton;
+
+allow init sec_efs_file:dir mounton;
+
+allow init vendor_firmware_file:file mounton;
--- a/sepolicy/vendor/netutils_wrapper.te
+++ b/sepolicy/vendor/netutils_wrapper.te
@@ -0,0 +1,15 @@
+# Allow netutils_wrapper to access drb_device
+allow netutils_wrapper drb_device:chr_file rw_file_perms;
+
+# Allow netutils_wrapper to read/write sec_efs_file
+allow netutils_wrapper sec_efs_file:file rw_file_perms;
+
+# Allow netutils_wrapper to access rild
+allow netutils_wrapper rild:fd use;
+allow netutils_wrapper rild:fifo_file { getattr read write };
+allow netutils_wrapper rild:netlink_route_socket { read write };
+allow netutils_wrapper rild:unix_stream_socket { read write };
+allow netutils_wrapper rild:netlink_generic_socket { read write };
+allow netutils_wrapper rild:netlink_xfrm_socket { read write };
+allow netutils_wrapper rild:udp_socket { read write };
+allow netutils_wrapper rild:tcp_socket { read write };
--- a/sepolicy/vendor/network_stack.te
+++ b/sepolicy/vendor/network_stack.te
@@ -0,0 +1,2 @@
+# Allow network_stack to read proc_net file
+allow network_stack proc_net:file rw_file_perms;
--- a/sepolicy/vendor/property.te
+++ b/sepolicy/vendor/property.te
@@ -0,0 +1,12 @@
+# NFC
+vendor_internal_prop(vendor_sec_nfc_prop)
+
+# Secure Element
+vendor_internal_prop(vendor_sehal_init_prop)
+
+# Tee
+vendor_internal_prop(vendor_qseecomd_prop)
+
+# Thermal
+vendor_internal_prop(vendor_thermal_prop)
+vendor_internal_prop(vendor_thermal_test_prop)
--- a/sepolicy/vendor/property_contexts
+++ b/sepolicy/vendor/property_contexts
@@ -0,0 +1,22 @@
+# Bluetooth
+vendor.bluetooth_fw_ver u:object_r:vendor_bluetooth_prop:s0
+vendor.bluetooth_nv_ver u:object_r:vendor_bluetooth_prop:s0
+
+# NFC
+ro.vendor.nfc.          u:object_r:vendor_sec_nfc_prop:s0
+
+# Radio
+ro.vendor.multisim.     u:object_r:vendor_radio_prop:s0
+ro.vendor.radio.        u:object_r:vendor_radio_prop:s0
+ro.vendor.sec.radio.    u:object_r:vendor_radio_prop:s0
+vendor.calls.           u:object_r:vendor_radio_prop:s0
+
+# Secure Element
+vendor.seHal.init       u:object_r:vendor_sehal_init_prop:s0
+
+# Tee
+vendor.sys.qseecomd.    u:object_r:vendor_qseecomd_prop:s0
+
+# Thermal
+vendor.thermal.          u:object_r:vendor_thermal_prop:s0
+vendor.thermal.amb.      u:object_r:vendor_thermal_test_prop:s0
--- a/sepolicy/vendor/qms.te
+++ b/sepolicy/vendor/qms.te
@@ -0,0 +1,7 @@
+# Allow qms to read/write vendor_qms_main_data_file
+allow vendor_qms vendor_qms_main_data_file:dir create_dir_perms;
+allow vendor_qms vendor_qms_main_data_file:file create_file_perms;
+
+# Allow qms to read/write vendor_qms_config_data_file
+allow vendor_qms vendor_qms_config_data_file:dir r_dir_perms;
+allow vendor_qms vendor_qms_config_data_file:file r_file_perms;
--- a/sepolicy/vendor/rild.te
+++ b/sepolicy/vendor/rild.te
@@ -0,0 +1,45 @@
+# Allow rild to read/write proc file
+allow rild proc_net:file rw_file_perms;
+allow rild proc_qtaguid_stat:file r_file_perms;
+
+# Allow rild to read/write app_efs_file
+allow rild app_efs_file:dir create_dir_perms;
+allow rild app_efs_file:file create_file_perms;
+
+# Allow rild to read/write dak_efs_file
+allow rild dak_efs_file:dir create_dir_perms;
+allow rild dak_efs_file:file create_file_perms;
+
+# Allow rild to read/write efs_file
+allow rild efs_file:dir rw_dir_perms;
+
+# Allow rild to read/write imei_efs_file
+allow rild imei_efs_file:dir create_dir_perms;
+allow rild imei_efs_file:file create_file_perms;
+
+# Allow rild to read/write sec_efs_file
+allow rild sec_efs_file:dir create_dir_perms;
+allow rild sec_efs_file:file create_file_perms;
+
+# Allow rild to access drb_device
+allow rild drb_device:chr_file rw_file_perms;
+
+# Allow rild to access tun_device
+allow rild tun_device:chr_file rw_file_perms;
+allow rild self:tun_socket { create relabelfrom relabelto };
+allowxperm rild tun_device:chr_file ioctl { 0x54ca 0x54cb };
+
+# Allow rild to access data files
+allow rild mnt_vendor_file:dir r_dir_perms;
+allow rild system_data_file:dir { getattr search };
+allow rild vendor_radio_vendor_data_file:dir create_dir_perms;
+allow rild vendor_radio_vendor_data_file:file create_file_perms;
+
+# Allow rild to access vendor hals
+r_dir_file(rild, hal_audio_default)
+r_dir_file(rild, hal_camera_default)
+
+set_prop(rild, vendor_data_ko_prop)
+set_prop(rild, vendor_data_shsusr_prop)
+
+dontaudit rild { default_prop system_prop }:file { read open getattr map };
--- a/sepolicy/vendor/sehradiomanager.te
+++ b/sepolicy/vendor/sehradiomanager.te
@@ -0,0 +1,11 @@
+type sehradiomanager, domain;
+type sehradiomanager_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(sehradiomanager)
+
+get_prop(sehradiomanager, vendor_radio_prop)
+get_prop(sehradiomanager, hwservicemanager_prop)
+binder_call(sehradiomanager, hwservicemanager)
+binder_call(sehradiomanager, servicemanager)
+binder_call(servicemanager, sehradiomanager)
+hal_client_domain(sehradiomanager, hal_telephony)
--- a/sepolicy/vendor/service.te
+++ b/sepolicy/vendor/service.te
@@ -0,0 +1 @@
+type hal_hyper_service, hal_service_type, service_manager_type;
--- a/sepolicy/vendor/service_contexts
+++ b/sepolicy/vendor/service_contexts
@@ -0,0 +1,25 @@
+# Hyper
+vendor.samsung.hardware.hyper.ISehHyPer/default                     u:object_r:hal_hyper_service:s0
+
+# Gnss
+vendor.samsung.hardware.gnss.ISehGnss/default                       u:object_r:hal_gnss_service:s0
+
+# Keymint
+vendor.samsung.hardware.keymint.ISehKeyMintExtension/default        u:object_r:hal_keymint_service:s0
+vendor.samsung.hardware.keymint.ISehKeyMintFactory/default          u:object_r:hal_keymint_service:s0
+
+# Radio
+vendor.samsung.hardware.radio.bridge.ISehRadioBridge/slot1          u:object_r:hal_radio_service:s0
+vendor.samsung.hardware.radio.bridge.ISehRadioBridge/slot2          u:object_r:hal_radio_service:s0
+vendor.samsung.hardware.radio.channel.ISehRadioChannel/epdgd        u:object_r:hal_radio_service:s0
+vendor.samsung.hardware.radio.channel.ISehRadioChannel/epdgd2       u:object_r:hal_radio_service:s0
+vendor.samsung.hardware.radio.channel.ISehRadioChannel/imsd         u:object_r:hal_radio_service:s0
+vendor.samsung.hardware.radio.channel.ISehRadioChannel/imsd2        u:object_r:hal_radio_service:s0
+vendor.samsung.hardware.radio.data.ISehRadioData/slot1              u:object_r:hal_radio_service:s0
+vendor.samsung.hardware.radio.data.ISehRadioData/slot2              u:object_r:hal_radio_service:s0
+vendor.samsung.hardware.radio.messaging.ISehRadioMessaging/slot1    u:object_r:hal_radio_service:s0
+vendor.samsung.hardware.radio.messaging.ISehRadioMessaging/slot2    u:object_r:hal_radio_service:s0
+vendor.samsung.hardware.radio.network.ISehRadioNetwork/slot1        u:object_r:hal_radio_service:s0
+vendor.samsung.hardware.radio.network.ISehRadioNetwork/slot2        u:object_r:hal_radio_service:s0
+vendor.samsung.hardware.radio.sim.ISehRadioSim/slot1                u:object_r:hal_radio_service:s0
+vendor.samsung.hardware.radio.sim.ISehRadioSim/slot2                u:object_r:hal_radio_service:s0
--- a/sepolicy/vendor/tee.te
+++ b/sepolicy/vendor/tee.te
@@ -0,0 +1,12 @@
+# Allow tee to read/write sec_efs_file
+allow tee sec_efs_file:dir create_dir_perms;
+allow tee sec_efs_file:file create_file_perms;
+
+# Allow tee to read/write vendor_gatekeeper_data_file
+allow tee vendor_gatekeeper_data_file:dir create_dir_perms;
+allow tee vendor_gatekeeper_data_file:file create_file_perms;
+
+# Allow tee to access kmsg device
+allow tee kmsg_device:chr_file rw_file_perms;
+
+set_prop(tee, vendor_qseecomd_prop)
--- a/sepolicy/vendor/vendor_hal_gnss_qti.te
+++ b/sepolicy/vendor/vendor_hal_gnss_qti.te
@@ -0,0 +1,7 @@
+# Allow gnss HAL to read/write vendor_sysfs_battery
+allow vendor_hal_gnss_qti vendor_sysfs_battery:file rw_file_perms;
+allow vendor_hal_gnss_qti vendor_sysfs_battery:dir r_dir_perms;
+
+allow vendor_hal_gnss_qti hal_gnss_service:service_manager add;
+
+dontaudit vendor_hal_gnss_qti { default_prop system_prop }:file { read open getattr map };
--- a/sepolicy/vendor/vendor_hal_usb_qti.te
+++ b/sepolicy/vendor/vendor_hal_usb_qti.te
@@ -0,0 +1 @@
+allow vendor_hal_usb_qti vendor_sysfs_battery:dir search;
--- a/sepolicy/vendor/vendor_init.te
+++ b/sepolicy/vendor/vendor_init.te
@@ -0,0 +1,7 @@
+allow vendor_init tmpfs:dir create_dir_perms;
+
+allow vendor_init cgroup:file rw_file_perms;
+
+allow vendor_init block_device:lnk_file setattr;
+
+allow vendor_init vendor_ssr_prop:property_service set;
--- a/sepolicy/vendor/vendor_qti_init_shell.te
+++ b/sepolicy/vendor/vendor_qti_init_shell.te
@@ -0,0 +1 @@
+allow vendor_qti_init_shell kmsg_device:chr_file rw_file_perms;
--- a/sepolicy/vendor/vendor_secril_config_svc.te
+++ b/sepolicy/vendor/vendor_secril_config_svc.te
@@ -0,0 +1,21 @@
+type vendor_secril_config_svc, domain, halserverdomain, hal_telephony, hal_telephony_server;
+type vendor_secril_config_svc_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(vendor_secril_config_svc)
+unix_socket_connect(vendor_secril_config_svc, property, init)
+
+# Allow secril_config_svc to read sec_efs_file
+r_dir_file(vendor_secril_config_svc, sec_efs_file)
+
+# Allow secril_config_svc to search mnt_vendor_file
+allow vendor_secril_config_svc mnt_vendor_file:dir search;
+
+# Allow secril_config_svc to read/write imei_efs_file
+allow vendor_secril_config_svc imei_efs_file:dir create_dir_perms;
+allow vendor_secril_config_svc imei_efs_file:file create_file_perms;
+
+# Allow secril_config_svc to read/write radio props
+set_prop(vendor_secril_config_svc, radio_prop)
+set_prop(vendor_secril_config_svc, vendor_radio_prop)
+
+allow vendor_secril_config_svc proc_simslot_count:file r_file_perms;
--- a/sepolicy/vendor/vendor_thermal-engine.te
+++ b/sepolicy/vendor/vendor_thermal-engine.te
@@ -0,0 +1,2 @@
+# Allow thermal-engine to read vendor_sysfs_battery
+r_dir_file(vendor_thermal-engine, vendor_sysfs_battery)
--- a/sepolicy/vendor/vendor_time_daemon.te
+++ b/sepolicy/vendor/vendor_time_daemon.te
@@ -0,0 +1,4 @@
+allow vendor_time_daemon rild:dir search;
+allow vendor_time_daemon rild:file { read open };
+allow vendor_time_daemon tee:dir { search };
+allow vendor_time_daemon tee:file { read open };
				`@@ -0,0 +1 @@`
				`type hal_hyper_service, hal_service_type, service_manager_type;`
				`@@ -0,0 +1 @@`
				`allow vendor_hal_usb_qti vendor_sysfs_battery:dir search;`
				`@@ -0,0 +1 @@`
				`allow vendor_qti_init_shell kmsg_device:chr_file rw_file_perms;`