Merge "sepolicy: add file define for oem path"
diff --git a/Android.mk b/Android.mk
index c03abd3..e7ef81b 100644
--- a/Android.mk
+++ b/Android.mk
@@ -10,11 +10,16 @@
genfs_contexts \
file_contexts \
service_contexts \
+ property_contexts \
te_macros \
+ ims_datad.te \
+ ims_qmid.te \
device.te \
vold.te \
ueventd.te \
file.te \
+ property.te \
+ untrusted_app.te \
drmserver.te \
adbd.te \
app.te \
@@ -39,26 +44,41 @@
service.te \
system_app.te \
thermal-engine.te \
+ vm_bms.te \
global_macros.te \
system_app.te \
bluetooth.te \
init_shell.te \
mpdecision.te \
+ perfd.te \
mm-qcamerad.te \
domain.te \
- init_shell.te \
+ init.te \
time_daemon.te \
rmt_storage.te \
+ rfs_access.te \
hvdcp.te \
qseecomd.te \
mcStarter.te \
keystore.te \
ims_rmt.te \
healthd.te \
+ charger_monitor.te \
surfaceflinger.te \
+ mm-pp-daemon.te \
wpa.te \
bootanim.te \
- zygote.te
+ zygote.te \
+ mdm_helper.te \
+ peripheral_manager.te \
+ qcomsysd.te \
+ servicemanager.te \
+ usb_uicc_daemon.te \
+ adsprpcd.te \
+ qlogd.te \
+ ipacm.te \
+ dpmd.te \
+ ssr_setup.te
# Compile sensor pilicy only for SSC targets
SSC_TARGET_LIST := apq8084
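Review bot: system_app.te is still listed twice in this hunk (once before thermal-engine.te and again after global_macros.te), while the same hunk de-duplicates init_shell.te by turning its second copy into init.te; drop one of the two `system_app.te \` lines so each policy source is named once. The first hunk of this file adds untrusted_app.te and this one adds vm_bms.te, but neither file appears in the visible part of the diff, so they presumably come from another change and the build should be checked to resolve them. The context comment `# Compile sensor pilicy only for SSC targets` has a typo (policy) that could be fixed while here.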
diff --git a/common/adsprpcd.te b/common/adsprpcd.te
new file mode 100644
index 0000000..795115d
--- /dev/null
+++ b/common/adsprpcd.te
@@ -0,0 +1,9 @@
+# adsprpcd daemon
+type adsprpcd, domain;
+type adsprpcd_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(adsprpcd)
+
+#============= adsprpcd ==============
+allow adsprpcd qdsp_device:chr_file { read ioctl open };
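Review bot: `allow adsprpcd qdsp_device:chr_file { read ioctl open };` spells out by hand almost the same set that app.te in this diff expresses on the same device as `r_file_perms`; using the macro in both places keeps the two grants obviously consistent (r_file_perms additionally carries getattr and lock in AOSP's global_macros). The header `# adsprpcd daemon` would be more useful as `# adsprpcd: DSP RPC daemon, opens the qdsp device on behalf of clients` or whatever the daemon actually does, since the rule is the only hint.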
diff --git a/common/app.te b/common/app.te
index bf62452..2714ae2 100644
--- a/common/app.te
+++ b/common/app.te
@@ -1,5 +1,6 @@
# allow application to access cnd domain and socket
unix_socket_connect(appdomain, cnd, cnd)
+unix_socket_connect(appdomain, qlogd, qlogd)
#Allow all apps to open and send ioctl to qdsp device
-allow appdomain qdsp_device:chr_file { ioctl open };
+allow appdomain qdsp_device:chr_file r_file_perms;
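Review bot: `unix_socket_connect(appdomain, qlogd, qlogd)` lets every app domain, including untrusted apps, connect to qlogd, which elsewhere in this diff (common/qlogd.te) receives sys_admin, dac_override, dac_read_search, syslog and shell execution; a daemon with that privilege set should not be reachable from arbitrary apps on user builds. Restrict the connect to the specific client domain that needs it, or put it inside a userdebug_or_eng block as dpmd.te and mm-pp-daemon.te do for their debug-only rules. The switch from `{ ioctl open }` to `r_file_perms` on qdsp_device is also a widening (read, getattr and lock are added per AOSP's global_macros); if the DSP RPC library does read the node, a one-line comment saying so would justify it.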
diff --git a/common/atfwd.te b/common/atfwd.te
index b4a3fdf..b4f5cec 100644
--- a/common/atfwd.te
+++ b/common/atfwd.te
@@ -11,3 +11,4 @@
binder_use(atfwd);
binder_call(atfwd, system_app);
binder_call(atfwd, servicemanager);
+r_dir_file(atfwd, sysfs_ssr);
diff --git a/common/bluetooth.te b/common/bluetooth.te
index 6cba71f..ce58dab 100644
--- a/common/bluetooth.te
+++ b/common/bluetooth.te
@@ -1,2 +1,18 @@
#BT needes read and write on smd device node
allow bluetooth smd_device:chr_file rw_file_perms;
+
+allow bluetooth bluetooth_prop:property_service set;
+allow bluetooth serial_device:chr_file rw_file_perms;
+allow bluetooth sysfs:file rw_file_perms;
+
+#BT Snoop logging
+allow bluetooth self:tcp_socket { create setopt bind accept listen };
+allow bluetooth port:tcp_socket name_bind;
+allow bluetooth node:tcp_socket node_bind;
+
+allow bluetooth uhid_device:chr_file rw_file_perms;
+allow bluetooth input_device:chr_file { open read write ioctl };
+
+allow bluetooth persist_file:dir search;
+allow bluetooth persist_file:file rw_file_perms;
+allow bluetooth wpa:unix_stream_socket connectto;
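Review bot: the BT snoop logging rules (`self:tcp_socket { create setopt bind accept listen }`, `port:tcp_socket name_bind`, `node:tcp_socket node_bind`) open a listening TCP socket for raw HCI traffic in every build type; other debug-only grants in this diff are wrapped in userdebug_or_eng blocks (dpmd.te, ipacm.te, mm-pp-daemon.te), and this block belongs there too. `allow bluetooth sysfs:file rw_file_perms;` is a write on the generic sysfs label; the file.te hunk in this diff shows the convention of a dedicated sysfs_* type per node, which would bound what the bluetooth domain can write. None of the new rules carries a comment except the snoop block; `#BT needes read and write on smd device node` above it also has a typo (needs).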
diff --git a/common/charger_monitor.te b/common/charger_monitor.te
new file mode 100644
index 0000000..125cb1b
--- /dev/null
+++ b/common/charger_monitor.te
@@ -0,0 +1,16 @@
+#integrated process
+type charger_monitor, domain;
+type charger_monitor_exec, exec_type, file_type;
+
+#started by init
+init_daemon_domain(charger_monitor)
+
+#charger monitor will use uevent, visit sysfs and use the wake lock
+allow charger_monitor self:netlink_kobject_uevent_socket { read create setopt bind };
+allow charger_monitor sysfs:file rw_file_perms;
+allow charger_monitor sysfs_wake_lock:file rw_file_perms;
+
+allow charger_monitor sysfs_battery_supply:dir search;
+allow charger_monitor sysfs_battery_supply:file rw_file_perms;
+allow charger_monitor sysfs_usb_supply:dir search;
+allow charger_monitor sysfs_usb_supply:file r_file_perms;
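Review bot: `allow charger_monitor sysfs:file rw_file_perms;` grants read/write on every file carrying the generic sysfs label, while the four rules right below show the narrower pattern (sysfs_battery_supply, sysfs_usb_supply) this domain otherwise follows; if the daemon only touches specific nodes, label them in file_contexts and drop the generic rule. The header `#integrated process` does not say what the daemon is; `# charger_monitor: watches charger uevents and battery/usb supply sysfs nodes` would let the rules below explain themselves.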
diff --git a/common/device.te b/common/device.te
old mode 100755
new mode 100644
index 0702ccf..8b3796d
--- a/common/device.te
+++ b/common/device.te
@@ -13,11 +13,13 @@
#device type for smd device nodes, ie /dev/smd*
type smd_device, dev_type;
-type subsys_esoc0_device, dev_type;
-
#Define thermal-engine devices
type thermal_device, dev_type;
+#Define vm_bms devices
+type vm_bms_device, dev_type;
+type battery_data_device, dev_type;
+
#Add qdsp_device type
type qdsp_device, dev_type;
#Define hvdcp/quickcharge device
@@ -38,3 +40,32 @@
#Define device for partition links
type ssd_device, dev_type;
type rpmb_device, dev_type;
+
+#ESOC device
+type esoc_device, dev_type;
+
+#SSR device
+type ssr_device, dev_type;
+
+#Kickstart bridge devices
+type ksbridgehsic_device, dev_type;
+
+#EFS sync bridge devices
+type efsbridgehsic_device, dev_type;
+
+#EFS sync block devices
+type efs_boot_dev, dev_type;
+
+#Misc partition
+type misc_partition, dev_type;
+
+#Bootselect partition
+type bootselect_device, dev_type;
+
+#define usb_uicc_device for usb_uicc daemon
+type usb_uicc_device, dev_type;
+
+# Define IPA devices
+type ipa_dev, dev_type;
+
+type mmc_block_device, dev_type;
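Review bot: `type mmc_block_device, dev_type;` is the only declaration in this hunk without a one-line comment, and the new names mix suffix conventions (`efs_boot_dev`, `ipa_dev`, `misc_partition` next to `*_device`); a comment such as `# Raw eMMC block device` and a consistent `_device` suffix would match the rest of the file. The first hunk of this file removes `subsys_esoc0_device` and file_contexts in this diff relabels `/dev/subsys_.*` to `ssr_device`, so any policy file outside this diff that still references the old type will now fail to compile.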
diff --git a/common/domain.te b/common/domain.te
index 07223d1..e5fc562 100644
--- a/common/domain.te
+++ b/common/domain.te
@@ -1,3 +1,6 @@
userdebug_or_eng(`
allow domain diag_device:chr_file rw_file_perms;
')
+
+r_dir_file(domain, sysfs_socinfo);
+r_dir_file(domain, sysfs_esoc);
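Review bot: `r_dir_file(domain, sysfs_socinfo)` and `r_dir_file(domain, sysfs_esoc)` give every domain, untrusted apps included, read access to the SoC and external-SoC topology under /sys; if only the Qualcomm daemons need it, granting it per domain keeps the information-disclosure surface smaller. If the domain-wide grant stays, the per-domain sysfs_esoc read rules added elsewhere in this diff (mediaserver.te, netmgrd.te, qmuxd.te, mdm_helper.te, peripheral_manager.te) are redundant and could be removed so the intent is stated once. A comment naming the consumer (mdm_helper.te attributes these reads to libmdmdetect) would help the next reader.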
diff --git a/common/dpmd.te b/common/dpmd.te
new file mode 100644
index 0000000..683e22e
--- /dev/null
+++ b/common/dpmd.te
@@ -0,0 +1,44 @@
+#dpmd as domain
+type dpmd, domain;
+type dpmd_exec, exec_type, file_type;
+
+#file_type_auto_trans(dpmd, socket_device, dpmd_socket);
+init_daemon_domain(dpmd)
+type_transition dpmd system_data_file:{ file } dpmd_data_file;
+
+allow dpmd dpmd_exec:file execute_no_trans;
+
+#allow dpmd to access diag service
+userdebug_or_eng(`
+ allow dpmd diag_device:chr_file { read write ioctl open };
+')
+allow dpmd dpmd_data_file:file { read lock getattr open setattr execute };
+
+#allow dpmd to access qmux radio socket
+qmux_socket(dpmd);
+
+#self capability
+allow dpmd self:capability net_raw;
+allow dpmd self:capability { chown fsetid dac_override };
+allow dpmd self:netlink_route_socket { create read write bind create nlmsg_read };
+allow dpmd sysfs_wake_lock:file { open append };
+allow dpmd self:capability net_admin;
+allow dpmd self:rawip_socket { getopt create setopt };
+allow dpmd self:socket rw_socket_perms;
+allow dpmd self:netlink_socket rw_socket_perms;
+
+#socket
+allow dpmd self:udp_socket { ioctl create getopt };
+allow dpmd smem_log_device:chr_file { read write ioctl open };
+allow dpmd init:unix_stream_socket connectto;
+
+#llow dpmd to set system property
+allow dpmd property_socket:sock_file write;
+allow dpmd self:capability2 block_suspend;
+allow dpmd system_prop:property_service set;
+
+allow dpmd shell_exec:file { read execute open execute_no_trans };
+allow dpmd system_file:file execute_no_trans;
+
+#kernel
+allow dpmd kernel:system module_request;
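Review bot: `allow dpmd dpmd_data_file:file { read lock getattr open setattr execute };` grants execute on a data_file_type, i.e. on files that the type_transition above places under /data; executing from writable data storage is something later AOSP policy forbids outright, so either document what dpmd loads from there or drop `execute`. Smaller points in the same file: `create` is listed twice in the netlink_route_socket rule, the comment `#llow dpmd to set system property` lost its first letter, and dpmd_socket is declared in file.te and labelled at `/dev/socket/dpmd` in file_contexts but the only rule referencing it is the commented-out `file_type_auto_trans`, so dpmd has no permission on its own socket. `allow dpmd system_prop:property_service set;` together with the property_socket and init connectto rules lets dpmd set any system property; a dedicated property type would scope that as property.te does for usb_uicc.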
diff --git a/common/file.te b/common/file.te
old mode 100755
new mode 100644
index f773d79..6ef2c45
--- a/common/file.te
+++ b/common/file.te
@@ -8,6 +8,10 @@
type cnd_socket, file_type;
type cnd_data_file, file_type;
+# Define dpmd data file type
+type dpmd_socket, file_type;
+type dpmd_data_file, data_file_type;
+
#Define the timeout for platform specific transports
type sysfs_hsic_modem_wait, sysfs_type, fs_type;
type sysfs_smd_open_timeout, sysfs_type, fs_type;
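Review bot: `type dpmd_data_file, data_file_type;` lacks the `file_type` attribute that every other /data-labelled type in this diff carries (`mpctl_data_file, file_type, data_file_type` and `display_config, file_type, data_file_type` in the next hunk), and conversely `ipacm_data_file, file_type` in the next hunk lacks `data_file_type` although file_contexts puts it under /data/misc/ipa; both should read `file_type, data_file_type` so attribute-based rules treat them like their siblings. In the next hunk `sysfs_ssr_toggle` and `sysfs_hsic_host_rdy` are declared `sysfs_type, file_type` while the surrounding sysfs types use `sysfs_type, fs_type`; if that difference is deliberate it needs a comment, otherwise fs_type is the expected attribute.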
@@ -55,9 +59,33 @@
type sysfs_mpdecision, fs_type, sysfs_type;
type sysfs_rqstats, fs_type, sysfs_type;
type sysfs_cpu_online, fs_type, sysfs_type;
+type mpctl_socket, file_type;
+type mpctl_data_file, file_type, data_file_type;
#mm-qcamera-daemon socket
type camera_socket, file_type;
#Socket node needed by ims_data daemon
type ims_socket, file_type;
+
+#File types required by mdm-helper
+type sysfs_esoc, sysfs_type, fs_type;
+type sysfs_ssr, sysfs_type, fs_type;
+type sysfs_ssr_toggle, sysfs_type, file_type;
+type sysfs_hsic, sysfs_type, fs_type;
+type sysfs_hsic_host_rdy, sysfs_type, file_type;
+
+# Files accessed by qcom-system-daemon
+type sysfs_socinfo, fs_type, sysfs_type;
+
+#Define the sysfs files for usb_uicc_daemon
+type sysfs_usb_uicc, sysfs_type, fs_type;
+
+type qlogd_socket, file_type;
+
+#Define the files written during the operation of mm-pp-daemon
+type display_config, file_type, data_file_type;
+
+# IPA file types
+type ipacm_socket, file_type;
+type ipacm_data_file, file_type;
diff --git a/common/file_contexts b/common/file_contexts
old mode 100755
new mode 100644
index 9d2ad1c..1a5fdb4
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -17,19 +17,36 @@
/dev/sensors u:object_r:sensors_device:s0
/dev/smd.* u:object_r:smd_device:s0
/dev/smem_log u:object_r:smem_log_device:s0
-/dev/subsys_esoc0 u:object_r:subsys_esoc0_device:s0
/dev/ttyHSL0 u:object_r:console_device:s0
/dev/ttyHS[0-9]* u:object_r:serial_device:s0
/dev/usb_ext_chg u:object_r:hvdcp_device:s0
/dev/media([0-9])+ u:object_r:camera_device:s0
/dev/jpeg[0-9]* u:object_r:camera_device:s0
/dev/v4l-subdev.* u:object_r:camera_device:s0
+/dev/vm_bms u:object_r:vm_bms_device:s0
+/dev/battery_data u:object_r:battery_data_device:s0
/dev/block/bootdevice/by-name/modemst1 u:object_r:modem_efs_partition_device:s0
/dev/block/bootdevice/by-name/modemst2 u:object_r:modem_efs_partition_device:s0
/dev/block/bootdevice/by-name/fsg u:object_r:modem_efs_partition_device:s0
/dev/block/bootdevice/by-name/fsc u:object_r:modem_efs_partition_device:s0
/dev/block/bootdevice/by-name/ssd u:object_r:ssd_device:s0
/dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0
+/dev/ccid_bridge u:object_r:usb_uicc_device:s0
+/dev/block/bootdevice/by-name/mdm1m9kefs1 u:object_r:efs_boot_dev:s0
+/dev/block/bootdevice/by-name/mdm1m9kefs2 u:object_r:efs_boot_dev:s0
+/dev/block/bootdevice/by-name/mdm1m9kefs3 u:object_r:efs_boot_dev:s0
+/dev/block/bootdevice/by-name/mdm1m9kefsc u:object_r:efs_boot_dev:s0
+/dev/subsys_.* u:object_r:ssr_device:s0
+/dev/esoc.* u:object_r:esoc_device:s0
+/dev/ks_hsic_bridge u:object_r:ksbridgehsic_device:s0
+/dev/efs_hsic_bridge u:object_r:efsbridgehsic_device:s0
+/dev/block/platform/msm_sdcc.1/by-name/misc u:object_r:misc_partition:s0
+/dev/block/platform/msm_sdcc.1/by-name/bootselect u:object_r:bootselect_device:s0
+/dev/ipa u:object_r:ipa_dev:s0
+/dev/wwan_ioctl u:object_r:ipa_dev:s0
+/dev/ipaNatTable u:object_r:ipa_dev:s0
+/dev/block/mmcblk0 u:object_r:mmc_block_device:s0
+
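Review bot: `/dev/subsys_.* u:object_r:ssr_device:s0` replaces the single `/dev/subsys_esoc0` entry, so every subsystem-restart node now shares one label and the `ssr_device:chr_file { open read }` grants in mdm_helper.te and peripheral_manager.te cover all of them rather than only the external modem; if those daemons power a single peripheral, a narrower pattern or per-subsystem labels keep the grant tight. `/dev/block/platform/msm_sdcc.1/by-name/misc` and the bootselect entry use a platform-specific path while the other by-name entries in this hunk use the `/dev/block/bootdevice/by-name/` alias; using the alias throughout avoids the entries silently not matching on a board with a different controller name.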
###################################
# Dev socket nodes
#
@@ -46,6 +63,10 @@
/dev/socket/ims_qmid u:object_r:ims_socket:s0
/dev/socket/ims_datad u:object_r:ims_socket:s0
/dev/socket/ims_rtpd u:object_r:ims_socket:s0
+/dev/socket/perfd(/.*)? u:object_r:mpctl_socket:s0
+/dev/socket/qlogd u:object_r:qlogd_socket:s0
+/dev/socket/ipacm_log_file u:object_r:ipacm_socket:s0
+/dev/socket/dpmd u:object_r:dpmd_socket:s0
###################################
# System files
@@ -53,6 +74,7 @@
/system/bin/ATFWD-daemon u:object_r:atfwd_exec:s0
/system/bin/PktRspTest u:object_r:diag_exec:s0
/system/bin/audiod u:object_r:audiod_exec:s0
+/system/bin/charger_monitor u:object_r:charger_monitor_exec:s0
/system/bin/cnd u:object_r:cnd_exec:s0
/system/bin/diag_callback_client u:object_r:diag_exec:s0
/system/bin/diag_dci_sample u:object_r:diag_exec:s0
@@ -62,7 +84,9 @@
/system/bin/diag_socket_log u:object_r:diag_exec:s0
/system/bin/diag_uart_log u:object_r:diag_exec:s0
/system/bin/irsc_util u:object_r:irsc_util_exec:s0
+/system/bin/mm-pp-daemon u:object_r:mm-pp-daemon_exec:s0
/system/bin/mpdecision u:object_r:mpdecision_exec:s0
+/system/bin/perfd u:object_r:perfd_exec:s0
/system/bin/msm_irqbalance u:object_r:msm_irqbalanced_exec:s0
/system/bin/netmgrd u:object_r:netmgrd_exec:s0
/system/bin/qmuxd u:object_r:qmuxd_exec:s0
@@ -70,12 +94,28 @@
/system/bin/sns.* u:object_r:sensors_test_exec:s0
/system/bin/test_diag u:object_r:diag_exec:s0
/system/bin/thermal-engine u:object_r:thermal-engine_exec:s0
+/system/bin/vm_bms u:object_r:vm_bms_exec:s0
/system/bin/mm-qcamera-daemon u:object_r:mm-qcamerad_exec:s0
/system/rfs.* u:object_r:rfs_system_file:s0
/system/bin/time_daemon u:object_r:time_daemon_exec:s0
/system/bin/rmt_storage u:object_r:rmt_storage_exec:s0
/system/bin/hvdcp u:object_r:hvdcp_exec:s0
/system/bin/qseecomd u:object_r:qseecomd_exec:s0
+/system/bin/hostapd_cli u:object_r:hostapd_exec:s0
+/system/bin/adsprpcd u:object_r:adsprpcd_exec:s0
+/system/bin/wpa_cli u:object_r:wpa_exec:s0
+/system/bin/cnss-daemon u:object_r:wpa_exec:s0
+/system/bin/mdm_helper u:object_r:mdm_helper_exec:s0
+/system/bin/mdm_helper_proxy u:object_r:mdm_helper_exec:s0
+/system/bin/ks u:object_r:mdm_helper_exec:s0
+/system/bin/pm-service u:object_r:per_mgr_exec:s0
+/system/bin/usb_uicc_client u:object_r:usb_uicc_daemon_exec:s0
+/system/bin/qcom-system-daemon u:object_r:qcomsysd_exec:s0
+/system/xbin/qlogd u:object_r:qlogd_exec:s0
+/system/bin/ipacm u:object_r:ipacm_exec:s0
+/system/bin/ipacm-diag u:object_r:ipacm-diag_exec:s0
+/system/bin/dpmd u:object_r:dpmd_exec:s0
+/system/bin/ssr_setup u:object_r:ssr_setup_exec:s0
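Review bot: `/system/bin/cnss-daemon u:object_r:wpa_exec:s0` makes an unrelated binary execute in the wpa domain and inherit all of its permissions, whereas every other new daemon in this hunk gets its own `<name>_exec` type and domain; cnss-daemon should get the same treatment, and `wpa_cli`/`hostapd_cli` being labelled as the daemons' exec types likewise means a client tool runs with daemon privileges. `/system/xbin/qlogd` is the only new entry under xbin; if that signals a debug tool, its domain and the app-wide socket access granted in app.te should be scoped to userdebug_or_eng builds accordingly.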
###################################
# sysfs files
@@ -89,9 +129,9 @@
/sys/devices/platform/battery_current_limit u:object_r:sysfs_thermal:s0
/sys/devices/qpnp-charger.*/power_supply/battery(/.*)? u:object_r:sysfs_battery_supply:s0
/sys/devices/system/cpu/cpu0/rq-stats/* u:object_r:sysfs_rqstats:s0
-/sys/devices/virtual/graphics/fb0/idle_time u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb1/product_description u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb1/vendor_name u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-2])+/idle_time u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-2])+/product_description u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-2])+/vendor_name u:object_r:sysfs_graphics:s0
/sys/devices/virtual/hsicctl/hsicctl1[0-9]/modem_wait u:object_r:sysfs_hsic_modem_wait:s0
/sys/devices/virtual/hsicctl/hsicctl[0-9]/modem_wait u:object_r:sysfs_hsic_modem_wait:s0
/sys/devices/virtual/smdpkt/smdcntl1[0-9]/open_timeout u:object_r:sysfs_smd_open_timeout:s0
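Review bot: `fb([0-2])+` in the three rewritten sysfs_graphics entries matches one or more digits from 0-2, so it accepts `fb00`, `fb12` or `fb222` as well as `fb0`-`fb2`; if the intent is the three framebuffers, `fb[0-2]` is the precise form. The same pattern is reused for the hpd, mdp/caps and ad entries in the next hunk of this file. Over-broad file_contexts patterns are harmless today but become a labelling surprise when new nodes appear.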
@@ -101,6 +141,20 @@
/sys/module/msm_thermal(/.*)? u:object_r:sysfs_thermal:s0
/sys/module/msm_thermal/core_control/cpus_offlined u:object_r:sysfs_mpdecision:s0
/sys/devices/f9a55000.*/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0
+/sys/devices/virtual/graphics/fb([0-2])+/hpd u:object_r:sysfs_graphics:s0
+/sys/class/graphics/fb([0-2])+/mdp/caps u:object_r:sysfs_graphics:s0
+/sys/class/graphics/fb([0-2])+/ad u:object_r:sysfs_graphics:s0
+/sys/bus/platform/drivers/xhci_msm_hsic(/.*)? u:object_r:sysfs_hsic:s0
+/sys/devices/msm_hsic_host/host_ready u:object_r:sysfs_hsic_host_rdy:s0
+/sys/bus/esoc(/.*)? u:object_r:sysfs_esoc:s0
+/sys/bus/msm_subsys(/.*)? u:object_r:sysfs_ssr:s0
+/sys/module/ccid_bridge(/.*)? u:object_r:sysfs_usb_uicc:s0
+/sys/bus/msm_subsys/devices/subsys0/restart_level u:object_r:sysfs_ssr_toggle:s0
+/sys/bus/msm_subsys/devices/subsys1/restart_level u:object_r:sysfs_ssr_toggle:s0
+/sys/bus/msm_subsys/devices/subsys2/restart_level u:object_r:sysfs_ssr_toggle:s0
+/sys/bus/msm_subsys/devices/subsys3/restart_level u:object_r:sysfs_ssr_toggle:s0
+/sys/bus/msm_subsys/devices/subsys4/restart_level u:object_r:sysfs_ssr_toggle:s0
+/sys/devices/soc0/.* u:object_r:sysfs_socinfo:s0
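Review bot: the five `restart_level` entries could be a single `/sys/bus/msm_subsys/devices/subsys[0-9]/restart_level` pattern, which would also cover a board with more subsystems instead of leaving subsys5 and up under the broader sysfs_ssr label. restart_level controls subsystem restart behaviour and is given its own sysfs_ssr_toggle label, yet no domain in the visible diff is granted write on it; presumably ssr_setup.te (listed in Android.mk, not shown) does, which is worth confirming.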
###################################
# data files
@@ -113,6 +167,12 @@
/data/camera(/.*)? u:object_r:camera_socket:s0
/data/system/sensors(/.*)? u:object_r:sensors_data_file:s0
/data/time/* u:object_r:time_data_file:s0
+/data/nfc(/.*)? u:object_r:nfc_data_file:s0
+/data/system/perfd(/.*)? u:object_r:mpctl_data_file:s0
+/data/misc/perfd(/.*)? u:object_r:mpctl_socket:s0
+/data/misc/display(/.*)? u:object_r:display_config:s0
+/data/misc/ipa(/.*)? u:object_r:ipacm_data_file:s0
+/data/dpm(/.*)? u:object_r:dpmd_data_file:s0
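Review bot: `/data/misc/perfd(/.*)? u:object_r:mpctl_socket:s0` labels a /data directory with the same type as `/dev/socket/perfd`, and mpctl_socket is declared `file_type` only, so everything under /data/misc/perfd escapes the data_file_type attribute rules that the neighbouring entries (mpctl_data_file, display_config, dpmd_data_file) are subject to. If the directory holds socket nodes that is defensible, but a comment should say so; otherwise it belongs under mpctl_data_file.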
###################################
# persist files
diff --git a/common/ims_datad.te b/common/ims_datad.te
new file mode 100644
index 0000000..a6b4a98
--- /dev/null
+++ b/common/ims_datad.te
@@ -0,0 +1,6 @@
+type imsdatadaemon, domain;
+type imsdatadaemon_exec, exec_type, file_type;
+init_daemon_domain(imsdatadaemon)
+
+allow radio ims_socket:sock_file rw_file_perms;
+allow imsdatadaemon ims_socket:sock_file rw_file_perms;
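Review bot: `allow radio ims_socket:sock_file rw_file_perms;` is declared here and again verbatim in ims_qmid.te; SELinux tolerates duplicate allow rules, but the radio-side rule belongs in one place (radio.te, which this diff also touches) so that removing one daemon does not silently drop the other's client access. Both new files also lack a header comment; `# IMS data daemon; radio connects via /dev/socket/ims_datad` would match the style of the other new domains.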
diff --git a/common/ims_qmid.te b/common/ims_qmid.te
new file mode 100644
index 0000000..07085ed
--- /dev/null
+++ b/common/ims_qmid.te
@@ -0,0 +1,6 @@
+type imsqmidaemon, domain;
+type imsqmidaemon_exec, exec_type, file_type;
+init_daemon_domain(imsqmidaemon)
+
+allow radio ims_socket:sock_file rw_file_perms;
+allow imsqmidaemon ims_socket:sock_file rw_file_perms;
diff --git a/common/init.te b/common/init.te
index 18f4a4d..c31af56 100644
--- a/common/init.te
+++ b/common/init.te
@@ -1,2 +1,8 @@
# Adding allow rule for search on /fuse
allow init fuse:dir search;
+
+#allow dpmd to read, write on data file
+allow init dpmd_data_file:dir { read open setattr };
+
+allow init self:capability sys_module;
+allow init fuse:dir mounton;
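Review bot: the comment `#allow dpmd to read, write on data file` does not describe the rule under it, which gives init `dpmd_data_file:dir { read open setattr }` (a directory, no write, and the subject is init rather than dpmd); rewrite it as `# init creates and relabels the dpmd data directory` or whatever the actual intent is. `allow init self:capability sys_module;` lets init load kernel modules in all builds and has no comment; if this serves a specific module loaded from init.rc, name it, because it is a notable widening of init's privilege.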
diff --git a/common/init_shell.te b/common/init_shell.te
index f0b77cc..9c61ff0 100644
--- a/common/init_shell.te
+++ b/common/init_shell.te
@@ -14,3 +14,11 @@
allow init_shell default_prop:property_service set;
allow init_shell shell_exec:file execute_no_trans;
+
+#Needed in order to set properties while going in/out of debug mode.
+allow init_shell ctl_default_prop:property_service set;
+
+allow init_shell efs_boot_dev:blk_file r_file_perms;
+
+#perfd
+allow init_shell ctl_default_prop:property_service set;
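Review bot: `allow init_shell ctl_default_prop:property_service set;` is added twice in this hunk, once under the debug-mode comment and once under `#perfd`; drop the second copy and merge the two comments into one that names both reasons. `allow init_shell efs_boot_dev:blk_file r_file_perms;` has no comment at all; say which init.rc script reads the EFS partitions so the grant can be revisited later.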
diff --git a/common/ipacm.te b/common/ipacm.te
new file mode 100644
index 0000000..1c061fd
--- /dev/null
+++ b/common/ipacm.te
@@ -0,0 +1,31 @@
+# General definitions
+type ipacm, domain;
+type ipacm-diag, domain;
+type ipacm_exec, exec_type, file_type;
+type ipacm-diag_exec, exec_type, file_type;
+init_daemon_domain(ipacm)
+init_daemon_domain(ipacm-diag)
+
+userdebug_or_eng(`
+ # Allow using the logging file between ipacm and ipacm-diag
+ allow ipacm ipacm-diag:unix_dgram_socket sendto;
+ allow ipacm ipacm_socket:sock_file write;
+')
+
+# Allow capabilities to perform network operations and interactions with network interfaces
+allow ipacm kernel:system module_request;
+allow ipacm ipacm:capability net_admin;
+
+# Allow operations with /dev/ipa, /dev/wwan_ioctl and /dev/ipaNatTable
+allow ipacm ipa_dev:chr_file rw_file_perms;
+
+# Allow querying the network stack via IOCTLs
+allow ipacm ipacm:udp_socket { create ioctl };
+
+# Allow receiving NETLINK messages
+allow ipacm ipacm:netlink_route_socket { create getopt setopt bind read };
+allow ipacm ipacm:netlink_socket { create setopt bind getattr read write };
+
+# Allow creating and modifying the PID file
+allow ipacm ipacm_data_file:file create_file_perms;
+allow ipacm ipacm_data_file:dir w_dir_perms;
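Review bot: `allow ipacm ipacm:capability net_admin;`, `ipacm ipacm:udp_socket` and the two netlink rules spell the subject out as the target where the rest of this diff writes `self` (`allow ipacm self:capability net_admin;`); the meaning is identical, but using `self` consistently makes self-permission audits greppable. The file is otherwise well commented; `allow ipacm kernel:system module_request;` would benefit from naming the expected module the way netd.te does in this diff.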
diff --git a/common/mdm_helper.te b/common/mdm_helper.te
new file mode 100755
index 0000000..fe9a099
--- /dev/null
+++ b/common/mdm_helper.te
@@ -0,0 +1,57 @@
+#Policy for mdm_helper
+#mdm_helper - mdm_helper domain
+type mdm_helper, domain;
+type mdm_helper_exec, exec_type, file_type;
+init_daemon_domain(mdm_helper);
+
+#block_suspend capability is needed by kickstart(ks)
+allow mdm_helper self:capability2 block_suspend;
+
+#Needed to power on the peripheral
+allow mdm_helper ssr_device:chr_file { open read };
+
+#Needed to access the esoc device to control the mdm
+allow mdm_helper esoc_device:chr_file { read write ioctl open };
+allow mdm_helper esoc_device:dir { open search };
+
+#Needed to detect presence of hsic bridge and to xfer images
+allow mdm_helper ksbridgehsic_device:chr_file { read write open getattr ioctl};
+
+#Needed to detect efs sync and for kickstart to run the efs sync server
+allow mdm_helper efsbridgehsic_device:chr_file { read write open getattr ioctl};
+
+#Needed for communication with the HSIC driver
+allow mdm_helper sysfs_hsic:dir { open read search };
+allow mdm_helper sysfs_hsic:file { read write open };
+
+#Needed by libmdmdetect to figure out the system configuration
+allow mdm_helper sysfs_esoc:dir { open search read };
+allow mdm_helper sysfs_esoc:lnk_file { read };
+
+#Needed by libmdmdetect to get system information regarding subsystems and to check their states
+allow mdm_helper sysfs_ssr:dir { open search read };
+allow mdm_helper sysfs_ssr:lnk_file { read open };
+
+#Needed in order to run kickstart
+allow mdm_helper shell:fd { use };
+allow mdm_helper shell_exec:file { read open execute execute_no_trans };
+allow mdm_helper system_file:file { execute_no_trans };
+allow mdm_helper mdm_helper_exec:file {execute_no_trans };
+
+#Needed to inform the hsic driver that mdm has booted up
+allow mdm_helper sysfs:file { open read write getattr };
+
+#Needed by ks in order to access the efs sync partitions.
+allow mdm_helper efs_boot_dev:blk_file { open read getattr write};
+allow mdm_helper block_device:dir { getattr search write };
+
+#Ks needs to aquire the wake lock
+allow mdm_helper sysfs_wake_lock:file {open append};
+
+#Needed in order to access the firmware partition
+allow mdm_helper firmware_file:dir { search };
+allow mdm_helper firmware_file:file { open read getattr };
+
+#Needed in order to collect ramdumps
+allow mdm_helper tombstone_data_file:file { create read write open getattr };
+allow mdm_helper tombstone_data_file:dir { create search open read write getattr add_name };
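Review bot: `allow mdm_helper sysfs:file { open read write getattr };` is a write on the generic sysfs label even though this file already uses the dedicated sysfs_hsic type, and file.te in this diff adds sysfs_hsic_host_rdy for the host_ready node; if the "mdm has booted" signal is that node, target `sysfs_hsic_host_rdy:file rw_file_perms` and drop the generic write. Brace spacing is inconsistent across the hunk (`{ read write open getattr ioctl}`, `{execute_no_trans }`, `{open append}`); `{ … }` with spaces on both sides matches the rest of the tree. `init_daemon_domain(mdm_helper);` carries a trailing semicolon that the other new files omit.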
diff --git a/common/mediaserver.te b/common/mediaserver.te
index 731ea42..8aff7e1 100644
--- a/common/mediaserver.te
+++ b/common/mediaserver.te
@@ -12,3 +12,16 @@
qmux_socket(mediaserver)
allow mediaserver camera_data_file:sock_file write;
+
+allow mediaserver sysfs_esoc:dir r_dir_perms;
+allow mediaserver sysfs_esoc:lnk_file read;
+
+# access to perflock
+allow mediaserver mpctl_socket:dir r_dir_perms;
+unix_socket_send(mediaserver, mpctl, mpdecision)
+unix_socket_connect(mediaserver, mpctl, mpdecision)
+
+# access to perflock
+allow mediaserver mpctl_socket:dir r_dir_perms;
+unix_socket_send(mediaserver, mpctl, perfd)
+unix_socket_connect(mediaserver, mpctl, perfd)
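Review bot: the `# access to perflock` block is duplicated: `allow mediaserver mpctl_socket:dir r_dir_perms;` appears twice, once with the mpdecision socket macros and once with the perfd ones. Keep a single dir rule and put both `unix_socket_send`/`unix_socket_connect` pairs under one comment explaining why two perflock providers are addressed (presumably different targets ship mpdecision or perfd).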
diff --git a/common/mm-pp-daemon.te b/common/mm-pp-daemon.te
new file mode 100755
index 0000000..b515c47
--- /dev/null
+++ b/common/mm-pp-daemon.te
@@ -0,0 +1,42 @@
+type mm-pp-daemon, domain;
+type mm-pp-daemon_exec, exec_type, file_type;
+
+init_daemon_domain(mm-pp-daemon)
+
+#============= mm-pp-daemon ==============
+#Need to use fb ioctls to communicate with kernel
+allow mm-pp-daemon graphics_device:chr_file rw_file_perms;
+allow mm-pp-daemon graphics_device:dir search;
+
+# Allow reading calibration data from persist
+allow mm-pp-daemon persist_file:file r_file_perms;
+allow mm-pp-daemon persist_file:dir search;
+
+# Allow pp daemon to save settings to /data
+allow mm-pp-daemon display_config:file rw_file_perms;
+
+#Calibration can only be done on userdebug or eng builds
+userdebug_or_eng(`
+ # Display calibration service opens /dev/diag in order to communicate with the
+ # target device
+ allow mm-pp-daemon diag_device:chr_file rw_file_perms;
+
+ # QDCM needs to trigger screen refreshes in some cases to reach the
+ # convergent state
+ binder_use(mm-pp-daemon)
+ binder_call(mm-pp-daemon, system_server)
+ binder_call(mm-pp-daemon, surfaceflinger)
+
+ # This allows pp-daemon to use shell commands to blank
+ # the display - it uses input keyevent to do this
+ allow mm-pp-daemon shell_exec:file rx_file_perms;
+ allow mm-pp-daemon system_file:file execute_no_trans;
+ allow mm-pp-daemon zygote_exec:file rx_file_perms;
+
+ # Allow writing to persist
+ allow mm-pp-daemon persist_file:file rw_file_perms;
+
+ # Allow mm-pp-daemon to change the brightness of the target during display
+ # calibration
+ allow mm-pp-daemon sysfs:file rw_file_perms;
+')
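Review bot: `allow mm-pp-daemon display_config:file rw_file_perms;` gives file access under /data/misc/display but there is no `display_config:dir` search or add_name rule and no `type_transition`, so unless another file grants them the daemon can neither traverse the directory nor create the settings file it is meant to save; rfs_access.te in this diff shows the paired dir rules and transition. The read-only `persist_file:file r_file_perms` above the debug block and the `rw_file_perms` inside it are fine as written, but a single comment stating "user builds: calibration data is read-only" would make that contract obvious.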
diff --git a/common/mpdecision.te b/common/mpdecision.te
index 6241f77..0c68fde 100644
--- a/common/mpdecision.te
+++ b/common/mpdecision.te
@@ -13,3 +13,22 @@
allow mpdecision self:netlink_kobject_uevent_socket read;
allow mpdecision self:socket create_socket_perms;
allow mpdecision device_latency:chr_file w_file_perms;
+
+allow mpdecision sysfs_rqstats:dir search;
+allow mpdecision socket_device:dir w_file_perms;
+allow mpdecision sysfs_thermal:dir search;
+
+#policies for mpctl
+#mpctl socket
+allow mpdecision mpctl_socket:dir rw_dir_perms;
+allow mpdecision mpctl_socket:sock_file { create_file_perms unlink };
+
+allow mpdecision sysfs:file write;
+
+#default_values file
+allow mpdecision mpctl_data_file:dir rw_dir_perms;
+allow mpdecision mpctl_data_file:file { create_file_perms unlink };
+
+#allow poll of system_server status
+allow mpdecision system_server:dir search;
+allow mpdecision system_server:file { open read };
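Review bot: `allow mpdecision socket_device:dir w_file_perms;` applies a file macro to a dir class; in AOSP's global_macros w_file_perms is `{ open append write lock ioctl }` and carries no add_name/remove_name, so it does not let mpdecision create its socket node under /dev/socket — `w_dir_perms` (or `rw_dir_perms`, as used for mpctl_socket two lines below) is the intended macro. `{ create_file_perms unlink }` is redundant if create_file_perms already includes unlink in this tree's global_macros; confirm against the macro definition. `allow mpdecision sysfs:file write;` is another write on the generic sysfs label; the sysfs_rqstats and sysfs_thermal labels used right above show how to scope it.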
diff --git a/common/netd.te b/common/netd.te
index 3b480ef..cfdc509 100644
--- a/common/netd.te
+++ b/common/netd.te
@@ -3,3 +3,6 @@
allow netd netd:packet_socket { create bind setopt read ioctl };
dontaudit netd self:capability sys_module;
+
+#needed for ipt_TCPMSS and ip6t_TCPMSS
+allow netd kernel:system module_request;
diff --git a/common/netmgrd.te b/common/netmgrd.te
index 03243c1..95226c9 100644
--- a/common/netmgrd.te
+++ b/common/netmgrd.te
@@ -12,7 +12,7 @@
file_type_auto_trans(netmgrd, system_data_file, data_test_data_file)
#Allow netmgrd operations
-allow netmgrd netmgrd:capability { dac_override net_raw net_admin sys_module fsetid setgid setuid };
+allow netmgrd netmgrd:capability { dac_override net_raw net_admin sys_module fsetid setgid setuid setpcap };
#Allow access to kernel modules
allow netmgrd kernel:system { module_request };
@@ -28,7 +28,7 @@
allow netmgrd netmgrd:socket { create ioctl };
allow netmgrd netmgrd:netlink_route_socket { setopt getattr write nlmsg_write };
allow netmgrd init:unix_stream_socket { connectto };
-allow netmgrd property_socket:sock_file { write };
+allow netmgrd property_socket:sock_file write;
qmux_socket(netmgrd);
@@ -38,10 +38,20 @@
#Allow address configuration
allow netmgrd system_prop:property_service { set };
+#Allow setting of DNS and GW Android properties
+allow netmgrd net_radio_prop:property_service { set };
+
#Allow execution of commands in shell
allow netmgrd system_file:file { execute_no_trans };
allow netmgrd self:socket read;
+allow netmgrd sysfs_esoc:dir r_dir_perms;
#Allow communication with netd
allow netmgrd netd_socket:sock_file write;
+
+#Allow nemtgrd to use esoc api's to determine target
+allow netmgrd shell_exec:file { execute r_file_perms execute_no_trans };
+allow netmgrd sysfs_esoc:lnk_file read;
+
+r_dir_file(netmgrd, sysfs_ssr);
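Review bot: `allow netmgrd shell_exec:file { execute r_file_perms execute_no_trans };` runs /system/bin/sh inside the netmgrd domain, which in the first hunk of this file now also holds setpcap alongside net_admin, sys_module, setuid and setgid; the comment `#Allow nemtgrd to use esoc api's to determine target` (typo: netmgrd) does not say why a shell is needed for an esoc query, so name the script or command, or prefer reading the sysfs node directly. With `r_dir_file(domain, sysfs_esoc)` added in domain.te in this same diff, `allow netmgrd sysfs_esoc:dir r_dir_perms;` and `allow netmgrd sysfs_esoc:lnk_file read;` are redundant.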
diff --git a/common/perfd.te b/common/perfd.te
new file mode 100644
index 0000000..00237d8
--- /dev/null
+++ b/common/perfd.te
@@ -0,0 +1,31 @@
+type perfd, domain;
+type perfd_exec, exec_type, file_type;
+
+init_daemon_domain(perfd)
+
+allow perfd self:capability { chown dac_override fsetid };
+allow perfd sysfs_devices_system_cpu:file rw_file_perms;
+allow perfd sysfs_cpu_online:file rw_file_perms;
+allow perfd cpuctl_device:file rw_file_perms;
+allow perfd self:netlink_kobject_uevent_socket { create read setopt bind };
+allow perfd self:socket create_socket_perms;
+
+#mpctl socket
+allow perfd mpctl_socket:dir rw_dir_perms;
+allow perfd mpctl_socket:sock_file { create_file_perms unlink };
+
+allow perfd sysfs:file write;
+
+#default_values file
+allow perfd mpctl_data_file:dir rw_dir_perms;
+allow perfd mpctl_data_file:file { create_file_perms unlink };
+
+#allow poll of system_server status
+allow perfd system_server:dir search;
+allow perfd system_server:file { open read };
+
+allow perfd proc:file write;
+
+#KTM
+allow perfd sysfs_thermal:dir search;
+allow perfd sysfs_thermal:file { open write };
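Review bot: `allow perfd proc:file write;` and `allow perfd sysfs:file write;` are writes on the generic proc and sysfs labels, while the rest of the file targets specific types (sysfs_devices_system_cpu, sysfs_cpu_online, sysfs_thermal); the nodes perfd tunes should get their own labels in file.te and file_contexts so the write surface is bounded. The mpctl socket, default_values and system_server polling rules are copied verbatim from mpdecision.te in this diff; a shared macro or at least a comment noting the two files must stay in sync would stop them drifting. The file has no header comment saying what perfd is.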
diff --git a/common/peripheral_manager.te b/common/peripheral_manager.te
new file mode 100644
index 0000000..fb08d2e
--- /dev/null
+++ b/common/peripheral_manager.te
@@ -0,0 +1,32 @@
+#Policy for peripheral_manager
+#per_mgr - peripheral_manager domain
+type per_mgr, domain;
+
+type per_mgr_exec, exec_type, file_type;
+init_daemon_domain(per_mgr);
+
+#Needed for binder transactions
+binder_use(per_mgr);
+binder_service(per_mgr);
+allow per_mgr self:socket { create ioctl bind read write };
+allow per_mgr per_mgr_service:service_manager add;
+
+#Rules for peripheral manager clients
+#Rules for RILD
+binder_call(per_mgr, rild);
+binder_call(rild, per_mgr);
+
+#Needed by ipc_router
+allow per_mgr self:capability { net_raw };
+
+#Needed to power on the peripheral
+allow per_mgr ssr_device:chr_file { open read };
+
+#Needed by libmdmdetect to figure out the system configuration
+allow per_mgr sysfs_esoc:dir { open search read };
+allow per_mgr sysfs_esoc:lnk_file { read };
+
+#Needed by libmdmdetect to get subsystem info and to check their states
+allow per_mgr sysfs_ssr:dir { open search read };
+allow per_mgr sysfs_ssr:lnk_file { read open };
+
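Review bot: `allow per_mgr per_mgr_service:service_manager add;` references a per_mgr_service type that is not declared anywhere in the visible diff (service.te and service_contexts are listed in Android.mk but not shown), so the build depends on it existing elsewhere — worth confirming. The file ends with a blank line after the last rule, and `init_daemon_domain(per_mgr);`/`binder_use(per_mgr);` carry trailing semicolons that the other new files omit. The sysfs_esoc read rules duplicate the domain-wide `r_dir_file(domain, sysfs_esoc)` added in domain.te.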
diff --git a/common/property.te b/common/property.te
new file mode 100644
index 0000000..1e54640
--- /dev/null
+++ b/common/property.te
@@ -0,0 +1,2 @@
+# property for uicc_daemon
+type uicc_prop, property_type;
diff --git a/common/property_contexts b/common/property_contexts
new file mode 100644
index 0000000..fd1f716
--- /dev/null
+++ b/common/property_contexts
@@ -0,0 +1,2 @@
+wc_transport. u:object_r:bluetooth_prop:s0
+usb_uicc. u:object_r:uicc_prop:s0
diff --git a/common/qcomsysd.te b/common/qcomsysd.te
new file mode 100644
index 0000000..483b97b
--- /dev/null
+++ b/common/qcomsysd.te
@@ -0,0 +1,21 @@
+#Policy file for qcom-system-daemon
+#qcomsysd = qcom-system-daemon domain
+type qcomsysd, domain;
+type qcomsysd_exec, exec_type, file_type;
+init_daemon_domain(qcomsysd);
+
+#Needed for logging
+allow qcomsysd smem_log_device:chr_file { open read write ioctl };
+
+#Needed for handling diag commands
+allow qcomsysd diag_device:chr_file { open read write ioctl };
+
+#Needed to read/write cookies to the misc partition
+allow qcomsysd misc_partition:blk_file { open read getattr write };
+
+#Needed to access the bootselect partition
+allow qcomsysd bootselect_device:blk_file { open read getattr write };
+
+#Needed to get image info from socinfo
+allow qcomsysd sysfs_socinfo:dir { open search read };
+allow qcomsysd sysfs_socinfo:file { open read write };
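Review bot: `allow qcomsysd sysfs_socinfo:file { open read write };` grants write although the comment above says `#Needed to get image info from socinfo`, and read on sysfs_socinfo is already given to every domain by `r_dir_file(domain, sysfs_socinfo)` in domain.te; drop `write` unless the daemon really stores something there, in which case the comment should say what. The writes to `misc_partition` and `bootselect_device` are the sensitive part of this domain since they influence boot selection, so the two comments would be more useful if they described what is written rather than just "cookies".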
diff --git a/common/qlogd.te b/common/qlogd.te
new file mode 100644
index 0000000..74e154f
--- /dev/null
+++ b/common/qlogd.te
@@ -0,0 +1,36 @@
+# qlogd
+type qlogd, domain;
+type qlogd_exec, exec_type, file_type;
+
+# make transition from init to its domain
+init_daemon_domain(qlogd)
+
+# need to access sharemem log device for smem logs
+allow qlogd smem_log_device:chr_file { open read write ioctl };
+
+# need to add more capabilities for qlogd
+allow qlogd self:capability { setuid setgid dac_override dac_read_search sys_admin };
+allow qlogd self:capability2 syslog;
+
+# need to access system_data partitions for configration files
+allow qlogd system_data_file:dir { write add_name };
+allow qlogd system_data_file:file { open read write create };
+allow qlogd system_file:file execute_no_trans;
+
+# need to create and listen socket
+allow qlogd socket_device:sock_file { create setattr };
+allow qlogd qlogd_socket:sock_file { create read write setattr };
+
+# need to start shell execute files
+allow qlogd shell_exec:file { execute read open execute_no_trans };
+
+# need to create and write files in fuse partition
+allow qlogd fuse:dir { search read write add_name create open };
+allow qlogd fuse:file { create read write append open getattr };
+
+#need to capture kmsg
+allow qlogd kernel:system syslog_mod;
+
+# need for capture adb logs
+allow qlogd logdr_socket:sock_file write;
+allow qlogd logd:unix_stream_socket connectto;
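Review bot: `allow qlogd self:capability { setuid setgid dac_override dac_read_search sys_admin };` plus shell execution and writes into fuse make qlogd one of the most privileged new domains in this diff, and app.te in the same diff lets every appdomain connect to its socket; either narrow the client set or confine the daemon (this file, its Android.mk entry and the /system/xbin/qlogd label) to userdebug_or_eng builds. `allow qlogd system_data_file:dir { write add_name }` and `system_data_file:file { open read write create }` create files that stay labelled system_data_file; a dedicated qlogd_data_file with a `type_transition`, as rfs_access.te and dpmd.te do here, keeps its output separable from the rest of /data. The comment `# need to access system_data partitions for configration files` has a typo (configuration).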
diff --git a/common/qmuxd.te b/common/qmuxd.te
index 40cdac8..daab790 100644
--- a/common/qmuxd.te
+++ b/common/qmuxd.te
@@ -28,8 +28,20 @@
allow qmuxd hsic_device:chr_file { rw_file_perms };
#Allow qmuxd to operate in platform specific transports
-allow qmuxd sysfs_smd_open_timeout:file { append write };
+allow qmuxd sysfs_smd_open_timeout:file w_file_perms;
allow qmuxd sysfs_wake_lock:file { append open };
#Allow qmuxd to write in hsic specific transport
-allow qmuxd sysfs:file { write };
+allow qmuxd sysfs:file w_file_perms;
+
+allow qmuxd self:capability { setuid setgid setpcap dac_override };
+
+#Allow qmuxd to have the CAP_BLOCK_SUSPEND capability
+allow qmuxd qmuxd:capability2 { block_suspend };
+
+allow qmuxd sysfs_esoc:dir r_dir_perms;
+allow qmuxd sysfs_hsic_modem_wait:file w_file_perms;
+allow qmuxd sysfs_esoc:lnk_file read;
+
+r_dir_file(qmuxd, sysfs_ssr);
+allow qmuxd mhi_device:chr_file rw_file_perms;
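Review bot: `allow qmuxd qmuxd:capability2 { block_suspend };` names the domain as its own target where the file's convention, three lines earlier in `allow qmuxd self:capability { ... }`, is `self`; write `allow qmuxd self:capability2 block_suspend;`. The replacement `allow qmuxd sysfs:file w_file_perms;` widens the previous bare `write` on the generic sysfs label to open/append/lock/ioctl on every sysfs node that is still unlabeled, while the comment above still says this is for the hsic transport; the hsic node is labeled on the very next lines (`sysfs_hsic_modem_wait`), so the generic rule can presumably be dropped rather than broadened.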
diff --git a/common/radio.te b/common/radio.te
index f8e3ace..b7f248c 100644
--- a/common/radio.te
+++ b/common/radio.te
@@ -4,3 +4,4 @@
#Need permission to execute com.qualcomm.qti.telephony/app_dex/xx
allow radio radio_data_file:file execute;
+allow radio shell_data_file:dir search;
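Review bot: `allow radio shell_data_file:dir search;` has no comment explaining why the radio domain needs to look into shell-writable data, whereas the rule directly above it documents its purpose. If this only supports debugging, wrap it in `userdebug_or_eng(...)`; otherwise add a one-line reason such as `# Needed to <reason> — confirm` so the rule can be retired when the need is gone.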
diff --git a/common/rfs_access.te b/common/rfs_access.te
new file mode 100644
index 0000000..129ffa3
--- /dev/null
+++ b/common/rfs_access.te
@@ -0,0 +1,40 @@
+# rfs_access - rfs_access daemon
+type rfs_access, domain;
+type rfs_access_exec, exec_type, file_type;
+init_daemon_domain(rfs_access)
+
+#The files created by rfs_access process in the /data folder will have type rfs_data_file
+type_transition rfs_access system_data_file:{ dir file } rfs_data_file;
+
+#To read the uio char device
+allow rfs_access uio_device:chr_file { read write open };
+
+#For QMI sockets
+allow rfs_access self:socket { create_socket_perms };
+
+#For Wakelocks
+allow rfs_access self:capability2 block_suspend;
+allow rfs_access sysfs_wake_lock:file { open write append };
+
+#To create the /data/rfs
+allow rfs_access system_data_file:dir { write add_name };
+
+#For system folder entries
+allow rfs_access rfs_system_file:dir search;
+allow rfs_access rfs_system_file:lnk_file read;
+
+#For data folder entries
+allow rfs_access rfs_data_file:dir { write search create add_name };
+allow rfs_access rfs_data_file:file { open read write create append getattr };
+
+#For ramdump entries in /data/tombstones.
+allow rfs_access tombstone_data_file:dir { write search create add_name };
+allow rfs_access tombstone_data_file:file { open read write create append getattr };
+
+#For firmware entries in /firmware to read NHLOS.bin files ( only perms to read and get attributes).
+allow rfs_access firmware_file:dir { search };
+allow rfs_access firmware_file:file { open read getattr };
+
+#Prevent other domains from accessing RFS data files.
+neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:dir { write search create add_name };
+neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:file { open read write create append getattr };
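Review bot: The two `neverallow` rules at the end forbid exactly the permission sets rfs_access itself is granted, so `unlink`, `remove_name`, `rename`, `setattr` and `rmdir` on rfs_data_file are not covered and the comment `Prevent other domains from accessing RFS data files` overstates what is enforced. If full isolation is intended, use the class-wide form `rfs_data_file:{ dir file } *` with the same exclusion set and let the build report which domain still needs an exception. `allow rfs_access self:socket { create_socket_perms };` wraps a macro in braces and `firmware_file:dir { search };` braces a single permission; usb_uicc_daemon.te in this change writes `self:socket create_socket_perms;`, so one form should be chosen.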
diff --git a/common/rild.te b/common/rild.te
index 900aced..73631c0 100644
--- a/common/rild.te
+++ b/common/rild.te
@@ -1,13 +1,23 @@
-
#allow rild qmux_radio_socket:dir { write remove_name search add_name };
#allow rild qmux_radio_socket:sock_file { write create unlink setattr };
#allow rild qmuxd:unix_stream_socket connectto;
qmux_socket(rild);
+binder_use(rild)
-allow rild subsys_esoc0_device:chr_file { open read };
+allow rild ssr_device:chr_file { open read };
+allow rild sysfs_esoc:dir { search read open};
+allow rild sysfs_esoc:lnk_file { read };
+allow rild sysfs_esoc:file { write };
+allow rild sysfs_ssr:dir { open search read };
+allow rild sysfs_ssr:lnk_file { read open };
-allow rild servicemanager:binder call;
allow rild mediaserver:binder { transfer call };
#allow rild diag_device:chr_file { open read write };
allow rild rild_socket:chr_file { open read write };
+
+allow rild sysfs_ssr:dir r_dir_perms;
+allow rild sysfs_ssr:lnk_file read;
+allow rild system_data_file:dir w_dir_perms;
+allow rild system_data_file:file create_file_perms;
+allow rild time_daemon:unix_stream_socket connectto;
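Review bot: `allow rild sysfs_ssr:dir r_dir_perms;` and `allow rild sysfs_ssr:lnk_file read;` near the end duplicate `allow rild sysfs_ssr:dir { open search read };` and `allow rild sysfs_ssr:lnk_file { read open };` added a few lines earlier; keep the macro forms and delete the explicit pair. `allow rild system_data_file:dir w_dir_perms;` together with `allow rild system_data_file:file create_file_perms;` lets rild create files under the generic /data label with no `type_transition`, so whatever it writes is reachable by every domain with system_data_file access; rfs_access.te and sensors.te in this same change use a dedicated type with a `type_transition`, and rild should follow them. `allow rild sysfs_esoc:file { write };` has no comment naming the node written, while the other sysfs rules here are read-only.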
diff --git a/common/rmt_storage.te b/common/rmt_storage.te
index 2ee8365..ad70463 100644
--- a/common/rmt_storage.te
+++ b/common/rmt_storage.te
@@ -12,3 +12,5 @@
allow rmt_storage self:socket { create_socket_perms };
allow rmt_storage sysfs_wake_lock:file { open write append };
allow rmt_storage uio_device:chr_file { read write open };
+allow rmt_storage mmc_block_device:blk_file read;
+allow rmt_storage self:capability { net_raw setpcap };
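Review bot: `allow rmt_storage mmc_block_device:blk_file read;` gives raw read access to the whole block device node rather than to the partition remote storage presumably serves, and there is no comment on why; if a specific partition is meant, labeling its node separately keeps the rest of the flash out of reach. `net_raw` in `allow rmt_storage self:capability { net_raw setpcap };` likewise needs a one-line rationale (presumably the QMI socket, but a storage daemon holding raw-socket capability should state it), e.g. `# net_raw: <reason> — confirm`.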
diff --git a/common/sensors.te b/common/sensors.te
index e865b35..ef4abad 100644
--- a/common/sensors.te
+++ b/common/sensors.te
@@ -5,6 +5,8 @@
# Started by init
init_daemon_domain(sensors)
+type_transition sensors system_data_file:{ dir file } sensors_data_file;
+
# Change own perms to (nobody,nobody)
allow sensors self:capability { setuid setgid };
# Chown /data/misc/sensors/debug/ to nobody
@@ -21,6 +23,7 @@
# Create directories and files under /data/misc/sensors
# and /data/system/sensors. Allow generic r/w file access.
+allow sensors system_data_file:dir create_dir_perms;
allow sensors sensors_data_file:dir create_dir_perms;
allow sensors sensors_data_file:file create_file_perms;
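Review bot: `allow sensors system_data_file:dir create_dir_perms;` grants create/rmdir/remove_name/rename/setattr on every directory labeled system_data_file, while the comment above says the goal is creating the sensors subdirectories. With the `type_transition` added in the first hunk, `{ search write add_name }` on system_data_file is enough for the top-level create (rfs_access.te and time_daemon.te in this change use exactly that set), and the full `create_dir_perms` belongs only on sensors_data_file, where the next line already has it; change the line to `allow sensors system_data_file:dir { search write add_name };`.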
@@ -29,7 +32,7 @@
# Access to /persist/sensors
allow sensors persist_file:dir r_dir_perms;
-allow sensors sensors_persist_file:dir rw_dir_perms;
+allow sensors sensors_persist_file:dir create_dir_perms;
allow sensors sensors_persist_file:file create_file_perms;
# Wake lock access
diff --git a/common/service.te b/common/service.te
index 612d43d..ca44082 100644
--- a/common/service.te
+++ b/common/service.te
@@ -1 +1,3 @@
type atfwd_service, service_manager_type;
+type per_mgr_service, service_manager_type;
+type dpmservice, service_manager_type;
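Review bot: `type dpmservice, service_manager_type;` departs from the `<name>_service` naming the other two types in this file follow (`atfwd_service`, `per_mgr_service`) and shares its spelling with the service name `dpmservice` in service_contexts, which makes `u:object_r:dpmservice:s0` easy to misread as a domain. A `dpm_service` type, updated in service_contexts, system_app.te and system_server.te, would be consistent.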
diff --git a/common/service_contexts b/common/service_contexts
index c549ecf..80919b8 100644
--- a/common/service_contexts
+++ b/common/service_contexts
@@ -1 +1,3 @@
-AtCmdFwd u:object_r:atfwd_service:s0
+AtCmdFwd u:object_r:atfwd_service:s0
+vendor.qcom.PeripheralManager u:object_r:per_mgr_service:s0
+dpmservice u:object_r:dpmservice:s0
diff --git a/common/servicemanager.te b/common/servicemanager.te
new file mode 100644
index 0000000..2949b4d
--- /dev/null
+++ b/common/servicemanager.te
@@ -0,0 +1,3 @@
+allow servicemanager rild:dir search;
+allow servicemanager rild:file r_file_perms;
+allow servicemanager rild:process getattr;
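Review bot: The new file has no comment explaining its three rules; `allow servicemanager rild:dir search;`, `rild:file r_file_perms` and `rild:process getattr` presumably let servicemanager read /proc/<pid> of rild to look up its security context when rild registers a service, which is why dir/file classes appear on a process type. Add `# Let servicemanager read /proc/<pid> of rild to look up its context on service registration — confirm` at the top; if further domains start registering services, this three-rule pattern will recur and may be worth a macro.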
diff --git a/common/ssr_setup.te b/common/ssr_setup.te
new file mode 100644
index 0000000..0ec733a
--- /dev/null
+++ b/common/ssr_setup.te
@@ -0,0 +1,17 @@
+#Policy for ssr_setup
+#ssr_setup - ssr_setup domain
+type ssr_setup, domain;
+type ssr_setup_exec, exec_type, file_type;
+init_daemon_domain(ssr_setup);
+
+#Required to discover esoc's
+allow ssr_setup sysfs_esoc:dir { r_file_perms search };
+allow ssr_setup sysfs_esoc:lnk_file r_file_perms;
+
+#Required to enable/disable ssr
+allow ssr_setup sysfs_ssr:dir { r_file_perms search };
+allow ssr_setup sysfs_ssr_toggle:file rw_file_perms;
+allow ssr_setup sysfs_ssr:lnk_file rw_file_perms;
+
+#Keeping this here till sysfs labeling is resolved
+allow ssr_setup sysfs:file w_file_perms;
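Review bot: `allow ssr_setup sysfs_esoc:dir { r_file_perms search };` and the matching sysfs_ssr:dir line use the file macro on a dir class; `r_dir_perms` is the dedicated macro (used by rild.te and sensors.te in this change) and already includes search, so write `allow ssr_setup sysfs_esoc:dir r_dir_perms;`. `allow ssr_setup sysfs_ssr:lnk_file rw_file_perms;` grants write/append/open on a symlink, which is not a meaningful operation; `read` alone matches the other lnk_file rules in this change. `allow ssr_setup sysfs:file w_file_perms;` under `Keeping this here till sysfs labeling is resolved` is a write grant to every unlabeled sysfs node; the comment should name the nodes still unlabeled and carry a TODO so the rule is removed once they are. `init_daemon_domain(ssr_setup);` also has a trailing semicolon after the macro where rfs_access.te and usb_uicc_daemon.te in this change have none.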
diff --git a/common/surfaceflinger.te b/common/surfaceflinger.te
index 9193f38..70eb70d 100644
--- a/common/surfaceflinger.te
+++ b/common/surfaceflinger.te
@@ -1,2 +1,8 @@
-allow surfaceflinger sysfs_graphics:chr_file rw_file_perms;
+allow surfaceflinger sysfs_graphics:file rw_file_perms;
allow surfaceflinger shell_data_file:dir search;
+
+# Allows pp-daemon to refresh the screen in calibration mode
+userdebug_or_eng(`
+ allow surfaceflinger mm-pp-daemon:dir search;
+ allow surfaceflinger mm-pp-daemon:file r_file_perms;
+')
diff --git a/common/system_app.te b/common/system_app.te
index da0489e..a6ddf47 100644
--- a/common/system_app.te
+++ b/common/system_app.te
@@ -2,3 +2,11 @@
allow system_app fm_radio_device:chr_file { read open ioctl};
allow system_app ctl_default_prop:property_service set;
allow system_app atfwd_service:service_manager add;
+
+# access to perflock
+allow system_app mpctl_socket:dir r_dir_perms;
+unix_socket_send(system_app, mpctl, mpdecision)
+unix_socket_connect(system_app, mpctl, mpdecision)
+allow system_app dpmservice:service_manager add;
+unix_socket_send(system_app, mpctl, perfd)
+unix_socket_connect(system_app, mpctl, perfd)
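Review bot: `allow system_app dpmservice:service_manager add;` sits inside the block introduced by `# access to perflock`, between the mpdecision and perfd socket rules, so that comment no longer describes what follows it; move the line above the block or give it its own comment. The same mpctl socket is granted with both `mpdecision` and `perfd` as server here and in system_server.te; if only one of them owns the socket on a given target, a comment saying so would stop a reader from concluding that two daemons share it.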
diff --git a/common/system_server.te b/common/system_server.te
index 920bb9f..2c194da 100644
--- a/common/system_server.te
+++ b/common/system_server.te
@@ -11,3 +11,21 @@
allow system_server sensors:unix_stream_socket sendto;
allow system_server sensors_socket:sock_file r_file_perms;
qmux_socket(system_server);
+
+# access to perflock
+allow system_server mpctl_socket:dir r_dir_perms;
+unix_socket_send(system_server, mpctl, mpdecision)
+unix_socket_connect(system_server, mpctl, mpdecision)
+
+# allow system/framework applications to update the dpmd configuration files
+#allow system_server dpmd:unix_stream_socket connectto;
+unix_socket_connect(system_server, dpmd, dpmd);
+allow system_server dpmd_socket:sock_file write;
+#allow system_server dpmd_data_file:dir { write read getattr open add_name };
+allow system_server dpmd_data_file:dir rw_dir_perms;
+#allow system_server dpmd_data_file:file { write getattr setattr read lock create open };
+allow system_server dpmd_data_file:file rw_file_perms;
+allow system_server dpmservice:service_manager add;
+allow system_server socket_device:sock_file write;
+unix_socket_send(system_server, mpctl, perfd)
+unix_socket_connect(system_server, mpctl, perfd)
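Review bot: `allow system_server socket_device:sock_file write;` grants write to every socket file still carrying the generic /dev/socket label, which is broader than the dpmd rules around it need; dpmd's socket already has its own type (`dpmd_socket`, used a few lines above), so this rule should name whichever socket is actually still unlabeled or be dropped. The three commented-out `#allow ...` lines are the verbose forms of the macro rules directly below them (`unix_socket_connect(system_server, dpmd, dpmd);` already includes the connectto rule the first one spells out); delete them rather than leaving two versions.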
diff --git a/common/te_macros b/common/te_macros
index 927de5a..485bfb7 100644
--- a/common/te_macros
+++ b/common/te_macros
@@ -5,9 +5,7 @@
# Also allow the client domain to remove
# its own socket.
define(`qmux_socket', `
-type $1_qmuxd_socket, file_type;
-file_type_auto_trans($1, qmuxd_socket, $1_qmuxd_socket)
-allow $1 qmuxd_socket:dir remove_name;
+allow $1 qmuxd_socket:dir create_dir_perms;
unix_socket_connect($1, qmuxd, qmuxd)
-allow qmuxd $1_qmuxd_socket:sock_file { getattr unlink };
+allow $1 qmuxd_socket:sock_file { read getattr write setattr create unlink };
')
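Review bot: The rewritten `qmux_socket` macro drops the per-client `$1_qmuxd_socket` type and its auto-transition, and instead gives every client `create_dir_perms` on the shared `qmuxd_socket` directory plus `{ read getattr write setattr create unlink }` on all `qmuxd_socket:sock_file` objects, so any qmux client (rild, thermal-engine, wpa and system_server in this change) can now unlink, setattr or write to another client's socket, and `create_dir_perms` also permits rmdir/rename of the directory itself. That loses the isolation the old scheme provided; if the transition was dropped for a practical reason it should be stated in the header comment, and at minimum `create_dir_perms` should shrink to `{ search write add_name remove_name }`. The comment above the macro, `Also allow the client domain to remove its own socket`, is now inaccurate because the grant is no longer limited to the client's own socket.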
diff --git a/common/thermal-engine.te b/common/thermal-engine.te
index 8e0e7a8..e42e9b2 100644
--- a/common/thermal-engine.te
+++ b/common/thermal-engine.te
@@ -21,4 +21,5 @@
allow thermal-engine sysfs_thermal:lnk_file read;
#This is required for qmi access
qmux_socket(thermal-engine);
-allow thermal-engine sysfs_mpdecision:file { read open };
+allow thermal-engine sysfs_mpdecision:file rw_file_perms;
+r_dir_file(thermal-engine, sysfs_ssr);
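Review bot: `allow thermal-engine sysfs_mpdecision:file rw_file_perms;` turns a read-only grant into read/write with no comment saying what thermal-engine writes there; the comment above covers only qmi access. Add a one-line reason for the write, or use `r_file_perms` if read was all that was missing.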
diff --git a/common/time_daemon.te b/common/time_daemon.te
index b2be79f..5793197 100644
--- a/common/time_daemon.te
+++ b/common/time_daemon.te
@@ -5,7 +5,7 @@
# Make transition to its own time_daemon domain from init
init_daemon_domain(time_daemon)
-allow time_daemon smem_log_device:chr_file { read write };
+allow time_daemon smem_log_device:chr_file rw_file_perms;
# Add rules for access permissions
#============= IOCTL operations ==============
@@ -17,3 +17,5 @@
allow time_daemon time_data_file:dir { write add_name search};
allow time_daemon self:socket { write read create ioctl};
allow time_daemon self:capability { setuid setgid };
+
+r_dir_file(time_daemon, sysfs_esoc);
diff --git a/common/ueventd.te b/common/ueventd.te
index fe115de..eb390a8 100644
--- a/common/ueventd.te
+++ b/common/ueventd.te
@@ -13,3 +13,5 @@
allow ueventd sysfs_battery_supply:file w_file_perms;
allow ueventd sysfs_thermal:file w_file_perms;
allow ueventd sysfs_usb_supply:file w_file_perms;
+
+allow ueventd sysfs_socinfo:file w_file_perms;
diff --git a/common/untrusted_app.te b/common/untrusted_app.te
new file mode 100644
index 0000000..4968a67
--- /dev/null
+++ b/common/untrusted_app.te
@@ -0,0 +1,4 @@
+allow dpmd untrusted_app:fd use;
+allow dpmd untrusted_app:tcp_socket { read write };
+allow untrusted_app dpmd:unix_stream_socket connectto;
+allow untrusted_app dpmd_socket:sock_file write;
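Review bot: The first two rules, `allow dpmd untrusted_app:fd use;` and `allow dpmd untrusted_app:tcp_socket { read write };`, have dpmd as subject and belong in dpmd.te (listed in Android.mk by this change), not in a file named for untrusted_app; keeping a domain's grants in one place is how these files get audited. The remaining two lines open dpmd's socket to every untrusted app and let dpmd read and write TCP sockets those apps hand it, so dpmd's socket protocol becomes attack surface reachable from any installed app; that should be stated in a comment here, with a pointer to where dpmd validates what it receives. For consistency with system_server.te in this change, use `unix_socket_connect(untrusted_app, dpmd, dpmd)` rather than the expanded `connectto` rule.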
diff --git a/common/usb_uicc_daemon.te b/common/usb_uicc_daemon.te
new file mode 100644
index 0000000..7b4a056
--- /dev/null
+++ b/common/usb_uicc_daemon.te
@@ -0,0 +1,14 @@
+# usb_uicc_daemon
+type usb_uicc_daemon, domain;
+type usb_uicc_daemon_exec, exec_type, file_type;
+
+# Make transition from init to its domain
+init_daemon_domain(usb_uicc_daemon)
+
+allow usb_uicc_daemon property_socket:sock_file w_file_perms;
+allow usb_uicc_daemon self:socket create_socket_perms;
+allow usb_uicc_daemon usb_uicc_device:chr_file rw_file_perms;
+allow usb_uicc_daemon uicc_prop:property_service set;
+allow usb_uicc_daemon sysfs_usb_uicc:file rw_file_perms;
+allow usb_uicc_daemon sysfs_usb_uicc:dir rw_dir_perms;
+allow usb_uicc_daemon init:unix_stream_socket connectto;
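Review bot: `allow usb_uicc_daemon property_socket:sock_file w_file_perms;`, `uicc_prop:property_service set` and `init:unix_stream_socket connectto` at the end are the expanded form of the property-set idiom split across the block; `unix_socket_connect(usb_uicc_daemon, property, init)` expresses the socket part in one line (and a `set_prop` macro all three, if this tree's te_macros provides one) and keeps the related rules together. `allow usb_uicc_daemon sysfs_usb_uicc:dir rw_dir_perms;` grants add_name/remove_name on a sysfs directory, which sysfs does not honour; `r_dir_perms` is sufficient and matches the other sysfs dir rules in this change. A comment naming the sysfs_usb_uicc nodes that are written would also help.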
diff --git a/common/vm_bms.te b/common/vm_bms.te
new file mode 100644
index 0000000..68f2862
--- /dev/null
+++ b/common/vm_bms.te
@@ -0,0 +1,23 @@
+#integrated process
+type vm_bms, domain;
+type vm_bms_exec, exec_type, file_type;
+
+#started by init
+init_daemon_domain(vm_bms)
+
+#allow vm_bms to visit chr_file
+allow vm_bms tmpfs:chr_file { read write getattr };
+allow vm_bms vm_bms_device:chr_file { open read write ioctl };
+allow vm_bms battery_data_device:chr_file { open read write ioctl };
+
+#allow vm_bms to drop down to system service
+allow vm_bms self:capability { setpcap setgid setuid };
+
+#allow vm_bms to block the system suspend
+allow vm_bms self:capability2 block_suspend;
+
+#allow vm_bms to get the wake lock
+allow vm_bms sysfs_wake_lock:file rw_file_perms;
+
+#allow vm_bms to visit sysfs
+allow vm_bms sysfs:file rw_file_perms;
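Review bot: `allow vm_bms sysfs:file rw_file_perms;` under `#allow vm_bms to visit sysfs` grants read and write to every unlabeled sysfs node; the comment should name the specific nodes so they can be labeled (as vm_bms_device and battery_data_device already are above) and the generic rule removed. `allow vm_bms tmpfs:chr_file { read write getattr };` without `open` suggests an inherited descriptor to a device node still labeled tmpfs when it was opened — confirm and comment, since a tmpfs-labeled chr_file usually means a node that was never relabeled. The header `#integrated process` does not say what vm_bms is; one line naming the daemon (presumably a battery monitor, given battery_data_device) would help.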
diff --git a/common/wpa.te b/common/wpa.te
index ffd68cc..1917ef7 100644
--- a/common/wpa.te
+++ b/common/wpa.te
@@ -1 +1,2 @@
allow wpa persist_file:dir search;
+qmux_socket(wpa);
diff --git a/test/file_contexts b/test/file_contexts
index 2a4319c..d1e7b1d 100644
--- a/test/file_contexts
+++ b/test/file_contexts
@@ -3,3 +3,23 @@
/system/bin/qmi-framework-tests/qmi_test.* u:object_r:qmi_test_service_exec:s0
/system/bin/diag_dci_client u:object_r:diagdciclient_exec:s0
+
+/system/bin/ptt_socket_app u:object_r:wpa_exec:s0
+/system/bin/athdiag u:object_r:wpa_exec:s0
+/system/bin/cld-fwlog-netlink u:object_r:wpa_exec:s0
+/system/bin/cld-fwlog-record u:object_r:wpa_exec:s0
+/system/bin/cld-fwlog-parser u:object_r:wpa_exec:s0
+/system/bin/cnss-diag u:object_r:wpa_exec:s0
+/system/bin/iwpriv u:object_r:wpa_exec:s0
+/system/bin/iwconfig u:object_r:wpa_exec:s0
+/system/bin/iwlist u:object_r:wpa_exec:s0
+/system/bin/iwss_test u:object_r:wpa_exec:s0
+/system/bin/pktlogconf u:object_r:wpa_exec:s0
+/system/bin/iperf u:object_r:wpa_exec:s0
+/system/bin/mboxping u:object_r:wpa_exec:s0
+/system/bin/sigma_dut u:object_r:wpa_exec:s0
+/system/bin/pktlog u:object_r:wpa_exec:s0
+/system/bin/hal_proxy_daemon u:object_r:wpa_exec:s0
+/system/bin/Wifilogger_app u:object_r:wpa_exec:s0
+/system/bin/hs20-osu-client u:object_r:wpa_exec:s0
+/system/bin/ndc u:object_r:wpa_exec:s0