
sm8450-common: Initial sepolicy

Change-Id: Ia21793576649e8518e79e4680e0b79b6a9331720
Arian 2 年之前
父节点
当前提交
37eea61587
共有 52 个文件被更改,包括 1087 次插入0 次删除
  1. 4 0
      BoardConfigCommon.mk
  2. 5 0
      sepolicy/public/property_contexts
  3. 1 0
      sepolicy/vendor/agmservice_qti.te
  4. 2 0
      sepolicy/vendor/audioadsprpcd.te
  5. 8 0
      sepolicy/vendor/audioserver.te
  6. 35 0
      sepolicy/vendor/batterysecret.te
  7. 27 0
      sepolicy/vendor/bluetooth.te
  8. 2 0
      sepolicy/vendor/bootanim.te
  9. 8 0
      sepolicy/vendor/ddr_training.te
  10. 9 0
      sepolicy/vendor/device.te
  11. 41 0
      sepolicy/vendor/file.te
  12. 97 0
      sepolicy/vendor/file_contexts
  13. 15 0
      sepolicy/vendor/genfs_contexts
  14. 12 0
      sepolicy/vendor/hal_audio.te
  15. 2 0
      sepolicy/vendor/hal_bluetooth.te
  16. 37 0
      sepolicy/vendor/hal_camera_default.te
  17. 50 0
      sepolicy/vendor/hal_citsensorservice_xiaomi.te
  18. 2 0
      sepolicy/vendor/hal_display_config.te
  19. 69 0
      sepolicy/vendor/hal_displayfeature_xiaomi.te
  20. 18 0
      sepolicy/vendor/hal_dms.te
  21. 26 0
      sepolicy/vendor/hal_fingerprint.te
  22. 8 0
      sepolicy/vendor/hal_gnss.te
  23. 15 0
      sepolicy/vendor/hal_graphics_composer.te
  24. 3 0
      sepolicy/vendor/hal_light.te
  25. 24 0
      sepolicy/vendor/hal_mfidoca.te
  26. 27 0
      sepolicy/vendor/hal_mlipay.te
  27. 55 0
      sepolicy/vendor/hal_mtdservice.te
  28. 3 0
      sepolicy/vendor/hal_nfc.te
  29. 20 0
      sepolicy/vendor/hal_perf.te
  30. 1 0
      sepolicy/vendor/hal_power.te
  31. 27 0
      sepolicy/vendor/hal_quickcamera.te
  32. 3 0
      sepolicy/vendor/hal_secure_element.te
  33. 26 0
      sepolicy/vendor/hal_sensorcommunicate.te
  34. 8 0
      sepolicy/vendor/hal_sensors.te
  35. 17 0
      sepolicy/vendor/hal_slaservice.te
  36. 34 0
      sepolicy/vendor/hal_tidaservice.te
  37. 14 0
      sepolicy/vendor/hwservice_contexts
  38. 8 0
      sepolicy/vendor/init.te
  39. 30 0
      sepolicy/vendor/mi_thermald.te
  40. 1 0
      sepolicy/vendor/modprobe.te
  41. 40 0
      sepolicy/vendor/property.te
  42. 144 0
      sepolicy/vendor/property_contexts
  43. 2 0
      sepolicy/vendor/qrtr.te
  44. 9 0
      sepolicy/vendor/rild.te
  45. 36 0
      sepolicy/vendor/slad.te
  46. 4 0
      sepolicy/vendor/surfaceflinger.te
  47. 1 0
      sepolicy/vendor/system_server.te
  48. 3 0
      sepolicy/vendor/tee.te
  49. 11 0
      sepolicy/vendor/vendor_qti_init_shell.te
  50. 25 0
      sepolicy/vendor/vendorcodec.te
  51. 2 0
      sepolicy/vendor/vndservice_contexts
  52. 16 0
      sepolicy/vendor/wcnss_service.te

+ 4 - 0
BoardConfigCommon.mk

@@ -108,6 +108,10 @@ ENABLE_VENDOR_RIL_SERVICE := true
 # Sepolicy
 include device/qcom/sepolicy_vndr/SEPolicy.mk
 
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/private
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/public
+BOARD_VENDOR_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/vendor
+
 # VINTF
 DEVICE_MATRIX_FILE := $(COMMON_PATH)/vintf/compatibility_matrix.xml
 

+ 5 - 0
sepolicy/public/property_contexts

@@ -0,0 +1,5 @@
+# MIUI
+ro.miui.                       u:object_r:exported_system_prop:s0
+ro.product.mod_device    u:object_r:exported_default_prop:s0 exact string
+ro.cust.test                      u:object_r:exported_system_prop:s0
+ro.carrier u:object_r:exported_default_prop:s0 exact string

+ 1 - 0
sepolicy/vendor/agmservice_qti.te

@@ -0,0 +1 @@
+allow vendor_agmservice_qti debugfs:dir r_dir_perms;
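Review bot: The rule grants `vendor_agmservice_qti` read access to `debugfs` directories unconditionally, but on recent Android releases debugfs is meant to be unavailable on user builds once boot completes, so this reads like a diagnostics leftover rather than a production requirement. If it is only needed for debugging, wrap it so it does not ship in user builds: `userdebug_or_eng(`allow vendor_agmservice_qti debugfs:dir r_dir_perms;`)`. Otherwise a comment naming the debugfs node the service reads would justify keeping it.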

+ 2 - 0
sepolicy/vendor/audioadsprpcd.te

@@ -0,0 +1,2 @@
+allow vendor_audioadsprpcd vendor_audio_data_file:dir search;
+allow vendor_audioadsprpcd vendor_audio_data_file:file { append create getattr open read setattr write };

+ 8 - 0
sepolicy/vendor/audioserver.te

@@ -0,0 +1,8 @@
+allow audioserver system_server:dir search;
+allow audioserver mediaserver:dir search;
+allow audioserver mediaserver:file { open read };
+allow audioserver system_app:dir search;
+allow audioserver hal_audio_default:process signal;
+allow audioserver sound_device:chr_file rw_file_perms;
+get_prop(audioserver, bootanim_system_prop)
+set_prop(audioserver, audio_prop)
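Review bot: `audioserver` is a core system domain, yet this file sits in the vendor policy directory and points it at `sound_device`, a `dev_type` this same commit declares in the vendor `device.te`; that couples system and vendor policy in exactly the way Treble tries to avoid, so it is worth checking whether the vendor audio HAL should own that device instead. The `system_server:dir search`, `mediaserver:dir search` and `mediaserver:file { open read }` rules presumably stem from /proc/<pid> lookups of other processes; the denial that motivated them should be recorded in a comment, e.g. `# audioserver reads /proc/<pid>/... of mediaserver (denial seen at boot)`. `allow audioserver hal_audio_default:process signal;` lets audioserver send signals to the HAL process and deserves the same justification.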

+ 35 - 0
sepolicy/vendor/batterysecret.te

@@ -0,0 +1,35 @@
+allow batterysecret rootfs:dir write;
+allow batterysecret self:capability sys_tty_config;
+allow batterysecret self:capability sys_boot;
+allow batterysecret self:capability { chown fsetid };
+allow batterysecret self:netlink_kobject_uevent_socket { bind create read setopt };
+allow batterysecret self:capability2 block_suspend;
+allow batterysecret self:cap2_userns block_suspend;
+allow batterysecret sysfs_wake_lock:file rw_file_perms;
+allow batterysecret vendor_sysfs_battery_supply:file rw_file_perms;
+allow batterysecret vendor_sysfs_battery_supply:dir r_dir_perms;
+allow batterysecret vendor_sysfs_qcom_battery:file rw_file_perms;
+allow batterysecret vendor_sysfs_qcom_battery:file write;
+allow batterysecret vendor_sysfs_qcom_battery:file { open read write };
+allow batterysecret vendor_sysfs_qcom_battery:dir r_dir_perms;
+allow batterysecret system_suspend_server:binder { call transfer };
+allow batterysecret system_suspend_server:fd *;
+allow batterysecret system_suspend_hwservice:hwservice_manager find;
+allow batterysecret hidl_manager_hwservice:hwservice_manager find;
+allow batterysecret sysfs:file write;
+allow batterysecret sysfs_usb:file w_file_perms;
+allow batterysecret vendor_sysfs_usb_supply:file write;
+allow batterysecret sysfs_batteryinfo:file r_file_perms;
+allow batterysecret kmsg_device:chr_file rw_file_perms;
+allow batterysecret mnt_vendor_file:dir rw_dir_perms;
+init_daemon_domain(batterysecret)
+r_dir_file(batterysecret, sysfs_type)
+r_dir_file(batterysecret, rootfs)
+r_dir_file(batterysecret, cgroup)
+r_dir_file(batterysecret, vendor_sysfs_usb_supply)
+get_prop(batterysecret, hwservicemanager_prop)
+get_prop(batterysecret, vendor_default_prop)
+set_prop(batterysecret, vendor_system_prop)
+hwbinder_use(batterysecret)
+type batterysecret, domain;
+type batterysecret_exec, exec_type, vendor_file_type, file_type;
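Review bot: The grants here are broader than a battery daemon needs: `self:capability sys_boot` allows it to reboot the device, `rootfs:dir write` and `sysfs:file write` write through the generic `rootfs` and `sysfs` labels rather than the specific nodes the daemon touches, and `system_suspend_server:fd *` hands over every permission of the `fd` class where `fd use` is all binder fd passing requires (the same `fd *` pattern recurs in bluetooth.te, hal_camera_default.te, hal_citsensorservice_xiaomi.te, hal_displayfeature_xiaomi.te, hal_dms.te and hal_graphics_composer.te, and generic `sysfs:file` writes recur in hal_audio.te and hal_displayfeature_xiaomi.te). Prefer labelling the exact sysfs paths in `file_contexts`/`genfs_contexts` and allowing only those types, as this commit already does for `vendor_sysfs_qcom_battery`. The three `vendor_sysfs_qcom_battery:file` rules are redundant with each other, since `rw_file_perms` already covers `open read write`; keep only `allow batterysecret vendor_sysfs_qcom_battery:file rw_file_perms;`. The `type batterysecret, domain;` declarations at the bottom would conventionally open the file.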

+ 27 - 0
sepolicy/vendor/bluetooth.te

@@ -0,0 +1,27 @@
+allow bluetooth hal_audio:binder { call transfer };
+allow bluetooth hal_audio:fd *;
+allow bluetooth sysfs_bluetooth_writable:file w_file_perms;
+allow bluetooth media_rw_data_file:dir create_dir_perms;
+allow bluetooth media_rw_data_file:file create_file_perms;
+allow bluetooth serial_device:chr_file rw_file_perms;
+allow bluetooth uhid_device:chr_file rw_file_perms;
+allow bluetooth vendor_bt_device:chr_file rw_file_perms;
+allow bluetooth vendor_smd_device:chr_file rw_file_perms;
+allow bluetooth vendor_hal_iop_hwservice:hwservice_manager find;
+allow bluetooth vendor_default_prop:file { getattr map };
+allow bluetooth vendor_bt_data_file:dir search;
+allow bluetooth vendor_bt_data_file:file { getattr open read };
+allow bluetooth system_app_data_file:dir getattr;
+allow bluetooth system_app_data_file:file { getattr open read };
+allow bluetooth self:socket { create getopt read write };
+#allow bluetooth self:socket ioctl;
+allow bluetooth servicemanager:fd *;
+allow bluetooth system_app:binder { call transfer };
+allow bluetooth system_app:fd *;
+allow bluetooth vendor_dun_service:service_manager find;
+allow bluetooth hal_audio_hwservice:hwservice_manager find;
+#allowxperm bluetooth self:ioctl socket ((range 0xc300 0xc305));
+dontaudit bluetooth netd_service:service_manager find;
+get_prop(bluetooth, vendor_display_prop)
+get_prop(bluetooth, vendor_audio_prop)
+binder_use(bluetooth)
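Review bot: `allow bluetooth system_app_data_file:file { getattr open read };` lets the Bluetooth process read another app's private data directory, and `media_rw_data_file:dir create_dir_perms` with `media_rw_data_file:file create_file_perms` gives it unrestricted write over shared media storage; both cross app-sandbox boundaries and should be narrowed to a dedicated type for whatever file is actually exchanged. The commented-out `#allow bluetooth self:socket ioctl;` and `#allowxperm bluetooth self:ioctl socket ...` lines are dead policy and should be deleted rather than left in; if the ioctl was needed, a comment naming the denial would explain why it was dropped. `bluetooth` is also a core domain, so as with audioserver.te the vendor-side rules on `vendor_bt_device` and `vendor_smd_device` should be checked against the system/vendor split.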

+ 2 - 0
sepolicy/vendor/bootanim.te

@@ -0,0 +1,2 @@
+allow bootanim vendor_audio_prop:file read;
+allow bootanim vendor_proc_audiod:file read;

+ 8 - 0
sepolicy/vendor/ddr_training.te

@@ -0,0 +1,8 @@
+allow ddr_training ddr_training_exec:file { entrypoint execute getattr open read };
+allow ddr_training vendor_toolbox_exec:file { entrypoint execute execute_no_trans getattr open read };
+allow ddr_training block_device:dir r_dir_perms;
+allow ddr_training ddr_partition:blk_file rw_file_perms;
+init_daemon_domain(ddr_training)
+unix_socket_connect(ddr_training, property, init)
+type ddr_training, domain;
+type ddr_training_exec, exec_type, file_type, vendor_file_type;

+ 9 - 0
sepolicy/vendor/device.te

@@ -0,0 +1,9 @@
+type vendor_displayfeature_device, dev_type;
+type sound_device, dev_type, mlstrustedobject;
+type stmvl53l5_device, dev_type;
+type vendor_fingerprint_device, dev_type;
+type touchfeature_device, dev_type;
+type vendor_radio_smd_device, dev_type;
+type ir_spi_device, dev_type;
+type ddr_partition, dev_type;
+type minidump_data_file, data_file_type, file_type;
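Review bot: `type minidump_data_file, data_file_type, file_type;` is a data-file type, but it is declared in `device.te` among `dev_type` declarations while every other `data_file_type` in this commit lives in `file.te`; move it there under the `# Diag` or a `# RIL` heading to match that file's grouping. Separately, `sound_device` is marked `mlstrustedobject`, which exempts it from MLS constraints; a one-line comment such as `# mlstrustedobject: shared with MLS-separated app domains (confirm)` would tell the next reviewer which domain needs that.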

+ 41 - 0
sepolicy/vendor/file.te

@@ -0,0 +1,41 @@
+# Audio
+type sysfs_f0_value, fs_type, sysfs_type;
+type audio_socket, file_type;
+
+# Battery
+type vendor_sysfs_qcom_battery, fs_type, sysfs_type;
+
+# Camera
+type camera_persist_file, file_type, mlstrustedobject, vendor_persist_type;
+
+# Diag
+type vendor_modem_data_file, data_file_type, file_type;
+
+# Display
+type vendor_sysfs_displayfeature, fs_type, sysfs_type;
+
+# Fingerprint
+type vendor_fingerprint_data_file, data_file_type, file_type;
+type vendor_fingerprint_data_file_fpdump, data_file_type, file_type;
+
+# GNSS
+type qx_oss_vendor_data_file, data_file_type, file_type;
+type vendor_ins_vendor_data_file, data_file_type, file_type;
+
+# Mac Address
+type vendor_mac_vendor_data_file, data_file_type, file_type, mlstrustedobject;
+
+# Mlipay
+type ta_data_file, data_file_type, file_type;
+
+# SLA
+type sla_data_file, data_file_type, file_type;
+type slad_socket, file_type;
+
+# Thermal
+type sys_thermal_wifi_limit, fs_type, sysfs_type;
+type sys_thermal_flash_state, fs_type, sysfs_type;
+type thermal_data_file, data_file_type, file_type;
+
+# Touchfeature
+type sysfs_tp_fodstatus, fs_type, sysfs_type;

+ 97 - 0
sepolicy/vendor/file_contexts

@@ -0,0 +1,97 @@
+# Audio
+/dev/socket/audio_hw_socket u:object_r:audio_socket:s0
+/dev/socket/audio_us_socket_0 u:object_r:audio_socket:s0
+/dev/socket/audio_us_socket_1 u:object_r:audio_socket:s0
+/dev/xlog u:object_r:sound_device:s0
+/sys/devices/platform/soc/[a-z0-9]+.i2c/i2c-+[0-9]/[0-9]+-00+[a-z0-9]+[a-z0-9]/f0_value u:object_r:sysfs_f0_value:s0
+
+# Battery
+/(vendor|system/vendor)/bin/batterysecret u:object_r:batterysecret_exec:s0
+
+# Camera
+/(vendor|system/vendor)/bin/hw/[email protected] u:object_r:hal_quickcamera_default_exec:s0
+/mnt/vendor/persist/camera(/.*)? u:object_r:camera_persist_file:s0
+#/vendor/bin/camera_cal u:object_r:DualCameraCal_exec:s0
+
+# CIT
+/(vendor|system/vendor)/bin/hw/[email protected] u:object_r:vendor_hal_citsensorservice_xiaomi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/[email protected] u:object_r:vendor_hal_citsensorservice_xiaomi_default_exec:s0
+
+# Diag
+/data/vendor/modem(/.*)? u:object_r:vendor_modem_data_file:s0
+
+# Display
+/(vendor|system/vendor)/bin/displayfeature           u:object_r:vendor_displayfeature_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.xiaomi\.hardware\.displayfeature@1\.0-service u:object_r:vendor_hal_displayfeature_xiaomi_default_exec:s0
+/dev/mi_display/disp_feature u:object_r:vendor_displayfeature_device:s0
+/sys/devices/virtual/mi_display/disp_feature/disp-DSI-+[0-1](/.*)? u:object_r:vendor_sysfs_displayfeature:s0
+
+# Dolby
+/data/vendor/dolby(/.*)? u:object_r:vendor_data_file:s0
+/vendor/bin/hw/dolbycodec2 u:object_r:vendorcodec_exec:s0
+
+# Fingerprint
+/data/vendor/fpc(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/goodix(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/dev/goodix_fp u:object_r:vendor_fingerprint_device:s0
+/mnt/vendor/persist/fpc(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/mnt/vendor/persist/goodix(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.3-service\.xiaomi u:object_r:hal_fingerprint_default_exec:s0
+
+# GNSS
+/data/vendor/ins(/.*)? u:object_r:vendor_ins_vendor_data_file:s0
+/data/vendor/qxwz(/.*)? u:object_r:qx_oss_vendor_data_file:s0
+/mnt/vendor/persist/qxwz u:object_r:qx_oss_vendor_data_file:s0
+
+# IR
+/dev/ir_spi u:object_r:ir_spi_device:s0
+
+# Mac Address
+/data/vendor/mac_addr(/.*)? u:object_r:vendor_mac_vendor_data_file:s0
+/vendor/bin/nv_mac u:object_r:vendor_wcnss_service_exec:s0
+
+# Mlipay
+/(vendor|system/vendor)/bin/fidoca                   u:object_r:hal_mfidoca_default_exec:s0
+/(vendor|system/vendor)/bin/mlipayd u:object_r:hal_mlipay_default_exec:s0
+/(vendor|system/vendor)/bin/[email protected] u:object_r:hal_mlipay_default_exec:s0
+/(vendor|system/vendor)/bin/mtd u:object_r:hal_mtdservice_default_exec:s0
+/(vendor|system/vendor)/bin/[email protected] u:object_r:hal_mtdservice_default_exec:s0
+/(vendor|system/vendor)/bin/[email protected] u:object_r:hal_mtdservice_default_exec:s0
+/(vendor|system/vendor)/bin/[email protected] u:object_r:hal_mtdservice_default_exec:s0
+/(vendor|system/vendor)/bin/tidad u:object_r:hal_tidaservice_default_exec:s0
+/(vendor|system/vendor)/bin/[email protected] u:object_r:hal_tidaservice_default_exec:s0
+/(vendor|system/vendor)/bin/[email protected] u:object_r:hal_tidaservice_default_exec:s0
+/data/vendor/images(/.*)? u:object_r:ta_data_file:s0
+/mnt/vendor/persist/fdsd(/.*)? u:object_r:vendor_persist_drm_file:s0
+
+# Modem
+/dev/smd8 u:object_r:vendor_radio_smd_device:s0
+
+# QRTR
+/(vendor|system/vendor)/bin/qrtr-lookup u:object_r:vendor_qrtr_exec:s0
+
+# RIL
+/data/vendor/diag(/.*)? u:object_r:minidump_data_file:s0
+
+# Sensors
+/(vendor|system/vendor)/bin/hw/android\.hardware\[email protected]\.xiaomi-multihal u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/[email protected] u:object_r:vendor_hal_sensorcommunicate_default_exec:s0
+/dev/stmvl53l5 u:object_r:stmvl53l5_device:s0
+
+# SLA
+/(vendor|system/vendor)/bin/hw/vendor\.qti\.sla\.service\@1\.0-service u:object_r:hal_slaservice_qti_exec:s0
+/data/vendor/sla(/.*)? u:object_r:sla_data_file:s0
+/dev/socket/slad u:object_r:slad_socket:s0
+
+# Thermal
+/(vendor|system/vendor)/bin/mi_thermald u:object_r:mi_thermald_exec:s0
+/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0
+/sys/class/thermal/thermal_message/flash_state u:object_r:sys_thermal_flash_state:s0
+/sys/class/thermal/thermal_message/wifi_limit u:object_r:sys_thermal_wifi_limit:s0
+/sys/class/thermal/thermal_zone87/temp u:object_r:sysfs_thermal:s0
+/sys/devices/virtual/thermal/thermal_message/flash_state u:object_r:sys_thermal_flash_state:s0
+/sys/devices/virtual/thermal/thermal_message/wifi_limit u:object_r:sys_thermal_wifi_limit:s0
+
+# Touchfeature
+/dev/xiaomi-touch u:object_r:touchfeature_device:s0
+/sys/devices/virtual/touch/tp_dev/fod_status u:object_r:sysfs_tp_fodstatus:s0
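Review bot: Several `/sys/...` entries here (the `f0_value`, `thermal_message`, `thermal_zone87` and `fod_status` lines) are placed in `file_contexts`, but sysfs is labelled through `genfs_contexts` unless an init rc explicitly runs `restorecon` on the path; this commit already uses `genfs_contexts` for `fod_press_status`, so either confirm the rc restorecon exists or move these to `genfscon sysfs ...` lines. `/sys/class/thermal/thermal_zone87/temp` hard-codes a zone index that can shift between kernel builds, and patterns such as `[a-z0-9]+.i2c` leave the `.` unescaped so it matches any character; write it as `[a-z0-9]+\.i2c`. Note that on this rendering the HAL binary names appear as `[email protected]`, which looks like a page-side e-mail obfuscation artifact, so those path patterns could not be reviewed here.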

+ 15 - 0
sepolicy/vendor/genfs_contexts

@@ -0,0 +1,15 @@
+# Extcon
+genfscon sysfs /devices/platform/soc/88e0000.qcom,msm-eud/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,msm-ext-disp/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/soc/soc:spf_core_platform/soc:spf_core_platform:lpass-cdc/wcd938x-codec/extcon u:object_r:sysfs_extcon:s0
+
+# Suspend
+genfscon sysfs /devices/platform/soc/3000000.remoteproc-adsp/remoteproc/remoteproc2/3000000.remoteproc-adsp:glink-edge/3000000.remoteproc-adsp:glink-edge.adsp_apps.-1.-1/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/884000.i2c/i2c-3/3-005a/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/990000.spi/spi_master/spi0/spi0.0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c42d000.qcom,spmi/spmi-0/0-00/c42d000.qcom,spmi:qcom,pmk8350@0:pon_hlos@1300/c42d000.qcom,spmi:qcom,pmk8350@0:pon_hlos@1300:pwrkey-bark/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c42d000.qcom,spmi/spmi-0/0-00/c42d000.qcom,spmi:qcom,pmk8350@0:pon_hlos@1300/c42d000.qcom,spmi:qcom,pmk8350@0:pon_hlos@1300:pwrkey-resin-bark/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:fingerprint_goodix/wakeup u:object_r:sysfs_wakeup:s0
+
+# Touchfeature
+genfscon sysfs /devices/virtual/touch/touch_dev/fod_press_status u:object_r:sysfs_tp_fodstatus:s0

+ 12 - 0
sepolicy/vendor/hal_audio.te

@@ -0,0 +1,12 @@
+hal_attribute(dms)
+allow hal_audio_default vendor_persist_audio_file:file rw_file_perms;
+allow hal_audio_default mnt_vendor_file:dir r_dir_perms;
+allow hal_audio_default vendor_audio_prop:property_service set;
+allow hal_audio_default audio_socket:sock_file rw_file_perms;
+allow hal_audio_default sound_device:chr_file rw_file_perms;
+allow hal_audio_default sysfs_f0_value:file rw_file_perms;
+allow hal_audio_default sysfs:file rw_file_perms;
+unix_socket_connect(hal_audio_default, property, init)
+unix_socket_connect(hal_audio_default, property, hal_sensors_default)
+hal_client_domain(hal_audio_default, hal_dms)
+set_prop(hal_audio_default, vendor_audio_prop)
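Review bot: `hal_attribute(dms)` is declared in `hal_audio.te` while `hal_dms.te` carries the same call commented out; the attribute belongs with the HAL that defines it, so move the macro call to `hal_dms.te` next to the `hal_dms_*` type declarations. `allow hal_audio_default vendor_audio_prop:property_service set;` duplicates what `set_prop(hal_audio_default, vendor_audio_prop)` expands to and can be dropped. `allow hal_audio_default sysfs:file rw_file_perms;` grants write through the generic `sysfs` label; the node the HAL writes should get its own type, as this file already does for `sysfs_f0_value`.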

+ 2 - 0
sepolicy/vendor/hal_bluetooth.te

@@ -0,0 +1,2 @@
+allow hal_bluetooth_default vendor_mac_vendor_data_file:dir search;
+allow hal_bluetooth_default vendor_mac_vendor_data_file:file { open read };

+ 37 - 0
sepolicy/vendor/hal_camera_default.te

@@ -0,0 +1,37 @@
+attribute vendor_hal_camerapostproc_xiaomi;
+attribute vendor_hal_camerapostproc_xiaomi_client;
+attribute vendor_hal_camerapostproc_xiaomi_server;
+type vendor_hal_camerapostproc_xiaomi_hwservice, hwservice_manager_type;
+
+allow vendor_hal_camerapostproc_xiaomi_client vendor_hal_camerapostproc_xiaomi_server:binder { call transfer };
+allow vendor_hal_camerapostproc_xiaomi_client vendor_hal_camerapostproc_xiaomi_server:binder transfer;
+allow vendor_hal_camerapostproc_xiaomi_client vendor_hal_camerapostproc_xiaomi_server:fd *;
+allow vendor_hal_camerapostproc_xiaomi_client vendor_hal_camerapostproc_xiaomi_hwservice:hwservice_manager find;
+allow vendor_hal_camerapostproc_xiaomi_server vendor_hal_camerapostproc_xiaomi_client:binder transfer;
+allow vendor_hal_camerapostproc_xiaomi_server vendor_hal_camerapostproc_xiaomi_client:binder { call transfer };
+allow vendor_hal_camerapostproc_xiaomi_server vendor_hal_camerapostproc_xiaomi_client:fd *;
+allow vendor_hal_camerapostproc_xiaomi platform_app:binder transfer;
+allow vendor_hal_camerapostproc_xiaomi platform_app:binder { call transfer };
+allow vendor_hal_camerapostproc_xiaomi platform_app:fd *;
+allow vendor_hal_camerapostproc_xiaomi priv_app:binder transfer;
+allow vendor_hal_camerapostproc_xiaomi priv_app:binder { call transfer };
+allow vendor_hal_camerapostproc_xiaomi priv_app:fd *;
+allow vendor_hal_camerapostproc_xiaomi system_app:binder transfer;
+allow vendor_hal_camerapostproc_xiaomi system_app:binder { call transfer };
+allow vendor_hal_camerapostproc_xiaomi system_app:fd *;
+add_hwservice(vendor_hal_camerapostproc_xiaomi_server, vendor_hal_camerapostproc_xiaomi_hwservice)
+
+allow hal_camera_client vendor_hal_camerapostproc_xiaomi_hwservice:hwservice_manager find;
+allow hal_camera_default mnt_vendor_file:dir search;
+allow hal_camera_default camera_persist_file:dir search;
+allow hal_camera_default vendor_persist_sensors_file:dir search;
+allow hal_camera_default stmvl53l5_device:chr_file { ioctl open read write };
+allow hal_camera_default hal_quickcamera_hwservice:hwservice_manager { add find };
+dontaudit hal_camera graphics_device:dir search;
+dontaudit hal_camera_default default_prop:file read;
+r_dir_file(hal_camera_default, mnt_vendor_file)
+r_dir_file(hal_camera_default, camera_persist_file)
+r_dir_file(hal_camera_default, vendor_persist_sensors_file)
+hal_server_domain(hal_camera_default, vendor_hal_camerapostproc_xiaomi)
+add_hwservice(hal_camera_server, vendor_hal_camerapostproc_xiaomi_hwservice)
+set_prop(hal_camera_default, vendor_camera_sensor_prop)
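Review bot: Every `binder transfer` rule here is immediately followed by a `binder { call transfer }` rule for the same source/target pair, so half of the client/server and app rules are redundant and can be deleted; the same duplication appears in hal_dms.te and hal_graphics_composer.te. `allow hal_camera_default hal_quickcamera_hwservice:hwservice_manager { add find };` lets the camera HAL register the quickcamera service itself; if that service has its own domain (a `hal_quickcamera.te` is part of this commit), `add` should stay with that domain and only `find` remain here. The `allow vendor_hal_camerapostproc_xiaomi platform_app/priv_app/system_app:binder` rules let a vendor HAL attribute talk to app domains directly; a comment naming the app that consumes the post-processing service would make the scope reviewable.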

+ 50 - 0
sepolicy/vendor/hal_citsensorservice_xiaomi.te

@@ -0,0 +1,50 @@
+type vendor_hal_citsensorservice_xiaomi_default, domain;
+type vendor_hal_citsensorservice_xiaomi_default_exec, exec_type, file_type, vendor_file_type;
+type vendor_hal_citsensorservice_xiaomi_hwservice, hwservice_manager_type;
+attribute vendor_hal_citsensorservice_xiaomi;
+attribute vendor_hal_citsensorservice_xiaomi_client;
+attribute vendor_hal_citsensorservice_xiaomi_server;
+init_daemon_domain(vendor_hal_citsensorservice_xiaomi_default)
+r_dir_file(vendor_hal_citsensorservice_xiaomi_default, mnt_vendor_file)
+#set_prop(vendor_hal_citsensorservice_xiaomi_default, vendor_cct_prop)
+vndbinder_use(vendor_hal_citsensorservice_xiaomi)
+hal_server_domain(vendor_hal_citsensorservice_xiaomi_default, vendor_hal_citsensorservice_xiaomi)
+hal_client_domain(vendor_hal_citsensorservice_xiaomi_default, hal_graphics_allocator)
+add_hwservice(vendor_hal_citsensorservice_xiaomi_server, vendor_hal_citsensorservice_xiaomi_hwservice)
+allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_server:binder { call transfer };
+allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_server:binder transfer;
+allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_server:fd *;
+allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_hwservice:hwservice_manager find;
+allow vendor_hal_citsensorservice_xiaomi_server vendor_hal_citsensorservice_xiaomi_client:binder transfer;
+allow vendor_hal_citsensorservice_xiaomi_server vendor_hal_citsensorservice_xiaomi_client:binder { call transfer };
+allow vendor_hal_citsensorservice_xiaomi_server vendor_hal_citsensorservice_xiaomi_client:fd *;
+allow vendor_hal_citsensorservice_xiaomi_default input_device:dir rw_dir_perms;
+allow vendor_hal_citsensorservice_xiaomi_default input_device:chr_file rw_file_perms;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_data:file r_file_perms;
+allow vendor_hal_citsensorservice_xiaomi_default self:socket create_socket_perms;
+allow vendor_hal_citsensorservice_xiaomi_default self:qipcrtr_socket create_socket_perms;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_graphics:dir r_dir_perms;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_graphics:file r_file_perms;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_persist_sensors_file:dir create_dir_perms;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_persist_sensors_file:file create_file_perms;
+allow vendor_hal_citsensorservice_xiaomi_default fwk_sensor_hwservice:hwservice_manager find;
+allow vendor_hal_citsensorservice_xiaomi_default system_server:binder call;
+allow vendor_hal_citsensorservice_xiaomi_default system_server:binder transfer;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_displayfeature:dir search;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_displayfeature:file { open read };
+allow vendor_hal_citsensorservice_xiaomi_default vendor_displayfeature_device:chr_file { ioctl open read write };
+allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_mapper_hwservice:hwservice_manager find;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_display_config_hwservice:hwservice_manager find;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_display_config_hwservice:binder { call transfer };
+allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_display_config_hwservice:fd *;
+allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_composer:binder { call transfer };
+allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_composer:fd *;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_qdisplay_service:service_manager find;
+allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_composer_default:binder transfer;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_sensorcommunicate_default:binder call;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_sensorcommunicate_default:binder transfer;
+allowxperm vendor_hal_citsensorservice_xiaomi_default self:socket ioctl { 0xc300 0xc301 0xc302 0xc303 0xc304 0xc305 };
+allowxperm vendor_hal_citsensorservice_xiaomi_default self:qipcrtr_socket ioctl { 0xc300 0xc301 0xc302 0xc303 0xc304 0xc305 };
+
+get_prop(vendor_hal_citsensorservice_xiaomi_default, vendor_sensors_prop)
+get_prop(vendor_hal_citsensorservice_xiaomi_default, vendor_sensors_debug_prop)
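Review bot: `input_device:dir rw_dir_perms` and `input_device:chr_file rw_file_perms` give this HAL write access to every input device node, which is enough to feed synthetic input events into the system; if it only needs to read touch/sensor state, reduce to `r_dir_perms`/`r_file_perms`, or label the specific node it uses and allow only that type. The `vendor_hal_display_config_hwservice:binder { call transfer }` and `vendor_hal_display_config_hwservice:fd *` rules target a `hwservice_manager_type` label, which names a service entry rather than a process, so they never match a binder transaction; the peer should be the domain hosting the display-config HAL, while the `hwservice_manager find` rule on that type is correct as written. The hard-coded ranges in the two `allowxperm ... ioctl { 0xc300 ... 0xc305 }` lines deserve a comment saying which driver defines them.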

+ 2 - 0
sepolicy/vendor/hal_display_config.te

@@ -0,0 +1,2 @@
+allow vendor_hal_display_config_hwservice vendor_hal_displayfeature_xiaomi_default:binder transfer;
+allow vendor_hal_display_config_hwservice vendor_hal_citsensorservice_xiaomi_default:binder transfer;
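Review bot: Both rules use `vendor_hal_display_config_hwservice` as the source, but that type is a `hwservice_manager_type` service label, not a process domain, so no process ever runs with it and these `binder transfer` grants are dead. The intended source is presumably the domain that hosts the display-config HAL; the `vendor_hal_displayfeature_xiaomi_default` and `vendor_hal_citsensorservice_xiaomi_default` hunks in this commit carry the matching client side. Use that domain's name from the QTI sepolicy, and if it is already a `hal_server_domain`, the `hal_client_domain` macro on the two clients may cover the transfer without explicit rules here.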

+ 69 - 0
sepolicy/vendor/hal_displayfeature_xiaomi.te

@@ -0,0 +1,69 @@
+type vendor_hal_displayfeature_xiaomi_default, domain;
+type vendor_hal_displayfeature_xiaomi_default_exec, exec_type, file_type, vendor_file_type;
+type vendor_hal_displayfeature_xiaomi_hwservice, hwservice_manager_type;
+type vendor_mistcdisplay_service, vndservice_manager_type;
+
+type vendor_displayfeature, domain;
+type vendor_displayfeature_exec, exec_type, file_type, vendor_file_type;
+type vendor_DisplayFeatureControl_service, vndservice_manager_type;
+
+allow vendor_hal_displayfeature_xiaomi vendor_sysfs_graphics:file rw_file_perms;
+allow vendor_hal_displayfeature_xiaomi vendor_qdisplay_service:service_manager find;
+allow vendor_hal_displayfeature_xiaomi hal_graphics_composer:binder { call transfer };
+allow vendor_hal_displayfeature_xiaomi hal_graphics_composer:fd *;
+allow vendor_hal_displayfeature_xiaomi graphics_device:chr_file rw_file_perms;
+allow vendor_hal_displayfeature_xiaomi graphics_device:dir r_dir_perms;
+allow vendor_hal_displayfeature_xiaomi_default sysfs:file { getattr open read write };
+allow vendor_hal_displayfeature_xiaomi_default sensors_device:chr_file r_file_perms;
+allow vendor_hal_displayfeature_xiaomi_default fwk_sensor_hwservice:hwservice_manager find;
+allow vendor_hal_displayfeature_xiaomi_default system_server:binder { call transfer };
+allow vendor_hal_displayfeature_xiaomi_default vendor_hal_display_config_hwservice:hwservice_manager find;
+allow vendor_hal_displayfeature_xiaomi_default vendor_hal_display_config_hwservice:binder { call transfer };
+allow vendor_hal_displayfeature_xiaomi_default vendor_hal_display_config_hwservice:fd *;
+allow vendor_hal_displayfeature_xiaomi_default vendor_display_vendor_data_file:dir create_dir_perms;
+allow vendor_hal_displayfeature_xiaomi_default vendor_display_vendor_data_file:file create_file_perms;
+allow vendor_hal_displayfeature_xiaomi_default vendor_displayfeature_device:chr_file { ioctl open read write };
+allow vendor_hal_displayfeature_xiaomi_default vendor_sysfs_displayfeature:dir r_dir_perms;
+allow vendor_hal_displayfeature_xiaomi_default vendor_sysfs_displayfeature:file rw_file_perms;
+allow vendor_hal_displayfeature_xiaomi_default vendor_mistcdisplay_service:service_manager find;
+allow vendor_hal_displayfeature_xiaomi_default system_app:binder { call transfer };
+allow vendor_hal_displayfeature_xiaomi_default system_app:fd *;
+allow vendor_hal_displayfeature_xiaomi_default surfaceflinger:binder call;
+allow vendor_hal_displayfeature_xiaomi_client vendor_hal_displayfeature_xiaomi_server:binder { call transfer };
+allow vendor_hal_displayfeature_xiaomi_client vendor_hal_displayfeature_xiaomi_server:fd *;
+allow vendor_hal_displayfeature_xiaomi_client vendor_hal_displayfeature_xiaomi_hwservice:hwservice_manager find;
+allow vendor_hal_displayfeature_xiaomi_server vendor_hal_displayfeature_xiaomi_client:binder transfer;
+attribute vendor_hal_displayfeature_xiaomi;
+attribute vendor_hal_displayfeature_xiaomi_client;
+attribute vendor_hal_displayfeature_xiaomi_server;
+init_daemon_domain(vendor_hal_displayfeature_xiaomi_default)
+r_dir_file(vendor_hal_displayfeature_xiaomi, vendor_sysfs_graphics)
+unix_socket_connect(vendor_hal_displayfeature_xiaomi_default, property, vendor_sensors)
+get_prop(vendor_hal_displayfeature_xiaomi_default, vendor_mpctl_prop)
+set_prop(vendor_hal_displayfeature_xiaomi_default, vendor_displayfeature_prop)
+vndbinder_use(vendor_hal_displayfeature_xiaomi)
+hal_server_domain(vendor_hal_displayfeature_xiaomi_default, vendor_hal_displayfeature_xiaomi)
+hal_client_domain(vendor_hal_displayfeature_xiaomi_default, vendor_hal_display_color)
+hal_client_domain(vendor_hal_displayfeature_xiaomi_default, vendor_hal_display_postproc)
+add_hwservice(vendor_hal_displayfeature_xiaomi_server, vendor_hal_displayfeature_xiaomi_hwservice)
+
+allow vendor_displayfeature system_server:binder transfer;
+allow vendor_displayfeature system_server:binder { call transfer };
+allow vendor_displayfeature system_server:fd *;
+allow vendor_displayfeature appdomain:binder { call transfer };
+allow vendor_displayfeature appdomain:fd *;
+allow vendor_displayfeature sysfs:file { getattr open read write };
+allow vendor_displayfeature vendor_file:file r_file_perms;
+allow vendor_displayfeature graphics_device:dir r_dir_perms;
+allow vendor_displayfeature graphics_device:chr_file rw_file_perms;
+init_daemon_domain(vendor_displayfeature)
+get_prop(vendor_displayfeature, hwservicemanager_prop)
+get_prop(vendor_displayfeature, vendor_displayfeature_prop)
+hwbinder_use(vendor_displayfeature)
+vndbinder_use(vendor_displayfeature)
+hal_client_domain(vendor_displayfeature, hal_graphics_composer)
+hal_client_domain(vendor_displayfeature, hal_light)
+hal_client_domain(vendor_displayfeature, vendor_hal_display_color)
+hal_client_domain(vendor_displayfeature, vendor_hal_display_postproc)
+hal_client_domain(vendor_displayfeature, vendor_hal_displayfeature_xiaomi)
+add_service(vendor_displayfeature, vendor_DisplayFeatureControl_service)
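Review bot: `allow vendor_displayfeature appdomain:binder { call transfer };` together with `appdomain:fd *` lets this vendor daemon exchange binder calls with every app domain, including untrusted apps; restrict it to the specific app domain that talks to the display-feature service (the hwservice-side rules above already single out `system_app`). `vendor_DisplayFeatureControl_service` mixes upper case into a type name, which the rest of the policy avoids; `vendor_displayfeaturecontrol_service` would match convention. The `attribute vendor_hal_displayfeature_xiaomi*` declarations sit after the rules that use them and would conventionally open the file next to the `type` lines.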

+ 18 - 0
sepolicy/vendor/hal_dms.te

@@ -0,0 +1,18 @@
+type hal_dms_default, domain;
+type hal_dms_default_exec, exec_type, file_type, vendor_file_type;
+type hal_dms_hwservice, hwservice_manager_type;
+#hal_attribute(dms)
+allow hal_dms_client hal_dms_server:binder { call transfer };
+allow hal_dms_client hal_dms_server:binder transfer;
+allow hal_dms_client hal_dms_server:fd *;
+allow hal_dms_client hal_dms_hwservice:hwservice_manager find;
+allow hal_dms_server hal_dms_client:binder transfer;
+allow hal_dms_server hal_dms_client:binder { call transfer };
+allow hal_dms_server hal_dms_client:fd *;
+allow hal_dms_default hal_dms_hwservice:hwservice_manager add;
+allow hal_dms_default vendor_data_file:dir rw_dir_perms;
+allow hal_dms_default vendor_data_file:file create_file_perms;
+init_daemon_domain(hal_dms_default)
+set_prop(hal_dms_default, vendor_audio_prop)
+hal_server_domain(hal_dms_default, hal_dms)
+add_hwservice(hal_dms_server, hal_dms_hwservice)
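Review bot: `#hal_attribute(dms)` is commented out here while the live declaration sits in `hal_audio.te`; the attribute should be declared in this file next to the `hal_dms_*` types, so uncomment it here and drop the copy from `hal_audio.te`. `allow hal_dms_default vendor_data_file:dir rw_dir_perms;` and `vendor_data_file:file create_file_perms` grant write over the generic `vendor_data_file` label, which covers all otherwise-unlabelled /data/vendor content; the daemon's directory should get its own `data_file_type` in `file.te` and a matching `file_contexts` entry.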

+ 26 - 0
sepolicy/vendor/hal_fingerprint.te

@@ -0,0 +1,26 @@
+type vendor_hal_fingerprint_hwservice_xiaomi, hwservice_manager_type;
+
+allow hal_fingerprint_default vendor_fingerprint_data_file:dir create_dir_perms;
+allow hal_fingerprint_default vendor_fingerprint_data_file:file create_file_perms;
+allow hal_fingerprint_default vendor_hal_perf_hwservice:hwservice_manager find;
+allow hal_fingerprint_default vendor_hal_perf_default:binder call;
+allow hal_fingerprint_default vendor_sysfs_graphics:dir r_dir_perms;
+allow hal_fingerprint_default vendor_sysfs_graphics:file rw_file_perms;
+allow hal_fingerprint_default input_device:dir r_dir_perms;
+allow hal_fingerprint_default input_device:chr_file rwx_file_perms;
+allow hal_fingerprint_default mnt_vendor_file:dir search;
+allow hal_fingerprint_default vendor_fingerprint_device:chr_file rwx_file_perms;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_fingerprint_default vendor_sysfs_displayfeature:dir { open read };
+allow hal_fingerprint_default vendor_sysfs_displayfeature:file { open read };
+allow hal_fingerprint_default vendor_dmabuf_qseecom_ta_heap_device:chr_file r_file_perms;
+allow hal_fingerprint_default vendor_dmabuf_qseecom_heap_device:chr_file r_file_perms;
+allow hal_fingerprint_default sysfs_tp_fodstatus:chr_file r_file_perms;
+allow hal_fingerprint_default sysfs_tp_fodstatus:file r_file_perms;
+allow hal_fingerprint_default vendor_hal_fingerprint_hwservice_xiaomi:hwservice_manager { add find };
+allow hal_fingerprint_default touchfeature_device:chr_file rw_file_perms;
+
+get_prop(hal_fingerprint_default, vendor_panel_info_prop)
+set_prop(hal_fingerprint_default, vendor_fp_prop)
+set_prop(hal_fingerprint_default, vendor_fp_info_prop)
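Review bot: `rwx_file_perms` on `input_device:chr_file` and on `vendor_fingerprint_device:chr_file` includes `execute` and `execute_no_trans`, which have no meaning for a device node and only widen the grant; use `rw_file_perms` on both lines. `allow hal_fingerprint_default sysfs_tp_fodstatus:chr_file r_file_perms;` pairs a `sysfs_type` with the `chr_file` class, which cannot match a sysfs attribute; the following `sysfs_tp_fodstatus:file r_file_perms` rule is the correct one, so delete the `chr_file` line. As with hal_citsensorservice_xiaomi.te, write access to `input_device` should be justified or reduced to read.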

+ 8 - 0
sepolicy/vendor/hal_gnss.te

@@ -0,0 +1,8 @@
+allow vendor_hal_gnss_qti vendor_ins_vendor_data_file:dir rw_dir_perms;
+allow vendor_hal_gnss_qti vendor_ins_vendor_data_file:file create_file_perms;
+allow vendor_hal_gnss_qti vendor_persist_sensors_file:dir rw_dir_perms;
+allow vendor_hal_gnss_qti vendor_persist_sensors_file:file create_file_perms;
+allow vendor_hal_gnss_qti mnt_vendor_file:dir search;
+allow vendor_hal_gnss_qti mnt_vendor_file:dir rw_dir_perms;
+get_prop(vendor_hal_gnss_qti, vendor_sensors_prop)
+get_prop(vendor_hal_gnss_qti, vendor_mi_ins_prop)
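Review bot: `allow vendor_hal_gnss_qti mnt_vendor_file:dir rw_dir_perms;` gives the GNSS HAL add/remove rights on the /mnt/vendor mount root itself, which is more than it needs to reach the already-labelled `vendor_ins_vendor_data_file` and `vendor_persist_sensors_file` directories. The `search` rule directly above it is the usual traversal grant and is subsumed by `rw_dir_perms`, so only one of the two should remain; unless the HAL really creates entries directly under /mnt/vendor, keep `allow vendor_hal_gnss_qti mnt_vendor_file:dir search;` and drop the `rw_dir_perms` line.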

+ 15 - 0
sepolicy/vendor/hal_graphics_composer.te

@@ -0,0 +1,15 @@
+allow hal_graphics_composer vendor_hal_displayfeature_xiaomi:binder transfer;
+allow hal_graphics_composer vendor_hal_citsensorservice_xiaomi_default:binder transfer;
+allow hal_graphics_composer vendor_hal_citsensorservice_xiaomi_hwservice:hwservice_manager find;
+allow hal_graphics_composer_default vendor_displayfeature_device:chr_file { ioctl open read };
+allow hal_graphics_composer_default vendor_sysfs_displayfeature:dir { open read search };
+allow hal_graphics_composer_default vendor_sysfs_displayfeature:file { open read write };
+allow hal_graphics_composer_default vendor_hal_citsensorservice_xiaomi_default:binder call;
+allow hal_graphics_composer_default vendor_hal_citsensorservice_xiaomi_default:binder { call transfer };
+allow hal_graphics_composer_default vendor_hal_citsensorservice_xiaomi_default:fd *;
+get_prop(hal_graphics_composer, vendor_displayfeature_prop)
+set_prop(hal_graphics_composer_default, vendor_ctl_vendor_display_prop)
+set_prop(hal_graphics_composer_default, vendor_display_prop)
+hal_client_domain(hal_graphics_composer_default, vendor_hal_displayfeature_xiaomi)
+allow hal_graphics_composer_default vendor_mistcdisplay_service:service_manager find;
+add_service(hal_graphics_composer_default, vendor_mistcdisplay_service)
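Review bot: The four rules whose subject is the `hal_graphics_composer` attribute rather than `hal_graphics_composer_default` apply to every member of the attribute, which via `hal_client_domain` includes the composer's clients (surfaceflinger), so those domains also receive `binder transfer` to the displayfeature/citsensor HALs, the citsensor `hwservice_manager find`, and `get_prop(…, vendor_displayfeature_prop)`; if only the vendor composer needs them, make `hal_graphics_composer_default` the subject. The two consecutive rules on `vendor_hal_citsensorservice_xiaomi_default:binder` are duplicates (`call` is already inside `{ call transfer }`), and with `hal_client_domain(hal_graphics_composer_default, vendor_hal_displayfeature_xiaomi)` present the separate `vendor_hal_displayfeature_xiaomi:binder transfer` is likely redundant as well.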

+ 3 - 0
sepolicy/vendor/hal_light.te

@@ -0,0 +1,3 @@
+allow hal_light_default vendor_displayfeature_device:chr_file { ioctl open read write };
+allow hal_light_default vendor_sysfs_displayfeature:dir r_dir_perms;
+allow hal_light_default vendor_sysfs_displayfeature:file rw_file_perms;

+ 24 - 0
sepolicy/vendor/hal_mfidoca.te

@@ -0,0 +1,24 @@
+type hal_mfidoca_default, domain;
+type hal_mfidoca_default_exec, exec_type, file_type, vendor_file_type;
+type hal_mfidoca_hwservice, hwservice_manager_type;
+hal_attribute(mfidoca)
+allow hal_mfidoca_client hal_mfidoca_server:binder { call transfer };
+allow hal_mfidoca_client hal_mfidoca_server:binder transfer;
+allow hal_mfidoca_client hal_mfidoca_server:fd *;
+allow hal_mfidoca_server hal_mfidoca_client:binder transfer;
+allow hal_mfidoca_server hal_mfidoca_client:binder { call transfer };
+allow hal_mfidoca_server hal_mfidoca_client:fd *;
+allow hal_mfidoca_default tee_device:chr_file rw_file_perms;
+allow hal_mfidoca_default firmware_file:dir r_dir_perms;
+allow hal_mfidoca_default firmware_file:file r_file_perms;
+allow hal_mfidoca_default ion_device:chr_file rw_file_perms;
+allow hal_mfidoca_default vendor_dmabuf_qseecom_heap_device:chr_file { ioctl open read };
+allow hal_mfidoca_default vendor_dmabuf_qseecom_ta_heap_device:chr_file { ioctl open read };
+allow hal_mfidoca_default hal_mtdservice_default:binder transfer;
+init_daemon_domain(hal_mfidoca_default)
+get_prop(hal_mfidoca_default, vendor_fp_prop)
+get_prop(hal_mfidoca_default, vendor_system_prop)
+set_prop(hal_mfidoca_default, vendor_payment_security_prop)
+hwbinder_use(hal_mfidoca_default)
+hal_server_domain(hal_mfidoca_default, hal_mfidoca)
+add_hwservice(hal_mfidoca_server, hal_mfidoca_hwservice)
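Review bot: The `hal_mfidoca_client` attribute gets binder and fd rules but no `hwservice_manager find` on `hal_mfidoca_hwservice`, so a domain made a client through `hal_client_domain` still cannot look the service up; the only finder in this commit is the explicit rule in hal_mtdservice.te. Either add `allow hal_mfidoca_client hal_mfidoca_hwservice:hwservice_manager find;` or switch to the form AOSP's own hal_*.te files use: `binder_call(hal_mfidoca_client, hal_mfidoca_server)`, `binder_call(hal_mfidoca_server, hal_mfidoca_client)` and `hal_attribute_hwservice(hal_mfidoca, hal_mfidoca_hwservice)`, which replace the six binder/fd lines and the find/add rules and bring the matching neverallows. The consecutive `binder transfer` / `binder { call transfer }` pairs are duplicates; the same pairs appear in hal_mlipay.te, hal_mtdservice.te, hal_quickcamera.te, hal_sensorcommunicate.te and hal_tidaservice.te.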

+ 27 - 0
sepolicy/vendor/hal_mlipay.te

@@ -0,0 +1,27 @@
+type hal_mlipay_default, domain;
+type hal_mlipay_default_exec, exec_type, file_type, vendor_file_type;
+type hal_mlipay_hwservice, hwservice_manager_type;
+hal_attribute(mlipay)
+allow hal_mlipay_client hal_mlipay_server:binder { call transfer };
+allow hal_mlipay_client hal_mlipay_server:binder transfer;
+allow hal_mlipay_client hal_mlipay_server:fd *;
+allow hal_mlipay_client hal_mlipay_hwservice:hwservice_manager find;
+allow hal_mlipay_server hal_mlipay_client:binder transfer;
+allow hal_mlipay_server hal_mlipay_client:binder { call transfer };
+allow hal_mlipay_server hal_mlipay_client:fd *;
+allow hal_mlipay_default hal_mlipay_hwservice:hwservice_manager add;
+allow hal_mlipay_default tee_device:chr_file rw_file_perms;
+allow hal_mlipay_default firmware_file:dir r_dir_perms;
+allow hal_mlipay_default firmware_file:file r_file_perms;
+allow hal_mlipay_default ion_device:chr_file rw_file_perms;
+allow hal_mlipay_default rootfs:lnk_file r_file_perms;
+allow hal_mlipay_default vendor_dmabuf_qseecom_heap_device:chr_file { ioctl open read };
+allow hal_mlipay_default vendor_dmabuf_qseecom_ta_heap_device:chr_file { ioctl open read };
+allow hal_mlipay_default hal_mtdservice_default:binder transfer;
+init_daemon_domain(hal_mlipay_default)
+get_prop(hal_mlipay_default, vendor_fp_prop)
+get_prop(hal_mlipay_default, vendor_system_prop)
+set_prop(hal_mlipay_default, vendor_payment_security_prop)
+hwbinder_use(hal_mlipay_default)
+hal_server_domain(hal_mlipay_default, hal_mlipay)
+add_hwservice(hal_mlipay_server, hal_mlipay_hwservice)
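Review bot: `allow hal_mlipay_default hal_mlipay_hwservice:hwservice_manager add;` is redundant with `add_hwservice(hal_mlipay_server, hal_mlipay_hwservice)` at the end of the file, because `hal_server_domain` places `hal_mlipay_default` in `hal_mlipay_server`; keep only the macro form. `set_prop(hal_mlipay_default, vendor_payment_security_prop)` makes this one of three domains (with mfidoca and mtdservice) that can write every key under that context, including `persist.vendor.sys.provision.status` and `vendor.sys.rpmb_state` from property_contexts; if each daemon owns only some of those keys, a per-owner property type would keep one HAL from overwriting another's provisioning state. A short comment naming which keys mlipay writes would let the next reviewer judge that.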

+ 55 - 0
sepolicy/vendor/hal_mtdservice.te

@@ -0,0 +1,55 @@
+type hal_mtdservice_default, domain;
+type hal_mtdservice_default_exec, exec_type, file_type, vendor_file_type;
+type hal_mtdservice_hwservice, hwservice_manager_type;
+hal_attribute(mtdservice)
+allow hal_mtdservice_client hal_mtdservice_server:binder { call transfer };
+allow hal_mtdservice_client hal_mtdservice_server:binder transfer;
+allow hal_mtdservice_client hal_mtdservice_server:fd *;
+allow hal_mtdservice_server hal_mtdservice_client:binder transfer;
+allow hal_mtdservice_server hal_mtdservice_client:binder { call transfer };
+allow hal_mtdservice_server hal_mtdservice_client:fd *;
+allow hal_mtdservice_default hal_mlipay_default:binder { call transfer };
+allow hal_mtdservice_default hal_mlipay_default:fd *;
+allow hal_mtdservice_default hal_mfidoca_default:binder { call transfer };
+allow hal_mtdservice_default hal_mfidoca_default:fd *;
+allow hal_mtdservice_default hal_mtdservice_hwservice:hwservice_manager add;
+allow hal_mtdservice_default firmware_file:dir r_dir_perms;
+allow hal_mtdservice_default firmware_file:file r_file_perms;
+allow hal_mtdservice_default ion_device:chr_file rw_file_perms;
+allow hal_mtdservice_default vendor_persist_drm_file:dir { create_dir_perms relabelto };
+allow hal_mtdservice_default vendor_persist_drm_file:file { create_file_perms relabelto };
+allow hal_mtdservice_default vendor_persist_file:dir r_dir_perms;
+allow hal_mtdservice_default mnt_vendor_file:dir { create_dir_perms relabelfrom };
+allow hal_mtdservice_default proc:file r_file_perms;
+allow hal_mtdservice_default tee_device:chr_file rw_file_perms;
+allow hal_mtdservice_default system_data_file:dir getattr;
+allow hal_mtdservice_default hal_mlipay_hwservice:hwservice_manager find;
+allow hal_mtdservice_default hal_mfidoca_hwservice:hwservice_manager find;
+allow hal_mtdservice_default platform_app:binder transfer;
+allow hal_mtdservice_default system_app:binder transfer;
+allow hal_mtdservice_default ta_data_file:file create_file_perms;
+allow hal_mtdservice_default ta_data_file:dir rw_dir_perms;
+allow hal_mtdservice_default vendor_hal_tui_comm_hwservice:hwservice_manager find;
+allow hal_mtdservice_default vendor_hal_tui_comm_hwservice:binder { call transfer };
+allow hal_mtdservice_default vendor_hal_tui_comm_qti:binder { call transfer };
+allow hal_mtdservice_default sysfs:dir { open read };
+allow hal_mtdservice_default sysfs:file { open read write };
+allow hal_mtdservice_default vendor_qce_device:chr_file rw_file_perms;
+allow hal_mtdservice_default vendor_sg_device:chr_file { open read };
+allow hal_mtdservice_default vendor_sg_device:chr_file { ioctl write };
+allow hal_mtdservice_default vendor_persist_data_file:dir getattr;
+allow hal_mtdservice_default vendor_smcinvoke_device:chr_file { ioctl open read write };
+allow hal_mtdservice_default system_server:binder transfer;
+allow hal_mtdservice_default block_device:dir r_dir_perms;
+allow hal_mtdservice_default vendor_dmabuf_qseecom_heap_device:chr_file { ioctl open read };
+allow hal_mtdservice_default vendor_dmabuf_qseecom_ta_heap_device:chr_file { ioctl open read };
+allow hal_mtdservice_default hal_tidaservice_default:binder transfer;
+allow hal_mtdservice_default hal_secure_element_default:binder transfer;
+type_transition hal_mtdservice mnt_vendor_file:dir vendor_persist_drm_file "fdsd";
+init_daemon_domain(hal_mtdservice_default)
+get_prop(hal_mtdservice_default, vendor_system_prop)
+get_prop(hal_mtdservice_default, vendor_cpuid_prop)
+set_prop(hal_mtdservice_default, vendor_payment_security_prop)
+hwbinder_use(hal_mtdservice_default)
+hal_server_domain(hal_mtdservice_default, hal_mtdservice)
+add_hwservice(hal_mtdservice_server, hal_mtdservice_hwservice)
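Review bot: The name transition `type_transition hal_mtdservice mnt_vendor_file:dir vendor_persist_drm_file "fdsd";` uses the `hal_mtdservice` attribute as its source, which covers every client and server of the HAL, while the matching `create_dir_perms` is granted only to `hal_mtdservice_default`; the source should be `hal_mtdservice_default`. With the transition in place new directories are labelled at creation, so `relabelfrom` on `mnt_vendor_file:dir` plus `relabelto` on `vendor_persist_drm_file` — which lets the daemon relabel any directory it can reach under the persist mount — is probably unnecessary and should be dropped or justified in a comment. `allow hal_mtdservice_default vendor_hal_tui_comm_hwservice:binder { call transfer };` targets an hwservice_manager type rather than a process domain and so never matches; the `vendor_hal_tui_comm_qti` rule below it is the effective one, and hal_tidaservice.te carries the same dead rule.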

+ 3 - 0
sepolicy/vendor/hal_nfc.te

@@ -0,0 +1,3 @@
+allow hal_nfc_default vendor_nfc_vendor_data_file:dir create_dir_perms;
+allow hal_nfc_default vendor_data_file:dir rw_dir_perms;
+allow hal_nfc_default vendor_data_file:file { create rw_file_perms };
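Review bot: The last two rules give `hal_nfc_default` create/write access on the generic `vendor_data_file` type, i.e. everything under /data/vendor without a specific label, even though the first rule shows the NFC directory already has its own `vendor_nfc_vendor_data_file` type. Add the file rule on that type, `allow hal_nfc_default vendor_nfc_vendor_data_file:file create_file_perms;`, and drop the `vendor_data_file` rules; `{ create rw_file_perms }` should be `create_file_perms` in any case. The same generic `vendor_data_file` write pattern appears in mi_thermald.te, qrtr.te and rild.te; each of those directories should get its own label in file_contexts instead.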

+ 20 - 0
sepolicy/vendor/hal_perf.te

@@ -0,0 +1,20 @@
+allow vendor_hal_perf_default hal_graphics_composer_default:process getpgid;
+allow vendor_hal_perf_default hal_graphics_composer_default:dir r_dir_perms;
+allow vendor_hal_perf_default hal_graphics_composer_default:file r_file_perms;
+allow vendor_hal_perf_default hal_graphics_composer_default:file append;
+allow vendor_hal_perf_default hal_graphics_composer:dir search;
+allow vendor_hal_perf_default hal_camera_default:dir r_dir_perms;
+allow vendor_hal_perf_default hal_camera_default:file r_file_perms;
+allow vendor_hal_perf_default hal_fingerprint_default:dir r_dir_perms;
+allow vendor_hal_perf_default hal_fingerprint_default:file r_file_perms;
+allow vendor_hal_perf_default sysfs_thermal:file rw_file_perms;
+allow vendor_hal_perf_default hal_audio_default:dir search;
+allow vendor_hal_perf_default hal_audio_default:file { open read };
+allow vendor_hal_perf_default thermal_data_file:dir { read search watch };
+allow vendor_hal_perf_default thermal_data_file:file { getattr open read setattr unlink };
+allow vendor_hal_perf_default vendor_hal_displayfeature_xiaomi_default:dir search;
+allow vendor_hal_perf_default vendor_hal_displayfeature_xiaomi_default:file read;
+allow vendor_hal_perf_default mi_thermald:dir r_dir_perms;
+allow vendor_hal_perf_default mi_thermald:file r_file_perms;
+
+set_prop(vendor_hal_perf_default, vendor_wlc_public_prop)
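Review bot: `allow vendor_hal_perf_default hal_graphics_composer_default:file append;` together with the `process getpgid` rule means the perf HAL writes into the composer's /proc/<pid> files; a comment naming the file it appends to (and likewise for the `hal_audio_default` and `mi_thermald` reads) would make the grant reviewable. `thermal_data_file:file { getattr open read setattr unlink }` lets the perf HAL change ownership/mode of and delete files that mi_thermald creates; if it only consumes them, `r_file_perms` is enough, and if deletion is intended a comment should say why. `allow vendor_hal_perf_default hal_graphics_composer:dir search;` is on the attribute and so reaches the /proc directories of composer clients too; `hal_graphics_composer_default` is the subject used everywhere else in this file.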

+ 1 - 0
sepolicy/vendor/hal_power.te

@@ -0,0 +1 @@
+allow hal_power_default touchfeature_device:chr_file rw_file_perms;

+ 27 - 0
sepolicy/vendor/hal_quickcamera.te

@@ -0,0 +1,27 @@
+type hal_quickcamera_default, domain;
+type hal_quickcamera_default_exec, exec_type, file_type, vendor_file_type;
+type hal_quickcamera_hwservice, hwservice_manager_type;
+hal_attribute(quickcamera)
+allow hal_quickcamera_client hal_quickcamera_server:binder { call transfer };
+allow hal_quickcamera_client hal_quickcamera_server:binder transfer;
+allow hal_quickcamera_client hal_quickcamera_server:fd *;
+allow hal_quickcamera_client hal_quickcamera_hwservice:hwservice_manager find;
+allow hal_quickcamera_server hal_quickcamera_client:binder transfer;
+allow hal_quickcamera_server hal_quickcamera_client:binder { call transfer };
+allow hal_quickcamera_server hal_quickcamera_client:fd *;
+allow hal_quickcamera_server hidl_base_hwservice:hwservice_manager add;
+allow hal_quickcamera_server hal_quickcamera_hwservice:hwservice_manager { add find };
+allow hal_quickcamera_default platform_app:binder transfer;
+allow hal_quickcamera_default platform_app:binder { call transfer };
+allow hal_quickcamera_default platform_app:fd *;
+allow hal_quickcamera_default system_app:binder transfer;
+allow hal_quickcamera_default system_app:binder { call transfer };
+allow hal_quickcamera_default system_app:fd *;
+allow hal_quickcamera platform_app:binder transfer;
+allow hal_quickcamera platform_app:binder { call transfer };
+allow hal_quickcamera platform_app:fd *;
+allow hal_quickcamera system_app:binder transfer;
+allow hal_quickcamera system_app:binder { call transfer };
+allow hal_quickcamera system_app:fd *;
+init_daemon_domain(hal_quickcamera_default)
+hal_server_domain(hal_quickcamera_default, hal_quickcamera)
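Review bot: The two `hwservice_manager` rules on `hal_quickcamera_server` (`hidl_base_hwservice … add` and `hal_quickcamera_hwservice … { add find }`) are the expansion of `add_hwservice` without its neverallow; every other HAL in this commit uses the macro, and `add_hwservice(hal_quickcamera_server, hal_quickcamera_hwservice)` here would stop other domains from registering under this hwservice name. The six rules with the `hal_quickcamera` attribute as subject repeat the six just above on `hal_quickcamera_default`, and because the attribute also covers the HAL's clients they hand client domains binder/fd access to `platform_app` and `system_app` as well; keep only the `hal_quickcamera_default` set. This is also the only server domain in the commit without `hwbinder_use(hal_quickcamera_default)` — confirm `hal_server_domain` covers that in this tree, or add it.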

+ 3 - 0
sepolicy/vendor/hal_secure_element.te

@@ -0,0 +1,3 @@
+allow hal_secure_element_default hal_mtdservice_hwservice:hwservice_manager find;
+allow hal_secure_element_default hal_mtdservice_default:binder { call transfer };
+allow hal_secure_element_default hal_mtdservice_default:fd *;
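Review bot: These three rules are the client half of what `hal_client_domain(hal_secure_element_default, hal_mtdservice)` would grant through the `hal_mtdservice_client` rules already in hal_mtdservice.te; the macro keeps the binder permissions in one place and covers the `hwservice_manager find` too. If the hand-written form is deliberate (for instance to keep an AOSP HAL domain out of the vendor attribute), a one-line comment saying so would stop the next reader from "fixing" it.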

+ 26 - 0
sepolicy/vendor/hal_sensorcommunicate.te

@@ -0,0 +1,26 @@
+type vendor_hal_sensorcommunicate_default, domain;
+type vendor_hal_sensorcommunicate_default_exec, exec_type, file_type, vendor_file_type;
+type vendor_hal_sensorcommunicate_hwservice, hwservice_manager_type;
+attribute vendor_hal_sensorcommunicate;
+attribute vendor_hal_sensorcommunicate_client;
+attribute vendor_hal_sensorcommunicate_server;
+allow vendor_hal_sensorcommunicate_client vendor_hal_sensorcommunicate_server:binder { call transfer };
+allow vendor_hal_sensorcommunicate_client vendor_hal_sensorcommunicate_server:binder transfer;
+allow vendor_hal_sensorcommunicate_client vendor_hal_sensorcommunicate_server:fd *;
+allow vendor_hal_sensorcommunicate_client vendor_hal_sensorcommunicate_hwservice:hwservice_manager find;
+allow vendor_hal_sensorcommunicate_server vendor_hal_sensorcommunicate_client:binder transfer;
+allow vendor_hal_sensorcommunicate_server vendor_hal_sensorcommunicate_client:binder { call transfer };
+allow vendor_hal_sensorcommunicate_server vendor_hal_sensorcommunicate_client:fd *;
+allow vendor_hal_sensorcommunicate_default fwk_sensor_hwservice:hwservice_manager find;
+allow vendor_hal_sensorcommunicate_default vendor_hal_citsensorservice_xiaomi_hwservice:hwservice_manager find;
+allow vendor_hal_sensorcommunicate_default system_server:binder call;
+allow vendor_hal_sensorcommunicate_default system_server:binder transfer;
+allow vendor_hal_sensorcommunicate_default vendor_hal_citsensorservice_xiaomi_default:binder call;
+allow vendor_hal_sensorcommunicate_default vendor_hal_citsensorservice_xiaomi_default:binder transfer;
+allow vendor_hal_sensorcommunicate_default mnt_vendor_file:dir search;
+allow vendor_hal_sensorcommunicate_default vendor_persist_sensors_file:dir search;
+allow vendor_hal_sensorcommunicate_default vendor_persist_sensors_file:file { getattr open read };
+init_daemon_domain(vendor_hal_sensorcommunicate_default)
+hwbinder_use(vendor_hal_sensorcommunicate_default)
+hal_server_domain(vendor_hal_sensorcommunicate_default, vendor_hal_sensorcommunicate)
+add_hwservice(vendor_hal_sensorcommunicate_server, vendor_hal_sensorcommunicate_hwservice)
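Review bot: `allow vendor_hal_sensorcommunicate_default system_server:binder call;` has a vendor domain initiating a binder call into a coredomain; system/sepolicy neverallows that unless the domain carries `binder_in_vendor_violators`, so this line will most likely fail the neverallow check at build time — confirm against the platform policy in this tree before relying on it. The three hand-declared `attribute vendor_hal_sensorcommunicate…` lines mirror what `hal_attribute()` produces; if the `vendor_` prefix is intentional, a comment should say so, otherwise `hal_attribute(sensorcommunicate)` plus `binder_call` and `hal_attribute_hwservice` would replace the seven binder/fd/find rules that follow. `vendor_persist_sensors_file:file { getattr open read }` is `r_file_perms`.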

+ 8 - 0
sepolicy/vendor/hal_sensors.te

@@ -0,0 +1,8 @@
+allow hal_sensors_default audio_socket:sock_file rw_file_perms;
+allow hal_sensors_default hal_audio_default:unix_stream_socket connectto;
+allow hal_sensors_default sound_device:chr_file rw_file_perms;
+allow hal_sensors_default vendor_sysfs_graphics:dir r_dir_perms;
+allow hal_sensors_default vendor_sysfs_graphics:file r_file_perms;
+allow hal_sensors_default stmvl53l5_device:chr_file { ioctl open read write };
+
+allow hal_sensors_default sysfs_tp_fodstatus:file r_file_perms;

+ 17 - 0
sepolicy/vendor/hal_slaservice.te

@@ -0,0 +1,17 @@
+type hal_slaservice_qti, domain;
+type hal_slaservice_qti_exec, exec_type, file_type, vendor_file_type;
+type hal_slaservice_hwservice, hwservice_manager_type;
+hal_attribute(slaservice)
+allow hal_slaservice_qti vendor_slad_prop:file read;
+allow hal_slaservice_qti socket_device:sock_file write;
+allow hal_slaservice_client hal_slaservice_server:binder { call transfer };
+allow hal_slaservice_client hal_slaservice_server:fd *;
+allow hal_slaservice_client hal_slaservice_hwservice:hwservice_manager find;
+allow hal_slaservice_server hal_slaservice_client:binder transfer;
+init_daemon_domain(hal_slaservice_qti)
+unix_socket_connect(hal_slaservice_qti, property, slad)
+unix_socket_connect(hal_slaservice_qti, slad, init)
+unix_socket_connect(hal_slaservice_qti, slad, slad)
+set_prop(hal_slaservice_qti, vendor_slad_prop)
+hal_server_domain(hal_slaservice_qti, hal_slaservice)
+add_hwservice(hal_slaservice_server, hal_slaservice_hwservice)
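Review bot: The three `unix_socket_connect` lines pair mismatched sockets and servers: `(hal_slaservice_qti, property, slad)` grants write on `property_socket` plus connectto `slad`, and `(hal_slaservice_qti, slad, init)` grants write on `slad_socket` plus connectto `init`; only `(hal_slaservice_qti, slad, slad)` is coherent, and the property-socket connect is already provided by `set_prop(hal_slaservice_qti, vendor_slad_prop)`, so the first two should go. `allow hal_slaservice_qti vendor_slad_prop:file read;` is a partial `get_prop` and is likewise covered by `set_prop`. `allow hal_slaservice_qti socket_device:sock_file write;` allows writing to any unlabelled socket in /dev/socket; since slad.te labels its socket `slad_socket`, this generic grant should not be needed.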

+ 34 - 0
sepolicy/vendor/hal_tidaservice.te

@@ -0,0 +1,34 @@
+type hal_tidaservice_default, domain;
+type hal_tidaservice_default_exec, exec_type, file_type, vendor_file_type;
+type hal_tidaservice_hwservice, hwservice_manager_type;
+hal_attribute(tidaservice)
+allow hal_tidaservice_client hal_tidaservice_server:binder { call transfer };
+allow hal_tidaservice_client hal_tidaservice_server:binder transfer;
+allow hal_tidaservice_client hal_tidaservice_server:fd *;
+allow hal_tidaservice_client hal_tidaservice_hwservice:hwservice_manager find;
+allow hal_tidaservice_server hal_tidaservice_client:binder transfer;
+allow hal_tidaservice_server hal_tidaservice_client:binder { call transfer };
+allow hal_tidaservice_server hal_tidaservice_client:fd *;
+allow hal_tidaservice_default hal_mtdservice_default:binder { call transfer };
+allow hal_tidaservice_default hal_mtdservice_default:fd *;
+allow hal_tidaservice_default tee_device:chr_file rw_file_perms;
+allow hal_tidaservice_default firmware_file:dir r_dir_perms;
+allow hal_tidaservice_default firmware_file:file r_file_perms;
+allow hal_tidaservice_default ion_device:chr_file rw_file_perms;
+allow hal_tidaservice_default rootfs:lnk_file r_file_perms;
+allow hal_tidaservice_default hal_mtdservice_hwservice:hwservice_manager find;
+allow hal_tidaservice_default platform_app:binder transfer;
+allow hal_tidaservice_default vendor_hal_tui_comm_hwservice:hwservice_manager find;
+allow hal_tidaservice_default vendor_hal_tui_comm_hwservice:binder { call transfer };
+allow hal_tidaservice_default vendor_hal_tui_comm_qti:binder { call transfer };
+allow hal_tidaservice_default sysfs:dir { open read };
+allow hal_tidaservice_default sysfs:file { open read write };
+allow hal_tidaservice_default vendor_dmabuf_qseecom_heap_device:chr_file { ioctl open read };
+allow hal_tidaservice_default vendor_dmabuf_qseecom_ta_heap_device:chr_file { ioctl open read };
+init_daemon_domain(hal_tidaservice_default)
+get_prop(hal_tidaservice_default, vendor_fp_prop)
+get_prop(hal_tidaservice_default, vendor_system_prop)
+get_prop(hal_tidaservice_default, vendor_payment_security_prop)
+hwbinder_use(hal_tidaservice_default)
+hal_server_domain(hal_tidaservice_default, hal_tidaservice)
+add_hwservice(hal_tidaservice_server, hal_tidaservice_hwservice)
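Review bot: The TEE access block (`tee_device`, `firmware_file`, `ion_device`, the two qseecom dmabuf heaps, `vendor_hal_tui_comm_*`, generic `sysfs` read/write) is copied verbatim from hal_mfidoca.te, hal_mlipay.te and hal_mtdservice.te; a shared attribute (for example `xiaomi_tee_client`) carrying one copy of these rules would keep the four domains in sync when one of them changes. `allow hal_tidaservice_default sysfs:file { open read write };` is a write on the generic sysfs type, i.e. any unlabelled sysfs node; if one specific node is meant it should get its own label, otherwise a comment should name which node is written.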

+ 14 - 0
sepolicy/vendor/hwservice_contexts

@@ -0,0 +1,14 @@
+vendor.xiaomi.hardware.campostproc::IMiPostProcService       u:object_r:vendor_hal_camerapostproc_xiaomi_hwservice:s0
+vendor.xiaomi.hardware.displayfeature::IDisplayFeature       u:object_r:vendor_hal_displayfeature_xiaomi_hwservice:s0
+vendor.qti.sla.service::ISlaService                          u:object_r:hal_slaservice_hwservice:s0
+vendor.xiaomi.sensor.citsensorservice::ICitSensorService   u:object_r:vendor_hal_citsensorservice_xiaomi_hwservice:s0
+vendor.xiaomi.sensor.communicate::ISensorCommunicate  u:object_r:vendor_hal_sensorcommunicate_hwservice:s0
+vendor.xiaomi.hardware.quickcamera::IQuickCameraService    u:object_r:hal_quickcamera_hwservice:s0
+
+vendor.dolby.hardware.dms::IDms          u:object_r:hal_dms_hwservice:s0
+vendor.xiaomi.hardware.mfidoca::IFidoService       u:object_r:hal_mfidoca_hwservice:s0
+vendor.xiaomi.hardware.mlipay::IMlipayService       u:object_r:hal_mlipay_hwservice:s0
+vendor.xiaomi.hardware.mtdservice::IMTService       u:object_r:hal_mtdservice_hwservice:s0
+vendor.xiaomi.hardware.tidaservice::ITidaService       u:object_r:hal_tidaservice_hwservice:s0
+vendor.xiaomi.hardware.bgservice::IBGService                 u:object_r:vendor_hal_camerapostproc_xiaomi_hwservice:s0
+vendor.xiaomi.hardware.fx.tunnel::IMiFxTunnel                                        u:object_r:vendor_hal_fingerprint_hwservice_xiaomi:s0
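Review bot: `vendor.xiaomi.hardware.bgservice::IBGService` is labelled with the same `vendor_hal_camerapostproc_xiaomi_hwservice` type as `vendor.xiaomi.hardware.campostproc::IMiPostProcService`, so every domain allowed to add or find the postproc service can register or look up bgservice as well. If a different process serves it, give it its own hwservice type; if the same server registers both, a comment on the line saying so would make the shared label look intentional.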

+ 8 - 0
sepolicy/vendor/init.te

@@ -0,0 +1,8 @@
+allow init ddr_training_exec:file { execute getattr open read };
+allow init slad_exec:file { getattr open read };
+allow init sla_data_file:file rw_file_perms;
+allow vendor_init vendor_ddr_prop:property_service set;
+set_prop(vendor_init, vendor_fp_prop)
+set_prop(vendor_init, vendor_fp_info_prop)
+set_prop(vendor_init, vendor_qcc_prop)
+allow vendor_init cgroup:file getattr;
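Review bot: `allow vendor_init vendor_ddr_prop:property_service set;` is the bare `set` half of `set_prop` and lacks the property-socket connect and read that the macro adds, unlike the three `set_prop(vendor_init, …)` lines after it; use `set_prop(vendor_init, vendor_ddr_prop)`. `allow init ddr_training_exec:file { execute getattr open read };` is what `init_daemon_domain(ddr_training)` already emits through `domain_auto_trans`; if ddr_training.te (not visible here) declares that, this line is redundant, and if it does not, the binary runs in the `init` domain with init's privileges — worth confirming which. `allow init sla_data_file:file rw_file_perms;` puts `init` rather than `vendor_init` on a vendor data file; vendor rc scripts run as `vendor_init`, so check whether `vendor_init` was intended.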

+ 30 - 0
sepolicy/vendor/mi_thermald.te

@@ -0,0 +1,30 @@
+type mi_thermald, domain, mlstrustedsubject;
+type mi_thermald_exec, exec_type, vendor_file_type, file_type;
+allow mi_thermald sysfs_devices_system_cpu:file rw_file_perms;
+allow mi_thermald self:capability { fsetid sys_boot };
+allow mi_thermald sysfs_thermal:file w_file_perms;
+allow mi_thermald sysfs:file w_file_perms;
+allow mi_thermald vendor_sysfs_kgsl:dir r_dir_perms;
+allow mi_thermald vendor_sysfs_kgsl:file rw_file_perms;
+allow mi_thermald vendor_sysfs_kgsl:lnk_file r_file_perms;
+allow mi_thermald vendor_sysfs_battery_supply:dir r_dir_perms;
+allow mi_thermald vendor_sysfs_battery_supply:file rw_file_perms;
+allow mi_thermald vendor_sysfs_battery_supply:lnk_file r_file_perms;
+allow mi_thermald vendor_sysfs_qcom_battery:file rw_file_perms;
+allow mi_thermald vendor_sysfs_graphics:dir r_dir_perms;
+allow mi_thermald vendor_sysfs_graphics:file rw_file_perms;
+allow mi_thermald vendor_sysfs_graphics:lnk_file r_file_perms;
+allow mi_thermald thermal_data_file:dir { add_name read remove_name search watch write };
+allow mi_thermald thermal_data_file:file { create getattr open read rename setattr unlink write };
+allow mi_thermald mi_thermald:capability { chown fowner };
+allow mi_thermald mi_thermald:capability2 { block_suspend wake_alarm };
+allow mi_thermald vendor_data_file:dir { add_name read remove_name watch write };
+allow mi_thermald vendor_data_file:file { create getattr open read rename setattr unlink write };
+allow mi_thermald sys_thermal_wifi_limit:file { open read write };
+allow mi_thermald sys_thermal_wifi_limit:file rw_file_perms;
+init_daemon_domain(mi_thermald)
+r_dir_file(mi_thermald, sysfs_thermal)
+r_dir_file(mi_thermald, sysfs)
+r_dir_file(mi_thermald, sysfs_leds)
+r_dir_file(mi_thermald, vendor_sysfs_qcom_battery)
+set_prop(mi_thermald, vendor_thermal_normal_prop)
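Review bot: `allow mi_thermald sysfs:file w_file_perms;` together with `r_dir_file(mi_thermald, sysfs)` grants write access to every node carrying the generic `sysfs` label, which is most of the tree; the nodes the daemon actually tunes should be labelled (as `sysfs_thermal`, `vendor_sysfs_kgsl` and the others here already are) and the generic rule dropped. `self:capability { fsetid sys_boot }` lets the daemon reboot or power off the device; if that is the thermal-shutdown path, a one-line comment saying so will keep the grant from being trimmed later. `allow mi_thermald mi_thermald:capability { chown fowner };` and the `capability2` rule spell out the domain where the file otherwise writes `self`, and the two `sys_thermal_wifi_limit:file` rules are duplicates (`rw_file_perms` already contains `{ open read write }`).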

+ 1 - 0
sepolicy/vendor/modprobe.te

@@ -0,0 +1 @@
+allow vendor_modprobe block_device:dir search;

+ 40 - 0
sepolicy/vendor/property.te

@@ -0,0 +1,40 @@
+# Camera
+vendor_public_prop(vendor_camera_sensor_prop)
+
+# DDR
+vendor_public_prop(vendor_ddr_prop)
+
+# Device ID
+vendor_public_prop(vendor_deviceid_prop)
+vendor_public_prop(vendor_sno_prop)
+vendor_public_prop(vendor_cpuid_prop)
+
+# Dolby
+vendor_internal_prop(vendor_dolbyv_prop)
+
+# Display
+vendor_public_prop(vendor_displayfeature_prop)
+vendor_internal_prop(vendor_ctl_vendor_display_prop)
+
+# Fingerprint
+vendor_restricted_prop(vendor_fp_info_prop)
+vendor_public_prop(vendor_fp_prop)
+
+# GNSS
+vendor_public_prop(vendor_edgnss_qxwz_downloadak_prop)
+vendor_public_prop(vendor_mi_ins_prop)
+
+# Mlipay
+vendor_public_prop(vendor_payment_security_prop)
+
+# NFC
+vendor_public_prop(vendor_nfc_mi_prop)
+
+# Panel
+vendor_public_prop(vendor_panel_info_prop)
+
+# SLA
+type vendor_slad_prop, property_type, vendor_property_type;
+
+# Thermal
+vendor_public_prop(vendor_thermal_normal_prop)
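Review bot: `type vendor_slad_prop, property_type, vendor_property_type;` declares the SLA property type by hand while every other type in this file goes through `vendor_public_prop` / `vendor_internal_prop` / `vendor_restricted_prop`; the macros attach the accessibility attribute that the platform's property neverallows key on, so use `vendor_internal_prop(vendor_slad_prop)` (or the public form if system code reads it) for consistency. `vendor_deviceid_prop` and `vendor_sno_prop` hold IMEI/MEID and serial numbers per property_contexts yet are declared `vendor_public_prop`, whereas the fingerprint uid/info type got `vendor_restricted_prop`; consider the restricted form for the device identifiers too unless a system-side reader is known.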

+ 144 - 0
sepolicy/vendor/property_contexts

@@ -0,0 +1,144 @@
+# Camera
+vendor.camera.sensor. u:object_r:vendor_camera_sensor_prop:s0
+
+# DDR
+vendor.ddr_training.is.start u:object_r:vendor_ddr_prop:s0
+
+# Device ID
+persist.vendor.radio.imei u:object_r:vendor_deviceid_prop:s0
+persist.vendor.radio.meid u:object_r:vendor_deviceid_prop:s0
+ro.vendor.oem.imei u:object_r:vendor_deviceid_prop:s0
+ro.vendor.oem.meid u:object_r:vendor_deviceid_prop:s0
+ro.vendor.oem.psno u:object_r:vendor_sno_prop:s0
+ro.vendor.oem.sno u:object_r:vendor_sno_prop:s0
+
+# Display
+persist.vendor.dc_backlight.enable u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.dc_backlight.threshold u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.df.color.temp u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.df.extcolor.proc u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.dfps.level u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.disable_idle_fps u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.disable_idle_fps.threshold u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.displayfeature.video.pq.type u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.dolbyvision.flat_on u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.fod.modified.dc_status u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.max.brightness u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.power.dfps.level u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.all_modes.colorpick_adjust u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.aod.brightness.cust u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.aod_layer.check u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.bcbc.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.cabc.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.cct.need.check.touch.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.colorpick_adjust u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.df.effect.conflict u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.dfps.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.ai_disp.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.aod_monitor_default_fps u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.benchmark_app u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.default_fps u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.dither u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.dolbyvision.support u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.dual_builtin_disp u:object_r:vendor_displayfeature_prop:s0
+#ro.vendor.display.dynamic_refresh_rate u:object_r:vendor_promotion_prop:s0
+ro.vendor.display.expert_calib.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.fod_monitor_default_fps u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.hwc_thermal_dimming u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.idle_default_fps u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.idle_default_fps.support u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.ltpo.idle.switch.powercloud u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.ltpo.powerfull.with.charger.support u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.ltpo.sync.tp u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.ltpo.tp.idle.lowbrightness.support u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.mi_calib.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.nature_mode.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.papercontrast.opt u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.primary.fps.limit u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.primary_idle_refresh_rate u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.secondary_idle_refresh_rate u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.set_fps_stat_timer_ms u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.set_sec_idle_timer_ms u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.switch_resolution.support u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.touch.idle.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.type u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.ultimate.perf.support u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.video_or_camera_fps.support u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.displayfeature.dump u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.dualpanel.dfps u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.eyecare.level u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.eyecare.threshold u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.fod.110nit.lux.level u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.fod.dimlayer.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.fps.switch.default u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.fps.switch.thermal u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.gcp.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.hbm_backlight.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.hist.threshold u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.histogram.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.localhbm.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.media.video.style.support u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.need.check.cup.hbm.coverlayer.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.pcc.dc.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.sdr2hdr.by.layer.support u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.sf.enable_fb_scaling u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.soft_backlight.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.sre.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.standard.video.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.thermal.dimming.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.use.partial.brightness u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.video.style.by.layer.support u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.video_box.version u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.whitepoint_calibration_enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.xiaomi.bl.poll u:object_r:vendor_displayfeature_prop:s0
+vendor.display.enable_fb_scaling u:object_r:vendor_displayfeature_prop:s0
+vendor.display.hwc_backlight.support u:object_r:vendor_displayfeature_prop:s0
+vendor.displayfeature.entry.enable u:object_r:vendor_displayfeature_prop:s0
+vendor.hbm.enable u:object_r:vendor_displayfeature_prop:s0
+vendor.video.mode.status u:object_r:vendor_displayfeature_prop:s0
+
+# Dolby
+vendor.dolbyv. u:object_r:vendor_dolbyv_prop:s0
+
+# Fingerprint
+persist.vendor.sys.fp. u:object_r:vendor_fp_prop:s0
+persist.vendor.sys.fp.info u:object_r:vendor_fp_info_prop:s0
+persist.vendor.sys.fp.uid u:object_r:vendor_fp_info_prop:s0
+vendor.fps_hal. u:object_r:vendor_fp_prop:s0
+vendor.panel.display. u:object_r:vendor_fp_prop:s0
+ro.hardware.fp.udfps u:object_r:vendor_fp_prop:s0
+
+# GNSS
+ro.vendor.gnss.edgnss.downloadQxwzAk u:object_r:vendor_edgnss_qxwz_downloadak_prop:s0
+
+# Panel
+vendor.panel. u:object_r:vendor_panel_info_prop:s0
+
+# Mlipay
+persist.vendor.sys.pay.fido u:object_r:vendor_payment_security_prop:s0
+persist.vendor.sys.pay.fido2 u:object_r:vendor_payment_security_prop:s0
+persist.vendor.sys.pay.ifaa u:object_r:vendor_payment_security_prop:s0
+persist.vendor.sys.pay.soter u:object_r:vendor_payment_security_prop:s0
+persist.vendor.sys.pay.widevine u:object_r:vendor_payment_security_prop:s0
+persist.vendor.sys.provision.status u:object_r:vendor_payment_security_prop:s0
+vendor.sys.feature_state u:object_r:vendor_payment_security_prop:s0
+vendor.sys.rpmb_state u:object_r:vendor_payment_security_prop:s0
+
+# NFC
+ro.vendor.nfc. u:object_r:vendor_nfc_mi_prop:s0
+ro.vendor.se. u:object_r:vendor_nfc_mi_prop:s0
+
+# Sensors
+persist.vendor.sensors.ins. u:object_r:vendor_mi_ins_prop:s0
+persist.vendor.sensors.ins_debug u:object_r:vendor_mi_ins_prop:s0
+
+# SLA
+vendor.sla.enabled u:object_r:vendor_slad_prop:s0
+vendor.sla.ifaces u:object_r:vendor_slad_prop:s0
+vendor.sla.mode u:object_r:vendor_slad_prop:s0
+vendor.sla.uidwhitelist u:object_r:vendor_slad_prop:s0
+vendor.sla.wlan.interface u:object_r:vendor_slad_prop:s0
+vendor.sla.wwan.interface u:object_r:vendor_slad_prop:s0
+
+# Thermal
+vendor.sys.thermal.data.path u:object_r:vendor_thermal_normal_prop:s0
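Review bot: `vendor.panel.display.` is mapped to `vendor_fp_prop` while the enclosing prefix `vendor.panel.` maps to `vendor_panel_info_prop`; the longer prefix wins, so any domain with `set_prop(…, vendor_fp_prop)` (hal_fingerprint_default, vendor_init) can write panel display properties and readers of them need `vendor_fp_prop` rather than the panel type — a comment explaining the overlap, or moving the entry to the fingerprint section, would mark this as intentional rather than a mislabel. The commented-out `#ro.vendor.display.dynamic_refresh_rate … vendor_promotion_prop` line references a type this commit does not declare; delete it or replace it with a note, and the same applies to `#set_prop(rild, default_prop)` in rild.te.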

+ 2 - 0
sepolicy/vendor/qrtr.te

@@ -0,0 +1,2 @@
+allow vendor_qrtr vendor_data_file:dir create_dir_perms;
+allow vendor_qrtr vendor_data_file:file create_file_perms;
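Review bot: Both rules grant create/write on the generic `vendor_data_file` label, which is the fallback type for anything under /data/vendor without a more specific label, so a compromised qrtr process could tamper with other vendor daemons' state stored there. If qrtr only needs its own directory, declare a dedicated type (e.g. `type vendor_qrtr_data_file, file_type, data_file_type;` in file.te, labeled in file_contexts) and grant these two rules on that type instead, keeping the `vendor_data_file` grant only if the path written really is the /data/vendor root. The file.te and file_contexts changes are outside this hunk, so I cannot confirm whether a suitable type already exists.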

+ 9 - 0
sepolicy/vendor/rild.te

@@ -0,0 +1,9 @@
+allow rild vendor_radio_smd_device:file { open read write };
+allow rild vendor_radio_smd_device:chr_file { open read write };
+allow rild vendor_modem_data_file:dir create_dir_perms;
+allow rild vendor_modem_data_file:file create_file_perms;
+set_prop(rild, vendor_deviceid_prop)
+set_prop(rild, vendor_sno_prop)
+#set_prop(rild, default_prop)
+allow rild vendor_data_file:dir create_dir_perms;
+allow rild vendor_data_file:file create_file_perms;
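Review bot: L1321 grants `file` class access on `vendor_radio_smd_device` while L1322 grants `chr_file` on the same type; a device node is a character device, so the `file` rule looks like a denial-log artifact of a mislabeled path and should be dropped rather than keeping both. L1328–L1329 additionally give rild create/write on the generic `vendor_data_file` label on top of the dedicated `vendor_modem_data_file` already granted at L1323–L1324; if a specific path triggered this, label it with its own type instead of opening the whole /data/vendor fallback. L1325–L1326 make rild a writer of `vendor_deviceid_prop` and `vendor_sno_prop`, which judging by the names carry device identifiers read by other domains, so confirm rild is the intended source, and remove the commented-out `#set_prop(rild, default_prop)` at L1327 rather than leaving a hint to grant the catch-all property label later.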

+ 36 - 0
sepolicy/vendor/slad.te

@@ -0,0 +1,36 @@
+type slad, domain;
+type slad_exec, exec_type, file_type, vendor_file_type;
+type qti_proc_sla, proc_type;
+allow slad slad_socket:sock_file { getattr read write };
+allow slad slad_socket:sock_file unlink;
+allow slad slad:netlink_socket { bind create read write };
+allow slad proc_net:file { getattr open read };
+allow slad system_file:lnk_file getattr;
+allow slad self:capability { net_admin net_raw setgid setuid };
+allow slad self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow slad self:netlink_generic_socket { bind create read setopt write };
+allow slad self:rawip_socket { create getopt read setopt write };
+allow slad self:udp_socket { connect create getattr };
+allow slad sla_data_file:dir { add_name create read remove_name search unlink write };
+allow slad sla_data_file:dir create_dir_perms;
+allow slad sla_data_file:file create_file_perms;
+allow slad sla_data_file:file rw_file_perms;
+allow slad socket_device:dir write;
+allow slad socket_device:dir remove_name;
+allow slad socket_device:dir add_name;
+allow slad socket_device:sock_file { create setattr unlink };
+allow slad qti_proc_sla:dir search;
+allow slad qti_proc_sla:file { map open read write };
+allow slad vendor_shell_exec:file execute_no_trans;
+dontaudit slad self:capability dac_read_search;
+init_daemon_domain(slad)
+unix_socket_connect(slad, dnsproxyd, slad)
+unix_socket_connect(slad, dnsproxyd, netd)
+unix_socket_connect(slad, dnsproxyd, init)
+unix_socket_connect(slad, fwmarkd, slad)
+unix_socket_connect(slad, fwmarkd, netd)
+unix_socket_connect(slad, fwmarkd, init)
+unix_socket_connect(slad, property, slad)
+unix_socket_connect(slad, property, netd)
+set_prop(slad, vendor_slad_prop)
+net_domain(slad)
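Review bot: `execute_no_trans` on `vendor_shell_exec` (L1358) combined with `net_admin net_raw` and the raw/netlink socket grants (L1343–L1346) means any shell command slad spawns keeps slad's full network privilege in the same domain; if only a fixed helper script is needed, give it its own exec type with a domain transition, otherwise drop the rule if the denial was a transient bring-up artifact. `nlmsg_write` on `netlink_tcpdiag_socket` (L1344) is the permission SOCK_DESTROY needs, so it lets slad tear down other processes' sockets and should stay only if that is a documented function of the daemon. `unix_socket_connect(slad, dnsproxyd, slad)`, `unix_socket_connect(slad, fwmarkd, slad)`, `unix_socket_connect(slad, property, slad)` and the `init` variants for dnsproxyd/fwmarkd (L1361–L1368) name domains that do not serve those sockets (netd serves dnsproxyd/fwmarkd; init serves property and is already covered by `set_prop`), so they are dead rules that can go. L1348 and L1351 are subsumed by `create_dir_perms`/`create_file_perms` at L1349–L1350; `slad_socket` and a genfs entry for `qti_proc_sla` are not declared in this hunk, so I cannot verify those definitions.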

+ 4 - 0
sepolicy/vendor/surfaceflinger.te

@@ -0,0 +1,4 @@
+allow surfaceflinger vendor_sysfs_displayfeature:dir r_dir_perms;
+allow surfaceflinger vendor_sysfs_displayfeature:file rw_file_perms;
+allow surfaceflinger vendor_displayfeature_device:chr_file { ioctl open read write };
+allow surfaceflinger vendor_sysfs_graphics:dir { open read search };
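Review bot: L1378 grants unrestricted `ioctl` on `vendor_displayfeature_device` from surfaceflinger, a core domain that processes untrusted app buffers, without an `allowxperm` allowlist, so every ioctl number the driver exposes becomes reachable from it. If the set of commands is known, add `allowxperm surfaceflinger vendor_displayfeature_device:chr_file ioctl { <cmd numbers> };` beside this rule, and consider narrowing `rw_file_perms` on `vendor_sysfs_displayfeature` (L1377) to the specific attribute files if only one or two are written. Which ioctls or sysfs nodes the vendor blobs actually use is not visible in this hunk.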

+ 1 - 0
sepolicy/vendor/system_server.te

@@ -0,0 +1 @@
+allow system_server vendor_hal_displayfeature_xiaomi_default:binder { call transfer };
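Review bot: L1385 grants a raw `binder { call transfer }` to the vendor HAL domain instead of the Treble client macro, so the rule documents neither the interface nor the transport and will not cover the `hwservice_manager find` that a hwbinder client also needs. If `vendor_hal_displayfeature_xiaomi_default` serves the hwservice listed in hwservice_contexts, the idiomatic form is `hal_client_domain(system_server, hal_displayfeature_xiaomi)`. The attribute and hwservice declarations are outside this hunk, so confirm they exist before switching.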

+ 3 - 0
sepolicy/vendor/tee.te

@@ -0,0 +1,3 @@
+allow tee vendor_fingerprint_data_file:dir rw_dir_perms;
+allow tee vendor_fingerprint_data_file:file rw_file_perms;
+allow tee vendor_fingerprint_data_file:file create_file_perms;
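Review bot: L1392 is redundant with L1393, since `create_file_perms` is a superset of `rw_file_perms`, so one of the two lines should be removed. If tee only needs to read and update existing template files, keep `rw_file_perms` and drop the `create` grant (which also carries unlink and rename) to narrow what a compromised TEE client could do to stored fingerprint data; which of the two is actually needed is not visible in this hunk.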

+ 11 - 0
sepolicy/vendor/vendor_qti_init_shell.te

@@ -0,0 +1,11 @@
+allow vendor_qti_init_shell configfs:dir { add_name create write };
+# NECESSARY?
+allow vendor_qti_init_shell configfs:dir setattr;
+# END
+allow vendor_qti_init_shell sysfs_dm:file rw_file_perms;
+allow vendor_qti_init_shell sysfs_dm:dir r_dir_perms;
+allow vendor_qti_init_shell vendor_sysfs_msm_perf:file w_file_perms;
+allow vendor_qti_init_shell vendor_sysfs_qdss_dev:file { setattr write };
+set_prop(vendor_qti_init_shell, vendor_panel_info_prop)
+
+#get_prop(vendor_qti_init_shell, default_prop)
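Review bot: The `# NECESSARY?` / `# END` markers around L1401 and the commented-out `#get_prop(vendor_qti_init_shell, default_prop)` at L1409 are bring-up scaffolding that should be resolved before merging: either confirm the `configfs:dir setattr` is exercised by an init script and replace the marker with a comment naming that script, or drop the rule and the commented line. `default_prop` is the catch-all label for unlabeled properties, so later un-commenting that line would silently expose every unlabeled property to the init shell, and removing the hint avoids that. L1406 gives write/setattr on `vendor_sysfs_qdss_dev` to a shell domain; if this is only a one-time ownership/mode fixup, `chown`/`chmod` entries in the init .rc file run as init and would not widen the shell's policy, though I cannot tell from the hunk which script triggers it.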

+ 25 - 0
sepolicy/vendor/vendorcodec.te

@@ -0,0 +1,25 @@
+type vendorcodec, domain;
+type vendorcodec_exec, exec_type, file_type, vendor_file_type;
+allow vendorcodec hal_sensors_hwservice:hwservice_manager find;
+allow vendorcodec fwk_sensor_hwservice:hwservice_manager find;
+allow vendorcodec hal_sensors_default:fd *;
+allow vendorcodec storage_file:lnk_file read;
+allow vendorcodec mnt_user_file:dir search;
+allow vendorcodec mnt_user_file:lnk_file read;
+allow vendorcodec hal_configstore_default:binder call;
+allow vendorcodec media_rw_data_file:file write;
+allow vendorcodec gpu_device:chr_file { getattr ioctl open read write };
+allow vendorcodec gpu_device:chr_file map;
+allow vendorcodec vendor_display_prop:file read;
+allow vendorcodec vendor_display_prop:file open;
+allow vendorcodec vendor_display_prop:file getattr;
+allow vendorcodec vendor_display_prop:file map;
+allow vendorcodec dmabuf_system_heap_device:chr_file { getattr ioctl open read };
+init_daemon_domain(vendorcodec)
+set_prop(vendorcodec, vendor_dolbyv_prop)
+vndbinder_use(vendorcodec)
+hal_server_domain(vendorcodec, hal_codec2)
+hal_client_domain(vendorcodec, hal_allocator)
+hal_client_domain(vendorcodec, hal_codec2)
+hal_client_domain(vendorcodec, hal_graphics_allocator)
+hal_client_domain(vendorcodec, hal_sensors)
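Review bot: L1427–L1430 grant the raw property-file permissions on `vendor_display_prop` piecemeal instead of `get_prop(vendorcodec, vendor_display_prop)`, and L1419 uses the wildcard `hal_sensors_default:fd *` where `use` is the only permission in the fd class; both should take the conventional form (`get_prop(vendorcodec, vendor_display_prop)` and `allow vendorcodec hal_sensors_default:fd use;`) so that later neverallow audits read them correctly. The domain decodes untrusted media yet also gets `hwservice_manager find` on the sensors HAL (L1417–L1418, L1439) and search/read into user storage mount points (L1420–L1422); if a codec feature genuinely needs these they deserve a comment saying which, otherwise they widen what a codec exploit can reach. Whether `hal_server_domain(vendorcodec, hal_codec2)` together with `hal_client_domain(vendorcodec, hal_codec2)` is intended cannot be decided from this hunk.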

+ 2 - 0
sepolicy/vendor/vndservice_contexts

@@ -0,0 +1,2 @@
+display.mistcservice                                  u:object_r:vendor_mistcdisplay_service:s0
+DisplayFeatureControl                          u:object_r:vendor_DisplayFeatureControl_service:s0

+ 16 - 0
sepolicy/vendor/wcnss_service.te

@@ -0,0 +1,16 @@
+#allow vendor_wcnss_service self:netlink_generic_socket ioctl;
+allow vendor_wcnss_service self:capability { net_raw setgid setuid };
+#allow vendor_wcnss_service self:packet_socket { bind create getopt ioctl map read setopt };
+allow vendor_wcnss_service self:packet_socket write;
+allow vendor_wcnss_service sysfs_net:file read;
+allow vendor_wcnss_service vendor_mac_vendor_data_file:dir { add_name open read search setattr write };
+allow vendor_wcnss_service vendor_mac_vendor_data_file:dir rw_dir_perms;
+allow vendor_wcnss_service vendor_mac_vendor_data_file:file { create getattr open read setattr write };
+allow vendor_wcnss_service mnt_vendor_file:dir { add_name create read search write };
+allow vendor_wcnss_service mnt_vendor_file:file { create open read setattr write };
+#allow vendor_wcnss_service vendor_diag_device:chr_file { create ioctl open read write };
+allow vendor_wcnss_service vendor_sysfs_diag:dir search;
+allow vendor_wcnss_service vendor_sysfs_diag:file { open read };
+allow vendor_wcnss_service vendor_wifi_vendor_log_data_file:dir { add_name getattr open read remove_name search setattr write };
+allow vendor_wcnss_service vendor_wifi_vendor_log_data_file:file { append create getattr open read rename setattr unlink write };
+allow vendor_wcnss_service vendor_proc_wifi_dbg:file { create getattr open read setattr write };
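Review bot: L1460–L1461 grant create/write on the generic `mnt_vendor_file` label, i.e. the /mnt/vendor/persist root rather than a dedicated subdirectory type, so the WLAN service could create or overwrite files in other persist subtrees that carry no more specific label; if it writes under a fixed path (the existing `vendor_mac_vendor_data_file` at L1457–L1459 suggests one), label that path and drop these two rules. The commented-out rules at L1452, L1454 and L1462 (including `vendor_diag_device` access) should be removed rather than shipped as hints, and L1457 is subsumed by `rw_dir_perms` at L1458. `create` on `vendor_proc_wifi_dbg:file` (L1467) is a no-op for procfs and looks like an audit2allow artifact; trimming it to `{ getattr open read setattr write }` keeps the rule honest about what the process does.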