sm8250-common: add sepolicies from nio

state: fffc7ba5a6

BoardConfigCommon.mk

@@ -207,6 +207,9 @@ ENABLE_VENDOR_RIL_SERVICE := true
 
 # SELinux
 include device/qcom/sepolicy_vndr/SEPolicy.mk
+BOARD_VENDOR_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/vendor
+PRODUCT_PRIVATE_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/private
+PRODUCT_PUBLIC_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/public
 
 # Verified Boot
 BOARD_AVB_ENABLE := true

sepolicy/private/permissioncontroller_app.te

@@ -0,0 +1 @@
+allow permissioncontroller_app tethering_service:service_manager find;

sepolicy/private/platform_app.te

@@ -0,0 +1,2 @@
+hal_client_domain(platform_app, hal_ifaa);
+hal_client_domain(platform_app, vendor_hal_soter);

sepolicy/private/radio.te

@@ -0,0 +1,2 @@
+allow radio mot_radio_service:service_manager { add find };
+allow radio mot_system_service:service_manager find;

sepolicy/private/service.te

@@ -0,0 +1,2 @@
+type mot_radio_service, service_manager_type;
+type mot_system_service, service_manager_type;

sepolicy/private/service_contexts

@@ -0,0 +1,2 @@
+motoexttelephony                          u:object_r:mot_radio_service:s0
+moto_ext_telephony.registry               u:object_r:mot_system_service:s0

sepolicy/private/vendor_qtelephony.te

@@ -0,0 +1,2 @@
+allow vendor_qtelephony mot_radio_service:service_manager find;
+allow vendor_qtelephony mot_system_service:service_manager find;

sepolicy/public/attributes

@@ -0,0 +1,2 @@
+hal_attribute_lineage(cameradesktop)
+hal_attribute_lineage(ifaa)

sepolicy/vendor/device.te

@@ -0,0 +1,10 @@
+# Fingerprint
+type etsd_device, dev_type;
+
+# Moto partitions
+type vendor_hw_block_device, dev_type;
+type vendor_prodpersist_block_device, dev_type;
+type vendor_utags_block_device, dev_type;
+
+# Thermal
+type vendor_thermal_device, dev_type;

sepolicy/vendor/domain.te

@@ -0,0 +1 @@
+get_prop({domain -coredomain -appdomain}, vendor_mot_hw_prop)

sepolicy/vendor/file.te

@@ -0,0 +1,26 @@
+# Camera
+type vendor_persist_camera_file, file_type, vendor_persist_type;
+
+# Cutback
+type cutback_data_file, file_type, data_file_type;
+type cutback_socket, file_type;
+
+# Fingerprint
+type vendor_persist_fps_file, file_type, vendor_persist_type;
+
+# Input Devices
+type vendor_sysfs_input, sysfs_type, fs_type;
+
+# Motorola
+type proc_moto_boot, proc_type, fs_type;
+type vendor_motobox_exec, exec_type, vendor_file_type, file_type;
+type vendor_proc_hw, proc_type, fs_type;
+
+# Partitions
+type fsg_file, file_type, contextmount_type, vendor_file_type;
+
+# Power
+type proc_sched_lib_mask_cpuinfo, proc_type, fs_type;
+
+# Touchscreen
+type vendor_sysfs_touchpanel, fs_type, sysfs_type;

sepolicy/vendor/file_contexts

@@ -0,0 +1,80 @@
+# A/B partitions
+/dev/block/platform/soc/1d84000\.ufshc/by-name/fsg_[ab]         u:object_r:vendor_modem_efs_partition_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/logo_[ab]        u:object_r:vendor_custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/mdm1m9kefs3_[ab] u:object_r:vendor_efs_boot_dev:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/prov_[ab]        u:object_r:vendor_custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/spss_[ab]        u:object_r:vendor_custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/storsec_[ab]     u:object_r:vendor_custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/vendor_boot_[ab] u:object_r:boot_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/sd[df]                   u:object_r:vendor_gpt_block_device:s0
+
+# UFS Devices
+/dev/block/platform/soc/1d84000\.ufshc/by-name/hw               u:object_r:vendor_hw_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/prodpersist      u:object_r:vendor_prodpersist_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/utags            u:object_r:vendor_utags_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/utagsBackup      u:object_r:vendor_utags_block_device:s0
+
+# Partition Mountpoints
+/(vendor|system/vendor)/fsg                             u:object_r:fsg_file:s0
+/(vendor|system/vendor)/super_fsg                       u:object_r:fsg_file:s0
+/(vendor|system/vendor)/super_modem                     u:object_r:firmware_file:s0
+
+# Awinic
+/(mnt/vendor/persist|persist)/factory/audio/aw_cali.bin u:object_r:vendor_persist_audio_file:s0
+
+# Camera
+/(mnt/vendor/persist|persist)/camera(/.*)?              u:object_r:vendor_persist_camera_file:s0
+/(vendor|system/vendor)/bin/hw/motorola\.hardware\.camera\.desktop@2\.0-service u:object_r:hal_cameradesktop_default_exec:s0
+/(vendor|system/vendor)/bin/vl53l1_daemon               u:object_r:vl53l1_exec:s0
+/(vendor|system/vendor)/lib64/libipebpsstriping\.so     u:object_r:same_process_hal_file:s0
+/data/vendor/misc/imager                                u:object_r:vendor_camera_data_file:s0
+/sys/devices/platform/soc/soc:qcom,cam-req-mgr/video4linux/video[0-33]/name(/.*)?       u:object_r:vendor_sysfs_jpeg:s0
+/sys/devices/virtual/input/input[0-9]+/calibration_data u:object_r:vendor_sysfs_laser:s0
+/sys/devices/virtual/input/input[0-9]+/do_flush         u:object_r:vendor_sysfs_laser:s0
+/sys/devices/virtual/input/input[0-9]+/enable_ps_sensor u:object_r:vendor_sysfs_laser:s0
+/sys/devices/virtual/input/input[0-9]+/offset           u:object_r:vendor_sysfs_laser:s0
+/sys/devices/virtual/input/input[0-9]+/xtalk            u:object_r:vendor_sysfs_laser:s0
+
+# Fingerprint
+/(mnt/vendor/persist|persist)/fps(/.*)?                 u:object_r:vendor_persist_fps_file:s0
+/(vendor|system/vendor)/bin/fpc_ident                   u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service-ets              u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service-fpc              u:object_r:hal_fingerprint_default_exec:s0
+/data/vendor/.fps(/.*)?                                 u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor/fpc(/.*)?                                  u:object_r:fingerprint_vendor_data_file:s0
+/dev/esfp0                                              u:object_r:etsd_device:s0
+/sys/devices/soc/0\.et320(/.*)?                         u:object_r:vendor_sysfs_fingerprint:s0
+
+# IFAA
+/(vendor|system/vendor)/bin/hw/vendor\.zui\.hardware\.ifaa@1\.0-service                 u:object_r:hal_ifaa_default_exec:s0
+
+# Lights
+/(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.motokona              u:object_r:hal_light_default_exec:s0
+
+# Motobox
+/(vendor|system/vendor)/bin/motobox                     u:object_r:vendor_motobox_exec:s0
+
+#poweropt-service
+/(vendor|system/vendor)/bin/poweropt-service            u:object_r:vendor_poweroptservice_exec:s0
+
+# Radio
+/data/vendor/misc/cutback(/.*)?                         u:object_r:cutback_data_file:s0
+/dev/socket/cutback                                     u:object_r:cutback_socket:s0
+
+# Touch
+/(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch@1\.0-service\.nio			u:object_r:hal_lineage_touch_default_exec:s0
+
+# Thermal
+/dev/mmi_sys_temp                                       u:object_r:vendor_thermal_device:s0
+
+# Vendor init scripts
+/(vendor|system/vendor)/bin/init\.mmi\.laser\.sh                u:object_r:vendor_mmi_laser_exec:s0
+/(vendor|system/vendor)/bin/init\.mmi\.touch\.sh                u:object_r:vendor_init_touch_exec:s0
+/(vendor|system/vendor)/bin/init\.oem\.fingerprint2\.sh         u:object_r:vendor_init_fingerprint_exec:s0
+/(vendor|system/vendor)/bin/init\.oem\.fingerprint\.overlay\.sh u:object_r:vendor_init_fingerprint_exec:s0
+/(vendor|system/vendor)/bin/init\.oem\.hw\.sh                   u:object_r:vendor_init_hw_exec:s0
+
+# Wakeups
+/sys/devices/virtual/input/input[0-9]+/wakeup[0-9]+(/.*)?       u:object_r:sysfs_wakeup:s0
+/sys/devices/platform/soc/[^*]+/wakeup/wakeup[0-9]+(/.*)?       u:object_r:sysfs_wakeup:s0
+/sys/devices/virtual/misc/[^*]+/wakeup[0-9]+(/.*)?              u:object_r:sysfs_wakeup:s0

sepolicy/vendor/genfs_contexts

@@ -0,0 +1,57 @@
+# Camera
+genfscon sysfs /devices/platform/cam_sync/video4linux/video1/name               u:object_r:sysfs_graphics:s0
+
+# Fingerprint
+genfscon sysfs /devices/platform/egis_input                                     u:object_r:vendor_sysfs_fingerprint:s0
+
+# Health
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,qpnp-smb5-mmi/power_supply/battery u:object_r:vendor_sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,qpnp-smb5-mmi/power_supply/mmi_battery u:object_r:vendor_sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,qpnp-smb5/power_supply/qcom_battery u:object_r:vendor_sysfs_battery_supply:s0
+
+# Input Devices
+genfscon sysfs /devices/virtual/input                                           u:object_r:vendor_sysfs_input:s0
+
+# Lights
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-05/c440000.qcom,spmi:qcom,pm8150l@5:qcom,leds@d000/leds/charging u:object_r:sysfs_leds:s0
+
+# Motorola
+genfscon proc /bootinfo                                                         u:object_r:proc_moto_boot:s0
+genfscon proc /config                                                           u:object_r:vendor_proc_hw:s0
+genfscon proc /hw                                                               u:object_r:vendor_proc_hw:s0
+
+# PowerHal
+genfscon proc /sys/kernel/sched_lib_name                                        u:object_r:proc_sched_lib_mask_cpuinfo:s0
+genfscon proc /sys/kernel/sched_lib_mask_force                                  u:object_r:proc_sched_lib_mask_cpuinfo:s0
+
+# RTC
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm8150@0:qcom,pm8150_rtc/rtc/rtc0 u:object_r:sysfs_rtc:s0
+
+# Sensors
+genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/panelName              u:object_r:vendor_sysfs_data:s0
+genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/panelRegDA             u:object_r:vendor_sysfs_data:s0
+
+# STM Prox Sensor
+genfscon sysfs /devices/virtual/laser                                           u:object_r:vendor_sysfs_laser:s0
+genfscon sysfs /module/stmvl53l1                                                u:object_r:vendor_sysfs_laser:s0
+
+# Touchscreen
+genfscon sysfs /class/touchscreen                                               u:object_r:vendor_sysfs_touchpanel:s0
+genfscon sysfs /devices/virtual/touchscreen                                     u:object_r:vendor_sysfs_touchpanel:s0
+
+# Vibrator
+genfscon sysfs /devices/platform/soc/884000.i2c/i2c-1/1-005a/leds/vibrator      u:object_r:sysfs_vibrator:s0
+
+# Wakeup
+genfscon sysfs /devices/0306_02.01.00/wakeup/wakeup                             u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c00000.qcom,pcie/pci0000:00/0000:00:00.0/0000:01:00.0/1101_00.01.00/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1e00000.qcom,ipa/wakeup/wakeup             u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/984000.i2c/i2c-0/0-0028/wakeup/wakeup      u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,qpnp-smb5-mmi/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,qpnp-smb5-mmi/power_supply/mmi_battery/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,qpnp-smb5-mmi/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,qpnp-smb5/power_supply/qcom_battery/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-04/c440000.qcom,spmi:qcom,pm8150l@4:qcom,power-on@800/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,msm-audio-apr/soc:qcom,msm-audio-apr:qcom,q6core-audio/soc:qcom,msm-audio-apr:qcom,q6core-audio:bolero-cdc/rx-macro/rx_swr_ctrl/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-npu/wakeup/wakeup           u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/diag/diag/wakeup                                u:object_r:sysfs_wakeup:s0

sepolicy/vendor/hal_bootctl_default.te

@@ -0,0 +1,8 @@
+allow hal_bootctl_default vendor_uefi_block_device:blk_file getattr;
+allow hal_bootctl_default {
+    vendor_efs_boot_dev
+    vendor_modem_efs_partition_device
+}:blk_file rw_file_perms;
+
+# We never apply OTAs when GSI is running
+dontaudit hal_bootctl_default gsi_metadata_file:dir search;

sepolicy/vendor/hal_camera_default.te

@@ -0,0 +1,25 @@
+# Allow hal_camera_default to read to mnt/vendor/persist
+allow hal_camera_default mnt_vendor_file:dir search;
+
+# Allow hal_camera_default to call system_server
+binder_call(hal_camera_default, system_server)
+
+# Camera props
+get_prop(hal_camera_default, exported_radio_prop)
+
+# STM Prox Sensor
+allow hal_camera_default vendor_sysfs_laser:file rw_file_perms;
+allow hal_camera_default input_device:chr_file r_file_perms;
+allow hal_camera_default input_device:dir r_dir_perms;
+
+r_dir_file(hal_camera_default, vendor_sysfs_input)
+r_dir_file(hal_camera_default, vendor_persist_camera_file)
+r_dir_file(hal_camera_default, vendor_sysfs_battery_supply)
+
+# (X)DSP
+allow hal_camera_default vendor_xdsp_device:chr_file r_file_perms;
+
+# QSPM hal service for accessing camera info
+hal_client_domain(hal_camera_default, vendor_hal_qspmhal)
+
+hal_client_domain(hal_camera_default, hal_cameradesktop)

sepolicy/vendor/hal_cameradesktop.te

@@ -0,0 +1,17 @@
+type hal_cameradesktop_default, domain;
+hal_server_domain(hal_cameradesktop_default, hal_cameradesktop)
+
+type hal_cameradesktop_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_cameradesktop_default)
+
+# Allow hwbinder call from hal client to server
+binder_call(hal_cameradesktop_client, hal_cameradesktop_server)
+
+# Add hwservice related rules
+add_hwservice(hal_cameradesktop_server, hal_cameradesktop_hwservice)
+allow hal_cameradesktop_client hal_cameradesktop_hwservice:hwservice_manager find;
+
+allow hal_cameradesktop_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow hal_cameradesktop_server vendor_sysfs_graphics:file r_file_perms;
+allow hal_cameradesktop_server vendor_sysfs_jpeg:file r_file_perms;
+allow hal_cameradesktop_server video_device:chr_file rw_file_perms;

sepolicy/vendor/hal_fingerprint_default.te

@@ -0,0 +1,11 @@
+allow hal_fingerprint_default {
+  etsd_device
+  tee_device
+}: chr_file rw_file_perms;
+
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+r_dir_file(hal_fingerprint_default, firmware_file)
+set_prop(hal_fingerprint_default, vendor_mot_fingerprint_prop)
+allow hal_fingerprint_default vendor_sysfs_fingerprint:dir r_dir_perms;
+allow hal_fingerprint_default vendor_sysfs_fingerprint:file rw_file_perms;
+allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;

sepolicy/vendor/hal_ifaa.te

@@ -0,0 +1,18 @@
+type hal_ifaa_default, domain;
+hal_server_domain(hal_ifaa_default, hal_ifaa)
+
+type hal_ifaa_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_ifaa_default)
+
+# Allow hwbinder call from hal client to server
+binder_call(hal_ifaa_client, hal_ifaa_server)
+
+# Add hwservice related rules
+add_hwservice(hal_ifaa_server, hal_ifaa_hwservice)
+allow hal_ifaa_client hal_ifaa_hwservice:hwservice_manager find;
+
+#Allow access to tee device
+allow hal_ifaa_server tee_device:chr_file rw_file_perms;
+
+#Allow access to ion device
+allow hal_ifaa_server ion_device:chr_file r_file_perms;

sepolicy/vendor/hal_lineage_touch_default.te

@@ -0,0 +1,2 @@
+allow hal_lineage_touch_default vendor_sysfs_touchpanel:dir search;
+allow hal_lineage_touch_default vendor_sysfs_touchpanel:file rw_file_perms;

sepolicy/vendor/hal_nfc_default.te

@@ -0,0 +1,4 @@
+add_hwservice(hal_nfc_default, nxpese_hwservice)
+add_hwservice(hal_nfc_default, nxpnfc_hwservice)
+allow hal_nfc_default vendor_nfc_vendor_data_file:dir create_dir_perms;
+allow hal_nfc_default vendor_nfc_vendor_data_file:file create_file_perms;

sepolicy/vendor/hal_power_default.te

@@ -0,0 +1,2 @@
+allow hal_power_default vendor_sysfs_touchpanel:dir search;
+allow hal_power_default vendor_sysfs_touchpanel:file rw_file_perms;

sepolicy/vendor/hal_sensors_default.te

@@ -0,0 +1,5 @@
+allow hal_sensors_default vendor_sysfs_laser:dir r_dir_perms;
+allow hal_sensors_default vendor_sysfs_laser:file { setattr rw_file_perms };
+
+allow hal_sensors_default vendor_sysfs_input:dir r_dir_perms;
+allow hal_sensors_default vendor_sysfs_input:file rw_file_perms;

sepolicy/vendor/hwservice.te

@@ -0,0 +1,4 @@
+type hal_cameradesktop_hwservice, hwservice_manager_type;
+type hal_ifaa_hwservice, hwservice_manager_type;
+type nxpese_hwservice, hwservice_manager_type;
+type nxpnfc_hwservice, hwservice_manager_type;

sepolicy/vendor/hwservice_contexts

@@ -0,0 +1,13 @@
+# Camera
+motorola.hardware.camera.desktop::ICameraDesktop                        u:object_r:hal_cameradesktop_hwservice:s0
+
+# Fingerprint
+com.motorola.hardware.biometric.fingerprint::IMotoFingerPrint           u:object_r:hal_fingerprint_hwservice:s0
+com.motorola.hardware.biometric.fingerprint::IMotoFingerPrintSensorTest u:object_r:hal_fingerprint_hwservice:s0
+
+# IFAA
+vendor.zui.hardware.ifaa::IIFAADevice 					u:object_r:hal_ifaa_hwservice:s0
+
+# NFC
+vendor.nxp.nxpese::INxpEse                                              u:object_r:nxpese_hwservice:s0
+vendor.nxp.nxpnfc::INxpNfc                                              u:object_r:nxpnfc_hwservice:s0

sepolicy/vendor/init.te

@@ -0,0 +1,23 @@
+# Super modem mounting
+allow fsg_file self:filesystem associate;
+allow init fsg_file:dir mounton;
+allow init fsg_file:filesystem { getattr mount relabelfrom unmount };
+allow init firmware_file:filesystem unmount;
+
+# Allow init to access loop devices
+allow init loop_device:blk_file { create setattr unlink };
+allowxperm init loop_device:blk_file ioctl {
+  LOOP_GET_STATUS64
+  LOOP_GET_STATUS
+  LOOP_SET_STATUS64
+  LOOP_SET_STATUS
+  BLKFLSBUF
+};
+
+# Product persist
+allow init mnt_product_file:dir mounton;
+
+recovery_only(`
+  allow init self:capability sys_module;
+  allow init rootfs:system module_load;
+')

sepolicy/vendor/installd.te

@@ -0,0 +1,3 @@
+allow installd bt_firmware_file:filesystem quotaget;
+allow installd firmware_file:filesystem quotaget;
+allow installd fsg_file:filesystem quotaget;

sepolicy/vendor/kernel.te

@@ -0,0 +1,7 @@
+allow kernel block_device:dir search;
+
+allow kernel kernel:capability kill;
+allow kernel {
+	vendor_hw_block_device
+	vendor_utags_block_device
+}:blk_file rw_file_perms;

sepolicy/vendor/poweroptservice.te

@@ -0,0 +1,47 @@
+# Copyright (c) 2019-2020, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+type vendor_poweroptservice, domain;
+type vendor_poweroptservice_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(vendor_poweroptservice)
+
+hwbinder_use(vendor_poweroptservice)
+
+hal_client_domain(vendor_poweroptservice, vendor_hal_perf)
+hal_client_domain(vendor_poweroptservice, hal_graphics_composer)
+
+get_prop(vendor_poweroptservice, vendor_mpctl_prop)
+
+r_dir_file(vendor_poweroptservice, vendor_sysfs_graphics)
+r_dir_file(vendor_poweroptservice, vendor_sysfs_kgsl)
+r_dir_file(vendor_poweroptservice, sysfs_android_usb)
+
+allow vendor_poweroptservice vendor_qdisplay_service:service_manager find;
+allow vendor_poweroptservice input_device:dir r_dir_perms;
+allow vendor_poweroptservice input_device:chr_file rw_file_perms;

sepolicy/vendor/property.te

@@ -0,0 +1,7 @@
+# Motorola
+type vendor_mot_fingerprint_prop, property_type;
+type vendor_mot_hw_prop, property_type;
+type vendor_mot_touch_prop, property_type;
+
+# Power
+type power_prop, property_type;

sepolicy/vendor/property_contexts

@@ -0,0 +1,35 @@
+# Camera
+camera.mot.is.coming.cts   u:object_r:vendor_camera_prop:s0
+
+# Radio
+vendor.ril.                u:object_r:vendor_radio_prop:s0
+gsm.operator.iso-country   u:object_r:exported_radio_prop:s0
+
+# USB
+vendor.rmnet_vnd.rps_mask  u:object_r:vendor_usb_prop:s0
+
+# Motorola
+ro.mot.build.customerid    u:object_r:exported_default_prop:s0
+ro.vendor.hw.              u:object_r:vendor_mot_hw_prop:s0
+ro.vendor.mot.gki.         u:object_r:vendor_mot_hw_prop:s0
+ro.vendor.product.device   u:object_r:vendor_mot_hw_prop:s0
+ro.vendor.product.display  u:object_r:vendor_mot_hw_prop:s0
+ro.vendor.product.hardware.sku.variant          u:object_r:vendor_mot_hw_prop:s0
+ro.vendor.product.model    u:object_r:vendor_mot_hw_prop:s0
+ro.vendor.product.name     u:object_r:vendor_mot_hw_prop:s0
+vendor.hw.touch.status     u:object_r:vendor_mot_touch_prop:s0
+
+# Motorola fingerprint
+persist.vendor.hardware.fingerprint            u:object_r:vendor_mot_fingerprint_prop:s0
+vendor.hw.fps.ident                            u:object_r:vendor_mot_fingerprint_prop:s0
+vendor.hw.fingerprint.status                   u:object_r:vendor_mot_fingerprint_prop:s0
+
+# Power
+vendor.powerhal.state      u:object_r:power_prop:s0
+vendor.powerhal.audio      u:object_r:power_prop:s0
+vendor.powerhal.lpm        u:object_r:power_prop:s0
+vendor.powerhal.init       u:object_r:power_prop:s0
+vendor.powerhal.rendering  u:object_r:power_prop:s0
+
+# GFX
+ro.gfx.driver.1            u:object_r:exported_default_prop:s0

sepolicy/vendor/rild.te

@@ -0,0 +1,7 @@
+get_prop(rild, vendor_radio_prop)
+allow rild fwk_sensor_hwservice:hwservice_manager find;
+allow rild input_device:chr_file r_file_perms;
+allow rild input_device:dir rw_dir_perms;
+allow rild proc_moto_boot:file r_file_perms;
+allow rild cutback_data_file:dir rw_dir_perms;
+allow rild cutback_data_file:sock_file create_file_perms;

sepolicy/vendor/ueventd.te

@@ -0,0 +1 @@
+allow ueventd vendor_persist_audio_file:file r_file_perms;

sepolicy/vendor/update_engine_common.te

@@ -0,0 +1,5 @@
+allow update_engine_common fsg_file:filesystem getattr;
+allow update_engine_common {
+    vendor_efs_boot_dev
+    vendor_modem_efs_partition_device
+}:blk_file rw_file_perms;

sepolicy/vendor/vendor_hal_perf_default.te

@@ -0,0 +1,2 @@
+allow vendor_hal_perf_default proc_sched_lib_mask_cpuinfo:file rw_file_perms;
+binder_call(vendor_hal_perf_default, vendor_poweroptservice)

sepolicy/vendor/vendor_init.te

@@ -0,0 +1,5 @@
+set_prop(vendor_init, vendor_camera_prop)
+set_prop(vendor_init, vendor_ims_prop)
+set_prop(vendor_init, vendor_mot_hw_prop)
+
+allow vendor_init proc_sched_lib_mask_cpuinfo:file w_file_perms;

sepolicy/vendor/vendor_init_fingerprint.te

@@ -0,0 +1,13 @@
+type vendor_init_fingerprint, domain;
+type vendor_init_fingerprint_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_init_fingerprint)
+
+allow vendor_init_fingerprint self:capability { kill sys_module };
+allow vendor_init_fingerprint vendor_file:system module_load;
+allow vendor_init_fingerprint vendor_toolbox_exec:file rx_file_perms;
+allow vendor_init_fingerprint vendor_persist_fps_file:file create_file_perms;
+allow vendor_init_fingerprint vendor_persist_fps_file:dir rw_dir_perms;
+allow vendor_init_fingerprint mnt_vendor_file:dir search;
+
+set_prop(vendor_init_fingerprint, ctl_start_prop)
+set_prop(vendor_init_fingerprint, vendor_mot_fingerprint_prop)

sepolicy/vendor/vendor_init_hw.te

@@ -0,0 +1,15 @@
+type vendor_init_hw, domain;
+type vendor_init_hw_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_init_hw)
+
+allow vendor_init_hw self:capability sys_module;
+allow vendor_init_hw vendor_file:system module_load;
+
+allow vendor_init_hw vendor_proc_hw:dir r_dir_perms;
+allow vendor_init_hw vendor_proc_hw:file rw_file_perms;
+
+allow vendor_init_hw vendor_motobox_exec:file rx_file_perms;
+allow vendor_init_hw vendor_toolbox_exec:file rx_file_perms;
+
+set_prop(vendor_init_hw, vendor_mot_hw_prop)
+set_prop(vendor_init_hw, vendor_mot_touch_prop)

sepolicy/vendor/vendor_init_touch.te

@@ -0,0 +1,8 @@
+type vendor_init_touch, domain;
+type vendor_init_touch_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_init_touch)
+
+allow vendor_init_touch vendor_toolbox_exec:file rx_file_perms;
+
+r_dir_file(vendor_init_touch , vendor_sysfs_touchpanel)
+set_prop(vendor_init_touch, vendor_mot_touch_prop)

sepolicy/vendor/vendor_mdm_helper.te

@@ -0,0 +1,4 @@
+get_prop(vendor_mdm_helper, vendor_radio_prop)
+
+allow vendor_mdm_helper { mnt_vendor_file vendor_persist_rfs_file }:dir search;
+allow vendor_mdm_helper vendor_persist_rfs_file:file rw_file_perms;

sepolicy/vendor/vendor_mmi_laser.te

@@ -0,0 +1,16 @@
+type vendor_mmi_laser, domain;
+type vendor_mmi_laser_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_mmi_laser)
+
+allow vendor_mmi_laser vendor_sysfs_laser:dir r_dir_perms;
+allow vendor_mmi_laser vendor_sysfs_laser:file { setattr rw_file_perms };
+
+allow vendor_mmi_laser self:capability { chown fsetid };
+
+allow vendor_mmi_laser vendor_sysfs_input:dir r_dir_perms;
+
+allow vendor_mmi_laser mnt_vendor_file:dir search;
+allow vendor_mmi_laser vendor_persist_camera_file:dir search;
+allow vendor_mmi_laser vendor_persist_camera_file:file { setattr r_file_perms };
+
+allow vendor_mmi_laser vendor_toolbox_exec:file rx_file_perms;

sepolicy/vendor/vendor_qti_init_shell.te

@@ -0,0 +1,4 @@
+allow vendor_qti_init_shell configfs:dir create_dir_perms;
+allow vendor_qti_init_shell configfs:file create_file_perms;
+allow vendor_qti_init_shell configfs:lnk_file create_file_perms;
+allow vendor_qti_init_shell proc_page_cluster:file w_file_perms;

sepolicy/vendor/vendor_rmt_storage.te

@@ -0,0 +1 @@
+get_prop(vendor_rmt_storage, vendor_radio_prop)

sepolicy/vendor/vendor_thermal-engine.te

@@ -0,0 +1,2 @@
+allow vendor_thermal-engine { proc_stat proc_loadavg }:file r_file_perms;
+allow vendor_thermal-engine vendor_thermal_device:chr_file rw_file_perms;

sepolicy/vendor/vendor_wcnss_service.te

@@ -0,0 +1 @@
+allow vendor_wcnss_service rootfs:dir r_dir_perms;

sepolicy/vendor/vl53l1.te

@@ -0,0 +1,9 @@
+type vl53l1, domain;
+type vl53l1_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(vl53l1)
+
+allow vl53l1 self:netlink_socket { read write create bind };
+allow vl53l1 self:netlink_iscsi_socket { bind create read write };
+allow vl53l1 vendor_sysfs_laser:dir r_dir_perms;
+allow vl53l1 vendor_sysfs_laser:file rw_file_perms;