sepolicy: moving qssi supported legacy target here.

Change-Id: Ife7e851823afc1dcbf2f561c8079795e909544bc
diff --git a/legacy/vendor/common/adbd.te b/legacy/vendor/common/adbd.te
new file mode 100644
index 0000000..54af976
--- /dev/null
+++ b/legacy/vendor/common/adbd.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+allow adbd tombstone_data_file:dir getattr;
+
+unix_socket_connect(adbd, qdcmsocket, qdcm-ss);
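Review bot: The `unix_socket_connect(adbd, qdcmsocket, qdcm-ss);` rule applies on every build variant and carries no comment saying why adbd needs to reach the QDCM daemon. If the connection only serves display-tuning or debug tooling (an assumption, the hunk does not say), wrap it in `userdebug_or_eng(...)` as the later files in this commit do for `diag_use`. If it is needed on user builds, add a one-line comment above the rule naming the client that depends on it.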
diff --git a/legacy/vendor/common/adpl.te b/legacy/vendor/common/adpl.te
new file mode 100644
index 0000000..ebd1d03
--- /dev/null
+++ b/legacy/vendor/common/adpl.te
@@ -0,0 +1,58 @@
+#Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+#Redistribution and use in source and binary forms, with or without
+#modification, are permitted provided that the following conditions are
+#met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+#ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type adpl, domain;
+type adpl_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(adpl)
+net_domain(adpl)
+
+allow adpl {
+    rmnet_device
+    mhi_device
+    ipa_dev
+}:chr_file rw_file_perms;
+
+qmux_socket(adpl)
+
+allow adpl self:{
+    netlink_socket
+    socket
+    udp_socket
+    qipcrtr_socket
+} create_socket_perms_no_ioctl;
+
+allow adpl self:socket ioctl;
+allowxperm adpl self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
+
+allow adpl sysfs_data:file r_file_perms;
+
+set_prop(adpl, vendor_dataadpl_prop)
+
+#diag
+userdebug_or_eng(`
+    diag_use(adpl)
+')
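Review bot: The `allowxperm adpl self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;` line has no effect for `qipcrtr_socket`. That class only receives `create_socket_perms_no_ioctl`, and the plain `ioctl` permission is granted for `self:socket` alone, so there is no `ioctl` permission for the extended rule to refine. If adpl really issues these ioctls on a qipcrtr socket, add `allow adpl self:qipcrtr_socket ioctl;` next to the existing `allow adpl self:socket ioctl;`. Otherwise drop `qipcrtr_socket` from the `allowxperm` so the policy states what is actually permitted.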
diff --git a/legacy/vendor/common/adsprpcd.te b/legacy/vendor/common/adsprpcd.te
new file mode 100644
index 0000000..7a08ace
--- /dev/null
+++ b/legacy/vendor/common/adsprpcd.te
@@ -0,0 +1,47 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# adsprpcd daemon
+type adsprpcd, domain;
+type adsprpcd_exec, exec_type, vendor_file_type, file_type;
+
+# Started by init
+init_daemon_domain(adsprpcd)
+
+allow adsprpcd qdsp_device:chr_file r_file_perms;
+allow adsprpcd xdsp_device:chr_file r_file_perms;
+
+# For reading dir/files on /dsp
+r_dir_file(adsprpcd, adsprpcd_file)
+
+# For reading adsprpc_prop
+get_prop(adsprpcd, adsprpc_prop)
+
+allow adsprpcd ion_device:chr_file r_file_perms;
+allow adsprpcd mnt_vendor_file:dir r_dir_perms;
+allow adsprpcd sensors_persist_file:dir create_dir_perms;
+allow adsprpcd sensors_persist_file:file create_file_perms;
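Review bot: The last four rules are undocumented, and two of them (`sensors_persist_file:dir create_dir_perms` and `sensors_persist_file:file create_file_perms`) give the daemon create and write access under the persist partition. The earlier rules in this file each have a "For reading ..." comment, so these should get one too, for example `# adsprpcd creates sensor registry files under /mnt/vendor/persist/sensors` if that is the actual reason. If the daemon only reads existing files there, `r_dir_file(adsprpcd, sensors_persist_file)` would be the narrower grant.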
diff --git a/legacy/vendor/common/app.te b/legacy/vendor/common/app.te
new file mode 100644
index 0000000..3c8d7b5
--- /dev/null
+++ b/legacy/vendor/common/app.te
@@ -0,0 +1,41 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Allow all apps to open and send ioctl to qdsp device
+allow appdomain qdsp_device:chr_file r_file_perms;
+
+get_prop(appdomain, hwui_prop)
+get_prop(appdomain, bservice_prop)
+get_prop(appdomain, reschedule_service_prop)
+get_prop(appdomain, vendor_iop_prop)
+get_prop(appdomain, vendor_scroll_prop)
+
+# Allow access to qti_logkit
+allow appdomain qti_logkit_pub_socket:dir r_dir_perms;
+
+# Allow all apps to open and send ioctl to npu device
+allow appdomain npu_device:chr_file r_file_perms;
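Review bot: `allow appdomain qdsp_device:chr_file r_file_perms;` and the matching `npu_device` rule give every app domain, untrusted apps included, `open` and `ioctl` on these driver nodes. No `allowxperm` is visible in this hunk, so any ioctl command number would be accepted and the whole driver ioctl surface is exposed to third-party code. Consider pairing each rule with an allowlist such as `allowxperm appdomain qdsp_device:chr_file ioctl { <ALLOWED_IOCTLS_PLACEHOLDER> };`, listing only the commands the client library uses. Alternatively, grant access to a narrower attribute than `appdomain`. The comments should also say which feature requires app-level access.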
diff --git a/legacy/vendor/common/atfwd.te b/legacy/vendor/common/atfwd.te
new file mode 100644
index 0000000..a937b3c
--- /dev/null
+++ b/legacy/vendor/common/atfwd.te
@@ -0,0 +1,48 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type atfwd, domain;
+type atfwd_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(atfwd)
+
+allow atfwd self:{socket qipcrtr_socket } create_socket_perms;
+allowxperm atfwd self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
+
+binder_call(atfwd, system_app);
+
+r_dir_file(atfwd, sysfs_data);
+
+set_prop(atfwd, vendor_radio_prop)
+
+hwbinder_use(atfwd)
+get_prop(atfwd, hwservicemanager_prop)
+
+#diag
+userdebug_or_eng(`
+    diag_use(atfwd)
+')
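Review bot: `binder_call(atfwd, system_app);` has no comment naming the app-side peer. `system_app` is the domain of every platform-signed app running as the system UID, so the rule allows calls into all of them rather than one service. Add a comment above the rule identifying the intended client. The trailing semicolons after `binder_call(...)` and `r_dir_file(...)`, and the missing space in `{socket qipcrtr_socket }`, are also inconsistent with the other macro calls in this file.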
diff --git a/legacy/vendor/common/attributes b/legacy/vendor/common/attributes
new file mode 100644
index 0000000..f770c1f
--- /dev/null
+++ b/legacy/vendor/common/attributes
@@ -0,0 +1,117 @@
+# Copyright (c) 2016-2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# HALs
+attribute hal_display_color;
+attribute hal_display_color_client;
+attribute hal_display_color_server;
+
+attribute hal_display_postproc;
+attribute hal_display_postproc_client;
+attribute hal_display_postproc_server;
+
+attribute hal_hbtp;
+attribute hal_hbtp_client;
+attribute hal_hbtp_server;
+
+attribute hal_perf;
+attribute hal_perf_client;
+attribute hal_perf_server;
+
+attribute wifidisplayhalservice;
+attribute wifidisplayhalservice_client;
+attribute wifidisplayhalservice_server;
+
+attribute hal_alarm_qti;
+attribute hal_alarm_qti_client;
+attribute hal_alarm_qti_server;
+
+attribute hal_vpp;
+attribute hal_vpp_client;
+attribute hal_vpp_server;
+
+attribute hal_wigig;
+attribute hal_wigig_client;
+attribute hal_wigig_server;
+
+attribute hal_qteeconnector;
+attribute hal_qteeconnector_client;
+attribute hal_qteeconnector_server;
+
+attribute hal_esepowermanager;
+attribute hal_esepowermanager_client;
+attribute hal_esepowermanager_server;
+
+attribute hal_iop;
+attribute hal_iop_client;
+attribute hal_iop_server;
+
+attribute hal_voiceprint;
+attribute hal_voiceprint_server;
+attribute hal_voiceprint_client;
+
+attribute vendor_hal_factory_qti;
+attribute vendor_hal_factory_qti_client;
+attribute vendor_hal_factory_qti_server;
+
+attribute hal_wigig_npt;
+attribute hal_wigig_npt_client;
+attribute hal_wigig_npt_server;
+
+attribute hal_qdutils_disp;
+attribute hal_qdutils_disp_client;
+attribute hal_qdutils_disp_server;
+
+attribute hal_tui_comm;
+attribute hal_tui_comm_client;
+attribute hal_tui_comm_server;
+
+attribute hal_soter;
+attribute hal_soter_client;
+attribute hal_soter_server;
+
+attribute hal_sensorscalibrate_qti;
+attribute hal_sensorscalibrate_qti_client;
+attribute hal_sensorscalibrate_qti_server;
+# All types in /mnt/vendor/persist
+attribute vendor_persist_type;
+
+attribute hal_scve;
+attribute hal_scve_client;
+attribute hal_scve_server;
+
+attribute hal_mirrorlink;
+attribute hal_mirrorlink_client;
+attribute hal_mirrorlink_server;
+
+attribute hal_pasrmanager;
+attribute hal_pasrmanager_client;
+attribute hal_pasrmanager_server;
+
+attribute hal_wifilearner;
+attribute hal_wifilearner_client;
+attribute hal_wifilearner_server;
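Review bot: `attribute vendor_persist_type;` and its comment sit inside the `# HALs` list, directly under the `hal_sensorscalibrate_qti` triple with no blank line, so the persist attribute reads as part of that HAL group. Move it below the HAL triples under its own heading, or at least add a blank line before `# All types in /mnt/vendor/persist`. For consistency, the `hal_voiceprint` triple lists `_server` before `_client`, while every other group uses client then server.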
diff --git a/legacy/vendor/common/audiod.te b/legacy/vendor/common/audiod.te
new file mode 100644
index 0000000..5e50ff9
--- /dev/null
+++ b/legacy/vendor/common/audiod.te
@@ -0,0 +1,35 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# audio daemon
+type audiod, domain;
+type audiod_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(audiod)
+allow audiod proc_audiod:file r_file_perms;
+allow audiod audio_device:chr_file rw_file_perms;
+
+binder_call(audiod, audioserver)
diff --git a/legacy/vendor/common/bluetooth.te b/legacy/vendor/common/bluetooth.te
new file mode 100644
index 0000000..cf4d41e
--- /dev/null
+++ b/legacy/vendor/common/bluetooth.te
@@ -0,0 +1,84 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Adding all bt related service to bt domains
+type sapd, bluetoothdomain;
+type sapd_exec, exec_type, vendor_file_type, file_type;
+
+type btsnoop, bluetoothdomain;
+type btsnoop_exec, exec_type, vendor_file_type, file_type;
+
+type btnvtool, bluetoothdomain;
+type btnvtool_exec, exec_type, vendor_file_type, file_type;
+
+type fmhal_service, bluetoothdomain;
+type fmhal_service_exec, exec_type, vendor_file_type, file_type;
+
+allow bluetooth sysfs_bluetooth_writable:file w_file_perms;
+
+#Access to /data/media
+allow bluetooth media_rw_data_file:dir create_dir_perms;
+allow bluetooth media_rw_data_file:file create_file_perms;
+#allow proc_sysrq access for crash dump
+userdebug_or_eng(`
+ allow bluetooth proc_sysrq:file w_file_perms;
+ allow bluetooth qti_debugfs:file r_file_perms;
+')
+
+allow bluetooth {
+    uhid_device
+    serial_device
+    #BT needes read and write on smd device node
+    smd_device
+    bt_device
+}:chr_file rw_file_perms;
+
+
+allow bluetooth self:socket { create write getopt read };
+
+#dun-server requires binding with system_app and servicemanager
+binder_use(bluetooth);
+binder_call(bluetooth, system_app);
+binder_call(bluetooth, servicemanager);
+allow bluetooth dun_service:service_manager find;
+
+
+# for finding wbc_service
+allow bluetooth wbc_service:service_manager find;
+
+# ioctlcmd=c302
+allow bluetooth self:socket ioctl;
+allowxperm bluetooth self:socket ioctl msm_sock_ipc_ioctls;
+
+#SplitA2dp bluetooth requires binding with audio hal
+binder_call(bluetooth, hal_audio);
+allow bluetooth hal_audio_hwservice:hwservice_manager find;
+
+# suppress denials for services, which should not be accessed by bluetooth
+dontaudit bluetooth {
+      netd_service
+}:service_manager find;
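Review bot: The four new types `sapd`, `btsnoop`, `btnvtool` and `fmhal_service` are declared with only the `bluetoothdomain` attribute. This hunk gives them no `domain` attribute and no `init_daemon_domain(...)` or other transition from their `_exec` types. Unless another file supplies those, the labelled executables would keep running in the caller's domain and the types would be unused. The comment `#Adding all bt related service to bt domains` should say where the transitions are defined. Separately, `allow bluetooth media_rw_data_file:{dir,file}` grants create and write on shared storage on all builds with only `#Access to /data/media` as the reason, so the comment should name the feature that needs it.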
diff --git a/legacy/vendor/common/bootanim.te b/legacy/vendor/common/bootanim.te
new file mode 100644
index 0000000..ee1340b
--- /dev/null
+++ b/legacy/vendor/common/bootanim.te
@@ -0,0 +1,32 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# allow bootanim to binder mediaserver
+typeattribute bootanim system_writes_vendor_properties_violators;
+binder_call(bootanim, mediaserver);
+allow bootanim mediaserver_service:service_manager find;
+userdebug_or_eng(`allow bootanim self:process execmem;')
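Review bot: `typeattribute bootanim system_writes_vendor_properties_violators;` exempts bootanim from the neverallow that stops system domains writing vendor properties, yet this hunk contains no `set_prop` rule for bootanim. The only comment above it describes the binder access to mediaserver. If bootanim does not write a vendor property, drop the line so the neverallow check keeps covering this domain. If it does, add a comment naming the property, for example `# bootanim sets <VENDOR_PROPERTY_PLACEHOLDER>; remove once moved to a system property`. The `execmem` grant on userdebug and eng builds also deserves a one-line reason.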
diff --git a/legacy/vendor/common/cameraserver.te b/legacy/vendor/common/cameraserver.te
new file mode 100644
index 0000000..e3f0c26
--- /dev/null
+++ b/legacy/vendor/common/cameraserver.te
@@ -0,0 +1,63 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+allow cameraserver camera_data_file:sock_file write;
+allow cameraserver gpu_device:chr_file rw_file_perms;
+#allow cameraserver mm-qcamerad:unix_dgram_socket sendto;
+#changes to access laser device
+r_dir_file(cameraserver, input_device);
+#Allow surfaceflinger access for camera preview
+allow cameraserver surfaceflinger:unix_stream_socket { read write };
+
+# allow cameraserver to communicate with sensors
+allow cameraserver sensors_device:chr_file rw_file_perms;
+#unix_socket_connect(cameraserver, sensors, sensors);
+allow cameraserver system_server:unix_stream_socket { read write };
+
+get_prop(cameraserver, vendor_camera_prop)
+
+get_prop(cameraserver, camera_prop)
+allow cameraserver self:socket create_socket_perms_no_ioctl;
+allow cameraserver graphics_device:dir r_dir_perms;
+allow cameraserver sensorservice_service:service_manager find;
+allow cameraserver system_file:dir r_dir_perms;
+
+#Allows camera to call ADSP QDSP6 functionality
+allow cameraserver qdsp_device:chr_file r_file_perms;
+allow cameraserver xdsp_device:chr_file r_file_perms;
+get_prop(cameraserver, camera_prop)
+
+#allow cameraserver to read adsprpc_prop
+get_prop(cameraserver, adsprpc_prop)
+
+#need this in full_treble for camera perview
+allow cameraserver hal_allocator:fd use;
+
+# added now for camcorder functionality. need to use HIDL
+userdebug_or_eng(`
+binder_call(cameraserver, hal_graphics_composer)
+')
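Review bot: `get_prop(cameraserver, camera_prop)` appears twice, once after `vendor_camera_prop` and again under the ADSP/QDSP6 rules; the second copy can be dropped. The two commented-out rules (`#allow cameraserver mm-qcamerad:unix_dgram_socket sendto;` and `#unix_socket_connect(cameraserver, sensors, sensors);`) are dead policy in a newly added file and should be removed rather than carried over. In the comments, "perview" should be "preview". The comment `# added now for camcorder functionality. need to use HIDL` would be clearer as a TODO stating what must change before the `hal_graphics_composer` binder call can be removed.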
diff --git a/legacy/vendor/common/cdsprpcd.te b/legacy/vendor/common/cdsprpcd.te
new file mode 100644
index 0000000..5504381
--- /dev/null
+++ b/legacy/vendor/common/cdsprpcd.te
@@ -0,0 +1,46 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# cdsprpcd daemon
+type cdsprpcd, domain;
+type cdsprpcd_exec, exec_type, vendor_file_type, file_type;
+
+# Started by init
+init_daemon_domain(cdsprpcd)
+
+# For reading dir/files on /dsp
+r_dir_file(cdsprpcd, adsprpcd_file)
+
+# For reading adsprpc_prop
+get_prop(cdsprpcd, adsprpc_prop)
+
+allow cdsprpcd qdsp_device:chr_file r_file_perms;
+allow cdsprpcd ion_device:chr_file r_file_perms;
+
+r_dir_file(cdsprpcd, sysfs_devfreq)
+allow cdsprpcd sysfs_devfreq_l3cdsp:dir r_dir_perms;
+allow cdsprpcd sysfs_devfreq_l3cdsp:file rw_file_perms;
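Review bot: `allow cdsprpcd sysfs_devfreq_l3cdsp:file rw_file_perms;` is the only write grant in this file and has no comment, unlike the documented read-only rules above it. Add a line such as `# cdsprpcd writes L3 devfreq votes for the CDSP` if that is the purpose, so a later reader can tell whether write access is still required. If the daemon only reads these nodes, `r_dir_file(cdsprpcd, sysfs_devfreq_l3cdsp)` would be the narrower grant and would match the neighbouring `sysfs_devfreq` rule.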
diff --git a/legacy/vendor/common/charger_monitor.te b/legacy/vendor/common/charger_monitor.te
new file mode 100644
index 0000000..d265277
--- /dev/null
+++ b/legacy/vendor/common/charger_monitor.te
@@ -0,0 +1,43 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#integrated process
+type charger_monitor, domain;
+type charger_monitor_exec, exec_type, vendor_file_type, file_type;
+
+#started by init
+init_daemon_domain(charger_monitor)
+
+#charger monitor will use uevent, visit sysfs and use the wake lock
+allow charger_monitor self:netlink_kobject_uevent_socket { read create setopt bind };
+allow charger_monitor{
+    sysfs_wake_lock
+    sysfs_battery_supply
+}:file rw_file_perms;
+
+allow charger_monitor sysfs_battery_supply:dir r_dir_perms;
+r_dir_file(charger_monitor, sysfs_usb_supply)
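Review bot: The wake-lock access is granted by hand through `sysfs_wake_lock` in the `:file rw_file_perms` set, but writing to the wake-lock node also needs the `block_suspend` capability, which this hunk does not grant. Unless it is allowed elsewhere, the daemon would hit a capability denial when it takes a wake lock. Using the platform macro `wakelock_use(charger_monitor)` and removing `sysfs_wake_lock` from the set covers both the file access and the capability. There is also a missing space in `allow charger_monitor{`.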
diff --git a/legacy/vendor/common/chre.te b/legacy/vendor/common/chre.te
new file mode 100644
index 0000000..c4bb5c4
--- /dev/null
+++ b/legacy/vendor/common/chre.te
@@ -0,0 +1,41 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# This daemon loads the Context Hub Runtime Environment (CHRE) dynamic modules
+# onto the SLPI using FastRPC, and exposes a sockets interface for clients on
+# the applications processor to interact CHRE
+type chre, domain;
+type chre_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(chre)
+r_dir_file(chre, adsprpcd_file)
+get_prop(chre, adsprpc_prop)
+
+allow chre ion_device:chr_file r_file_perms;
+allow chre qdsp_device:chr_file r_file_perms;
+allow chre xdsp_device:chr_file r_file_perms;
+allow chre dsp_device:chr_file r_file_perms;
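Review bot: The four `chr_file` rules at the end of the file give chre read access to `ion_device`, `qdsp_device`, `xdsp_device` and `dsp_device`, while the header comment only mentions loading modules onto the SLPI over FastRPC. If the daemon opens only one FastRPC node, the other DSP grants can be dropped; otherwise each rule should carry a short comment naming the node it covers, e.g. `# FastRPC node used to reach the SLPI`. The header also describes a sockets interface for clients, but no socket type or rule appears in this file, so that part is presumably defined elsewhere and deserves a pointer. Its last line should read "interact with CHRE".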
diff --git a/legacy/vendor/common/clatd.te b/legacy/vendor/common/clatd.te
new file mode 100644
index 0000000..4951e81
--- /dev/null
+++ b/legacy/vendor/common/clatd.te
@@ -0,0 +1,28 @@
+#Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+#Redistribution and use in source and binary forms, with or without
+#modification, are permitted provided that the following conditions are
+#met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+#ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+allow clatd clatd:packet_socket map;
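Review bot: The only rule in this file names its target as `clatd` rather than `self`, and has no comment saying why the packet socket needs `map`. `allow clatd self:packet_socket map;` is the conventional spelling for a domain's own sockets and matches the `self:` rules in the neighbouring files. A one-line comment giving the reason (for instance that clatd mmaps its own packet socket, if that is the case) would make the grant auditable.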
diff --git a/legacy/vendor/common/cnd.te b/legacy/vendor/common/cnd.te
new file mode 100644
index 0000000..5b699d1
--- /dev/null
+++ b/legacy/vendor/common/cnd.te
@@ -0,0 +1,128 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type cnd, domain, mlstrustedsubject;
+type cnd_exec, exec_type, vendor_file_type, file_type;
+file_type_auto_trans(cnd, socket_device, cnd_socket);
+
+# cnd is started by init, type transit from init domain to cnd domain
+init_daemon_domain(cnd)
+
+# associate netdomain as an attribute of cnd domain
+net_domain(cnd)
+
+allow cnd smem_log_device:chr_file rw_file_perms;
+
+# allow cnd the following capability
+allow cnd self:capability {
+    net_admin
+    sys_module
+    net_bind_service
+};
+
+allow cnd self:capability2 block_suspend;
+
+# socket used to communicate with kernel via the netlink syscall
+allow cnd self:{
+    netlink_tcpdiag_socket
+    netlink_route_socket
+    netlink_socket
+    netlink_generic_socket
+    # allow cnd to perform socket operation on itself
+    socket
+    qipcrtr_socket
+} create_socket_perms_no_ioctl;
+
+# allow cnd to read tcp diagnostics through netlink
+allow cnd self:netlink_tcpdiag_socket nlmsg_read;
+
+# allow cnd to set cnd property
+set_prop(cnd, cnd_vendor_prop)
+
+# allow cnd to access cnd_data_file
+allow cnd cnd_data_file:file create_file_perms;
+allow cnd cnd_data_file:sock_file { unlink create setattr };
+allow cnd cnd_data_file:dir rw_dir_perms;
+
+# allow cnd to access qmux_radio_socket
+qmux_socket(cnd)
+
+# allow cnd to access wpa_socket
+unix_socket_send(cnd, wpa, hal_wifi_supplicant)
+allow cnd wifi_vendor_data_file:dir r_dir_perms;
+allow cnd wifi_vendor_wpa_socket:sock_file write;
+allow cnd wpa_data_file:dir w_dir_perms;
+allow cnd wpa_data_file:sock_file create_file_perms;
+
+# allow cnd to obtain wakelock
+wakelock_use(cnd)
+
+# allow access to nims
+allow cnd socket_device:dir remove_name;
+
+# explicitly allow udp socket permissions for appdomain
+#allow cnd appdomain:udp_socket rw_socket_perms;
+
+#allow cnd daemon to invoke hostapd_cli
+allow cnd vendor_shell_exec:file rx_file_perms;
+domain_auto_trans(cnd, hostapd_exec, hostapd)
+allow cnd hostapd_socket:dir r_dir_perms;
+unix_socket_send(cnd, hostapd, hostapd)
+
+# only allow getopt for appdomain
+allow appdomain zygote:unix_dgram_socket getopt;
+dontaudit { domain -appdomain } zygote:unix_dgram_socket getopt;
+
+#diag
+userdebug_or_eng(`
+    diag_use(cnd)
+')
+
+allow cnd proc_meminfo:file r_file_perms;
+allow cnd self:socket ioctl;
+allowxperm cnd self:socket ioctl msm_sock_ipc_ioctls;
+
+allow cnd self:udp_socket ioctl;
+allowxperm cnd self:udp_socket ioctl wlan_sock_ioctls;
+
+allow cnd sysfs_data:file r_file_perms;
+
+add_hwservice(cnd, hal_latency_hwservice)
+add_hwservice(cnd, hal_datafactory_hwservice)
+hwbinder_use(cnd)
+get_prop(cnd, hwservicemanager_prop)
+binder_call(cnd, dataservice_app)
+binder_call(cnd, ims)
+binder_call(cnd, location)
+
+##############################################################
+#for using public interface vendor.qti.data.factory
+#client should add their domain to cnd.te
+##############################################################
+userdebug_or_eng(`
+  binder_call(cnd, radio)
+')
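Review bot: The `allow cnd self:capability` set includes `sys_module`, which lets a daemon that also has `net_domain` load and unload kernel modules, and nothing in the file says what cnd needs it for. If the denial only comes from the kernel autoloading a module on cnd's behalf, the usual answer is `dontaudit cnd self:capability sys_module;` with the allow set reduced to `{ net_admin net_bind_service }`. Separately, `allow appdomain zygote:unix_dgram_socket getopt;` and the matching `dontaudit { domain -appdomain } ...` rule further down apply to every domain rather than to cnd. They are easy to miss in this file and would be easier to audit next to the other domain-wide rules.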
diff --git a/legacy/vendor/common/dataservice_app.te b/legacy/vendor/common/dataservice_app.te
new file mode 100644
index 0000000..6248288
--- /dev/null
+++ b/legacy/vendor/common/dataservice_app.te
@@ -0,0 +1,44 @@
+# Copyright (c) 2015-2016, 2018 The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+get_prop(dataservice_app, cnd_vendor_prop)
+
+allow dataservice_app sysfs_data:file r_file_perms;
+
+userdebug_or_eng(`
+  diag_use(dataservice_app)
+')
+
+allow dataservice_app hal_datafactory_hwservice:hwservice_manager find;
+binder_call(dataservice_app, cnd)
+
+allow dataservice_app hal_imsrcsd_hwservice:hwservice_manager find;
+binder_call(dataservice_app, hal_rcsservice)
+
+r_dir_file(dataservice_app, cnd_data_file)
+
+allow dataservice_app app_api_service:service_manager find;
diff --git a/legacy/vendor/common/device.te b/legacy/vendor/common/device.te
new file mode 100644
index 0000000..5b780a4
--- /dev/null
+++ b/legacy/vendor/common/device.te
@@ -0,0 +1,191 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Define the logging device type
+type diag_device, dev_type, mlstrustedobject;
+type smem_log_device, dev_type;
+
+#Define the hsic device
+type hsic_device, dev_type;
+
+#Define the mhi device
+type mhi_device, dev_type;
+
+#Define the bhi device
+type bhi_device, dev_type;
+
+#device type for smd device nodes, ie /dev/smd*
+type smd_device, dev_type;
+
+#device type for rmnet device nodes, ie /dev/rmnet_ctrl*
+type rmnet_device, dev_type;
+
+#Define thermal-engine devices
+type thermal_device, dev_type;
+
+#Define vm_bms devices
+type vm_bms_device, dev_type;
+type battery_data_device, dev_type;
+
+#Add qdsp_device type
+type qdsp_device, dev_type, mlstrustedobject;
+type dsp_device, dev_type;
+type xdsp_device, dev_type;
+#Define hvdcp/quickcharge device
+type hvdcp_device, dev_type;
+
+#Define mpdecision device
+type device_latency, dev_type;
+
+#Added for fm_radio device
+type  fm_radio_device, dev_type;
+
+#Add for storage pertitions for EFS partitions
+type modem_efs_partition_device, dev_type;
+
+#Define device for partition links
+type ssd_device, dev_type;
+type rpmb_device, dev_type;
+type sg_device, dev_type;
+type dip_device, dev_type;
+type mdtp_device, dev_type;
+type sd_device, dev_type;
+
+#ESOC device
+type esoc_device, dev_type;
+
+#SSR device
+type ssr_device, dev_type;
+
+#Ramdump device
+type ramdump_device, dev_type;
+
+#Kickstart bridge devices
+type ksbridgehsic_device, dev_type;
+
+#EFS sync bridge devices
+type efsbridgehsic_device, dev_type;
+
+#EFS sync block devices
+type efs_boot_dev, dev_type;
+
+#MBA debug image partition
+type mba_debug_dev, dev_type;
+
+#logdump partition
+type logdump_partition, dev_type;
+
+#Bootselect partition
+type bootselect_device, dev_type;
+
+# Define IPA devices
+type ipa_dev, dev_type;
+
+type wcnss_device, dev_type;
+
+# Define spcom device
+type spcom_device, dev_type;
+
+# Define skp device
+type skp_device, dev_type;
+
+# Define sp_ssr device
+type sp_ssr_device, dev_type;
+
+# Define sp_keymaster device
+type sp_keymaster_device, dev_type;
+
+# Define sec_nvm devices
+type sec_nvm_device, dev_type;
+
+# Define cryptoapp device
+type cryptoapp_device, dev_type;
+
+# Define spdaemon_ssr device
+type spdaemon_ssr_device, dev_type;
+
+# Define qsee_ipc_irq_spss device
+type qsee_ipc_irq_spss_device, dev_type;
+
+# Define QDSS devices
+type qdss_device, dev_type;
+
+#Define Gadget serial device
+type gadget_serial_device, dev_type;
+
+#energy-awareness device
+type pta_device, dev_type;
+
+#Added for hbtp
+type bu21150_device, dev_type;
+type hbtp_device, dev_type;
+
+#Define qfintverify device
+type qce_device, dev_type;
+type rng_device, dev_type;
+
+#Define system health monitor devices
+type system_health_monitor_device, dev_type;
+
+#Define usf device
+type usf_device, dev_type;
+
+#Define qbt1000 device - ultrasonic fingperprint sensor
+type qbt1000_device, dev_type;
+
+#Define avtimer device
+type avtimer_device, dev_type;
+
+#define AT device
+type at_device, dev_type;
+
+#define Bluetooth device
+type bt_device, dev_type;
+
+#define Wlan device
+type wlan_device, dev_type;
+
+#Define rawdump block device
+type rawdump_block_device, dev_type;
+
+#Block device for A/B partitions
+type custom_ab_block_device, dev_type;
+type xbl_block_device, dev_type;
+type gpt_block_device, dev_type;
+type modem_block_device, dev_type;
+type uefi_block_device, dev_type;
+
+#define bgcom char device
+type bg_daemon_device, dev_type;
+
+type persist_block_device, dev_type;
+
+#Define npu device
+type npu_device, dev_type;
+
+#define qg char device
+type qg_device, dev_type;
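Review bot: `diag_device` and `qdsp_device` are declared with `mlstrustedobject`, which exempts them from MLS category checks so that type-enforcement rules alone decide who can open them, and the comments above them do not say why. A line such as `# mlstrustedobject: <clients that need access across MLS categories>` on each would let a later reader judge whether the attribute is still needed. `wcnss_device` and `persist_block_device` have no comment at all. Two comments carry typos: `pertitions` and `fingperprint`.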
diff --git a/legacy/vendor/common/diag.te b/legacy/vendor/common/diag.te
new file mode 100644
index 0000000..f0f2c70
--- /dev/null
+++ b/legacy/vendor/common/diag.te
@@ -0,0 +1,71 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type diag, domain;
+type diag_exec, exec_type, vendor_file_type, file_type;
+userdebug_or_eng(`
+  domain_auto_trans(shell, diag_exec, diag)
+  #domain_auto_trans(adbd, diag_exec, diag)
+  allow diag {
+      diag_device
+      devpts
+      console_device
+      # allow access to qseecom for drmdiagapp
+      tee_device
+  }:chr_file rw_file_perms;
+  allow diag {
+      shell
+      su
+  }:fd use;
+
+  allow diag {
+      cgroup
+      fuse
+      persist_drm_file
+  }:dir create_dir_perms;
+
+  allow diag port:tcp_socket name_connect;
+  allow diag self:capability { setuid net_raw sys_admin setgid };
+  allow diag self:capability2 syslog;
+  allow diag self:tcp_socket { create connect setopt};
+  wakelock_use(diag)
+  allow diag kernel:system syslog_mod;
+  # allow drmdiagapp access to drm related paths
+  allow diag mnt_vendor_file:dir r_dir_perms;
+  r_dir_file(diag, persist_data_file)
+  # Write to drm related pieces of persist partition
+  allow diag persist_drm_file:file create_file_perms;
+
+  # For DiagExample daemon
+  init_daemon_domain(diag)
+  net_domain(diag)
+
+  allow diag fuse:dir r_dir_perms;
+  allow diag fuse:file r_file_perms;
+  r_dir_file(diag, storage_file)
+  r_dir_file(diag, mnt_user_file)
+')
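Review bot: The line `allow diag self:capability { setuid net_raw sys_admin setgid };` grants `sys_admin` alongside `setuid`/`setgid`, and the same domain gets `rw_file_perms` on `tee_device` and `name_connect` to any `port`. The comments explain only the drmdiagapp pieces. Everything sits inside `userdebug_or_eng`, so user builds are not affected, but `domain_auto_trans(shell, diag_exec, diag)` makes the whole set reachable from a shell on debug builds. Each grant should carry a comment naming the diag feature that needs it, and `sys_admin` in particular should be justified or dropped. Minor: `{ create connect setopt}` is missing the space before the closing brace.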
diff --git a/legacy/vendor/common/dnsmasq.te b/legacy/vendor/common/dnsmasq.te
new file mode 100644
index 0000000..bb8ce55
--- /dev/null
+++ b/legacy/vendor/common/dnsmasq.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# allow dnsmasq access to netd fifo_file
+allow dnsmasq netd:fifo_file getattr;
diff --git a/legacy/vendor/common/domain.te b/legacy/vendor/common/domain.te
new file mode 100644
index 0000000..665529e
--- /dev/null
+++ b/legacy/vendor/common/domain.te
@@ -0,0 +1,67 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+r_dir_file({domain - isolated_app}, sysfs_socinfo);
+r_dir_file({domain - isolated_app}, sysfs_esoc);
+r_dir_file({domain - isolated_app}, sysfs_ssr);
+
+dontaudit domain kernel:system module_request;
+
+# Allow all domains read access to sysfs_thermal
+r_dir_file({domain - isolated_app}, sysfs_thermal);
+
+# Allow domain to read /vendor -> /system/vendor
+allow domain system_file:lnk_file getattr;
+
+get_prop(domain, vendor_gralloc_prop)
+
+allow domain vendor_configs_file:file r_file_perms;
+
+# Added now for smoother UI
+# Remove this after HIDL implementation
+userdebug_or_eng(`
+allow domain hal_graphics_composer:fd use;
+')
+dontaudit domain persist_dpm_prop:file r_file_perms;
+
+neverallow {
+    coredomain
+    -init
+    -ueventd
+    -vold
+    } vendor_persist_type: { dir file } *;
+
+allow { domain - coredomain } mnt_vendor_file:lnk_file r_file_perms;
+
+allowxperm domain domain:icmp_socket ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+# For compliance testing test suite reads vendor_security_path_level
+# Which is the public readable property “ ro.vendor.build.security_patch
+get_prop(domain, vendor_security_patch_level_prop)
+get_prop(domain, public_vendor_default_prop)
+
+allow domain qti_debugfs:dir search;
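Review bot: `allow domain qti_debugfs:dir search;` on the last line applies to every domain, including `isolated_app` and the other app domains, and unlike the `hal_graphics_composer` rule above it is not wrapped in `userdebug_or_eng`. The `r_dir_file` rules at the top of this file exclude `isolated_app`, so this one should at least read `allow { domain - isolated_app } qti_debugfs:dir search;`. If the directory is only useful for debugging, the rule belongs inside the debug-only block. `dontaudit domain kernel:system module_request;` also silences a denial for all domains without a comment saying which denial prompted it.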
diff --git a/legacy/vendor/common/dpmd.te b/legacy/vendor/common/dpmd.te
new file mode 100644
index 0000000..99bc998
--- /dev/null
+++ b/legacy/vendor/common/dpmd.te
@@ -0,0 +1,55 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Add netutils support to install iptables
+use_netutils(dpmd)
+
+get_prop(dpmd, persist_dpm_prop)
+
+allow dpmd sysfs_wake_lock:file rw_file_perms;
+
+allow dpmd sysfs_data:dir r_dir_perms;
+
+allow dpmd sysfs_data:file r_file_perms;
+
+
+#socket, self
+allow dpmd smem_log_device:chr_file rw_file_perms;
+
+#Allow dpmd to acquire lock for iptables
+allow dpmd system_file:file lock;
+
+#Allow dpmd to connect to hal_dpmQMiMgr
+allow dpmd hal_dpmqmi_hwservice:hwservice_manager find;
+get_prop(dpmd, hwservicemanager_prop)
+binder_call(dpmd,hal_dpmQmiMgr)
+hwbinder_use(dpmd)
+
+#diag
+userdebug_or_eng(`
+    diag_use(dpmd)
+')
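Review bot: The comment `#socket, self` sits above `allow dpmd smem_log_device:chr_file rw_file_perms;`, a character-device rule that involves neither a socket nor `self`, so it looks left over from rules that are no longer here. Replacing it with `# read/write the smem log device node` would match what the rule does. `allow dpmd system_file:file lock;` covers every file labelled `system_file`, so its comment should name the lock file it is meant for.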
diff --git a/legacy/vendor/common/drmserver.te b/legacy/vendor/common/drmserver.te
new file mode 100644
index 0000000..1c29447
--- /dev/null
+++ b/legacy/vendor/common/drmserver.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Address denial logs for drm server accessing qseecom driver
+allow drmserver tee_device:chr_file rw_file_perms;
diff --git a/legacy/vendor/common/dtsconfigurator.te b/legacy/vendor/common/dtsconfigurator.te
new file mode 100644
index 0000000..c75d4ac
--- /dev/null
+++ b/legacy/vendor/common/dtsconfigurator.te
@@ -0,0 +1,35 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type dtsconfigurator, domain;
+type dtsconfigurator_exec, exec_type, vendor_file_type, file_type;
+
+#started by init
+init_daemon_domain(dtsconfigurator)
+
+allow dtsconfigurator audio_device:dir r_dir_perms;
+allow dtsconfigurator audio_device:chr_file rw_file_perms;
diff --git a/legacy/vendor/common/dtseagleservice.te b/legacy/vendor/common/dtseagleservice.te
new file mode 100644
index 0000000..1f4f876
--- /dev/null
+++ b/legacy/vendor/common/dtseagleservice.te
@@ -0,0 +1,49 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type dtseagleservice, domain;
+type dtseagleservice_exec, exec_type, vendor_file_type, file_type;
+
+#Allow for transition from init domain to dtseagleservice
+init_daemon_domain(dtseagleservice)
+
+#Allow dtseagleservice to use Binder IPC
+#binder_use(dtseagleservice)
+
+#Allow dtseagleservice to interact with apps
+binder_call(dtseagleservice, platform_app)
+binder_call(dtseagleservice, system_app)
+
+# Mark dtseagleservice as a Binder service domain
+#binder_service(dtseagleservice)
+
+#Allow dtseagleservice to be registered with service manager
+allow dtseagleservice dtseagleservice_service:service_manager add;
+
+#Allow access to audio drivers
+allow dtseagleservice audio_device:dir r_dir_perms;
+allow dtseagleservice audio_device:chr_file rw_file_perms;
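Review bot: The Binder rules in this file contradict each other: `#binder_use(dtseagleservice)` and `#binder_service(dtseagleservice)` are commented out, yet both `binder_call(...)` lines and `allow dtseagleservice dtseagleservice_service:service_manager add;` are still granted. Unless `binder_use` is supplied for this domain outside this hunk, the `add` rule presumably cannot be exercised and is unused privilege that should be dropped. The same pattern appears in fidodaemon.te. If the rules are kept, replace the stale header `#Allow dtseagleservice to use Binder IPC` with something like `# binder_use intentionally disabled: <reason>`, so a later reader does not re-enable it by guesswork.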
diff --git a/legacy/vendor/common/energyawareness.te b/legacy/vendor/common/energyawareness.te
new file mode 100644
index 0000000..ca77fc0
--- /dev/null
+++ b/legacy/vendor/common/energyawareness.te
@@ -0,0 +1,41 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type energyawareness, domain;
+type energyawareness_exec, exec_type, vendor_file_type, file_type;
+
+#started by init
+init_daemon_domain(energyawareness)
+
+#allow access to pta and uio interface
+allow energyawareness { pta_device uio_device }:chr_file rw_file_perms;
+
+allow energyawareness self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+allow energyawareness sysfs_ea:file w_file_perms;
+
+r_dir_file(energyawareness, sysfs_ea)
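Review bot: `allow energyawareness { pta_device uio_device }:chr_file rw_file_perms;` grants read/write on every character device labelled `uio_device`, not only the node this daemon needs. If other UIO nodes on the target share that label, a compromise of this daemon reaches them as well. Prefer a dedicated type for the one node in file_contexts and grant that instead, e.g. `allow energyawareness { pta_device <ea_uio_device> }:chr_file rw_file_perms;` (placeholder type name). The comment `#allow access to pta and uio interface` should also say why write access is required.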
diff --git a/legacy/vendor/common/esepmdaemon.te b/legacy/vendor/common/esepmdaemon.te
new file mode 100644
index 0000000..445f0ba
--- /dev/null
+++ b/legacy/vendor/common/esepmdaemon.te
@@ -0,0 +1,56 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type esepmdaemon, domain;
+type esepmdaemon_exec, exec_type, vendor_file_type, file_type;
+
+#Allow for transition from init domain to esepmdaemon
+init_daemon_domain(esepmdaemon)
+
+#Allow esepmdaemon to use Binder IPC
+vndbinder_use(esepmdaemon)
+
+#Allow apps to interact with esepmdaemon
+binder_call(esepmdaemon, system_app)
+
+#Mark esepmdaemon as a Binder service domain
+#binder_service(esepmdaemon)
+
+#Allow esepmdaemon to be registered with service manager
+allow esepmdaemon esepmdaemon_service:service_manager add;
+
+#Allow access to nfc device
+allow esepmdaemon nfc_device:chr_file rw_file_perms;
+
+# Allow esepmdaemon to load firmware images
+r_dir_file(esepmdaemon, firmware_file);
+
+# Allow esepmdaemon to interract with ion_device
+allow esepmdaemon ion_device:chr_file r_file_perms;
+
+# Allow esepmdaemon to interract with qseecom
+allow esepmdaemon tee_device:chr_file rw_file_perms;
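Review bot: The comment `#Allow apps to interact with esepmdaemon` describes the opposite direction from the rule beneath it. `binder_call(esepmdaemon, system_app)` lets esepmdaemon call into system_app, not the other way round. If the intent is app-to-daemon calls, the macro should read `binder_call(system_app, esepmdaemon)`; if callbacks are the intent, the comment should read `# Allow esepmdaemon to call back into system_app`. The domain is also given `vndbinder_use` only, so it is worth confirming that a call to a framework app domain can work over that transport. fidodaemon.te carries the same comment/rule mismatch for `platform_app` and `system_app`.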
diff --git a/legacy/vendor/common/fidodaemon.te b/legacy/vendor/common/fidodaemon.te
new file mode 100644
index 0000000..762b60b
--- /dev/null
+++ b/legacy/vendor/common/fidodaemon.te
@@ -0,0 +1,54 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type fidodaemon, domain;
+type fidodaemon_exec, exec_type, vendor_file_type, file_type;
+
+#Allow for transition from init domain to fidodaemon
+init_daemon_domain(fidodaemon)
+
+#Allow fidodaemon to use Binder IPC
+#binder_use(fidodaemon)
+
+#Allow apps to interact with fidodaemon
+binder_call(fidodaemon, platform_app)
+binder_call(fidodaemon, system_app)
+
+#Mark fidodaemon as a Binder service domain
+#binder_service(fidodaemon)
+
+#Allow fidodaemon to be registered with service manager
+allow fidodaemon fidodaemon_service:service_manager add;
+
+#Allow communication with init over property server
+unix_socket_connect(fidodaemon, property, init);
+
+#Allow access to tee device
+allow fidodaemon tee_device:chr_file rw_file_perms;
+
+#Allow access to firmware
+r_dir_file(fidodaemon, firmware_file)
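Review bot: `unix_socket_connect(fidodaemon, property, init);` opens the property service socket to this domain, but the file grants no `property_service set` permission on any property type. Either the connect rule is dead, or the set permission lives elsewhere, where a reviewer of this file cannot see which properties the daemon may change. Scoping it in one place is easier to audit, e.g. `set_prop(fidodaemon, <fido_prop_type>)` (placeholder type name), which already includes the socket connect. Since this domain also holds `tee_device` read/write, the comment should name the property it needs.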
diff --git a/legacy/vendor/common/file.te b/legacy/vendor/common/file.te
new file mode 100644
index 0000000..f3e8cd5
--- /dev/null
+++ b/legacy/vendor/common/file.te
@@ -0,0 +1,399 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Default type for anything under /firmware.
+type firmware_file, system_file_type, file_type, contextmount_type, vendor_file_type;
+
+# All files under /vendor/firmware
+type vendor_firmware_file, vendor_file_type, file_type;
+
+#Define the qmux socket type
+type qmuxd_socket, file_type;
+
+#Define the netmgrd socket type
+type netmgrd_socket, file_type;
+
+#QTI file types
+type vendor_qti_data_file, file_type, data_file_type;
+
+type proc_wifi_dbg, proc_type, fs_type;
+#Define the pps socket type
+type pps_socket, file_type;
+
+#Define the qdcmss socket type
+type qdcmsocket_socket, file_type;
+
+# Define cnd socket and data file type
+type cnd_socket, file_type, mlstrustedobject;
+type cnd_data_file, file_type, data_file_type;
+type chre_socket, file_type;
+
+# Define dpmd data file type
+#type dpmd_socket, file_type;
+#type dpmwrapper_socket, file_type, mlstrustedobject;
+#type dpmd_data_file, file_type, data_file_type;
+#typealias system_app_data_file alias dpmd_app_data_file;
+#typealias system_app_data_file alias qtitetherservice_app_data_file;
+
+#Define the timeout for platform specific transports
+type sysfs_hsic_modem_wait, sysfs_type, fs_type;
+type sysfs_smd_open_timeout, sysfs_type, fs_type;
+
+#Define the files written during the operation of netmgrd and qmuxd
+type netmgrd_data_file, file_type, data_file_type;
+type sysrq_trigger_proc, fs_type, mlstrustedobject;
+# Persist file types
+type persist_file, file_type, vendor_persist_type;
+type persist_bluetooth_file, file_type , vendor_persist_type;
+type persist_data_file, file_type , vendor_persist_type;
+type persist_drm_file, file_type , vendor_persist_type;
+type data_qtee_file, file_type, data_file_type;
+type vendor_persist_mmi_file, file_type, vendor_persist_type;
+type persist_misc_file, file_type , vendor_persist_type;
+type persist_bms_file, file_type , vendor_persist_type;
+type persist_secnvm_file, file_type , vendor_persist_type;
+type persist_hvdcp_file, file_type , vendor_persist_type;
+
+#file type for restricting proc read by audiod
+type proc_audiod, fs_type, proc_type;
+
+#file type for irqbalance socket
+type msm_irqbalance_socket, file_type;
+
+# Sensor file types
+type sensors_socket, file_type;
+type sensors_persist_file, file_type, vendor_persist_type;
+type sysfs_sensors, sysfs_type, fs_type;
+
+#Memory offlining file types
+type sysfs_memory_offline, sysfs_type, fs_type;
+
+#VirtualKeys file type
+type sysfs_virtualkeys, sysfs_type, fs_type;
+
+#type for thermal-engine
+type thermal_socket, file_type;
+#type for uart
+type sysfs_msmuart_file, sysfs_type, fs_type;
+
+# Storage RFS file types
+type rfs_system_file, system_file_type, file_type;
+type rfs_file, file_type, data_file_type;
+type rfs_shared_hlos_file, file_type, data_file_type;
+type persist_rfs_file, file_type, vendor_persist_type;
+type persist_rfs_shared_hlos_file, file_type, vendor_persist_type;
+
+#mm-pp-daemon file type for sysfs access
+#type sysfs_leds, fs_type, sysfs_type;
+
+#Define the files written during the operation of mm-pp-daemon
+type data_ad_calib_cfg, file_type, data_file_type;
+
+#SurfaceFlinger file type for sysfs access
+type sysfs_graphics, sysfs_type, fs_type;
+
+# USB/battery power supply type for hvdcp/quickcharge
+type sysfs_usb_supply, sysfs_type, fs_type;
+type sysfs_battery_supply, sysfs_type, fs_type;
+type sysfs_usbpd_device, sysfs_type, fs_type;
+# sysfs vadc device for hvdcp/quickcharge
+type sysfs_vadc_dev, sysfs_type, fs_type;
+# sysfs spmi device for hvdcp/quickcharge
+type sysfs_spmi_dev, sysfs_type, fs_type;
+
+# sysfs qdss device for qcomsysd
+type sysfs_qdss_dev, sysfs_type, fs_type;
+
+# sysfs poweron_alarm is used in init.target.rc
+type sysfs_poweron_alarm, sysfs_type, fs_type;
+
+#Define the files written during the operation of mpdecision
+type sysfs_mpdecision, fs_type, sysfs_type;
+type sysfs_rqstats, fs_type, sysfs_type;
+type sysfs_cpu_online, fs_type, sysfs_type;
+type mpctl_socket, file_type, mlstrustedobject;
+type mpctl_data_file, file_type, data_file_type;
+
+#Define the files used by lm
+type lm_data_file, file_type, data_file_type;
+
+type sysfs_devfreq, fs_type, sysfs_type;
+type sysfs_devfreq_l3cdsp, fs_type, sysfs_type;
+type sysfs_mmc_host, fs_type, sysfs_type;
+type sysfs_scsi_host, fs_type, sysfs_type;
+type sysfs_cpu_boost, fs_type, sysfs_type;
+type sysfs_msm_perf, fs_type, sysfs_type;
+type sysfs_memory, fs_type, sysfs_type;
+type sysfs_lib, fs_type, sysfs_type;
+type sysfs_slpi, fs_type, sysfs_type;
+type sysfs_process_reclaim, fs_type, sysfs_type;
+type sysfs_vmpressure, fs_type, sysfs_type;
+
+#define the files writter during the operatio of iop
+type iop_socket, file_type;
+type iop_data_file, file_type, data_file_type;
+
+#Socket node needed by ims_data daemon
+type ims_socket, file_type;
+
+#mink-lowi-interface-daemon (mlid) socket
+type mlid_socket, file_type, mlstrustedobject;
+
+#ssg qmi gateway daemon socket
+type ssgqmig_socket, file_type, mlstrustedobject;
+
+#ssg tz daemon socket
+type ssgtzd_socket, file_type, mlstrustedobject;
+
+#location file types
+type location_data_file, file_type, data_file_type;
+type location_socket, file_type, data_file_type;
+type location_app_data_file, file_type, data_file_type;
+
+#File types required by mdm-helper
+type sysfs_esoc, sysfs_type, fs_type;
+type sysfs_ssr,  sysfs_type, fs_type;
+type sysfs_ssr_toggle,  sysfs_type, fs_type;
+type sysfs_hsic, sysfs_type, fs_type;
+type sysfs_hsic_host_rdy, sysfs_type, fs_type;
+
+# Files accessed by qcom-system-daemon
+type sysfs_socinfo, fs_type, sysfs_type;
+
+type qlogd_socket, file_type, mlstrustedobject;
+#Defines the files (configs, dumps, etc) used by display processes
+type display_vendor_data_file, file_type, data_file_type;
+
+#Define the files for the operation of QDCM
+type persist_display_file, file_type, vendor_persist_type;
+
+# IPA file types
+type ipacm_socket, file_type;
+type ipa_vendor_data_file, file_type, data_file_type;
+
+# vendor audio data file
+type vendor_audio_data_file, file_type, data_file_type;
+
+# Tombstone vendor data
+type vendor_tombstone_data_file, file_type, data_file_type;
+
+# Port-bridge file types
+type port_bridge_data_file, file_type, data_file_type;
+
+#bluetooth firmware file types
+type bt_firmware_file, file_type, contextmount_type, vendor_file_type;
+
+#needed by vold
+type  proc_dirty_ratio, fs_type, proc_type;
+
+#File types by mmi
+type vendor_mmi_socket, file_type;
+
+# hbtp config file
+type hbtp_cfg_file, file_type, vendor_file_type;
+type hbtp_log_file, file_type, data_file_type;
+type hbtp_kernel_sysfs, fs_type, sysfs_type;
+
+type persist_usf_file, file_type, vendor_persist_type;
+
+#qfp-daemon
+type qfp-daemon_data_file, file_type, data_file_type;
+type persist_qti_fp_file, file_type, vendor_persist_type;
+
+# imshelper_app file types
+type imshelper_app_data_file, file_type, data_file_type;
+
+# RIDL data files
+type RIDL_data_file, file_type, data_file_type;
+type RIDL_socket, file_type, data_file_type;
+
+# qti_logkit data files (privileged and public)
+type qti_logkit_priv_data_file, file_type, data_file_type;
+type qti_logkit_pub_data_file, file_type, data_file_type;
+type qti_logkit_priv_socket, file_type, data_file_type;
+type qti_logkit_pub_socket, file_type, mlstrustedobject, data_file_type;
+
+# used for /dsp files
+type adsprpcd_file, file_type, mlstrustedobject, vendor_file_type;
+
+#mdtp_svc_app file types
+type mdtp_svc_app_data_file, file_type, data_file_type;
+
+# Regionalization files
+type regionalization_file, file_type , vendor_persist_type;
+type vendor_carrier_file, file_type, vendor_file_type;
+
+# /data/system/swap/swapfile - swapfile
+type swap_data_file, file_type, data_file_type;
+
+# dynamic nv files
+type dynamic_nv_data_file, file_type, data_file_type;
+
+# Wifi Data file
+type wifi_vendor_data_file, file_type, data_file_type;
+type wifi_vendor_wpa_socket, file_type, data_file_type;
+type wifi_vendor_hostapd_socket, file_type, data_file_type;
+type hostapd_socket, file_type, data_file_type;
+
+#widevine data file
+type mediadrm_vendor_data_file, file_type, data_file_type;
+
+# wififtmd socket file
+type wififtmd_socket, file_type;
+
+type persist_alarm_file, file_type, vendor_persist_type;
+
+type persist_time_file, file_type, vendor_persist_type;
+
+# nfc file type for data vendor access
+type nfc_vendor_data_file, file_type, data_file_type;
+
+# kgsl file type for sysfs access
+type sysfs_kgsl, sysfs_type, fs_type;
+type sysfs_kgsl_proc, sysfs_type, fs_type;
+# kgsl snapshot file type for sysfs access
+type sysfs_kgsl_snapshot, sysfs_type, fs_type;
+
+# secure touch files
+type sysfs_securetouch, fs_type, sysfs_type;
+
+#data sysfs  files
+type sysfs_data, fs_type, sysfs_type;
+
+#diag sysfs files
+type sysfs_diag, fs_type, sysfs_type;
+
+#laser sysfs files
+type sysfs_laser, fs_type, sysfs_type;
+
+# QDMA data files
+type vendor_qdma_data_file, file_type, data_file_type;
+type qdma_socket, file_type, mlstrustedobject;
+
+# path to debugfs use this whic should be only used
+# in debug builds
+type qti_debugfs, fs_type, debugfs_type;
+
+# vendor radio files
+type vendor_radio_data_file, file_type, data_file_type;
+
+# vendor MBN files
+type vendor_mbn_data_file, file_type, data_file_type;
+
+#uio sysfs
+type sysfs_uio_file, fs_type, sysfs_type;
+
+#irq balance sysfs type
+type sysfs_irqbalance , sysfs_type, fs_type;
+
+# vpp files
+type vendor_vpp_data_file, file_type, data_file_type;
+type persist_vpp_file, file_type, vendor_persist_type;
+
+# vendor camera files
+type vendor_camera_data_file, file_type, data_file_type;
+
+# vendor media files
+type vendor_media_data_file, file_type, data_file_type;
+
+# wigig, fstman
+type sysfs_bond0, fs_type, sysfs_type;
+type sysfs_wigig, fs_type, sysfs_type;
+type wigignpt_socket, file_type, data_file_type;
+
+# wigig_hostapd
+type wigig_hostapd_socket, file_type, data_file_type;
+
+# ea sysfs files
+type sysfs_ea, fs_type, sysfs_type;
+
+#audio sysfs files
+type sysfs_audio, fs_type, sysfs_type;
+
+# lpm sysfs files
+type sysfs_msm_stats, fs_type, sysfs_type;
+type sysfs_msm_power, fs_type, sysfs_type;
+
+type sysfs_fm, sysfs_type, fs_type;
+
+# for adsp to load /sys/kernel/b ot_adsp/boot
+type sysfs_boot_adsp, sysfs_type, fs_type;
+
+# SFS listener data file
+type data_tzstorage_file, file_type, data_file_type;
+
+#TLOC Files
+type tlocd_data_file, file_type, data_file_type;
+
+#DRM files
+type data_qsee_file, file_type, data_file_type;
+
+#secure touch
+type sysfs_sectouch, sysfs_type, fs_type;
+
+#TUI Files
+type vendor_tui_data_file, file_type, data_file_type;
+
+#BT Files
+type vendor_bt_data_file, file_type, data_file_type;
+
+#FM Files
+type vendor_fm_data_file, file_type, data_file_type;
+
+#sysfs jpeg
+type sysfs_jpeg, fs_type, sysfs_type;
+
+#SSR Log Files
+type ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
+
+# npu file
+type sysfs_npu, fs_type, sysfs_type;
+
+# subsystem_ramdump files
+type vendor_ramdump_data_file, file_type, data_file_type;
+type vendor_mdmhelperdata_data_file, file_type, data_file_type;
+
+#for mount of /persist
+typeattribute mnt_vendor_file vendor_persist_type;
+
+#NNHAL files
+type hal_neuralnetworks_data_file, file_type, data_file_type;
+
+# vendor scve data file
+type vendor_scve_data_file, file_type, data_file_type;
+
+# usb device controller files
+type sysfs_usb_controller, sysfs_type, fs_type;
+
+# time data files
+type time_data_file, file_type, data_file_type, core_data_file_type;
+
+#qvrservice sysfs files
+type sysfs_qvr_external_sensor, sysfs_type, fs_type;
+
+# /dev/msm_aac_in
+type msm_aac_in_device, dev_type;
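Review bot: `type sysrq_trigger_proc, fs_type, mlstrustedobject;` omits the `proc_type` attribute that the other proc types in this file carry (`proc_wifi_dbg`, `proc_audiod`, `proc_dirty_ratio`). Rules and neverallow checks written against `proc_type` will therefore skip it, and it is exempted from MLS checks as well. For a label that by its name covers the sysrq trigger, I would declare it as `type sysrq_trigger_proc, fs_type, proc_type;` and keep `mlstrustedobject` only if a named caller needs it. The same justification is worth recording for `ramdump_vendor_data_file`, which is also marked `mlstrustedobject` and, judging by its `#SSR Log Files` comment, holds dump data.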
diff --git a/legacy/vendor/common/file_contexts b/legacy/vendor/common/file_contexts
new file mode 100644
index 0000000..8eef3bd
--- /dev/null
+++ b/legacy/vendor/common/file_contexts
@@ -0,0 +1,740 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+###################################
+# Dev nodes
+#
+/dev/adsprpc-smd                                u:object_r:qdsp_device:s0
+/dev/adsprpc-smd-secure                         u:object_r:xdsp_device:s0
+/dev/cpu_dma_latency                            u:object_r:device_latency:s0
+/dev/diag                                       u:object_r:diag_device:s0
+/dev/hsicctl.*                                  u:object_r:hsic_device:s0
+/dev/kgsl-3d0                                   u:object_r:gpu_device:s0
+/dev/mhi_.*                                     u:object_r:mhi_device:s0
+/dev/bhi                                        u:object_r:bhi_device:s0
+/dev/msm_.*                                     u:object_r:audio_device:s0
+/dev/msm_aac_in                                 u:object_r:msm_aac_in_device:s0
+/dev/wcd_dsp0_control                           u:object_r:audio_device:s0
+/dev/wcd-dsp-glink                              u:object_r:audio_device:s0
+/dev/usf1                                       u:object_r:usf_device:s0
+/dev/msm_dsps                                   u:object_r:sensors_device:s0
+/dev/msm_thermal_query                          u:object_r:thermal_device:s0
+/dev/nfc-nci                                    u:object_r:nfc_device:s0
+/dev/nq-nci                                     u:object_r:nfc_device:s0
+/dev/qseecom                                    u:object_r:tee_device:s0
+/dev/spcom                                      u:object_r:spcom_device:s0
+/dev/sp_kernel                                  u:object_r:skp_device:s0
+/dev/sp_ssr                                     u:object_r:sp_ssr_device:s0
+/dev/sec_nvm_.*                                 u:object_r:sec_nvm_device:s0
+/dev/sp_keymaster                               u:object_r:sp_keymaster_device:s0
+/dev/cryptoapp                                  u:object_r:cryptoapp_device:s0
+/dev/spdaemon_ssr                               u:object_r:spdaemon_ssr_device:s0
+/dev/qsee_ipc_irq_spss                          u:object_r:qsee_ipc_irq_spss_device:s0
+/dev/radio0                                     u:object_r:fm_radio_device:s0
+/dev/btpower                                    u:object_r:bt_device:s0
+/dev/rtc0                                       u:object_r:rtc_device:s0
+/dev/sdsprpc-smd                                u:object_r:dsp_device:s0
+/dev/sensors                                    u:object_r:sensors_device:s0
+/dev/smd.*                                      u:object_r:smd_device:s0
+/dev/smem_log                                   u:object_r:smem_log_device:s0
+/dev/ttyHSL0                                    u:object_r:console_device:s0
+/dev/ttyMSM0                                    u:object_r:console_device:s0
+/dev/ttyHS[0-9]*                                u:object_r:serial_device:s0
+/dev/ttyGS0                                     u:object_r:gadget_serial_device:s0
+/dev/usb_ext_chg                                u:object_r:hvdcp_device:s0
+/dev/media([0-9])+                              u:object_r:video_device:s0
+/dev/jpeg[0-9]*                                 u:object_r:video_device:s0
+/dev/v4l-subdev.*                               u:object_r:video_device:s0
+/dev/vm_bms                                     u:object_r:vm_bms_device:s0
+/dev/battery_data                               u:object_r:battery_data_device:s0
+/dev/block/mmcblk1                              u:object_r:sd_device:s0
+/dev/block/mmcblk1p1                            u:object_r:sd_device:s0
+/dev/subsys_.*                                  u:object_r:ssr_device:s0
+/dev/ramdump_.*                                 u:object_r:ramdump_device:s0
+/dev/esoc.*                                     u:object_r:esoc_device:s0
+/dev/ks_hsic_bridge                             u:object_r:ksbridgehsic_device:s0
+/dev/efs_hsic_bridge                            u:object_r:efsbridgehsic_device:s0
+/dev/ipa                                        u:object_r:ipa_dev:s0
+/dev/wwan_ioctl                                 u:object_r:ipa_dev:s0
+/dev/ipaNatTable                                u:object_r:ipa_dev:s0
+/dev/rmnet_ctrl.*                               u:object_r:rmnet_device:s0
+/dev/dpl_ctrl                                   u:object_r:rmnet_device:s0
+/dev/wcnss_ctrl                                 u:object_r:wcnss_device:s0
+/dev/wcnss_wlan                                 u:object_r:wcnss_device:s0
+/dev/pta                                        u:object_r:pta_device:s0
+/dev/mdss_rotator                               u:object_r:graphics_device:s0
+/dev/hbtp_input                                 u:object_r:hbtp_device:s0
+/dev/hbtp_vm                                    u:object_r:hbtp_device:s0
+/dev/jdi-bu21150                                u:object_r:bu21150_device:s0
+/dev/avtimer                                    u:object_r:avtimer_device:s0
+/dev/coresight-stm                              u:object_r:qdss_device:s0
+/dev/coresight-tmc-etf                          u:object_r:qdss_device:s0
+/dev/coresight-tmc-etr                          u:object_r:qdss_device:s0
+/dev/coresight-tmc-etr-stream                   u:object_r:qdss_device:s0
+/dev/system_health_monitor                      u:object_r:system_health_monitor_device:s0
+/dev/qce                                        u:object_r:qce_device:s0
+/dev/msm-rng                                    u:object_r:rng_device:s0
+/dev/qbt1000                                    u:object_r:qbt1000_device:s0
+/dev/at_.*                                      u:object_r:at_device:s0
+/dev/sg.*                                       u:object_r:sg_device:s0
+/dev/dri/card0                                  u:object_r:graphics_device:s0
+/dev/dri/controlD64                             u:object_r:graphics_device:s0
+/dev/dri/renderD128                             u:object_r:graphics_device:s0
+/dev/wlan                                       u:object_r:wlan_device:s0
+/dev/bg_com_dev                                 u:object_r:bg_daemon_device:s0
+/dev/msm_npu                                    u:object_r:npu_device:s0
+/dev/qg                                         u:object_r:qg_device:s0
+/dev/qg_battery                                 u:object_r:qg_device:s0
+/dev/ipa_odl_ctl                                u:object_r:ipa_dev:s0
+/dev/ipa_adpl                                   u:object_r:ipa_dev:s0
+
+###################################
+# Dev block nodes
+#
+/dev/block/zram0                                u:object_r:swap_block_device:s0
+/data/vendor/swap(/.*)?                         u:object_r:swap_data_file:s0
+
+###################################
+# Dev socket nodes
+#
+/dev/socket/chre                                u:object_r:chre_socket:s0
+/dev/socket/qmux_audio(/.*)?                    u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_bluetooth(/.*)?                u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_gps(/.*)?                      u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_radio(/.*)?                    u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_nfc(/.*)?                      u:object_r:qmuxd_socket:s0
+/dev/socket/netmgr(/.*)?                        u:object_r:netmgrd_socket:s0
+/dev/socket/sensor_ctl_socket                   u:object_r:sensors_socket:s0
+/dev/socket/cnd                                 u:object_r:cnd_socket:s0
+/dev/socket/nims                                u:object_r:cnd_socket:s0
+/dev/socket/thermal-send-client                 u:object_r:thermal_socket:s0
+/dev/socket/thermal-recv-client                 u:object_r:thermal_socket:s0
+/dev/socket/thermal-recv-passive-client         u:object_r:thermal_socket:s0
+/dev/socket/thermal-send-rule                   u:object_r:thermal_socket:s0
+/dev/socket/ims_qmid                            u:object_r:ims_socket:s0
+/dev/socket/ims_datad                           u:object_r:ims_socket:s0
+/dev/socket/iop                                 u:object_r:iop_socket:s0
+/dev/socket/qlogd                               u:object_r:qlogd_socket:s0
+/dev/socket/ipacm_log_file                      u:object_r:ipacm_socket:s0
+/dev/socket/pps                                 u:object_r:pps_socket:s0
+/dev/socket/qdcmsocket                          u:object_r:qdcmsocket_socket:s0
+/dev/socket/rild2                               u:object_r:rild_socket:s0
+/dev/socket/rild2-debug                         u:object_r:rild_debug_socket:s0
+/dev/socket/rild-debug2                         u:object_r:rild_debug_socket:s0
+/dev/socket/rild3                               u:object_r:rild_socket:s0
+/dev/socket/rild3-debug                         u:object_r:rild_debug_socket:s0
+/dev/socket/rild-debug3                         u:object_r:rild_debug_socket:s0
+/dev/socket/msm_irqbalance                      u:object_r:msm_irqbalance_socket:s0
+/dev/socket/mlid                                u:object_r:mlid_socket:s0
+/dev/socket/ssgqmig                             u:object_r:ssgqmig_socket:s0
+/dev/socket/ssgtzd                              u:object_r:ssgtzd_socket:s0
+/dev/socket/wififtmd_server                     u:object_r:wififtmd_socket:s0
+/dev/socket/wpa_wigig[0-9]                      u:object_r:wifi_vendor_wpa_socket:s0
+/dev/socket/vendor_wpa_wlan[0-9]                u:object_r:wifi_vendor_wpa_socket:s0
+/dev/socket/mmi                                 u:object_r:vendor_mmi_socket:s0
+/dev/socket/location(/.*)?                      u:object_r:location_socket:s0
+/dev/socket/wigignpt                            u:object_r:wigignpt_socket:s0
+/dev/socket/qdma(/.*)?                          u:object_r:qdma_socket:s0
+
+###################################
+# System files
+#
+/(vendor|system/vendor)/bin/ATFWD-daemon        u:object_r:atfwd_exec:s0
+/(vendor|system/vendor)/bin/PktRspTest          u:object_r:diag_exec:s0
+/(vendor|system/vendor)/bin/audiod              u:object_r:audiod_exec:s0
+/(vendor|system/vendor)/bin/nqnfcinfo           u:object_r:nqnfcinfo_exec:s0
+/(vendor|system/vendor)/bin/charger_monitor     u:object_r:charger_monitor_exec:s0
+/(vendor|system/vendor)/bin/hvdcp_opti          u:object_r:hvdcp_exec:s0
+/(vendor|system/vendor)/bin/cnd                 u:object_r:cnd_exec:s0
+/(vendor|system/vendor)/bin/diag_callback_client                u:object_r:diag_exec:s0
+/(vendor|system/vendor)/bin/diag_dci_sample                     u:object_r:diag_exec:s0
+/(vendor|system/vendor)/bin/diag_klog                           u:object_r:diag_exec:s0
+/(vendor|system/vendor)/bin/diag_mdlog                          u:object_r:qlogd_exec:s0
+/(vendor|system/vendor)/bin/drmdiagapp          u:object_r:diag_exec:s0
+/(vendor|system/vendor)/bin/diag_qshrink4_daemon                u:object_r:diag_exec:s0
+/(vendor|system/vendor)/bin/diag_socket_log                     u:object_r:diag_exec:s0
+/(vendor|system/vendor)/bin/diag_uart_log                       u:object_r:diag_exec:s0
+/(vendor|system/vendor)/bin/diag_buffering_test                 u:object_r:diag_exec:s0
+/(vendor|system/vendor)/bin/irsc_util                           u:object_r:irsc_util_exec:s0
+/(vendor|system/vendor)/bin/qrtr-cfg                            u:object_r:qrtr_exec:s0
+/(vendor|system/vendor)/bin/qrtr-ns                             u:object_r:qrtr_exec:s0
+/(vendor|system/vendor)/bin/init\.qcom\.sh              u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/init\.qcom\.class_core\.sh  u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/init\.qcom\.bt\.sh          u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/init\.qcom\.early_boot\.sh  u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/init\.class_main\.sh        u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/init\.qcom\.post_boot\.sh   u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/init\.qcom\.sensors\.sh     u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/init\.qcom\.usb\.sh         u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/init\.mdm\.sh                   u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/init\.mdm\.crashdata\.sh        u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/init\.qcom\.syspart_fixup\.sh   u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/hcidump.sh                      u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/hsic\.control\.bt\.sh           u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/init\.ath3k\.bt\.sh             u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/init\.crda\.sh                  u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/init\.qcom\.coex\.sh            u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/init\.qcom\.debug-sdm660\.sh    u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/init\.qcom\.debug\.sh           u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/init\.qcom\.efs\.sync\.sh       u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/init\.qti\.fm\.sh               u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/init\.qcom\.sdio\.sh            u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/init\.qcom\.wifi\.sh            u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/init\.qti\.ims\.sh              u:object_r:init-qti-ims-sh_exec:s0
+/(vendor|system/vendor)/bin/qca6234-service.sh              u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/mm-pp-daemon        u:object_r:mm-pp-daemon_exec:s0
+/(vendor|system/vendor)/bin/mm-pp-dpps          u:object_r:mm-pp-daemon_exec:s0
+/(vendor|system/vendor)/bin/mm-audio-ftm        u:object_r:vendor_audioftm_exec:s0
+/(vendor|system/vendor)/bin/mmi                 u:object_r:vendor_mmi_exec:s0
+/(vendor|system/vendor)/bin/mmid                u:object_r:vendor_mmi_exec:s0
+/(vendor|system/vendor)/bin/qdcmss              u:object_r:qdcm-ss_exec:s0
+/(vendor|system/vendor)/bin/msm_irqbalance  u:object_r:msm_irqbalanced_exec:s0
+/(vendor|system/vendor)/bin/imsdatadaemon       u:object_r:ims_exec:s0
+/(vendor|system/vendor)/bin/imsqmidaemon        u:object_r:ims_exec:s0
+/(vendor|system/vendor)/bin/ims_rtp_daemon      u:object_r:hal_imsrtp_exec:s0
+/(vendor|system/vendor)/bin/netmgrd             u:object_r:netmgrd_exec:s0
+/(vendor|system/vendor)/bin/qmuxd               u:object_r:qmuxd_exec:s0
+/(vendor|system/vendor)/bin/port-bridge         u:object_r:port-bridge_exec:s0
+/(vendor|system/vendor)/bin/sensors.qcom        u:object_r:sensors_exec:s0
+/(vendor|system/vendor)/bin/sensors.qti         u:object_r:sensors_exec:s0
+/(vendor|system/vendor)/bin/test_diag           u:object_r:diag_exec:s0
+/(vendor|system/vendor)/bin/thermal-engine      u:object_r:thermal-engine_exec:s0
+/(vendor|system/vendor)/bin/vm_bms                              u:object_r:vm_bms_exec:s0
+/(vendor|system/vendor)/bin/mm-qcamera-daemon   u:object_r:mm-qcamerad_exec:s0
+/(vendor|system/vendor)/bin/qfp-daemon          u:object_r:qfp-daemon_exec:s0
+/(vendor|system/vendor)/bin/qvop-daemon         u:object_r:qvop-daemon_exec:s0
+/system/rfs.*                                   u:object_r:rfs_system_file:s0
+/(vendor|system/vendor)/bin/time_daemon         u:object_r:time_daemon_exec:s0
+/(vendor|system/vendor)/bin/rmt_storage         u:object_r:rmt_storage_exec:s0
+/(vendor|system/vendor)/bin/rfs_access          u:object_r:rfs_access_exec:s0
+/(vendor|system/vendor)/bin/tftp_server         u:object_r:rfs_access_exec:s0
+/(vendor|system/vendor)/bin/hvdcp                               u:object_r:hvdcp_exec:s0
+/(vendor|system/vendor)/bin/qseecomd            u:object_r:tee_exec:s0
+/(vendor|system/vendor)/bin/spdaemon            u:object_r:spdaemon_exec:s0
+/(vendor|system/vendor)/bin/sec_nvm             u:object_r:sec_nvm_exec:s0
+/(vendor|system/vendor)/bin/cnss-daemon         u:object_r:wcnss_service_exec:s0
+/(vendor|system/vendor)/bin/hostapd_cli         u:object_r:hostapd_exec:s0
+/(vendor|system/vendor)/bin/adsprpcd            u:object_r:adsprpcd_exec:s0
+/(vendor|system/vendor)/bin/cdsprpcd            u:object_r:cdsprpcd_exec:s0
+/(vendor|system/vendor)/bin/wpa_cli             u:object_r:wcnss_service_exec:s0
+/(vendor|system/vendor)/bin/mdm_helper          u:object_r:mdm_helper_exec:s0
+/(vendor|system/vendor)/bin/mdm_helper_proxy    u:object_r:mdm_helper_exec:s0
+/(vendor|system/vendor)/bin/ks                                  u:object_r:mdm_helper_exec:s0
+/(vendor|system/vendor)/bin/pm-service          u:object_r:vendor_per_mgr_exec:s0
+/(vendor|system/vendor)/bin/pm-proxy            u:object_r:vendor_per_mgr_exec:s0
+/(vendor|system/vendor)/bin/pd-mapper           u:object_r:vendor_pd_mapper_exec:s0
+/(vendor|system/vendor)/bin/pd-api-test         u:object_r:vendor_pd_mapper_exec:s0
+/(vendor|system/vendor)/bin/qcom-system-daemon  u:object_r:vendor_qcomsysd_exec:s0
+/(vendor|system/vendor)/bin/poweroffhandler                     u:object_r:poweroffhandler_exec:s0
+/(vendor|system/vendor)/xbin/qlogd                              u:object_r:qlogd_exec:s0
+/(vendor|system/vendor)/bin/ipacm                               u:object_r:ipacm_exec:s0
+/(vendor|system/vendor)/bin/ipacm-diag          u:object_r:ipacm-diag_exec:s0
+/(vendor|system/vendor)/bin/dpmQmiMgr           u:object_r:hal_dpmQmiMgr_exec:s0
+#/(vendor|system/vendor)/bin/dpmd                                u:object_r:dpmd_exec:s0
+/(vendor|system/vendor)/bin/ssr_setup           u:object_r:vendor_ssr_setup_exec:s0
+/(vendor|system/vendor)/bin/subsystem_ramdump   u:object_r:vendor_subsystem_ramdump_exec:s0
+/(vendor|system/vendor)/bin/ssr_diag            u:object_r:vendor_ssr_diag_exec:s0
+/(vendor|system/vendor)/bin/hw/qcrild           u:object_r:rild_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.1-service.widevine   	u:object_r:hal_drm_widevine_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.1-service.clearkey   	u:object_r:hal_drm_clearkey_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@.*-service-qti u:object_r:hal_gnss_qti_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.qti\.gnss@.*-service u:object_r:hal_gnss_qti_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti  u:object_r:hal_bluetooth_qti_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.display\.color@1\.0-service            u:object_r:hal_display_color_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.perf@1\.0-service       u:object_r:hal_perf_default_exec:s0
+/(vendor|system/vendor)/bin/ssgqmigd            u:object_r:ssgqmigd_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.iop@1\.0-service        u:object_r:hal_iop_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.iop@2\.0-service        u:object_r:hal_iop_default_exec:s0
+/(vendor|system/vendor)/bin/mlid                u:object_r:mlid_exec:s0
+/(vendor|system/vendor)/bin/ssgtzd              u:object_r:ssgtzd_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.qti\.esepowermanager@1\.0-service u:object_r:hal_esepowermanager_qti_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.qti\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/loc_launcher        u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/lowi-server         u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/xtwifi-inet-agent   u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/xtwifi-client       u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/garden_app          u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/DR_AP_Service       u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/slim_daemon         u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/xtra-daemon         u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/energy-awareness    u:object_r:energyawareness_exec:s0
+/(vendor|system/vendor)/bin/fidodaemon          u:object_r:fidodaemon_exec:s0
+/(vendor|system/vendor)/bin/esepmdaemon         u:object_r:esepmdaemon_exec:s0
+/(vendor|system/vendor)/bin/secotad             u:object_r:secotad_exec:s0
+/(vendor|system/vendor)/bin/qseeproxydaemon     u:object_r:qseeproxy_exec:s0
+/(vendor|system/vendor)/bin/dts_configurator    u:object_r:dtsconfigurator_exec:s0
+/(vendor|system/vendor)/bin/dts_eagle_service   u:object_r:dtseagleservice_exec:s0
+/(vendor|system/vendor)/bin/qti                 u:object_r:qti_exec:s0
+/(vendor|system/vendor)/bin/adpl                u:object_r:adpl_exec:s0
+/(vendor|system/vendor)/bin/wcnss_service       u:object_r:wcnss_service_exec:s0
+/(vendor|system/vendor)/bin/hbtp_daemon         u:object_r:hbtp_exec:s0
+/(vendor|system/vendor)/bin/touch_fusion        u:object_r:touchfusion_exec:s0
+/(vendor|system/vendor)/bin/seemp_healthd       u:object_r:seemp_health_daemon_exec:s0
+/(vendor|system/vendor)/bin/sapd                                u:object_r:sapd_exec:s0
+/(vendor|system/vendor)/bin/btnvtool            u:object_r:btnvtool_exec:s0
+/(vendor|system/vendor)/bin/btsnoop                             u:object_r:btsnoop_exec:s0
+/(vendor|system/vendor)/bin/wifidisplayhalservice               u:object_r:wifidisplayhalservice_qti_exec:s0
+/(vendor|system/vendor)/bin/wcnss_filter        u:object_r:wcnss_filter_exec:s0
+/(vendor|system/vendor)/bin/fmhal_service                       u:object_r:fmhal_service_exec:s0
+/(vendor|system/vendor)/bin/usf_epos            u:object_r:usf_exec:s0
+/(vendor|system/vendor)/bin/usf_gesture         u:object_r:usf_exec:s0
+/(vendor|system/vendor)/bin/usf_hovering        u:object_r:usf_exec:s0
+/(vendor|system/vendor)/bin/usf_p2p             u:object_r:usf_exec:s0
+/(vendor|system/vendor)/bin/usf_proximity       u:object_r:usf_exec:s0
+/(vendor|system/vendor)/bin/usf_sync_gesture    u:object_r:usf_exec:s0
+/(vendor|system/vendor)/bin/usf_sw_calib        u:object_r:usf_exec:s0
+/(vendor|system/vendor)/bin/usf_pairing         u:object_r:usf_exec:s0
+/(vendor|system/vendor)/bin/usf_tester          u:object_r:usf_exec:s0
+/(vendor|system/vendor)/bin/LKCore              u:object_r:qti_logkit_exec:s0
+/(vendor|system/vendor)/bin/tbaseLoader         u:object_r:tbaseLoader_exec:s0
+/(vendor|system/vendor)/bin/mcStarter           u:object_r:mcStarter_exec:s0
+/(vendor|system/vendor)/bin/fstman              u:object_r:fstman_exec:s0
+/(vendor|system/vendor)/bin/wigighalsvc         u:object_r:wigighalsvc_exec:s0
+/(vendor|system/vendor)/bin/wigignpt            u:object_r:wigignpt_exec:s0
+/(vendor|system/vendor)/bin/mdtpd               u:object_r:mdtpdaemon_exec:s0
+/(vendor|system/vendor)/bin/wifi_ftmd           u:object_r:wifi_ftmd_exec:s0
+/(vendor|system/vendor)/bin/fingerprint.qcom    u:object_r:fps_hal_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service-qti u:object_r:hal_keymaster_qti_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service-qti u:object_r:hal_keymaster_qti_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-strongbox-service-qti u:object_r:hal_keymaster_qti_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service-qti u:object_r:hal_gatekeeper_qti_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.nxp\.hardware\.nfc@1\.0-service     u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.nxp\.hardware\.nfc@1\.1-service     u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/qdmastatsd          u:object_r:qdmastatsd_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.alarm@1\.0-service      u:object_r:hal_alarm_qti_default_exec:s0
+/(vendor|system/vendor)/bin/imsrcsd             u:object_r:hal_rcsservice_exec:s0
+/(vendor|system/vendor)/bin/vppservice          u:object_r:vendor_vppservice_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.qteeconnector@1\.0-service u:object_r:hal_qteeconnector_qti_exec:s0
+/(vendor|system/vendor)/bin/fm_qsoc_patches     u:object_r:fm_qsoc_patches_exec:s0
+/(vendor|system/vendor)/bin/chre                u:object_r:chre_exec:s0
+/(vendor|system/vendor)/bin/tloc_daemon         u:object_r:tlocd_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.factory@1\.0-service      u:object_r:vendor_hal_factory_qti_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.display\.allocator@1\.0-service   u:object_r:hal_graphics_allocator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.tui_comm@1\.0-service-qti u:object_r:hal_tui_comm_qti_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.soter@1\.0-service u:object_r:hal_soter_qti_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.qdutils_disp@1\.0-service-qti u:object_r:hal_qdutils_disp_qti_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.sensorscalibrate@1\.0-service u:object_r:hal_sensorscalibrate_qti_default_exec:s0
+/(vendor|system/vendor)/bin/power_off_alarm        u:object_r:power_off_alarm_exec:s0
+/vendor/bin/hw/vendor\.qti\.hardware\.vibrator@1\.[0-2]-service    u:object_r:hal_vibrator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget@1\.0-service-qti u:object_r:hal_usb_gadget_qti_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.scve\.panorama@1\.0-service    u:object_r:vendor_scve_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.scve\.objecttracker@1\.0-service    u:object_r:vendor_scve_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.mlshal@1\.0-service       u:object_r:hal_mirrorlink_qti_exec:s0
+/(vendor|system/vendor)/bin/hdcp_srm               u:object_r:hdcp_srm_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.qti\.power\.pasrmanager\@1\.0-service u:object_r:hal_pasrmanager_qti_exec:s0
+
+###################################
+# sysfs files
+#
+/sys/class/graphics/fb0/mdp/caps                                    u:object_r:sysfs_graphics:s0
+/sys/class/thermal(/.*)?                                            u:object_r:sysfs_thermal:s0
+/sys/class/sensors(/.*)?                                            u:object_r:sysfs_sensors:s0
+/sys/class/uio(/.*)?                                                u:object_r:sysfs_uio:s0
+/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,rmtfs_sharedmem/uio/uio[0-9]+(/.*)?        u:object_r:sysfs_uio_file:s0
+/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,rmtfs_sharedmem/uio/uio[0-9]+/maps/map[0-9]+(/.*)?    u:object_r:sysfs_uio_file:s0
+/sys/devices(/platform)?/soc.0/[a-z0-9]+.qcom,rmtfs_sharedmem/uio/uio[0-9]+(/.*)?        u:object_r:sysfs_uio_file:s0
+/sys/devices(/platform)?/soc.0/[a-z0-9]+.qcom,rmtfs_sharedmem/uio/uio[0-9]+/maps/map[0-9]+(/.*)?    u:object_r:sysfs_uio_file:s0
+/sys/devices/[^/]+bcl[^/]+(/.*)?                                    u:object_r:sysfs_thermal:s0
+/sys/devices/f9200000.*/power_supply/usb(/.*)?                      u:object_r:sysfs_usb_supply:s0
+/sys/devices/msm_dwc3/power_supply/usb(/.*)?                        u:object_r:sysfs_usb_supply:s0
+/sys/devices/msm_otg/power_supply/usb(/.*)?                         u:object_r:sysfs_usb_supply:s0
+/sys/devices/platform/battery_current_limit                         u:object_r:sysfs_thermal:s0
+/sys/devices/qpnp-charger.*/power_supply/battery(/.*)?              u:object_r:sysfs_battery_supply:s0
+/sys/class/qcom-battery(/.*)?              u:object_r:sysfs_battery_supply:s0
+/sys/class/charge_pump(/.*)?               u:object_r:sysfs_battery_supply:s0
+/sys/devices/soc/[a-z0-9]+.ssusb/power_supply/usb(/.*)?             u:object_r:sysfs_usb_supply:s0
+/sys/devices/soc/qpnp-vadc-[0-9]+(/.*)?                             u:object_r:sysfs_vadc_dev:s0
+/sys/bus/spmi/devices(/.*)?                                         u:object_r:sysfs_spmi_dev:s0
+/sys/kernel/irq_helper/irq_blacklist_on                             u:object_r:sysfs_irqbalance:s0
+/sys/devices/virtual/graphics/fb([0-3])+/idle_time                  u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/dynamic_fps                u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/product_description        u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/vendor_name                u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/hdcp/tp                    u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_panel_status        u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/lineptr_value              u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/hsicctl/hsicctl1[0-9]/modem_wait               u:object_r:sysfs_hsic_modem_wait:s0
+/sys/devices/virtual/hsicctl/hsicctl[0-9]/modem_wait                u:object_r:sysfs_hsic_modem_wait:s0
+/sys/devices/virtual/net/bond0/bonding/queue_id                     u:object_r:sysfs_bond0:s0
+/sys/devices/virtual/net/bond0/queues/rx-0/rps_cpus                 u:object_r:sysfs_bond0:s0
+/sys/devices/virtual/smdpkt/smdcntl1[0-9]/open_timeout              u:object_r:sysfs_smd_open_timeout:s0
+/sys/devices/virtual/smdpkt/smdcntl[0-9]/open_timeout               u:object_r:sysfs_smd_open_timeout:s0
+/sys/devices/virtual/thermal(/.*)?                                  u:object_r:sysfs_thermal:s0
+/sys/module/msm_serial_hs/parameters/debug_mask                     u:object_r:sysfs_msmuart_file:s0
+/sys/module/msm_thermal(/.*)?                                       u:object_r:sysfs_thermal:s0
+/sys/module/msm_thermal/core_control/cpus_offlined                  u:object_r:sysfs_mpdecision:s0
+/sys/devices/f9a55000.*/power_supply/usb(/.*)?                      u:object_r:sysfs_usb_supply:s0
+/sys/devices/virtual/graphics/fb([0-3])+/hpd                        u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/res_info                   u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/s3d_mode                   u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_panel_info          u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_type                u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_split               u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/show_blank_event           u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/bl_event                   u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/ad_event                   u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/ad_bl_event                u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/hist_event                 u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/vsync_event                u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/lineptr_event              u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/idle_notify                u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_thermal_level       u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/idle_power_collapse        u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/mode                       u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/name                       u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/connected                  u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/msm_cmd_autorefresh_en     u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/mdp/bw_mode_bitmap         u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/edid_modes                 u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/hdcp2p2(/.*)               u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/scan_info                  u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/edid_3d_modes              u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_dfps_mode           u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_src_split_info      u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/hdr_stream                 u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/cec(/.*)                   u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/msmfb_b10(/.*)             u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/modes                      u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/edid_raw_data              u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/packpattern                u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/dyn_pu                     u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/ad                         u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/pp_bl_event                u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_persist_mode        u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/config                     u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/rotator/mdss_rotator/caps                      u:object_r:sysfs_graphics:s0
+
+/sys/devices/platform/vfb.([0-3])+/graphics/fb([0-3])+/modes        u:object_r:sysfs_graphics:s0
+/sys/devices/platform/vfb.([0-3])+/graphics/fb([0-3])+/mode         u:object_r:sysfs_graphics:s0
+/sys/module/drm/parameters/vblankoffdelay                           u:object_r:sysfs_graphics:s0
+/sys/devices/platform/soc/[a-z0-9]+.qcom,mdss_mdp/drm/card([0-3])+/card([0-3])+-DSI-1/modes u:object_r:sysfs_graphics:s0
+/sys/devices/platform/soc/[a-z0-9]+.qcom,mdss_mdp/drm/card([0-3])+/card([0-3])+-DSI-1/status u:object_r:sysfs_graphics:s0
+
+/sys/devices/virtual/workqueue/kgsl-events/cpumask                  u:object_r:sysfs_kgsl:s0
+/sys/devices/virtual/workqueue/kgsl-events/nice                     u:object_r:sysfs_kgsl:s0
+/sys/devices/virtual/workqueue/kgsl-workqueue/cpumask               u:object_r:sysfs_kgsl:s0
+/sys/devices/virtual/workqueue/kgsl-workqueue/nice                  u:object_r:sysfs_kgsl:s0
+/sys/class/graphics/fb([0-3])+/mdp/caps                             u:object_r:sysfs_graphics:s0
+/sys/class/graphics/fb([0-3])+/ad                                   u:object_r:sysfs_graphics:s0
+/sys/devices/platform/soc/ae00000.qcom,mdss_mdp/backlight(/.*)?     u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/switch/hdmi(/.*)?                              u:object_r:sysfs_graphics:s0
+/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,mdss_mdp/[a-z0-9]+.qcom,mdss_mdp:qcom,mdss_fb_primary/leds/lcd-backlight(/.*)?   u:object_r:sysfs_graphics:s0
+/sys/devices/soc.0/[a-z0-9]+.qcom,mdss_mdp/qcom,mdss_fb_primary.+[a-z0-9]/leds/lcd-backlight(/.*)?   u:object_r:sysfs_graphics:s0
+/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,mdss_mdp/caps           u:object_r:sysfs_graphics:s0
+/sys/devices/soc/[a-z0-9]+.qcom,mdss_mdp/bw_mode_bitmap             u:object_r:sysfs_graphics:s0
+/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,mdss_mdp/bw_mode_bitmap             u:object_r:sysfs_graphics:s0
+/sys/devices/soc.0/[a-z0-9]+.qcom,mdss_mdp/bw_mode_bitmap            u:object_r:sysfs_graphics:s0
+/sys/devices/soc.0/[a-z0-9]+.qcom,mdss_mdp/caps                      u:object_r:sysfs_graphics:s0
+/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,mdss_cam/video4linux/video[0-33]/name(/.*)?   u:object_r:sysfs_graphics:s0
+/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,mdss_rotator/video4linux/video[0-33]/name(/.*)?   u:object_r:sysfs_graphics:s0
+/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,mdss_rotator/caps       u:object_r:sysfs_graphics:s0
+/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,vidc/video4linux/video[0-33]/name(/.*)?   u:object_r:sysfs_graphics:s0
+/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,cci/[a-z0-9]+.qcom,cci:qcom,camera@[0-2]/video4linux/video[0-33]/name(/.*)?   u:object_r:sysfs_graphics:s0
+/sys/bus/platform/drivers/xhci_msm_hsic(/.*)?                       u:object_r:sysfs_hsic:s0
+/sys/devices/msm_hsic_host/host_ready                               u:object_r:sysfs_hsic_host_rdy:s0
+/sys/bus/esoc(/.*)?                                                 u:object_r:sysfs_esoc:s0
+/sys/bus/msm_subsys(/.*)?                                           u:object_r:sysfs_ssr:s0
+/sys/bus/msm_subsys/devices/subsys0/restart_level                   u:object_r:sysfs_ssr_toggle:s0
+/sys/bus/msm_subsys/devices/subsys1/restart_level                   u:object_r:sysfs_ssr_toggle:s0
+/sys/bus/msm_subsys/devices/subsys2/restart_level                   u:object_r:sysfs_ssr_toggle:s0
+/sys/bus/msm_subsys/devices/subsys3/restart_level                   u:object_r:sysfs_ssr_toggle:s0
+/sys/bus/msm_subsys/devices/subsys4/restart_level                   u:object_r:sysfs_ssr_toggle:s0
+/sys/devices/soc0/.*                                                u:object_r:sysfs_socinfo:s0
+/sys/devices/soc/soc:qcom,ipa_fws@[a-f0-9]+/subsys0/name            u:object_r:sysfs_data:s0
+/sys/devices/soc/soc:hbtp/secure_touch                              u:object_r:hbtp_kernel_sysfs:s0
+/sys/devices/soc/soc:hbtp/secure_touch_enable                       u:object_r:hbtp_kernel_sysfs:s0
+/sys/devices/soc/soc:hbtp/secure_touch_userspace                    u:object_r:hbtp_kernel_sysfs:s0
+/sys/kernel/hbtp/display_pwr                                        u:object_r:hbtp_kernel_sysfs:s0
+/sys/firmware/devicetree/base/cpus(/.*)?                            u:object_r:sysfs_devices_system_cpu:s0
+/sys/devices/vendor/vendor:bt_wcn3990/extldo                        u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/vendor/vendor:bt_wcn3990/rfkill/rfkill0/state          u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/bt_qca6174/extldo                                      u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/bt_qca6174/rfkill/rfkill0/state                        u:object_r:sysfs_bluetooth_writable:s0
+/sys/module/diagchar(/.*)?                                          u:object_r:sysfs_diag:s0
+
+/sys/devices(/platform)?/soc/soc:qcom,gpubw/devfreq/soc:qcom,gpubw(/.*)? u:object_r:sysfs_devfreq:s0
+/sys/devices(/platform)?/soc/soc:qcom,llccbw/devfreq/soc:qcom,llccbw(/.*)? u:object_r:sysfs_devfreq:s0
+/sys/devices(/platform)?/soc/soc:qcom,l3-cpu[0-9]/devfreq/soc:qcom,l3-cpu[0-9](/.*)? u:object_r:sysfs_devfreq:s0
+/sys/devices(/platform)?/soc/[a-f0-9]+.ufshc/clkscale_enable        u:object_r:sysfs_scsi_host:s0
+/sys/devices(/platform)?/soc/[a-f0-9]+/host0/scsi_host/host0(/.*)?  u:object_r:sysfs_scsi_host:s0
+/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/kgsl/kgsl-3d0(/.*)? u:object_r:sysfs_kgsl:s0
+/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/devfreq/[a-f0-9]+.qcom,kgsl-3d0(/.*)? u:object_r:sysfs_kgsl:s0
+/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/kgsl/kgsl-3d0/snapshot(/.*)? u:object_r:sysfs_kgsl_snapshot:s0
+
+/sys/devices(/platform)?/soc(.[0-9])?/[a-f0-9]+.sdhci/mmc_host/mmc0/clk_scaling(/.*)? u:object_r:sysfs_mmc_host:s0
+/sys/devices(/platform)?/soc/[a-f0-9]+.sdhci/mmc_host/mmc[0-9]/mmc0:[0-9]+/block/mmcblk[0-9]/bdi/read_ahead_kb u:object_r:sysfs_mmc_host:s0
+/sys/devices(/platform)?/soc/[a-f0-9]+.sdhci/mmc_host/mmc[0-9]/mmc0:[0-9]+/block/mmcblk[0-9]/queue/read_ahead_kb u:object_r:sysfs_mmc_host:s0
+/sys/devices(/platform)?/soc/[a-f0-9]+.sdhci/mmc_host/mmc[0-9]/mmc0:[0-9]+/block/mmcblk[0-9]/mmcblk0rpmb/bdi/read_ahead_kb u:object_r:sysfs_mmc_host:s0
+/sys/devices(/platform)?/soc/[a-f0-9]+.sdhci/mmc_host/mmc[0-9]/mmc0:[0-9]+/block/mmcblk[0-9]/mmcblk0rpmb/queue/read_ahead_kb u:object_r:sysfs_mmc_host:s0
+/sys/devices/virtual/bdi/[0-9]+:[0-9]+/read_ahead_kb u:object_r:sysfs_mmc_host:s0
+/sys/devices/virtual/block/dm-[0-9]+/queue/read_ahead_kb u:object_r:sysfs_mmc_host:s0
+
+/sys/module/cpu_boost(/.*)?                                         u:object_r:sysfs_cpu_boost:s0
+/sys/module/msm_performance(/.*)?                                   u:object_r:sysfs_msm_perf:s0
+/sys/kernel/mm/ksm(/.*)?                                            u:object_r:sysfs_memory:s0
+/sys/devices/virtual/input/input[0-9]+/do_flush                   u:object_r:sysfs_laser:s0
+/sys/devices/virtual/input/input[0-9]+/enable_ps_sensor           u:object_r:sysfs_laser:s0
+/sys/devices(/platform)?/soc/[a-z0-9]+\.qcom,pcie/pci[0-9:]+/[0-9:\.]+/[0-9:\.]+/wil6210/fst_link_loss            u:object_r:sysfs_wigig:s0
+/sys/devices(/platform)?/soc/[a-z0-9]+\.qcom,pcie/pci[0-9:]+/[0-9:\.]+/[0-9:\.]+/wil6210/thermal_throttling       u:object_r:sysfs_wigig:s0
+/sys/devices(/platform)?/soc/[a-z0-9]+\.qcom,pcie/pci[0-9:]+/[0-9:\.]+/[0-9:\.]+/wil6210/snr_thresh               u:object_r:sysfs_wigig:s0
+/sys/devices(/platform)?/soc/[a-z0-9]+\.qcom,pcie/pci[0-9:]+/[0-9:\.]+/[0-9:\.]+/net/wigig0/queues/rx-0/rps_cpus  u:object_r:sysfs_wigig:s0
+/sys/devices(/platform)?/soc/[a-z0-9]+\.qcom,pcie/pci[0-9:]+/[0-9:\.]+/[0-9:\.]+/net/wigig0/gro_flush_timeout     u:object_r:sysfs_wigig:s0
+/sys/module/msm_core(/.*)?                                          u:object_r:sysfs_ea:s0
+/sys/module/lpm_stats(/.*)?                                         u:object_r:sysfs_msm_stats:s0
+/sys/module/lpm_levels(/.*)?                                        u:object_r:sysfs_msm_power:s0
+/sys/module/radio_iris_transport/parameters/fmsmd_set               u:object_r:sysfs_fm:s0
+/sys/module/app_setting/parameters/lib_name                         u:object_r:sysfs_lib:s0
+/sys/kernel/boot_adsp/boot                                          u:object_r:sysfs_boot_adsp:s0
+/sys/kernel/boot_slpi(/.*)?                                         u:object_r:sysfs_slpi:s0
+/sys/module/process_reclaim(/.*)?                                   u:object_r:sysfs_process_reclaim:s0
+/sys/module/vmpressure(/.*)?                                        u:object_r:sysfs_vmpressure:s0
+/sys/board_properties/virtualkeys.synaptics_dsx                     u:object_r:sysfs_virtualkeys:s0
+/sys/board_properties/virtualkeys.ft5x06_ts                         u:object_r:sysfs_virtualkeys:s0
+
+###################################
+# data files
+#
+/data/time(/.*)?                                                    u:object_r:time_data_file:s0
+/data/vendor/nfc(/.*)?                                              u:object_r:nfc_vendor_data_file:s0
+/data/vendor/audio(/.*)?                                            u:object_r:vendor_audio_data_file:s0
+/data/vendor/connectivity(/.*)?                                     u:object_r:cnd_data_file:s0
+/data/vendor/misc/qti_fp(/.*)?                                      u:object_r:qfp-daemon_data_file:s0
+/data/vendor/time(/.*)?                                             u:object_r:vendor_time_data_file:s0
+/data/vendor/perfd(/.*)?                                            u:object_r:mpctl_data_file:s0
+/data/vendor/iop(/.*)?                                              u:object_r:iop_data_file:s0
+/data/vendor/lm(/.*)?                                               u:object_r:lm_data_file:s0
+/data/vendor/display(/.*)?                                          u:object_r:display_vendor_data_file:s0
+/data/vendor/ipa(/.*)?                                              u:object_r:ipa_vendor_data_file:s0
+/data/vendor/qtee(/.*)?                                             u:object_r:data_qtee_file:s0
+/data/vendor/location(/.*)?                                         u:object_r:location_data_file:s0
+/data/vendor/location/mq/location-mq-s                              u:object_r:location_socket:s0
+/data/vendor/location/mq/alarm_svc                                  u:object_r:location_socket:s0
+/data/vendor/hbtp(/.*)?                                             u:object_r:hbtp_log_file:s0
+/data/vendor/qti-logkit(/.*)?                                       u:object_r:qti_logkit_priv_data_file:s0
+/data/vendor/qti-logkit/shared-public(/.*)?                         u:object_r:qti_logkit_pub_data_file:s0
+/data/vendor/qti-logkit/logdata(/.*)?                               u:object_r:qti_logkit_pub_data_file:s0
+/data/vendor/qti-logkit/socket-privileged(/.*)?                     u:object_r:qti_logkit_priv_socket:s0
+/data/vendor/qti-logkit/socket-public(/.*)?                         u:object_r:qti_logkit_pub_socket:s0
+/data/vendor/radio(/.*)?                                            u:object_r:vendor_radio_data_file:s0
+/data/vendor/modem_config(/.*)?                                     u:object_r:vendor_mbn_data_file:s0
+/data/vendor/dataqti(/.*)?                                          u:object_r:vendor_qti_data_file:s0
+/data/vendor/netmgr(/.*)?                                           u:object_r:netmgrd_data_file:s0
+/data/vendor/port_bridge(/.*)?                                      u:object_r:port_bridge_data_file:s0
+/data/vendor/rfs.*                                                  u:object_r:rfs_file:s0
+/data/vendor/hlos_rfs(/.*)?                                         u:object_r:rfs_shared_hlos_file:s0
+/data/vendor/wifi(/.*)?                                             u:object_r:wifi_vendor_data_file:s0
+/data/vendor/wifi/sockets(/.*)?                                     u:object_r:wifi_vendor_wpa_socket:s0
+/data/vendor/wifi/wigig_sockets(/.*)?                               u:object_r:wifi_vendor_wpa_socket:s0
+/data/vendor/wifi/wigig_sockets/wpa_ctrl.*                          u:object_r:wifi_vendor_wpa_socket:s0
+/data/vendor/qdmastats(/.*)?                                        u:object_r:vendor_qdma_data_file:s0
+/data/vendor/qdma(/.*)?                                             u:object_r:vendor_qdma_data_file:s0
+/data/vendor/vpp(/.*)?                                              u:object_r:vendor_vpp_data_file:s0
+/data/vendor/camera(/.*)?                                           u:object_r:vendor_camera_data_file:s0
+/data/vendor/wifi/wigig_hostapd(/.*)?                               u:object_r:wigig_hostapd_socket:s0
+/data/vendor/tombstones(/.*)?                                       u:object_r:vendor_tombstone_data_file:s0
+/data/vendor/tzstorage(/.*)?                                        u:object_r:data_tzstorage_file:s0
+/data/vendor/tloc(/.*)?                                             u:object_r:tlocd_data_file:s0
+/data/vendor/media(/.*)?                                            u:object_r:vendor_media_data_file:s0
+/data/vendor/mediadrm(/.*)?                                         u:object_r:mediadrm_vendor_data_file:s0
+/data/vendor/ssrdump(/.*)?                                          u:object_r:ramdump_vendor_data_file:s0
+/data/vendor/ramdump(/.*)?                                          u:object_r:vendor_ramdump_data_file:s0
+/data/vendor/mdmhelperdata(/.*)?                                    u:object_r:vendor_mdmhelperdata_data_file:s0
+/sys/kernel/debug/ipc_logging(/.*)?                                 u:object_r:qti_debugfs:s0
+/data/vendor/misc/qsee(/.*)?                                        u:object_r:data_qsee_file:s0
+/data/vendor/tui(/.*)?                                              u:object_r:vendor_tui_data_file:s0
+/data/vendor/nnhal(/.*)?                                            u:object_r:hal_neuralnetworks_data_file:s0
+/data/vendor/bluetooth(/.*)?                                        u:object_r:vendor_bt_data_file:s0
+/data/vendor/scve(/.*)?                                             u:object_r:vendor_scve_data_file:s0
+/data/vendor/fm(/.*)?                                               u:object_r:vendor_fm_data_file:s0
+
+###################################
+# persist files
+#
+/persist(/.*)?                                                                 u:object_r:mnt_vendor_file:s0
+/mnt/vendor/persist/bluetooth(/.*)?                                            u:object_r:persist_bluetooth_file:s0
+/mnt/vendor/persist/drm(/.*)?                                                  u:object_r:persist_drm_file:s0
+/mnt/vendor/persist/sensors(/.*)?                                              u:object_r:sensors_persist_file:s0
+/mnt/vendor/persist/alarm(/.*)?                                                u:object_r:persist_alarm_file:s0
+/mnt/vendor/persist/time(/.*)?                                                 u:object_r:persist_time_file:s0
+/mnt/vendor/persist/data(/.*)?                                                 u:object_r:persist_drm_file:s0
+/mnt/vendor/persist/data/tz(/.*)?                                              u:object_r:persist_drm_file:s0
+/mnt/vendor/persist/data/sfs(/.*)?                                             u:object_r:persist_drm_file:s0
+/mnt/vendor/persist/qti_fp(/.*)?                                               u:object_r:persist_qti_fp_file:s0
+/mnt/vendor/persist/usf(/.*)?                                                  u:object_r:persist_usf_file:s0
+/mnt/vendor/persist/hlos_rfs(/.*)?                                             u:object_r:persist_rfs_shared_hlos_file:s0
+/mnt/vendor/persist/display(/.*)?                                              u:object_r:persist_display_file:s0
+/mnt/vendor/persist/rfs.*                                                      u:object_r:persist_rfs_file:s0
+/mnt/vendor/persist/speccfg(/.*)?                                              u:object_r:regionalization_file:s0
+/mnt/vendor/persist/misc(/.*)?                                                 u:object_r:persist_misc_file:s0
+/mnt/vendor/persist/bms(/.*)?                                                  u:object_r:persist_bms_file:s0
+/mnt/vendor/persist/vpp(/.*)?                                                  u:object_r:persist_vpp_file:s0
+/mnt/vendor/persist/secnvm(/.*)?                                               u:object_r:persist_secnvm_file:s0
+/mnt/vendor/persist/FTM_AP(/.*)?                                               u:object_r:vendor_persist_mmi_file:s0
+/mnt/vendor/persist/hvdcp_opti(/.*)?                                           u:object_r:persist_hvdcp_file:s0
+###################################
+# persist changes for backword comptaibily
+# this changes would be removed once tech team make the changes
+#
+/persist/bluetooth(/.*)?                                            u:object_r:persist_bluetooth_file:s0
+/persist/drm(/.*)?                                                  u:object_r:persist_drm_file:s0
+/persist/sensors(/.*)?                                              u:object_r:sensors_persist_file:s0
+/persist/alarm(/.*)?                                                u:object_r:persist_alarm_file:s0
+/persist/time(/.*)?                                                 u:object_r:persist_time_file:s0
+/persist/data(/.*)?                                                 u:object_r:persist_drm_file:s0
+/persist/data/tz(/.*)?                                              u:object_r:persist_drm_file:s0
+/persist/data/sfs(/.*)?                                             u:object_r:persist_drm_file:s0
+/persist/qti_fp(/.*)?                                               u:object_r:persist_qti_fp_file:s0
+/persist/usf(/.*)?                                                  u:object_r:persist_usf_file:s0
+/persist/hlos_rfs(/.*)?                                             u:object_r:persist_rfs_shared_hlos_file:s0
+/persist/display(/.*)?                                              u:object_r:persist_display_file:s0
+/persist/rfs.*                                                      u:object_r:persist_rfs_file:s0
+/persist/speccfg(/.*)?                                              u:object_r:regionalization_file:s0
+/persist/misc(/.*)?                                                 u:object_r:persist_misc_file:s0
+/persist/bms(/.*)?                                                  u:object_r:persist_bms_file:s0
+/persist/vpp(/.*)?                                                  u:object_r:persist_vpp_file:s0
+/persist/secnvm(/.*)?                                               u:object_r:persist_secnvm_file:s0
+/persist/FTM_AP(/.*)?                                               u:object_r:vendor_persist_mmi_file:s0
+
+###################################
+# etc files
+#
+/vendor/etc/hbtp/*                                                  u:object_r:hbtp_cfg_file:s0
+
+###################################
+# adsp files
+#
+/(vendor|system/vendor)/dsp(/.*)?                                   u:object_r:adsprpcd_file:s0
+/dsp(/.*)?                                                          u:object_r:adsprpcd_file:s0
+
+###################################
+# cache files
+#
+
+###################################
+# vendor files
+#
+/vendor/package(/.*)?                      u:object_r:vendor_carrier_file:s0
+/vendor/package(/.*)?/overlay(/.*)?        u:object_r:vendor_overlay_file:s0
+/vendor/package(/.*)?/app(/.*)?            u:object_r:vendor_app_file:s0
+
+# same-process HAL files and their dependencies
+#
+/vendor/lib(64)?/hw/gralloc\.msm8998\.so   u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl-qti-display\.so   u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@1\.0\.so   u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libqdMetaData\.so         u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libqservice\.so           u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libqdutils\.so            u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libadreno_utils\.so       u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgsl\.so                u:object_r:same_process_hal_file:s0
+
+/vendor/lib(64)?/hw/vulkan\.msm8998\.so    u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libEGL_adreno\.so         u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv1_CM_adreno\.so   u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv2_adreno\.so      u:object_r:same_process_hal_file:s0
+
+/vendor/lib(64)?/libdrmutils\.so           u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libdrm\.so                u:object_r:same_process_hal_file:s0
+
+/vendor/lib(64)?/libavenhancements\.so     u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgrallocutils\.so       u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgralloccore\.so        u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libExtendedExtractor.so   u:object_r:same_process_hal_file:s0
+# RenderScript dependencies.
+# To test: run cts -m CtsRenderscriptTestCases
+/vendor/lib(64)?/libRSDriver_adreno\.so     u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libCB\.so                  u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libllvm-qgl\.so            u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libbccQTI\.so              u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libllvm-qcom\.so           u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/librs_adreno\.so           u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/librs_adreno_sha1\.so      u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libqti-perfd-client\.so    u:object_r:same_process_hal_file:s0
+# perf-hal client lib (included by libqti-perfd-client.so)
+/vendor/lib(64)?/vendor\.qti\.hardware\.perf@1\.0\.so    u:object_r:same_process_hal_file:s0
+
+# libGLESv2_adreno depends on this
+/vendor/lib(64)?/libllvm-glnext\.so         u:object_r:same_process_hal_file:s0
+
+# libOpenCL and its dependencies
+/vendor/lib(64)?/libOpenCL\.so              u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libq3dtools_adreno\.so     u:object_r:same_process_hal_file:s0
+
+# hbtp dependencies
+/vendor/lib(64)?/libhbtpitsjni\.so          u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libhbtpdbgclientjni\.so    u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libhbtpjni\.so             u:object_r:same_process_hal_file:s0
+
+#Loaded by native loader (zygote) for all processes
+/vendor/lib(64)?/libhalide_hexagon_host\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libadsprpc\.so             u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libcdsprpc\.so             u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libsdsprpc\.so             u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libdiag\.so                u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libtime_genoff\.so         u:object_r:same_process_hal_file:s0
+
+# libmmi_jni
+/vendor/lib(64)?/libmmi_jni\.so             u:object_r:same_process_hal_file:s0
+
+# libqti_vndfwk_detect libs
+/vendor/lib(64)?/libvndfwk_detect_jni\.qti\.so             u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libqti_vndfwk_detect\.so             u:object_r:same_process_hal_file:s0
+
+# Fastcv libs
+/vendor/lib(64)?/libfastcvdsp_stub\.so      u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libfastcvadsp_stub\.so     u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libfastcvopt\.so           u:object_r:same_process_hal_file:s0
+
+# SVA files
+/vendor/lib(64)?/liblistenjni\.so          u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/liblistensoundmodel2\.so  u:object_r:same_process_hal_file:s0
+
+# libnpu
+/vendor/lib(64)?/libnpu\.so                u:object_r:same_process_hal_file:s0
+###################################
+# firmware images
+#
+/vendor/firmware(/.*)?                                              u:object_r:vendor_firmware_file:s0
+/system/etc/firmware(/.*)?                                          u:object_r:firmware_file:s0
+/system/vendor/firmware(/.*)?                                       u:object_r:firmware_file:s0
+/firmware/image(/.*)?                                               u:object_r:firmware_file:s0
+/vendor/bt_firmware(/.*)?                                           u:object_r:bt_firmware_file:s0
+/vendor/firmware_mnt(/.*)?                                          u:object_r:firmware_file:s0
+
+/bt_firmware/bt_firmware(/.*)?                                      u:object_r:bt_firmware_file:s0
+
+/(vendor|system/vendor)/bin/grep                                    u:object_r:vendor_toolbox_exec:s0
+##################################
+#vendor toolbox
+#
+/(vendor|system/vendor)/bin/toolbox_vendor                          u:object_r:vendor_toolbox_exec:s0
+
+#Android NN Driver
+/(vendor|system/vendor)/bin/hw/android\.hardware\.neuralnetworks@1\.1-service-qti u:object_r:hal_neuralnetworks_default_exec:s0
+
+#wifilearner daemon
+/(vendor|system/vendor)/bin/wifilearner    u:object_r:wifilearnersvc_exec:s0
diff --git a/legacy/vendor/common/fingerprintd.te b/legacy/vendor/common/fingerprintd.te
new file mode 100644
index 0000000..f0fe878
--- /dev/null
+++ b/legacy/vendor/common/fingerprintd.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#==========================fingerprintd================================
+allow fingerprintd iqfp_service:service_manager find;
+binder_call(fingerprintd, qfp-daemon);
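Review bot: The two rules under the `fingerprintd` banner have no comment saying why this domain needs them, and both `iqfp_service` and `qfp-daemon` are declared outside this hunk. I would add a line such as `# Let fingerprintd find iqfp_service and make binder calls to qfp-daemon.` above the `allow` rule. It is also worth confirming that every legacy target that picks up this directory defines both types, since the policy will presumably fail to compile on a target that lacks them. The same `iqfp_service` find rule is commented out in `fps_hal.te` in this commit, so a short note on which of the two domains is meant to hold it would prevent the rules from drifting apart.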
diff --git a/legacy/vendor/common/fm.te b/legacy/vendor/common/fm.te
new file mode 100644
index 0000000..0256c98
--- /dev/null
+++ b/legacy/vendor/common/fm.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type fm_qsoc_patches, domain;
+type fm_qsoc_patches_exec, exec_type, vendor_file_type, file_type;
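Review bot: `fm_qsoc_patches` is declared as a domain with an exec type, but this file has no `init_daemon_domain(fm_qsoc_patches)` or other transition and no allow rules, unlike `fps_hal.te` in the same commit. If the transition and the rules live in another file, a one-line comment here such as `# domain transition and rules: see <path placeholder>` would help. If they do not exist anywhere, the binary would presumably keep running in its parent's domain and the new type would confine nothing. Separately, the second line of the licence header is an empty line rather than `#`, which differs from the other new files.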
diff --git a/legacy/vendor/common/fps_hal.te b/legacy/vendor/common/fps_hal.te
new file mode 100644
index 0000000..0ce6bd1
--- /dev/null
+++ b/legacy/vendor/common/fps_hal.te
@@ -0,0 +1,39 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#==========================fps_hal================================
+type fps_hal, domain;
+type fps_hal_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(fps_hal)
+
+#binder_use(fps_hal)
+
+#allow fps_hal iqfp_service:service_manager find;
+
+binder_call(fps_hal, system_server);
+binder_call(fps_hal, qfp-daemon);
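Review bot: The two `binder_call` rules at the end of fps_hal.te let fps_hal transact with system_server and qfp-daemon, while `binder_use(fps_hal)` and the `iqfp_service` find rule just above are left commented out with no reason given. Nothing visible in this file shows how fps_hal would obtain a binder reference to either peer, so these rules are either dead or depend on access granted elsewhere. I would replace the bare commented-out lines with a one-line reason, for example `# binder_use dropped: <reason>; transport is now <hwbinder|vndbinder>`, and delete the `binder_call` rules if no transport remains. For what is presumably a fingerprint-sensor domain, the set of peers it may call should be explicit.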
diff --git a/legacy/vendor/common/fsck.te b/legacy/vendor/common/fsck.te
new file mode 100644
index 0000000..9db590f
--- /dev/null
+++ b/legacy/vendor/common/fsck.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+allow fsck persist_block_device:blk_file rw_file_perms;
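Review bot: The only rule in fsck.te gives the fsck domain read/write on `persist_block_device` and has no comment explaining it, unlike the commented grants in fstman.te and hal_bootctl.te elsewhere in this commit. fsck is not declared in this file, so this extends a domain defined elsewhere, and the reason should be recorded next to the rule. I would add a line such as `# fsck checks/repairs the persist partition before it is mounted (confirm)` above the allow.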
diff --git a/legacy/vendor/common/fstman.te b/legacy/vendor/common/fstman.te
new file mode 100644
index 0000000..bd258e1
--- /dev/null
+++ b/legacy/vendor/common/fstman.te
@@ -0,0 +1,72 @@
+# Copyright (c) 2015,2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type fstman, domain;
+type fstman_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(fstman)
+net_domain(fstman)
+
+# fstman requires special network privileges.
+# access traffic control (TC) for marking packets to identify from
+# which slave interface they arrive, drop multicast packets and
+# duplicate packets. This requires the net_raw capability.
+# network admin operations mainly on the bonding driver:
+# interface up/down, add/remove slave interfaces, set queue parameters
+# This requires the net_admin capability.
+allow fstman self:capability { net_admin net_raw };
+
+# netlink socket is used to access traffic control (TC)
+allow fstman self:netlink_route_socket nlmsg_write;
+
+# allow privileged socket operations: interface up/down, bond interface management
+allowxperm fstman self:udp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS SIOCSIFTXQLEN SIOCBONDENSLAVE SIOCBONDRELEASE SIOCETHTOOL};
+
+# need access to bond0 sysfs in order to manage attached interfaces
+allow fstman sysfs_net:dir r_dir_perms;
+allow fstman sysfs_bond0:file rw_file_perms;
+
+# need access to wigig sysfs in order to control fst_link_loss
+allow fstman sysfs_wigig:file rw_file_perms;
+
+#allow fstman to read FST properties
+get_prop(fstman, fst_prop);
+
+# create/read fstman configuration file (/data/vendor/wifi/fstman.ini)
+r_dir_file(fstman, wifi_vendor_data_file)
+allow fstman wifi_vendor_data_file:dir rw_dir_perms;
+allow fstman wifi_vendor_data_file:file create_file_perms;
+
+# fstman needs to communicate with wpa_supplicant and hostapd using socket
+# for managing FST state
+allow fstman { hal_wifi_supplicant hal_wifi_hostapd_default }:unix_dgram_socket sendto;
+# supplicant interface sockets
+allow fstman wifi_vendor_wpa_socket:dir rw_dir_perms;
+allow fstman wifi_vendor_wpa_socket:sock_file create_file_perms;
+# hostapd global socket
+allow fstman hostapd_data_file:dir rw_dir_perms;
+allow fstman hostapd_data_file:sock_file create_file_perms;
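Review bot: The comment in fstman.te scopes the data-file access to one file (`/data/vendor/wifi/fstman.ini`), but `allow fstman wifi_vendor_data_file:file create_file_perms;` and the matching `rw_dir_perms` apply to every object labelled `wifi_vendor_data_file`. That gives a domain which also holds `net_admin` and `net_raw` write access to whatever else the Wi-Fi stack keeps under that label. A dedicated type for the fstman configuration file (for example `fstman_vendor_data_file`, name is only a suggestion) with a matching file_contexts entry would narrow the grant to what the comment describes. The preceding `r_dir_file(fstman, wifi_vendor_data_file)` is also redundant once the rw rules are present. The same width applies to `create_file_perms` on `hostapd_data_file:sock_file` in the last line, where connecting to an existing socket probably only needs write.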
diff --git a/legacy/vendor/common/gatekeeper.te b/legacy/vendor/common/gatekeeper.te
new file mode 100644
index 0000000..788d3cb
--- /dev/null
+++ b/legacy/vendor/common/gatekeeper.te
@@ -0,0 +1,33 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+# Allow interacting with esepmdaemon
+#allow gatekeeperd esepmdaemon_service:service_manager find;
+
+# Allow gatekeeper to bind to esepmdaemon
+#binder_call(gatekeeperd, esepmdaemon)
diff --git a/legacy/vendor/common/genfs_contexts b/legacy/vendor/common/genfs_contexts
new file mode 100755
index 0000000..dd80633
--- /dev/null
+++ b/legacy/vendor/common/genfs_contexts
@@ -0,0 +1,77 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+genfscon proc /debug/fwdump                           u:object_r:proc_wifi_dbg:s0
+genfscon proc /debugdriver/driverdump                 u:object_r:proc_wifi_dbg:s0
+genfscon proc /ath_pktlog/cld                         u:object_r:proc_wifi_dbg:s0
+genfscon proc /asound/card0/state u:object_r:proc_audiod:s0
+genfscon proc /asound/cards u:object_r:proc_audiod:s0
+genfscon proc /sys/vm/dirty_ratio  u:object_r:proc_dirty_ratio:s0
+genfscon sysfs /module/msm_performance/workload_modes u:object_r:sysfs_msm_perf:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,cpubw/devfreq u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,memlat-cpu0/devfreq u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,memlat-cpu2/devfreq u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,memlat-cpu4/devfreq u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,memlat-cpu6/devfreq u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,l3-cpu0/devfreq u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,l3-cpu2/devfreq u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,l3-cpu4/devfreq u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,l3-cpu6/devfreq u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,mincpubw/devfreq u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,llccbw/devfreq u:object_r:sysfs_devfreq:s0
+genfscon sysfs /module/big_cluster_min_freq_adjust u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/soc/soc:qcom,cpubw/devfreq u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/soc/soc:qcom,memlat-cpu0/devfreq u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/soc/soc:qcom,memlat-cpu2/devfreq u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/soc/soc:qcom,memlat-cpu4/devfreq u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/soc/soc:qcom,memlat-cpu6/devfreq u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/soc/soc:qcom,mincpubw/devfreq u:object_r:sysfs_devfreq:s0
+genfscon debugfs /kgsl/proc u:object_r:qti_debugfs:s0
+genfscon sysfs /kernel/wcd_cpe0 u:object_r:sysfs_audio:s0
+genfscon sysfs /devices/virtual/thermal u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
+genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
+genfscon sysfs /devices/virtual/kgsl/kgsl/proc u:object_r:sysfs_kgsl_proc:s0
+
+genfscon sysfs /module/qpnp_rtc/parameters/poweron_alarm u:object_r:sysfs_poweron_alarm:s0
+
+genfscon sysfs /devices/platform/cam_sync/video4linux/video0/name u:object_r:sysfs_graphics:s0
+
+genfscon sysfs /devices/virtual/npu/msm_npu/pwr u:object_r:sysfs_npu:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,msm-ext-disp/extcon/extcon0/name u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,msm-ext-disp/extcon/extcon0/cable.0/ u:object_r:sysfs_graphics:s0
+
+genfscon sysfs /devices/platform/soc/soc:qcom,mdm3/esoc0 u:object_r:sysfs_esoc:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,msm-ext-disp/extcon/extcon1/name u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,msm-ext-disp/extcon/extcon1/cable.0/ u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/system/memory/ u:object_r:sysfs_memory_offline:s0
+
+genfscon sysfs /kernel/qvr_external_sensor u:object_r:sysfs_qvr_external_sensor:s0
+
+genfscon sysfs /devices/virtual/xt_hardidletimer/timers u:object_r:sysfs_data:s0
+genfscon sysfs /devices/virtual/xt_idletimer/timers u:object_r:sysfs_data:s0
+
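Review bot: Four sysfs entries in genfs_contexts end in a trailing slash (`/devices/system/memory/` and the two `extcon*/cable.0/` paths), while all the others do not. genfscon entries are matched as path prefixes, so the slash form labels the children but leaves the directory node itself on the default sysfs label. If a domain needs to search or list `/sys/devices/system/memory`, it will then need access to generic `sysfs:dir`. If the directory is meant to carry the label, drop the slash, e.g. `genfscon sysfs /devices/system/memory u:object_r:sysfs_memory_offline:s0`; if not, a comment should say so. Separately, the file is added with mode 100755 although it is a plain policy data file; 100644 would match the other files in the commit.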
diff --git a/legacy/vendor/common/hal_alarm_qti.te b/legacy/vendor/common/hal_alarm_qti.te
new file mode 100644
index 0000000..661520f
--- /dev/null
+++ b/legacy/vendor/common/hal_alarm_qti.te
@@ -0,0 +1,33 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+binder_call(hal_alarm_qti_client, hal_alarm_qti_server)
+binder_call(hal_alarm_qti_server, hal_alarm_qti_client)
+
+add_hwservice(hal_alarm_qti_server, hal_alarm_qti_hwservice)
+
+allow hal_alarm_qti_client hal_alarm_qti_hwservice:hwservice_manager find;
diff --git a/legacy/vendor/common/hal_alarm_qti_default.te b/legacy/vendor/common/hal_alarm_qti_default.te
new file mode 100644
index 0000000..d8132a0
--- /dev/null
+++ b/legacy/vendor/common/hal_alarm_qti_default.te
@@ -0,0 +1,34 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type hal_alarm_qti_default, domain;
+hal_server_domain(hal_alarm_qti_default, hal_alarm_qti)
+
+type hal_alarm_qti_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_alarm_qti_default)
+
+allow hal_alarm_qti_default rtc_device:chr_file r_file_perms;
diff --git a/legacy/vendor/common/hal_atfwd.te b/legacy/vendor/common/hal_atfwd.te
new file mode 100644
index 0000000..584c62a
--- /dev/null
+++ b/legacy/vendor/common/hal_atfwd.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+binder_call(atfwd, qtelephony);
+allow atfwd hal_atfwd_hwservice:hwservice_manager find;
\ No newline at end of file
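Review bot: hal_atfwd.te ends without a trailing newline, so its last rule `allow atfwd hal_atfwd_hwservice:hwservice_manager find;` is not terminated by a line break. Policy sources are concatenated before compilation, and depending on how the build joins them, an unterminated last line can run into the first line of the next file; please end the file with a newline. The file is named for a HAL but both rules target the `atfwd` domain and no type is declared here, so a one-line header comment saying where `atfwd` is defined would help.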
diff --git a/legacy/vendor/common/hal_audio.te b/legacy/vendor/common/hal_audio.te
new file mode 100644
index 0000000..d83e4a4
--- /dev/null
+++ b/legacy/vendor/common/hal_audio.te
@@ -0,0 +1,70 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+# Allow hal_audio to read soundcard state under /proc/asound
+allow hal_audio proc_audiod:file r_file_perms;
+
+allow hal_audio_default vendor_audio_data_file:dir rw_dir_perms;
+allow hal_audio_default vendor_audio_data_file:file create_file_perms;
+
+# Allow hal_audio_default to read sysfs_thermal dir/files for speaker protection
+r_dir_file(hal_audio_default, sysfs_thermal)
+
+#Allow hal audio to use Binder IPC
+vndbinder_use(hal_audio)
+
+userdebug_or_eng(`
+  diag_use(hal_audio)
+  #Allow access to debug fs
+  allow hal_audio_default debugfs:dir r_dir_perms;
+  allow hal_audio_default qti_debugfs:dir r_dir_perms;
+  allow hal_audio_default qti_debugfs:file rw_file_perms;
+')
+
+#Allow access to firmware
+allow hal_audio firmware_file:dir r_dir_perms;
+allow hal_audio firmware_file:file r_file_perms;
+#Split A2dp specific
+binder_call(hal_audio,bluetooth)
+
+# audio properties
+get_prop(hal_audio, vendor_audio_prop)
+
+#to read bt props
+get_prop(hal_audio, vendor_bluetooth_prop)
+
+#for perf hal call
+hal_client_domain(hal_audio_default, hal_perf)
+hal_client_domain(hal_audio_default, hal_power)
+
+# Allow audio HAL to get updates from health hal
+hal_client_domain(hal_audio_default, hal_health)
+
+#allow acess to wcd_cpe
+allow hal_audio sysfs_audio:file rw_file_perms;
+allow hal_audio sysfs_audio:dir r_dir_perms ;
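Review bot: hal_audio.te mixes grants to the attribute `hal_audio` with grants to the domain `hal_audio_default`, and the attribute gets the broader ones: `firmware_file` reads, `binder_call(hal_audio,bluetooth)`, and `allow hal_audio sysfs_audio:file rw_file_perms;`. A rule on the attribute applies to every domain that carries it, which as I understand the HAL attribute macros can include client processes on builds where the HAL runs in-process, so device-specific access should sit on the server domain. Unless the wider scope is intended, I would retarget these, e.g. `allow hal_audio_default sysfs_audio:file rw_file_perms;` and `allow hal_audio_default sysfs_audio:dir r_dir_perms;`. The hunk also leaves a stray space before the final semicolon and the typo "acess" in the last comment.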
diff --git a/legacy/vendor/common/hal_bluetooth.te b/legacy/vendor/common/hal_bluetooth.te
new file mode 100644
index 0000000..106463a
--- /dev/null
+++ b/legacy/vendor/common/hal_bluetooth.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2017 The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+allow hal_bluetooth {
+    smd_device
+}:chr_file rw_file_perms;
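Review bot: The `smd_device` read/write grant to `hal_bluetooth` is stated three times in this commit: here, and twice more in hal_bluetooth_qti.te (once in the `serial_device`/`smd_device` block and again in the "bt power node access" block). Duplicate allow rules are harmless to the compiled policy, but they make it hard to tell which file owns the permission and easy to miss a copy when it is later revoked. I would keep a single rule, preferably on the server domain, `allow hal_bluetooth_qti { serial_device smd_device bt_device }:chr_file rw_file_perms;`, and delete this file if nothing else remains in it.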
diff --git a/legacy/vendor/common/hal_bluetooth_qti.te b/legacy/vendor/common/hal_bluetooth_qti.te
new file mode 100644
index 0000000..670ca01
--- /dev/null
+++ b/legacy/vendor/common/hal_bluetooth_qti.te
@@ -0,0 +1,82 @@
+# Copyright (c) 2017 The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type hal_bluetooth_qti, domain;
+hal_server_domain(hal_bluetooth_qti, hal_bluetooth)
+
+type hal_bluetooth_qti_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_bluetooth_qti)
+
+# bluetooth properties
+set_prop(hal_bluetooth, vendor_bluetooth_prop)
+
+r_dir_file(hal_bluetooth_qti, firmware_file)
+
+allow hal_bluetooth {
+    serial_device
+    smd_device
+}:chr_file rw_file_perms;
+
+#For bluetooth firmware
+r_dir_file(hal_bluetooth, bt_firmware_file)
+
+allow hal_bluetooth_qti persist_bluetooth_file:dir r_dir_perms;
+allow hal_bluetooth_qti persist_bluetooth_file:file r_file_perms;
+r_dir_file(hal_bluetooth_qti, mnt_vendor_file)
+allow hal_bluetooth self:socket create_socket_perms;
+allowxperm hal_bluetooth self:socket ioctl msm_sock_ipc_ioctls;
+allow hal_bluetooth_qti vendor_bt_data_file:dir ra_dir_perms;
+allow hal_bluetooth_qti vendor_bt_data_file:file create_file_perms;
+
+#bt power node access
+allow hal_bluetooth {
+    smd_device
+    bt_device
+}:chr_file rw_file_perms;
+
+#diag access
+userdebug_or_eng(`
+    diag_use(hal_bluetooth)
+')
+
+userdebug_or_eng(`
+# Logging for backward compatibility
+allow hal_bluetooth_qti ramdump_vendor_data_file:file create_file_perms;
+allow hal_bluetooth_qti ramdump_vendor_data_file:dir rw_dir_perms;
+
+allow hal_bluetooth proc_sysrq:file w_file_perms;
+allow hal_bluetooth_qti qti_debugfs:file r_file_perms;
+allow hal_bluetooth_qti qti_debugfs:dir rw_dir_perms;
+allow hal_bluetooth_qti self:{ socket qipcrtr_socket } create_socket_perms_no_ioctl;
+')
+
+#Blocked by hal_attribute_hwservice(hal_bluetooth, hal_bluetooth_hwservice)
+#allow system_app hal_bluetooth_hwservice :hwservice_manager find;
+
+#FM IPC with BT/FM hal daemon
+binder_call(system_app, hal_bluetooth);
+binder_call(hal_bluetooth, system_app);
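Review bot: The last two lines of hal_bluetooth_qti.te open binder transactions in both directions between `hal_bluetooth` and the whole `system_app` domain, justified only as "FM IPC". That covers every application running as system_app rather than just the FM client, while the hwservice find rule above is commented out as "Blocked by hal_attribute_hwservice", which suggests the platform policy deliberately restricts who may reach this HAL. If FM really needs the channel, the usual route would be `hal_client_domain(<fm client domain>, hal_bluetooth)` on a dedicated domain; please name the client and state the reason in the comment. Most rules in this file are also written against the attribute `hal_bluetooth` rather than `hal_bluetooth_qti`, so they apply to any domain carrying that attribute.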
diff --git a/legacy/vendor/common/hal_bootctl.te b/legacy/vendor/common/hal_bootctl.te
new file mode 100644
index 0000000..ee576dd
--- /dev/null
+++ b/legacy/vendor/common/hal_bootctl.te
@@ -0,0 +1,62 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# These are the permissions required to use the boot_control HAL implemented
+# here: hardware/qcom/bootctrl/boot_control.c
+
+# Getting and setting GPT attributes for the bootloader iterates over all the
+# partition names in the block_device directory /dev/block/.../by-name
+allow hal_bootctl block_device:dir { open read search };
+
+# Allow boot_control_hal to get attributes on all the A/B partitions.
+allow hal_bootctl {
+  custom_ab_block_device
+  xbl_block_device
+  boot_block_device
+  ssd_device
+  modem_block_device
+  system_block_device
+  mdtp_device
+}:blk_file { getattr };
+
+# Allow the boot_control_hal to edit the attributes stored in the GPT.
+allow hal_bootctl gpt_block_device:blk_file rw_file_perms;
+allow hal_bootctl root_block_device:blk_file rw_file_perms;
+
+# Allow boot_control_hal to access /dev/sgN devices (generic SCSI) to write the
+# A/B slot selection for the XBL partition. Allow also to issue a
+# UFS_IOCTL_QUERY ioctl.
+allow hal_bootctl sg_device:chr_file rw_file_perms;
+allow hal_bootctl sysfs:dir r_dir_perms;
+
+# The sys_rawio denial message is benign, and shows up due to a capability()
+# call made by the scsi driver to check for CAP_SYS_RAWIO. Not having this
+# does not result in a error
+dontaudit hal_bootctl self:capability sys_rawio;
+
+# Allow boot_control_hal to write to the XBL devices.
+allow hal_bootctl xbl_block_device:blk_file rw_file_perms;
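Review bot: `allow hal_bootctl root_block_device:blk_file rw_file_perms;` is much wider than its comment ("edit the attributes stored in the GPT") suggests. If `root_block_device` labels the whole-disk node, as the name implies, write access there reaches every partition, whatever the per-partition labels in the getattr-only list above say. Together with read/write on `sg_device`, any domain with the `hal_bootctl` attribute can effectively rewrite boot-critical storage, so the rule should have a comment stating which device nodes the type covers and why `gpt_block_device` alone is not enough. Suggested wording: `# root_block_device = <node(s)>; needed because the GPT headers live on the raw disk, not in a partition (confirm)`. `allow hal_bootctl sysfs:dir r_dir_perms;` likewise targets the generic sysfs label and would be better pointed at the specific sysfs type the UFS query needs.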
diff --git a/legacy/vendor/common/hal_camera.te b/legacy/vendor/common/hal_camera.te
new file mode 100644
index 0000000..8bf9d02
--- /dev/null
+++ b/legacy/vendor/common/hal_camera.te
@@ -0,0 +1,87 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+allow hal_camera qdisplay_service:service_manager find;
+#allow hal_camera surfaceflinger_service:service_manager find;
+# added now for camera functionality. This should be using HIDL
+#userdebug_or_eng(`
+#binder_use(hal_camera)
+#')
+binder_call(hal_camera, surfaceflinger)
+set_prop(hal_camera, camera_prop)
+allow hal_camera gpu_device:chr_file rw_file_perms;
+
+allow hal_camera sysfs_jpeg:file r_file_perms;
+
+#changes to access laser device
+allow hal_camera input_device:chr_file r_file_perms;
+r_dir_file(hal_camera, input_device);
+allow hal_camera sysfs_laser:file w_file_perms;
+r_dir_file(hal_camera, sysfs_laser);
+
+vndbinder_use(hal_camera);
+hal_client_domain(hal_camera_default, hal_perf)
+
+#needed for full_treble
+binder_call(hal_camera, hal_graphics_composer_default)
+allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
+
+allow hal_camera_default mnt_vendor_file:dir r_dir_perms;
+
+r_dir_file(hal_camera_default, sensors_persist_file);
+r_dir_file(hal_camera_default, sysfs_graphics)
+#allow hal_camera to access Isensormanager
+allow hal_camera fwk_sensor_hwservice:hwservice_manager find;
+binder_call(hal_camera, system_server)
+allow hal_camera_default fwk_display_hwservice:hwservice_manager find;
+# from sensors team
+
+allow hal_camera self:{ socket qipcrtr_socket } create_socket_perms;
+allowxperm hal_camera self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
+
+allow hal_camera_default sysfs_data:file read;
+allow hal_camera sysfs_data:file r_file_perms;
+
+allow hal_camera vendor_camera_data_file:dir rw_dir_perms;
+allow hal_camera vendor_camera_data_file:file create_file_perms;
+allow hal_camera vendor_camera_data_file:sock_file write;
+userdebug_or_eng(`
+allow hal_camera vendor_camera_data_file:file create_file_perms;
+')
+unix_socket_connect(hal_camera, thermal, thermal-engine)
+
+#Allows camera to call ADSP QDSP6 functionality
+allow hal_camera qdsp_device:chr_file r_file_perms;
+
+#allow camera to access /dsp
+r_dir_file(hal_camera, adsprpcd_file);
+#allow camera to access adsprpc_prop
+get_prop(hal_camera, adsprpc_prop)
+
+allow hal_camera_default mm-qcamerad:unix_dgram_socket sendto;
+
+get_prop(hal_camera, mm_video_prop)
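Review bot: The `userdebug_or_eng` block near the end of hal_camera.te repeats `allow hal_camera vendor_camera_data_file:file create_file_perms;`, which is already granted unconditionally a few lines earlier, so the debug gate has no effect. If file creation under the camera data directory is meant to be debug-only, drop the unconditional rule; otherwise drop the gated copy. The file also mixes rules on the `hal_camera` attribute with rules on `hal_camera_default`. As far as I know, `hal_client_domain` attaches the base attribute to client domains on builds that are not full Treble, so attribute-level grants would reach clients there; scoping to the server type where only the vendor server needs the access would be tighter. The same pattern appears in hal_display_color.te, hal_factory_qti_default.te (`set_prop(vendor_hal_factory_qti, ctl_vendor_mmid_prop)`) and hal_gatekeeper_qti.te.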
diff --git a/legacy/vendor/common/hal_configstore.te b/legacy/vendor/common/hal_configstore.te
new file mode 100644
index 0000000..1a6c2f1
--- /dev/null
+++ b/legacy/vendor/common/hal_configstore.te
@@ -0,0 +1,31 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# allow configstore client to find display config service.
+allow hal_configstore_default hal_display_config_hwservice:hwservice_manager find;
+
+binder_call(hal_configstore_default, hal_graphics_composer_default)
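Review bot: `binder_call(hal_configstore_default, hal_graphics_composer_default)` has no comment, while the `find` rule above it does. Presumably the composer process hosts the display config service that configstore looks up. If so, a line such as `# display config service is hosted by the composer HAL` would record why a configuration HAL is allowed to call into the composer.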
diff --git a/legacy/vendor/common/hal_contexthub.te b/legacy/vendor/common/hal_contexthub.te
new file mode 100644
index 0000000..946ae78
--- /dev/null
+++ b/legacy/vendor/common/hal_contexthub.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Allow context hub HAL to communicate with daemon via socket
+unix_socket_connect(hal_contexthub, chre, chre)
\ No newline at end of file
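Review bot: hal_contexthub.te ends without a trailing newline, and hal_factory_qti_default.te further down carries the same marker. Policy sources are concatenated before compilation, so depending on the build tooling the last statement can run into the first line of the next file. Ending both files with a newline avoids relying on the build to add one.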
diff --git a/legacy/vendor/common/hal_display_color.te b/legacy/vendor/common/hal_display_color.te
new file mode 100644
index 0000000..8efc856
--- /dev/null
+++ b/legacy/vendor/common/hal_display_color.te
@@ -0,0 +1,55 @@
+# Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Define domain
+type hal_display_color_default, domain;
+hal_server_domain(hal_display_color_default, hal_display_color)
+type hal_display_color_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_display_color_default)
+
+# Allow hwbinder call from hal client to server
+binder_call(hal_display_color_client, hal_display_color_server)
+
+# Add hwservice related rules
+add_hwservice(hal_display_color_server, hal_display_color_hwservice)
+allow hal_display_color_client hal_display_color_hwservice:hwservice_manager find;
+
+# Rule for vndbinder usage
+allow hal_display_color qdisplay_service:service_manager find;
+vndbinder_use(hal_display_color);
+binder_call(hal_display_color, hal_graphics_composer)
+
+# Rule for pps socket usage
+unix_socket_connect(hal_display_color, pps, hal_graphics_composer_default)
+unix_socket_connect(hal_display_color, pps, mm-pp-daemon)
+
+#Add rules for postproc hal
+add_hwservice(hal_display_color_server, hal_display_postproc_hwservice)
+allow hal_display_postproc_client hal_display_postproc_hwservice:hwservice_manager find;
+
+# Set vendor_qdcmss property
+set_prop(hal_display_color, vendor_qdcmss_prop);
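Review bot: `hal_display_postproc_client` is allowed to `find` `hal_display_postproc_hwservice`, but this file has no `binder_call` from that client attribute to `hal_display_color_server`, which registers the service. The only client-to-server call rule here is for `hal_display_color_client`. Unless postproc clients get their call permission elsewhere, a rule such as `binder_call(hal_display_postproc_client, hal_display_color_server)` is needed for the lookup to be usable.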
diff --git a/legacy/vendor/common/hal_dpmQmiMgr.te b/legacy/vendor/common/hal_dpmQmiMgr.te
new file mode 100644
index 0000000..b2d9c81
--- /dev/null
+++ b/legacy/vendor/common/hal_dpmQmiMgr.te
@@ -0,0 +1,67 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#dpmQmiMgr as domain
+type hal_dpmQmiMgr, domain;
+
+type hal_dpmQmiMgr_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_dpmQmiMgr)
+
+net_domain(hal_dpmQmiMgr)
+
+#Add hal_dpmQMiMgr as hwservice
+add_hwservice(hal_dpmQmiMgr, hal_dpmqmi_hwservice)
+
+#Allow hwbinder usage
+hwbinder_use(hal_dpmQmiMgr)
+
+#Allow to get hwservice_prop
+get_prop(hal_dpmQmiMgr, hwservicemanager_prop)
+
+#Allow binder call from dpmd
+binder_call(hal_dpmQmiMgr,dpmd)
+
+#sysfs_data file permissions
+allow hal_dpmQmiMgr sysfs_data:file r_file_perms;
+
+#Allow reading proc/net entries
+r_dir_file(hal_dpmQmiMgr,proc_net)
+r_dir_file(hal_dpmQmiMgr,proc_net_tcp_udp)
+
+#Allow creating socket and IOCTLs
+allow hal_dpmQmiMgr self:{ socket qipcrtr_socket } create_socket_perms;
+
+#Rules below are needed to communicate with IPC_ROUTER for QMI
+allowxperm hal_dpmQmiMgr self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
+allow hal_dpmQmiMgr self:capability net_bind_service;
+allow hal_dpmQmiMgr self:udp_socket create_socket_perms;
+allowxperm hal_dpmQmiMgr self:udp_socket ioctl priv_sock_ioctls;
+
+userdebug_or_eng(`
+    diag_use(hal_dpmQmiMgr)
+')
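Review bot: The comment `#Rules below are needed to communicate with IPC_ROUTER for QMI` is followed by `allow hal_dpmQmiMgr self:capability net_bind_service;` and `allowxperm hal_dpmQmiMgr self:udp_socket ioctl priv_sock_ioctls;`, neither of which concerns the qipcrtr socket. `priv_sock_ioctls` is the privileged socket ioctl set and `net_bind_service` permits binding ports below 1024, so each deserves its own comment naming the ioctl or port the daemon actually uses. If only a few ioctls are needed, listing them explicitly in the `allowxperm` would be tighter than granting the whole macro set.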
diff --git a/legacy/vendor/common/hal_drm.te b/legacy/vendor/common/hal_drm.te
new file mode 100644
index 0000000..3145b7d
--- /dev/null
+++ b/legacy/vendor/common/hal_drm.te
@@ -0,0 +1,33 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+vndbinder_use(hal_drm_default);
+
+#Allow firmware file access
+allow hal_drm firmware_file:dir r_dir_perms;
+allow hal_drm firmware_file:file r_file_perms;
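Review bot: The two firmware rules are written against the `hal_drm` attribute, and both `hal_drm_clearkey` and `hal_drm_widevine` attach that attribute through `hal_server_domain(..., hal_drm)` later in this change, so every DRM server gains read access to `firmware_file`. If only one implementation loads firmware, scope the two `allow` lines to that server type. Otherwise extend the `#Allow firmware file access` comment to say which servers need it. The `vndbinder_use(hal_drm_default);` line above has no comment either.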
diff --git a/legacy/vendor/common/hal_drm_clearkey.te b/legacy/vendor/common/hal_drm_clearkey.te
new file mode 100644
index 0000000..695efc8
--- /dev/null
+++ b/legacy/vendor/common/hal_drm_clearkey.te
@@ -0,0 +1,38 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# policy for /vendor/bin/hw/android.hardware.drm@1.1-service.clearkey
+type hal_drm_clearkey, domain;
+type hal_drm_clearkey_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_drm_clearkey)
+
+hal_server_domain(hal_drm_clearkey, hal_drm)
+
+vndbinder_use(hal_drm_clearkey);
+
+allow hal_drm_clearkey { appdomain -isolated_app }:fd use;
diff --git a/legacy/vendor/common/hal_drm_widevine.te b/legacy/vendor/common/hal_drm_widevine.te
new file mode 100644
index 0000000..3d894f9
--- /dev/null
+++ b/legacy/vendor/common/hal_drm_widevine.te
@@ -0,0 +1,46 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# define SELinux domain
+type hal_drm_widevine, domain;
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_drm_widevine)
+
+allow hal_drm_widevine mediacodec:fd use;
+allow hal_drm_widevine { appdomain -isolated_app }:fd use;
+
+# The QTI DRM-HAL implementation uses a vendor-binder service provided
+# by the HWC HAL.
+vndbinder_use(hal_drm_widevine);
+allow hal_drm_widevine qdisplay_service:service_manager { find };
+#binder_call(hal_drm_widevine, hal_graphics_composer)
+hal_client_domain(hal_drm_widevine, hal_graphics_composer);
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
+allow hal_drm_widevine hal_allocator:fd use;
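Review bot: The commented-out `#binder_call(hal_drm_widevine, hal_graphics_composer)` is dead policy left next to its replacement and should be removed. The comment above says the DRM HAL uses a vendor-binder service provided by the HWC HAL, yet `hal_client_domain(hal_drm_widevine, hal_graphics_composer)` makes the domain a full composer HAL client. If the `qdisplay_service` lookup plus a binder call to the composer is all that is used, the narrower `binder_call` form would match the comment better. The three `fd use` rules have no comment naming whose buffers are being passed in.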
diff --git a/legacy/vendor/common/hal_esepowermanager_qti.te b/legacy/vendor/common/hal_esepowermanager_qti.te
new file mode 100644
index 0000000..05ca667
--- /dev/null
+++ b/legacy/vendor/common/hal_esepowermanager_qti.te
@@ -0,0 +1,57 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type hal_esepowermanager_qti, domain;
+hal_server_domain(hal_esepowermanager_qti, hal_esepowermanager)
+
+type hal_esepowermanager_qti_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(hal_esepowermanager_qti)
+
+hwbinder_use(hal_esepowermanager_qti)
+add_hwservice(hal_esepowermanager_qti, hal_esepowermanager_hwservice)
+
+hal_client_domain(hal_esepowermanager_qti, hal_allocator)
+
+#Allow access to nfc device
+allow hal_esepowermanager_qti {
+    nfc_device
+}:chr_file rw_file_perms;
+
+# allow esepmdaemon to load firmware images
+r_dir_file(hal_esepowermanager_qti, firmware_file)
+
+# Allow esepmdaemon to interract with ion_device
+allow hal_esepowermanager_qti ion_device:chr_file r_file_perms;
+
+# Allow esepmdaemon to interract with qseecom
+allow hal_esepowermanager_qti tee_device:chr_file rw_file_perms;
+
+#Allow hal_esepowermanager_client client domain apps to find hwservice
+binder_call(hal_esepowermanager_client, hal_esepowermanager_server)
+binder_call(hal_esepowermanager_server, hal_esepowermanager_client)
+
+allow hal_esepowermanager_client hal_esepowermanager_hwservice:hwservice_manager find;
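Review bot: The comment `#Allow hal_esepowermanager_client client domain apps to find hwservice` sits above the two `binder_call` rules, while the `find` rule it describes is the uncommented last line. Move it down and give the bidirectional `binder_call` pair its own comment, e.g. `# hwbinder calls between client and server, including callbacks`. The two `interract` comments should read `interact`. The rule under the qseecom comment grants `rw_file_perms` on `tee_device`, so the comment should name the node and say what is written to it.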
diff --git a/legacy/vendor/common/hal_factory_qti.te b/legacy/vendor/common/hal_factory_qti.te
new file mode 100644
index 0000000..db4872d
--- /dev/null
+++ b/legacy/vendor/common/hal_factory_qti.te
@@ -0,0 +1,33 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+binder_call(vendor_hal_factory_qti_client, vendor_hal_factory_qti_server)
+binder_call(vendor_hal_factory_qti_server, vendor_hal_factory_qti_client)
+
+add_hwservice(vendor_hal_factory_qti_server, vendor_hal_factory_qti_hwservice)
+
+allow vendor_hal_factory_qti_client vendor_hal_factory_qti_hwservice:hwservice_manager find;
diff --git a/legacy/vendor/common/hal_factory_qti_default.te b/legacy/vendor/common/hal_factory_qti_default.te
new file mode 100755
index 0000000..d0564dc
--- /dev/null
+++ b/legacy/vendor/common/hal_factory_qti_default.te
@@ -0,0 +1,41 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type vendor_hal_factory_qti_default, domain;
+hal_server_domain(vendor_hal_factory_qti_default, vendor_hal_factory_qti)
+
+type vendor_hal_factory_qti_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_hal_factory_qti_default)
+
+set_prop(vendor_hal_factory_qti, ctl_vendor_mmid_prop)
+
+# Allow read/write to mmi socket
+allow vendor_hal_factory_qti vendor_mmi_socket:sock_file rw_file_perms;
+allow vendor_hal_factory_qti vendor_mmi:unix_stream_socket connectto;
+allow vendor_hal_factory_qti_default mnt_vendor_file:dir search;
+allow vendor_hal_factory_qti_default vendor_persist_mmi_file:dir rw_dir_perms;
+allow vendor_hal_factory_qti_default vendor_persist_mmi_file:file create_file_perms;
\ No newline at end of file
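Review bot: hal_factory_qti_default.te is added with mode 100755, while the other new policy sources visible here are 100644; a `.te` source has no reason to be executable, so the mode should be 100644. The comment `# Allow read/write to mmi socket` covers only the first two rules under it. The `mnt_vendor_file` search and the `vendor_persist_mmi_file` dir/file rules that follow need a line saying they are for the persist MMI data.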
diff --git a/legacy/vendor/common/hal_gatekeeper_qti.te b/legacy/vendor/common/hal_gatekeeper_qti.te
new file mode 100644
index 0000000..aba16d6
--- /dev/null
+++ b/legacy/vendor/common/hal_gatekeeper_qti.te
@@ -0,0 +1,48 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+# call into gatekeeperd process (callbacks)
+
+type hal_gatekeeper_qti, domain;
+hal_server_domain(hal_gatekeeper_qti, hal_gatekeeper)
+
+type hal_gatekeeper_qti_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(hal_gatekeeper_qti)
+
+# allow tee to load firmware images
+r_dir_file(hal_gatekeeper, firmware_file)
+get_prop(hal_gatekeeper, vendor_tee_listener_prop)
+
+# allow access to /dev/spcom
+allow hal_gatekeeper_qti spcom_device:chr_file rw_file_perms;
+
+# allow access to skp
+allow hal_gatekeeper_qti skp_device:chr_file rw_file_perms;
+
+allow hal_gatekeeper_qti sp_keymaster_device:chr_file rw_file_perms;
+allow hal_gatekeeper_qti sp_ssr_device:chr_file rw_file_perms;
+
+get_prop(hal_gatekeeper_qti, spcomlib_prop)
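Review bot: `# call into gatekeeperd process (callbacks)` is appended directly to the licence block and is followed by no rule, so either a callback rule was lost when the file was moved or the comment is stale. Remove it or restore the rule it described. `sp_keymaster_device` and `sp_ssr_device` get `rw_file_perms` without a comment, unlike the `spcom_device` and `skp_device` rules just above; a line naming what each node is used for would help.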
diff --git a/legacy/vendor/common/hal_gnss_qti.te b/legacy/vendor/common/hal_gnss_qti.te
new file mode 100644
index 0000000..450bd7d
--- /dev/null
+++ b/legacy/vendor/common/hal_gnss_qti.te
@@ -0,0 +1,64 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# hal_gnss_qti - binerized gnss hal
+type hal_gnss_qti, domain;
+type hal_gnss_qti_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_gnss_qti)
+
+hal_server_domain(hal_gnss_qti, hal_gnss)
+
+allow hal_gnss_qti location_data_file:dir r_dir_perms;
+allow hal_gnss location_data_file:file create_file_perms;
+allow hal_gnss location_socket:sock_file create_file_perms;
+allow hal_gnss location_socket:dir rw_dir_perms;
+allow hal_gnss location:unix_stream_socket connectto;
+allow hal_gnss location:unix_dgram_socket sendto;
+
+unix_socket_connect(hal_gnss, location, location)
+
+netmgr_socket(hal_gnss)
+allow hal_gnss self:{
+    socket
+    netlink_socket
+    netlink_generic_socket
+    qipcrtr_socket
+} create_socket_perms_no_ioctl;
+allow hal_gnss self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+
+allow hal_gnss self:{ socket qipcrtr_socket } rw_socket_perms;
+allow hal_gnss sysfs_data:file r_file_perms;
+allow hal_gnss sysfs:dir r_dir_perms;
+
+allow hal_gnss self:socket { create ioctl };
+
+allowxperm hal_gnss self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
+
+userdebug_or_eng(`
+  diag_use(hal_gnss);
+')
+use_vendor_per_mgr(hal_gnss)
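Review bot: Every rule after the `location_data_file:dir` one is written against the `hal_gnss` attribute rather than the `hal_gnss_qti` type this file declares, so the location socket, netlink/qipcrtr socket and sysfs grants go to every domain that carries the attribute, not only this daemon. Unless that is intended, scope them to the type, e.g. `allow hal_gnss_qti location_data_file:file create_file_perms;`, as the first `allow` already does. The same attribute-level pattern shows up in the hal_graphics_composer.te, hal_health.te, hal_iop_default.te, hal_light.te, hal_mirrorlink.te and hal_nfc.te hunks of this commit. Separately, `allow hal_gnss self:socket { create ioctl };` appears to repeat permissions the two preceding `self:` socket rules already grant, and `allow hal_gnss location:unix_stream_socket connectto;` looks covered by the `unix_socket_connect(hal_gnss, location, location)` call below it.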
diff --git a/legacy/vendor/common/hal_graphics_composer.te b/legacy/vendor/common/hal_graphics_composer.te
new file mode 100644
index 0000000..d70b726
--- /dev/null
+++ b/legacy/vendor/common/hal_graphics_composer.te
@@ -0,0 +1,102 @@
+# Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+userdebug_or_eng(`
+    diag_use(hal_graphics_composer)
+    # Allow read to /sys/kernel/debug/*
+    allow hal_graphics_composer qti_debugfs:dir r_dir_perms;
+    allow hal_graphics_composer qti_debugfs:file r_file_perms;
+')
+hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator);
+get_prop(hal_graphics_composer, vendor_display_prop)
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow hal_graphics_composer sysfs_graphics:dir r_dir_perms;
+allow hal_graphics_composer sysfs_graphics:file rw_file_perms;
+
+# Rules for brightness change during display calibration
+allow hal_graphics_composer_default sysfs_leds:dir r_dir_perms;
+allow hal_graphics_composer_default sysfs_leds:file rw_file_perms;
+allow hal_graphics_composer_default sysfs_leds:lnk_file read;
+
+# Rules for vndbinder
+allow hal_graphics_composer_default qdisplay_service:service_manager { add find };
+#binder_service(hal_graphics_composer_default);
+vndbinder_use(hal_graphics_composer_default);
+
+# Allow video node access
+allow hal_graphics_composer video_device:chr_file rw_file_perms;
+allow hal_graphics_composer video_device:dir r_dir_perms;
+
+# Allow reading/writing to '/data/vendor/display/*'
+allow hal_graphics_composer_default display_vendor_data_file:dir create_dir_perms;
+allow hal_graphics_composer_default display_vendor_data_file:file create_file_perms;
+
+# Allow reading/writing to '/mnt/vendor/persist/display/*'
+allow hal_graphics_composer_default persist_display_file:dir rw_dir_perms;
+allow hal_graphics_composer_default persist_display_file:file create_file_perms;
+
+# Allow only directory search to '/mnt/vendor/persist/'
+allow hal_graphics_composer_default mnt_vendor_file:dir search;
+
+# Allow dir search in '/oem'
+allow hal_graphics_composer oemfs:dir r_dir_perms;
+
+# Allow pps socket access
+unix_socket_connect(hal_graphics_composer_default, pps, mm-pp-daemon)
+
+# Allow sensor service access
+allow hal_graphics_composer fwk_sensor_hwservice:hwservice_manager find;
+binder_call(hal_graphics_composer, system_server)
+
+# Allow read to sensor device and read/write to sensor socket
+allow hal_graphics_composer sensors_device:chr_file r_file_perms;
+allow hal_graphics_composer_default sensors_socket:sock_file rw_file_perms;
+allow hal_graphics_composer_default sensors:unix_stream_socket connectto;
+
+# Allow qdcmss socket access
+unix_socket_connect(hal_graphics_composer_default, qdcmsocket, qdcm-ss)
+
+# TBD: remove when dependency on libpowermanager is removed
+#allow hal_graphics_composer power_service:service_manager find;
+
+# allow composer client to find display config service.
+allow hal_graphics_composer_client hal_display_config_hwservice:hwservice_manager find;
+
+# Rule for pps socket usage
+unix_socket_connect(hal_graphics_composer_default, pps, mm-pp-daemon)
+
+# allow composer to register display config
+add_hwservice(hal_graphics_composer_server, hal_display_config_hwservice);
+
+# Allow composer access to perf
+hal_client_domain(hal_graphics_composer_default, hal_perf)
+
+# Access /dev/graphics/fb0.
+allow hal_graphics_composer graphics_device:chr_file rw_file_perms;
+allow hal_graphics_composer graphics_device:dir r_dir_perms;
+
+allow hal_graphics_composer_default sysfs_jpeg:file r_file_perms;
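Review bot: `unix_socket_connect(hal_graphics_composer_default, pps, mm-pp-daemon)` is declared twice, once under "Allow pps socket access" and again under "Rule for pps socket usage". The second copy adds nothing and should be dropped so the pps grant has a single place to audit. The commented-out `binder_service(...)` and `power_service` lines could also be removed rather than carried into the new location. The final `sysfs_jpeg` rule has no comment, unlike the rest of the file; a line such as `# Allow reading the jpeg sysfs nodes` would keep it consistent.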
diff --git a/legacy/vendor/common/hal_health.te b/legacy/vendor/common/hal_health.te
new file mode 100644
index 0000000..7535014
--- /dev/null
+++ b/legacy/vendor/common/hal_health.te
@@ -0,0 +1,36 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+r_dir_file(hal_health, sysfs_battery_supply);
+r_dir_file(hal_health, sysfs_usb_supply);
+
+allow hal_health hal_health_default:dir search;
+
+allow hal_health {
+    sysfs_battery_supply
+    sysfs_usb_supply
+}:file rw_file_perms;
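Review bot: The closing `allow hal_health { sysfs_battery_supply sysfs_usb_supply }:file rw_file_perms;` gives write access to the power-supply sysfs nodes with no comment, and it makes the file half of the two `r_dir_file` calls above it redundant. If the health HAL only reads these nodes the rule can be dropped, since `r_dir_file` already covers reads. If it does write, add a comment saying which nodes are written and why. `allow hal_health hal_health_default:dir search;` also needs a comment, because its target is a domain type rather than a file type.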
diff --git a/legacy/vendor/common/hal_imsrtp.te b/legacy/vendor/common/hal_imsrtp.te
new file mode 100644
index 0000000..51e6f23
--- /dev/null
+++ b/legacy/vendor/common/hal_imsrtp.te
@@ -0,0 +1,63 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#ims rtp service
+type hal_imsrtp, domain;
+type hal_imsrtp_exec, exec_type, vendor_file_type, file_type;
+
+# Started by init
+init_daemon_domain(hal_imsrtp)
+net_domain(hal_imsrtp)
+
+hwbinder_use(hal_imsrtp)
+get_prop(hal_imsrtp, hwservicemanager_prop)
+add_hwservice(hal_imsrtp, hal_imsrtp_hwservice)
+
+#diag
+userdebug_or_eng(`
+  diag_use(hal_imsrtp)
+')
+
+allow hal_imsrtp self:{ socket qipcrtr_socket } create_socket_perms;
+
+unix_socket_connect(hal_imsrtp, ims, ims)
+
+# ioctlcmd=c302
+allowxperm hal_imsrtp self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
+
+allow hal_imsrtp self:capability net_bind_service;
+
+# IMS needs permission to use avtimer
+allow hal_imsrtp avtimer_device:chr_file r_file_perms;
+
+allow hal_imsrtp ion_device:chr_file r_file_perms;
+
+allow hal_imsrtp sysfs_data:file r_file_perms;
+
+get_prop(hal_imsrtp, qcom_ims_prop)
+
+binder_call(hal_imsrtp, radio)
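Review bot: `allow hal_imsrtp self:capability net_bind_service;` has no comment, although it is the one capability grant in the file and sits next to `net_domain(hal_imsrtp)`. A reviewer cannot tell from here whether the service really binds a privileged port, so add a comment naming the port or protocol that needs it, or drop the rule if there is none. The `ion_device` and `sysfs_data` read rules are likewise undocumented, unlike the `avtimer_device` rule above them.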
diff --git a/legacy/vendor/common/hal_iop_default.te b/legacy/vendor/common/hal_iop_default.te
new file mode 100644
index 0000000..939d569
--- /dev/null
+++ b/legacy/vendor/common/hal_iop_default.te
@@ -0,0 +1,50 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type hal_iop_default, domain, mlstrustedsubject;
+hal_server_domain(hal_iop_default, hal_iop)
+
+type hal_iop_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_iop_default)
+
+# Allow hwbinder call from hal client to server
+binder_call(hal_iop_client, hal_iop_server)
+
+# Add hwservice related rules
+add_hwservice(hal_iop_server, hal_iop_hwservice)
+allow hal_iop_client hal_iop_hwservice:hwservice_manager find;
+
+#Allow access for vendor property
+get_prop(hal_iop, vendor_iop_prop)
+get_prop(hal_iop, vendor_mpctl_prop)
+
+# Allow access for /proc
+allow hal_iop_default proc:file rw_file_perms;
+
+#Allow Access for /data/vendor/iop
+allow hal_iop iop_data_file:dir rw_dir_perms;
+allow hal_iop iop_data_file:file create_file_perms;
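Review bot: `allow hal_iop_default proc:file rw_file_perms;` grants write access to the generic `proc` label, which covers every /proc entry that has no more specific type, and the comment "Allow access for /proc" does not say which file is needed. It would be safer to label the specific node with a dedicated type in genfs_contexts and allow only that, or at least reduce this to `r_file_perms` if no write is required. The `mlstrustedsubject` attribute on the type declaration exempts the domain from MLS constraints and is also unexplained; a comment stating why this HAL needs it should be added.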
diff --git a/legacy/vendor/common/hal_keymaster.te b/legacy/vendor/common/hal_keymaster.te
new file mode 100644
index 0000000..ad11c51
--- /dev/null
+++ b/legacy/vendor/common/hal_keymaster.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Allow keymaster HAL to read listener property
+get_prop(hal_keymaster_default, vendor_tee_listener_prop)
diff --git a/legacy/vendor/common/hal_keymaster_qti.te b/legacy/vendor/common/hal_keymaster_qti.te
new file mode 100644
index 0000000..dfab66f
--- /dev/null
+++ b/legacy/vendor/common/hal_keymaster_qti.te
@@ -0,0 +1,47 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type hal_keymaster_qti, domain;
+hal_server_domain(hal_keymaster_qti, hal_keymaster)
+
+type hal_keymaster_qti_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(hal_keymaster_qti)
+
+# allow tee to load firmware images
+r_dir_file(hal_keymaster_qti, firmware_file)
+get_prop(hal_keymaster_qti, vendor_tee_listener_prop)
+
+# allow access to /dev/spcom
+allow hal_keymaster_qti spcom_device:chr_file rw_file_perms;
+
+# allow access to skp
+allow hal_keymaster_qti skp_device:chr_file rw_file_perms;
+
+allow hal_keymaster_qti sp_keymaster_device:chr_file rw_file_perms;
+allow hal_keymaster_qti sp_ssr_device:chr_file rw_file_perms;
+
+get_prop(hal_keymaster_qti, spcomlib_prop)
diff --git a/legacy/vendor/common/hal_light.te b/legacy/vendor/common/hal_light.te
new file mode 100644
index 0000000..943d33f
--- /dev/null
+++ b/legacy/vendor/common/hal_light.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+r_dir_file(hal_light, sysfs_graphics)
+allow hal_light sysfs_graphics:file rw_file_perms;
diff --git a/legacy/vendor/common/hal_light_default.te b/legacy/vendor/common/hal_light_default.te
new file mode 100644
index 0000000..727e721
--- /dev/null
+++ b/legacy/vendor/common/hal_light_default.te
@@ -0,0 +1,28 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+allow hal_light_default sysfs_graphics:file rw_file_perms;
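Review bot: This file's only rule, `allow hal_light_default sysfs_graphics:file rw_file_perms;`, is the same grant hal_light.te in this commit already gives to the `hal_light` attribute. If `hal_light_default` carries that attribute (presumably through the platform policy's `hal_server_domain`, which is not visible here), this file is redundant. Keeping only one of the two, preferably the type-scoped rule, would leave a single place to audit write access to the `sysfs_graphics` nodes.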
diff --git a/legacy/vendor/common/hal_memtrack.te b/legacy/vendor/common/hal_memtrack.te
new file mode 100644
index 0000000..aecdcd0
--- /dev/null
+++ b/legacy/vendor/common/hal_memtrack.te
@@ -0,0 +1,35 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# # Redistribution and use in source and binary forms, with or without
+# # modification, are permitted provided that the following conditions are
+# # met:
+# #    * Redistributions of source code must retain the above copyright
+# #      notice, this list of conditions and the following disclaimer.
+# #    * Redistributions in binary form must reproduce the above
+# #      copyright notice, this list of conditions and the following
+# #      disclaimer in the documentation and/or other materials provided
+# #      with the distribution.
+# #    * Neither the name of The Linux Foundation nor the names of its
+# #      contributors may be used to endorse or promote products derived
+# #      from this software without specific prior written permission.
+# #
+# # THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# # WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# # ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#debugfs access to audio
+userdebug_or_eng(`
+allow hal_memtrack_default qti_debugfs:dir r_dir_perms;
+allow hal_memtrack_default qti_debugfs:file rw_file_perms;
+')
+
+#Acess to kgsl memory /sys/class/kgsl/kgsl/proc/<pid>/mtrack
+r_dir_file(hal_memtrack_default, sysfs_kgsl_proc);
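Review bot: The debugfs block grants `rw_file_perms` on `qti_debugfs` files, but its comment says "debugfs access to audio", which does not match a memtrack domain and gives no reason for write access. If memtrack only reads these nodes, the rule should be `allow hal_memtrack_default qti_debugfs:file r_file_perms;`, and the comment should name what is actually read. "Acess" in the kgsl comment is a typo for "Access".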
diff --git a/legacy/vendor/common/hal_mirrorlink.te b/legacy/vendor/common/hal_mirrorlink.te
new file mode 100644
index 0000000..a1085e8
--- /dev/null
+++ b/legacy/vendor/common/hal_mirrorlink.te
@@ -0,0 +1,56 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Define Domain
+type hal_mirrorlink_qti, domain;
+type hal_mirrorlink_qti_exec, exec_type, vendor_file_type, file_type;
+hal_server_domain(hal_mirrorlink_qti,hal_mirrorlink)
+
+#Allow for transition from init domain to hal_mirrorlink
+init_daemon_domain(hal_mirrorlink_qti)
+
+#Allow hal_mirrorlink to use Vendor Binder IPC
+vndbinder_use(hal_mirrorlink)
+
+#Allow hwbinder call from hal client to server
+binder_call(hal_mirrorlink_client, hal_mirrorlink_server)
+binder_call(hal_mirrorlink_server, hal_mirrorlink_client)
+
+#Add hwservice related rules
+add_hwservice(hal_mirrorlink_server, hal_mirrorlink_hwservice)
+
+#Allow access to tee device
+allow hal_mirrorlink_qti tee_device:chr_file rw_file_perms;
+
+#Allow access to ion device
+allow hal_mirrorlink_qti ion_device:chr_file rw_file_perms;
+
+#Allow access to firmware
+allow hal_mirrorlink_qti firmware_file:dir r_dir_perms;
+allow hal_mirrorlink_qti firmware_file:file r_file_perms;
+
+allow hal_mirrorlink_client hal_mirrorlink_hwservice:hwservice_manager find;
diff --git a/legacy/vendor/common/hal_neuralnetworks.te b/legacy/vendor/common/hal_neuralnetworks.te
new file mode 100644
index 0000000..1427cec
--- /dev/null
+++ b/legacy/vendor/common/hal_neuralnetworks.te
@@ -0,0 +1,45 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type hal_neuralnetworks_default, domain;
+hal_server_domain(hal_neuralnetworks_default, hal_neuralnetworks)
+
+type hal_neuralnetworks_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_neuralnetworks_default)
+
+allow hal_neuralnetworks_default fwk_sensor_hwservice:hwservice_manager find;
+allow hal_neuralnetworks_default qdsp_device:chr_file r_file_perms;
+allow hal_neuralnetworks_default ion_device:chr_file r_file_perms;
+
+allow hal_neuralnetworks_default app_data_file:file { read getattr };
+allow hal_neuralnetworks_default shell_data_file:file { read getattr };
+allow hal_neuralnetworks_default hal_neuralnetworks_data_file:dir create_dir_perms;
+allow hal_neuralnetworks_default hal_neuralnetworks_data_file:{ file fifo_file } create_file_perms;
+allow hal_neuralnetworks_default gpu_device:chr_file rw_file_perms;
+
+r_dir_file(hal_neuralnetworks_default, adsprpcd_file)
+get_prop(hal_neuralnetworks_default, adsprpc_prop)
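Review bot: The `app_data_file` and `shell_data_file` rules grant `{ read getattr }` without `open` and carry no comment, so the intent (presumably reading model files through descriptors passed in by clients) has to be guessed. Add a comment stating that, for example `# read client-provided fds only; no open`. The `shell_data_file` grant looks like a test-only path; if so, it belongs inside a `userdebug_or_eng` block, as the debug rules in the other files of this commit are, so that user builds do not carry it.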
diff --git a/legacy/vendor/common/hal_nfc.te b/legacy/vendor/common/hal_nfc.te
new file mode 100644
index 0000000..e4dcada
--- /dev/null
+++ b/legacy/vendor/common/hal_nfc.te
@@ -0,0 +1,34 @@
+#Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+#Redistribution and use in source and binary forms, with or without
+#modification, are permitted provided that the following conditions are
+#met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+#ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Set NFC properties
+set_prop(hal_nfc, nfc_nq_prop)
+
+#Allow access to firmware
+allow hal_nfc firmware_file:dir r_dir_perms;
+allow hal_nfc firmware_file:file r_file_perms;
+allow hal_nfc nfc_vendor_data_file:file rw_file_perms;
diff --git a/legacy/vendor/common/hal_pasrmanager.te b/legacy/vendor/common/hal_pasrmanager.te
new file mode 100644
index 0000000..c0ad515
--- /dev/null
+++ b/legacy/vendor/common/hal_pasrmanager.te
@@ -0,0 +1,41 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Define Domain
+type hal_pasrmanager_qti, domain;
+type hal_pasrmanager_qti_exec, exec_type, vendor_file_type, file_type;
+hal_server_domain(hal_pasrmanager_qti, hal_pasrmanager)
+init_daemon_domain(hal_pasrmanager_qti)
+
+binder_call(hal_pasrmanager_client, hal_pasrmanager_server)
+
+add_hwservice(hal_pasrmanager_server, hal_pasrmanager_hwservice)
+allow hal_pasrmanager_client hal_pasrmanager_hwservice:hwservice_manager find;
+
+allow hal_pasrmanager_qti sysfs:dir r_dir_perms;
+allow hal_pasrmanager_qti sysfs_memory_offline:file rw_file_perms;
+allow hal_pasrmanager_qti sysfs_memory_offline:dir r_dir_perms;
diff --git a/legacy/vendor/common/hal_perf_default.te b/legacy/vendor/common/hal_perf_default.te
new file mode 100644
index 0000000..6b879b2
--- /dev/null
+++ b/legacy/vendor/common/hal_perf_default.te
@@ -0,0 +1,91 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type hal_perf_default, domain, mlstrustedsubject;
+hal_server_domain_bypass(hal_perf_default, hal_perf)
+
+type hal_perf_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_perf_default)
+
+# Allow hwbinder call from hal client to server
+binder_call(hal_perf_client, hal_perf_server)
+
+# Add hwservice related rules
+add_hwservice(hal_perf_server, hal_perf_hwservice)
+allow hal_perf_client hal_perf_hwservice:hwservice_manager find;
+
+allow hal_perf_default cgroup:file r_file_perms;
+allow hal_perf_default proc:file rw_file_perms;
+allow hal_perf device_latency:chr_file rw_file_perms;
+get_prop(hal_perf, freq_prop)
+get_prop(hal_perf, vendor_mpctl_prop)
+allow hal_perf_default mpctl_data_file:dir rw_dir_perms;
+allow hal_perf_default mpctl_data_file:file create_file_perms;
+allow hal_perf_default lm_data_file:dir rw_dir_perms;
+allow hal_perf_default lm_data_file:file create_file_perms;
+allow hal_perf_default sysfs_lib:file w_file_perms;
+r_dir_file(hal_perf_default, appdomain);
+
+allow hal_perf {
+    sysfs_devices_system_cpu
+    sysfs_mpdecision
+    sysfs_devfreq
+    sysfs_mmc_host
+    sysfs_scsi_host
+    sysfs_kgsl
+    sysfs_cpu_boost
+    sysfs_msm_perf
+    sysfs_memory
+    sysfs_graphics
+    sysfs
+    sysfs_msm_power
+    sysfs_battery_supply
+    sysfs_process_reclaim
+}:dir r_dir_perms;
+
+allow hal_perf {
+    sysfs_devices_system_cpu
+    sysfs_mpdecision
+    sysfs_kgsl
+    sysfs_cpu_boost
+    sysfs_msm_perf
+    sysfs_memory
+    sysfs_graphics
+    sysfs_scsi_host
+    sysfs_devfreq
+    sysfs_mmc_host
+    sysfs_msm_power
+    sysfs_battery_supply
+    sysfs_process_reclaim
+}:file rw_file_perms;
+
+allow hal_perf {
+    sysfs_devfreq
+    sysfs_mmc_host
+    sysfs_scsi_host
+    sysfs_kgsl
+}:lnk_file r_file_perms;
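Review bot: `allow hal_perf_default proc:file rw_file_perms;` grants write on the generic `proc` label, which covers every /proc entry that has no more specific type, so the daemon can write far more kernel state than a perf tuner is likely to need. The same domain is declared `mlstrustedsubject` and gets `r_dir_file(hal_perf_default, appdomain)`, which already makes it one of the more privileged domains in this change. I would label the specific /proc nodes the daemon writes in genfs_contexts and grant against that type, e.g. `allow hal_perf_default <perf_proc_type>:file rw_file_perms;` (placeholder type name). A comment above the `type` line saying which access needs `mlstrustedsubject` would also help the next reviewer.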
diff --git a/legacy/vendor/common/hal_power.te b/legacy/vendor/common/hal_power.te
new file mode 100644
index 0000000..22a418c
--- /dev/null
+++ b/legacy/vendor/common/hal_power.te
@@ -0,0 +1,31 @@
+# Copyright (c) 2017 The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+hal_client_domain(hal_power_default, hal_perf)
+allow hal_power {
+    hbtp_kernel_sysfs
+}:file rw_file_perms;
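Review bot: The `hbtp_kernel_sysfs` write rule is granted to the `hal_power` attribute rather than to the `hal_power_default` type used on the line above, so it applies to every domain carrying that attribute, not only this daemon. On builds that are not full Treble, AOSP's `hal_client_domain` also attaches the base HAL attribute to clients, which would extend the access to every power HAL client; whether this legacy target builds that way is not visible here. If only the daemon needs it, write `allow hal_power_default hbtp_kernel_sysfs:file rw_file_perms;` (the one-element brace set is not needed either). The same attribute-versus-type mix appears in hal_perf_default.te (`allow hal_perf { … }:file rw_file_perms;`), hal_qteeconnector_qti.te (`allow hal_qteeconnector data_qtee_file:…` and `tee:unix_dgram_socket sendto`), hal_sensors.te and hal_sensorscalibrate_qti_default.te.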
diff --git a/legacy/vendor/common/hal_qdutils_disp_qti.te b/legacy/vendor/common/hal_qdutils_disp_qti.te
new file mode 100644
index 0000000..7b417d4
--- /dev/null
+++ b/legacy/vendor/common/hal_qdutils_disp_qti.te
@@ -0,0 +1,42 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type hal_qdutils_disp_qti, domain;
+hal_server_domain(hal_qdutils_disp_qti, hal_qdutils_disp)
+
+type hal_qdutils_disp_qti_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(hal_qdutils_disp_qti)
+
+binder_call(hal_qdutils_disp_client, hal_qdutils_disp_server)
+binder_call(hal_qdutils_disp_server, hal_qdutils_disp_client)
+
+add_hwservice(hal_qdutils_disp_server, hal_qdutils_disp_hwservice)
+allow hal_qdutils_disp_client hal_qdutils_disp_hwservice:hwservice_manager find;
+vndbinder_use(hal_qdutils_disp_qti);
+allow hal_qdutils_disp_qti qdisplay_service:service_manager find;
+#hal_client_domain(hal_qdutils_disp_qti, hal_display_config);
+hal_client_domain(hal_qdutils_disp_qti, hal_graphics_composer);
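Review bot: The commented-out `#hal_client_domain(hal_qdutils_disp_qti, hal_display_config);` is carried into the new file with no explanation, so a reader cannot tell whether the display-config client access was dropped on purpose or is still pending. Either delete the line or replace it with a comment saying why it is disabled. `vndbinder_use(...)` and the final `hal_client_domain(...)` also end in `;` while the earlier macro calls in the file do not; using one form throughout keeps the file consistent.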
diff --git a/legacy/vendor/common/hal_qteeconnector_qti.te b/legacy/vendor/common/hal_qteeconnector_qti.te
new file mode 100644
index 0000000..4bfc8f6
--- /dev/null
+++ b/legacy/vendor/common/hal_qteeconnector_qti.te
@@ -0,0 +1,67 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#define the type
+type hal_qteeconnector_qti, domain;
+
+#mark the type as hal_server_domain
+hal_server_domain(hal_qteeconnector_qti, hal_qteeconnector)
+
+#allow the service to be started by init
+type hal_qteeconnector_qti_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(hal_qteeconnector_qti)
+
+#allow the service to be added to hwservice list
+add_hwservice(hal_qteeconnector_qti, hal_qteeconnector_hwservice)
+
+#allow access to hal_allocator
+hal_client_domain(hal_qteeconnector_qti, hal_allocator)
+
+#allow access to ion device
+allow hal_qteeconnector ion_device:chr_file rw_file_perms;
+
+#allow access to and use of graphics allocator
+hal_client_domain(hal_qteeconnector_qti, hal_graphics_allocator)
+
+#Allow access to tee device
+allow hal_qteeconnector_qti tee_device:chr_file rw_file_perms;
+
+#Allow access to firmware
+allow hal_qteeconnector firmware_file:dir r_dir_perms;
+allow hal_qteeconnector firmware_file:file r_file_perms;
+
+#Allow access to session files
+allow hal_qteeconnector data_qtee_file:dir create_dir_perms;
+allow hal_qteeconnector data_qtee_file:file create_file_perms;
+
+#Allow access to qp_reqcancel socket
+allow hal_qteeconnector tee:unix_dgram_socket sendto;
+
+#Allow hal_qteeconnector client domain apps to find hwservice
+binder_call(hal_qteeconnector_client, hal_qteeconnector_server)
+binder_call(hal_qteeconnector_server, hal_qteeconnector_client)
+allow hal_qteeconnector_client hal_qteeconnector_hwservice:hwservice_manager find;
diff --git a/legacy/vendor/common/hal_rcsservice.te b/legacy/vendor/common/hal_rcsservice.te
new file mode 100644
index 0000000..be7a3f3
--- /dev/null
+++ b/legacy/vendor/common/hal_rcsservice.te
@@ -0,0 +1,68 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type hal_rcsservice, domain;
+type hal_rcsservice_exec, exec_type, vendor_file_type, file_type;
+
+# Started by init
+init_daemon_domain(hal_rcsservice)
+net_domain(hal_rcsservice)
+
+# use hwBinder for imsrcsd
+hwbinder_use(hal_rcsservice)
+# add IUceSerive and IService to Hidl interface
+add_hwservice(hal_rcsservice, hal_imsrcsd_hwservice)
+get_prop(hal_rcsservice, hwservicemanager_prop)
+add_hwservice(hal_rcsservice, hal_imscallinfo_hwservice)
+
+# allow read datad property
+get_prop(hal_rcsservice, qcom_ims_prop)
+
+# allow imsrcsd to connect to imsdatad over socket
+allow hal_rcsservice self: { socket qipcrtr_socket } create_socket_perms;
+allowxperm hal_rcsservice self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
+
+unix_socket_connect(hal_rcsservice, ims, ims)
+
+# allow imsrcsd capabilities
+wakelock_use(hal_rcsservice)
+allow hal_rcsservice self:capability net_bind_service;
+
+#diag
+userdebug_or_eng(`
+  diag_use(hal_rcsservice)
+')
+
+allow hal_rcsservice self:capability2 wake_alarm;
+allow hal_rcsservice sysfs_data:file r_file_perms;
+binder_call(hal_rcsservice, dataservice_app)
+userdebug_or_eng(`
+  binder_call(hal_rcsservice, radio)
+')
+
+set_prop(hal_rcsservice, ctl_vendor_imsrcsservice_prop)
+set_prop(hal_rcsservice, qcom_ims_prop)
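Review bot: `allow hal_rcsservice self: { socket qipcrtr_socket } create_socket_perms;` grants the generic `socket` class alongside `qipcrtr_socket`. `socket` is the fallback class for address families that have no dedicated class, so the rule lets the domain create sockets of any such family, not only QIPCRTR. If every kernel this target supports maps AF_QIPCRTR to `qipcrtr_socket`, the `socket` entry can be dropped from both the `allow` and the `allowxperm` line; otherwise a comment such as `# generic socket class kept for kernels without qipcrtr_socket` would record why it stays. The same pair of rules appears in hal_sensors.te and hal_sensorscalibrate_qti_default.te.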
diff --git a/legacy/vendor/common/hal_scve.te b/legacy/vendor/common/hal_scve.te
new file mode 100644
index 0000000..526cd4d
--- /dev/null
+++ b/legacy/vendor/common/hal_scve.te
@@ -0,0 +1,62 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type vendor_scve, domain;
+type vendor_scve_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(vendor_scve)
+
+hal_server_domain(vendor_scve, hal_scve)
+
+add_hwservice(hal_scve_server, hal_scve_hwservice)
+
+allow hal_scve_client hal_scve_hwservice:hwservice_manager find;
+
+binder_call(hal_scve_client, hal_scve_server)
+binder_call(hal_scve_server, hal_scve_client)
+
+r_dir_file(vendor_scve, adsprpcd_file)
+
+#  Access for ion memory
+allow vendor_scve ion_device:chr_file rw_file_perms;
+
+#  Access for DSP/QDSP device
+allow vendor_scve qdsp_device:chr_file rw_file_perms;
+allow vendor_scve dsp_device:chr_file rw_file_perms;
+
+#  Access for GPU
+allow vendor_scve gpu_device:chr_file rw_file_perms;
+
+#  Access for sdcard
+userdebug_or_eng(`
+allow vendor_scve sdcard_type:dir rw_dir_perms;
+allow vendor_scve sdcard_type:file create_file_perms;
+')
+
+#  Access for /data/vendor/scve
+allow vendor_scve vendor_scve_data_file:dir create_dir_perms;
+allow vendor_scve vendor_scve_data_file:file create_file_perms;
diff --git a/legacy/vendor/common/hal_secure_element_default.te b/legacy/vendor/common/hal_secure_element_default.te
new file mode 100644
index 0000000..36f6e97
--- /dev/null
+++ b/legacy/vendor/common/hal_secure_element_default.te
@@ -0,0 +1,32 @@
+#Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+#Redistribution and use in source and binary forms, with or without
+#modification, are permitted provided that the following conditions are
+#met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+#ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Allow access to the esepowermanager
+hal_client_domain(hal_secure_element_default, hal_esepowermanager)
+
+#Allow access to the qteeconnector
+hal_client_domain(hal_secure_element_default, hal_qteeconnector)
\ No newline at end of file
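Review bot: The file ends without a trailing newline, as the `\ No newline at end of file` marker after the last `hal_client_domain` line shows. Policy sources are concatenated before compilation, and depending on how the build joins them the last rule can end up on the same line as the first line of the next file. Ending the file with a newline removes that dependency on the build's behaviour.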
diff --git a/legacy/vendor/common/hal_sensors.te b/legacy/vendor/common/hal_sensors.te
new file mode 100644
index 0000000..f6f79a8
--- /dev/null
+++ b/legacy/vendor/common/hal_sensors.te
@@ -0,0 +1,58 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+userdebug_or_eng(`
+    diag_use(hal_sensors)
+    allow hal_sensors debugfs_tracing:file { open write };
+')
+set_prop(hal_sensors, slpi_prop);
+allow hal_sensors self:{ socket qipcrtr_socket } create_socket_perms;
+allowxperm hal_sensors self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
+
+allow hal_sensors sysfs_data:file r_file_perms;
+
+# Allow access to ion memory allocation device
+allow hal_sensors ion_device:chr_file rw_file_perms;
+allow hal_sensors hal_graphics_allocator:fd use;
+
+# Allow access to FastRPC
+allow hal_sensors qdsp_device:chr_file r_file_perms;
+allow hal_sensors xdsp_device:chr_file r_file_perms;
+
+allow hal_sensors sysfs_sensors:dir r_dir_perms;
+allow hal_sensors sysfs_sensors:file rw_file_perms;
+allow hal_sensors sysfs_sensors:lnk_file read;
+allow hal_sensors input_device:dir r_dir_perms;
+allow hal_sensors input_device:chr_file r_file_perms;
+#following to set the ssr
+allow hal_sensors_default sysfs_slpi:dir search;
+allow hal_sensors_default sysfs_slpi:file w_file_perms;
+
+allow hal_sensors_default sensors_persist_file:file create_file_perms;
+allow hal_sensors_default sensors_persist_file:dir create_dir_perms;
+allow hal_sensors_default mnt_vendor_file:dir r_dir_perms;
diff --git a/legacy/vendor/common/hal_sensorscalibrate_qti.te b/legacy/vendor/common/hal_sensorscalibrate_qti.te
new file mode 100644
index 0000000..72c7bcb
--- /dev/null
+++ b/legacy/vendor/common/hal_sensorscalibrate_qti.te
@@ -0,0 +1,33 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+binder_call(hal_sensorscalibrate_qti_client, hal_sensorscalibrate_qti_server)
+binder_call(hal_sensorscalibrate_qti_server, hal_sensorscalibrate_qti_client)
+
+add_hwservice(hal_sensorscalibrate_qti_server, hal_sensorscalibrate_qti_hwservice)
+
+allow hal_sensorscalibrate_qti_client hal_sensorscalibrate_qti_hwservice:hwservice_manager find;
diff --git a/legacy/vendor/common/hal_sensorscalibrate_qti_default.te b/legacy/vendor/common/hal_sensorscalibrate_qti_default.te
new file mode 100644
index 0000000..b8cd1d6
--- /dev/null
+++ b/legacy/vendor/common/hal_sensorscalibrate_qti_default.te
@@ -0,0 +1,37 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type hal_sensorscalibrate_qti_default, domain;
+hal_server_domain(hal_sensorscalibrate_qti_default, hal_sensorscalibrate_qti)
+
+type hal_sensorscalibrate_qti_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_sensorscalibrate_qti_default)
+
+allow hal_sensorscalibrate_qti sysfs_data:file r_file_perms;
+allow hal_sensorscalibrate_qti self:{ socket qipcrtr_socket } create_socket_perms;
+allowxperm hal_sensorscalibrate_qti self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
+allow hal_sensorscalibrate_qti_default mnt_vendor_file:dir r_dir_perms;
diff --git a/legacy/vendor/common/hal_soter_qti.te b/legacy/vendor/common/hal_soter_qti.te
new file mode 100755
index 0000000..5f68da9
--- /dev/null
+++ b/legacy/vendor/common/hal_soter_qti.te
@@ -0,0 +1,49 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type hal_soter_qti, domain;
+hal_server_domain(hal_soter_qti, hal_soter)
+
+type hal_soter_qti_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(hal_soter_qti)
+
+binder_call(hal_soter_client, hal_soter_server)
+binder_call(hal_soter_server, hal_soter_client)
+
+add_hwservice(hal_soter_server, hal_soter_hwservice)
+allow hal_soter_client hal_soter_hwservice:hwservice_manager find;
+
+#Allow access to tee device
+allow hal_soter_qti tee_device:chr_file rw_file_perms;
+
+#Allow access to load firmware images
+r_dir_file(hal_soter_qti, firmware_file)
+
+#Allow access to interract with ion_device
+allow hal_soter_qti ion_device:chr_file r_file_perms;
+
+get_prop(hal_soter_qti, vendor_tee_listener_prop)
diff --git a/legacy/vendor/common/hal_telephony.te b/legacy/vendor/common/hal_telephony.te
new file mode 100644
index 0000000..b134fad
--- /dev/null
+++ b/legacy/vendor/common/hal_telephony.te
@@ -0,0 +1,28 @@
+#Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+#Redistribution and use in source and binary forms, with or without
+#modification, are permitted provided that the following conditions are
+#met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+#ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+set_prop(hal_telephony_server, vendor_radio_prop);
diff --git a/legacy/vendor/common/hal_thermal_default.te b/legacy/vendor/common/hal_thermal_default.te
new file mode 100755
index 0000000..406a160
--- /dev/null
+++ b/legacy/vendor/common/hal_thermal_default.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# access to /proc/stat
+allow hal_thermal  proc_stat:file r_file_perms;
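Review bot: The rule `allow hal_thermal  proc_stat:file r_file_perms;` is written against the `hal_thermal` attribute although the file is named for the default implementation, so every domain carrying that attribute gets the read access, not only the default service. If only the default service reads /proc/stat, `allow hal_thermal_default proc_stat:file r_file_perms;` keeps the grant to one domain (the type name is inferred from the file name; confirm it is declared). The same attribute-wide subject appears in hal_usb_gadget_qti.te (`hal_usb_gadget`), hal_vibrator.te, hal_voiceprint.te, hal_vr_default.te and hal_wifi.te in this commit. The doubled space after `hal_thermal` can go as well.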
diff --git a/legacy/vendor/common/hal_tui_comm_qti.te b/legacy/vendor/common/hal_tui_comm_qti.te
new file mode 100644
index 0000000..ce8aecd
--- /dev/null
+++ b/legacy/vendor/common/hal_tui_comm_qti.te
@@ -0,0 +1,39 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type hal_tui_comm_qti, domain;
+hal_server_domain(hal_tui_comm_qti, hal_tui_comm)
+
+type hal_tui_comm_qti_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(hal_tui_comm_qti)
+
+binder_call(hal_tui_comm_client, hal_tui_comm_server)
+binder_call(hal_tui_comm_server, hal_tui_comm_client)
+
+add_hwservice(hal_tui_comm_server, hal_tui_comm_hwservice)
+allow hal_tui_comm_client hal_tui_comm_hwservice:hwservice_manager find;
+hal_client_domain(hal_tui_comm_qti, hal_graphics_allocator);
diff --git a/legacy/vendor/common/hal_usb_default.te b/legacy/vendor/common/hal_usb_default.te
new file mode 100644
index 0000000..896b728
--- /dev/null
+++ b/legacy/vendor/common/hal_usb_default.te
@@ -0,0 +1,31 @@
+# Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+allow hal_usb_default sysfs_usbpd_device:dir r_dir_perms;
+allow hal_usb_default sysfs_usbpd_device:lnk_file r_file_perms;
+allow hal_usb_default sysfs_usbpd_device:file rw_file_perms;
+r_dir_file(hal_usb_default, sysfs_usb_supply);
diff --git a/legacy/vendor/common/hal_usb_gadget_qti.te b/legacy/vendor/common/hal_usb_gadget_qti.te
new file mode 100644
index 0000000..773609f
--- /dev/null
+++ b/legacy/vendor/common/hal_usb_gadget_qti.te
@@ -0,0 +1,40 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type hal_usb_gadget_qti, domain;
+hal_server_domain(hal_usb_gadget_qti, hal_usb_gadget)
+
+type hal_usb_gadget_qti_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_usb_gadget_qti)
+
+get_prop(hal_usb_gadget, vendor_usb_prop)
+set_prop(hal_usb_gadget, vendor_usb_prop)
+
+allow hal_usb_gadget configfs:file create_file_perms;
+allow hal_usb_gadget sysfs_usbpd_device:dir r_dir_perms;
+allow hal_usb_gadget sysfs_usbpd_device:lnk_file r_file_perms;
+allow hal_usb_gadget sysfs_usbpd_device:file rw_file_perms;
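Review bot: `get_prop(hal_usb_gadget, vendor_usb_prop)` is redundant next to the `set_prop` line that follows it, because the AOSP `set_prop` macro already expands to a `get_prop` on the same property. Keeping only `set_prop(hal_usb_gadget, vendor_usb_prop)` states the intent once. A short comment above `allow hal_usb_gadget configfs:file create_file_perms;` would also help, for example `# create and write USB gadget function nodes under configfs`, if that is what the HAL does.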
diff --git a/legacy/vendor/common/hal_vibrator.te b/legacy/vendor/common/hal_vibrator.te
new file mode 100644
index 0000000..d1fce29
--- /dev/null
+++ b/legacy/vendor/common/hal_vibrator.te
@@ -0,0 +1,31 @@
+# Copyright (c) 2017 - 2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+r_dir_file(hal_vibrator, sysfs_leds)
+allow hal_vibrator sysfs_leds:file w_file_perms;
+allow hal_vibrator input_device:dir r_dir_perms;
+allow hal_vibrator input_device:chr_file rw_file_perms;
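Review bot: `allow hal_vibrator input_device:chr_file rw_file_perms;` gives the vibrator HAL read/write on every character device labelled `input_device`, which in AOSP's base file_contexts is the generic label for the /dev/input nodes, so the HAL could also open touch and key event devices. If the haptics driver exposes one specific node, labelling that node with a dedicated type in file_contexts and allowing only that type would keep the grant narrow. The labelling files are outside this hunk, so confirm which node is actually opened. A comment above the two `input_device` rules naming the device would document the reason for them.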
diff --git a/legacy/vendor/common/hal_voiceprint.te b/legacy/vendor/common/hal_voiceprint.te
new file mode 100644
index 0000000..bc97f45
--- /dev/null
+++ b/legacy/vendor/common/hal_voiceprint.te
@@ -0,0 +1,38 @@
+# Copyright (c) 2017 The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# IPC
+binder_call(hal_voiceprint_client, hal_voiceprint_server)
+binder_call(hal_voiceprint_server, hal_voiceprint_client)
+
+add_hwservice(hal_voiceprint_server, hal_voiceprint_hwservice)
+allow hal_voiceprint_client hal_voiceprint_hwservice:hwservice_manager find;
+
+# memory alloc
+allow hal_voiceprint ion_device:chr_file r_file_perms;
+
+r_dir_file(hal_voiceprint, cgroup)
diff --git a/legacy/vendor/common/hal_vr_default.te b/legacy/vendor/common/hal_vr_default.te
new file mode 100755
index 0000000..ac9009c
--- /dev/null
+++ b/legacy/vendor/common/hal_vr_default.te
@@ -0,0 +1,28 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+unix_socket_connect(hal_vr, thermal, thermal-engine)
diff --git a/legacy/vendor/common/hal_wifi.te b/legacy/vendor/common/hal_wifi.te
new file mode 100644
index 0000000..46039b6
--- /dev/null
+++ b/legacy/vendor/common/hal_wifi.te
@@ -0,0 +1,43 @@
+#Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+#Redistribution and use in source and binary forms, with or without
+#modification, are permitted provided that the following conditions are
+#met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+#ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#
+
+allow hal_wifi wlan_device:chr_file rw_file_perms;
+allow hal_wifi self:capability sys_module;
+allow hal_wifi kernel:key search;
+allow hal_wifi vendor_file:system module_load;
+allow hal_wifi proc_modules:file r_file_perms;
+# allow hal_wifi to write into /proc/debugdriver/driverdump
+r_dir_file(hal_wifi_default, proc_wifi_dbg)
+get_prop(hal_wifi_default, vendor_softap_prop)
+
+# allow hal_wifi to write into /data/vendor/tombstones/wifi
+userdebug_or_eng(`
+  allow hal_wifi_server vendor_tombstone_data_file:dir rw_dir_perms;
+  allow hal_wifi_server vendor_tombstone_data_file:file create_file_perms;
+')
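Review bot: `allow hal_wifi vendor_file:system module_load;` together with `allow hal_wifi self:capability sys_module;` lets every domain in the `hal_wifi` attribute load any file carrying the generic `vendor_file` label as a kernel module. Restricting the object to a dedicated label for the WLAN module (AOSP defines `vendor_kernel_modules` for this purpose) would limit what can be loaded, assuming the module file can be labelled that way in file_contexts, which this hunk does not show. Separately, the comment `# allow hal_wifi to write into /proc/debugdriver/driverdump` sits above `r_dir_file(hal_wifi_default, proc_wifi_dbg)`, which is a read-only macro; either the comment should say "read" or the rule does not grant what is intended.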
diff --git a/legacy/vendor/common/hal_wifi_hostapd.te b/legacy/vendor/common/hal_wifi_hostapd.te
new file mode 100644
index 0000000..e2e17b8
--- /dev/null
+++ b/legacy/vendor/common/hal_wifi_hostapd.te
@@ -0,0 +1,46 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Allow hostapd to access it's data folder
+r_dir_file(hal_wifi_hostapd_default, wifi_vendor_data_file)
+allow hal_wifi_hostapd_default hostapd_data_file:dir rw_dir_perms;
+allow hal_wifi_hostapd_default hostapd_data_file:file create_file_perms;
+# Allow hostapd to connect to fstman using control socket
+allow hal_wifi_hostapd_default fstman:unix_dgram_socket sendto;
+# Allow hostapd to create control socket under its data folder
+allow hal_wifi_hostapd_default hostapd_data_file:sock_file create_file_perms;
+# wigig_hostapd has its own directory for sockets,
+# in order to prevent conflicts with wifi hostapd
+# allow wigig_hostapd to create the directory holding its control socket
+allow hal_wifi_hostapd_default wigig_hostapd_socket:dir create_dir_perms;
+# wigig_hostapd needs to create, bind to, read and write its control socket
+allow hal_wifi_hostapd_default wigig_hostapd_socket:sock_file create_file_perms;
+# allow wigig_hostapd to send replies to wigighalsvc
+allow hal_wifi_hostapd_default wigighalsvc:unix_dgram_socket sendto;
+# allow hostapd to attach to fstman socket
+allow hal_wifi_hostapd_default wifi_vendor_wpa_socket:dir r_dir_perms;
+allow hal_wifi_hostapd_default wifi_vendor_wpa_socket:sock_file rw_file_perms;
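Review bot: The comments from `# wigig_hostapd has its own directory for sockets,` onward describe `wigig_hostapd`, but every rule they annotate is granted to `hal_wifi_hostapd_default`, so a reader cannot tell whether wigig_hostapd runs in this domain or the comments were carried over from another file. A line such as `# wigig_hostapd runs in the hal_wifi_hostapd_default domain` (if that is the case) would settle it. The last comment, `# allow hostapd to attach to fstman socket`, sits above rules on `wifi_vendor_wpa_socket`; naming that socket directory in the comment would match the rule. In the first comment `it's` should be `its`.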
diff --git a/legacy/vendor/common/hal_wifi_supplicant.te b/legacy/vendor/common/hal_wifi_supplicant.te
new file mode 100644
index 0000000..f79ffa7
--- /dev/null
+++ b/legacy/vendor/common/hal_wifi_supplicant.te
@@ -0,0 +1,40 @@
+#Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+#Redistribution and use in source and binary forms, with or without
+#modification, are permitted provided that the following conditions are
+#met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+#ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#
+
+# Allow access to create socket and ioctl.
+allow hal_wifi_supplicant_default self:socket create_socket_perms;
+# ioctlcmd=c304, c302
+allowxperm hal_wifi_supplicant self:socket ioctl msm_sock_ipc_ioctls;
+# Allow write to proc_net.
+allow hal_wifi_supplicant_default proc_net:file write;
+
+# Permission for wpa socket which IMS use to communicate
+# # Allow wpa_supplicant to send back wifi information to cnd
+allow hal_wifi_supplicant_default { cnd ims }:unix_dgram_socket sendto;
+
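Review bot: The two socket rules name different subjects: `allow hal_wifi_supplicant_default self:socket create_socket_perms;` uses the domain type while `allowxperm hal_wifi_supplicant self:socket ioctl msm_sock_ipc_ioctls;` uses the attribute. An allowxperm rule only narrows an ioctl permission that an allow rule grants, so the pair reads more clearly and stays in step with the same subject, e.g. `allowxperm hal_wifi_supplicant_default self:socket ioctl msm_sock_ipc_ioctls;`. `allow hal_wifi_supplicant_default proc_net:file write;` also deserves a comment naming the /proc/net entry that is written, since `proc_net` is a generic label rather than one file. The doubled marker in `# # Allow wpa_supplicant to send back wifi information to cnd` can be reduced to a single `#`.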
diff --git a/legacy/vendor/common/hbtp.te b/legacy/vendor/common/hbtp.te
new file mode 100644
index 0000000..fd1dd21
--- /dev/null
+++ b/legacy/vendor/common/hbtp.te
@@ -0,0 +1,83 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Policies for hbtp (host based touch processing)
+type hbtp, domain;
+type hbtp_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hbtp)
+hal_server_domain(hbtp, hal_hbtp)
+# Allow access for /dev/hbtp_input and /dev/jdi-bu21150
+allow hbtp { hbtp_device qdsp_device dsp_device bu21150_device xdsp_device }:chr_file rw_file_perms;
+
+allow hbtp hbtp_log_file:dir rw_dir_perms;
+allow hbtp hbtp_log_file:file create_file_perms;
+
+allow hbtp hbtp_cfg_file:dir r_dir_perms;
+allow hbtp hbtp_cfg_file:file r_file_perms;
+
+allow hbtp firmware_file:dir r_dir_perms;
+allow hbtp firmware_file:file r_file_perms;
+
+allow hbtp vendor_firmware_file:dir r_dir_perms;
+allow hbtp vendor_firmware_file:file r_file_perms;
+
+allow hbtp sysfs_usb_supply:file r_file_perms;
+allow hbtp sysfs_usb_supply:dir r_dir_perms;
+
+allow hbtp hbtp_kernel_sysfs:file rw_file_perms;
+
+allow hbtp sysfs_graphics:file r_file_perms;
+allow hbtp sysfs_graphics:dir r_dir_perms;
+
+allow hbtp sysfs_battery_supply:file r_file_perms;
+allow hbtp sysfs_battery_supply:dir r_dir_perms;
+
+allow hbtp ion_device:chr_file r_file_perms;
+
+allow hbtp self:netlink_kobject_uevent_socket { create read setopt bind };
+
+# Allow the service to access wakelock sysfs
+allow hbtp sysfs_wake_lock:file r_file_perms;
+
+# Allow the service to change to system from root
+allow hbtp self:capability { setgid setuid };
+
+# Allow load touch driver as touchPD
+r_dir_file(hbtp, adsprpcd_file)
+get_prop(hbtp, adsprpc_prop)
+
+# Allow the service to access wakelock capability
+wakelock_use(hbtp)
+
+# Allow hwbinder call from hal client to server and vice-versa
+binder_call(hal_hbtp_client, hal_hbtp_server)
+binder_call(hal_hbtp_server, hal_hbtp_client)
+
+# Allow hwservice related rules
+add_hwservice(hal_hbtp_server, hal_hbtp_hwservice)
+allow hal_hbtp_client hal_hbtp_hwservice:hwservice_manager find;
+hal_client_domain(hbtp, hal_allocator);
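Review bot: `allow hbtp self:capability { setgid setuid };` implies, per its own comment, that the daemon is started as root and switches to system itself. If the init service entry (not part of this hunk) can set `user system` and the required groups, both capabilities can be dropped from policy. The comment `# Allow access for /dev/hbtp_input and /dev/jdi-bu21150` also names two devices while the rule below it covers five types, including `qdsp_device`, `dsp_device` and `xdsp_device`; the comment should list them or say why the DSP nodes are needed.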
diff --git a/legacy/vendor/common/hdcp_srm.te b/legacy/vendor/common/hdcp_srm.te
new file mode 100644
index 0000000..7ac31cb
--- /dev/null
+++ b/legacy/vendor/common/hdcp_srm.te
@@ -0,0 +1,40 @@
+# Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#hdcp_srm service
+type hdcp_srm, domain;
+
+type hdcp_srm_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hdcp_srm)
+
+# Allow TEE to load firmware images
+r_dir_file(hdcp_srm, firmware_file);
+
+# TEE access
+allow hdcp_srm tee_device:chr_file rw_file_perms;
+allow hdcp_srm ion_device:chr_file r_file_perms;
diff --git a/legacy/vendor/common/healthd.te b/legacy/vendor/common/healthd.te
new file mode 100644
index 0000000..d98a78f
--- /dev/null
+++ b/legacy/vendor/common/healthd.te
@@ -0,0 +1,44 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+r_dir_file(healthd, sysfs_battery_supply)
+r_dir_file(healthd, sysfs_usb_supply)
+r_dir_file(healthd, sysfs_thermal);
+r_dir_file(healthd, sysfs_graphics);
+
+#allow healthd read rtc device file
+allow healthd rtc_device:chr_file r_file_perms;
+
+allow healthd {
+    sysfs_battery_supply
+    sysfs_usb_supply
+    sysfs_graphics
+}:file rw_file_perms;
+
+allow healthd self:capability2 wake_alarm;
+allow healthd sysfs_graphics:dir r_dir_perms;
+allow healthd sysfs_graphics:file rw_file_perms;
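Review bot: The last two rules, `allow healthd sysfs_graphics:dir r_dir_perms;` and `allow healthd sysfs_graphics:file rw_file_perms;`, repeat access already granted earlier in this file. The brace set `{ sysfs_battery_supply sysfs_usb_supply sysfs_graphics }:file rw_file_perms` covers the file rule, and `r_dir_file(healthd, sysfs_graphics)` presumably covers the directory rule (the macro is defined outside this diff), so both lines can be dropped. Separately, nothing here says why a battery-health daemon needs write access to `sysfs_graphics`. If it only reads those nodes, remove `sysfs_graphics` from the `rw_file_perms` set; otherwise add a comment naming the node it writes.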
diff --git a/legacy/vendor/common/hostapd.te b/legacy/vendor/common/hostapd.te
new file mode 100644
index 0000000..bb7e9c4
--- /dev/null
+++ b/legacy/vendor/common/hostapd.te
@@ -0,0 +1,71 @@
+# Copyright (c) 2015,2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Allow hostapd_cli to work. hostapd_cli creates a socket in
+# /data/misc/wifi/sockets which hostapd communicates with.
+#
+
+# userspace wifi access points
+type hostapd, domain;
+type hostapd_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+  unix_socket_send(hostapd, wifi_vendor_wpa, su)
+')
+
+binder_call(hostapd, cnd)
+unix_socket_connect(hostapd, cnd, cnd)
+unix_socket_send(hostapd, cnd, cnd)
+allow hostapd cnd:{
+          fifo_file
+          netlink_route_socket
+          netlink_tcpdiag_socket
+          unix_stream_socket
+          unix_dgram_socket} { read write };
+allow hostapd cnd:fifo_file r_file_perms;
+allow hostapd smem_log_device:chr_file rw_file_perms;
+allow hostapd fstman:unix_dgram_socket sendto;
+allow hostapd wifi_vendor_data_file:dir w_dir_perms;
+allow hostapd wifi_vendor_data_file:file create_file_perms;
+allow hostapd hostapd_data_file:dir w_dir_perms;
+allow hostapd hostapd_data_file:sock_file create_file_perms;
+# wigig_hostapd has its own directory for sockets,
+# in order to prevent conflicts with wifi hostapd
+# allow wigig_hostapd to create the directory holding its control socket
+allow hostapd wigig_hostapd_socket:dir create_dir_perms;
+# wigig_hostapd needs to create, bind to, read and write its control socket
+allow hostapd wigig_hostapd_socket:sock_file create_file_perms;
+# allow wigig_hostapd to send replies to wigighalsvc
+allow hostapd wigighalsvc:unix_dgram_socket sendto;
+# allow hostapd to attach to fstman socket
+allow hostapd wifi_vendor_wpa_socket:dir r_dir_perms;
+allow hostapd wifi_vendor_wpa_socket:sock_file rw_file_perms;
+
+#diag
+userdebug_or_eng(`
+    diag_use(hostapd)
+')
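Review bot: Several comments in the second half of this file do not match the rules beneath them, which makes the grants hard to audit. `# allow hostapd to attach to fstman socket` sits above two rules on `wifi_vendor_wpa_socket`, while the fstman `sendto` rule is further up with no comment. The three wigig comments describe `wigig_hostapd`, yet the rules give the `hostapd` domain `create_dir_perms` and `create_file_perms` on `wigig_hostapd_socket`. If wigig_hostapd runs in this same domain, say so once, e.g. `# wigig_hostapd runs in the hostapd domain and keeps its control socket in its own directory`, and retitle the last pair `# hostapd reads and writes the control sockets under wifi_vendor_wpa_socket`. The opening comment about hostapd_cli and /data/misc/wifi/sockets has no rule under it and should move next to the rule it explains or be removed.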
diff --git a/legacy/vendor/common/hvdcp.te b/legacy/vendor/common/hvdcp.te
new file mode 100644
index 0000000..d00cbc8
--- /dev/null
+++ b/legacy/vendor/common/hvdcp.te
@@ -0,0 +1,76 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# HVDVP quickcharge
+type hvdcp, domain;
+type hvdcp_exec, exec_type, vendor_file_type, file_type;
+
+# Make transition to its own HVDCP domain from init
+init_daemon_domain(hvdcp)
+
+# Add rules for access permissions
+allow hvdcp hvdcp_device:chr_file rw_file_perms;
+allow hvdcp qg_device:chr_file rw_file_perms;
+allow hvdcp {
+    sysfs_battery_supply
+    sysfs_usb_supply
+    sysfs_usbpd_device
+    sysfs_vadc_dev
+    sysfs_spmi_dev
+}:dir r_dir_perms;
+
+allow hvdcp {
+    sysfs_battery_supply
+    sysfs_usb_supply
+    sysfs_usbpd_device
+    sysfs_vadc_dev
+    sysfs_spmi_dev
+}:file rw_file_perms;
+
+allow hvdcp {
+    sysfs_battery_supply
+    sysfs_usb_supply
+    sysfs_vadc_dev
+    sysfs_spmi_dev
+}:lnk_file r_file_perms;
+
+allow hvdcp self:capability { setgid setuid };
+allow hvdcp self:capability2 wake_alarm;
+allow hvdcp kmsg_device:chr_file rw_file_perms;
+allow hvdcp cgroup:dir { create add_name };
+allow hvdcp self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow hvdcp sysfs_battery_supply:file setattr;
+allow hvdcp sysfs_usb_supply:file setattr;
+allow hvdcp sysfs_usbpd_device:file setattr;
+
+allow hvdcp mnt_vendor_file:dir search;
+allow hvdcp persist_hvdcp_file:dir rw_dir_perms;
+allow hvdcp persist_hvdcp_file:file create_file_perms;
+
+get_prop(hvdcp,  hvdcp_opti_prop)
+
+wakelock_use(hvdcp)
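Review bot: `allow hvdcp self:capability { setgid setuid };` lets the charger daemon change its UID/GID, and the only explanation above the rule block is `# Add rules for access permissions`. If the daemon starts as root and drops to a service account, state that in a comment (to be confirmed against the service definition). If the init service entry already sets user and group, the capability can likely be removed. `kmsg_device:chr_file rw_file_perms` and `cgroup:dir { create add_name }` are also broader than a quick-charge daemon obviously needs; `w_file_perms` is enough for kmsg if it only logs. The header comment misspells the domain as `HVDVP`.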
diff --git a/legacy/vendor/common/hwservice.te b/legacy/vendor/common/hwservice.te
new file mode 100644
index 0000000..e8ce328
--- /dev/null
+++ b/legacy/vendor/common/hwservice.te
@@ -0,0 +1,60 @@
+# Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type hal_display_color_hwservice, hwservice_manager_type;
+type hal_display_config_hwservice, hwservice_manager_type;
+type hal_display_postproc_hwservice, hwservice_manager_type;
+type hal_hbtp_hwservice, hwservice_manager_type;
+type hal_dpmqmi_hwservice, hwservice_manager_type;
+type hal_imsrtp_hwservice, hwservice_manager_type;
+type hal_imscallinfo_hwservice, hwservice_manager_type;
+type hal_perf_hwservice, hwservice_manager_type;
+type wifidisplayhalservice_hwservice, hwservice_manager_type;
+type hal_iop_hwservice, hwservice_manager_type;
+type hal_alarm_qti_hwservice, hwservice_manager_type;
+type hal_datafactory_hwservice, hwservice_manager_type;
+type hal_dataconnection_hwservice, hwservice_manager_type;
+type hal_latency_hwservice, hwservice_manager_type;
+type hal_iwlan_hwservice, hwservice_manager_type;
+type hal_cacert_hwservice, hwservice_manager_type;
+type hal_imsrcsd_hwservice, hwservice_manager_type;
+type hal_ipacm_hwservice, hwservice_manager_type;
+type hal_vpp_hwservice, hwservice_manager_type;
+type hal_wigig_hwservice, hwservice_manager_type;
+type hal_qteeconnector_hwservice, hwservice_manager_type;
+type hal_esepowermanager_hwservice, hwservice_manager_type;
+type hal_voiceprint_hwservice, hwservice_manager_type;
+type vendor_hal_factory_qti_hwservice, hwservice_manager_type;
+type hal_wigig_npt_hwservice, hwservice_manager_type;
+type hal_soter_hwservice, hwservice_manager_type;
+type hal_tui_comm_hwservice, hwservice_manager_type;
+type hal_qdutils_disp_hwservice, hwservice_manager_type;
+type hal_sensorscalibrate_qti_hwservice, hwservice_manager_type;
+type hal_scve_hwservice, hwservice_manager_type;
+type hal_mirrorlink_hwservice, hwservice_manager_type;
+type hal_pasrmanager_hwservice, hwservice_manager_type;
+type hal_wifilearner_hwservice, hwservice_manager_type;
diff --git a/legacy/vendor/common/hwservice_contexts b/legacy/vendor/common/hwservice_contexts
new file mode 100644
index 0000000..bab9882
--- /dev/null
+++ b/legacy/vendor/common/hwservice_contexts
@@ -0,0 +1,93 @@
+# Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+vendor.qti.hardware.fingerprint::IQtiExtendedFingerprint     u:object_r:hal_fingerprint_hwservice:s0
+vendor.qti.hardware.radio.am::IQcRilAudio                    u:object_r:hal_telephony_hwservice:s0
+vendor.qti.hardware.radio.config::IConfig                    u:object_r:hal_telephony_hwservice:s0
+vendor.qti.hardware.radio.ims::IImsRadio                     u:object_r:hal_telephony_hwservice:s0
+vendor.qti.hardware.radio.qcrilhook::IQtiOemHook             u:object_r:hal_telephony_hwservice:s0
+vendor.qti.hardware.radio.qtiradio::IQtiRadio                u:object_r:hal_telephony_hwservice:s0
+vendor.qti.hardware.radio.lpa::IUimLpa                       u:object_r:hal_telephony_hwservice:s0
+vendor.qti.hardware.radio.uim_remote_client::IUimRemoteServiceClient    u:object_r:hal_telephony_hwservice:s0
+vendor.qti.hardware.radio.uim_remote_server::IUimRemoteServiceServer    u:object_r:hal_telephony_hwservice:s0
+vendor.qti.hardware.radio.uim::IUim                          u:object_r:hal_telephony_hwservice:s0
+vendor.qti.hardware.radio.atcmdfwd::IAtCmdFwd                u:object_r:hal_atfwd_hwservice:s0
+vendor.display.color::IDisplayColor                          u:object_r:hal_display_color_hwservice:s0
+vendor.display.config::IDisplayConfig                        u:object_r:hal_display_config_hwservice:s0
+vendor.display.postproc::IDisplayPostproc                    u:object_r:hal_display_postproc_hwservice:s0
+vendor.qti.gnss::ILocHidlGnss                                u:object_r:hal_gnss_hwservice:s0
+vendor.nxp.hardware.nfc::INqNfc                              u:object_r:hal_nfc_hwservice:s0
+vendor.qti.hardware.improvetouch.touchcompanion::ITouchCompanion       u:object_r:hal_hbtp_hwservice:s0
+vendor.qti.hardware.improvetouch.gesturemanager::IGestureManager       u:object_r:hal_hbtp_hwservice:s0
+vendor.qti.hardware.improvetouch.blobmanager::IBlobManager             u:object_r:hal_hbtp_hwservice:s0
+com.qualcomm.qti.dpm.api::IdpmQmi                            u:object_r:hal_dpmqmi_hwservice:s0
+vendor.qti.imsrtpservice::IRTPService                        u:object_r:hal_imsrtp_hwservice:s0
+com.qualcomm.qti.bluetooth_audio::IBluetoothAudio            u:object_r:hal_audio_hwservice:s0
+com.qualcomm.qti.ant::IAntHci                                u:object_r:hal_bluetooth_hwservice:s0
+vendor.qti.hardware.fm::IFmHci                               u:object_r:hal_bluetooth_hwservice:s0
+vendor.qti.hardware.wipower::IWipower                        u:object_r:hal_bluetooth_hwservice:s0
+vendor.qti.hardware.perf::IPerf                              u:object_r:hal_perf_hwservice:s0
+com.qualcomm.qti.wifidisplayhal::IHDCPSession                u:object_r:wifidisplayhalservice_hwservice:s0
+vendor.qti.hardware.iop::IIop                                u:object_r:hal_iop_hwservice:s0
+com.qualcomm.qti.wifidisplayhal::IDSManager                  u:object_r:wifidisplayhalservice_hwservice:s0
+vendor.qti.hardware.alarm::IAlarm                            u:object_r:hal_alarm_qti_hwservice:s0
+com.qualcomm.qti.uceservice::IUceService                     u:object_r:hal_imsrcsd_hwservice:s0
+vendor.qti.ims.callinfo::IService                            u:object_r:hal_imscallinfo_hwservice:s0
+com.qualcomm.qti.imscmservice::IImsCmService                 u:object_r:hal_imsrcsd_hwservice:s0
+vendor.qti.hardware.data.latency::ILinkLatency               u:object_r:hal_latency_hwservice:s0
+vendor.qti.hardware.data.iwlan::IIWlan                       u:object_r:hal_iwlan_hwservice:s0
+vendor.qti.hardware.cacert::IService                         u:object_r:hal_cacert_hwservice:s0
+vendor.qti.data.factory::IFactory                            u:object_r:hal_datafactory_hwservice:s0
+vendor.qti.hardware.data.connection::IDataConnection         u:object_r:hal_dataconnection_hwservice:s0
+vendor.qti.hardware.vpp::IHidlVppService                     u:object_r:hal_vpp_hwservice:s0
+vendor.qti.hardware.wigig.supptunnel::ISuppTunnelProvider    u:object_r:hal_wigig_hwservice:s0
+vendor.qti.hardware.wigig.netperftuner::INetPerfTuner        u:object_r:hal_wigig_npt_hwservice:s0
+vendor.qti.hardware.qteeconnector::IAppConnector             u:object_r:hal_qteeconnector_hwservice:s0
+vendor.qti.hardware.qteeconnector::IGPAppConnector           u:object_r:hal_qteeconnector_hwservice:s0
+vendor.qti.esepowermanager::IEsePowerManager                 u:object_r:hal_esepowermanager_hwservice:s0
+vendor.qti.voiceprint::IQtiVoicePrintService                 u:object_r:hal_voiceprint_hwservice:s0
+vendor.qti.power.pasrmanager::IPasrManager                   u:object_r:hal_pasrmanager_hwservice:s0
+# Below rules are added to support the devices that are using the HALs before they are moved to
+# vendor.qti.hardware. They are used as it is to maintain the integrity of the software.
+vendor.qti.qcril.am::IQcRilAudio                             u:object_r:hal_telephony_hwservice:s0
+com.qualcomm.qti.ims.radio::IImsRadio                        u:object_r:hal_telephony_hwservice:s0
+com.qualcomm.qti.qcril.qcrilhook::IQtiOemHook                u:object_r:hal_telephony_hwservice:s0
+vendor.qti.atcmdfwd::IAtCmdFwd                               u:object_r:hal_atfwd_hwservice:s0
+com.qualcomm.qti.imsrtpservice::IRTPService                  u:object_r:hal_imsrtp_hwservice:s0
+vendor.qti.hardware.factory::IFactory                        u:object_r:vendor_hal_factory_qti_hwservice:s0
+vendor.qti.hardware.display.allocator::IQtiAllocator         u:object_r:hal_graphics_allocator_hwservice:s0
+vendor.qti.hardware.soter::ISoter                            u:object_r:hal_soter_hwservice:s0
+vendor.qti.hardware.tui_comm::ITuiComm                       u:object_r:hal_tui_comm_hwservice:s0
+vendor.qti.hardware.qdutils_disp::IQdutilsDisp               u:object_r:hal_qdutils_disp_hwservice:s0
+vendor.qti.hardware.sensorscalibrate::ISensorsCalibrate      u:object_r:hal_sensorscalibrate_qti_hwservice:s0
+vendor.qti.hardware.wifi.supplicant::ISupplicantVendor       u:object_r:hal_wifi_supplicant_hwservice:s0
+vendor.qti.hardware.scve.panorama::IPanoramaTracking            u:object_r:hal_scve_hwservice:s0
+vendor.qti.hardware.scve.panorama::IPanoramaStitching           u:object_r:hal_scve_hwservice:s0
+vendor.qti.hardware.scve.objecttracker::IObjectTracker          u:object_r:hal_scve_hwservice:s0
+vendor.qti.hardware.wifi.hostapd::IHostapdVendor             u:object_r:hal_wifi_hostapd_hwservice:s0
+vendor.qti.hardware.mlshal::IMlsDap                          u:object_r:hal_mirrorlink_hwservice:s0
+vendor.qti.hardware.wifi.wifilearner::IWifiStats             u:object_r:hal_wifilearner_hwservice:s0
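Review bot: Several vendor-only interfaces are labelled with a platform HAL's hwservice type, so any domain allowed `find` on that type can also look up the vendor extension. For example `vendor.qti.hardware.fm::IFmHci`, `vendor.qti.hardware.wipower::IWipower` and `com.qualcomm.qti.ant::IAntHci` all map to `hal_bluetooth_hwservice`, and `IQtiOemHook`, `IUimLpa` and the UIM remote interfaces map to `hal_telephony_hwservice`. Where the intended client sets differ, a dedicated type per interface family, as already done with `hal_atfwd_hwservice`, keeps the grants separable. Also, the comment beginning `# Below rules are added to support the devices that are using the HALs before they are moved to` is followed by five legacy entries and then by ordinary `vendor.qti.hardware.*` lines. A blank line or a second comment after `com.qualcomm.qti.imsrtpservice::IRTPService` would mark where the legacy block ends.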
diff --git a/legacy/vendor/common/ims.te b/legacy/vendor/common/ims.te
new file mode 100644
index 0000000..1a845ee
--- /dev/null
+++ b/legacy/vendor/common/ims.te
@@ -0,0 +1,91 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#integrated sensor process
+type ims, domain;
+type ims_exec, exec_type, vendor_file_type, file_type;
+
+# Started by init
+init_daemon_domain(ims)
+net_domain(ims)
+
+# Talk to qmuxd
+qmux_socket(ims)
+
+allow ims self:capability net_bind_service;
+
+# Use generic netlink socket
+allow ims self:{
+    netlink_socket
+    socket
+    netlink_generic_socket
+    qipcrtr_socket
+} create_socket_perms_no_ioctl;
+
+# To run NDC command
+allow ims {
+    vendor_shell_exec
+    # IMS route installation
+    wcnss_service_exec
+    # for WPA supplicant comment to remove compilation issue
+    #wpa_exec
+}:file rx_file_perms;
+
+# Talk to netd via netd_socket
+unix_socket_connect(ims, netd, netd)
+
+# Talk to qumuxd via ims_socket
+unix_socket_connect(ims, ims, qmuxd)
+
+set_prop(ims, qcom_ims_prop)
+set_prop(ims, ctl_vendor_imsrcsservice_prop)
+
+# permissions for communication with CNE in LBO use case
+unix_socket_connect(ims, cnd, cnd)
+
+#Allow access to netmgrd socket
+netmgr_socket(ims);
+
+# Inherit and use open files from radio.
+allow ims radio:fd use;
+
+#diag
+userdebug_or_eng(`
+    diag_use(ims)
+')
+allow ims self:{ socket udp_socket } ioctl;
+# ioctlcmd=c302
+allowxperm ims self:socket ioctl msm_sock_ipc_ioctls;
+# ioctlcmd=89fd
+allowxperm ims self:udp_socket ioctl priv_sock_ioctls;
+allow ims sysfs_data:file r_file_perms;
+hwbinder_use(ims)
+get_prop(ims, hwservicemanager_prop)
+get_prop(ims, qcom_ims_prop)
+get_prop(ims, cnd_vendor_prop)
+allow ims hal_datafactory_hwservice:hwservice_manager find;
+binder_call(ims, cnd)
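Review bot: `allow ims { vendor_shell_exec wcnss_service_exec }:file rx_file_perms;` lets a domain that is also `net_domain` with `net_bind_service` run the vendor shell inside its own domain, since `rx_file_perms` normally includes `execute_no_trans`. Anything the shell runs then carries every ims permission granted in this file, including the property sets and the netd, cnd and qmuxd sockets. If the shell is only needed for the ndc call the comment mentions, a transition into a small helper domain for that script would leave the network-facing daemon without a general-purpose interpreter. At minimum the comment should name the script being run. Minor: `#integrated sensor process` does not describe this domain, `get_prop(ims, qcom_ims_prop)` is presumably already implied by the `set_prop` above it, and `qumuxd` should read `qmuxd`.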
diff --git a/legacy/vendor/common/imshelper_app.te b/legacy/vendor/common/imshelper_app.te
new file mode 100644
index 0000000..3f7c907
--- /dev/null
+++ b/legacy/vendor/common/imshelper_app.te
@@ -0,0 +1,35 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+type imshelper_app, domain;
+app_domain(imshelper_app);
+unix_socket_connect(imshelper_app, ims, ims)
+allow imshelper_app app_api_service:service_manager find;
+
+allow qsee_svc_app imshelper_app_data_file:dir create_dir_perms;
+allow qsee_svc_app imshelper_app_data_file:file create_file_perms;
+
+allow imshelper_app system_app_data_file:dir { getattr search };
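Review bot: The two `imshelper_app_data_file` rules name `qsee_svc_app` as the source domain, not `imshelper_app`. As written, this file gives a different app create and write access to imshelper_app's data directory and grants imshelper_app itself nothing on that type. If this is a copy-paste slip, the lines should read `allow imshelper_app imshelper_app_data_file:dir create_dir_perms;` and `allow imshelper_app imshelper_app_data_file:file create_file_perms;`. If qsee_svc_app really needs to write there, the rules belong in that domain's own .te file with a comment giving the reason, narrowed to the permissions it uses.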
diff --git a/legacy/vendor/common/init-qti-ims-sh.te b/legacy/vendor/common/init-qti-ims-sh.te
new file mode 100644
index 0000000..6ab358a
--- /dev/null
+++ b/legacy/vendor/common/init-qti-ims-sh.te
@@ -0,0 +1,39 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type init-qti-ims-sh, domain;
+type init-qti-ims-sh_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-qti-ims-sh)
+
+allow init-qti-ims-sh vendor_shell_exec:file rx_file_perms;
+allow init-qti-ims-sh vendor_toolbox_exec:file rx_file_perms;
+
+set_prop(init-qti-ims-sh, qcom_ims_prop)
+
+# for ro.build.product
+get_prop(init-qti-ims-sh, exported2_default_prop)
diff --git a/legacy/vendor/common/init.te b/legacy/vendor/common/init.te
new file mode 100644
index 0000000..2d59c5a
--- /dev/null
+++ b/legacy/vendor/common/init.te
@@ -0,0 +1,91 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Adding allow rule for search on /fuse
+allow init fuse:dir { search mounton };
+allow init self:capability sys_module;
+allow init {
+    adsprpcd_file
+    cache_file
+    mnt_vendor_file
+    storage_file
+}:dir mounton;
+allow init kmsg_device:chr_file write;
+
+#Allow triggering IPA FWs loading
+allow init ipa_dev:chr_file write;
+
+#For insmod to search module key for signature verification
+allow init kernel:key search;
+
+#For sdcard
+allow init tmpfs:lnk_file create_file_perms;
+
+#Certain domains needs LD_PRELOAD passed from init
+#allow it for most domain. Do not honor LD_PRELOAD
+#for lmkd
+#allow init { domain -lmkd }:process noatsecure;
+
+#For configfs file permission
+allow init configfs:dir r_dir_perms;
+allow init configfs:file { rw_file_perms link };
+allow init configfs:lnk_file create_file_perms;
+
+#Allow init to mount non-hlos partitions in A/B builds
+allow init { bt_firmware_file vendor_firmware_file  firmware_file } :dir mounton;
+
+# Moved to vendor so need relabelfrom and associate permissions
+allow init { bt_firmware_file firmware_file }:filesystem  { relabelfrom  mount };
+#TODO: This should not be needed and needs to be cleaned.
+allow { bt_firmware_file firmware_file  }self:filesystem associate;
+
+allow init sysfs_boot_adsp:file write;
+allow init sysfs_slpi:file write;
+allow init sysfs_graphics:file setattr;
+
+#dontaudit non configfs usb denials
+dontaudit init sysfs:dir write;
+
+#load /vendor/lib/modules/qca_cld3/qca_cld3_wlan.ko
+#load /vendor/lib/modules/wil6210.ko
+allow init vendor_file:system module_load;
+
+#Needed for restorecon. Init already has these permissions
+#for generic block devices, but is unable to access those
+#which have a custom lable added by us.
+allow init {
+    custom_ab_block_device
+    boot_block_device
+    xbl_block_device
+    ssd_device
+    modem_block_device
+    mdtp_device
+}:{ blk_file lnk_file } relabelto;
+
+#Blocked by neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint;
+#domain_trans(init, vendor_init_exec, vendor_init);
+allow init mnt_vendor_file:lnk_file r_file_perms;
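Review bot: `allow init vendor_file:system module_load;` permits init to load a kernel module from any file carrying the generic `vendor_file` label, while the comments above it list only two intended modules (`qca_cld3_wlan.ko`, `wil6210.ko`). Giving the module directory a dedicated type and granting `module_load` on that type alone would narrow this. Module integrity would then not rest only on signature checking; the `kernel:key search` rule suggests signing is in use, but its enforcement is not visible in this diff. Two further items: `allow { bt_firmware_file firmware_file  }self:filesystem associate;` is carried over together with its own `#TODO: This should not be needed`, and `dontaudit init sysfs:dir write;` silences denials on all of `sysfs`, which also hides unrelated write attempts by init from the audit log.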
diff --git a/legacy/vendor/common/init_shell.te b/legacy/vendor/common/init_shell.te
new file mode 100644
index 0000000..7d41b91
--- /dev/null
+++ b/legacy/vendor/common/init_shell.te
@@ -0,0 +1,278 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Restricted domain for shell processes spawned by init.
+# Normally these are shell commands or scripts invoked via sh
+# from an init*.rc file.  No service should ever run in this domain.
+type qti_init_shell, domain;
+type qti_init_shell_exec, exec_type, vendor_file_type,file_type;
+
+init_daemon_domain(qti_init_shell)
+
+domain_auto_trans(init, vendor_shell_exec, qti_init_shell)
+
+# For executing init shell scripts (init.qcom.early_boot.sh)
+allow qti_init_shell qti_init_shell_exec:file { rx_file_perms entrypoint };
+#execute init scripts
+allow qti_init_shell vendor_shell_exec:file {rx_file_perms entrypoint };
+allow qti_init_shell vendor_toolbox_exec:file  rx_file_perms;
+
+# For getting idle_time value
+# this is needed for dynamic_fps and bw_mode_bitmap
+allow qti_init_shell sysfs_graphics:file {rw_file_perms setattr};
+
+allow qti_init_shell mnt_vendor_file:dir w_dir_perms;
+allow qti_init_shell mnt_vendor_file:file create_file_perms;
+allow qti_init_shell smd_device:chr_file rw_file_perms;
+
+# Run helpers from / or /system without changing domain.
+allow qti_init_shell { rootfs vendor_shell_exec }:file execute_no_trans;
+
+# For accessing fmradio device node
+allow qti_init_shell fm_radio_device:chr_file r_file_perms;
+
+#allow shell to access /dev/vm_bms
+allow qti_init_shell vm_bms_device:chr_file getattr;
+
+allow qti_init_shell gpu_device:chr_file getattr;
+
+# for insmod of iris ko, this is needed.
+# needed by most of the services
+# fowner and fsetid are needed for chmod display nodes.
+allow qti_init_shell self:capability {
+    sys_module
+    net_admin
+    chown
+    fowner
+    fsetid
+    sys_admin
+};
+
+# For  property starting with hw
+# freq_prop - for setting frequency from postboot script
+# vendor_mpctl_prop - for setting ctl.mpdecision property from postboot script
+# vendor_bluetooth_prop - for setting bt related properties from postboot script
+# ctl_vendor_qmuxd_prop/ctl_vendor_netmgrd_prop - Needed in order to set properties on qmuxd and netmgrd processes
+set_prop(qti_init_shell, freq_prop)
+set_prop(qti_init_shell, vendor_mpctl_prop)
+set_prop(qti_init_shell, vendor_bluetooth_prop)
+set_prop(qti_init_shell, sensors_prop)
+set_prop(qti_init_shell, msm_irqbalance_prop)
+set_prop(qti_init_shell, msm_irqbl_sdm630_prop)
+set_prop(qti_init_shell, vendor_ipacm_prop)
+set_prop(qti_init_shell, vendor_ipacm-diag_prop)
+set_prop(qti_init_shell, vendor_dataqti_prop)
+set_prop(qti_init_shell, vendor_dataadpl_prop)
+set_prop(qti_init_shell, ctl_rildaemon_prop)
+set_prop(qti_init_shell, ctl_qcrild_prop)
+set_prop(qti_init_shell, ctl_vendor_rild_prop)
+set_prop(qti_init_shell, ctl_vendor_qmuxd_prop)
+set_prop(qti_init_shell, ctl_vendor_netmgrd_prop)
+set_prop(qti_init_shell, ctl_vendor_port-bridge_prop)
+set_prop(qti_init_shell, vendor_display_prop)
+set_prop(qti_init_shell, scr_enabled_prop)
+set_prop(qti_init_shell, vendor_opengles_prop)
+set_prop(qti_init_shell, vendor_mdm_helper_prop)
+set_prop(qti_init_shell, fm_prop)
+set_prop(qti_init_shell, usf_prop)
+set_prop(qti_init_shell, vendor_alarm_boot_prop)
+set_prop(qti_init_shell, vendor_gralloc_prop)
+set_prop(qti_init_shell, vendor_audio_prop)
+userdebug_or_eng(`
+# Needed for starting console in userdebug mode
+set_prop(qti_init_shell, ctl_console_prop)
+set_prop(qti_init_shell, vendor_coresight_prop)
+set_prop(qti_init_shell, vendor_audio_debug_prop)
+')
+#Needed for starting vm_bms executable post-boot
+set_prop(qti_init_shell, vm_bms_prop)
+set_prop(qti_init_shell, vendor_usb_prop)
+#Needed for setting hwui properties in post_boot
+set_prop(qti_init_shell, hwui_prop)
+set_prop(qti_init_shell, graphics_vulkan_prop)
+#Needed for setting vendor_cgroup_follow properties from post_boot
+set_prop(qti_init_shell, vendor_cgroup_follow_prop)
+#Needed for setting bservice properties from post_boot
+set_prop(qti_init_shell, bservice_prop)
+#Needed for setting DSR properties from post_boot
+set_prop(qti_init_shell, reschedule_service_prop)
+#Needed for setting hvdcp properties from post_boot
+set_prop(qti_init_shell, hvdcp_opti_prop)
+
+get_prop(qti_init_shell, exported3_radio_prop)
+set_prop(qti_init_shell, vendor_gpu_prop)
+
+allow qti_init_shell efs_boot_dev:blk_file r_file_perms;
+
+# For hci_comm_init
+allow qti_init_shell { serial_device userdebug_or_eng(`qdss_device') }:chr_file rw_file_perms;
+
+allow qti_init_shell {
+    sysfs_devices_system_cpu
+    sysfs_thermal
+    sysfs_lowmemorykiller
+    sysfs_mmc_host
+    sysfs_process_reclaim
+}:file w_file_perms;
+
+allow qti_init_shell sysfs_vmpressure:file write;
+r_dir_file(qti_init_shell, sysfs_thermal)
+r_dir_file(qti_init_shell, sysfs_type)
+allow qti_init_shell sysfs_socinfo:file write;
+allow qti_init_shell sysfs:{ dir file lnk_file } relabelfrom;
+allow qti_init_shell sysfs_devices_system_cpu: { dir file lnk_file } relabelto;
+allow qti_init_shell sensors_device:chr_file r_file_perms;
+
+# To start sensors for DSPS enabled platforms
+r_dir_file(qti_init_shell, mnt_vendor_file)
+r_dir_file(qti_init_shell, sensors_persist_file)
+r_dir_file(qti_init_shell, persist_bluetooth_file)
+allow qti_init_shell sensors_persist_file:file setattr;
+allow qti_init_shell sensors_persist_file:dir setattr;
+
+# To start of selected USF based calculators
+r_dir_file(qti_init_shell, persist_usf_file)
+allow qti_init_shell persist_usf_file:dir w_dir_perms;
+
+# To check if /system/bin/msm_irqbalance is persent in the device
+allow qti_init_shell msm_irqbalanced_exec:file getattr;
+
+# To write to /data/vendor/perfd
+allow qti_init_shell mpctl_data_file:dir w_dir_perms;
+allow qti_init_shell mpctl_data_file:file { write getattr unlink };
+
+allow qti_init_shell { proc proc_net}:file write;
+allow qti_init_shell proc_net:file r_file_perms;
+
+allow qti_init_shell graphics_device:dir create_dir_perms;
+allow qti_init_shell graphics_device:lnk_file create_file_perms;
+
+#insmod of ko from scripts need kernel key search
+allow qti_init_shell kernel:key search;
+
+# To change owner of /sys/devices/virtual/hsicctl/hsicctl0/modem_wait to radio
+allow qti_init_shell sysfs_hsic_modem_wait:file { r_file_perms setattr };
+
+# To change owner/permissions of secure touch sysfs files
+r_dir_file(qti_init_shell, sysfs_securetouch)
+
+# core-ctl
+allow qti_init_shell cgroup:dir add_name;
+
+# To allow copy for mbn files
+r_dir_file(qti_init_shell, firmware_file)
+
+# /dev/block/zram0
+allow qti_init_shell block_device:dir r_dir_perms;
+allow qti_init_shell swap_block_device:blk_file rw_file_perms;
+
+# /data/vendor/swap/swapfile
+allow qti_init_shell swap_data_file:dir rw_dir_perms;
+allow qti_init_shell swap_data_file:file create_file_perms;
+
+#For configfs permission
+allow qti_init_shell configfs:dir r_dir_perms;
+allow qti_init_shell configfs:file rw_file_perms;
+
+#Allow read permissions to read adj
+allow qti_init_shell sysfs_lowmemorykiller:file read;
+
+allow qti_init_shell persist_alarm_file:dir r_dir_perms;
+allow qti_init_shell persist_alarm_file:file r_file_perms;
+
+#Allow /sys access to write zram disksize
+allow qti_init_shell sysfs_zram:dir r_dir_perms;
+allow qti_init_shell sysfs_zram:file w_file_perms;
+
+# To get GPU frequencies  and set attributes
+allow qti_init_shell sysfs_kgsl:file { r_file_perms setattr };
+
+allow qti_init_shell proc:file r_file_perms;
+allow qti_init_shell rootfs:file r_file_perms;
+
+r_dir_file(qti_init_shell, sysfs_devfreq)
+allow qti_init_shell sysfs_devfreq:file w_file_perms;
+
+r_dir_file(qti_init_shell, sysfs_cpu_boost)
+allow qti_init_shell sysfs_cpu_boost:file w_file_perms;
+
+allow qti_init_shell vendor_mbn_data_file:dir create_dir_perms;
+allow qti_init_shell vendor_mbn_data_file:file create_file_perms;
+
+set_prop(qti_init_shell, vendor_rild_libpath_prop);
+set_prop(qti_init_shell, ctl_vendor_hbtp_prop)
+set_prop(qti_init_shell, vendor_radio_prop)
+
+allow qti_init_shell fm_qsoc_patches_exec:file rx_file_perms;
+
+# rules for vm_bms
+allow qti_init_shell {
+    sysfs_battery_supply
+    sysfs_usb_supply
+}:dir r_dir_perms;
+
+allow qti_init_shell {
+    sysfs_battery_supply
+    sysfs_usb_supply
+}:file rw_file_perms;
+
+allow qti_init_shell sysfs_battery_supply:file setattr;
+allow qti_init_shell sysfs_usb_supply:file setattr;
+
+allow qti_init_shell sysfs_fm:file rw_file_perms;
+
+# To read /proc/meminfo
+allow qti_init_shell proc_meminfo:file r_file_perms;
+
+# cpu_boost during touch input
+allow qti_init_shell sysfs_cpu_boost:dir r_dir_perms;
+allow qti_init_shell sysfs_cpu_boost:file rw_file_perms;
+
+allow qti_init_shell sysfs_msm_power:file rw_file_perms;
+allow qti_init_shell  sysfs_devices_system_cpu:file rw_file_perms;
+
+# For IO Cgroups
+allow qti_init_shell cgroup:dir { mounton create_dir_perms };
+allow qti_init_shell cgroup:file { rw_file_perms };
+
+set_prop(qti_init_shell, vendor_mmi_prop)
+
+# allow rw access to sysfs_npu
+allow qti_init_shell sysfs_npu:file rw_file_perms;
+
+set_prop(qti_init_shell, vendor_alarm_boot_prop)
+
+# allow rw create file access to fm patchdownloader
+allow qti_init_shell vendor_fm_data_file:file create_file_perms;
+allow qti_init_shell vendor_fm_data_file:dir ra_dir_perms;
+
+# For USB RNDIS configuration
+allow qti_init_shell sysfs_android_usb:dir r_dir_perms;
+allow qti_init_shell sysfs_android_usb:file rw_file_perms;
+
+# allow read permisison for hvdcp_opti properties
+get_prop(qti_init_shell,  hvdcp_opti_prop)
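Review bot: The `allow qti_init_shell self:capability { ... }` block grants `sys_admin` and `net_admin` alongside `sys_module`, but the comment above it only accounts for `sys_module` (insmod of the iris module) and `fowner`/`fsetid` (chmod of display nodes). This domain is entered whenever init executes `vendor_shell_exec`, so each capability should carry its own justification, for example `# sys_admin: required by <script> for <operation>`, and any that no script needs should be dropped. The same applies to `allow qti_init_shell { proc proc_net}:file write;`, which targets the generic `proc` label rather than a specific proc type. Separately, `set_prop(qti_init_shell, vendor_alarm_boot_prop)` and the `sysfs_cpu_boost` rules each appear twice in this file.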
diff --git a/legacy/vendor/common/installd.te b/legacy/vendor/common/installd.te
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/legacy/vendor/common/installd.te
diff --git a/legacy/vendor/common/ioctl_defines b/legacy/vendor/common/ioctl_defines
new file mode 100644
index 0000000..957ef7e
--- /dev/null
+++ b/legacy/vendor/common/ioctl_defines
@@ -0,0 +1,82 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# gpu_device ioctls defined in the kernel in include/uapi/linux/msm_kgsl.h
+define(`IOCTL_KGSL_DEVICE_GETPROPERTY', `0x00000902')
+define(`IOCTL_KGSL_DEVICE_WAITTIMESTAMP', `0x00000906')
+define(`IOCTL_KGSL_DEVICE_WAITTIMESTAMP_CTXTID', `0x00000907')
+define(`IOCTL_KGSL_RINGBUFFER_ISSUEIBCMDS', `0x00000910')
+define(`IOCTL_KGSL_CMDSTREAM_READTIMESTAMP', `0x00000911')
+define(`IOCTL_KGSL_CMDSTREAM_FREEMEMONTIMESTAMP', `0x00000912')
+define(`IOCTL_KGSL_DRAWCTXT_CREATE', `0x00000913')
+define(`IOCTL_KGSL_DRAWCTXT_DESTROY', `0x00000914')
+define(`IOCTL_KGSL_MAP_USER_MEM', `0x00000915')
+define(`IOCTL_KGSL_CMDSTREAM_READTIMESTAMP_CTXTID', `0x00000916')
+define(`IOCTL_KGSL_CMDSTREAM_FREEMEMONTIMESTAMP_CTXTID', `0x00000917')
+define(`IOCTL_KGSL_SHAREDMEM_FROM_PMEM', `0x00000920')
+define(`IOCTL_KGSL_SHAREDMEM_FREE', `0x00000921')
+define(`IOCTL_KGSL_DRAWCTXT_BIND_GMEM_SHADOW', `0x00000922')
+define(`IOCTL_KGSL_SHAREDMEM_FROM_VMALLOC', `0x00000923')
+define(`IOCTL_KGSL_SHAREDMEM_FLUSH_CACHE', `0x00000924')
+define(`IOCTL_KGSL_DRAWCTXT_SET_BIN_BASE_OFFSET', `0x00000925')
+define(`IOCTL_KGSL_CMDWINDOW_WRITE', `0x0000092e')
+define(`IOCTL_KGSL_GPUMEM_ALLOC', `0x0000092f')
+define(`IOCTL_KGSL_CFF_SYNCMEM', `0x00000930')
+define(`IOCTL_KGSL_CFF_USER_EVENT', `0x00000931')
+define(`IOCTL_KGSL_SETPROPERTY', `0x00000932')
+define(`IOCTL_KGSL_TIMESTAMP_EVENT', `0x00000933')
+define(`IOCTL_KGSL_GPUMEM_ALLOC_ID', `0x00000934')
+define(`IOCTL_KGSL_GPUMEM_FREE_ID', `0x00000935')
+define(`IOCTL_KGSL_GPUMEM_GET_INFO', `0x00000936')
+define(`IOCTL_KGSL_GPUMEM_SYNC_CACHE', `0x00000937')
+define(`IOCTL_KGSL_PERFCOUNTER_GET', `0x00000938')
+define(`IOCTL_KGSL_PERFCOUNTER_PUT', `0x00000939')
+define(`IOCTL_KGSL_PERFCOUNTER_QUERY', `0x0000093a')
+define(`IOCTL_KGSL_PERFCOUNTER_READ', `0x0000093b')
+define(`IOCTL_KGSL_GPUMEM_SYNC_CACHE_BULK', `0x0000093c')
+define(`IOCTL_KGSL_SUBMIT_COMMANDS', `0x0000093d')
+define(`IOCTL_KGSL_SYNCSOURCE_CREATE', `0x00000940')
+define(`IOCTL_KGSL_SYNCSOURCE_DESTROY', `0x00000941')
+define(`IOCTL_KGSL_SYNCSOURCE_CREATE_FENCE', `0x00000942')
+define(`IOCTL_KGSL_SYNCSOURCE_SIGNAL_FENCE', `0x00000943')
+define(`IOCTL_KGSL_CFF_SYNC_GPUOBJ', `0x00000944')
+define(`IOCTL_KGSL_GPUOBJ_ALLOC', `0x00000945')
+define(`IOCTL_KGSL_GPUOBJ_FREE', `0x00000946')
+define(`IOCTL_KGSL_GPUOBJ_INFO', `0x00000947')
+define(`IOCTL_KGSL_GPUOBJ_IMPORT', `0x00000948')
+define(`IOCTL_KGSL_GPUOBJ_SYNC', `0x00000949')
+define(`IOCTL_KGSL_GPU_COMMAND', `0x0000094a')
+define(`IOCTL_KGSL_PREEMPTIONCOUNTER_QUERY', `0x0000094b')
+define(`IOCTL_KGSL_GPUOBJ_SET_INFO', `0x0000094c')
+
+# socket ioctls defined in the kernel in include/uapi/linux/msm_ipc.h
+define(`IPC_ROUTER_IOCTL_GET_VERSION', `0x0000c300')
+define(`IPC_ROUTER_IOCTL_GET_MTU', `0x0000c301')
+define(`IPC_ROUTER_IOCTL_LOOKUP_SERVER', `0x0000c302')
+define(`IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE', `0x0000c303')
+define(`IPC_ROUTER_IOCTL_BIND_CONTROL_PORT', `0x0000c304')
+define(`IPC_ROUTER_IOCTL_CONFIG_SEC_RULES', `0x0000c305')
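Review bot: The defines do not say what the numbers encode, so a later editor who copies a full 32-bit request value from the kernel header would likely add an entry that never matches. Every value here fits in 16 bits (`0x09xx` for KGSL, `0xc3xx` for IPC router), which looks like the ioctl type byte followed by the command number. A header comment such as `# Values are the low 16 bits of the request: (type << 8) | nr, as matched by allowxperm` would make that explicit. It would also help to record which kernel tree the two headers were read from, since these lists are maintained by hand.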
diff --git a/legacy/vendor/common/ioctl_macros b/legacy/vendor/common/ioctl_macros
new file mode 100644
index 0000000..8c4e049
--- /dev/null
+++ b/legacy/vendor/common/ioctl_macros
@@ -0,0 +1,83 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+define(`gpu_ioctls', `{
+IOCTL_KGSL_DEVICE_GETPROPERTY
+IOCTL_KGSL_DEVICE_WAITTIMESTAMP_CTXTID
+IOCTL_KGSL_DRAWCTXT_CREATE
+IOCTL_KGSL_DRAWCTXT_DESTROY
+IOCTL_KGSL_MAP_USER_MEM
+IOCTL_KGSL_SHAREDMEM_FREE
+IOCTL_KGSL_SETPROPERTY
+IOCTL_KGSL_TIMESTAMP_EVENT
+IOCTL_KGSL_PERFCOUNTER_GET
+IOCTL_KGSL_PERFCOUNTER_PUT
+IOCTL_KGSL_SYNCSOURCE_CREATE
+IOCTL_KGSL_SYNCSOURCE_DESTROY
+IOCTL_KGSL_SYNCSOURCE_CREATE_FENCE
+IOCTL_KGSL_SYNCSOURCE_SIGNAL_FENCE
+IOCTL_KGSL_GPUOBJ_ALLOC
+IOCTL_KGSL_GPUOBJ_FREE
+IOCTL_KGSL_GPUOBJ_INFO
+IOCTL_KGSL_GPUOBJ_IMPORT
+IOCTL_KGSL_GPUOBJ_SYNC
+IOCTL_KGSL_GPU_COMMAND
+}')
+
+define(`msm_sock_ipc_ioctls', `{
+IPC_ROUTER_IOCTL_GET_VERSION
+IPC_ROUTER_IOCTL_GET_MTU
+IPC_ROUTER_IOCTL_LOOKUP_SERVER
+IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE
+IPC_ROUTER_IOCTL_BIND_CONTROL_PORT
+IPC_ROUTER_IOCTL_CONFIG_SEC_RULES
+}')
+
+define(`msm_sock_qrtr_ioctls', `{
+TIOCOUTQ
+}')
+
+define(`rmnet_sock_ioctls', `{
+SIOCDEVPRIVATE_1
+SIOCDEVPRIVATE_2
+SIOCDEVPRIVATE_3
+SIOCDEVPRIVATE_4
+SIOCDEVPRIVATE_5
+SIOCDEVPRIVATE_6
+SIOCDEVPRIVATE_7
+SIOCDEVPRIVATE_8
+SIOCDEVPRIVATE_9
+SIOCDEVPRIVATE_A
+SIOCDEVPRIVATE_B
+SIOCDEVPRIVATE_C
+SIOCDEVPRIVATE_D
+}')
+
+define(`wlan_sock_ioctls', `{
+SIOCSIWPRIV
+SIOCIWFIRSTPRIV_15
+}')
diff --git a/legacy/vendor/common/ipacm.te b/legacy/vendor/common/ipacm.te
new file mode 100644
index 0000000..42e74aa
--- /dev/null
+++ b/legacy/vendor/common/ipacm.te
@@ -0,0 +1,61 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# General definitions
+type ipacm, domain;
+type ipacm-diag, domain;
+type ipacm_exec, exec_type, vendor_file_type, file_type;
+type ipacm-diag_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(ipacm)
+init_daemon_domain(ipacm-diag)
+
+# associate netdomain to use for accessing internet sockets
+net_domain(ipacm)
+# ipacm to become hal_tetheroffload_server
+hal_server_domain(ipacm, hal_tetheroffload)
+
+userdebug_or_eng(`
+  # Allow using the logging file between ipacm and ipacm-diag
+  unix_socket_send(ipacm, ipacm, ipacm-diag)
+  diag_use(ipacm-diag)
+')
+
+# Allow operations with /dev/ipa, /dev/wwan_ioctl and /dev/ipaNatTable
+allow ipacm ipa_dev:chr_file rw_file_perms;
+
+# Allow receiving NETLINK messages
+allow ipacm ipacm:{
+    netlink_route_socket
+    netlink_socket
+    # Allow querying the network stack via IOCTLs
+    udp_socket
+    netlink_generic_socket
+} create_socket_perms_no_ioctl;
+
+# Allow creating and modifying the PID file
+allow ipacm ipa_vendor_data_file:dir w_dir_perms;
+allow ipacm ipa_vendor_data_file:file create_file_perms;
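Review bot: The comment `# Allow querying the network stack via IOCTLs` sits inside the class list of the `allow ipacm ipacm:{ ... } create_socket_perms_no_ioctl;` rule, but that permission set is the no-ioctl variant, so the comment describes something this rule does not grant. Either drop the comment or reword it to `# udp_socket: create/use only; ioctl is not granted by this rule`, and if ipacm does need socket ioctls, add them as an explicit `allowxperm` with a named command set. The heading `# Allow receiving NETLINK messages` also does not cover `udp_socket`, which is in the same list. Writing `self` instead of `ipacm ipacm` would match the other files in this commit.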
diff --git a/legacy/vendor/common/irsc_util.te b/legacy/vendor/common/irsc_util.te
new file mode 100644
index 0000000..6ffab81
--- /dev/null
+++ b/legacy/vendor/common/irsc_util.te
@@ -0,0 +1,39 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type irsc_util, domain;
+type irsc_util_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(irsc_util)
+
+userdebug_or_eng(`
+  #domain_auto_trans(vendor_shell, irsc_util_exec, irsc_util)
+  #domain_auto_trans(adbd, irsc_util_exec, irsc_util)
+')
+
+allow irsc_util irsc_util:socket { create ioctl };
+allowxperm irsc_util self:socket ioctl msm_sock_ipc_ioctls;
+allow irsc_util devpts:chr_file rw_file_perms;
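Review bot: `allow irsc_util devpts:chr_file rw_file_perms;` gives an init-started daemon read/write on pseudo-terminals with no comment explaining why. The only transitions from `vendor_shell` and `adbd` are commented out inside the `userdebug_or_eng` block, so this looks like a leftover from running the tool by hand. If so, the rule belongs inside that block (which is otherwise empty) rather than in user builds. The first socket rule also writes `irsc_util irsc_util:socket` where the next line uses `self`; `allow irsc_util self:socket { create ioctl };` would be consistent.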
diff --git a/legacy/vendor/common/kernel.te b/legacy/vendor/common/kernel.te
new file mode 100755
index 0000000..ffbbea1
--- /dev/null
+++ b/legacy/vendor/common/kernel.te
@@ -0,0 +1,44 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+allow kernel block_device:blk_file rw_file_perms;
+
+userdebug_or_eng(`
+  allow kernel self:{ socket qipcrtr_socket } create_socket_perms_no_ioctl;
+  r_dir_file(kernel, qti_debugfs);
+  allow kernel debugfs_mmc:dir search;
+')
+
+# Access firmware_file
+r_dir_file(kernel, firmware_file)
+
+# access vendor_firmware_file
+r_dir_file(kernel, vendor_firmware_file)
+
+# Allow kernel to schedule process to different cpuset
+# when the current cpu is hotplugged out
+allow kernel domain:process setsched;
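Review bot: `allow kernel block_device:blk_file rw_file_perms;` has no comment and targets the generic `block_device` label rather than a specific partition type, so it covers every block node that has not been given its own label. I would state the reason and narrow the target, e.g. `# kernel opens <partition> for <purpose>` followed by a rule on that partition's label. `allow kernel domain:process setsched;` is similarly wide (all domains), though its comment does explain the hotplug case.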
diff --git a/legacy/vendor/common/keystore.te b/legacy/vendor/common/keystore.te
new file mode 100644
index 0000000..686db78
--- /dev/null
+++ b/legacy/vendor/common/keystore.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Allow keystore to operate using qseecom_device
+allow keystore tee_device:chr_file rw_file_perms;
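Review bot: The comment says `qseecom_device` but the rule grants access to `tee_device`, so the comment and the type name disagree; `# Allow keystore to open the TEE device node (tee_device)` would match the rule. `rw_file_perms` also brings in `ioctl` on that node, and this file adds no `allowxperm` to limit which commands keystore may issue. If the legacy targets route key operations through a HAL process, it is worth confirming that keystore itself still needs this direct access.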
diff --git a/legacy/vendor/common/location.te b/legacy/vendor/common/location.te
new file mode 100644
index 0000000..681a64c
--- /dev/null
+++ b/legacy/vendor/common/location.te
@@ -0,0 +1,121 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# location - Location daemon
+type location, domain;
+type location_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(location)
+net_domain(location)
+
+# Socket is created by the daemon, not by init, and under /data/gps,
+# not under /dev/socket.
+type_transition location location_data_file:sock_file location_socket;
+
+qmux_socket(location)
+#binder_use(location)
+binder_call(location, system_server)
+wakelock_use(location)
+
+allow location location_data_file:dir create_dir_perms;
+allow location location_data_file:{ file fifo_file } create_file_perms;
+allow location location_data_file:sock_file write;
+allow location location_exec:file x_file_perms;
+allow location location_socket:sock_file create_file_perms;
+allow location location_socket:dir rw_dir_perms;
+allow location self:capability { setuid setgid net_admin net_bind_service };
+allow location self:{
+    socket
+    netlink_socket
+    netlink_generic_socket
+    qipcrtr_socket
+} create_socket_perms_no_ioctl;
+
+unix_socket_connect(location, sensors, sensors)
+allow location sensors_device:chr_file r_file_perms;
+allow location sensors_socket:sock_file rw_file_perms;
+allow location vendor_shell_exec:file rx_file_perms;
+
+#allow location system_server:unix_stream_socket { read write connectto};
+
+# For interfacing with the device sensorservice
+# permission check for slim daemon
+#allow location { sensorservice_service permission_service }:service_manager find;
+
+hwbinder_use(location)
+get_prop(location, hwservicemanager_prop)
+
+allow location fwk_sensor_hwservice:hwservice_manager find;
+
+allow location sensors_persist_file:dir r_dir_perms;
+allow location sensors_persist_file:file r_file_perms;
+
+#wifi
+userdebug_or_eng(`
+allow location su:unix_dgram_socket sendto;
+')
+
+dontaudit location domain:dir r_dir_perms;
+r_dir_file(location, netmgrd)
+allow location mnt_vendor_file:dir r_dir_perms;
+allow location persist_rfs_shared_hlos_file:dir r_dir_perms;
+allow location persist_rfs_shared_hlos_file:file rw_file_perms;
+
+allow location hal_gnss_qti:unix_dgram_socket sendto;
+
+#Allow access to netmgrd socket
+netmgr_socket(location);
+
+#Allow access to properties
+set_prop(location, location_prop);
+
+#diag
+userdebug_or_eng(`
+    diag_use(location)
+')
+
+allow location sysfs_data:file r_file_perms;
+allow location self:socket ioctl;
+
+# ioctlcmd=c304
+allowxperm location self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
+allow location self:udp_socket ioctl;
+# Replace this with macro
+allowxperm location self:udp_socket ioctl priv_sock_ioctls;
+
+#access to qdma socket
+qdma_file_socket(location);
+
+allow location hal_datafactory_hwservice:hwservice_manager find;
+binder_call(location, cnd)
+get_prop(location, cnd_vendor_prop)
+
+#Allow access to wake alarm
+allow location self:capability2 wake_alarm;
+
+#allow qdma prop
+get_prop(location, vendor_qdma_prop);
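Review bot: `allowxperm location self:udp_socket ioctl priv_sock_ioctls;` hands the daemon the platform's privileged socket-ioctl set, and the comment above it (`# Replace this with macro`) shows it was meant to be temporary. I would define a narrow set next to the other macros in ioctl_macros (a new define, name to be chosen, listing only the commands the daemon issues) and reference it here. The `dontaudit location domain:dir r_dir_perms;` rule further up hides denials for every domain's directories, which makes it harder to see what the daemon actually touches; a comment stating which access it silences would help. `allow location vendor_shell_exec:file rx_file_perms;` also lets the daemon run the vendor shell and has no explanation.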
diff --git a/legacy/vendor/common/location_app.te b/legacy/vendor/common/location_app.te
new file mode 100644
index 0000000..a205650
--- /dev/null
+++ b/legacy/vendor/common/location_app.te
@@ -0,0 +1,61 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type location_app, domain;
+app_domain(location_app)
+binder_use(location_app)
+hal_client_domain(location_app, hal_gnss)
+hal_client_domain(location_app, hal_perf)
+
+qmux_socket(location_app)
+
+net_domain(location_app)
+
+#Permissions for JDWP
+userdebug_or_eng(`
+  allow location_app { adbd su }:unix_stream_socket connectto;
+  allow location_app mediaserver_service:service_manager find;
+  allow location_app audioserver_service:service_manager find;
+  diag_use(location_app)
+')
+
+get_prop(location_app, vendor_mpctl_prop)
+get_prop(location_app, vendor_iop_prop)
+allow location_app mediametrics_service:service_manager find;
+allow location_app system_app_data_file:dir create_dir_perms;
+allow location_app system_app_data_file:file create_file_perms;
+allow location_app surfaceflinger_service:service_manager find;
+allow location_app location_data_file:dir rw_dir_perms;
+allow location_app self:socket create_socket_perms;
+allow location_app anr_data_file:dir rw_dir_perms;
+allow location_app anr_data_file:file rw_file_perms;
+allow location_app { app_api_service activity_service }:service_manager find;
+# ioctlcmd=c302
+allowxperm location_app self:socket ioctl msm_sock_ipc_ioctls;
+allow location_app self:qipcrtr_socket create_socket_perms_no_ioctl;
+allow location_app sysfs_data:file r_file_perms;
+unix_socket_connect(location_app, dpmtcm, dpmd)
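Review bot: The two `system_app_data_file` rules near the end of this hunk give location_app create and write access to a data label that, going by its name, is shared with the system_app domain, so either side can modify the other's files. If the app's data directory can carry its own label, a dedicated type would keep the grant narrow, e.g. `allow location_app location_app_data_file:dir create_dir_perms;` plus the matching `:file create_file_perms` rule (the type name is a placeholder and would need its own declaration and seapp_contexts entry). If the shared label is unavoidable because the app runs under the system UID, a comment above the two rules saying so would make that explicit. Separately, the block headed `#Permissions for JDWP` also holds the mediaserver/audioserver `find` rules and `diag_use`, which the heading does not describe.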
diff --git a/legacy/vendor/common/logd.te b/legacy/vendor/common/logd.te
new file mode 100644
index 0000000..b99464d
--- /dev/null
+++ b/legacy/vendor/common/logd.te
@@ -0,0 +1,28 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+r_dir_file(logd, location_app)
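Review bot: The single rule in this file has no comment saying what logd needs from location_app. `r_dir_file` on a domain type grants read access to that domain's directories, files and symlinks, which for a process type normally means its /proc entries. A one-line comment such as `# logd reads location_app's /proc/<pid> entries (confirm which files)` would document the intent. It is also worth checking whether the platform policy already grants logd this access for every domain, in which case the rule can be dropped.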
diff --git a/legacy/vendor/common/logdumpd.te b/legacy/vendor/common/logdumpd.te
new file mode 100644
index 0000000..415dcca
--- /dev/null
+++ b/legacy/vendor/common/logdumpd.te
@@ -0,0 +1,41 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type logdumpd, domain;
+type logdumpd_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(logdumpd)
+
+
+userdebug_or_eng(`
+#logcat
+#allow logdumpd logcat_exec:file entrypoint;
+#read_logd( logdumpd );
+#logdump partition access
+allow logdumpd block_device:dir r_dir_perms;
+allow logdumpd logdump_partition:blk_file rw_file_perms;
+')
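Review bot: Every allow rule in this file sits inside `userdebug_or_eng`, while `type logdumpd, domain;` and `init_daemon_domain(logdumpd)` are declared for all builds. On a user build the domain would then exist with a transition from init but no access to `logdump_partition`. If the service is only meant to run on debug builds, a comment such as `# logdumpd is functional on userdebug/eng only; user builds grant nothing beyond the init transition` would make that explicit. The commented-out `logcat_exec` and `read_logd` lines inside the block could be dropped rather than carried into a new file.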
diff --git a/legacy/vendor/common/mcStarter.te b/legacy/vendor/common/mcStarter.te
new file mode 100644
index 0000000..33f0516
--- /dev/null
+++ b/legacy/vendor/common/mcStarter.te
@@ -0,0 +1,37 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# mobicore daemon
+type mcStarter, domain;
+type mcStarter_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(mcStarter)
+
+# Allow Mobicore to use qseecom services for loading the app
+allow mcStarter tee_device:chr_file rw_file_perms;
+
+# Allow Mobicore to access the firmware files
+r_dir_file(mcStarter, firmware_file)
diff --git a/legacy/vendor/common/mdm_helper.te b/legacy/vendor/common/mdm_helper.te
new file mode 100644
index 0000000..d7a4910
--- /dev/null
+++ b/legacy/vendor/common/mdm_helper.te
@@ -0,0 +1,72 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Policy for mdm_helper
+#mdm_helper - mdm_helper domain
+type mdm_helper, domain;
+type mdm_helper_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(mdm_helper);
+
+#block_suspend capability is needed by kickstart(ks)
+wakelock_use(mdm_helper)
+
+#Needed to access the esoc device to control the mdm
+allow mdm_helper esoc_device:dir r_dir_perms;
+allow mdm_helper esoc_device:chr_file rw_file_perms;
+
+#Needed to detect presence of hsic bridge and to xfer images
+allow mdm_helper ksbridgehsic_device:chr_file rw_file_perms;
+
+#Needed to detect efs sync and for kickstart to run the efs sync server
+allow mdm_helper efsbridgehsic_device:chr_file rw_file_perms;
+
+#Needed for communication with the HSIC driver
+r_dir_file(mdm_helper, sysfs_hsic)
+allow mdm_helper sysfs_hsic:file w_file_perms;
+
+#Needed by libmdmdetect to get system information regarding subsystems and to check their states
+r_dir_file(mdm_helper, sysfs_ssr)
+
+#Needed in order to run kickstart
+allow mdm_helper shell:fd use;
+allow mdm_helper vendor_shell_exec:file rx_file_perms;
+allow mdm_helper  mdm_helper_exec:file x_file_perms;
+
+#Needed for ram dump storage
+allow mdm_helper vendor_tombstone_data_file:dir create_dir_perms;
+allow mdm_helper vendor_tombstone_data_file:file create_file_perms;
+
+#Needed by ks in order to access the efs sync partitions.
+allow mdm_helper block_device:dir rw_dir_perms;
+allow mdm_helper efs_boot_dev:blk_file rw_file_perms;
+
+#Needed in order to access the firmware partition
+r_dir_file(mdm_helper, firmware_file)
+
+#Needed to allow boot over PCIe
+allow mdm_helper bhi_device:chr_file rw_file_perms;
+allow mdm_helper mhi_device:chr_file rw_file_perms;
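Review bot: `allow mdm_helper block_device:dir rw_dir_perms;` grants write, add_name and remove_name on the block-device directory, while the comment above it only mentions accessing the efs sync partitions. Opening an existing block node needs only search and read on the directory, and logdumpd.te and mdtp.te in this same commit use `r_dir_perms` for the same purpose. Unless kickstart really creates or removes nodes there, the rule can be narrowed to `allow mdm_helper block_device:dir r_dir_perms;`. A smaller point: `init_daemon_domain(mdm_helper);` ends with a semicolon, which the other macro calls in the file do not.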
diff --git a/legacy/vendor/common/mdtp.te b/legacy/vendor/common/mdtp.te
new file mode 100644
index 0000000..4d7dbae
--- /dev/null
+++ b/legacy/vendor/common/mdtp.te
@@ -0,0 +1,74 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type mdtpdaemon, domain;
+type mdtpdaemon_exec, exec_type, vendor_file_type, file_type;
+
+allow mdtpdaemon self:capability {
+    setuid
+    setgid
+};
+
+userdebug_or_eng(`
+    #Needed for kill(pid, 0) existance test
+    allow mdtpdaemon su:process signull;
+    allow mdtpdaemon self:capability kill;
+    diag_use(mdtpdaemon)
+')
+
+#Allow for transition from init domain to mdtpdaemon
+init_daemon_domain(mdtpdaemon)
+
+#Allow apps to interact with mdtpdaemon
+binder_call(mdtpdaemon, platform_app)
+
+#Allow access to firmware
+r_dir_file(mdtpdaemon, firmware_file)
+
+#Allow access to tee device
+allow mdtpdaemon tee_device:chr_file rw_file_perms;
+
+# Provide access to block devices
+allow mdtpdaemon block_device:dir r_dir_perms;
+allow mdtpdaemon mdtp_device:blk_file rw_file_perms;
+allow mdtpdaemon system_block_device:blk_file r_file_perms;
+
+# Provide access to QTI Crypto driver for MDTP
+# allow mdtpdaemon qce_device:chr_file rw_file_perms;
+
+# Provide read access to all /system files for MDTP file-to-block-mapping
+r_dir_file(mdtpdaemon, exec_type)
+
+# Provide mdtpd ability to access QMUXD/IPCRouter for QMI
+qmux_socket(mdtpdaemon);
+allow mdtpdaemon self:socket create_socket_perms;
+allowxperm mdtpdaemon self:socket ioctl msm_sock_ipc_ioctls;
+
+# Provide tee ability to run executables in rootfs for MDTP
+allow mdtpdaemon rootfs:file x_file_perms;
+allow mdtpdaemon ion_device:chr_file r_file_perms;
+allow mdtpdaemon sysfs_data:file r_file_perms;
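Review bot: `allow mdtpdaemon rootfs:file x_file_perms;` lets the daemon execute any file labelled rootfs without a domain transition, so whatever it runs keeps the daemon's domain. That domain holds `setuid`/`setgid` and read/write access to `tee_device` and `mdtp_device`. The comment above it speaks of "tee" rather than mdtpdaemon and does not name the executables concerned. If a specific binary is needed, giving it its own label and allowing only that type would be tighter; otherwise a comment naming the files would help, e.g. `# mdtpdaemon executes <binary> from rootfs (placeholder, name the file)`. The earlier `r_dir_file(mdtpdaemon, exec_type)` is similarly broad and would benefit from the same kind of justification.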
diff --git a/legacy/vendor/common/mdtpservice_app.te b/legacy/vendor/common/mdtpservice_app.te
new file mode 100644
index 0000000..99ca61f
--- /dev/null
+++ b/legacy/vendor/common/mdtpservice_app.te
@@ -0,0 +1,37 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type mdtpservice_app, domain;
+app_domain(mdtpservice_app)
+binder_use(mdtpservice_app)
+
+# allow mdtpservice_app to interact with proxy daemon
+binder_call(mdtpservice_app, mdtpdaemon_service)
+
+# file permissions
+allow mdtpservice_app mdtp_svc_app_data_file:dir create_dir_perms;
+allow mdtpservice_app mdtp_svc_app_data_file:file create_file_perms;
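Review bot: `binder_call(mdtpservice_app, mdtpdaemon_service)` passes what looks like a service_manager type as the second argument, but `binder_call` expects the peer process domain. The type's declaration is not visible in this hunk, so this goes by the `_service` suffix and by the daemon's domain being declared as `mdtpdaemon` in mdtp.te. If that reading is right, the intended pair is probably `allow mdtpservice_app mdtpdaemon_service:service_manager find;` and `binder_call(mdtpservice_app, mdtpdaemon)`. As written, the rule would grant binder permissions against a type that no process runs as.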
diff --git a/legacy/vendor/common/mediaextractor.te b/legacy/vendor/common/mediaextractor.te
new file mode 100755
index 0000000..5e9fec2
--- /dev/null
+++ b/legacy/vendor/common/mediaextractor.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+allow mediaextractor sdcard_type:file { getattr read };
+get_prop(mediaextractor,  vendor_audio_prop)
+get_prop(mediaextractor, mm_parser_prop)
diff --git a/legacy/vendor/common/mediaserver.te b/legacy/vendor/common/mediaserver.te
new file mode 100644
index 0000000..2da65c8
--- /dev/null
+++ b/legacy/vendor/common/mediaserver.te
@@ -0,0 +1,65 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+allow mediaserver tee_device:chr_file rw_file_perms;
+allow mediaserver qdsp_device:chr_file r_file_perms;
+allow mediaserver xdsp_device:chr_file r_file_perms;
+
+allow mediaserver self:socket create_socket_perms_no_ioctl;
+
+binder_call(mediaserver, rild)
+
+#qmux_socket(mediaserver)
+allow mediaserver camera_data_file:sock_file w_file_perms;
+
+userdebug_or_eng(`
+  allow mediaserver camera_data_file:dir rw_dir_perms;
+  allow mediaserver camera_data_file:file create_file_perms;
+  # Access to audio
+  allow mediaserver qti_debugfs:file rw_file_perms;
+')
+
+# allow poweroffhandler to binder mediaserver
+binder_call(mediaserver, poweroffhandler);
+
+#This is required for thermal sysfs access
+r_dir_file(mediaserver, sysfs_thermal);
+
+binder_call(mediaserver, wfdservice)
+
+#allow mediaserver to access adsprpc_prop
+get_prop(mediaserver, adsprpc_prop)
+
+binder_call(mediaserver, bootanim);
+
+get_prop(mediaserver, vendor_audio_prop)
+
+allow mediaserver surfaceflinger:unix_stream_socket rw_socket_perms;
+
+hal_client_domain(mediaserver, hal_graphics_composer)
+get_prop(mediaserver, mm_video_prop)
+#binder_call(mediaserver, hal_display_config);
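Review bot: `allow mediaserver tee_device:chr_file rw_file_perms;` at the top of the hunk gives a framework domain that handles media content direct read/write access to the TEE device node, with no comment saying which feature needs it. A comment naming the consumer would make this auditable, e.g. `# <feature> in mediaserver talks to the TEE directly on legacy targets (placeholder, name the feature)`. If the access can go through a HAL instead, the rule could be dropped. The `qdsp_device`, `xdsp_device` and `surfaceflinger:unix_stream_socket` rules are undocumented in the same way. The comment `# allow poweroffhandler to binder mediaserver` also describes the opposite direction from `binder_call(mediaserver, poweroffhandler)`.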
diff --git a/legacy/vendor/common/mirrorlink.te b/legacy/vendor/common/mirrorlink.te
new file mode 100644
index 0000000..85c13ac
--- /dev/null
+++ b/legacy/vendor/common/mirrorlink.te
@@ -0,0 +1,35 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Allow read access to mirrorlink specific property type.
+get_prop(mirrorlink, vendor_mirrorlink_prop);
+
+# Allow read access to udc connection state
+allow mirrorlink sysfs_usb_controller:dir r_dir_perms;
+allow mirrorlink sysfs_usb_controller:file r_file_perms;
+
+hal_client_domain(mirrorlink, hal_mirrorlink)
diff --git a/legacy/vendor/common/mlid.te b/legacy/vendor/common/mlid.te
new file mode 100644
index 0000000..8d83fa8
--- /dev/null
+++ b/legacy/vendor/common/mlid.te
@@ -0,0 +1,38 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# mlid - Mink-Lowi Interface daemon
+type mlid, domain, mlstrustedsubject;
+type mlid_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mlid)
+
+# Allow access to location socket
+allow mlid location_data_file:dir r_dir_perms;
+allow mlid self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow mlid location_socket:dir rw_dir_perms;
+unix_socket_connect(mlid, location, location)
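Review bot: `type mlid, domain, mlstrustedsubject;` exempts the daemon from MLS constraints, but nothing in the file says why that is needed. The rules that follow touch only the location data and socket directories, a netlink_generic socket and the location daemon's socket. If the attribute is only there to reach a socket or directory at a different MLS level, a comment should say so, e.g. `# mlstrustedsubject: needed to reach <object> across MLS levels (placeholder, name the object)`. If the daemon works without it, the declaration can be reduced to `type mlid, domain;`.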
diff --git a/legacy/vendor/common/mm-pp-daemon.te b/legacy/vendor/common/mm-pp-daemon.te
new file mode 100644
index 0000000..0653433
--- /dev/null
+++ b/legacy/vendor/common/mm-pp-daemon.te
@@ -0,0 +1,101 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type mm-pp-daemon, domain;
+type mm-pp-daemon_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mm-pp-daemon)
+
+#Need to use fb ioctls to communicate with kernel
+allow mm-pp-daemon graphics_device:chr_file rw_file_perms;
+allow mm-pp-daemon graphics_device:dir r_dir_perms;
+
+# Allow reading/writing to '/persist/display/*'
+# The color config file is dynamically created
+allow mm-pp-daemon persist_display_file:dir rw_dir_perms;
+allow mm-pp-daemon persist_display_file:file create_file_perms;
+
+# Allow for directory search only to '/persist'
+allow mm-pp-daemon mnt_vendor_file:dir search;
+
+# Allow reading/writing data config files
+allow mm-pp-daemon display_vendor_data_file:dir create_dir_perms;
+allow mm-pp-daemon display_vendor_data_file:file create_file_perms;
+
+# Allow read to sensor device and read/write to sensor socket
+allow mm-pp-daemon sensors_device:chr_file r_file_perms;
+allow mm-pp-daemon sensors_socket:sock_file rw_file_perms;
+allow mm-pp-daemon sensors:unix_stream_socket connectto;
+
+# Allow read to display vendor properties
+get_prop(mm-pp-daemon, vendor_display_prop)
+
+# Rule for IPC communication
+allow mm-pp-daemon qdisplay_service:service_manager find;
+vndbinder_use(mm-pp-daemon)
+hal_client_domain(mm-pp-daemon, hal_graphics_composer)
+allow mm-pp-daemon fwk_sensor_hwservice:hwservice_manager find;
+# Allow service manager to find surface flinger service,
+# sensorservice service, permission_service, and power service (for
+# acquire wakelock)
+#allow mm-pp-daemon { surfaceflinger_service sensorservice_service
+#    permission_service power_service }:service_manager find;
+# Allow mm-pp-daemon to call binder for screen refresh
+#binder_use(mm-pp-daemon)
+binder_call(mm-pp-daemon, system_server)
+
+userdebug_or_eng(`
+  # This allows pp-daemon to use shell commands to blank
+  # the display - it uses input keyevent to do this
+  allow mm-pp-daemon { vendor_shell_exec
+                      #zygote_exec 
+  }:file rx_file_perms;
+  allow mm-pp-daemon self:process ptrace;
+
+
+  # This allow pp-daemon access to diag
+  diag_use(mm-pp-daemon)
+')
+
+# Allow mm-pp-daemon to change the brightness
+allow mm-pp-daemon sysfs_leds:dir r_dir_perms;
+allow mm-pp-daemon sysfs_leds:file rw_file_perms;
+allow mm-pp-daemon sysfs_leds:lnk_file read;
+allow mm-pp-daemon sysfs_graphics:dir r_dir_perms;
+allow mm-pp-daemon sysfs_graphics:file rw_file_perms;
+allow mm-pp-daemon sysfs_data:file r_file_perms;
+
+# Allow socket calls in pp-daemon
+unix_socket_connect(mm-pp-daemon, pps, init)
+
+allow mm-pp-daemon init:unix_stream_socket { listen accept };
+
+# Allow connections between sensor manager and mm-pp-daemon
+#allow mm-pp-daemon system_server:unix_stream_socket rw_socket_perms;
+
+# access lcd-backlight
+r_dir_file(mm-pp-daemon, sysfs_leds)
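Review bot: `allow mm-pp-daemon self:process ptrace;` in the `userdebug_or_eng` block has no stated reason; the comment above it only covers running shell commands to blank the display. Because `vendor_shell_exec` is granted with `rx_file_perms`, a shell started by the daemon appears to stay in the mm-pp-daemon domain, so the rule allows ptrace between the daemon and anything it spawns. Either drop the rule if nothing depends on it, or add a comment naming the debug tool that needs it, e.g. `# ptrace on self: required by <tool> on debug builds (placeholder)`. The `#zygote_exec` line left inside the type set could also be removed.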
diff --git a/legacy/vendor/common/mm-qcamerad.te b/legacy/vendor/common/mm-qcamerad.te
new file mode 100644
index 0000000..992f198
--- /dev/null
+++ b/legacy/vendor/common/mm-qcamerad.te
@@ -0,0 +1,106 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type mm-qcamerad, domain;
+type mm-qcamerad_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(mm-qcamerad)
+
+#added to support EZTune for camera
+userdebug_or_eng(`
+  allow mm-qcamerad qti_debugfs:dir r_dir_perms;
+  allow mm-qcamerad qti_debugfs:file read;
+  #allow mm-qcamerad self:tcp_socket create_stream_socket_perms;
+  allow mm-qcamerad node:tcp_socket node_bind;
+
+  # IMS use camera daemon to make VT call
+  allow mm-qcamerad port:tcp_socket name_bind;
+  allow mm-qcamerad self:tcp_socket { accept listen };
+
+  # mm-qcamerad needs to set persist.camera. property
+  set_prop(mm-qcamerad, camera_prop)
+')
+
+#Communicate with user land process through domain socket
+unix_socket_connect(mm-qcamerad, sensors, sensors)
+
+#Allow connections between sensor manager and mm-qcamerad
+#allow mm-qcamerad system_server:unix_stream_socket rw_socket_perms;
+binder_call(mm-qcamerad, system_server);
+#binder_use(mm-qcamerad);
+
+allow mm-qcamerad self:socket create_socket_perms_no_ioctl;
+allow mm-qcamerad mnt_vendor_file:dir r_dir_perms;
+allow mm-qcamerad sensors_persist_file:dir r_dir_perms;
+allow mm-qcamerad sensors_persist_file:file r_file_perms;
+
+allow mm-qcamerad self:process execmem;
+
+# Interact with other media devices
+allow mm-qcamerad video_device:dir r_dir_perms;
+allow mm-qcamerad { gpu_device video_device sensors_device }:chr_file rw_file_perms;
+
+allow mm-qcamerad { surfaceflinger mediaserver cameraserver hal_camera }:fd use;
+
+#allow mm-qcamerad camera_data_file:sock_file { create unlink };
+
+allow mm-qcamerad vendor_camera_data_file:dir w_dir_perms;
+allow mm-qcamerad vendor_camera_data_file:sock_file { create unlink };
+
+#Allows camera to call ADSP QDSP6 functionality
+allow mm-qcamerad qdsp_device:chr_file rw_file_perms;
+allow mm-qcamerad xdsp_device:chr_file rw_file_perms;
+
+#Allows sensor service(running in camera daemon) to invoke service manager API
+#allow mm-qcamerad sensorservice_service:service_manager find;
+
+#allow mm-qcamerad to access /dsp
+r_dir_file(mm-qcamerad, adsprpcd_file);
+#allow mm-qcamerad to access adsprpc_prop
+get_prop(mm-qcamerad, adsprpc_prop)
+
+r_dir_file(mm-qcamerad, firmware_file)
+allow mm-qcamerad graphics_device:dir r_dir_perms;
+
+#Allow access to /dev/graphics/fb* for screen capture
+allow mm-qcamerad graphics_device:chr_file rw_file_perms;
+
+#Allow camera work normally in FFBM
+binder_call(mm-qcamerad, vendor_mmi);
+
+#Allow camera to access laser nodes
+allow mm-qcamerad input_device:dir r_dir_perms;
+allow mm-qcamerad input_device:chr_file r_file_perms;
+
+hal_client_domain(mm-qcamerad, hal_graphics_allocator)
+allow mm-qcamerad ion_device:chr_file rw_file_perms;
+
+# from sensors team
+
+allow mm-qcamerad self:socket create_socket_perms;
+allowxperm mm-qcamerad self:socket ioctl msm_sock_ipc_ioctls;
+
+allow mm-qcamerad sysfs_data:file r_file_perms;
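Review bot: `allow mm-qcamerad self:process execmem;` is granted on every build type with no comment saying which component needs anonymous executable mappings, although most other rules in this file are annotated. execmem weakens W^X for a daemon that handles camera and sensor data, so it should carry a justification, or move into the `userdebug_or_eng` block if only the EZTune path needs it (not determinable from this hunk). Proposed comment: `# execmem: needed by <library> for <reason>; drop once it no longer maps executable anonymous memory`. Separately, the `self:socket create_socket_perms_no_ioctl` rule is made redundant by the later `self:socket create_socket_perms` under "from sensors team".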
diff --git a/legacy/vendor/common/mmi.te b/legacy/vendor/common/mmi.te
new file mode 100755
index 0000000..e9847e7
--- /dev/null
+++ b/legacy/vendor/common/mmi.te
@@ -0,0 +1,79 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type vendor_mmi, domain;
+type vendor_mmi_exec, exec_type, vendor_file_type, file_type;
+typeattribute vendor_mmi  system_writes_vendor_properties_violators;
+#started by init
+init_daemon_domain(vendor_mmi)
+
+#self capability
+allow vendor_mmi self:{ socket udp_socket } create_socket_perms_no_ioctl;
+allow vendor_mmi self:capability { fowner fsetid kill };
+
+#For various devices
+allow vendor_mmi {
+    sysfs_devices_system_cpu
+    sysfs_usb_supply
+    sysfs_battery_supply
+    sysfs_power
+    sysfs_graphics
+    sysfs_wake_lock
+}:file rw_file_perms;
+
+#socket
+allow vendor_mmi socket_device:dir w_dir_perms;
+allow vendor_mmi vendor_mmi_socket:sock_file create_file_perms;
+type_transition vendor_mmi socket_device:sock_file vendor_mmi_socket;
+
+#allow mmi set system prop
+set_prop(vendor_mmi, powerctl_prop)
+allow vendor_mmi mnt_vendor_file:dir r_dir_perms;
+
+#Allow mmi operate on graphics
+hal_client_domain(vendor_mmi, hal_graphics_allocator);
+
+#Allow mmi to use IPC
+binder_call(vendor_mmi,surfaceflinger)
+
+#access kmsg device for logging
+allow vendor_mmi kmsg_device:chr_file rw_file_perms;
+
+#mmi test case
+unix_socket_connect(vendor_mmi, cnd, cnd);
+unix_socket_connect(vendor_mmi, netmgrd, netmgrd);
+net_domain(vendor_mmi);
+allow vendor_mmi vendor_mmi_exec:file execute_no_trans;
+allow vendor_mmi proc:file r_file_perms;
+
+#allow mmi access boot mode switch
+set_prop(vendor_mmi, vendor_boot_mode_prop)
+
+#diag
+userdebug_or_eng(`
+    diag_use(vendor_mmi)
+')
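Review bot: The `kmsg_device` rule under `#access kmsg device for logging` grants `rw_file_perms`, although logging only needs write; pd_services.te in this same commit uses `w_file_perms` for the same purpose. Read access lets this domain consume the kernel log, which is more than the comment justifies. Suggested line: `allow vendor_mmi kmsg_device:chr_file w_file_perms;`. The `system_writes_vendor_properties_violators` attribute near the top also has no comment naming the property write that requires the exemption.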
diff --git a/legacy/vendor/common/mmi_sys.te b/legacy/vendor/common/mmi_sys.te
new file mode 100755
index 0000000..0ae67eb
--- /dev/null
+++ b/legacy/vendor/common/mmi_sys.te
@@ -0,0 +1,40 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#mmi_sys basic
+r_dir_file(vendor_mmi_sys, sysfs_graphics)
+
+#boot mode switch
+#set_prop(vendor_mmi_sys, vendor_boot_mode_prop)
+
+allow vendor_mmi_sys vendor_hal_factory_qti_hwservice:hwservice_manager find;
+hal_client_domain(vendor_mmi_sys, vendor_hal_factory_qti);
+
+#diag
+userdebug_or_eng(`
+    diag_use(vendor_mmi_sys)
+')
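Review bot: No `type vendor_mmi_sys` declaration appears in this file, so these rules depend on the domain being declared elsewhere in the policy (presumably on the system side; not visible here). A one-line header comment would save readers the search: `# vendor_mmi_sys is declared in <path>; this file adds vendor-side rules only`. The explicit `hwservice_manager find` rule may also already be covered by `hal_client_domain(vendor_mmi_sys, vendor_hal_factory_qti)`, depending on how that HAL attribute is defined.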
diff --git a/legacy/vendor/common/modprobe.te b/legacy/vendor/common/modprobe.te
new file mode 100644
index 0000000..1ec7a82
--- /dev/null
+++ b/legacy/vendor/common/modprobe.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+# #
+# # Redistribution and use in source and binary forms, with or without
+# # modification, are permitted provided that the following conditions are
+# # met:
+# #     * Redistributions of source code must retain the above copyright
+# #       notice, this list of conditions and the following disclaimer.
+# #     * Redistributions in binary form must reproduce the above
+# #       copyright notice, this list of conditions and the following
+# #       disclaimer in the documentation and/or other materials provided
+# #       with the distribution.
+# #     * Neither the name of The Linux Foundation nor the names of its
+# #       contributors may be used to endorse or promote products derived
+# #       from this software without specific prior written permission.
+# #
+# # THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# # WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# # ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# loading modules
+allow modprobe kernel:key search;
diff --git a/legacy/vendor/common/msm_irqbalanced.te b/legacy/vendor/common/msm_irqbalanced.te
new file mode 100644
index 0000000..d140891
--- /dev/null
+++ b/legacy/vendor/common/msm_irqbalanced.te
@@ -0,0 +1,42 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type msm_irqbalanced, domain;
+type msm_irqbalanced_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(msm_irqbalanced)
+
+allow msm_irqbalanced cgroup:dir { create add_name };
+allow msm_irqbalanced { proc sysfs_devices_system_cpu }:file w_file_perms;
+r_dir_file(msm_irqbalanced, sysfs_rqstats);
+
+# access smp_affinity
+allow msm_irqbalanced proc:file r_file_perms;
+allow msm_irqbalanced proc_interrupts:file r_file_perms;
+allow msm_irqbalanced proc_stat:file r_file_perms;
+# irq_blacklist_on
+allow msm_irqbalanced sysfs_irqbalance:file r_file_perms;
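Review bot: `allow msm_irqbalanced { proc sysfs_devices_system_cpu }:file w_file_perms;` gives write access to every file carrying the generic `proc` label, while the `# access smp_affinity` comment suggests only the IRQ affinity nodes are needed. Giving those nodes a dedicated type in genfs_contexts and granting write on that type would keep the daemon from writing unrelated /proc entries. The later `allow msm_irqbalanced proc:file r_file_perms;` has the same breadth for reads.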
diff --git a/legacy/vendor/common/net.te b/legacy/vendor/common/net.te
new file mode 100644
index 0000000..f22a4a8
--- /dev/null
+++ b/legacy/vendor/common/net.te
@@ -0,0 +1,28 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+allow netdomain self:icmp_socket create_socket_perms;
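Review bot: This rule targets the `netdomain` attribute, so every domain that uses `net_domain()` picks it up, not only the vendor daemons in this directory, and there is no comment explaining why. `create_socket_perms` also includes `ioctl`, where other rules in this commit use `create_socket_perms_no_ioctl`. If ICMP sockets are needed by specific vendor daemons only, grant the permission to those domains; otherwise prefer `allow netdomain self:icmp_socket create_socket_perms_no_ioctl;` with a comment naming the use case.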
diff --git a/legacy/vendor/common/netd.te b/legacy/vendor/common/netd.te
new file mode 100644
index 0000000..aa9253b
--- /dev/null
+++ b/legacy/vendor/common/netd.te
@@ -0,0 +1,57 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Policies for IPv6 tethering
+allow netd netd:capability { setgid setuid };
+dontaudit netd self:capability sys_module;
+binder_use(netd);
+allow netd qtitetherservice_service:service_manager find;
+
+allow netd netd:packet_socket create_socket_perms_no_ioctl;
+
+#unix_socket_connect(netd, cnd, cnd)
+
+allow netd wfdservice:fd use;
+#allow netd wfdservice:tcp_socket rw_socket_perms;
+hal_client_domain(netd, wifidisplayhalservice);
+
+#allow netd to use privileged sock ioctls
+allowxperm netd self: { unix_stream_socket } ioctl priv_sock_ioctls;
+
+allow netd self:capability fsetid;
+#allow netd hostapd:unix_dgram_socket sendto;
+
+# Allow netd to chmod dir /data/misc/dhcp
+allow netd dhcp_data_file:dir create_dir_perms;
+
+type_transition netd wifi_data_file:dir wpa_socket "sockets";
+#allow netd wpa_socket:sock_file create_file_perms;
+
+# If an already existing file is opened with O_CREAT,
+# the kernel might generate a false report of a create
+# denial. Silence these denials
+dontaudit netd system_file:dir write;
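Review bot: The comment `# Allow netd to chmod dir /data/misc/dhcp` describes a setattr, but the rule grants `create_dir_perms` on `dhcp_data_file:dir`, which also covers creating, renaming and removing directories. If chmod is the only operation, `allow netd dhcp_data_file:dir { search setattr };` would match the comment (confirm against the actual denials). The `type_transition netd wifi_data_file:dir wpa_socket "sockets";` line stays active while the only `allow` that references `wpa_socket` is commented out, so it looks like a leftover.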
diff --git a/legacy/vendor/common/netmgrd.te b/legacy/vendor/common/netmgrd.te
new file mode 100644
index 0000000..aa3c8bf
--- /dev/null
+++ b/legacy/vendor/common/netmgrd.te
@@ -0,0 +1,114 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type netmgrd, domain;
+type netmgrd_exec, exec_type, vendor_file_type, file_type;
+net_domain(netmgrd)
+init_daemon_domain(netmgrd)
+
+userdebug_or_eng(`
+  domain_auto_trans(shell, netmgrd_exec, netmgrd)
+  #domain_auto_trans(adbd, netmgrd_exec, netmgrd)
+  diag_use(netmgrd)
+  diag_use(netutils_wrapper)
+')
+
+#Allow netmgrd operations
+allow netmgrd netmgrd:capability {
+    net_raw
+    net_admin
+    sys_module
+    fsetid
+    setgid
+    setuid
+    setpcap
+};
+
+#Allow logging
+allow netmgrd smem_log_device:chr_file rw_file_perms;
+allow netmgrd netmgrd_data_file:file create_file_perms;
+allow netmgrd netmgrd_data_file:dir w_dir_perms;
+
+#Allow netutils usage
+use_netutils(netmgrd)
+allow netmgrd netutils_wrapper:process sigkill;
+
+#Allow operations on different types of sockets
+allow netmgrd netmgrd:rawip_socket { create getopt setopt write };
+allow netmgrd netmgrd:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+allow netmgrd netmgrd:netlink_socket { write read create bind };
+allow netmgrd netmgrd:socket { create };
+allow netmgrd netmgrd:netlink_route_socket { setopt getattr write nlmsg_write };
+allow netmgrd self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow netmgrd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow netmgrd self:qipcrtr_socket create_socket_perms_no_ioctl;
+
+unix_socket_connect(netmgrd, cnd, cnd);
+
+qmux_socket(netmgrd);
+
+#Allow writing of ipv6 network properties
+allow netmgrd { proc_net }:file rw_file_perms;
+
+allow netmgrd self:socket create_socket_perms;
+
+#Allow communication with netd
+#allow netmgrd netd_socket:sock_file w_file_perms;
+#r_dir_file(netmgrd, net_data_file)
+
+allow netmgrd sysfs_data:file r_file_perms;
+
+#Acquire lock on /system/etc/xtables.lock
+#Required till netutils wrappers are available
+not_full_treble(`allow netmgrd system_file:file lock;')
+
+#Allow netmgrd to create netmgrd socket
+allow netmgrd netmgrd_socket:dir create_dir_perms;
+allow netmgrd netmgrd_socket:sock_file create_file_perms;
+
+allow netmgrd { wcnss_service_exec vendor_shell_exec vendor_toolbox_exec }:file rx_file_perms;
+
+#Allow netmgrd to use wakelock
+wakelock_use(netmgrd)
+
+allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
+allowxperm netmgrd self:udp_socket ioctl rmnet_sock_ioctls;
+allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls;
+
+#Allow netmgrd to use netd HAL via HIDL
+get_prop(netmgrd, hwservicemanager_prop)
+hwbinder_use(netmgrd)
+binder_call(netmgrd, netd)
+allow netmgrd system_net_netd_hwservice:hwservice_manager find;
+
+allow netmgrd sysfs_net:dir r_dir_perms;
+allow netmgrd sysfs_net:file rw_file_perms;
+
+#Allow diag logging
+userdebug_or_eng(`
+  r_dir_file(netmgrd, sysfs_diag)
+')
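Review bot: The capability set under `#Allow netmgrd operations` includes `sys_module`, which permits kernel module loading on every build type; netd.te and netutils_wrapper.te in this same commit only `dontaudit` that capability. If the denial comes from the kernel's automatic module request during interface lookups (not determinable from this hunk), drop it from the allow set and add `dontaudit netmgrd self:capability sys_module;`. The grant matters more here because the domain may also execute `vendor_shell_exec` and `vendor_toolbox_exec` in its own context.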
diff --git a/legacy/vendor/common/netutils_wrapper.te b/legacy/vendor/common/netutils_wrapper.te
new file mode 100644
index 0000000..d3bbbf8
--- /dev/null
+++ b/legacy/vendor/common/netutils_wrapper.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+dontaudit netutils_wrapper self:capability sys_module;
+dontaudit netutils_wrapper system_file:dir write;
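Review bot: Neither `dontaudit` rule says which denial it hides, so a later reader cannot tell whether the suppression is still needed. netd.te in this commit explains the same `system_file:dir write` suppression; repeat it here as `# opening an existing file with O_CREAT can produce a spurious create denial`. Above the first rule, add `# sys_module: <why the request is expected and harmless>`.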
diff --git a/legacy/vendor/common/nfc.te b/legacy/vendor/common/nfc.te
new file mode 100644
index 0000000..5404611
--- /dev/null
+++ b/legacy/vendor/common/nfc.te
@@ -0,0 +1,32 @@
+#Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+#Redistribution and use in source and binary forms, with or without
+#modification, are permitted provided that the following conditions are
+#met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+#ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Set NFC properties
+get_prop(nfc, nfc_nq_prop)
+#qmux_socket(nfc);
+#allow nfc nfc_data_file:file x_file_perms;
+allow nfc self:socket create_socket_perms_no_ioctl;
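Review bot: The comment `# Set NFC properties` does not match the rule below it, `get_prop(nfc, nfc_nq_prop)`, which grants read access only. Change it to `# Read NFC properties`. The writer of that property in this commit is nqnfcinfo, via `set_prop(nqnfcinfo, nfc_nq_prop)` in nqnfcinfo.te.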
diff --git a/legacy/vendor/common/nqnfcinfo.te b/legacy/vendor/common/nqnfcinfo.te
new file mode 100644
index 0000000..66ed75d
--- /dev/null
+++ b/legacy/vendor/common/nqnfcinfo.te
@@ -0,0 +1,37 @@
+#Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+#Redistribution and use in source and binary forms, with or without
+#modification, are permitted provided that the following conditions are
+#met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+#ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type nqnfcinfo, domain;
+type nqnfcinfo_exec, exec_type, vendor_file_type, file_type;
+
+# Started by init
+init_daemon_domain(nqnfcinfo)
+
+set_prop(nqnfcinfo, nfc_nq_prop);
+
+# Access device nodes inside /dev/nq-nci
+allow nqnfcinfo nfc_device:chr_file rw_file_perms;
diff --git a/legacy/vendor/common/pd_services.te b/legacy/vendor/common/pd_services.te
new file mode 100644
index 0000000..04b4185
--- /dev/null
+++ b/legacy/vendor/common/pd_services.te
@@ -0,0 +1,50 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type vendor_pd_mapper, domain;
+
+type vendor_pd_mapper_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_pd_mapper);
+
+#Needed to read the json files from /firmware
+allow vendor_pd_mapper firmware_file:dir r_dir_perms;
+allow vendor_pd_mapper firmware_file:file r_file_perms;
+
+#Needed to use qmi
+allow vendor_pd_mapper self:{ socket qipcrtr_socket } create_socket_perms;
+allowxperm vendor_pd_mapper self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
+allow vendor_pd_mapper self:capability { setpcap setuid setgid net_bind_service };
+allow vendor_pd_mapper smem_log_device:chr_file rw_file_perms;
+qmux_socket(vendor_pd_mapper);
+
+allow vendor_pd_mapper sysfs:file r_file_perms;
+allow vendor_pd_mapper sysfs_data:file r_file_perms;
+
+#Allow pd-mapper to write error strings from non-hlos side to kmsg
+allow vendor_pd_mapper kmsg_device:chr_file w_file_perms;
+
+get_prop(vendor_pd_mapper, vendor_pd_locater_dbg_prop)
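Review bot: `allow vendor_pd_mapper sysfs:file r_file_perms;` grants read on every file with the generic `sysfs` label and has no comment naming the node it is for. Give the specific node its own type and grant read on that, or at least document the path: `# reads <sysfs path>; generic sysfs label until the node gets its own type`. The `create_socket_perms` plus `allowxperm ... msm_sock_ipc_ioctls` pairing just above already restricts ioctls properly and should stay as it is.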
diff --git a/legacy/vendor/common/perfdump_app.te b/legacy/vendor/common/perfdump_app.te
new file mode 100644
index 0000000..1762bea
--- /dev/null
+++ b/legacy/vendor/common/perfdump_app.te
@@ -0,0 +1,63 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type perfdump_app, domain;
+app_domain(perfdump_app)
+
+allow perfdump_app system_app_data_file:dir create_dir_perms;
+allow perfdump_app system_app_data_file:file create_file_perms;
+
+# systrace support
+allow perfdump_app debugfs_tracing:dir r_dir_perms;
+allow perfdump_app debugfs_tracing:file rw_file_perms;
+
+userdebug_or_eng(`
+  allow perfdump_app debugfs_tracing_debug:dir r_dir_perms;
+  allow perfdump_app debugfs_tracing_debug:file rw_file_perms;
+')
+
+allow perfdump_app debugfs_trace_marker:file getattr;
+
+# perfdump sets debug.atrace.* properties
+set_prop(perfdump_app, debug_prop)
+
+# pokes binder-enabled processes
+binder_use(perfdump_app)
+allow perfdump_app servicemanager:service_manager list;
+allow perfdump_app hwservicemanager:hwservice_manager list;
+allow perfdump_app app_api_service:service_manager find;
+allow perfdump_app surfaceflinger_service:service_manager find;
+allow perfdump_app audioserver_service:service_manager find;
+allow perfdump_app mediaserver_service:service_manager find;
+binder_call(perfdump_app, system_server)
+
+# dumpstate
+set_prop(perfdump_app, ctl_dumpstate_prop)
+unix_socket_connect(perfdump_app, dumpstate, dumpstate)
+
+dontaudit perfdump_app service_manager_type:service_manager *;
+dontaudit perfdump_app hwservice_manager_type:hwservice_manager *;
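Review bot: The debug-oriented grants in this file (`debugfs_tracing:file rw_file_perms`, `set_prop(perfdump_app, debug_prop)`, `set_prop(perfdump_app, ctl_dumpstate_prop)` and the dumpstate socket connect) sit outside `userdebug_or_eng`, so they also apply on user builds; only the `debugfs_tracing_debug` rules are gated. If perfdump_app is not meant to ship on production images (not visible from this file), move those rules inside the existing `userdebug_or_eng(` block. The two closing `dontaudit ... *;` rules also silence every service_manager and hwservice_manager denial for this domain, which removes the audit trail a policy reviewer or responder would rely on. Narrowing them to the permission actually being suppressed, e.g. `dontaudit perfdump_app service_manager_type:service_manager find;`, keeps unexpected `add` attempts visible.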
diff --git a/legacy/vendor/common/perfservice.te b/legacy/vendor/common/perfservice.te
new file mode 100755
index 0000000..5ab151a
--- /dev/null
+++ b/legacy/vendor/common/perfservice.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+hal_client_domain(perfservice, hal_perf)
+hal_client_domain(perfservice, hal_iop)
+get_prop(perfservice, vendor_iop_prop)
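Review bot: This policy source is added with `new file mode 100755` (as is qcomsysd.te later in the commit) while the other .te files use 100644; the executable bit serves no purpose on a policy file and should be dropped. The three rules also rely on `perfservice` being declared elsewhere, since no `type perfservice` statement appears in this file. A short header comment such as `# perfservice domain is declared in <file>` (placeholder) would make that dependency explicit.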
diff --git a/legacy/vendor/common/peripheral_manager.te b/legacy/vendor/common/peripheral_manager.te
new file mode 100644
index 0000000..06721a5
--- /dev/null
+++ b/legacy/vendor/common/peripheral_manager.te
@@ -0,0 +1,54 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Policy for peripheral_manager
+# per_mgr - peripheral_manager domain
+type vendor_per_mgr, domain;
+
+type vendor_per_mgr_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_per_mgr);
+
+# Needed for binder transactions
+use_vendor_per_mgr(vendor_per_mgr)
+allow vendor_per_mgr vendor_per_mgr_service:service_manager { add };
+
+allow vendor_per_mgr self:{ socket qipcrtr_socket } create_socket_perms;
+allowxperm vendor_per_mgr self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
+
+# Needed by ipc_router
+allow vendor_per_mgr self:capability net_bind_service;
+
+# Needed to power on the peripheral
+allow vendor_per_mgr ssr_device:chr_file r_file_perms;
+
+# Needed by libmdmdetect to get subsystem info and to check their states
+r_dir_file(vendor_per_mgr, firmware_file)
+r_dir_file(vendor_per_mgr, sysfs)
+allow vendor_per_mgr sysfs_data:file r_file_perms;
+
+# Set the peripheral state property
+set_prop(vendor_per_mgr, vendor_per_mgr_state_prop);
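Review bot: `r_dir_file(vendor_per_mgr, sysfs)` grants read access to every node that still carries the generic `sysfs` label, which is wider than the subsystem-state lookup the comment above it describes. Prefer giving the nodes libmdmdetect reads a dedicated type and granting that instead, e.g. `r_dir_file(vendor_per_mgr, <dedicated_sysfs_type>)` (placeholder; the actual sysfs paths are not visible in this hunk). The `self:{ socket qipcrtr_socket }` rules are also the only ones here without a rationale comment; the same rules for vendor_pd_mapper earlier in this commit carry `#Needed to use qmi`, and a matching comment here would keep the files consistent.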
diff --git a/legacy/vendor/common/platform_app.te b/legacy/vendor/common/platform_app.te
new file mode 100644
index 0000000..6144dbb
--- /dev/null
+++ b/legacy/vendor/common/platform_app.te
@@ -0,0 +1,65 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Allow platform apps to interact with dtseagleservice
+binder_call(platform_app, dtseagleservice)
+
+# Allow platform apps to interact with fido daemon
+binder_call(platform_app, fidodaemon)
+
+# Allow platform apps to interact with secota daemon
+allow platform_app secotad_service:service_manager find;
+binder_call(platform_app, secotad)
+
+allow platform_app imsrcs_service:service_manager find;
+
+# Allow NFC service to be found
+allow platform_app nfc_service:service_manager find;
+
+#Allow platform apps to interact with seemp health daemon
+binder_call(platform_app, seemp_health_daemon)
+
+# Allow gba_auth_service to be found
+allow platform_app gba_auth_service:service_manager find;
+
+# Allow hbtp hal Service to be found
+hal_client_domain(platform_app, hal_hbtp)
+
+#get_prop(platform_app, vendor_bluetooth_prop)
+get_prop(platform_app, wigig_prop)
+
+#for perf-hal call
+hal_client_domain(platform_app, hal_perf)
+
+#allow embms app to access vendor radio property
+get_prop(platform_app, vendor_radio_prop)
+
+get_prop(platform_app, vendor_camera_prop)
+
+#allow scve hw service
+#allow platform_app hal_scve_hwservice:hwservice_manager find;
+hal_client_domain(platform_app, hal_scve)
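Review bot: These rules attach to `platform_app`, so every platform-signed app gains binder access to fidodaemon, secotad and seemp_health_daemon, not only the one client each daemon was presumably written for; any further restriction would have to come from caller checks inside those daemons. Where a single app is the consumer, consider a dedicated app domain, or at least name the consumer in the comment, e.g. `# <app name> talks to the fido daemon` (placeholder). The `imsrcs_service` find rule and `get_prop(platform_app, wigig_prop)` have no comment at all. The two commented-out rules (`#get_prop(platform_app, vendor_bluetooth_prop)` and `#allow platform_app hal_scve_hwservice:hwservice_manager find;`) should be dropped from a newly added file rather than carried over.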
diff --git a/legacy/vendor/common/port-bridge.te b/legacy/vendor/common/port-bridge.te
new file mode 100644
index 0000000..b9e0741
--- /dev/null
+++ b/legacy/vendor/common/port-bridge.te
@@ -0,0 +1,55 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type port-bridge, domain;
+type port-bridge_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(port-bridge)
+
+userdebug_or_eng(`
+  domain_auto_trans(shell, port-bridge_exec, netmgrd)
+  #domain_auto_trans(adbd, port-bridge_exec, netmgrd)
+  diag_use(port-bridge)
+')
+
+# Allow operations on different types of sockets
+allow port-bridge port-bridge:netlink_kobject_uevent_socket { create bind read };
+
+allow port-bridge {
+    # Allow operations on mhi transport
+    mhi_device
+    # Allow operations on gadget serial device
+    gadget_serial_device
+    # Allow operations on ATCoP g-link transport
+    at_device
+}:chr_file rw_file_perms;
+
+# Allow write permissions for log file
+allow port-bridge port_bridge_data_file:file create_file_perms;
+allow port-bridge port_bridge_data_file:dir w_dir_perms;
+
+#access ipa sysfs node
+allow port-bridge sysfs_data:file r_file_perms;
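Review bot: `domain_auto_trans(shell, port-bridge_exec, netmgrd)` transitions a shell that runs the port-bridge binary into the `netmgrd` domain rather than `port-bridge`, so on userdebug/eng builds the binary would run with netmgrd's permissions instead of the ones defined in this file. This looks like a copy-paste from another policy file; if it is unintended, the line should read `domain_auto_trans(shell, port-bridge_exec, port-bridge)`. The commented-out adbd variant on the next line names the same target and can be dropped from a new file.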
diff --git a/legacy/vendor/common/power_off_alarm.te b/legacy/vendor/common/power_off_alarm.te
new file mode 100644
index 0000000..c0f6132
--- /dev/null
+++ b/legacy/vendor/common/power_off_alarm.te
@@ -0,0 +1,38 @@
+# Copyright (c) 2017-2018 Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type power_off_alarm, domain;
+type power_off_alarm_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(power_off_alarm)
+
+allow power_off_alarm rtc_device:chr_file r_file_perms;
+allow power_off_alarm kmsg_device:chr_file w_file_perms;
+
+allow power_off_alarm self:capability2 wake_alarm;
+
+set_prop(power_off_alarm, powerctl_prop)
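Review bot: None of the rules in this file carries a rationale comment, and two of them are sensitive: `set_prop(power_off_alarm, powerctl_prop)` lets the daemon request shutdown or reboot, and `self:capability2 wake_alarm` lets it arm wakeup alarms. Add a one-line comment above each, e.g. `# Needed to power the device off/on for a scheduled alarm` (wording to be confirmed by the owner), so a later audit can tell intended grants from leftovers.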
diff --git a/legacy/vendor/common/poweroffalarm_app.te b/legacy/vendor/common/poweroffalarm_app.te
new file mode 100644
index 0000000..2401d98
--- /dev/null
+++ b/legacy/vendor/common/poweroffalarm_app.te
@@ -0,0 +1,50 @@
+# Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type poweroffalarm_app, domain;
+app_domain(poweroffalarm_app);
+
+allow poweroffalarm_app app_api_service:service_manager find;
+
+allow poweroffalarm_app mnt_vendor_file:dir r_dir_perms;
+allow poweroffalarm_app persist_alarm_file:dir rw_dir_perms;
+allow poweroffalarm_app persist_alarm_file:file create_file_perms;
+
+hal_client_domain(poweroffalarm_app, hal_alarm_qti);
+
+allow poweroffalarm_app hal_alarm_qti_default:binder call;
+
+allow poweroffalarm_app system_app_data_file:dir create_dir_perms;
+allow poweroffalarm_app system_app_data_file:{ file lnk_file } create_file_perms;
+
+allow poweroffalarm_app surfaceflinger_service:service_manager find;
+allow poweroffalarm_app audioserver_service:service_manager find;
+allow poweroffalarm_app mediaserver_service:service_manager find;
+
+get_prop(poweroffalarm_app, vendor_alarm_boot_prop);
+
+get_prop(poweroffalarm_app, vendor_iop_prop)
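Review bot: `allow poweroffalarm_app hal_alarm_qti_default:binder call;` names the default HAL implementation domain directly, right after `hal_client_domain(poweroffalarm_app, hal_alarm_qti)`. If the hal_alarm_qti policy (not part of this hunk) already has the usual client-to-server `binder_call`, this rule is redundant and ties the app policy to one implementation; consider removing it or adding a comment on why the attribute-based grant is not enough. Separately, `system_app_data_file:{ file lnk_file } create_file_perms` lets the app create symlinks in system app data; if only regular files are needed, `allow poweroffalarm_app system_app_data_file:file create_file_perms;` is the tighter form.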
diff --git a/legacy/vendor/common/poweroffhandler.te b/legacy/vendor/common/poweroffhandler.te
new file mode 100644
index 0000000..c273ce4
--- /dev/null
+++ b/legacy/vendor/common/poweroffhandler.te
@@ -0,0 +1,50 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# poweroffhandler oneshot service
+type poweroffhandler, domain;
+type poweroffhandler_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(poweroffhandler)
+#binder_use(poweroffhandler)
+binder_call(poweroffhandler, surfaceflinger)
+allow poweroffhandler gpu_device:chr_file rw_file_perms;
+# /oem access
+allow poweroffhandler oemfs:dir r_dir_perms;
+allow poweroffhandler oemfs:file r_file_perms;
+
+allow poweroffhandler audio_device:dir r_dir_perms;
+allow poweroffhandler audio_device:chr_file rw_file_perms;
+
+# For regionalization
+allow poweroffhandler mnt_vendor_file:dir r_dir_perms;
+allow poweroffhandler regionalization_file:dir r_dir_perms;
+allow poweroffhandler regionalization_file:file r_file_perms;
+
+#allow poweroffhandler {surfaceflinger_service mediaserver_service}:service_manager find;
+
+binder_call(poweroffhandler, mediaserver);
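Review bot: `binder_call(poweroffhandler, surfaceflinger)` and `binder_call(poweroffhandler, mediaserver)` are kept while `#binder_use(poweroffhandler)` and the `service_manager find` rule are commented out, so the policy is left half-way between two states. As far as this hunk shows, the domain has no grant to look those services up, which suggests the `binder_call` rules are leftovers. Since the executable is a `vendor_file_type`, such calls would also cross the vendor/framework boundary. Either delete the two `binder_call` lines together with the commented-out ones, or restore the full set with a comment explaining why this oneshot service needs them.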
diff --git a/legacy/vendor/common/ppp.te b/legacy/vendor/common/ppp.te
new file mode 100644
index 0000000..d5bb363
--- /dev/null
+++ b/legacy/vendor/common/ppp.te
@@ -0,0 +1,29 @@
+#Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+#Redistribution and use in source and binary forms, with or without
+#modification, are permitted provided that the following conditions are
+#met:
+#* Redistributions of source code must retain the above copyright
+#  notice, this list of conditions and the following disclaimer.
+#* Redistributions in binary form must reproduce the above
+#  copyright notice, this list of conditions and the following
+#  disclaimer in the documentation and/or other materials provided
+#  with the distribution.
+#* Neither the name of The Linux Foundation nor the names of its
+#  contributors may be used to endorse or promote products derived
+#  from this software without specific prior written permission.
+#
+#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+#ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# allow VPN connection via L2TP
+allow ppp mtp:unix_stream_socket rw_socket_perms;
diff --git a/legacy/vendor/common/priv_app.te b/legacy/vendor/common/priv_app.te
new file mode 100644
index 0000000..860f385
--- /dev/null
+++ b/legacy/vendor/common/priv_app.te
@@ -0,0 +1,33 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+hal_client_domain(priv_app, hal_perf)
+get_prop(priv_app, vendor_camera_prop)
+
+# TODO(b/123050471): this grants renderscript exec permissions to the
+# priv_app domain
+allow priv_app rs_exec:file rx_file_perms;
diff --git a/legacy/vendor/common/qcomsysd.te b/legacy/vendor/common/qcomsysd.te
new file mode 100755
index 0000000..9e0ed42
--- /dev/null
+++ b/legacy/vendor/common/qcomsysd.te
@@ -0,0 +1,60 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Policy file for qcom-system-daemon
+#qcomsysd = qcom-system-daemon domain
+type vendor_qcomsysd, domain;
+type vendor_qcomsysd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_qcomsysd);
+
+#Needed for logging
+allow vendor_qcomsysd smem_log_device:chr_file rw_file_perms;
+
+#Needed to read/write cookies to the misc partition
+allow vendor_qcomsysd block_device:dir r_dir_perms;
+allow vendor_qcomsysd {
+    #Needed to access the bootselect partition
+    bootselect_device
+}:blk_file rw_file_perms;
+
+#Needed to get image info from socinfo
+allow vendor_qcomsysd sysfs_socinfo:file w_file_perms;
+
+allow vendor_qcomsysd self:capability { sys_boot };
+allow vendor_qcomsysd self:qipcrtr_socket create_socket_perms_no_ioctl;
+use_vendor_per_mgr(vendor_qcomsysd);
+#allow qcomsysd access boot mode switch
+set_prop(vendor_qcomsysd, vendor_boot_mode_prop);
+
+#diag
+userdebug_or_eng(`
+    diag_use(vendor_qcomsysd)
+    set_prop(vendor_qcomsysd, powerctl_prop)
+    allow vendor_qcomsysd sysfs_qdss_dev:dir r_dir_perms;
+    allow vendor_qcomsysd sysfs_qdss_dev:file rw_file_perms;
+    allow vendor_qcomsysd sysfs_data:file r_file_perms;
+')
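Review bot: The comment `#Needed to get image info from socinfo` does not match the rule below it, `allow vendor_qcomsysd sysfs_socinfo:file w_file_perms;`, which grants write/append but no read. If the daemon writes image info into socinfo, reword the comment (`# Needed to write image info to socinfo`); if it only reads, the rule should be `allow vendor_qcomsysd sysfs_socinfo:file r_file_perms;`. Likewise `#Needed to read/write cookies to the misc partition` sits above a block that grants only `bootselect_device`, so one of the two is stale. Because this domain also holds `sys_boot` and raw block-device write access, accurate rationale comments matter for later audits.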
diff --git a/legacy/vendor/common/qdcm-ss.te b/legacy/vendor/common/qdcm-ss.te
new file mode 100644
index 0000000..779ee2d
--- /dev/null
+++ b/legacy/vendor/common/qdcm-ss.te
@@ -0,0 +1,36 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type qdcm-ss, domain;
+type qdcm-ss_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(qdcm-ss)
+
+# Rule for IPC communication
+allow qdcm-ss qdisplay_service:service_manager find;
+vndbinder_use(qdcm-ss)
+hal_client_domain(qdcm-ss, hal_graphics_composer)
diff --git a/legacy/vendor/common/qdma_app.te b/legacy/vendor/common/qdma_app.te
new file mode 100644
index 0000000..983ee44
--- /dev/null
+++ b/legacy/vendor/common/qdma_app.te
@@ -0,0 +1,76 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type qdma_app, domain, mlstrustedsubject;
+app_domain(qdma_app)
+net_domain(qdma_app)
+binder_use(qdma_app)
+
+# allow invoking activity and access app content to qdma_app
+allow qdma_app { activity_service content_service }:service_manager find;
+# allow display service to qdma_app
+allow qdma_app { display_service }:service_manager find;
+# allow access to wifi and data network to qdma_app
+allow qdma_app { connectivity_service network_management_service }:service_manager find;
+# allow access telephony service info to qdma_app
+allow qdma_app { radio_service registry_service }:service_manager find;
+# allow acquire wakelock to qdma_app
+allow qdma_app { power_service }:service_manager find;
+# allow to load native library
+allow qdma_app { mount_service }:service_manager find;
+# for vendor_perf_service
+allow qdma_app app_api_service:service_manager find;
+
+# allow access to qdma dropbox
+allow qdma_app vendor_qdma_data_file:dir create_dir_perms;
+allow qdma_app vendor_qdma_data_file:file create_file_perms;
+
+allow qdma_app user_service:service_manager find;
+
+# allow access to socket
+unix_socket_connect(qdma_app, dpmtcm, dpmd)
+
+# allow qdma_socket
+allow qdma_app qdma_socket:dir w_dir_perms;
+allow qdma_app qdma_socket:sock_file create_file_perms;
+
+# for /dev/socket/qdma/qdma-campmgr-s
+unix_socket_connect(qdma_app, qdma, qdmastatsd)
+
+# allow access to mediadrmserver for qdmastats/wvstats
+allow qdma_app mediadrmserver_service:service_manager find;
+
+# allow qdma_app to access system_app_data_file
+# necessary for read and write /data/data subdirectory.
+allow qdma_app system_app_data_file:dir create_dir_perms;
+allow qdma_app system_app_data_file:file create_file_perms;
+
+# allow qdma_prop
+set_prop(qdma_app, vendor_qdma_prop);
+
+# allow cgroup access
+allow qdma_app cgroup:file rw_file_perms;
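Review bot: `type qdma_app, domain, mlstrustedsubject;` exempts an app domain that also gets `net_domain` from the MLS category checks that separate per-user and per-app data, and nothing in the file says which access needs it. The same attribute is set without a stated reason in qdmastatsd.te and qti-logkit.te. Further down, `create_dir_perms`/`create_file_perms` on `system_app_data_file` lets this app create and delete files under the label shared by system-UID apps (qsee_svc_app.te grants the same). A dedicated data type for qdma_app would confine that access to its own directory. At minimum I would add a comment on the type line such as `# mlstrustedsubject: required for <access>, see <bug id>` so the exemption can be revisited.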
diff --git a/legacy/vendor/common/qdmastatsd.te b/legacy/vendor/common/qdmastatsd.te
new file mode 100644
index 0000000..33005ab
--- /dev/null
+++ b/legacy/vendor/common/qdmastatsd.te
@@ -0,0 +1,111 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type qdmastatsd, domain, mlstrustedsubject;
+type qdmastatsd_exec, file_type, vendor_file_type, exec_type;
+
+init_daemon_domain(qdmastatsd)
+
+allow qdmastatsd vendor_qdma_data_file:file create_file_perms;
+allow qdmastatsd vendor_qdma_data_file:dir create_dir_perms;
+
+# access to /dev/ramdump_microdump_modem
+allow qdmastatsd ramdump_device:chr_file r_file_perms;
+
+# access to /sys/class/power_supply/bms/charge_counter
+# access to /sys/class/power_supply/battery/capacity
+# access to /sys/class/power_supply/battery/status
+allow qdmastatsd sysfs_battery_supply:{file lnk_file} r_file_perms;
+allow qdmastatsd sysfs_battery_supply:dir r_dir_perms;
+
+# /sys/class/kgsl/kgsl-3d0/gpu_busy_percentage
+# /sys/class/kgsl/kgsl-3d0/gpuclk
+# /sys/class/kgsl/kgsl-3d0/gpu_clock_stats
+# /sys/class/kgsl/kgsl-3d0/num_pwrlevels
+# /sys/class/kgsl/kgsl-3d0/gpu_available_frequencies
+allow qdmastatsd sysfs_kgsl:{file lnk_file} r_file_perms;
+allow qdmastatsd sysfs_kgsl:dir r_dir_perms;
+
+# /sys/class/leds/lcd-backlight/brightness
+allow qdmastatsd sysfs_leds:{file lnk_file} r_file_perms;
+allow qdmastatsd sysfs_leds:dir r_dir_perms;
+allow qdmastatsd sysfs_graphics:{file lnk_file} r_file_perms;
+allow qdmastatsd sysfs_graphics:dir r_dir_perms;
+
+# access to /sys/devices/system/cpu/possible
+allow qdmastatsd sysfs_devices_system_cpu:file r_file_perms;
+allow qdmastatsd sysfs_devices_system_cpu:dir r_dir_perms;
+
+# access to /sys/module/lpm_stats/cpu%d/total_sleep_time_secs
+#allow qdmastatsd sysfs_lpm_stats:{file lnk_file} r_file_perms;
+#allow qdmastatsd sysfs_lpm_stats:dir r_dir_perms;
+
+# access to /sys/class/thermal/thermal_zone%d
+allow qdmastatsd sysfs_thermal:{file lnk_file} r_file_perms;
+allow qdmastatsd sysfs_thermal:dir r_dir_perms;
+
+# access to /sys/power/wake_lock, wake_unlock
+allow qdmastatsd sysfs_wake_lock:file r_file_perms;
+allow qdmastatsd sysfs_wake_lock:dir r_dir_perms;
+
+# access to /proc/stat
+allow qdmastatsd proc_stat:file r_file_perms;
+allow qdmastatsd proc_stat:dir r_dir_perms;
+
+# access to /proc/net/xt_qtaguid/stats
+allow qdmastatsd proc_qtaguid_stat:file r_file_perms;
+
+# access to /proc/<pid>/
+r_dir_file(qdmastatsd, domain);
+
+# qmi
+qmux_socket(qdmastatsd);
+allow qdmastatsd self:{ socket qipcrtr_socket } create_socket_perms;
+allowxperm qdmastatsd self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
+
+#access to qdma_socket
+allow qdmastatsd qdma_socket:dir rw_dir_perms;
+allow qdmastatsd qdma_socket:sock_file create_file_perms;
+
+# access to /persist/hlos_rfs/shared
+allow qdmastatsd mnt_vendor_file:dir r_dir_perms;
+allow qdmastatsd persist_rfs_shared_hlos_file:dir rw_dir_perms;
+allow qdmastatsd persist_rfs_shared_hlos_file:file create_file_perms;
+
+# diag
+userdebug_or_eng(`
+  diag_use(qdmastatsd)
+')
+
+# for logcat
+unix_socket_connect(qdmastatsd, logdr, logd);
+
+# for dmesg
+#read_logd(qdmastatsd);
+
+# allow qdma_prop
+set_prop(qdmastatsd, vendor_qdma_prop);
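Review bot: `r_dir_file(qdmastatsd, domain);` gives the daemon read access to the /proc/<pid> entries of every process on all build types, which is far wider than the per-node sysfs and /proc rules above it. If the statistics cover a known set of processes, name those domains instead of the `domain` attribute, or move the rule into the existing `userdebug_or_eng` block. Note also that `unix_socket_connect(qdmastatsd, logdr, logd);` is the same grant `read_logd` expands to, so commenting out `#read_logd(qdmastatsd);` below does not remove log-reader access. A comment stating which log buffers the daemon needs would make that intent clear.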
diff --git a/legacy/vendor/common/qfp-daemon.te b/legacy/vendor/common/qfp-daemon.te
new file mode 100644
index 0000000..a48b33e
--- /dev/null
+++ b/legacy/vendor/common/qfp-daemon.te
@@ -0,0 +1,69 @@
+# Copyright (c) 2017 Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#qfp daemon for ultrasonic fingerprint sensor
+type qfp-daemon, domain;
+type qfp-daemon_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(qfp-daemon, hal_fingerprint)
+init_daemon_domain(qfp-daemon)
+
+#binder_call(qfp-daemon, servicemanager)
+binder_call(qfp-daemon, system_app)
+binder_call(qfp-daemon, fps_hal)
+#binder_use(qfp-daemon)
+
+allow qfp-daemon qfp-daemon_data_file:dir { rw_dir_perms setattr };
+allow qfp-daemon qfp-daemon_data_file:file create_file_perms;
+
+# Access to tee_device
+allow qfp-daemon tee_device:chr_file rw_file_perms;
+
+# Access QFP Android Proxy
+#allow qfp-daemon qfp_proxy_service:service_manager find;
+
+# Read system property
+allow qfp-daemon property_socket:sock_file write;
+
+# RW to device driver
+allow qfp-daemon qbt1000_device:chr_file rw_file_perms;
+
+# R dir perms for firmware dir
+r_dir_file(qfp-daemon, firmware_file)
+
+# R dir perms for persist qc_senseid dir
+r_dir_file(qfp-daemon, mnt_vendor_file)
+r_dir_file(qfp-daemon, persist_qti_fp_file)
+
+# Allow listing input devices and sending input events
+allow qfp-daemon input_device:chr_file rw_file_perms;
+allow qfp-daemon input_device:dir r_dir_perms;
+
+#diag
+userdebug_or_eng(`
+    diag_use(qfp-daemon)
+')
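Review bot: The comment `# Read system property` does not match `allow qfp-daemon property_socket:sock_file write;`, because reading properties does not go through the property socket and write access to it is part of what `set_prop` grants for setting them. If the daemon sets a property, use `set_prop(qfp-daemon, <vendor_property_type>)` with a dedicated type. If it only reads, the rule can probably be dropped in favour of `get_prop`. Separately, `allow qfp-daemon input_device:chr_file rw_file_perms;` lets the fingerprint daemon write to every input node; a specific label for the one device it needs, or at least a comment naming it, would make that grant reviewable.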
diff --git a/legacy/vendor/common/qlogd.te b/legacy/vendor/common/qlogd.te
new file mode 100644
index 0000000..fdf08e2
--- /dev/null
+++ b/legacy/vendor/common/qlogd.te
@@ -0,0 +1,84 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# qlogd
+type qlogd, domain;
+type qlogd_exec, exec_type, vendor_file_type, file_type;
+
+# make transition from init to its domain
+init_daemon_domain(qlogd)
+
+# need to access sharemem log device for smem logs
+allow qlogd smem_log_device:chr_file rw_file_perms;
+
+# need to add more capabilities for qlogd
+allow qlogd self:capability {
+    setuid
+    setgid
+    sys_admin
+    net_raw
+    net_admin
+    fowner
+    fsetid
+    kill
+    sys_module
+};
+allow qlogd self:capability2 syslog;
+allow qlogd self:packet_socket { create bind getopt setopt };
+
+# need to create and listen socket
+allow qlogd qlogd_socket:sock_file create_file_perms;
+
+# need to start shell execute files
+allow qlogd vendor_shell_exec:file rx_file_perms;
+
+# need to create and write files in fuse partition
+allow qlogd fuse:dir create_dir_perms;
+allow qlogd fuse:file create_file_perms;
+
+# need to capture kmsg
+allow qlogd kernel:system syslog_mod;
+
+# need for qdss log and odl from UI
+userdebug_or_eng(`
+  allow qlogd { debugfs_tracing qdss_device }:file r_file_perms;
+  allow qlogd { qdss_device }:file r_file_perms;
+  r_dir_file(qlogd, storage_file)
+  r_dir_file(qlogd, mnt_user_file)
+  diag_use(qlogd)
+')
+
+# need for capture adb logs
+unix_socket_connect(qlogd, logdr, logd)
+
+# need for subsystem ramdump
+allow qlogd device:dir r_dir_perms;
+allow qlogd ramdump_device:chr_file { setattr rw_file_perms };
+
+# need for qxdm log
+allow qlogd diag_exec:file rx_file_perms;
+wakelock_use(qlogd)
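Review bot: The `allow qlogd self:capability { ... }` block grants `sys_module`, `sys_admin`, `net_admin`, `net_raw` and `kill` to a logging daemon on all build types, with only `# need to add more capabilities for qlogd` as justification. The QDSS and diag rules further down are already limited with `userdebug_or_eng`; I would move at least `sys_module` and `sys_admin`, along with `self:packet_socket` and `kernel:system syslog_mod`, into that block unless a user-build need is documented per capability. Inside the `userdebug_or_eng` block, `allow qlogd { qdss_device }:file r_file_perms;` repeats what the line above it already grants and can be dropped.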
diff --git a/legacy/vendor/common/qmuxd.te b/legacy/vendor/common/qmuxd.te
new file mode 100644
index 0000000..5fd8ca4
--- /dev/null
+++ b/legacy/vendor/common/qmuxd.te
@@ -0,0 +1,76 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type qmuxd, domain;
+type qmuxd_exec, exec_type, vendor_file_type, file_type;
+net_domain(qmuxd)
+init_daemon_domain(qmuxd)
+
+userdebug_or_eng(`
+  domain_auto_trans(shell, qmuxd_exec, qmuxd)
+  #domain_auto_trans(adbd, qmuxd_exec, qmuxd)
+')
+
+#Allow qmuxd to operate on various qmux device sockets
+#allow qmuxd qmux_radio_socket:dir { write add_name remove_name search };
+#allow qmuxd qmux_radio_socket:sock_file { create setattr getattr write unlink };
+#allow qmuxd qmux_audio_socket:dir { write add_name remove_name search };
+#allow qmuxd qmux_audio_socket:sock_file { create setattr getattr write unlink };
+#allow qmuxd qmux_gps_socket:dir { write add_name remove_name search };
+#allow qmuxd qmux_gps_socket:sock_file { create setattr getattr write unlink };
+#allow qmuxd qmux_bluetooth_socket:dir { write add_name remove_name search };
+#allow qmuxd qmux_bluetooth_socket:sock_file { create setattr getattr write unlink };
+
+qmux_socket(qmuxd);
+
+#Allow logging
+allow qmuxd {
+    #Allow operation in platform specific transports
+    smd_device
+    hsic_device
+    mhi_device
+    smem_log_device
+}:chr_file rw_file_perms;
+
+#Allow qmuxd to operate in platform specific transports
+allow qmuxd {
+    sysfs_smd_open_timeout
+    #Allow qmuxd to write in hsic specific transport
+    sysfs
+    sysfs_hsic_modem_wait
+}:file w_file_perms;
+
+allow qmuxd self:capability { setuid setgid setpcap };
+
+#Allow qmuxd to have the CAP_BLOCK_SUSPEND capability
+wakelock_use(qmuxd)
+
+allow qmuxd mhi_device:chr_file rw_file_perms;
+
+#Allow qmuxd to access to IPC router
+allow qmuxd smem_log_device:chr_file rw_file_perms;
+allow qmuxd qmuxd:socket create_socket_perms_no_ioctl;
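Review bot: The second `allow qmuxd { ... }:file w_file_perms;` block includes the generic `sysfs` type, which gives write access to every sysfs file that has no more specific label rather than to the one HSIC node the inline comment refers to. Give that node its own type in genfs_contexts/file_contexts, as is already done for `sysfs_hsic_modem_wait`, and drop `sysfs` from the set. The `#Allow logging` comment sits above the transport-device block it does not describe. The later `allow qmuxd mhi_device:chr_file rw_file_perms;` and `allow qmuxd smem_log_device:chr_file rw_file_perms;` repeat grants already in that block, so they can be removed.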
diff --git a/legacy/vendor/common/qrtr.te b/legacy/vendor/common/qrtr.te
new file mode 100644
index 0000000..4a5f82f
--- /dev/null
+++ b/legacy/vendor/common/qrtr.te
@@ -0,0 +1,44 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type qrtr, domain;
+type qrtr_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(qrtr)
+
+userdebug_or_eng(`
+  domain_auto_trans(shell, qrtr_exec, qrtr)
+')
+
+allow qrtr self:{
+    socket
+    qipcrtr_socket
+} create_socket_perms;
+
+allowxperm qrtr self:{ socket qipcrtr_socket } ioctl msm_sock_qrtr_ioctls;
+allow qrtr devpts:chr_file rw_file_perms;
+
+allow qrtr self:capability { net_bind_service };
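Review bot: `allow qrtr devpts:chr_file rw_file_perms;` is granted on all builds with no comment. It looks like it is only needed when qrtr is started from a terminal through `domain_auto_trans(shell, qrtr_exec, qrtr)`, which is limited to userdebug/eng. If that is the case, move the rule into the same `userdebug_or_eng` block so user builds do not carry it. The file has no comments on any rule; a short reason above `allow qrtr self:capability { net_bind_service };` and the `allowxperm` line would help the next reviewer.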
diff --git a/legacy/vendor/common/qsee_svc_app.te b/legacy/vendor/common/qsee_svc_app.te
new file mode 100644
index 0000000..6b3fa93
--- /dev/null
+++ b/legacy/vendor/common/qsee_svc_app.te
@@ -0,0 +1,39 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type qsee_svc_app, domain;
+app_domain(qsee_svc_app)
+
+# allow qsee_svc_app to interact with qteeconnector
+hal_client_domain(qsee_svc_app, hal_qteeconnector)
+
+# file permission
+allow qsee_svc_app system_app_data_file:dir create_dir_perms;
+allow qsee_svc_app system_app_data_file:file create_file_perms;
+
+# allow service manager find
+allow qsee_svc_app app_api_service:service_manager find;
diff --git a/legacy/vendor/common/qseecomd.te b/legacy/vendor/common/qseecomd.te
new file mode 100644
index 0000000..6459668
--- /dev/null
+++ b/legacy/vendor/common/qseecomd.te
@@ -0,0 +1,120 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# tee starts as root, and drops privileges
+allow tee self:capability {
+    setuid
+    setgid
+    sys_admin
+    chown
+    sys_rawio
+};
+
+# Need to directly manipulate certain block devices
+# for anti-rollback protection
+allow tee block_device:dir r_dir_perms;
+allow tee rpmb_device:blk_file rw_file_perms;
+
+#For Wakelocks
+wakelock_use(tee)
+
+# Need to figure out how many scsi generic devices are preset
+# before being able to identify which one is rpmb device
+allow tee device:dir r_dir_perms;
+allow tee sg_device:chr_file { rw_file_perms setattr };
+
+allow tee mnt_vendor_file:dir r_dir_perms;
+r_dir_file(tee, persist_data_file)
+
+# Write to drm related pieces of persist partition
+allow tee persist_drm_file:dir create_dir_perms;
+allow tee persist_drm_file:file create_file_perms;
+
+# Provide tee access to ssd partition for HW FDE
+allow tee ssd_device:blk_file rw_file_perms;
+
+# allow tee to operate tee device
+allow tee tee_device:chr_file rw_file_perms;
+
+# Allow SFS to write to data partition
+allow tee data_tzstorage_file:dir create_dir_perms;
+allow tee data_tzstorage_file:file create_file_perms;
+
+# allow tee to load firmware images
+r_dir_file(tee, firmware_file)
+
+# allow qseecom access to time domain
+allow tee time_daemon:unix_stream_socket connectto;
+
+# allow tee access for secure UI to work
+allow tee graphics_device:dir r_dir_perms;
+allow tee graphics_device:chr_file r_file_perms;
+
+#allow tee access for secure touch to work
+allow tee sysfs_securetouch:file rw_file_perms;
+
+#allow tee surfaceflinger_service : service_manager  find;
+
+binder_call(tee, surfaceflinger)
+#binder_use(tee)
+
+#allow tee system_app:unix_dgram_socket sendto;
+unix_socket_connect(tee, property, init)
+
+userdebug_or_eng(`
+  allow tee su:unix_dgram_socket sendto;
+')
+
+
+#allow access to qfp-daemon
+allow tee qfp-daemon_data_file:dir create_dir_perms;
+allow tee qfp-daemon_data_file:file create_file_perms;
+allow tee persist_qti_fp_file:dir create_dir_perms;
+allow tee persist_qti_fp_file:file create_file_perms;
+
+# Allow access to qsee_ipc_irq_spss device
+allow tee qsee_ipc_irq_spss_device:chr_file rw_file_perms;
+
+set_prop(tee, vendor_tee_listener_prop)
+
+# SOTER
+hal_client_domain(tee, hal_soter);
+
+#secureUI
+hal_client_domain(tee, hal_tui_comm);
+hal_client_domain(tee, hal_qdutils_disp);
+hal_client_domain(tee, hal_graphics_allocator);
+vndbinder_use(tee);
+allow tee qdisplay_service:service_manager find;
+hal_client_domain(tee, hal_graphics_composer);
+allow tee sysfs_sectouch:file rw_file_perms;
+allow tee vendor_tui_data_file:file rw_file_perms;
+allow tee vendor_tui_data_file:dir search;
+
+# Allow access to qsee data file
+allow tee data_qsee_file:dir create_dir_perms;
+allow tee data_qsee_file:file create_file_perms;
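Review bot: The opening `allow tee self:capability { ... }` block grants `sys_admin`, `chown` and `sys_rawio` under a comment that only explains `setuid`/`setgid` ("starts as root, and drops privileges"), so nothing records why the daemon keeps the other three. Combined with `allow tee sg_device:chr_file { rw_file_perms setattr };`, the domain can open every SCSI generic node, not only the RPMB one the comment mentions. I would add a one-line reason per capability and, if the RPMB node can be identified at labelling time, give it its own type so the `sg_device` grant can be narrowed. The file also references both `sysfs_securetouch` and `sysfs_sectouch`; if these label the same nodes, one of the two rules is redundant.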
diff --git a/legacy/vendor/common/qseeproxy.te b/legacy/vendor/common/qseeproxy.te
new file mode 100644
index 0000000..12517fb
--- /dev/null
+++ b/legacy/vendor/common/qseeproxy.te
@@ -0,0 +1,54 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type qseeproxy, domain;
+type qseeproxy_exec, exec_type, vendor_file_type, file_type;
+
+#Allow for transition from init domain to qseeproxy
+init_daemon_domain(qseeproxy)
+
+#Allow qseeproxy to use Binder IPC
+vndbinder_use(qseeproxy)
+
+#Allow apps to interact with qseeproxy
+binder_call(qseeproxy, qsee_svc_app)
+
+#Allow qseeproxy to be registered with service manager
+allow qseeproxy qseeproxy_service:service_manager add;
+
+#Allow qseeproxy to use system_server via binder to check caller identity
+binder_call(qseeproxy, system_server)
+
+#Allow communication with init over property server
+unix_socket_connect(qseeproxy, property, init);
+
+#Allow access to tee device
+allow qseeproxy tee_device:chr_file rw_file_perms;
+
+#Allow access to firmware
+allow qseeproxy firmware_file:dir r_dir_perms;
+allow qseeproxy firmware_file:file r_file_perms;
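Review bot: `binder_call(qseeproxy, qsee_svc_app)` is commented `#Allow apps to interact with qseeproxy`, but the macro's first argument is the caller, so this rule lets qseeproxy call into the app and only lets the app transfer references back on the reply. The app-to-service direction would be `binder_call(qsee_svc_app, qseeproxy)`; it is not in this file or in qsee_svc_app.te above, so it is either defined elsewhere or missing. Either fix the comment or add the rule that matches it. `unix_socket_connect(qseeproxy, property, init);` also opens the property service without naming a property type; `set_prop(qseeproxy, <vendor_property_type>)` would state which property the daemon is meant to set.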
diff --git a/legacy/vendor/common/qti-logkit.te b/legacy/vendor/common/qti-logkit.te
new file mode 100644
index 0000000..2d0483d
--- /dev/null
+++ b/legacy/vendor/common/qti-logkit.te
@@ -0,0 +1,75 @@
+# Copyright (c) 2015-2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# qti_logkit
+type qti_logkit, domain, mlstrustedsubject;
+init_daemon_domain(qti_logkit)
+type qti_logkit_exec, exec_type, vendor_file_type, file_type;
+
+# self file access
+allow qti_logkit qti_logkit_priv_data_file:dir create_dir_perms;
+allow qti_logkit qti_logkit_priv_data_file:file create_file_perms;
+allow qti_logkit qti_logkit_pub_data_file:dir create_dir_perms;
+allow qti_logkit qti_logkit_pub_data_file:file create_file_perms;
+
+# self socket access
+allow qti_logkit qti_logkit_priv_socket:sock_file create_file_perms;
+allow qti_logkit qti_logkit_pub_socket:sock_file create_file_perms;
+allow qti_logkit qti_logkit_pub_socket:dir create_dir_perms;
+allow qti_logkit qti_logkit_priv_socket:dir create_dir_perms;
+
+# allow socket connections to us
+net_domain(qti_logkit)
+
+# ver_info.txt
+r_dir_file(qti_logkit, firmware_file)
+
+# dmesg
+allow qti_logkit kernel:system syslog_read;
+
+# QMUX
+qmux_socket(qti_logkit)
+
+userdebug_or_eng(`
+  # ramdumps
+  allow qti_logkit ramdump_device:chr_file rw_file_perms;
+
+  # drop root privs
+  allow qti_logkit self:capability { setuid setgid };
+
+  # tcpdump
+  allow qti_logkit self:packet_socket create_socket_perms_no_ioctl;
+  allow qti_logkit self:capability net_raw;
+  diag_use(qti_logkit)
+')
+
+#binder_use(qti_logkit)
+allow qti_logkit vendor_shell_exec:file { rx_file_perms };
+binder_call(qti_logkit, system_server)
+
+# allow logcat access
+#read_logd( qti_logkit );
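Review bot: `net_domain(qti_logkit)` is commented `# allow socket connections to us`, but the macro grants the domain general network socket creation and use rather than inbound connections to its own sockets, so the comment understates the grant. On user builds this leaves a log collector with network access, `kernel:system syslog_read` and `allow qti_logkit vendor_shell_exec:file { rx_file_perms };`, all outside the `userdebug_or_eng` block that already holds the ramdump and tcpdump rules. I would move `net_domain` and the shell-exec rule into that block unless a user-build need is documented, and reword the comment to `# network sockets (outbound and listening)` or similar.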
diff --git a/legacy/vendor/common/qti.te b/legacy/vendor/common/qti.te
new file mode 100644
index 0000000..5bdfeb7
--- /dev/null
+++ b/legacy/vendor/common/qti.te
@@ -0,0 +1,63 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type qti, domain;
+type qti_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(qti)
+net_domain(qti)
+
+allow qti {
+    rmnet_device
+    smem_log_device
+    mhi_device
+    smd_device
+    userdebug_or_eng(`kmsg_device')
+}:chr_file rw_file_perms;
+
+qmux_socket(qti)
+
+allow qti self:{
+    netlink_socket
+    socket
+    udp_socket
+    qipcrtr_socket
+} create_socket_perms_no_ioctl;
+
+allow qti self:socket ioctl;
+allowxperm qti self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
+allow qti vendor_shell_exec:file rx_file_perms;
+
+allow qti sysfs_data:file r_file_perms;
+
+# Allow write permissions for log file
+allow qti vendor_qti_data_file:file create_file_perms;
+allow qti vendor_qti_data_file:dir rw_dir_perms;
+
+#diag
+userdebug_or_eng(`
+    diag_use(qti)
+')
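Review bot: The `allowxperm qti self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;` rule names `qipcrtr_socket`, but the base `ioctl` permission is allowed only on `self:socket`, and `qipcrtr_socket` is otherwise granted `create_socket_perms_no_ioctl`. An extended-permission rule has no effect without a matching `allow ... ioctl`, so the qipcrtr half looks inert unless another policy file supplies the base permission. Either widen the base rule to `allow qti self:{ socket qipcrtr_socket } ioctl;`, as rild.te in this commit does, or drop `qipcrtr_socket` from the `allowxperm` so the policy states what is actually permitted.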
diff --git a/legacy/vendor/common/qti_logkit_app.te b/legacy/vendor/common/qti_logkit_app.te
new file mode 100644
index 0000000..f94c280
--- /dev/null
+++ b/legacy/vendor/common/qti_logkit_app.te
@@ -0,0 +1,91 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# new qti_logkit_app domain
+type qti_logkit_app, domain;
+app_domain(qti_logkit_app)
+binder_use(qti_logkit_app)
+
+# allow set prop to start lkcore
+set_prop(qti_logkit_app, ctl_LKCore_prop)
+set_prop(qti_logkit_app, fm_prop)
+set_prop(qti_logkit_app, usf_prop)
+allow qti_logkit_app app_api_service:service_manager find;
+allow qti_logkit_app surfaceflinger_service:service_manager find;
+
+net_domain(qti_logkit_app)
+
+userdebug_or_eng(`
+  # allow qti_logkit_app debugfs:file r_file_perms;
+  allow qti_logkit_app su:unix_dgram_socket sendto;
+  allow qti_logkit_app mnt_vendor_file:dir r_dir_perms;
+  allow qti_logkit_app sensors_persist_file:dir r_dir_perms;
+  allow qti_logkit_app sensors_persist_file:file rw_file_perms;
+  # access to firmware file
+  r_dir_file(qti_logkit_app, firmware_file);
+
+  # Access to tombstone segfaults
+  allow qti_logkit_app tombstone_data_file:dir r_dir_perms;
+  allow qti_logkit_app tombstone_data_file:file r_file_perms;
+  diag_use(qti_logkit_app)
+')
+
+# allow access to qti_logkit
+allow qti_logkit_app qti_logkit_priv_data_file:dir create_dir_perms;
+allow qti_logkit_app qti_logkit_priv_data_file:file create_file_perms;
+allow qti_logkit_app qti_logkit_priv_socket:dir r_dir_perms;
+unix_socket_connect(qti_logkit_app, qti_logkit_priv, qti_logkit)
+allow qti_logkit_app qti_logkit_priv_socket:sock_file r_file_perms;
+allow qti_logkit_app system_app_data_file:dir create_dir_perms;
+allow qti_logkit_app system_app_data_file:file create_file_perms;
+
+# allow access for pub files
+allow qti_logkit_app qti_logkit_pub_data_file:dir create_dir_perms;
+allow qti_logkit_app qti_logkit_pub_data_file:file create_file_perms;
+
+# iwconfig
+allow qti_logkit_app wcnss_service_exec:file rx_file_perms;
+
+# bugreport
+allow qti_logkit_app ctl_dumpstate_prop:property_service set;
+unix_socket_connect(qti_logkit_app, dumpstate, dumpstate)
+
+# ANR
+allow qti_logkit_app anr_data_file:dir r_dir_perms;
+allow qti_logkit_app anr_data_file:file r_file_perms;
+
+# detect /data/anr directory is created
+allow qti_logkit_app system_data_file:dir read;
+
+# allow access to cache recovery for LK3
+allow qti_logkit_app cache_file:dir create_dir_perms;
+allow qti_logkit_app cache_file:file create_file_perms;
+allow qti_logkit_app cache_recovery_file:dir rw_dir_perms;
+allow qti_logkit_app cache_recovery_file:file create_file_perms;
+
+# update engine
+binder_call(qti_logkit_app, update_engine)
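Review bot: The rules after the `userdebug_or_eng` block apply on user builds too, and several give an app domain write access to platform-owned data: `create_file_perms` on `system_app_data_file`, `cache_file` and `cache_recovery_file`, plus `ctl_dumpstate_prop` set and `binder_call(qti_logkit_app, update_engine)`. If the logging app ships only on debug builds (not visible here), these belong inside the existing `userdebug_or_eng` block next to the tombstone and sensors rules. If it ships on user builds, narrowing the cache rules to `r_dir_perms`/`r_file_perms` wherever reads suffice would reduce what a compromised app could alter. The comment `# allow set prop to start lkcore` also sits over `fm_prop` and `usf_prop`, which need their own one-line reason.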
diff --git a/legacy/vendor/common/qtidataservices_app.te b/legacy/vendor/common/qtidataservices_app.te
new file mode 100644
index 0000000..f23a120
--- /dev/null
+++ b/legacy/vendor/common/qtidataservices_app.te
@@ -0,0 +1,36 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type qtidataservices_app, domain;
+app_domain(qtidataservices_app);
+
+add_hwservice(qtidataservices_app, hal_cacert_hwservice)
+hwbinder_use(qtidataservices_app)
+
+allow qtidataservices_app { app_api_service activity_service }:service_manager find;
+allow qtidataservices_app self:qipcrtr_socket create_socket_perms_no_ioctl;
+allow qtidataservices_app radio_data_file:dir r_dir_perms;
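Review bot: `add_hwservice(qtidataservices_app, hal_cacert_hwservice)` lets an app domain register a HAL whose name suggests it deals with CA certificates, and the file has no comment saying why the service lives in an app or which domains are expected to call it. A line such as `# qtidataservices_app registers the cacert HAL; expected clients: <client domains>` above the rule would give a reviewer something to check the `find` grants against. The closing `radio_data_file:dir r_dir_perms` rule has no companion `:file` rule, so it permits directory listing only; a comment on whether that is intended would help.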
diff --git a/legacy/vendor/common/qvop.te b/legacy/vendor/common/qvop.te
new file mode 100644
index 0000000..9dd324c
--- /dev/null
+++ b/legacy/vendor/common/qvop.te
@@ -0,0 +1,36 @@
+# Copyright (c) 2015,2017 The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#qvop-daemon for ultrasonic fingerprint sensor
+type qvop-daemon, domain;
+type qvop-daemon_exec, exec_type, vendor_file_type,  file_type;
+
+hal_server_domain(qvop-daemon, hal_voiceprint)
+init_daemon_domain(qvop-daemon)
+
+allow qvop-daemon tee_device:chr_file rw_file_perms;
+r_dir_file(qvop-daemon, firmware_file)
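Review bot: The header comment `#qvop-daemon for ultrasonic fingerprint sensor` does not match the rules below it, which attach the domain to `hal_voiceprint` through `hal_server_domain(qvop-daemon, hal_voiceprint)`; it reads like a leftover from another file. Suggest `# qvop-daemon: voiceprint HAL server` (wording to be confirmed by the owner). `allow qvop-daemon tee_device:chr_file rw_file_perms;` is the most sensitive grant in the file and should get a one-line reason of its own.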
diff --git a/legacy/vendor/common/qvrd.te b/legacy/vendor/common/qvrd.te
new file mode 100644
index 0000000..1203578
--- /dev/null
+++ b/legacy/vendor/common/qvrd.te
@@ -0,0 +1,85 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#
+# General
+#
+
+userdebug_or_eng(` allow qvrd diag_device:chr_file rw_file_perms');
+#r_dir_file(qvrd, vendor_file)
+r_dir_file(qvrd, sysfs_kgsl)
+
+#
+# Sensors
+#
+
+# Allow access to ADSP & SLPI
+allow qvrd { ion_device qdsp_device dsp_device xdsp_device }:chr_file r_file_perms;
+
+get_prop(qvrd, adsprpc_prop)
+
+#
+# Display
+#
+
+# Allow access to /sys/devices/virtual/graphics/fb* for lineptr interrupts
+allow qvrd sysfs_graphics:file rw_file_perms;
+
+#
+# Camera
+#
+
+hal_client_domain(qvrd, hal_camera);
+#set_prop(qvrd, camera_prop)
+
+# Allow access to camera HAL and UVC nodes
+allow qvrd device:dir r_dir_perms;
+allow qvrd { gpu_device video_device camera_device sensors_device }:chr_file rw_file_perms;
+
+
+#
+# Perfd
+#
+
+hal_client_domain(qvrd, hal_perf)
+
+allow qvrd fwk_sensor_hwservice:hwservice_manager find;
+hal_client_domain(qvrd, hal_sensors)
+
+# QVRD
+userdebug_or_eng(`
+allow qvrd debugfs:dir r_dir_perms;
+allow qvrd qti_debugfs:dir r_dir_perms;
+allow qvrd qti_debugfs:file rw_file_perms;
+')
+
+# Allow access to kgsl sysfs nodes for performance optimization
+allow qvrd sysfs_kgsl:file rw_file_perms;
+
+# Allow access to qvr_external_sensor sysfs nodes for external viewers
+allow qvrd sysfs_qvr_external_sensor:dir r_dir_perms;
+allow qvrd sysfs_qvr_external_sensor:file rw_file_perms;
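Review bot: In the Camera section `qvrd` is made a `hal_camera` client and is also given `rw_file_perms` directly on `camera_device` and `video_device`, together with `allow qvrd device:dir r_dir_perms;` on the generic device directory type. If all camera traffic goes through the HAL, the direct device-node rules can be dropped. If the UVC path really needs raw nodes, as the comment hints, a dedicated type for those nodes would avoid opening every `video_device` to this domain. No `type qvrd, domain;` declaration appears in this file, so it is presumably defined elsewhere.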
diff --git a/legacy/vendor/common/radio.te b/legacy/vendor/common/radio.te
new file mode 100644
index 0000000..a5a6cff
--- /dev/null
+++ b/legacy/vendor/common/radio.te
@@ -0,0 +1,51 @@
+#Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+#Redistribution and use in source and binary forms, with or without
+#modification, are permitted provided that the following conditions are
+#met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+#ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# IMS needs permission to use avtimer
+allow radio avtimer_device:chr_file r_file_perms;
+
+allow radio { cameraserver_service mediaextractor_service mediacodec_service }:service_manager find;
+#diag
+userdebug_or_eng(`
+    diag_use(radio)
+')
+
+get_prop(radio, vendor_radio_prop)
+
+binder_call(radio, hal_imsrtp)
+allow radio hal_imsrtp_hwservice:hwservice_manager find;
+# permissions for IMS-ConnectionmanagerTestApp
+userdebug_or_eng(`
+  allow radio hal_imsrcsd_hwservice:hwservice_manager find;
+  binder_call(radio, hal_rcsservice);
+
+  allow radio vendor_mbn_data_file:dir r_dir_perms;
+  allow radio vendor_mbn_data_file:file r_file_perms;
+')
+hal_client_domain(radio, hal_perf)
+
+get_prop(radio, qcom_ims_prop)
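Review bot: `allow radio { cameraserver_service mediaextractor_service mediacodec_service }:service_manager find;` has no comment, unlike the avtimer rule above it, and it widens the `radio` domain on every build variant. Add the reason next to it, e.g. `# IMS video calling looks up camera and codec services` if that is the actual use (to be confirmed), so a later audit can tell whether all three services are still needed.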
diff --git a/legacy/vendor/common/recovery.te b/legacy/vendor/common/recovery.te
new file mode 100755
index 0000000..dac308e
--- /dev/null
+++ b/legacy/vendor/common/recovery.te
@@ -0,0 +1,52 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+recovery_only(`
+    # Read files on /sdcard
+    allow recovery sdcard_type:dir r_dir_perms;
+    allow recovery sdcard_type:file r_file_perms;
+    allow recovery vfat:dir r_dir_perms;
+    allow recovery vfat:file create_file_perms;
+    allow recovery vfat:file rw_file_perms;
+    allow recovery system_data_file:file r_file_perms;
+    allow recovery system_data_file:dir r_dir_perms;
+    allow recovery RIDL_data_file:file r_file_perms;
+    allow recovery RIDL_data_file:dir r_dir_perms;
+    allow recovery qti_logkit_priv_data_file:file r_file_perms;
+    allow recovery qti_logkit_priv_data_file:dir r_dir_perms;
+    allow recovery cache_file:dir mounton;
+    allow recovery qce_device:chr_file rw_file_perms;
+    allow recovery tee_device:chr_file rw_file_perms;
+    allow recovery sg_device:chr_file rw_file_perms;
+    allow recovery self:capability sys_rawio;
+    allow recovery sg_device:chr_file ioctl;
+    # Enable adb on configfs devices
+    allow recovery configfs:file rw_file_perms;
+    allow recovery configfs:dir rw_dir_perms;
+    set_prop(recovery, ffs_prop);
+    get_prop(recovery, vendor_boot_mode_prop)
+')
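Review bot: `allow recovery sg_device:chr_file rw_file_perms;` together with `allow recovery self:capability sys_rawio;` permits raw SCSI-generic commands from recovery, and no `allowxperm` rule limits which ioctls may be issued; the only comment above these rules is `# Read files on /sdcard`. Each device grant (`qce_device`, `tee_device`, `sg_device`) should carry its own reason, and the `sg_device` ioctls should be restricted to the ones actually used once they are identified. Two lines are redundant and can be removed: `allow recovery vfat:file rw_file_perms;` is covered by `create_file_perms` on the line above, and `allow recovery sg_device:chr_file ioctl;` is already part of `rw_file_perms`.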
diff --git a/legacy/vendor/common/rfs_access.te b/legacy/vendor/common/rfs_access.te
new file mode 100644
index 0000000..ded9611
--- /dev/null
+++ b/legacy/vendor/common/rfs_access.te
@@ -0,0 +1,92 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# rfs_access - rfs_access daemon
+type rfs_access, domain;
+type rfs_access_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(rfs_access)
+
+#The files created by rfs_access process in the /data folder will have type rfs_file
+type_transition rfs_access vendor_data_file:dir rfs_shared_hlos_file "hlos_rfs";
+
+type_transition rfs_access mnt_vendor_file:{ dir file } persist_rfs_file;
+type_transition rfs_access mnt_vendor_file:dir persist_rfs_shared_hlos_file "hlos_rfs";
+
+allow rfs_access {
+    #To read the uio char device
+    uio_device
+    #To read the smem log char device
+    smem_log_device
+}:chr_file rw_file_perms;
+
+#For QMI sockets and IPCR Sockets
+allow rfs_access self:{ socket qipcrtr_socket } create_socket_perms_no_ioctl;
+
+#For Wakelocks
+wakelock_use(rfs_access)
+
+#To create the folders in /persist
+allow rfs_access mnt_vendor_file:dir create_dir_perms;
+
+allow rfs_access persist_rfs_file:dir create_dir_perms;
+allow rfs_access persist_rfs_file:file create_file_perms;
+allow rfs_access persist_rfs_shared_hlos_file:dir create_dir_perms;
+allow rfs_access persist_rfs_shared_hlos_file:file create_file_perms;
+
+#For system folder entries
+r_dir_file(rfs_access, rfs_system_file)
+allow rfs_access rfs_system_file:lnk_file r_file_perms;
+
+# RFS vendor data
+allow rfs_access rfs_file:dir create_dir_perms;
+allow rfs_access rfs_file:file create_file_perms;
+allow rfs_access rfs_shared_hlos_file:dir create_dir_perms;
+allow rfs_access rfs_shared_hlos_file:file create_file_perms;
+
+# For ramdump entries in /data/vendor/tombstones.
+allow rfs_access vendor_tombstone_data_file:dir create_dir_perms;
+allow rfs_access vendor_tombstone_data_file:file create_file_perms;
+
+#For firmware entries in /firmware to read NHLOS.bin files ( only perms to read and get attributes).
+r_dir_file(rfs_access, firmware_file)
+
+#For dropping permisions from root and wakelock
+allow rfs_access self:capability {
+    setuid
+    setgid
+    setpcap
+    net_bind_service
+};
+
+# RFS UID and GIDs were changed and moved from old values to new ones OEM range.
+# The below permissions are required to recursively update the folder ownership
+# to the new values in the OEM range.
+
+allow rfs_access self:capability { chown };
+
+#For access to the kmsg device
+allow rfs_access kmsg_device:chr_file w_file_perms;
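Review bot: The comment `#For dropping permisions from root and wakelock` sits above a capability set that also contains `setpcap` and `net_bind_service`, and it does not account for `net_bind_service` at all (`permisions` is also misspelled). Suggest `# setuid/setgid/setpcap: drop root after start-up; net_bind_service: <reason>`, or remove `net_bind_service` if nothing in the daemon binds a privileged port. The first comment in the file likewise says new files get type `rfs_file`, while the `type_transition` directly beneath it assigns `rfs_shared_hlos_file` to the `hlos_rfs` directory.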
diff --git a/legacy/vendor/common/ridl.te b/legacy/vendor/common/ridl.te
new file mode 100644
index 0000000..31f2255
--- /dev/null
+++ b/legacy/vendor/common/ridl.te
@@ -0,0 +1,101 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# RIDL
+type RIDL, domain;
+type RIDL_exec, exec_type, vendor_file_type, file_type;
+
+allow RIDL RIDL_socket:sock_file create_file_perms;
+allow RIDL RIDL_socket:dir create_dir_perms;
+
+# make transition from init to its domain
+init_daemon_domain(RIDL)
+
+# allow socket connections to us
+net_domain(RIDL)
+
+allow RIDL RIDL_data_file:dir create_dir_perms;
+allow RIDL RIDL_data_file:file create_file_perms;
+allow RIDL RIDL_data_file:lnk_file { create read unlink };
+userdebug_or_eng(`
+allow RIDL qti_debugfs:file read;
+')
+
+# ver_info.txt
+r_dir_file(RIDL, firmware_file)
+
+# sdcard0/1
+allow RIDL fuse:dir create_dir_perms;
+allow RIDL fuse:file create_file_perms;
+
+# dmesg
+allow RIDL kernel:system syslog_read;
+
+# QMUX
+qmux_socket(RIDL)
+
+# ramdumps
+allow RIDL ramdump_device:chr_file rw_file_perms;
+
+# logcat
+unix_socket_connect(RIDL, logdr, logd)
+
+#binder_use(RIDL)
+allow RIDL vendor_shell_exec:file { rx_file_perms };
+binder_call(RIDL, system_server)
+
+# reboot recovery
+set_prop(RIDL, powerctl_prop)
+
+userdebug_or_eng(`
+	# tcpdump
+	allow RIDL self:packet_socket create_socket_perms_no_ioctl;
+	allow RIDL self:capability net_raw;
+        diag_use( RIDL )
+
+        # allow location
+        #allow RIDL app_api_service:service_manager find;
+')
+
+# drop root caps
+allow RIDL self:capability { setuid setgid };
+
+# access to /proc/kmsg
+allow RIDL self:capability2 syslog;
+allow RIDL kernel:system syslog_mod;
+
+# allow access to /storage/ for sdcard
+allow RIDL storage_file:dir r_dir_perms;
+
+# allow logcat access
+#read_logd( RIDL );
+
+# allow netstats
+#allow RIDL system_api_service:service_manager find;
+
+# allow toybox execution for getprop on OS 24 and later
+allow RIDL vendor_toolbox_exec:file rx_file_perms;
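Review bot: `allow RIDL ramdump_device:chr_file rw_file_perms;` is granted on all build variants here, whereas the qti_logkit rules earlier in this commit place the equivalent `ramdump_device` rule inside `userdebug_or_eng`. Ramdump contents can include memory from other processes, so unless RIDL must collect them on user builds, move the rule into the existing `userdebug_or_eng` block near the end of the file. `set_prop(RIDL, powerctl_prop)` and `allow RIDL kernel:system syslog_mod;` are also unconditional. Both need a comment explaining why a logging daemon has to trigger reboots and modify kernel log state.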
diff --git a/legacy/vendor/common/rild.te b/legacy/vendor/common/rild.te
new file mode 100644
index 0000000..7cddb89
--- /dev/null
+++ b/legacy/vendor/common/rild.te
@@ -0,0 +1,85 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+qmux_socket(rild);
+#binder_use(rild)
+
+allow rild ssr_device:chr_file r_file_perms;
+
+allow rild sysfs_esoc:file w_file_perms;
+
+binder_call(rild, mediaserver)
+binder_call(rild, audioserver)
+binder_call(audioserver, rild)
+
+#Rule for RILD to talk to peripheral manager
+use_vendor_per_mgr(rild);
+
+allow rild rild_socket:chr_file r_file_perms;
+unix_socket_connect(rild, rild, time_daemon)
+allow rild system_health_monitor_device:chr_file r_file_perms;
+
+dontaudit rild domain:dir r_dir_perms;
+allow rild time_daemon:unix_stream_socket connectto;
+r_dir_file(rild, netmgrd)
+
+#Allow access to netmgrd socket
+netmgr_socket(rild);
+
+#allow rild { mediaserver_service audioserver_service }:service_manager find;
+
+# Rule for RILD to talk to peripheral manager
+use_vendor_per_mgr(rild);
+
+#diag
+userdebug_or_eng(`
+    diag_use(rild)
+    get_prop(rild, vendor_pd_locater_dbg_prop)
+')
+
+allow rild self:qipcrtr_socket create_socket_perms_no_ioctl;;
+allow rild self:{ socket qipcrtr_socket } ioctl;
+allowxperm rild self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
+
+allow rild vendor_radio_data_file:dir rw_dir_perms;
+allow rild vendor_radio_data_file:file create_file_perms;
+
+allow rild vendor_mbn_data_file:dir r_dir_perms;
+allow rild vendor_mbn_data_file:file r_file_perms;
+
+# qcril.so needs access to /vendor/radio/qcril_database/qcril.db
+allow rild vendor_file:file lock;
+
+hal_server_domain(rild, hal_secure_element)
+add_hwservice(rild, hal_iwlan_hwservice)
+
+add_hwservice(rild, hal_dataconnection_hwservice)
+
+get_prop(rild, exported3_radio_prop)
+set_prop(rild, vendor_xlat_prop)
+get_prop(rild, vendor_rild_libpath_prop)
+get_prop(rild, vendor_dataqdp_prop)
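Review bot: `allow rild rild_socket:chr_file r_file_perms;` pairs what is presumably a socket file type with the `chr_file` class, so the rule likely never matches a real object; if the intent is to reach the socket node the class should be `sock_file`, otherwise the rule can be removed. The hunk also has duplication to clean up: `use_vendor_per_mgr(rild);` appears twice, `allow rild time_daemon:unix_stream_socket connectto;` repeats what `unix_socket_connect(rild, rild, time_daemon)` already grants, and `create_socket_perms_no_ioctl;;` has a stray semicolon. `dontaudit rild domain:dir r_dir_perms;` suppresses every directory-read denial against other domains, so a narrower target would keep audit records that are useful when investigating unexpected access.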
diff --git a/legacy/vendor/common/rmt_storage.te b/legacy/vendor/common/rmt_storage.te
new file mode 100644
index 0000000..178901d
--- /dev/null
+++ b/legacy/vendor/common/rmt_storage.te
@@ -0,0 +1,64 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# rmt_storage - rmt_storage daemon
+type rmt_storage, domain;
+type rmt_storage_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(rmt_storage)
+
+allow rmt_storage {
+    modem_efs_partition_device
+    root_block_device
+    ssd_device
+}:blk_file rw_file_perms;
+allow rmt_storage block_device:dir r_dir_perms;
+allow rmt_storage cgroup:dir create_dir_perms;
+allow rmt_storage { smem_log_device uio_device }:chr_file rw_file_perms;
+
+# sys_admin is needed for ioprio_set
+allow rmt_storage self:capability {
+    setuid
+    setgid
+    net_bind_service
+    setpcap
+};
+
+set_prop(rmt_storage, ctl_vendor_rmt_storage_prop)
+
+#For Wakelocks
+wakelock_use(rmt_storage)
+
+allow rmt_storage self:{ socket qipcrtr_socket } create_socket_perms;
+allowxperm rmt_storage self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
+allow rmt_storage uio_device:chr_file rw_file_perms;
+
+#For access to the kmsg device
+allow rmt_storage kmsg_device:chr_file w_file_perms;
+
+#sysfs_uio
+r_dir_file(rmt_storage, sysfs_uio)
+r_dir_file(rmt_storage, sysfs_uio_file)
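Review bot: The comment `# sys_admin is needed for ioprio_set` sits above a capability set that does not contain `sys_admin` (only `setuid setgid net_bind_service setpcap`), so it misdescribes what is granted. Either drop it or replace it with one line per capability saying why the daemon needs it, e.g. `# setuid/setgid: drop privileges after start-up` if that is the actual reason. The later `allow rmt_storage uio_device:chr_file rw_file_perms;` repeats what the `{ smem_log_device uio_device }` rule already grants and can be removed. The `rw_file_perms` on `root_block_device` deserves a justification comment too: if that type labels the whole-disk node, as it does in AOSP, this is raw write access to every partition.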
diff --git a/legacy/vendor/common/seapp_contexts b/legacy/vendor/common/seapp_contexts
new file mode 100644
index 0000000..18cdfb6
--- /dev/null
+++ b/legacy/vendor/common/seapp_contexts
@@ -0,0 +1,60 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Add new domain for Location services
+user=system seinfo=platform name=com.qualcomm.location.XT isPrivApp=true domain=location_app type=system_app_data_file
+
+#Add new domain for QSEE services
+user=system seinfo=platform name=com.qualcomm.qti.auth.fidocryptoservice domain=qsee_svc_app type=system_app_data_file
+
+#Add new domain for MDTP services
+user=system seinfo=platform name=com.qualcomm.qti.securemsm.mdtp.MdtpService domain=mdtpservice_app type=mdtp_svc_app_data_file
+
+
+# AtFwd app
+user=_app seinfo=platform name=com.qualcomm.telephony domain=qtelephony type=app_data_file levelFrom=all
+
+#Add new domain for QDMA
+user=system seinfo=platform name=com.qualcomm.qti.qdma domain=qdma_app type=system_app_data_file
+
+# Add time service app
+user=_app seinfo=platform name=com.qualcomm.timeservice domain=timeservice_app type=app_data_file levelFrom=all
+
+#Add new domain for logkit services
+user=system seinfo=platform name=com.qualcomm.qti.logkit domain=qti_logkit_app type=system_app_data_file
+
+#Add new domain for imshelper service
+user=system seinfo=platform name=.imshelperservice domain=imshelper_app type=imshelper_app_data_file
+
+#Add new domain for perfdump app
+user=system seinfo=platform name=com.qualcomm.qti.perfdump domain=perfdump_app type=system_app_data_file
+
+#Add new domain for power off alarm app
+user=system seinfo=platform name=com.qualcomm.qti.poweroffalarm domain=poweroffalarm_app type=system_app_data_file
+
+#add new domain for qtidataservices
+user=radio seinfo=platform name=.qtidataservices domain=qtidataservices_app type=radio_data_file
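Review bot: The entries `name=.imshelperservice` and `name=.qtidataservices` are the only selectors in this file without a package prefix, and their comments do not say which package declares those process names. Only `user=` and `seinfo=platform` narrow the match beyond that, so a reader cannot tell which APK is expected to land in `imshelper_app` or `qtidataservices_app`. I would add the owning package to each comment, for example `# process name declared by <package>; runs as radio uid`. The first entry also sets `isPrivApp=true` while the other `user=system` entries do not; if that difference is deliberate, it is worth a one-line note.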
diff --git a/legacy/vendor/common/sec_nvm.te b/legacy/vendor/common/sec_nvm.te
new file mode 100644
index 0000000..a7cf1cd
--- /dev/null
+++ b/legacy/vendor/common/sec_nvm.te
@@ -0,0 +1,57 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# sec_nvm service
+type sec_nvm, domain;
+
+type sec_nvm_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(sec_nvm)
+
+# Allow access to spcom device
+allow sec_nvm spcom_device:chr_file rw_file_perms;
+
+# Allow access to skp device
+allow sec_nvm skp_device:chr_file rw_file_perms;
+
+# Allow access to sp_ssr device
+allow sec_nvm sp_ssr_device:chr_file rw_file_perms;
+
+# Allow access to spcom channel sec_nvm device
+allow sec_nvm sec_nvm_device:chr_file rw_file_perms;
+
+# Allow to rw secnvm files
+allow sec_nvm mnt_vendor_file:dir search;
+allow sec_nvm persist_secnvm_file:dir rw_dir_perms;
+allow sec_nvm persist_secnvm_file:file create_file_perms;
+
+# Allow access to ion device
+allow sec_nvm ion_device:chr_file rw_file_perms;
+
+# Allow set/get prop to set/check if app is loaded
+set_prop(sec_nvm, spcomlib_prop)
+allow sec_nvm sysfs_data:file r_file_perms;
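Review bot: The last rule, `allow sec_nvm sysfs_data:file r_file_perms;`, sits under the "set/get prop" comment but has nothing to do with properties, and it is the only grant in this file without its own explanation. Every other rule here names the device it opens, so add a comment naming the sysfs node the daemon reads. spdaemon.te ends with the same uncommented rule.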
diff --git a/legacy/vendor/common/secotad.te b/legacy/vendor/common/secotad.te
new file mode 100644
index 0000000..bbd062d
--- /dev/null
+++ b/legacy/vendor/common/secotad.te
@@ -0,0 +1,51 @@
+#Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+#Redistribution and use in source and binary forms, with or without
+#modification, are permitted provided that the following conditions are
+#met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+#ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type secotad, domain;
+type secotad_exec, exec_type, vendor_file_type, file_type;
+
+#Allow for transition from init domain to secota daemon
+init_daemon_domain(secotad)
+
+#Allow secotad to use Binder IPC
+#binder_use(secotad)
+
+#Allow apps to interact with secotad
+binder_call(secotad, platform_app)
+binder_call(secotad, system_app)
+
+#Mark secotad as a Binder service domain
+#binder_service(secotad)
+
+#Allow secotad to be registered with service manager
+allow secotad secotad_service:service_manager add;
+
+#Allow access to tee device
+allow secotad tee_device:chr_file rw_file_perms;
+
+#Allow access to firmware
+r_dir_file(secotad, firmware_file)
\ No newline at end of file
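Review bot: The comment `#Allow apps to interact with secotad` does not match the direction of `binder_call(secotad, platform_app)` and `binder_call(secotad, system_app)`. As the macro is defined in AOSP's te_macros, it grants `call` and `transfer` from the first domain to the second, so these lines let secotad call into the apps rather than the reverse. If only callbacks are intended, say so in the comment; if apps are the callers, the arguments are reversed. With `binder_use` and `binder_service` commented out, `allow secotad secotad_service:service_manager add;` looks unreachable unless binder access is granted elsewhere, so it should be removed or explained. seemp_health_daemon.te has the same pattern, and this file also lacks a trailing newline.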
diff --git a/legacy/vendor/common/seemp_health_daemon.te b/legacy/vendor/common/seemp_health_daemon.te
new file mode 100644
index 0000000..839e577
--- /dev/null
+++ b/legacy/vendor/common/seemp_health_daemon.te
@@ -0,0 +1,55 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type seemp_health_daemon, domain;
+type seemp_health_daemon_exec, exec_type, vendor_file_type, file_type;
+
+#Allow for transition from init domain to seemp_health_daemon
+init_daemon_domain(seemp_health_daemon)
+
+#Allow seemp_health_daemon to use Binder IPC
+#binder_use(seemp_health_daemon)
+
+#Allow apps to interact with seemp_health_daemon
+binder_call(seemp_health_daemon, platform_app)
+binder_call(seemp_health_daemon, system_app)
+
+#Mark seemp_health_daemon as a Binder service domain
+#binder_service(seemp_health_daemon)
+
+#Allow seemp_health_daemon to be registered with service manager
+allow seemp_health_daemon seemp_health_daemon_service:service_manager add;
+
+#Allow access to tee device
+allow seemp_health_daemon tee_device:chr_file rw_file_perms;
+
+#Allow access to firmware
+allow seemp_health_daemon firmware_file:dir r_dir_perms;
+allow seemp_health_daemon firmware_file:file r_file_perms;
+
+allow seemp_health_daemon ion_device:chr_file r_file_perms;
+allow seemp_health_daemon proc:file r_file_perms;
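Review bot: `allow seemp_health_daemon proc:file r_file_perms;` grants read on every /proc entry that still carries the generic `proc` label, and neither it nor the `ion_device` rule above it has a comment. For a daemon that also opens `tee_device` read-write, the specific /proc file should be identified and given its own type, or the reason recorded here, e.g. `# reads /proc/<entry> for <purpose>`. The binder rules in this file have the same direction and dead-rule concerns as in secotad.te.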
diff --git a/legacy/vendor/common/sensors.te b/legacy/vendor/common/sensors.te
new file mode 100644
index 0000000..c7bdd45
--- /dev/null
+++ b/legacy/vendor/common/sensors.te
@@ -0,0 +1,111 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Policy for sensor daemon
+type sensors, domain;
+type sensors_exec, exec_type, vendor_file_type, file_type;
+
+# Started by init
+init_daemon_domain(sensors)
+
+allow sensors self:capability {
+    # Change own perms to (nobody,nobody)
+    setuid
+    setgid
+    # Chown /data/misc/sensors/debug/ to nobody
+    chown
+    # Access /data/misc/sensors/debug and /data/system/sensors/settings
+    net_bind_service
+};
+
+dontaudit sensors self:capability { fsetid net_raw };
+
+# Sensors socket
+allow sensors sensors_socket:sock_file create_file_perms;
+type_transition sensors socket_device:sock_file sensors_socket "sensor_ctl_socket";
+allow sensors socket_device:dir rw_dir_perms;
+
+# Create directories and files under /data/misc/sensors
+# and /data/system/sensors. Allow generic r/w file access.
+
+# Access sensor nodes (/dev/msm_dsps, /dev/sensors)
+allow sensors sensors_device:chr_file rw_file_perms;
+
+# Access to /persist/sensors
+allow sensors mnt_vendor_file:dir r_dir_perms;
+allow sensors sensors_persist_file:dir create_dir_perms;
+allow sensors sensors_persist_file:file create_file_perms;
+
+# Access to execmem
+allow sensors self:process execmem;
+
+# Wake lock access
+wakelock_use(sensors)
+
+allow sensors cgroup:dir { create add_name };
+
+allow sensors self:{ socket qipcrtr_socket } create_socket_perms;
+# ioctlcmd=c304
+allowxperm sensors self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
+
+# Access to other devices
+allow sensors smd_device:chr_file rw_file_perms;
+allow sensors smem_log_device:chr_file rw_file_perms;
+allow sensors device_latency:chr_file w_file_perms;
+
+# Access to tests from userdebug/eng builds
+userdebug_or_eng(`
+  domain_auto_trans(shell, sensors_exec, sensors)
+  diag_use(sensors)
+
+  # For starting diag_mdlog
+  allow sensors vendor_shell_exec:file execute_no_trans;
+  allow sensors qlogd_exec:file execute_no_trans;
+  allow sensors storage_file:lnk_file read;
+
+  # For Reading/creating/opening named pipe for diag flush
+  allow sensors sensors_persist_file:fifo_file { create open read };
+')
+
+#binder_use(sensors)
+#binder_call(sensors, servicemanager)
+binder_call(sensors, vendor_per_mgr)
+
+allow sensors sysfs:dir r_dir_perms;
+allow sensors sysfs_socinfo:file w_file_perms;
+allow sensors sysfs_data:file r_file_perms;
+
+allow sensors dsp_device:chr_file r_file_perms;
+allow sensors ion_device:chr_file r_file_perms;
+allow sensors qdsp_device:chr_file r_file_perms;
+allow sensors xdsp_device:chr_file r_file_perms;
+
+
+# For reading dir/files on /dsp
+r_dir_file(sensors, adsprpcd_file)
+# For reading adsprpc_prop
+get_prop(sensors, adsprpc_prop)
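Review bot: `allow sensors self:process execmem;` is documented only as `# Access to execmem`, which restates the rule without giving the reason. execmem lets the daemon create anonymous executable mappings and weakens W^X for a process that is reachable over `sensor_ctl_socket`, so the comment should name the library or code path that needs it, or the permission should be dropped. In the capability block, the comment `# Access /data/misc/sensors/debug and /data/system/sensors/settings` sits above `net_bind_service`, which does not govern file access; it looks left over from a removed capability. The "Create directories and files under /data/misc/sensors" comment has no rule following it. Both should be corrected or deleted so the comments match what is granted.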
diff --git a/legacy/vendor/common/service.te b/legacy/vendor/common/service.te
new file mode 100644
index 0000000..5a0ffe9
--- /dev/null
+++ b/legacy/vendor/common/service.te
@@ -0,0 +1,42 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type iqfp_service,                service_manager_type;
+type qfp_proxy_service,           service_manager_type;
+type atfwd_service,               service_manager_type;
+type fidodaemon_service,          service_manager_type;
+type seemp_health_daemon_service, service_manager_type;
+type secotad_service,             service_manager_type;
+type wbc_service,                 service_manager_type;
+type dun_service,                 service_manager_type;
+type imsrcs_service,              service_manager_type;
+type improve_touch_service,       service_manager_type;
+type usf_service,                 service_manager_type;
+type dtseagleservice_service,     service_manager_type;
+type gba_auth_service,            service_manager_type;
+type mdtpdaemon_service,          service_manager_type;
+type qtitetherservice_service,    service_manager_type;
diff --git a/legacy/vendor/common/shell.te b/legacy/vendor/common/shell.te
new file mode 100644
index 0000000..e083d54
--- /dev/null
+++ b/legacy/vendor/common/shell.te
@@ -0,0 +1,34 @@
+# Copyright (c) 2015-2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+# allow read access for shell
+r_dir_file(shell, RIDL_data_file)
+
+# allow read access for shell
+r_dir_file(shell, qti_logkit_priv_data_file)
+r_dir_file(shell, qti_logkit_pub_data_file)
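Review bot: These three `r_dir_file(shell, …)` rules are unconditional, so the adb shell domain can read `RIDL_data_file` and both logkit data types on user builds as well. The type name `qti_logkit_priv_data_file` suggests private log data; if that is the case, shell read access should be limited to debug builds by wrapping the rules in the `userdebug_or_eng` macro, as sensors.te and ssr_diag.te in this commit do for their diagnostic rules. Both comments say only `# allow read access for shell`; they should state what the data is and why the shell needs it.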
diff --git a/legacy/vendor/common/spdaemon.te b/legacy/vendor/common/spdaemon.te
new file mode 100644
index 0000000..a43cd6c
--- /dev/null
+++ b/legacy/vendor/common/spdaemon.te
@@ -0,0 +1,67 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# spdaemon service
+type spdaemon, domain;
+
+type spdaemon_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(spdaemon)
+
+# Allow access to spcom device
+allow spdaemon spcom_device:chr_file rw_file_perms;
+
+# Allow access to skp device
+allow spdaemon skp_device:chr_file rw_file_perms;
+
+# Allow access to sp_ssr device
+allow spdaemon spdaemon_ssr_device:chr_file rw_file_perms;
+allow spdaemon sp_ssr_device:chr_file rw_file_perms;
+
+# Allow access to sp_keymaster device
+allow spdaemon sp_keymaster_device:chr_file rw_file_perms;
+
+# Allow access to cryptoapp device
+allow spdaemon cryptoapp_device:chr_file rw_file_perms;
+
+# Allow access to ion device
+allow spdaemon ion_device:chr_file rw_file_perms;
+
+# Allow to load SPSS firmware images
+r_dir_file(spdaemon, firmware_file);
+
+# Allow get system info
+r_dir_file(spdaemon, sysfs)
+
+# Allow SPSS-PIL via Peripheral Manager
+#binder_use(spdaemon)
+use_vendor_per_mgr(spdaemon)
+
+# Allow set/get prop to set/check if app is loaded
+set_prop(spdaemon, spcomlib_prop)
+
+allow spdaemon sysfs_data:file r_file_perms;
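Review bot: `r_dir_file(spdaemon, sysfs)` under `# Allow get system info` gives the secure-processor daemon read access to every directory, file and symlink that still has the generic `sysfs` label. That is much broader than "system info" implies. If the daemon only needs SoC identification, a dedicated type such as the `sysfs_socinfo` used in sensors.te would be tighter (assuming it labels the nodes in question); otherwise the comment should list the paths read. `r_dir_file(spdaemon, firmware_file);` carries a trailing semicolon that the other macro calls in this file do not, and the final `sysfs_data` rule has no comment.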
diff --git a/legacy/vendor/common/ssgqmigd.te b/legacy/vendor/common/ssgqmigd.te
new file mode 100644
index 0000000..fc41914
--- /dev/null
+++ b/legacy/vendor/common/ssgqmigd.te
@@ -0,0 +1,35 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# ssgqmigd - SSG QMI Gateway Daemon
+type ssgqmigd, domain, mlstrustedsubject;
+type ssgqmigd_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(ssgqmigd)
+
+allow ssgqmigd self:{ socket qipcrtr_socket } create_socket_perms;
+allowxperm ssgqmigd self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
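Review bot: `type ssgqmigd, domain, mlstrustedsubject;` exempts the daemon from MLS constraints, but the only rules in this file are on its own sockets and nothing visible crosses a security level. The attribute should be removed if it is not needed, or given a comment naming the cross-level access that requires it, e.g. `# mlstrustedsubject: needed to reach <peer> running with app categories`. ssgtzd.te declares the same attribute; there the `ssg_app:unix_stream_socket connectto` rule may be the reason, but it is not stated either.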
diff --git a/legacy/vendor/common/ssgtzd.te b/legacy/vendor/common/ssgtzd.te
new file mode 100644
index 0000000..b917d9e
--- /dev/null
+++ b/legacy/vendor/common/ssgtzd.te
@@ -0,0 +1,40 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# ssgtzd - SSG TZ Daemon
+type ssgtzd, domain, mlstrustedsubject;
+type ssgtzd_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(ssgtzd)
+
+#Allow access to smcinvoke device
+allow ssgtzd smcinvoke_device:chr_file rw_file_perms;
+
+allow ssgtzd ssg_app:unix_stream_socket connectto;
+#Allow access to firmware/image
+allow ssgtzd vendor_firmware_file:dir r_dir_perms;
+allow ssgtzd vendor_firmware_file:file r_file_perms;
diff --git a/legacy/vendor/common/ssr_diag.te b/legacy/vendor/common/ssr_diag.te
new file mode 100644
index 0000000..85527ee
--- /dev/null
+++ b/legacy/vendor/common/ssr_diag.te
@@ -0,0 +1,35 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type vendor_ssr_diag, domain;
+type vendor_ssr_diag_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_ssr_diag);
+
+userdebug_or_eng(`
+  allow vendor_ssr_diag sysfs:file w_file_perms;
+  diag_use(vendor_ssr_diag)
+')
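Review bot: `allow vendor_ssr_diag sysfs:file w_file_perms;` opens every generically labelled sysfs file for writing. It is confined to userdebug/eng builds, but it is still wider than an SSR diagnostic tool should need. ssr_setup.te in this same commit uses dedicated `sysfs_ssr` and `sysfs_ssr_toggle` types, and pointing this rule at whichever of those covers the nodes being written would keep the grant scoped. A short comment saying what is written would also help, and `init_daemon_domain(vendor_ssr_diag);` has a stray trailing semicolon.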
diff --git a/legacy/vendor/common/ssr_setup.te b/legacy/vendor/common/ssr_setup.te
new file mode 100644
index 0000000..eee173f
--- /dev/null
+++ b/legacy/vendor/common/ssr_setup.te
@@ -0,0 +1,44 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Policy for ssr_setup
+# ssr_setup - ssr_setup domain
+type vendor_ssr_setup, domain;
+type vendor_ssr_setup_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_ssr_setup);
+
+# Required to enable/disable ssr
+r_dir_file(vendor_ssr_setup, sysfs_ssr)
+allow vendor_ssr_setup sysfs_ssr:lnk_file w_file_perms;
+allow vendor_ssr_setup sysfs_ssr_toggle:file rw_file_perms;
+
+# Keeping this here till sysfs labeling is resolved
+allow vendor_ssr_setup sysfs_data:file r_file_perms;
+allow vendor_ssr_setup sysfs:file w_file_perms;
+allow vendor_ssr_setup sysfs_data:file r_file_perms;
+
+get_prop(vendor_ssr_setup, vendor_ssr_prop)
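Review bot: `allow vendor_ssr_setup sysfs:file w_file_perms;` gives this daemon write access to every file still carrying the generic `sysfs` label, on all build variants, although the dedicated `sysfs_ssr` and `sysfs_ssr_toggle` types above already cover the stated purpose. The comment says the rule stays until sysfs labeling is resolved; I would name the nodes that still lack a label there, e.g. `# TODO: remove once <node paths> are labelled sysfs_ssr`, so the rule can be dropped once they are labelled. The rule `allow vendor_ssr_setup sysfs_data:file r_file_perms;` also appears twice in this block and one copy can go.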
diff --git a/legacy/vendor/common/subsystem_ramdump.te b/legacy/vendor/common/subsystem_ramdump.te
new file mode 100644
index 0000000..16276ce
--- /dev/null
+++ b/legacy/vendor/common/subsystem_ramdump.te
@@ -0,0 +1,40 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type vendor_subsystem_ramdump, domain;
+type vendor_subsystem_ramdump_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_subsystem_ramdump);
+
+userdebug_or_eng(`
+  allow vendor_subsystem_ramdump ramdump_device:chr_file r_file_perms;
+  allow vendor_subsystem_ramdump device:dir r_dir_perms;
+
+  allow vendor_subsystem_ramdump vendor_ramdump_data_file:file create_file_perms;
+  allow vendor_subsystem_ramdump vendor_ramdump_data_file:dir rw_dir_perms;
+  allow vendor_subsystem_ramdump vendor_mdmhelperdata_data_file:dir r_dir_perms;
+  allow vendor_subsystem_ramdump vendor_mdmhelperdata_data_file:file r_file_perms;
+')
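Review bot: Nothing in this file says that every allow rule sits inside `userdebug_or_eng`, so on user builds the domain is declared and entered through `init_daemon_domain` with none of these permissions. A header comment such as `# Ramdump collection is debug-only; no access is granted on user builds.` would make that intent explicit. `allow vendor_subsystem_ramdump device:dir r_dir_perms;` would also benefit from a why-comment, since it lets the daemon list the generically labelled device directory rather than only open `ramdump_device` nodes.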
diff --git a/legacy/vendor/common/surfaceflinger.te b/legacy/vendor/common/surfaceflinger.te
new file mode 100644
index 0000000..0ffa765
--- /dev/null
+++ b/legacy/vendor/common/surfaceflinger.te
@@ -0,0 +1,52 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+typeattribute surfaceflinger system_writes_vendor_properties_violators;
+allow surfaceflinger sysfs_graphics:file rw_file_perms;
+
+# Use open file provided by poweroffhandler
+binder_call(surfaceflinger, poweroffhandler);
+
+binder_call(surfaceflinger, location)
+binder_call(surfaceflinger, tee)
+
+#Allow access to fastmmi
+binder_call(surfaceflinger, vendor_mmi)
+
+#Allow access to cameraserver service
+allow surfaceflinger cameraserver_service:service_manager find;
+
+#Allow access to binder callback's to camera hal
+hal_client_domain(surfaceflinger, hal_camera)
+
+#diag
+userdebug_or_eng(`
+    diag_use(surfaceflinger)
+')
+
+get_prop(surfaceflinger, vendor_gralloc_prop)
+get_prop(surfaceflinger, vendor_display_prop)
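Review bot: `typeattribute surfaceflinger system_writes_vendor_properties_violators;` exempts surfaceflinger from the check that keeps system domains from writing vendor properties, yet the only property rules in this file are `get_prop` for `vendor_gralloc_prop` and `vendor_display_prop`. If no `set_prop` on a vendor property exists for this domain elsewhere in the policy, the attribute can be removed; otherwise add a comment naming the property that requires it. The `binder_call` rules for `location` and `tee` also carry no comment explaining why the compositor needs to call those domains.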
diff --git a/legacy/vendor/common/sysmonapp/keys.conf b/legacy/vendor/common/sysmonapp/keys.conf
new file mode 100644
index 0000000..4c650c8
--- /dev/null
+++ b/legacy/vendor/common/sysmonapp/keys.conf
@@ -0,0 +1,29 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+[@SYSMONAPP]
+ALL : device/qcom/sepolicy/legacy/vendor/common/sysmonapp/sysmonapp_app_cert.x509.pem
diff --git a/legacy/vendor/common/sysmonapp/mac_permissions.xml b/legacy/vendor/common/sysmonapp/mac_permissions.xml
new file mode 100644
index 0000000..1b87982
--- /dev/null
+++ b/legacy/vendor/common/sysmonapp/mac_permissions.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!--
+Copyright (c) 2018, The Linux Foundation. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above
+      copyright notice, this list of conditions and the following
+      disclaimer in the documentation and/or other materials provided
+      with the distribution.
+    * Neither the name of The Linux Foundation nor the names of its
+      contributors may be used to endorse or promote products derived
+      from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+-->
+
+<policy>
+    <signer signature="@SYSMONAPP" >
+      <seinfo value="sysmonapp" />
+    </signer>
+</policy>
diff --git a/legacy/vendor/common/sysmonapp/seapp_contexts b/legacy/vendor/common/sysmonapp/seapp_contexts
new file mode 100644
index 0000000..f974b9e
--- /dev/null
+++ b/legacy/vendor/common/sysmonapp/seapp_contexts
@@ -0,0 +1,30 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# sysmonapp applications
+user=_app seinfo=sysmonapp domain=sysmonapp_app name=com.qualcomm.sysmonappInternal type=app_data_file levelFrom=all
+user=_app seinfo=sysmonapp domain=sysmonapp_app name=com.qualcomm.qti.sysmonappExternal type=app_data_file levelFrom=all
diff --git a/legacy/vendor/common/sysmonapp/sysmonapp_app.te b/legacy/vendor/common/sysmonapp/sysmonapp_app.te
new file mode 100644
index 0000000..f2d1482
--- /dev/null
+++ b/legacy/vendor/common/sysmonapp/sysmonapp_app.te
@@ -0,0 +1,43 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+## sysmonapp_app
+## This file defines permissions that sysmonapp_app can carry
+
+type sysmonapp_app, domain;
+app_domain(sysmonapp_app);
+
+# For service manager access
+allow sysmonapp_app app_api_service:service_manager find;
+
+# For access to camera and media
+allow sysmonapp_app cameraserver_service:service_manager find;
+allow sysmonapp_app mediaserver_service:service_manager find;
+
+# To access FastRPC devices
+allow sysmonapp_app qdsp_device:chr_file r_file_perms;
+allow sysmonapp_app xdsp_device:chr_file r_file_perms;
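Review bot: The two FastRPC rules grant `r_file_perms` on `qdsp_device` and `xdsp_device`, which in the AOSP macro set includes `ioctl`, and no `allowxperm` allowlist is visible in this file, so the app domain appears to reach the DSP driver's whole ioctl interface. Entry into the domain rests on the `sysmonapp` seinfo and the package names in seapp_contexts, so the signing certificate is the only gate. I would add a comment stating which device operations the app needs, e.g. `# FastRPC: open + <required ioctls> only`, and restrict the ioctl commands with `allowxperm` if that set is known.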
diff --git a/legacy/vendor/common/sysmonapp/sysmonapp_app_cert.x509.pem b/legacy/vendor/common/sysmonapp/sysmonapp_app_cert.x509.pem
new file mode 100644
index 0000000..0dc0867
--- /dev/null
+++ b/legacy/vendor/common/sysmonapp/sysmonapp_app_cert.x509.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/legacy/vendor/common/system_server.te b/legacy/vendor/common/system_server.te
new file mode 100644
index 0000000..e88c36f
--- /dev/null
+++ b/legacy/vendor/common/system_server.te
@@ -0,0 +1,212 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+typeattribute system_server system_writes_vendor_properties_violators;
+allow system_server self:capability sys_module;
+
+# allow system_server to communicate with cnd process over cnd_socket
+#unix_socket_connect(system_server, cnd, cnd)
+
+# Access to sensors socket
+#unix_socket_connect(system_server, sensors, sensors)
+#unix_socket_send(system_server, sensors, sensors)
+#allow system_server sensors:unix_stream_socket sendto;
+#allow system_server sensors_socket:sock_file r_file_perms;
+#qmux_socket(system_server);
+
+allow system_server self:socket create_socket_perms;
+allowxperm system_server self:socket ioctl msm_sock_ipc_ioctls;
+allow system_server sysfs_sensors:dir search;
+allow system_server sysfs_sensors:file rw_file_perms;
+
+allow system_server {
+    # For wifistatemachine
+    wbc_service
+    # Allow system_server to add digital pen system service
+    usf_service
+    #dpmservice
+}:service_manager add;
+
+allow system_server qtitetherservice_service:service_manager find;
+
+#For ANT tty communication and to set wc_transport prop
+allow system_server {
+    vendor_bluetooth_prop
+    usf_prop
+}:property_service set;
+
+# required for ANT App to connectto wcnss_filter sockets
+allow system_server bluetooth:unix_stream_socket connectto;
+# access to iop
+unix_socket_send(system_server, iop, dumpstate)
+unix_socket_connect(system_server, iop, dumpstate)
+
+# allow  system/framework applications to update the dpmd configuration files
+#unix_socket_connect(system_server, dpmd, dpmd);
+#allow system_server { dpmd_socket socket_device }:sock_file w_file_perms;
+#allow system_server dpmd_data_file:dir create_dir_perms;
+#allow system_server dpmd_data_file:file create_file_perms;
+
+# For location
+binder_call(system_server, location);
+type_transition system_server location_data_file:sock_file location_socket "location-mq-s";
+type_transition system_server location_data_file:sock_file location_socket "alarm_svc";
+#allow system_server location:unix_stream_socket connectto;
+#allow system_server location_socket:sock_file create_file_perms;
+
+#For wifistatemachine
+allow system_server kernel:key search;
+allow system_server wlan_device:chr_file rw_file_perms;
+set_prop(system_server, vendor_softap_prop)
+get_prop(system_server, vendor_softap_prop)
+
+#For ssr
+allow system_server ssr_device:chr_file r_file_perms;
+
+allow system_server { fuse }:dir search;
+
+allow system_server proc_audiod:file r_file_perms;
+
+allow system_server {
+    serial_device
+    smd_device
+    # graphics_device, audio_device, tee_device is for WFD
+    graphics_device
+    audio_device
+    tee_device
+    #allow access to power control ANT chip
+    bt_device
+}:chr_file rw_file_perms;
+
+# Allow system server access to usf resources
+allow system_server usf:process signal;
+#allow system_server usf:unix_stream_socket connectto;
+
+get_prop(system_server, vendor_xlat_prop)
+
+# For WFD
+allow system_server graphics_device:dir r_dir_perms;
+userdebug_or_eng(`
+get_prop(system_server, wfd_debug_prop)
+')
+
+#Allow access to netmgrd socket
+#netmgr_socket(system_server);
+# So init can manage our process
+allow system_server RIDL:fd use;
+allow system_server RIDL:fifo_file write;
+
+# So init can manage our process
+allow system_server qti_logkit:fd use;
+allow system_server qti_logkit:fifo_file write;
+
+#Rules for system server to talk to peripheral manager
+get_prop(system_server, vendor_per_mgr_state_prop);
+
+# Allow system server access to qfp daemon
+binder_call(system_server, qfp-daemon);
+binder_call(system_server, fps_hal)
+allow system_server iqfp_service:service_manager find;
+
+# For shutdown animation
+allow system_server ctl_bootanim_prop:property_service set;
+
+# allow tethering to access dhcp leases
+r_dir_file(system_server, dhcp_data_file)
+
+# Allow system server to access fst,wigig system properties
+set_prop(system_server, fst_prop)
+get_prop(system_server, fst_prop)
+set_prop(system_server, wigig_prop)
+
+#allow access to fingerprintd data file
+allow system_server fingerprintd_data_file:file { r_file_perms unlink };
+allow system_server fingerprintd_data_file:dir { rw_dir_perms rmdir };
+
+#for Wifi module this is needed
+allow system_server system_file:system module_load;
+
+userdebug_or_eng(`
+  diag_use(system_server)
+')
+
+# allow access to low persistence mode sysfs node
+allow system_server sysfs_graphics:file rw_file_perms;
+
+# timerslack_ns
+allow system_server { location_app system_app } :file write;
+
+#OpenGLES version
+get_prop(system_server, vendor_opengles_prop)
+#get_prop(system_server, qemu_hw_mainkeys_prop)
+
+get_prop(system_server, hwui_prop)
+get_prop(system_server, bservice_prop)
+get_prop(system_server, reschedule_service_prop)
+allow system_server appdomain:file w_file_perms;
+get_prop(system_server, vendor_cgroup_follow_prop)
+
+# Allow system_server to access ActivityManager tuning properties from vendor
+get_prop(system_server, vendor_am_prop)
+get_prop(system_server, vendor_mpctl_prop)
+
+# IPC call for sensor feed
+binder_call(system_server, hal_graphics_composer)
+binder_call(system_server, hal_camera)
+binder_call(system_server, mm-pp-daemon)
+
+# Ant ipc
+hal_client_domain(system_server,hal_bluetooth);
+
+hal_client_domain(system_server, hal_perf)
+hal_client_domain(system_server, hal_sensors)
+
+# allow WIGIG framework hosted in system_server to access wigig_hal
+hal_client_domain(system_server, hal_wigig)
+# allow WIGIG framework to access network performance tuner
+hal_client_domain(system_server, hal_wigig_npt)
+# allow WIGIG framework access to wil6210 sysfs files like thermal_throttling
+allow system_server sysfs_wigig:file rw_file_perms;
+
+# allow system_server to access IOP HAL service
+hal_client_domain(system_server, hal_iop)
+
+# Allow Gesture based boost from System Server
+get_prop(system_server, vendor_scroll_prop)
+
+# allow system_server to access vendor display property.
+get_prop(system_server, vendor_display_prop)
+get_prop(system_server, vendor_iop_prop)
+
+# allow system server to get mirrorlink connection status prop
+get_prop(system_server, vendor_mirrorlink_prop)
+
+# allow system server to get vendor_audio_prop
+get_prop(system_server, vendor_audio_prop)
+
+# allow system_server to access IWifiStats HAL service
+hal_client_domain(system_server, hal_wifilearner)
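Review bot: `allow system_server self:capability sys_module;` together with `allow system_server system_file:system module_load;` lets system_server load kernel modules from any file labelled `system_file`, and the only justification given is `#for Wifi module this is needed`. I would move module loading into a dedicated vendor domain, or at minimum document which module needs it; platform neverallow rules may also reject this pair on newer releases. Separately, `allow system_server appdomain:file w_file_perms;` has no comment at all. The two `# So init can manage our process` comments above the RIDL and qti_logkit rules do not describe the fd/fifo access they grant.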
diff --git a/legacy/vendor/common/tbaseLoader.te b/legacy/vendor/common/tbaseLoader.te
new file mode 100644
index 0000000..79ec00b
--- /dev/null
+++ b/legacy/vendor/common/tbaseLoader.te
@@ -0,0 +1,37 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# tbase loader
+type tbaseLoader, domain;
+type tbaseLoader_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(tbaseLoader)
+
+# Allow tbaseLoader to use qseecom services for loading the app
+allow tbaseLoader tee_device:chr_file rw_file_perms;
+
+# Allow tbaseLoader to access the firmware files
+r_dir_file(tbaseLoader, firmware_file)
diff --git a/legacy/vendor/common/te_macros b/legacy/vendor/common/te_macros
new file mode 100644
index 0000000..a110eeb
--- /dev/null
+++ b/legacy/vendor/common/te_macros
@@ -0,0 +1,151 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#####################################
+# qmux_socket(clientdomain)
+# Allow client domain to connecto and send
+# via a local socket to the qmux domain.
+# Also allow the client domain to remove
+# its own socket.
+define(`qmux_socket', `
+allow $1 qmuxd_socket:dir create_dir_perms;
+unix_socket_connect($1, qmuxd, qmuxd)
+allow $1 qmuxd_socket:sock_file { read getattr write setattr create unlink };
+')
+
+#####################################
+# netmgr_socket(clientdomain)
+# Allow client domain to connecto and send
+# via a local socket to the netmgrd domain.
+# Also allow the client domain to remove
+# its own socket.
+define(`netmgr_socket', `
+allow $1 netmgrd_socket:dir r_dir_perms;
+unix_socket_connect($1, netmgrd, netmgrd)
+allow $1 netmgrd_socket:sock_file { read getattr write };
+')
+
+########################################
+# peripheral_manager
+# Allow clients to interact with peripheral
+# manager
+define(`use_vendor_per_mgr', `
+vndbinder_use($1);
+binder_call(vendor_per_mgr, $1);
+binder_call($1, vendor_per_mgr);
+allow $1 vendor_per_mgr_service:service_manager find;
+get_prop($1, vendor_per_mgr_state_prop);
+')
+
+#####################################
+# cnd_nims_socket_perm(clientdomain)
+# allow cnd to read /proc/pid/cmdline to get appname
+# allow cnd to use inet socket created by app.
+define(`cnd_nims_socket_perm', `
+allow cnd $1:dir r_dir_perms;
+allow cnd $1:file r_file_perms;
+allow cnd $1:fd use;
+allow cnd $1:tcp_socket rw_socket_perms;
+')
+
+#####################################
+# diag_use(clientdomain)
+# allow clientdomain to read/write to diag
+define(`diag_use', `
+r_dir_file($1, sysfs_diag)
+allow $1 diag_device:chr_file rw_file_perms;
+')
+
+#####################################
+# use_netutils(clientdomain)
+# allow access to netutils from vendor
+define(`use_netutils', `
+domain_auto_trans($1, netutils_wrapper_exec, netutils_wrapper)
+allow netutils_wrapper $1:fd use;
+allow netutils_wrapper $1:fifo_file { read write getattr };
+allow netutils_wrapper $1:netlink_route_socket { read write };
+allow netutils_wrapper $1:unix_stream_socket { read write };
+allow netutils_wrapper $1:netlink_generic_socket { read write };
+allow netutils_wrapper $1:netlink_xfrm_socket { read write };
+allow netutils_wrapper $1:udp_socket { read write };
+allow netutils_wrapper $1:tcp_socket { read write };
+')
+
+#####################################
+## hal_server_domain_bypass(domain, hal_type)
+## Allow a base set of permissions required for a domain to offer a
+## HAL implementation of the specified type over HwBinder without
+## halserverdomain attribute
+##
+## For example, default implementation of Foo HAL:
+##   type hal_foo_default, domain;
+##   hal_server_domain_bypass(hal_foo_default, hal_foo)
+##
+define(`hal_server_domain_bypass', `
+hwbinder_use($1)
+allow $1 system_file:dir r_dir_perms;
+get_prop($1, hwservicemanager_prop)
+typeattribute $1 $2_server;
+typeattribute $1 $2;
+')
+
+#####################################
+# qdma_file_socket(clientdomain)
+# Allow client domain to connecto and send
+# via a local socket to the qdma domain.
+define(`qdma_file_socket', `
+allow $1 qdma_socket:dir r_dir_perms;
+allow $1 qdma_socket:sock_file { read getattr write };
+allow $1 qdma_app:unix_stream_socket { connectto };
+')
+
+#####################################
+# coredata_datavendor_migration(domain, old_data_label, data_vendor_label)
+# Allow a base set of permissions required for a sh  to copy data from /data to /data/vendor
+#
+# For example, make nfc-sh copy data from /data/nfc to /data/vendor/nfc:
+#   coredata_datavendor_migration(nfc-sh, nfc_data_file, data_vendor_nfc_file)
+#   script that moves the data should be in /system/bin and should be using the
+#   /system/bin/sh.
+#
+define(`coredata_datavendor_migration', `
+type $1, domain;
+type $1_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain($1);
+typeattribute $1 data_between_core_and_vendor_violators;
+typeattribute $1 coredomain;
+allow $1 shell_exec:file rx_file_perms;
+allow $1 toolbox_exec:file rx_file_perms;
+allow $1 file_contexts_file:file { read getattr open };
+allow $1 $2:file { getattr setattr relabelfrom rename };
+allow $1 $2:dir { reparent rename rmdir setattr rw_dir_perms relabelfrom };
+allow $1 $3:dir { create_dir_perms relabelto };
+
+# for writing files_moved so we only execute the move once
+allow $1 $3:file { create open write getattr relabelto };
+')
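Review bot: `hal_server_domain_bypass` assigns `$2_server` and `$2` directly so a domain can serve a HAL without the `halserverdomain` attribute, but its doc block does not say why a caller would need that or which rules keyed on the attribute are skipped. I would add a line such as `## Use only when <reason>; rules keyed on halserverdomain do not apply to $1.` and expect each call site to justify itself. In the same hunk the `netmgr_socket` comment says the client may remove its own socket, yet the macro grants only `{ read getattr write }` on `netmgrd_socket:sock_file`; that sentence looks copied from `qmux_socket` and should be dropped. The word `connecto` in three comment blocks should read `connect to`.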
diff --git a/legacy/vendor/common/thermal-engine.te b/legacy/vendor/common/thermal-engine.te
new file mode 100644
index 0000000..34debc1
--- /dev/null
+++ b/legacy/vendor/common/thermal-engine.te
@@ -0,0 +1,103 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Thermal-engine daemon
+type thermal-engine, domain;
+type thermal-engine_exec, exec_type, vendor_file_type, file_type;
+
+# Started by init
+init_daemon_domain(thermal-engine)
+
+# Allow to read and write cpufreq sysfs
+allow thermal-engine sysfs_devices_system_cpu:file rw_file_perms;
+
+# This is to access thermal query device and smem log device
+allow thermal-engine { thermal_device smem_log_device }:chr_file rw_file_perms;
+
+allow thermal-engine self:capability {
+    fsetid
+    sys_boot
+};
+
+allow thermal-engine self:{ socket qipcrtr_socket } create_socket_perms;
+# ioctlcmd=c304
+allowxperm thermal-engine self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
+
+# This is required to access thermal sockets
+allow thermal-engine thermal_socket:dir w_dir_perms;
+allow thermal-engine thermal_socket:sock_file create_file_perms;
+allow thermal-engine socket_device:dir w_dir_perms;
+
+# This is required for thermal sysfs access
+r_dir_file(thermal-engine, sysfs_thermal)
+allow thermal-engine { sysfs_thermal sysfs }:file w_file_perms;
+
+# This is required for qmi access
+qmux_socket(thermal-engine);
+allow thermal-engine sysfs_mpdecision:file rw_file_perms;
+
+r_dir_file(thermal-engine, sysfs)
+r_dir_file(thermal-engine, sysfs_leds)
+
+# This is required for wake alarm access
+allow thermal-engine self:capability2 wake_alarm;
+
+#This is to allow access to uio device
+allow thermal-engine uio_device:chr_file rw_file_perms;
+
+userdebug_or_eng(`
+  diag_use(thermal-engine)
+')
+
+# To search, read and write kgsl sysfs
+allow thermal-engine sysfs_kgsl:dir r_dir_perms;
+allow thermal-engine sysfs_kgsl:file rw_file_perms;
+allow thermal-engine sysfs_kgsl:lnk_file r_file_perms;
+
+allow thermal-engine sysfs_data:file r_file_perms;
+
+# netlink access
+allow thermal-engine self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# This is required read and write battery power supply sysfs
+allow thermal-engine sysfs_battery_supply:dir r_dir_perms;
+allow thermal-engine sysfs_battery_supply:file rw_file_perms;
+allow thermal-engine sysfs_battery_supply:lnk_file r_file_perms;
+
+# This is required to read and write lcd-backlight sysfs
+allow thermal-engine sysfs_graphics:dir r_dir_perms;
+allow thermal-engine sysfs_graphics:file rw_file_perms;
+allow thermal-engine sysfs_graphics:lnk_file r_file_perms;
+
+#sysfs_uio
+r_dir_file(thermal-engine, sysfs_uio)
+r_dir_file(thermal-engine, sysfs_uio_file)
+
+#This is required to enable thermal-engine dsprpc communication
+r_dir_file(thermal-engine, adsprpcd_file);
+allow thermal-engine qdsp_device:chr_file r_file_perms;
+allow thermal-engine ion_device:chr_file r_file_perms;
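Review bot: The rule `allow thermal-engine { sysfs_thermal sysfs }:file w_file_perms;` grants write on the generic `sysfs` label, so the daemon can write any sysfs node that has no more specific label, not only thermal controls. The domain also holds `sys_boot` and cpufreq write access, so narrowing this matters: label the nodes thermal-engine really writes in genfs_contexts and reduce the rule to `allow thermal-engine sysfs_thermal:file w_file_perms;`. The `fsetid` and `sys_boot` capabilities carry no comment; a line such as `# sys_boot: thermal shutdown at critical temperature` (if that is the reason) would let a later audit confirm they are still needed.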
diff --git a/legacy/vendor/common/time_daemon.te b/legacy/vendor/common/time_daemon.te
new file mode 100644
index 0000000..08cbfa5
--- /dev/null
+++ b/legacy/vendor/common/time_daemon.te
@@ -0,0 +1,59 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Policies for time daemon
+type time_daemon, domain, mlstrustedsubject;
+type time_daemon_exec, exec_type, vendor_file_type, file_type;
+type vendor_time_data_file, file_type, data_file_type;
+
+# Make transition to its own time_daemon domain from init
+init_daemon_domain(time_daemon)
+allow time_daemon smem_log_device:chr_file rw_file_perms;
+
+# Add rules for access permissions
+allow time_daemon rtc_device:chr_file r_file_perms;
+
+allow time_daemon vendor_time_data_file:file create_file_perms;
+allow time_daemon vendor_time_data_file:dir w_dir_perms;
+allow time_daemon self:{ socket qipcrtr_socket } create_socket_perms_no_ioctl;
+allow time_daemon self:capability { setuid setgid sys_time };
+
+allow time_daemon persist_time_file:file create_file_perms;
+allow time_daemon persist_time_file:dir w_dir_perms;
+
+allow time_daemon mnt_vendor_file:dir search;
+
+userdebug_or_eng(`
+  diag_use(time_daemon)
+')
+
+allow time_daemon sysfs_data:file r_file_perms;
+
+allow time_daemon self:socket ioctl;
+allowxperm time_daemon self:socket ioctl msm_sock_ipc_ioctls;
+
+get_prop(time_daemon, vendor_time_service_prop);
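Review bot: `type time_daemon, domain, mlstrustedsubject;` exempts the daemon from the MLS constraints, and nothing in the file says why. Presumably it is there so that app-domain clients running with MLS categories can reach its socket (timeservice_app is granted `connectto` elsewhere in this commit), but that should be stated, e.g. `# mlstrustedsubject: app clients with MLS categories connect to the time socket`. If that is not the reason, the attribute should be dropped, since this domain also holds `setuid`, `setgid` and `sys_time`.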
diff --git a/legacy/vendor/common/timeservice_app.te b/legacy/vendor/common/timeservice_app.te
new file mode 100644
index 0000000..6c820a3
--- /dev/null
+++ b/legacy/vendor/common/timeservice_app.te
@@ -0,0 +1,34 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type timeservice_app, domain;
+app_domain(timeservice_app);
+
+allow timeservice_app app_api_service:service_manager find;
+allow timeservice_app time_daemon:unix_stream_socket connectto;
+
+get_prop(timeservice_app, vendor_mpctl_prop)
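Review bot: The `connectto` rule on `time_daemon:unix_stream_socket` has no comment, and time_daemon is granted `sys_time`, `setuid` and `setgid` in this same commit, so which packages end up in `timeservice_app` matters. The seapp_contexts entry is not part of this hunk; it should pin the domain to the platform-signed time service package. I would add `# client of time_daemon's local socket` above the rule and a similar line saying why the app reads `vendor_mpctl_prop`.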
diff --git a/legacy/vendor/common/tlocd.te b/legacy/vendor/common/tlocd.te
new file mode 100644
index 0000000..2daa759
--- /dev/null
+++ b/legacy/vendor/common/tlocd.te
@@ -0,0 +1,50 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type tlocd, domain;
+type tlocd_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(tlocd)
+
+# Allow interracting with tlocd directory
+allow tlocd tlocd_data_file:dir create_dir_perms;
+allow tlocd tlocd_data_file:file create_file_perms;
+
+# Allow interracting with qseecom
+allow tlocd tee_device:chr_file rw_file_perms;
+
+# Allow interracting with trust-zone
+r_dir_file(tlocd, firmware_file)
+
+# Allow interracting with nqs fifos
+allow tlocd tlocd_data_file:fifo_file create_file_perms;
+
+#Allow access MODEM
+allow tlocd self:{ socket qipcrtr_socket } create_socket_perms;
+allowxperm tlocd self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
+
+allow tlocd ion_device:chr_file rw_file_perms;
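Review bot: Nothing in the file says what tlocd is, although the domain gets read/write on `tee_device` and `ion_device` plus modem IPC sockets. A header comment above `type tlocd, domain;` (`# tlocd: <one-line description of the daemon>`) and a comment on the `ion_device` rule would make these grants auditable. The existing comments also misspell "interacting" four times.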
diff --git a/legacy/vendor/common/touchfusion.te b/legacy/vendor/common/touchfusion.te
new file mode 100644
index 0000000..231959d
--- /dev/null
+++ b/legacy/vendor/common/touchfusion.te
@@ -0,0 +1,47 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Policies for touchfusion
+type touchfusion, domain;
+
+type touchfusion_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(touchfusion)
+
+allow touchfusion kmsg_device:chr_file rw_file_perms;
+
+allow touchfusion graphics_device:dir r_dir_perms;
+
+allow touchfusion self: { netlink_socket netlink_generic_socket } create_socket_perms_no_ioctl;
+
+allow touchfusion graphics_device:chr_file rw_file_perms;
+
+allow touchfusion self:capability { setgid setuid };
+
+userdebug_or_eng(`
+allow touchfusion self:capability { sys_nice net_admin };
+')
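Review bot: `allow touchfusion kmsg_device:chr_file rw_file_perms;` gives the daemon read access to the kernel log as well as write. If touchfusion only logs to kmsg, `allow touchfusion kmsg_device:chr_file w_file_perms;` is enough and keeps kernel log content out of reach of a compromised daemon. The `setgid`/`setuid` capabilities and the userdebug-only `sys_nice`/`net_admin` are also uncommented. Minor: `self: {` on the netlink rule has a stray space after the colon.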
diff --git a/legacy/vendor/common/ueventd.te b/legacy/vendor/common/ueventd.te
new file mode 100644
index 0000000..d5385b6
--- /dev/null
+++ b/legacy/vendor/common/ueventd.te
@@ -0,0 +1,50 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Allow firmware_file access to load Non-HLOS images
+r_dir_file(ueventd, firmware_file)
+
+# For wifi to access wifi_data_file
+r_dir_file(ueventd, wifi_data_file)
+
+# For wifi to access  mnt_vendor_file
+r_dir_file(ueventd, mnt_vendor_file)
+
+allow ueventd {
+    { sysfs_type - usermodehelper }
+    sysfs_battery_supply
+    sysfs_thermal
+    sysfs_usb_supply
+    sysfs_socinfo
+    sysfs_data
+    sysfs_kgsl
+}:file w_file_perms;
+
+#allow ueventd mba_debug_dev:blk_file r_file_perms;
+
+# For setting up various WIGIG files
+allow ueventd sysfs_bond0:file rw_file_perms;
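Review bot: The write rule on `{ sysfs_type - usermodehelper }` already covers every type that carries the `sysfs_type` attribute, so the six named types after it (`sysfs_battery_supply` through `sysfs_kgsl`) add nothing if they are declared with that attribute, as is the usual convention. Either the list is dead weight and the rule really means "write to all of sysfs", or some of those types lack `sysfs_type` and should get it; a comment should say which. If the vendor side only needs the named nodes, the rule could be reduced to them, with the platform policy covering ueventd's generic needs (to be confirmed against the base policy). The commented-out `mba_debug_dev` rule is better dropped than committed.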
diff --git a/legacy/vendor/common/uncrypt.te b/legacy/vendor/common/uncrypt.te
new file mode 100644
index 0000000..038e386
--- /dev/null
+++ b/legacy/vendor/common/uncrypt.te
@@ -0,0 +1,26 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/legacy/vendor/common/untrusted_app.te b/legacy/vendor/common/untrusted_app.te
new file mode 100644
index 0000000..ef85192
--- /dev/null
+++ b/legacy/vendor/common/untrusted_app.te
@@ -0,0 +1,41 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# diag device node access is restricted to untrusted_app
+neverallow untrusted_app diag_device:chr_file rw_file_perms;
+
+# for finding wbc_service
+allow untrusted_app wbc_service:service_manager find;
+
+# for finding gba_auth_service
+allow untrusted_app gba_auth_service:service_manager find;
+
+#TODO: this are been commeted as there is a new
+#      neverallow resctiction which may need 
+#      some addtional change.
+# allow untrusted apps to access hal_perf
+# hal_client_domain(untrusted_app, hal_perf);
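Review bot: The `neverallow` names only the `untrusted_app` type, so it does not constrain the other untrusted app domains (the targetSdk-specific ones) that platform policy groups under the `untrusted_app_all` attribute. If the intent is that no third-party app can open the diag node, write `neverallow untrusted_app_all diag_device:chr_file rw_file_perms;`. The comment above it says access is "restricted to untrusted_app", which reads as the opposite of the rule; `# untrusted apps must never access the diag device node` matches it. The two `service_manager find` rules have the same single-type scope, so whether the sibling domains need wbc_service and gba_auth_service should be decided deliberately.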
diff --git a/legacy/vendor/common/update_engine.te b/legacy/vendor/common/update_engine.te
new file mode 100644
index 0000000..a43dcab
--- /dev/null
+++ b/legacy/vendor/common/update_engine.te
@@ -0,0 +1,34 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Allow gotaab of RIDL and qti-logkit
+allow update_engine storage_file:file r_file_perms;
+allow update_engine storage_file:dir r_dir_perms;
+allow update_engine fuse:dir r_dir_perms;
+allow update_engine sdcard_type:dir r_dir_perms;
+allow update_engine sdcard_type:file r_file_perms;
+binder_call( update_engine, system_app )
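Review bot: These rules let update_engine read `storage_file`, `fuse` and `sdcard_type`, i.e. shared storage that apps can write, and they apply on user builds. The comment `# Allow gotaab of RIDL and qti-logkit` does not explain the need. If this is only for the RIDL/logkit tooling, wrap the block in `userdebug_or_eng(` … `')` so that production update_engine keeps its narrower input surface. If it is needed on user builds, the comment should say what is read from shared storage and how it is verified before use. `binder_call( update_engine, system_app )` is likewise unexplained.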
diff --git a/legacy/vendor/common/usf.te b/legacy/vendor/common/usf.te
new file mode 100644
index 0000000..6a8013c
--- /dev/null
+++ b/legacy/vendor/common/usf.te
@@ -0,0 +1,50 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Policy for usf daemons
+type usf, domain;
+type usf_exec, exec_type, vendor_file_type, file_type;
+
+# Started by init
+init_daemon_domain(usf)
+net_domain(usf)
+
+# Ultrasound device
+allow usf usf_device:chr_file rw_file_perms;
+
+# Audio
+#allow usf mediaserver:unix_stream_socket connectto;
+allow usf audio_device:chr_file rw_file_perms;
+allow usf proc_audiod:file r_file_perms;
+allow usf audio_device:dir r_dir_perms;
+
+# Data files and persist storage
+r_dir_file(usf, mnt_vendor_file)
+r_dir_file(usf, persist_usf_file)
+
+# Properties
+set_prop(usf, usf_prop)
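Review bot: `net_domain(usf)` gives the ultrasound daemon network socket access, and it sits under the `# Started by init` comment, which does not explain it. If usf has no network client, remove the line; otherwise add a comment such as `# network: <what usf talks to>`. The commented-out `mediaserver` rule should be deleted rather than carried into a new file.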
diff --git a/legacy/vendor/common/vendor_audioftm.te b/legacy/vendor/common/vendor_audioftm.te
new file mode 100644
index 0000000..6e8cf2e
--- /dev/null
+++ b/legacy/vendor/common/vendor_audioftm.te
@@ -0,0 +1,46 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+type vendor_audioftm, domain;
+type vendor_audioftm_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(vendor_audioftm)
+domain_auto_trans(vendor_mmi, vendor_audioftm_exec, vendor_audioftm)
+
+allow vendor_audioftm vendor_audioftm_exec:file { rx_file_perms entrypoint };
+
+allow vendor_audioftm proc_audiod:file r_file_perms;
+allow vendor_audioftm proc_audiod:dir search;
+allow vendor_audioftm proc_asound:dir search;
+
+allow vendor_audioftm devpts:chr_file rw_file_perms;
+
+allow vendor_audioftm vendor_audio_data_file:dir create_dir_perms;
+allow vendor_audioftm vendor_audio_data_file:file create_file_perms;
+
+allow vendor_audioftm audio_device:dir r_dir_perms;
+allow vendor_audioftm audio_device:chr_file rw_file_perms;
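Review bot: The explicit `allow vendor_audioftm vendor_audioftm_exec:file { rx_file_perms entrypoint };` repeats the entrypoint grant that `init_daemon_domain` and `domain_auto_trans` already provide, and `rx_file_perms` additionally brings `execute_no_trans`. If the tool never re-executes its own binary, delete the line; if it does, keep it with a comment saying so. The file also has no description of the domain. Since it is entered from `vendor_mmi` it looks like a factory-test tool, so it is worth stating whether the init service is meant to exist on user builds.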
diff --git a/legacy/vendor/common/vendor_init.te b/legacy/vendor/common/vendor_init.te
new file mode 100755
index 0000000..6aa9285
--- /dev/null
+++ b/legacy/vendor/common/vendor_init.te
@@ -0,0 +1,105 @@
+# Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+
+# allow vendor toolbox usage
+type vendor_init_exec, exec_type, vendor_file_type, file_type;
+
+allow vendor_init persist_block_device:{ blk_file lnk_file } relabelto;
+allow vendor_init unlabeled:dir { r_dir_perms setattr relabelfrom };
+allow vendor_init unlabeled:file { r_file_perms setattr relabelfrom };
+allow vendor_init ipa_dev:chr_file w_file_perms;
+allow vendor_init proc:file write;
+
+# write from init.target.rc
+allow vendor_init sysfs_poweron_alarm:file w_file_perms;
+
+# vendor init needs permissions for sepolicy files
+allow vendor_init file_contexts_file:file r_file_perms;
+
+allow vendor_init {
+    vendor_camera_data_file
+    vendor_media_data_file
+    vendor_tui_data_file
+    vendor_media_data_file
+    vendor_tombstone_data_file
+    vendor_fm_data_file
+}:dir create_dir_perms;
+
+allow vendor_init self:capability sys_module;
+#For insmod to search module key for signature verification
+allow vendor_init kernel:key search;
+allow vendor_init vendor_file:system module_load;
+allow vendor_init kernel:key search;
+allow vendor_init kernel:system module_request;
+
+userdebug_or_eng(`
+  allow vendor_init misc_block_device:blk_file w_file_perms;
+  set_prop(vendor_init, vendor_audio_debug_prop)
+')
+get_prop(vendor_init, vendor_boot_mode_prop)
+get_prop(vendor_init, vendor_mmi_prop)
+
+#Access persist.sys.usb.config
+set_prop(vendor_init, system_prop)
+set_prop(vendor_init, vendor_usb_prop)
+set_prop(vendor_init, vendor_ipacm_prop)
+set_prop(vendor_init, vendor_ipacm-diag_prop)
+set_prop(vendor_init, vendor_radio_prop)
+set_prop(vendor_init, vendor_am_prop)
+set_prop(vendor_init, vendor_mpctl_prop)
+
+#Access vendor display properties
+set_prop(vendor_init, vendor_display_prop)
+
+#Access vendor gralloc properties
+set_prop(vendor_init, vendor_gralloc_prop)
+
+set_prop(vendor_init, vendor_audio_prop)
+
+set_prop(vendor_init, vendor_rild_libpath_prop)
+
+# allow vendor toolbox usage
+#Blocked by neverallow vendor_init { file_type fs_type }:file execute_no_trans;
+#allow vendor_init vendor_toolbox_exec:file rx_file_perms;
+
+set_prop(vendor_init, cnd_vendor_prop)
+set_prop(vendor_init, mm_video_prop)
+
+#Access vendor gpu freq properties
+set_prop(vendor_init, vendor_gpu_prop)
+set_prop(vendor_init, public_vendor_default_prop)
+
+#allow vendor GPU property
+set_prop(vendor_init, vendor_opengles_prop)
+
+#Acess vendor hvdcp properties
+set_prop(vendor_init, hvdcp_opti_prop)
+
+# Allow timezone to be overrided by vendor
+set_prop(vendor_init, exported_system_prop)
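Review bot: `set_prop(vendor_init, system_prop)` sits under the comment `#Access persist.sys.usb.config` but grants write to every property labelled `system_prop`, and `allow vendor_init proc:file write;` does the same for every /proc file that carries the generic `proc` label. Both are better expressed with a dedicated label for the one property or proc node the init scripts write, so that vendor init scripts cannot change unrelated platform state. Cleanup in the same file: `vendor_media_data_file` appears twice in the dir set, `allow vendor_init kernel:key search;` is repeated, and the first `# allow vendor toolbox usage` comment sits above the `vendor_init_exec` type declaration, which it does not describe.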
diff --git a/legacy/vendor/common/vm_bms.te b/legacy/vendor/common/vm_bms.te
new file mode 100644
index 0000000..77d4f97
--- /dev/null
+++ b/legacy/vendor/common/vm_bms.te
@@ -0,0 +1,56 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#integrated process
+type vm_bms, domain;
+type vm_bms_exec, exec_type, vendor_file_type, file_type;
+
+#started by init
+init_daemon_domain(vm_bms)
+
+#allow vm_bms to visit chr_file
+allow vm_bms {
+    tmpfs
+    vm_bms_device
+    battery_data_device
+}:chr_file rw_file_perms;
+
+allow vm_bms {
+    sysfs_battery_supply
+    sysfs_usb_supply
+}:dir r_dir_perms;
+
+allow vm_bms {
+    sysfs_battery_supply
+    sysfs_usb_supply
+}:file rw_file_perms;
+
+#allow vm_bms to drop down to system service
+allow vm_bms self:capability { setpcap setgid setuid };
+
+#allow vm_bms to block the system suspend and get wake lock
+wakelock_use(vm_bms)
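Review bot: The chr_file rule grants `rw_file_perms` on the generic `tmpfs` type alongside `vm_bms_device` and `battery_data_device`, which suggests vm_bms opens a device node that has no file_contexts entry. Labelling that node with a dedicated type and dropping `tmpfs` from the set would stop the daemon from reading and writing any other unlabelled character device. The `setpcap setgid setuid` grant would also read better with a comment naming the identity the daemon drops to, e.g. `# drops from root to <uid/gid> once the devices are open`.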
diff --git a/legacy/vendor/common/vndservice.te b/legacy/vendor/common/vndservice.te
new file mode 100644
index 0000000..5dfda70
--- /dev/null
+++ b/legacy/vendor/common/vndservice.te
@@ -0,0 +1,32 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type vendor_per_mgr_service,             vndservice_manager_type;
+type qdisplay_service,                   vndservice_manager_type;
+type qseeproxy_service,                  vndservice_manager_type;
+type esepmdaemon_service,                vndservice_manager_type;
+type wfdnativemm_service,                vndservice_manager_type;
diff --git a/legacy/vendor/common/vndservice_contexts b/legacy/vendor/common/vndservice_contexts
new file mode 100644
index 0000000..a426119
--- /dev/null
+++ b/legacy/vendor/common/vndservice_contexts
@@ -0,0 +1,32 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+vendor.qcom.PeripheralManager                  u:object_r:vendor_per_mgr_service:s0
+display.qservice                               u:object_r:qdisplay_service:s0
+com.qualcomm.qti.qseeproxy                     u:object_r:qseeproxy_service:s0
+eSEPowerManagerService                         u:object_r:esepmdaemon_service:s0
+wfd.native.mm.service                          u:object_r:wfdnativemm_service:s0
diff --git a/legacy/vendor/common/vold.te b/legacy/vendor/common/vold.te
new file mode 100755
index 0000000..a049d97
--- /dev/null
+++ b/legacy/vendor/common/vold.te
@@ -0,0 +1,39 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+allow vold tee_device:chr_file rw_file_perms;
+allow vold self:capability sys_boot;
+allow vold cache_file:dir w_dir_perms;
+allow vold { fscklogs cache_file }:file create_file_perms;
+
+# Read and write /cache/recovery/command
+allow vold cache_recovery_file:dir rw_dir_perms;
+allow vold cache_recovery_file:file create_file_perms;
+
+allow vold { proc_sysrq proc_dirty_ratio }:file rw_file_perms;
+wakelock_use(vold)
+allow vold swap_block_device:blk_file r_file_perms;
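Review bot: `allow vold self:capability sys_boot;` and `allow vold { proc_sysrq proc_dirty_ratio }:file rw_file_perms;` are granted on every build variant, with no comment saying which vold path needs them. Together they let the domain trigger a reboot or a sysrq action, so each should carry a one-line rationale. wcnss_filter.te in this same commit keeps its proc_sysrq write inside `userdebug_or_eng`; if vold's use is debug-only as well, the proc_sysrq part belongs in the same kind of block. The file is also added with mode 100755 although it is policy source.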
diff --git a/legacy/vendor/common/vppservice.te b/legacy/vendor/common/vppservice.te
new file mode 100755
index 0000000..96c0435
--- /dev/null
+++ b/legacy/vendor/common/vppservice.te
@@ -0,0 +1,61 @@
+# Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Define domain
+type vendor_vppservice, domain;
+type vendor_vppservice_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(vendor_vppservice)
+
+hal_server_domain(vendor_vppservice, hal_vpp)
+
+add_hwservice(vendor_vppservice, hal_vpp_hwservice)
+
+allow hal_vpp_client hal_vpp_hwservice:hwservice_manager find;
+binder_call(hal_vpp_client, hal_vpp_server)
+binder_call(hal_vpp_server, hal_vpp_client)
+
+# allow vppservice to access adsprpcd
+r_dir_file(vendor_vppservice, adsprpcd_file);
+get_prop(vendor_vppservice, adsprpc_prop)
+r_dir_file(vendor_vppservice, firmware_file);
+
+#allow access to vppservice (/data/vendor/vpp)
+allow vendor_vppservice vendor_vpp_data_file:dir create_dir_perms;
+allow vendor_vppservice vendor_vpp_data_file:file create_file_perms;
+
+#allow access to vppservice (/persist/vpp)
+r_dir_file(vendor_vppservice, persist_vpp_file)
+allow vendor_vppservice mnt_vendor_file:dir search;
+
+# allow vppservice to access ion, video device & qdsp_device
+allow vendor_vppservice ion_device:chr_file rw_file_perms;
+allow vendor_vppservice video_device:chr_file rw_file_perms;
+allow vendor_vppservice qdsp_device:chr_file r_file_perms;
+allow vendor_vppservice xdsp_device:chr_file r_file_perms;
+
+hal_client_domain(vendor_vppservice, hal_graphics_allocator)
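Review bot: Macro calls are terminated inconsistently in this file: `r_dir_file(vendor_vppservice, adsprpcd_file);` and the `firmware_file` line end in a semicolon, while `r_dir_file(vendor_vppservice, persist_vpp_file)` and the other macro calls do not. These macros already expand to complete statements, so dropping the trailing semicolons keeps the file uniform. The `hal_vpp_client` find rule and the two `binder_call` lines are written on HAL attributes rather than on `vendor_vppservice`; a comment such as `# HAL-wide client/server rules, apply to every hal_vpp implementation` would make that scope explicit.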
diff --git a/legacy/vendor/common/wcnss_filter.te b/legacy/vendor/common/wcnss_filter.te
new file mode 100644
index 0000000..fae70de
--- /dev/null
+++ b/legacy/vendor/common/wcnss_filter.te
@@ -0,0 +1,56 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type wcnss_filter, domain;
+type wcnss_filter_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(wcnss_filter)
+net_domain(wcnss_filter)
+
+userdebug_or_eng(`
+allow wcnss_filter proc_sysrq:file { open write };
+')
+allow wcnss_filter sysfs_msmuart_file:file rw_file_perms;
+allow wcnss_filter {
+    serial_device
+}:chr_file rw_file_perms;
+
+#wakelock policy
+wakelock_use(wcnss_filter);
+set_prop(wcnss_filter, vendor_bluetooth_prop);
+
+#For bluetooth firmware
+r_dir_file(wcnss_filter, bt_firmware_file)
+
+allow wcnss_filter persist_bluetooth_file:dir r_dir_perms;
+allow wcnss_filter persist_bluetooth_file:file r_file_perms;
+allow wcnss_filter mnt_vendor_file:dir r_dir_perms;
+
+#diag
+userdebug_or_eng(`
+    diag_use(wcnss_filter)
+')
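Review bot: `allow wcnss_filter { serial_device }:chr_file rw_file_perms;` grants read/write on the generic serial device type rather than on a label specific to the UART this daemon drives. If that node can be given its own type in file_contexts, the rule can name it and the daemon loses access to every other node labelled `serial_device`. The braces around a single type are unnecessary. `net_domain(wcnss_filter)` has no comment either; a line stating which socket the filter needs would help a later audit decide whether the full macro is required.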
diff --git a/legacy/vendor/common/wcnss_service.te b/legacy/vendor/common/wcnss_service.te
new file mode 100644
index 0000000..d38d7a0
--- /dev/null
+++ b/legacy/vendor/common/wcnss_service.te
@@ -0,0 +1,99 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type wcnss_service, domain;
+type wcnss_service_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(wcnss_service)
+net_domain(wcnss_service)
+
+allow wcnss_service wcnss_device:chr_file rw_file_perms;
+
+qmux_socket(wcnss_service);
+
+allow wcnss_service wifi_vendor_data_file:dir create_dir_perms;
+allow wcnss_service wifi_vendor_data_file:file create_file_perms;
+
+allow wcnss_service wpa_data_file:dir create_dir_perms;
+allow wcnss_service wpa_data_file:file create_file_perms;
+
+allow wcnss_service mnt_vendor_file:dir r_dir_perms;
+qmux_socket(wcnss_service);
+
+allow wcnss_service self:{ socket qipcrtr_socket } create_socket_perms;
+# ioctlcmd=c304
+allowxperm wcnss_service self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
+allowxperm wcnss_service self:udp_socket ioctl SIOCIWFIRSTPRIV_05;
+allow wcnss_service smem_log_device:chr_file rw_file_perms;
+allow wcnss_service proc_net:file rw_file_perms;
+
+# allow wpa_supplicant to send back wifi information to cnd
+allow wcnss_service cnd:unix_dgram_socket sendto;
+allow wcnss_service self:capability {
+    net_admin
+    net_bind_service
+};
+
+allow wcnss_service self:netlink_socket create_socket_perms_no_ioctl;
+allow wcnss_service self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow wcnss_service firmware_file:dir r_dir_perms;
+allow wcnss_service firmware_file:file r_file_perms;
+allow wcnss_service sysfs_data:file r_file_perms;
+
+# allow access to network performance tuner
+unix_socket_connect(wcnss_service, wigignpt, wigignpt)
+
+userdebug_or_eng(`
+allow wcnss_service fuse:dir create_dir_perms;
+allow wcnss_service fuse:file create_file_perms;
+allow wcnss_service vfat:dir create_dir_perms;
+allow wcnss_service vfat:file create_file_perms;
+allow wcnss_service sdcardfs:dir create_dir_perms;
+allow wcnss_service sdcardfs:file create_file_perms;
+allow wcnss_service mnt_vendor_file:file rw_file_perms;
+
+# This is needed for ptt_socket app to write logs file collected to sdcard
+r_dir_file(wcnss_service, proc_wifi_dbg)
+r_dir_file(wcnss_service, storage_file)
+r_dir_file(wcnss_service, mnt_user_file)
+diag_use(wcnss_service)
+')
+
+#binder_use(wcnss_service)
+use_vendor_per_mgr(wcnss_service)
+
+hwbinder_use(wcnss_service)
+get_prop(wcnss_service, hwservicemanager_prop)
+
+#access to perflock
+hal_client_domain(wcnss_service, hal_perf)
+
+# read persist.vendor.wigig.npt.enable
+get_prop(wcnss_service, wigig_prop);
+
+# allow to read /sys/class/net file
+r_dir_file(wcnss_service, sysfs_net);
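Review bot: `qmux_socket(wcnss_service);` appears twice, once after the `wcnss_device` rule and again after the `mnt_vendor_file` rule; the second call is redundant and should be removed. `allow wcnss_service proc_net:file rw_file_perms;` grants write to /proc/net entries with no comment, and should be reduced to `r_file_perms` unless a specific writable entry is needed. Two comments are misplaced. "allow wpa_supplicant to send back wifi information to cnd" sits on a `wcnss_service` rule. The ptt_socket note sits above the `r_dir_file` lines rather than above the fuse/vfat/sdcardfs create rules it seems to explain.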
diff --git a/legacy/vendor/common/wfdservice.te b/legacy/vendor/common/wfdservice.te
new file mode 100644
index 0000000..fd0fca1
--- /dev/null
+++ b/legacy/vendor/common/wfdservice.te
@@ -0,0 +1,59 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#allow access to sysfs to know HDMI repeater state
+allow wfdservice sysfs_graphics:file rw_file_perms;
+allow wfdservice sysfs_graphics:dir r_dir_perms;
+
+#Allow hardware binder use
+hwbinder_use(wfdservice)
+get_prop(wfdservice, hwservicemanager_prop)
+
+#Allow hal graphics mapper permissions
+hal_client_domain(wfdservice, hal_graphics_composer);
+
+#Allow hal graphics allocator permissions
+hal_client_domain(wfdservice, hal_graphics_allocator);
+
+hal_client_domain(wfdservice, wifidisplayhalservice);
+
+#Denial seen - SELinux : avc:  denied  { find } for interface=com.qualcomm.qti.wifidisplayhal::IHDCPSession
+#pid=3530 scontext=u:r:wfdservice:s0 tcontext=u:object_r:wifidisplayhalservice_hwservice:s0 tclass=hwservice_manager
+allow wfdservice wifidisplayhalservice_hwservice:hwservice_manager find;
+
+#Allow for property access
+userdebug_or_eng(`
+get_prop(wfdservice, wfd_debug_prop)
+')
+get_prop(wfdservice, vendor_gralloc_prop)
+get_prop(wfdservice, mm_video_prop)
+
+# Add the rule for wfd to access /proc/asound/pcm file
+r_dir_file(wfdservice, proc_asound)
+
+# Add the rule for wfd to access /proc/asound/card0/state file
+r_dir_file(wfdservice, proc_audiod)
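Review bot: The first rule is commented as access "to know HDMI repeater state" but grants `sysfs_graphics:file rw_file_perms`. If wfdservice only reads that state, `allow wfdservice sysfs_graphics:file r_file_perms;` is sufficient and removes write access to the graphics sysfs nodes. The comment "Allow hal graphics mapper permissions" sits above `hal_client_domain(wfdservice, hal_graphics_composer);` and should name the composer. The explicit `wifidisplayhalservice_hwservice` find rule follows a `hal_client_domain` call for the same HAL, so the denial quoted above it may point to a missing client find rule on the HAL attribute rather than a need for a per-domain allow.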
diff --git a/legacy/vendor/common/wifi_ftmd.te b/legacy/vendor/common/wifi_ftmd.te
new file mode 100644
index 0000000..2f61c08
--- /dev/null
+++ b/legacy/vendor/common/wifi_ftmd.te
@@ -0,0 +1,36 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type wifi_ftmd, domain;
+type wifi_ftmd_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(wifi_ftmd)
+
+net_domain(wifi_ftmd)
+
+set_prop(wifi_ftmd,vendor_wifi_ftmd_prop);
+allow wifi_ftmd self:capability net_admin;
+allow wifi_ftmd vendor_wifi_ftmd_prop:property_service set;
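Review bot: The last line, `allow wifi_ftmd vendor_wifi_ftmd_prop:property_service set;`, duplicates what `set_prop(wifi_ftmd,vendor_wifi_ftmd_prop);` two lines above already grants, so it can be deleted. `net_domain(wifi_ftmd)` and `net_admin` are granted without comment; a line such as `# factory test daemon configures the wlan interface` (wording to be confirmed by the owner) would record why a test daemon needs them. If this daemon is only used in factory or debug builds, the owner should also consider confining the domain's rules to `userdebug_or_eng`.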
diff --git a/legacy/vendor/common/wificond.te b/legacy/vendor/common/wificond.te
new file mode 100644
index 0000000..7a22d3c
--- /dev/null
+++ b/legacy/vendor/common/wificond.te
@@ -0,0 +1,33 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# allow wificond proc:file r_file_perms;
+# allow create/remove bridge interface and read mac addr ioctl privilege
+allowxperm wificond self:udp_socket ioctl { SIOCBRADDBR SIOCBRDELBR SIOCGIFHWADDR };
+
+#allow wificond to read FST properties
+get_prop(wificond, fst_prop);
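Review bot: The first policy line, `# allow wificond proc:file r_file_perms;`, is a commented-out rule that now reads as part of the comment for the `allowxperm` beneath it. Delete it, or keep it with a note saying why it is disabled. The `allowxperm` line only whitelists ioctl numbers and depends on an `ioctl` permission on `self:udp_socket` granted outside this hunk. A comment such as `# ioctl on udp_socket comes from the platform wificond policy` would make that dependency visible.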
diff --git a/legacy/vendor/common/wifidisplayhalservice.te b/legacy/vendor/common/wifidisplayhalservice.te
new file mode 100644
index 0000000..8360d2d
--- /dev/null
+++ b/legacy/vendor/common/wifidisplayhalservice.te
@@ -0,0 +1,59 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Define Domain
+type wifidisplayhalservice_qti, domain;
+type wifidisplayhalservice_qti_exec, exec_type, vendor_file_type, file_type;
+net_domain(wifidisplayhalservice_qti)
+
+hal_server_domain_bypass(wifidisplayhalservice_qti,wifidisplayhalservice)
+
+#Allow for transition from init domain to wifidisplayhalservice
+init_daemon_domain(wifidisplayhalservice_qti)
+
+#Allow wifidisplayhalservice to use Vendor Binder IPC
+vndbinder_use(wifidisplayhalservice)
+
+# Allow hwbinder call from hal client to server
+binder_call(wifidisplayhalservice_client, wifidisplayhalservice_server)
+binder_call(wifidisplayhalservice_server, wifidisplayhalservice_client)
+
+# Add hwservice related rules
+add_hwservice(wifidisplayhalservice_server, wifidisplayhalservice_hwservice)
+
+#Direct streaming native service
+add_service(wifidisplayhalservice, wfdnativemm_service)
+
+#Allow access to firmware files for HDCP session
+r_dir_file(wifidisplayhalservice, vendor_firmware_file)
+r_dir_file(wifidisplayhalservice, firmware_file)
+
+#Allow access to tee/ion device and tcp socket for HDCP sessions
+allow wifidisplayhalservice tee_device:chr_file rw_file_perms;
+allow wifidisplayhalservice ion_device:chr_file r_file_perms;
+
+allow wifidisplayhalservice qdisplay_service:service_manager { find };
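Review bot: The file declares the domain `wifidisplayhalservice_qti`, but `vndbinder_use`, `add_service`, both `r_dir_file` calls and the `tee_device`/`ion_device`/`qdisplay_service` allows are written on the `wifidisplayhalservice` attribute instead. What `hal_server_domain_bypass` puts into that attribute is not visible here. If client domains can carry it, `tee_device:chr_file rw_file_perms` and the right to register `wfdnativemm_service` reach further than the one daemon. Scoping them to the domain, e.g. `allow wifidisplayhalservice_qti tee_device:chr_file rw_file_perms;`, avoids that. The comment above the device rules also mentions a tcp socket, but no socket rule follows it.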
diff --git a/legacy/vendor/common/wifilearnersvc.te b/legacy/vendor/common/wifilearnersvc.te
new file mode 100644
index 0000000..d578cae
--- /dev/null
+++ b/legacy/vendor/common/wifilearnersvc.te
@@ -0,0 +1,44 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type wifilearnersvc, domain;
+type wifilearnersvc_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(wifilearnersvc)
+hal_server_domain(wifilearnersvc, hal_wifilearner)
+
+#allows calls between client and server and vice-versa
+binder_call(hal_wifilearner_client, hal_wifilearner_server)
+binder_call(hal_wifilearner_server, hal_wifilearner_client)
+
+#allow hal clients to find the service
+allow hal_wifilearner_client hal_wifilearner_hwservice:hwservice_manager find;
+
+#register hal service
+add_hwservice(hal_wifilearner, hal_wifilearner_hwservice)
+
+allow hal_wifilearner self:netlink_generic_socket create_socket_perms_no_ioctl;
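Review bot: `add_hwservice(hal_wifilearner, hal_wifilearner_hwservice)` and the `netlink_generic_socket` allow are written on the base `hal_wifilearner` attribute rather than on the server side. On configurations where client domains are also placed in the base attribute, this would let a client register the hwservice and open generic netlink sockets. Using `add_hwservice(hal_wifilearner_server, hal_wifilearner_hwservice)` and `allow hal_wifilearner_server self:netlink_generic_socket create_socket_perms_no_ioctl;` matches the `_server` form used in wifidisplayhalservice.te in this commit.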
diff --git a/legacy/vendor/common/wigighalsvc.te b/legacy/vendor/common/wigighalsvc.te
new file mode 100644
index 0000000..b978fbf
--- /dev/null
+++ b/legacy/vendor/common/wigighalsvc.te
@@ -0,0 +1,73 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type wigighalsvc, domain;
+type wigighalsvc_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(wigighalsvc)
+hal_server_domain(wigighalsvc, hal_wigig)
+
+#allows calls between client and server and vice-versa
+binder_call(hal_wigig_client, hal_wigig_server)
+binder_call(hal_wigig_server, hal_wigig_client)
+
+#allow hal clients to find the service
+allow hal_wigig_client hal_wigig_hwservice:hwservice_manager find;
+
+#register hal service
+add_hwservice(hal_wigig, hal_wigig_hwservice)
+
+# allow start/stop services via ctl.start and ctl.stop
+set_prop(hal_wigig, ctl_vendor_wigigsvc_prop)
+
+# access wigig properties
+# need to write vendor.wigig.driver.status
+set_prop(hal_wigig, wigig_prop);
+
+# access wifi vendor data files
+r_dir_file(hal_wigig, wifi_vendor_data_file)
+allow hal_wigig wifi_vendor_data_file:dir rw_dir_perms;
+allow hal_wigig wifi_vendor_data_file:file create_file_perms;
+
+# dynamically create hostapd configuration file
+allow hal_wigig hostapd_data_file:dir rw_dir_perms;
+allow hal_wigig hostapd_data_file:file create_file_perms;
+
+# connect to supplicant by socket
+allow hal_wigig { hal_wifi_supplicant hal_wifi_hostapd_default }:unix_dgram_socket sendto;
+allow hal_wigig wifi_vendor_wpa_socket:dir rw_dir_perms;
+allow hal_wigig wifi_vendor_wpa_socket:sock_file create_file_perms;
+
+# connect to wigig_hostapd by socket
+allow hal_wigig wigig_hostapd_socket:dir rw_dir_perms;
+allow hal_wigig wigig_hostapd_socket:sock_file create_file_perms;
+
+# insmod /vendor/lib/modules/wil6210.ko
+allow hal_wigig self:capability sys_module;
+allow hal_wigig kernel:key search;
+allow hal_wigig vendor_file:system module_load;
+allow hal_wigig proc_modules:file r_file_perms;
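Review bot: The module-loading block at the end of this hunk grants `sys_module` and `vendor_file:system module_load` to the `hal_wigig` attribute, so any domain that ends up carrying the attribute can load any file labelled `vendor_file` as a kernel module, not only wil6210.ko as the comment says. Scoping the rules to the server domain and a dedicated module label would be tighter, e.g. `allow wigighalsvc self:capability sys_module;` and `allow wigighalsvc vendor_kernel_modules:system module_load;`, assuming the tree labels /vendor/lib/modules with AOSP's `vendor_kernel_modules` type (not visible in this diff). The same attribute-versus-domain concern applies to the `net_admin` grant in wigignpt.te. The `kernel:key search` rule also has no comment saying why it is needed.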
diff --git a/legacy/vendor/common/wigignpt.te b/legacy/vendor/common/wigignpt.te
new file mode 100644
index 0000000..27e409a
--- /dev/null
+++ b/legacy/vendor/common/wigignpt.te
@@ -0,0 +1,61 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type wigignpt, domain;
+type wigignpt_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(wigignpt)
+#use bypass because net_admin capability is needed
+hal_server_domain_bypass(wigignpt, hal_wigig_npt)
+
+#allows calls between client and server and vice-versa
+binder_call(hal_wigig_npt_client, hal_wigig_npt_server)
+binder_call(hal_wigig_npt_server, hal_wigig_npt_client)
+
+#allow hal clients to find the service
+allow hal_wigig_npt_client hal_wigig_npt_hwservice:hwservice_manager find;
+
+#register hal service
+add_hwservice(hal_wigig_npt, hal_wigig_npt_hwservice)
+
+# read wigig properties
+get_prop(hal_wigig_npt, wigig_prop);
+
+#allow updating network stack parameters under /proc/sys/net
+#this also requires net_admin capability
+allow hal_wigig_npt proc_net:file rw_file_perms;
+allow hal_wigig_npt self:capability net_admin;
+
+#update wigig0 network parameters like rps_cpus and gro_flush_timeout
+allow hal_wigig_npt sysfs_net:dir search;
+allow hal_wigig_npt sysfs_wigig:file rw_file_perms;
+
+#update bond0 rps_cpus (FST)
+allow hal_wigig_npt sysfs_bond0:file rw_file_perms;
+
+#listen on /dev/socket/wigignpt
+allow hal_wigig_npt hal_wigig_npt:unix_stream_socket { listen accept read write };
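Review bot: `allow hal_wigig_npt proc_net:file rw_file_perms;` gives write access to every file labelled `proc_net`, while the comment above it only mentions network stack parameters under /proc/sys/net. Together with `net_admin` and `hal_server_domain_bypass` this is a wide grant for one HAL; if the daemon only writes a few sysctls, a dedicated type for those paths would leave the rest of `proc_net` read-only to it. The last rule allows `listen accept read write` but not `create` or `bind`, so the comment could say where the socket comes from, e.g. `# /dev/socket/wigignpt is created by init and inherited`, if that is the case.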
diff --git a/legacy/vendor/common/wpa.te b/legacy/vendor/common/wpa.te
new file mode 100644
index 0000000..cc82253
--- /dev/null
+++ b/legacy/vendor/common/wpa.te
@@ -0,0 +1,47 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# AOSP replaced wpa with new definition. this file to be
+# deleted once we have new definition and existing rules are modified
+
+#allow wpa persist_file:dir search;
+#qmux_socket(wpa);
+
+allow hal_wifi_supplicant wifi_vendor_data_file:dir create_dir_perms;
+allow hal_wifi_supplicant wifi_vendor_data_file:dir w_dir_perms;
+allow hal_wifi_supplicant wifi_vendor_data_file:file create_file_perms;
+allow hal_wifi_supplicant wifi_vendor_wpa_socket:dir create_dir_perms;
+allow hal_wifi_supplicant wifi_vendor_wpa_socket:sock_file create_file_perms;
+
+# Permission for wpa socket which IMS use to communicate
+# Allow wpa_supplicant to send back wifi information to cnd
+allow hal_wifi_supplicant { cnd ims }:unix_dgram_socket sendto;
+
+allow hal_wifi_supplicant fstman:unix_dgram_socket sendto;
+allow hal_wifi_supplicant wigighalsvc:unix_dgram_socket sendto;
+
+type_transition hal_wifi_supplicant wifi_vendor_data_file:dir wifi_vendor_wpa_socket "wigig_sockets";
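Review bot: The rule `allow hal_wifi_supplicant wifi_vendor_data_file:dir w_dir_perms;` looks redundant, because in AOSP's global macros `create_dir_perms` on the line above already includes `rw_dir_perms`; it can be dropped. The header says this file is to be deleted once the new wpa definition exists, yet it adds live rules and keeps two commented-out `wpa` rules, so a comment naming which rules are still required would help whoever removes it. The named `type_transition` only relabels a directory called "wigig_sockets", which deserves a comment of its own, e.g. `# only the wigig_sockets dir under wifi_vendor_data_file gets the wpa socket label`.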
diff --git a/legacy/vendor/common/zygote.te b/legacy/vendor/common/zygote.te
new file mode 100644
index 0000000..5cc8dd6
--- /dev/null
+++ b/legacy/vendor/common/zygote.te
@@ -0,0 +1,31 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+typeattribute zygote system_writes_vendor_properties_violators;
+# persist.service.bdroid.bdaddr hw.cabl.level
+allow zygote { vendor_bluetooth_prop system_prop } :property_service set;
+get_prop(zygote, vendor_mpctl_prop)
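Review bot: `allow zygote { vendor_bluetooth_prop system_prop } :property_service set;` lets zygote, the parent of every app process, set any property labelled `system_prop`, although the comment names only two properties. The `system_writes_vendor_properties_violators` attribute on the first line is an exemption from a Treble neverallow, so the file should say why the exemption is needed and when it can go, e.g. `# TODO: remove once zygote no longer sets persist.service.bdroid.bdaddr`. If hw.cabl.level can be given its own property type, the `system_prop` grant could be narrowed to that type.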
diff --git a/legacy/vendor/sdm710/device.te b/legacy/vendor/sdm710/device.te
new file mode 100644
index 0000000..647d226
--- /dev/null
+++ b/legacy/vendor/sdm710/device.te
@@ -0,0 +1,26 @@
+# Copyright (c) 2016-2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/legacy/vendor/sdm710/file_contexts b/legacy/vendor/sdm710/file_contexts
new file mode 100644
index 0000000..01275d5
--- /dev/null
+++ b/legacy/vendor/sdm710/file_contexts
@@ -0,0 +1,159 @@
+# Copyright (c) 2016-2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+###################################
+# Dev block nodes
+
+#for rpmb block
+/dev/block/mmcblk0rpmb                                                          u:object_r:rpmb_device:s0
+
+# UFS Devices
+/dev/block/platform/soc/1d84000.ufshc/by-name/system                            u:object_r:system_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/userdata                          u:object_r:userdata_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/boot                              u:object_r:boot_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/logdump                           u:object_r:logdump_partition:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/fsc                                u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/fsg                                u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/modemst1                           u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/modemst2                           u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/ssd                                u:object_r:ssd_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/misc                               u:object_r:misc_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/rpm                                u:object_r:rpmb_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/msadp                              u:object_r:mba_debug_dev:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/recovery                           u:object_r:recovery_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/cache                              u:object_r:cache_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/frp                                u:object_r:frp_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/mdtp                               u:object_r:mdtp_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/dip                                u:object_r:dip_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/storsec                            u:object_r:boot_block_device:s0
+
+#rawdump partition
+/dev/block/platform/soc/1d84000.ufshc/by-name/rawdump                            u:object_r:rawdump_block_device:s0
+
+# A/B partitions.
+/dev/block/platform/soc/1d84000.ufshc/by-name/abl_[ab]          u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/apdp_[ab]         u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/boot_[ab]         u:object_r:boot_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/cmnlib_[ab]       u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/cmnlib64_[ab]     u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/devcfg_[ab]       u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/hyp_[ab]          u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/keymaster_[ab]    u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/modem_[ab]        u:object_r:modem_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/bluetooth_[ab]    u:object_r:modem_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/msadp_[ab]        u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/pmic_[ab]         u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/rpm_[ab]          u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/system_[ab]       u:object_r:system_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/tz_[ab]           u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/vendor_[ab]       u:object_r:system_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/xbl_[ab]          u:object_r:xbl_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/aop_[ab]          u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/vbmeta_[ab]       u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/dtbo_[ab]         u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/dsp_[ab]          u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/mdtp_[ab]         u:object_r:mdtp_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/mdtpsecapp_[ab]   u:object_r:mdtp_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/qupfw_[ab]        u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/xbl_config_[ab]   u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/storsec_[ab]      u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/ImageFv_[ab]      u:object_r:custom_ab_block_device:s0
+
+#for eMMC
+# A/B partitions.
+/dev/block/platform/soc/7c4000.sdhci/by-name/abl_[ab]          u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/apdp_[ab]         u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/boot_[ab]         u:object_r:boot_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/cmnlib_[ab]       u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/cmnlib64_[ab]     u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/devcfg_[ab]       u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/hyp_[ab]          u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/keymaster_[ab]    u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/modem_[ab]        u:object_r:modem_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/bluetooth_[ab]    u:object_r:modem_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/msadp_[ab]        u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/pmic_[ab]         u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/rpm_[ab]          u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/system_[ab]       u:object_r:system_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/tz_[ab]           u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/vendor_[ab]       u:object_r:system_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/xbl_[ab]          u:object_r:xbl_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/aop_[ab]          u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/vbmeta_[ab]       u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/dtbo_[ab]         u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/dsp_[ab]          u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/mdtp_[ab]         u:object_r:mdtp_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/mdtpsecapp_[ab]   u:object_r:mdtp_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/qupfw_[ab]        u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/xbl_config_[ab]   u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/storsec_[ab]      u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/ImageFv_[ab]      u:object_r:custom_ab_block_device:s0
+
+#non A/B
+/dev/block/platform/soc/7c4000.sdhci/by-name/system                            u:object_r:system_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/userdata                          u:object_r:userdata_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/boot                              u:object_r:boot_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/logdump                           u:object_r:logdump_partition:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/fsc                                u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/fsg                                u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/modemst1                           u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/modemst2                           u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/ssd                                u:object_r:ssd_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/misc                               u:object_r:misc_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/rpm                                u:object_r:rpmb_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/msadp                              u:object_r:mba_debug_dev:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/recovery                           u:object_r:recovery_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/cache                              u:object_r:cache_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/frp                                u:object_r:frp_block_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/mdtp                               u:object_r:mdtp_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/dip                                u:object_r:dip_device:s0
+/dev/block/platform/soc/7c4000.sdhci/by-name/storsec                            u:object_r:boot_block_device:s0
+
+#rawdump partition
+/dev/block/platform/soc/7c4000.sdhci/by-name/rawdump                            u:object_r:rawdump_block_device:s0
+
+# Block device holding the GPT, where the A/B attributes are stored.
+/dev/block/mmcblk0                                              u:object_r:root_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/sd[ade]                   u:object_r:gpt_block_device:s0
+
+# Block devices for the drive that holds the xbl_a and xbl_b partitions.
+/dev/block/platform/soc/1d84000.ufshc/sd[bc]                 u:object_r:xbl_block_device:s0
+
+##################################
+# non-hlos mount points
+/firmware                  u:object_r:firmware_file:s0
+/bt_firmware               u:object_r:bt_firmware_file:s0
+
+# FBE
+/(vendor|system/vendor)/bin/init.qti.qseecomd.sh		u:object_r:init-qti-fbe-sh_exec:s0
+
+##################################
+# same process HAL libs
+/vendor/lib(64)?/hw/gralloc\.sdm710\.so   u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/vulkan\.sdm710\.so    u:object_r:same_process_hal_file:s0
+
+#TODO : need to remove regexp
+/sys/devices(/platform)?/soc/[a-z0-9\.:]+,[a-z0-9\-\_]+/subsys[0-9]+/name         u:object_r:sysfs_ssr:s0
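Review bot: The non-A/B entries label `by-name/rpm` as `rpmb_device` (in the UFS list and again in the eMMC list), the same type used for /dev/block/mmcblk0rpmb, while the A/B entries label `rpm_[ab]` as `custom_ab_block_device`. This looks like an rpm/rpmb mix-up, and it would give every domain that is allowed `rpmb_device` raw access to the rpm partition as well. `storsec` is similarly inconsistent: `boot_block_device` in the non-A/B lists but `custom_ab_block_device` in the A/B lists. The dots in `1d84000.ufshc` and `7c4000.sdhci` are unescaped, so as regexes they match any character; `1d84000\.ufshc` is the exact form, as the file already does for `gralloc\.sdm710\.so`.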
diff --git a/legacy/vendor/sdm710/genfs_contexts b/legacy/vendor/sdm710/genfs_contexts
new file mode 100644
index 0000000..88768e5
--- /dev/null
+++ b/legacy/vendor/sdm710/genfs_contexts
@@ -0,0 +1,57 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+###################################
+
+#secure touch sysfs-node
+genfscon sysfs /devices/platform/soc/a84000.i2c/i2c-2/2-0020 u:object_r:sysfs_sectouch:s0
+
+#qdss sysfs-node
+genfscon sysfs /devices/platform/soc/6047000.tmc/coresight-tmc-etf u:object_r:sysfs_qdss_dev:s0
+genfscon sysfs /devices/platform/soc/6048000.tmc/coresight-tmc-etr u:object_r:sysfs_qdss_dev:s0
+genfscon sysfs /devices/platform/soc/6002000.stm/coresight-stm u:object_r:sysfs_qdss_dev:s0
+genfscon sysfs /devices/platform/soc/14066f0.hwevent/coresight-hwevent u:object_r:sysfs_qdss_dev:s0
+
+genfscon sysfs /devices/platform/soc/soc:qcom,l3-cdsp/devfreq u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,l3-cdsp/devfreq/soc:qcom,l3-cdsp/userspace u:object_r:sysfs_devfreq_l3cdsp:s0
+
+#pmic sysfs_nodes
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm660@0:qcom,qpnp-smb2/power_supply/battery u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm660@0:qcom,qpnp-smb2/power_supply/dc u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm660@0:qcom,qpnp-smb2/power_supply/main u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm660@0:qcom,qpnp-smb2/power_supply/pc_port u:object_r:sysfs_usb_supply:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm660@0:qcom,qpnp-smb2/power_supply/usb u:object_r:sysfs_usb_supply:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm660@0:qpnp,fg/power_supply/bms u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm660@0:qcom,usb-pdphy@1700/usbpd/usbpd0 u:object_r:sysfs_usbpd_device:s0
+genfscon sysfs /devices/platform/soc/a88000.i2c/i2c-0/0-0008/a88000.i2c:qcom,smb1355@8:qcom,smb1355-charger@1000/power_supply/parallel u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/a88000.i2c/i2c-0/0-000c/a88000.i2c:qcom,smb1355@c:qcom,smb1355-charger@1000/power_supply/parallel u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /class/qcom-battery u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /class/charge_pump u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-03/c440000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/red u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-03/c440000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/green u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-03/c440000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/blue u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-03/c440000.qcom,spmi:qcom,pm660l@3:qcom,leds@d300/leds u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-03/c440000.qcom,spmi:qcom,pm660l@3:qcom,leds@d800/leds/wled u:object_r:sysfs_leds:s0
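Review bot: The pm660l `leds@d000` red, green and blue nodes are labelled `sysfs_graphics`, whereas the `leds@d300` and `leds@d800` nodes directly below them get `sysfs_leds`, and nothing in the file explains the difference. If the split is intentional, a comment such as `# RGB LED nodes share the graphics label because <reason>` above the three entries would record it. Otherwise `sysfs_leds` would keep domains that are allowed `sysfs_graphics` from also reaching the LED controls. The `/class/qcom-battery` and `/class/charge_pump` entries sit under the "pmic sysfs_nodes" heading without a comment on which domains need them.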
diff --git a/legacy/vendor/sdm710/idmap.te b/legacy/vendor/sdm710/idmap.te
new file mode 100755
index 0000000..4b7fb5a
--- /dev/null
+++ b/legacy/vendor/sdm710/idmap.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+r_dir_file(idmap, oemfs);
+r_dir_file(idmap, vendor_carrier_file);
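Review bot: The comment `#for oemfs` covers only the first rule, so the `vendor_carrier_file` grant has no stated rationale. idmap is a platform domain, and vendor policy that extends it deserves a line saying why, such as `# read carrier overlay files from vendor` if that is the purpose. The trailing `;` after each `r_dir_file(...)` call is unnecessary and differs from macro calls elsewhere in this commit, e.g. `init_daemon_domain(wigighalsvc)`.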
diff --git a/legacy/vendor/sdm710/init-qti-fbe-sh.te b/legacy/vendor/sdm710/init-qti-fbe-sh.te
new file mode 100644
index 0000000..05bb8dc
--- /dev/null
+++ b/legacy/vendor/sdm710/init-qti-fbe-sh.te
@@ -0,0 +1,37 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type init-qti-fbe-sh, domain;
+type init-qti-fbe-sh_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(init-qti-fbe-sh)
+
+allow init-qti-fbe-sh vendor_shell_exec:file rx_file_perms;
+
+# execute toybox/toolbox
+allow init-qti-fbe-sh vendor_toolbox_exec:file rx_file_perms;
+get_prop(init-qti-fbe-sh, vendor_tee_listener_prop)
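Review bot: The new domain is declared without any comment naming the script it confines or explaining why that script reads `vendor_tee_listener_prop`. A two-line header would do, e.g. `# Domain for the vendor FBE init script` and `# reads vendor_tee_listener_prop to <reason>` (placeholder, to be filled in by the author). The type name `init-qti-fbe-sh` also uses hyphens, whereas every other type visible in this part of the commit uses underscores (`qti_init_shell`, `vendor_media_sdm710_version_prop`); if the name is not fixed by existing labels, `init_qti_fbe_sh` would be consistent.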
diff --git a/legacy/vendor/sdm710/init_shell.te b/legacy/vendor/sdm710/init_shell.te
new file mode 100644
index 0000000..413d6a1
--- /dev/null
+++ b/legacy/vendor/sdm710/init_shell.te
@@ -0,0 +1,38 @@
+# Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# media_sdm710_version_prop - to choose target version specific media_codecs.xml
+allow qti_init_shell {
+    vendor_media_sdm710_version_prop
+}:property_service set;
+
+# For regionalization
+allow qti_init_shell regionalization_file:dir r_dir_perms;
+allow qti_init_shell regionalization_file:file create_file_perms;
+
+r_dir_file(qti_init_shell, sysfs_devfreq_l3cdsp)
+allow qti_init_shell sysfs_devfreq_l3cdsp:file setattr;
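Review bot: The write to `vendor_media_sdm710_version_prop` is granted with a bare `allow ... :property_service set` block rather than the `set_prop()` macro. `set_prop(qti_init_shell, vendor_media_sdm710_version_prop)` also carries the property-socket connect and the read access a setter needs, so the rule would not depend on grants made in another file. Separately, `create_file_perms` on `regionalization_file` and `setattr` on `sysfs_devfreq_l3cdsp` are write-class permissions with no stated consumer. A one-line comment per rule naming the script step that needs it would let a reviewer confirm each is the minimum, for example whether `create_file_perms` could be narrowed to `rw_file_perms` if the files already exist.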
diff --git a/legacy/vendor/sdm710/mediacodec.te b/legacy/vendor/sdm710/mediacodec.te
new file mode 100644
index 0000000..448eae9
--- /dev/null
+++ b/legacy/vendor/sdm710/mediacodec.te
@@ -0,0 +1,28 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+get_prop(mediacodec,  vendor_media_sdm710_version_prop)
diff --git a/legacy/vendor/sdm710/mediaserver.te b/legacy/vendor/sdm710/mediaserver.te
new file mode 100644
index 0000000..24315d3
--- /dev/null
+++ b/legacy/vendor/sdm710/mediaserver.te
@@ -0,0 +1,28 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+get_prop(mediaserver,  vendor_media_sdm710_version_prop)
diff --git a/legacy/vendor/sdm710/platform_app.te b/legacy/vendor/sdm710/platform_app.te
new file mode 100755
index 0000000..9e0a50d
--- /dev/null
+++ b/legacy/vendor/sdm710/platform_app.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow platform_app oemfs:lnk_file { read getattr };
diff --git a/legacy/vendor/sdm710/priv_app.te b/legacy/vendor/sdm710/priv_app.te
new file mode 100755
index 0000000..144af71
--- /dev/null
+++ b/legacy/vendor/sdm710/priv_app.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow priv_app oemfs:lnk_file { read getattr };
diff --git a/legacy/vendor/sdm710/property.te b/legacy/vendor/sdm710/property.te
new file mode 100644
index 0000000..b7ddb79
--- /dev/null
+++ b/legacy/vendor/sdm710/property.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#properites for init.qcom.sh script
+type vendor_media_sdm710_version_prop, property_type;
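Review bot: The comment above the type is misspelled (`properites`) and describes it only as belonging to the init.qcom.sh script, which does not say what the property is for. Going by init_shell.te in this commit, something like `# selects the target-version-specific media_codecs.xml; set by qti_init_shell, read by media domains` would be accurate and would tell a reader which domains are expected to touch it.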
diff --git a/legacy/vendor/sdm710/property_contexts b/legacy/vendor/sdm710/property_contexts
new file mode 100644
index 0000000..d8d8824
--- /dev/null
+++ b/legacy/vendor/sdm710/property_contexts
@@ -0,0 +1,28 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+vendor.media.sdm710.version      u:object_r:vendor_media_sdm710_version_prop:s0
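Review bot: This entry is a prefix match, so any property whose name begins with `vendor.media.sdm710.version` receives the label and falls under the set and read grants added for it in this commit. If the property_contexts format used by this build supports match qualifiers, pin it to the single name, e.g. `vendor.media.sdm710.version u:object_r:vendor_media_sdm710_version_prop:s0 exact string` (the value type is a guess and needs confirming). Otherwise add a comment stating that the prefix match is intended.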
diff --git a/legacy/vendor/sdm710/system_app.te b/legacy/vendor/sdm710/system_app.te
new file mode 100755
index 0000000..c60fbfc
--- /dev/null
+++ b/legacy/vendor/sdm710/system_app.te
@@ -0,0 +1,28 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+r_dir_file(system_app, vendor_carrier_file);
diff --git a/legacy/vendor/sdm710/system_server.te b/legacy/vendor/sdm710/system_server.te
new file mode 100755
index 0000000..87b7234
--- /dev/null
+++ b/legacy/vendor/sdm710/system_server.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+allow system_server resourcecache_data_file:dir create_dir_perms;
+allow system_server resourcecache_data_file:file create_file_perms;
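Review bot: Both rules give system_server create, write and unlink rights on `resourcecache_data_file` with no comment saying which feature owns that directory. Add a reason line such as `# <feature>: system_server maintains the resource cache` (placeholder, to be confirmed by the author). It is also worth checking whether the directory is pre-created by init, in which case `rw_dir_perms` would be enough in place of `create_dir_perms`.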
diff --git a/legacy/vendor/sdm710/untrusted_app.te b/legacy/vendor/sdm710/untrusted_app.te
new file mode 100644
index 0000000..1d3ae48
--- /dev/null
+++ b/legacy/vendor/sdm710/untrusted_app.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+# for oemfs
+allow untrusted_app oemfs:lnk_file { read getattr };
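Review bot: This rule extends read access on `oemfs` symlinks to `untrusted_app`, the least-trusted app domain, and the only rationale given is `# for oemfs`. The comment should name the link and the feature that requires third-party apps to resolve it, e.g. `# <feature>: apps resolve the <path> symlink on the OEM partition` (placeholders), so the grant can be removed when the feature goes away. On its own the rule exposes only the link, not its target, but it is worth confirming that no `oemfs:file` or `oemfs:dir` read is granted to app domains elsewhere in the tree. The same terse comment accompanies the identical rule in platform_app.te and priv_app.te in this commit.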
diff --git a/legacy/vendor/sdm710/update_engine_common.te b/legacy/vendor/sdm710/update_engine_common.te
new file mode 100644
index 0000000..b91a7ac
--- /dev/null
+++ b/legacy/vendor/sdm710/update_engine_common.te
@@ -0,0 +1,40 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Allow update_engine and update_engine_sideload (recovery) read/write on the
+# device-specific partitions it should update.
+allow update_engine_common {
+	custom_ab_block_device
+	xbl_block_device
+	ssd_device
+	modem_block_device
+	root_block_device
+	system_block_device
+	boot_block_device
+	mdtp_device
+}:blk_file rw_file_perms;
+
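Review bot: `root_block_device` sits in the same `rw_file_perms` set as the individual partition types, so the list may not constrain anything. If that type labels the whole-disk node on this target (the sdm710 file_contexts is not part of this hunk, so this is an assumption to check), update_engine can write every partition regardless of the per-partition entries. Drop `root_block_device` unless a specific updatable partition carries it, and add a short comment next to `ssd_device` and `mdtp_device` explaining why an OTA needs to write them, since the header comment promises only "the device-specific partitions it should update". The block is also indented with tabs, while init_shell.te in this commit uses four spaces.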
diff --git a/legacy/vendor/sdm710/wfdservice.te b/legacy/vendor/sdm710/wfdservice.te
new file mode 100644
index 0000000..6aca061
--- /dev/null
+++ b/legacy/vendor/sdm710/wfdservice.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+#Allow access to read property file
+get_prop(wfdservice,vendor_media_sdm710_version_prop)
diff --git a/legacy/vendor/sdm710/zygote.te b/legacy/vendor/sdm710/zygote.te
new file mode 100644
index 0000000..b769d60
--- /dev/null
+++ b/legacy/vendor/sdm710/zygote.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# For regionalization
+r_dir_file(zygote, oemfs);
diff --git a/legacy/vendor/sdm845/device.te b/legacy/vendor/sdm845/device.te
new file mode 100644
index 0000000..647d226
--- /dev/null
+++ b/legacy/vendor/sdm845/device.te
@@ -0,0 +1,26 @@
+# Copyright (c) 2016-2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/legacy/vendor/sdm845/file_contexts b/legacy/vendor/sdm845/file_contexts
new file mode 100644
index 0000000..c6fb987
--- /dev/null
+++ b/legacy/vendor/sdm845/file_contexts
@@ -0,0 +1,100 @@
+# Copyright (c) 2016-2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+###################################
+# Dev block nodes
+
+# UFS Devices
+/dev/block/platform/soc/1d84000.ufshc/by-name/system                            u:object_r:system_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/userdata                          u:object_r:userdata_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/boot                              u:object_r:boot_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/logdump                           u:object_r:logdump_partition:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/fsc                                u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/fsg                                u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/modemst1                           u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/modemst2                           u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/ssd                                u:object_r:ssd_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/misc                               u:object_r:misc_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/rpm                                u:object_r:rpmb_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/msadp                              u:object_r:mba_debug_dev:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/recovery                           u:object_r:recovery_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/cache                              u:object_r:cache_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/frp                                u:object_r:frp_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/mdtp                               u:object_r:mdtp_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/dip                                u:object_r:dip_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/storsec                            u:object_r:boot_block_device:s0
+
+#rawdump partition
+/dev/block/platform/soc/1d84000.ufshc/by-name/rawdump                            u:object_r:rawdump_block_device:s0
+
+# A/B partitions.
+/dev/block/platform/soc/1d84000.ufshc/by-name/abl_[ab]          u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/apdp_[ab]         u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/boot_[ab]         u:object_r:boot_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/cmnlib_[ab]       u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/cmnlib64_[ab]     u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/devcfg_[ab]       u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/hyp_[ab]          u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/keymaster_[ab]    u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/modem_[ab]        u:object_r:modem_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/bluetooth_[ab]    u:object_r:modem_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/msadp_[ab]        u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/pmic_[ab]         u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/rpm_[ab]          u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/system_[ab]       u:object_r:system_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/tz_[ab]           u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/vendor_[ab]       u:object_r:system_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/xbl_[ab]          u:object_r:xbl_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/aop_[ab]          u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/vbmeta_[ab]       u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/dtbo_[ab]         u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/dsp_[ab]          u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/mdtp_[ab]         u:object_r:mdtp_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/mdtpsecapp_[ab]   u:object_r:mdtp_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/qupfw_[ab]        u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/xbl_config_[ab]   u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/storsec_[ab]      u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/ImageFv_[ab]      u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/persist           u:object_r:persist_block_device:s0
+
+# Block device holding the GPT, where the A/B attributes are stored.
+/dev/block/platform/soc/1d84000.ufshc/sd[ade]                   u:object_r:gpt_block_device:s0
+
+# Block devices for the drive that holds the xbl_a and xbl_b partitions.
+/dev/block/platform/soc/1d84000.ufshc/sd[bc]                 u:object_r:xbl_block_device:s0
+
+##################################
+# non-hlos mount points
+/firmware                  u:object_r:firmware_file:s0
+/bt_firmware               u:object_r:bt_firmware_file:s0
+
+# FBE
+/(vendor|system/vendor)/bin/init.qti.qseecomd.sh		u:object_r:init-qti-fbe-sh_exec:s0
+
+# Same process file
+/vendor/lib(64)?/hw/gralloc\.sdm845\.so   u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/vulkan\.sdm845\.so    u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/bin/sscrpcd       u:object_r:sensors_exec:s0
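Review bot: Two entries in the UFS block-node list carry labels that do not match the partition they name: `by-name/rpm` is labelled `rpmb_device` and `by-name/storsec` is labelled `boot_block_device`, while the A/B list further down labels `rpm_[ab]` and `storsec_[ab]` as `custom_ab_block_device`. Any domain allowed to open `rpmb_device` or `boot_block_device` block files would therefore also reach these partitions, which looks unintended. If the non-slotted names should be treated like their slotted variants, `/dev/block/platform/soc/1d84000.ufshc/by-name/rpm u:object_r:custom_ab_block_device:s0` (and the same for `storsec`) keeps the two lists consistent; otherwise a comment explaining the choice is needed. The `.` in `1d84000.ufshc` is also an unescaped regex wildcard on every line, unlike the escaped `gralloc\.sdm845\.so` entries at the end of the file.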
diff --git a/legacy/vendor/sdm845/genfs_contexts b/legacy/vendor/sdm845/genfs_contexts
new file mode 100644
index 0000000..44ffbd5
--- /dev/null
+++ b/legacy/vendor/sdm845/genfs_contexts
@@ -0,0 +1,72 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+###################################
+
+#secure touch sysfs node
+genfscon sysfs /devices/platform/soc/a98000.i2c/i2c-2/2-0020 u:object_r:sysfs_sectouch:s0
+
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm8998@0:qcom,pm8998_rtc/rtc u:object_r:sysfs_rtc:s0
+
+#qdss sysfs-node
+genfscon sysfs /devices/platform/soc/6047000.tmc/coresight-tmc-etf u:object_r:sysfs_qdss_dev:s0
+genfscon sysfs /devices/platform/soc/6048000.tmc/coresight-tmc-etr u:object_r:sysfs_qdss_dev:s0
+genfscon sysfs /devices/platform/soc/6002000.stm/coresight-stm u:object_r:sysfs_qdss_dev:s0
+genfscon sysfs /devices/platform/soc/14066f0.hwevent/coresight-hwevent u:object_r:sysfs_qdss_dev:s0
+genfscon sysfs /devices/platform/soc/6b0e000.csr/coresight-swao-csr u:object_r:sysfs_qdss_dev:s0
+
+genfscon sysfs /devices/platform/soc/soc:qcom,l3-cdsp/devfreq u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,l3-cdsp/devfreq/soc:qcom,l3-cdsp/userspace u:object_r:sysfs_devfreq_l3cdsp:s0
+
+# sdm845 specific sysfs
+genfscon sysfs /devices/platform/soc/17d41000.qcom,cpucc/17d41000.qcom,cpucc:qcom,wil6210/subsys8/name    u:object_r:sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/188101c.qcom,spss/subsys0/name                                       u:object_r:sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/aae0000.qcom,venus/subsys1/name                                      u:object_r:sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys2/name                                        u:object_r:sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/subsys3/name                                       u:object_r:sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/17300000.qcom,lpass/subsys4/name                                     u:object_r:sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/5c00000.qcom,ssc/subsys5/name                                        u:object_r:sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/8300000.qcom,turing/subsys6/name                                     u:object_r:sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/4080000.qcom,mss/subsys7/name                                        u:object_r:sysfs_ssr:s0
+
+#pmic sysfs_nodes
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pmi8998@2:qcom,qpnp-smb2/power_supply/battery u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pmi8998@2:qcom,qpnp-smb2/power_supply/dc u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pmi8998@2:qcom,qpnp-smb2/power_supply/main u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pmi8998@2:qcom,qpnp-smb2/power_supply/pc_port u:object_r:sysfs_usb_supply:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pmi8998@2:qcom,qpnp-smb2/power_supply/usb u:object_r:sysfs_usb_supply:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pmi8998@2:qpnp,fg/power_supply/bms u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pmi8998@2:qcom,usb-pdphy@1700/usbpd/usbpd0 u:object_r:sysfs_usbpd_device:s0
+genfscon sysfs /devices/platform/soc/a88000.i2c/i2c-0/0-0008/a88000.i2c:qcom,smb1355@8:qcom,smb1355-charger@1000/power_supply/parallel u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/a88000.i2c/i2c-0/0-000c/a88000.i2c:qcom,smb1355@c:qcom,smb1355-charger@1000/power_supply/parallel u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /class/qcom-battery u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /class/charge_pump u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-03/c440000.qcom,spmi:qcom,pmi8998@3:qcom,leds@d000/leds/red u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-03/c440000.qcom,spmi:qcom,pmi8998@3:qcom,leds@d000/leds/green u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-03/c440000.qcom,spmi:qcom,pmi8998@3:qcom,leds@d000/leds/blue u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-03/c440000.qcom,spmi:qcom,pmi8998@3:qcom,leds@d300/leds u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-03/c440000.qcom,spmi:qcom,pmi8998@3:qcom,leds@d800/leds/wled u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-03/c440000.qcom,spmi:qcom,pmi8998@3:qcom,haptics@c000/leds/vibrator u:object_r:sysfs_leds:s0
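Review bot: The nine `sysfs_ssr` entries under `# sdm845 specific sysfs` pin each subsystem to a fixed `subsysN` index (for example `aae0000.qcom,venus/subsys1/name` and `4080000.qcom,mss/subsys7/name`), and that index presumably follows driver registration order rather than anything stable in the device tree. If the order shifts after a kernel or device-tree change, the node falls back to the generic sysfs label and readers of `sysfs_ssr` get denials with no build-time warning. A comment such as `# subsysN index depends on probe order; re-check after kernel/DT updates` above the block would record the assumption. The rtc and l3-cdsp devfreq entries also have no heading comment, unlike the other groups in the file.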
diff --git a/legacy/vendor/sdm845/idmap.te b/legacy/vendor/sdm845/idmap.te
new file mode 100755
index 0000000..5a17b25
--- /dev/null
+++ b/legacy/vendor/sdm845/idmap.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, 2018 The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+r_dir_file(idmap, oemfs);
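Review bot: This file is added with mode 100755, as are init_shell.te, platform_app.te, priv_app.te and system_server.te in the same directory, while device.te, init-qti-fbe-sh.te and update_engine_common.te are 100644. Policy sources are only read by the build, so the executable bit serves no purpose and these files should be added as 100644. The comment `#for oemfs` also only repeats the type name; it should say which content under oemfs idmap has to read, so that the read grant can be audited later.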
diff --git a/legacy/vendor/sdm845/init-qti-fbe-sh.te b/legacy/vendor/sdm845/init-qti-fbe-sh.te
new file mode 100644
index 0000000..aff8576
--- /dev/null
+++ b/legacy/vendor/sdm845/init-qti-fbe-sh.te
@@ -0,0 +1,38 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type init-qti-fbe-sh, domain;
+type init-qti-fbe-sh_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(init-qti-fbe-sh)
+
+not_full_treble(`allow init-qti-fbe-sh shell_exec:file rx_file_perms;')
+full_treble_only(`allow init-qti-fbe-sh vendor_shell_exec:file rx_file_perms;')
+# execute toybox/toolbox
+not_full_treble(`allow init-qti-fbe-sh toolbox_exec:file rx_file_perms;')
+full_treble_only(`allow init-qti-fbe-sh vendor_toolbox_exec:file rx_file_perms;')
+get_prop(init-qti-fbe-sh, vendor_tee_listener_prop)
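Review bot: The new domain has no comment saying which script it confines; the only link is the file_contexts entry in this commit that labels `/(vendor|system/vendor)/bin/init.qti.qseecomd.sh` as `init-qti-fbe-sh_exec`. A header line such as `# Domain for init.qti.qseecomd.sh, started by init` above the `type` declarations would make that visible here. The `# execute toybox/toolbox` comment documents only the second pair of rules; a matching `# execute the shell interpreter` above the first pair, and a note on why the script reads `vendor_tee_listener_prop`, would cover the rest.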
diff --git a/legacy/vendor/sdm845/init_shell.te b/legacy/vendor/sdm845/init_shell.te
new file mode 100755
index 0000000..7896ffe
--- /dev/null
+++ b/legacy/vendor/sdm845/init_shell.te
@@ -0,0 +1,34 @@
+# Copyright (c) 2016, 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+# For regionalization
+allow qti_init_shell regionalization_file:dir r_dir_perms;
+allow qti_init_shell regionalization_file:file create_file_perms;
+
+r_dir_file(qti_init_shell, sysfs_devfreq_l3cdsp)
+allow qti_init_shell sysfs_devfreq_l3cdsp:file setattr;
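Review bot: `qti_init_shell` gets `create_file_perms` on `regionalization_file:file` but only `r_dir_perms` on the directory, so the create, rename and unlink parts of the file grant cannot take effect unless a rule outside this hunk adds write and add_name on the directory. If the script only modifies existing files, `allow qti_init_shell regionalization_file:file rw_file_perms;` is the narrower grant; if it does create files, the directory rule is the one that is incomplete. The `setattr` on `sysfs_devfreq_l3cdsp:file` would also benefit from a comment saying which attribute the script changes on that node.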
diff --git a/legacy/vendor/sdm845/platform_app.te b/legacy/vendor/sdm845/platform_app.te
new file mode 100755
index 0000000..bc02a19
--- /dev/null
+++ b/legacy/vendor/sdm845/platform_app.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow platform_app oemfs:lnk_file { read getattr };
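Review bot: The comment `#for oemfs` restates the target type and does not say why an app domain needs to follow symlinks there; priv_app.te adds the identical rule with the identical comment. The zygote rule on the same type is commented `# For regionalization`, so if that is also the reason here, `# For regionalization: resolve symlinks under oemfs` would let a later reviewer judge whether the grant is still needed. Since only `lnk_file` is covered, the comment should also state whether access to the link targets is granted elsewhere.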
diff --git a/legacy/vendor/sdm845/priv_app.te b/legacy/vendor/sdm845/priv_app.te
new file mode 100755
index 0000000..e0a8fa3
--- /dev/null
+++ b/legacy/vendor/sdm845/priv_app.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow priv_app oemfs:lnk_file { read getattr };
diff --git a/legacy/vendor/sdm845/system_server.te b/legacy/vendor/sdm845/system_server.te
new file mode 100755
index 0000000..d2cb28e
--- /dev/null
+++ b/legacy/vendor/sdm845/system_server.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+allow system_server resourcecache_data_file:dir create_dir_perms;
+allow system_server resourcecache_data_file:file create_file_perms;
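Review bot: Both rules are added without any comment, and they give system_server full create and delete rights (`create_dir_perms`, `create_file_perms`) on `resourcecache_data_file`. A one-line comment naming the feature that writes this cache is needed so the grant can be audited. If system_server only populates a directory that another component creates, `rw_dir_perms` on the directory would be the narrower choice.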
diff --git a/legacy/vendor/sdm845/update_engine_common.te b/legacy/vendor/sdm845/update_engine_common.te
new file mode 100644
index 0000000..75f6767
--- /dev/null
+++ b/legacy/vendor/sdm845/update_engine_common.te
@@ -0,0 +1,36 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Allow update_engine and update_engine_sideload (recovery) read/write on the
+# device-specific partitions it should update.
+allow update_engine_common {
+	custom_ab_block_device
+	xbl_block_device
+	ssd_device
+	modem_block_device
+}:blk_file rw_file_perms;
+
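Review bot: The set includes `ssd_device`, but in this commit's sdm845 file_contexts that label is applied only to the non-slotted `by-name/ssd` partition, which does not obviously fit the comment's "device-specific partitions it should update". Meanwhile `mdtp_device`, which labels the slotted `mdtp_[ab]` and `mdtpsecapp_[ab]` partitions, is absent from the set. Either drop `ssd_device` or extend the comment to say why a non-A/B partition is writable by the updater, and state whether the mdtp partitions are deliberately left out. `custom_ab_block_device` also covers `keymaster_[ab]`, `tz_[ab]`, `hyp_[ab]` and `vbmeta_[ab]`, so this rule gives raw write access to most of the boot chain; that is expected for an A/B updater but should be stated in the comment.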
diff --git a/legacy/vendor/ssg/keys.conf b/legacy/vendor/ssg/keys.conf
new file mode 100644
index 0000000..3448a87
--- /dev/null
+++ b/legacy/vendor/ssg/keys.conf
@@ -0,0 +1,29 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+[@SSG]
+ALL : device/qcom/sepolicy/legacy/vendor/ssg/ssg_app_cert.x509.pem
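Review bot: The `ALL` entry hard-codes the certificate location as `device/qcom/sepolicy/legacy/vendor/ssg/ssg_app_cert.x509.pem`, so the `@SSG` signer mapping depends on this repository being checked out at exactly that path, and the same certificate applies to every build variant. The certificate file itself is not visible in this part of the diff, so it should be confirmed that the same change adds it and that it contains a public certificate only. A comment such as `# public cert for SSG-signed apps; path is relative to the Android tree root` above `[@SSG]` would document the assumption.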
diff --git a/legacy/vendor/ssg/mac_permissions.xml b/legacy/vendor/ssg/mac_permissions.xml
new file mode 100644
index 0000000..cc78572
--- /dev/null
+++ b/legacy/vendor/ssg/mac_permissions.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+Copyright (c) 2019, The Linux Foundation. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+    * Redistributions of source code must retain the above copyright
+       notice, this list of conditions and the following disclaimer.
+     * Redistributions in binary form must reproduce the above
+       copyright notice, this list of conditions and the following
+       disclaimer in the documentation and/or other materials provided
+       with the distribution.
+     * Neither the name of The Linux Foundation nor the names of its
+       contributors may be used to endorse or promote products derived
+       from this software without specific prior written permission.
+ 
+ THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+ WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+ ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+ BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+ IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ -->
+<policy>
+
+<!--
+See /system/sepolicy/private/mac_permissions.xml
+-->
+
+    <signer signature="@SSG" >
+      <seinfo value="ssgapp" />
+    </signer>
+
+</policy>
diff --git a/legacy/vendor/ssg/seapp_contexts b/legacy/vendor/ssg/seapp_contexts
new file mode 100644
index 0000000..06356ef
--- /dev/null
+++ b/legacy/vendor/ssg/seapp_contexts
@@ -0,0 +1,31 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# SSG apps for Connection Security
+user=_app seinfo=ssgapp domain=ssg_app name=com.qualcomm.qti.qms.service.connectionsecurity type=app_data_file levelFrom=all
+user=_app seinfo=ssgapp domain=ssg_app name=com.qualcomm.qti.qms.service.telemetry type=app_data_file levelFrom=all
+user=_app seinfo=ssgapp domain=ssg_app name=com.qualcomm.qti.qms.service.trustzoneaccess type=app_data_file levelFrom=all
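Review bot: The three entries at the end of this hunk map the connectionsecurity, telemetry and trustzoneaccess packages to the same `ssg_app` domain, so each package receives the union of what ssg_app.te grants (in this commit: connects to the mlid, ssgqmigd, ssgtzd and dpmd sockets). If only one of them needs the ssgtzd socket, a separate domain per package would keep that access narrower; this is inferred from the package names, not shown by the diff. The comment above the entries names only Connection Security; I would reword it to `# SSG apps (connection security, telemetry, TrustZone access); all share ssg_app`.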
diff --git a/legacy/vendor/ssg/ssg_app.te b/legacy/vendor/ssg/ssg_app.te
new file mode 100644
index 0000000..7e5cfd7
--- /dev/null
+++ b/legacy/vendor/ssg/ssg_app.te
@@ -0,0 +1,58 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+## ssg_app
+##
+## This file defines the permissions that ssg_apps can carry
+
+type ssg_app, domain;
+
+app_domain(ssg_app)
+net_domain(ssg_app)
+
+# Allow access to sockets
+unix_socket_connect(ssg_app, mlid, mlid)
+unix_socket_connect(ssg_app, ssgqmig, ssgqmigd)
+unix_socket_connect(ssg_app, ssgtzd, ssgtzd)
+
+#access to qdma socket
+qdma_file_socket(ssg_app)
+
+allow ssg_app radio_service:service_manager find;
+allow ssg_app surfaceflinger_service:service_manager find;
+allow ssg_app app_api_service:service_manager find;
+
+# access to qipcrtr socket
+allow ssg_app self:qipcrtr_socket create_socket_perms_no_ioctl;
+
+# To get uuid and device info
+allow ssg_app proc_cpuinfo:file r_file_perms;
+allow ssg_app proc_meminfo:file r_file_perms;
+
+unix_socket_connect(ssg_app,dpmtcm, dpmd);
+
+r_dir_file(ssg_app, proc)
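Review bot: The last rule, `r_dir_file(ssg_app, proc)`, gives a network-capable app domain read access to everything carrying the generic `proc` label, with no comment, while the two rules above it already scope access to `proc_cpuinfo` and `proc_meminfo`. I would either drop it or replace it with the specific proc types the apps read, and at minimum add a comment such as `# needed for <proc entry> (TODO: narrow to a dedicated type)`. `unix_socket_connect(ssg_app,dpmtcm, dpmd);` also lacks a comment and carries a trailing semicolon that the other macro calls in this file do not have.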
diff --git a/legacy/vendor/ssg/ssg_app_cert.x509.pem b/legacy/vendor/ssg/ssg_app_cert.x509.pem
new file mode 100644
index 0000000..70ad39f
--- /dev/null
+++ b/legacy/vendor/ssg/ssg_app_cert.x509.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/legacy/vendor/test/diag_test.te b/legacy/vendor/test/diag_test.te
new file mode 100644
index 0000000..e43c9c2
--- /dev/null
+++ b/legacy/vendor/test/diag_test.te
@@ -0,0 +1,36 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type diagdciclient_exec, exec_type, vendor_file_type, file_type;
+userdebug_or_eng(`
+  type diag_test, domain;
+  domain_auto_trans(shell, diagdciclient_exec, diag_test)
+  #domain_auto_trans(adbd, diagdciclient_exec, diag_test)
+  allow diag_test devpts:chr_file getattr;
+  allow diag_test devpts:chr_file {ioctl read write open};
+')
+
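Review bot: Inside the `userdebug_or_eng` block the two `devpts:chr_file` rules can be written as one, `allow diag_test devpts:chr_file { getattr ioctl read write open };`, and the commented-out `#domain_auto_trans(adbd, diagdciclient_exec, diag_test)` line should be removed or given a reason. A one-line comment stating that `shell` is the only intended entry point into `diag_test` would help the next reader, since that transition is what places diag_dci_client in this domain when it is started from an adb shell on debug builds.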
diff --git a/legacy/vendor/test/domain.te b/legacy/vendor/test/domain.te
new file mode 100644
index 0000000..1e2ee65
--- /dev/null
+++ b/legacy/vendor/test/domain.te
@@ -0,0 +1,67 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#allow all gpu clients to access configuration settings
+userdebug_or_eng(`
+allow {domain - coredomain - hal_configstore_default} sysfs_kgsl:dir search;
+r_dir_file({domain - coredomain - hal_configstore_default}, sysfs_kgsl_snapshot);
+r_dir_file({domain - coredomain - hal_configstore_default}, vendor_gles_data_file);
+allow {domain - coredomain - hal_configstore_default} vendor_gles_data_file:dir create_dir_perms;
+allow {domain - coredomain - hal_configstore_default} vendor_gles_data_file:file create_file_perms;
+')
+
+userdebug_or_eng(`
+allow {system_server
+ system_app
+ mediaserver
+ cameraserver
+ surfaceflinger} sysfs_kgsl:dir search;
+
+r_dir_file({system_server
+ system_app
+ mediaserver
+ cameraserver
+ surfaceflinger}, sysfs_kgsl_snapshot);
+
+r_dir_file({system_server
+ system_app
+ mediaserver
+ cameraserver
+ surfaceflinger}, system_gles_data_file);
+
+allow {system_server
+ system_app
+ mediaserver
+ cameraserver
+ surfaceflinger} system_gles_data_file:dir create_dir_perms;
+
+allow {system_server
+ system_app
+ mediaserver
+ cameraserver
+ surfaceflinger} system_gles_data_file:file create_file_perms;
+')
\ No newline at end of file
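Review bot: The first block grants `create_dir_perms` and `create_file_perms` on `vendor_gles_data_file` to `{domain - coredomain - hal_configstore_default}`, i.e. every non-core domain, although the comment speaks of GPU clients accessing configuration settings. Even limited to userdebug/eng builds, a directory writable by all vendor domains is a shared channel between otherwise separated processes; an attribute for the actual GPU clients, or read-only access for domains that only consume the settings, would be tighter. The comments in test/file.te describe /data/vendor/gpu as "write" and /data/misc/gpu as "read", which does not match the create permissions given here for both types. The file also ends without a trailing newline.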
diff --git a/legacy/vendor/test/drmserver.te b/legacy/vendor/test/drmserver.te
new file mode 100644
index 0000000..4e1cb20
--- /dev/null
+++ b/legacy/vendor/test/drmserver.te
@@ -0,0 +1,27 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
diff --git a/legacy/vendor/test/energyawareness.te b/legacy/vendor/test/energyawareness.te
new file mode 100644
index 0000000..0ef47fa
--- /dev/null
+++ b/legacy/vendor/test/energyawareness.te
@@ -0,0 +1,33 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Access to power costs for testing
+
+userdebug_or_eng(`
+allow energyawareness qti_debugfs:dir r_dir_perms;
+allow energyawareness qti_debugfs:file rw_file_perms;
+')
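Review bot: `allow energyawareness qti_debugfs:file rw_file_perms;` is described as access to power costs, but `qti_debugfs` is a shared label: test/genfs_contexts in this commit puts debugfs `/regmap`, `/asoc` and the `/dri/0/debug/*` dump and recovery nodes under it, and test/file_contexts adds `dsi_dual_samsung_cmd`. The rule therefore gives read/write on all of those nodes on debug builds. A dedicated type for the power-cost entries, or `r_file_perms` if nothing is written, would match the comment; whether write access is needed cannot be told from this hunk.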
diff --git a/legacy/vendor/test/fidotest.te b/legacy/vendor/test/fidotest.te
new file mode 100644
index 0000000..d4bb8c4
--- /dev/null
+++ b/legacy/vendor/test/fidotest.te
@@ -0,0 +1,59 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type fidotest, domain;
+type fidotest_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(fidotest)
+userdebug_or_eng(`
+  #Allow fido test daemons to use Binder IPC
+  #binder_use(fidotest)
+
+  #Allow apps to interact with fido test daemons
+  binder_call(fidotest, platform_app)
+  binder_call(platform_app, fidotest)
+  binder_call(fidotest, system_app)
+  binder_call(system_app, fidotest)
+
+  # Mark fido test daemons as a Binder service domain
+  #binder_service(fidotest)
+
+  #Allow fido test daemons to be registered with service manager
+  allow fidotest fidotest_service:service_manager add;
+
+  # Allow communication with init over property server
+  unix_socket_connect(fidotest, property, init);
+
+  # Allow access to tee device
+  allow fidotest tee_device:chr_file rw_file_perms;
+
+  # Allow access to firmware
+  allow fidotest firmware_file:dir r_dir_perms;
+  allow fidotest firmware_file:file r_file_perms;
+
+  # Allow service manager to find
+  #allow qsee_svc_app fidotest_service:service_manager find;
+')
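Review bot: `type fidotest, domain;` and `init_daemon_domain(fidotest)` sit outside the `userdebug_or_eng` guard, so the domain and its init transition are compiled into user builds too, while every rule the daemon needs is debug-only; test/pdt_app.te in this commit keeps its `type` inside the guard. Only `fidotest_exec` has to stay outside (test/file_contexts refers to it), so, if no other file uses the `fidotest` type, I would move the other two lines into the block. Separately, `allow fidotest fidotest_service:service_manager add;` is present while `binder_use(fidotest)` is commented out; unless binder access is granted elsewhere, the registration will presumably be denied. The commented-out rules should be deleted or explained.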
diff --git a/legacy/vendor/test/file.te b/legacy/vendor/test/file.te
new file mode 100644
index 0000000..2d2eb25
--- /dev/null
+++ b/legacy/vendor/test/file.te
@@ -0,0 +1,32 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# To allow GPU application to write "/data/vendor/gpu" path
+type vendor_gles_data_file, file_type, data_file_type;
+
+# To allow GPU application to read "/data/misc/gpu" path
+type system_gles_data_file, core_data_file_type, file_type, data_file_type;
diff --git a/legacy/vendor/test/file_contexts b/legacy/vendor/test/file_contexts
new file mode 100644
index 0000000..4122313
--- /dev/null
+++ b/legacy/vendor/test/file_contexts
@@ -0,0 +1,102 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+/(vendor|system/vendor)/bin/kernel-tests/smd.* u:object_r:smd_test_exec:s0
+/(vendor|system/vendor)/bin/qmi-framework-tests/qmi_ping.*      u:object_r:qmi_ping_exec:s0
+/(vendor|system/vendor)/bin/qmi-framework-tests/qmi_test.*      u:object_r:qmi_test_service_exec:s0
+
+/(vendor|system/vendor)/bin/diag_dci_client      u:object_r:diagdciclient_exec:s0
+
+/(vendor|system/vendor)/bin/ptt_socket_app      u:object_r:wcnss_service_exec:s0
+/(vendor|system/vendor)/bin/athdiag             u:object_r:wcnss_service_exec:s0
+/(vendor|system/vendor)/bin/cld-fwlog-netlink                   u:object_r:wcnss_service_exec:s0
+/(vendor|system/vendor)/bin/cld-fwlog-record                    u:object_r:wcnss_service_exec:s0
+/(vendor|system/vendor)/bin/cld-fwlog-parser                    u:object_r:wcnss_service_exec:s0
+/(vendor|system/vendor)/bin/cnss_diag           u:object_r:wcnss_service_exec:s0
+/(vendor|system/vendor)/bin/iwpriv                              u:object_r:wcnss_service_exec:s0
+/(vendor|system/vendor)/bin/iwconfig                            u:object_r:wcnss_service_exec:s0
+/(vendor|system/vendor)/bin/iw                                  u:object_r:wcnss_service_exec:s0
+/(vendor|system/vendor)/bin/iwlist                              u:object_r:wcnss_service_exec:s0
+/(vendor|system/vendor)/bin/iwss_test                           u:object_r:wcnss_service_exec:s0
+/(vendor|system/vendor)/bin/pktlogconf                          u:object_r:wcnss_service_exec:s0
+/(vendor|system/vendor)/bin/iperf                               u:object_r:wcnss_service_exec:s0
+/(vendor|system/vendor)/bin/mboxping                            u:object_r:wcnss_service_exec:s0
+/(vendor|system/vendor)/bin/sigma_dut                           u:object_r:wcnss_service_exec:s0
+/(vendor|system/vendor)/bin/pktlog                              u:object_r:wcnss_service_exec:s0
+/(vendor|system/vendor)/bin/hal_proxy_daemon    u:object_r:wcnss_service_exec:s0
+/(vendor|system/vendor)/bin/Wifilogger_app      u:object_r:wcnss_service_exec:s0
+/(vendor|system/vendor)/bin/hs20-osu-client                     u:object_r:wcnss_service_exec:s0
+/(vendor|system/vendor)/bin/ndc                                 u:object_r:wcnss_service_exec:s0
+/(vendor|system/vendor)/bin/icm                                 u:object_r:wcnss_service_exec:s0
+/(vendor|system/vendor)/bin/playreadygtest(.*)                  u:object_r:sectest_exec:s0
+/(vendor|system/vendor)/bin/oem(.*)test                         u:object_r:sectest_exec:s0
+/(vendor|system/vendor)/bin/widevine(.*)                        u:object_r:sectest_exec:s0
+/(vendor|system/vendor)/bin/qseecom_sample_client               u:object_r:sectest_exec:s0
+/(vendor|system/vendor)/bin/isdbtmmtest                         u:object_r:sectest_exec:s0
+/(vendor|system/vendor)/bin/secure_ui_sample_client u:object_r:sectest_exec:s0
+/(vendor|system/vendor)/bin/qseecom_security_test               u:object_r:sectest_exec:s0
+/(vendor|system/vendor)/bin/qfipsverify                         u:object_r:sectest_exec:s0
+/(vendor|system/vendor)/bin/qseecom_assurance_test              u:object_r:sectest_exec:s0
+/(vendor|system/vendor)/bin/drm_generic_prov_test               u:object_r:sectest_exec:s0
+/(vendor|system/vendor)/bin/ParserApp                           u:object_r:sectest_exec:s0
+/(vendor|system/vendor)/bin/StoreKeybox         u:object_r:sectest_exec:s0
+/(vendor|system/vendor)/bin/InstallKeybox                       u:object_r:sectest_exec:s0
+
+#Authentication and FIDO
+/(vendor|system/vendor)/bin/sampleauthdaemon    u:object_r:fidotest_exec:s0
+/(vendor|system/vendor)/bin/qseeproxysampledaemon u:object_r:qseeproxysample_exec:s0
+
+#Context for location features
+/(vendor|system/vendor)/bin/sdp_test                            u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/icm_test                            u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/pf_test_app                         u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/quipc_ipe_test                      u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/ipead_test                          u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/quipc_iwmm_test                     u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/slimcw_test                         u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/lowi_test           u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/test-lowi-client                    u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/quipc_os_api_test_1                 u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/quipc_os_api_test_2                 u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/loc_api_v02_utt                     u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/test-version                        u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/test-pos-tx                         u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/xtwifi-upload-test                  u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/test-fake-ap                        u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/loc_api_app                         u:object_r:location_exec:s0
+/(vendor|system/vendor)/bin/test_loc_api_client                 u:object_r:location_exec:s0
+
+/(vendor|system/vendor)/bin/sns.*               u:object_r:sensors_test_exec:s0
+#for testscripts support
+/(vendor|system/vendor)/bin/init\.qcom\.vendor\.testscripts\.sh u:object_r:vendor-qti-testscripts_exec:s0
+/sys/kernel/debug/dsi_dual_samsung_cmd(/.*)?                    u:object_r:qti_debugfs:s0
+
+#Context for GPU applications
+/data/vendor/gpu(/.*)?                                          u:object_r:vendor_gles_data_file:s0
+
+#Used only in debug build to enable gpu config settings
+/data/misc/gpu(/.*)?                                            u:object_r:system_gles_data_file:s0
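Review bot: General-purpose tools such as `iw`, `iwconfig`, `iwlist`, `iperf` and `ndc` are labelled `wcnss_service_exec` together with the WLAN helpers, so any domain transition keyed on that type will run them with the full wcnss_service policy (the transition rule itself is not in this hunk). A separate exec type for the test utilities would keep them out of the service domain. The prefix patterns `bin/widevine(.*)`, `bin/oem(.*)test`, `bin/sns.*` and `kernel-tests/smd.*` also label any future binary that happens to share the prefix; anchoring them to the known test names is safer. Nothing in the file restricts these labels to debug builds, so please confirm that test/ is only included for userdebug/eng.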
diff --git a/legacy/vendor/test/genfs_contexts b/legacy/vendor/test/genfs_contexts
new file mode 100644
index 0000000..db51472
--- /dev/null
+++ b/legacy/vendor/test/genfs_contexts
@@ -0,0 +1,33 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+genfscon debugfs /regmap u:object_r:qti_debugfs:s0
+genfscon debugfs /asoc u:object_r:qti_debugfs:s0
+genfscon debugfs /dri/0/debug/dump u:object_r:qti_debugfs:s0
+genfscon debugfs /dri/0/debug/recovery_reg u:object_r:qti_debugfs:s0
+genfscon debugfs /dri/0/debug/recovery_dbgbus u:object_r:qti_debugfs:s0
+genfscon debugfs /dri/0/debug/recovery_vbif_dbgbus u:object_r:qti_debugfs:s0
diff --git a/legacy/vendor/test/init_shell.te b/legacy/vendor/test/init_shell.te
new file mode 100755
index 0000000..f0d5a1f
--- /dev/null
+++ b/legacy/vendor/test/init_shell.te
@@ -0,0 +1,31 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+userdebug_or_eng(`
+  allow qti_init_shell fuse:dir create_dir_perms;
+  allow qti_init_shell fuse:file create_file_perms;
+')
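Review bot: The two rules give `qti_init_shell` create and write access to `fuse` directories and files without any comment on what the init script writes there. Please state the reason above the block, for example `# test scripts write their output to emulated storage` if that is the purpose, or narrow the rules to the permissions actually used.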
diff --git a/legacy/vendor/test/mediaserver_test.te b/legacy/vendor/test/mediaserver_test.te
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/legacy/vendor/test/mediaserver_test.te
diff --git a/legacy/vendor/test/npu_app.te b/legacy/vendor/test/npu_app.te
new file mode 100644
index 0000000..d152a4f
--- /dev/null
+++ b/legacy/vendor/test/npu_app.te
@@ -0,0 +1,35 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+## npu_app
+##
+## This file defines the permissions that npu_apps can carry
+type npu_app, domain;
+app_domain(npu_app)
+
+allow npu_app npu_device:chr_file r_file_perms;
+allow npu_app app_api_service:service_manager find;
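Review bot: `npu_app` is declared under test/ but, unlike test/pdt_app.te, nothing here is wrapped in `userdebug_or_eng`, so the domain and its `npu_device` access are part of every build that includes this directory. If the domain is test-only, wrap the four statements in a `userdebug_or_eng` block; if it is meant for production, it probably belongs outside test/. No seapp_contexts entry for `npu_app` is visible in this part of the diff, so it is unclear which package lands in the domain.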
diff --git a/legacy/vendor/test/pdt_app.te b/legacy/vendor/test/pdt_app.te
new file mode 100644
index 0000000..3476a90
--- /dev/null
+++ b/legacy/vendor/test/pdt_app.te
@@ -0,0 +1,40 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# This domain is for pdt apps and should always be in
+# userdebug_or_eng macro
+
+userdebug_or_eng(`
+type pdt_app, domain;
+app_domain(pdt_app);
+net_domain(pdt_app)
+permissive pdt_app;
+# r_dir_file(pdt_app, domain)
+dontaudit pdt_app service_manager_type:service_manager *;
+dontaudit pdt_app hwservice_manager_type:hwservice_manager *;
+dontaudit pdt_app file_type:dir_file_class_set *;
+')
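Review bot: The three `dontaudit pdt_app ... *` rules sit next to `permissive pdt_app;`, so the domain's service-manager, hwservice-manager and file accesses are neither enforced nor logged. This removes the AVC trail that a permissive domain normally leaves, which is the only input for writing a real policy for it later. The seapp_contexts hunk in this commit maps a `user=system` process into this domain, so the blind spot covers a system-UID app. I would drop the blanket `dontaudit` lines, or narrow them to the specific noisy classes, and add `# permissive: debug builds only; denials are logged to derive allow rules`. Minor: `app_domain(pdt_app);` has a trailing semicolon that `net_domain(pdt_app)` on the next line does not.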
diff --git a/legacy/vendor/test/priv_app.te b/legacy/vendor/test/priv_app.te
new file mode 100644
index 0000000..fc86941
--- /dev/null
+++ b/legacy/vendor/test/priv_app.te
@@ -0,0 +1,35 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#allow priv_app clients to access configuration settings
+userdebug_or_eng(`
+allow priv_app sysfs_kgsl:dir search;
+r_dir_file(priv_app, sysfs_kgsl_snapshot);
+r_dir_file(priv_app, vendor_gles_data_file);
+allow priv_app vendor_gles_data_file:dir rw_dir_perms;
+allow priv_app vendor_gles_data_file:file rw_file_perms;
+')
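Review bot: The header comment `#allow priv_app clients to access configuration settings` does not describe the rules below it. They grant search on `sysfs_kgsl`, read on `sysfs_kgsl_snapshot` and read/write on `vendor_gles_data_file`. A comment such as `# userdebug/eng only: priv_app may read sysfs_kgsl_snapshot and read/write vendor_gles_data_file` would tell a reviewer what is actually opened up. `r_dir_file(priv_app, vendor_gles_data_file);` is also largely covered by the `rw_dir_perms` and `rw_file_perms` lines that follow, so it could be dropped unless symlink reads are needed. untrusted_app_25.te repeats the same comment and the same overlap.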
diff --git a/legacy/vendor/test/qmi_ping.te b/legacy/vendor/test/qmi_ping.te
new file mode 100644
index 0000000..eb1936d
--- /dev/null
+++ b/legacy/vendor/test/qmi_ping.te
@@ -0,0 +1,48 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#must be defined for file_contexts
+type qmi_ping_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+  type qmi_ping, domain;
+  domain_auto_trans(shell, qmi_ping_exec, qmi_ping)
+  #domain_auto_trans(adbd, qmi_ping_exec, qmi_ping)
+  #test launched from pseudo terminal, so output goes there
+  allow qmi_ping devpts:chr_file {read write ioctl getattr};
+  #to access smem logs
+  allow qmi_ping smem_log_device:chr_file {read write open ioctl};
+  #enable accessing the path where qmuxds named sockets are present
+  #to interface with qmuxd through unix sockets
+  #to use socket interface to ipc router
+  allow qmi_ping qmi_ping:socket {create bind read write setopt};
+  #enable running test as root user => privileged process
+  #enable privileged processes to bypass permission checks
+  allow qmi_ping qmi_ping:capability {setgid setuid fsetid};
+  #QCCI calls qmuxd API.  The API will internally require this
+  qmux_socket(qmi_ping);
+')
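Review bot: The comment `#enable privileged processes to bypass permission checks` above `allow qmi_ping qmi_ping:capability {setgid setuid fsetid};` overstates the grant. These capabilities let the process change its uid/gid and keep set-id bits; no DAC-override capability is given. Because the domain is entered directly from `shell` through `domain_auto_trans`, the comment should say exactly why identity changes are needed, e.g. `# test changes its own uid/gid; no DAC-override capability is granted`. The same comment and rule appear in qmi_test_service.te. As a style point, both self-referencing rules read more clearly as `allow qmi_ping self:capability { setgid setuid fsetid };` and `allow qmi_ping self:socket { create bind read write setopt };`.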
diff --git a/legacy/vendor/test/qmi_test_service.te b/legacy/vendor/test/qmi_test_service.te
new file mode 100644
index 0000000..d67b805
--- /dev/null
+++ b/legacy/vendor/test/qmi_test_service.te
@@ -0,0 +1,53 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#must be defined for file_contexts
+type qmi_test_service_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+  type qmi_test_service, domain;
+  domain_auto_trans(shell, qmi_test_service_exec, qmi_test_service)
+  #domain_auto_trans(adbd, qmi_test_service_exec, qmi_test_service)
+  #enable access to loader in 64 bit system
+  allow qmi_test_service shell:fd use;
+  #test is launched from pseudo terminal so output goes there
+  allow qmi_test_service devpts:chr_file {read write getattr ioctl};
+  #to access smem log
+  allow qmi_test_service smem_log_device:chr_file {read write open ioctl};
+  #enable accessing the path where qmuxds named sockets are present
+  #to interface with qmuxd through unix sockets
+  #to access ipc router socket
+  allow qmi_test_service qmi_test_service:socket {create bind read write setopt};
+  #enable running test as root user => privileged process
+  #enable privileged processes to bypass permission checks
+  allow qmi_test_service qmi_test_service:capability {setgid setuid fsetid};
+  #QCCI calls qmuxd API.  The API will internally require this
+  qmux_socket(qmi_test_service);
+  #enable accessing the system health monitor to check the system health,
+  #if a request times out
+  allow qmi_test_service system_health_monitor_device:chr_file rw_file_perms;
+')
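Review bot: `allow qmi_test_service shell:fd use;` is documented as `#enable access to loader in 64 bit system`, which does not match the rule. The rule lets the domain use file descriptors inherited from the shell that launched it. Suggest replacing the comment with `# use fds (stdin/stdout/stderr) inherited from the launching shell`. The last rule grants `rw_file_perms` on `system_health_monitor_device` although the comment only speaks of checking system health; if the test only reads, `r_file_perms` would be the tighter grant (cannot tell from this hunk whether writes are required).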
diff --git a/legacy/vendor/test/qseeproxysample.te b/legacy/vendor/test/qseeproxysample.te
new file mode 100644
index 0000000..1e71b7f
--- /dev/null
+++ b/legacy/vendor/test/qseeproxysample.te
@@ -0,0 +1,60 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type qseeproxysample, domain;
+type qseeproxysample_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(qseeproxysample)
+userdebug_or_eng(`
+  #Allow test daemons to use Binder IPC
+  #binder_use(qseeproxysample)
+
+  #Allow services to interact with test daemon
+  binder_call(qseeproxysample, qsee_svc_app)
+  binder_call(qsee_svc_app, qseeproxysample)
+
+  # Mark test daemon as a Binder service domain
+  #binder_service(qseeproxysample)
+
+  #Allow test daemon to be registered with service manager
+  allow qseeproxysample qseeproxysample_service:service_manager add;
+
+  #Allow test daemon to use system_server via binder to check caller identity
+  binder_call(qseeproxysample, system_server)
+
+  # Allow communication with init over property server
+  unix_socket_connect(qseeproxysample, property, init);
+
+  # Allow access to tee device
+  allow qseeproxysample tee_device:chr_file rw_file_perms;
+
+  # Allow access to firmware
+  allow qseeproxysample firmware_file:dir r_dir_perms;
+  allow qseeproxysample firmware_file:file r_file_perms;
+
+  #Allow service manager to find
+  #allow qsee_svc_app qseeproxysample_service:service_manager find;
+')
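Review bot: `type qseeproxysample, domain;` and `init_daemon_domain(qseeproxysample)` are outside the `userdebug_or_eng` block, so a non-debug build that includes this file still carries the domain and its init transition, with no rules behind it. sectest.te in this same commit places `init_daemon_domain(sectest)` inside the guard, and moving `init_daemon_domain(qseeproxysample)` below `userdebug_or_eng(` would make the two consistent. Separately, `binder_use(qseeproxysample)` is commented out while the `binder_call(...)` lines and `qseeproxysample_service:service_manager add` remain. Without binder access to servicemanager the `add` rule looks unreachable, unless that access is granted elsewhere. Either remove the dependent rules or add a comment recording why `binder_use` is disabled.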
diff --git a/legacy/vendor/test/seapp_contexts b/legacy/vendor/test/seapp_contexts
new file mode 100644
index 0000000..67733a9
--- /dev/null
+++ b/legacy/vendor/test/seapp_contexts
@@ -0,0 +1,50 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+user=_app seinfo=platform name=com.qualcomm.qct.dlt levelfrom=all domain=location_app type=app_data_file
+user=_app seinfo=platform name=com.qualcomm.qti.qlogcat levelfrom=all domain=location_app type=app_data_file
+user=_app seinfo=platform name=com.qualcomm.qti.pdrtesttool levelfrom=all domain=location_app type=app_data_file
+user=_app seinfo=platform name=com.qualcomm.qti.magcaltool levelfrom=all domain=location_app type=app_data_file
+
+#Add new domain for QSEE sample services
+user=system seinfo=platform name=com.qualcomm.qti.auth.securesampleauthservice domain=qsee_svc_app type=system_app_data_file
+user=system seinfo=platform name=com.qualcomm.qti.auth.secureextauthservice domain=qsee_svc_app type=system_app_data_file
+
+#Add new domain for pdt apps
+user=system seinfo=platform name=.pdtapps domain=pdt_app type=system_app_data_file
+
+#Add new domain for npudemo app
+user=_app seinfo=platform name=com.qti.qualcomm.npudemo domain=npu_app type=app_data_file levelFrom=all
+
+#Add new domain for VT loopback app
+user=_app seinfo=platform name=com.qti.vtloopback domain=vtloopback_app type=app_data_file levelfrom=all
+
+#Add new domain for sysmon app
+user=_app seinfo=platform name=com.qualcomm.qti.sysmonappExternal domain=sysmon_app type=app_data_file levelFrom=all
+
+#Add new domain for usta app
+user=system seinfo=platform name=com.qualcomm.qti.usta domain=usta_app type=system_app_data_file
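Review bot: The entry `user=system seinfo=platform name=.pdtapps domain=pdt_app type=system_app_data_file` places a system-UID process in `pdt_app`, which pdt_app.te in this commit declares `permissive`. `.pdtapps` is also the only `name=` value in the file that is not a fully qualified package name. Please document which APKs run under that name and confirm the entry only reaches images where `pdt_app` is defined, e.g. `# .pdtapps: <APKs using this process name>; userdebug/eng images only`. The key spelling is mixed as well (`levelfrom=all` on some lines, `levelFrom=all` on others), and its position varies; one spelling and one column order would make the file easier to grep and review.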
diff --git a/legacy/vendor/test/sectest.te b/legacy/vendor/test/sectest.te
new file mode 100644
index 0000000..0ceac15
--- /dev/null
+++ b/legacy/vendor/test/sectest.te
@@ -0,0 +1,39 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type sectest, domain;
+type sectest_exec, exec_type, vendor_file_type, file_type;
+userdebug_or_eng(`
+  init_daemon_domain(sectest)
+  # allow sectest access to drm related paths
+  allow sectest mnt_vendor_file:dir r_dir_perms;
+  r_dir_file(sectest, persist_data_file)
+  # Write to drm related pieces of persist partition
+  allow sectest persist_drm_file:dir create_dir_perms;
+  allow sectest persist_drm_file:file create_file_perms;
+  allow sectest tee_device:chr_file rw_file_perms;
+')
diff --git a/legacy/vendor/test/sensors_test.te b/legacy/vendor/test/sensors_test.te
new file mode 100644
index 0000000..001a7e8
--- /dev/null
+++ b/legacy/vendor/test/sensors_test.te
@@ -0,0 +1,43 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Policy for sensor test binaries
+type sensors_test_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+  type sensors_test, domain;
+
+  domain_auto_trans(shell, sensors_test_exec, sensors_test)
+  #domain_auto_trans(adbd, sensors_test_exec, sensors_test)
+
+  allow sensors_test devpts:chr_file rw_file_perms;
+  allow sensors_test sensors:unix_stream_socket connectto;
+  allow sensors_test sensors_device:chr_file rw_file_perms;
+  allow sensors_test sensors_socket:sock_file rw_file_perms;
+  allow sensors_test smd_device:chr_file rw_file_perms;
+  allow sensors_test socket_device:dir r_dir_perms;
+')
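Review bot: `allow sensors_test devpts:chr_file rw_file_perms;` grants more on the pty than the other shell-launched test domains in this commit take; qmi_ping.te, for example, uses `{read write ioctl getattr}`. Suggest `allow sensors_test devpts:chr_file { read write ioctl getattr };` unless the test really opens the pty itself. None of the six rules carries a comment, unlike the sibling qmi_ping.te and smd_test.te. A one-line reason per rule would help the next reviewer judge whether the grant is still needed, particularly for `smd_device` and `sensors_device`, e.g. `# talk to the sensors daemon over its unix socket`.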
diff --git a/legacy/vendor/test/service.te b/legacy/vendor/test/service.te
new file mode 100644
index 0000000..f6df536
--- /dev/null
+++ b/legacy/vendor/test/service.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type fidotest_service,        service_manager_type;
+type qseeproxysample_service, service_manager_type;
+
diff --git a/legacy/vendor/test/service_contexts b/legacy/vendor/test/service_contexts
new file mode 100644
index 0000000..787c9f5
--- /dev/null
+++ b/legacy/vendor/test/service_contexts
@@ -0,0 +1,30 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+com.qualcomm.qti.auth.securesampleauthdaemon   u:object_r:fidotest_service:s0
+com.qualcomm.qti.qseeproxysample               u:object_r:qseeproxysample_service:s0
+
diff --git a/legacy/vendor/test/smd_test.te b/legacy/vendor/test/smd_test.te
new file mode 100644
index 0000000..0126b9d
--- /dev/null
+++ b/legacy/vendor/test/smd_test.te
@@ -0,0 +1,40 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#must be defined for file_contexts
+type smd_test_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+  type smd_test, domain;
+  domain_auto_trans(shell, smd_test_exec, smd_test)
+  #domain_auto_trans(adbd, smd_test_exec, smd_test)
+  #SMD device node and test file contexts
+  allow smd_test smd_device:chr_file {ioctl read write open getattr append};
+  #tests are launched from pseudo terminal, so output will be directed there
+  #and as such needs adequate allow rules
+  allow smd_test devpts:chr_file {ioctl read write open getattr};
+')
diff --git a/legacy/vendor/test/sysmon_app.te b/legacy/vendor/test/sysmon_app.te
new file mode 100644
index 0000000..0ce1866
--- /dev/null
+++ b/legacy/vendor/test/sysmon_app.te
@@ -0,0 +1,41 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+## sysmon_app
+##
+## This file defines the permissions that sysmon_apps can carry
+
+type sysmon_app, domain;
+
+app_domain(sysmon_app)
+
+# display by the com.qualcomm.qti.sysmonappExternal.SysMonApp
+allow sysmon_app app_api_service:service_manager find;
+
+# Allow access to FastRPC
+allow sysmon_app qdsp_device:chr_file r_file_perms;
+allow sysmon_app xdsp_device:chr_file r_file_perms;
diff --git a/legacy/vendor/test/system_app.te b/legacy/vendor/test/system_app.te
new file mode 100644
index 0000000..ba473b0
--- /dev/null
+++ b/legacy/vendor/test/system_app.te
@@ -0,0 +1,37 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#============= system_app ==============
+userdebug_or_eng(`
+  # Rules for QSensors Test Application
+  #allow system_app sensors:unix_stream_socket connectto;
+  allow system_app sensors_device:chr_file getattr;
+  allow system_app sensors_socket:sock_file write;
+  allow system_app socket_device:dir read;
+
+  allow system_app self:socket create_socket_perms_no_ioctl;
+')
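Review bot: `allow system_app sensors_socket:sock_file write;` is kept while the matching `sensors:unix_stream_socket connectto` rule directly above it is commented out. Unless `connectto` is granted elsewhere, the connection would still be denied; sensors_test.te in this commit grants both. The rules are also attached to `system_app` as a whole, so on debug builds every system app receives them together with `self:socket create_socket_perms_no_ioctl`, not only the QSensors test application named in the comment. Either restore the `connectto` line or drop the `sock_file` rule, and add `# applies to every system_app process on userdebug/eng builds` so the scope is explicit.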
diff --git a/legacy/vendor/test/untrusted_app_25.te b/legacy/vendor/test/untrusted_app_25.te
new file mode 100644
index 0000000..46e7a1d
--- /dev/null
+++ b/legacy/vendor/test/untrusted_app_25.te
@@ -0,0 +1,35 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#allow untrusted_app_25 clients to access configuration settings
+userdebug_or_eng(`
+allow untrusted_app_25 sysfs_kgsl:dir search;
+r_dir_file(untrusted_app_25, sysfs_kgsl_snapshot);
+r_dir_file(untrusted_app_25, vendor_gles_data_file);
+allow untrusted_app_25 vendor_gles_data_file:dir rw_dir_perms;
+allow untrusted_app_25 vendor_gles_data_file:file rw_file_perms;
+')
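Review bot: The comment above the rule block (`#allow untrusted_app_25 clients to access configuration settings`) does not describe what the rules grant, which is read access to `sysfs_kgsl_snapshot` plus read/write access to `vendor_gles_data_file` directories and files for every app that runs in the untrusted_app_25 domain. The `userdebug_or_eng` guard keeps this off user builds, but on debug builds it applies to all apps in that domain rather than to one test client. The comment should say so, e.g. `# userdebug/eng only: GPU debug access (kgsl snapshot read, GLES vendor data read/write) for all untrusted_app_25 processes`. If only a particular profiling or test app needs this, a dedicated domain would keep vendor data out of reach of arbitrary apps on debug builds. The same block and the same comment appear in untrusted_app_27.te.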
diff --git a/legacy/vendor/test/untrusted_app_27.te b/legacy/vendor/test/untrusted_app_27.te
new file mode 100644
index 0000000..4a07649
--- /dev/null
+++ b/legacy/vendor/test/untrusted_app_27.te
@@ -0,0 +1,35 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#allow untrusted_app_27 clients to access configuration settings
+userdebug_or_eng(`
+allow untrusted_app_27 sysfs_kgsl:dir search;
+r_dir_file(untrusted_app_27, sysfs_kgsl_snapshot);
+r_dir_file(untrusted_app_27, vendor_gles_data_file);
+allow untrusted_app_27 vendor_gles_data_file:dir rw_dir_perms;
+allow untrusted_app_27 vendor_gles_data_file:file rw_file_perms;
+')
diff --git a/legacy/vendor/test/usta_app.te b/legacy/vendor/test/usta_app.te
new file mode 100644
index 0000000..64bcab5
--- /dev/null
+++ b/legacy/vendor/test/usta_app.te
@@ -0,0 +1,51 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+## usta_app
+##
+## This file defines the permissions that usta_apps can carry
+
+type usta_app, domain;
+
+app_domain(usta_app)
+hal_client_domain(usta_app, hal_perf)
+
+#allow only usta_app with userdebug to access ioctl
+userdebug_or_eng(`
+  allowxperm usta_app self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
+  allow usta_app self:{ socket qipcrtr_socket } create_socket_perms;
+  allow usta_app xdsp_device:chr_file r_file_perms;
+  allow usta_app ssr_device:chr_file r_file_perms;
+')
+
+allow usta_app {
+  app_api_service
+  surfaceflinger_service
+}:service_manager find;
+
+allow usta_app system_app_data_file:dir create_dir_perms;
+allow usta_app system_app_data_file:file create_file_perms;
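Review bot: The last two rules, `allow usta_app system_app_data_file:dir create_dir_perms;` and `allow usta_app system_app_data_file:file create_file_perms;`, sit outside the `userdebug_or_eng` block, as do the `type` declaration and the `service_manager find` rule, so they take effect on any build that compiles this file. Whether legacy/vendor/test is included in user builds is decided by build configuration not shown here; if it is, usta_app gets create and write access to data labelled for system apps. If the app is test-only, these two rules belong inside the guard. Otherwise a dedicated data type for the app would avoid sharing `system_app_data_file`.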
diff --git a/legacy/vendor/test/vendor-qti-testscripts.te b/legacy/vendor/test/vendor-qti-testscripts.te
new file mode 100644
index 0000000..3fbd208
--- /dev/null
+++ b/legacy/vendor/test/vendor-qti-testscripts.te
@@ -0,0 +1,84 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+userdebug_or_eng(`
+  type vendor-qti-testscripts, domain, mlstrustedsubject;
+  type vendor-qti-testscripts_exec, exec_type, file_type, vendor_file_type;
+  permissive vendor-qti-testscripts;
+
+  domain_trans(init, vendor_shell_exec, vendor-qti-testscripts)
+
+  #super_user - start
+  # Add vendor-qti-testscripts to various domains
+  net_domain(vendor-qti-testscripts)
+  #app_domain(vendor-qti-testscripts)
+
+  dontaudit vendor-qti-testscripts self:capability_class_set *;
+  dontaudit vendor-qti-testscripts kernel:security *;
+  dontaudit vendor-qti-testscripts kernel:system *;
+  dontaudit vendor-qti-testscripts self:memprotect *;
+  dontaudit vendor-qti-testscripts domain:process *;
+  dontaudit vendor-qti-testscripts domain:fd *;
+  dontaudit vendor-qti-testscripts domain:dir *;
+  dontaudit vendor-qti-testscripts domain:lnk_file *;
+  dontaudit vendor-qti-testscripts domain:{ fifo_file file } *;
+  dontaudit vendor-qti-testscripts domain:socket_class_set *;
+  dontaudit vendor-qti-testscripts domain:ipc_class_set *;
+  dontaudit vendor-qti-testscripts domain:key *;
+  dontaudit vendor-qti-testscripts fs_type:filesystem *;
+  dontaudit vendor-qti-testscripts {fs_type dev_type file_type}:dir_file_class_set *;
+  dontaudit vendor-qti-testscripts node_type:node *;
+  dontaudit vendor-qti-testscripts node_type:{ tcp_socket udp_socket rawip_socket } *;
+  dontaudit vendor-qti-testscripts netif_type:netif *;
+  dontaudit vendor-qti-testscripts port_type:socket_class_set *;
+  dontaudit vendor-qti-testscripts port_type:{ tcp_socket dccp_socket } *;
+  dontaudit vendor-qti-testscripts domain:peer *;
+  dontaudit vendor-qti-testscripts domain:binder *;
+  dontaudit vendor-qti-testscripts property_type:property_service *;
+  dontaudit vendor-qti-testscripts service_manager_type:service_manager *;
+  dontaudit vendor-qti-testscripts keystore:keystore_key *;
+  #dontaudit vendor-qti-testscripts domain:debuggerd *;
+  dontaudit vendor-qti-testscripts domain:drmservice *;
+  dontaudit vendor-qti-testscripts unlabeled:filesystem *;
+  #super_user - end
+
+  #Added below rule in same file to keep all debug policies
+  #under one common file.
+
+  # All domains can read proc enrty of vendor-qti-testscripts
+  # r_dir_file(domain, vendor-qti-testscripts)
+  # r_dir_file(vendor-qti-testscripts, domain)
+
+ # allow adbd vendor-qti-testscripts:process dyntransition;
+ # allow { domain -mediaextractor -mediacodec } vendor-qti-testscripts:unix_stream_socket connectto;
+  allow domain vendor-qti-testscripts:fd use;
+  allow { domain -mediaextractor -mediacodec -hal_configstore_default } vendor-qti-testscripts:unix_stream_socket { getattr getopt read write shutdown };
+  #binder_call({ domain -init -netd }, vendor-qti-testscripts)
+  allow domain vendor-qti-testscripts:fifo_file { write getattr };
+  allow domain vendor-qti-testscripts:process sigchld;
+  diag_use(radio)
+')
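Review bot: `permissive vendor-qti-testscripts;` combined with the `dontaudit ... *` block between `#super_user - start` and `#super_user - end` leaves the domain both unenforced and unlogged, because dontaudit also suppresses the avc messages a permissive domain would otherwise produce. That removes the main benefit of permissive mode, a record of what the test scripts actually touch, and makes misuse of the domain on userdebug/eng devices hard to spot in logs. I would drop the dontaudit block, or at least document it with a comment such as `# NOTE: denials for this permissive domain are intentionally not logged; remove the dontaudit block when auditing test-script access`. Separately, `diag_use(radio)` near the end of the hunk appears to apply to the radio domain rather than to vendor-qti-testscripts, and would be easier to find in radio.te.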
diff --git a/legacy/vendor/test/vtloopback_app.te b/legacy/vendor/test/vtloopback_app.te
new file mode 100755
index 0000000..7b40c82
--- /dev/null
+++ b/legacy/vendor/test/vtloopback_app.te
@@ -0,0 +1,40 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+userdebug_or_eng(`
+type vtloopback_app, domain;
+app_domain(vtloopback_app)
+net_domain(vtloopback_app)
+diag_use(vtloopback_app)
+allow vtloopback_app avtimer_device:chr_file r_file_perms;
+binder_call(vtloopback_app, hal_imsrtp)
+allow vtloopback_app hal_imsrtp_hwservice:hwservice_manager find;
+allow vtloopback_app cameraserver_service:service_manager find;
+allow vtloopback_app mediaserver_service:service_manager find;
+get_prop(vtloopback_app, qcom_ims_prop)
+allow vtloopback_app { app_api_service activity_service }:service_manager find;
+')
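Review bot: The file has no comment saying what vtloopback_app is or why it needs network access, the diag interface and the camera/media services. A short header above `type vtloopback_app, domain;` would help, e.g. `# vtloopback_app: video-telephony loopback test app, userdebug/eng only`. The purpose in that example is inferred from the name and the hal_imsrtp rules, so the author should confirm it. The file is also added with mode 100755 while the other new .te files visible here use 100644; policy sources do not need the executable bit.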