Merge "netmgrd: Allow to kill processes which are non responsive"
diff --git a/common/bg_daemon.te b/common/bg_daemon.te
index 9a5b31e..b7bd3d1 100644
--- a/common/bg_daemon.te
+++ b/common/bg_daemon.te
@@ -37,3 +37,4 @@
#Needed to pil loading
allow bg_daemon ssr_device:chr_file r_file_perms;
allow bg_daemon self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+set_prop(bg_daemon, bg_daemon_prop)
diff --git a/common/device.te b/common/device.te
index 7ad1690..61a5d83 100644
--- a/common/device.te
+++ b/common/device.te
@@ -94,6 +94,9 @@
# Define sp_keymaster device
type sp_keymaster_device, dev_type;
+# Define sec_nvm devices
+type sec_nvm_device, dev_type;
+
# Define cryptoapp device
type cryptoapp_device, dev_type;
diff --git a/common/file.te b/common/file.te
index 4857466..8b4e24f 100644
--- a/common/file.te
+++ b/common/file.te
@@ -38,6 +38,7 @@
type data_qtee_file, file_type, data_file_type;
type persist_misc_file, file_type;
type persist_bms_file, file_type;
+type persist_secnvm_file, file_type;
type diag_data_file, file_type, data_file_type;
@@ -84,7 +85,6 @@
type mpctl_data_file, file_type, data_file_type;
type sysfs_devfreq, fs_type, sysfs_type;
-type sysfs_lpm, fs_type, sysfs_type;
type sysfs_mmc_host, fs_type, sysfs_type;
type sysfs_scsi_host, fs_type, sysfs_type;
type sysfs_cpu_boost, fs_type, sysfs_type;
@@ -113,6 +113,9 @@
#ssg qmi gateway daemon socket
type ssgqmig_socket, file_type, mlstrustedobject;
+#ssg tz daemon socket
+type ssgtzd_socket, file_type, mlstrustedobject;
+
#location file types
type location_data_file, file_type, data_file_type;
type location_socket, file_type;
diff --git a/common/file_contexts b/common/file_contexts
index 6ddbb52..0a1ee4e 100644
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -20,6 +20,11 @@
/dev/spcom u:object_r:spcom_device:s0
/dev/sp_kernel u:object_r:skp_device:s0
/dev/sp_ssr u:object_r:sp_ssr_device:s0
+/dev/sec_nvm_sp_kernel u:object_r:sec_nvm_device:s0
+/dev/sec_nvm_jcos u:object_r:sec_nvm_device:s0
+/dev/sec_nvm_spiris u:object_r:sec_nvm_device:s0
+/dev/sec_nvm_keymaster u:object_r:sec_nvm_device:s0
+/dev/sec_nvm_iuicc u:object_r:sec_nvm_device:s0
/dev/sp_keymaster u:object_r:sp_keymaster_device:s0
/dev/cryptoapp u:object_r:cryptoapp_device:s0
/dev/qsee_ipc_irq_spss u:object_r:qsee_ipc_irq_spss_device:s0
@@ -126,6 +131,7 @@
/dev/socket/msm_irqbalance u:object_r:msm_irqbalance_socket:s0
/dev/socket/mlid u:object_r:mlid_socket:s0
/dev/socket/ssgqmig u:object_r:ssgqmig_socket:s0
+/dev/socket/ssgtzd u:object_r:ssgtzd_socket:s0
/dev/socket/wififtmd_server u:object_r:wififtmd_socket:s0
/dev/socket/wpa_wigig[0-9] u:object_r:wpa_socket:s0
@@ -232,6 +238,7 @@
/(vendor|system/vendor)/bin/ssgqmigd u:object_r:ssgqmigd_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.iop@1\.0-service u:object_r:hal_iop_default_exec:s0
/(vendor|system/vendor)/bin/mlid u:object_r:mlid_exec:s0
+/(vendor|system/vendor)/bin/ssgtzd u:object_r:ssgtzd_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.esepowermanager@1\.0-service u:object_r:hal_esepowermanager_qti_exec:s0
/(vendor|system/vendor)/bin/loc_launcher u:object_r:location_exec:s0
/(vendor|system/vendor)/bin/lowi-server u:object_r:location_exec:s0
@@ -299,20 +306,22 @@
/sys/devices/msm_otg/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0
/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,qpnp-smb2/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0
/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,qpnp-smb2/power_supply/pc_port(/.*)? u:object_r:sysfs_usb_supply:s0
+/sys/devices(/platform)?/soc/[a-z0-9]+.i2c/i2c-[0-9]+/[0-9]+-[0-9]+/[a-z0-9]+.i2c:qcom,[a-z0-9]+@[0-9]:qcom,smb[0-9]+-charger@[0-9]+/power_supply/parallel(/.*)? u:object_r:sysfs_usb_supply:s0
/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,usb-pdphy@[0-9]+/usbpd/usbpd[0-9](/.*)? u:object_r:sysfs_usbpd_device:s0
/sys/devices/platform/battery_current_limit u:object_r:sysfs_thermal:s0
/sys/devices/qpnp-charger.*/power_supply/battery(/.*)? u:object_r:sysfs_battery_supply:s0
/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,qpnp-smb2/power_supply/battery(/.*)? u:object_r:sysfs_battery_supply:s0
/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qpnp,fg/power_supply/bms(/.*)? u:object_r:sysfs_battery_supply:s0
-/sys/class/qcom-batery(/.*)? u:object_r:sysfs_battery_supply:s0
+/sys/class/qcom-battery(/.*)? u:object_r:sysfs_battery_supply:s0
+/sys/devices(/platform)?/soc/qpnp-linear-charger-[a-z0-9]+/power_supply/battery(/.*)? u:object_r:sysfs_battery_supply:s0
+/sys/devices(/platform)?/soc/qpnp-vm-bms-[a-z0-9]+/power_supply/bms(/.*)? u:object_r:sysfs_battery_supply:s0
/sys/kernel/irq_helper/irq_blacklist_on u:object_r:sysfs_irqbalance:s0
-/sys/devices/virtual/graphics/fb([0-2])+/idle_time u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-2])+/dynamic_fps u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-2])+/product_description u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-2])+/vendor_name u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-2])+/hdcp/tp u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-9])+/msm_fb_panel_status u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-9])+/msm_fb_panel_info u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/idle_time u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/dynamic_fps u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/product_description u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/vendor_name u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/hdcp/tp u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_panel_status u:object_r:sysfs_graphics:s0
/sys/devices/virtual/hsicctl/hsicctl1[0-9]/modem_wait u:object_r:sysfs_hsic_modem_wait:s0
/sys/devices/virtual/hsicctl/hsicctl[0-9]/modem_wait u:object_r:sysfs_hsic_modem_wait:s0
/sys/devices/virtual/net/bond0/bonding/queue_id u:object_r:sysfs_bond0:s0
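Review bot: The old `fb([0-9])+/msm_fb_panel_info` entry is removed in this hunk and not re-added; only `msm_fb_panel_status` returns, with the index class narrowed to `[0-3]`. Unless an `msm_fb_panel_info` entry exists elsewhere in the file outside this hunk, that node falls back to the default sysfs label and domains that were granted `sysfs_graphics` lose access to it. If the drop is unintended, add `/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_panel_info u:object_r:sysfs_graphics:s0` next to the status line.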
@@ -342,13 +351,27 @@
/sys/devices/virtual/graphics/fb([0-3])+/idle_power_collapse u:object_r:sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/mode u:object_r:sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/name u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/connected u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/msm_cmd_autorefresh_en u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/mdp/bw_mode_bitmap u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/edid_modes u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/hdcp2p2(/.*) u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/scan_info u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/edid_3d_modes u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_dfps_mode u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_src_split_info u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/hdr_stream u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/cec(/.*) u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/msmfb_b10(/.*) u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/modes u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/edid_raw_data u:object_r:sysfs_graphics:s0
/sys/devices/virtual/rotator/mdss_rotator/caps u:object_r:sysfs_graphics:s0
/sys/devices/virtual/workqueue/kgsl-events/cpumask u:object_r:sysfs_kgsl:s0
/sys/devices/virtual/workqueue/kgsl-events/nice u:object_r:sysfs_kgsl:s0
/sys/devices/virtual/workqueue/kgsl-workqueue/cpumask u:object_r:sysfs_kgsl:s0
/sys/devices/virtual/workqueue/kgsl-workqueue/nice u:object_r:sysfs_kgsl:s0
-/sys/class/graphics/fb([0-2])+/mdp/caps u:object_r:sysfs_graphics:s0
-/sys/class/graphics/fb([0-2])+/ad u:object_r:sysfs_graphics:s0
+/sys/class/graphics/fb([0-3])+/mdp/caps u:object_r:sysfs_graphics:s0
+/sys/class/graphics/fb([0-3])+/ad u:object_r:sysfs_graphics:s0
/sys/devices(/platform)?/soc/[0-9a-z]+.qcom,spmi/spmi-[0-9]+/spmi[0-9]+-[0-9]+/[0-9a-z]+.qcom,spmi:qcom,pmi[0-9]+@[0-9]+:qcom,leds@[a-z0-9]+(/.*)? u:object_r:sysfs_graphics:s0
/sys/devices/platform/soc/[a-z0-9]+.qcom,spmi/spmi-0/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,haptics@c000/leds/vibrator(/.*)? u:object_r:sysfs_leds:s0
/sys/devices/platform/soc/ae00000.qcom,mdss_mdp/backlight(/.*)? u:object_r:sysfs_graphics:s0
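Review bot: Three of the added patterns end in `(/.*)` without the trailing `?` (`hdcp2p2(/.*)`, `cec(/.*)` and `msmfb_b10(/.*)`), so they match only entries below those directories and not the directories themselves. The directory nodes then keep whatever label they had before, and a domain that holds `sysfs_graphics:dir` access may still be denied when it opens them. The other recursive entries visible in this file use `(/.*)?`; suggest the same here, e.g. `/sys/devices/virtual/graphics/fb([0-3])+/hdcp2p2(/.*)?`.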
@@ -394,12 +417,9 @@
/sys/devices(/platform)?/soc/soc:qcom,l3-cpu[0-9]/devfreq/soc:qcom,l3-cpu[0-9](/.*)? u:object_r:sysfs_devfreq:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.ufshc/clkscale_enable u:object_r:sysfs_scsi_host:s0
/sys/devices(/platform)?/soc/[a-f0-9]+/host0/scsi_host/host0(/.*)? u:object_r:sysfs_scsi_host:s0
-/sys/module/lpm_levels/parameters(/.*)? u:object_r:sysfs_lpm:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/kgsl/kgsl-3d0(/.*)? u:object_r:sysfs_kgsl:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/devfreq/[a-f0-9]+.qcom,kgsl-3d0(/.*)? u:object_r:sysfs_kgsl:s0
-/sys/devices/virtual/graphics/fb([0-9])+/modes u:object_r:sysfs_graphics:s0
-
/sys/devices(/platform)?/soc/[a-f0-9]+.sdhci/mmc_host/mmc0/clk_scaling(/.*)? u:object_r:sysfs_mmc_host:s0
/sys/module/cpu_boost(/.*)? u:object_r:sysfs_cpu_boost:s0
/sys/module/msm_performance(/.*)? u:object_r:sysfs_msm_perf:s0
@@ -412,7 +432,7 @@
/sys/devices(/platform)?/soc/[a-z0-9]+\.qcom,pcie/pci[0-9:]+/[0-9:\.]+/[0-9:\.]+/net/wigig0/gro_flush_timeout u:object_r:sysfs_wigig:s0
/sys/module/msm_core(/.*)? u:object_r:sysfs_ea:s0
/sys/module/lpm_stats(/.*)? u:object_r:sysfs_msm_stats:s0
-/sys/module/lpm_level(/.*)? u:object_r:sysfs_msm_power:s0
+/sys/module/lpm_levels(/.*)? u:object_r:sysfs_msm_power:s0
###################################
# data files
@@ -471,6 +491,7 @@
/data/vendor/vpp(/.*)? u:object_r:vpp_data_file:s0
/data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0
/data/vendor/wifi/wigig_hostapd(/.*)? u:object_r:wigig_hostapd_socket:s0
+/data/vendor/media(/.*)? u:object_r:media_data_file:s0
###################################
# persist files
@@ -493,6 +514,7 @@
/persist/misc(/.*)? u:object_r:persist_misc_file:s0
/persist/bms(/.*)? u:object_r:persist_bms_file:s0
/persist/vpp(/.*)? u:object_r:persist_vpp_file:s0
+/persist/secnvm(/.*)? u:object_r:persist_secnvm_file:s0
###################################
# etc files
diff --git a/common/genfs_contexts b/common/genfs_contexts
index 23da502..c938e6b 100755
--- a/common/genfs_contexts
+++ b/common/genfs_contexts
@@ -4,3 +4,4 @@
genfscon sysfs /devices/soc/soc:qcom,cpubw/devfreq/soc:qcom,cpubw/bw_hwmon u:object_r:sysfs_devfreq:s0
genfscon debugfs /kgsl/proc u:object_r:qti_debugfs:s0
genfscon sysfs /kernel/wcd_cpe0 u:object_r:sysfs_audio:s0
+genfscon sysfs /devices/virtual/thermal u:object_r:sysfs_thermal:s0
diff --git a/common/hal_audio.te b/common/hal_audio.te
index c5172e5..77cc632 100644
--- a/common/hal_audio.te
+++ b/common/hal_audio.te
@@ -32,6 +32,9 @@
allow hal_audio_default audio_data_file:dir rw_dir_perms;
allow hal_audio_default audio_data_file:file create_file_perms;
+# Allow hal_audio_default to read sysfs_thermal dir/files for speaker protection
+r_dir_file(hal_audio_default, sysfs_thermal)
+
userdebug_or_eng(`
diag_use(hal_audio)
#Allow access to debug fs
diff --git a/common/hal_perf_default.te b/common/hal_perf_default.te
index eec7101..1ff4dff 100644
--- a/common/hal_perf_default.te
+++ b/common/hal_perf_default.te
@@ -58,7 +58,7 @@
sysfs_memory
sysfs_graphics
sysfs
- sysfs_lpm
+ sysfs_msm_power
sysfs_battery_supply
}:dir r_dir_perms;
@@ -74,7 +74,7 @@
sysfs_scsi_host
sysfs_devfreq
sysfs_mmc_host
- sysfs_lpm
+ sysfs_msm_power
sysfs_battery_supply
}:file rw_file_perms;
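Review bot: Swapping `sysfs_lpm` for `sysfs_msm_power` in the `rw_file_perms` set widens what hal_perf_default can write. The removed label covered only `/sys/module/lpm_levels/parameters(/.*)?`, whereas this commit's file_contexts change puts all of `/sys/module/lpm_levels(/.*)?` under `sysfs_msm_power`, and any other node already carrying that label is included too. If the HAL only needs the lpm_levels parameters, a dedicated type for that subtree would preserve the old scope; otherwise a comment next to the entry should state that the wider access is intended. The same substitution is made in the `:dir r_dir_perms` set in the preceding hunk, and both rule bodies start outside their hunks.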
diff --git a/common/hal_wifi_supplicant.te b/common/hal_wifi_supplicant.te
new file mode 100644
index 0000000..a852ede
--- /dev/null
+++ b/common/hal_wifi_supplicant.te
@@ -0,0 +1,33 @@
+#Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+#Redistribution and use in source and binary forms, with or without
+#modification, are permitted provided that the following conditions are
+#met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#
+
+# Allow access to create socket and ioctl.
+allow hal_wifi_supplicant_default self:socket create_socket_perms;
+# ioctlcmd=c304, c302
+allowxperm hal_wifi_supplicant self:socket ioctl msm_sock_ipc_ioctls;
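Review bot: The two added rules name different sources: the `allow` is written for `hal_wifi_supplicant_default`, while the `allowxperm` is written for `hal_wifi_supplicant`, which by its name looks like the HAL attribute rather than the domain type. If so, the ioctl whitelist is attached to every domain carrying that attribute, not only the one being granted the socket. Using the same source in both keeps the grant scoped, e.g. `allowxperm hal_wifi_supplicant_default self:socket ioctl msm_sock_ipc_ioctls;`. The comment `# ioctlcmd=c304, c302` would also be more useful if it named the operations those two commands perform.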
diff --git a/common/hwservice_contexts b/common/hwservice_contexts
index 1a5601b..766dfb2 100644
--- a/common/hwservice_contexts
+++ b/common/hwservice_contexts
@@ -52,6 +52,7 @@
vendor.qti.hardware.perf::IPerf u:object_r:hal_perf_hwservice:s0
com.qualcomm.qti.wifidisplayhal::IHDCPSession u:object_r:wifidisplayhalservice_hwservice:s0
vendor.qti.hardware.iop::IIop u:object_r:hal_iop_hwservice:s0
+com.qualcomm.qti.wifidisplayhal::IDSManager u:object_r:wifidisplayhalservice_hwservice:s0
vendor.qti.hardware.alarm::IAlarm u:object_r:hal_alarm_qti_hwservice:s0
android.hardware.tetheroffload.config::IOffloadConfig u:object_r:hal_ipacm_hwservice:s0
android.hardware.tetheroffload.control::IOffloadControl u:object_r:hal_ipacm_hwservice:s0
diff --git a/common/init_shell.te b/common/init_shell.te
index 8f9d4d7..0e5c980 100644
--- a/common/init_shell.te
+++ b/common/init_shell.te
@@ -224,3 +224,17 @@
set_prop(qti_init_shell, system_radio_prop)
allow qti_init_shell fm_qsoc_patches_exec:file rx_file_perms;
+
+# rules for vm_bms
+allow qti_init_shell {
+ sysfs_battery_supply
+ sysfs_usb_supply
+}:dir r_dir_perms;
+
+allow qti_init_shell {
+ sysfs_battery_supply
+ sysfs_usb_supply
+}:file rw_file_perms;
+
+allow qti_init_shell sysfs_battery_supply:file setattr;
+allow qti_init_shell sysfs_usb_supply:file setattr;
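Review bot: The comment `# rules for vm_bms` does not say why the init shell domain itself needs write and `setattr` on every `sysfs_battery_supply` and `sysfs_usb_supply` file, and this commit also adds new paths under both labels in file_contexts. If the script only adjusts ownership or mode of a few nodes, say so in the comment and check whether `rw_file_perms` is needed in addition to `setattr`. The two trailing `setattr` rules can be written as one, `allow qti_init_shell { sysfs_battery_supply sysfs_usb_supply }:file setattr;`, matching the set form used just above them.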
diff --git a/common/mediacodec.te b/common/mediacodec.te
index b2b6562..29f19ce 100644
--- a/common/mediacodec.te
+++ b/common/mediacodec.te
@@ -62,8 +62,13 @@
allow mediacodec system_file:dir r_dir_perms;
allow mediacodec qdsp_device:chr_file r_file_perms;
-#Allow mediacodec to access service manager wfdservice
-#allow mediacodec wfdservice_service:service_manager find;
+#Allow mediacodec to access service manager wfdnativemm_service
+allow mediacodec wfdnativemm_service:service_manager find;
+hal_client_domain(mediacodec, wifidisplayhalservice)
+
+allow mediacodec media_data_file:dir create_dir_perms;
+allow mediacodec media_data_file:file create_file_perms;
+
# DOLBY_START
#allow mediacodec audioserver_service:service_manager find;
set_prop(mediacodec, dolby_prop)
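Review bot: The two `media_data_file` rules give mediacodec `create_dir_perms` and `create_file_perms` with no comment saying what it writes there, and mediacodec is a domain that parses untrusted media. The type is not defined in this diff; if it is an existing platform type rather than a new vendor one, mediacodec gains the same create and unlink rights wherever else that type is applied, not only under the `/data/vendor/media` path labelled in the file_contexts change. A dedicated vendor type for that directory would confine the grant; at minimum add a comment such as `# <feature> writes <files> under /data/vendor/media`. The `hal_client_domain(mediacodec, wifidisplayhalservice)` line also sits under a comment that describes only the service_manager find.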
diff --git a/common/netd.te b/common/netd.te
index 1b39d6c..ed60ec0 100644
--- a/common/netd.te
+++ b/common/netd.te
@@ -10,6 +10,7 @@
allow netd wfdservice:fd use;
#allow netd wfdservice:tcp_socket rw_socket_perms;
+hal_client_domain(netd, wifidisplayhalservice);
# allow to read /data/misc/ipa/tether_stats file
allow netd ipacm_data_file:dir r_dir_perms;
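Review bot: `hal_client_domain(netd, wifidisplayhalservice);` makes netd a client of the Wi-Fi display HAL with no comment explaining what netd calls on it; the nearby lines only concern `wfdservice` file descriptors and sockets. netd is a privileged network daemon, so a new binder edge from it deserves a line of justification, e.g. `# netd calls <interface> on the wifidisplay HAL for <purpose>`. The trailing `;` after the macro call is also unnecessary and differs from the other macro invocations added in this commit.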
diff --git a/common/property.te b/common/property.te
index 4fda576..c89ff1d 100644
--- a/common/property.te
+++ b/common/property.te
@@ -49,6 +49,7 @@
type sdm_idle_time_prop, property_type;
type sf_lcd_density_prop, property_type;
type scr_enabled_prop, property_type;
+type bg_daemon_prop, property_type;
type opengles_prop, property_type;
type mdm_helper_prop, property_type;
type mpdecision_prop, property_type;
diff --git a/common/property_contexts b/common/property_contexts
index 663d45f..5299071 100644
--- a/common/property_contexts
+++ b/common/property_contexts
@@ -54,6 +54,7 @@
sdm.idle_time u:object_r:sdm_idle_time_prop:s0
ro.sf.lcd_density u:object_r:sf_lcd_density_prop:s0
ro.vendor.scr_enabled u:object_r:scr_enabled_prop:s0
+vendor.bg_reset u:object_r:bg_daemon_prop:s0
ro.opengles.version u:object_r:opengles_prop:s0
ro.qualcomm.bt.hci_transport u:object_r:bluetooth_prop:s0
ctl.mdm_helper u:object_r:mdm_helper_prop:s0
@@ -69,7 +70,7 @@
qemu.hw.mainkeys u:object_r:qemu_hw_mainkeys_prop:s0
ro.dbg.coresight.cfg_file u:object_r:coresight_prop:s0
ctl.hbtp u:object_r:ctl_hbtp_prop:s0
-sys.audio.init u:object_r:audio_prop:s0
+vendor.audio.sys.init u:object_r:audio_prop:s0
ro.alarm_boot u:object_r:alarm_boot_prop:s0
debug.sf.nobootanimation u:object_r:boot_animation_prop:s0
debug.gralloc. u:object_r:debug_gralloc_prop:s0
diff --git a/common/qdma_app.te b/common/qdma_app.te
index a3f884e..90beb71 100644
--- a/common/qdma_app.te
+++ b/common/qdma_app.te
@@ -50,3 +50,6 @@
# allow access to qdma dropbox
allow qdma_app qdma_data_file:dir create_dir_perms;
allow qdma_app qdma_data_file:file create_file_perms;
+
+# allow access to socket
+unix_socket_connect(qdma_app, dpmtcm, dpmd)
diff --git a/common/sec_nvm.te b/common/sec_nvm.te
new file mode 100644
index 0000000..6fa18f1
--- /dev/null
+++ b/common/sec_nvm.te
@@ -0,0 +1,51 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# sec_nvm service
+type sec_nvm, domain;
+
+type sec_nvm_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(sec_nvm)
+
+# Allow access to spcom device
+allow sec_nvm spcom_device:chr_file rw_file_perms;
+
+# Allow access to skp device
+allow sec_nvm skp_device:chr_file rw_file_perms;
+
+# Allow access to sp_ssr device
+allow sec_nvm sp_ssr_device:chr_file rw_file_perms;
+
+# Allow access to spcom channel sec_nvm device
+allow sec_nvm sec_nvm_device:chr_file rw_file_perms;
+
+# Allow to write to SPSS log file
+allow sec_nvm spss_data_file:file rw_file_perms;
+
+# Allow to rw secnvm files
+allow sec_nvm persist_secnvm_file:file create_file_perms;
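Review bot: The last rule gives `create_file_perms` on `persist_secnvm_file:file`, but nothing in this file grants the domain any `dir` permission on `persist_secnvm_file`, so creating a file under `/persist/secnvm` would need `search`/`write`/`add_name` on the directory that these rules do not provide. The same holds for `spss_data_file`, where only `:file rw_file_perms` is granted. Unless those directory rules come from somewhere outside this file, add them explicitly, e.g. `allow sec_nvm persist_secnvm_file:dir rw_dir_perms;`. The comment `# Allow to rw secnvm files` also understates the grant, which includes create and unlink.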
diff --git a/common/service_contexts b/common/service_contexts
index 28ab96a..0790caa 100644
--- a/common/service_contexts
+++ b/common/service_contexts
@@ -39,7 +39,6 @@
wfdservice u:object_r:wfdservice_service:s0
DigitalPen u:object_r:usf_service:s0
dts_eagle_service u:object_r:dtseagleservice_service:s0
-wfd.native.mm.service u:object_r:wfdservice_service:s0
extphone u:object_r:radio_service:s0
qti.ims.ext u:object_r:radio_service:s0
com.qualcomm.location.izat.IzatService u:object_r:izat_service:s0
diff --git a/common/ssgtzd.te b/common/ssgtzd.te
new file mode 100644
index 0000000..ad76802
--- /dev/null
+++ b/common/ssgtzd.te
@@ -0,0 +1,37 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# ssgtzd - SSG TZ Daemon
+type ssgtzd, domain, mlstrustedsubject;
+type ssgtzd_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(ssgtzd)
+
+#Allow access to smcinvoke device
+allow ssgtzd smcinvoke_device:chr_file rw_file_perms;
+
+allow ssgtzd ssg_app:unix_stream_socket connectto;
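Review bot: The final rule `allow ssgtzd ssg_app:unix_stream_socket connectto;` has no comment and points in the opposite direction from the client rule this commit adds in `ssg/ssg_app.te` (`unix_socket_connect(ssg_app, ssgtzd, ssgtzd)`), where the app connects to the daemon. As written it lets the daemon initiate a connection to a stream socket owned by any `ssg_app` process; if that callback path is intended, say so, e.g. `# ssgtzd connects back to the ssg_app listener for <purpose>`, and otherwise drop the rule. The `mlstrustedsubject` attribute on the domain exempts it from MLS constraints and should carry a one-line justification as well.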
diff --git a/common/vm_bms.te b/common/vm_bms.te
index 4ade7c4..788cc4d 100644
--- a/common/vm_bms.te
+++ b/common/vm_bms.te
@@ -12,6 +12,16 @@
battery_data_device
}:chr_file rw_file_perms;
+allow vm_bms {
+ sysfs_battery_supply
+ sysfs_usb_supply
+}:dir r_dir_perms;
+
+allow vm_bms {
+ sysfs_battery_supply
+ sysfs_usb_supply
+}:file rw_file_perms;
+
#allow vm_bms to drop down to system service
allow vm_bms self:capability { setpcap setgid setuid };
diff --git a/common/vndservice.te b/common/vndservice.te
index 6da24d5..c5360fc 100644
--- a/common/vndservice.te
+++ b/common/vndservice.te
@@ -29,3 +29,4 @@
type qdisplay_service, vndservice_manager_type;
type qseeproxy_service, vndservice_manager_type;
type esepmdaemon_service, vndservice_manager_type;
+type wfdnativemm_service, vndservice_manager_type;
diff --git a/common/vndservice_contexts b/common/vndservice_contexts
index 35bcf1c..d345755 100644
--- a/common/vndservice_contexts
+++ b/common/vndservice_contexts
@@ -29,3 +29,4 @@
display.qservice u:object_r:qdisplay_service:s0
com.qualcomm.qti.qseeproxy u:object_r:qseeproxy_service:s0
eSEPowerManagerService u:object_r:esepmdaemon_service:s0
+wfd.native.mm.service u:object_r:wfdnativemm_service:s0
diff --git a/common/wcnss_service.te b/common/wcnss_service.te
index 18fbcd3..9723f46 100644
--- a/common/wcnss_service.te
+++ b/common/wcnss_service.te
@@ -60,3 +60,9 @@
#binder_use(wcnss_service)
use_per_mgr(wcnss_service)
+
+hwbinder_use(wcnss_service)
+get_prop(wcnss_service, hwservicemanager_prop)
+
+#access to perflock
+hal_client_domain(wcnss_service, hal_perf)
diff --git a/common/wfdservice.te b/common/wfdservice.te
index 05744e5..e52c23e 100644
--- a/common/wfdservice.te
+++ b/common/wfdservice.te
@@ -1,5 +1,6 @@
#allow access to sysfs to know HDMI repeater state
allow wfdservice sysfs_graphics:file rw_file_perms;
+allow wfdservice sysfs_graphics:dir r_dir_perms;
#Allow access to firmware files for HDCP session
r_dir_file(wfdservice, firmware_file)
@@ -20,5 +21,3 @@
#Denial seen - SELinux : avc: denied { find } for interface=com.qualcomm.qti.wifidisplayhal::IHDCPSession
#pid=3530 scontext=u:r:wfdservice:s0 tcontext=u:object_r:wifidisplayhalservice_hwservice:s0 tclass=hwservice_manager
allow wfdservice wifidisplayhalservice_hwservice:hwservice_manager find;
-allow wfdservice sysfs_graphics:file r_file_perms;
-allow wfdservice sysfs_graphics:dir r_dir_perms;
diff --git a/common/wifidisplayhalservice.te b/common/wifidisplayhalservice.te
index 50dbfff..71abb2c 100644
--- a/common/wifidisplayhalservice.te
+++ b/common/wifidisplayhalservice.te
@@ -28,22 +28,29 @@
#Define Domain
type wifidisplayhalservice_qti, domain;
type wifidisplayhalservice_qti_exec, exec_type, vendor_file_type, file_type;
-hal_server_domain(wifidisplayhalservice_qti,wifidisplayhalservice)
+net_domain(wifidisplayhalservice_qti)
+
+hal_server_domain_bypass(wifidisplayhalservice_qti,wifidisplayhalservice)
#Allow for transition from init domain to wifidisplayhalservice
init_daemon_domain(wifidisplayhalservice_qti)
#Allow wifidisplayhalservice to use Vendor Binder IPC
-allow wifidisplayhalservice_client wfdservice_service:service_manager find;
vndbinder_use(wifidisplayhalservice)
-binder_call(wfdservice,wifidisplayhalservice);
-
-#Allow hardware binder use
-hwbinder_use(wifidisplayhalservice_client)
-get_prop(wifidisplayhalservice, hwservicemanager_prop)
# Allow hwbinder call from hal client to server
binder_call(wifidisplayhalservice_client, wifidisplayhalservice_server)
+binder_call(wifidisplayhalservice_server, wifidisplayhalservice_client)
# Add hwservice related rules
add_hwservice(wifidisplayhalservice_server, wifidisplayhalservice_hwservice)
+
+#Direct streaming native service
+add_service(wifidisplayhalservice, wfdnativemm_service)
+
+#Allow access to firmware files for HDCP session
+r_dir_file(wifidisplayhalservice, firmware_file)
+
+#Allow access to tee/ion device and tcp socket for HDCP sessions
+allow wifidisplayhalservice tee_device:chr_file rw_file_perms;
+allow wifidisplayhalservice ion_device:chr_file r_file_perms;
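Review bot: The comment `#Allow access to tee/ion device and tcp socket for HDCP sessions` does not match the two rules under it, which grant only `tee_device` and `ion_device`; socket access in this hunk comes from the uncommented `net_domain(wifidisplayhalservice_qti)` near the top. That line and the switch from `hal_server_domain` to `hal_server_domain_bypass` both change what this HAL server can reach, and neither says why; the bypass macro is defined outside this diff, so what it skips cannot be checked from here. Suggest a comment on each, e.g. `# <why this HAL needs network sockets>` above `net_domain`, and removing "tcp socket" from the tee/ion comment. The new rules also use `wifidisplayhalservice` as the source while the domain is `wifidisplayhalservice_qti`, so the tee/ion grant presumably lands on everything that name covers rather than on the `_qti` domain alone.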
diff --git a/msm8909/mm-qcamerad.te b/msm8909/mm-qcamerad.te
new file mode 100644
index 0000000..bfda441
--- /dev/null
+++ b/msm8909/mm-qcamerad.te
@@ -0,0 +1,31 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Allow camera Eztune library to create/bind/listen socket
+userdebug_or_eng(`
+ allow mm-qcamerad self:tcp_socket { bind create setopt };
+')
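Review bot: The comment above the rule says create/bind/listen, but the permission set is `{ bind create setopt }` and contains neither `listen` nor `accept`. Either the comment overstates what is granted or the Eztune socket will still hit denials once it starts listening; whichever is intended, make the two agree, e.g. `#Allow camera Eztune library to create/bind a TCP socket and set options (debug builds only)`. Keeping the rule inside `userdebug_or_eng` is the right scope for a tuning socket.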
diff --git a/msm8998/system_app.te b/msm8998/system_app.te
index 96209b7..db9a256 100644
--- a/msm8998/system_app.te
+++ b/msm8998/system_app.te
@@ -30,5 +30,5 @@
#for regionalization
allow system_app regionalization_file:file r_file_perms;
allow system_app regionalization_file:dir r_dir_perms;
-allow system_app vendor_radio_data_file:dir r_dir_perms;
+allow system_app vendor_radio_data_file:dir rw_dir_perms;
allow system_app vendor_radio_data_file:file create_file_perms;
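Review bot: Raising `vendor_radio_data_file:dir` from `r_dir_perms` to `rw_dir_perms` lets system_app add and remove entries in that directory, and together with the existing `create_file_perms` line it can now create and delete radio data files rather than only modify ones that already exist. The only comment in the block is `#for regionalization`, which does not explain the radio data grant. Add a comment naming the component that needs it, e.g. `# <app> creates <file> under the vendor radio data dir`. The identical change is made in `sdm660/system_app.te`.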
diff --git a/private/device.te b/private/device.te
index 6e1b46c..3c4efad 100644
--- a/private/device.te
+++ b/private/device.te
@@ -29,8 +29,5 @@
#Define seemplog device
type seemplog_device, dev_type;
-#define smcinvoke device
-type smcinvoke_device, dev_type;
-
#Define smd7 device
type smd7_device, dev_type;
diff --git a/private/seempd.te b/private/seempd.te
index bbf65da..d1a21b2 100644
--- a/private/seempd.te
+++ b/private/seempd.te
@@ -48,6 +48,8 @@
binder_call(seempd, appdomain)
binder_call(seempd, smcinvoke_daemon)
+allow seempd MinkBinderSvc:service_manager { find };
+
#for seemp
allow seempd seemp_service:service_manager { find add };
allow seempd self:binder call;
diff --git a/public/device.te b/public/device.te
new file mode 100644
index 0000000..74370f8
--- /dev/null
+++ b/public/device.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#define smcinvoke device
+type smcinvoke_device, dev_type;
diff --git a/sdm660/system_app.te b/sdm660/system_app.te
index 96209b7..db9a256 100644
--- a/sdm660/system_app.te
+++ b/sdm660/system_app.te
@@ -30,5 +30,5 @@
#for regionalization
allow system_app regionalization_file:file r_file_perms;
allow system_app regionalization_file:dir r_dir_perms;
-allow system_app vendor_radio_data_file:dir r_dir_perms;
+allow system_app vendor_radio_data_file:dir rw_dir_perms;
allow system_app vendor_radio_data_file:file create_file_perms;
diff --git a/ssg/seapp_contexts b/ssg/seapp_contexts
index 7267cc8..9c3481a 100644
--- a/ssg/seapp_contexts
+++ b/ssg/seapp_contexts
@@ -1,3 +1,4 @@
# SSG apps for Connection Security
user=_app seinfo=ssgapp domain=ssg_app name=com.qualcomm.qti.qms.service.connectionsecurity type=app_data_file levelFrom=all
user=_app seinfo=ssgapp domain=ssg_app name=com.qualcomm.qti.qms.service.telemetry type=app_data_file levelFrom=all
+user=_app seinfo=ssgapp domain=ssg_app name=com.qualcomm.qti.qms.service.credentials type=app_data_file levelFrom=all
diff --git a/ssg/ssg_app.te b/ssg/ssg_app.te
index 3136aca..20cbc56 100644
--- a/ssg/ssg_app.te
+++ b/ssg/ssg_app.te
@@ -37,6 +37,7 @@
# Allow access to sockets
unix_socket_connect(ssg_app, mlid, mlid)
unix_socket_connect(ssg_app, ssgqmig, ssgqmigd)
+unix_socket_connect(ssg_app, ssgtzd, ssgtzd)
allow ssg_app radio_service:service_manager find;
allow ssg_app surfaceflinger_service:service_manager find;