FP2-15: create Product ID for FP2 project

Change-Id: Ie902ba40af1902d57cc12bb32f91bfecaaf03410
diff --git a/Android.mk b/Android.mk
new file mode 100755
index 0000000..4601d70
--- /dev/null
+++ b/Android.mk
@@ -0,0 +1,109 @@
+# Board specific SELinux policy variable definitions
+ifeq ($(call is-vendor-board-platform,QCOM),true)
+BOARD_SEPOLICY_DIRS := \
+       device/qcom/sepolicy \
+       device/qcom/sepolicy/common \
+       device/qcom/sepolicy/test \
+       device/qcom/sepolicy/$(TARGET_BOARD_PLATFORM)
+
+BOARD_SEPOLICY_UNION := \
+       genfs_contexts \
+       file_contexts \
+       service_contexts \
+       property_contexts \
+       te_macros \
+       device.te \
+       vold.te \
+       ueventd.te \
+       file.te \
+       property.te \
+       untrusted_app.te \
+       drmserver.te \
+       adbd.te \
+       app.te \
+       cnd.te \
+       system_server.te \
+       mediaserver.te \
+       msm_irqbalanced.te \
+       qmuxd.te \
+       netmgrd.te \
+       port-bridge.te \
+       atfwd.te \
+       radio.te \
+       smd_test.te \
+       qmi_ping.te \
+       qmi_test_service.te \
+       irsc_util.te \
+       netd.te \
+       rild.te \
+       diag.te \
+       diag_test.te \
+       audiod.te \
+       service.te \
+       system_app.te \
+       thermal-engine.te \
+       vm_bms.te \
+       system_app.te \
+       bluetooth.te \
+       init_shell.te \
+       mpdecision.te \
+       perfd.te \
+       mm-qcamerad.te \
+       domain.te \
+       init.te \
+       time_daemon.te \
+       rmt_storage.te \
+       rfs_access.te \
+       hvdcp.te \
+       qti.te \
+       qseecomd.te \
+       mcStarter.te \
+       keystore.te \
+       ims.te \
+       imscm.te \
+       healthd.te \
+       charger_monitor.te \
+       surfaceflinger.te \
+       mm-pp-daemon.te \
+       wpa.te \
+       bootanim.te \
+       zygote.te \
+       mdm_helper.te \
+       peripheral_manager.te \
+       qcomsysd.te \
+       usb_uicc_daemon.te \
+       adsprpcd.te \
+       qlogd.te \
+       ipacm.te \
+       dpmd.te \
+       ssr_setup.te \
+       subsystem_ramdump.te \
+       ssr_diag.te \
+       sectest.te \
+       location.te \
+       location_app.te \
+       seapp_contexts \
+       logd.te \
+       installd.te \
+       wcnss_service.te \
+       mmi.te \
+       dhcp.te \
+       wfd_app.te \
+       mediaserver_test.te \
+       hbtp.te \
+       kernel.te \
+       vold.te
+
+# Compile sensor pilicy only for SSC targets
+SSC_TARGET_LIST := apq8084
+SSC_TARGET_LIST += msm8226
+SSC_TARGET_LIST += msm8960
+SSC_TARGET_LIST += msm8974
+SSC_TARGET_LIST += msm8994
+
+#ifeq ($(call is-board-platform-in-list,$(SSC_TARGET_LIST)),true)
+BOARD_SEPOLICY_UNION += sensors.te
+BOARD_SEPOLICY_UNION += sensors_test.te
+#endif
+
+endif
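Review bot: The `ifeq ($(call is-board-platform-in-list,$(SSC_TARGET_LIST)),true)` guard and its `endif` near the end of the hunk are commented out, so `sensors.te` and `sensors_test.te` are unioned for every QCOM platform and `SSC_TARGET_LIST` is dead, contradicting the comment `# Compile sensor pilicy only for SSC targets`; either restore the guard (`ifeq ($(call is-board-platform-in-list,$(SSC_TARGET_LIST)),true)` … `endif`) or drop the list and reword the comment (fixing `pilicy`). `system_app.te` and `vold.te` each appear twice in `BOARD_SEPOLICY_UNION`; the duplicates are harmless to the union but should go. `device/qcom/sepolicy/test` is added to `BOARD_SEPOLICY_DIRS` unconditionally, so any test-only rules there land in every build variant — confirm that is intended. The file is also created with mode 100755, which an Android.mk does not need.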
diff --git a/apq8084/Android.mk b/apq8084/Android.mk
new file mode 100644
index 0000000..4447397
--- /dev/null
+++ b/apq8084/Android.mk
@@ -0,0 +1 @@
+BOARD_SEPOLICY_UNION += \
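Review bot: The file's only line, `BOARD_SEPOLICY_UNION += \`, ends in a line continuation with nothing after it, so it appends an empty value and reads like a truncated list. Either list the apq8084-specific policy files after the backslash or delete the file; a dangling `\` at end of file is also easy to mistake for a syntax error by the next editor. The top-level Android.mk already includes `device/qcom/sepolicy/$(TARGET_BOARD_PLATFORM)` in `BOARD_SEPOLICY_DIRS` and lists `qseecomd.te` in the union, so apq8084/qseecomd.te is presumably picked up without any entry here — confirm.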
diff --git a/apq8084/qseecomd.te b/apq8084/qseecomd.te
new file mode 100644
index 0000000..049367c
--- /dev/null
+++ b/apq8084/qseecomd.te
@@ -0,0 +1,6 @@
+userdebug_or_eng(`
+  # Playready should be able to create/delete dir under /data/data
+  # Securemm should be able to create/delete dir under /data/misc
+  allow tee system_data_file:dir create_dir_perms;
+  allow tee system_data_file:file create_file_perms;
+')
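Review bot: The two `allow tee system_data_file:...` rules grant create/delete on every directory and file labelled `system_data_file`, which is far wider than the `/data/data` and `/data/misc` subpaths the comments name. Elsewhere in this change the pattern is a dedicated type plus a transition (`file_type_auto_trans(diag, system_data_file, diag_data_file)` in diag.te); a new type for tee with `file_type_auto_trans(tee, system_data_file, <new_tee_data_type>)` would confine what tee can create. The block is inside `userdebug_or_eng`, so user builds are unaffected, but the comment should name the debug tool that needs it.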
diff --git a/common/adbd.te b/common/adbd.te
new file mode 100644
index 0000000..8d00910
--- /dev/null
+++ b/common/adbd.te
@@ -0,0 +1,2 @@
+#Make adbd daemon permissive for userdebug or eng builds
+allow adbd tombstone_data_file:dir getattr;
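Review bot: The comment `#Make adbd daemon permissive for userdebug or eng builds` does not describe the rule under it: `allow adbd tombstone_data_file:dir getattr;` is a single unconditional allow, not a `permissive` statement, and it is not wrapped in `userdebug_or_eng`. Replace it with something like `# allow adbd to stat the tombstone directory; applies to all build variants` so nobody reads this file as a debug-only relaxation.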
diff --git a/common/adsprpcd.te b/common/adsprpcd.te
new file mode 100644
index 0000000..795115d
--- /dev/null
+++ b/common/adsprpcd.te
@@ -0,0 +1,9 @@
+# adsprpcd daemon
+type adsprpcd, domain;
+type adsprpcd_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(adsprpcd)
+
+#============= adsprpcd ==============
+allow adsprpcd qdsp_device:chr_file { read ioctl open };
diff --git a/common/app.te b/common/app.te
new file mode 100644
index 0000000..ac49f97
--- /dev/null
+++ b/common/app.te
@@ -0,0 +1,9 @@
+# allow application to access cnd domain and socket
+unix_socket_connect(appdomain, cnd, cnd)
+
+# allow application to access dpmd domain and socket
+unix_socket_connect(appdomain, dpmwrapper, dpmd)
+
+unix_socket_connect(appdomain, qlogd, qlogd)
+#Allow all apps to open and send ioctl to qdsp device
+allow appdomain qdsp_device:chr_file r_file_perms;
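Review bot: All three `unix_socket_connect(appdomain, …)` rules and the `qdsp_device` rule are granted to `appdomain`, which covers `untrusted_app` as well as platform apps, so every installed app may talk to cnd, dpmd and qlogd and open the DSP device. If only platform or system apps need these (the comments only say "application"), scope the rules to that app domain; if the breadth is deliberate, say so in the comment. The qlogd line is also the only one without a comment — `# allow application to access qlogd domain and socket` would match the others.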
diff --git a/common/atfwd.te b/common/atfwd.te
new file mode 100644
index 0000000..f3d84a8
--- /dev/null
+++ b/common/atfwd.te
@@ -0,0 +1,17 @@
+type atfwd, domain;
+type atfwd_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(atfwd)
+
+# Creates/Talks to qmuxd via the qmux_radio socket.
+qmux_socket(atfwd);
+
+#Allow IPC binding with ServiceManager & System apps
+binder_use(atfwd);
+binder_call(atfwd, system_app);
+binder_call(atfwd, servicemanager);
+r_dir_file(atfwd, sysfs_ssr);
+
+allow atfwd self:udp_socket create;
+unix_socket_connect(atfwd, property, init);
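Review bot: Macro calls are written inconsistently: `init_daemon_domain(atfwd)` has no trailing `;` while `qmux_socket(atfwd);`, `binder_use(atfwd);` and `unix_socket_connect(atfwd, property, init);` do; the macros already expand to terminated statements, so the extra `;` adds nothing and the file should pick one form (the same mix appears in bluetooth.te, domain.te and dpmd.te). `allow atfwd self:udp_socket create;` and `r_dir_file(atfwd, sysfs_ssr);` carry no comment explaining the need; a one-line why-comment on each would match the rest of the file.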
diff --git a/common/audiod.te b/common/audiod.te
new file mode 100644
index 0000000..72d6546
--- /dev/null
+++ b/common/audiod.te
@@ -0,0 +1,8 @@
+# audio deamon
+type audiod, domain;
+type audiod_exec, exec_type, file_type;
+init_daemon_domain(audiod)
+allow audiod proc_audiod:file r_file_perms;
+allow audiod audio_device:chr_file rw_file_perms;
+binder_use(audiod)
+binder_call(audiod, mediaserver)
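Review bot: `# audio deamon` is a typo for `daemon`, and it is the only comment in the file; the `proc_audiod` read and `binder_call(audiod, mediaserver)` have no stated reason. Suggest a header such as `# audiod: reads its proc entry (proc_audiod) and the audio device node; talks to mediaserver over binder`.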
diff --git a/common/bluetooth.te b/common/bluetooth.te
new file mode 100644
index 0000000..17817b8
--- /dev/null
+++ b/common/bluetooth.te
@@ -0,0 +1,41 @@
+#Adding all bt related service to bt domains
+type sapd, bluetoothdomain;
+type sapd_exec, exec_type, file_type;
+domain_auto_trans(init, sapd_exec, bluetooth)
+
+type dun-server,  bluetoothdomain;
+type dun-server_exec, exec_type, file_type;
+domain_auto_trans(init, dun-server_exec, bluetooth)
+
+type btsnoop,  bluetoothdomain;
+type btsnoop_exec, exec_type, file_type;
+domain_auto_trans(init, btsnoop_exec, bluetooth)
+
+#BT needes  read and write on smd device node
+allow bluetooth smd_device:chr_file rw_file_perms;
+
+allow bluetooth bluetooth_prop:property_service set;
+allow bluetooth serial_device:chr_file rw_file_perms;
+allow bluetooth sysfs:file rw_file_perms;
+
+#BT Snoop logging
+allow bluetooth self:tcp_socket { create setopt bind accept listen };
+allow bluetooth port:tcp_socket name_bind;
+allow bluetooth node:tcp_socket node_bind;
+
+allow bluetooth uhid_device:chr_file rw_file_perms;
+allow bluetooth input_device:chr_file { open read write ioctl };
+
+allow bluetooth persist_file:dir search;
+allow bluetooth persist_file:file rw_file_perms;
+
+#dun-server requires interaction with net_domain socket
+net_domain(bluetooth);
+
+#dun-server requires binding with system_app and servicemanager
+binder_use(bluetooth);
+binder_call(bluetooth, system_app);
+binder_call(bluetooth, servicemanager);
+
+#sapd requires interaction with qmux sockets
+qmux_socket(bluetooth);
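Review bot: The `sapd`, `dun-server` and `btsnoop` domains declared at the top are never entered: each `domain_auto_trans(init, <x>_exec, bluetooth)` transitions into the generic `bluetooth` domain, so the three daemons run with the full bluetooth domain's permissions and the declared types are dead. If separate domains were intended, the third argument should be the declared domain (`domain_auto_trans(init, sapd_exec, sapd)` and likewise for the other two) with per-daemon rules; otherwise drop the unused type declarations. Two rules are broad for what their comments describe: `allow bluetooth sysfs:file rw_file_perms;` writes any sysfs node still carrying the generic label, and `allow bluetooth port:tcp_socket name_bind;` permits binding any port for the snoop logger — labelling the specific node and port would keep the comments honest. Also `needes` → `needs`, and the double spaces in `type dun-server,  bluetoothdomain;` / `type btsnoop,  bluetoothdomain;`.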
diff --git a/common/bootanim.te b/common/bootanim.te
new file mode 100644
index 0000000..0e66297
--- /dev/null
+++ b/common/bootanim.te
@@ -0,0 +1 @@
+allow bootanim shell_data_file:dir search;
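Review bot: `allow bootanim shell_data_file:dir search;` is the only rule in the file and has no comment saying why the boot animation needs to traverse shell-owned data; the need is not visible from this change. A why-comment such as `# bootanim searches shell_data_file dirs because <reason to fill in>` would keep the next reviewer from dropping or widening it.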
diff --git a/common/charger_monitor.te b/common/charger_monitor.te
new file mode 100644
index 0000000..125cb1b
--- /dev/null
+++ b/common/charger_monitor.te
@@ -0,0 +1,16 @@
+#integrated process
+type charger_monitor, domain;
+type charger_monitor_exec, exec_type, file_type;
+
+#started by init
+init_daemon_domain(charger_monitor)
+
+#charger monitor will use uevent, visit sysfs and use the wake lock
+allow charger_monitor self:netlink_kobject_uevent_socket { read create setopt bind };
+allow charger_monitor sysfs:file rw_file_perms;
+allow charger_monitor sysfs_wake_lock:file rw_file_perms;
+
+allow charger_monitor sysfs_battery_supply:dir search;
+allow charger_monitor sysfs_battery_supply:file rw_file_perms;
+allow charger_monitor sysfs_usb_supply:dir search;
+allow charger_monitor sysfs_usb_supply:file r_file_perms;
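Review bot: `allow charger_monitor sysfs:file rw_file_perms;` grants read/write on every sysfs file that still carries the generic `sysfs` label, which is much wider than the battery and USB supply nodes the comment describes; the specific `sysfs_battery_supply`/`sysfs_usb_supply` rules below it show the intended scope. If further nodes are needed, label them in file_contexts (as this change does for `sysfs_usb_supply`) instead of opening all of sysfs, or at least name them in the comment.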
diff --git a/common/cnd.te b/common/cnd.te
new file mode 100644
index 0000000..5e419e8
--- /dev/null
+++ b/common/cnd.te
@@ -0,0 +1,73 @@
+#permissive cnd;
+type cnd, domain;
+type cnd_exec, exec_type, file_type;
+file_type_auto_trans(cnd, socket_device, cnd_socket);
+
+# cnd is started by init, type transit from init domain to cnd domain
+init_daemon_domain(cnd)
+# associate netdomain as an attribute of cnd domain
+net_domain(cnd)
+
+allow cnd smem_log_device:chr_file rw_file_perms;
+
+# allow cnd the following capability
+allow cnd self:capability { setuid setgid dac_override net_raw chown
+ fsetid net_admin sys_module };
+allow cnd self:capability2 block_suspend;
+
+# socket used to communicate with kernel via the netlink syscall
+allow cnd self:netlink_tcpdiag_socket { bind create write read
+ nlmsg_read getopt};
+allow cnd self:netlink_route_socket { read bind create write
+ nlmsg_read };
+allow cnd self:netlink_socket { create setopt getopt bind getattr write read };
+
+# allow cnd to set system property
+allow cnd system_prop:property_service set;
+allow cnd property_socket:sock_file write;
+allow cnd init:unix_stream_socket connectto;
+
+# allow cnd to communicate with wlan driver
+allow cnd kernel:system module_request;
+
+# allow cnd to access cnd_data_file
+allow cnd cnd_data_file:file create_file_perms;
+allow cnd cnd_data_file:sock_file { unlink create setattr };
+allow cnd cnd_data_file:dir { open read write add_name remove_name search };
+
+# allow cnd to access qmux_radio_socket
+qmux_socket(cnd)
+
+# cnd access diag_device /dev/diag for logging
+allow cnd diag_device:chr_file { read write open ioctl };
+
+# allow cnd to access wpa_socket
+allow cnd wpa:unix_dgram_socket sendto;
+allow cnd wpa_socket:dir { write remove_name search add_name search };
+allow cnd wpa_socket:sock_file { write create unlink setattr };
+allow cnd wifi_data_file:dir search;
+# allow cnd to obtain wakelock
+allow cnd sysfs_wake_lock:file { open append };
+
+# allow cnd to communicate with all application
+allow cnd appdomain:dir search;
+allow cnd appdomain:fd use;
+allow cnd appdomain:file { read open };
+allow cnd appdomain:tcp_socket rw_socket_perms;
+
+# allow cnd to communicate with system_server
+allow cnd system_server:dir search;
+allow cnd system_server:file { read open };
+allow cnd system_server:tcp_socket { write getattr shutdown getopt read bind };
+
+# allow cnd to communicate with mediaserver
+allow cnd mediaserver:dir search;
+allow cnd mediaserver:fd use;
+allow cnd mediaserver:tcp_socket { read write bind getattr shutdown getopt };
+allow cnd mediaserver:file { open read };
+
+# allow cnd to access ipa_dev
+allow cnd ipa_dev:chr_file r_file_perms;
+
+# allow cnd to perform socket operation on itself
+allow cnd self:socket create_socket_perms;
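Review bot: `allow cnd wpa_socket:dir { write remove_name search add_name search };` lists `search` twice, and `#permissive cnd;` at the top is a commented-out permissive statement that reads as dead code — delete it or replace it with a real description of the domain. `allow cnd property_socket:sock_file write;` together with `allow cnd init:unix_stream_socket connectto;` spells out what `unix_socket_connect(cnd, property, init)` provides; atfwd.te and dpmd.te use the macro, so this file should too. The `sys_module` capability plus `allow cnd kernel:system module_request;` lets cnd request kernel module loads, which `# allow cnd to communicate with wlan driver` understates — name the module it needs.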
diff --git a/common/device.te b/common/device.te
new file mode 100755
index 0000000..081b8ad
--- /dev/null
+++ b/common/device.te
@@ -0,0 +1,93 @@
+#Define the logging device type
+type diag_device, dev_type;
+type smem_log_device, dev_type;
+
+#Define the hsic device
+type hsic_device, dev_type;
+
+#Define the mhi device
+type mhi_device, dev_type;
+
+#device type for smd device nodes, ie /dev/smd*
+type smd_device, dev_type;
+
+#device type for rmnet device nodes, ie /dev/rmnet_ctrl*
+type rmnet_device, dev_type;
+
+#Define thermal-engine devices
+type thermal_device, dev_type;
+
+#Define vm_bms devices
+type vm_bms_device, dev_type;
+type battery_data_device, dev_type;
+
+#Add qdsp_device type
+type qdsp_device, dev_type;
+#Define hvdcp/quickcharge device
+type hvdcp_device, dev_type;
+
+#Define mpdecision device
+type device_latency, dev_type;
+
+#Define rct device type for time daemon
+type rtc_device, dev_type;
+
+#Added for fm_radio device
+type  fm_radio_device, dev_type;
+
+#Add for storage pertitions for EFS partitions
+type modem_efs_partition_device, dev_type;
+
+#Define device for partition links
+type ssd_device, dev_type;
+type rpmb_device, dev_type;
+
+#ESOC device
+type esoc_device, dev_type;
+
+#SSR device
+type ssr_device, dev_type;
+
+#Ramdump device
+type ramdump_device, dev_type;
+
+#Kickstart bridge devices
+type ksbridgehsic_device, dev_type;
+
+#EFS sync bridge devices
+type efsbridgehsic_device, dev_type;
+
+#EFS sync block devices
+type efs_boot_dev, dev_type;
+
+#Misc partition
+type misc_partition, dev_type;
+
+#Bootselect partition
+type bootselect_device, dev_type;
+
+#define usb_uicc_device for usb_uicc daemon
+type usb_uicc_device, dev_type;
+
+# Define IPA devices
+type ipa_dev, dev_type;
+
+type wcnss_device, dev_type;
+
+type mmc_block_device, dev_type;
+
+# Define QDSS devices
+type qdss_device, dev_type;
+
+#Define Gadget serial device
+type gadget_serial_device, dev_type;
+
+#Added for hbtp
+type bu21150_device, dev_type;
+type hbtp_device, dev_type;
+
+#added for voice device
+type voice_device, dev_type;
+
+#Define system health monitor devices
+type system_health_monitor_device, dev_type;
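Review bot: Typos and undocumented types: `#Define rct device type for time daemon` should read `rtc`, `pertitions` → `partitions`, and `type  fm_radio_device` has a double space; `wcnss_device` and `mmc_block_device` are the only types with no comment. One-liners grounded in the file_contexts entries would do, e.g. `# WCNSS control/WLAN nodes (/dev/wcnss_ctrl, /dev/wcnss_wlan)` and `# raw eMMC block device (/dev/block/mmcblk0)`. `rpmb_device` sits under `#Define device for partition links` but file_contexts maps it to `/dev/block/mmcblk0rpmb`, a raw RPMB partition rather than a link — give it its own comment. The file is also created with mode 100755, which a policy file does not need.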
diff --git a/common/dhcp.te b/common/dhcp.te
new file mode 100644
index 0000000..8a16a0c
--- /dev/null
+++ b/common/dhcp.te
@@ -0,0 +1 @@
+unix_socket_connect(dhcp, cnd, cnd)
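Review bot: `unix_socket_connect(dhcp, cnd, cnd)` has no comment, while app.te explains its matching rule with `# allow application to access cnd domain and socket`. A parallel `# allow the dhcp client to connect to the cnd socket` would keep the two consistent; the reason the DHCP client needs cnd is not visible from this change.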
diff --git a/common/diag.te b/common/diag.te
new file mode 100644
index 0000000..d8458dc
--- /dev/null
+++ b/common/diag.te
@@ -0,0 +1,28 @@
+type diag, domain;
+type diag_exec, exec_type, file_type;
+userdebug_or_eng(`
+  domain_auto_trans(shell, diag_exec, diag)
+  domain_auto_trans(adbd, diag_exec, diag)
+  file_type_auto_trans(diag, system_data_file, diag_data_file);
+  allow diag diag_device:chr_file {ioctl read write open getattr};
+  allow diag devpts:chr_file {ioctl read write open getattr};
+  allow diag shell:fd {use};
+  allow diag su:fd {use};
+  allow diag cgroup:dir { create add_name };
+  allow diag console_device:chr_file { read write };
+  allow diag port:tcp_socket name_connect;
+  allow diag sdcard_internal:dir { create add_name write search };
+  allow diag self:capability { setuid net_raw sys_admin setgid dac_override };
+  allow diag self:capability2 { syslog block_suspend };
+  allow diag self:tcp_socket { create connect setopt};
+  allow diag sysfs_wake_lock:file { write open append };
+  allow diag kernel:system syslog_mod;
+  # allow drmdiagapp access to drm related paths
+  allow diag persist_file:dir r_dir_perms;
+  r_dir_file(diag, persist_data_file)
+  # Write to drm related pieces of persist partition
+  allow diag persist_drm_file:dir create_dir_perms;
+  allow diag persist_drm_file:file create_file_perms;
+  # allow access to qseecom for drmdiagapp
+  allow sectest tee_device:chr_file rw_file_perms;
+')
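Review bot: The last rule in the `userdebug_or_eng` block, `allow sectest tee_device:chr_file rw_file_perms;`, has subject `sectest` rather than `diag`, yet its comment says it is for drmdiagapp, and file_contexts labels `/system/bin/drmdiagapp` as `diag_exec`. Either the subject should be `diag` (`allow diag tee_device:chr_file rw_file_perms;`) or the rule belongs in sectest.te; as written drmdiagapp gets no qseecom access and sectest gets it under a misleading comment. Separately, `sys_admin` in the capability set and `domain_auto_trans(shell, diag_exec, diag)` form a large debug surface; the block is gated, but a comment naming which tool needs `sys_admin` would help.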
diff --git a/common/domain.te b/common/domain.te
new file mode 100644
index 0000000..acadbb9
--- /dev/null
+++ b/common/domain.te
@@ -0,0 +1,7 @@
+userdebug_or_eng(`
+  allow domain diag_device:chr_file rw_file_perms;
+')
+
+r_dir_file(domain, sysfs_socinfo);
+r_dir_file(domain, sysfs_esoc);
+r_dir_file(domain, sysfs_ssr);
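Review bot: `allow domain diag_device:chr_file rw_file_perms;` inside `userdebug_or_eng` gives every domain read/write on the diag node (`/dev/diag` is labelled `diag_device` in file_contexts) on debug builds, and neither it nor the three `r_dir_file(domain, …)` lines carries a comment. Add `# debug builds only: any process may use the diag device for logging` above the block and `# all domains may read SoC, ESOC and SSR sysfs info` above the r_dir_file lines. The trailing `;` after the `r_dir_file(...)` calls is inconsistent with `r_dir_file(diag, persist_data_file)` in diag.te.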
diff --git a/common/dpmd.te b/common/dpmd.te
new file mode 100644
index 0000000..61e6919
--- /dev/null
+++ b/common/dpmd.te
@@ -0,0 +1,41 @@
+#dpmd as domain
+type dpmd, domain;
+type dpmd_exec, exec_type, file_type;
+file_type_auto_trans(dpmd, socket_device, dpmwrapper_socket);
+init_daemon_domain(dpmd)
+net_domain(dpmd)
+allow dpmd dpmd_exec:file execute_no_trans;
+
+#allow dpmd to access dpm_data_file
+allow dpmd dpmd_data_file:file create_file_perms;
+allow dpmd dpmd_data_file:dir create_dir_perms;
+
+#allow dpmd to access qmux radio socket
+qmux_socket(dpmd);
+
+#self capability
+allow dpmd sysfs_wake_lock:file rw_file_perms;
+allow dpmd self:socket rw_socket_perms;
+allow dpmd self:netlink_socket rw_socket_perms;
+allow dpmd self:capability { setuid setgid dac_override net_raw chown fsetid net_admin sys_module };
+
+#socket, self
+allow dpmd smem_log_device:chr_file rw_file_perms;
+unix_socket_connect(dpmd, property, init)
+allow dpmd self:capability2 block_suspend;
+allow dpmd system_prop:property_service set;
+allow dpmd ctl_default_prop:property_service set;
+
+#misc.
+allow dpmd shell_exec:file { read execute open execute_no_trans };
+allow dpmd system_file:file execute_no_trans;
+
+#kernel
+allow dpmd kernel:system module_request;
+
+#appdomain
+allow dpmd appdomain:fd use;
+allow dpmd appdomain:tcp_socket { read write getopt getattr };
+
+#permission to unlink dpmwrapper socket
+allow dpmd socket_device:dir remove_name;
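Review bot: The `#misc.` section grants `allow dpmd shell_exec:file { read execute open execute_no_trans };` and `allow dpmd system_file:file execute_no_trans;`, i.e. a daemon holding `setuid`, `dac_override`, `net_admin` and `sys_module` may exec the shell and any system binary in its own domain; the comment must say which script or binary dpmd runs, or the rules should be narrowed to it. `allow dpmd ctl_default_prop:property_service set;` additionally lets dpmd start or stop init services through `ctl.*` properties — state which service. `#self capability` and `#socket, self` do not describe their sections (the latter covers smem_log, property set and block_suspend).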
diff --git a/common/drmserver.te b/common/drmserver.te
new file mode 100644
index 0000000..b6668bd
--- /dev/null
+++ b/common/drmserver.te
@@ -0,0 +1,6 @@
+#Address denial logs for drm server accessing firmware file
+allow drmserver firmware_file:file { read getattr open };
+allow drmserver firmware_file:dir r_dir_perms;
+
+#Address denial logs for drm server accessing qseecom driver
+allow drmserver tee_device:chr_file rw_file_perms;
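Review bot: `allow drmserver firmware_file:file { read getattr open };` spells out a subset of `r_file_perms`, which this change uses elsewhere (`allow audiod proc_audiod:file r_file_perms;`); `allow drmserver firmware_file:file r_file_perms;` would match, at the cost of being marginally wider (AOSP's `r_file_perms` also includes ioctl and lock), so keep the explicit set if that matters and say so. Both comments say "Address denial logs", which records why the rule was added but not what drmserver needs the firmware or qseecom for — name the use.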
diff --git a/common/file.te b/common/file.te
new file mode 100644
index 0000000..b1f92b7
--- /dev/null
+++ b/common/file.te
@@ -0,0 +1,114 @@
+# Default type for anything under /firmware.
+type firmware_file, fs_type, contextmount_type;
+
+#Define the qmux socket type
+type qmuxd_socket, file_type;
+
+#Define the pps socket type
+type pps_socket, file_type;
+
+# Define cnd socket and data file type
+type cnd_socket, file_type;
+type cnd_data_file, file_type;
+
+# Define dpmd data file type
+type dpmd_socket, file_type;
+type dpmwrapper_socket, file_type;
+type dpmd_data_file, file_type, data_file_type;
+
+#Define the timeout for platform specific transports
+type sysfs_hsic_modem_wait, sysfs_type, fs_type;
+type sysfs_smd_open_timeout, sysfs_type, fs_type;
+
+#Define the files written during the operation of netmgrd and qmuxd
+type data_test_data_file, file_type, data_file_type;
+type sysrq_trigger_proc, fs_type, mlstrustedobject;
+# Persist file types
+type persist_file, file_type;
+type persist_data_file, file_type;
+type persist_drm_file, file_type;
+type data_qsee_file, file_type;
+
+type diag_data_file, file_type, data_file_type;
+
+#file type for restricting proc read by audiod
+type proc_audiod, fs_type;
+
+# Sensor file types
+type sensors_socket, file_type;
+type sensors_data_file, file_type, data_file_type;
+type sensors_persist_file, file_type;
+
+#type for thermal-engine
+type sysfs_thermal, sysfs_type, fs_type;
+type thermal_socket, file_type;
+#type for uart
+type sysfs_msmuart_file, sysfs_type, fs_type;
+
+# Storage RFS file types
+type rfs_data_file, file_type;
+type rfs_system_file, file_type;
+type rfs_shared_hlos_file, file_type;
+
+#mm-pp-daemon file type for sysfs access
+type sysfs_leds, fs_type, sysfs_type;
+
+#Define the files written during the operation of mm-pp-daemon
+type data_ad_calib_cfg, file_type, data_file_type;
+
+#SurfaceFlinger file type for sysfs access
+type sysfs_graphics, sysfs_type, fs_type;
+
+# USB/battery power supply type for hvdcp/quickcharge
+type sysfs_usb_supply, sysfs_type, fs_type;
+type sysfs_battery_supply, sysfs_type, fs_type;
+
+#Define the files written during the operation of mpdecision
+type sysfs_mpdecision, fs_type, sysfs_type;
+type sysfs_rqstats, fs_type, sysfs_type;
+type sysfs_cpu_online, fs_type, sysfs_type;
+type mpctl_socket, file_type;
+type mpctl_data_file, file_type, data_file_type;
+
+#mm-qcamera-daemon socket
+type camera_socket, file_type;
+
+#Socket node needed by ims_data daemon
+type ims_socket, file_type;
+
+#location file types
+type location_data_file, file_type, data_file_type;
+type location_socket, file_type;
+type location_app_data_file, file_type, data_file_type;
+
+#File types required by mdm-helper
+type sysfs_esoc, sysfs_type, fs_type;
+type sysfs_ssr,  sysfs_type, fs_type;
+type sysfs_ssr_toggle,  sysfs_type, file_type;
+type sysfs_hsic, sysfs_type, fs_type;
+type sysfs_hsic_host_rdy, sysfs_type, file_type;
+
+# Files accessed by qcom-system-daemon
+type sysfs_socinfo, fs_type, sysfs_type;
+
+#Define the sysfs files for usb_uicc_daemon
+type sysfs_usb_uicc, sysfs_type, fs_type;
+
+type qlogd_socket, file_type;
+type qlogd_data_file, file_type;
+#Define the files written during the operation of mm-pp-daemon
+type display_config, file_type, data_file_type;
+
+# IPA file types
+type ipacm_socket, file_type;
+type ipacm_data_file, file_type;
+
+#Define the files written during the operation of mmi
+type mmi_data_file, file_type, data_file_type;
+
+#needed by vold
+type  proc_dirty_ratio, fs_type;
+
+# hbtp config file
+type hbtp_cfg_file, file_type;
+type hbtp_log_file, file_type;
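Review bot: `type sysfs_ssr_toggle,  sysfs_type, file_type;` and `type sysfs_hsic_host_rdy, sysfs_type, file_type;` attach `file_type` where every other sysfs type in this file uses `fs_type` (`sysfs_esoc`, `sysfs_ssr`, `sysfs_hsic` right beside them); unless these are deliberately meant to satisfy rules written against `file_type`, they should be `sysfs_type, fs_type` like their neighbours. `qlogd_data_file` and `ipacm_data_file` are declared with only `file_type` while the other `_data_file` types carry `data_file_type` — check whether that omission is intended. `# Define dpmd data file type` sits over two socket types as well, and `type  proc_dirty_ratio` has a double space.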
diff --git a/common/file_contexts b/common/file_contexts
new file mode 100644
index 0000000..85c7efb
--- /dev/null
+++ b/common/file_contexts
@@ -0,0 +1,249 @@
+###################################
+# Dev nodes
+#
+/dev/adsprpc-smd                                u:object_r:qdsp_device:s0
+/dev/cpu_dma_latency                            u:object_r:device_latency:s0
+/dev/diag                                       u:object_r:diag_device:s0
+/dev/hsicctl.*                                  u:object_r:hsic_device:s0
+/dev/kgsl-3d0                                   u:object_r:gpu_device:s0
+/dev/mhi_pipe_.*                                u:object_r:mhi_device:s0
+/dev/msm_.*                                     u:object_r:audio_device:s0
+/dev/msm_dsps                                   u:object_r:sensors_device:s0
+/dev/msm_thermal_query                          u:object_r:thermal_device:s0
+/dev/nfc-nci                                    u:object_r:nfc_device:s0
+/dev/qseecom                                    u:object_r:tee_device:s0
+/dev/radio0                                     u:object_r:fm_radio_device:s0
+/dev/rtc0                                       u:object_r:rtc_device:s0
+/dev/sensors                                    u:object_r:sensors_device:s0
+/dev/smd.*                                      u:object_r:smd_device:s0
+/dev/smem_log                                   u:object_r:smem_log_device:s0
+/dev/ttyHSL0                                    u:object_r:console_device:s0
+/dev/ttyHS[0-9]*                                u:object_r:serial_device:s0
+/dev/ttyGS0                                     u:object_r:gadget_serial_device:s0
+/dev/usb_ext_chg                                u:object_r:hvdcp_device:s0
+/dev/media([0-9])+                              u:object_r:camera_device:s0
+/dev/jpeg[0-9]*                                 u:object_r:camera_device:s0
+/dev/v4l-subdev.*                               u:object_r:camera_device:s0
+/dev/vm_bms                                     u:object_r:vm_bms_device:s0
+/dev/battery_data                               u:object_r:battery_data_device:s0
+/dev/block/bootdevice/by-name/modemst1          u:object_r:modem_efs_partition_device:s0
+/dev/block/bootdevice/by-name/modemst2          u:object_r:modem_efs_partition_device:s0
+/dev/block/bootdevice/by-name/fsg               u:object_r:modem_efs_partition_device:s0
+/dev/block/bootdevice/by-name/fsc               u:object_r:modem_efs_partition_device:s0
+/dev/block/bootdevice/by-name/ssd               u:object_r:ssd_device:s0
+/dev/block/mmcblk0rpmb                          u:object_r:rpmb_device:s0
+/dev/ccid_bridge                                u:object_r:usb_uicc_device:s0
+/dev/block/bootdevice/by-name/mdm1m9kefs1       u:object_r:efs_boot_dev:s0
+/dev/block/bootdevice/by-name/mdm1m9kefs2       u:object_r:efs_boot_dev:s0
+/dev/block/bootdevice/by-name/mdm1m9kefs3       u:object_r:efs_boot_dev:s0
+/dev/block/bootdevice/by-name/mdm1m9kefsc       u:object_r:efs_boot_dev:s0
+/dev/subsys_.*                                  u:object_r:ssr_device:s0
+/dev/ramdump_.*                                 u:object_r:ramdump_device:s0
+/dev/esoc.*                                     u:object_r:esoc_device:s0
+/dev/ks_hsic_bridge                             u:object_r:ksbridgehsic_device:s0
+/dev/efs_hsic_bridge                            u:object_r:efsbridgehsic_device:s0
+/dev/block/bootdevice/by-name/misc              u:object_r:misc_partition:s0
+/dev/block/bootdevice/by-name/bootselect        u:object_r:bootselect_device:s0
+/dev/ipa                                        u:object_r:ipa_dev:s0
+/dev/wwan_ioctl                                 u:object_r:ipa_dev:s0
+/dev/ipaNatTable                                u:object_r:ipa_dev:s0
+/dev/block/mmcblk0                              u:object_r:mmc_block_device:s0
+/dev/rmnet_ctrl.*                               u:object_r:rmnet_device:s0
+/dev/dpl_ctrl                                   u:object_r:rmnet_device:s0
+/dev/wcnss_ctrl                                 u:object_r:wcnss_device:s0
+/dev/wcnss_wlan                                 u:object_r:wcnss_device:s0
+/dev/hbtp_input                                 u:object_r:hbtp_device:s0
+/dev/jdi-bu21150                                u:object_r:bu21150_device:s0
+/dev/voice_svc                                  u:object_r:voice_device:s0
+/dev/coresight-stm                              u:object_r:qdss_device:s0
+/dev/coresight-tmc-etf                          u:object_r:qdss_device:s0
+/dev/coresight-tmc-etr                          u:object_r:qdss_device:s0
+/dev/coresight-tmc-etr-stream                   u:object_r:qdss_device:s0
+/dev/system_health_monitor                      u:object_r:system_health_monitor_device:s0
+
+###################################
+# Dev socket nodes
+#
+/dev/socket/qmux_audio(/.*)?                    u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_bluetooth(/.*)?                u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_gps(/.*)?                      u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_radio(/.*)?                    u:object_r:qmuxd_socket:s0
+/dev/socket/sensor_ctl_socket                   u:object_r:sensors_socket:s0
+/dev/socket/cnd                                 u:object_r:cnd_socket:s0
+/dev/socket/nims                                u:object_r:cnd_socket:s0
+/dev/socket/thermal-send-client                 u:object_r:thermal_socket:s0
+/dev/socket/thermal-recv-client                 u:object_r:thermal_socket:s0
+/dev/socket/thermal-recv-passive-client         u:object_r:thermal_socket:s0
+/dev/socket/ims_qmid                            u:object_r:ims_socket:s0
+/dev/socket/ims_datad                           u:object_r:ims_socket:s0
+/dev/socket/ims_rtpd                            u:object_r:ims_socket:s0
+/dev/socket/perfd(/.*)?                         u:object_r:mpctl_socket:s0
+/dev/socket/qlogd                               u:object_r:qlogd_socket:s0
+/dev/socket/ipacm_log_file                      u:object_r:ipacm_socket:s0
+/dev/socket/dpmd                                u:object_r:dpmd_socket:s0
+/dev/socket/dpmwrapper                          u:object_r:dpmwrapper_socket:s0
+/dev/socket/pps                                 u:object_r:pps_socket:s0
+/dev/socket/rild2                               u:object_r:rild_socket:s0
+/dev/socket/rild2-debug                         u:object_r:rild_debug_socket:s0
+/dev/socket/rild3                               u:object_r:rild_socket:s0
+/dev/socket/rild3-debug                         u:object_r:rild_debug_socket:s0
+
+###################################
+# System files
+#
+/system/bin/ATFWD-daemon                        u:object_r:atfwd_exec:s0
+/system/bin/PktRspTest                          u:object_r:diag_exec:s0
+/system/bin/audiod                              u:object_r:audiod_exec:s0
+/system/bin/charger_monitor                     u:object_r:charger_monitor_exec:s0
+/system/bin/cnd                                 u:object_r:cnd_exec:s0
+/system/bin/diag_callback_client                u:object_r:diag_exec:s0
+/system/bin/diag_dci_sample                     u:object_r:diag_exec:s0
+/system/bin/diag_klog                           u:object_r:diag_exec:s0
+/system/bin/diag_mdlog                          u:object_r:qlogd_exec:s0
+/system/bin/diag_qshrink4_daemon                u:object_r:diag_exec:s0
+/system/bin/diag_socket_log                     u:object_r:diag_exec:s0
+/system/bin/diag_uart_log                       u:object_r:diag_exec:s0
+/system/bin/drmdiagapp                          u:object_r:diag_exec:s0
+/system/bin/irsc_util                           u:object_r:irsc_util_exec:s0
+/system/bin/mm-pp-daemon                        u:object_r:mm-pp-daemon_exec:s0
+/system/bin/mmi                                 u:object_r:mmi_exec:s0
+/system/bin/mpdecision                          u:object_r:mpdecision_exec:s0
+/system/bin/perfd                               u:object_r:perfd_exec:s0
+/system/bin/msm_irqbalance                      u:object_r:msm_irqbalanced_exec:s0
+/system/bin/imsdatadaemon                       u:object_r:ims_exec:s0
+/system/bin/imsqmidaemon                        u:object_r:ims_exec:s0
+/system/bin/ims_rtp_daemon                      u:object_r:ims_exec:s0
+/system/bin/imscmservice                        u:object_r:imscm_exec:s0
+/system/bin/netmgrd                             u:object_r:netmgrd_exec:s0
+/system/bin/qmuxd                               u:object_r:qmuxd_exec:s0
+/system/bin/port-bridge                         u:object_r:port-bridge_exec:s0
+/system/bin/sensors.qcom                        u:object_r:sensors_exec:s0
+/system/bin/sns.*                               u:object_r:sensors_test_exec:s0
+/system/bin/test_diag                           u:object_r:diag_exec:s0
+/system/bin/thermal-engine                      u:object_r:thermal-engine_exec:s0
+/system/bin/vm_bms                              u:object_r:vm_bms_exec:s0
+/system/bin/mm-qcamera-daemon                   u:object_r:mm-qcamerad_exec:s0
+/system/rfs.*                                   u:object_r:rfs_system_file:s0
+/system/bin/time_daemon                         u:object_r:time_daemon_exec:s0
+/system/bin/rmt_storage                         u:object_r:rmt_storage_exec:s0
+/system/bin/rfs_access                          u:object_r:rfs_access_exec:s0
+/system/bin/tftp_server                         u:object_r:rfs_access_exec:s0
+/system/bin/hvdcp                               u:object_r:hvdcp_exec:s0
+/system/bin/qseecomd                            u:object_r:tee_exec:s0
+/system/bin/hostapd_cli                         u:object_r:hostapd_exec:s0
+/system/bin/adsprpcd                            u:object_r:adsprpcd_exec:s0
+/system/bin/wpa_cli                             u:object_r:wcnss_service_exec:s0
+/system/bin/cnss-daemon                         u:object_r:wcnss_service_exec:s0
+/system/bin/mdm_helper                          u:object_r:mdm_helper_exec:s0
+/system/bin/mdm_helper_proxy                    u:object_r:mdm_helper_exec:s0
+/system/bin/ks                                  u:object_r:mdm_helper_exec:s0
+/system/bin/pm-service                          u:object_r:per_mgr_exec:s0
+/system/bin/usb_uicc_client                     u:object_r:usb_uicc_daemon_exec:s0
+/system/bin/qcom-system-daemon                  u:object_r:qcomsysd_exec:s0
+/system/xbin/qlogd                              u:object_r:qlogd_exec:s0
+/system/bin/ipacm                               u:object_r:ipacm_exec:s0
+/system/bin/ipacm-diag                          u:object_r:ipacm-diag_exec:s0
+/system/bin/dpmd                                u:object_r:dpmd_exec:s0
+/system/bin/ssr_setup                           u:object_r:ssr_setup_exec:s0
+/system/bin/subsystem_ramdump                   u:object_r:subsystem_ramdump_exec:s0
+/system/bin/ssr_diag                            u:object_r:ssr_diag_exec:s0
+/system/bin/loc_launcher                        u:object_r:location_exec:s0
+/system/bin/quipc_main                          u:object_r:location_exec:s0
+/system/bin/ipepb                               u:object_r:location_exec:s0
+/system/bin/quipc_igsn                          u:object_r:location_exec:s0
+/system/bin/lowi-server                         u:object_r:location_exec:s0
+/system/bin/location-mq                         u:object_r:location_exec:s0
+/system/bin/xtwifi-inet-agent                   u:object_r:location_exec:s0
+/system/bin/xtwifi-client                       u:object_r:location_exec:s0
+/system/bin/gsiff_daemon                        u:object_r:location_exec:s0
+/system/bin/garden_app                          u:object_r:location_exec:s0
+/system/bin/gpsone_daemon                       u:object_r:location_exec:s0
+/system/vendor/bin/slim_ap_daemon               u:object_r:location_exec:s0
+/system/vendor/bin/qti                          u:object_r:qti_exec:s0
+/system/bin/wcnss_service                       u:object_r:wcnss_service_exec:s0
+/system/vendor/bin/hbtp_daemon                  u:object_r:hbtp_exec:s0
+/system/bin/sapd                                u:object_r:sapd_exec:s0
+/system/bin/btsnoop                             u:object_r:btsnoop_exec:s0
+/system/bin/dun-server                          u:object_r:dun-server_exec:s0
+
+###################################
+# sysfs files
+#
+/sys/class/graphics/fb0/mdp/caps                                    u:object_r:sysfs_graphics:s0
+/sys/class/thermal(/.*)?                                            u:object_r:sysfs_thermal:s0
+/sys/devices/.*bcl.*(/.*)?                                          u:object_r:sysfs_thermal:s0
+/sys/devices/f9200000.*/power_supply/usb(/.*)?                      u:object_r:sysfs_usb_supply:s0
+/sys/devices/msm_dwc3/power_supply/usb(/.*)?                        u:object_r:sysfs_usb_supply:s0
+/sys/devices/msm_otg/power_supply/usb(/.*)?                         u:object_r:sysfs_usb_supply:s0
+/sys/devices/platform/battery_current_limit                         u:object_r:sysfs_thermal:s0
+/sys/devices/qpnp-charger.*/power_supply/battery(/.*)?              u:object_r:sysfs_battery_supply:s0
+/sys/devices/system/cpu/cpu0/rq-stats/*                             u:object_r:sysfs_rqstats:s0
+/sys/devices/virtual/graphics/fb([0-2])+/idle_time                  u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-2])+/product_description        u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-2])+/vendor_name                u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/hsicctl/hsicctl1[0-9]/modem_wait               u:object_r:sysfs_hsic_modem_wait:s0
+/sys/devices/virtual/hsicctl/hsicctl[0-9]/modem_wait                u:object_r:sysfs_hsic_modem_wait:s0
+/sys/devices/virtual/smdpkt/smdcntl1[0-9]/open_timeout              u:object_r:sysfs_smd_open_timeout:s0
+/sys/devices/virtual/smdpkt/smdcntl[0-9]/open_timeout               u:object_r:sysfs_smd_open_timeout:s0
+/sys/devices/virtual/thermal(/.*)?                                  u:object_r:sysfs_thermal:s0
+/sys/module/msm_serial_hs/parameters/debug_mask                     u:object_r:sysfs_msmuart_file:s0
+/sys/module/msm_thermal(/.*)?                                       u:object_r:sysfs_thermal:s0
+/sys/module/msm_thermal/core_control/cpus_offlined                  u:object_r:sysfs_mpdecision:s0
+/sys/devices/f9a55000.*/power_supply/usb(/.*)?                      u:object_r:sysfs_usb_supply:s0
+/sys/devices/virtual/graphics/fb([0-2])+/hpd                        u:object_r:sysfs_graphics:s0
+/sys/class/graphics/fb([0-2])+/mdp/caps                             u:object_r:sysfs_graphics:s0
+/sys/class/graphics/fb([0-2])+/ad                                   u:object_r:sysfs_graphics:s0
+/sys/bus/platform/drivers/xhci_msm_hsic(/.*)?                       u:object_r:sysfs_hsic:s0
+/sys/devices/msm_hsic_host/host_ready                               u:object_r:sysfs_hsic_host_rdy:s0
+/sys/bus/esoc(/.*)?                                                 u:object_r:sysfs_esoc:s0
+/sys/bus/msm_subsys(/.*)?                                           u:object_r:sysfs_ssr:s0
+/sys/module/ccid_bridge(/.*)?                                       u:object_r:sysfs_usb_uicc:s0
+/sys/bus/msm_subsys/devices/subsys0/restart_level                   u:object_r:sysfs_ssr_toggle:s0
+/sys/bus/msm_subsys/devices/subsys1/restart_level                   u:object_r:sysfs_ssr_toggle:s0
+/sys/bus/msm_subsys/devices/subsys2/restart_level                   u:object_r:sysfs_ssr_toggle:s0
+/sys/bus/msm_subsys/devices/subsys3/restart_level                   u:object_r:sysfs_ssr_toggle:s0
+/sys/bus/msm_subsys/devices/subsys4/restart_level                   u:object_r:sysfs_ssr_toggle:s0
+/sys/devices/soc0/.*                                                u:object_r:sysfs_socinfo:s0
+
+###################################
+# data files
+#
+/data/connectivity(/.*)?                                            u:object_r:cnd_data_file:s0
+/data/data_test(/.*)?                                               u:object_r:data_test_data_file:s0
+/data/diag_log(/.*)?                                                u:object_r:diag_data_file:s0
+/data/misc/sensors(/.*)?                                            u:object_r:sensors_data_file:s0
+/data/rfs.*                                                         u:object_r:rfs_data_file:s0
+/data/hlos_rfs(/.*)?                                                u:object_r:rfs_shared_hlos_file:s0
+/data/camera(/.*)?                                                  u:object_r:camera_socket:s0
+/data/system/sensors(/.*)?                                          u:object_r:sensors_data_file:s0
+/data/time(/.*)?                                                    u:object_r:time_data_file:s0
+/data/nfc(/.*)?                                                     u:object_r:nfc_data_file:s0
+/data/system/perfd(/.*)?                                            u:object_r:mpctl_data_file:s0
+/data/misc/perfd(/.*)?                                              u:object_r:mpctl_socket:s0
+/data/misc/display(/.*)?                                            u:object_r:display_config:s0
+/data/misc/ipa(/.*)?                                                u:object_r:ipacm_data_file:s0
+/data/dpm(/.*)?                                                     u:object_r:dpmd_data_file:s0
+/data/misc/qsee(/.*)?                                               u:object_r:data_qsee_file:s0
+/data/misc/location(/.*)?                                           u:object_r:location_data_file:s0
+/data/FTM_AP(/.*)?                                                  u:object_r:mmi_data_file:s0
+/data/misc/hbtp(/.*)?                                               u:object_r:hbtp_log_file:s0
+/data/misc/qlogd(/.*)?                                              u:object_r:qlogd_data_file:s0
+
+###################################
+# persist files
+#
+/persist(/.*)?                                                      u:object_r:persist_file:s0
+/persist/sensors(/.*)?                                              u:object_r:sensors_persist_file:s0
+/persist/data(/.*)?                                                 u:object_r:persist_drm_file:s0
+/persist/data/tz(/.*)?                                              u:object_r:persist_drm_file:s0
+/persist/data/sfs(/.*)?                                             u:object_r:persist_drm_file:s0
+
+###################################
+# oem files
+#
+/oem(/.*)?       u:object_r:system_file:s0
+
+###################################
+# etc files
+#
+/etc/firmware/hbtp/*                                                u:object_r:hbtp_cfg_file:s0
diff --git a/common/genfs_contexts b/common/genfs_contexts
new file mode 100755
index 0000000..f92adbd
--- /dev/null
+++ b/common/genfs_contexts
@@ -0,0 +1,2 @@
+genfscon proc /asound/card0/state u:object_r:proc_audiod:s0
+genfscon proc /proc/sys/vm/dirty_ratio  u:object_r:proc_dirty_ratio:s0
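Review bot: The path in the second `genfscon proc` entry is relative to the proc mount root, so `/proc/sys/vm/dirty_ratio` would label `/proc/proc/sys/vm/dirty_ratio`, which does not exist, and the `proc_dirty_ratio` label is never applied; the first entry already uses the correct relative form (`/asound/card0/state`). Change it to `genfscon proc /sys/vm/dirty_ratio u:object_r:proc_dirty_ratio:s0`. Until then any rule written against `proc_dirty_ratio` is presumably ineffective and the file falls back to the generic `proc` label, which is exactly the over-broad access the dedicated type was meant to avoid.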
diff --git a/common/hbtp.te b/common/hbtp.te
new file mode 100644
index 0000000..2d7db0e
--- /dev/null
+++ b/common/hbtp.te
@@ -0,0 +1,19 @@
+# Policies for hbtp (host based touch processing)
+type hbtp, domain;
+type hbtp_exec, exec_type, file_type;
+
+init_daemon_domain(hbtp)
+
+# Allow access for /dev/hbtp_input and /dev/jdi-bu21150
+allow hbtp hbtp_device:chr_file rw_file_perms;
+allow hbtp bu21150_device:chr_file rw_file_perms;
+
+allow hbtp hbtp_cfg_file:dir rw_dir_perms;
+allow hbtp hbtp_cfg_file:file create_file_perms;
+
+allow hbtp hbtp_log_file:dir rw_dir_perms;
+allow hbtp hbtp_log_file:file create_file_perms;
+
+allow hbtp self:netlink_kobject_uevent_socket { create read setopt bind };
+
+binder_use(hbtp);
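Review bot: `hbtp_cfg_file` is the label given to `/etc/firmware/hbtp/*` on the system partition, yet the two `hbtp_cfg_file` rules grant `rw_dir_perms` and `create_file_perms`, i.e. write access to system-partition content from the touch daemon. Config/firmware under `/etc` should be read-only from the daemon's side — `r_dir_file(hbtp, hbtp_cfg_file)` — and if hbtp genuinely has to write there (it presumably cannot on a read-only /system), the reason deserves a comment. The trailing `;` after the `binder_use(hbtp)` macro call is also unnecessary and inconsistent with the other macro lines in this file.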
diff --git a/common/healthd.te b/common/healthd.te
new file mode 100644
index 0000000..b14073f
--- /dev/null
+++ b/common/healthd.te
@@ -0,0 +1,4 @@
+allow healthd sysfs_battery_supply:dir search;
+allow healthd sysfs_battery_supply:file { read open };
+allow healthd sysfs_usb_supply:dir search;
+allow healthd sysfs_usb_supply:file { read open };
diff --git a/common/hvdcp.te b/common/hvdcp.te
new file mode 100644
index 0000000..9d3c4da
--- /dev/null
+++ b/common/hvdcp.te
@@ -0,0 +1,16 @@
+# HVDVP quickcharge
+type hvdcp, domain;
+type hvdcp_exec, exec_type, file_type;
+
+# Make transition to its own HVDCP domain from init
+init_daemon_domain(hvdcp)
+
+# Add rules for access permissions
+allow hvdcp hvdcp_device:chr_file rw_file_perms;
+allow hvdcp sysfs_battery_supply:file rw_file_perms;
+allow hvdcp sysfs_battery_supply:dir { search };
+allow hvdcp sysfs_usb_supply:file rw_file_perms;
+allow hvdcp sysfs_usb_supply:dir { search };
+allow hvdcp self:capability { setgid setuid };
+allow hvdcp cgroup:dir { create add_name };
+allow hvdcp self:netlink_kobject_uevent_socket create_socket_perms;
diff --git a/common/ims.te b/common/ims.te
new file mode 100644
index 0000000..5a10478
--- /dev/null
+++ b/common/ims.te
@@ -0,0 +1,57 @@
+#integrated sensor process
+type ims, domain;
+type ims_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(ims)
+net_domain(ims)
+
+# Talk to qmuxd
+qmux_socket(ims)
+
+# To make VT call
+binder_use(ims)
+
+# Bring up IMSPDM
+allow ims kernel:system module_request;
+
+allow ims self:socket create_socket_perms;
+allow ims self:capability { net_admin net_raw };
+
+# Use generic netlink socket
+allow ims self:netlink_socket create_socket_perms;
+
+# To run NDC command
+allow ims shell_exec:file rx_file_perms;
+allow ims system_file:file rx_file_perms;
+
+# IMS route installation
+allow ims wcnss_service_exec:file rx_file_perms;
+
+# Talk to netd via netd_socket
+unix_socket_connect(ims, netd, netd)
+
+# Talk to qumuxd via ims_socket
+unix_socket_connect(ims, ims, qmuxd)
+
+# Talk to init via property_socket
+unix_socket_connect(ims, property, init)
+
+#Add connectionmanager service
+allow ims imscm_service:service_manager add;
+
+# Set property to start imsdata_daemon and ims_rtp_daemon
+allow ims qcom_ims_prop:property_service set;
+
+# permissions needed for IMS to connect and interact with WPA supplicant
+allow ims wpa:unix_dgram_socket sendto;
+allow ims wpa_exec:file rx_file_perms;
+allow ims wpa_socket:dir w_dir_perms;
+allow ims wpa_socket:sock_file { write create unlink setattr };
+allow ims wifi_data_file:dir r_dir_perms;
+
+# permissions for communication with CNE in LBO use case
+unix_socket_connect(ims, cnd, cnd)
+
+#Communication with voice_svc device for audio on APP
+allow ims voice_device:chr_file rw_file_perms;
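Review bot: The header comment `#integrated sensor process` does not describe this domain — the rules (qmux_socket, the IMS connection-manager service, VT-call binder, netd) are for the IMS daemon, so the comment looks pasted from another file; `# IMS (IP Multimedia Subsystem) daemon` or similar would be accurate. `allow ims system_file:file rx_file_perms;` under `# To run NDC command` lets a network-facing daemon holding net_admin/net_raw execute any binary on /system without a domain transition; if only `ndc` is needed, give it its own exec type and grant that. The `wpa_socket:sock_file { write create unlink setattr }` grant also allows ims to remove and recreate the supplicant's control socket rather than just send to it — if `write` is all that is exercised, drop the rest.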
diff --git a/common/imscm.te b/common/imscm.te
new file mode 100644
index 0000000..22a514d
--- /dev/null
+++ b/common/imscm.te
@@ -0,0 +1,25 @@
+#integrated sensor process
+type imscm, domain;
+type imscm_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(imscm)
+net_domain(imscm)
+
+# To make VT call
+binder_use(imscm)
+
+#Add connectionmanager service
+allow imscm imscm_service:service_manager add;
+
+#allow imscm ims_socket:sock_file write;
+#allow imscm ims:unix_stream_socket connectto;
+unix_socket_connect(imscm, ims, ims)
+allow imscm self:capability net_raw;
+#allow imscm untrusted_app:binder call;
+
+# imscm needs to communicate with test app
+# using binder call
+userdebug_or_eng(`
+  binder_call(imscm, untrusted_app)
+')
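Review bot: The commented-out rules (`#allow imscm ims_socket:sock_file write;`, `#allow imscm ims:unix_stream_socket connectto;`, `#allow imscm untrusted_app:binder call;`) are dead policy that the live `unix_socket_connect(imscm, ims, ims)` and the `userdebug_or_eng` block already supersede; delete them so nobody re-enables the unconditional `untrusted_app` binder call by mistake. As in ims.te, the `#integrated sensor process` header is a copy-paste and should describe the IMS connection manager instead.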
diff --git a/common/init.te b/common/init.te
new file mode 100644
index 0000000..baf1f76
--- /dev/null
+++ b/common/init.te
@@ -0,0 +1,4 @@
+# Adding allow rule for search on /fuse
+allow init fuse:dir search;
+allow init self:capability sys_module;
+allow init fuse:dir mounton;
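Review bot: `allow init self:capability sys_module;` is the one rule here the header comment (`search on /fuse`) does not explain, and module loading is a high-value capability that this series also hands to init_shell and netmgrd. Add a why-comment naming what init itself insmods at boot, e.g. `# sys_module: init loads <module> from the init.*.rc`, and if the loading actually happens in the rc-spawned shell scripts, drop it from init. I have not verified whether the platform policy for this release carries a neverallow on `sys_module`; worth confirming before merging.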
diff --git a/common/init_shell.te b/common/init_shell.te
new file mode 100644
index 0000000..34b8f89
--- /dev/null
+++ b/common/init_shell.te
@@ -0,0 +1,29 @@
+#for accessing fmradio device node
+allow  init_shell  fm_radio_device:chr_file { open read ioctl };
+# for insmod of iris ko  , this is needed .
+allow init_shell self:capability sys_module;
+
+
+#for  property starting with hw
+allow init_shell  system_prop:property_service set ;
+
+#for access to set BT property
+allow init_shell  bluetooth_prop:property_service set;
+
+#most of the default properties are set by init_shell
+allow init_shell  default_prop:property_service set;
+
+allow init_shell shell_exec:file execute_no_trans;
+
+#Needed in order to set properties while going in/out of debug mode.
+allow init_shell ctl_default_prop:property_service set;
+
+allow init_shell efs_boot_dev:blk_file r_file_perms;
+
+#perfd
+allow init_shell ctl_default_prop:property_service set;
+
+allow init_shell ctl_rildaemon_prop:property_service set;
+
+#for access to UICC property
+allow init_shell uicc_prop:property_service set;
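Review bot: `allow init_shell ctl_default_prop:property_service set;` appears twice (once under the debug-mode comment and again under `#perfd`); keep one. More importantly, `default_prop`, `system_prop` and `ctl_default_prop` set access together let any shell script spawned by init write every unlabeled property and start/stop arbitrary services, which defeats the purpose of per-property labels; if specific `hw.*` or `ctl.*` targets are needed, label them in property_contexts and grant those. A comment naming the script that needs `efs_boot_dev:blk_file r_file_perms` (a raw read of the modem EFS partitions) would also help the next reviewer.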
diff --git a/common/installd.te b/common/installd.te
new file mode 100644
index 0000000..edac081
--- /dev/null
+++ b/common/installd.te
@@ -0,0 +1,2 @@
+allow installd location_app_data_file:dir { relabelto create_dir_perms };
+allow installd location_app_data_file:lnk_file create_file_perms;
diff --git a/common/ipacm.te b/common/ipacm.te
new file mode 100644
index 0000000..1c061fd
--- /dev/null
+++ b/common/ipacm.te
@@ -0,0 +1,31 @@
+# General definitions
+type ipacm, domain;
+type ipacm-diag, domain;
+type ipacm_exec, exec_type, file_type;
+type ipacm-diag_exec, exec_type, file_type;
+init_daemon_domain(ipacm)
+init_daemon_domain(ipacm-diag)
+
+userdebug_or_eng(`
+  # Allow using the logging file between ipacm and ipacm-diag
+  allow ipacm ipacm-diag:unix_dgram_socket sendto;
+  allow ipacm ipacm_socket:sock_file write;
+')
+
+# Allow capabilities to perform network operations and interactions with network interfaces
+allow ipacm kernel:system module_request;
+allow ipacm ipacm:capability net_admin;
+
+# Allow operations with /dev/ipa, /dev/wwan_ioctl and /dev/ipaNatTable
+allow ipacm ipa_dev:chr_file rw_file_perms;
+
+# Allow querying the network stack via IOCTLs
+allow ipacm ipacm:udp_socket { create ioctl };
+
+# Allow receiving NETLINK messages
+allow ipacm ipacm:netlink_route_socket { create getopt setopt bind read };
+allow ipacm ipacm:netlink_socket { create setopt bind getattr read write };
+
+# Allow creating and modifying the PID file
+allow ipacm ipacm_data_file:file create_file_perms;
+allow ipacm ipacm_data_file:dir w_dir_perms;
diff --git a/common/irsc_util.te b/common/irsc_util.te
new file mode 100644
index 0000000..b39290d
--- /dev/null
+++ b/common/irsc_util.te
@@ -0,0 +1,11 @@
+type irsc_util, domain;
+type irsc_util_exec, exec_type, file_type;
+init_daemon_domain(irsc_util)
+
+userdebug_or_eng(`
+  domain_auto_trans(shell, irsc_util_exec, irsc_util)
+  domain_auto_trans(adbd, irsc_util_exec, irsc_util)
+')
+
+allow irsc_util irsc_util:socket {create ioctl};
+allow irsc_util devpts:chr_file {read write getattr ioctl};
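Review bot: The `devpts:chr_file` rule is unconditional, but a pty is presumably only present when irsc_util is launched from an adb shell — the case the `userdebug_or_eng` block above already covers; when init starts it there is no terminal. Move that rule inside the `userdebug_or_eng` block so user builds do not carry it. A one-line comment on `allow irsc_util irsc_util:socket {create ioctl};` saying which socket family is meant (IPC router?) would make the generic `socket` class grant reviewable.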
diff --git a/common/kernel.te b/common/kernel.te
new file mode 100755
index 0000000..2a9a083
--- /dev/null
+++ b/common/kernel.te
@@ -0,0 +1 @@
+allow kernel block_device:blk_file r_file_perms;
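Review bot: This gives the kernel domain read access to every device labeled `block_device` with no comment saying which partition or which kernel-side consumer (loop mount, firmware-from-partition, swap?) needs it. Add a why-comment, and if a single partition is involved, give it its own type in file_contexts so the grant is not `block_device`-wide.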
diff --git a/common/keystore.te b/common/keystore.te
new file mode 100644
index 0000000..524fc3f
--- /dev/null
+++ b/common/keystore.te
@@ -0,0 +1,2 @@
+# Allow keystore to operate using qseecom_device
+allow keystore tee_device:chr_file rw_file_perms;
diff --git a/common/location.te b/common/location.te
new file mode 100644
index 0000000..1698fd4
--- /dev/null
+++ b/common/location.te
@@ -0,0 +1,30 @@
+# location - Location daemon
+type location, domain;
+type location_exec, exec_type, file_type;
+
+init_daemon_domain(location)
+net_domain(location)
+
+# Socket is created by the daemon, not by init, and under /data/gps,
+# not under /dev/socket.
+type_transition location location_data_file:sock_file location_socket;
+
+qmux_socket(location)
+binder_use(location)
+binder_call(location, system_server)
+
+allow location location_data_file:dir rw_dir_perms;
+allow location location_data_file:fifo_file create_file_perms;
+allow location location_data_file:file create_file_perms;
+allow location location_exec:file execute_no_trans;
+allow location location_socket:sock_file create_file_perms;
+allow location self:capability { setuid setgid };
+allow location self:socket create_socket_perms;
+allow location sensors:unix_stream_socket connectto;
+allow location sensors_device:chr_file r_file_perms;
+allow location sensors_socket:sock_file w_file_perms;
+allow location self:netlink_socket create_socket_perms;
+allow location system_server:unix_stream_socket { read write };
+
+dontaudit location domain:dir r_dir_perms;
+r_dir_file(location, netmgrd)
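Review bot: The comment says the socket lives `under /data/gps`, but file_contexts in this change labels `/data/misc/location(/.*)?` as `location_data_file` and has no `/data/gps` entry, so either the comment is stale or the directory is unlabeled and the `type_transition` never fires. Update the comment to the real path (or add the missing file_contexts entry) so the two stay consistent. `dontaudit location domain:dir r_dir_perms;` also hides the daemon walking every process's /proc entry; `r_dir_file(location, netmgrd)` already covers the one peer named here, so consider whether the dontaudit is still needed.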
diff --git a/common/location_app.te b/common/location_app.te
new file mode 100644
index 0000000..79db731
--- /dev/null
+++ b/common/location_app.te
@@ -0,0 +1,17 @@
+type location_app, domain;
+app_domain(location_app)
+binder_use(location_app)
+
+qmux_socket(location_app)
+
+#Permissions for JDWP
+userdebug_or_eng(`
+allow location_app adbd:unix_stream_socket connectto;
+allow location_app su:unix_stream_socket connectto;
+')
+
+allow location_app location_app_data_file:dir create_dir_perms;
+allow location_app location_app_data_file:file create_file_perms ;
+allow location_app location_data_file:dir rw_dir_perms;
+allow location_app location_data_file:sock_file create_file_perms;
+allow location_app self:socket create_socket_perms;
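Review bot: `allow location_app location_data_file:sock_file create_file_perms;` lets an app domain create sockets in the location daemon's data directory, but the `type_transition ... sock_file location_socket` in location.te is written for the `location` domain only, so sockets created by location_app presumably keep the `location_data_file` label — which the location daemon is not granted on the `sock_file` class. Either add `type_transition location_app location_data_file:sock_file location_socket;` here or grant the daemon `location_data_file:sock_file` explicitly, otherwise this path likely fails in enforcing mode. An app writing into a daemon's data directory is also unusual; a socket under /dev/socket with its own type would be the cleaner contract.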
diff --git a/common/logd.te b/common/logd.te
new file mode 100644
index 0000000..fc5c304
--- /dev/null
+++ b/common/logd.te
@@ -0,0 +1,2 @@
+allow logd location_app:dir r_dir_perms;
+allow logd location_app:file r_file_perms;
diff --git a/common/mcStarter.te b/common/mcStarter.te
new file mode 100644
index 0000000..e2ca4cd
--- /dev/null
+++ b/common/mcStarter.te
@@ -0,0 +1,7 @@
+# mobicore daemon
+type mcStarter, domain;
+type mcStarter_exec, exec_type, file_type;
+init_daemon_domain(mcStarter)
+
+# Allow Mobicore to use qseecom services for loading the app
+allow mcStarter tee_device:chr_file rw_file_perms;
diff --git a/common/mdm_helper.te b/common/mdm_helper.te
new file mode 100755
index 0000000..fe9a099
--- /dev/null
+++ b/common/mdm_helper.te
@@ -0,0 +1,57 @@
+#Policy for mdm_helper
+#mdm_helper - mdm_helper domain
+type mdm_helper, domain;
+type mdm_helper_exec, exec_type, file_type;
+init_daemon_domain(mdm_helper);
+
+#block_suspend capability is needed by kickstart(ks)
+allow mdm_helper self:capability2 block_suspend;
+
+#Needed to power on the peripheral
+allow mdm_helper ssr_device:chr_file { open read };
+
+#Needed to access the esoc device to control the mdm
+allow mdm_helper esoc_device:chr_file { read write ioctl open  };
+allow mdm_helper esoc_device:dir { open search };
+
+#Needed to detect presence of hsic bridge and to xfer images
+allow mdm_helper ksbridgehsic_device:chr_file  { read write open getattr ioctl};
+
+#Needed to detect efs sync and for kickstart to run the efs sync server
+allow mdm_helper efsbridgehsic_device:chr_file { read write open getattr ioctl};
+
+#Needed for communication with the HSIC driver
+allow mdm_helper sysfs_hsic:dir { open read search };
+allow mdm_helper sysfs_hsic:file { read write open };
+
+#Needed by libmdmdetect to figure out the system configuration
+allow mdm_helper sysfs_esoc:dir { open search read };
+allow mdm_helper sysfs_esoc:lnk_file { read };
+
+#Needed by libmdmdetect to get system information regarding subsystems and to check their states
+allow mdm_helper sysfs_ssr:dir { open search read };
+allow mdm_helper sysfs_ssr:lnk_file { read open };
+
+#Needed in order to run kickstart
+allow mdm_helper shell:fd { use };
+allow mdm_helper shell_exec:file { read open execute execute_no_trans };
+allow mdm_helper system_file:file { execute_no_trans };
+allow mdm_helper mdm_helper_exec:file {execute_no_trans };
+
+#Needed to inform the hsic driver that mdm has booted up
+allow mdm_helper sysfs:file { open read write getattr };
+
+#Needed by ks in order to access the efs sync partitions.
+allow mdm_helper efs_boot_dev:blk_file { open read getattr write};
+allow mdm_helper block_device:dir { getattr search write };
+
+#Ks needs to aquire the wake lock
+allow mdm_helper sysfs_wake_lock:file {open append};
+
+#Needed in order to access the firmware partition
+allow mdm_helper firmware_file:dir { search };
+allow mdm_helper firmware_file:file { open read getattr };
+
+#Needed in order to collect ramdumps
+allow mdm_helper tombstone_data_file:file { create read write open getattr };
+allow mdm_helper tombstone_data_file:dir { create search open read write getattr add_name };
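Review bot: `allow mdm_helper sysfs:file { open read write getattr };` grants write to every unlabeled sysfs node, while its comment (`inform the hsic driver that mdm has booted up`) points at `/sys/devices/msm_hsic_host/host_ready`, which file_contexts in this change already labels `sysfs_hsic_host_rdy`. Replace the generic rule with `allow mdm_helper sysfs_hsic_host_rdy:file rw_file_perms;`. Likewise `shell_exec:file { ... execute execute_no_trans }` plus `system_file:file { execute_no_trans }` let this daemon — which also holds raw write on `efs_boot_dev` and `write` on the `block_device` directory — run any system binary in its own domain; naming the helpers kickstart actually execs and giving them a type would narrow that considerably.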
diff --git a/common/mediaserver.te b/common/mediaserver.te
new file mode 100644
index 0000000..4971305
--- /dev/null
+++ b/common/mediaserver.te
@@ -0,0 +1,38 @@
+# allow mediaserver to communicate with cnd
+unix_socket_connect(mediaserver, cnd, cnd)
+
+allow mediaserver camera_device:chr_file rw_file_perms;
+unix_socket_send(mediaserver, camera, mm-qcamerad)
+
+allow mediaserver tee_device:chr_file rw_file_perms;
+allow mediaserver qdsp_device:chr_file r_file_perms;
+
+allow mediaserver self:socket create_socket_perms;
+
+binder_call(mediaserver, rild)
+
+qmux_socket(mediaserver)
+allow mediaserver camera_data_file:sock_file write;
+userdebug_or_eng(`
+  allow mediaserver camera_data_file:dir rw_dir_perms;
+  allow mediaserver camera_data_file:file create_file_perms;
+')
+
+allow mediaserver sysfs_esoc:dir r_dir_perms;
+allow mediaserver sysfs_esoc:lnk_file read;
+allow mediaserver system_app_data_file:file rw_file_perms;
+# access to perflock
+allow mediaserver mpctl_socket:dir r_dir_perms;
+unix_socket_send(mediaserver, mpctl, mpdecision)
+unix_socket_connect(mediaserver, mpctl, mpdecision)
+
+# access to perflock
+allow mediaserver mpctl_socket:dir r_dir_perms;
+unix_socket_send(mediaserver, mpctl, perfd)
+unix_socket_connect(mediaserver, mpctl, perfd)
+
+# for thermal sock files
+unix_socket_connect(mediaserver, thermal, thermal-engine)
+
+#allow mediaserver to communicate with timedaemon
+allow mediaserver time_daemon:unix_stream_socket connectto;
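Review bot: `allow mediaserver mpctl_socket:dir r_dir_perms;` is duplicated under the two `# access to perflock` comments; keep one. `allow mediaserver system_app_data_file:file rw_file_perms;` has no comment and gives the process that parses untrusted media write access to system apps' private files (presumably through passed fds, since no `dir` access is granted) — document the use case or drop it. `camera_data_file:sock_file write` being left unconditional while the rest of `camera_data_file` access is `userdebug_or_eng`-only also deserves a line explaining why.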
diff --git a/common/mm-pp-daemon.te b/common/mm-pp-daemon.te
new file mode 100755
index 0000000..a6a0647
--- /dev/null
+++ b/common/mm-pp-daemon.te
@@ -0,0 +1,54 @@
+type mm-pp-daemon, domain;
+type mm-pp-daemon_exec, exec_type, file_type;
+
+init_daemon_domain(mm-pp-daemon)
+
+#============= mm-pp-daemon ==============
+#Need to use fb ioctls to communicate with kernel
+allow mm-pp-daemon graphics_device:chr_file rw_file_perms;
+allow mm-pp-daemon graphics_device:dir search;
+
+# Allow reading/writing to persist
+# The color config file is dynamically created
+allow mm-pp-daemon persist_file:dir rw_dir_perms;
+allow mm-pp-daemon persist_file:file create_file_perms;
+
+# Allow reading/writing data config files
+allow mm-pp-daemon display_config:dir create_dir_perms;
+allow mm-pp-daemon display_config:file create_file_perms;
+
+# Allow read to sensor device and read/write to sensor socket
+allow mm-pp-daemon sensors_device:chr_file r_file_perms;
+allow mm-pp-daemon sensors_socket:sock_file rw_file_perms;
+allow mm-pp-daemon sensors:unix_stream_socket connectto;
+
+allow mm-pp-daemon system_prop:property_service set;
+
+userdebug_or_eng(`
+    # Display calibration service opens /dev/diag in order to communicate with the
+    # target device
+    allow mm-pp-daemon diag_device:chr_file rw_file_perms;
+
+    # QDCM needs to trigger screen refreshes in some cases to reach the
+    # convergent state
+    binder_use(mm-pp-daemon)
+    binder_call(mm-pp-daemon, system_server)
+    binder_call(mm-pp-daemon, surfaceflinger)
+
+    # This allows pp-daemon to use shell commands to blank
+    # the display - it uses input keyevent to do this
+    allow mm-pp-daemon shell_exec:file rx_file_perms;
+    allow mm-pp-daemon system_file:file execute_no_trans;
+    allow mm-pp-daemon zygote_exec:file rx_file_perms;
+    allow mm-pp-daemon self:process ptrace;
+')
+
+# Allow mm-pp-daemon to change the brightness of the target during display
+# calibration
+allow mm-pp-daemon sysfs:file rw_file_perms;
+
+# Allow socket calls in pp-daemon
+unix_socket_connect(mm-pp-daemon, property, init)
+unix_socket_connect(mm-pp-daemon, pps, init)
+allow mm-pp-daemon init:unix_stream_socket listen;
+allow mm-pp-daemon init:unix_stream_socket accept;
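Review bot: `allow mm-pp-daemon sysfs:file rw_file_perms;` is unconditional and covers every unlabeled sysfs node, although its comment says it is only for brightness during calibration — label the backlight node with a dedicated type and grant that, or at minimum move the rule into the `userdebug_or_eng` block with the other calibration rules. `persist_file:dir rw_dir_perms` and `persist_file:file create_file_perms` similarly hand the daemon write access to all of /persist instead of a dedicated display type, even though sensors and DRM data get their own `persist_*` types in this same change. The closing `init:unix_stream_socket { listen accept }` pair (a client listening on init's socket) is unusual and should carry a comment describing the pps socket flow.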
diff --git a/common/mm-qcamerad.te b/common/mm-qcamerad.te
new file mode 100644
index 0000000..0fb8750
--- /dev/null
+++ b/common/mm-qcamerad.te
@@ -0,0 +1,40 @@
+type mm-qcamerad, domain;
+type mm-qcamerad_exec, exec_type, file_type;
+init_daemon_domain(mm-qcamerad)
+
+userdebug_or_eng(`
+  allow mm-qcamerad debugfs:dir search;
+')
+
+#Communicate with user land process through domain socket
+allow mm-qcamerad camera_socket:sock_file { create unlink write };
+allow mm-qcamerad camera_socket:dir w_dir_perms;
+unix_socket_connect(mm-qcamerad, sensors, sensors)
+
+allow mm-qcamerad self:process execmem;
+# Interact with other media devices
+allow mm-qcamerad camera_device:dir search;
+allow mm-qcamerad { gpu_device video_device camera_device sensors_device }:chr_file rw_file_perms;
+
+allow mm-qcamerad { surfaceflinger mediaserver }:fd use;
+# Need to investigate this
+allow mm-qcamerad self:tcp_socket create_socket_perms;
+
+allow mm-qcamerad camera_data_file:dir { write remove_name search add_name };
+allow mm-qcamerad camera_data_file:sock_file { create unlink };
+allow mm-qcamerad node:tcp_socket node_bind;
+allow mm-qcamerad self:tcp_socket listen;
+
+userdebug_or_eng(`
+  allow mm-qcamerad camera_data_file:file create_file_perms;
+')
+
+#/data/fdAlbum
+allow mm-qcamerad system_data_file:dir w_dir_perms;
+allow mm-qcamerad system_data_file:file create_file_perms;
+
+#Remove GL fine reference
+allow mm-qcamerad shell_data_file:dir search;
+
+# IMS use camera daemon to make VT call
+allow mm-qcamerad port:tcp_socket name_bind;
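Review bot: The TCP rules — `self:tcp_socket create_socket_perms`, `node:tcp_socket node_bind`, `self:tcp_socket listen` and `port:tcp_socket name_bind` — let the camera daemon listen on any port on any address, and the only rationale given is `# Need to investigate this` and `# IMS use camera daemon to make VT call`. Before this ships, pin the port with a `portcon` entry and a dedicated type (`allow mm-qcamerad mm-qcamerad_port:tcp_socket name_bind;`) and document whether the listener is loopback-only; a "need to investigate" comment should not land in production policy. `self:process execmem` and the `system_data_file:dir w_dir_perms` / `file create_file_perms` grant for `/data/fdAlbum` also need a why-comment, and the latter should get its own labeled directory rather than writing into generic system data.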
diff --git a/common/mmi.te b/common/mmi.te
new file mode 100644
index 0000000..1f58af1
--- /dev/null
+++ b/common/mmi.te
@@ -0,0 +1,31 @@
+#integrated process
+type mmi, domain;
+type mmi_exec, exec_type, file_type;
+
+#started by init
+init_daemon_domain(mmi)
+
+#self capability
+allow mmi self:capability { sys_nice dac_override };
+allow mmi self:capability2 block_suspend;
+
+#For various devices
+allow mmi graphics_device:chr_file rw_file_perms;
+allow mmi input_device:chr_file r_file_perms;
+allow mmi input_device:dir r_file_perms;
+allow mmi nfc_device:chr_file rw_file_perms;
+allow mmi shell_exec:file rx_file_perms;
+allow mmi sysfs_wake_lock:file rw_file_perms;
+
+#FTM_AP folder permissions
+allow mmi mmi_data_file:dir rw_dir_perms;
+allow mmi mmi_data_file:file rw_file_perms;
+
+#socket
+unix_socket_connect(mmi, property, init)
+
+#allow mmi set system prop
+allow mmi powerctl_prop:property_service set;
+
+#allow mmi operation on MISC partition
+allow mmi misc_partition:blk_file w_file_perms;
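Review bot: `allow mmi misc_partition:blk_file w_file_perms;` together with `powerctl_prop:property_service set` and `dac_override` lets an init-started daemon rewrite the misc partition (bootloader control data) and reboot the device; if mmi is the factory test mode (the `FTM_AP` directory suggests so), gate these in `userdebug_or_eng(...)` or ensure the daemon is only started in the FTM boot mode, and expand `#allow mmi operation on MISC partition` to say why a write is required. Separately, `allow mmi input_device:dir r_file_perms;` applies file permissions to the `dir` class — it compiles but omits `search`; `r_dir_perms` is what is meant.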
diff --git a/common/mpdecision.te b/common/mpdecision.te
new file mode 100644
index 0000000..96f4484
--- /dev/null
+++ b/common/mpdecision.te
@@ -0,0 +1,34 @@
+type mpdecision, domain;
+type mpdecision_exec, exec_type, file_type;
+
+init_daemon_domain(mpdecision)
+
+allow mpdecision sysfs_mpdecision:file rw_file_perms;
+allow mpdecision sysfs_devices_system_cpu:file rw_file_perms;
+allow mpdecision sysfs_rqstats:file w_file_perms;
+allow mpdecision sysfs_cpu_online:file rw_file_perms;
+#Allow mpdecision set cpu affinity
+allow mpdecision kernel:process setsched;
+#Allow writes to /dev/cpu_dma_latency
+allow mpdecision self:netlink_kobject_uevent_socket { create read setopt bind };
+allow mpdecision self:socket create_socket_perms;
+allow mpdecision device_latency:chr_file w_file_perms;
+
+allow mpdecision sysfs_rqstats:dir search;
+allow mpdecision sysfs_thermal:dir search;
+
+#policies for mpctl
+#mpctl socket
+allow mpdecision self:capability { net_admin chown dac_override fsetid sys_nice };
+allow mpdecision mpctl_socket:dir rw_dir_perms;
+allow mpdecision mpctl_socket:sock_file { create_file_perms unlink };
+
+allow mpdecision sysfs:file write;
+
+#default_values file
+allow mpdecision mpctl_data_file:dir rw_dir_perms;
+allow mpdecision mpctl_data_file:file { create_file_perms unlink };
+
+#allow poll of system_server status
+allow mpdecision system_server:dir search;
+allow mpdecision system_server:file { open read };
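Review bot: `allow mpdecision sysfs:file write;` grants write to every unlabeled sysfs node on top of the already-labeled `sysfs_mpdecision`, `sysfs_devices_system_cpu`, `sysfs_cpu_online` and `sysfs_rqstats` types, so it is either dead or masking a node that should be labeled; the same pattern appears in perfd.te. Find the node from the audit denial and give it a type. The comment `#Allow writes to /dev/cpu_dma_latency` sits above the uevent-socket rule instead of the `device_latency` rule two lines below, and `{ create_file_perms unlink }` is redundant if the platform's `create_file_perms` macro already includes `unlink`; `dac_override` in the capability set is also worth a one-line justification.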
diff --git a/common/msm_irqbalanced.te b/common/msm_irqbalanced.te
new file mode 100644
index 0000000..dc8429c
--- /dev/null
+++ b/common/msm_irqbalanced.te
@@ -0,0 +1,8 @@
+type msm_irqbalanced, domain;
+type msm_irqbalanced_exec, exec_type, file_type;
+init_daemon_domain(msm_irqbalanced)
+allow msm_irqbalanced cgroup:dir { create add_name };
+allow msm_irqbalanced proc:file write;
+allow msm_irqbalanced sysfs_devices_system_cpu:file write;
+allow msm_irqbalanced self:capability { setuid setgid dac_override };
+r_dir_file(msm_irqbalanced, sysfs_rqstats);
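Review bot: `allow msm_irqbalanced proc:file write;` permits writing any unlabeled file under /proc when the daemon presumably only touches the IRQ affinity files; add a `genfscon proc /irq` entry with a dedicated type and grant that instead, with a comment naming the target. `dac_override` combined with generic proc and cpu-sysfs write should likewise carry a one-line reason or be dropped if the daemon already runs as root. The trailing `;` after the `r_dir_file` macro is unnecessary and inconsistent with the other .te files.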
diff --git a/common/netd.te b/common/netd.te
new file mode 100644
index 0000000..124178a
--- /dev/null
+++ b/common/netd.te
@@ -0,0 +1,11 @@
+#Policies for IPv6 tethering
+allow netd netd:capability { setgid setuid };
+allow netd netd:packet_socket { create bind setopt read ioctl };
+allow netd wfd_app:fd use;
+allow netd wfd_app:tcp_socket { read write setopt getopt };
+
+dontaudit netd self:capability sys_module;
+
+#needed for ipt_TCPMSS and ip6t_TCPMSS
+allow netd kernel:system module_request;
+unix_socket_connect(netd, cnd, cnd)
diff --git a/common/netmgrd.te b/common/netmgrd.te
new file mode 100644
index 0000000..51d39a2
--- /dev/null
+++ b/common/netmgrd.te
@@ -0,0 +1,66 @@
+type netmgrd, domain;
+type netmgrd_exec, exec_type, file_type;
+net_domain(netmgrd)
+init_daemon_domain(netmgrd)
+
+userdebug_or_eng(`
+  domain_auto_trans(shell, netmgrd_exec, netmgrd)
+  domain_auto_trans(adbd, netmgrd_exec, netmgrd)
+')
+
+#Allow files to be written during the operation of netmgrd
+file_type_auto_trans(netmgrd, system_data_file, data_test_data_file)
+
+#Allow netmgrd operations
+allow netmgrd netmgrd:capability { dac_override net_raw net_admin sys_module fsetid setgid setuid setpcap };
+
+#Allow access to kernel modules
+allow netmgrd kernel:system { module_request };
+
+#Allow logging
+allow netmgrd diag_device:chr_file { rw_file_perms };
+allow netmgrd smem_log_device:chr_file { rw_file_perms };
+
+#Allow operations on different types of sockets
+allow netmgrd netmgrd:rawip_socket { create getopt setopt write };
+allow netmgrd netmgrd:netlink_xfrm_socket { create_socket_perms nlmsg_write nlmsg_read };
+allow netmgrd netmgrd:netlink_socket { write read create bind };
+allow netmgrd netmgrd:socket { create ioctl };
+allow netmgrd netmgrd:netlink_route_socket { setopt getattr write nlmsg_write };
+allow netmgrd init:unix_stream_socket { connectto };
+allow netmgrd property_socket:sock_file write;
+
+unix_socket_connect(netmgrd, cnd, cnd);
+
+qmux_socket(netmgrd);
+
+#Allow writing of ipv6 network properties
+allow netmgrd proc_net:file { write };
+
+#Allow address configuration
+allow netmgrd system_prop:property_service { set };
+
+#Allow setting of DNS and GW Android properties
+allow netmgrd net_radio_prop:property_service { set };
+
+#Allow execution of commands in shell
+allow netmgrd system_file:file { execute_no_trans };
+
+allow netmgrd self:socket create_socket_perms;
+allow netmgrd sysfs_esoc:dir r_dir_perms;
+
+#Allow communication with netd
+allow netmgrd netd_socket:sock_file write;
+allow netmgrd net_data_file:file r_file_perms;
+allow netmgrd wpa_exec:file rx_file_perms;
+allow netmgrd net_data_file:dir r_dir_perms;
+
+#Allow nemtgrd to use esoc api's to determine target
+allow netmgrd shell_exec:file { execute r_file_perms execute_no_trans };
+allow netmgrd sysfs_esoc:lnk_file read;
+
+r_dir_file(netmgrd, sysfs_ssr);
+
+allow netmgrd { wcnss_service_exec wpa_exec }:file rx_file_perms;
+
+allow netmgrd sysfs:file write;
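Review bot: `allow netmgrd wpa_exec:file rx_file_perms;` is granted twice (once alone, once in the `{ wcnss_service_exec wpa_exec }` set); remove the standalone copy. The capability set `{ dac_override net_raw net_admin sys_module fsetid setgid setuid setpcap }` is wide for a daemon that also executes arbitrary `system_file` and `shell_exec` binaries without a transition: `kernel:system module_request` already covers kernel-triggered loads, so `sys_module` (direct insmod), `dac_override` and `setpcap` each need a stated reason. `file_type_auto_trans(netmgrd, system_data_file, data_test_data_file)` also relabels any file netmgrd creates under any `system_data_file` directory; since file_contexts already labels `/data/data_test(/.*)?`, scoping the grant to `data_test_data_file:dir` and dropping the auto-transition would be tighter, and the final generic `sysfs:file write` should be replaced by the specific sysfs type the daemon needs.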
diff --git a/common/perfd.te b/common/perfd.te
new file mode 100644
index 0000000..4cf061c
--- /dev/null
+++ b/common/perfd.te
@@ -0,0 +1,31 @@
+type perfd, domain;
+type perfd_exec, exec_type, file_type;
+
+init_daemon_domain(perfd)
+
+allow perfd self:capability { net_admin chown dac_override fsetid };
+allow perfd sysfs_devices_system_cpu:file rw_file_perms;
+allow perfd sysfs_cpu_online:file rw_file_perms;
+allow perfd cpuctl_device:file rw_file_perms;
+allow perfd self:netlink_kobject_uevent_socket { create read setopt bind };
+allow perfd self:socket create_socket_perms;
+
+#mpctl socket
+allow perfd mpctl_socket:dir rw_dir_perms;
+allow perfd mpctl_socket:sock_file { create_file_perms unlink };
+
+allow perfd sysfs:file write;
+
+#default_values file
+allow perfd mpctl_data_file:dir rw_dir_perms;
+allow perfd mpctl_data_file:file { create_file_perms unlink };
+
+#allow poll of system_server status
+allow perfd system_server:dir search;
+allow perfd system_server:file { open read };
+
+allow perfd proc:file write;
+
+#KTM
+allow perfd sysfs_thermal:dir search;
+allow perfd sysfs_thermal:file { open write };
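Review bot: `allow perfd sysfs:file write;` on L1731 and `allow perfd proc:file write;` on L1741 grant write on every node carrying the generic sysfs and proc labels, even though this same file already uses dedicated types for the nodes it names (sysfs_devices_system_cpu, sysfs_cpu_online, sysfs_thermal). Combined with the net_admin/chown/dac_override capabilities on L1720, that makes perfd a broad write path into kernel tunables. If the remaining paths are known, label them the way sysfs_thermal is and drop the two generic lines; if not, at least record them so the grant can be narrowed later, e.g. `# TODO: generic sysfs/proc write pending labeling of <paths>`.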
diff --git a/common/peripheral_manager.te b/common/peripheral_manager.te
new file mode 100644
index 0000000..fb08d2e
--- /dev/null
+++ b/common/peripheral_manager.te
@@ -0,0 +1,32 @@
+#Policy for peripheral_manager
+#per_mgr - peripheral_manager domain
+type per_mgr, domain;
+
+type per_mgr_exec, exec_type, file_type;
+init_daemon_domain(per_mgr);
+
+#Needed for binder transactions
+binder_use(per_mgr);
+binder_service(per_mgr);
+allow per_mgr self:socket { create ioctl bind read write };
+allow per_mgr per_mgr_service:service_manager add;
+
+#Rules for peripheral manager clients
+#Rules for RILD
+binder_call(per_mgr, rild);
+binder_call(rild, per_mgr);
+
+#Needed by ipc_router
+allow per_mgr self:capability { net_raw };
+
+#Needed to power on the peripheral
+allow per_mgr ssr_device:chr_file { open read };
+
+#Needed by libmdmdetect to figure out the system configuration
+allow per_mgr sysfs_esoc:dir { open search read };
+allow per_mgr sysfs_esoc:lnk_file { read };
+
+#Needed by libmdmdetect to get subsystem info and to check their states
+allow per_mgr sysfs_ssr:dir { open search read };
+allow per_mgr sysfs_ssr:lnk_file { read open };
+
diff --git a/common/port-bridge.te b/common/port-bridge.te
new file mode 100644
index 0000000..3a737d7
--- /dev/null
+++ b/common/port-bridge.te
@@ -0,0 +1,20 @@
+type port-bridge, domain;
+type port-bridge_exec, exec_type, file_type;
+init_daemon_domain(port-bridge)
+
+userdebug_or_eng(`
+  domain_auto_trans(shell, port-bridge_exec, netmgrd)
+  domain_auto_trans(adbd, port-bridge_exec, netmgrd)
+')
+
+#Allow operations on different types of sockets
+allow port-bridge port-bridge:netlink_kobject_uevent_socket { create bind read };
+
+#Allow process capabilities
+allow port-bridge port-bridge:capability { dac_override };
+
+#Allow operations on mhi transport
+allow port-bridge mhi_device:chr_file rw_file_perms;
+
+#Allow operations on gadget serial device
+allow port-bridge gadget_serial_device:chr_file { rw_file_perms };
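Review bot: The userdebug transitions on L1795–L1796 send shell and adbd executing port-bridge_exec into the netmgrd domain rather than port-bridge; netmgrd is the domain defined in the preceding file with net_admin, sys_module and setuid, so this looks like a copy-paste slip that hands a debug shell a far larger domain than the daemon's own. They should read `domain_auto_trans(shell, port-bridge_exec, port-bridge)` and `domain_auto_trans(adbd, port-bridge_exec, port-bridge)`. The userdebug_or_eng guard keeps user builds unaffected, but the pattern is likely to be copied into the next daemon's policy, so it is worth fixing now.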
diff --git a/common/property.te b/common/property.te
new file mode 100644
index 0000000..ea480c7
--- /dev/null
+++ b/common/property.te
@@ -0,0 +1,3 @@
+# property for uicc_daemon
+type uicc_prop, property_type;
+type qcom_ims_prop, property_type;
diff --git a/common/property_contexts b/common/property_contexts
new file mode 100644
index 0000000..b9863ba
--- /dev/null
+++ b/common/property_contexts
@@ -0,0 +1,4 @@
+wc_transport.              u:object_r:bluetooth_prop:s0
+sys.usb_uicc.              u:object_r:uicc_prop:s0
+sys.ims.                   u:object_r:qcom_ims_prop:s0
+dolby.audio.               u:object_r:audio_prop:s0
diff --git a/common/qcomsysd.te b/common/qcomsysd.te
new file mode 100644
index 0000000..f9c2916
--- /dev/null
+++ b/common/qcomsysd.te
@@ -0,0 +1,24 @@
+#Policy file for qcom-system-daemon
+#qcomsysd = qcom-system-daemon domain
+type qcomsysd, domain;
+type qcomsysd_exec, exec_type, file_type;
+init_daemon_domain(qcomsysd);
+
+#Needed for logging
+allow qcomsysd smem_log_device:chr_file { open read write ioctl };
+
+#Needed for handling diag commands
+allow qcomsysd diag_device:chr_file { open read write ioctl };
+
+#Needed to read/write cookies to the misc partition
+allow qcomsysd block_device:dir { search };
+allow qcomsysd misc_partition:blk_file { open read getattr write };
+
+#Needed to access the bootselect partition
+allow qcomsysd bootselect_device:blk_file { open read getattr write };
+
+#Needed to get image info from socinfo
+allow qcomsysd sysfs_socinfo:dir  { open search read };
+allow qcomsysd sysfs_socinfo:file { open read write };
+
+allow qcomsysd self:capability { dac_override };
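Review bot: The comment on L1854 says the daemon needs to get image info from socinfo, but L1856 grants `{ open read write }` on sysfs_socinfo:file; either the comment or the permission is wrong, and write should be dropped unless a concrete writer path is known. The write grants on misc_partition (L1849) and bootselect_device (L1852) are the sensitive part of this file, since they let the daemon change boot-selection state; the comments name the purpose, which is good. dac_override on L1858 has no comment and usually means the device nodes are not owned by the daemon's uid — prefer fixing ownership in the rc/ueventd config and removing the capability, or state why it is needed.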
diff --git a/common/qlogd.te b/common/qlogd.te
new file mode 100644
index 0000000..dd525d9
--- /dev/null
+++ b/common/qlogd.te
@@ -0,0 +1,56 @@
+# qlogd
+type qlogd, domain;
+type qlogd_exec, exec_type, file_type;
+
+# make transition from init to its domain
+init_daemon_domain(qlogd)
+
+# need to access sharemem log device for smem logs
+allow qlogd smem_log_device:chr_file rw_file_perms;
+
+# need to add more capabilities for qlogd
+allow qlogd self:capability { setuid setgid dac_override dac_read_search
+               sys_admin net_raw net_admin fowner fsetid kill sys_module };
+allow qlogd self:capability2 { block_suspend syslog };
+allow qlogd self:packet_socket { create ioctl bind getopt setopt };
+
+# need to access system_data partitions for configration files
+allow qlogd qlogd_data_file:dir rw_dir_perms;
+allow qlogd qlogd_data_file:file create_file_perms;
+allow qlogd system_file:file execute_no_trans;
+
+# need to create and listen socket
+allow qlogd qlogd_socket:sock_file create_file_perms;
+
+# need to start shell execute files
+allow qlogd shell_exec:file { execute read open execute_no_trans };
+
+# need to create and write files in fuse partition
+allow qlogd fuse:dir create_dir_perms;
+allow qlogd fuse:file create_file_perms;
+
+# need to capture kmsg
+allow qlogd kernel:system syslog_mod;
+
+# need for qdss log
+userdebug_or_eng(`
+  allow qlogd debugfs:file read;
+  allow qlogd sysfs:file write;
+  allow qlogd qdss_device:chr_file { open read };
+')
+
+# need for capture adb logs
+unix_socket_connect(qlogd, logdr, logd)
+
+# need for subsystem ramdump
+allow qlogd device:dir r_dir_perms;
+allow qlogd ramdump_device:chr_file { setattr rw_file_perms };
+
+# need for qxdm log
+allow qlogd diag_exec:file rx_file_perms;
+allow qlogd sysfs_wake_lock:file ra_file_perms;
+
+# need for tcpdump
+userdebug_or_eng(`
+  allow qlogd kernel:system module_request;
+')
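Review bot: The capability set on L1876–L1877 (sys_admin, sys_module, kill, dac_read_search, net_raw), `system_file:file execute_no_trans` on L1884, `shell_exec:file { execute ... execute_no_trans }` on L1890 and create/write on fuse on L1893–L1894 are granted unconditionally, while only the qdss and tcpdump rules are wrapped in userdebug_or_eng. A log-collection daemon with that much authority on user builds is a larger exposure than the debug-only sections suggest. If qlogd is only started on userdebug/eng builds, wrap the whole policy in the same guard (or gate the service in init.rc); if it does run on user builds, replace the placeholder comment `# need to add more capabilities for qlogd` with one line per capability saying what exercises it, so the set can be pruned.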
diff --git a/common/qmuxd.te b/common/qmuxd.te
new file mode 100644
index 0000000..daab790
--- /dev/null
+++ b/common/qmuxd.te
@@ -0,0 +1,47 @@
+type qmuxd, domain;
+type qmuxd_exec, exec_type, file_type;
+net_domain(qmuxd)
+init_daemon_domain(qmuxd)
+
+userdebug_or_eng(`
+  domain_auto_trans(shell, qmuxd_exec, qmuxd)
+  domain_auto_trans(adbd, qmuxd_exec, qmuxd)
+')
+
+#Allow qmuxd to operate on various qmux device sockets
+#allow qmuxd qmux_radio_socket:dir { write add_name remove_name search };
+#allow qmuxd qmux_radio_socket:sock_file { create setattr getattr write unlink };
+#allow qmuxd qmux_audio_socket:dir { write add_name remove_name search };
+#allow qmuxd qmux_audio_socket:sock_file { create setattr getattr write unlink };
+#allow qmuxd qmux_gps_socket:dir { write add_name remove_name search };
+#allow qmuxd qmux_gps_socket:sock_file { create setattr getattr write unlink };
+#allow qmuxd qmux_bluetooth_socket:dir { write add_name remove_name search };
+#allow qmuxd qmux_bluetooth_socket:sock_file { create setattr getattr write unlink };
+
+qmux_socket(qmuxd);
+
+#Allow logging
+allow qmuxd diag_device:chr_file { rw_file_perms };
+
+#Allow operation in platform specific transports
+allow qmuxd smd_device:chr_file { rw_file_perms };
+allow qmuxd hsic_device:chr_file { rw_file_perms };
+
+#Allow qmuxd to operate in platform specific transports
+allow qmuxd sysfs_smd_open_timeout:file w_file_perms;
+allow qmuxd sysfs_wake_lock:file { append open };
+
+#Allow qmuxd to write in hsic specific transport
+allow qmuxd sysfs:file w_file_perms;
+
+allow qmuxd self:capability { setuid setgid setpcap dac_override };
+
+#Allow qmuxd to have the CAP_BLOCK_SUSPEND capability
+allow qmuxd qmuxd:capability2 { block_suspend };
+
+allow qmuxd sysfs_esoc:dir r_dir_perms;
+allow qmuxd sysfs_hsic_modem_wait:file w_file_perms;
+allow qmuxd sysfs_esoc:lnk_file read;
+
+r_dir_file(qmuxd, sysfs_ssr);
+allow qmuxd mhi_device:chr_file rw_file_perms;
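Review bot: L1938–L1945 are commented-out allow rules that `qmux_socket(qmuxd);` on L1947 supersedes; dead policy lines mislead the next reader about what is granted and should be deleted. Separately, `allow qmuxd sysfs:file w_file_perms;` on L1961 is a generic-label write that the dedicated types on L1957, L1958 and L1969 already cover for the named nodes; the comment says it is for the hsic transport, so the remaining hsic node should get its own label and this line removed, or the comment should name the path that still needs it.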
diff --git a/common/qseecomd.te b/common/qseecomd.te
new file mode 100755
index 0000000..cb81b09
--- /dev/null
+++ b/common/qseecomd.te
@@ -0,0 +1,49 @@
+# tee starts as root, and drops privileges
+allow tee self:capability { setuid setgid dac_override sys_rawio };
+
+# Need to directly manipulate certain block devices
+# for anti-rollback protection
+allow tee block_device:dir r_dir_perms;
+allow tee rpmb_device:blk_file rw_file_perms;
+
+
+# Allow qseecom to qsee folder so that listeners can create
+# respective directories
+allow tee data_qsee_file:dir create_dir_perms;
+allow tee data_qsee_file:file create_file_perms;
+allow tee system_data_file:dir r_dir_perms;
+
+allow tee persist_file:dir r_dir_perms;
+r_dir_file(tee, persist_data_file)
+# Write to drm related pieces of persist partition
+allow tee persist_drm_file:dir create_dir_perms;
+allow tee persist_drm_file:file create_file_perms;
+
+# Provide tee access to ssd partition for HW FDE
+allow tee ssd_device:blk_file rw_file_perms;
+
+# allow tee to operate tee device
+allow tee tee_device:chr_file rw_file_perms;
+
+# allow tee to load firmware images
+allow tee firmware_file:dir r_dir_perms;
+allow tee firmware_file:file r_file_perms;
+
+# allow qseecom access to time domain
+allow tee time_daemon:unix_stream_socket connectto;
+
+# allow tee access for secure UI to work
+allow tee graphics_device:chr_file r_file_perms;
+allow tee graphics_device:dir r_dir_perms;
+
+binder_call(tee, surfaceflinger)
+binder_use(tee)
+
+allow tee system_app:unix_dgram_socket sendto;
+unix_socket_connect(tee, property, init)
+
+userdebug_or_eng(`
+  allow tee su:unix_dgram_socket sendto;
+  allow tee shell_data_file:file rw_file_perms;
+  allow tee shell_data_file:dir search;
+')
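Review bot: `allow tee system_app:unix_dgram_socket sendto;` on L2021 and the userdebug rw on shell_data_file on L2026–L2027 carry no comment, unlike the rest of this file, and this is a domain that also holds sys_rawio and read/write on the rpmb and ssd block devices. A channel from tee to every system_app should say what it carries, e.g. `# tee replies to <client> over its datagram socket`, and the shell_data_file grant should name the debug tool that writes there. If the su sendto on L2025 exists only for a test harness, a one-line comment saying so would keep it from being promoted out of the userdebug block later.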
diff --git a/common/qti.te b/common/qti.te
new file mode 100644
index 0000000..f694747
--- /dev/null
+++ b/common/qti.te
@@ -0,0 +1,21 @@
+type qti, domain;
+type qti_exec, exec_type, file_type;
+init_daemon_domain(qti)
+net_domain(qti)
+
+allow qti rmnet_device:chr_file rw_file_perms;
+allow qti smem_log_device:chr_file rw_file_perms;
+userdebug_or_eng(`
+  allow qti kmsg_device:chr_file w_file_perms;
+')
+allow qti mhi_device:chr_file rw_file_perms;
+qmux_socket(qti)
+allow qti rmnet_device:chr_file rw_file_perms;
+allow qti self:capability { net_admin net_raw fsetid sys_module dac_override };
+allow qti self:netlink_socket { write bind create read };
+allow qti self:socket { write read create ioctl };
+allow qti self:udp_socket { create ioctl };
+allow qti kernel:system module_request;
+allow qti shell_exec:file rx_file_perms;
+allow qti smd_device:chr_file rw_file_perms;
+allow qti system_file:file execute_no_trans;
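Review bot: `allow qti rmnet_device:chr_file rw_file_perms;` appears twice, on L2040 and L2047; keep one. The domain also gets sys_module plus `kernel:system module_request` (L2048, L2052) and `shell_exec:file rx_file_perms` with `system_file:file execute_no_trans` (L2053, L2055), with no comment saying which module it loads or which shell command it runs. A one-line comment per grant, e.g. `# loads <module> via modprobe` and `# runs <script> from init.rc`, would let a later reviewer judge whether the exec grants can be dropped.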
diff --git a/common/radio.te b/common/radio.te
new file mode 100644
index 0000000..2b854f5
--- /dev/null
+++ b/common/radio.te
@@ -0,0 +1,13 @@
+# Talks to qmuxd via the qmux_radio socket.
+qmux_socket(radio);
+allow radio ims_socket:sock_file write;
+
+#Need permission to execute com.qualcomm.qti.telephony/app_dex/xx
+allow radio radio_data_file:file execute;
+allow radio shell_data_file:dir search;
+
+#Need permission to execute dpmd talk to radio layer
+unix_socket_connect(radio, dpmd, dpmd)
+
+# IMS needs permission to use unix domain socket
+allow radio ims:unix_stream_socket connectto;
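Review bot: `allow radio radio_data_file:file execute;` on L2067 lets the radio uid execute files under its own writable data directory, the code-from-writable-data pattern SELinux is normally used to forbid. The comment names a telephony app's app_dex, which is dex output rather than a native binary, so the denial that motivated this may be dex loading that core policy already handles for app domains — confirm the audit line before keeping it, and if a native helper really must run, give it a dedicated label instead of execute on the whole type. `allow radio shell_data_file:dir search;` on L2068 has no comment at all and should either get one or be removed.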
diff --git a/common/rfs_access.te b/common/rfs_access.te
new file mode 100644
index 0000000..27d426e
--- /dev/null
+++ b/common/rfs_access.te
@@ -0,0 +1,49 @@
+# rfs_access - rfs_access daemon
+type rfs_access, domain;
+type rfs_access_exec, exec_type, file_type;
+init_daemon_domain(rfs_access)
+
+#The files created by rfs_access process in the /data folder will have type rfs_data_file
+type_transition rfs_access system_data_file:{ dir file } rfs_data_file;
+type_transition rfs_access system_data_file:dir rfs_shared_hlos_file "hlos_rfs";
+
+#To read the uio char device
+allow rfs_access uio_device:chr_file rw_file_perms;
+
+#For QMI sockets and IPCR Sockets
+allow rfs_access self:socket create_socket_perms;
+allow rfs_access smem_log_device:chr_file rw_file_perms;
+
+#For Wakelocks
+allow rfs_access self:capability2 block_suspend;
+allow rfs_access sysfs_wake_lock:file w_file_perms;
+
+#To create the folders in /data
+allow rfs_access system_data_file:dir create_dir_perms;
+
+#For system folder entries
+allow rfs_access rfs_system_file:dir r_dir_perms;
+allow rfs_access rfs_system_file:lnk_file r_file_perms;
+allow rfs_access rfs_system_file:file r_file_perms;
+
+#For data folder entries
+allow rfs_access rfs_data_file:dir create_dir_perms;
+allow rfs_access rfs_data_file:file create_file_perms;
+
+allow rfs_access rfs_shared_hlos_file:dir create_dir_perms;
+allow rfs_access rfs_shared_hlos_file:file create_file_perms;
+
+#For ramdump entries in /data/tombstones.
+allow rfs_access tombstone_data_file:dir create_dir_perms;
+allow rfs_access tombstone_data_file:file create_file_perms;
+
+#For firmware entries in /firmware to read NHLOS.bin files ( only perms to read and get attributes).
+allow rfs_access firmware_file:dir r_dir_perms;
+allow rfs_access firmware_file:file r_file_perms;
+
+#For dropping permisions from root and wakelock
+allow rfs_access self:capability { setuid setgid setpcap net_raw };
+
+#Prevent other domains from accessing RFS data files.
+neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:dir create_dir_perms;
+neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:file create_file_perms;
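Review bot: The comment on L2124 says the capabilities are for dropping root privileges and the wakelock, but L2125 grants `setuid setgid setpcap net_raw`; net_raw is neither, and the wakelock grant is the separate block_suspend on L2098. Suggest `#For dropping privileges from root (setuid/setgid/setpcap); net_raw: TODO document which socket needs it`, which also fixes the typo `permisions`. The neverallow on L2128–L2129 is a good addition; note that it exempts init_shell unconditionally while su is exempted only under userdebug_or_eng — if init_shell has no need for rfs data on user builds, move `-init_shell` inside the same guard.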
diff --git a/common/rild.te b/common/rild.te
new file mode 100644
index 0000000..be35748
--- /dev/null
+++ b/common/rild.te
@@ -0,0 +1,27 @@
+#allow rild qmux_radio_socket:dir { write remove_name search add_name };
+#allow rild qmux_radio_socket:sock_file { write create unlink setattr };
+#allow rild qmuxd:unix_stream_socket connectto;
+qmux_socket(rild);
+binder_use(rild)
+
+allow rild ssr_device:chr_file { open read };
+allow rild sysfs_esoc:dir { search read open};
+allow rild sysfs_esoc:lnk_file { read };
+allow rild sysfs_esoc:file { write };
+allow rild sysfs_ssr:dir { open search read };
+allow rild sysfs_ssr:lnk_file { read open };
+
+allow rild mediaserver:binder { transfer call };
+
+#allow rild diag_device:chr_file { open read write };
+allow rild rild_socket:chr_file { open read write };
+allow rild system_health_monitor_device:chr_file r_file_perms;
+
+allow rild sysfs_ssr:dir r_dir_perms;
+allow rild sysfs_ssr:lnk_file read;
+allow rild system_data_file:dir w_dir_perms;
+allow rild system_data_file:file create_file_perms;
+allow rild time_daemon:unix_stream_socket connectto;
+
+dontaudit rild domain:dir r_dir_perms;
+r_dir_file(rild, netmgrd)
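Review bot: L2157–L2158 grant rild write/create on the generic system_data_file type — any unlabeled path under /data — with no type_transition to a rild-specific type; rfs_access.te in this same change shows the intended pattern, declaring its own data type and transitioning into it. Give rild a dedicated data type with a `type_transition rild system_data_file:{ dir file } rild_data_file;` and scope these two lines to it. The commented-out rules on L2136–L2138 and L2151 should be deleted rather than left as dead policy, and `dontaudit rild domain:dir r_dir_perms;` on L2161 hides denials against every domain's /proc/pid directory, so it deserves a comment saying what probing it is silencing.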
diff --git a/common/rmt_storage.te b/common/rmt_storage.te
new file mode 100644
index 0000000..19aea1d
--- /dev/null
+++ b/common/rmt_storage.te
@@ -0,0 +1,18 @@
+# rmt_storage - rmt_storage daemon
+type rmt_storage, domain;
+type rmt_storage_exec, exec_type, file_type;
+init_daemon_domain(rmt_storage)
+
+allow rmt_storage modem_efs_partition_device:blk_file rw_file_perms;
+allow rmt_storage block_device:dir r_dir_perms;
+allow rmt_storage cgroup:dir create_dir_perms;
+allow rmt_storage smem_log_device:chr_file rw_file_perms;
+
+# sys_admin is needed for ioprio_set
+allow rmt_storage self:capability { setuid setgid sys_admin dac_override net_raw setpcap };
+
+allow rmt_storage self:capability2 block_suspend;
+allow rmt_storage self:socket create_socket_perms;
+allow rmt_storage sysfs_wake_lock:file w_file_perms;
+allow rmt_storage uio_device:chr_file rw_file_perms;
+allow rmt_storage mmc_block_device:blk_file r_file_perms;
\ No newline at end of file
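Review bot: `allow rmt_storage mmc_block_device:blk_file r_file_perms;` on L2186 grants read on whatever node mmc_block_device labels; if that is the whole-device node rather than a partition, it is read access to the entire flash, including userdata, well beyond the modem EFS partitions that the dedicated modem_efs_partition_device type on L2174 covers. If the daemon only needs geometry or partition information, label the node it actually reads and grant that; if it must read the raw device, say so in a comment next to the rule. Also add the missing trailing newline flagged on L2187.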
diff --git a/common/seapp_contexts b/common/seapp_contexts
new file mode 100644
index 0000000..a75ef41
--- /dev/null
+++ b/common/seapp_contexts
@@ -0,0 +1,4 @@
+#Add new domain for Location services
+user=gps domain=location_app type=location_app_data_file
+user=system seinfo=platform name=com.qualcomm.services.location domain=location_app type=location_app_data_file
+user=system seinfo=platform name=com.qualcomm.location.XT domain=location_app type=location_app_data_file
diff --git a/common/sensors.te b/common/sensors.te
new file mode 100644
index 0000000..60f889d
--- /dev/null
+++ b/common/sensors.te
@@ -0,0 +1,57 @@
+# Policy for sensor daemon
+type sensors, domain;
+type sensors_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(sensors)
+
+type_transition sensors system_data_file:{ dir file } sensors_data_file;
+
+# Change own perms to (nobody,nobody)
+allow sensors self:capability { setuid setgid };
+# Chown /data/misc/sensors/debug/ to nobody
+allow sensors self:capability chown;
+dontaudit sensors self:capability fsetid;
+
+# Access /data/misc/sensors/debug and /data/system/sensors/settings
+allow sensors self:capability { dac_override dac_read_search net_bind_service };
+
+# Sensors socket
+allow sensors sensors_socket:sock_file create_file_perms;
+type_transition sensors socket_device:sock_file sensors_socket "sensor_ctl_socket";
+allow sensors socket_device:dir rw_dir_perms;
+
+# Create directories and files under /data/misc/sensors
+# and /data/system/sensors. Allow generic r/w file access.
+allow sensors system_data_file:dir create_dir_perms;
+allow sensors sensors_data_file:dir create_dir_perms;
+allow sensors sensors_data_file:file create_file_perms;
+
+# Access sensor nodes (/dev/msm_dsps, /dev/sensors)
+allow sensors sensors_device:chr_file rw_file_perms;
+
+# Access to /persist/sensors
+allow sensors persist_file:dir r_dir_perms;
+allow sensors sensors_persist_file:dir create_dir_perms;
+allow sensors sensors_persist_file:file create_file_perms;
+
+# Access to execmem
+allow sensors self:process execmem;
+
+# Wake lock access
+wakelock_use(sensors)
+
+allow sensors cgroup:dir { create add_name };
+
+allow sensors self:socket *;
+
+# Access to other devices
+allow sensors smd_device:chr_file rw_file_perms;
+allow sensors smem_log_device:chr_file rw_file_perms;
+allow sensors device_latency:chr_file w_file_perms;
+
+# Access to tests from userdebug/eng builds
+userdebug_or_eng(`
+  domain_auto_trans(shell, sensors_exec, sensors)
+  allow sensors diag_device:chr_file rw_file_perms;
+')
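Review bot: `allow sensors self:socket *;` on L2249 is a wildcard grant of every permission on the generic socket class; the rest of this change spells socket permissions out (`create_socket_perms` in rfs_access.te and rmt_storage.te), so this should use the same macro or an explicit set. `allow sensors self:process execmem;` on L2242 is commented only as "Access to execmem", which restates the permission rather than the reason; say what needs writable-and-executable memory (a JIT, a vendor blob) so it can be revisited, or drop it if the denial was transient.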
diff --git a/common/service.te b/common/service.te
new file mode 100644
index 0000000..e662570
--- /dev/null
+++ b/common/service.te
@@ -0,0 +1,9 @@
+type atfwd_service,             service_manager_type;
+type per_mgr_service,           service_manager_type;
+type dpmservice,                service_manager_type;
+type cne_service,               service_manager_type;
+type wbc_service,               service_manager_type;
+type dun_service,               service_manager_type;
+type digitalpen_service,        service_manager_type;
+type imscm_service,             service_manager_type;
+type color_service,             service_manager_type;
diff --git a/common/service_contexts b/common/service_contexts
new file mode 100644
index 0000000..eccd3fd
--- /dev/null
+++ b/common/service_contexts
@@ -0,0 +1,10 @@
+AtCmdFwd                                       u:object_r:atfwd_service:s0
+dpmservice                                     u:object_r:dpmservice:s0
+listen.service                                 u:object_r:mediaserver_service:s0
+cneservice                                     u:object_r:cne_service:s0
+vendor.qcom.PeripheralManager                  u:object_r:per_mgr_service:s0
+wbc_service                                    u:object_r:wbc_service:s0
+dun                                            u:object_r:dun_service:s0
+DigitalPen                                     u:object_r:digitalpen_service:s0
+qti.ims.connectionmanagerservice               u:object_r:imscm_service:s0
+com.qti.snapdragon.sdk.display.IColorService   u:object_r:color_service:s0
diff --git a/common/ssr_diag.te b/common/ssr_diag.te
new file mode 100755
index 0000000..62fa587
--- /dev/null
+++ b/common/ssr_diag.te
@@ -0,0 +1,8 @@
+type ssr_diag, domain;
+type ssr_diag_exec, exec_type, file_type;
+init_daemon_domain(ssr_diag);
+
+userdebug_or_eng(`
+  allow ssr_diag diag_device:chr_file rw_file_perms;
+  allow ssr_diag sysfs:file rw_file_perms;
+')
diff --git a/common/ssr_setup.te b/common/ssr_setup.te
new file mode 100644
index 0000000..0ec733a
--- /dev/null
+++ b/common/ssr_setup.te
@@ -0,0 +1,17 @@
+#Policy for ssr_setup
+#ssr_setup - ssr_setup domain
+type ssr_setup, domain;
+type ssr_setup_exec, exec_type, file_type;
+init_daemon_domain(ssr_setup);
+
+#Required to discover esoc's
+allow ssr_setup sysfs_esoc:dir { r_file_perms search };
+allow ssr_setup sysfs_esoc:lnk_file r_file_perms;
+
+#Required to enable/disable ssr
+allow ssr_setup sysfs_ssr:dir { r_file_perms search };
+allow ssr_setup sysfs_ssr_toggle:file rw_file_perms;
+allow ssr_setup sysfs_ssr:lnk_file rw_file_perms;
+
+#Keeping this here till sysfs labeling is resolved
+allow ssr_setup sysfs:file w_file_perms;
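Review bot: L2328 grants write on the generic sysfs label with a comment that it stays until labeling is resolved, yet L2324 already introduces sysfs_ssr_toggle for the node ssr_setup toggles. If that label covers the write, L2328 is already redundant and should go; if another node remains, name it so the TODO is actionable, e.g. `# TODO: label <node> and drop generic sysfs write`.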
diff --git a/common/subsystem_ramdump.te b/common/subsystem_ramdump.te
new file mode 100755
index 0000000..6113b0a
--- /dev/null
+++ b/common/subsystem_ramdump.te
@@ -0,0 +1,8 @@
+type subsystem_ramdump, domain;
+type subsystem_ramdump_exec, exec_type, file_type;
+init_daemon_domain(subsystem_ramdump);
+
+userdebug_or_eng(`
+  allow subsystem_ramdump ramdump_device:chr_file r_file_perms;
+  allow subsystem_ramdump sysfs:file w_file_perms;
+')
diff --git a/common/surfaceflinger.te b/common/surfaceflinger.te
new file mode 100644
index 0000000..854ff8c
--- /dev/null
+++ b/common/surfaceflinger.te
@@ -0,0 +1,8 @@
+allow surfaceflinger sysfs_graphics:file rw_file_perms;
+allow surfaceflinger shell_data_file:dir search;
+
+# Allows pp-daemon to refresh the screen in calibration mode
+r_dir_file(surfaceflinger, mm-pp-daemon)
+
+binder_call(surfaceflinger, location)
+binder_call(surfaceflinger, tee)
diff --git a/common/system_app.te b/common/system_app.te
new file mode 100644
index 0000000..1942a77
--- /dev/null
+++ b/common/system_app.te
@@ -0,0 +1,37 @@
+# fm_radio app needes  open read write on fm_radio_device
+allow system_app fm_radio_device:chr_file { read open ioctl};
+allow system_app ctl_default_prop:property_service set;
+allow system_app atfwd_service:service_manager add;
+allow system_app dun_service:service_manager add;
+
+# access to perflock
+allow system_app mpctl_socket:dir r_dir_perms;
+unix_socket_send(system_app, mpctl, mpdecision)
+unix_socket_connect(system_app, mpctl, mpdecision)
+allow system_app dpmservice:service_manager add;
+unix_socket_send(system_app, mpctl, perfd)
+unix_socket_connect(system_app, mpctl, perfd)
+
+# access to mm-pp-daemon
+unix_socket_connect(system_app, pps, mm-pp-daemon)
+allow system_app cne_service:service_manager add;
+
+userdebug_or_eng(`
+  allow system_app debugfs:file r_file_perms;
+  allow system_app su:unix_dgram_socket sendto;
+  allow system_app persist_file:dir r_dir_perms;
+  allow system_app sensors_persist_file:dir r_dir_perms;
+  allow system_app sensors_persist_file:file rw_file_perms;
+')
+allow system_app cnd_data_file:dir w_dir_perms;
+allow system_app cnd_data_file:file create_file_perms;
+allow system_app bluetooth:unix_stream_socket ioctl;
+
+# access to tee domain
+allow system_app tee:unix_dgram_socket sendto;
+
+# access to time_daemon
+allow system_app time_daemon:unix_stream_socket connectto;
+
+# access to color service SDK
+allow system_app color_service:service_manager add;
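Review bot: `allow system_app ctl_default_prop:property_service set;` on L2365 lets every app running as system_app set ctl.start/ctl.stop/ctl.restart, i.e. start or stop arbitrary init services; core policy keeps that for a small set of domains. If one system app needs to control a specific service, give that service's ctl. property its own label in property_contexts (as this change does for sys.usb_uicc. and sys.ims.) and grant only that. Several other lines here carry no comment at all (the dun_service, cne_service and dpmservice adds, the cnd_data_file write, the bluetooth ioctl) and should name the app that needs them.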
diff --git a/common/system_server.te b/common/system_server.te
new file mode 100644
index 0000000..4f9e89c
--- /dev/null
+++ b/common/system_server.te
@@ -0,0 +1,52 @@
+#============= system_server ==============
+# allow system_server to communicate with cnd process over cnd_socket
+unix_socket_connect(system_server, cnd, cnd)
+# allow  system/framework applications to update the cnd configuration files
+allow system_server cnd_data_file:dir { read open write getattr add_name };
+allow system_server cnd_data_file:file { create write getattr setattr read lock open };
+
+# Access to sensors socket
+unix_socket_connect(system_server, sensors, sensors)
+unix_socket_send(system_server, sensors, sensors)
+allow system_server sensors:unix_stream_socket sendto;
+allow system_server sensors_socket:sock_file r_file_perms;
+qmux_socket(system_server);
+
+# access to perflock
+allow system_server mpctl_socket:dir r_dir_perms;
+unix_socket_send(system_server, mpctl, mpdecision)
+unix_socket_connect(system_server, mpctl, mpdecision)
+
+# allow  system/framework applications to update the dpmd configuration files
+unix_socket_connect(system_server, dpmd, dpmd);
+allow system_server dpmd_socket:sock_file write;
+allow system_server dpmd_data_file:dir create_dir_perms;
+allow system_server dpmservice:service_manager add;
+allow system_server dpmd_data_file:file create_file_perms;
+allow system_server socket_device:sock_file write;
+
+unix_socket_send(system_server, mpctl, perfd)
+unix_socket_connect(system_server, mpctl, perfd)
+
+allow system_server location:unix_stream_socket connectto;
+allow system_server location_data_file:dir rw_dir_perms;
+allow system_server location_data_file:fifo_file create_file_perms;
+allow system_server location_socket:sock_file rw_file_perms;
+allow system_server location_app_data_file:dir r_dir_perms;
+allow system_server location_data_file:sock_file rw_file_perms;
+
+#For wifistatemachine
+allow system_server kernel:key search;
+allow system_server wbc_service:service_manager add;
+allow system_server digitalpen_service:service_manager add;
+
+#For ssr
+allow system_server ssr_device:chr_file { read open };
+
+allow system_server fuse:dir search;
+allow system_server persist_file:dir search;
+
+#For ANT tty communication and to set wc_transport prop
+allow system_server bluetooth_prop:property_service set;
+allow system_server serial_device:chr_file rw_file_perms;
+allow system_server smd_device:chr_file rw_file_perms;
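Review bot: `allow system_server socket_device:sock_file write;` on L2431 is a generic write to any socket under /dev/socket that has not been given its own type, which undercuts the per-daemon socket labels used elsewhere in this change (dpmd_socket, location_socket, sensors_socket); the dpmd block it sits in already grants dpmd_socket on L2427, so this line is probably a leftover from before that label existed and should be removed. The serial_device and smd_device rw on L2456–L2457 are commented for ANT, which is fine, but both are broad device classes and a later reviewer will want to know that no narrower label exists.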
diff --git a/common/te_macros b/common/te_macros
new file mode 100644
index 0000000..485bfb7
--- /dev/null
+++ b/common/te_macros
@@ -0,0 +1,11 @@
+#####################################
+# qmux_socket(clientdomain)
+# Allow client domain to connecto and send
+# via a local socket to the qmux domain.
+# Also allow the client domain to remove
+# its own socket.
+define(`qmux_socket', `
+allow $1 qmuxd_socket:dir create_dir_perms;
+unix_socket_connect($1, qmuxd, qmuxd)
+allow $1 qmuxd_socket:sock_file { read getattr write setattr create unlink };
+')
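Review bot: The macro comment says a client may remove its own socket, but the body grants `create_dir_perms` on qmuxd_socket:dir (L2471) and `create unlink setattr` on every qmuxd_socket:sock_file (L2473) to each caller — with this change that includes system_server, radio, netmgrd, thermal-engine and wcnss_service — so any client can unlink or rename another client's socket, not just its own. Narrow the dir grant to `rw_dir_perms` (or `{ search write add_name remove_name }`) and, if per-client isolation matters, give each caller its own sock_file type via a type_transition. Also fix the typo `connecto` in the comment.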
diff --git a/common/thermal-engine.te b/common/thermal-engine.te
new file mode 100644
index 0000000..158f6a9
--- /dev/null
+++ b/common/thermal-engine.te
@@ -0,0 +1,26 @@
+# thermal-engine daemon
+type thermal-engine, domain;
+type thermal-engine_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(thermal-engine)
+
+#============= thermal-engine ==============
+#This is to access thermal query device
+allow thermal-engine thermal_device:chr_file rw_file_perms;
+#This is required to access smem log device
+allow thermal-engine smem_log_device:chr_file rw_file_perms;
+allow thermal-engine self:capability { dac_read_search dac_override fsetid };
+allow thermal-engine self:socket create_socket_perms;
+#This is required to access thermal sockets
+allow thermal-engine thermal_socket:dir w_dir_perms;
+allow thermal-engine thermal_socket:sock_file { create setattr open read write };
+#This is required for thermal sysfs access
+allow thermal-engine sysfs_thermal:dir r_dir_perms;
+allow thermal-engine sysfs_thermal:file rw_file_perms;
+allow thermal-engine sysfs_thermal:lnk_file read;
+allow thermal-engine sysfs:file write;
+#This is required for qmi access
+qmux_socket(thermal-engine);
+allow thermal-engine sysfs_mpdecision:file rw_file_perms;
+r_dir_file(thermal-engine, sysfs_ssr);
diff --git a/common/time_daemon.te b/common/time_daemon.te
new file mode 100644
index 0000000..5793197
--- /dev/null
+++ b/common/time_daemon.te
@@ -0,0 +1,21 @@
+# Policies for time daemon
+type time_daemon, domain;
+type time_daemon_exec, exec_type, file_type;
+type time_data_file, file_type, data_file_type;
+
+# Make transition to its own time_daemon domain from init
+init_daemon_domain(time_daemon)
+allow time_daemon smem_log_device:chr_file rw_file_perms;
+
+# Add rules for access permissions
+#============= IOCTL operations ==============
+allow time_daemon rtc_device:chr_file { open read ioctl };
+allow time_daemon alarm_device:chr_file { open read write ioctl };
+
+#============= File read/write ==============
+allow time_daemon time_data_file:file { write create open read};
+allow time_daemon time_data_file:dir { write add_name search};
+allow time_daemon self:socket { write read create ioctl};
+allow time_daemon self:capability { setuid setgid };
+
+r_dir_file(time_daemon, sysfs_esoc);
diff --git a/common/ueventd.te b/common/ueventd.te
new file mode 100644
index 0000000..eb390a8
--- /dev/null
+++ b/common/ueventd.te
@@ -0,0 +1,17 @@
+#Allow firmware_file access to load Non-HLOS images
+allow ueventd firmware_file:dir search;
+allow ueventd firmware_file:file { read getattr open };
+
+#Allow persist_file access to wcnss bin
+allow ueventd persist_file:dir search;
+allow ueventd persist_file:file { read getattr open };
+
+#for wifi to access wifi_data_file
+allow ueventd wifi_data_file:dir search;
+allow ueventd wifi_data_file:file { read getattr open };
+
+allow ueventd sysfs_battery_supply:file w_file_perms;
+allow ueventd sysfs_thermal:file w_file_perms;
+allow ueventd sysfs_usb_supply:file w_file_perms;
+
+allow ueventd sysfs_socinfo:file w_file_perms;
diff --git a/common/untrusted_app.te b/common/untrusted_app.te
new file mode 100644
index 0000000..0791009
--- /dev/null
+++ b/common/untrusted_app.te
@@ -0,0 +1,12 @@
+# access to perflock
+allow untrusted_app mpctl_socket:dir r_dir_perms;
+unix_socket_send(untrusted_app, mpctl, perfd)
+unix_socket_connect(untrusted_app, mpctl, perfd)
+unix_socket_send(untrusted_app, mpctl, mpdecision)
+unix_socket_connect(untrusted_app, mpctl, mpdecision)
+
+# test apps needs to communicate with imscm
+# using binder call
+userdebug_or_eng(`
+  binder_call(untrusted_app, imscm)
+')
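Review bot: L2564–L2568 let every third-party app connect to and send on the mpctl socket of perfd and mpdecision, daemons that in this same change hold net_admin, dac_override and generic sysfs/proc write; that turns the perflock protocol into an attack surface reachable from any installed app, and nothing in the hunk says which app needs it or what the daemons do to validate requests. If the intent is to let apps request performance hints, route that through a system service rather than a direct socket from untrusted_app. At minimum add a justification next to the grant, e.g. `# TODO: justify direct untrusted_app access to the perflock socket; document request validation in perfd/mpdecision`.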
diff --git a/common/usb_uicc_daemon.te b/common/usb_uicc_daemon.te
new file mode 100644
index 0000000..7b4a056
--- /dev/null
+++ b/common/usb_uicc_daemon.te
@@ -0,0 +1,14 @@
+# usb_uicc_daemon
+type usb_uicc_daemon, domain;
+type usb_uicc_daemon_exec, exec_type, file_type;
+
+# Make transition from init to its domain
+init_daemon_domain(usb_uicc_daemon)
+
+allow usb_uicc_daemon property_socket:sock_file w_file_perms;
+allow usb_uicc_daemon self:socket create_socket_perms;
+allow usb_uicc_daemon usb_uicc_device:chr_file rw_file_perms;
+allow usb_uicc_daemon uicc_prop:property_service set;
+allow usb_uicc_daemon sysfs_usb_uicc:file rw_file_perms;
+allow usb_uicc_daemon sysfs_usb_uicc:dir rw_dir_perms;
+allow usb_uicc_daemon init:unix_stream_socket connectto;
diff --git a/common/vm_bms.te b/common/vm_bms.te
new file mode 100644
index 0000000..68f2862
--- /dev/null
+++ b/common/vm_bms.te
@@ -0,0 +1,23 @@
+#integrated process
+type vm_bms, domain;
+type vm_bms_exec, exec_type, file_type;
+
+#started by init
+init_daemon_domain(vm_bms)
+
+#allow vm_bms to visit chr_file
+allow vm_bms tmpfs:chr_file { read write getattr };
+allow vm_bms vm_bms_device:chr_file { open read write ioctl };
+allow vm_bms battery_data_device:chr_file { open read write ioctl };
+
+#allow vm_bms to drop down to system service
+allow vm_bms self:capability { setpcap setgid setuid };
+
+#allow vm_bms to block the system suspend
+allow vm_bms self:capability2 block_suspend;
+
+#allow vm_bms to get the wake lock
+allow vm_bms sysfs_wake_lock:file rw_file_perms;
+
+#allow vm_bms to visit sysfs
+allow vm_bms sysfs:file rw_file_perms;
diff --git a/common/vold.te b/common/vold.te
new file mode 100755
index 0000000..71b32cd
--- /dev/null
+++ b/common/vold.te
@@ -0,0 +1,9 @@
+allow vold tee_device:chr_file rw_file_perms;
+allow vold kernel:system module_request;
+allow vold self:capability2 block_suspend;
+allow vold fscklogs:file { write create open getattr };
+allow vold proc_sysrq:file rw_file_perms;
+allow vold self:capability sys_boot;
+allow vold cache_file:dir { write add_name };
+allow vold cache_file:file { write create open };
+allow vold proc_dirty_ratio:file rw_file_perms;
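Review bot: None of these nine rules carries a comment, and several are high-impact for a storage daemon: `self:capability sys_boot`, `proc_sysrq:file rw_file_perms` and `kernel:system module_request`. A why-comment per rule would let a later reviewer judge whether each is still needed, e.g. `# sys_boot + proc_sysrq: <reason vold needs to reboot or trigger sysrq>` and `# module_request: <module vold autoloads>`. The cache_file rules grant create/write but no `unlink` or `remove_name`, so whatever vold writes there it cannot remove; worth confirming that is intended rather than an oversight.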
diff --git a/common/wcnss_service.te b/common/wcnss_service.te
new file mode 100644
index 0000000..85d566e
--- /dev/null
+++ b/common/wcnss_service.te
@@ -0,0 +1,29 @@
+type wcnss_service, domain;
+type wcnss_service_exec, exec_type, file_type;
+
+init_daemon_domain(wcnss_service)
+net_domain(wcnss_service)
+
+unix_socket_connect(wcnss_service, property, init)
+allow wcnss_service wcnss_device:chr_file rw_file_perms;
+
+qmux_socket(wcnss_service);
+
+allow wcnss_service wifi_data_file:dir w_dir_perms;
+allow wcnss_service wifi_data_file:file create_file_perms;
+
+allow wcnss_service system_prop:property_service set;
+allow wcnss_service persist_file:dir r_dir_perms;
+qmux_socket(wcnss_service);
+
+allow wcnss_service self:socket create_socket_perms;
+allow wcnss_service smem_log_device:chr_file rw_file_perms;
+allow wcnss_service proc_net:file write;
+
+# allow wpa_supplicant to send back wifi information to cnd
+allow wcnss_service cnd:unix_dgram_socket sendto;
+allow wcnss_service self:capability { setuid setgid dac_override net_admin };
+
+allow wcnss_service self:netlink_socket create_socket_perms;
+allow wcnss_service firmware_file:dir r_dir_perms;
+allow wcnss_service firmware_file:file r_file_perms;
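Review bot: `qmux_socket(wcnss_service);` appears twice in this hunk (L2654 and L2661); drop one. The comment at L2667 was copied from common/wpa.te and names wpa_supplicant although the rule below it is for wcnss_service, so it should read `# allow wcnss_service to send wifi information to cnd`. Macro invocations are terminated inconsistently — `init_daemon_domain`/`net_domain` have no `;` while `qmux_socket(...)` does. `self:capability { setuid setgid dac_override net_admin }` is broad for a domain that test/file_contexts applies to a couple of dozen different binaries; a comment stating which of them needs `dac_override` would help keep it from becoming permanent.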
diff --git a/common/wfd_app.te b/common/wfd_app.te
new file mode 100644
index 0000000..e9d3dec
--- /dev/null
+++ b/common/wfd_app.te
@@ -0,0 +1,24 @@
+allow wfd_app init:unix_stream_socket connectto;
+allow wfd_app node:tcp_socket node_bind;
+allow wfd_app port:tcp_socket { name_bind name_connect };
+allow wfd_app self:tcp_socket { bind create setopt listen write read getopt connect accept getattr };
+allow wfd_app dalvikcache_data_file:file { write setattr };
+allow wfd_app graphics_device:chr_file rw_file_perms;
+allow wfd_app graphics_device:dir r_dir_perms;
+allow wfd_app node:udp_socket node_bind;
+allow wfd_app port:udp_socket name_bind;
+allow wfd_app self:udp_socket { bind create getattr write setopt ioctl read getopt };
+allow wfd_app video_device:dir r_dir_perms;
+allow wfd_app video_device:chr_file rw_file_perms;
+allow wfd_app audio_device:dir r_dir_perms;
+allow wfd_app audio_device:chr_file rw_file_perms;
+allow wfd_app fwmarkd_socket:sock_file write;
+allow wfd_app mpctl_socket:dir r_dir_perms;
+allow wfd_app netd:unix_stream_socket connectto;
+allow wfd_app firmware_file:dir r_dir_perms;
+allow wfd_app firmware_file:file r_file_perms;
+allow wfd_app tee_device:chr_file rw_file_perms;
+allow wfd_app media_rw_data_file:dir rw_dir_perms;
+allow wfd_app media_rw_data_file:file create_file_perms;
+allow wfd_app system_app_data_file:dir create_dir_perms;
+allow wfd_app uhid_device:chr_file rw_file_perms;
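Review bot: `allow wfd_app dalvikcache_data_file:file { write setattr };` lets an app domain modify compiled code in the dalvik cache, something platform policy normally reserves for the install/zygote path and, I believe, restricts with a neverallow in the base domain.te — please check it against the platform policy and document why a Wi-Fi Display app needs it. `port:tcp_socket { name_bind name_connect }` and `port:udp_socket name_bind` cover every port carrying the generic `port` type; if the WFD ports are fixed, a named port type in property/port contexts would scope this. `system_app_data_file:dir create_dir_perms` and `tee_device:chr_file rw_file_perms` also go beyond what an app domain usually holds and have no comment. The file has no header; a `# wfd_app: Wi-Fi Display application domain` line plus why-comments on these rules would make the grant reviewable.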
diff --git a/common/wpa.te b/common/wpa.te
new file mode 100644
index 0000000..15a0164
--- /dev/null
+++ b/common/wpa.te
@@ -0,0 +1,12 @@
+allow wpa persist_file:dir search;
+qmux_socket(wpa);
+
+allow wpa self:socket create_socket_perms;
+allow wpa smem_log_device:chr_file rw_file_perms;
+allow wpa proc_net:file write;
+
+# allow wpa_supplicant to send back wifi information to cnd
+allow wpa cnd:unix_dgram_socket sendto;
+
+# permission for wpa socket which IMS use to communicate
+allow wpa ims:unix_dgram_socket sendto;
diff --git a/common/zygote.te b/common/zygote.te
new file mode 100644
index 0000000..9c7c35e
--- /dev/null
+++ b/common/zygote.te
@@ -0,0 +1 @@
+allow zygote shell_data_file:dir search;
diff --git a/mpq8064/Android.mk b/mpq8064/Android.mk
new file mode 100644
index 0000000..4447397
--- /dev/null
+++ b/mpq8064/Android.mk
@@ -0,0 +1 @@
+BOARD_SEPOLICY_UNION += \
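Review bot: `BOARD_SEPOLICY_UNION += \` ends with a line continuation and nothing follows it, so the variable receives no entries and this file has no effect; either list the platform's .te files here or drop the per-platform Android.mk files. The same empty stanza is added for mpq8092, msm8916, msm8939, msm8960, msm8974 and msm8994 (L2754, L2761, L2768, L2775, L2923, L2942), and the msm8x10/msm8x26 copies (L2949, L2968) additionally carry a leading space before the variable name. Since the top-level Android.mk already unions qseecomd.te and adds device/qcom/sepolicy/$(TARGET_BOARD_PLATFORM) to BOARD_SEPOLICY_DIRS, these files appear redundant as written.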
diff --git a/mpq8064/qseecomd.te b/mpq8064/qseecomd.te
new file mode 100644
index 0000000..049367c
--- /dev/null
+++ b/mpq8064/qseecomd.te
@@ -0,0 +1,6 @@
+userdebug_or_eng(`
+  # Playready should be able to create/delete dir under /data/data
+  # Securemm should be able to create/delete dir under /data/misc
+  allow tee system_data_file:dir create_dir_perms;
+  allow tee system_data_file:file create_file_perms;
+')
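Review bot: The two `allow tee system_data_file:...` rules grant create/delete on every directory and file labelled system_data_file, much wider than the `/data/data` and `/data/misc` paths the comments describe; a dedicated type for those directories, assigned in file_contexts, would scope the debug-build access to them. This block is byte-identical in msm8960, msm8974, msm8x10 and msm8x26 (L2864, L2935, L2961, L2980), and test/sectest.te repeats it for the sectest domain (L3185–L3186); one copy under common/ (or test/) inside userdebug_or_eng would stop five files drifting apart.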
diff --git a/mpq8092/Android.mk b/mpq8092/Android.mk
new file mode 100644
index 0000000..4447397
--- /dev/null
+++ b/mpq8092/Android.mk
@@ -0,0 +1 @@
+BOARD_SEPOLICY_UNION += \
diff --git a/msm8916/Android.mk b/msm8916/Android.mk
new file mode 100644
index 0000000..4447397
--- /dev/null
+++ b/msm8916/Android.mk
@@ -0,0 +1 @@
+BOARD_SEPOLICY_UNION += \
diff --git a/msm8939/Android.mk b/msm8939/Android.mk
new file mode 100644
index 0000000..4447397
--- /dev/null
+++ b/msm8939/Android.mk
@@ -0,0 +1 @@
+BOARD_SEPOLICY_UNION += \
diff --git a/msm8960/Android.mk b/msm8960/Android.mk
new file mode 100644
index 0000000..4447397
--- /dev/null
+++ b/msm8960/Android.mk
@@ -0,0 +1 @@
+BOARD_SEPOLICY_UNION += \
diff --git a/msm8960/device.te b/msm8960/device.te
new file mode 100755
index 0000000..24d277a
--- /dev/null
+++ b/msm8960/device.te
@@ -0,0 +1,2 @@
+#mdm helper device
+type mdm_device, dev_type;
diff --git a/msm8960/file.te b/msm8960/file.te
new file mode 100644
index 0000000..e5cea97
--- /dev/null
+++ b/msm8960/file.te
@@ -0,0 +1,2 @@
+#efs file types
+type efs_data_file, file_type, data_file_type;
diff --git a/msm8960/file_contexts b/msm8960/file_contexts
new file mode 100755
index 0000000..7e51456
--- /dev/null
+++ b/msm8960/file_contexts
@@ -0,0 +1,22 @@
+###################################
+# Dev nodes
+#
+/dev/msm_camera(/.*)?                           u:object_r:camera_device:s0
+/dev/msm_rotator                                u:object_r:graphics_device:s0
+/dev/mdm                                        u:object_r:mdm_device:s0
+/dev/block/bootdevice/by-name/m9kefs1           u:object_r:efs_boot_dev:s0
+/dev/block/bootdevice/by-name/m9kefs2           u:object_r:efs_boot_dev:s0
+/dev/block/bootdevice/by-name/m9kefs3           u:object_r:efs_boot_dev:s0
+/dev/block/bootdevice/by-name/m9kefsc           u:object_r:efs_boot_dev:s0
+
+###################################
+# System files
+#
+/system/bin/thermald                            u:object_r:thermal-engine_exec:s0
+/system/bin/qcks                                u:object_r:mdm_helper_exec:s0
+/system/bin/efks                                u:object_r:mdm_helper_exec:s0
+
+###################################
+# Data files
+#
+/data/qcks(/.*)?                                u:object_r:efs_data_file:s0
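Review bot: The four m9kefs entries use `efs_boot_dev`, but msm8960/device.te in this commit only declares `mdm_device` and no definition of efs_boot_dev is visible in the diff; if it is not declared in common/device.te the file_contexts check will fail for this platform, so either add `type efs_boot_dev, dev_type;` to msm8960/device.te or confirm the common definition. A short comment naming the domain that reads these EFS partitions would also help, since msm8960/mdm_helper.te only references efs_data_file, not efs_boot_dev.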
diff --git a/msm8960/mdm_helper.te b/msm8960/mdm_helper.te
new file mode 100755
index 0000000..5fe3608
--- /dev/null
+++ b/msm8960/mdm_helper.te
@@ -0,0 +1,8 @@
+#Needed in order to access the data partition bin files
+type_transition mdm_helper system_data_file:{ file } efs_data_file;
+
+allow mdm_helper mdm_device:file rw_file_perms;
+allow mdm_helper mdm_device:chr_file rw_file_perms;
+allow mdm_helper self:capability { dac_read_search dac_override };
+allow mdm_helper efs_data_file:file create_file_perms;
+allow mdm_helper efs_data_file:dir create_dir_perms;
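Review bot: `allow mdm_helper mdm_device:file rw_file_perms;` is unlikely to ever match — /dev/mdm is a device node, so the `chr_file` rule on the next line is the one that applies and the `file` rule can be dropped. The `type_transition` covers only the `file` class, so a directory mdm_helper creates under system_data_file keeps the system_data_file label and the `efs_data_file:dir create_dir_perms` rule would not apply to it unless /data/qcks is pre-created and labelled via file_contexts; if the daemon creates the directory itself, `type_transition mdm_helper system_data_file:{ file dir } efs_data_file;` is needed. With a dedicated efs_data_file type in place, `dac_override` in the capability set deserves a comment explaining which path still requires it.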
diff --git a/msm8960/mm-pp-daemon.te b/msm8960/mm-pp-daemon.te
new file mode 100644
index 0000000..cbaafcf
--- /dev/null
+++ b/msm8960/mm-pp-daemon.te
@@ -0,0 +1,4 @@
+userdebug_or_eng(`
+  #Allow pp-daemon to access stream socket
+  allow mm-pp-daemon init:unix_stream_socket { read write };
+')
diff --git a/msm8960/mpdecision.te b/msm8960/mpdecision.te
new file mode 100644
index 0000000..f9adcee
--- /dev/null
+++ b/msm8960/mpdecision.te
@@ -0,0 +1,3 @@
+allow mpdecision socket_device:dir w_dir_perms;
+allow mpdecision socket_device:sock_file create;
+allow mpdecision self:capability sys_nice;
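Review bot: `allow mpdecision socket_device:sock_file create;` creates the control socket with the generic socket_device label, while the rest of the policy expects it to be mpctl_socket (`unix_socket_connect(untrusted_app, mpctl, mpdecision)` at L2568 and `mpctl_socket:dir` at L2695); adding `type_transition mpdecision socket_device:sock_file mpctl_socket;` with a matching `allow mpdecision mpctl_socket:sock_file create_file_perms;` labels the socket correctly so clients connect to it without needing socket_device rules. msm8960/thermal-engine.te (L2908) grants `socket_device:dir w_dir_perms` with the same generic target and no sock_file rule at all; the same transition pattern applies there.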
diff --git a/msm8960/qseecomd.te b/msm8960/qseecomd.te
new file mode 100644
index 0000000..049367c
--- /dev/null
+++ b/msm8960/qseecomd.te
@@ -0,0 +1,6 @@
+userdebug_or_eng(`
+  # Playready should be able to create/delete dir under /data/data
+  # Securemm should be able to create/delete dir under /data/misc
+  allow tee system_data_file:dir create_dir_perms;
+  allow tee system_data_file:file create_file_perms;
+')
diff --git a/msm8960/rild.te b/msm8960/rild.te
new file mode 100644
index 0000000..81cafff
--- /dev/null
+++ b/msm8960/rild.te
@@ -0,0 +1,2 @@
+#allow rild to access smd_cmx_qmi device;
+allow rild smd_device:chr_file rw_file_perms;
diff --git a/msm8960/rmt_storage.te b/msm8960/rmt_storage.te
new file mode 100644
index 0000000..3b3bbb2
--- /dev/null
+++ b/msm8960/rmt_storage.te
@@ -0,0 +1,5 @@
+# rmt_storage - rmt_storage daemon
+allow rmt_storage rpmb_device:blk_file { open read };
+allow rmt_storage ssd_device:blk_file { open read write };
+unix_socket_connect(rmt_storage, property, init)
+allow rmt_storage ctl_default_prop:property_service set;
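Review bot: `allow rmt_storage ctl_default_prop:property_service set;` lets the daemon start or stop any init service whose ctl.* property has no dedicated type, which is far more than a remote-storage daemon should hold; declare a specific `ctl_<service>_prop` (placeholder name) for the service it actually controls in property_contexts and target that instead. The `ssd_device:blk_file { open read write }` rule is raw write access to a block device and has no comment; a line such as `# ssd_device: <partition> written on behalf of the modem` would document the need. The header `# rmt_storage - rmt_storage daemon` could state what the daemon does rather than repeat its name.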
diff --git a/msm8960/ssr_diag.te b/msm8960/ssr_diag.te
new file mode 100644
index 0000000..6b170b0
--- /dev/null
+++ b/msm8960/ssr_diag.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+  allow ssr_diag self:netlink_kobject_uevent_socket create;
+')
diff --git a/msm8960/system_server.te b/msm8960/system_server.te
new file mode 100644
index 0000000..1ac7260
--- /dev/null
+++ b/msm8960/system_server.te
@@ -0,0 +1,2 @@
+# WifiStateMachine to access wpa_wlan0 socket
+allow system_server init:unix_dgram_socket sendto;
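Review bot: The comment says system_server talks to the wpa_wlan0 socket, but the rule targets `init:unix_dgram_socket`, i.e. a socket owned by the init domain; that only makes sense if wpa_supplicant is running as init rather than in the `wpa` domain, and msm8960/wpa.te (L2916) grants `wpa init:unix_dgram_socket { read write }` in the same direction. This looks like a missing domain transition for wpa_supplicant on this platform, in which case both rules should go away in favour of `allow system_server wpa:unix_dgram_socket sendto;` — worth confirming how wpa_supplicant is launched on msm8960 before landing these.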
diff --git a/msm8960/thermal-engine.te b/msm8960/thermal-engine.te
new file mode 100644
index 0000000..707717d
--- /dev/null
+++ b/msm8960/thermal-engine.te
@@ -0,0 +1,2 @@
+allow thermal-engine self:netlink_kobject_uevent_socket create;
+allow thermal-engine socket_device:dir w_dir_perms;
diff --git a/msm8960/wpa.te b/msm8960/wpa.te
new file mode 100644
index 0000000..24ce72f
--- /dev/null
+++ b/msm8960/wpa.te
@@ -0,0 +1,2 @@
+allow wpa devpts:chr_file rw_file_perms;
+allow wpa init:unix_dgram_socket { read write };
diff --git a/msm8974/Android.mk b/msm8974/Android.mk
new file mode 100644
index 0000000..4447397
--- /dev/null
+++ b/msm8974/Android.mk
@@ -0,0 +1 @@
+BOARD_SEPOLICY_UNION += \
diff --git a/msm8974/qseecomd.te b/msm8974/qseecomd.te
new file mode 100644
index 0000000..049367c
--- /dev/null
+++ b/msm8974/qseecomd.te
@@ -0,0 +1,6 @@
+userdebug_or_eng(`
+  # Playready should be able to create/delete dir under /data/data
+  # Securemm should be able to create/delete dir under /data/misc
+  allow tee system_data_file:dir create_dir_perms;
+  allow tee system_data_file:file create_file_perms;
+')
diff --git a/msm8994/Android.mk b/msm8994/Android.mk
new file mode 100644
index 0000000..4447397
--- /dev/null
+++ b/msm8994/Android.mk
@@ -0,0 +1 @@
+BOARD_SEPOLICY_UNION += \
diff --git a/msm8x10/Android.mk b/msm8x10/Android.mk
new file mode 100644
index 0000000..09bbd96
--- /dev/null
+++ b/msm8x10/Android.mk
@@ -0,0 +1 @@
+ BOARD_SEPOLICY_UNION += \
diff --git a/msm8x10/qseecomd.te b/msm8x10/qseecomd.te
new file mode 100644
index 0000000..049367c
--- /dev/null
+++ b/msm8x10/qseecomd.te
@@ -0,0 +1,6 @@
+userdebug_or_eng(`
+  # Playready should be able to create/delete dir under /data/data
+  # Securemm should be able to create/delete dir under /data/misc
+  allow tee system_data_file:dir create_dir_perms;
+  allow tee system_data_file:file create_file_perms;
+')
diff --git a/msm8x26/Android.mk b/msm8x26/Android.mk
new file mode 100644
index 0000000..09bbd96
--- /dev/null
+++ b/msm8x26/Android.mk
@@ -0,0 +1 @@
+ BOARD_SEPOLICY_UNION += \
diff --git a/msm8x26/qseecomd.te b/msm8x26/qseecomd.te
new file mode 100644
index 0000000..049367c
--- /dev/null
+++ b/msm8x26/qseecomd.te
@@ -0,0 +1,6 @@
+userdebug_or_eng(`
+  # Playready should be able to create/delete dir under /data/data
+  # Securemm should be able to create/delete dir under /data/misc
+  allow tee system_data_file:dir create_dir_perms;
+  allow tee system_data_file:file create_file_perms;
+')
diff --git a/test/diag_test.te b/test/diag_test.te
new file mode 100644
index 0000000..3ed3815
--- /dev/null
+++ b/test/diag_test.te
@@ -0,0 +1,11 @@
+type diagdciclient_exec, exec_type, file_type;
+userdebug_or_eng(`
+  type diag_test, domain;
+  domain_auto_trans(shell, diagdciclient_exec, diag_test)
+  domain_auto_trans(adbd, diagdciclient_exec, diag_test)
+  allow diag_test devpts:chr_file getattr;
+  allow diag_test self:capability dac_override;
+  allow diag_test diag_device:chr_file {ioctl read write open};
+  allow diag_test devpts:chr_file {ioctl read write open};
+')
+
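Review bot: The two devpts rules at L2992 and L2995 can be merged into one, `allow diag_test devpts:chr_file { ioctl read write open getattr };`, and the brace style `{ioctl read write open}` differs from the spaced `{ read write getattr }` form used elsewhere in the commit. The file also ends with a stray blank line. `self:capability dac_override` on a debug test driver is acceptable under userdebug_or_eng, but a comment saying which file it needs to bypass DAC for would help, as test/qmi_ping.te does.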
diff --git a/test/file.te b/test/file.te
new file mode 100644
index 0000000..4b8b67d
--- /dev/null
+++ b/test/file.te
@@ -0,0 +1,3 @@
+#Define the files written during the operation of mm-pp-daemon
+type display_test_media_file, file_type, data_file_type;
+
diff --git a/test/file_contexts b/test/file_contexts
new file mode 100755
index 0000000..f41cc3c
--- /dev/null
+++ b/test/file_contexts
@@ -0,0 +1,62 @@
+/system/bin/kernel-tests/smd.* u:object_r:smd_test_exec:s0
+/system/bin/qmi-framework-tests/qmi_ping.*      u:object_r:qmi_ping_exec:s0
+/system/bin/qmi-framework-tests/qmi_test.*      u:object_r:qmi_test_service_exec:s0
+
+/system/bin/diag_dci_client      u:object_r:diagdciclient_exec:s0
+
+/system/bin/ptt_socket_app                      u:object_r:wcnss_service_exec:s0
+/system/bin/athdiag                             u:object_r:wcnss_service_exec:s0
+/system/bin/cld-fwlog-netlink                   u:object_r:wcnss_service_exec:s0
+/system/bin/cld-fwlog-record                    u:object_r:wcnss_service_exec:s0
+/system/bin/cld-fwlog-parser                    u:object_r:wcnss_service_exec:s0
+/system/bin/cnss_diag                           u:object_r:wcnss_service_exec:s0
+/system/bin/iwpriv                              u:object_r:wcnss_service_exec:s0
+/system/bin/iwconfig                            u:object_r:wcnss_service_exec:s0
+/system/bin/iw                                  u:object_r:wcnss_service_exec:s0
+/system/bin/iwlist                              u:object_r:wcnss_service_exec:s0
+/system/bin/iwss_test                           u:object_r:wcnss_service_exec:s0
+/system/bin/pktlogconf                          u:object_r:wcnss_service_exec:s0
+/system/bin/iperf                               u:object_r:wcnss_service_exec:s0
+/system/bin/mboxping                            u:object_r:wcnss_service_exec:s0
+/system/bin/sigma_dut                           u:object_r:wcnss_service_exec:s0
+/system/bin/pktlog                              u:object_r:wcnss_service_exec:s0
+/system/bin/hal_proxy_daemon                    u:object_r:wcnss_service_exec:s0
+/system/bin/Wifilogger_app                      u:object_r:wcnss_service_exec:s0
+/system/bin/hs20-osu-client                     u:object_r:wcnss_service_exec:s0
+/system/bin/ndc                                 u:object_r:wcnss_service_exec:s0
+/system/bin/playreadygtest(.*)                  u:object_r:sectest_exec:s0
+/system/bin/oem(.*)test                         u:object_r:sectest_exec:s0
+/system/bin/widevine(.*)                        u:object_r:sectest_exec:s0
+/system/bin/qseecom_sample_client               u:object_r:sectest_exec:s0
+/system/bin/isdbtmmtest                         u:object_r:sectest_exec:s0
+/system/bin/secure_ui_sample_client             u:object_r:sectest_exec:s0
+/system/bin/qseecom_security_test               u:object_r:sectest_exec:s0
+/system/bin/qfipsverify                         u:object_r:sectest_exec:s0
+/system/bin/qseecom_assurance_test              u:object_r:sectest_exec:s0
+/system/bin/drm_generic_prov_test               u:object_r:sectest_exec:s0
+/system/bin/ParserApp                           u:object_r:sectest_exec:s0
+/system/bin/StoreKeybox                         u:object_r:sectest_exec:s0
+/system/bin/InstallKeybox                       u:object_r:sectest_exec:s0
+
+#Context for location features
+/system/bin/sdp_test                            u:object_r:location_exec:s0
+/system/bin/icm_test                            u:object_r:location_exec:s0
+/system/bin/pf_test_app                         u:object_r:location_exec:s0
+/system/bin/quipc_ipe_test                      u:object_r:location_exec:s0
+/system/bin/ipead_test                          u:object_r:location_exec:s0
+/system/bin/quipc_iwmm_test                     u:object_r:location_exec:s0
+/system/bin/slimcw_test                         u:object_r:location_exec:s0
+/system/bin/lowi_test                           u:object_r:location_exec:s0
+/system/bin/test-lowi-client                    u:object_r:location_exec:s0
+/system/bin/quipc_os_api_test_1                 u:object_r:location_exec:s0
+/system/bin/quipc_os_api_test_2                 u:object_r:location_exec:s0
+/system/bin/loc_api_v02_utt                     u:object_r:location_exec:s0
+/system/bin/test-version                        u:object_r:location_exec:s0
+/system/bin/test-pos-tx                         u:object_r:location_exec:s0
+/system/bin/xtwifi-upload-test                  u:object_r:location_exec:s0
+/system/bin/test-fake-ap                        u:object_r:location_exec:s0
+/system/bin/loc_api_app                         u:object_r:location_exec:s0
+/system/bin/test_loc_api_client                 u:object_r:location_exec:s0
+
+#Context for mediaserver
+/data/display-tests/media(/.*)?                 u:object_r:display_test_media_file:s0
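Review bot: `/system/bin/ndc` (L3038) is the AOSP netd control client rather than a wcnss test tool, and labelling it wcnss_service_exec takes effect on user builds too, because test/ is in BOARD_SEPOLICY_DIRS unconditionally and file_contexts is not gated by userdebug_or_eng; the entry should be dropped or justified in a comment. `/system/bin/widevine(.*)` (L3041) is a prefix match that would also catch any non-test widevine binary shipped in /system/bin; anchor it to the test executables intended. The wcnss block has no heading, unlike the location and mediaserver sections; a `#Context for wcnss test tools` line would match the file's style.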
diff --git a/test/init_shell.te b/test/init_shell.te
new file mode 100755
index 0000000..4a47717
--- /dev/null
+++ b/test/init_shell.te
@@ -0,0 +1,5 @@
+userdebug_or_eng(`
+  domain_auto_trans(init_shell, su_exec, su)
+  allow init_shell fuse:dir create_dir_perms;
+  allow init_shell fuse:file create_file_perms;
+')
diff --git a/test/mediaserver_test.te b/test/mediaserver_test.te
new file mode 100644
index 0000000..338e67b
--- /dev/null
+++ b/test/mediaserver_test.te
@@ -0,0 +1,5 @@
+#Access to media files for testing
+userdebug_or_eng(`
+  allow mediaserver display_test_media_file:dir r_dir_perms;
+  allow mediaserver display_test_media_file:file r_file_perms;
+')
diff --git a/test/qmi_ping.te b/test/qmi_ping.te
new file mode 100644
index 0000000..c5808f1
--- /dev/null
+++ b/test/qmi_ping.te
@@ -0,0 +1,23 @@
+#must be defined for file_contexts
+type qmi_ping_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+  type qmi_ping, domain;
+  domain_auto_trans(shell, qmi_ping_exec, qmi_ping)
+  domain_auto_trans(adbd, qmi_ping_exec, qmi_ping)
+  #test launched from pseudo terminal, so output goes there
+  allow qmi_ping devpts:chr_file {read write ioctl getattr};
+  #to access smem logs
+  allow qmi_ping smem_log_device:chr_file {read write open ioctl};
+  #to enable qmuxd interface apis to access diag
+  allow qmi_ping diag_device:chr_file {read write open ioctl};
+  #enable accessing the path where qmuxds named sockets are present
+  #to interface with qmuxd through unix sockets
+  #to use socket interface to ipc router
+  allow qmi_ping qmi_ping:socket {create bind read write ioctl setopt};
+  #enable running test as root user => privileged process
+  #enable privileged processes to bypass permission checks
+  allow qmi_ping qmi_ping:capability {dac_override dac_read_search setgid setuid fsetid};
+  #QCCI calls qmuxd API.  The API will internally require this
+  qmux_socket(qmi_ping);
+')
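Review bot: The comments at L3116–L3117 (`#enable accessing the path where qmuxds named sockets are present` / `#to interface with qmuxd through unix sockets`) sit above a socket rule about the IPC router and actually describe the `qmux_socket(qmi_ping);` call further down, so they should move next to it; test/qmi_test_service.te (L3147–L3148) has the same misplaced pair. `allow qmi_ping qmi_ping:socket ...` and `allow qmi_ping qmi_ping:capability ...` are self rules and read better as `allow qmi_ping self:socket { ... };`, matching the rest of the tree. The capability set `{dac_override dac_read_search setgid setuid fsetid}` is accepted for a userdebug test, but the comment "enable running test as root user" should name which of these the test exercises so the set can be trimmed later.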
diff --git a/test/qmi_test_service.te b/test/qmi_test_service.te
new file mode 100644
index 0000000..55066bb
--- /dev/null
+++ b/test/qmi_test_service.te
@@ -0,0 +1,28 @@
+#must be defined for file_contexts
+type qmi_test_service_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+  type qmi_test_service, domain;
+  domain_auto_trans(shell, qmi_test_service_exec, qmi_test_service)
+  domain_auto_trans(adbd, qmi_test_service_exec, qmi_test_service)
+  #enable access to loader in 64 bit system
+  allow qmi_test_service shell:fd use;
+  #test is launched from pseudo terminal so output goes there
+  allow qmi_test_service devpts:chr_file {read write getattr ioctl};
+  #to access smem log
+  allow qmi_test_service smem_log_device:chr_file {read write open ioctl};
+  #to enable qmuxd interface apis to access diag
+  allow qmi_test_service diag_device:chr_file {read write open ioctl};
+  #enable accessing the path where qmuxds named sockets are present
+  #to interface with qmuxd through unix sockets
+  #to access ipc router socket
+  allow qmi_test_service qmi_test_service:socket {create bind ioctl read write setopt};
+  #enable running test as root user => privileged process
+  #enable privileged processes to bypass permission checks
+  allow qmi_test_service qmi_test_service:capability {dac_override dac_read_search setgid setuid fsetid};
+  #QCCI calls qmuxd API.  The API will internally require this
+  qmux_socket(qmi_test_service);
+  #enable accessing the system health monitor to check the system health,
+  #if a request times out
+  allow qmi_test_service system_health_monitor_device:chr_file rw_file_perms;
+')
diff --git a/test/sectest.te b/test/sectest.te
new file mode 100755
index 0000000..e248a61
--- /dev/null
+++ b/test/sectest.te
@@ -0,0 +1,22 @@
+type sectest, domain;
+type sectest_exec, exec_type, file_type;
+userdebug_or_eng(`
+  init_daemon_domain(sectest)
+  # allow sectest access to drm related paths
+  allow sectest persist_file:dir r_dir_perms;
+  r_dir_file(sectest, persist_data_file)
+  # Write to drm related pieces of persist partition
+  allow sectest persist_drm_file:dir create_dir_perms;
+  allow sectest persist_drm_file:file create_file_perms;
+  allow sectest tee_device:chr_file rw_file_perms;
+
+  # Allow qseecom to qsee folder so that listeners can create
+  # respective directories
+  allow sectest data_qsee_file:dir create_dir_perms;
+  allow sectest data_qsee_file:file create_file_perms;
+  allow sectest system_data_file:dir r_dir_perms;
+
+  # Allow secure apps to access /data for older targets
+  allow sectest system_data_file:dir create_dir_perms;
+  allow sectest system_data_file:file create_file_perms;
+')
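Review bot: `allow sectest system_data_file:dir r_dir_perms;` at L3182 is subsumed by the `create_dir_perms` rule at L3185 and can be removed. The two system_data_file create rules at L3185–L3186 reproduce the per-platform qseecomd.te block for the `tee` domain, and the comment "for older targets" gives no way to know when they can be retired; a TODO naming those targets would. `type sectest, domain;` is declared outside userdebug_or_eng while `init_daemon_domain(sectest)` is inside it, so on user builds the domain exists but nothing transitions into it — fine if intended, but say so in a comment, since test/file_contexts labels many binaries sectest_exec on all builds.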
diff --git a/test/sensors_test.te b/test/sensors_test.te
new file mode 100644
index 0000000..2d8d222
--- /dev/null
+++ b/test/sensors_test.te
@@ -0,0 +1,17 @@
+# Policy for sensor test binaries
+type sensors_test_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+  type sensors_test, domain;
+
+  domain_auto_trans(shell, sensors_test_exec, sensors_test)
+  domain_auto_trans(adbd, sensors_test_exec, sensors_test)
+
+  allow sensors_test devpts:chr_file rw_file_perms;
+  allow sensors_test sensors:unix_stream_socket connectto;
+  allow sensors_test sensors_device:chr_file rw_file_perms;
+  allow sensors_test sensors_socket:sock_file rw_file_perms;
+  allow sensors_test smd_device:chr_file rw_file_perms;
+  allow sensors_test socket_device:dir r_dir_perms;
+  allow system_app sensors_test_exec:file rx_file_perms;
+')
diff --git a/test/smd_test.te b/test/smd_test.te
new file mode 100644
index 0000000..b5b2df1
--- /dev/null
+++ b/test/smd_test.te
@@ -0,0 +1,13 @@
+#must be defined for file_contexts
+type smd_test_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+  type smd_test, domain;
+  domain_auto_trans(shell, smd_test_exec, smd_test)
+  domain_auto_trans(adbd, smd_test_exec, smd_test)
+  #SMD device node and test file contexts
+  allow smd_test smd_device:chr_file {ioctl read write open getattr append};
+  #tests are launched from pseudo terminal, so output will be directed there
+  #and as such needs adequate allow rules
+  allow smd_test devpts:chr_file {ioctl read write open getattr};
+')
diff --git a/test/system_app.te b/test/system_app.te
new file mode 100644
index 0000000..56821a7
--- /dev/null
+++ b/test/system_app.te
@@ -0,0 +1,8 @@
+#============= system_app ==============
+userdebug_or_eng(`
+  # Rules for QSensors Test Application
+  allow system_app sensors:unix_stream_socket connectto;
+  allow system_app sensors_device:chr_file getattr;
+  allow system_app sensors_socket:sock_file write;
+  allow system_app socket_device:dir read;
+')
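Review bot: `allow system_app sensors:unix_stream_socket connectto;` plus `allow system_app sensors_socket:sock_file write;` is the expanded form of `unix_socket_connect(system_app, sensors, sensors)`; using the macro keeps the file consistent with the rest of the tree. The `allow system_app sensors_test_exec:file rx_file_perms;` rule at L3209 in test/sensors_test.te grants a permission to system_app and belongs in this block with the other QSensors test rules.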