Merge "sepolicy : added ueventd write permission to sysfs_battery_supply sysfs_usb_supply and sysfs_thermal."
diff --git a/Android.mk b/Android.mk
index 6bb46bc..98db201 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1,4 +1,5 @@
 # Board specific SELinux policy variable definitions
+ifeq ($(call is-vendor-board-platform,QCOM),true)
 BOARD_SEPOLICY_DIRS := \
        device/qcom/sepolicy \
        device/qcom/sepolicy/common \
@@ -8,6 +9,7 @@
 BOARD_SEPOLICY_UNION := \
        genfs_contexts \
        file_contexts \
+       service_contexts \
        device.te \
        vold.te \
        ueventd.te \
@@ -33,12 +35,34 @@
        diag.te \
        diag_test.te \
        audiod.te \
-       sensors.te \
-       sensors_test.te \
+       service.te \
        system_app.te \
        thermal-engine.te \
        global_macros.te \
        system_app.te \
        bluetooth.te \
        init_shell.te \
-       mpdecision.te
+       mpdecision.te \
+       mm-qcamerad.te \
+       domain.te \
+       init_shell.te \
+       time_daemon.te \
+       rmt_storage.te \
+       hvdcp.te \
+       qseecomd.te \
+       mcStarter.te \
+       keystore.te \
+       ims_rmt.te
+
+# Compile sensor pilicy only for SSC targets
+SSC_TARGET_LIST := apq8084
+SSC_TARGET_LIST += msm8226
+SSC_TARGET_LIST += msm8960
+SSC_TARGET_LIST += msm8974
+SSC_TARGET_LIST += msm8994
+
+#ifeq ($(call is-board-platform-in-list,$(SSC_TARGET_LIST)),true)
+BOARD_SEPOLICY_UNION += sensors.te
+BOARD_SEPOLICY_UNION += sensors_test.te
+#endif
+endif
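Review bot: `init_shell.te` is now listed twice in `BOARD_SEPOLICY_UNION` (the existing entry before `mpdecision.te` and the new `+       init_shell.te` after `domain.te`), and `system_app.te` was already duplicated before this change; one entry each is enough and avoids duplicate-policy build failures on toolchains that do not dedupe the list. The `#ifeq ($(call is-board-platform-in-list,$(SSC_TARGET_LIST)),true)` / `#endif` pair is commented out, so `SSC_TARGET_LIST` is dead and `sensors.te`/`sensors_test.te` are unioned in unconditionally, contradicting the comment above it; either enable the conditional or drop the list. That comment also has a typo: `# Compile sensor policy only for SSC targets`.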
diff --git a/common/atfwd.te b/common/atfwd.te
index 4108a5c..6cf530b 100644
--- a/common/atfwd.te
+++ b/common/atfwd.te
@@ -2,23 +2,14 @@
 type atfwd_exec, exec_type, file_type;
 
 # Started by init
-#init_daemon_domain(atfwd)
-
-#============= atfwd ==============
-#Set CTL property
-#allow atfwd ctl_default_prop:property_service set;
-
-#Allow logging
-#allow atfwd diag_device:chr_file { read write open };
-
-# Talks to init via the property socket.
-#unix_socket_connect(atfwd, property, init);
+init_daemon_domain(atfwd)
 
 # Creates/Talks to qmuxd via the qmux_radio socket.
-#unix_socket_connect(atfwd, qmux_radio, qmuxd);
-#allow atfwd qmux_radio_socket:sock_file create;
-#allow atfwd qmux_radio_socket:dir { write search add_name };
+allow atfwd qmux_radio_socket:dir rw_dir_perms;
+allow atfwd qmux_radio_socket:sock_file create_file_perms;
+unix_socket_connect(atfwd, qmux_radio, qmuxd);
 
 #Allow IPC binding with ServiceManager & System apps
-#allow atfwd servicemanager:binder call;
-#allow atfwd system_app:binder call;
+binder_use(atfwd);
+binder_call(atfwd, system_app);
+binder_call(atfwd, servicemanager);
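Review bot: `allow atfwd qmux_radio_socket:dir rw_dir_perms;` together with `create_file_perms` on the sock_file lets atfwd create, unlink and rename entries in the qmux socket directory, whereas radio.te, another qmuxd client touched by this change, gets only `qmux_radio_socket:dir search` plus `unix_socket_connect`. If atfwd is only a client of qmuxd, trim this to `allow atfwd qmux_radio_socket:dir search;` and let `unix_socket_connect(atfwd, qmux_radio, qmuxd)` supply the sock_file write; keep the wider set only if atfwd really creates a socket there, and say so in the comment. The `# Started by init` comment now sits above a live `init_daemon_domain(atfwd)`, which presumes a `type atfwd, domain;` declaration on the line before this hunk.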
diff --git a/common/device.te b/common/device.te
index 3b074a4..0702ccf 100755
--- a/common/device.te
+++ b/common/device.te
@@ -26,11 +26,15 @@
 #Define mpdecision device
 type device_latency, dev_type;
 
-#Define qrngd device
-type qrng_device, dev_type;
-
 #Define rct device type for time daemon
 type rtc_device, dev_type;
 
 #Added for fm_radio device
 type  fm_radio_device, dev_type;
+
+#Add for storage pertitions for EFS partitions
+type modem_efs_partition_device, dev_type;
+
+#Define device for partition links
+type ssd_device, dev_type;
+type rpmb_device, dev_type;
diff --git a/common/domain.te b/common/domain.te
new file mode 100644
index 0000000..07223d1
--- /dev/null
+++ b/common/domain.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+  allow domain diag_device:chr_file rw_file_perms;
+')
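Review bot: `allow domain diag_device:chr_file rw_file_perms;` grants every domain on userdebug/eng builds, app domains included, read/write access to the modem diagnostic interface, which is a broad surface for a debug convenience. Prefer granting it to the specific daemons that use diag (sensors.te already adds its own `userdebug_or_eng` rule in this change), or at least add a comment naming the tools this is for so it can be pruned later. As written it also makes every per-domain diag rule redundant on debug builds, which hides which domains actually need it.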
diff --git a/common/drmserver.te b/common/drmserver.te
index 412b890..9275aa6 100644
--- a/common/drmserver.te
+++ b/common/drmserver.te
@@ -1,2 +1,5 @@
 #Address denial logs for drm server accessing firmware file
 allow drmserver firmware_file:file { read getattr open };
+
+#Address denial logs for drm server accessing qseecom driver
+allow drmserver qseecom_device:chr_file { read write ioctl open };
diff --git a/common/file.te b/common/file.te
index 8676045..1b545c5 100755
--- a/common/file.te
+++ b/common/file.te
@@ -27,7 +27,6 @@
 type proc_audiod, fs_type;
 
 # Sensor file types
-type sensors_system_file, file_type;
 type sensors_socket, file_type;
 type sensors_data_file, file_type, data_file_type;
 type sensors_persist_file, file_type;
@@ -59,3 +58,9 @@
 type sysfs_mpdecision, fs_type, sysfs_type;
 type sysfs_rqstats, fs_type, sysfs_type;
 type sysfs_cpu_online, fs_type, sysfs_type;
+
+#mm-qcamera-daemon socket
+type camera_socket, file_type;
+
+#Socket node needed by ims_data daemon
+type ims_socket, file_type;
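Review bot: `camera_socket` is declared as `file_type` only, yet the `/data/camera(/.*)?` entry in file_contexts applies it to a whole /data subtree (directories and regular files, not just a socket node); the neighbouring `sensors_data_file` carries `data_file_type` for exactly that situation. If /data/camera holds more than the daemon's socket, declare it `type camera_socket, file_type, data_file_type;` or introduce a separate `camera_data_file` type, so that policy which keys on `data_file_type` for /data still covers it. `ims_socket` is used only for /dev/socket nodes and looks right as is.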
diff --git a/common/file_contexts b/common/file_contexts
index f6c0c93..966ac1c 100755
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -1,156 +1,121 @@
-/dev/qseecom      u:object_r:qseecom_device:s0
+###################################
+# Dev nodes
+#
+/dev/adsprpc-smd                                u:object_r:qdsp_device:s0
+/dev/cpu_dma_latency                            u:object_r:device_latency:s0
+/dev/diag                                       u:object_r:diag_device:s0
+/dev/hsicctl.*                                  u:object_r:hsic_device:s0
+/dev/kgsl-3d0                                   u:object_r:gpu_device:s0
+/dev/mhi_pipe_.*                                u:object_r:mhi_device:s0
+/dev/msm_.*                                     u:object_r:audio_device:s0
+/dev/msm_dsps                                   u:object_r:sensors_device:s0
+/dev/msm_thermal_query                          u:object_r:thermal_device:s0
+/dev/nfc-nci                                    u:object_r:nfc_device:s0
+/dev/qseecom                                    u:object_r:qseecom_device:s0
+/dev/radio0                                     u:object_r:fm_radio_device:s0
+/dev/rtc0                                       u:object_r:rtc_device:s0
+/dev/sensors                                    u:object_r:sensors_device:s0
+/dev/smd.*                                      u:object_r:smd_device:s0
+/dev/smem_log                                   u:object_r:smem_log_device:s0
+/dev/subsys_esoc0                               u:object_r:subsys_esoc0_device:s0
+/dev/ttyHSL0                                    u:object_r:console_device:s0
+/dev/ttyHS[0-9]*                                u:object_r:serial_device:s0
+/dev/usb_ext_chg                                u:object_r:hvdcp_device:s0
+/dev/media([0-9])+                              u:object_r:camera_device:s0
+/dev/jpeg[0-9]*                                 u:object_r:camera_device:s0
+/dev/v4l-subdev.*                               u:object_r:camera_device:s0
+/dev/block/bootdevice/by-name/modemst1          u:object_r:modem_efs_partition_device:s0
+/dev/block/bootdevice/by-name/modemst2          u:object_r:modem_efs_partition_device:s0
+/dev/block/bootdevice/by-name/fsg               u:object_r:modem_efs_partition_device:s0
+/dev/block/bootdevice/by-name/fsc               u:object_r:modem_efs_partition_device:s0
+/dev/block/bootdevice/by-name/ssd               u:object_r:ssd_device:s0
+/dev/block/bootdevice/by-name/rpmb              u:object_r:rpmb_device:s0
+###################################
+# Dev socket nodes
+#
+/dev/socket/qmux_audio                          u:object_r:qmux_audio_socket:s0
+/dev/socket/qmux_bluetooth                      u:object_r:qmux_bluetooth_socket:s0
+/dev/socket/qmux_gps                            u:object_r:qmux_gps_socket:s0
+/dev/socket/qmux_radio                          u:object_r:qmux_radio_socket:s0
+/dev/socket/sensor_ctl_socket                   u:object_r:sensors_socket:s0
+/dev/socket/cnd                                 u:object_r:cnd_socket:s0
+/dev/socket/nims                                u:object_r:cnd_socket:s0
+/dev/socket/thermal-send-client                 u:object_r:thermal_socket:s0
+/dev/socket/thermal-recv-client                 u:object_r:thermal_socket:s0
+/dev/socket/thermal-recv-passive-client         u:object_r:thermal_socket:s0
+/dev/socket/ims_qmid                            u:object_r:ims_socket:s0
+/dev/socket/ims_datad                           u:object_r:ims_socket:s0
+/dev/socket/ims_rtpd                            u:object_r:ims_socket:s0
 
-#Contexts for the qmux sockets
-/dev/socket/qmux_audio       u:object_r:qmux_audio_socket:s0
-/dev/socket/qmux_bluetooth   u:object_r:qmux_bluetooth_socket:s0
-/dev/socket/qmux_gps         u:object_r:qmux_gps_socket:s0
-/dev/socket/qmux_radio       u:object_r:qmux_radio_socket:s0
-
-#Context for irq balence
-/system/bin/msm_irqbalance u:object_r:msm_irqbalanced_exec:s0
-
-#Context for the logging
-/dev/diag     u:object_r:diag_device:s0
-/system/bin/test_diag            u:object_r:diag_exec:s0
-/system/bin/PktRspTest           u:object_r:diag_exec:s0
-/system/bin/diag_callback_client u:object_r:diag_exec:s0
-/system/bin/diag_dci_sample      u:object_r:diag_exec:s0
-/system/bin/diag_klog            u:object_r:diag_exec:s0
-/system/bin/diag_mdlog           u:object_r:diag_exec:s0
-/system/bin/diag_socket_log      u:object_r:diag_exec:s0
-/system/bin/diag_uart_log        u:object_r:diag_exec:s0
-/system/bin/diag_qshrink4_daemon u:object_r:diag_exec:s0
-/data/diag_log(/.*)?             u:object_r:diag_data_file:s0
-
-/dev/smem_log u:object_r:smem_log_device:s0
-
-#Context for the hsic devices
-/dev/hsicctl.*        u:object_r:hsic_device:s0
-
-#Context for the mhi devices
-/dev/mhi_pipe_.*      u:object_r:mhi_device:s0
-
-#Context for the timeout for platform specific transports
-/sys/devices/virtual/hsicctl/hsicctl[0-9]/modem_wait    u:object_r:sysfs_hsic_modem_wait:s0
-/sys/devices/virtual/hsicctl/hsicctl1[0-9]/modem_wait   u:object_r:sysfs_hsic_modem_wait:s0
-/sys/devices/virtual/smdpkt/smdcntl[0-9]/open_timeout   u:object_r:sysfs_smd_open_timeout:s0
-/sys/devices/virtual/smdpkt/smdcntl1[0-9]/open_timeout  u:object_r:sysfs_smd_open_timeout:s0
-
-#Context for the files written during the operation of netmgrd and qmuxd
-/data/data_test(/.*)?  u:object_r:data_test_data_file:s0
-
-#Context for the netmgrd and qmuxd daemons
-/system/bin/netmgrd        u:object_r:netmgrd_exec:s0
-/system/bin/qmuxd          u:object_r:qmuxd_exec:s0
-/dev/kgsl-3d0              u:object_r:gpu_device:s0
-
-#Context for ATFWD daemon
-/system/bin/ATFWD-daemon   u:object_r:atfwd_exec:s0
-
-/dev/smd.*  	 	   u:object_r:smd_device:s0
-/system/bin/irsc_util	   u:object_r:irsc_util_exec:s0
-# Persist filesystem
-/persist(/.*)?             u:object_r:persist_file:s0
-
-/dev/subsys_esoc0          u:object_r:subsys_esoc0_device:s0
-
-#Context for cnd
-/dev/socket/cnd     u:object_r:cnd_socket:s0
-/system/bin/cnd     u:object_r:cnd_exec:s0
-/dev/socket/nims    u:object_r:cnd_socket:s0
-/data/connectivity(/.*)? u:object_r:cnd_data_file:s0
-
-#context for audio devices
-/dev/msm_.*                     u:object_r:audio_device:s0
-/system/bin/audiod              u:object_r:audiod_exec:s0
-
-# Context for sensor objects
-# Sensor devices
-/dev/sensors                           u:object_r:sensors_device:s0
-/dev/msm_dsps                          u:object_r:sensors_device:s0
-
-# Sensor socket
-/dev/socket/sensor_ctl_socket          u:object_r:sensors_socket:s0
-
-# Sensor system files
-/system/bin/sensors.qcom               u:object_r:sensors_exec:s0
-/system/bin/sns.*                      u:object_r:sensors_test_exec:s0
-/system/etc/sensors(/.*)?              u:object_r:sensors_system_file:s0
-/system/etc/sensor_def_qcomdev.conf    u:object_r:sensors_system_file:s0
-
-# Sensor data files
-/data/misc/sensors(/.*)?               u:object_r:sensors_data_file:s0
-
-# Sensor persist files
-/persist/sensors(/.*)?                 u:object_r:sensors_persist_file:s0
-
-#Contexts for thermal-engine
-/system/bin/thermal-engine                               u:object_r:thermal-engine_exec:s0
-/dev/msm_thermal_query                                   u:object_r:thermal_device:s0
-/sys/devices/platform/battery_current_limit              u:object_r:sysfs_thermal:s0
-/sys/devices/.*bcl.*(/.*)?                               u:object_r:sysfs_thermal:s0
-/sys/module/msm_thermal(/.*)?                            u:object_r:sysfs_thermal:s0
-/sys/class/thermal(/.*)?                                 u:object_r:sysfs_thermal:s0
-/sys/devices/virtual/thermal(/.*)?                       u:object_r:sysfs_thermal:s0
-/dev/socket/thermal-send-client                          u:object_r:thermal_socket:s0
-/dev/socket/thermal-recv-client                          u:object_r:thermal_socket:s0
-/dev/socket/thermal-recv-passive-client                  u:object_r:thermal_socket:s0
-
-#Add context for adsp device
-/dev/adsprpc-smd u:object_r:qdsp_device:s0
-
-# Contexts for UART
-/dev/ttyHSL0                  u:object_r:console_device:s0
-/dev/ttyHS[0-9]*              u:object_r:serial_device:s0
-
-# UART DebugFS
-/sys/module/msm_serial_hs/parameters/debug_mask u:object_r:sysfs_msmuart_file:s0
-
+###################################
 # System files
-#/system/bin/rmt_storage       u:object_r:rmt_storage_exec:s0
-#/system/bin/rfs_access        u:object_r:rfs_access_exec:s0
+#
+/system/bin/ATFWD-daemon                        u:object_r:atfwd_exec:s0
+/system/bin/PktRspTest                          u:object_r:diag_exec:s0
+/system/bin/audiod                              u:object_r:audiod_exec:s0
+/system/bin/cnd                                 u:object_r:cnd_exec:s0
+/system/bin/diag_callback_client                u:object_r:diag_exec:s0
+/system/bin/diag_dci_sample                     u:object_r:diag_exec:s0
+/system/bin/diag_klog                           u:object_r:diag_exec:s0
+/system/bin/diag_mdlog                          u:object_r:diag_exec:s0
+/system/bin/diag_qshrink4_daemon                u:object_r:diag_exec:s0
+/system/bin/diag_socket_log                     u:object_r:diag_exec:s0
+/system/bin/diag_uart_log                       u:object_r:diag_exec:s0
+/system/bin/irsc_util                           u:object_r:irsc_util_exec:s0
+/system/bin/mpdecision                          u:object_r:mpdecision_exec:s0
+/system/bin/msm_irqbalance                      u:object_r:msm_irqbalanced_exec:s0
+/system/bin/netmgrd                             u:object_r:netmgrd_exec:s0
+/system/bin/qmuxd                               u:object_r:qmuxd_exec:s0
+/system/bin/sensors.qcom                        u:object_r:sensors_exec:s0
+/system/bin/sns.*                               u:object_r:sensors_test_exec:s0
+/system/bin/test_diag                           u:object_r:diag_exec:s0
+/system/bin/thermal-engine                      u:object_r:thermal-engine_exec:s0
+/system/bin/mm-qcamera-daemon                   u:object_r:mm-qcamerad_exec:s0
+/system/rfs.*                                   u:object_r:rfs_system_file:s0
+/system/bin/time_daemon                         u:object_r:time_daemon_exec:s0
+/system/bin/rmt_storage                         u:object_r:rmt_storage_exec:s0
+/system/bin/hvdcp                               u:object_r:hvdcp_exec:s0
+/system/bin/qseecomd                            u:object_r:qseecomd_exec:s0
 
-# Storage RFS files
-/system/rfs.*                 u:object_r:rfs_system_file:s0
-/data/rfs.*                   u:object_r:rfs_data_file:s0
+###################################
+# sysfs files
+#
+/sys/class/graphics/fb0/mdp/caps                                    u:object_r:sysfs_graphics:s0
+/sys/class/thermal(/.*)?                                            u:object_r:sysfs_thermal:s0
+/sys/devices/.*bcl.*(/.*)?                                          u:object_r:sysfs_thermal:s0
+/sys/devices/f9200000.*/power_supply/usb(/.*)?                      u:object_r:sysfs_usb_supply:s0
+/sys/devices/msm_dwc3/power_supply/usb(/.*)?                        u:object_r:sysfs_usb_supply:s0
+/sys/devices/msm_otg/power_supply/usb(/.*)?                         u:object_r:sysfs_usb_supply:s0
+/sys/devices/platform/battery_current_limit                         u:object_r:sysfs_thermal:s0
+/sys/devices/qpnp-charger.*/power_supply/battery(/.*)?              u:object_r:sysfs_battery_supply:s0
+/sys/devices/system/cpu/cpu0/rq-stats/*                             u:object_r:sysfs_rqstats:s0
+/sys/devices/virtual/graphics/fb0/idle_time                         u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb1/product_description               u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb1/vendor_name                       u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/hsicctl/hsicctl1[0-9]/modem_wait               u:object_r:sysfs_hsic_modem_wait:s0
+/sys/devices/virtual/hsicctl/hsicctl[0-9]/modem_wait                u:object_r:sysfs_hsic_modem_wait:s0
+/sys/devices/virtual/smdpkt/smdcntl1[0-9]/open_timeout              u:object_r:sysfs_smd_open_timeout:s0
+/sys/devices/virtual/smdpkt/smdcntl[0-9]/open_timeout               u:object_r:sysfs_smd_open_timeout:s0
+/sys/devices/virtual/thermal(/.*)?                                  u:object_r:sysfs_thermal:s0
+/sys/module/msm_serial_hs/parameters/debug_mask                     u:object_r:sysfs_msmuart_file:s0
+/sys/module/msm_thermal(/.*)?                                       u:object_r:sysfs_thermal:s0
+/sys/module/msm_thermal/core_control/cpus_offlined                  u:object_r:sysfs_mpdecision:s0
+/sys/devices/f9a55000.*/power_supply/usb(/.*)?                      u:object_r:sysfs_usb_supply:s0
 
-# Contexts for mm-pp-daemon
-#/system/bin/mm-pp-daemon u:object_r:mm-pp-daemon_exec:s0
+###################################
+# data files
+#
+/data/connectivity(/.*)?                                            u:object_r:cnd_data_file:s0
+/data/data_test(/.*)?                                               u:object_r:data_test_data_file:s0
+/data/diag_log(/.*)?                                                u:object_r:diag_data_file:s0
+/data/misc/sensors(/.*)?                                            u:object_r:sensors_data_file:s0
+/data/rfs.*                                                         u:object_r:rfs_data_file:s0
+/data/camera(/.*)?                                                  u:object_r:camera_socket:s0
+/data/system/sensors(/.*)?                                          u:object_r:sensors_data_file:s0
+/data/time/*                                                        u:object_r:time_data_file:s0
 
-#Contexts for SurfaceFlinger sysfs nodes all other in this folder get
-#default context (i.e.,sysfs) .
-/sys/devices/virtual/graphics/fb0/idle_time u:object_r:sysfs_graphics:s0
-/sys/class/graphics/fb0/mdp/caps u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb1/vendor_name u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb1/product_description u:object_r:sysfs_graphics:s0
-
-# These are for quick charge related entries
-#/system/bin/hvdcp                                               u:object_r:hvdcp_exec:s0
-/dev/usb_ext_chg                                                u:object_r:hvdcp_device:s0
-
-# USB power supply related entries other entries like /sys/devices/f9axxx
-# are device specific will go to respective folder
-/sys/devices/msm_otg/power_supply/usb(/.*)?                     u:object_r:sysfs_usb_supply:s0
-/sys/devices/f9200000.*/power_supply/usb(/.*)?                  u:object_r:sysfs_usb_supply:s0
-/sys/devices/msm_dwc3/power_supply/usb(/.*)?                    u:object_r:sysfs_usb_supply:s0
-/sys/devices/qpnp-charger.*/power_supply/battery(/.*)?          u:object_r:sysfs_battery_supply:s0
-
-#Context for mpdecision
-/sys/module/msm_thermal/core_control/cpus_offlined              u:object_r:sysfs_mpdecision:s0
-/dev/cpu_dma_latency                                            u:object_r:device_latency:s0
-/system/bin/mpdecision                                          u:object_r:mpdecision_exec:s0
-/sys/devices/system/cpu/cpu0/rq-stats/*                         u:object_r:sysfs_rqstats:s0
-
-#QSEECOM related contexts
-#/system/bin/qseecomd         u:object_r:qseecomd_exec:s0
-/dev/msm-rng                 u:object_r:qrng_device:s0
-#/system/bin/qrngd            u:object_r:qrngd_exec:s0
-
-# Files and devices
-#/system/bin/time_daemon       u:object_r:time_daemon_exec:s0
-/dev/rtc0                     u:object_r:rtc_device:s0
-#/data/time/*                  u:object_r:time_data_file:s0
-
-#Added for fm_radio  device
-/dev/radio0                   u:object_r:fm_radio_device:s0
-
+###################################
+# persist files
+#
+/persist(/.*)?                                                      u:object_r:persist_file:s0
+/persist/sensors(/.*)?                                              u:object_r:sensors_persist_file:s0
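Review bot: `/data/time/*` (re-enabled from its commented-out form) is a regular expression, so the `*` applies to the preceding `/` and the pattern matches only `/data/time` with zero or more trailing slashes, never the files time_daemon creates underneath it; write it as `/data/time(/.*)?  u:object_r:time_data_file:s0` like the other data entries in this section. `/sys/devices/system/cpu/cpu0/rq-stats/*` has the same shape but is carried over unchanged. Dropping the `/dev/msm-rng` line (together with `qrng_device` in device.te) leaves that node on the default `device` label unless another file_contexts fragment still labels it, which is worth confirming since the RNG node then shares the generic device access surface.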
diff --git a/common/hvdcp.te b/common/hvdcp.te
new file mode 100644
index 0000000..9d3c4da
--- /dev/null
+++ b/common/hvdcp.te
@@ -0,0 +1,16 @@
+# HVDVP quickcharge
+type hvdcp, domain;
+type hvdcp_exec, exec_type, file_type;
+
+# Make transition to its own HVDCP domain from init
+init_daemon_domain(hvdcp)
+
+# Add rules for access permissions
+allow hvdcp hvdcp_device:chr_file rw_file_perms;
+allow hvdcp sysfs_battery_supply:file rw_file_perms;
+allow hvdcp sysfs_battery_supply:dir { search };
+allow hvdcp sysfs_usb_supply:file rw_file_perms;
+allow hvdcp sysfs_usb_supply:dir { search };
+allow hvdcp self:capability { setgid setuid };
+allow hvdcp cgroup:dir { create add_name };
+allow hvdcp self:netlink_kobject_uevent_socket create_socket_perms;
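Review bot: The header comment has a typo (`# HVDVP quickcharge` should read `# HVDCP quickcharge`), and the non-obvious grants below it carry no why-comments: `self:capability { setgid setuid }`, `cgroup:dir { create add_name }` and the `netlink_kobject_uevent_socket` rule. A line such as `# Drops to an unprivileged uid/gid after start` above the capability rule (if that is what the daemon does; confirm) and `# Listens for power-supply uevents` above the netlink rule would make the intent checkable. `sysfs_battery_supply` and `sysfs_usb_supply` get `rw_file_perms` but only `search` on the directory, so the daemon cannot enumerate those sysfs directories; fine if it opens fixed paths, otherwise `r_dir_perms` is needed.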
diff --git a/common/ims_rmt.te b/common/ims_rmt.te
new file mode 100644
index 0000000..7e98c2d
--- /dev/null
+++ b/common/ims_rmt.te
@@ -0,0 +1,10 @@
+#integrated sensor process
+type ims_rtp_daemon, domain;
+type ims_rtp_daemon_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(ims_rtp_daemon)
+
+allow radio ims_socket:sock_file { open read write };
+allow ims_rtp_daemon ims_socket:sock_file { open read write };
+
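Review bot: `init_daemon_domain(ims_rtp_daemon)` has no matching executable label: the rewritten file_contexts in this change contains no `ims_rtp_daemon_exec` entry, so unless a device-specific file_contexts labels the binary, init will start it in the `init` domain and none of these rules apply. `allow radio ims_socket:sock_file { open read write };` belongs in radio.te, which this same change also touches with a narrower `allow radio ims_socket:sock_file write;`; keep a single rule there. The header `#integrated sensor process` does not describe an IMS RTP daemon; `# IMS RTP daemon` would be accurate, and the file ends with a stray blank line.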
diff --git a/common/keystore.te b/common/keystore.te
new file mode 100644
index 0000000..589fc18
--- /dev/null
+++ b/common/keystore.te
@@ -0,0 +1,2 @@
+# Allow keystore to operate using qseecom_device
+allow keystore qseecom_device:chr_file { read write ioctl open };
diff --git a/common/mcStarter.te b/common/mcStarter.te
new file mode 100644
index 0000000..30ae91c
--- /dev/null
+++ b/common/mcStarter.te
@@ -0,0 +1,7 @@
+# mobicore daemon
+type mcStarter, domain;
+type mcStarter_exec, exec_type, file_type;
+init_daemon_domain(mcStarter)
+
+# Allow Mobicore to use qseecom services for loading the app
+allow mcStarter qseecom_device:chr_file { read write ioctl open };
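Review bot: Same gap as ims_rmt.te: the file_contexts rewritten in this change has no entry labelling any binary `mcStarter_exec`, so `init_daemon_domain(mcStarter)` cannot transition and the daemon would run as `init` unless the label is supplied elsewhere. Add the file_contexts entry for the daemon binary (path to be confirmed) alongside the other `/system/bin` daemons added in this change, or note in the comment where that label lives.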
diff --git a/common/mediaserver.te b/common/mediaserver.te
index b67ad17..a0a6d5f 100644
--- a/common/mediaserver.te
+++ b/common/mediaserver.te
@@ -1,2 +1,7 @@
 # allow mediaserver to communicate with cnd
 unix_socket_connect(mediaserver, cnd, cnd)
+
+allow mediaserver camera_device:chr_file rw_file_perms;
+unix_socket_send(mediaserver, camera, mm-qcamerad)
+
+allow mediaserver qseecom_device:chr_file { read write ioctl open };
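Review bot: The `qseecom_device` grant at the end of the hunk has no comment, unlike the cnd and camera rules above it; add a one-liner naming which mediaserver component opens /dev/qseecom (e.g. `# secure media path via qseecom -- confirm`), since the same grant is copied into keystore.te, mcStarter.te and drmserver.te in this change and reviewers will want to know why each domain has it. `unix_socket_send(mediaserver, camera, mm-qcamerad)` grants dgram `sendto`; if the channel under /data/camera is a stream socket the mediaserver side should be `unix_socket_connect` instead, so confirm the socket type against mm-qcamerad's implementation.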
diff --git a/common/mm-qcamerad.te b/common/mm-qcamerad.te
new file mode 100644
index 0000000..fd4371d
--- /dev/null
+++ b/common/mm-qcamerad.te
@@ -0,0 +1,21 @@
+type mm-qcamerad, domain;
+type mm-qcamerad_exec, exec_type, file_type;
+init_daemon_domain(mm-qcamerad)
+
+userdebug_or_eng(`
+  allow mm-qcamerad debugfs:dir search;
+')
+
+#Communicate with user land process through domain socket
+allow mm-qcamerad camera_socket:sock_file { create unlink write };
+allow mm-qcamerad camera_socket:dir w_dir_perms;
+unix_socket_connect(mm-qcamerad, sensors, sensors)
+
+allow mm-qcamerad self:process execmem;
+# Interact with other media devices
+allow mm-qcamerad camera_device:dir search;
+allow mm-qcamerad { gpu_device video_device camera_device sensors_device }:chr_file rw_file_perms;
+
+allow mm-qcamerad { surfaceflinger mediaserver }:fd use;
+# Need to investigate this
+allow mm-qcamerad self:tcp_socket create_socket_perms;
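Review bot: `allow mm-qcamerad self:tcp_socket create_socket_perms;` ships with a `# Need to investigate this` comment, i.e. an unexplained network capability for a camera daemon; either identify the caller and document it, or gate it under `userdebug_or_eng` until it is understood so release builds do not carry it. `allow mm-qcamerad self:process execmem;` likewise deserves a comment naming the component that needs executable anonymous memory, since it weakens W^X for the domain. The `{ surfaceflinger mediaserver }:fd use` rule is reasonable for buffer passing and could carry a short comment saying so.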
diff --git a/common/netmgrd.te b/common/netmgrd.te
index c135843..49bf70c 100644
--- a/common/netmgrd.te
+++ b/common/netmgrd.te
@@ -45,3 +45,8 @@
 
 #Allow execution of commands in shell
 allow netmgrd system_file:file { execute_no_trans };
+
+allow netmgrd self:socket read;
+
+#Allow communication with netd
+allow netmgrd netd_socket:sock_file write;
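Review bot: `allow netmgrd netd_socket:sock_file write;` alone does not let netmgrd talk to netd: connecting to netd's listening unix stream socket also needs `netd:unix_stream_socket connectto`, which `unix_socket_connect(netmgrd, netd, netd)` provides in one line; replace the bare allow with the macro (assuming /dev/socket/netd is the stream socket netd creates in AOSP). `allow netmgrd self:socket read;` is a generic-socket permission with no comment; name the socket family it is for so the rule can be narrowed later.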
diff --git a/common/qseecomd.te b/common/qseecomd.te
new file mode 100644
index 0000000..faff1f6
--- /dev/null
+++ b/common/qseecomd.te
@@ -0,0 +1,7 @@
+type qseecomd, domain;
+type qseecomd_exec, exec_type, file_type;
+init_daemon_domain(qseecomd)
+allow qseecomd ssd_device:blk_file { read write getattr open ioctl };
+allow qseecomd rpmb_device:blk_file { read write getattr open ioctl };
+allow qseecomd block_device:dir search;
+allow qseecomd qseecom_device:chr_file { read write ioctl };
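Review bot: `allow qseecomd qseecom_device:chr_file { read write ioctl };` lacks `open`, unlike every other qseecom_device rule in this change (`{ read write ioctl open }` in drmserver.te, keystore.te, mcStarter.te and mediaserver.te), so qseecomd cannot open its own driver node unless the fd is inherited; add `open`. The raw `blk_file` read/write on `ssd_device` and `rpmb_device` is presumably required because qseecomd services those partitions, but it is the most sensitive grant in the hunk; a one-line comment stating that qseecomd is meant to be the only domain touching them helps keep it that way.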
diff --git a/common/radio.te b/common/radio.te
index 5b4031f..8bd7e28 100644
--- a/common/radio.te
+++ b/common/radio.te
@@ -1,3 +1,4 @@
 # Talks to qmuxd via the qmux_radio socket.
 unix_socket_connect(radio, qmux_radio, qmuxd);
 allow radio qmux_radio_socket:dir search;
+allow radio ims_socket:sock_file write;
diff --git a/common/rmt_storage.te b/common/rmt_storage.te
new file mode 100644
index 0000000..2ee8365
--- /dev/null
+++ b/common/rmt_storage.te
@@ -0,0 +1,14 @@
+# rmt_storage - rmt_storage daemon
+type rmt_storage, domain;
+type rmt_storage_exec, exec_type, file_type;
+init_daemon_domain(rmt_storage)
+
+allow rmt_storage modem_efs_partition_device:blk_file { read write open };
+allow rmt_storage block_device:dir search;
+allow rmt_storage cgroup:dir { create add_name };
+allow rmt_storage smem_log_device:chr_file { read write ioctl open };
+allow rmt_storage self:capability { setuid setgid sys_admin dac_override };
+allow rmt_storage self:capability2 block_suspend;
+allow rmt_storage self:socket { create_socket_perms };
+allow rmt_storage sysfs_wake_lock:file { open write append };
+allow rmt_storage uio_device:chr_file { read write open };
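Review bot: `self:capability { setuid setgid sys_admin dac_override }` mixes privilege-drop capabilities with two broad ones, `sys_admin` and `dac_override`, and no comment says which operation needs each; `dac_override` in particular usually indicates a file-ownership mismatch rather than a real need, so add a why-comment per capability or drop the ones that only paper over permissions. `modem_efs_partition_device:blk_file { read write open }` omits the `getattr`/`ioctl` that the similar rule in qseecomd.te has; fine if unneeded, but worth confirming against the daemon's denials. `self:socket { create_socket_perms }` works, but wrapping a macro in braces is unusual here; `allow rmt_storage self:socket create_socket_perms;` is the conventional form.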
diff --git a/common/sensors.te b/common/sensors.te
index 40c52cc..e865b35 100644
--- a/common/sensors.te
+++ b/common/sensors.te
@@ -2,35 +2,50 @@
 type sensors, domain;
 type sensors_exec, exec_type, file_type;
 
+# Started by init
 init_daemon_domain(sensors)
 
-type_transition sensors apk_data_file:sock_file sensors_socket;
-type_transition sensors persist_file:{ dir file } sensors_persist_file;
-type_transition sensors socket_device:{ dir sock_file } sensors_socket;
-type_transition sensors system_data_file:{ dir file } sensors_data_file;
+# Change own perms to (nobody,nobody)
+allow sensors self:capability { setuid setgid };
+# Chown /data/misc/sensors/debug/ to nobody
+allow sensors self:capability chown;
+dontaudit sensors self:capability fsetid;
 
+# Access /data/misc/sensors/debug and /data/system/sensors/settings
+allow sensors self:capability { dac_override dac_read_search };
+
+# Sensors socket
+allow sensors sensors_socket:sock_file create_file_perms;
+type_transition sensors socket_device:sock_file sensors_socket "sensor_ctl_socket";
+allow sensors socket_device:dir rw_dir_perms;
+
+# Create directories and files under /data/misc/sensors
+# and /data/system/sensors. Allow generic r/w file access.
+allow sensors sensors_data_file:dir create_dir_perms;
+allow sensors sensors_data_file:file create_file_perms;
+
+# Access sensor nodes (/dev/msm_dsps, /dev/sensors)
+allow sensors sensors_device:chr_file rw_file_perms;
+
+# Access to /persist/sensors
+allow sensors persist_file:dir r_dir_perms;
+allow sensors sensors_persist_file:dir rw_dir_perms;
+allow sensors sensors_persist_file:file create_file_perms;
+
+# Wake lock access
+wakelock_use(sensors)
+
+allow sensors cgroup:dir { create add_name };
+
+allow sensors self:socket *;
+
+# Access to other devices
+allow sensors smd_device:chr_file rw_file_perms;
+allow sensors smem_log_device:chr_file rw_file_perms;
+allow sensors device_latency:chr_file w_file_perms;
+
+# Access to tests from userdebug/eng builds
 userdebug_or_eng(`
   domain_auto_trans(shell, sensors_exec, sensors)
-  domain_auto_trans(adbd, sensors_exec, sensors)
+  allow sensors diag_device:chr_file rw_file_perms;
 ')
-
-#============= sensors ==============
-allow sensors apk_data_file:dir { write add_name remove_name };
-allow sensors cgroup:dir { create add_name };
-allow sensors diag_device:chr_file { read write ioctl open };
-allow sensors persist_file:dir { search getattr };
-allow sensors self:capability { setuid chown setgid dac_override };
-allow sensors self:capability2 block_suspend;
-allow sensors self:socket { read bind create write ioctl };
-allow sensors sensors_data_file:dir { write getattr setattr read create open add_name };
-allow sensors sensors_data_file:file { write getattr setattr read create open append };
-allow sensors sensors_device:chr_file { read ioctl open };
-allow sensors sensors_persist_file:dir search;
-allow sensors sensors_persist_file:file { read open };
-allow sensors sensors_socket:sock_file { write create getattr setattr unlink };
-allow sensors sensors_system_file:dir { read search open };
-allow sensors sensors_system_file:file { read getattr open };
-allow sensors smd_device:chr_file { read open append };
-allow sensors smem_log_device:chr_file { read write ioctl open };
-allow sensors socket_device:dir { write add_name };
-allow sensors sysfs_wake_lock:file { open append };
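Review bot: `allow sensors self:socket *;` grants the entire `socket` permission set with a wildcard, while the rest of this change (rmt_storage.te, time_daemon.te) uses explicit sets; replace it with `allow sensors self:socket create_socket_perms;` (the removed rule listed only `read bind create write ioctl`). `dontaudit sensors self:capability fsetid;` would benefit from a comment naming the chown that triggers it. The named `type_transition ... "sensor_ctl_socket"` requires a policy toolchain that supports name-based transitions; presumably already the case here, otherwise the unnamed form is needed.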
diff --git a/common/service.te b/common/service.te
new file mode 100644
index 0000000..612d43d
--- /dev/null
+++ b/common/service.te
@@ -0,0 +1 @@
+type atfwd_service,             service_manager_type;
diff --git a/common/service_contexts b/common/service_contexts
new file mode 100644
index 0000000..c549ecf
--- /dev/null
+++ b/common/service_contexts
@@ -0,0 +1 @@
+AtCmdFwd                u:object_r:atfwd_service:s0
diff --git a/common/system_app.te b/common/system_app.te
index 48103f8..da0489e 100644
--- a/common/system_app.te
+++ b/common/system_app.te
@@ -1,3 +1,4 @@
 # fm_radio app needes  open read write on fm_radio_device
 allow system_app fm_radio_device:chr_file { read open ioctl};
 allow system_app ctl_default_prop:property_service set;
+allow system_app atfwd_service:service_manager add;
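Review bot: `allow system_app atfwd_service:service_manager add;` registers the AtCmdFwd service, but nothing in this change grants `find` on `atfwd_service`; if servicemanager enforces lookups in this release, atfwd (which `binder_call`s system_app in atfwd.te) would need `allow atfwd atfwd_service:service_manager find;` to resolve it. Confirm from the denial logs whether `find` is enforced before adding the rule.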
diff --git a/common/system_server.te b/common/system_server.te
index 6787e7a..a0701af 100644
--- a/common/system_server.te
+++ b/common/system_server.te
@@ -5,6 +5,8 @@
 allow system_server cnd_data_file:dir { read open write getattr add_name };
 allow system_server cnd_data_file:file { create write getattr setattr read lock open };
 
-# allow system_server to communicate with sensors daemon over sensors_socket
-allow system_server sensors:unix_stream_socket connectto;
-allow system_server sensors_socket:sock_file write;
+# Access to sensors socket
+unix_socket_connect(system_server, sensors, sensors)
+unix_socket_send(system_server, sensors, sensors)
+allow system_server sensors:unix_stream_socket sendto;
+allow system_server sensors_socket:sock_file r_file_perms;
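Review bot: `allow system_server sensors:unix_stream_socket sendto;` looks redundant with the two macros above it, since `unix_socket_connect` already grants `connectto` on the stream socket and `unix_socket_send` covers the dgram case, and `sendto` is not what the removed `connectto` rule expressed; drop it unless a denial shows it is needed. `sensors_socket:sock_file r_file_perms` similarly adds `open`/`getattr`/`read` on a socket node whose only permission needed for connecting is `write`, which the macro already grants; `allow system_server sensors_socket:sock_file getattr;` would be the tighter replacement if stat() is required.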
diff --git a/common/time_daemon.te b/common/time_daemon.te
new file mode 100644
index 0000000..1a3d415
--- /dev/null
+++ b/common/time_daemon.te
@@ -0,0 +1,18 @@
+# Policies for time daemon
+type time_daemon, domain;
+type time_daemon_exec, exec_type, file_type;
+type time_data_file, file_type, data_file_type;
+
+# Make transition to its own time_daemon domain from init
+init_daemon_domain(time_daemon)
+
+# Add rules for access permissions
+#============= IOCTL operations ==============
+allow time_daemon rtc_device:chr_file { open read ioctl };
+allow time_daemon alarm_device:chr_file { open read write ioctl };
+
+#============= File read/write ==============
+allow time_daemon time_data_file:file { write create open read};
+allow time_daemon time_data_file:dir { write add_name search};
+allow time_daemon self:socket { write read create ioctl};
+allow time_daemon self:capability { setuid setgid };
diff --git a/test/sensors_test.te b/test/sensors_test.te
index 591ba5e..92872b5 100644
--- a/test/sensors_test.te
+++ b/test/sensors_test.te
@@ -7,10 +7,10 @@
   domain_auto_trans(shell, sensors_test_exec, sensors_test)
   domain_auto_trans(adbd, sensors_test_exec, sensors_test)
 
-  allow sensors_test devpts:chr_file { open read write ioctl getattr };
+  allow sensors_test devpts:chr_file rw_file_perms;
   allow sensors_test sensors:unix_stream_socket connectto;
-  allow sensors_test sensors_device:chr_file { getattr read };
-  allow sensors_test sensors_socket:sock_file { read write };
-  allow sensors_test smd_device:chr_file { read write open };
-  allow sensors_test socket_device:dir read;
+  allow sensors_test sensors_device:chr_file rw_file_perms;
+  allow sensors_test sensors_socket:sock_file rw_file_perms;
+  allow sensors_test smd_device:chr_file rw_file_perms;
+  allow sensors_test socket_device:dir r_dir_perms;
 ')