From 53a898d1021ed56968c270c4a3f2cf2bed5f6a65 Mon Sep 17 00:00:00 2001
From: Mohammad Afaneh
Date: Sun, 19 Jan 2020 14:08:44 +0200
Subject: [PATCH 1/9] [SQUASH] [1 PART] msm8226-common: sepolicy updates
---
 sepolicy/common/audioserver.te | 1 +
 sepolicy/common/file.te | 1 +
 sepolicy/common/hal_graphics_composer_default.te | 1 +
 sepolicy/common/hal_lineage_touch_default.te | 1 +
 sepolicy/common/init.te | 4 ++++
 sepolicy/common/installd.te | 1 +
 sepolicy/common/mediaserver.te | 5 +++++
 sepolicy/common/mediaswcodec.te | 1 +
 sepolicy/common/netd.te | 1 +
 sepolicy/common/rild.te | 2 +-
 sepolicy/common/servicemanager.te | 3 +++
 sepolicy/common/system_app.te | 3 +++
 sepolicy/common/system_server.te | 3 +++
 sepolicy/common/tee.te | 1 +
 sepolicy/common/ueventd.te | 2 ++
 sepolicy/common/untrusted_app_25.te | 2 ++
 sepolicy/common/vendor_init.te | 11 +++++++++++
 sepolicy/common/webview_zygote.te | 2 ++
 18 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 sepolicy/common/audioserver.te
 create mode 100644 sepolicy/common/hal_graphics_composer_default.te
 create mode 100644 sepolicy/common/installd.te
 create mode 100644 sepolicy/common/mediaswcodec.te
 create mode 100644 sepolicy/common/servicemanager.te
 create mode 100644 sepolicy/common/tee.te
 create mode 100644 sepolicy/common/untrusted_app_25.te
 create mode 100644 sepolicy/common/vendor_init.te
diff --git a/sepolicy/common/audioserver.te b/sepolicy/common/audioserver.te
new file mode 100644
index 0000000..458421b
--- /dev/null
+++ b/sepolicy/common/audioserver.te
@@ -0,0 +1 @@
+allow audioserver device:chr_file ioctl;
diff --git a/sepolicy/common/file.te b/sepolicy/common/file.te
index 776d927..dad9838 100644
--- a/sepolicy/common/file.te
+++ b/sepolicy/common/file.te
@@ -1,4 +1,5 @@
 type proc_bt_sleep, fs_type, proc_type;
+type proc_last_kmsg, fs_type, proc_type;
 type sysfs_camera, fs_type, sysfs_type;
 type sysfs_disk_stat, fs_type, sysfs_type;
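Review bot: `allow audioserver device:chr_file ioctl;` grants access on the generic `device` label, which means the character device audioserver is touching has no entry of its own in file_contexts; the fix is to give that node a specific `dev_type` (as `device.te` does for `alarm_device` later in this series) and allow the ioctl on that type. The same generic-label pattern appears in installd (`device:file write`), netd (`device:file { open write }`), mediaserver (`device:dir read`), time_daemon and rild (`device:chr_file`). As I recall, AOSP's platform policy carries neverallows against generic `device` access for most domains, so these rules may trip the neverallow check rather than merely being over-broad; worth checking against the sepolicy-legacy tree this device includes.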
diff --git a/sepolicy/common/hal_graphics_composer_default.te b/sepolicy/common/hal_graphics_composer_default.te
new file mode 100644
index 0000000..eb43206
--- /dev/null
+++ b/sepolicy/common/hal_graphics_composer_default.te
@@ -0,0 +1 @@
+allow hal_graphics_composer_default default_android_vndservice:service_manager add;
diff --git a/sepolicy/common/hal_lineage_touch_default.te b/sepolicy/common/hal_lineage_touch_default.te
index d8feec1..4b3034d 100644
--- a/sepolicy/common/hal_lineage_touch_default.te
+++ b/sepolicy/common/hal_lineage_touch_default.te
@@ -1,3 +1,4 @@
+allow hal_lineage_touch_default sysfs_sec_touchkey:dir search;
 allow hal_lineage_touch_default sysfs_sec_tsp:dir search;
 allow hal_lineage_touch_default sysfs_sec_tsp:file rw_file_perms;
 allow hal_lineage_touch_default sysfs_sec_touchkey:dir search;
diff --git a/sepolicy/common/init.te b/sepolicy/common/init.te
index 2e4c3ec..379914c 100644
--- a/sepolicy/common/init.te
+++ b/sepolicy/common/init.te
@@ -11,6 +11,7 @@ allow init {
 }:lnk_file read;
 allow init {
+ proc
 sysfs_audio
 sysfs_batteryinfo
 sysfs_bluetooth_writable
@@ -57,3 +58,6 @@ allow init {
 allow init sysfs:file setattr;
 allow init sysfs_devfreq:file setattr;
+allow init efs_file:dir mounton;
+allow init init:capability2 block_suspend;
+allow init system_file:file mounton;
diff --git a/sepolicy/common/installd.te b/sepolicy/common/installd.te
new file mode 100644
index 0000000..702e5ad
--- /dev/null
+++ b/sepolicy/common/installd.te
@@ -0,0 +1 @@
+allow installd device:file write;
diff --git a/sepolicy/common/mediaserver.te b/sepolicy/common/mediaserver.te
index bc8db09..4eab131 100644
--- a/sepolicy/common/mediaserver.te
+++ b/sepolicy/common/mediaserver.te
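Review bot: `allow hal_graphics_composer_default default_android_vndservice:service_manager add;` registers a vndbinder service under the catch-all `default_android_vndservice` label, so whatever service the composer publishes has no entry in vndservice_contexts. Add a dedicated `vndservice` type for it in the device policy and allow `add` on that type instead; granting `add` on the default label lets the HAL register under any name that nobody has labeled.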
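Review bot: The added `allow hal_lineage_touch_default sysfs_sec_touchkey:dir search;` duplicates the identical rule already present three lines below in the same hunk; drop one of the two copies so the file states the rule once.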
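Review bot: `allow init system_file:file mounton;` lets init bind-mount over individual files on the system image, which changes what an auditor can assume about /system being immutable at runtime; a comment naming which file is overlaid and from which init.rc action would make the rule reviewable, e.g. `# bind mount over <system file> from <init.rc action> — TODO fill in`. The same applies to `allow init efs_file:dir mounton;`; the `init:capability2 block_suspend` line needs no explanation.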
@@ -1,3 +1,8 @@
+allow mediaserver cameraproxy_service:service_manager find;
+allow mediaserver device:dir read;
+allow mediaserver hal_camera_default:binder { call transfer };
+allow mediaserver hal_camera_hwservice:hwservice_manager find;
+allow mediaserver sensor_privacy_service:service_manager find;
 allow mediaserver sysfs_camera:dir search;
 allow mediaserver sysfs_camera:file r_file_perms;
 allow mediaserver vendor_file:file execmod;
diff --git a/sepolicy/common/mediaswcodec.te b/sepolicy/common/mediaswcodec.te
new file mode 100644
index 0000000..9d7b448
--- /dev/null
+++ b/sepolicy/common/mediaswcodec.te
@@ -0,0 +1 @@
+allow mediaswcodec servicemanager:binder call;
diff --git a/sepolicy/common/netd.te b/sepolicy/common/netd.te
index a6fd4ba..cfd63c1 100644
--- a/sepolicy/common/netd.te
+++ b/sepolicy/common/netd.te
@@ -1 +1,2 @@
 allow system_app netd:binder call;
+allow netd device:file { open write };
diff --git a/sepolicy/common/rild.te b/sepolicy/common/rild.te
index d4796ba..a44127d 100644
--- a/sepolicy/common/rild.te
+++ b/sepolicy/common/rild.te
@@ -6,6 +6,6 @@ allow rild radio_data_file:lnk_file read;
 allow rild proc_net:file w_file_perms;
 allow rild sysfs_sec_key:file rw_file_perms;
-allow rild unlabeled:dir search;
+allow rild unlabeled:dir search;
 allow rild unlabeled:file { getattr open read };
diff --git a/sepolicy/common/servicemanager.te b/sepolicy/common/servicemanager.te
new file mode 100644
index 0000000..d968d53
--- /dev/null
+++ b/sepolicy/common/servicemanager.te
@@ -0,0 +1,3 @@
+allow servicemanager mediaswcodec:dir search;
+allow servicemanager mediaswcodec:file { open read };
+allow servicemanager mediaswcodec:process getattr;
diff --git a/sepolicy/common/system_app.te b/sepolicy/common/system_app.te
index 9aa08bc..ffc5568 100644
--- a/sepolicy/common/system_app.te
+++ b/sepolicy/common/system_app.te
@@ -1,2 +1,5 @@
+allow system_app apex_service:service_manager find;
+allow system_app proc_pagetypeinfo:file { open read };
 allow system_app sysfs_mdnie:dir search;
 allow system_app sysfs_mdnie:file rw_file_perms;
+allow system_app system_suspend_control_service:service_manager find;
diff --git a/sepolicy/common/system_server.te b/sepolicy/common/system_server.te
index 561cb7f..92e0ad0 100644
--- a/sepolicy/common/system_server.te
+++ b/sepolicy/common/system_server.te
@@ -5,6 +5,7 @@ allow system_server {
 allow system_server {
 efs_file
+ proc_last_kmsg
 qti_debugfs
 }:file r_file_perms;
@@ -14,4 +15,6 @@ allow system_server {
 sysfs_sec_touchkey
 }:file w_file_perms;
+allow system_server init:binder call;
 allow system_server unlabeled:file unlink;
+allow system_server proc:file { getattr open read };
diff --git a/sepolicy/common/tee.te b/sepolicy/common/tee.te
new file mode 100644
index 0000000..6db4f92
--- /dev/null
+++ b/sepolicy/common/tee.te
@@ -0,0 +1 @@
+allow tee rpmb_device:blk_file ioctl;
diff --git a/sepolicy/common/ueventd.te b/sepolicy/common/ueventd.te
index 0a057f0..3068def 100644
--- a/sepolicy/common/ueventd.te
+++ b/sepolicy/common/ueventd.te
@@ -1,2 +1,4 @@
 allow ueventd vfat:dir search;
 allow ueventd vfat:file { getattr open read };
+
+allow ueventd proc:file { read };
diff --git a/sepolicy/common/untrusted_app_25.te b/sepolicy/common/untrusted_app_25.te
new file mode 100644
index 0000000..cd5173f
--- /dev/null
+++ b/sepolicy/common/untrusted_app_25.te
@@ -0,0 +1,2 @@
+dontaudit untrusted_app_25 net_dns_prop:file read;
+dontaudit untrusted_app_25 proc:file read;
diff --git a/sepolicy/common/vendor_init.te b/sepolicy/common/vendor_init.te
new file mode 100644
index 0000000..c54c4aa
--- /dev/null
+++ b/sepolicy/common/vendor_init.te
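Review bot: `allow system_server proc:file { getattr open read };` reads files carrying the generic `proc` label, which, like the generic `device` label, is what /proc entries get when nobody has assigned them a type; the file system_server needs should receive its own `proc_type` through a genfscon entry, the way this same commit declares `proc_last_kmsg`. The same applies to `allow ueventd proc:file { read };` further down; the `dontaudit untrusted_app_25 proc:file read;` line is the right way to silence app-side noise. `allow system_server init:binder call;` is also suspicious: init is not a binder server as far as I know, so the call target is more likely a daemon left running in the `init` domain because it has no domain of its own and no `domain_auto_trans`; giving it a domain would remove the need for this rule.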
@@ -0,0 +1,11 @@
+allow vendor_init firmware_file:lnk_file { read };
+allow vendor_init kernel:security { check_context };
+allow vendor_init packages_list_file:file { getattr open read };
+allow vendor_init radio_data_file:lnk_file { relabelto unlink };
+allow vendor_init seapp_contexts_file:file { getattr open read };
+allow vendor_init selinuxfs:file { write };
+allow vendor_init sysfs:file { relabelfrom };
+allow vendor_init sysfs:dir { relabelfrom };
+allow vendor_init system_data_file:file { setattr write };
+allow vendor_init system_data_file:lnk_file { create getattr relabelfrom };
+allow vendor_init wifi_data_file:file { getattr setattr write };
diff --git a/sepolicy/common/webview_zygote.te b/sepolicy/common/webview_zygote.te
index aa8f675..0e99828 100644
--- a/sepolicy/common/webview_zygote.te
+++ b/sepolicy/common/webview_zygote.te
@@ -1 +1,3 @@
 allow webview_zygote zygote:unix_dgram_socket write;
+
+allow webview_zygote app_data_file:dir getattr;
From 8a6489fcbaf0a93acd7e5b803008e7581caa6808 Mon Sep 17 00:00:00 2001
From: RomanDesigner
Date: Mon, 27 Jan 2020 17:17:50 +0300
Subject: [PATCH 2/9] [SQUASH] [2 PART] msm8226-common: sepolicy updates (2)
---
 BoardConfigCommon.mk | 1 -
 sepolicy/sepolicy.mk | 2 --
 2 files changed, 3 deletions(-)
diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index 2d5d439..551d893 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -97,7 +97,6 @@ DEVICE_MATRIX_FILE := device/samsung/msm8226-common/compatibility_matrix.xml
 TARGET_KEYMASTER_SKIP_WAITING_FOR_QSEE := true
 # SELinux
-CONFIG_NEO_MSM_SEPOLICY_TYPE := temporary
 include device/samsung/msm8226-common/sepolicy/sepolicy.mk
 # Partitions
diff --git a/sepolicy/sepolicy.mk b/sepolicy/sepolicy.mk
index e2fa5ed..ff3265b 100644
--- a/sepolicy/sepolicy.mk
+++ b/sepolicy/sepolicy.mk
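Review bot: The combination of `packages_list_file:file { getattr open read }`, `seapp_contexts_file:file { getattr open read }`, `kernel:security { check_context }` and `selinuxfs:file { write }` looks like what libselinux needs to relabel app data directories from a vendor init.rc; that is an inference, so a header comment naming the init.rc action these rules serve would make the new file reviewable, e.g. `# restorecon of app data from <vendor init.rc action> — TODO confirm`. `selinuxfs:file write` in particular should be tied to a stated purpose, since it is the interface through which a process talks to the security server. Patch 4 of this series re-adds `packages_list_file` and `seapp_contexts_file` with `r_file_perms`, which makes the `{ getattr open read }` lines here redundant; keep one form.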
@@ -14,8 +14,6 @@
 # limitations under the License.
 #
-ifeq ($(CONFIG_NEO_MSM_SEPOLICY_TYPE), common)
 include device/qcom/sepolicy-legacy/sepolicy.mk
 BOARD_SEPOLICY_DIRS += \
 device/samsung/msm8226-common/sepolicy/common
-endif
From 3d058c8af86113347cbeed90b82d0a08c05e65da Mon Sep 17 00:00:00 2001
From: DJABhipHop
Date: Fri, 31 Jan 2020 15:30:19 -0500
Subject: [PATCH 3/9] delete duplicate sysfs_disk_stat definition
---
 sepolicy/common/file.te | 1 -
 1 file changed, 1 deletion(-)
diff --git a/sepolicy/common/file.te b/sepolicy/common/file.te
index dad9838..03b8628 100644
--- a/sepolicy/common/file.te
+++ b/sepolicy/common/file.te
@@ -2,7 +2,6 @@ type proc_bt_sleep, fs_type, proc_type;
 type proc_last_kmsg, fs_type, proc_type;
 type sysfs_camera, fs_type, sysfs_type;
-type sysfs_disk_stat, fs_type, sysfs_type;
 type sysfs_hal_pwr, fs_type, sysfs_type;
 type sysfs_iio, fs_type, sysfs_type;
 type sysfs_input, fs_type, sysfs_type;
From d3fa579b1200562c5a30a115008cda8436752fd8 Mon Sep 17 00:00:00 2001
From: DJABhipHop
Date: Fri, 31 Jan 2020 20:34:25 -0500
Subject: [PATCH 4/9] [SQUASH] [3 PART] msm8226-common: sepolicy updates (3)
---
 sepolicy/.DS_Store | Bin 0 -> 6148 bytes
 sepolicy/common/crash_dump.te | 1 +
 sepolicy/common/device.te | 1 +
 sepolicy/common/domain.te | 1 +
 sepolicy/common/radio.te | 1 +
 sepolicy/common/snap_app.te | 2 ++
 sepolicy/common/vendor_init.te | 9 +++++++++
 7 files changed, 15 insertions(+)
 create mode 100644 sepolicy/.DS_Store
 create mode 100644 sepolicy/common/crash_dump.te
 create mode 100644 sepolicy/common/domain.te
 create mode 100644 sepolicy/common/radio.te
 create mode 100644 sepolicy/common/snap_app.te
diff --git a/sepolicy/.DS_Store b/sepolicy/.DS_Store
new file mode 100644
index 0000000000000000000000000000000000000000..eacb9d26e23d31dd7189bacfcab9463b3cca7199
GIT binary patch
literal 6148
zcmeHK!A`?447Fj0N?dl_F~871h^F!dJ#k`EE3pG5Lt^)Q#J&!}zwjIz)NYZuAcT-z zCC^E0CwWqnn230L99yC_5j7}+EJ{VByE=4b#w#F~7>S*|e@Y1I~am;0!neKh6N| zY?0~6i-p4_zoWrrdnc3Bh%^u;3p4LL_PWl+b1=&*~1Sy7@$e{l!;L!c1i Kl{4@Q4153{L@r4H
literal 0
HcmV?d00001
diff --git a/sepolicy/common/crash_dump.te b/sepolicy/common/crash_dump.te
new file mode 100644
index 0000000..f24e7ca
--- /dev/null
+++ b/sepolicy/common/crash_dump.te
@@ -0,0 +1 @@
+allow crash_dump init:process ptrace;
diff --git a/sepolicy/common/device.te b/sepolicy/common/device.te
index eef944e..ffcf03e 100644
--- a/sepolicy/common/device.te
+++ b/sepolicy/common/device.te
@@ -1,2 +1,3 @@
 type bluetooth_device, dev_type;
 type efs_block_device, dev_type;
+type alarm_device, dev_type, mlstrustedobject;
diff --git a/sepolicy/common/domain.te b/sepolicy/common/domain.te
new file mode 100644
index 0000000..73d4575
--- /dev/null
+++ b/sepolicy/common/domain.te
@@ -0,0 +1 @@
+allow domain alarm_device:chr_file r_file_perms;
diff --git a/sepolicy/common/radio.te b/sepolicy/common/radio.te
new file mode 100644
index 0000000..236fe8d
--- /dev/null
+++ b/sepolicy/common/radio.te
@@ -0,0 +1 @@
+allow radio alarm_device:chr_file rw_file_perms;
diff --git a/sepolicy/common/snap_app.te b/sepolicy/common/snap_app.te
new file mode 100644
index 0000000..4b6ec98
--- /dev/null
+++ b/sepolicy/common/snap_app.te
@@ -0,0 +1,2 @@
+get_prop(appdomain, camera_prop)
+binder_call(appdomain, gpuservice)
diff --git a/sepolicy/common/vendor_init.te b/sepolicy/common/vendor_init.te
index c54c4aa..33bb638 100644
--- a/sepolicy/common/vendor_init.te
+++ b/sepolicy/common/vendor_init.te
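Review bot: `sepolicy/.DS_Store` is macOS Finder metadata and should not be in the repository; drop it from this commit and add `.DS_Store` to `.gitignore`. Patch 5 of this series modifies it and adds `sepolicy/common/.DS_Store`, and patch 8 deletes only the first one, so the squashed result still leaves one behind.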
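Review bot: `allow crash_dump init:process ptrace;` lets the crash handler attach to init; as far as I recall AOSP's platform policy neverallows every domain from ptracing init, and crash_dump in particular is excluded from a list of core daemons, so this rule is likely to fail the neverallow check rather than fix the denial. If the denial came from a crashing process that is really a vendor daemon still running in the `init` domain, the fix is to give that daemon its own domain with `domain_auto_trans`; if init itself is crashing, that crash is the bug to chase.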
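Review bot: `allow domain alarm_device:chr_file r_file_perms;` grants every domain on the device, untrusted apps included, read access to the alarm device node, and the `mlstrustedobject` attribute on the new type widens that further; the only consumer visible in this commit is `radio`, which gets `rw_file_perms` in its own file. Restrict the rule to the domains that actually open the node, naming each one instead of `domain`, and drop `mlstrustedobject` unless a cross-level reader is known.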
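Review bot: `sepolicy/common/snap_app.te` is named after one app, but both rules target `appdomain`, so `get_prop(appdomain, camera_prop)` and `binder_call(appdomain, gpuservice)` apply to every app on the device, untrusted ones included. If only the camera app needs these, give it its own domain through seapp_contexts and name that domain here; if `appdomain` really is intended, move the rules into a file whose name says so and add a comment explaining why all apps need to read the camera properties.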
@@ -9,3 +9,12 @@ allow vendor_init sysfs:dir { relabelfrom };
 allow vendor_init system_data_file:file { setattr write };
 allow vendor_init system_data_file:lnk_file { create getattr relabelfrom };
 allow vendor_init wifi_data_file:file { getattr setattr write };
+
+type_transition vendor_init system_data_file:file wifi_data_file;
+
+allow vendor_init packages_list_file:file r_file_perms;
+allow vendor_init proc_security:file rw_file_perms;
+allow vendor_init radio_data_file:lnk_file create_file_perms;
+allow vendor_init seapp_contexts_file:file r_file_perms;
+allow vendor_init wifi_data_file:dir rw_dir_perms;
+allow vendor_init wifi_data_file:file create_file_perms;
From 179bef25428d003e8fd0d2bb2e784f3f57d1bac5 Mon Sep 17 00:00:00 2001
From: DJABhipHop
Date: Fri, 31 Jan 2020 21:51:42 -0500
Subject: [PATCH 5/9] [SQUASH] [4 PART] msm8226-common: sepolicy updates (4)
---
 sepolicy/.DS_Store | Bin 6148 -> 6148 bytes
 sepolicy/common/.DS_Store | Bin 0 -> 6148 bytes
 sepolicy/common/init.te | 2 ++
 sepolicy/common/installd.te | 1 +
 sepolicy/common/servicemanager.te | 1 +
 sepolicy/common/thermal-engine.te | 2 ++
 sepolicy/common/time_daemon.te | 1 +
 sepolicy/common/ueventd.te | 2 ++
 sepolicy/common/vendor_init.te | 2 ++
 9 files changed, 11 insertions(+)
 create mode 100644 sepolicy/common/.DS_Store
 create mode 100644 sepolicy/common/time_daemon.te
diff --git a/sepolicy/.DS_Store b/sepolicy/.DS_Store
index eacb9d26e23d31dd7189bacfcab9463b3cca7199..149353e8c14f452859287ee153375d8c4a1f6649 100644
GIT binary patch
delta 540
zcmZ8eF;Ck-6n@VM!AU80i4!UYD2iID4wXAr9e^-I5kn$^P*7Wt?Ocpi=gvJ}lERWD zOe{nhm=Qyl4oLY8%=`ivnb~0EVpBo;PP+H$d+&YkbYI`>o5y)2nHl`d4?ZsDQUHJe zIsgOeIi0}vnLRqi--+J1lmbT7zp$GT-fT4mZ~azV!<-AW)lM#C+_Lz%ZN&MoSa z;{JEvvWZ`zMJ5Dm)jfyxX#6fMQgIlqaxzvZEZ@qHkx^J#{|ny7K!-vM08|||snsIs z!b&yf(xAdy_yQ%U0s#R>Z~|v=4i|6B`mu~2NHo}wrV0|Nsi1A_nqLq0Y0b`E|Hpw7*L9N(EI^NUylHGwrVL1~uF5h81t0UE~>nE(I)
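Review bot: `type_transition vendor_init system_data_file:file wifi_data_file;` is unqualified, so every regular file vendor_init creates in any `system_data_file` directory becomes `wifi_data_file`, not just the wifi ones; use a name-based transition (`type_transition vendor_init system_data_file:file wifi_data_file "<filename>";`, the form thermal-engine.te in this tree already uses) or label the target directory in file_contexts so no default transition is needed. Several of the new lines also restate earlier ones in the same file: `packages_list_file:file r_file_perms` and `seapp_contexts_file:file r_file_perms` subsume the `{ getattr open read }` rules above, `wifi_data_file:file create_file_perms` subsumes `{ getattr setattr write }`, and `radio_data_file:lnk_file create_file_perms` overlaps `{ relabelto unlink }` (only `relabelto` is not already covered); keep one form of each.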
diff --git a/sepolicy/common/.DS_Store b/sepolicy/common/.DS_Store
new file mode 100644
index 0000000000000000000000000000000000000000..5008ddfcf53c02e82d7eee2e57c38e5672ef89f6
GIT binary patch
literal 6148
zcmeH~Jr2S!425mzP>H1@V-^m;4Wg<&0T*E43hX&L&p$$qDprKhvt+--jT7}7np#A3 zem<@ulZcFPQ@L2!n>{z**++&mCkOWA81W14cNZlEfg7;MkzE(HCqgga^y>{tEnwC%0;vJ&^%eQ zLs35+`xjp>T0
Date: Fri, 31 Jan 2020 22:09:16 -0500
Subject: [PATCH 6/9] [SQUASH] [5 PART] msm8226-common: sepolicy updates (5)
---
 sepolicy/common/hal_wifi_default.te | 1 +
 sepolicy/common/mediaserver.te | 2 ++
 sepolicy/common/system_app.te | 1 +
 sepolicy/common/thermal-engine.te | 1 +
 sepolicy/common/time_daemon.te | 1 +
 sepolicy/common/ueventd.te | 1 +
 sepolicy/common/vendor_init.te | 1 +
 7 files changed, 8 insertions(+)
diff --git a/sepolicy/common/hal_wifi_default.te b/sepolicy/common/hal_wifi_default.te
index a581037..a11e4ae 100644
--- a/sepolicy/common/hal_wifi_default.te
+++ b/sepolicy/common/hal_wifi_default.te
@@ -3,3 +3,4 @@ r_dir_file(hal_wifi_default, wifi_efs_file)
 allow hal_wifi_default efs_file:dir search;
 allow hal_wifi_default sysfs_wifi_writeable:file w_file_perms;
 allow hal_wifi_default wifi_data_file:file r_file_perms;
+allow hal_wifi_default default_prop:property_service set;
diff --git a/sepolicy/common/mediaserver.te b/sepolicy/common/mediaserver.te
index 4eab131..682d456 100644
--- a/sepolicy/common/mediaserver.te
+++ b/sepolicy/common/mediaserver.te
@@ -8,3 +8,5 @@ allow mediaserver sysfs_camera:file r_file_perms;
 allow mediaserver vendor_file:file execmod;
 allow mediaserver system_data_file:sock_file write;
 allow mediaserver hal_lineage_camera_motor_hwservice:hwservice_manager find;
+allow mediaserver cameraserver_service:service_manager add;
+allow mediaserver fwk_camera_hwservice:hwservice_manager add;
diff --git a/sepolicy/common/system_app.te b/sepolicy/common/system_app.te
index ffc5568..643536d 100644
--- a/sepolicy/common/system_app.te
+++ b/sepolicy/common/system_app.te
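Review bot: `allow hal_wifi_default default_prop:property_service set;` lets the wifi HAL set any property that has no entry in property_contexts, because `default_prop` is the fallback label for everything unlisted. The property it writes should get its own type in the device property_contexts and the `set` should be granted on that type; as I recall AOSP also neverallows domains other than init from setting `default_prop`, so the rule may not build as written.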
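Review bot: `allow mediaserver cameraserver_service:service_manager add;` and `allow mediaserver fwk_camera_hwservice:hwservice_manager add;` make mediaserver register the camera service names that cameraserver normally owns, and patch 7 of this series adds `hidl_base_hwservice:hwservice_manager add` on top. If this device keeps the camera stack inside mediaserver, a comment at the top of `mediaserver.te` saying so (and that cameraserver is not started) would explain the whole set, which otherwise reads like two processes contending for one name. The `hidl_base_hwservice` rule is separately a sign that the interface being registered has no hwservice_contexts entry; it should get one rather than be registered under the base label.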
@@ -3,3 +3,4 @@ allow system_app proc_pagetypeinfo:file { open read };
 allow system_app sysfs_mdnie:dir search;
 allow system_app sysfs_mdnie:file rw_file_perms;
 allow system_app system_suspend_control_service:service_manager find;
+allow system_app apk_data_file:dir write;
diff --git a/sepolicy/common/thermal-engine.te b/sepolicy/common/thermal-engine.te
index 34f7b37..c2428c1 100644
--- a/sepolicy/common/thermal-engine.te
+++ b/sepolicy/common/thermal-engine.te
@@ -5,3 +5,4 @@ type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-r
 allow thermal-engine self:capability chown;
 allow thermal-engine sysfs_batteryinfo:dir search;
+allow thermal-engine sysfs_batteryinfo:file read;
diff --git a/sepolicy/common/time_daemon.te b/sepolicy/common/time_daemon.te
index c90a9b9..7a39145 100644
--- a/sepolicy/common/time_daemon.te
+++ b/sepolicy/common/time_daemon.te
@@ -1 +1,2 @@
 allow time_daemon device:chr_file { read write };
+allow time_daemon device:chr_file open;
diff --git a/sepolicy/common/ueventd.te b/sepolicy/common/ueventd.te
index 51a1c7d..408293f 100644
--- a/sepolicy/common/ueventd.te
+++ b/sepolicy/common/ueventd.te
@@ -2,5 +2,6 @@ allow ueventd vfat:dir search;
 allow ueventd vfat:file { getattr open read };
 allow ueventd exfat:dir search;
+allow ueventd exfat:file read;
 allow ueventd proc:file { read };
diff --git a/sepolicy/common/vendor_init.te b/sepolicy/common/vendor_init.te
index 733042c..c5760b4 100644
--- a/sepolicy/common/vendor_init.te
+++ b/sepolicy/common/vendor_init.te
@@ -20,3 +20,4 @@ allow vendor_init wifi_data_file:dir rw_dir_perms;
 allow vendor_init wifi_data_file:file create_file_perms;
 allow vendor_init system_data_file:lnk_file unlink;
 allow vendor_init wcnss_device:chr_file write;
+allow vendor_init wcnss_device:chr_file open;
From 1c642898e59906a9f2c5e2678b30e41216952047 Mon Sep 17 00:00:00 2001
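Review bot: `allow system_app apk_data_file:dir write;` lets a system app write into the installed-APK directories that installd owns; a system app needing this usually means the path behind the denial was labeled `apk_data_file` by accident rather than a real requirement. Check which path produced the denial and, if it is not an APK install directory, give it its own label; if a system app must genuinely write there, narrow the rule to that app's own domain rather than all of `system_app`.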
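Review bot: `allow time_daemon device:chr_file open;` adds one permission on a separate line from the `{ read write }` rule right above it, and patch 7 adds `ioctl` as a third line; thermal-engine (`sysfs_batteryinfo:file read`, later `open`), ueventd (`exfat:file read`, later `open` and `getattr`) and vendor_init (`wcnss_device:chr_file write`, then `open`) grow the same way across this series. Collapse each into a single rule carrying the full set, e.g. `allow time_daemon device:chr_file { ioctl open read write };` or the matching `r_file_perms`/`rw_file_perms` macro, so the effective permission set is readable in one place.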
From: DJABhipHop
Date: Fri, 31 Jan 2020 22:28:38 -0500
Subject: [PATCH 7/9] [SQUASH] [6 PART] msm8226-common: sepolicy updates (6)
---
 sepolicy/common/mediaserver.te | 1 +
 sepolicy/common/qti_init_shell.te | 9 +++++++++
 sepolicy/common/thermal-engine.te | 1 +
 sepolicy/common/time_daemon.te | 1 +
 sepolicy/common/ueventd.te | 2 ++
 sepolicy/common/vold.te | 2 ++
 6 files changed, 16 insertions(+)
 create mode 100644 sepolicy/common/qti_init_shell.te
diff --git a/sepolicy/common/mediaserver.te b/sepolicy/common/mediaserver.te
index 682d456..60f33dd 100644
--- a/sepolicy/common/mediaserver.te
+++ b/sepolicy/common/mediaserver.te
@@ -10,3 +10,4 @@ allow mediaserver system_data_file:sock_file write;
 allow mediaserver hal_lineage_camera_motor_hwservice:hwservice_manager find;
 allow mediaserver cameraserver_service:service_manager add;
 allow mediaserver fwk_camera_hwservice:hwservice_manager add;
+allow mediaserver hidl_base_hwservice:hwservice_manager add;
diff --git a/sepolicy/common/qti_init_shell.te b/sepolicy/common/qti_init_shell.te
new file mode 100644
index 0000000..b3317f9
--- /dev/null
+++ b/sepolicy/common/qti_init_shell.te
@@ -0,0 +1,9 @@
+allow qti_init_shell bluetooth_loader_exec:file getattr;
+allow qti_init_shell bluetooth_loader_exec:file execute;
+allow qti_init_shell bluetooth_loader_exec:file { open read };
+allow qti_init_shell bluetooth_loader_exec:file execute_no_trans;
+allow qti_init_shell efs_file:dir search;
+allow qti_init_shell bluetooth_efs_file:dir search;
+allow qti_init_shell bluetooth_efs_file:file read;
+allow qti_init_shell bluetooth_efs_file:file open;
+allow qti_init_shell bluetooth_efs_file:file getattr;
\ No newline at end of file
diff --git a/sepolicy/common/thermal-engine.te b/sepolicy/common/thermal-engine.te
index c2428c1..936aeb9 100644
--- a/sepolicy/common/thermal-engine.te
+++ b/sepolicy/common/thermal-engine.te
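Review bot: `allow qti_init_shell bluetooth_loader_exec:file execute_no_trans;` runs the bluetooth loader inside the shell domain, so it inherits the shell's permissions instead of whatever domain its `_exec` type was created for; if a `bluetooth_loader` domain exists in this tree, use `domain_auto_trans(qti_init_shell, bluetooth_loader_exec, bluetooth_loader)` and drop the `execute`/`execute_no_trans` lines. If running without a transition is intended, the four rules on `bluetooth_loader_exec` and the three on `bluetooth_efs_file:file` can each be one line (`rx_file_perms` and `r_file_perms`). The file is also committed without a trailing newline (`\ No newline at end of file`), as are firmware_file.te, vendor_init.te, flags_health_check.te, rild.te and system_server.te later in the series; worth fixing in one pass.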
@@ -6,3 +6,4 @@ allow thermal-engine self:capability chown;
 allow thermal-engine sysfs_batteryinfo:dir search;
 allow thermal-engine sysfs_batteryinfo:file read;
+allow thermal-engine sysfs_batteryinfo:file open;
diff --git a/sepolicy/common/time_daemon.te b/sepolicy/common/time_daemon.te
index 7a39145..182b3e3 100644
--- a/sepolicy/common/time_daemon.te
+++ b/sepolicy/common/time_daemon.te
@@ -1,2 +1,3 @@
 allow time_daemon device:chr_file { read write };
 allow time_daemon device:chr_file open;
+allow time_daemon device:chr_file ioctl;
diff --git a/sepolicy/common/ueventd.te b/sepolicy/common/ueventd.te
index 408293f..e7d24b9 100644
--- a/sepolicy/common/ueventd.te
+++ b/sepolicy/common/ueventd.te
@@ -3,5 +3,7 @@ allow ueventd vfat:file { getattr open read };
 allow ueventd exfat:dir search;
 allow ueventd exfat:file read;
+allow ueventd exfat:file open;
+allow ueventd exfat:file getattr;
 allow ueventd proc:file { read };
diff --git a/sepolicy/common/vold.te b/sepolicy/common/vold.te
index 5cfbaf5..30da8b2 100644
--- a/sepolicy/common/vold.te
+++ b/sepolicy/common/vold.te
@@ -2,6 +2,8 @@ allow vold efs_file:dir rw_dir_perms;
 allow vold efs_file:file create;
 allow vold persist_data_file:dir { open read };
+allow vold hal_bootctl_hwservice:hwservice_manager find;
+
 allow vold {
 block_device
 cache_block_device
From 883bc2191698f485f9efafc6477d5dc4c19910ec Mon Sep 17 00:00:00 2001
From: DJABhipHop
Date: Sun, 2 Feb 2020 18:20:58 -0500
Subject: [PATCH 8/9] [SQUASH] [7 PART] msm8226-common: sepolicy updates (7)
---
 sepolicy/.DS_Store | Bin 6148 -> 0 bytes
 sepolicy/common/file.te | 4 +---
 sepolicy/common/firmware_file.te | 1 +
 sepolicy/common/system_app.te | 2 ++
 sepolicy/common/vendor_init.te | 2 ++
 5 files changed, 6 insertions(+), 3 deletions(-)
 delete mode 100644 sepolicy/.DS_Store
 create mode 100644 sepolicy/common/firmware_file.te
diff --git a/sepolicy/.DS_Store b/sepolicy/.DS_Store
deleted file mode 100644
index 149353e8c14f452859287ee153375d8c4a1f6649..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 6148
zcmeHKy>1gh5T0?2u^qrioREkDjI02qQ&VszC^inF0}Jg~yWi~W%5ICAgsfG71}%pQ7)@3!N<<40a6 zWiQgU|C05rwO?HCGxy1fY5yoDpY;=iOt+gb7Rh|g;c&##&WzrDG&r}7cu$S#e*I^54@eW!^2o75U}7A z@XA|3 zP*9Fe`76>L&{k+_!+>F6o`DtBw8Z&;_xJbz`5@CW3>XIfD+VyzXgBKgNcwDDcsOy^ wR;WCsB1HI270M8*^l>Z|aTIS+kwSeHp%B^{rwYkJV*Ut78cbyv_^S;30KMm;MF0Q*
diff --git a/sepolicy/common/file.te b/sepolicy/common/file.te
index 03b8628..fac7010 100644
--- a/sepolicy/common/file.te
+++ b/sepolicy/common/file.te
@@ -1,6 +1,5 @@
 type proc_bt_sleep, fs_type, proc_type;
-type proc_last_kmsg, fs_type, proc_type;
-
+# type proc_last_kmsg, fs_type, proc_type;
 type sysfs_camera, fs_type, sysfs_type;
 type sysfs_hal_pwr, fs_type, sysfs_type;
 type sysfs_iio, fs_type, sysfs_type;
@@ -18,7 +17,6 @@ type sysfs_sec_touchkey, fs_type, sysfs_type;
 type sysfs_sec_tsp, fs_type, sysfs_type;
 type sysfs_usb_otg, fs_type, sysfs_type;
 type sysfs_wifi_writeable, fs_type, sysfs_type;
-
 type bt_fw_file, file_type;
 type nfc_fw_file, file_type;
 type wifi_efs_file, file_type;
diff --git a/sepolicy/common/firmware_file.te b/sepolicy/common/firmware_file.te
new file mode 100644
index 0000000..54bf7cb
--- /dev/null
+++ b/sepolicy/common/firmware_file.te
@@ -0,0 +1 @@
+allow firmware_file labeledfs:filesystem associate;
\ No newline at end of file
diff --git a/sepolicy/common/system_app.te b/sepolicy/common/system_app.te
index 643536d..2fccb38 100644
--- a/sepolicy/common/system_app.te
+++ b/sepolicy/common/system_app.te
@@ -4,3 +4,5 @@ allow system_app sysfs_mdnie:dir search;
 allow system_app sysfs_mdnie:file rw_file_perms;
 allow system_app system_suspend_control_service:service_manager find;
 allow system_app apk_data_file:dir write;
+allow system_app proc_pagetypeinfo:file getattr;
+allow system_app sysfs_zram:dir search;
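Review bot: Commenting out `type proc_last_kmsg, fs_type, proc_type;` leaves `system_server.te` (patch 1 of this series) still naming `proc_last_kmsg` in its `r_file_perms` block, so the policy only builds if the type is declared elsewhere, presumably in the included sepolicy-legacy tree; say so instead of leaving a dead declaration, e.g. `# proc_last_kmsg is declared by sepolicy-legacy — TODO confirm`, or delete the line outright the way patch 3 did for the duplicate `sysfs_disk_stat`.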
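Review bot: `allow firmware_file labeledfs:filesystem associate;` is normally unnecessary, because as I recall AOSP grants `associate` on `labeledfs` to every type carrying the `file_type` attribute; needing it here suggests `firmware_file` is declared in this tree without `file_type`, and that declaration is the thing to fix rather than adding a per-type associate rule. If the rule really is required, a one-line comment naming which filesystem the firmware directory lives on would explain it.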
diff --git a/sepolicy/common/vendor_init.te b/sepolicy/common/vendor_init.te
index c5760b4..ac41d89 100644
--- a/sepolicy/common/vendor_init.te
+++ b/sepolicy/common/vendor_init.te
@@ -21,3 +21,5 @@ allow vendor_init wifi_data_file:file create_file_perms;
 allow vendor_init system_data_file:lnk_file unlink;
 allow vendor_init wcnss_device:chr_file write;
 allow vendor_init wcnss_device:chr_file open;
+allow vendor_init firmware_file:dir create;
+allow vendor_init firmware_file:dir setattr;
\ No newline at end of file
From 47cb7fedd7574bc4c533e2dc2e7844c0c20ccb0b Mon Sep 17 00:00:00 2001
From: DJABhipHop
Date: Mon, 10 Feb 2020 10:31:56 -0500
Subject: [PATCH 9/9] [SQUASH] [8 PART] msm8226-common: sepolicy updates (8)
---
 sepolicy/common/flags_health_check.te | 115 ++++++++++++++++++++++++++
 sepolicy/common/rild.te | 4 +
 sepolicy/common/system_server.te | 1 +
 sepolicy/common/vendor_init.te | 3 +-
 4 files changed, 122 insertions(+), 1 deletion(-)
 create mode 100644 sepolicy/common/flags_health_check.te
diff --git a/sepolicy/common/flags_health_check.te b/sepolicy/common/flags_health_check.te
new file mode 100644
index 0000000..dbfd800
--- /dev/null
+++ b/sepolicy/common/flags_health_check.te
@@ -0,0 +1,115 @@
+allow flags_health_check alarm_boot_prop:file { getattr open };
+allow flags_health_check alarm_handled_prop:file { getattr open };
+allow flags_health_check alarm_instance_prop:file { getattr open };
+allow flags_health_check apexd_prop:file { getattr open };
+allow flags_health_check bg_boot_complete_prop:file { getattr open };
+allow flags_health_check bg_daemon_prop:file { getattr open };
+allow flags_health_check bluetooth_prop:file { getattr open };
+allow flags_health_check boot_animation_prop:file { getattr open };
+allow flags_health_check boot_mode_prop:file { getattr open };
+allow flags_health_check bootloader_boot_reason_prop:file { getattr open };
+allow flags_health_check boottime_prop:file { getattr open };
+allow flags_health_check bpf_progs_loaded_prop:file { getattr open };
+allow flags_health_check bservice_prop:file { getattr open };
+allow flags_health_check camera_prop:file { getattr open };
+allow flags_health_check coresight_prop:file { getattr open };
+allow flags_health_check crash_prop:file { getattr open };
+allow flags_health_check ctl_LKCore_prop:file { getattr open };
+allow flags_health_check ctl_adbd_prop:file { getattr open };
+allow flags_health_check ctl_bootanim_prop:file { getattr open };
+allow flags_health_check ctl_bugreport_prop:file { getattr open };
+allow flags_health_check ctl_console_prop:file { getattr open };
+allow flags_health_check ctl_default_prop:file { getattr open };
+allow flags_health_check ctl_dumpstate_prop:file { getattr open };
+allow flags_health_check ctl_fuse_prop:file { getattr open };
+allow flags_health_check ctl_gsid_prop:file { getattr open };
+allow flags_health_check ctl_hbtp_prop:file { getattr open };
+allow flags_health_check ctl_interface_restart_prop:file { getattr open };
+allow flags_health_check ctl_interface_start_prop:file { getattr open };
+allow flags_health_check ctl_interface_stop_prop:file { getattr open };
+allow flags_health_check ctl_mdnsd_prop:file { 
getattr open };
+allow flags_health_check ctl_netmgrd_prop:file { getattr open };
+allow flags_health_check ctl_port-bridge_prop:file { getattr open };
+allow flags_health_check ctl_qmuxd_prop:file { getattr open };
+allow flags_health_check ctl_restart_prop:file { getattr open };
+allow flags_health_check ctl_rildaemon_prop:file { getattr open };
+allow flags_health_check ctl_sigstop_prop:file { getattr open };
+allow flags_health_check ctl_start_prop:file { getattr open };
+allow flags_health_check ctl_stop_prop:file { getattr open };
+allow flags_health_check ctl_vendor_imsrcsservice_prop:file { getattr open };
+allow flags_health_check ctl_vendor_wigigsvc_prop:file { getattr open };
+allow flags_health_check device_logging_prop:file { getattr open };
+allow flags_health_check diag_mdlog_prop:file { getattr open };
+allow flags_health_check dolby_prop:file { getattr open };
+allow flags_health_check dumpstate_options_prop:file { getattr open };
+allow flags_health_check dynamic_system_prop:file { getattr open };
+allow flags_health_check firstboot_prop:file { getattr open };
+allow flags_health_check fm_prop:file { getattr open };
+allow flags_health_check freq_prop:file { getattr open };
+allow flags_health_check fst_prop:file { getattr open };
+allow flags_health_check gamed_prop:file { getattr open };
+allow flags_health_check graphics_vulkan_prop:file { getattr open };
+allow flags_health_check gsid_prop:file { getattr open };
+allow flags_health_check heapprofd_enabled_prop:file { getattr open };
+allow flags_health_check hwservicemanager_prop:file { getattr open };
+allow flags_health_check hwui_prop:file { getattr open };
+allow flags_health_check ipacm-diag_prop:file { getattr open };
+allow flags_health_check ipacm_prop:file { getattr open };
+allow flags_health_check last_boot_reason_prop:file { getattr open };
+allow flags_health_check llkd_prop:file { getattr open };
+allow flags_health_check location_prop:file { getattr open };
+allow 
flags_health_check logpersistd_logging_prop:file { getattr open };
+allow flags_health_check lowpan_prop:file { getattr open };
+allow flags_health_check lpdumpd_prop:file { getattr open };
+allow flags_health_check mdm_helper_prop:file { getattr open };
+allow flags_health_check mmc_prop:file { getattr open };
+allow flags_health_check mmi_prop:file { getattr open };
+allow flags_health_check mpdecision_prop:file { getattr open };
+allow flags_health_check msm_irqbalance_prop:file { getattr open };
+allow flags_health_check msm_irqbl_sdm630_prop:file { getattr open };
+allow flags_health_check net_dns_prop:file { getattr open };
+allow flags_health_check netd_prop:file { getattr open };
+allow flags_health_check netd_stable_secret_prop:file { getattr open };
+allow flags_health_check nfc_nq_prop:file { getattr open };
+allow flags_health_check nnapi_ext_deny_product_prop:file { getattr open };
+allow flags_health_check opengles_prop:file { getattr open };
+allow flags_health_check overlay_prop:file { getattr open };
+allow flags_health_check per_mgr_state_prop:file { getattr open };
+allow flags_health_check perfd_prop:file { getattr open };
+allow flags_health_check persistent_properties_ready_prop:file { getattr open };
+allow flags_health_check postprocessing_prop:file { getattr open };
+allow flags_health_check ppd_prop:file { getattr open };
+allow flags_health_check qcom_ims_prop:file { getattr open };
+allow flags_health_check qdma_prop:file { getattr open };
+allow flags_health_check qemu_gles_prop:file { getattr open };
+allow flags_health_check qti_prop:file { getattr open };
+allow flags_health_check reschedule_service_prop:file { getattr open };
+allow flags_health_check rmnet_mux_prop:file { getattr open };
+allow flags_health_check safemode_prop:file { getattr open };
+allow flags_health_check scr_enabled_prop:file { getattr open };
+allow flags_health_check sdm_idle_time_prop:file { getattr open };
+allow flags_health_check sensors_prop:file { 
getattr open };
+allow flags_health_check serialno_prop:file { getattr open };
+allow flags_health_check spcomlib_prop:file { getattr open };
+allow flags_health_check sys_usb_configfs_prop:file { getattr open };
+allow flags_health_check sys_usb_controller_prop:file { getattr open };
+allow flags_health_check sys_usb_tethering_prop:file { getattr open };
+allow flags_health_check system_boot_reason_prop:file { getattr open };
+allow flags_health_check system_lmk_prop:file { getattr open };
+allow flags_health_check system_trace_prop:file { getattr open };
+allow flags_health_check test_boot_reason_prop:file { getattr open };
+allow flags_health_check theme_prop:file { getattr open };
+allow flags_health_check time_prop:file { getattr open };
+allow flags_health_check traced_enabled_prop:file { getattr open };
+allow flags_health_check traced_lazy_prop:file { getattr open };
+allow flags_health_check uicc_prop:file { getattr open };
+allow flags_health_check usf_prop:file { getattr open };
+allow flags_health_check vendor_mpctl_prop:file { getattr open };
+allow flags_health_check vendor_rild_libpath_prop:file { getattr open };
+allow flags_health_check vendor_system_prop:file { getattr open };
+allow flags_health_check vendor_wifi_prop:file { getattr open };
+allow flags_health_check vm_bms_prop:file { getattr open };
+allow flags_health_check wifi_prop:file { getattr open };
+allow flags_health_check wififtmd_prop:file { getattr open };
+allow flags_health_check wigig_prop:file { getattr open };
+allow flags_health_check xlat_prop:file { getattr open };
\ No newline at end of file
diff --git a/sepolicy/common/rild.te b/sepolicy/common/rild.te
index a44127d..bea054d 100644
--- a/sepolicy/common/rild.te
+++ b/sepolicy/common/rild.te
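Review bot: The 115 rules in `flags_health_check.te` grant `{ getattr open }` on practically every property-file type on the device, including `netd_stable_secret_prop` (the IPv6 stable-privacy secret, which as I recall AOSP restricts to netd and init with a neverallow), the `ctl_*` control types, and vendor-owned types such as `vendor_wifi_prop` and `msm_irqbl_sdm630_prop`. The set looks generated one line per denial, and `open` without `read` does not let the daemon read a value, so these rules most likely paper over an enumeration of /dev/__properties__ rather than serve a real property lookup. Decide what flags_health_check actually needs: if it reads specific properties, use `get_prop(flags_health_check, <prop_type>)` for those; if the denials are only enumeration noise, a `dontaudit` on the `property_type` attribute (if this policy version has it) is the right fix; and drop `netd_stable_secret_prop` either way.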
@@ -9,3 +9,7 @@ allow rild sysfs_sec_key:file rw_file_perms;
 allow rild unlabeled:dir search;
 allow rild unlabeled:file { getattr open read };
+
+allow rild device:chr_file read;
+allow rild device:chr_file open;
+allow rild device:chr_file ioctl;
\ No newline at end of file
diff --git a/sepolicy/common/system_server.te b/sepolicy/common/system_server.te
index 92e0ad0..23f3302 100644
--- a/sepolicy/common/system_server.te
+++ b/sepolicy/common/system_server.te
@@ -18,3 +18,4 @@ allow system_server {
 allow system_server init:binder call;
 allow system_server unlabeled:file unlink;
 allow system_server proc:file { getattr open read };
+allow system_server crash_dump:process getpgid;
\ No newline at end of file
diff --git a/sepolicy/common/vendor_init.te b/sepolicy/common/vendor_init.te
index ac41d89..3701dc0 100644
--- a/sepolicy/common/vendor_init.te
+++ b/sepolicy/common/vendor_init.te
@@ -22,4 +22,5 @@ allow vendor_init system_data_file:lnk_file unlink;
 allow vendor_init wcnss_device:chr_file write;
 allow vendor_init wcnss_device:chr_file open;
 allow vendor_init firmware_file:dir create;
-allow vendor_init firmware_file:dir setattr;
\ No newline at end of file
+allow vendor_init firmware_file:dir setattr;
+allow vendor_init bluetooth_data_file:file setattr;