[ALPS04793867] selinux: policy sync

Android Q and R have different policy in basic.
We sync it from Q policy and fix R neverallow rule

MTK-Commit-Id: 67144e1e0efe28d30381b1f3a98728c1a87e396e

Change-Id: Id7c92fa79976951c86d1286262f684e8f747427b
CR-Id: ALPS04793867
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK

r_non_plat/aee_aedv.te

@@ -431,3 +431,6 @@ allow aee_aedv debugfs_vpu_memory:file r_file_perms;
 
 # Purpose: Allow aee_aedv to read /proc/cpuhvfs/dbg_repo
 allow aee_aedv proc_dbg_repo:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/pl_lk
+allow aee_aedv proc_pl_lk:file r_file_perms;

r_non_plat/atci_service.te

@@ -13,9 +13,6 @@ init_daemon_domain(atci_service)
 allow atci_service block_device:dir search;
 allow atci_service misc2_block_device:blk_file { open read write };
 allow atci_service misc2_device:chr_file { open read write };
-allow atci_service bootdevice_block_device:blk_file { open read write };
-
-allow atci_service self:capability { net_raw chown fsetid sys_nice net_admin fowner sys_admin };
 allow atci_service camera_isp_device:chr_file { read write ioctl open };
 allow atci_service graphics_device:chr_file { read write ioctl open };
 allow atci_service graphics_device:dir search;
@@ -71,11 +68,9 @@ allow atci_service storage_file:lnk_file read;
 #allow atci_service media_rw_data_file:file { read write create open };
 
 #============= atci_service ==============
-allow atci_service property_socket:sock_file write;
 allow atci_service CAM_CAL_DRV_device:chr_file { read write ioctl open};
 
-allow atci_service init:unix_stream_socket connectto;
+set_prop(atci_service, mtk_em_prop)
-allow atci_service mtk_em_prop:property_service set;
 
 # Date : 2016/03/02
 # Operation : M-Migration

r_non_plat/atcid.te

@@ -9,10 +9,10 @@ type atcid, domain;
 type atcid_exec, exec_type, file_type, vendor_file_type;
 
 init_daemon_domain(atcid)
-allow atcid init:unix_stream_socket connectto;
+set_prop(atcid,persist_service_atci_prop)
-allow atcid property_socket:sock_file write;
 allow atcid block_device:dir search;
 allow atcid socket_device:sock_file write;
+allow atcid gsmrild_socket:sock_file write;
 
 # Date : WK17.21
 # Purpose: Allow to use HIDL
@@ -20,11 +20,8 @@ hwbinder_use(atcid)
 hal_client_domain(atcid, hal_telephony)
 
 allow atcid ttyGS_device:chr_file { read write ioctl open };
-allow atcid persist_service_atci_prop:property_service set;
-allow atcid misc2_device:chr_file { read write open };
 allow atcid wmtWifi_device:chr_file { write open };
 allow atcid misc2_block_device:blk_file { read write open };
-allow atcid bootdevice_block_device:blk_file { open read write };
 allow atci_service gpu_device:chr_file { read write open ioctl getattr };
 allow atcid self:capability sys_time;
 

r_non_plat/ccci_fsd.te

@@ -44,9 +44,9 @@ allow ccci_fsd otp_device:chr_file rw_file_perms;
 allow ccci_fsd sysfs:file r_file_perms;
 allow ccci_fsd sysfs_boot_type:file { read open };
 #============= ccci_fsd MD block data==============
+##restore>NVM_GetDeviceInfo>open  /dev/block/platform/bootdevice/by-name/nvram
 allow ccci_fsd block_device:dir search;
 allow ccci_fsd nvram_device:blk_file rw_file_perms;
-allow ccci_fsd bootdevice_block_device:blk_file rw_file_perms;
 allow ccci_fsd nvdata_device:blk_file rw_file_perms;
 #============= ccci_fsd cryption related ==============
 allow ccci_fsd rawfs:dir create_dir_perms;
@@ -63,7 +63,7 @@ allow ccci_fsd kmsg_device:chr_file w_file_perms;
 allow ccci_fsd proc_lk_env:file rw_file_perms;
 
 #============= ccci_fsd MD Low Power Monitor Related ==============
-allow ccci_fsd vendor_data_file:dir create_dir_perms;
+allow ccci_fsd ccci_data_md1_file:dir create_dir_perms;
-allow ccci_fsd vendor_data_file:file create_file_perms;
+allow ccci_fsd ccci_data_md1_file:file create_file_perms;
 allow ccci_fsd sysfs_mmcblk:dir search;
 allow ccci_fsd sysfs_mmcblk:file { read getattr open };

r_non_plat/ccci_mdinit.te

@@ -71,15 +71,11 @@ allow ccci_mdinit protect_s_data_file:dir rw_dir_perms;
 allow ccci_mdinit protect_s_data_file:file create_file_perms;
 allow ccci_mdinit nvram_device:blk_file rw_file_perms;
 allow ccci_mdinit nvdata_device:blk_file rw_file_perms;
-allow ccci_mdinit bootdevice_block_device:blk_file rw_file_perms;
 
 set_prop(ccci_mdinit, ril_mux_report_case_prop)
 
 allow ccci_mdinit ccci_cfg_file:dir create_dir_perms;
 allow ccci_mdinit ccci_cfg_file:file create_file_perms;
-allow ccci_mdinit block_device:dir search;
-allow ccci_mdinit preloader_block_device:blk_file r_file_perms;
-allow ccci_mdinit secro_block_device:blk_file r_file_perms;
 #===============security relate ==========================
 allow ccci_mdinit preloader_device:chr_file rw_file_perms;
 allow ccci_mdinit misc_sd_device:chr_file r_file_perms;

r_non_plat/domain.te

@@ -20,14 +20,6 @@ allow {
   -isolated_app
 } sysfs_devinfo:file r_file_perms;
 
-# Date:20170519
-# Purpose: Full treble bootup issue, coredomain need to access libudf.so where
-# located on /vendor.
-# TODO:: In O MR1 may need to change design
-allow coredomain vendor_file:dir r_dir_perms;
-#allow coredomain vendor_file:file { read open getattr execute };
-allow coredomain vendor_file:lnk_file { getattr read };
-
 # Date:20170630
 # Purpose: allow trusted process to connect aee daemon
 #allow {

r_non_plat/dumpstate.te

@@ -54,8 +54,7 @@ allow dumpstate sysfs_lowmemorykiller:dir search;
 allow dumpstate expdb_block_device:blk_file { read write ioctl open };
 
 #/data/anr/SF_RTT
-allow dumpstate sf_rtt_file:dir search;
+allow dumpstate sf_rtt_file:dir { search getattr };
-allow dumpstate sf_rtt_file:file r_file_perms;
 
 # Data : 2017/03/22
 # Operation : add fd use selinux rule
@@ -174,3 +173,11 @@ allow dumpstate sysfs_adsp:file r_file_perms;
 
 #Purpose: Allow dumpstate to read /sys/kernel/debug/smi_mon
 allow dumpstate debugfs_smi_mon:file r_file_perms;
+
+# MTEE Trusty
+allow dumpstate mtee_trusty_file:file rw_file_perms;
+
+# 09-05 15:58:31.552000  9693  9693 W df      : type=1400 audit(0.0:990):
+# avc: denied { search } for name="expand" dev="tmpfs" ino=10779 scontext=u:r:dumpstate:s0
+# tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0
+allow dumpstate mnt_expand_file:dir search;

r_non_plat/em_hidl.te

@@ -124,3 +124,7 @@ set_prop(em_hidl, mtk_em_hidl_prop)
 # Operation : EM AAL
 # Purpose: for em set aal property
 set_prop(em_hidl, mtk_pq_prop)
+# Date :  2019/09/10
+# Operation : EM wcn coredump
+# Purpose: for em set wcn coredump property
+set_prop(em_hidl, coredump_prop)

r_non_plat/file.te

@@ -13,6 +13,7 @@ type wpa_supplicant_data_file, file_type, data_file_type;
 type radvd_data_file, file_type, data_file_type;
 type volte_vt_socket, file_type;
 type dfo_socket, file_type;
+type gsmrild_socket, file_type;
 type rild2_socket, file_type;
 type rild3_socket, file_type;
 type rild4_socket, file_type;
@@ -136,6 +137,7 @@ type sf_rtt_file, file_type, data_file_type, core_data_file_type;
 type rild-dongle_socket, file_type;
 
 type ccci_cfg_file, file_type, data_file_type;
+type ccci_data_md1_file, file_type, data_file_type;
 type c2k_file, file_type, data_file_type;
 #For sensor
 type sensor_data_file, file_type, data_file_type;
@@ -343,10 +345,10 @@ type debugfs_regmap, fs_type, debugfs_type;
 type sys_usb_rawbulk, fs_type, sysfs_type;
 
 # Backlight brightness file
-type sysfs_vibrator_setting, fs_type, sysfs_type;
+type sysfs_leds_setting, fs_type, sysfs_type;
 
 # Vibrator vibrate file
-type sysfs_leds_setting, fs_type, sysfs_type;
+type sysfs_vibrator_setting, fs_type, sysfs_type;
 
 # Date : 2019/04/09
 # Purpose: mtk EM battery settings
@@ -380,3 +382,29 @@ type debugfs_smi_mon, fs_type, debugfs_type;
 # Date : WK19.34
 # Purpose: Android Migration for video codec driver
 type vcodec_file, file_type, data_file_type;
+
+# Date : 2019/08/24
+type sysfs_sensor, fs_type, sysfs_type;
+
+#MTEE trusty
+type mtee_trusty_file, fs_type, sysfs_type;
+
+# Date : 2019/08/29
+# Purpose: Allow rild access proc/aed/reboot-reason
+type proc_aed_reboot_reason, fs_type, proc_type;
+
+# Date : 2019/09/05
+# Purpose: Allow powerhal to control kernel resources
+type proc_ppm, fs_type, proc_type;
+type proc_cpufreq, fs_type, proc_type;
+type proc_hps, fs_type, proc_type;
+type proc_cm_mgr, fs_type, proc_type;
+type proc_ca_drv, fs_type, proc_type;
+type sysfs_ged, fs_type, sysfs_type;
+type sysfs_fbt_cpu, fs_type, sysfs_type;
+type sysfs_fbt_fteh, fs_type, sysfs_type;
+
+# Date : WK19.38
+# Purpose: Android Migration for video codec driver
+type sysfs_device_tree_model, fs_type, sysfs_type;
+

r_non_plat/file_contexts

@@ -28,6 +28,7 @@
 /data/vendor/gps(/.*)?   u:object_r:gps_data_file:s0
 /data/anr/SF_RTT(/.*)? u:object_r:sf_rtt_file:s0
 /data/vendor/ccci_cfg(/.*)? u:object_r:ccci_cfg_file:s0
+/data/vendor/mdlpm(/.*)? u:object_r:ccci_data_md1_file:s0
 /data/vendor/flashless(/.*)? u:object_r:c2k_file:s0
 /data/core(/.*)? u:object_r:aee_core_data_file:s0
 /data/vendor/core(/.*)? u:object_r:aee_core_vendor_file:s0
@@ -262,6 +263,22 @@
 /dev/socket/mnld(/.*)? u:object_r:mnld_socket:s0
 /dev/socket/netdiag(/.*)? u:object_r:netdiag_socket:s0
 /dev/socket/netd(/.*)? u:object_r:netd_socket:s0
+/dev/socket/mrild(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/mrild2(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/mrild3(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/rild-atci u:object_r:gsmrild_socket:s0
+/dev/socket/rild-mbim(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_uim_socket1(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_uim_socket2(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/sap_uim_socket(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_c2k_socket1(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_c2k_socket2(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_c2k_socket3(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_c2k_socket4(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/sap_uim_socket1(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/sap_uim_socket2(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/sap_uim_socket3(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/sap_uim_socket4(/.*)? u:object_r:gsmrild_socket:s0
 /dev/socket/rild2-md2(/.*)? u:object_r:rild2_md2_socket:s0
 /dev/socket/rild2(/.*)? u:object_r:rild2_socket:s0
 /dev/socket/rild3(/.*)? u:object_r:rild3_socket:s0
@@ -273,6 +290,8 @@
 /dev/socket/rild-ims(/.*)? u:object_r:rild_ims_socket:s0
 /dev/socket/volte_imsm_dongle(/.*)? u:object_r:rild_imsm_socket:s0
 /dev/socket/rild-vsim(/.*)? u:object_r:rild_vsim_socket:s0
+/dev/socket/rild-vsim2(/.*)? u:object_r:rild_vsim_socket:s0
+/dev/socket/rild-vsim3(/.*)? u:object_r:rild_vsim_socket:s0
 /dev/socket/rild-vsim-md2(/.*)? u:object_r:rild_vsim_md2_socket:s0
 /dev/socket/rild-ctclient u:object_r:rild_ctclient_socket:s0
 /dev/socket/rild-debug-md2(/.*)? u:object_r:rild_debug_md2_socket:s0
@@ -289,6 +308,8 @@
 /dev/socket/rild-oem(/.*)? u:object_r:rild_oem_socket:s0
 /dev/socket/rild(/.*)? u:object_r:rild_socket:s0
 /dev/socket/rild-via u:object_r:rild_via_socket:s0
+/dev/socket/rildc-debug u:object_r:rild_via_socket:s0
+/dev/socket/rild-atci-c2k u:object_r:rild_via_socket:s0
 /dev/socket/mal-mfi(/.*)? u:object_r:mal_mfi_socket:s0
 /dev/socket/mal-mfi-dongle(/.*)? u:object_r:mal_mfi_socket:s0
 /dev/socket/rpc u:object_r:rpc_socket:s0
@@ -486,10 +507,8 @@
 /dev/block/platform/bootdevice/by-name/vbmeta(_system|_vendor)?(_[ab])?    u:object_r:vbmeta_block_device:s0
 
 # Key manager
-/dev/block/platform/bootdevice/by-name/kb        u:object_r:kb_block_device:s0
+/dev/block/platform/soc/[0-9]+\.mmc/by-name/kb   u:object_r:kb_block_device:s0
-/dev/block/platform/bootdevice/by-name/dkb       u:object_r:dkb_block_device:s0
+/dev/block/platform/soc/[0-9]+\.mmc/by-name/dkb  u:object_r:dkb_block_device:s0
-/dev/kb                                          u:object_r:kb_block_device:s0
-/dev/dkb                                         u:object_r:dkb_block_device:s0
 
 # W19.23 Q new feature - Userdata Checkpoint
 /dev/block/by-name/md_udc             u:object_r:metadata_block_device:s0

r_non_plat/genfs_contexts

@@ -89,6 +89,8 @@ genfscon sysfs /devices/platform/charger/Pump_Express u:object_r:sysfs_pump_expr
 genfscon sysfs /devices/platform/battery/Pump_Express u:object_r:sysfs_pump_express:s0
 genfscon sysfs /devices/platform/mt_charger/power_supply u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/mt-rtc/rtc    u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6359-pmic/mt6359-rtc/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6358-pmic/mt6358-rtc/rtc u:object_r:sysfs_rtc:s0
 genfscon sysfs /devices/platform/mt-pmic u:object_r:sysfs_pmu:s0
 genfscon sysfs /devices/platform/1000d000.pwrap/mt-pmic u:object_r:sysfs_pmu:s0
 genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6358-pmic/mt-pmic u:object_r:sysfs_pmu:s0
@@ -107,7 +109,10 @@ genfscon sysfs /devices/virtual/misc/scp_B  u:object_r:sysfs_scp:s0
 genfscon sysfs /devices/virtual/misc/sspm  u:object_r:sysfs_sspm:s0
 genfscon sysfs /devices/virtual/misc/adsp  u:object_r:sysfs_adsp:s0
 
+# Date : 2019/09/12
 genfscon sysfs /devices/virtual/thermal u:object_r:sysfs_therm:s0
+genfscon sysfs /devices/class/thermal u:object_r:sysfs_therm:s0
+
 genfscon sysfs /devices/virtual/switch/fps u:object_r:sysfs_fps:s0
 
 genfscon sysfs /firmware/devicetree/base/chosen/atag,devinfo u:object_r:sysfs_devinfo:s0
@@ -158,9 +163,9 @@ genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:2/block/sdc
 
 # Date : 2019/07/12
 # Purpose:dumpstate mmcblk1 access
+genfscon sysfs /devices/platform/externdevice/mmc_host/mmc0 u:object_r:sysfs_devices_block:s0
 genfscon sysfs /devices/platform/externdevice/mmc_host/mmc1 u:object_r:sysfs_devices_block:s0
 
-
 #############################
 # debugfs files
 #
@@ -213,4 +218,29 @@ genfscon iso9660 / u:object_r:iso9660:s0
 genfscon rawfs / u:object_r:rawfs:s0
 genfscon fuseblk / u:object_r:fuseblk:s0
 
+# 2019/08/24
+genfscon sysfs /class/sensor u:object_r:sysfs_sensor:s0
+genfscon sysfs /devices/virtual/sensor u:object_r:sysfs_sensor:s0
 
+# MTEE trusty
+genfscon sysfs /devices/platform/trusty u:object_r:mtee_trusty_file:s0
+
+# Date : 2019/08/29
+# Purpose: allow rild to access /proc/aed/reboot-reason
+genfscon proc /aed/reboot-reason u:object_r:proc_aed_reboot_reason:s0
+
+
+# 2019/09/05
+# Purpose: Allow powerhal to control kernel resources
+genfscon proc /ppm u:object_r:proc_ppm:s0
+genfscon proc /cpufreq u:object_r:proc_cpufreq:s0
+genfscon proc /hps u:object_r:proc_hps:s0
+genfscon proc /cm_mgr u:object_r:proc_cm_mgr:s0
+genfscon proc /ca_drv u:object_r:proc_ca_drv:s0
+genfscon sysfs /module/ged u:object_r:sysfs_ged:s0
+genfscon sysfs /module/fbt_cpu u:object_r:sysfs_fbt_cpu:s0
+genfscon sysfs /module/fbt_fteh u:object_r:sysfs_fbt_fteh:s0
+
+# Date : WK19.38
+# Purpose: Android Migration for video codec driver
+genfscon sysfs /firmware/devicetree/base/model u:object_r:sysfs_device_tree_model:s0

r_non_plat/hal_graphics_allocator_default.te

@@ -21,3 +21,4 @@ allow hal_graphics_allocator_default debugfs_tracing:file open;
 allow hal_graphics_allocator_default proc_ged:file r_file_perms;
 allowxperm hal_graphics_allocator_default proc_ged:file ioctl { proc_ged_ioctls };
 
+#============= hal_graphics_allocator_default ==============

r_non_plat/ioctl_defines

@@ -15,6 +15,7 @@ define(`GED_BRIDGE_IO_WAIT_HW_VSYNC', `0x670a')
 define(`GED_BRIDGE_IO_QUERY_TARGET_FPS', `0x670b')
 define(`GED_BRIDGE_IO_VSYNC_WAIT', `0x670c')
 define(`GED_BRIDGE_IO_GPU_HINT_TO_CPU', `0x670d')
+define(`GED_BRIDGE_IO_HINT_FORCE_MDP', `0x670e')
 
 define(`GED_BRIDGE_IO_GE_ALLOC', `0x6764')
 define(`GED_BRIDGE_IO_GE_GET', `0x6765')

r_non_plat/ioctl_macros

@@ -14,6 +14,7 @@ define(`proc_ged_ioctls', `{
   GED_BRIDGE_IO_QUERY_TARGET_FPS
   GED_BRIDGE_IO_VSYNC_WAIT
   GED_BRIDGE_IO_GPU_HINT_TO_CPU
+  GED_BRIDGE_IO_HINT_FORCE_MDP
   GED_BRIDGE_IO_GE_ALLOC
   GED_BRIDGE_IO_GE_GET
   GED_BRIDGE_IO_GE_SET

r_non_plat/mtk_hal_audio.te

@@ -158,17 +158,13 @@ allow mtk_hal_audio mnt_user_file:lnk_file {read write};
 # Operation : Migration
 # Purpose: read/open sysfs node
 allow mtk_hal_audio sysfs_ccci:file r_file_perms;
+allow mtk_hal_audio sysfs_ccci:dir search;
 
 # Date : WK16.18
 # Operation : Migration
 # Purpose: research root dir "/"
 allow mtk_hal_audio tmpfs:dir search;
 
-# Date : WK16.18
-# Operation : Migration
-# Purpose: access sysfs node
-allow mtk_hal_audio sysfs:file { open read write };
-allow mtk_hal_audio sysfs_ccci:dir search;
 # Purpose: Dump debug info
 allow mtk_hal_audio debugfs_binder:dir search;
 allow mtk_hal_audio kmsg_device:chr_file { open write };

r_non_plat/mtk_hal_bluetooth.te

@@ -45,4 +45,8 @@ get_prop(mtk_hal_bluetooth, hwservicemanager_prop)
 allow hal_bluetooth_client mtk_hal_bluetooth_hwservice:hwservice_manager find;
 
 allow mtk_hal_bluetooth system_data_file:lnk_file read;
+
 hal_server_domain(mtk_hal_bluetooth,hal_bluetooth);
+
+# Purpose: Allow BT Driver to insmod
+allow mtk_hal_bluetooth wmt_prop:property_service set;

r_non_plat/mtk_hal_gpu.te

@@ -31,11 +31,6 @@ hal_client_domain(mtk_hal_gpu, hal_allocator)
 # Purpose : Allow to use kernel driver
 allow mtk_hal_gpu graphics_device:chr_file rw_file_perms;
 
-# Purpose : Allow property set
-allow mtk_hal_gpu init:unix_stream_socket connectto;
-allow mtk_hal_gpu property_socket:sock_file write;
-
-
 # Purpose : Allow permission to set pq property
 #set_prop(mtk_hal_gpu, mtk_gpu_prop)
 

r_non_plat/mtk_hal_light.te

@@ -14,7 +14,6 @@ binder_call(mtk_hal_light, system_server)
 # system file
 allow mtk_hal_light system_file:dir read;
 allow mtk_hal_light system_file:dir open;
-allow mtk_hal_light sysfs:file rw_file_perms;
 
 allow mtk_hal_light sysfs_leds:lnk_file read;
 allow mtk_hal_light sysfs_leds:file rw_file_perms;

r_non_plat/mtk_hal_mms.te

@@ -40,6 +40,7 @@ allow mtk_hal_mms mtk_hal_pq:binder call;
 # Purpose : Allow to use graphics allocator fd for gralloc_extra
 allow mtk_hal_mms hal_graphics_allocator_default:fd use;
 allow mtk_hal_mms debugfs_ion:dir search;
+allow mtk_hal_mms merged_hal_service:fd use;
 
 # Purpose : VDEC/VENC device node
 allow mtk_hal_mms Vcodec_device:chr_file rw_file_perms;

r_non_plat/mtk_hal_power.te

@@ -18,10 +18,6 @@ allow hal_power_client mtk_hal_power_hwservice:hwservice_manager find;
 hal_server_domain(mtk_hal_power, hal_power);
 hal_server_domain(mtk_hal_power, hal_wifi);
 
-# proc fs
-allow mtk_hal_power proc:dir r_dir_perms;
-allow mtk_hal_power proc:file rw_file_perms;
-
 # sysfs
 allow mtk_hal_power sysfs_devices_system_cpu:file rw_file_perms;
 
@@ -62,7 +58,6 @@ allow mtk_hal_power mtk_hal_camera:file r_file_perms;
 # Operation: SQC
 # Purpose : Allow powerHAL to access thermal
 allow mtk_hal_power proc_thermal:dir r_dir_perms;
-allow mtk_hal_power sysfs:file rw_file_perms;
 allow mtk_hal_power debugfs_fpsgo:dir r_dir_perms;
 allow mtk_hal_power debugfs_fpsgo:file rw_file_perms;
 
@@ -147,3 +142,20 @@ allowxperm mtk_hal_power self:udp_socket ioctl priv_sock_ioctls;
 # Purpose : MTK power hal interface permission
 set_prop(mtk_hal_power, mtk_powerhal_prop)
 
+# Date : 2019/09/05
+# Operation: SQC
+# Purpose : Add procfs, sysfs policy
+allow mtk_hal_power proc_ppm:dir r_dir_perms;
+allow mtk_hal_power proc_ppm:file rw_file_perms;
+allow mtk_hal_power proc_cpufreq:dir r_dir_perms;
+allow mtk_hal_power proc_cpufreq:file rw_file_perms;
+allow mtk_hal_power proc_hps:dir r_dir_perms;
+allow mtk_hal_power proc_hps:file rw_file_perms;
+allow mtk_hal_power proc_cm_mgr:dir r_dir_perms;
+allow mtk_hal_power proc_cm_mgr:file rw_file_perms;
+allow mtk_hal_power sysfs_ged:dir r_dir_perms;
+allow mtk_hal_power sysfs_ged:file rw_file_perms;
+allow mtk_hal_power sysfs_fbt_cpu:dir r_dir_perms;
+allow mtk_hal_power sysfs_fbt_cpu:file rw_file_perms;
+allow mtk_hal_power sysfs_fbt_fteh:dir r_dir_perms;
+allow mtk_hal_power sysfs_fbt_fteh:file rw_file_perms;

r_non_plat/mtk_hal_sensors.te

@@ -27,7 +27,8 @@ allow mtk_hal_sensors system_file:dir read;
 allow mtk_hal_sensors system_file:dir open;
 
 # sensors input rw access
-allow mtk_hal_sensors sysfs:file rw_file_perms;
+allow mtk_hal_sensors sysfs_sensor:dir r_dir_perms;
+allow mtk_hal_sensors sysfs_sensor:file rw_file_perms;
 
 # hal sensor for chr_file
 allow mtk_hal_sensors hwmsensor_device:chr_file r_file_perms;

r_non_plat/mtkrild.te

@@ -54,7 +54,7 @@ allow mtkrild bluetooth_efs_file:dir r_dir_perms;
 allow mtkrild sdcardfs:dir r_dir_perms;
 # Violate Android P rule
 #allow mtkrild system_file:file x_file_perms;
-allow mtkrild proc:file rw_file_perms;
+#allow mtkrild proc:file rw_file_perms;
 allow mtkrild proc_net:file w_file_perms;
 
 # Set and get routes directly via netlink.
@@ -68,13 +68,13 @@ allow mtkrild mtd_device:dir search;
 allow mtkrild tty_device:chr_file rw_file_perms;
 allow mtkrild eemcs_device:chr_file { rw_file_perms };
 
-allow mtkrild Vcodec_device:chr_file { rw_file_perms };
+#allow mtkrild Vcodec_device:chr_file { rw_file_perms };
 allow mtkrild devmap_device:chr_file { r_file_perms };
 allow mtkrild devpts:chr_file { rw_file_perms };
 allow mtkrild ccci_device:chr_file { rw_file_perms };
 allow mtkrild misc_device:chr_file { rw_file_perms };
 allow mtkrild proc_lk_env:file rw_file_perms;
-allow mtkrild bootdevice_block_device:blk_file { rw_file_perms };
+#allow mtkrild bootdevice_block_device:blk_file { rw_file_perms };
 allow mtkrild para_block_device:blk_file { rw_file_perms };
 
 # Allow dir search, fd uses
@@ -82,10 +82,6 @@ allow mtkrild block_device:dir search;
 allow mtkrild platform_app:fd use;
 allow mtkrild radio:fd use;
 
-# For emulator
-allow mtkrild qemu_pipe_device:chr_file rw_file_perms;
-allow mtkrild socket_device:sock_file { w_file_perms };
-
 # For MAL MFI
 allow mtkrild mal_mfi_socket:sock_file { w_file_perms };
 
@@ -93,8 +89,6 @@ allow mtkrild mal_mfi_socket:sock_file { w_file_perms };
 allow mtkrild sysfs_ccci:dir search;
 allow mtkrild sysfs_ccci:file r_file_perms;
 
-allow init socket_device:sock_file { create unlink setattr };
-
 #For Kryptowire mtklog issue
 allow mtkrild aee_aedv:unix_stream_socket connectto;
 # Allow ioctl in order to control network interface

r_non_plat/nvram_agent_binder.te

@@ -21,7 +21,6 @@ init_daemon_domain(nvram_agent_binder)
 # Operation : 2rd Selinux Migration 
 # Purpose : the role of nvram_agent_binder is same with nvram_daemon except property_set & exect permission
 allow nvram_agent_binder nvram_device:blk_file rw_file_perms;
-allow nvram_agent_binder bootdevice_block_device:blk_file rw_file_perms;
 allow nvram_agent_binder nvdata_device:blk_file rw_file_perms;
 allow nvram_agent_binder nvram_data_file:dir create_dir_perms;
 allow nvram_agent_binder nvram_data_file:file create_file_perms;
@@ -34,9 +33,6 @@ allow nvram_agent_binder als_ps_device:chr_file r_file_perms;
 allow nvram_agent_binder mtk-adc-cali_device:chr_file rw_file_perms;
 allow nvram_agent_binder gsensor_device:chr_file r_file_perms;
 allow nvram_agent_binder gyroscope_device:chr_file r_file_perms;
-allow nvram_agent_binder init:unix_stream_socket connectto;
-allow nvram_agent_binder property_socket:sock_file write;
-allow nvram_agent_binder sysfs:file write;
 allow nvram_agent_binder self:capability { fowner chown fsetid };
 
 # Purpose: for backup
@@ -44,7 +40,6 @@ allow nvram_agent_binder nvram_device:chr_file rw_file_perms;
 allow nvram_agent_binder pro_info_device:chr_file rw_file_perms;
 allow nvram_agent_binder block_device:dir search;
 
-allow nvram_agent_binder app_data_file:file write;
 # for MLC device
 allow nvram_agent_binder mtd_device:dir search;
 allow nvram_agent_binder mtd_device:chr_file rw_file_perms;

r_non_plat/nvram_daemon.te

@@ -21,7 +21,6 @@ init_daemon_domain(nvram_daemon)
 # Operation : Migration 
 # Purpose : the device is used to store Nvram backup data that can not be lost. 
 allow nvram_daemon nvram_device:blk_file rw_file_perms;
-allow nvram_daemon bootdevice_block_device:blk_file rw_file_perms;
 allow nvram_daemon nvdata_device:blk_file rw_file_perms;
 
 # Date : WK14.35
@@ -41,7 +40,6 @@ allow nvram_daemon gyroscope_device:chr_file r_file_perms;
 allow nvram_daemon init:unix_stream_socket connectto;
 
 # Purpose: for property set
-allow nvram_daemon sysfs:file w_file_perms;
 allow nvram_daemon self:capability { fowner chown fsetid };
 
 # Purpose: for backup

r_non_plat/property.te

@@ -320,3 +320,6 @@ type mtk_wifi_hotspot_prop, property_type, mtk_core_property_type;
 
 #=============mtk hdmi property=============
 type mtk_hdmi_prop, property_type, mtk_core_property_type;
+
+#=============mtk nn option property=============
+type mtk_nn_option_prop, property_type;

r_non_plat/property_contexts

@@ -348,3 +348,6 @@ ro.vendor.wifi.sap.interface u:object_r:mtk_wifi_hotspot_prop:s0
 
 #=============allow mtk hdmi==============#
 persist.vendor.sys.hdmi_hidl. u:object_r:mtk_hdmi_prop:s0
+
+#=============mtk nn option==============#
+ro.vendor.mtk_nn.option u:object_r:mtk_nn_option_prop:s0

r_non_plat/rild.te

@@ -43,7 +43,6 @@ allow rild bluetooth_efs_file:dir r_dir_perms;
 # Violate Android P rule
 allow rild sdcardfs:dir r_dir_perms;
 #allow rild system_file:file x_file_perms;
-allow rild proc:file rw_file_perms;
 allow rild proc_net:file w_file_perms;
 
 # Allow rild to create and use netlink sockets.
@@ -58,14 +57,14 @@ allow rild mtd_device:dir search;
 allow rild tty_device:chr_file rw_file_perms;
 allow rild eemcs_device:chr_file { rw_file_perms };
 
-allow rild Vcodec_device:chr_file { rw_file_perms };
+#allow rild Vcodec_device:chr_file { rw_file_perms };
 allow rild devmap_device:chr_file { r_file_perms };
 allow rild devpts:chr_file { rw_file_perms };
 allow rild ccci_device:chr_file { rw_file_perms };
 allow rild misc_device:chr_file { rw_file_perms };
 allow rild proc_lk_env:file rw_file_perms;
 allow rild sysfs_vcorefs_pwrctrl:file { w_file_perms };
-allow rild bootdevice_block_device:blk_file { rw_file_perms };
+#allow rild bootdevice_block_device:blk_file { rw_file_perms };
 allow rild para_block_device:blk_file { rw_file_perms };
 
 # Allow dir search, fd uses
@@ -155,3 +154,7 @@ allow rild proc_cmdline:file r_file_perms;
 # Operation: AP wifi path
 # Purpose: Allow packet can be filtered by RILD process
 allow rild self:netlink_netfilter_socket { create_socket_perms_no_ioctl };
+
+# Date : 2019/08/29
+# Purpose: Allow rild to access proc/aed/reboot-reason
+allow rild proc_aed_reboot_reason:file rw_file_perms;

r_non_plat/rilproxy.te

@@ -18,7 +18,6 @@ allow rild init:unix_stream_socket connectto;
 allow rild mtkrild:unix_stream_socket connectto;
 allow rild property_socket:sock_file write;
 allow rild self:capability setuid;
-allow rild socket_device:sock_file write;
 allow rild radio_prop:property_service set;
 allow rild ril_mux_report_case_prop:property_service set;
 allow rild mtk_agpsd:unix_stream_socket connectto;
@@ -72,3 +71,9 @@ set_prop(mtkrild, mtk_ss_vendor_prop)
 # Purpose: Allow rild access to send SUPL INIT to mnld
 allow rild mnld:unix_dgram_socket sendto;
 allow mtkrild mnld:unix_dgram_socket sendto;
+
+# Date : W19.35
+# Operation: Q migration
+# Purpose: Fix rilproxy SeLinux warning of pre-defined socket
+allow rild gsmrild_socket:sock_file write;
+

r_non_plat/system_server.te

@@ -207,3 +207,8 @@ allowxperm system_server proc_ged:file ioctl { proc_ged_ioctls };
 # Date: 2019/06/14
 # Operation : Migration
 get_prop(system_server, vendor_default_prop)
+
+# Date: 2019/06/14
+# Operation : when WFD turnning on, turn off hdmi
+allow system_server mtk_hal_hdmi_hwservice:hwservice_manager find;
+allow system_server mtk_hal_hdmi:binder call;

r_non_plat/thermal_manager.te

@@ -39,16 +39,17 @@ allow thermal_manager camera_isp_device:chr_file { read write };
 allow thermal_manager cameraserver:fd use;
 allow thermal_manager kd_camera_hw_device:chr_file { read write };
 allow thermal_manager MTK_SMI_device:chr_file read;
-allow thermal_manager property_socket:sock_file write;
 allow thermal_manager surfaceflinger:fd use;
-allow thermal_manager init:unix_stream_socket connectto;
+set_prop(thermal_manager ,mtk_thermal_config_prop)
-allow thermal_manager sysfs:file write;
 
-# Date : WK17.12
+# Date : 2019/09/12
 # Operation : Migration
-# Purpose : Allow thermal_manager to notify SPA.
+# Purpose : add sysfs permission
-allow thermal_manager mtk_thermal_config_prop:file { getattr open read };
+# path = " sys/devices/virtual/thermal/"
-allow thermal_manager mtk_thermal_config_prop:property_service set;
+# path = " sys/class/thermal/"
+allow thermal_manager sysfs_therm:file w_file_perms;
+
+
 
 # Date : WK18.18
 # Operation : P Migration

r_non_plat/vendor_init.te

@@ -32,6 +32,7 @@ set_prop(vendor_init, tel_switch_prop)
 set_prop(vendor_init, mtk_aal_ro_prop)
 set_prop(vendor_init, mtk_pq_ro_prop)
 set_prop(vendor_init, mtk_default_prop)
+set_prop(vendor_init, mtk_nn_option_prop)
 
 set_prop(vendor_init, mtk_emmc_support_prop)
 set_prop(vendor_init, mtk_anr_support_prop)