diff --git a/sepolicy/OWNERS b/sepolicy/OWNERS index 791abb4a..5232bc31 100644 --- a/sepolicy/OWNERS +++ b/sepolicy/OWNERS @@ -1,3 +1,4 @@ -include platform/system/sepolicy:/OWNERS +include device/google/gs-common:/sepolicy/OWNERS + +adamshih@google.com -rurumihong@google.com diff --git a/sepolicy/gs201-sepolicy.mk b/sepolicy/gs201-sepolicy.mk index 5334d755..ebc4a447 100644 --- a/sepolicy/gs201-sepolicy.mk +++ b/sepolicy/gs201-sepolicy.mk @@ -16,6 +16,7 @@ BOARD_SEPOLICY_DIRS += device/google/gs201/sepolicy/whitechapel_pro # unresolved SELinux error log with bug tracking BOARD_SEPOLICY_DIRS += device/google/gs201/sepolicy/tracking_denials +PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs201/sepolicy/public PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs201/sepolicy/private # system_ext diff --git a/sepolicy/private/debug_camera_app.te b/sepolicy/private/debug_camera_app.te new file mode 100644 index 00000000..c14637be --- /dev/null +++ b/sepolicy/private/debug_camera_app.te @@ -0,0 +1,16 @@ +typeattribute debug_camera_app coredomain; + +userdebug_or_eng(` + app_domain(debug_camera_app) + net_domain(debug_camera_app) + + allow debug_camera_app app_api_service:service_manager find; + allow debug_camera_app audioserver_service:service_manager find; + allow debug_camera_app cameraserver_service:service_manager find; + allow debug_camera_app mediaextractor_service:service_manager find; + allow debug_camera_app mediametrics_service:service_manager find; + allow debug_camera_app mediaserver_service:service_manager find; + + # Allows camera app to access the PowerHAL. + hal_client_domain(debug_camera_app, hal_power) +') diff --git a/sepolicy/private/google_camera_app.te b/sepolicy/private/google_camera_app.te new file mode 100644 index 00000000..6a9dff32 --- /dev/null +++ b/sepolicy/private/google_camera_app.te 
@@ -0,0 +1,17 @@
+typeattribute google_camera_app coredomain;
+
+app_domain(google_camera_app)
+net_domain(google_camera_app)
+
+allow google_camera_app app_api_service:service_manager find;
+allow google_camera_app audioserver_service:service_manager find;
+allow google_camera_app cameraserver_service:service_manager find;
+allow google_camera_app mediaextractor_service:service_manager find;
+allow google_camera_app mediametrics_service:service_manager find;
+allow google_camera_app mediaserver_service:service_manager find;
+
+# Allows camera app to access the PowerHAL.
+hal_client_domain(google_camera_app, hal_power)
+
+# Library code may try to access vendor properties, but should be denied
+dontaudit google_camera_app vendor_default_prop:file { getattr map open };
diff --git a/sepolicy/private/seapp_contexts b/sepolicy/private/seapp_contexts
new file mode 100644
index 00000000..bfe5a549
--- /dev/null
+++ b/sepolicy/private/seapp_contexts
@@ -0,0 +1,11 @@
+# Google Camera
+user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+
+# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
+user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
+
+# Google Camera Eng
+user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
+
+# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
+user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
diff --git a/sepolicy/public/debug_camera_app.te b/sepolicy/public/debug_camera_app.te
new file mode 100644
index 00000000..6f497680
--- /dev/null
+++ b/sepolicy/public/debug_camera_app.te
@@ -0,0 +1 @@
+type debug_camera_app, domain;
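Review bot: Only the first row of the new `sepolicy/private/seapp_contexts` requires `isPrivApp=true`; the `CameraFishfood` and `CameraEng` rows place a package in `google_camera_app` or `debug_camera_app` on package name and signer tag alone. No `keys.conf` or `mac_permissions.xml` entry defining those two seinfo tags is visible in this change, so the strength of these rows depends on a mapping that has to be checked elsewhere. I would add a comment above them naming that source, for example `# seinfo CameraFishfood/CameraEng are assigned in <path to mac_permissions.xml>`, and confirm the signer entries ship in the same policy partition as this file.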
diff --git a/sepolicy/public/google_camera_app.te b/sepolicy/public/google_camera_app.te
new file mode 100644
index 00000000..c93038cc
--- /dev/null
+++ b/sepolicy/public/google_camera_app.te
@@ -0,0 +1 @@
+type google_camera_app, domain;
diff --git a/sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem b/sepolicy/system_ext/private/certs/com_qorvo_uwb.x509.pem
similarity index 100%
rename from sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
rename to sepolicy/system_ext/private/certs/com_qorvo_uwb.x509.pem
diff --git a/sepolicy/system_ext/private/con_monitor.te b/sepolicy/system_ext/private/con_monitor.te
new file mode 100644
index 00000000..c68ec1f8
--- /dev/null
+++ b/sepolicy/system_ext/private/con_monitor.te
@@ -0,0 +1,7 @@
+typeattribute con_monitor_app coredomain;
+
+app_domain(con_monitor_app)
+
+set_prop(con_monitor_app, radio_prop)
+allow con_monitor_app app_api_service:service_manager find;
+allow con_monitor_app radio_service:service_manager find;
diff --git a/sepolicy/system_ext/private/file.te b/sepolicy/system_ext/private/file.te
new file mode 100644
index 00000000..9344be7e
--- /dev/null
+++ b/sepolicy/system_ext/private/file.te
@@ -0,0 +1,2 @@
+
+type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
diff --git a/sepolicy/system_ext/private/hbmsvmanager_app.te b/sepolicy/system_ext/private/hbmsvmanager_app.te
new file mode 100644
index 00000000..6f5ff7ac
--- /dev/null
+++ b/sepolicy/system_ext/private/hbmsvmanager_app.te
@@ -0,0 +1,11 @@
+typeattribute hbmsvmanager_app coredomain;
+
+app_domain(hbmsvmanager_app);
+
+allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
+allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
+
+# Standard system services
+allow hbmsvmanager_app app_api_service:service_manager find;
+
+allow hbmsvmanager_app cameraserver_service:service_manager find;
diff --git a/sepolicy/system_ext/private/keys.conf b/sepolicy/system_ext/private/keys.conf new file mode 100644 index 00000000..c2228db6 --- /dev/null +++ b/sepolicy/system_ext/private/keys.conf @@ -0,0 +1,3 @@ +[@UWB] +ALL : device/google/gs201-sepolicy/system_ext/private/certs/com_qorvo_uwb.x509.pem + diff --git a/sepolicy/system_ext/private/mac_permissions.xml b/sepolicy/system_ext/private/mac_permissions.xml new file mode 100644 index 00000000..51af79f6 --- /dev/null +++ b/sepolicy/system_ext/private/mac_permissions.xml @@ -0,0 +1,27 @@ + + + + + + + + + diff --git a/sepolicy/system_ext/private/seapp_contexts b/sepolicy/system_ext/private/seapp_contexts new file mode 100644 index 00000000..82f4347c --- /dev/null +++ b/sepolicy/system_ext/private/seapp_contexts @@ -0,0 +1,10 @@ +# Domain for connectivity monitor +user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all + +# HbmSVManager +user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all + +# Qorvo UWB system app +# TODO(b/222204912): Should this run under uwb user? +user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all + diff --git a/sepolicy/system_ext/private/uwb_vendor_app.te b/sepolicy/system_ext/private/uwb_vendor_app.te new file mode 100644 index 00000000..3ae5ecd3 --- /dev/null +++ b/sepolicy/system_ext/private/uwb_vendor_app.te @@ -0,0 +1,12 @@ +app_domain(uwb_vendor_app) + +not_recovery(` + +allow uwb_vendor_app app_api_service:service_manager find; +allow uwb_vendor_app nfc_service:service_manager find; +allow uwb_vendor_app radio_service:service_manager find; + +allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms; +allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; + +') 
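Review bot: The certificate path under `[@UWB]` in `keys.conf` points at `device/google/gs201-sepolicy/...`, while this commit moves the certificate to `sepolicy/system_ext/private/certs/` in the tree that `gs201-sepolicy.mk` addresses as `device/google/gs201/sepolicy/`. Unless `device/google/gs201-sepolicy` still exists in the build tree (for instance as a link), the signer behind `seinfo=uwb` will not resolve, and `com.qorvo.uwb.vendorservice` would then not be labelled `uwb_vendor_app`. I would change the line to `ALL : device/google/gs201/sepolicy/system_ext/private/certs/com_qorvo_uwb.x509.pem`, or confirm the old path is still valid.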
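Review bot: `system_ext/private/uwb_vendor_app.te` is the only new domain file in this directory that does not open with a `typeattribute ... coredomain;` line; `con_monitor.te` and `hbmsvmanager_app.te` both do. The earlier definition of `uwb_vendor_app` is not visible here, so this may be intentional, but then a one-line comment saying why would save the next reader the question. Otherwise add `typeattribute uwb_vendor_app coredomain;` above `app_domain(uwb_vendor_app)`.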
diff --git a/sepolicy/system_ext/public/con_monitor.te b/sepolicy/system_ext/public/con_monitor.te
new file mode 100644
index 00000000..6a4d1dac
--- /dev/null
+++ b/sepolicy/system_ext/public/con_monitor.te
@@ -0,0 +1,2 @@
+# ConnectivityMonitor app
+type con_monitor_app, domain;
diff --git a/sepolicy/system_ext/public/hbmsvmanager_app.te b/sepolicy/system_ext/public/hbmsvmanager_app.te
new file mode 100644
index 00000000..4fcf2bdb
--- /dev/null
+++ b/sepolicy/system_ext/public/hbmsvmanager_app.te
@@ -0,0 +1 @@
+type hbmsvmanager_app, domain;
diff --git a/sepolicy/system_ext/public/uwb_vendor_app.te b/sepolicy/system_ext/public/uwb_vendor_app.te
new file mode 100644
index 00000000..6824e4e9
--- /dev/null
+++ b/sepolicy/system_ext/public/uwb_vendor_app.te
@@ -0,0 +1,2 @@
+type uwb_vendor_app, domain;
+
diff --git a/sepolicy/tracking_denials/bug_map b/sepolicy/tracking_denials/bug_map
index e196acd8..39726296 100644
--- a/sepolicy/tracking_denials/bug_map
+++ b/sepolicy/tracking_denials/bug_map
@@ -1,24 +1,11 @@
-cat_engine_service_app system_app_data_file dir b/238705599
-dex2oat privapp_data_file dir b/276386138
-hal_contexthub_default fwk_stats_service service_manager b/241714943
+hal_face_default traced_producer_socket sock_file b/305600808
 hal_power_default hal_power_default capability b/237492146
-hal_radioext_default radio_vendor_data_file file b/237093466
-incidentd debugfs_wakeup_sources file b/237492091
-incidentd incidentd anon_inode b/268147092
-init-insmod-sh vendor_ready_prop property_service b/239364360
-kernel vendor_charger_debugfs dir b/238571150
-kernel vendor_usb_debugfs dir b/227121550
-shell adb_keys_file file b/239484612
-shell cache_file lnk_file b/239484612
-shell init_exec lnk_file b/239484612
-shell linkerconfig_file dir b/239484612
-shell metadata_file dir b/239484612
-shell mirror_data_file dir b/239484612
-shell postinstall_mnt_dir dir b/239484612
-shell rootfs file b/239484612
-shell sscoredump_vendor_data_crashinfo_file dir b/241714944
-shell system_dlkm_file dir b/239484612
-su modem_img_file filesystem b/240653918
-system_app proc_pagetypeinfo file b/275645892
-system_server privapp_data_file lnk_file b/276385494
-system_server system_userdir_file dir b/282096141
+incidentd debugfs_wakeup_sources file b/282626428
+incidentd incidentd anon_inode b/282626428
+kernel vendor_charger_debugfs dir b/307863370
+rild default_prop file b/315720727
+rild default_prop file b/315721328
+surfaceflinger selinuxfs file b/315104594
+vendor_init default_prop file b/315104479
+vendor_init default_prop file b/315104803
+vendor_init default_prop property_service b/315104803
diff --git a/sepolicy/tracking_denials/dmd.te b/sepolicy/tracking_denials/dmd.te
new file mode 100644
index 00000000..68719b9b
--- /dev/null
+++ b/sepolicy/tracking_denials/dmd.te
@@ -0,0 +1,2 @@
+#b/303391666
+dontaudit dmd servicemanager:binder { call };
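Review bot: The new `bug_map` lists `rild default_prop file` twice (b/315720727 and b/315721328) and `vendor_init default_prop file` twice (b/315104479 and b/315104803). The first three columns appear to be the key a denial is matched on, so presumably only one bug id per triple can be attached to the audit record and the other row is dead. I would keep one row per triple and cross-reference the second bug from the first. Both triples target `default_prop`, which suggests the properties involved are still unlabelled; labelling them would be the lasting fix rather than tracking the denials.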
diff --git a/sepolicy/tracking_denials/dumpstate.te b/sepolicy/tracking_denials/dumpstate.te
index 0dc30ea7..ffb8518c 100644
--- a/sepolicy/tracking_denials/dumpstate.te
+++ b/sepolicy/tracking_denials/dumpstate.te
@@ -1,6 +1,2 @@
 # b/185723618
 dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
-# b/237491813
-dontaudit dumpstate app_zygote:process { signal };
-# b/277155245
-dontaudit dumpstate default_android_service:service_manager { find };
diff --git a/sepolicy/tracking_denials/hal_drm_widevine.te b/sepolicy/tracking_denials/hal_drm_widevine.te
deleted file mode 100644
index cfe7fcf7..00000000
--- a/sepolicy/tracking_denials/hal_drm_widevine.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/229209076
-dontaudit hal_drm_widevine vndbinder_device:chr_file { read };
diff --git a/sepolicy/tracking_denials/hal_power_default.te b/sepolicy/tracking_denials/hal_power_default.te
deleted file mode 100644
index a2ce6fdb..00000000
--- a/sepolicy/tracking_denials/hal_power_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/237492146
-dontaudit hal_power_default hal_power_default:capability { dac_override };
-dontaudit hal_power_default hal_power_default:capability { dac_read_search };
diff --git a/sepolicy/tracking_denials/hal_thermal_default.te b/sepolicy/tracking_denials/hal_thermal_default.te
deleted file mode 100644
index abbd2f97..00000000
--- a/sepolicy/tracking_denials/hal_thermal_default.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# b/205904328
-dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { bind };
-dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { create };
-dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { getattr };
-dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { read };
-dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { setopt };
-dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { write };
diff --git a/sepolicy/tracking_denials/hal_uwb_vendor_default.te b/sepolicy/tracking_denials/hal_uwb_vendor_default.te
deleted file mode 100644
index 2e0025fc..00000000
--- a/sepolicy/tracking_denials/hal_uwb_vendor_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/208721505
-dontaudit hal_uwb_vendor_default dumpstate:fd { use };
-dontaudit hal_uwb_vendor_default dumpstate:fifo_file { write };
diff --git a/sepolicy/tracking_denials/hal_vibrator_default.te b/sepolicy/tracking_denials/hal_vibrator_default.te
index 390bfa3c..d9199c77 100644
--- a/sepolicy/tracking_denials/hal_vibrator_default.te
+++ b/sepolicy/tracking_denials/hal_vibrator_default.te
@@ -1,2 +1,3 @@
-# b/274727778
-dontaudit hal_vibrator_default default_android_service:service_manager { find };
+# b/306344298
+dontaudit hal_vibrator_default service_manager_type:service_manager find;
+
diff --git a/sepolicy/tracking_denials/incidentd.te b/sepolicy/tracking_denials/incidentd.te
deleted file mode 100644
index e6fce309..00000000
--- a/sepolicy/tracking_denials/incidentd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/237492091
-dontaudit incidentd debugfs_wakeup_sources:file { read };
diff --git a/sepolicy/tracking_denials/kernel.te b/sepolicy/tracking_denials/kernel.te
deleted file mode 100644
index a2e21639..00000000
--- a/sepolicy/tracking_denials/kernel.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/227121550
-dontaudit kernel vendor_votable_debugfs:dir search;
diff --git a/sepolicy/tracking_denials/servicemanager.te b/sepolicy/tracking_denials/servicemanager.te
index 72e6e6e9..a6b549ff 100644
--- a/sepolicy/tracking_denials/servicemanager.te
+++ b/sepolicy/tracking_denials/servicemanager.te
@@ -1,2 +1,2 @@
-# b/214122471
-dontaudit servicemanager hal_fingerprint_default:binder { call };
+# b/305600595
+dontaudit servicemanager hal_thermal_default:binder call;
diff --git a/sepolicy/tracking_denials/surfaceflinger.te b/sepolicy/tracking_denials/surfaceflinger.te
deleted file mode 100644
index cd7b63d9..00000000
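Review bot: The new rule in `tracking_denials/hal_vibrator_default.te`, `dontaudit hal_vibrator_default service_manager_type:service_manager find;`, silences `find` denials against every service type, where the removed rule covered only `default_android_service`. Any later unexpected service lookup from the vibrator HAL would then be denied without an audit record, which removes exactly the signal this directory exists to keep. I would name the single type from the b/306344298 denial instead, `dontaudit hal_vibrator_default <service_type_from_denial>:service_manager find;`, and drop the stray blank line added at the end of the file.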
--- a/sepolicy/tracking_denials/surfaceflinger.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/215042694
-dontaudit surfaceflinger kernel:process { setsched };
-# b/208721808
-dontaudit surfaceflinger hal_graphics_composer_default:dir { search };
diff --git a/sepolicy/tracking_denials/vendor_init.te b/sepolicy/tracking_denials/vendor_init.te
deleted file mode 100644
index ea8ff1e4..00000000
--- a/sepolicy/tracking_denials/vendor_init.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/205656950
-dontaudit vendor_init thermal_link_device:file { create };
diff --git a/sepolicy/tracking_denials/vndservicemanager.te b/sepolicy/tracking_denials/vndservicemanager.te
deleted file mode 100644
index 9931d437..00000000
--- a/sepolicy/tracking_denials/vndservicemanager.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/278639040
-dontaudit vndservicemanager hal_keymint_citadel:binder { call };
-# b/278639040
-dontaudit vndservicemanager hal_keymint_citadel:binder { call };
diff --git a/sepolicy/whitechapel_pro/cat_engine_service_app.te b/sepolicy/whitechapel_pro/cat_engine_service_app.te
index eacf9621..876b7967 100644
--- a/sepolicy/whitechapel_pro/cat_engine_service_app.te
+++ b/sepolicy/whitechapel_pro/cat_engine_service_app.te
@@ -4,5 +4,6 @@ userdebug_or_eng(`
 app_domain(cat_engine_service_app)
 get_prop(cat_engine_service_app, vendor_rild_prop)
 allow cat_engine_service_app app_api_service:service_manager find;
- allow cat_engine_service_app system_app_data_file:dir r_dir_perms;
+ allow cat_engine_service_app system_app_data_file:dir create_dir_perms;
+ allow cat_engine_service_app system_app_data_file:file create_file_perms;
 ')
diff --git a/sepolicy/whitechapel_pro/con_monitor.te b/sepolicy/whitechapel_pro/con_monitor.te
index 8695ccaa..32c2056d 100644
--- a/sepolicy/whitechapel_pro/con_monitor.te
+++ b/sepolicy/whitechapel_pro/con_monitor.te
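Review bot: In `cat_engine_service_app.te` the two new rules grant `create_dir_perms` and `create_file_perms` on `system_app_data_file`, a label shared by the data of every app running as `system_app`, where the domain previously had read-only directory access. The rules sit inside a `userdebug_or_eng` block that opens above the hunk, so user builds are not affected, but on debug builds this domain can now create, modify and unlink other system apps' files. If the app only needs its own data directory, a dedicated file type mapped in `seapp_contexts` would keep the grant scoped. At minimum add a comment such as `# b/238705599: needs to write its own files under the system app data dir`, worded to match what that bug actually found.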
@@ -1,10 +1,2 @@ -# ConnectivityMonitor app -type con_monitor_app, domain, coredomain; - -app_domain(con_monitor_app) - -set_prop(con_monitor_app, radio_prop) -allow con_monitor_app app_api_service:service_manager find; -allow con_monitor_app radio_service:service_manager find; allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms; allow con_monitor_app radio_vendor_data_file:file create_file_perms; diff --git a/sepolicy/whitechapel_pro/debug_camera_app.te b/sepolicy/whitechapel_pro/debug_camera_app.te index 5342fb74..427a7735 100644 --- a/sepolicy/whitechapel_pro/debug_camera_app.te +++ b/sepolicy/whitechapel_pro/debug_camera_app.te @@ -1,27 +1,12 @@ -type debug_camera_app, domain, coredomain; - userdebug_or_eng(` - app_domain(debug_camera_app) - net_domain(debug_camera_app) - - allow debug_camera_app app_api_service:service_manager find; - allow debug_camera_app audioserver_service:service_manager find; - allow debug_camera_app cameraserver_service:service_manager find; - allow debug_camera_app mediaextractor_service:service_manager find; - allow debug_camera_app mediametrics_service:service_manager find; - allow debug_camera_app mediaserver_service:service_manager find; - - # Allows camera app to access the GXP device. + # Allows camera app to access the GXP device and properties. allow debug_camera_app gxp_device:chr_file rw_file_perms; + get_prop(debug_camera_app, vendor_gxp_prop) # Allows camera app to search for GXP firmware file. allow debug_camera_app vendor_fw_file:dir search; - # Allows camera app to access the PowerHAL. - hal_client_domain(debug_camera_app, hal_power) -') -userdebug_or_eng(` # Allows GCA-Eng to find and access the EdgeTPU. allow debug_camera_app edgetpu_app_service:service_manager find; allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map }; -') \ No newline at end of file +') diff --git a/sepolicy/whitechapel_pro/device.te b/sepolicy/whitechapel_pro/device.te index b66248a7..ae74fea2 100644 
--- a/sepolicy/whitechapel_pro/device.te +++ b/sepolicy/whitechapel_pro/device.te @@ -1,18 +1,14 @@ -type sda_block_device, dev_type; -type devinfo_block_device, dev_type; type modem_block_device, dev_type; type custom_ab_block_device, dev_type; type persist_block_device, dev_type; type efs_block_device, dev_type; type modem_userdata_block_device, dev_type; type mfg_data_block_device, dev_type; -type sg_device, dev_type; type vendor_toe_device, dev_type; type lwis_device, dev_type; type logbuffer_device, dev_type; type rls_device, dev_type; type fingerprint_device, dev_type; -type gxp_device, dev_type, mlstrustedobject; type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type; type faceauth_heap_device, dmabuf_heap_device_type, dev_type; type vframe_heap_device, dmabuf_heap_device_type, dev_type; @@ -24,7 +20,3 @@ type fips_block_device, dev_type; # SecureElement SPI device type st54spi_device, dev_type; type st33spi_device, dev_type; - -# Raw HID device -type hidraw_device, dev_type; - diff --git a/sepolicy/whitechapel_pro/dumpstate.te b/sepolicy/whitechapel_pro/dumpstate.te index eaab9b2f..da71a845 100644 --- a/sepolicy/whitechapel_pro/dumpstate.te +++ b/sepolicy/whitechapel_pro/dumpstate.te @@ -13,4 +13,4 @@ allow dumpstate modem_efs_file:dir r_dir_perms; allow dumpstate modem_userdata_file:dir r_dir_perms; allow dumpstate modem_img_file:dir r_dir_perms; allow dumpstate fuse:dir search; - +allow dumpstate rlsservice:binder call; \ No newline at end of file diff --git a/sepolicy/whitechapel_pro/fastbootd.te b/sepolicy/whitechapel_pro/fastbootd.te index e7909d26..c9df82df 100644 --- a/sepolicy/whitechapel_pro/fastbootd.te +++ b/sepolicy/whitechapel_pro/fastbootd.te 
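Review bot: The rule added to `whitechapel_pro/dumpstate.te`, `allow dumpstate rlsservice:binder call;`, is a raw allow, while this policy elsewhere uses the macro form (`binder_call(hal_camera_default, edgetpu_app_server)` in hal_camera_default.te). A bare `call` omits the transfer and fd-use permissions the macro adds, which a dump routed over binder may need. I would write `binder_call(dumpstate, rlsservice)` unless the narrower grant is deliberate, in which case say so in a comment. The hunk also replaces the trailing blank line with this rule and leaves the file without a final newline, which should be restored.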
@@ -4,4 +4,5 @@ allow fastbootd devinfo_block_device:blk_file rw_file_perms; allow fastbootd sda_block_device:blk_file rw_file_perms; allow fastbootd sysfs_ota:file rw_file_perms; allow fastbootd st54spi_device:chr_file rw_file_perms; +allow fastbootd custom_ab_block_device:blk_file rw_file_perms; ') diff --git a/sepolicy/whitechapel_pro/file.te b/sepolicy/whitechapel_pro/file.te index 4a232600..378c466c 100644 --- a/sepolicy/whitechapel_pro/file.te +++ b/sepolicy/whitechapel_pro/file.te @@ -7,10 +7,7 @@ type vendor_slog_file, file_type, data_file_type; type updated_wifi_firmware_data_file, file_type, data_file_type; type vendor_media_data_file, file_type, data_file_type; type vendor_misc_data_file, file_type, data_file_type; -type sensor_debug_data_file, file_type, data_file_type; -type sensor_reg_data_file, file_type, data_file_type; type per_boot_file, file_type, data_file_type, core_data_file_type; -type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; type uwb_data_vendor, file_type, data_file_type; type powerstats_vendor_data_file, file_type, data_file_type; type vendor_gps_file, file_type, data_file_type; @@ -30,7 +27,6 @@ type sysfs_em_profile, sysfs_type, fs_type; # sysfs type sysfs_chosen, sysfs_type, fs_type; -type sysfs_ota, sysfs_type, fs_type; type bootdevice_sysdev, dev_type; type sysfs_fabric, sysfs_type, fs_type; type sysfs_acpm_stats, sysfs_type, fs_type; @@ -60,7 +56,6 @@ allow modem_img_file self:filesystem associate; type persist_battery_file, file_type, vendor_persist_type; type persist_camera_file, file_type, vendor_persist_type; type persist_modem_file, file_type, vendor_persist_type; -type persist_sensor_reg_file, file_type, vendor_persist_type; type persist_ss_file, file_type, vendor_persist_type; type persist_uwb_file, file_type, vendor_persist_type; type persist_display_file, file_type, vendor_persist_type; 
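Review bot: The lines around the addition in `fastbootd.te` still use `devinfo_block_device`, `sda_block_device` and `sysfs_ota`, whose `type` declarations this same commit deletes from `device.te` and `file.te`. Presumably they are now declared in gs-common, as the OWNERS change hints, but nothing on this page shows it, so please confirm the policy still compiles with the types defined exactly once. The same applies to `gxp_device`, which is removed from `device.te` yet still used by `file_contexts` and the camera app rules. The new `allow fastbootd custom_ab_block_device:blk_file rw_file_perms;` would also benefit from a comment saying which fastboot operation needs raw write access to that partition; the enclosing block starts outside the hunk.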
diff --git a/sepolicy/whitechapel_pro/file_contexts b/sepolicy/whitechapel_pro/file_contexts index 03e8c70f..b1ad6d8e 100644 --- a/sepolicy/whitechapel_pro/file_contexts +++ b/sepolicy/whitechapel_pro/file_contexts @@ -20,9 +20,9 @@ /vendor/bin/hw/android\.hardware\.gatekeeper-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.rust\.trusty u:object_r:hal_keymint_default_exec:s0 +/vendor/bin/hw/android\.hardware\.security\.secretkeeper\.trusty u:object_r:hal_secretkeeper_default_exec:s0 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 -/vendor/bin/hw/android\.hardware\.boot@1\.2-service-gs201 u:object_r:hal_bootctl_default_exec:s0 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_samsung_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_google_exec:s0 @@ -36,7 +36,6 @@ /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0 -/vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 
@@ -46,10 +45,14 @@ /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 /vendor/bin/dump/dump_power_gs201\.sh u:object_r:dump_power_gs201_exec:s0 /vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0 +/vendor/bin/init\.check_ap_pd_auth\.sh u:object_r:init-check_ap_pd_auth-sh_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 +# Gralloc +/(vendor|system/vendor)/lib(64)?/hw/mapper\.pixel\.so u:object_r:same_process_hal_file:s0 + # Vendor libraries /vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0 @@ -62,8 +65,6 @@ /vendor/lib(64)?/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libprotobuf-cpp-lite-(\d+\.){2,3}so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/gxp_metrics_logger\.so u:object_r:same_process_hal_file:s0 # Graphics /vendor/lib(64)?/hw/gralloc\.gs201\.so u:object_r:same_process_hal_file:s0 @@ -104,6 +105,7 @@ /dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0 /dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0 /dev/logbuffer_bd u:object_r:logbuffer_device:s0 +/dev/logbuffer_cpif u:object_r:logbuffer_device:s0 /dev/logbuffer_pcie0 u:object_r:logbuffer_device:s0 /dev/logbuffer_pcie1 u:object_r:logbuffer_device:s0 /dev/bbd_pwrstat u:object_r:power_stats_device:s0 @@ -145,7 +147,6 @@ /dev/gxp u:object_r:gxp_device:s0 /dev/dit2 u:object_r:vendor_toe_device:s0 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0 -/dev/sg1 u:object_r:sg_device:s0 /dev/st21nfc u:object_r:nfc_device:s0 /dev/st54spi u:object_r:st54spi_device:s0 /dev/st33spi u:object_r:st33spi_device:s0 
@@ -206,8 +207,6 @@ /data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 /data/per_boot(/.*)? u:object_r:per_boot_file:s0 -/data/vendor/sensors/debug(/.*)? u:object_r:sensor_debug_data_file:s0 -/data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0 /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 /dev/maxfg_history u:object_r:battery_history_device:s0 /dev/battery_history u:object_r:battery_history_device:s0 @@ -217,7 +216,6 @@ /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 /mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0 -/mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0 /mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0 /mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0 @@ -227,6 +225,3 @@ /mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0 /mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0 /mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0 - -# Raw HID device -/dev/hidraw[0-9]* u:object_r:hidraw_device:s0 diff --git a/sepolicy/whitechapel_pro/genfs_contexts b/sepolicy/whitechapel_pro/genfs_contexts index 7f34649e..ff6464f4 100644 --- a/sepolicy/whitechapel_pro/genfs_contexts +++ b/sepolicy/whitechapel_pro/genfs_contexts 
@@ -346,6 +346,13 @@ genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply/main-c genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/9-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/9-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/9-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/9-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-9/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 
@@ -360,6 +367,8 @@ genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/power_supply/wir genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-9/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-9/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb2 u:object_r:sysfs_wakeup:s0 
@@ -468,6 +477,18 @@ genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:ob genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/notify_timeout_aoc_status u:object_r:sysfs_aoc_notifytimeout:s0 # GPS genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 + +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-0/0-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-1/1-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/2-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/3-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/4-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/5-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/6-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/7-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/8-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-9/9-003c u:object_r:sysfs_wlc:s0 \ No newline at end of file diff --git a/sepolicy/whitechapel_pro/google_camera_app.te b/sepolicy/whitechapel_pro/google_camera_app.te index d73cd3db..0ef04cc4 100644 --- a/sepolicy/whitechapel_pro/google_camera_app.te +++ b/sepolicy/whitechapel_pro/google_camera_app.te 
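Review bot: The ten `sysfs_wlc` rows appended to `genfs_contexts` have no section comment, unlike the `# GPS` block directly above, and they label the whole `N-003c` device directory on buses 0 through 9 rather than specific attributes. A header such as `# WLC: device at i2c address 0x3c, bus number not fixed` (assuming that is why every bus is listed) would explain the enumeration. The last row also ends the file without a newline, which should be added so a later append cannot fuse two entries. Neither `sysfs_wlc` nor `sysfs_aoc_notifytimeout` is declared in the hunks visible here, so confirm both types exist.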
@@ -1,26 +1,10 @@ -type google_camera_app, domain, coredomain; -app_domain(google_camera_app) -net_domain(google_camera_app) - -allow google_camera_app app_api_service:service_manager find; -allow google_camera_app audioserver_service:service_manager find; -allow google_camera_app cameraserver_service:service_manager find; -allow google_camera_app mediaextractor_service:service_manager find; -allow google_camera_app mediametrics_service:service_manager find; -allow google_camera_app mediaserver_service:service_manager find; - -# Allows camera app to access the GXP device. +# Allows camera app to access the GXP device and properties. allow google_camera_app gxp_device:chr_file rw_file_perms; +get_prop(google_camera_app, vendor_gxp_prop) # Allows camera app to search for GXP firmware file. allow google_camera_app vendor_fw_file:dir search; -# Allows camera app to access the PowerHAL. -hal_client_domain(google_camera_app, hal_power) - # Allows GCA to find and access the EdgeTPU. allow google_camera_app edgetpu_app_service:service_manager find; allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map }; - -# Library code may try to access vendor properties, but should be denied -dontaudit google_camera_app vendor_default_prop:file { getattr map open }; diff --git a/sepolicy/whitechapel_pro/gxp_logging.te b/sepolicy/whitechapel_pro/gxp_logging.te deleted file mode 100644 index 107942d1..00000000 --- a/sepolicy/whitechapel_pro/gxp_logging.te +++ /dev/null @@ -1,9 +0,0 @@ -type gxp_logging, domain; -type gxp_logging_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(gxp_logging) - -# The logging service accesses /dev/gxp -allow gxp_logging gxp_device:chr_file rw_file_perms; - -# Allow gxp tracing service to send packets to Perfetto -userdebug_or_eng(`perfetto_producer(gxp_logging)') 
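Review bot: `get_prop(google_camera_app, vendor_gxp_prop)` lets a domain that the removed first line of this hunk declared as `coredomain` read a vendor property, and the declaration of `vendor_gxp_prop` is not in any hunk shown here. It is worth confirming that the type is declared read-only for non-vendor domains (`vendor_restricted_prop`) rather than `vendor_public_prop`, so the app cannot also set it. The comment could name what is read, for example `# Allows camera app to access the GXP device and read GXP configuration properties.`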
diff --git a/sepolicy/whitechapel_pro/hal_bootctl_default.te b/sepolicy/whitechapel_pro/hal_bootctl_default.te deleted file mode 100644 index 30db79bd..00000000 --- a/sepolicy/whitechapel_pro/hal_bootctl_default.te +++ /dev/null @@ -1,3 +0,0 @@ -allow hal_bootctl_default sda_block_device:blk_file rw_file_perms; -allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms; -allow hal_bootctl_default sysfs_ota:file rw_file_perms; diff --git a/sepolicy/whitechapel_pro/hal_camera_default.te b/sepolicy/whitechapel_pro/hal_camera_default.te index 05909984..c16b2481 100644 --- a/sepolicy/whitechapel_pro/hal_camera_default.te +++ b/sepolicy/whitechapel_pro/hal_camera_default.te @@ -28,9 +28,6 @@ binder_call(hal_camera_default, edgetpu_vendor_server) allow hal_camera_default edgetpu_app_service:service_manager find; binder_call(hal_camera_default, edgetpu_app_server) -# Allow the camera hal to access the GXP device. -allow hal_camera_default gxp_device:chr_file rw_file_perms; - # Allow access to data files used by the camera HAL allow hal_camera_default mnt_vendor_file:dir search; allow hal_camera_default persist_file:dir search; diff --git a/sepolicy/whitechapel_pro/hal_health_default.te b/sepolicy/whitechapel_pro/hal_health_default.te index fbbad6bb..805b707d 100644 --- a/sepolicy/whitechapel_pro/hal_health_default.te +++ b/sepolicy/whitechapel_pro/hal_health_default.te @@ -18,3 +18,4 @@ allow hal_health_default sysfs_batteryinfo:file w_file_perms; allow hal_health_default sysfs_thermal:dir search; allow hal_health_default sysfs_thermal:file w_file_perms; allow hal_health_default thermal_link_device:dir search; +allow hal_health_default sysfs_wlc:file r_file_perms; diff --git a/sepolicy/whitechapel_pro/hal_sensors_default.te b/sepolicy/whitechapel_pro/hal_sensors_default.te index 076ceaf7..620095d0 100644 --- a/sepolicy/whitechapel_pro/hal_sensors_default.te +++ b/sepolicy/whitechapel_pro/hal_sensors_default.te 
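Review bot: The added `allow hal_health_default sysfs_wlc:file r_file_perms;` in hal_health_default.te has no directory rule beside it, while the thermal rules just above pair their `:file` grant with `sysfs_thermal:dir search`. Since the genfs_contexts change labels the whole `N-003c` device directory as `sysfs_wlc`, opening a file under it presumably also needs `allow hal_health_default sysfs_wlc:dir search;`, unless that is granted in a part of the file outside this hunk. A one-line comment naming which wireless-charger attribute the health HAL reads would help keep this grant read-only in later changes.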
@@ -2,15 +2,14 @@ # USF sensor HAL SELinux type enforcements. # -# Allow access to the AoC communication driver. -allow hal_sensors_default aoc_device:chr_file rw_file_perms; +# Allow reading of camera persist files. +r_dir_file(hal_sensors_default, persist_camera_file) -# Allow access to CHRE socket to connect to nanoapps. -allow hal_sensors_default chre:unix_stream_socket connectto; -allow hal_sensors_default chre_socket:sock_file write; +# Allow access to the files of CDT information. +r_dir_file(hal_sensors_default, sysfs_chosen) -# Allow create thread to watch AOC's device. -allow hal_sensors_default device:dir r_dir_perms; +# Allow display_info_service access to the backlight driver. +allow hal_sensors_default sysfs_write_leds:file rw_file_perms; # Allow access for dynamic sensor properties. get_prop(hal_sensors_default, vendor_dynamic_sensor_prop) 
@@ -18,70 +17,11 @@ get_prop(hal_sensors_default, vendor_dynamic_sensor_prop) # Allow access to raw HID devices for dynamic sensors. allow hal_sensors_default hidraw_device:chr_file rw_file_perms; -# Allow SensorSuez to connect AIDL stats. -allow hal_sensors_default fwk_stats_service:service_manager find; - -# Allow reading of sensor registry persist files and camera persist files. -allow hal_sensors_default mnt_vendor_file:dir search; -allow hal_sensors_default persist_file:dir search; -allow hal_sensors_default persist_file:file r_file_perms; -allow hal_sensors_default persist_sensor_reg_file:dir r_dir_perms; -allow hal_sensors_default persist_sensor_reg_file:file r_file_perms; -r_dir_file(hal_sensors_default, persist_camera_file) - -# Allow creation and writing of sensor registry data files. -allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms; -allow hal_sensors_default sensor_reg_data_file:file create_file_perms; - -userdebug_or_eng(` - # Allow creation and writing of sensor debug data files. - allow hal_sensors_default sensor_debug_data_file:dir rw_dir_perms; - allow hal_sensors_default sensor_debug_data_file:file create_file_perms; -') - -# Allow access to the display info for ALS. -allow hal_sensors_default sysfs_display:file rw_file_perms; - -# Allow access to the sysfs_aoc. -allow hal_sensors_default sysfs_aoc:dir search; -allow hal_sensors_default sysfs_aoc:file r_file_perms; - -# Allow access for AoC properties. -get_prop(hal_sensors_default, vendor_aoc_prop) - -# Allow sensor HAL to read AoC dumpstate. -allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms; - -# Allow access to the AoC clock and kernel boot time sys FS node. This is needed -# to synchronize the AP and AoC clock timestamps. -allow hal_sensors_default sysfs_aoc_boottime:file r_file_perms; - -# Allow access to the files of CDT information. 
-allow hal_sensors_default sysfs_chosen:dir search; -allow hal_sensors_default sysfs_chosen:file r_file_perms; - -# Allow access to sensor service for sensor_listener. -binder_call(hal_sensors_default, system_server); - -# Allow sensor HAL to reset AOC. -allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms; - -# Allow sensor HAL to read AoC dumpstate. -allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms; - # Allow sensor HAL to access the display service HAL allow hal_sensors_default hal_pixel_display_service:service_manager find; -# Allow display_info_service access to the backlight driver. -allow hal_sensors_default sysfs_leds:dir search; -allow hal_sensors_default sysfs_leds:file r_file_perms; - # Allow sensor HAL to access the graphics composer. -binder_call(hal_sensors_default, hal_graphics_composer_default); - -# Allow display_info_service access to the backlight driver. -allow hal_sensors_default sysfs_write_leds:file rw_file_perms; +binder_call(hal_sensors_default, hal_graphics_composer_default) # Allow access to the power supply files for MagCC. -r_dir_file(hal_sensors_default, sysfs_batteryinfo) allow hal_sensors_default sysfs_wlc:dir r_dir_perms; diff --git a/sepolicy/whitechapel_pro/hal_usb_impl.te b/sepolicy/whitechapel_pro/hal_usb_impl.te index 5d2a65e7..4c997733 100644 --- a/sepolicy/whitechapel_pro/hal_usb_impl.te +++ b/sepolicy/whitechapel_pro/hal_usb_impl.te @@ -29,3 +29,7 @@ allow hal_usb_impl sysfs_usbc_throttling_stats:file r_file_perms; allow hal_usb_impl device:dir r_dir_perms; allow hal_usb_impl usb_device:chr_file rw_file_perms; allow hal_usb_impl usb_device:dir r_dir_perms; + +# For monitoring usb sysfs attributes +allow hal_usb_impl sysfs_wakeup:dir search; +allow hal_usb_impl sysfs_wakeup:file r_file_perms; diff --git a/sepolicy/whitechapel_pro/hal_wireless_charger.te b/sepolicy/whitechapel_pro/hal_wireless_charger.te index 04b3e5e2..8d6c0118 100644 --- a/sepolicy/whitechapel_pro/hal_wireless_charger.te 
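Review bot: After this hunk the comment `# Allow access to the power supply files for MagCC.` heads only `allow hal_sensors_default sysfs_wlc:dir r_dir_perms;`, which permits listing the directory but reading no file in it, because the `r_dir_file(hal_sensors_default, sysfs_batteryinfo)` line is removed. If the file access now comes from shared policy elsewhere, the comment should say so, e.g. `# MagCC: list the WLC sysfs directory; file access is granted in the common sensors policy`; that location is my inference, not something this hunk shows. The same applies to the removed `mnt_vendor_file`/`persist_file` search rules that the retained `r_dir_file(hal_sensors_default, persist_camera_file)` depends on for path traversal.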
+++ b/sepolicy/whitechapel_pro/hal_wireless_charger.te @@ -1,2 +1,7 @@ type hal_wireless_charger, domain; type hal_wireless_charger_exec, exec_type, vendor_file_type, file_type; + +r_dir_file(hal_wireless_charger, sysfs_wlc) + +allow hal_wireless_charger sysfs_wlc:dir search; +allow hal_wireless_charger sysfs_wlc:file rw_file_perms; diff --git a/sepolicy/whitechapel_pro/hbmsvmanager_app.te b/sepolicy/whitechapel_pro/hbmsvmanager_app.te index b7058090..bbedea8c 100644 --- a/sepolicy/whitechapel_pro/hbmsvmanager_app.te +++ b/sepolicy/whitechapel_pro/hbmsvmanager_app.te @@ -1,14 +1,2 @@ -type hbmsvmanager_app, domain, coredomain; - -app_domain(hbmsvmanager_app); - -allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms; -allow hbmsvmanager_app proc_vendor_sched:file w_file_perms; - allow hbmsvmanager_app hal_pixel_display_service:service_manager find; binder_call(hbmsvmanager_app, hal_graphics_composer_default) - -# Standard system services -allow hbmsvmanager_app app_api_service:service_manager find; - -allow hbmsvmanager_app cameraserver_service:service_manager find; diff --git a/sepolicy/whitechapel_pro/init-check_ap_pd_auth-sh.te b/sepolicy/whitechapel_pro/init-check_ap_pd_auth-sh.te new file mode 100644 index 00000000..bcd855c2 --- /dev/null +++ b/sepolicy/whitechapel_pro/init-check_ap_pd_auth-sh.te @@ -0,0 +1,14 @@ +type init-check_ap_pd_auth-sh, domain; +type init-check_ap_pd_auth-sh_exec, vendor_file_type, exec_type, file_type; + +userdebug_or_eng(` + init_daemon_domain(init-check_ap_pd_auth-sh) + + set_prop(init-check_ap_pd_auth-sh, vendor_sjtag_lock_state_prop) + + allow init-check_ap_pd_auth-sh sysfs_sjtag:dir r_dir_perms; + allow init-check_ap_pd_auth-sh sysfs_sjtag:file r_file_perms; + + allow init-check_ap_pd_auth-sh vendor_shell_exec:file rx_file_perms; + allow init-check_ap_pd_auth-sh vendor_toolbox_exec:file rx_file_perms; +') diff --git a/sepolicy/whitechapel_pro/kernel.te b/sepolicy/whitechapel_pro/kernel.te index 2cddb45b..9f5bf882 100644 
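Review bot: The three rules added to hal_wireless_charger.te overlap: `r_dir_file(hal_wireless_charger, sysfs_wlc)` already grants directory read/search and file read, so `allow hal_wireless_charger sysfs_wlc:dir search;` adds nothing and only the write half of `rw_file_perms` is new. Writing the intent directly as `allow hal_wireless_charger sysfs_wlc:dir r_dir_perms;` and `allow hal_wireless_charger sysfs_wlc:file rw_file_perms;` makes the write grant easy to spot (keep `r_dir_file` only if symlink reads are needed). The block has no comment; something like `# WLC HAL reads and writes the charger's sysfs attributes` would state why write access exists.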
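Review bot: The new init-check_ap_pd_auth-sh.te has no header comment saying what the script checks or why its rules are debug-only, and both `type` lines sit outside `userdebug_or_eng` while `init_daemon_domain` is inside it. On a user build the two types therefore exist with no transition and no rules; whether the script and its init service are excluded from user images is not visible in this hunk and should be confirmed. I would open the file with a comment along the lines of `# Debug builds only: reads SJTAG state from sysfs and publishes it through vendor_sjtag_lock_state_prop`.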
--- a/sepolicy/whitechapel_pro/kernel.te +++ b/sepolicy/whitechapel_pro/kernel.te @@ -11,3 +11,5 @@ allow kernel self:perf_event cpu; dontaudit kernel vendor_battery_debugfs:dir search; dontaudit kernel vendor_maxfg_debugfs:dir { search }; dontaudit kernel vendor_regmap_debugfs:dir search; +dontaudit kernel vendor_votable_debugfs:dir search; +dontaudit kernel vendor_usb_debugfs:dir search; diff --git a/sepolicy/whitechapel_pro/keys.conf b/sepolicy/whitechapel_pro/keys.conf index a7027f81..972a9fa5 100644 --- a/sepolicy/whitechapel_pro/keys.conf +++ b/sepolicy/whitechapel_pro/keys.conf @@ -4,9 +4,6 @@ ALL : device/google/gs201/sepolicy/whitechapel_pro/certs/app.x509.pem [@MDS] ALL : device/google/gs201/sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem -[@UWB] -ALL : device/google/gs201/sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem - [@EUICCSUPPORTPIXEL] ALL : device/google/gs201/sepolicy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem diff --git a/sepolicy/whitechapel_pro/mac_permissions.xml b/sepolicy/whitechapel_pro/mac_permissions.xml index 7627b9d0..290daa9c 100644 --- a/sepolicy/whitechapel_pro/mac_permissions.xml +++ b/sepolicy/whitechapel_pro/mac_permissions.xml @@ -27,9 +27,6 @@ - - - diff --git a/sepolicy/whitechapel_pro/modem_diagnostic_app.te b/sepolicy/whitechapel_pro/modem_diagnostic_app.te index b5cce03a..b21b7929 100644 --- a/sepolicy/whitechapel_pro/modem_diagnostic_app.te +++ b/sepolicy/whitechapel_pro/modem_diagnostic_app.te @@ -9,6 +9,9 @@ allow modem_diagnostic_app radio_service:service_manager find; userdebug_or_eng(` hal_client_domain(modem_diagnostic_app, hal_power_stats); + allow modem_diagnostic_app hal_exynos_rild_hwservice:hwservice_manager find; + binder_call(modem_diagnostic_app, rild) + binder_call(modem_diagnostic_app, dmd) set_prop(modem_diagnostic_app, vendor_cbd_prop) diff --git a/sepolicy/whitechapel_pro/pixelstats_vendor.te b/sepolicy/whitechapel_pro/pixelstats_vendor.te index 6aba16ae..15856a17 100644 
--- a/sepolicy/whitechapel_pro/pixelstats_vendor.te +++ b/sepolicy/whitechapel_pro/pixelstats_vendor.te @@ -33,6 +33,9 @@ allow pixelstats_vendor sysfs_thermal:lnk_file r_file_perms; # BCL allow pixelstats_vendor sysfs_bcl:dir search; allow pixelstats_vendor sysfs_bcl:file r_file_perms; +allow pixelstats_vendor mitigation_vendor_data_file:dir search; +allow pixelstats_vendor mitigation_vendor_data_file:file rw_file_perms; +get_prop(pixelstats_vendor, vendor_brownout_reason_prop); # PCIe statistics allow pixelstats_vendor sysfs_exynos_pcie_stats:dir search; diff --git a/sepolicy/whitechapel_pro/property.te b/sepolicy/whitechapel_pro/property.te index d297abea..559511a0 100644 --- a/sepolicy/whitechapel_pro/property.te +++ b/sepolicy/whitechapel_pro/property.te @@ -42,5 +42,5 @@ vendor_internal_prop(vendor_trusty_storage_prop) # Mali Integration vendor_restricted_prop(vendor_arm_runtime_option_prop) -# ArmNN -vendor_internal_prop(vendor_armnn_config_prop) +# SJTAG lock state +vendor_internal_prop(vendor_sjtag_lock_state_prop) diff --git a/sepolicy/whitechapel_pro/property_contexts b/sepolicy/whitechapel_pro/property_contexts index 947adf2c..0ff833e8 100644 --- a/sepolicy/whitechapel_pro/property_contexts +++ b/sepolicy/whitechapel_pro/property_contexts @@ -83,7 +83,6 @@ vendor.gps. u:object_r:vendor_gps_prop:s0 persist.vendor.gps. u:object_r:vendor_gps_prop:s0 # Fingerprint -persist.vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0 vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0 vendor.gf. u:object_r:vendor_fingerprint_prop:s0 
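Review bot: `allow pixelstats_vendor mitigation_vendor_data_file:file rw_file_perms;` gives the stats collector write access to the mitigation data files, and nothing under `# BCL` says why a reader of brownout statistics needs to modify them. If pixelstats only parses these files, `r_file_perms` is the narrower grant; if it has to clear or mark them after upload, a comment such as `# pixelstats clears the brownout record after reporting it` would justify the write. The trailing `;` on `get_prop(pixelstats_vendor, vendor_brownout_reason_prop);` is harmless but differs from the semicolon-free macro calls this commit writes in hal_sensors_default.te.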
@@ -107,5 +106,6 @@ ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop # Mali GPU driver configuration and debug options vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix -# ArmNN configuration -ro.vendor.armnn. u:object_r:vendor_armnn_config_prop:s0 prefix +# SJTAG lock state +ro.vendor.sjtag_ap_is_unlocked u:object_r:vendor_sjtag_lock_state_prop:s0 +ro.vendor.sjtag_gsa_is_unlocked u:object_r:vendor_sjtag_lock_state_prop:s0 diff --git a/sepolicy/whitechapel_pro/rild.te b/sepolicy/whitechapel_pro/rild.te index 534bea17..356e8727 100644 --- a/sepolicy/whitechapel_pro/rild.te +++ b/sepolicy/whitechapel_pro/rild.te @@ -43,4 +43,6 @@ allow rild modem_img_file:lnk_file r_file_perms; # Allow rild to ptrace for memory leak detection userdebug_or_eng(` allow rild self:process ptrace; + +binder_call(rild, modem_diagnostic_app) ') diff --git a/sepolicy/whitechapel_pro/rlsservice.te b/sepolicy/whitechapel_pro/rlsservice.te index e5f1acef..e531b0d6 100644 --- a/sepolicy/whitechapel_pro/rlsservice.te +++ b/sepolicy/whitechapel_pro/rlsservice.te @@ -16,6 +16,8 @@ allow rlsservice mnt_vendor_file:dir search; allow rlsservice rls_device:chr_file rw_file_perms; binder_call(rlsservice, hal_camera_default) +binder_call(rlsservice, servicemanager) + # Allow access to display backlight information allow rlsservice sysfs_leds:dir search; @@ -30,3 +32,7 @@ allow rlsservice apex_info_file:file r_file_perms; # Allow read camera property get_prop(rlsservice, vendor_camera_prop); + +# Allow rlsservice bugreport generation +allow rlsservice dumpstate:fd use; +allow rlsservice dumpstate:fifo_file write; \ No newline at end of file diff --git a/sepolicy/whitechapel_pro/seapp_contexts b/sepolicy/whitechapel_pro/seapp_contexts index 149e2287..eda8c10c 100644 --- a/sepolicy/whitechapel_pro/seapp_contexts +++ b/sepolicy/whitechapel_pro/seapp_contexts 
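Review bot: The two SJTAG entries in property_contexts carry no match qualifier, so they are treated as prefixes and any property whose name merely begins with `ro.vendor.sjtag_ap_is_unlocked` would also be labelled `vendor_sjtag_lock_state_prop`. The Mali entry directly above spells out `prefix`; these single-name properties should say `exact` and, assuming they hold true/false, a type: `ro.vendor.sjtag_ap_is_unlocked u:object_r:vendor_sjtag_lock_state_prop:s0 exact bool`. Both `init-check_ap_pd_auth-sh` and `ssr_detector_app` receive `set_prop` on this type in this commit, and `ro.` properties can be written only once, so it is worth stating in a comment which of the two publishes each value.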
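Review bot: In rlsservice.te, `binder_call(rlsservice, servicemanager)` hand-writes what the `binder_use()` macro is conventionally used for, and it is added under the camera HAL call with no comment. Since this commit moves `rls_service` from vndservice.te to service.te, a line such as `# rlsservice now registers with the framework service manager` followed by `binder_use(rlsservice)` would make the change of binder context explicit. Whether an older vndbinder rule should be dropped at the same time cannot be seen from this hunk.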
@@ -27,43 +27,22 @@ user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicag # Domain for omadm user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all -# HbmSVManager -user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all - # grilservice user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all -# Domain for connectivity monitor -user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all - # Modem Diagnostic System user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user +user=_app isPrivApp=true seinfo=platform name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user # CBRS setup app user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user -# Qorvo UWB system app -# TODO(b/222204912): Should this run under uwb user? 
-user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all - # Domain for EuiccSupportPixel user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all # Sub System Ramdump user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user -# Google Camera -user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all - -# Google Camera Eng -user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all - -# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera -user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all - -# Also label GoogleCameraNext, built with debug keys as debug_camera_app. -user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all - # Domain for CatEngineService user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all diff --git a/sepolicy/whitechapel_pro/service.te b/sepolicy/whitechapel_pro/service.te index 1c49d4f8..2fff6689 100644 --- a/sepolicy/whitechapel_pro/service.te +++ b/sepolicy/whitechapel_pro/service.te @@ -3,3 +3,5 @@ type hal_uwb_vendor_service, service_manager_type, hal_service_type; # WLC type hal_wireless_charger_service, hal_service_type, protected_service, service_manager_type; + +type rls_service, service_manager_type; diff --git a/sepolicy/whitechapel_pro/service_contexts b/sepolicy/whitechapel_pro/service_contexts index a3849bb7..e3ae0e74 100644 --- a/sepolicy/whitechapel_pro/service_contexts 
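Review bot: The added `seinfo=platform name=com.google.mds` entry places a platform-signed build of the package in `modem_diagnostic_app` on every build type, alongside the existing `seinfo=mds` entry that ties the domain to the dedicated MDS certificate. The hunk gives no reason for the second selector, and the platform key signs many more packages than the MDS key, so the binding between signer and domain becomes looser. A comment above the new line, e.g. `# MDS builds signed with the platform key (<reason>)`, should record why it is needed and whether it is meant to remain on user builds.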
+++ b/sepolicy/whitechapel_pro/service_contexts @@ -2,3 +2,5 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_ hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0 vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0 + +rlsservice u:object_r:rls_service:s0 diff --git a/sepolicy/whitechapel_pro/ssr_detector.te b/sepolicy/whitechapel_pro/ssr_detector.te index 2caf6d77..a93d5bdb 100644 --- a/sepolicy/whitechapel_pro/ssr_detector.te +++ b/sepolicy/whitechapel_pro/ssr_detector.te @@ -13,11 +13,13 @@ userdebug_or_eng(` allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; get_prop(ssr_detector_app, vendor_aoc_prop) + set_prop(ssr_detector_app, vendor_sjtag_lock_state_prop) allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; allow ssr_detector_app sysfs_sjtag:file rw_file_perms; allow ssr_detector_app proc_vendor_sched:dir search; allow ssr_detector_app proc_vendor_sched:file rw_file_perms; allow ssr_detector_app cgroup:file write; + allow ssr_detector_app vendor_toolbox_exec:file execute_no_trans; ') get_prop(ssr_detector_app, vendor_ssrdump_prop) diff --git a/sepolicy/whitechapel_pro/te_macros b/sepolicy/whitechapel_pro/te_macros deleted file mode 100644 index 01ac13c1..00000000 --- a/sepolicy/whitechapel_pro/te_macros +++ /dev/null @@ -1,14 +0,0 @@ -# -# USF SELinux type enforcement macros. -# - -# -# usf_low_latency_transport(domain) -# -# Allows domain use of the USF low latency transport. -# -define(`usf_low_latency_transport', ` - allow $1 hal_graphics_mapper_hwservice:hwservice_manager find; - hal_client_domain($1, hal_graphics_allocator) -') - diff --git a/sepolicy/whitechapel_pro/tee.te b/sepolicy/whitechapel_pro/tee.te index 256fb384..bfff0a91 100644 --- a/sepolicy/whitechapel_pro/tee.te +++ b/sepolicy/whitechapel_pro/tee.te 
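Review bot: In ssr_detector.te, `allow ssr_detector_app vendor_toolbox_exec:file execute_no_trans;` grants only the no-transition half of an exec; running the binary in the app's own domain normally also needs `execute` plus read/open/getattr on the file, which `rx_file_perms` bundles and which init-check_ap_pd_auth-sh.te in this commit uses for the same file. Unless those permissions come from a rule outside this hunk, the exec will presumably still be denied. Because this lets an app that seapp_contexts runs as `user=system` execute vendor toolbox inside its own domain on debug builds, a comment naming the command it runs (it appears related to the new `set_prop(ssr_detector_app, vendor_sjtag_lock_state_prop)`) would make the grant reviewable.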
@@ -7,7 +7,6 @@ allow tee persist_file:dir r_dir_perms; allow tee mnt_vendor_file:dir r_dir_perms; allow tee tee_data_file:dir rw_dir_perms; allow tee tee_data_file:lnk_file r_file_perms; -allow tee sg_device:chr_file rw_file_perms; # Allow storageproxyd access to gsi_public_metadata_file read_fstab(tee) diff --git a/sepolicy/whitechapel_pro/uwb_vendor_app.te b/sepolicy/whitechapel_pro/uwb_vendor_app.te index aa4564e6..cc5a9de4 100644 --- a/sepolicy/whitechapel_pro/uwb_vendor_app.te +++ b/sepolicy/whitechapel_pro/uwb_vendor_app.te @@ -1,18 +1,8 @@ -type uwb_vendor_app, domain; - -app_domain(uwb_vendor_app) not_recovery(` -hal_client_domain(uwb_vendor_app, hal_uwb_vendor) - -allow uwb_vendor_app app_api_service:service_manager find; allow uwb_vendor_app hal_uwb_vendor_service:service_manager find; -allow uwb_vendor_app nfc_service:service_manager find; -allow uwb_vendor_app radio_service:service_manager find; - -allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms; -allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; +hal_client_domain(uwb_vendor_app, hal_uwb_vendor) allow hal_uwb_vendor_default self:global_capability_class_set sys_nice; allow hal_uwb_vendor_default kernel:process setsched; diff --git a/sepolicy/whitechapel_pro/vendor_init.te b/sepolicy/whitechapel_pro/vendor_init.te index 415d7c8f..c8acdbb5 100644 --- a/sepolicy/whitechapel_pro/vendor_init.te +++ b/sepolicy/whitechapel_pro/vendor_init.te @@ -41,6 +41,3 @@ allow vendor_init tee_data_file:lnk_file read; # Mali set_prop(vendor_init, vendor_arm_runtime_option_prop) - -# ArmNN -set_prop(vendor_init, vendor_armnn_config_prop) diff --git a/sepolicy/whitechapel_pro/vndservice.te b/sepolicy/whitechapel_pro/vndservice.te index bd59e836..06ef0b2d 100644 --- a/sepolicy/whitechapel_pro/vndservice.te +++ b/sepolicy/whitechapel_pro/vndservice.te 
@@ -1,3 +1,2 @@
-type rls_service, vndservice_manager_type;
 type vendor_surfaceflinger_vndservice, vndservice_manager_type;
 type eco_service, vndservice_manager_type;
diff --git a/sepolicy/whitechapel_pro/vndservice_contexts b/sepolicy/whitechapel_pro/vndservice_contexts
index 16ae43a4..6ddcabfe 100644
--- a/sepolicy/whitechapel_pro/vndservice_contexts
+++ b/sepolicy/whitechapel_pro/vndservice_contexts
@@ -1,3 +1,2 @@
-rlsservice u:object_r:rls_service:s0
 Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0
 media.ecoservice u:object_r:eco_service:s0