From 4abebb1669f639395d111e8be091a89ba2f9ee48 Mon Sep 17 00:00:00 2001 
From: Ramii Ahmed Date: Sun, 17 Apr 2022 04:32:09 +0000 Subject: [PATCH] sm6375-common: initial SEPolicy Co-authored-by: Cosmin Tanislav Co-authored-by: Arian Co-authored-by: ItsVixano Change-Id: I2ab2e0b5981ec8044c22caa3ff41ba094ccadf38 --- BoardConfigCommon.mk | 1 + sepolicy/private/file_contexts | 2 + sepolicy/public/property_contexts | 5 ++ sepolicy/vendor/adsprpcd.te | 1 + sepolicy/vendor/batterysecret.te | 40 ++++++++++++++++ sepolicy/vendor/device.te | 6 +++ sepolicy/vendor/file.te | 12 +++++ sepolicy/vendor/file_contexts | 61 +++++++++++++++++------- sepolicy/vendor/genfs_contexts | 46 ++++++++++++++++++ sepolicy/vendor/hal_audio_default.te | 13 +++++ sepolicy/vendor/hal_bluetooth_default.te | 6 +++ sepolicy/vendor/hal_bootctl_default.te | 1 + sepolicy/vendor/hal_camera_default.te | 2 + sepolicy/vendor/hal_health_default.te | 2 + sepolicy/vendor/hal_ir_default.te | 1 + sepolicy/vendor/hal_nfc_default.te | 2 + sepolicy/vendor/hal_perf_default.te | 5 ++ sepolicy/vendor/hal_sensors_default.te | 10 ++++ sepolicy/vendor/hal_wifi_default.te | 1 + sepolicy/vendor/hwservice_contexts | 4 ++ sepolicy/vendor/mi_thermald.te | 29 +++++++++++ sepolicy/vendor/property.te | 5 ++ sepolicy/vendor/property_contexts | 18 ++++++- sepolicy/vendor/qti_init_shell.te | 1 + sepolicy/vendor/recovery.te | 1 + sepolicy/vendor/sensors.te | 1 + sepolicy/vendor/tee.te | 2 + sepolicy/vendor/vendor_modprobe.te | 4 ++ 28 files changed, 265 insertions(+), 17 deletions(-) create mode 100644 sepolicy/private/file_contexts create mode 100644 sepolicy/public/property_contexts create mode 100644 sepolicy/vendor/adsprpcd.te create mode 100644 sepolicy/vendor/batterysecret.te create mode 100644 sepolicy/vendor/hal_audio_default.te create mode 100644 sepolicy/vendor/hal_bluetooth_default.te create mode 100644 sepolicy/vendor/hal_bootctl_default.te create mode 100644 sepolicy/vendor/hal_camera_default.te create mode 100644 sepolicy/vendor/hal_health_default.te create mode 100644 
sepolicy/vendor/hal_ir_default.te create mode 100644 sepolicy/vendor/hal_nfc_default.te create mode 100644 sepolicy/vendor/hal_perf_default.te create mode 100644 sepolicy/vendor/hal_sensors_default.te create mode 100644 sepolicy/vendor/hal_wifi_default.te create mode 100644 sepolicy/vendor/mi_thermald.te create mode 100644 sepolicy/vendor/property.te create mode 100644 sepolicy/vendor/qti_init_shell.te create mode 100644 sepolicy/vendor/recovery.te create mode 100644 sepolicy/vendor/sensors.te create mode 100644 sepolicy/vendor/tee.te create mode 100644 sepolicy/vendor/vendor_modprobe.te
diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index f1712d3..f5dd853 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -189,6 +189,7 @@ VENDOR_SECURITY_PATCH := 2022-02-01
 # Sepolicy
 include device/qcom/sepolicy_vndr/SEPolicy.mk
+BOARD_PLAT_PRIVATE_SEPOLICY_DIR += $(COMMON_PATH)/sepolicy/private
 BOARD_PLAT_PUBLIC_SEPOLICY_DIR += $(COMMON_PATH)/sepolicy/public
 BOARD_VENDOR_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/vendor
diff --git a/sepolicy/private/file_contexts b/sepolicy/private/file_contexts
new file mode 100644
index 0000000..3ffbc81
--- /dev/null
+++ b/sepolicy/private/file_contexts
@@ -0,0 +1,2 @@
+# Dev nodes
+/dev/stune(/.*)? u:object_r:cgroup:s0
diff --git a/sepolicy/public/property_contexts b/sepolicy/public/property_contexts
new file mode 100644
index 0000000..fd41c4a
--- /dev/null
+++ b/sepolicy/public/property_contexts
@@ -0,0 +1,5 @@
+# Camera
+camera. u:object_r:vendor_camera_prop:s0
+
+# Fingerprint
+sys.fp.vendor u:object_r:vendor_fp_prop:s0
diff --git a/sepolicy/vendor/adsprpcd.te b/sepolicy/vendor/adsprpcd.te
new file mode 100644
index 0000000..58fe3e7
--- /dev/null
+++ b/sepolicy/vendor/adsprpcd.te
@@ -0,0 +1 @@
+r_dir_file(vendor_adsprpcd, vendor_sysfs_graphics)
diff --git a/sepolicy/vendor/batterysecret.te b/sepolicy/vendor/batterysecret.te
new file mode 100644
index 0000000..20dc1b2
--- /dev/null
+++ b/sepolicy/vendor/batterysecret.te
@@ -0,0 +1,40 @@
+define(`battery_daemons', `{ batteryd batterysecret }')
+
+type batteryd, domain;
+type batteryd_exec, exec_type, vendor_file_type, file_type;
+type batterysecret, domain;
+type batterysecret_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(batteryd)
+init_daemon_domain(batterysecret)
+
+r_dir_file(battery_daemons, cgroup)
+r_dir_file(battery_daemons, mnt_vendor_file)
+r_dir_file(battery_daemons, persist_subsys_file)
+r_dir_file(battery_daemons, rootfs)
+r_dir_file(battery_daemons, vendor_sysfs_battery_supply)
+r_dir_file(battery_daemons, sysfs_batteryinfo)
+r_dir_file(battery_daemons, sysfs_type)
+r_dir_file(battery_daemons, vendor_sysfs_usb_supply)
+r_dir_file(battery_daemons, vendor_sysfs_usbpd_device)
+
+
+allow battery_daemons persist_subsys_file:dir w_dir_perms;
+allow battery_daemons rootfs:dir w_dir_perms;
+
+allow battery_daemons kmsg_device:chr_file rw_file_perms;
+allow battery_daemons persist_subsys_file:file w_file_perms;
+allow battery_daemons sysfs:file w_file_perms;
+allow battery_daemons vendor_sysfs_battery_supply:file w_file_perms;
+allow battery_daemons sysfs_usb:file w_file_perms;
+allow battery_daemons vendor_sysfs_usb_supply:file w_file_perms;
+allow battery_daemons vendor_sysfs_usbpd_device:file w_file_perms;
+
+allow battery_daemons self:global_capability_class_set sys_tty_config;
+allow battery_daemons self:global_capability_class_set sys_boot;
+
+allow battery_daemons self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+allow battery_daemons self:capability { chown fsetid };
+
+wakelock_use(battery_daemons)
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
index a69ced6..99f0186 100644
--- a/sepolicy/vendor/device.te
+++ b/sepolicy/vendor/device.te
@@ -1,2 +1,8 @@
+# Audio device
+type sound_device, dev_type;
+
 # Fingerprint device
 type vendor_fingerprint_device, dev_type;
+
+# IR device
+type ir_spi_device, dev_type;
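Review bot: `type batteryd_exec` and `init_daemon_domain(batteryd)` in this hunk have no matching file_contexts entry — the file_contexts hunk in this commit labels only `/vendor/bin/batterysecret` — so nothing ever carries `batteryd_exec` and the `batteryd` domain cannot be entered; either label the batteryd binary or drop the `batteryd` half of the `battery_daemons` set. Separately, `allow battery_daemons sysfs:file w_file_perms;` and `allow battery_daemons rootfs:dir w_dir_perms;` grant writes on the generic `sysfs` and `rootfs` types rather than on the battery-specific nodes already used here (`vendor_sysfs_battery_supply`, `vendor_sysfs_usb_supply`, `vendor_sysfs_usbpd_device`); if a node is missing, label it in genfs_contexts and grant that type, and if the audit log shows nothing for the generic types, drop the two lines. `sys_boot` is also unexplained for a battery daemon; a one-line comment naming the operation that needs it would help the next reviewer.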
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index 3682aca..c9d058e 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -1,2 +1,14 @@
+# Audio
+type audio_socket, file_type;
+
+# Battery
+type persist_subsys_file, vendor_persist_type, file_type;
+
+# Camera
+type camera_persist_file, vendor_persist_type, file_type;
+
 # Fingerprint
 type vendor_fingerprint_data_file, data_file_type, file_type;
+
+# Thermal
+type thermal_data_file, data_file_type, file_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index 409c7ff..e655e3d 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -1,21 +1,50 @@
+ # Audio
+/dev/socket/audio_hw_socket u:object_r:audio_socket:s0
+/dev/elliptic(.*)? u:object_r:sound_device:s0
+/mnt/vendor/persist/audio/cali_test.bin u:object_r:vendor_persist_audio_file:s0
+/mnt/vendor/persist/audio/fsm_calib.bin u:object_r:vendor_persist_audio_file:s0
+/mnt/vendor/persist/audio/aw_cali.bin u:object_r:vendor_persist_audio_file:s0
+
+# Battery
+/vendor/bin/batterysecret u:object_r:batterysecret_exec:s0
+/mnt/vendor/persist/subsys(/.*)? u:object_r:persist_subsys_file:s0
+
+# Camera
+/mnt/vendor/persist/camera(/.*)? u:object_r:camera_persist_file:s0
+
 # Fingerprint
-/dev/goodix_fp u:object_r:vendor_fingerprint_device:s0
-/dev/silead_fp u:object_r:vendor_fingerprint_device:s0
-/dev/silead_s.* u:object_r:vendor_fingerprint_device:s0
-/dev/silead_stub u:object_r:vendor_fingerprint_device:s0
-/dev/spidev.* u:object_r:vendor_fingerprint_device:s0
-/mnt/vendor/persist/silead(/.*)? u:object_r:vendor_fingerprint_data_file:s0
-/mnt/vendor/persist/goodix(/.*)? u:object_r:vendor_fingerprint_data_file:s0
-/data/vendor/fpc(/.*)? u:object_r:vendor_fingerprint_data_file:s0
-/data/vendor/fpdump(/.*)? u:object_r:vendor_fingerprint_data_file:s0
-/data/vendor/goodix(/.*)? u:object_r:vendor_fingerprint_data_file:s0
-/data/vendor/goodix/gf_data(/.*)? u:object_r:vendor_fingerprint_data_file:s0
-/data/vendor/silead(/.*)? u:object_r:vendor_fingerprint_data_file:s0
-/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2.1-service\.xiaomi_holi u:object_r:hal_fingerprint_default_exec:s0
-/vendor/bin/hw/vendor\.silead\.hardware\.fingerprintext@1\.0-service u:object_r:hal_fingerprint_default_exec:s0
+/dev/goodix_fp u:object_r:vendor_fingerprint_device:s0
+/dev/silead_fp u:object_r:vendor_fingerprint_device:s0
+/dev/silead_s.* u:object_r:vendor_fingerprint_device:s0
+/dev/silead_stub u:object_r:vendor_fingerprint_device:s0
+/dev/spidev.* u:object_r:vendor_fingerprint_device:s0
+/mnt/vendor/persist/silead(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/mnt/vendor/persist/goodix(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/fpc(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/fpdump(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/goodix(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/goodix/gf_data(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/silead(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2.1-service\.xiaomi_holi u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/vendor\.silead\.hardware\.fingerprintext@1\.0-service u:object_r:hal_fingerprint_default_exec:s0
+
+# IR
+/dev/ir_spi u:object_r:ir_spi_device:s0
+
+# NFC
+/dev/pn553 u:object_r:nfc_device:s0
+/dev/pn54x u:object_r:nfc_device:s0
 # Sensors
-/vendor/bin/hw/android\.hardware\.sensors@2.1-service\.xiaomi_holi-multihal u:object_r:hal_sensors_default_exec:s0
+/vendor/bin/hw/android\.hardware\.sensors@2.1-service\.xiaomi_holi-multihal u:object_r:hal_sensors_default_exec:s0
+
+# Thermal
+/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0
+/vendor/bin/mi_thermald u:object_r:mi_thermald_exec:s0
 # Vibrator
-/vendor/bin/hw/vendor\.qti\.hardware\.vibrator\.service\.xiaomi_holi u:object_r:hal_vibrator_default_exec:s0
+/vendor/bin/hw/vendor\.qti\.hardware\.vibrator\.service\.xiaomi_holi u:object_r:hal_vibrator_default_exec:s0
+
+# Xiaomi MAC
+/data/vendor/mac_addr(/.*)? u:object_r:vendor_wifi_vendor_data_file:s0
+/data/vendor/wlan_logs(/.*)? u:object_r:vendor_wifi_vendor_data_file:s0
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
index 9de301c..65858f8 100644
--- a/sepolicy/vendor/genfs_contexts
+++ b/sepolicy/vendor/genfs_contexts
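Review bot: `/data/vendor/mac_addr(/.*)?` under `# Xiaomi MAC` gets the same type as `/data/vendor/wlan_logs(/.*)?` (`vendor_wifi_vendor_data_file`), and the hal_bluetooth_default.te hunk in this commit grants that type `rw_dir_perms` and `create_file_perms`, so the Bluetooth HAL gains write access to the Wi-Fi log directory as a side effect of reaching the MAC files. A dedicated type for `/data/vendor/mac_addr` (declared in file.te next to the other new types) would keep the two HALs' write sets apart. The fourteen fingerprint entries are removed and re-added with text that is identical apart from whitespace; if only column alignment changed, carrying that in its own change would keep the policy diff reviewable.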
@@ -1,8 +1,54 @@
+# Battery
+genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/power_supply u:object_r:sysfs_battery_supply:s0
+
 # Fingerprint
 genfscon sysfs /devices/platform/soc/soc:fpc1020 u:object_r:vendor_sysfs_fingerprint:s0
 genfscon sysfs /devices/platform/soc/soc:goodix_fp u:object_r:vendor_sysfs_fingerprint:s0
 genfscon sysfs /devices/platform/soc/soc:silead_fp u:object_r:vendor_sysfs_fingerprint:s0
+# SSR
+genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
+genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
+genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
+genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
+
 # Wakeup nodes
 genfscon sysfs /devices/platform/soc/soc:goodix_fp/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/soc/soc:silead_fp/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-adsp/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-modem/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4a80000.i2c/i2c-4/4-0066/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4a80000.i2c/i2c-4/4-0055/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4a80000.i2c/i2c-4/4-005a/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-0066/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-0028/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-004e/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-006a/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-cdsp/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys3/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,msm-audio-apr/soc:qcom,msm-audio-apr:qcom,q6core-audio/soc:qcom,msm-audio-apr:qcom,q6core-audio:bolero-cdc/va-macro/va_swr_ctrl/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/6000000.qcom,mss/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys2/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/b000000.qcom,turing/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys1/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4a84000.qcom,qup_uart/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:gpio_keys/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/subsys4/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1628000.qcom,msm-eud/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys5/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/5800000.qcom,ipa/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c800000.qcom,icnss/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p_sleepstate/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4e00000.ssusb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm6125@0:qcom,power-on@800/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-06/1c40000.qcom,spmi:qcom,pmk8350@0:rtc@6100/wakeup u:object_r:sysfs_wakeup:s0
diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te
new file mode 100644
index 0000000..7e6e5a4
--- /dev/null
+++ b/sepolicy/vendor/hal_audio_default.te
@@ -0,0 +1,13 @@
+# Allow hal_audio_default to read vendor_persist_audio_file
+r_dir_file(hal_audio_default, vendor_persist_audio_file)
+
+r_dir_file(hal_audio_default, sysfs)
+
+binder_call(hal_audio_default, system_suspend_server)
+
+allow hal_audio_default system_suspend_hwservice:hwservice_manager find;
+
+set_prop(hal_audio_default, vendor_audio_prop)
+
+allow hal_audio_default audio_socket:sock_file rw_file_perms;
+allow hal_audio_default sound_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/hal_bluetooth_default.te b/sepolicy/vendor/hal_bluetooth_default.te
new file mode 100644
index 0000000..82c6ef2
--- /dev/null
+++ b/sepolicy/vendor/hal_bluetooth_default.te
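Review bot: The new `# Battery` entry labels `soc:qcom_wt_chg/power_supply` as `sysfs_battery_supply`, but every domain rule this commit adds for the battery node (batterysecret.te, mi_thermald.te) is written against `vendor_sysfs_battery_supply`, so unless both types exist and are meant to differ, the daemons are never granted the type this line assigns. Pick one and use it on both sides, e.g. `genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/power_supply u:object_r:vendor_sysfs_battery_supply:s0`. The `subsys[0-9]+` segments in the eight `# SSR` entries are regex syntax, and genfscon does not interpret regexes — it matches on a literal path prefix — so those entries will not label anything; the wakeup entries further down already use the literal `subsys0`, `subsys2` form and the SSR ones should follow it. This hunk spans several physical lines of the page.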
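Review bot: `r_dir_file(hal_audio_default, sysfs)` lets the audio HAL read every sysfs node that carries the generic type, which is far wider than the persist-audio, suspend and `sound_device` access the rest of this file asks for. If a specific node is needed, label it in genfs_contexts and grant that type instead, as this commit already does for the fingerprint and SSR nodes. `allow hal_audio_default audio_socket:sock_file rw_file_perms;` covers only the socket file; if `/dev/socket/audio_hw_socket` is a stream socket served by another domain, a matching `unix_stream_socket connectto` grant toward that domain is still needed — confirm against the audit log.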
@@ -0,0 +1,6 @@
+# Allow hal_bluetooth_default to read files in vendor_wifi_vendor_data_file
+r_dir_file(hal_bluetooth_default, vendor_wifi_vendor_data_file)
+allow hal_bluetooth_default vendor_wifi_vendor_data_file:dir rw_dir_perms;
+allow hal_bluetooth_default vendor_wifi_vendor_data_file:file create_file_perms;
+
+get_prop(hal_bluetooth_default, vendor_wifi_prop)
diff --git a/sepolicy/vendor/hal_bootctl_default.te b/sepolicy/vendor/hal_bootctl_default.te
new file mode 100644
index 0000000..e5c73b6
--- /dev/null
+++ b/sepolicy/vendor/hal_bootctl_default.te
@@ -0,0 +1 @@
+allow hal_bootctl_default vendor_uefi_block_device:blk_file getattr;
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
new file mode 100644
index 0000000..d97b6ee
--- /dev/null
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -0,0 +1,2 @@
+r_dir_file(hal_camera_default, camera_persist_file)
+set_prop(hal_camera_default, vendor_camera_sensor_prop)
diff --git a/sepolicy/vendor/hal_health_default.te b/sepolicy/vendor/hal_health_default.te
new file mode 100644
index 0000000..6cecf70
--- /dev/null
+++ b/sepolicy/vendor/hal_health_default.te
@@ -0,0 +1,2 @@
+allow hal_health_default sysfs_wakeup:dir r_dir_perms;
+allow hal_health_default sysfs_wakeup:file r_file_perms;
diff --git a/sepolicy/vendor/hal_ir_default.te b/sepolicy/vendor/hal_ir_default.te
new file mode 100644
index 0000000..46663b7
--- /dev/null
+++ b/sepolicy/vendor/hal_ir_default.te
@@ -0,0 +1 @@
+allow hal_ir_default ir_spi_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/hal_nfc_default.te b/sepolicy/vendor/hal_nfc_default.te
new file mode 100644
index 0000000..9486137
--- /dev/null
+++ b/sepolicy/vendor/hal_nfc_default.te
@@ -0,0 +1,2 @@
+allow hal_nfc_default vendor_nfc_vendor_data_file:dir create_dir_perms;
+allow hal_nfc_default vendor_nfc_vendor_data_file:file create_file_perms;
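Review bot: The comment `# Allow hal_bluetooth_default to read files in vendor_wifi_vendor_data_file` contradicts the two `allow` lines under it, which grant `rw_dir_perms` and `create_file_perms` — creating and writing files, not reading. Either reduce the grant to the `r_dir_file` line if reading is all the HAL needs, or make the comment state what is granted and why, e.g. `# hal_bluetooth_default reads and writes the MAC files under /data/vendor/mac_addr`. Note that the file_contexts hunk in this commit puts `/data/vendor/wlan_logs` under the same type, so the write grant reaches the Wi-Fi logs as well.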
diff --git a/sepolicy/vendor/hal_perf_default.te b/sepolicy/vendor/hal_perf_default.te
new file mode 100644
index 0000000..5d19e84
--- /dev/null
+++ b/sepolicy/vendor/hal_perf_default.te
@@ -0,0 +1,5 @@
+allow vendor_hal_perf_default hal_audio_default:dir r_dir_perms;
+allow vendor_hal_perf_default hal_audio_default:file r_file_perms;
+allow vendor_hal_perf_default hal_fingerprint_default:dir r_dir_perms;
+allow vendor_hal_perf_default hal_fingerprint_default:file r_file_perms;
+allow vendor_hal_perf_default hal_camera_default:dir r_dir_perms;
diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te
new file mode 100644
index 0000000..1d3339e
--- /dev/null
+++ b/sepolicy/vendor/hal_sensors_default.te
@@ -0,0 +1,10 @@
+binder_call(hal_sensors_default, hal_audio_default)
+
+hal_client_domain(hal_sensors_default, hal_audio)
+
+allow hal_sensors_default audio_socket:sock_file rw_file_perms;
+allow hal_sensors_default socket_device:sock_file rw_file_perms;
+allow hal_sensors_default sound_device:chr_file rw_file_perms;
+allow hal_sensors_default iio_device:chr_file rw_file_perms;
+
+get_prop(hal_sensors_default, vendor_adsprpc_prop)
diff --git a/sepolicy/vendor/hal_wifi_default.te b/sepolicy/vendor/hal_wifi_default.te
new file mode 100644
index 0000000..c6580df
--- /dev/null
+++ b/sepolicy/vendor/hal_wifi_default.te
@@ -0,0 +1 @@
+allow hal_wifi_default self:capability sys_module;
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
index 2a52640..96ef801 100644
--- a/sepolicy/vendor/hwservice_contexts
+++ b/sepolicy/vendor/hwservice_contexts
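Review bot: The last line grants `hal_camera_default:dir r_dir_perms` without the `:file r_file_perms` counterpart that the hal_audio_default and hal_fingerprint_default pairs above it carry; if the perf HAL reads the camera HAL's per-process entries the file rule is missing, and if it only lists the directory the asymmetry deserves a one-line comment so it is not "fixed" later by mistake.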
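Review bot: `binder_call(hal_sensors_default, hal_audio_default)` on the first line appears redundant with `hal_client_domain(hal_sensors_default, hal_audio)` two lines below, which makes the domain a hal_audio client and, as far as I recall the AOSP macro, already grants binder access to the hal_audio server attribute that hal_audio_default belongs to; if so the first line can go. `allow hal_sensors_default socket_device:sock_file rw_file_perms;` targets the generic `/dev/socket` type although the socket this HAL talks to is labelled `audio_socket` on the line above, so unless a second, unlabelled socket is in play it should be dropped. The `chr_file` grants on `sound_device` and `iio_device` are narrow and look fine.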
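Review bot: `allow hal_wifi_default self:capability sys_module;` lets the Wi-Fi HAL load kernel modules itself, while the vendor_modprobe.te hunk at the end of this commit sets up a dedicated module-loading domain for exactly that. Keeping CAP_SYS_MODULE confined to `vendor_modprobe` (and init) limits what a compromised HAL process can do with it; if the HAL spawns modprobe, a domain transition into `vendor_modprobe` is the usual route, and the denial that motivated this line is worth re-checking before granting the capability directly.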
@@ -6,3 +6,7 @@ vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:objec
 vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemonExt u:object_r:hal_fingerprint_hwservice:s0
 vendor.silead.hardware.fingerprintext::ISileadFingerprint u:object_r:hal_fingerprint_hwservice:s0
 vendor.xiaomi.hardware.fingerprintextension::IXiaomiFingerprint u:object_r:hal_fingerprint_hwservice:s0
+
+# NFC
+vendor.nxp.nxpnfc::INxpNfc u:object_r:hal_nfc_hwservice:s0
+vendor.nxp.nxpnfclegacy::INxpNfcLegacy u:object_r:hal_nfc_hwservice:s0
diff --git a/sepolicy/vendor/mi_thermald.te b/sepolicy/vendor/mi_thermald.te
new file mode 100644
index 0000000..e86e8bf
--- /dev/null
+++ b/sepolicy/vendor/mi_thermald.te
@@ -0,0 +1,29 @@
+type mi_thermald, domain;
+type mi_thermald_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mi_thermald)
+
+r_dir_file(mi_thermald, sysfs)
+r_dir_file(mi_thermald, sysfs_leds)
+r_dir_file(mi_thermald, sysfs_thermal)
+r_dir_file(mi_thermald, vendor_sysfs_kgsl)
+r_dir_file(mi_thermald, vendor_sysfs_battery_supply)
+r_dir_file(mi_thermald, vendor_sysfs_graphics)
+r_dir_file(mi_thermald, thermal_data_file)
+r_dir_file(mi_thermald, vendor_data_file)
+
+allow mi_thermald sysfs:file w_file_perms;
+allow mi_thermald sysfs_thermal:file w_file_perms;
+allow mi_thermald vendor_sysfs_kgsl:file w_file_perms;
+allow mi_thermald vendor_sysfs_battery_supply:file w_file_perms;
+allow mi_thermald vendor_sysfs_graphics:file w_file_perms;
+allow mi_thermald thermal_data_file:dir w_dir_perms;
+allow mi_thermald thermal_data_file:file create_file_perms;
+allow mi_thermald vendor_data_file:file rw_file_perms;
+allow mi_thermald vendor_data_file:dir w_dir_perms;
+allow mi_thermald sysfs_devices_system_cpu:file rw_file_perms;
+
+allow mi_thermald self:capability { fsetid sys_boot chown fowner };
+allow mi_thermald self:capability2 { wake_alarm block_suspend };
+
+set_prop(mi_thermald, vendor_thermal_normal_prop)
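Review bot: `allow mi_thermald vendor_data_file:file rw_file_perms;` and `allow mi_thermald vendor_data_file:dir w_dir_perms;` give the daemon write access to everything under /data/vendor that still carries the generic type, even though this commit declares `thermal_data_file` and labels `/data/vendor/thermal` with it for exactly this daemon; once its files live under that path the two `vendor_data_file` lines (and the matching `r_dir_file`) should go. The same applies to `allow mi_thermald sysfs:file w_file_perms;`, which should become grants on specifically labelled sysfs types — the file already uses `sysfs_thermal`, `vendor_sysfs_kgsl` and `vendor_sysfs_battery_supply`. `sys_boot` in the capability set is unexplained for a thermal daemon; a comment naming the call that needs it, or its removal if the audit log does not show it, would be appropriate.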
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
new file mode 100644
index 0000000..53a8909
--- /dev/null
+++ b/sepolicy/vendor/property.te
@@ -0,0 +1,5 @@
+# Camera
+vendor_internal_prop(vendor_camera_sensor_prop);
+
+# Thermal
+vendor_internal_prop(vendor_thermal_normal_prop)
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
index 259807d..834183e 100644
--- a/sepolicy/vendor/property_contexts
+++ b/sepolicy/vendor/property_contexts
@@ -1,6 +1,22 @@
+# Camera
+persist.camera. u:object_r:vendor_camera_prop:s0
+ro.boot.camera.config u:object_r:vendor_camera_sensor_prop:s0
+vendor.camera.config. u:object_r:vendor_camera_sensor_prop:s0
+
 # Fingerprint
 persist.vendor.sys.fp. u:object_r:vendor_fp_prop:s0
 ro.hardware.fp. u:object_r:vendor_fp_prop:s0
 vendor.fps_hal. u:object_r:vendor_fp_prop:s0
 vendor.silead.fp.ext. u:object_r:vendor_fp_prop:s0
-sys.fp.vendor u:object_r:vendor_fp_prop:s0
+
+# RIL
+odm.ril.radio.status. u:object_r:vendor_radio_prop:s0
+odm.ril.radio.status.sim1 u:object_r:vendor_radio_prop:s0
+odm.ril.radio.status.sim2 u:object_r:vendor_radio_prop:s0
+
+# Thermal
+vendor.sys.thermal. u:object_r:vendor_thermal_normal_prop:s0
+
+# Wi-Fi
+ro.vendor.ril.oem.btmac u:object_r:vendor_wifi_prop:s0
+ro.vendor.ril.oem.wifimac u:object_r:vendor_wifi_prop:s0
diff --git a/sepolicy/vendor/qti_init_shell.te b/sepolicy/vendor/qti_init_shell.te
new file mode 100644
index 0000000..0d6641f
--- /dev/null
+++ b/sepolicy/vendor/qti_init_shell.te
@@ -0,0 +1 @@
+allow vendor_qti_init_shell proc_page_cluster:file rw_file_perms;
diff --git a/sepolicy/vendor/recovery.te b/sepolicy/vendor/recovery.te
new file mode 100644
index 0000000..afc4845
--- /dev/null
+++ b/sepolicy/vendor/recovery.te
@@ -0,0 +1 @@
+allow recovery pstorefs:dir r_dir_perms;
diff --git a/sepolicy/vendor/sensors.te b/sepolicy/vendor/sensors.te
new file mode 100644
index 0000000..0b0d84d
--- /dev/null
+++ b/sepolicy/vendor/sensors.te
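Review bot: `vendor_internal_prop(vendor_camera_sensor_prop);` ends with a semicolon while the `vendor_thermal_normal_prop` call below it does not; the macro's expansion already terminates its own `type` statement, so the extra `;` is at best inconsistent and, if checkpolicy rejects an empty statement, a build break. Write it as `vendor_internal_prop(vendor_camera_sensor_prop)` to match the second call.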
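Review bot: `persist.camera. u:object_r:vendor_camera_prop:s0` is added to the vendor property_contexts although `persist.camera.` is not a vendor-namespaced prefix, while this same commit moves `camera.` and `sys.fp.vendor` out of this file into sepolicy/public/property_contexts, presumably because the build's vendor property namespace check rejects them here. If that check is active, `persist.camera.` fails it the same way; move it next to `camera.` in the public file, or confirm the check is disabled for this build. The `odm.ril.radio.status.sim1` and `sim2` entries are already covered by the `odm.ril.radio.status.` prefix on the line above them with the same type, so they can be dropped.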
@@ -0,0 +1 @@
+r_dir_file(vendor_sensors, vendor_sysfs_graphics)
diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te
new file mode 100644
index 0000000..d2556fb
--- /dev/null
+++ b/sepolicy/vendor/tee.te
@@ -0,0 +1,2 @@
+allow tee vendor_fingerprint_data_file:dir create_dir_perms;
+allow tee vendor_fingerprint_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/vendor_modprobe.te b/sepolicy/vendor/vendor_modprobe.te
new file mode 100644
index 0000000..4a6f93e
--- /dev/null
+++ b/sepolicy/vendor/vendor_modprobe.te
@@ -0,0 +1,4 @@
+allow vendor_modprobe self:capability sys_module;
+allow vendor_modprobe self:cap_userns sys_module;
+allow vendor_modprobe vendor_file:system module_load;
+r_dir_file(vendor_modprobe, vendor_file)