Snap for 10447354 from 07cccd56b507bb63faad951c5f9f31e0ca46f788 to mainline-cellbroadcast-release

Change-Id: I4bd0152f00210f8c54a0932697367c9b17a2b2f3
diff --git a/astd/astd.te b/astd/astd.te
index 9f29caa..815e832 100644
--- a/astd/astd.te
+++ b/astd/astd.te
@@ -1,15 +1,8 @@
 # astd service
 type astd, domain;
+type astd_exec, exec_type, file_type, system_file_type;
 
-# /vendor/bin/astc        u:object_r:vendor_shell_exec:s0
-# system/sepolicy/public/vendor_shell.te
-# type vendor_shell_exec, exec_type, vendor_file_type, file_type;
-
-# /vendor/bin/astd        u:object_r:vendor_toolbox_exec:s0
-# system/sepolicy/public/vendor_toolbox.te
-# type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
-
-type astd_exec, exec_type, vendor_file_type, file_type;
+typeattribute astd coredomain;
 
 userdebug_or_eng(`
   init_daemon_domain(astd)
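Review bot: `typeattribute astd coredomain;` and the `system_file_type` attribute on `astd_exec` are declared for every build variant, while the only visible entry into the domain, `init_daemon_domain(astd)`, sits inside `userdebug_or_eng`. The comments that explained the old vendor labelling were removed without a replacement. A short comment above the attribute would keep the intent auditable, for example `# astd now ships in /system_ext/bin, so it is a core domain with a system-labelled executable`. If this directory is compiled into vendor policy rather than system_ext policy, the `coredomain` attribute should be checked against the Treble neverallow rules; the hunk does not show which partition's policy it feeds. The `userdebug_or_eng` block continues past the end of the hunk.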
diff --git a/astd/file_contexts b/astd/file_contexts
index 0df5774..17ac54c 100644
--- a/astd/file_contexts
+++ b/astd/file_contexts
@@ -1,3 +1,3 @@
-/vendor/bin/astc        u:object_r:astd_exec:s0
-/vendor/bin/astd        u:object_r:astd_exec:s0
+/system_ext/bin/astc        u:object_r:astd_exec:s0
+/system_ext/bin/astd        u:object_r:astd_exec:s0
 
diff --git a/citadel/file_contexts b/citadel/file_contexts
index 5376def..a253a3d 100644
--- a/citadel/file_contexts
+++ b/citadel/file_contexts
@@ -4,7 +4,10 @@
 /vendor/bin/hw/android\.hardware\.keymaster@4\.1-service\.citadel  u:object_r:hal_keymaster_citadel_exec:s0
 /vendor/bin/hw/android\.hardware\.rebootescrow-service\.citadel    u:object_r:hal_rebootescrow_citadel_exec:s0
 /vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel     u:object_r:hal_weaver_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.weaver-service\.citadel          u:object_r:hal_weaver_citadel_exec:s0
 /vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel   u:object_r:hal_identity_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.authsecret-service\.citadel         u:object_r:hal_authsecret_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.oemlock-service\.citadel         u:object_r:hal_oemlock_citadel_exec:s0
 /vendor/bin/hw/citadel_updater                                     u:object_r:citadel_updater_exec:s0
 /vendor/bin/hw/citadeld                                            u:object_r:citadeld_exec:s0
 /vendor/bin/hw/init_citadel                                        u:object_r:init_citadel_exec:s0
diff --git a/citadel/hal_authsecret_citadel.te b/citadel/hal_authsecret_citadel.te
new file mode 100644
index 0000000..029d957
--- /dev/null
+++ b/citadel/hal_authsecret_citadel.te
@@ -0,0 +1,9 @@
+type hal_authsecret_citadel, domain;
+type hal_authsecret_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_authsecret_citadel)
+binder_call(hal_authsecret_citadel, citadeld)
+allow hal_authsecret_citadel citadeld_service:service_manager find;
+
+hal_server_domain(hal_authsecret_citadel, hal_authsecret)
+init_daemon_domain(hal_authsecret_citadel)
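Review bot: The new domain has no header comment saying what it serves or why it needs the vendor binder path to `citadeld`, and the same holds for the identical rule set in citadel/hal_oemlock_citadel.te. Judging by their names, both HALs front security-relevant functions, so an auditor benefits from a line such as `# AuthSecret HAL backed by citadeld; reached over vndbinder only` at the top and `# look up citadeld in the vendor service manager` above the `service_manager find` rule. The grants themselves are narrow: one binder peer and one service lookup beyond the standard HAL server macros.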
diff --git a/citadel/hal_oemlock_citadel.te b/citadel/hal_oemlock_citadel.te
new file mode 100644
index 0000000..d3ff719
--- /dev/null
+++ b/citadel/hal_oemlock_citadel.te
@@ -0,0 +1,9 @@
+type hal_oemlock_citadel, domain;
+type hal_oemlock_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_oemlock_citadel)
+binder_call(hal_oemlock_citadel, citadeld)
+allow hal_oemlock_citadel citadeld_service:service_manager find;
+
+hal_server_domain(hal_oemlock_citadel, hal_oemlock)
+init_daemon_domain(hal_oemlock_citadel)
diff --git a/citadel/vndservice.te b/citadel/vndservice.te
index a756bce..880c09c 100644
--- a/citadel/vndservice.te
+++ b/citadel/vndservice.te
@@ -1,2 +1 @@
 type citadeld_service, vndservice_manager_type;
-type hal_power_stats_vendor_service,      vndservice_manager_type;
diff --git a/common/vendor/te_macros b/common/vendor/te_macros
new file mode 100644
index 0000000..c9a9c04
--- /dev/null
+++ b/common/vendor/te_macros
@@ -0,0 +1,17 @@
+#####################################
+# pixel_bugreport(domain_name)
+# Defines a new domain for executables under /vendor/bin/dump
+# Grants permissions to interact with dumpstate and write to bugreport.
+# See go/pixel-defrag for more details.
+define(`pixel_bugreport', `
+type $1, domain;
+type $1_exec, exec_type, vendor_file_type, file_type;
+typeattribute $1 hal_dumpstate;
+domain_auto_trans(hal_dumpstate_default, $1_exec, $1)
+
+allow $1 dumpstate:fd use;
+allow $1 dumpstate:fifo_file { write getattr };
+allow $1 hal_dumpstate_default:fd use;
+allow $1 shell_data_file:file { write getattr };
+')
+
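Review bot: `typeattribute $1 hal_dumpstate;` gives every domain created by `pixel_bugreport` all rules the policy attaches to the `hal_dumpstate` attribute, on top of the four explicit `allow` lines, so the effective permissions of a dump helper cannot be read from this macro alone. If the explicit rules are sufficient, dropping the attribute keeps each helper at least privilege; if it is needed, a comment should say which inherited rule is required. `shell_data_file:file { write getattr }` appears to omit `open` on purpose, so a helper can only write to a descriptor handed to it; that is worth stating, e.g. `# no open: helpers only write to fds passed in by dumpstate`. The `go/pixel-defrag` reference is presumably an internal short link, so the header comment should carry the essential rationale itself.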
diff --git a/debugpolicy/file.te b/debugpolicy/file.te
index 604ba50..e2ef397 100644
--- a/debugpolicy/file.te
+++ b/debugpolicy/file.te
@@ -1,2 +1,2 @@
 # sysfs
-type sysfs_dpm_variant, sysfs_type, fs_type; # dpm variant
+type sysfs_dpm, sysfs_type, fs_type; # dpm
diff --git a/debugpolicy/genfs_contexts b/debugpolicy/genfs_contexts
index d30809d..b36e9f1 100644
--- a/debugpolicy/genfs_contexts
+++ b/debugpolicy/genfs_contexts
@@ -1 +1,2 @@
-genfscon sysfs /firmware/devicetree/base/dpm/variant u:object_r:sysfs_dpm_variant:s0
+genfscon sysfs /firmware/devicetree/base/dpm/variant u:object_r:sysfs_dpm:s0
+genfscon sysfs /firmware/devicetree/base/dpm/version u:object_r:sysfs_dpm:s0
diff --git a/debugpolicy/init_dpm.te b/debugpolicy/init_dpm.te
index b91c561..3a4f936 100644
--- a/debugpolicy/init_dpm.te
+++ b/debugpolicy/init_dpm.te
@@ -5,7 +5,7 @@
 
 userdebug_or_eng(`
 allow init_dpm vendor_toolbox_exec:file execute_no_trans;
-allow init_dpm sysfs_dpm_variant:file r_file_perms;
+allow init_dpm sysfs_dpm:file r_file_perms;
 allow init_dpm block_device:dir search;
 allow init_dpm dpm_block_device:blk_file rw_file_perms;
 ')
diff --git a/fingerprint-extension/system_ext/private/file_contexts b/fingerprint-extension/system_ext/private/file_contexts
index e66f969..954424d 100644
--- a/fingerprint-extension/system_ext/private/file_contexts
+++ b/fingerprint-extension/system_ext/private/file_contexts
@@ -1 +1 @@
-/system_ext/bin/fingerprint\.extension\.sh                 u:object_r:init-fingerprint-extension_exec:s0
+/system_ext/bin/fingerprint\.extension                 u:object_r:init-fingerprint-extension_exec:s0
diff --git a/googlebattery/dumpstate.te b/googlebattery/dumpstate.te
new file mode 100644
index 0000000..5de6a2e
--- /dev/null
+++ b/googlebattery/dumpstate.te
@@ -0,0 +1,3 @@
+# To find and bind Google Battery HAL
+allow dumpstate hal_googlebattery_service:service_manager find;
+binder_call(dumpstate, hal_googlebattery)
diff --git a/googlebattery/file_contexts b/googlebattery/file_contexts
index 9e247bb..efd6cc5 100644
--- a/googlebattery/file_contexts
+++ b/googlebattery/file_contexts
@@ -1 +1 @@
-/vendor/bin/hw/vendor\.google\.google_battery@1\.2-service-vendor                     u:object_r:hal_googlebattery_exec:s0
+/vendor/bin/hw/vendor\.google\.google_battery-service                     u:object_r:hal_googlebattery_exec:s0
diff --git a/googlebattery/hal_googlebattery.te b/googlebattery/hal_googlebattery.te
index cd1253b..2cc3a7c 100644
--- a/googlebattery/hal_googlebattery.te
+++ b/googlebattery/hal_googlebattery.te
@@ -4,15 +4,17 @@
 init_daemon_domain(hal_googlebattery)
 
 r_dir_file(hal_googlebattery, sysfs_batteryinfo)
-r_dir_file(hal_googlebattery, sysfs_wlc)
+
 
 allow hal_googlebattery sysfs_batteryinfo:file rw_file_perms;
 allow hal_googlebattery self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow hal_googlebattery sysfs_chargelevel:file rw_file_perms;
-allow hal_googlebattery sysfs_wlc:file rw_file_perms;
+
 
 set_prop(hal_googlebattery, vendor_battery_defender_prop)
 
-hwbinder_use(hal_googlebattery)
-add_hwservice(hal_googlebattery, hal_googlebattery_hwservice)
-get_prop(hal_googlebattery, hwservicemanager_prop)
+binder_call(hal_googlebattery, servicemanager)
+add_service(hal_googlebattery, hal_googlebattery_service)
+
+allow hal_googlebattery dumpstate:fd use;
+allow hal_googlebattery dumpstate:fifo_file write;
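Review bot: The added `dumpstate:fd use` and `dumpstate:fifo_file write` rules at the end of the hunk carry no comment; `# write dump output to the pipe handed over by dumpstate` above them would state the intent (inferred from googlebattery/dumpstate.te, which lets dumpstate call this HAL). Servicemanager access is spelled `binder_call(hal_googlebattery, servicemanager)` here and in thermal/hal_thermal_default.te, but `binder_use(...)` in pixelstats/pixelstats_vendor.te and the vibrator HAL files of the same change; using one form throughout makes the policy easier to audit. The removed `sysfs_wlc` lines were replaced by empty lines, leaving doubled blank lines that can simply be dropped. The file's first three lines are outside the hunk.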
diff --git a/googlebattery/hwservice.te b/googlebattery/hwservice.te
deleted file mode 100644
index 40323ef..0000000
--- a/googlebattery/hwservice.te
+++ /dev/null
@@ -1 +0,0 @@
-type hal_googlebattery_hwservice, hwservice_manager_type;
diff --git a/googlebattery/hwservice_contexts b/googlebattery/hwservice_contexts
deleted file mode 100644
index 40f1526..0000000
--- a/googlebattery/hwservice_contexts
+++ /dev/null
@@ -1 +0,0 @@
-vendor.google.google_battery::IGoogleBattery                    u:object_r:hal_googlebattery_hwservice:s0
diff --git a/googlebattery/platform_app.te b/googlebattery/platform_app.te
index 0ee586f..39d4e5e 100644
--- a/googlebattery/platform_app.te
+++ b/googlebattery/platform_app.te
@@ -1,3 +1,3 @@
 # allow SystemUI to find and bind Google Battery HAL
-allow platform_app hal_googlebattery_hwservice:hwservice_manager find;
+allow platform_app hal_googlebattery_service:service_manager find;
 binder_call(platform_app, hal_googlebattery)
diff --git a/googlebattery/service.te b/googlebattery/service.te
new file mode 100644
index 0000000..e68baa9
--- /dev/null
+++ b/googlebattery/service.te
@@ -0,0 +1 @@
+type hal_googlebattery_service, hal_service_type, service_manager_type;
diff --git a/googlebattery/service_contexts b/googlebattery/service_contexts
new file mode 100644
index 0000000..93954c7
--- /dev/null
+++ b/googlebattery/service_contexts
@@ -0,0 +1 @@
+vendor.google.google_battery.IGoogleBattery/default                      u:object_r:hal_googlebattery_service:s0
diff --git a/googlebattery/system_app.te b/googlebattery/system_app.te
index 05723bf..7854a1d 100644
--- a/googlebattery/system_app.te
+++ b/googlebattery/system_app.te
@@ -1,3 +1,3 @@
 # To allow Settings to find and bind Google Battery HAL
-allow system_app hal_googlebattery_hwservice:hwservice_manager find;
+allow system_app hal_googlebattery_service:service_manager find;
 binder_call(system_app, hal_googlebattery)
diff --git a/googlebattery/turbo_adapter.te b/googlebattery/turbo_adapter.te
index 33f99cd..2794fd1 100644
--- a/googlebattery/turbo_adapter.te
+++ b/googlebattery/turbo_adapter.te
@@ -1,3 +1,3 @@
 # To find and bind Google Battery HAL
-allow turbo_adapter hal_googlebattery_hwservice:hwservice_manager find;
+allow turbo_adapter hal_googlebattery_service:service_manager find;
 binder_call(turbo_adapter, hal_googlebattery)
diff --git a/hardware_info_app/device.te b/hardware_info_app/device.te
new file mode 100644
index 0000000..ceaf547
--- /dev/null
+++ b/hardware_info_app/device.te
@@ -0,0 +1,2 @@
+# Battery history
+type battery_history_device, dev_type;
diff --git a/hardware_info_app/file.te b/hardware_info_app/file.te
new file mode 100644
index 0000000..f891722
--- /dev/null
+++ b/hardware_info_app/file.te
@@ -0,0 +1,12 @@
+# Storage Health HAL
+type sysfs_scsi_devices_0000, sysfs_type, fs_type;
+
+# PixelStats_vendor
+type sysfs_pixelstats, fs_type, sysfs_type;
+
+# Display
+type sysfs_display, sysfs_type, fs_type;
+
+# SoC
+type sysfs_soc, sysfs_type, fs_type;
+type sysfs_chip_id, sysfs_type, fs_type;
diff --git a/hardware_info_app/hardware_info_app.te b/hardware_info_app/hardware_info_app.te
new file mode 100644
index 0000000..751bb88
--- /dev/null
+++ b/hardware_info_app/hardware_info_app.te
@@ -0,0 +1,26 @@
+type hardware_info_app, domain;
+app_domain(hardware_info_app)
+
+allow hardware_info_app app_api_service:service_manager find;
+
+# Storage
+allow hardware_info_app sysfs_scsi_devices_0000:dir search;
+allow hardware_info_app sysfs_scsi_devices_0000:file r_file_perms;
+
+# Audio
+allow hardware_info_app sysfs_pixelstats:file r_file_perms;
+
+# Batteryinfo
+allow hardware_info_app sysfs_batteryinfo:dir search;
+allow hardware_info_app sysfs_batteryinfo:file r_file_perms;
+
+# Display
+allow hardware_info_app sysfs_display:dir search;
+allow hardware_info_app sysfs_display:file r_file_perms;
+
+# SoC
+allow hardware_info_app sysfs_soc:file r_file_perms;
+allow hardware_info_app sysfs_chip_id:file r_file_perms;
+
+# Batery history
+allow hardware_info_app battery_history_device:chr_file r_file_perms;
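Review bot: Two section comments do not match what they label: `# Audio` sits above the `sysfs_pixelstats` rule, a type that hardware_info_app/file.te introduces under `# PixelStats_vendor`, and `# Batery history` is misspelled. Suggested wording is `# PixelStats sysfs nodes` and `# Battery history`. The domain is defined for all build variants and reads several sysfs classes plus a character device, so a one-line header stating what the app collects, and that read-only access is all it needs, would help later audits.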
diff --git a/hardware_info_app/seapp_contexts b/hardware_info_app/seapp_contexts
new file mode 100644
index 0000000..390f160
--- /dev/null
+++ b/hardware_info_app/seapp_contexts
@@ -0,0 +1,2 @@
+# Hardware Info Collection
+user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user
diff --git a/input/dumpstate.te b/input/dumpstate.te
index 748ff35..38aa25e 100644
--- a/input/dumpstate.te
+++ b/input/dumpstate.te
@@ -1,2 +1,2 @@
 binder_call(dumpstate, twoshay)
-
+allow dumpstate touch_context_service:service_manager find;
diff --git a/input/platform_app.te b/input/platform_app.te
index 17cc511..2d47236 100644
--- a/input/platform_app.te
+++ b/input/platform_app.te
@@ -1,2 +1,3 @@
 allow platform_app touch_context_service:service_manager find;
+allow platform_app gril_antenna_tuning_service:service_manager find;
 binder_call(platform_app, twoshay)
diff --git a/input/service.te b/input/service.te
index 63681d2..d521666 100644
--- a/input/service.te
+++ b/input/service.te
@@ -1 +1,2 @@
-type touch_context_service, service_manager_type, vendor_service;
+type gril_antenna_tuning_service, service_manager_type, hal_service_type;
+type touch_context_service, service_manager_type, hal_service_type;
diff --git a/input/service_contexts b/input/service_contexts
index 95e70f8..ed69aef 100644
--- a/input/service_contexts
+++ b/input/service_contexts
@@ -1 +1,2 @@
+com.google.input.algos.gril.IGrilAntennaTuningService/default              u:object_r:gril_antenna_tuning_service:s0
 com.google.input.ITouchContextService/default              u:object_r:touch_context_service:s0
diff --git a/input/twoshay.te b/input/twoshay.te
index 71b5771..3d48318 100644
--- a/input/twoshay.te
+++ b/input/twoshay.te
@@ -8,6 +8,8 @@
 
 binder_use(twoshay)
 add_service(twoshay, touch_context_service)
+add_service(twoshay, gril_antenna_tuning_service)
+binder_call(twoshay, platform_app)
 
 allow twoshay fwk_stats_service:service_manager find;
 binder_call(twoshay, stats_service_server)
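Review bot: `binder_call(twoshay, platform_app)` lets twoshay call into every app running in the `platform_app` domain, and nothing in the hunk says why. If the intent is callbacks to clients of the new `gril_antenna_tuning_service` (input/platform_app.te grants the lookup in this change), say so in a comment, e.g. `# callbacks to platform_app clients of the antenna tuning service`. `platform_app` is a broad domain, so it is worth confirming that the twoshay-to-app direction is really required and not only app-to-twoshay, which input/platform_app.te already allows.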
@@ -20,4 +22,4 @@
 dontaudit twoshay twoshay:capability dac_override;
 
 # b/226830650
-dontaudit twoshay boot_status_prop:file read;
\ No newline at end of file
+dontaudit twoshay boot_status_prop:file read;
diff --git a/mm/gki/vendor_init.te b/mm/gki/vendor_init.te
index 5bedbad..018b318 100644
--- a/mm/gki/vendor_init.te
+++ b/mm/gki/vendor_init.te
@@ -1,3 +1,6 @@
 allow vendor_init proc_watermark_boost_factor:file w_file_perms;
 allow vendor_init proc_lowmem_reserve_ratio:file w_file_perms;
 allow vendor_init proc_min_free_kbytes:file w_file_perms;
+
+allow vendor_init debugfs_tracing_instances:dir create_dir_perms;
+allow vendor_init debugfs_tracing_instances:file w_file_perms;
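Review bot: The two `debugfs_tracing_instances` rules are added without a comment and outside any `userdebug_or_eng` guard, so `vendor_init` may create trace-instance directories and write their files on user builds as well. If that is intended, a comment naming the trace instance and its consumer belongs above the rules; if the instance is only used for debugging, both lines should move into a `userdebug_or_eng` block. `create_dir_perms` also covers renaming and removing directories, which is more than setting up a single instance needs, so a narrower permission set is worth considering.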
diff --git a/pixelstats/pixelstats_vendor.te b/pixelstats/pixelstats_vendor.te
index 57aba2f..d0850b1 100644
--- a/pixelstats/pixelstats_vendor.te
+++ b/pixelstats/pixelstats_vendor.te
@@ -1,5 +1,8 @@
 type pixelstats_vendor, domain;
 
+# IStats
+binder_use(pixelstats_vendor)
+
 type pixelstats_vendor_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(pixelstats_vendor)
 
@@ -8,11 +11,13 @@
 allow pixelstats_vendor sysfs_batteryinfo:file w_file_perms;
 allow pixelstats_vendor self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 
+allow pixelstats_vendor mnt_vendor_file:dir search;
 allow pixelstats_vendor sysfs_scsi_devices_0000:dir search;
-allow pixelstats_vendor sysfs_scsi_devices_0000:file r_file_perms;
+allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms;
 allow pixelstats_vendor sysfs_fs_f2fs:dir search;
 allow pixelstats_vendor sysfs_fs_f2fs:file rw_file_perms;
 get_prop(pixelstats_vendor, boottime_public_prop)
+get_prop(pixelstats_vendor, smart_idle_maint_enabled_prop)
 
 allow pixelstats_vendor fwk_stats_service:service_manager find;
 binder_call(pixelstats_vendor, stats_service_server)
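Review bot: `sysfs_scsi_devices_0000:file` goes from `r_file_perms` to `rw_file_perms`, which gives `pixelstats_vendor` write access to every sysfs node carrying that label, and the hunk gives no reason. If the write targets a single attribute (the new `smart_idle_maint_enabled_prop` read hints at a storage-maintenance feature, but that is a guess), label that node with its own type and grant write only there, or at least add a comment naming the file that is written. The added `mnt_vendor_file:dir search` is likewise uncommented.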
@@ -23,6 +28,7 @@
 allow pixelstats_vendor sysfs_pixel_stat:file r_file_perms;
 
 userdebug_or_eng(`
+  allow pixelstats_vendor { proc_pressure_cpu proc_pressure_io proc_pressure_mem }:file r_file_perms;
   allow pixelstats_vendor proc_vmstat:file r_file_perms;
   allow pixelstats_vendor sysfs_ion:dir search;
   allow pixelstats_vendor sysfs_ion:file r_file_perms;
diff --git a/power-libperfmgr/file_contexts b/power-libperfmgr/file_contexts
index 027be7a..8ab659f 100644
--- a/power-libperfmgr/file_contexts
+++ b/power-libperfmgr/file_contexts
@@ -1,5 +1,5 @@
 /vendor/bin/hw/android\.hardware\.power-service\.pixel-libperfmgr                 u:object_r:hal_power_default_exec:s0
-/vendor/bin/hw/android\.hardware\.power@1\.3-service\.pixel-libperfmgr            u:object_r:hal_power_default_exec:s0
+/vendor/bin/sendhint                                                              u:object_r:sendhint_vendor_exec:s0
 
 /dev/cpu_dma_latency                                                              u:object_r:latency_device:s0
 /dev/socket/pps                                                                   u:object_r:pps_socket:s0
diff --git a/power-libperfmgr/sendhint.te b/power-libperfmgr/sendhint.te
new file mode 100644
index 0000000..e453abe
--- /dev/null
+++ b/power-libperfmgr/sendhint.te
@@ -0,0 +1,8 @@
+# sendhint vendor
+type sendhint_vendor, domain;
+
+type sendhint_vendor_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(sendhint_vendor)
+hal_client_domain(sendhint_vendor, hal_power);
+# sendhint writes directly to kmsg during the boot process
+allow sendhint_vendor kmsg_device:chr_file { getattr w_file_perms };
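Review bot: `hal_client_domain(sendhint_vendor, hal_power);` ends in a semicolon while `init_daemon_domain(sendhint_vendor)` on the line before does not; macro invocations need none, so dropping it keeps the file consistent. The header `# sendhint vendor` only repeats the type name; a line saying what the binary does, such as `# sendhint: one-shot Power HAL client started by init`, would be more useful if that description is accurate.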
diff --git a/powerstats/vndservice.te b/powerstats/vndservice.te
new file mode 100644
index 0000000..b4386f8
--- /dev/null
+++ b/powerstats/vndservice.te
@@ -0,0 +1 @@
+type hal_power_stats_vendor_service, vndservice_manager_type;
diff --git a/ramdump/file_contexts b/ramdump/file_contexts
index 590e61b..2f51f74 100644
--- a/ramdump/file_contexts
+++ b/ramdump/file_contexts
@@ -1 +1,2 @@
 /vendor/bin/ramdump                       u:object_r:ramdump_exec:s0
+/vendor/bin/ramdump32                     u:object_r:ramdump_exec:s0
diff --git a/storage/file.te b/storage/file.te
deleted file mode 100644
index ba7f362..0000000
--- a/storage/file.te
+++ /dev/null
@@ -1 +0,0 @@
-type debugfs_lpm, debugfs_type, fs_type;
diff --git a/storage/genfs_contexts b/storage/genfs_contexts
deleted file mode 100644
index 2f0b5bb..0000000
--- a/storage/genfs_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-genfscon debugfs /lpm_stats/stats					u:object_r:debugfs_lpm:s0
-genfscon sysfs /devices/platform/soc/1d84000.ufshc/power		u:object_r:sysfs_scsi_devices_0000:s0
diff --git a/storage/shell.te b/storage/shell.te
deleted file mode 100644
index d8145f1..0000000
--- a/storage/shell.te
+++ /dev/null
@@ -1,6 +0,0 @@
-userdebug_or_eng(`
-  allow shell debugfs_lpm:file r_file_perms;
-  allow shell sysfs_scsi_devices_0000:file r_file_perms;
-  allow shell sysfs_mmc:dir r_dir_perms;
-')
-
diff --git a/thermal/file_contexts b/thermal/file_contexts
index acd360f..c3fb04f 100644
--- a/thermal/file_contexts
+++ b/thermal/file_contexts
@@ -1,4 +1,5 @@
 /vendor/bin/hw/android\.hardware\.thermal@2\.0-service\.pixel                     u:object_r:hal_thermal_default_exec:s0
+/vendor/bin/hw/android\.hardware\.thermal-service\.pixel                          u:object_r:hal_thermal_default_exec:s0
 /vendor/bin/thermal_logd                                                          u:object_r:init-thermal-logging-sh_exec:s0
 /vendor/bin/thermal_controld                                                      u:object_r:pixel-thermal-control-sh_exec:s0
 /vendor/bin/thermal_symlinks                                                      u:object_r:init-thermal-symlinks-sh_exec:s0
diff --git a/thermal/hal_thermal_default.te b/thermal/hal_thermal_default.te
index 2498b20..45ccf3a 100644
--- a/thermal/hal_thermal_default.te
+++ b/thermal/hal_thermal_default.te
@@ -10,3 +10,7 @@
 
 # read thermal_config
 get_prop(hal_thermal_default, vendor_thermal_prop)
+
+# Needed for reporting thermal stats event
+allow hal_thermal_default fwk_stats_service:service_manager find;
+binder_call(hal_thermal_default, servicemanager)
diff --git a/vibrator/common/property_contexts b/vibrator/common/property_contexts
index 64a2600..089a357 100644
--- a/vibrator/common/property_contexts
+++ b/vibrator/common/property_contexts
@@ -1 +1,2 @@
-ro.vendor.vibrator.hal.    u:object_r:vendor_vibrator_prop:s0
+ro.vendor.vibrator.hal.         u:object_r:vendor_vibrator_prop:s0
+persist.vendor.vibrator.hal.    u:object_r:vendor_vibrator_prop:s0
diff --git a/vibrator/cs40l25/hal_vibrator_default.te b/vibrator/cs40l25/hal_vibrator_default.te
index 219a6b1..81c2f3f 100644
--- a/vibrator/cs40l25/hal_vibrator_default.te
+++ b/vibrator/cs40l25/hal_vibrator_default.te
@@ -15,3 +15,7 @@
 
 # Allow vibrator HAL's default implementation to use vendor-binder service
 vndbinder_use(hal_vibrator_default);
+
+# Allow Vibrator HAL to communicate with stats service
+allow hal_vibrator_default fwk_stats_service:service_manager find;
+binder_use(hal_vibrator_default)
diff --git a/vibrator/cs40l26/hal_vibrator_default.te b/vibrator/cs40l26/hal_vibrator_default.te
index 478bee9..c61cefe 100644
--- a/vibrator/cs40l26/hal_vibrator_default.te
+++ b/vibrator/cs40l26/hal_vibrator_default.te
@@ -15,5 +15,12 @@
 
 get_prop(hal_vibrator_default, vendor_vibrator_prop);
 
+# Allow Vibrator HAL to communicate with daemon via socket
+unix_socket_connect(hal_vibrator_default, chre, chre);
+
 # Allow vibrator HAL's default implementation to use vendor-binder service
 vndbinder_use(hal_vibrator_default);
+
+# Allow Vibrator HAL to communicate with stats service
+allow hal_vibrator_default fwk_stats_service:service_manager find;
+binder_use(hal_vibrator_default)
diff --git a/vibrator/cs40l26/vendor_init.te b/vibrator/cs40l26/vendor_init.te
index 417a40c..da5a9d6 100644
--- a/vibrator/cs40l26/vendor_init.te
+++ b/vibrator/cs40l26/vendor_init.te
@@ -1 +1,2 @@
 set_prop(vendor_init, vendor_vibrator_prop)
+get_prop(vendor_init, adaptive_haptics_prop)
diff --git a/wifi_diagnostic/file_contexts b/wifi_diagnostic/file_contexts
new file mode 100644
index 0000000..f0a40d5
--- /dev/null
+++ b/wifi_diagnostic/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/wifi_diagnostic        u:object_r:wifi_diagnostic_exec:s0
diff --git a/wifi_diagnostic/hal_wifi_supplicant_default.te b/wifi_diagnostic/hal_wifi_supplicant_default.te
new file mode 100644
index 0000000..9cd58c1
--- /dev/null
+++ b/wifi_diagnostic/hal_wifi_supplicant_default.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+allow hal_wifi_supplicant_default wifi_diagnostic:unix_dgram_socket sendto;
+')
diff --git a/wifi_diagnostic/logger_app.te b/wifi_diagnostic/logger_app.te
new file mode 100644
index 0000000..0fc09a3
--- /dev/null
+++ b/wifi_diagnostic/logger_app.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+  set_prop(logger_app, vendor_wifi_diagnostic_prop)
+')
diff --git a/wifi_diagnostic/property.te b/wifi_diagnostic/property.te
new file mode 100644
index 0000000..ad69f65
--- /dev/null
+++ b/wifi_diagnostic/property.te
@@ -0,0 +1 @@
+vendor_internal_prop(vendor_wifi_diagnostic_prop)
diff --git a/wifi_diagnostic/property_contexts b/wifi_diagnostic/property_contexts
new file mode 100644
index 0000000..2348204
--- /dev/null
+++ b/wifi_diagnostic/property_contexts
@@ -0,0 +1,2 @@
+vendor.wifi.diagnostic.start                              u:object_r:vendor_wifi_diagnostic_prop:s0
+vendor.wifi.diagnostic.reassocBssid                       u:object_r:vendor_wifi_diagnostic_prop:s0
diff --git a/wifi_diagnostic/wifi_diagnostic.te b/wifi_diagnostic/wifi_diagnostic.te
new file mode 100644
index 0000000..23a39d3
--- /dev/null
+++ b/wifi_diagnostic/wifi_diagnostic.te
@@ -0,0 +1,29 @@
+type wifi_diagnostic, domain;
+type wifi_diagnostic_exec, exec_type, vendor_file_type, file_type;
+
+# make transition from init to its domain
+userdebug_or_eng(`
+init_daemon_domain(wifi_diagnostic)
+net_domain(wifi_diagnostic)
+
+# daemon
+allow wifi_diagnostic wifi_logging_data_file:dir create_dir_perms;
+allow wifi_diagnostic wifi_logging_data_file:file create_file_perms;
+allow wifi_diagnostic vendor_shell_exec:file execute_no_trans;
+allow wifi_diagnostic wifi_diagnostic_exec:file execute_no_trans;
+allow wifi_diagnostic self:capability net_admin;
+allow wifi_diagnostic self:udp_socket ioctl;
+allowxperm wifi_diagnostic self:udp_socket ioctl { SIOCETHTOOL SIOCDEVPRIVATE };
+
+# wpa_cli
+allow wifi_diagnostic self:capability { setgid setuid };
+allow wifi_diagnostic wpa_data_file:dir w_dir_perms;
+allow wifi_diagnostic wpa_data_file:sock_file { create setattr write unlink };
+allow wifi_diagnostic hal_wifi_supplicant_default:unix_dgram_socket sendto;
+allow wifi_diagnostic vendor_file:file execute_no_trans;
+allow wifi_diagnostic vendor_file:dir r_dir_perms;
+
+# property
+get_prop(wifi_diagnostic, vendor_wifi_diagnostic_prop)
+set_prop(wifi_diagnostic, vendor_wifi_diagnostic_prop)
+')
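Review bot: `allow wifi_diagnostic vendor_file:file execute_no_trans;` lets the domain run any executable labelled `vendor_file` with its own privileges, which include `net_admin`, `setuid` and `setgid`, although the `# wpa_cli` heading suggests a single tool is meant. Giving that tool its own exec type, or at least naming it in a comment, would keep the grant reviewable; the `userdebug_or_eng` guard confines the rules to debug builds, while the two type declarations above it are unconditional. `get_prop(wifi_diagnostic, vendor_wifi_diagnostic_prop)` is redundant because `set_prop` already grants read access. The comment `# make transition from init to its domain` sits above a block that holds every rule, so `# all rules below apply to debug builds only` would describe it better.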
diff --git a/wifi_ext/file_contexts b/wifi_ext/file_contexts
index ab8343b..c3e6d84 100644
--- a/wifi_ext/file_contexts
+++ b/wifi_ext/file_contexts
@@ -1,6 +1,8 @@
 # Wifi
 /vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor          u:object_r:hal_wifi_ext_exec:s0
 /vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor-lazy     u:object_r:hal_wifi_ext_exec:s0
+/vendor/bin/hw/vendor\.google\.wifi_ext-service-vendor               u:object_r:hal_wifi_ext_exec:s0
+/vendor/bin/hw/vendor\.google\.wifi_ext-service-vendor-lazy          u:object_r:hal_wifi_ext_exec:s0
 
 # Wifi logger
 /data/vendor/wifi/wlan_logs(/.*)?                               u:object_r:wifi_logging_data_file:s0
diff --git a/wifi_ext/hal_wifi_ext.te b/wifi_ext/hal_wifi_ext.te
index 2ed274e..17a58df 100644
--- a/wifi_ext/hal_wifi_ext.te
+++ b/wifi_ext/hal_wifi_ext.te
@@ -6,6 +6,7 @@
 
 # Allow to start the IWifi:wifi_ext service
 add_hwservice(hal_wifi_ext, hal_wifi_ext_hwservice);
+add_service(hal_wifi_ext, hal_wifi_ext_service)
 
 # Allow to set up bridged interface
 allowxperm hal_wifi_ext self:udp_socket ioctl { SIOCBRADDBR SIOCBRDELBR SIOCBRADDIF SIOCBRDELIF};
diff --git a/wifi_ext/service.te b/wifi_ext/service.te
new file mode 100644
index 0000000..942f3a0
--- /dev/null
+++ b/wifi_ext/service.te
@@ -0,0 +1,2 @@
+# wifi_ext service
+type hal_wifi_ext_service, service_manager_type, hal_service_type;
diff --git a/wifi_ext/service_contexts b/wifi_ext/service_contexts
new file mode 100644
index 0000000..8f782df
--- /dev/null
+++ b/wifi_ext/service_contexts
@@ -0,0 +1,2 @@
+# Wifi
+vendor.google.wifi_ext.IWifiExt/default  u:object_r:hal_wifi_ext_service:s0
diff --git a/wifi_sniffer/property_contexts b/wifi_sniffer/property_contexts
index 19f7e76..cb55d65 100644
--- a/wifi_sniffer/property_contexts
+++ b/wifi_sniffer/property_contexts
@@ -1,3 +1,2 @@
-persist.vendor.wifi.sniffer.freq                u:object_r:vendor_wifi_sniffer_prop:s0
-persist.vendor.wifi.sniffer.bandwidth           u:object_r:vendor_wifi_sniffer_prop:s0
+persist.vendor.wifi.sniffer.                    u:object_r:vendor_wifi_sniffer_prop:s0
 vendor.wifi.sniffer.start                       u:object_r:vendor_wifi_sniffer_prop:s0
diff --git a/wifi_sniffer/wifi_sniffer.te b/wifi_sniffer/wifi_sniffer.te
index 3c9ad62..977d6da 100644
--- a/wifi_sniffer/wifi_sniffer.te
+++ b/wifi_sniffer/wifi_sniffer.te
@@ -12,7 +12,19 @@
 
 # interface up
   allowxperm wifi_sniffer self:udp_socket ioctl SIOCSIFFLAGS;
-  allow wifi_sniffer self:netlink_generic_socket create_socket_perms_no_ioctl;
+  allow wifi_sniffer self:netlink_generic_socket create_socket_perms;
+  allowxperm wifi_sniffer self:netlink_generic_socket ioctl { 0x8910 0x8946 };
+
+# tcpdump
+  allow wifi_sniffer self:packet_socket create_socket_perms;
+  allowxperm wifi_sniffer self:packet_socket ioctl { 0x8933 0x8927 };
+  allow wifi_sniffer self:unix_dgram_socket ioctl;
+  allowxperm wifi_sniffer self:unix_dgram_socket ioctl 0x8946;
+  allow wifi_sniffer sysfs_net:dir search;
+  allow wifi_sniffer sysfs_net:file r_file_perms;
+  allow wifi_sniffer tcpdump_exec:file rx_file_perms;
+  allow wifi_sniffer wifi_logging_data_file:file create_file_perms;
+  allow wifi_sniffer wifi_logging_data_file:dir create_dir_perms;
 
   get_prop(wifi_sniffer, vendor_wifi_sniffer_prop)
 ')
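Review bot: The new `allowxperm` rules use raw ioctl numbers (`0x8910 0x8946`, `0x8933 0x8927`, `0x8946`) while the line just above uses the symbolic `SIOCSIFFLAGS`, which makes the allowlist harder to audit. In the Linux socket ioctl numbering these values are `SIOCGIFNAME`, `SIOCETHTOOL`, `SIOCGIFINDEX` and `SIOCGIFHWADDR`, so the packet-socket rule would read `allowxperm wifi_sniffer self:packet_socket ioctl { SIOCGIFINDEX SIOCGIFHWADDR };`. `netlink_generic_socket` is widened from `create_socket_perms_no_ioctl` to `create_socket_perms` without a comment saying which caller needs ioctl on a netlink socket. The enclosing block opens above the hunk.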