Revert "Revert "Added new SELinux policies""
This reverts commit eb35f2abefd472dfd9d3dde3d657a1ef271d0693.
diff --git a/sepolicy/at_distributor.te b/sepolicy/at_distributor.te
new file mode 100644
index 0000000..c2984d0
--- /dev/null
+++ b/sepolicy/at_distributor.te
@@ -0,0 +1,94 @@
+#===================at_distributor============================
+type at_distributor, domain;
+type at_distributor_exec, exec_type, file_type;
+init_daemon_domain(at_distributor)
+net_domain(at_distributor)
+
+# To make VT call
+binder_use(at_distributor)
+
+allow at_distributor adbd:dir { read search ioctl open getattr };
+allow at_distributor alarm_device:chr_file { read lock getattr write ioctl open append };
+allow at_distributor app_efs_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow at_distributor app_efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow at_distributor ashmem_device:chr_file { getattr execute execute_no_trans };
+allow at_distributor at_distributor:appletalk_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow at_distributor at_distributor:capability { setuid dac_override sys_nice chown fsetid fowner };
+allow at_distributor at_distributor:dir { read search ioctl open getattr };
+allow at_distributor at_distributor:fd use;
+allow at_distributor at_distributor:fifo_file { read lock getattr write ioctl open append };
+allow at_distributor at_distributor:file { read lock getattr write ioctl open append };
+allow at_distributor at_distributor:ipc { unix_read setattr associate read create write getattr unix_write destroy };
+allow at_distributor at_distributor:key { search setattr read create write link view };
+allow at_distributor at_distributor:key_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow at_distributor at_distributor:lnk_file { read lock ioctl open getattr };
+allow at_distributor at_distributor:msg { receive send };
+allow at_distributor at_distributor:msgq { unix_read setattr associate read create write enqueue getattr unix_write destroy };
+allow at_distributor at_distributor:netlink_route_socket { nlmsg_write lock accept connect shutdown append create nlmsg_read write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow at_distributor at_distributor:netlink_selinux_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow at_distributor at_distributor:packet_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow at_distributor at_distributor:process { sigkill share getpgid signull setkeycreate siginh getattr setcurrent setrlimit rlimitinh fork getsession setexec setpgid setsched sigstop ptrace noatsecure setsockcreate setfscreate execheap sigchld execstack signal transition setcap execmem getcap getsched dyntransition };
+allow at_distributor at_distributor:rawip_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow at_distributor at_distributor:sem { unix_read setattr associate read create write getattr unix_write destroy };
+allow at_distributor at_distributor:shm { unix_read setattr associate read lock create write getattr unix_write destroy };
+allow at_distributor at_distributor:socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow at_distributor at_distributor:tcp_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind name_connect send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow at_distributor at_distributor:tun_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read attach_queue ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow at_distributor at_distributor:udp_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow at_distributor at_distributor:unix_dgram_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow at_distributor at_distributor:unix_stream_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow at_distributor at_distributor_exec:file { read open getattr entrypoint execute };
+allow at_distributor at_distributor_tmpfs:file { read write };
+allow at_distributor binderservicedomain:binder { transfer call };
+allow at_distributor binderservicedomain:fd use;
+allow at_distributor block_device:dir { read search ioctl open getattr };
+allow at_distributor carrier_efs_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow at_distributor carrier_efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow at_distributor cgroup:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow at_distributor cgroup:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow at_distributor dumplog_data_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow at_distributor dumplog_data_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow at_distributor dumplog_data_file:sock_file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow at_distributor dumpstate_exec:file { execute execute_no_trans };
+allow at_distributor dumpsys_exec:file { execute execute_no_trans };
+allow at_distributor efs_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow at_distributor efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow at_distributor firmware_file:dir { read search ioctl open getattr };
+allow at_distributor firmware_file:file { read lock ioctl open getattr };
+allow at_distributor imei_efs_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow at_distributor imei_efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow at_distributor init:process sigchld;
+allow at_distributor init:unix_stream_socket connectto;
+allow at_distributor kernel:system syslog_read;
+allow at_distributor nfc:binder { transfer call };
+allow at_distributor nfc:fd use;
+allow at_distributor property_socket:sock_file write;
+allow at_distributor qseecom_device:chr_file { read lock getattr write ioctl open append };
+allow at_distributor radio:binder { transfer call };
+allow at_distributor radio:fd use;
+allow at_distributor radio_data_file:dir { search read getattr write ioctl remove_name open add_name };
+allow at_distributor radio_data_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow at_distributor radio_device:chr_file { read lock getattr write ioctl open append };
+allow at_distributor radio_prop:property_service set;
+allow at_distributor rild:unix_stream_socket connectto;
+allow at_distributor sec-ril:unix_stream_socket connectto;
+allow at_distributor sec_efs_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow at_distributor sec_efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow at_distributor sensorhubservice:binder { transfer call };
+allow at_distributor sensorhubservice:fd use;
+allow at_distributor servicemanager:binder { transfer call };
+allow at_distributor servicemanager:fd use;
+allow at_distributor shell_exec:file { execute read lock getattr execute_no_trans ioctl open };
+allow at_distributor su_exec:file { execute read lock getattr execute_no_trans ioctl open };
+allow at_distributor sysfs:file { write open append };
+allow at_distributor sysfs_sec:file { setattr read lock getattr write ioctl open append };
+allow at_distributor sysfs_ss_writable:file { read lock getattr write ioctl open append };
+allow at_distributor sysfs_wake_lock:file { read lock getattr write ioctl open append };
+allow at_distributor system_app:binder { transfer call };
+allow at_distributor system_app:fd use;
+allow at_distributor system_data_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow at_distributor system_data_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow at_distributor system_file:file { getattr execute execute_no_trans };
+allow at_distributor system_server:binder transfer;
+allow at_distributor uart_device:chr_file { read lock getattr write ioctl open append };
+allow at_distributor zygote_exec:file { execute read lock getattr execute_no_trans ioctl open };
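Review bot: The `at_distributor:process` rule grants the whole process class to the domain itself, including `execmem`, `execstack`, `execheap`, `ptrace`, `setexec`, `setcurrent` and `dyntransition`, so the daemon keeps no protection against executable writable memory or against changing its own context. The same rule is repeated verbatim for audiod, connfwexe, cs and ddexe in the later hunks. I would cut it to what the daemon demonstrably uses, e.g. `allow at_distributor self:process { fork sigchld sigkill signal signull getsched setsched };`, and add permissions back only from observed denials. Separately, the `su_exec:file` rule with `execute_no_trans` lets this domain run su without a domain transition while it also holds `setuid` and `dac_override`; unless there is a documented need, that rule should be dropped.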
diff --git a/sepolicy/audiod.te b/sepolicy/audiod.te
index b768df4..116aa9e 100644
--- a/sepolicy/audiod.te
+++ b/sepolicy/audiod.te
@@ -1,3 +1,24 @@
#====================audiod==========================
allow audiod snd_data_file:dir { add_name open search write };
allow audiod snd_data_file:file { getattr open read write create_file_perms };
+#new#
+allow audiod audiod:appletalk_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow audiod audiod:capability sys_nice;
+allow audiod audiod:ipc { unix_read setattr associate read create write getattr unix_write destroy };
+allow audiod audiod:key { search setattr read create write link view };
+allow audiod audiod:key_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow audiod audiod:msg { receive send };
+allow audiod audiod:msgq { unix_read setattr associate read create write enqueue getattr unix_write destroy };
+allow audiod audiod:netlink_route_socket { nlmsg_write lock accept connect shutdown append create nlmsg_read write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow audiod audiod:netlink_selinux_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow audiod audiod:packet_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow audiod audiod:process { sigkill share getpgid signull setkeycreate siginh getattr setcurrent setrlimit rlimitinh fork getsession setexec setpgid setsched sigstop ptrace noatsecure setsockcreate setfscreate execheap sigchld execstack signal transition setcap execmem getcap getsched dyntransition };
+allow audiod audiod:rawip_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow audiod audiod:sem { unix_read setattr associate read create write getattr unix_write destroy };
+allow audiod audiod:shm { unix_read setattr associate read lock create write getattr unix_write destroy };
+allow audiod audiod:socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow audiod audiod:tcp_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind name_connect send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow audiod audiod:tun_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read attach_queue ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow audiod audiod:udp_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow audiod audiod:unix_dgram_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow audiod audiod:unix_stream_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
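Review bot: The rules added under `#new#` give audiod the full permission list on a long run of self-socket classes (`appletalk_socket`, `key_socket`, `packet_socket`, `rawip_socket`, `tun_socket`, `netlink_selinux_socket`, `tcp_socket` and more), and nothing visible in this file explains why an audio daemon would need raw or packet sockets. The identical block appears in the at_distributor, connfwexe, cs and ddexe files, which suggests generated output rather than rules derived from denials. Keep only the classes the daemon actually opens, written against `self`; if that turns out to be local sockets only, `allow audiod self:unix_stream_socket create_stream_socket_perms;` would cover it. The `#new#` marker should be replaced with a comment naming the feature each remaining rule serves.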
diff --git a/sepolicy/connfwexe.te b/sepolicy/connfwexe.te
new file mode 100644
index 0000000..e80cd01
--- /dev/null
+++ b/sepolicy/connfwexe.te
@@ -0,0 +1,66 @@
+#======================connfwexe===========================================
+type connfwexe, domain;
+type connfwexe_exec, exec_type, file_type;
+init_daemon_domain(connfwexe)
+net_domain(connfwexe)
+
+# To make VT call
+binder_use(connfwexe)
+
+allow connfwexe ashmem_device:chr_file { getattr execute execute_no_trans };
+allow connfwexe block_device:dir { read search ioctl open getattr };
+allow connfwexe block_device:lnk_file { read lock ioctl open getattr };
+allow connfwexe bugreport_exec:file { execute execute_no_trans };
+allow connfwexe connfwexe:appletalk_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow connfwexe connfwexe:capability { setuid net_raw sys_boot sys_nice dac_override };
+allow connfwexe connfwexe:dir { read search ioctl open getattr };
+allow connfwexe connfwexe:fd use;
+allow connfwexe connfwexe:fifo_file { read lock getattr write ioctl open append };
+allow connfwexe connfwexe:file { read lock getattr write ioctl open append };
+allow connfwexe connfwexe:ipc { unix_read setattr associate read create write getattr unix_write destroy };
+allow connfwexe connfwexe:key { search setattr read create write link view };
+allow connfwexe connfwexe:key_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow connfwexe connfwexe:lnk_file { read lock ioctl open getattr };
+allow connfwexe connfwexe:msg { receive send };
+allow connfwexe connfwexe:msgq { unix_read setattr associate read create write enqueue getattr unix_write destroy };
+allow connfwexe connfwexe:netlink_route_socket { nlmsg_write lock accept connect shutdown append create nlmsg_read write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow connfwexe connfwexe:netlink_selinux_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow connfwexe connfwexe:packet_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow connfwexe connfwexe:process { sigkill share getpgid signull setkeycreate siginh getattr setcurrent setrlimit rlimitinh fork getsession setexec setpgid setsched sigstop ptrace noatsecure setsockcreate setfscreate execheap sigchld execstack signal transition setcap execmem getcap getsched dyntransition };
+allow connfwexe connfwexe:rawip_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow connfwexe connfwexe:sem { unix_read setattr associate read create write getattr unix_write destroy };
+allow connfwexe connfwexe:shm { unix_read setattr associate read lock create write getattr unix_write destroy };
+allow connfwexe connfwexe:socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow connfwexe connfwexe:tcp_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind name_connect send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow connfwexe connfwexe:tun_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read attach_queue ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow connfwexe connfwexe:udp_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow connfwexe connfwexe:unix_dgram_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow connfwexe connfwexe:unix_stream_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow connfwexe connfwexe_exec:file { read open getattr entrypoint execute };
+allow connfwexe connfwexe_tmpfs:file { read write };
+allow connfwexe dalvikcache_data_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow connfwexe ddexe:unix_stream_socket connectto;
+allow connfwexe dumplog_data_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow connfwexe dumplog_data_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow connfwexe dumplog_data_file:sock_file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow connfwexe dumpstate_exec:file { execute execute_no_trans };
+allow connfwexe dumpsys_exec:file { execute execute_no_trans };
+allow connfwexe emmcblk_device:blk_file { read lock getattr write ioctl open append };
+allow connfwexe init:process sigchld;
+allow connfwexe init:unix_stream_socket connectto;
+allow connfwexe property_socket:sock_file { write open append };
+allow connfwexe radio_data_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow connfwexe radio_data_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow connfwexe servicemanager:binder { transfer call };
+allow connfwexe servicemanager:fd use;
+allow connfwexe shell_exec:file { execute read lock getattr execute_no_trans ioctl open };
+allow connfwexe sysfs:file { read lock getattr write ioctl open append };
+allow connfwexe sysfs_ss_writable:file { read lock getattr write ioctl open append };
+allow connfwexe sysfs_wake_lock:file { read lock getattr write ioctl open append };
+allow connfwexe system_data_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow connfwexe system_data_file:sock_file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow connfwexe system_file:file { getattr execute execute_no_trans };
+allow connfwexe system_prop:property_service set;
+allow connfwexe system_server:binder { transfer call };
+allow connfwexe system_server:fd use;
+allow connfwexe zygote_exec:file { execute read lock getattr execute_no_trans ioctl open };
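Review bot: The `emmcblk_device:blk_file` rule gives connfwexe `write` and `append` on the raw eMMC block node, and the same domain is declared `net_domain` and holds `net_raw`, so a compromise of this daemon could modify whatever partitions sit behind that label. If it only needs to read a partition, `allow connfwexe emmcblk_device:blk_file r_file_perms;` is enough; if it must write, the specific partition should get its own type. The `dalvikcache_data_file:file` rule with `create`/`write`/`unlink` and the `sys_boot` capability need the same justification in a comment, since the hunk explains neither.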
diff --git a/sepolicy/cs.te b/sepolicy/cs.te
new file mode 100644
index 0000000..b2c5923
--- /dev/null
+++ b/sepolicy/cs.te
@@ -0,0 +1,47 @@
+#===================cs========================
+type cs, domain;
+type cs_exec, exec_type, file_type;
+init_daemon_domain(cs)
+net_domain(cs)
+
+# To make VT call
+binder_use(cs)
+
+allow cs cs:appletalk_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow cs cs:capability sys_nice;
+allow cs cs:dir { read search ioctl open getattr };
+allow cs cs:fd use;
+allow cs cs:fifo_file { read lock getattr write ioctl open append };
+allow cs cs:file { read lock getattr write ioctl open append };
+allow cs cs:ipc { unix_read setattr associate read create write getattr unix_write destroy };
+allow cs cs:key { search setattr read create write link view };
+allow cs cs:key_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow cs cs:lnk_file { read lock ioctl open getattr };
+allow cs cs:msg { receive send };
+allow cs cs:msgq { unix_read setattr associate read create write enqueue getattr unix_write destroy };
+allow cs cs:netlink_route_socket { nlmsg_write lock accept connect shutdown append create nlmsg_read write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow cs cs:netlink_selinux_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow cs cs:packet_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow cs cs:process { sigkill share getpgid signull setkeycreate siginh getattr setcurrent setrlimit rlimitinh fork getsession setexec setpgid setsched sigstop ptrace noatsecure setsockcreate setfscreate execheap sigchld execstack signal transition setcap execmem getcap getsched dyntransition };
+allow cs cs:rawip_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow cs cs:sem { unix_read setattr associate read create write getattr unix_write destroy };
+allow cs cs:shm { unix_read setattr associate read lock create write getattr unix_write destroy };
+allow cs cs:socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow cs cs:tcp_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind name_connect send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow cs cs:tun_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read attach_queue ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow cs cs:udp_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow cs cs:unix_dgram_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow cs cs:unix_stream_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow cs cs_exec:file { read open getattr entrypoint execute };
+allow cs cs_socket:dir { write remove_name search open add_name };
+allow cs cs_socket:sock_file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow cs cs_tmpfs:file { read write };
+allow cs efs_file:dir { read search ioctl open getattr };
+allow cs efs_file:file { read lock ioctl open getattr };
+allow cs firmware_file:dir { read search ioctl open getattr };
+allow cs firmware_file:file { read lock ioctl open getattr };
+allow cs firmware_file:lnk_file { read lock ioctl open getattr };
+allow cs init:process sigchld;
+allow cs qseecom_device:chr_file { read lock getattr write ioctl open append };
+allow cs system_data_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow cs system_data_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
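Review bot: The last two rules let cs create, rename and unlink files and directories labelled `system_data_file`, which is the generic label for /data content rather than something private to this daemon. A dedicated type for the directory cs actually owns (for example a hypothetical `cs_data_file`, labelled in file_contexts) would let the write permissions be granted there and leave `system_data_file` at search/read. at_distributor, connfwexe and ddexe carry the same broad `system_data_file` rules in their hunks and would benefit from the same split.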
diff --git a/sepolicy/ddexe.te b/sepolicy/ddexe.te
new file mode 100644
index 0000000..474b7fe
--- /dev/null
+++ b/sepolicy/ddexe.te
@@ -0,0 +1,41 @@
+#=========ddexe================
+type ddexe, domain;
+type ddexe_exec, exec_type, file_type;
+init_daemon_domain(ddexe)
+net_domain(ddexe)
+
+# To make VT call
+binder_use(ddexe)
+
+allow ddexe ddexe:appletalk_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ddexe ddexe:capability { setuid sys_nice dac_override };
+allow ddexe ddexe:dir { read search ioctl open getattr };
+allow ddexe ddexe:fd use;
+allow ddexe ddexe:fifo_file { read lock getattr write ioctl open append };
+allow ddexe ddexe:file { read lock getattr write ioctl open append };
+allow ddexe ddexe:ipc { unix_read setattr associate read create write getattr unix_write destroy };
+allow ddexe ddexe:key { search setattr read create write link view };
+allow ddexe ddexe:key_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ddexe ddexe:lnk_file { read lock ioctl open getattr };
+allow ddexe ddexe:msg { receive send };
+allow ddexe ddexe:msgq { unix_read setattr associate read create write enqueue getattr unix_write destroy };
+allow ddexe ddexe:netlink_route_socket { nlmsg_write lock accept connect shutdown append create nlmsg_read write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ddexe ddexe:netlink_selinux_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ddexe ddexe:packet_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ddexe ddexe:process { sigkill share getpgid signull setkeycreate siginh getattr setcurrent setrlimit rlimitinh fork getsession setexec setpgid setsched sigstop ptrace noatsecure setsockcreate setfscreate execheap sigchld execstack signal transition setcap execmem getcap getsched dyntransition };
+allow ddexe ddexe:rawip_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow ddexe ddexe:sem { unix_read setattr associate read create write getattr unix_write destroy };
+allow ddexe ddexe:shm { unix_read setattr associate read lock create write getattr unix_write destroy };
+allow ddexe ddexe:socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ddexe ddexe:tcp_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind name_connect send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow ddexe ddexe:tun_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read attach_queue ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ddexe ddexe:udp_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow ddexe ddexe:unix_dgram_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ddexe ddexe:unix_stream_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ddexe ddexe_exec:file { read open getattr entrypoint execute };
+allow ddexe ddexe_tmpfs:file { read write };
+allow ddexe device:file { read lock ioctl open getattr };
+allow ddexe gadget_serial_device:chr_file { read lock getattr write ioctl open append };
+allow ddexe init:process sigchld;
+allow ddexe system_data_file:dir { search read getattr write ioctl remove_name open add_name };
+allow ddexe system_data_file:sock_file { rename setattr read lock create getattr write ioctl link unlink open append };
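Review bot: `allow ddexe device:file { read lock ioctl open getattr };` targets regular files carrying the generic `device` label, which usually means something under /dev that has no file_contexts entry of its own. Granting access on the generic label also covers every other unlabelled file there; the file ddexe reads should get a specific type and a file_contexts entry, with the rule written against that type. A short comment naming the path would help too, since the hunk gives no hint which file this rule is for.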
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 321ad61..21dca77 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -3,12 +3,86 @@
type touchpanel_sysfs, fs_type, sysfs_type;
+type bugreport, domain;
+type bugreport_exec, exec_type, file_type;
+
+type icd, domain;
+type icd_exec, exec_type, file_type;
+
+type lpm, domain;
+type lpm_exec, exec_type, file_type;
+
+type dumpsys, domain;
+type dumpsys_exec, exec_type, file_type;
+
+type olsrd, domain;
+type olsrd_exec, exec_type, file_type;
+
+type jackservice, domain;
+type jackservice_exec, exec_type, file_type;
+
+type sensorhubservice, domain;
+type sensorhubservice_exec, exec_type, file_type;
+
+type cpk_efs_file, file_type;
+type carrier_efs_file, file_type;
+type iss_efs_file, file_type;
+type drm_efs_file, file_type;
+type modem_firmware, file_type;
+type otadm_efs_file, file_type;
+type pfw_efs_file, file_type;
+type prov_efs_file, file_type;
+type sensor_efs_file, file_type;
type wifi_efs_file, file_type;
type sensors_efs_file, file_type;
type sysfs_camera, fs_type, sysfs_type;
type sysfs_class_camera_rear, fs_type, sysfs_type;
+type sysfs_sensor_writable, fs_type, sysfs_type;
+type sysfs_sec, fs_type, sysfs_type;
+type sysfs_app_writable, fs_type, sysfs_type;
type sysfs_input, fs_type, sysfs_type;
+type sysfs_ss_writable, fs_type, sysfs_type;
type sysfs_vibeamp, fs_type, sysfs_type;
+type jack_data_file, file_type, data_file_type;
+type audit_log, file_type, data_file_type;
+type tima_log, file_type, data_file_type;
+type drm_playready_file, file_type, data_file_type;
+#type drm_data_file, file_type, data_file_type;
type snd_data_file, file_type, data_file_type;
-type keymaster_firmware_file, file_type, data_file_type;
-type sshdcpap_firmware_file, file_type, data_file_type;
+type users_system_data_file, file_type, data_file_type;
+type keymaster_firmware_file, file_type;
+type sshdcpap_firmware_file, file_type;
+type tima_keystore_file, file_type, data_file_type;
+type app_library_file, file_type, data_file_type;
+type obb_apk_file, file_type, data_file_type;
+type app_efs_file, file_type;
+type bin_nv_data_efs_file, file_type;
+type dumplog_data_file, file_type, data_file_type;
+type efs_gsm_file, file_type;
+type emmcblk_device, file_type;
+type smd_cxm_qmi_device, file_type;
+type imei_efs_file, file_type;
+type mbin_device, file_type;
+type nv_core_efs_file, file_type;
+type sec_efs_file, file_type;
+type carrier_file, file_type;
+type uart_device, file_type;
+type cs_socket, file_type;
+type system_fifo, file_type;
+type genlock_device, file_type;
+type ss_conn_daemon_socket, file_type;
+type timerirq_device, file_type;
+type jack_socket, file_type;
+type usb_serial_device, file_type;
+type drsd_socket, file_type;
+type epm_socket, file_type;
+type mtp_socket, file_type;
+type dun_device, file_type;
+type frigate_socket, file_type;
+type tz_socket, file_type;
+type sem_device, file_type;
+type i2c_device, file_type;
+type icd_device, file_type;
+type usb_bus_device, file_type;
+type swap_device, file_type;
+type secure_storage_device, file_type;
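Review bot: The device-node types added at the end of this hunk (`emmcblk_device`, `i2c_device`, `swap_device`, `secure_storage_device` and the other `*_device` types) are declared with `file_type` only, although file_contexts in the same commit attaches them to paths under /dev. Rules keyed on the device attribute would then presumably not cover these nodes, while rules written for ordinary files would, so I would declare them as `type emmcblk_device, dev_type;` and likewise for the rest. The hunk also drops `data_file_type` from `keymaster_firmware_file` and `sshdcpap_firmware_file` and declares seven `domain` types in file.te without saying why; a one-line comment on each group would help the next reader.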
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 8624cf0..a5ac85d 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -13,8 +13,6 @@
/firmware/image/keymaste.* u:object_r:keymaster_firmware_file:s0
/firmware/image/sshdcpap.mdt u:object_r:sshdcpap_firmware_file:s0
-/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0
-/dev/sec-nfc u:object_r:nfc_device:s0
/dev/i2c-1 u:object_r:audio_device:s0
# Camera
@@ -34,3 +32,220 @@
# data files
/data/snd(/.*)? u:object_r:snd_data_file:s0
+
+#############################
+# DATA file of qcom_common
+#
+/data/misc/gpsone_d(/.*)? u:object_r:gps_data_file:s0
+
+#############################
+# EFS file of sec_common
+#
+/cpefs(/.*)? u:object_r:sec_efs_file:s0
+/efs/carrier(/.*)? u:object_r:carrier_efs_file:s0
+/efs/cpk(/.*)? u:object_r:cpk_efs_file:s0
+/efs/drx(/.*)? u:object_r:sec_efs_file:s0
+/efs/FactoryApp(/.*)? u:object_r:app_efs_file:s0
+/efs/imei(/.*)? u:object_r:imei_efs_file:s0
+/efs/ims_setting(/.*)? u:object_r:sec_efs_file:s0
+/efs/iss(/.*)? u:object_r:iss_efs_file:s0
+/efs/logguard(/.*)? u:object_r:iss_efs_file:s0
+/efs/maxim(/.*)? u:object_r:sec_efs_file:s0
+/efs/mc(/.*)? u:object_r:prov_efs_file:s0
+/efs/\.nv_core\.bak(.*) u:object_r:nv_core_efs_file:s0
+/efs/otadm(/.*)? u:object_r:otadm_efs_file:s0
+/efs/otadm_sw_version u:object_r:otadm_efs_file:s0
+/efs/pfw_data(/.*)? u:object_r:pfw_efs_file:s0
+/efs/prov(/.*)? u:object_r:prov_efs_file:s0
+/efs/prov_data(/.*)? u:object_r:prov_efs_file:s0
+/efs/recovery(/.*)? u:object_r:sec_efs_file:s0
+/efs/root(/.*)? u:object_r:app_efs_file:s0
+/efs/sec_efs(/.*)? u:object_r:sec_efs_file:s0
+/efs/security(/.*)? u:object_r:prov_efs_file:s0
+/efs/sktdm_mem(/.*)? u:object_r:sec_efs_file:s0
+/efs/SMS(/.*)? u:object_r:sec_efs_file:s0
+/efs/SlideCount u:object_r:app_efs_file:s0
+/efs/TEE(/.*)? u:object_r:prov_efs_file:s0
+/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0
+/efs_gsm(/.*)? u:object_r:efs_gsm_file:s0
+
+#############################
+# EFS file of qcom_common
+#
+/efs/drm(/.*)? u:object_r:drm_efs_file:s0
+/efs/.drm(/.*)? u:object_r:drm_efs_file:s0
+
+#############################
+# EFS file of slsi_common
+#
+/efs/gyro_cal_data u:object_r:sensor_efs_file:s0
+/efs/nv_data.bin(.*) u:object_r:bin_nv_data_efs_file:s0
+
+
+#############################
+# MNT of bcom_common
+#
+/mnt/modemfsro(/.*)? u:object_r:modem_firmware:s0
+/mnt/modemfsro_fix(/.*)? u:object_r:modem_firmware:s0
+/mnt/modemfsrw(/.*)? u:object_r:modem_firmware:s0
+/mnt/modemfw(/.*)? u:object_r:modem_firmware:s0
+/mnt/modemlog(/.*)? u:object_r:modem_firmware:s0
+
+#############################
+# Carrier file of sec_common
+# carrier folder for Sprint(Qualcomm and SLSI)
+/carrier(/.*)? u:object_r:carrier_file:s0
+
+#############################
+# DATA file of sec_common
+#
+/data/app-lib(/.*)? u:object_r:app_library_file:s0
+/data/bcmnfc(/.*)? u:object_r:nfc_data_file:s0
+/data/data/.* u:object_r:app_data_file:s0
+#/data/data/.drm(/.*)? u:object_r:drm_data_file:s0
+#/data/data/com.android.providers.downloads/cache u:object_r:download_file:s0
+/data/data/com.android.settings/files/wallpaper u:object_r:wallpaper_file:s0
+/data/data/com.android.shell(/.*)? u:object_r:shell_data_file:s0
+/data/data/imsqmisocket u:object_r:system_data_file:s0
+/data/KEqvTaYEYkuJr1Mn+t-SwFvbgYo_(/.*)? u:object_r:tima_keystore_file:s0
+/data/log(/.*)? u:object_r:dumplog_data_file:s0
+/data/media.tmp(/.*)? u:object_r:media_rw_data_file:s0
+/data/media/obb(/.*)? u:object_r:obb_apk_file:s0
+#from nsa
+/data/misc/jack(/.*)? u:object_r:jack_data_file:s0
+/data/misc/tima(/.*)? u:object_r:tima_log:s0
+
+/data/system/users(/.*)? u:object_r:users_system_data_file:s0
+/data/system/users(/.*)/wallpaper u:object_r:wallpaper_file:s0
+/data/tee(/.*)? u:object_r:tee_data_file:s0
+
+#############################
+# System files of qcom_common
+#/system/bin/mfgloader u:object_r:mfgloader_exec:s0
+/system/bin/qmiproxy u:object_r:qmiproxy_exec:s0
+/system/bin/wlandutservice u:object_r:wlandutservice_exec:s0
+
+#############################
+# System files of sec_common
+#
+/system/bin/app_process u:object_r:zygote_exec:s0
+/system/bin/at_distributor u:object_r:at_distributor_exec:s0
+/system/bin/mksh u:object_r:shell_exec:s0
+/system/bin/bugreport u:object_r:bugreport_exec:s0
+/system/bin/connfwexe u:object_r:connfwexe_exec:s0
+/system/bin/cs u:object_r:cs_exec:s0
+/system/bin/ddexe u:object_r:ddexe_exec:s0
+/system/bin/dumpsys u:object_r:dumpsys_exec:s0
+/system/bin/icd u:object_r:icd_exec:s0
+/system/bin/insthk u:object_r:insthk_exec:s0
+/system/bin/jackservice u:object_r:jackservice_exec:s0
+/system/bin/olsrd u:object_r:olsrd_exec:s0
+/system/bin/sec-ril u:object_r:sec-ril_exec:s0
+/system/bin/sensorhubservice u:object_r:sensorhubservice_exec:s0
+/system/bin/ss_conn_daemon u:object_r:ss_conn_daemon_exec:s0
+/system/bin/smdexe u:object_r:smdexe_exec:s0
+/system/bin/otp_server u:object_r:otp_server_exec:s0
+# conflict with Qcom BSP, /system/bin/wcnss_service u:object_r:wcnss_service_exec:s0
+/system/bin/wpa_supplicant_real u:object_r:wpa_exec:s0
+# to run resopt on system_server
+/system/bin/resopt u:object_r:system_file:s0
+# to run zip on resopt, on system_server
+/system/bin/zip u:object_r:system_file:s0
+
+
+#############################
+# DATA file
+#
+/data/data/.drm(/.*)? u:object_r:drm_playready_file:s0
+#/data/data/.drm/.playready(/.*)? u:object_r:drm_playready_file:s0
+#/data/data/.drm/.playready/aeskey.dat u:object_r:drm_data_file:s0
+/data/nfc/(/.*)? u:object_r:nfc_data_file:s0
+#############################
+# efs file
+#
+# com.sec.android.preloadinstaller write currentlyFactoryReset
+# path was changed /efs/recovery/currentlyFactoryReset" by recovery team.
+#/efs/.currentlyFactoryReset u:object_r:app_efs_file:s0
+# com.sec.imsservice write silent_redial
+/efs/silent_redial u:object_r:app_efs_file:s0
+# HDCP and Widevine key. support r/w for radio and system app
+/efs/h2k.dat u:object_r:cpk_efs_file:s0
+/efs/redata.bin u:object_r:cpk_efs_file:s0
+/efs/wv.keys u:object_r:cpk_efs_file:s0
+/efs/total_call_time u:object_r:app_efs_file:s0
+
+
+#############################
+# System files of sec_common
+#
+/system/bin/ftm_ptt u:object_r:ftm_ptt_exec:s0
+/system/bin/lpm u:object_r:lpm_exec:s0
+
+#############################
+# Device node of sec_common
+#
+/dev/block/mmcblk[0-9].* u:object_r:emmcblk_device:s0
+/dev/block/zram[0-9] u:object_r:ram_device:s0
+
+/sys/class/net/wlan0/queues/rx-[0-9]/rps_cpus u:object_r:sysfs_ss_writable:s0
+/sys/class/kgsl/kgsl-3d0/dispatch(/.*)? -- u:object_r:sysfs_ss_writable:s0
+/sys/class/power_supply/battery/camera u:object_r:sysfs_app_writable:s0
+
+#############################
+# Device node of sec_common
+#
+/dev/.secure_storage(/.*)? u:object_r:secure_storage_device:s0
+/dev/__kmsg u:object_r:klog_device:s0
+/dev/alps_io u:object_r:input_device:s0
+/dev/android_ssusbcon(/.*)? u:object_r:usb_device:s0
+/dev/bcm2079x u:object_r:nfc_device:s0
+/dev/block/mmcblk0p[0-9]* u:object_r:emmcblk_device:s0
+/dev/block/mmcblk[0-9]* u:object_r:emmcblk_device:s0
+/dev/block/mmcblk1p.* u:object_r:emmcblk_device:s0
+/dev/block/mmcblk1p1 u:object_r:emmcblk_device:s0
+# remove this label because of selabel_lookup_best_match /dev/block/platform/dw_mmc.* u:object_r:dw_mmc_device:s0
+/dev/block/platform/msm_sdcc.1/by-name/param u:object_r:emmcblk_device:s0
+/dev/block/sd[a-z][0-9]* u:object_r:emmcblk_device:s0
+/dev/block/vnswap0 u:object_r:swap_device:s0
+/dev/bus/usb(/.*)? u:object_r:usb_bus_device:s0
+/dev/cdma_.* u:object_r:radio_device:s0
+# conflict with Qcom BSP, /dev/diag u:object_r:diag_device:s0
+/dev/i2c.* u:object_r:i2c_device:s0
+/dev/icd u:object_r:icd_device:s0
+/dev/icdr u:object_r:icd_device:s0
+/dev/pipes(/.*)? u:object_r:system_fifo:s0
+/dev/p3 u:object_r:sem_device:s0
+/dev/p61 u:object_r:sem_device:s0
+/dev/pn547 u:object_r:nfc_device:s0
+/dev/sec-nfc u:object_r:nfc_device:s0
+/dev/sec-nfc-fn u:object_r:nfc_device:s0
+/dev/socket/bluetooth u:object_r:bluetooth_socket:s0
+/dev/socket/cs_socket u:object_r:cs_socket:s0
+/dev/socket/dir_enc_report u:object_r:vold_socket:s0
+/dev/socket/drsd u:object_r:drsd_socket:s0
+/dev/socket/frigate u:object_r:frigate_socket:s0
+/dev/socket/jack(/.*)? u:object_r:jack_socket:s0
+/dev/socket/mtp(/.*)? u:object_r:mtp_socket:s0
+/dev/socket/ppm u:object_r:epm_socket:s0
+/dev/socket/rild[0-9]* u:object_r:rild_socket:s0
+/dev/socket/rild-debug[0-9]* u:object_r:rild_debug_socket:s0
+/dev/socket/ss_conn_daemon u:object_r:ss_conn_daemon_socket:s0
+/dev/socket/tz u:object_r:tz_socket:s0
+/dev/sound_trigger_boost u:object_r:audio_device:s0
+/dev/ssp_sensorhub u:object_r:input_device:s0
+/dev/timerirq u:object_r:timerirq_device:s0
+/dev/ttyGS[0-9]* u:object_r:usb_serial_device:s0
+/dev/ttyUSB[0-9]* u:object_r:usb_device:s0
+/dev/usb(/.*)? u:object_r:usb_device:s0
+/dev/usb.* u:object_r:usb_device:s0
+/dev/usb/tty.* u:object_r:usb_device:s0
+/dev/usb_mtp_gadget.* u:object_r:mtp_device:s0
+/dev/video4[0-9] u:object_r:camera_device:s0
+
+/dev/efs_bridge u:object_r:efsbridgehsic_device:s0
+/dev/ks_bridge u:object_r:ksbridgehsic_device:s0
+/dev/rmnet_mux_ctrl u:object_r:rmnet_device:s0
+
+/dev/ttyHSL[0-9]* u:object_r:serial_device:s0
+#line 1 "vendor/samsung/common/sepolicy/model/ctsv4/file_contexts"
+
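Review bot: The added entry `/data/nfc/(/.*)?` has a stray slash before the group, so it matches `/data/nfc/` and `/data/nfc//...` but not `/data/nfc` itself or an ordinary file below it; it should read `/data/nfc(/.*)? u:object_r:nfc_data_file:s0`. Several other added patterns leave regex metacharacters unescaped: the dot in `/efs/.drm(/.*)?`, `/efs/nv_data.bin(.*)` and `/dev/.secure_storage(/.*)?` matches any character, and the `+` in `/data/KEqvTaYEYkuJr1Mn+t-SwFvbgYo_(/.*)?` is a quantifier, so a path containing a literal `+` does not get `tima_keystore_file`. The `/efs/\.nv_core\.bak(.*)` line already shows the escaped form to use. The block-device entries put every eMMC partition (`/dev/block/mmcblk[0-9].*`) and `/dev/block/sd[a-z][0-9]*` under the single type `emmcblk_device`, so any rule on that type reaches all partitions at once; separate labels for the partitions a daemon really needs would keep that narrower.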
diff --git a/sepolicy/ftm_ptt.te b/sepolicy/ftm_ptt.te
new file mode 100644
index 0000000..bec8307
--- /dev/null
+++ b/sepolicy/ftm_ptt.te
@@ -0,0 +1,45 @@
+#==================ftm_ptt=========================
+type ftm_ptt, domain;
+type ftm_ptt_exec, exec_type, file_type;
+init_daemon_domain(ftm_ptt)
+net_domain(ftm_ptt)
+
+# To make VT call
+binder_use(ftm_ptt)
+
+allow ftm_ptt dnsproxyd_socket:sock_file write;
+allow ftm_ptt ftm_ptt:appletalk_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ftm_ptt ftm_ptt:capability net_raw;
+allow ftm_ptt ftm_ptt:dir { read search ioctl open getattr };
+allow ftm_ptt ftm_ptt:fd use;
+allow ftm_ptt ftm_ptt:fifo_file { read lock getattr write ioctl open append };
+allow ftm_ptt ftm_ptt:file { read lock getattr write ioctl open append };
+allow ftm_ptt ftm_ptt:ipc { unix_read setattr associate read create write getattr unix_write destroy };
+allow ftm_ptt ftm_ptt:key { search setattr read create write link view };
+allow ftm_ptt ftm_ptt:key_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ftm_ptt ftm_ptt:lnk_file { read lock ioctl open getattr };
+allow ftm_ptt ftm_ptt:msg { receive send };
+allow ftm_ptt ftm_ptt:msgq { unix_read setattr associate read create write enqueue getattr unix_write destroy };
+allow ftm_ptt ftm_ptt:netlink_route_socket { nlmsg_write lock accept connect shutdown append create nlmsg_read write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ftm_ptt ftm_ptt:netlink_selinux_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ftm_ptt ftm_ptt:netlink_socket { setopt setattr read lock create getattr write ioctl connect shutdown bind getopt append };
+allow ftm_ptt ftm_ptt:packet_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ftm_ptt ftm_ptt:process { sigkill share getpgid signull setkeycreate siginh getattr setcurrent setrlimit rlimitinh fork getsession setexec setpgid setsched sigstop ptrace noatsecure setsockcreate setfscreate execheap sigchld execstack signal transition setcap execmem getcap getsched dyntransition };
+allow ftm_ptt ftm_ptt:rawip_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow ftm_ptt ftm_ptt:sem { unix_read setattr associate read create write getattr unix_write destroy };
+allow ftm_ptt ftm_ptt:shm { unix_read setattr associate read lock create write getattr unix_write destroy };
+allow ftm_ptt ftm_ptt:socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ftm_ptt ftm_ptt:tcp_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind name_connect send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow ftm_ptt ftm_ptt:tun_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read attach_queue ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ftm_ptt ftm_ptt:udp_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow ftm_ptt ftm_ptt:unix_dgram_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ftm_ptt ftm_ptt:unix_stream_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ftm_ptt ftm_ptt_exec:file { read open getattr entrypoint execute };
+allow ftm_ptt ftm_ptt_tmpfs:file { read write };
+allow ftm_ptt fwmarkd_socket:sock_file write;
+allow ftm_ptt init:process sigchld;
+allow ftm_ptt netd:unix_stream_socket connectto;
+allow ftm_ptt node:tcp_socket node_bind;
+allow ftm_ptt node:udp_socket node_bind;
+allow ftm_ptt port:tcp_socket { name_bind name_connect };
+allow ftm_ptt port:udp_socket name_bind;
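Review bot: The self rules in this new file grant far more than a daemon normally needs: `allow ftm_ptt ftm_ptt:process { ... }` includes `ptrace`, `execmem`, `execstack`, `execheap`, `setexec`, `setcurrent` and `dyntransition`, and every socket class from `appletalk_socket` to `tun_socket` is opened in full. The list reads like a generated dump rather than a set of observed denials, and it switches off the memory-protection and transition checks that confinement relies on. I would cut the process rule to what the binary is seen to use, for example `allow ftm_ptt self:process { fork sigchld signal getsched setsched };`, and keep only the socket classes it actually creates. The same block is repeated in insthk.te, mtp.te and otp_server.te in this commit. The `# To make VT call` comment above `binder_use(ftm_ptt)` also looks copied from another domain and should say what ftm_ptt uses binder for.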
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 0b0abb0..ba0aea9 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -2,3 +2,22 @@
allow init diag_exec:file execute_no_trans;
allow init self:process execmem;
allow init vfat:dir search;
+#new#
+allow init at_distributor:process { siginh transition rlimitinh };
+allow init at_distributor_exec:file { read getattr open execute };
+allow init connfwexe:process { siginh transition rlimitinh };
+allow init connfwexe_exec:file { read getattr open execute };
+allow init cs:process { siginh transition rlimitinh };
+allow init cs_exec:file { read getattr open execute };
+allow init ddexe:process { siginh transition rlimitinh };
+allow init ddexe_exec:file { read getattr open execute };
+allow init ftm_ptt:process { siginh transition rlimitinh };
+allow init ftm_ptt_exec:file { read getattr open execute };
+allow init qmiproxy:process { siginh transition rlimitinh };
+allow init qmiproxy_exec:file { read getattr open execute };
+allow init rild:process { siginh transition rlimitinh };
+allow init smdexe:process { siginh transition rlimitinh };
+allow init smdexe_exec:file { read getattr open execute };
+allow init ss_conn_daemon:process { siginh transition rlimitinh };
+allow init ss_conn_daemon_exec:file { read getattr open execute };
+allow init tee:process { siginh transition rlimitinh };
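Review bot: The rules added under `#new#` appear to duplicate what `init_daemon_domain(...)` already sets up, since the new .te files in this commit (ftm_ptt.te, insthk.te, otp_server.te and others) each call that macro for their domain. If that holds, the `transition`/`siginh`/`rlimitinh` and `_exec:file` pairs can be dropped. Where a line is needed because the domain is not covered that way (the `rild` and `tee` lines come without a matching `_exec` rule, for instance), replace `#new#` with a comment giving the reason, such as `# init starts rild directly; transition not granted by platform policy`.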
diff --git a/sepolicy/init_shell.te b/sepolicy/init_shell.te
index ff77ba7..6657a8b 100644
--- a/sepolicy/init_shell.te
+++ b/sepolicy/init_shell.te
@@ -1,2 +1,23 @@
#============= init_shell ==============
allow init_shell bluetooth_loader_exec:file execute_no_trans;
+allow init_shell at_distributor:dir getattr;
+allow init_shell at_distributor:file { read getattr open };
+allow init_shell connfwexe:dir getattr;
+allow init_shell ddexe:dir { read search open };
+allow init_shell ddexe:file getattr;
+allow init_shell firmware_file:dir { read search ioctl open getattr };
+allow init_shell firmware_file:file { read lock ioctl open getattr };
+allow init_shell fm_radio_device:chr_file { read lock getattr write ioctl open append };
+allow init_shell imei_efs_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow init_shell imei_efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow init_shell nfc:file { read getattr open };
+allow init_shell qmuxd:dir getattr;
+allow init_shell qmuxd:file { read getattr open };
+allow init_shell qseecom_device:chr_file { read lock getattr write ioctl open append };
+allow init_shell radio:dir getattr;
+allow init_shell radio:file { read getattr open };
+allow init_shell radio_device:chr_file { read lock getattr write ioctl open append };
+allow init_shell rild:dir { read open };
+allow init_shell rild:file { read open };
+allow init_shell sec-ril:dir getattr;
+allow init_shell tee:dir { read getattr open search };
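Review bot: `allow init_shell imei_efs_file:dir { ... }` and the matching `:file` rule give the init shell domain create, write, rename and unlink on the IMEI EFS files, and nothing in the hunk says which script needs that. Together with the read/write rules on `qseecom_device` and `radio_device`, every shell script run in this domain can then modify those files and talk to those devices. I would narrow the two rules to what the script is seen to do, e.g. `allow init_shell imei_efs_file:file { read open getattr };`, or move the work into a dedicated domain, and add a comment naming the script. The `:dir`/`:file` rules on `at_distributor`, `rild`, `radio` and the other process domains look like the side effect of a process listing and are probably better written as `dontaudit`.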
diff --git a/sepolicy/insthk.te b/sepolicy/insthk.te
new file mode 100644
index 0000000..47e9ba7
--- /dev/null
+++ b/sepolicy/insthk.te
@@ -0,0 +1,42 @@
+#===============insthk====================
+type insthk, domain;
+type insthk_exec, exec_type, file_type;
+init_daemon_domain(insthk)
+net_domain(insthk)
+
+# To make VT call
+binder_use(insthk)
+
+allow insthk drm_efs_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow insthk drm_efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow insthk drm_efs_file:lnk_file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow insthk firmware_file:file { read lock ioctl open getattr };
+allow insthk init:process sigchld;
+allow insthk insthk:appletalk_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow insthk insthk:capability { sys_nice chown ipc_lock dac_override };
+allow insthk insthk:dir { read search ioctl open getattr };
+allow insthk insthk:fd use;
+allow insthk insthk:fifo_file { read lock getattr write ioctl open append };
+allow insthk insthk:file { read lock getattr write ioctl open append };
+allow insthk insthk:ipc { unix_read setattr associate read create write getattr unix_write destroy };
+allow insthk insthk:key { search setattr read create write link view };
+allow insthk insthk:key_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow insthk insthk:lnk_file { read lock ioctl open getattr };
+allow insthk insthk:msg { receive send };
+allow insthk insthk:msgq { unix_read setattr associate read create write enqueue getattr unix_write destroy };
+allow insthk insthk:netlink_route_socket { nlmsg_write lock accept connect shutdown append create nlmsg_read write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow insthk insthk:netlink_selinux_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow insthk insthk:packet_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow insthk insthk:process { sigkill share getpgid signull setkeycreate siginh getattr setcurrent setrlimit rlimitinh fork getsession setexec setpgid setsched sigstop ptrace noatsecure setsockcreate setfscreate execheap sigchld execstack signal transition setcap execmem getcap getsched dyntransition };
+allow insthk insthk:rawip_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow insthk insthk:sem { unix_read setattr associate read create write getattr unix_write destroy };
+allow insthk insthk:shm { unix_read setattr associate read lock create write getattr unix_write destroy };
+allow insthk insthk:socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow insthk insthk:tcp_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind name_connect send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow insthk insthk:tun_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read attach_queue ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow insthk insthk:udp_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow insthk insthk:unix_dgram_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow insthk insthk:unix_stream_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow insthk insthk_exec:file { read open getattr entrypoint execute };
+allow insthk insthk_tmpfs:file { read write };
+allow insthk qseecom_device:chr_file { read lock getattr write ioctl open append };
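Review bot: `allow insthk insthk:capability { sys_nice chown ipc_lock dac_override };` includes `dac_override`, which lets the daemon ignore file ownership and mode bits; combined with the create/rename/unlink access to `drm_efs_file` and read/write on `qseecom_device`, that is a wide grant for one helper. Fixing the owner or group of the files it touches and dropping `dac_override` (and `chown`, if it is then unused) would be the narrower fix. A comment above the `drm_efs_file` rules saying which files under /efs/drm the daemon writes would make a later tightening possible.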
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index e91df9d..8832b65 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -4,3 +4,29 @@
allow mediaserver camera_prop:property_service set;
allow mediaserver snd_data_file:dir { add_name open search write };
allow mediaserver snd_data_file:file { getattr open read write create_file_perms };
+allow mediaserver at_distributor:fd use;
+allow mediaserver efs_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow mediaserver efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow mediaserver firmware_file:dir { read search ioctl open getattr };
+allow mediaserver firmware_file:file { read lock ioctl open getattr };
+allow mediaserver fm_radio_device:chr_file { read lock getattr write ioctl open append };
+allow mediaserver nfc:binder { transfer call };
+allow mediaserver nfc:fd use;
+allow mediaserver radio:binder { transfer call };
+allow mediaserver radio:dir { read search ioctl open getattr };
+allow mediaserver radio:fd use;
+allow mediaserver radio:file { read lock ioctl open getattr };
+allow mediaserver radio_data_file:dir search;
+allow mediaserver radio_data_file:file { read lock ioctl open getattr };
+allow mediaserver sec_efs_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow mediaserver sec_efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow mediaserver system_data_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow mediaserver system_data_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow mediaserver system_data_file:sock_file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow mediaserver system_fifo:dir { read search ioctl open getattr };
+allow mediaserver system_file:dir { read search ioctl open getattr };
+allow mediaserver system_file:file { getattr execute execute_no_trans };
+allow mediaserver system_prop:property_service set;
+allow mediaserver system_server:binder { transfer call };
+allow mediaserver system_server:dir { read search ioctl open getattr };
+allow mediaserver system_server:fd use;
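Review bot: mediaserver handles untrusted media input, yet the added rules give it create, write, rename and unlink on `system_data_file` directories, files and sockets and on `efs_file` and `sec_efs_file`, plus `system_prop:property_service set` and `system_file:file { getattr execute execute_no_trans }`. A compromise of the media parser would then reach generic system data, the EFS partition and system properties. The existing `snd_data_file` rules at the top of the hunk show the better pattern: label the specific directory mediaserver needs with its own type and grant that, and give the property its own `_prop` type as `camera_prop` does. If some of these rules only silence harmless denials, `dontaudit` is the safer form.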
diff --git a/sepolicy/mtp.te b/sepolicy/mtp.te
new file mode 100644
index 0000000..792850b
--- /dev/null
+++ b/sepolicy/mtp.te
@@ -0,0 +1,22 @@
+#================mtp=====================
+allow mtp kernel:system module_request;
+allow mtp mtp:appletalk_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow mtp mtp:ipc { unix_read setattr associate read create write getattr unix_write destroy };
+allow mtp mtp:key { search setattr read create write link view };
+allow mtp mtp:key_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow mtp mtp:msg { receive send };
+allow mtp mtp:msgq { unix_read setattr associate read create write enqueue getattr unix_write destroy };
+allow mtp mtp:netlink_route_socket { nlmsg_write lock accept connect shutdown append create nlmsg_read write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow mtp mtp:netlink_selinux_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow mtp mtp:packet_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow mtp mtp:process { sigkill share getpgid signull setkeycreate siginh getattr setcurrent setrlimit rlimitinh fork getsession setexec setpgid setsched sigstop ptrace noatsecure setsockcreate setfscreate execheap sigchld execstack signal transition setcap execmem getcap getsched dyntransition };
+allow mtp mtp:rawip_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow mtp mtp:sem { unix_read setattr associate read create write getattr unix_write destroy };
+allow mtp mtp:shm { unix_read setattr associate read lock create write getattr unix_write destroy };
+allow mtp mtp:socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow mtp mtp:tcp_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind name_connect send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow mtp mtp:tun_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read attach_queue ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow mtp mtp:udp_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow mtp mtp:unix_dgram_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow mtp mtp:unix_stream_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow mtp port:tcp_socket name_connect;
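Review bot: This new file writes rules for the source domain `mtp` but never declares it; there is no `type mtp, domain;` here, and the file.te hunk of this commit does not add one either. Unless the type is declared elsewhere in the tree, the policy will not compile, so the file should open with `type mtp, domain;` (plus an `mtp_exec` type and `init_daemon_domain(mtp)` if init is meant to start it). `allow mtp kernel:system module_request;` also lets the domain trigger kernel module autoloading and deserves a comment naming the module that is expected.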
diff --git a/sepolicy/otp_server.te b/sepolicy/otp_server.te
new file mode 100644
index 0000000..8f21f76
--- /dev/null
+++ b/sepolicy/otp_server.te
@@ -0,0 +1,54 @@
+#======================otp_server================================
+type otp_server, domain;
+type otp_server_exec, exec_type, file_type;
+init_daemon_domain(otp_server)
+net_domain(otp_server)
+
+# To make VT call
+binder_use(otp_server)
+
+allow otp_server app_efs_file:file { read open };
+allow otp_server efs_file:dir { read search ioctl open getattr };
+allow otp_server efs_file:file { read lock ioctl open getattr };
+allow otp_server efs_file:lnk_file { read lock ioctl open getattr };
+allow otp_server firmware_file:dir { read search ioctl open getattr };
+allow otp_server firmware_file:file { read lock ioctl open getattr };
+allow otp_server init:process sigchld;
+allow otp_server otp_server:appletalk_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow otp_server otp_server:capability sys_nice;
+allow otp_server otp_server:dir { read search ioctl open getattr };
+allow otp_server otp_server:fd use;
+allow otp_server otp_server:fifo_file { read lock getattr write ioctl open append };
+allow otp_server otp_server:file { read lock getattr write ioctl open append };
+allow otp_server otp_server:ipc { unix_read setattr associate read create write getattr unix_write destroy };
+allow otp_server otp_server:key { search setattr read create write link view };
+allow otp_server otp_server:key_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow otp_server otp_server:lnk_file { read lock ioctl open getattr };
+allow otp_server otp_server:msg { receive send };
+allow otp_server otp_server:msgq { unix_read setattr associate read create write enqueue getattr unix_write destroy };
+allow otp_server otp_server:netlink_route_socket { nlmsg_write lock accept connect shutdown append create nlmsg_read write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow otp_server otp_server:netlink_selinux_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow otp_server otp_server:packet_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow otp_server otp_server:process { sigkill share getpgid signull setkeycreate siginh getattr setcurrent setrlimit rlimitinh fork getsession setexec setpgid setsched sigstop ptrace noatsecure setsockcreate setfscreate execheap sigchld execstack signal transition setcap execmem getcap getsched dyntransition };
+allow otp_server otp_server:rawip_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow otp_server otp_server:sem { unix_read setattr associate read create write getattr unix_write destroy };
+allow otp_server otp_server:shm { unix_read setattr associate read lock create write getattr unix_write destroy };
+allow otp_server otp_server:socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow otp_server otp_server:tcp_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind name_connect send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow otp_server otp_server:tun_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read attach_queue ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow otp_server otp_server:udp_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow otp_server otp_server:unix_dgram_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow otp_server otp_server:unix_stream_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow otp_server otp_server_exec:file { read open getattr entrypoint execute };
+allow otp_server otp_server_tmpfs:file { read write };
+allow otp_server platform_app_data_file:dir { search read getattr write ioctl remove_name open add_name };
+allow otp_server platform_app_data_file:file { read lock getattr write ioctl open append };
+allow otp_server qseecom_device:chr_file { read write ioctl open };
+allow otp_server radio_data_file:dir search;
+allow otp_server radio_data_file:file { read open };
+allow otp_server servicemanager:binder { transfer call };
+allow otp_server shell_exec:file { read execute open execute_no_trans };
+allow otp_server system_file:file execute_no_trans;
+allow otp_server system_server:fifo_file { read write ioctl getattr };
+allow otp_server system_server:process sigchld;
+allow otp_server wifi_efs_file:file { read open };
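Review bot: `allow otp_server shell_exec:file { read execute open execute_no_trans };` and `allow otp_server system_file:file execute_no_trans;` let the daemon run the shell and any system binary inside its own domain, so whatever it spawns inherits its access to `qseecom_device`, the EFS files and the network. If shelling out is really required, a transition into a separate, narrow domain is safer than `execute_no_trans`; otherwise both rules should go. The write access to `platform_app_data_file` has no comment either, so it is not clear which app's data the daemon is meant to modify.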
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
index f61ea51..c8b9256 100644
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@@ -3,4 +3,3 @@
persist.soc_camera.flicker u:object_r:camera_prop:s0
service.camera.hdmi_preview u:object_r:camera_prop:s0
-
diff --git a/sepolicy/qmiproxy.te b/sepolicy/qmiproxy.te
new file mode 100644
index 0000000..ecb4ce5
--- /dev/null
+++ b/sepolicy/qmiproxy.te
@@ -0,0 +1,42 @@
+#==========================qmiproxy===================================
+type qmiproxy, domain;
+type qmiproxy_exec, exec_type, file_type;
+init_daemon_domain(qmiproxy)
+net_domain(qmiproxy)
+
+# To make VT call
+binder_use(qmiproxy)
+
+allow qmiproxy diag_device:chr_file { read lock getattr write ioctl open append };
+allow qmiproxy init:process sigchld;
+allow qmiproxy init:unix_stream_socket connectto;
+allow qmiproxy property_socket:sock_file { write open append };
+allow qmiproxy qmiproxy:appletalk_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow qmiproxy qmiproxy:dir { read search ioctl open getattr };
+allow qmiproxy qmiproxy:fd use;
+allow qmiproxy qmiproxy:fifo_file { read lock getattr write ioctl open append };
+allow qmiproxy qmiproxy:file { read lock getattr write ioctl open append };
+allow qmiproxy qmiproxy:ipc { unix_read setattr associate read create write getattr unix_write destroy };
+allow qmiproxy qmiproxy:key { search setattr read create write link view };
+allow qmiproxy qmiproxy:key_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow qmiproxy qmiproxy:lnk_file { read lock ioctl open getattr };
+allow qmiproxy qmiproxy:msg { receive send };
+allow qmiproxy qmiproxy:msgq { unix_read setattr associate read create write enqueue getattr unix_write destroy };
+allow qmiproxy qmiproxy:netlink_route_socket { nlmsg_write lock accept connect shutdown append create nlmsg_read write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow qmiproxy qmiproxy:netlink_selinux_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow qmiproxy qmiproxy:packet_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow qmiproxy qmiproxy:process { sigkill share getpgid signull setkeycreate siginh getattr setcurrent setrlimit rlimitinh fork getsession setexec setpgid setsched sigstop ptrace noatsecure setsockcreate setfscreate execheap sigchld execstack signal transition setcap execmem getcap getsched dyntransition };
+allow qmiproxy qmiproxy:rawip_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow qmiproxy qmiproxy:sem { unix_read setattr associate read create write getattr unix_write destroy };
+allow qmiproxy qmiproxy:shm { unix_read setattr associate read lock create write getattr unix_write destroy };
+allow qmiproxy qmiproxy:socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow qmiproxy qmiproxy:tcp_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind name_connect send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow qmiproxy qmiproxy:tun_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read attach_queue ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow qmiproxy qmiproxy:udp_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow qmiproxy qmiproxy:unix_dgram_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow qmiproxy qmiproxy:unix_stream_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow qmiproxy qmiproxy_exec:file { read open getattr entrypoint execute };
+allow qmiproxy qmiproxy_tmpfs:file { read write };
+allow qmiproxy qmuxd_socket:dir { write remove_name search open add_name };
+allow qmiproxy qmuxd_socket:sock_file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow qmiproxy radio_prop:property_service set;
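Review bot: The `qmiproxy:process` rule grants every self process permission, including `ptrace`, `execmem`, `execstack`, `execheap`, `setcurrent` and `dyntransition`. That leaves a daemon which is also in `net_domain` free to map writable-executable memory and to change its own domain. The same blanket rule is repeated in radio.te, rild.te and sec-ril.te in this commit. The set reads like generated output rather than something derived from denials, so I would start from something like `allow qmiproxy self:process { fork sigchld signal getsched setsched };` and add back only what the audit log shows. The self socket classes (`appletalk_socket`, `key_socket`, `packet_socket`, `tun_socket`, `netlink_selinux_socket`) deserve the same pruning, and the copied `# To make VT call` comment should say why this daemon needs `binder_use`.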
diff --git a/sepolicy/qmuxd.te b/sepolicy/qmuxd.te
index 0bfb65f..c28f17e 100644
--- a/sepolicy/qmuxd.te
+++ b/sepolicy/qmuxd.te
@@ -1,2 +1,4 @@
#============= qmuxd ==============
allow qmuxd devpts:chr_file { read write };
+allow qmuxd bugreport_exec:file { execute execute_no_trans };
+allow qmuxd cgroup:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
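Review bot: `allow qmuxd bugreport_exec:file { execute execute_no_trans };` runs the bugreport binary inside qmuxd's own domain, so whatever it does is checked against the modem multiplexer's permissions rather than a diagnostic domain. If qmuxd really has to start it, a domain transition to the domain that binary normally runs in keeps the two separated; if the denial only came from a debug build, drop the rule. The `cgroup:dir` rule also grants `create`, `rmdir`, `rename` and `reparent`, where a daemon that only joins a cgroup would normally need no more than `allow qmuxd cgroup:dir { search write };`. Neither rule has a comment tying it to an observed denial.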
diff --git a/sepolicy/radio.te b/sepolicy/radio.te
new file mode 100644
index 0000000..7263bfb
--- /dev/null
+++ b/sepolicy/radio.te
@@ -0,0 +1,102 @@
+#====================radio======================
+allow radio app_data_file:dir { read search ioctl open getattr };
+allow radio app_data_file:file { read lock getattr write ioctl open append };
+allow radio app_efs_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow radio app_efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow radio app_library_file:dir { read search ioctl open getattr };
+allow radio at_distributor:binder transfer;
+allow radio at_distributor:unix_stream_socket connectto;
+allow radio bluetooth_efs_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow radio bluetooth_efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow radio bugreport_exec:file { execute execute_no_trans };
+allow radio carrier_file:dir { read search ioctl open getattr };
+allow radio carrier_file:file { read lock ioctl open getattr };
+allow radio cpk_efs_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow radio cpk_efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow radio device:sock_file write;
+allow radio devpts:chr_file { read write };
+allow radio drm_data_file:dir { read lock reparent getattr ioctl rmdir remove_name open add_name };
+allow radio drm_data_file:file { read lock ioctl open getattr };
+allow radio dumplog_data_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow radio dumplog_data_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow radio dumplog_data_file:sock_file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow radio dumpstate:binder transfer;
+allow radio dumpstate_exec:file { execute execute_no_trans };
+allow radio dumpstate_socket:sock_file write;
+allow radio dumpsys:binder transfer;
+allow radio dumpsys_exec:file { execute execute_no_trans };
+allow radio efs_file:dir { rename search setattr create reparent getattr ioctl link rmdir remove_name unlink open add_name };
+allow radio efs_file:file { rename setattr lock create getattr ioctl link unlink open };
+allow radio genlock_device:chr_file { read lock getattr write ioctl open append };
+allow radio gpu_device:chr_file { execute read lock getattr write ioctl open append };
+allow radio graphics_device:chr_file { read lock getattr write ioctl open append };
+allow radio healthd:binder { transfer call };
+allow radio healthd:fd use;
+allow radio imei_efs_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow radio imei_efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+#allow radio ims_service:service_manager add;
+allow radio init:unix_stream_socket { read write setopt connectto };
+allow radio init_shell:unix_stream_socket connectto;
+allow radio init_tmpfs:file read;
+allow radio insthk_exec:file { getattr execute execute_no_trans };
+allow radio jackservice:binder { transfer call };
+allow radio jackservice:fd use;
+allow radio log_device:chr_file { read lock ioctl open getattr };
+allow radio mediaserver:binder transfer;
+allow radio platform_app_data_file:file { write open append };
+allow radio qmuxd_socket:sock_file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow radio radio:appletalk_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow radio radio:ipc { unix_read setattr associate read create write getattr unix_write destroy };
+allow radio radio:key { search setattr read create write link view };
+allow radio radio:key_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow radio radio:lnk_file { read lock ioctl open getattr };
+allow radio radio:msg { receive send };
+allow radio radio:msgq { unix_read setattr associate read create write enqueue getattr unix_write destroy };
+allow radio radio:netlink_route_socket { nlmsg_write lock accept connect shutdown append create nlmsg_read write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow radio radio:packet_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow radio radio:process { sigkill share getpgid signull setkeycreate siginh getattr setcurrent setrlimit rlimitinh fork getsession setexec setpgid setsched sigstop ptrace noatsecure setsockcreate setfscreate execheap sigchld execstack signal transition setcap execmem getcap getsched dyntransition };
+allow radio radio:rawip_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow radio radio:sem { unix_read setattr associate read create write getattr unix_write destroy };
+allow radio radio:shm { unix_read setattr associate read lock create write getattr unix_write destroy };
+allow radio radio:socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow radio radio:tcp_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind name_connect send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow radio radio:tun_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read attach_queue ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow radio radio:udp_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow radio radio:unix_dgram_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow radio radio:unix_stream_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow radio rild_socket:sock_file { write open append };
+allow radio sdcard_type:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow radio sdcard_type:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow radio sec_efs_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow radio sec_efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow radio sensorhubservice:binder { transfer call };
+allow radio sensorhubservice:fd use;
+allow radio servicemanager:binder { transfer call };
+allow radio servicemanager:fd use;
+allow radio shell_data_file:dir { read search ioctl open getattr };
+allow radio shell_data_file:file { read lock ioctl open getattr };
+allow radio shell_exec:file { execute read lock getattr execute_no_trans ioctl open };
+allow radio surfaceflinger:binder transfer;
+allow radio sysfs:file { open append };
+allow radio sysfs_battery_supply:file { read lock getattr write ioctl open append };
+allow radio sysfs_sec:file { read lock getattr write ioctl open append };
+allow radio sysfs_sensor_writable:file { read lock getattr write ioctl open append };
+allow radio sysfs_ss_writable:file { read lock getattr write ioctl open append };
+allow radio system_app:fifo_file { write open append };
+allow radio system_app:unix_stream_socket connectto;
+allow radio system_app_data_file:file setattr;
+allow radio system_data_file:dir { read search ioctl open getattr };
+allow radio system_data_file:file { read lock ioctl open getattr };
+allow radio system_file:file execute_no_trans;
+allow radio system_file:lnk_file getattr;
+allow radio system_prop:property_service set;
+allow radio system_server:tcp_socket { read write };
+allow radio system_server:unix_stream_socket { connectto setopt };
+#allow radio telecom_service:service_manager add;
+allow radio tmpfs:file { read lock ioctl open getattr };
+allow radio tz_socket:sock_file write;
+allow radio usb_device:chr_file { read lock getattr write ioctl open append };
+allow radio wifi_efs_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow radio wifi_efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow radio zygote:binder { transfer call };
+allow radio zygote:fd use;
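Review bot: `allow radio device:sock_file write;`, `allow radio sysfs:file { open append };` and `allow radio system_prop:property_service set;` are written against catch-all types. They therefore cover every socket left with the generic `device` label, every unlabeled sysfs node and every property under `system_prop`, not just the one that produced the denial. The usual fix is to give the specific node its own type in file_contexts or property_contexts and allow only that, e.g. `allow radio <vendor_socket_type>:sock_file write;` (placeholder type name). The full read/write/unlink rules on `sdcard_type` and on the various `*_efs_file` types should be checked the same way, since radio is an app-facing domain. The two commented-out `service_manager add` rules should either be removed or carry a comment saying why they are disabled.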
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index b88247a..db0134b 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -1,2 +1,107 @@
#============= rild ==============
allow rild proc_net:file { open read write };
+allow rild anr_data_file:dir { search read getattr write ioctl remove_name open add_name };
+allow rild anr_data_file:file { read lock getattr write ioctl open append };
+allow rild app_data_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow rild app_data_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow rild app_efs_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow rild app_efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow rild ashmem_device:chr_file execute;
+allow rild at_distributor:dir { read search ioctl open getattr };
+allow rild at_distributor:file { read lock ioctl open getattr };
+allow rild bin_nv_data_efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow rild block_device:dir { read search ioctl open getattr };
+allow rild bluetooth:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow rild bluetooth:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow rild ctl_dumpstate_prop:property_service set;
+allow rild ctl_rildaemon_prop:property_service set;
+allow rild device:dir { search read getattr write ioctl remove_name open add_name };
+allow rild device:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow rild diag_device:chr_file { read lock getattr write ioctl open append };
+allow rild dumplog_data_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow rild dumplog_data_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow rild dumplog_data_file:sock_file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow rild dumpstate_exec:file { getattr execute execute_no_trans };
+allow rild dumpstate_socket:sock_file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow rild dumpsys_exec:file { execute execute_no_trans };
+allow rild efs_gsm_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow rild efs_gsm_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow rild emmcblk_device:blk_file { read lock getattr write ioctl open append };
+allow rild esoc_device:chr_file { read lock getattr write ioctl open append };
+allow rild fuse:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow rild fuse:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow rild gpsd:dir { read search ioctl open getattr };
+allow rild gpsd:file { read lock ioctl open getattr };
+allow rild imei_efs_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow rild imei_efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow rild init:dir { read search ioctl open getattr };
+allow rild init:file { read lock ioctl open getattr };
+allow rild init:tun_socket relabelfrom;
+allow rild mbin_device:lnk_file { read lock ioctl open getattr };
+allow rild media_rw_data_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow rild media_rw_data_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow rild mediaserver:binder { transfer call };
+allow rild mediaserver:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow rild mediaserver:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow rild nv_core_efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow rild per_mgr:binder { transfer call };
+allow rild per_mgr:fd use;
+allow rild platform_app:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow rild platform_app:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow rild proc:file { write open append };
+allow rild proc_net:file { write open append };
+allow rild qmuxd_socket:sock_file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow rild radio:dir { read search ioctl open getattr };
+allow rild radio:file { read lock ioctl open getattr };
+allow rild radio_data_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow rild rild:appletalk_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow rild rild:capability { setuid net_raw dac_override dac_read_search chown net_admin };
+allow rild rild:ipc { unix_read setattr associate read create write getattr unix_write destroy };
+allow rild rild:key { search setattr read create write link view };
+allow rild rild:key_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow rild rild:msg { receive send };
+allow rild rild:msgq { unix_read setattr associate read create write enqueue getattr unix_write destroy };
+allow rild rild:netlink_route_socket { nlmsg_write lock accept connect shutdown append create nlmsg_read write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow rild rild:netlink_selinux_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow rild rild:packet_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow rild rild:process { sigkill share getpgid signull setkeycreate siginh getattr setcurrent setrlimit rlimitinh fork getsession setexec setpgid setsched sigstop ptrace noatsecure setsockcreate setfscreate execheap sigchld execstack signal transition setcap execmem getcap getsched dyntransition };
+allow rild rild:rawip_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow rild rild:sem { unix_read setattr associate read create write getattr unix_write destroy };
+allow rild rild:shm { unix_read setattr associate read lock create write getattr unix_write destroy };
+allow rild rild:socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow rild rild:tcp_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind name_connect send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow rild rild:tun_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read attach_queue ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow rild rild:udp_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow rild rild:unix_dgram_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow rild rild:unix_stream_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow rild rild_tmpfs:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow rild rild_tmpfs:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow rild sec_efs_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow rild sec_efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow rild smd_cxm_qmi_device:chr_file { write open append };
+allow rild smdexe:dir { read search ioctl open getattr };
+allow rild smdexe:file { read lock ioctl open getattr };
+allow rild socket_device:dir write;
+allow rild ssr_device:chr_file { read open };
+allow rild sysfs:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow rild sysfs_sec:dir { search read getattr write ioctl remove_name open add_name };
+allow rild sysfs_sec:file { read lock getattr write ioctl open append };
+allow rild sysfs_sec:lnk_file { read lock getattr write ioctl open append };
+allow rild sysfs_ss_writable:file { read lock getattr write ioctl open append };
+allow rild system_app:dir search;
+allow rild system_app:file { read lock ioctl open getattr };
+allow rild system_app_data_file:dir { search read getattr write ioctl remove_name open add_name };
+allow rild system_app_data_file:file { setattr read lock getattr write ioctl open append };
+allow rild system_data_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow rild system_file:dir { read search ioctl open getattr };
+allow rild system_prop:property_service set;
+allow rild system_server:binder { transfer call };
+allow rild system_server:fd use;
+allow rild tombstone_data_file:dir { read search ioctl open getattr };
+allow rild tombstone_data_file:file { read lock ioctl open getattr };
+allow rild tun_device:chr_file { read lock getattr write ioctl open append };
+allow rild uart_device:chr_file { read lock getattr write ioctl open append };
+allow rild usb_device:chr_file { write open append };
+allow rild wpa:dir { read search ioctl open getattr };
+allow rild wpa:file { read lock ioctl open getattr };
+allow rild zygote_exec:file { execute read lock getattr execute_no_trans ioctl open };
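Review bot: `allow rild emmcblk_device:blk_file { read lock getattr write ioctl open append };` gives the RIL daemon raw write access to every block node carrying that label, and the `app_data_file` dir/file rules give it create/write/unlink over application private data. Combined with `dac_override` in the `rild:capability` rule, DAC no longer limits either grant. rild parses data coming from the baseband, so these grants decide how much damage a parsing bug can do. I would label the single partition rild needs with its own type and allow only that, e.g. `allow rild <modem_partition_type>:blk_file { read open getattr };` (placeholder type name), and drop the `app_data_file` write permissions unless a denial shows a concrete path. The write/create permissions on process types such as `mediaserver:dir` and `platform_app:file` look like generator noise and can go.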
diff --git a/sepolicy/sec-ril.te b/sepolicy/sec-ril.te
new file mode 100644
index 0000000..b699266
--- /dev/null
+++ b/sepolicy/sec-ril.te
@@ -0,0 +1,83 @@
+#============sec-ril===========================
+type sec-ril, domain;
+type sec-ril_exec, exec_type, file_type;
+init_daemon_domain(sec-ril)
+net_domain(sec-ril)
+
+# To make VT call
+binder_use(sec-ril)
+
+allow sec-ril alarm_device:chr_file write;
+allow sec-ril anr_data_file:dir { read search ioctl open getattr };
+allow sec-ril anr_data_file:file { read lock getattr write ioctl open append };
+allow sec-ril app_data_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow sec-ril app_data_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow sec-ril app_efs_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow sec-ril app_efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow sec-ril ashmem_device:chr_file { execute read lock getattr execute_no_trans ioctl open };
+allow sec-ril carrier_efs_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow sec-ril carrier_efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow sec-ril dumplog_data_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow sec-ril dumplog_data_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow sec-ril dumplog_data_file:sock_file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow sec-ril dumpstate_exec:file { execute execute_no_trans };
+allow sec-ril dumpsys_exec:file { execute execute_no_trans };
+allow sec-ril efs_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow sec-ril efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow sec-ril imei_efs_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow sec-ril imei_efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow sec-ril init:process sigchld;
+allow sec-ril init:unix_stream_socket connectto;
+allow sec-ril kernel:system { module_request syslog_read };
+allow sec-ril property_socket:sock_file write;
+allow sec-ril qmuxd:unix_stream_socket connectto;
+allow sec-ril qmuxd_socket:dir { write add_name };
+allow sec-ril qmuxd_socket:sock_file { write create setattr };
+allow sec-ril radio_data_file:dir { search read getattr write ioctl remove_name open add_name };
+allow sec-ril radio_data_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow sec-ril radio_device:chr_file { read lock getattr write ioctl open append };
+allow sec-ril radio_prop:property_service set;
+allow sec-ril rild:unix_stream_socket connectto;
+allow sec-ril rootfs:file execute;
+allow sec-ril sec-ril:appletalk_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow sec-ril sec-ril:capability { setuid sys_module sys_nice dac_override net_raw chown net_admin };
+allow sec-ril sec-ril:dir { read search ioctl open getattr };
+allow sec-ril sec-ril:fd use;
+allow sec-ril sec-ril:fifo_file { read lock getattr write ioctl open append };
+allow sec-ril sec-ril:file { read lock getattr write ioctl open append };
+allow sec-ril sec-ril:ipc { unix_read setattr associate read create write getattr unix_write destroy };
+allow sec-ril sec-ril:key { search setattr read create write link view };
+allow sec-ril sec-ril:key_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow sec-ril sec-ril:lnk_file { read lock ioctl open getattr };
+allow sec-ril sec-ril:msg { receive send };
+allow sec-ril sec-ril:msgq { unix_read setattr associate read create write enqueue getattr unix_write destroy };
+allow sec-ril sec-ril:netlink_route_socket { nlmsg_write lock accept connect shutdown append create nlmsg_read write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow sec-ril sec-ril:netlink_selinux_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow sec-ril sec-ril:packet_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow sec-ril sec-ril:process { sigkill share getpgid signull setkeycreate siginh getattr setcurrent setrlimit rlimitinh fork getsession setexec setpgid setsched sigstop ptrace noatsecure setsockcreate setfscreate execheap sigchld execstack signal transition setcap execmem getcap getsched dyntransition };
+allow sec-ril sec-ril:rawip_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow sec-ril sec-ril:sem { unix_read setattr associate read create write getattr unix_write destroy };
+allow sec-ril sec-ril:shm { unix_read setattr associate read lock create write getattr unix_write destroy };
+allow sec-ril sec-ril:socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow sec-ril sec-ril:tcp_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind name_connect send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow sec-ril sec-ril:tun_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read attach_queue ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow sec-ril sec-ril:udp_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow sec-ril sec-ril:unix_dgram_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow sec-ril sec-ril:unix_stream_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow sec-ril sec-ril_exec:file { read open getattr entrypoint execute };
+allow sec-ril sec-ril_tmpfs:file { read write };
+allow sec-ril sec_efs_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow sec-ril sec_efs_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow sec-ril servicemanager:binder { transfer call };
+allow sec-ril servicemanager:fd use;
+allow sec-ril shell_exec:file { execute read lock getattr execute_no_trans ioctl open };
+allow sec-ril sysfs:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow sec-ril sysfs_ss_writable:file { read lock getattr write ioctl open append };
+allow sec-ril sysfs_wake_lock:file { read write open };
+allow sec-ril system_data_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow sec-ril system_data_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow sec-ril system_file:file { getattr execute execute_no_trans };
+allow sec-ril system_prop:property_service set;
+allow sec-ril system_server:binder { transfer call };
+allow sec-ril system_server:fd use;
+allow sec-ril zygote_exec:file { execute read lock getattr execute_no_trans ioctl open };
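Review bot: The `sec-ril:capability` rule includes `sys_module`, and `allow sec-ril kernel:system { module_request syslog_read };` is granted next to it, so this domain can load kernel code and is in effect not confined by the rest of the policy. `allow sec-ril rootfs:file execute;` and the writable `sysfs:file` rule widen that further. Unless the daemon demonstrably inserts a module itself, I would reduce the capability line to what the denials require, for example `allow sec-ril self:capability { setuid net_raw net_admin };`, and leave module loading to init. It is also worth checking these rules against the tree's neverallow assertions before merging. The hyphen in the type name `sec-ril` is unusual for policy identifiers and `sec_ril` would match the rest of the tree.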
diff --git a/sepolicy/shell.te b/sepolicy/shell.te
index 1676908..46b2c42 100644
--- a/sepolicy/shell.te
+++ b/sepolicy/shell.te
@@ -1,3 +1,7 @@
#============= shell ==============
allow shell block_device:dir search;
#allow shell labeledfs:filesystem remount;
+allow shell efs_file:dir { read search ioctl open getattr };
+allow shell firmware_file:dir { read search ioctl open getattr };
+allow shell firmware_file:file { read lock ioctl open getattr };
+allow shell firmware_file:lnk_file { read lock ioctl open getattr };
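Review bot: The four added `allow shell ...` rules extend the adb shell domain on every build type, and nothing in the hunk says why the shell needs to list `efs_file` directories or read `firmware_file` contents. If this is only needed for bring-up or debugging, the rules belong inside a `userdebug_or_eng()` block so that user builds keep the stock shell policy. Either way, a comment above them naming the tool or command that triggered the denials would help, for example `# <tool> run from adb shell reads firmware images; see denial log`. Whether `efs_file` holds device-unique data is not visible here, but that is worth confirming before directory listing is exposed to the shell.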
diff --git a/sepolicy/smdexe.te b/sepolicy/smdexe.te
new file mode 100644
index 0000000..65e387d
--- /dev/null
+++ b/sepolicy/smdexe.te
@@ -0,0 +1,44 @@
+#============smdexe============
+type smdexe, domain;
+type smdexe_exec, exec_type, file_type;
+init_daemon_domain(smdexe)
+net_domain(smdexe)
+
+# To make VT call
+binder_use(smdexe)
+
+allow smdexe ddexe:unix_stream_socket connectto;
+allow smdexe dun_device:chr_file { read lock getattr write ioctl open append };
+allow smdexe init:process sigchld;
+allow smdexe rild:unix_stream_socket connectto;
+allow smdexe smd_device:chr_file { read lock getattr write ioctl open append };
+allow smdexe smdexe:appletalk_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow smdexe smdexe:capability { setuid sys_nice dac_override };
+allow smdexe smdexe:dir { read search ioctl open getattr };
+allow smdexe smdexe:fd use;
+allow smdexe smdexe:fifo_file { read lock getattr write ioctl open append };
+allow smdexe smdexe:file { read lock getattr write ioctl open append };
+allow smdexe smdexe:ipc { unix_read setattr associate read create write getattr unix_write destroy };
+allow smdexe smdexe:key { search setattr read create write link view };
+allow smdexe smdexe:key_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow smdexe smdexe:lnk_file { read lock ioctl open getattr };
+allow smdexe smdexe:msg { receive send };
+allow smdexe smdexe:msgq { unix_read setattr associate read create write enqueue getattr unix_write destroy };
+allow smdexe smdexe:netlink_route_socket { nlmsg_write lock accept connect shutdown append create nlmsg_read write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow smdexe smdexe:netlink_selinux_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow smdexe smdexe:packet_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow smdexe smdexe:process { sigkill share getpgid signull setkeycreate siginh getattr setcurrent setrlimit rlimitinh fork getsession setexec setpgid setsched sigstop ptrace noatsecure setsockcreate setfscreate execheap sigchld execstack signal transition setcap execmem getcap getsched dyntransition };
+allow smdexe smdexe:rawip_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow smdexe smdexe:sem { unix_read setattr associate read create write getattr unix_write destroy };
+allow smdexe smdexe:shm { unix_read setattr associate read lock create write getattr unix_write destroy };
+allow smdexe smdexe:socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow smdexe smdexe:tcp_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind name_connect send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow smdexe smdexe:tun_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read attach_queue ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow smdexe smdexe:udp_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow smdexe smdexe:unix_dgram_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow smdexe smdexe:unix_stream_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow smdexe smdexe_exec:file { read open getattr entrypoint execute };
+allow smdexe smdexe_tmpfs:file { read write };
+allow smdexe sysfs:file { read lock getattr write ioctl open append };
+allow smdexe sysfs_ss_writable:file { read lock getattr write ioctl open append };
+allow smdexe system_data_file:sock_file { read lock getattr write ioctl open append };
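Review bot: The self rules for `smdexe` grant close to the full permission set of every class, which leaves the domain confined in name only. The `smdexe:process` rule includes `execmem execstack execheap ptrace setcurrent dyntransition`, and there are self rules for `packet_socket`, `rawip_socket`, `tun_socket` and `appletalk_socket` that a modem helper is unlikely to need. The same pattern repeats in `ss_conn_daemon.te` and `wlandutservice.te` later in this diff. I would start from something like `allow smdexe self:process { fork sigchld signal };`, keep only the socket classes that show up in logged denials, and add permissions back one at a time with a comment for each. Later AOSP base policy, as far as I recall, carries a neverallow on `execstack`/`execheap`, so these rules may also stop compiling on a rebase. The `# To make VT call` comment above `binder_use()` looks copied between files and should say what this daemon actually uses binder for.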
diff --git a/sepolicy/ss_conn_daemon.te b/sepolicy/ss_conn_daemon.te
new file mode 100644
index 0000000..f720ad6
--- /dev/null
+++ b/sepolicy/ss_conn_daemon.te
@@ -0,0 +1,45 @@
+#============ss_conn_daemon=================
+type ss_conn_daemon, domain;
+type ss_conn_daemon_exec, exec_type, file_type;
+init_daemon_domain(ss_conn_daemon)
+net_domain(ss_conn_daemon)
+
+# To make VT call
+binder_use(ss_conn_daemon)
+
+allow ss_conn_daemon init:process sigchld;
+allow ss_conn_daemon node:tcp_socket node_bind;
+allow ss_conn_daemon node:udp_socket node_bind;
+allow ss_conn_daemon port:tcp_socket { name_bind name_connect };
+allow ss_conn_daemon port:udp_socket name_bind;
+allow ss_conn_daemon ss_conn_daemon:appletalk_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ss_conn_daemon ss_conn_daemon:capability sys_nice;
+allow ss_conn_daemon ss_conn_daemon:dir { read search ioctl open getattr };
+allow ss_conn_daemon ss_conn_daemon:fd use;
+allow ss_conn_daemon ss_conn_daemon:fifo_file { read lock getattr write ioctl open append };
+allow ss_conn_daemon ss_conn_daemon:file { read lock getattr write ioctl open append };
+allow ss_conn_daemon ss_conn_daemon:ipc { unix_read setattr associate read create write getattr unix_write destroy };
+allow ss_conn_daemon ss_conn_daemon:key { search setattr read create write link view };
+allow ss_conn_daemon ss_conn_daemon:key_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ss_conn_daemon ss_conn_daemon:lnk_file { read lock ioctl open getattr };
+allow ss_conn_daemon ss_conn_daemon:msg { receive send };
+allow ss_conn_daemon ss_conn_daemon:msgq { unix_read setattr associate read create write enqueue getattr unix_write destroy };
+allow ss_conn_daemon ss_conn_daemon:netlink_route_socket { nlmsg_write lock accept connect shutdown append create nlmsg_read write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ss_conn_daemon ss_conn_daemon:netlink_selinux_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ss_conn_daemon ss_conn_daemon:packet_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ss_conn_daemon ss_conn_daemon:process { sigkill share getpgid signull setkeycreate siginh getattr setcurrent setrlimit rlimitinh fork getsession setexec setpgid setsched sigstop ptrace noatsecure setsockcreate setfscreate execheap sigchld execstack signal transition setcap execmem getcap getsched dyntransition };
+allow ss_conn_daemon ss_conn_daemon:rawip_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow ss_conn_daemon ss_conn_daemon:sem { unix_read setattr associate read create write getattr unix_write destroy };
+allow ss_conn_daemon ss_conn_daemon:shm { unix_read setattr associate read lock create write getattr unix_write destroy };
+allow ss_conn_daemon ss_conn_daemon:socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ss_conn_daemon ss_conn_daemon:tcp_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind name_connect send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow ss_conn_daemon ss_conn_daemon:tun_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read attach_queue ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ss_conn_daemon ss_conn_daemon:udp_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow ss_conn_daemon ss_conn_daemon:unix_dgram_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ss_conn_daemon ss_conn_daemon:unix_stream_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow ss_conn_daemon ss_conn_daemon_exec:file { read open getattr entrypoint execute };
+allow ss_conn_daemon ss_conn_daemon_socket:sock_file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow ss_conn_daemon ss_conn_daemon_tmpfs:file { read write };
+allow ss_conn_daemon system_data_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow ss_conn_daemon system_data_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow ss_conn_daemon usb_device:chr_file { rename setattr read lock create getattr write ioctl link unlink open append };
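Review bot: The two `system_data_file` rules give `ss_conn_daemon` create, write, rename and unlink on the generic data label, so it can modify any file that has not been given a more specific type. The same rules appear for `wlandutservice` in the next file. The usual fix is a dedicated type with a `file_contexts` entry for the daemon's own directory, for example `type ss_conn_daemon_data_file, file_type, data_file_type;`, with the write rules pointed at that type. Two smaller items in this hunk: `port:tcp_socket { name_bind name_connect }` targets the generic `port` type and so covers every port without its own label, and `usb_device:chr_file` includes `create rename link unlink`, where `rw_file_perms` would probably do if the daemon only opens existing device nodes.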
diff --git a/sepolicy/wlandutservice.te b/sepolicy/wlandutservice.te
new file mode 100644
index 0000000..1dbb935
--- /dev/null
+++ b/sepolicy/wlandutservice.te
@@ -0,0 +1,43 @@
+#===========wlandutservice=====================
+type wlandutservice, domain;
+type wlandutservice_exec, exec_type, file_type;
+init_daemon_domain(wlandutservice)
+net_domain(wlandutservice)
+
+# To make VT call
+binder_use(wlandutservice)
+
+allow wlandutservice init:process sigchld;
+allow wlandutservice init:unix_stream_socket connectto;
+allow wlandutservice servicemanager:binder { transfer call };
+allow wlandutservice shell_exec:file { execute read lock getattr execute_no_trans ioctl open };
+allow wlandutservice system_data_file:dir { rename search setattr read create reparent getattr write ioctl link rmdir remove_name unlink open add_name };
+allow wlandutservice system_data_file:file { rename setattr read lock create getattr write ioctl link unlink open append };
+allow wlandutservice system_file:file { execute read lock getattr execute_no_trans ioctl open };
+allow wlandutservice wlandutservice:appletalk_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow wlandutservice wlandutservice:capability { net_admin sys_nice };
+allow wlandutservice wlandutservice:dir { read search ioctl open getattr };
+allow wlandutservice wlandutservice:fd use;
+allow wlandutservice wlandutservice:fifo_file { read lock getattr write ioctl open append };
+allow wlandutservice wlandutservice:file { read lock getattr write ioctl open append };
+allow wlandutservice wlandutservice:ipc { unix_read setattr associate read create write getattr unix_write destroy };
+allow wlandutservice wlandutservice:key { search setattr read create write link view };
+allow wlandutservice wlandutservice:key_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow wlandutservice wlandutservice:lnk_file { read lock ioctl open getattr };
+allow wlandutservice wlandutservice:msg { receive send };
+allow wlandutservice wlandutservice:msgq { unix_read setattr associate read create write enqueue getattr unix_write destroy };
+allow wlandutservice wlandutservice:netlink_route_socket { nlmsg_write lock accept connect shutdown append create nlmsg_read write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow wlandutservice wlandutservice:netlink_selinux_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow wlandutservice wlandutservice:packet_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow wlandutservice wlandutservice:process { sigkill share getpgid signull setkeycreate siginh getattr setcurrent setrlimit rlimitinh fork getsession setexec setpgid setsched sigstop ptrace noatsecure setsockcreate setfscreate execheap sigchld execstack signal transition setcap execmem getcap getsched dyntransition };
+allow wlandutservice wlandutservice:rawip_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow wlandutservice wlandutservice:sem { unix_read setattr associate read create write getattr unix_write destroy };
+allow wlandutservice wlandutservice:shm { unix_read setattr associate read lock create write getattr unix_write destroy };
+allow wlandutservice wlandutservice:socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow wlandutservice wlandutservice:tcp_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind name_connect send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow wlandutservice wlandutservice:tun_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read attach_queue ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow wlandutservice wlandutservice:udp_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto node_bind };
+allow wlandutservice wlandutservice:unix_dgram_socket { lock accept connect shutdown append create write relabelfrom getattr getopt listen setopt read ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow wlandutservice wlandutservice:unix_stream_socket { lock accept connect shutdown append connectto create write relabelfrom getattr getopt listen acceptfrom setopt read newconn ioctl recv_msg name_bind send_msg setattr bind recvfrom sendto relabelto };
+allow wlandutservice wlandutservice_exec:file { read open getattr entrypoint execute };
+#allow wlandutservice wlandutservice_service:service_manager add;
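Review bot: The `shell_exec:file` and `system_file:file` rules both include `execute_no_trans`, so any shell or system binary that `wlandutservice` starts runs in the `wlandutservice` domain and inherits `net_admin` along with the data-file write access granted above. If the daemon really shells out, a comment should say which command it runs, and a dedicated domain with a `domain_auto_trans()` for that helper would keep the capability out of arbitrary scripts. If it does not shell out, drop `execute_no_trans` from both rules. The commented-out `service_manager add` line at the end should either be removed or carry a note on why it is disabled, for example `# service_manager class not available on this policy version`.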