upload android base code part6

android/device/softwinner/common/sepolicy/private/service_contexts

@@ -0,0 +1,2 @@
+background                                u:object_r:background_service:s0
+aw_display                                u:object_r:surfaceflinger_service:s0

android/device/softwinner/common/sepolicy/vendor/adbd.te

@@ -0,0 +1,3 @@
+#============= adbd ==============
+allow adbd vendor_file:file { execute getattr open read };
+

android/device/softwinner/common/sepolicy/vendor/audioserver.te

@@ -0,0 +1 @@
+#============= audioserver ==============

android/device/softwinner/common/sepolicy/vendor/awdisplay.te

@@ -0,0 +1,31 @@
+# awdisplay - awdisplay service
+type awdisplay, domain;
+type awdisplay_exec, exec_type, file_type;
+init_daemon_domain(awdisplay)
+
+typeattribute awdisplay coredomain;
+typeattribute awdisplay mlstrustedsubject;
+typeattribute awdisplay display_service_server;
+
+#read_runtime_log_tags(surfaceflinger)
+
+# Perform HwBinder IPC.
+hal_client_domain(awdisplay, hal_graphics_allocator)
+hal_client_domain(awdisplay, hal_graphics_composer)
+hal_client_domain(awdisplay, hal_configstore)
+allow awdisplay hidl_token_hwservice:hwservice_manager find;
+
+# Perform Binder IPC.
+binder_use(awdisplay)
+binder_call(awdisplay, binderservicedomain)
+binder_call(awdisplay, appdomain)
+binder_call(awdisplay, bootanim)
+binder_service(awdisplay)
+
+# Binder IPC to bu, presently runs in adbd domain.
+binder_call(awdisplay, adbd)
+
+# Set properties.
+set_prop(awdisplay, system_prop)
+
+allow awdisplay surfaceflinger_service:service_manager { add find };

android/device/softwinner/common/sepolicy/vendor/awinit.te

@@ -0,0 +1 @@
+type awinit, domain;

android/device/softwinner/common/sepolicy/vendor/bluetooth.te

@@ -0,0 +1,2 @@
+#============= bluetooth ==============
+allow bluetooth vendor_file:file { execute getattr open read };

android/device/softwinner/common/sepolicy/vendor/bootanim.te

@@ -0,0 +1,2 @@
+allow bootanim vendor_file:file { execute getattr open read };
+allow bootanim sysfs:file write;

android/device/softwinner/common/sepolicy/vendor/cameraserver.te

@@ -0,0 +1,3 @@
+#============= cameraserver ==============
+allow cameraserver vendor_file:file { execute getattr open read };
+allow cameraserver hal_allocator_server:fd use;

android/device/softwinner/common/sepolicy/vendor/crash_dump.te

@@ -0,0 +1,2 @@
+#===========crash_dump ==============
+

android/device/softwinner/common/sepolicy/vendor/device.te

@@ -0,0 +1,2 @@
+type cedar_device, dev_type;
+type private_block_device, dev_type;

android/device/softwinner/common/sepolicy/vendor/e2fs.te

@@ -0,0 +1,8 @@
+#============= e2fs ==============
+#allow e2fs block_device:blk_file read;
+allow e2fs cache_block_device:blk_file { getattr ioctl open read write };
+allow e2fs userdata_block_device:blk_file  { getattr ioctl read write };
+allow e2fs devpts:chr_file { getattr ioctl read write };
+allow e2fs sysfs_fs_ext4_features:dir search;
+allow e2fs system_block_device:blk_file getattr;
+allow e2fs dm_device:blk_file getattr;

android/device/softwinner/common/sepolicy/vendor/file_contexts

@@ -0,0 +1,76 @@
+# label graphics device with a new type, we need
+# to allow write operation from appdomain
+
+# gpu device labeling
+/dev/mali             u:object_r:gpu_device:s0
+/dev/mali0             u:object_r:gpu_device:s0
+#/system/bin/service_atw      u:object_r:surfaceflinger_exec:s0
+
+# graphics device labeling
+/dev/disp               u:object_r:graphics_device:s0
+/dev/transform          u:object_r:graphics_device:s0
+/dev/g2d                u:object_r:graphics_device:s0
+/dev/sw_sync            u:object_r:graphics_device:s0
+
+# cedar_dev
+/dev/cedar_dev             u:object_r:cedar_device:s0
+/dev/googlevp9_dev         u:object_r:cedar_device:s0
+
+# Block labeling
+/dev/block/mmcblk0              u:object_r:root_block_device:s0
+/dev/block/by-name/boot         u:object_r:boot_block_device:s0
+/dev/block/by-name/system       u:object_r:system_block_device:s0
+/dev/block/by-name/recovery     u:object_r:recovery_block_device:s0
+#/dev/block/by-name/userdata    u:object_r:userdata_block_device:s0
+/dev/block/by-name/UDISK        u:object_r:userdata_block_device:s0
+/dev/block/by-name/alog         u:object_r:userdata_block_device:s0
+/dev/block/by-name/metadata     u:object_r:metadata_block_device:s0
+/dev/block/by-name/cache        u:object_r:cache_block_device:s0
+/dev/block/by-name/misc         u:object_r:misc_block_device:s0
+/dev/block/by-name/private      u:object_r:private_block_device:s0
+# factory reset protection partition
+/dev/block/by-name/frp          u:object_r:frp_block_device:s0
+# zram
+/dev/block/zram0                u:object_r:swap_block_device:s0
+
+# Bluetooth
+/dev/ttyS1              u:object_r:hci_attach_dev:s0
+/sys/class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+
+#widevine
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service.widevine    u:object_r:hal_drm_widevine_default_exec:s0
+
+# optee
+/dev/tee0               u:object_r:tee_device:s0
+/dev/teepriv0           u:object_r:tee_device:s0
+/data/tee(/.*)?         u:object_r:tee_data_file:s0
+/(vendor|system/vendor)/bin/hw/tee_supplicant     u:object_r:optee_exec:s0
+
+# rild
+/dev/ttyUSB[0-4]  u:object_r:radio_device:s0
+/dev/ttyACM[0-4]  u:object_r:radio_device:s0
+
+# radio_monitor
+/vendor/bin/hw/radio_monitor u:object_r:radio_monitor_exec:s0
+
+# macprog
+/vendor/xbin/macprog\.sh u:object_r:macprog-sh_exec:s0
+
+#memtrack
+/sys/kernel/debug/ion/heaps/cma      u:object_r:sysfs_cma_readable:s0
+
+#sw_sync
+/sys/kernel/debug/sync/sw_sync       u:object_r:sysfs_debugfs_swsync:s0
+
+#vold
+/system/bin/ntfs-3g.probe       u:object_r:fsck_exec:s0
+
+#fs_mgr
+/system/bin/make_ext4fs      u:object_r:e2fs_exec:s0
+
+# awdisplay
+/system/bin/displayservice  u:object_r:awdisplay_exec:s0
+
+# camera
+/dev/media0                 u:object_r:camera_device:s0
+/dev/v4l-subdev[0-8]            u:object_r:camera_device:s0

android/device/softwinner/common/sepolicy/vendor/fsck_untrusted.te

@@ -0,0 +1 @@
+allow fsck_untrusted self:capability sys_admin;

android/device/softwinner/common/sepolicy/vendor/gatekeeperd.te

@@ -0,0 +1 @@
+#============= gatekeeperd ==============

android/device/softwinner/common/sepolicy/vendor/genfs_contexts

@@ -0,0 +1 @@
+genfscon fuseblk / u:object_r:vfat:s0

android/device/softwinner/common/sepolicy/vendor/hal_audio_default.te

@@ -0,0 +1,5 @@
+#===============hal_audio_default ==============
+allow hal_audio_default node:tcp_socket node_bind;
+allow hal_audio_default port:tcp_socket name_bind;
+#allow hal_audio_default self:tcp_socket { accept bind create listen setopt };
+allow hal_audio_default sysfs:file { open read };

android/device/softwinner/common/sepolicy/vendor/hal_bluetooth_default.te

@@ -0,0 +1,14 @@
+
+#============= hal_bluetooth_default ==============
+#allow hal_bluetooth_default self:udp_socket create;
+allow hal_bluetooth_default serial_device:chr_file { read write open };
+allow hal_bluetooth_default sysfs:file rw_file_perms;
+allow hal_bluetooth_default media_rw_data_file:dir { write search create add_name };
+allow hal_bluetooth_default media_rw_data_file:file { write create open };
+allow hal_bluetooth_default storage_stub_file:dir getattr;
+allow hal_bluetooth_default tmpfs:dir { write };
+allow hal_bluetooth_default bluetooth_data_file:dir search;
+allow hal_bluetooth_default bluetooth_data_file:file open;
+allow hal_bluetooth_default bluetooth_data_file:file read;
+allow hal_bluetooth_default proc:file open;
+allow hal_bluetooth_default proc:file write;

android/device/softwinner/common/sepolicy/vendor/hal_camera_default.te

@@ -0,0 +1,5 @@
+#============= hal_camera_default ==============
+allow hal_camera_default cedar_device:chr_file { ioctl open read write };
+allow hal_camera_default vndbinder_device:chr_file { ioctl open read write };
+allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
+allow hal_camera_default camera_device:chr_file{ read write };

android/device/softwinner/common/sepolicy/vendor/hal_cas_default.te

@@ -0,0 +1,2 @@
+#============= hal_cas_default ==============
+allow hal_cas_default vndbinder_device:chr_file { ioctl open read write };

android/device/softwinner/common/sepolicy/vendor/hal_configstore_default.te

@@ -0,0 +1 @@
+#============= hal_configstore_default ==============

android/device/softwinner/common/sepolicy/vendor/hal_drm_default.te

@@ -0,0 +1,2 @@
+#============= hal_drm_default ==============
+allow hal_drm_default vndbinder_device:chr_file { ioctl open read write };

android/device/softwinner/common/sepolicy/vendor/hal_drm_widevine_default.te

@@ -0,0 +1,9 @@
+type hal_drm_widevine_default, domain;
+hal_server_domain(hal_drm_widevine_default, hal_drm)
+
+type hal_drm_widevine_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_drm_widevine_default)
+
+allow hal_drm_widevine_default vndbinder_device:chr_file { ioctl open read write };
+allow hal_drm_widevine_default untrusted_app_25:fd { use };
+allow hal_drm_widevine_default untrusted_app:fd { use };

android/device/softwinner/common/sepolicy/vendor/hal_graphics_allocator_default.te

@@ -0,0 +1 @@
+#============= hal_graphics_allocator_default ==============

android/device/softwinner/common/sepolicy/vendor/hal_graphics_composer_default.te

@@ -0,0 +1,17 @@
+#============= hal_graphics_composer_default ==============
+allow hal_graphics_composer_default vndbinder_device:chr_file { ioctl open read write };
+#allow hal_graphics_composer_default device:chr_file { read write };
+allow hal_graphics_composer_default hal_graphics_allocator_hwservice:hwservice_manager find;
+allow hal_graphics_composer_default hal_graphics_allocator_default:binder call;
+allow hal_graphics_composer_default ion_device:chr_file write;
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create;
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket setopt;
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket bind;
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket read;
+allow hal_graphics_composer_default init:unix_stream_socket connectto;
+allow hal_graphics_composer_default property_socket:sock_file write;
+allow hal_graphics_composer_default sysfs:file read;
+allow hal_graphics_composer_default sysfs:file open;
+allow hal_graphics_composer_default sysfs:file write;
+type sysfs_debugfs_swsync, fs_type, debugfs_type;
+allow hal_graphics_composer_default sysfs_debugfs_swsync:file { ioctl open read write };

android/device/softwinner/common/sepolicy/vendor/hal_keymaster_default.te

@@ -0,0 +1,2 @@
+#============= hal_keymaster_default ==============
+

android/device/softwinner/common/sepolicy/vendor/hal_light_default.te

@@ -0,0 +1 @@
+allow hal_light_default graphics_device:chr_file { read open ioctl };

android/device/softwinner/common/sepolicy/vendor/hal_memtrack_default.te

@@ -0,0 +1,18 @@
+#============= hal_memtrack_default ==============
+#allow hal_memtrack_default hal_allocator_default:dir search;
+#allow hal_memtrack_default hal_allocator_default:file { getattr open read };
+allow hal_memtrack_default hal_configstore_default:dir search;
+allow hal_memtrack_default hal_configstore_default:file { open read };
+allow hal_memtrack_default hal_keymaster_default:dir search;
+allow hal_memtrack_default hal_keymaster_default:file { getattr open read };
+allow hal_memtrack_default hwservicemanager:dir search;
+allow hal_memtrack_default hwservicemanager:file { getattr open read };
+allow hal_memtrack_default servicemanager:dir search;
+allow hal_memtrack_default servicemanager:file { getattr open read };
+allow hal_memtrack_default system_app:dir search;
+allow hal_memtrack_default system_app:file { getattr open read };
+allow hal_memtrack_default vndservicemanager:dir search;
+allow hal_memtrack_default vndservicemanager:file { getattr open read };
+
+type sysfs_cma_readable, fs_type, debugfs_type;
+allow hal_memtrack_default sysfs_cma_readable:file rw_file_perms;

android/device/softwinner/common/sepolicy/vendor/hal_power_default.te

@@ -0,0 +1,5 @@
+
+#============= hal_power_default ==============
+allow hal_power_default sysfs:file rw_file_perms;
+allow hal_power_default sysfs_devices_system_cpu:file write;
+

android/device/softwinner/common/sepolicy/vendor/hal_sensors_default.te

@@ -0,0 +1,9 @@
+set_prop(hal_sensors_default, system_prop)
+
+allow hal_sensors_default init:unix_stream_socket connectto;
+allow hal_sensors_default input_device:chr_file { ioctl open read };
+allow hal_sensors_default input_device:dir { open read };
+allow hal_sensors_default input_device:dir search;
+allow hal_sensors_default property_socket:sock_file write;
+allow hal_sensors_default sysfs:dir { open read };
+allow hal_sensors_default sysfs:file { open read write };

android/device/softwinner/common/sepolicy/vendor/hal_wifi_default.te

@@ -0,0 +1,8 @@
+#============= hal_wifi_default ==============
+allow hal_wifi_default kernel:system module_request;
+allow hal_wifi_default self:capability sys_module;
+allow hal_wifi_default vendor_file:system module_load;
+allow hal_wifi_default wifi_data_file:file {open read write create setattr};
+allow hal_wifi_default sysfs:file write;
+allow hal_wifi_default hal_wifi_default:netlink_kobject_uevent_socket {read create setopt bind};
+allow hal_wifi_default wifi_data_file:dir {search write add_name remove_name};

android/device/softwinner/common/sepolicy/vendor/hal_wifi_supplicant_default.te

@@ -0,0 +1 @@
+allow hal_wifi_supplicant_default proc_net:file write;

android/device/softwinner/common/sepolicy/vendor/healthd.te

@@ -0,0 +1,3 @@
+#============= healthd ==============
+allow healthd self:capability { dac_override dac_read_search };
+allow healthd self:capability2 wake_alarm;

android/device/softwinner/common/sepolicy/vendor/hwservicemanager.te

@@ -0,0 +1 @@
+#============= hwservicemanager ==============

android/device/softwinner/common/sepolicy/vendor/init.te

@@ -0,0 +1,23 @@
+#============= init ==============
+allow init block_device:blk_file write;
+allow init userdata_block_device:blk_file write;
+allow init cache_block_device:blk_file write;
+allow init configfs:file write;
+allow init configfs:lnk_file create;
+allow init kernel:system module_request;
+allow init self:capability sys_module;
+dontaudit init self:capability sys_module;
+allow init tmpfs:lnk_file create;
+allow init ram_device:blk_file write;
+allow init { vendor_file rootfs }:system module_load;
+allow init kmsg_device:chr_file write;
+#allow init rootfs:file { create read write };
+allow init cgroup:file create;
+allow init proc:dir { write add_name };
+allow init proc:file create;
+allow init proc_drop_caches:file write;
+allow init metadata_block_device:lnk_file relabelto;
+allow init sysfs:dir add_name;
+allow init sysfs:file create;
+allow init sysfs_zram:dir { write add_name };
+allow init sysfs_zram:file create;

android/device/softwinner/common/sepolicy/vendor/installd.te

@@ -0,0 +1 @@
+#============= installd ==============

android/device/softwinner/common/sepolicy/vendor/isolated_app.te

@@ -0,0 +1 @@
+allow isolated_app app_data_file:dir getattr;

android/device/softwinner/common/sepolicy/vendor/kernel.te

@@ -0,0 +1,25 @@
+#============= kernel ==============
+allow kernel rootfs:file execute;
+#allow kernel rootfs:file execute_no_trans;
+allow kernel device:dir write;
+allow kernel device:dir add_name;
+allow kernel device:chr_file create;
+allow kernel device:chr_file setattr;
+allow kernel self:capability mknod;
+allow kernel kernel:netlink_route_socket create;
+allow kernel device:dir create;
+#==== for rild & radio_monitor =====
+allow kernel device:blk_file create;
+allow kernel device:blk_file getattr;
+allow kernel device:blk_file setattr;
+allow kernel device:blk_file unlink;
+allow kernel device:chr_file create;
+allow kernel device:chr_file getattr;
+allow kernel device:chr_file setattr;
+allow kernel device:chr_file unlink;
+allow kernel device:dir remove_name;
+allow kernel device:dir rmdir;
+
+#==== for wifi driver access /data/misc/wifi/wifimac.txt =====
+allow kernel wifi_data_file:file { open read };
+allow kernel wifi_data_file:dir search;

android/device/softwinner/common/sepolicy/vendor/keystore.te

@@ -0,0 +1 @@
+#============= keystore ==============

android/device/softwinner/common/sepolicy/vendor/macprog-sh.te

@@ -0,0 +1,29 @@
+#========= macprog ===========
+type macprog-sh, domain;
+type macprog-sh_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(macprog-sh)
+
+allow macprog-sh bluetooth_prop:file { getattr open read };
+allow macprog-sh vendor_shell_exec:file { getattr read };
+allow macprog-sh vendor_toolbox_exec:file execute_no_trans;
+allow macprog-sh self:capability { dac_override dac_read_search };
+
+allow macprog-sh wifi_data_file:file open;
+allow macprog-sh wifi_data_file:file create;
+allow macprog-sh wifi_data_file:file { getattr write };
+allow macprog-sh wifi_data_file:file setattr;
+
+allow macprog-sh wifi_data_file:dir search;
+allow macprog-sh wifi_data_file:dir write;
+allow macprog-sh wifi_data_file:dir add_name;
+
+allow macprog-sh bluetooth_data_file:file open;
+allow macprog-sh bluetooth_data_file:file create;
+allow macprog-sh bluetooth_data_file:file { getattr write };
+allow macprog-sh bluetooth_data_file:file setattr;
+
+allow macprog-sh bluetooth_data_file:dir search;
+allow macprog-sh bluetooth_data_file:dir write;
+allow macprog-sh bluetooth_data_file:dir add_name;
+
+allow macprog-sh rootfs:dir { open read };

android/device/softwinner/common/sepolicy/vendor/mediacodec.te

@@ -0,0 +1,4 @@
+#============= mediacodec ==============
+allow mediacodec cedar_device:chr_file { open ioctl read write };
+allow mediacodec system_file:dir { open read };
+allow mediacodec tee_device:chr_file { open ioctl read write };

android/device/softwinner/common/sepolicy/vendor/mediaprovider.te

@@ -0,0 +1,6 @@
+#============= mediaprovider ==============
+allow mediaprovider vendor_file:file { execute getattr open read};
+allow mediaprovider unlabeled:dir { read getattr open search };
+allow mediaprovider unlabeled:file getattr;
+allow mediaprovider cache_private_backup_file:dir getattr;
+allow mediaprovider storage_stub_file:dir getattr;

android/device/softwinner/common/sepolicy/vendor/mediaserver.te

@@ -0,0 +1,12 @@
+set_prop(mediaserver, system_prop)
+
+allow mediaserver cedar_device:chr_file rw_file_perms;
+allow mediaserver vendor_file:file { r_file_perms execute };
+allow mediaserver cameraserver:dir search;
+allow mediaserver cameraserver:file r_file_perms;
+allow mediaserver untrusted_app:dir search;
+allow mediaserver untrusted_app:file { read open };
+allow mediaserver untrusted_app_25:dir search;
+allow mediaserver untrusted_app_25:file { read open };
+allow mediaserver system_app_data_file:file { read getattr write };
+allow mediaserver unlabeled:file { read getattr };

android/device/softwinner/common/sepolicy/vendor/netd.te

@@ -0,0 +1,6 @@
+#============= netd ==============
+allow netd kernel:system module_request;
+allow netd self:capability sys_module;
+allow netd proc:file write;
+allow netd proc_net:dir create_dir_perms;
+allow netd proc_net:file create;

android/device/softwinner/common/sepolicy/vendor/optee.te

@@ -0,0 +1,17 @@
+type optee, domain;
+type optee_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(optee)
+
+allow shell optee_exec:file getattr;
+allow optee system_data_file:dir { write remove_name add_name create getattr };
+allow optee self:capability { dac_override };
+allow optee tee_device:chr_file { read write open ioctl };
+allow optee tee_data_file:dir { remove_name rmdir search add_name write read open create };
+allow optee tee_data_file:file { link unlink write read open create };
+allow optee self:netlink_socket create_socket_perms_no_ioctl;
+allow optee self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow optee ion_device:chr_file r_file_perms;
+r_dir_file(optee, sysfs_type)
+
+allow optee system_data_file:file { getattr read };
+allow optee system_data_file:lnk_file r_file_perms;

android/device/softwinner/common/sepolicy/vendor/platform_app.te

@@ -0,0 +1,6 @@
+#============platform_app ==============
+allow platform_app vendor_file:file { execute getattr open read };
+allow platform_app unlabeled:dir { getattr open read search write };
+allow platform_app unlabeled:file { getattr open read write setattr };
+allow platform_app unlabeled:filesystem getattr;
+allow platform_app recovery_service:service_manager find;

android/device/softwinner/common/sepolicy/vendor/priv_app.te

@@ -0,0 +1,11 @@
+
+#============= priv_app ==============
+allow priv_app vendor_file:file { execute getattr open read };
+allow priv_app proc_modules:file { read getattr open };
+allow priv_app zygote:dir search;
+allow priv_app zygote:file { read open };
+allow priv_app device:dir { read open };
+allow priv_app proc_interrupts:file { read open };
+allow priv_app unlabeled:dir { search getattr };
+allow priv_app net_dns_prop:file read;
+allow priv_app wifi_prop:file read;

android/device/softwinner/common/sepolicy/vendor/proc_net.te

@@ -0,0 +1 @@
+allow proc_net proc:filesystem associate;

android/device/softwinner/common/sepolicy/vendor/property_contexts

@@ -0,0 +1,6 @@
+mediasw.stopscaner                    u:object_r:system_prop:s0
+media.boost.pref                      u:object_r:system_prop:s0
+persist.display.smart_backlight       u:object_r:system_prop:s0
+persist.display.enhance_mode          u:object_r:system_prop:s0
+persist.display.reading_mode          u:object_r:system_prop:s0
+persist.display.color_temperature     u:object_r:system_prop:s0

android/device/softwinner/common/sepolicy/vendor/radio.te

@@ -0,0 +1,6 @@
+allow radio system_app_data_file:dir getattr;
+allow radio vendor_file:file read;
+allow radio vendor_file:file open;
+allow radio vendor_file:file getattr;
+allow radio vendor_file:file execute;
+allow system_server radio:file write;

android/device/softwinner/common/sepolicy/vendor/radio_monitor.te

@@ -0,0 +1,15 @@
+#========= radio_monitor ===========
+type radio_monitor, domain;
+type radio_monitor_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(radio_monitor)
+
+allow radio_monitor self:capability net_admin;
+allow radio_monitor self:netlink_kobject_uevent_socket { bind create read setopt };
+allow radio_monitor sysfs:dir { open read };
+allow radio_monitor sysfs:file { open read write };
+allow radio_monitor usb_device:chr_file { ioctl open read write };
+allow radio_monitor usb_device:dir { open read };
+allow radio_monitor usb_device:dir search;
+allow radio_monitor vendor_file:file execute_no_trans;
+allow radio_monitor vendor_shell_exec:file execute_no_trans;
+

android/device/softwinner/common/sepolicy/vendor/recovery.te

@@ -0,0 +1,28 @@
+#============= recovery ==============
+allow recovery devpts:chr_file { open read write };
+allow recovery kmsg_device:chr_file { open read write };
+allow recovery boottime_prop:file { getattr open };
+#allow recovery firstboot_prop:file { getattr open };
+allow recovery overlay_prop:file { getattr open };
+allow recovery persistent_properties_ready_prop:file { getattr open };
+allow recovery wifi_prop:file getattr;
+allow recovery device_logging_prop:file { getattr open };
+allow recovery mmc_prop:file { getattr open };
+allow recovery net_dns_prop:file open;
+#allow recovery netd_stable_secret_prop:file { getattr open };
+allow recovery safemode_prop:file { getattr open };
+allow recovery wifi_prop:file open;
+allow recovery bluetooth_prop:file { getattr open };
+allow recovery dumpstate_options_prop:file { getattr open };
+allow recovery logpersistd_logging_prop:file { getattr open };
+allow recovery net_dns_prop:file getattr;
+allow recovery proc_drop_caches:file read;
+#allow recovery firstboot_prop:file getattr;
+#allow recovery netd_stable_secret_prop:file { getattr open };
+allow recovery proc_drop_caches:file getattr;
+allow recovery vfat:dir { open read search };
+allow recovery vfat:file { getattr open read };
+#allow recovery disp_prop:file { getattr open };
+#allow recovery hdmi_prop:file { getattr open };
+allow recovery media_rw_data_file:dir {search open};
+allow recovery media_rw_data_file:file {read open getattr};

android/device/softwinner/common/sepolicy/vendor/rild.te

@@ -0,0 +1,67 @@
+set_prop(rild, system_prop)
+
+set_prop(rild, net_radio_prop)
+
+allow rild sysfs:file write;
+allow rild usb_device:dir r_dir_perms;
+allow rild usb_device:chr_file {open read write ioctl relabelfrom};
+allow rild ppp_exec:file {getattr execute read open execute_no_trans};
+allow rild ppp_device:chr_file rw_file_perms;
+allow rild kernel:dir {search getattr open read};
+allow rild kernel:file{open read};
+allow rild init:dir {search getattr};
+allow rild init:file {open read};
+allow rild init:lnk_file {read};
+allow rild ueventd:dir {search getattr};
+allow rild ueventd:file {open read};
+allow rild ueventd:lnk_file {open read};
+allow rild ueventd:chr_file { relabelfrom };
+allow rild sdcardd:dir {read search getattr};
+allow rild logd:dir {read search getattr};
+allow rild lmkd:dir {search getattr};
+allow rild lmkd:file {open read};
+allow rild healthd:dir {search getattr};
+allow rild healthd:file {open read};
+allow rild servicemanager:dir {search getattr};
+allow rild servicemanager:file{open read};
+allow rild vold:dir {search getattr};
+allow rild vold:file {open read};
+allow rild shell:dir {search getattr};
+allow rild shell:file {open read};
+allow rild netd:dir {search getattr};
+allow rild netd:file{open read};
+allow rild radio:dir {search getattr};
+allow rild radio:file {open read};
+allow rild system_server:dir {search getattr};
+allow rild system_app:dir {search getattr};
+allow rild system_app:file {read open};
+allow rild platform_app:dir {search getattr};
+allow rild platform_app:file {open read};
+allow rild untrusted_app:dir {search getattr};
+allow rild untrusted_app:file rw_file_perms;
+allow rild surfaceflinger:dir {search getattr};
+allow rild surfaceflinger:file {open read};
+allow rild logd:file {open read};
+allow rild sdcardd:file {open read};
+allow rild drmserver:dir {search getattr};
+allow rild drmserver:file{open read};
+allow rild mediaserver:dir {search getattr};
+allow rild mediaserver:file {open read};
+allow rild installd:dir {search getattr};
+allow rild installd:file {open read};
+allow rild keystore:dir {search getattr};
+allow rild keystore:file {open read};
+allow rild zygote:dir {search getattr};
+allow rild zygote:file {open read};
+allow rild system_server:file {open read};
+allow rild self:capability { dac_override setgid setuid fowner chown sys_module};
+allow rild rootfs:file {getattr execute execute_no_trans};
+allow rild kernel:lnk_file read;
+allow rild toolbox_exec:file { execute getattr read open execute_no_trans};
+
+allow rild system_file:file execute_no_trans;
+allow rild vendor_file:file execute_no_trans;
+allow rild vendor_toolbox_exec:file execute_no_trans;
+allow rild rootfs:dir read;
+allow rild rootfs:dir open;
+allow rild vendor_shell_exec:file execute_no_trans;

android/device/softwinner/common/sepolicy/vendor/sdcardd.te

@@ -0,0 +1,3 @@
+#============= sdcardd ==============
+allow sdcardd unlabeled:dir { getattr open read search };
+allow sdcardd unlabeled:file { getattr open read };

android/device/softwinner/common/sepolicy/vendor/service.te

@@ -0,0 +1,2 @@
+type htserver_service, system_api_service, system_server_service, service_manager_type;
+type background_service,        app_api_service, ephemeral_app_api_service, service_manager_type;

android/device/softwinner/common/sepolicy/vendor/shell.te

@@ -0,0 +1,7 @@
+allow shell vendor_file:file { r_file_perms execute execute_no_trans};
+allow shell background_service:service_manager add;
+allow shell sysfs_cma_readable:file { read getattr open };
+allow shell sysfs_zram:dir search;
+allow shell sysfs_zram:file { read getattr open };
+allow shell hal_memtrack_default:binder call;
+allow shell untrusted_app_25:process getsched;

android/device/softwinner/common/sepolicy/vendor/surfaceflinger.te

@@ -0,0 +1,7 @@
+allow surfaceflinger sysfs:file write;
+allow surfaceflinger self:unix_stream_socket ioctl;
+allow surfaceflinger htserver_service:service_manager find;
+allow surfaceflinger activity_service:service_manager find;
+allow surfaceflinger awinit:binder call;
+allow surfaceflinger self:capability { net_admin dac_override };
+allow surfaceflinger vendor_file:file { execute getattr open read };

android/device/softwinner/common/sepolicy/vendor/system_app.te

@@ -0,0 +1,4 @@
+allow system_app { cache_file cache_recovery_file }:dir create_dir_perms;
+allow system_app { cache_file cache_recovery_file }:file create_file_perms;
+allow system_app vendor_file:file { execute getattr open read execute_no_trans };
+allow system_app unlabeled:filesystem getattr;

android/device/softwinner/common/sepolicy/vendor/system_server.te

@@ -0,0 +1,16 @@
+allow system_server mediaprovider:file write;
+allow system_server platform_app:file write;
+allow system_server priv_app:file write;
+allow system_server system_app:file write;
+allow system_server untrusted_app:file write;
+allow system_server untrusted_app_25:file write;
+allow system_server vendor_file:file { execute getattr open read };
+allow system_server proc:file write;
+allow system_server bluetooth:file write;
+allow system_server nfc:file write;
+allow system_server background_service:service_manager find;
+allow system_server shell:file write;
+allow system_server isolated_app:file write;
+allow system_server unlabeled:dir setattr;
+allow system_server storage_stub_file:dir getattr;
+allow system_server kernel:system syslog_read;

android/device/softwinner/common/sepolicy/vendor/thermalserviced.te

@@ -0,0 +1 @@
+#============= thermalserviced ==============

android/device/softwinner/common/sepolicy/vendor/toolbox.te

@@ -0,0 +1,4 @@
+#============= toolbox ==============
+allow toolbox ram_device:blk_file { read write };
+allow toolbox ram_device:blk_file open;
+allow toolbox ram_device:blk_file getattr;

android/device/softwinner/common/sepolicy/vendor/ueventd.te

@@ -0,0 +1,2 @@
+allow ueventd usb_device:chr_file { relabelfrom  relabelto };
+allow ueventd radio_device:chr_file { relabelfrom  relabelto };

android/device/softwinner/common/sepolicy/vendor/uncrypt.te

@@ -0,0 +1,4 @@
+#============= uncrypt ==============
+allow uncrypt cache_file:dir getattr;
+allow uncrypt cache_file:file getattr;
+allow uncrypt cache_file:file read;

android/device/softwinner/common/sepolicy/vendor/unlabeled.te

@@ -0,0 +1 @@
+allow unlabeled self:filesystem associate;

android/device/softwinner/common/sepolicy/vendor/untrusted_app.te

@@ -0,0 +1,10 @@
+#============= untrusted_app_25 ==============
+allow untrusted_app vendor_file:file { read execute getattr open };
+allow untrusted_app sysfs_zram:dir search;
+allow untrusted_app sysfs_zram:file { read getattr open };
+allow untrusted_app rootfs:dir { read open };
+allow untrusted_app unlabeled:dir { open read search getattr setattr };
+allow untrusted_app unlabeled:filesystem getattr;
+allow untrusted_app device:dir { open read };
+allow untrusted_app storage_stub_file:dir getattr;
+allow untrusted_app block_device:dir { read open search };

android/device/softwinner/common/sepolicy/vendor/untrusted_app_25.te

@@ -0,0 +1,23 @@
+#============= untrusted_app_25 ==============
+allow untrusted_app_25 vendor_file:file { read execute getattr open };
+allow untrusted_app_25 cgroup:dir { read open };
+allow untrusted_app_25 init_exec:file getattr;
+allow untrusted_app_25 mnt_media_rw_file:dir getattr;
+allow untrusted_app_25 rootfs:dir { read open };
+allow untrusted_app_25 rootfs:file getattr;
+allow untrusted_app_25 sysfs:dir { read open };
+allow untrusted_app_25 sysfs:file { read open getattr };
+allow untrusted_app_25 unlabeled:dir { getattr open search read write add_name setattr };
+allow untrusted_app_25 unlabeled:file { getattr read };
+allow untrusted_app_25 unlabeled:filesystem getattr;
+allow untrusted_app_25 proc:file { getattr };
+allow untrusted_app_25 proc_stat:file { read getattr open };
+allow untrusted_app_25 su_exec:file getattr;
+allow untrusted_app_25 init:dir search;
+allow untrusted_app_25 init:file { open read };
+allow untrusted_app_25 kernel:dir { getattr search };
+allow untrusted_app_25 kernel:file { open read };
+allow untrusted_app_25 node:rawip_socket node_bind;
+allow untrusted_app_25 self:udp_socket ioctl;
+allow untrusted_app_25 wifi_prop:file { getattr open };
+allow untrusted_app_25 platform_app:dir search;

android/device/softwinner/common/sepolicy/vendor/vold.te

@@ -0,0 +1,10 @@
+allow vold kernel:system module_request;
+allow vold self:capability { setgid setuid };
+allow vold fuse_device:chr_file { getattr read write open };
+allow vold swap_block_device:blk_file getattr;
+allow vold storage_stub_file:dir { read open search };
+allow vold block_device:blk_file getattr;
+allow vold unlabeled:filesystem { mount unmount };
+allow vold cache_block_device:blk_file getattr;
+allow vold system_block_device:blk_file getattr;
+allow vold mnt_media_rw_stub_file:dir {getattr read write open ioctl};

android/device/softwinner/common/sepolicy/vendor/webview_zygote.te

@@ -0,0 +1,3 @@
+#============= webview_zygote ==============
+allow webview_zygote proc:file read;
+allow webview_zygote tombstoned_crash_socket:sock_file write;

android/device/softwinner/common/sepolicy/vendor/wificond.te

@@ -0,0 +1,2 @@
+#============= wificond ==============
+allow wificond kernel:system module_request;

android/device/softwinner/common/sepolicy/vendor/zygote.te

@@ -0,0 +1,3 @@
+#============= zygote ==============
+allow zygote cgroup:file create;
+allow zygote vendor_file:file { execute getattr open read };