diff --git a/sepolicy/OWNERS b/sepolicy/OWNERS
new file mode 100644
index 0000000..5232bc3
--- /dev/null
+++ b/sepolicy/OWNERS
@@ -0,0 +1,4 @@
+include device/google/gs-common:/sepolicy/OWNERS
+
+adamshih@google.com
+
diff --git a/sepolicy/bluetooth/file_contexts b/sepolicy/bluetooth/file_contexts
new file mode 100644
index 0000000..5560dc7
--- /dev/null
+++ b/sepolicy/bluetooth/file_contexts
@@ -0,0 +1,10 @@
+# Bluetooth HAL service
+/vendor/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_default_exec:s0
+
+# Bluetooth Vendor nodes
+/dev/btpower u:object_r:bt_device:s0
+/dev/ttySAC18 u:object_r:hci_attach_dev:s0
+
+# Bluetooth Debuggable HAL nodes
+/dev/logbuffer_btpower u:object_r:logbuffer_device:s0
+/dev/logbuffer_tty18 u:object_r:logbuffer_device:s0
diff --git a/sepolicy/bluetooth/genfs_contexts b/sepolicy/bluetooth/genfs_contexts
new file mode 100644
index 0000000..2b2d437
--- /dev/null
+++ b/sepolicy/bluetooth/genfs_contexts
@@ -0,0 +1 @@
+genfscon sysfs /devices/platform/odm/odm:btqcom/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
diff --git a/sepolicy/bluetooth/grilservice_app.te b/sepolicy/bluetooth/grilservice_app.te
new file mode 100644
index 0000000..770244c
--- /dev/null
+++ b/sepolicy/bluetooth/grilservice_app.te
@@ -0,0 +1 @@
+binder_call(grilservice_app, hal_bluetooth_default)
diff --git a/sepolicy/bluetooth/hal_bluetooth_default.te b/sepolicy/bluetooth/hal_bluetooth_default.te
new file mode 100644
index 0000000..d78de58
--- /dev/null
+++ b/sepolicy/bluetooth/hal_bluetooth_default.te
@@ -0,0 +1,12 @@
+allow hal_bluetooth_default bt_device:chr_file rw_file_perms;
+
+add_hwservice(hal_bluetooth_default, hal_bluetooth_coexistence_hwservice)
+
+userdebug_or_eng(`
+ allow hal_bluetooth_default logbuffer_device:chr_file r_file_perms;
+ allow hal_bluetooth_default sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+ allow hal_bluetooth_default sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+ allow hal_bluetooth_default sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+ allow hal_bluetooth_default sscoredump_vendor_data_coredump_file:file create_file_perms;
+ set_prop(hal_bluetooth_default, vendor_ssrdump_prop)
+')
diff --git a/sepolicy/bluetooth/hwservice.te b/sepolicy/bluetooth/hwservice.te
new file mode 100644
index 0000000..8a5ae49
--- /dev/null
+++ b/sepolicy/bluetooth/hwservice.te
@@ -0,0 +1,2 @@
+# Bluetooth HAL extension
+type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type;
diff --git a/sepolicy/bluetooth/hwservice_contexts b/sepolicy/bluetooth/hwservice_contexts
new file mode 100644
index 0000000..edd952b
--- /dev/null
+++ b/sepolicy/bluetooth/hwservice_contexts
@@ -0,0 +1,3 @@
+# Bluetooth HAL extension
+hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0
+hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0
diff --git a/sepolicy/lynx-sepolicy.mk b/sepolicy/lynx-sepolicy.mk
new file mode 100644
index 0000000..4c770e4
--- /dev/null
+++ b/sepolicy/lynx-sepolicy.mk
@@ -0,0 +1,3 @@
+# sepolicy that are shared among devices using whitechapel
+BOARD_SEPOLICY_DIRS += device/google/lynx-sepolicy/vendor
+BOARD_SEPOLICY_DIRS += device/google/lynx-sepolicy/tracking_denials
diff --git a/sepolicy/tracking_denials/bug_map b/sepolicy/tracking_denials/bug_map
new file mode 100644
index 0000000..2e6daa3
--- /dev/null
+++ b/sepolicy/tracking_denials/bug_map
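Review bot: The comment `# sepolicy that are shared among devices using whitechapel` in lynx-sepolicy.mk contradicts sepolicy/vendor/README.txt added later in this diff, which says that directory holds policy exclusively for one device; this makefile is the device-specific policy list, so the header reads like a copy from a shared-policy repo. Suggest `# lynx device-specific sepolicy (shared gs-common policy is pulled in separately)`. Separately, the two `BOARD_SEPOLICY_DIRS` entries point at `device/google/lynx-sepolicy/vendor` and `.../tracking_denials`, while every file in this change lands under a `sepolicy/` subdirectory; whether those paths resolve depends on where this repository is mounted in the tree, which is not visible here and is worth confirming before merge.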
@@ -0,0 +1,2 @@
+kernel vendor_charger_debugfs dir b/305600791
+hal_bluetooth_default vendor_data_file dir b/318453067
diff --git a/sepolicy/vendor/README.txt b/sepolicy/vendor/README.txt
new file mode 100644
index 0000000..67a320f
--- /dev/null
+++ b/sepolicy/vendor/README.txt
@@ -0,0 +1,2 @@
+This folder holds sepolicy exclusively for one device. For example, genfs_contexts
+paths that are affected by device tree.
diff --git a/sepolicy/vendor/cnss-daemon.te b/sepolicy/vendor/cnss-daemon.te
new file mode 100644
index 0000000..e6ea641
--- /dev/null
+++ b/sepolicy/vendor/cnss-daemon.te
@@ -0,0 +1,20 @@
+# cnss-daemon service
+type cnss-daemon, domain;
+type cnss-daemon_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(cnss-daemon)
+
+net_domain(cnss-daemon)
+
+allow cnss-daemon self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow cnss-daemon self:qipcrtr_socket create_socket_perms_no_ioctl;
+
+# /data/vendor/wifi/
+allow cnss-daemon vendor_wifi_vendor_data_file:dir create_dir_perms;
+allow cnss-daemon vendor_wifi_vendor_data_file:file create_file_perms;
+
+# /proc/sys/net/ipv4/tcp_adv_win_scal
+allow cnss-daemon proc_net:file rw_file_perms;
+
+# /sys/class/remoteproc
+allow cnss-daemon sysfs_cnss_daemon:dir r_dir_perms;
+allow cnss-daemon sysfs_cnss_daemon:file r_file_perms;
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
new file mode 100644
index 0000000..3e16875
--- /dev/null
+++ b/sepolicy/vendor/device.te
@@ -0,0 +1,2 @@
+# Wifi
+type vendor_wlan_device, dev_type;
\ No newline at end of file
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
new file mode 100644
index 0000000..7f9aa22
--- /dev/null
+++ b/sepolicy/vendor/file.te
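Review bot: The `hal_bluetooth_default vendor_data_file dir b/318453067` entry in bug_map only tags the matching denial with a bug id in the audit log; as far as I know it neither grants nor silences the access, so the HAL's access to that directory still fails and still needs a real fix. The right model is already in this diff: hal_bluetooth_default.te grants access to specifically labelled `sscoredump_vendor_data_*` types rather than to the generic `vendor_data_file`, so the eventual fix should label the path the HAL touches the same way. A short comment above each entry would make that expectation explicit, e.g. `# TODO: label the /data/vendor path the BT HAL opens (<path here>) and drop this entry`.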
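Review bot: `allow cnss-daemon proc_net:file rw_file_perms;` grants read and write on every file labelled `proc_net`, which in AOSP covers `/proc/net` as well as `/proc/sys/net`, while the comment above it says only one sysctl is needed (the comment's `tcp_adv_win_scal` also looks truncated; the kernel sysctl is `tcp_adv_win_scale`, worth confirming). A daemon that can write arbitrary `/proc/sys/net` entries can alter network-stack behaviour well beyond its own interface, so the least-privilege option is to label just that path with a device-specific type via genfscon, the same way this change labels `/debugdriver/driverdump` as `vendor_proc_wifi_dbg`, and allow `rw_file_perms` on that type only. If a broader grant is genuinely required, the comment should list the other entries the daemon writes.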
@@ -0,0 +1,7 @@
+type vendor_location_data_file, file_type, data_file_type;
+type vendor_location_socket, file_type;
+type vendor_wifi_vendor_data_file, file_type, data_file_type;
+type vendor_wifihal_socket, file_type;
+type vendor_location_sysfs, fs_type, sysfs_type;
+type vendor_proc_wifi_dbg, fs_type, proc_type;
+type sysfs_cnss_daemon, fs_type, sysfs_type;
\ No newline at end of file
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
new file mode 100644
index 0000000..bc7e2fc
--- /dev/null
+++ b/sepolicy/vendor/file_contexts
@@ -0,0 +1,18 @@
+# Devices
+/dev/lwis-act-lc898129 u:object_r:lwis_device:s0
+/dev/lwis-eeprom-lc898129 u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64x-imx712 u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64x-imx712-uw u:object_r:lwis_device:s0
+/dev/lwis-ois-lc898129 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx712 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx712-uw u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx787 u:object_r:lwis_device:s0
+
+# Wifi
+/data/vendor/wifi(/.*)? u:object_r:vendor_wifi_vendor_data_file:s0
+/dev/wlan u:object_r:vendor_wlan_device:s0
+/dev/socket/location(/.*)? u:object_r:vendor_location_socket:s0
+/dev/socket/wifihal(/.*)? u:object_r:vendor_wifihal_socket:s0
+/vendor/bin/loc_launcher u:object_r:vendor_location_exec:s0
+/vendor/bin/lowi-server u:object_r:lowi_server_exec:s0
+/vendor/bin/cnss-daemon u:object_r:cnss-daemon_exec:s0
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
new file mode 100644
index 0000000..2ced4b3
--- /dev/null
+++ b/sepolicy/vendor/genfs_contexts
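Review bot: `type vendor_location_data_file, file_type, data_file_type;` is declared in file.te but nothing in this diff labels a path with it or grants access to it; file_contexts labels `/data/vendor/wifi(/.*)?` as `vendor_wifi_vendor_data_file` and the location socket directory as `vendor_location_socket`. An unused type is harmless at runtime but misleads the next reader into looking for a labelled path, so either drop the declaration or add a comment saying which file_contexts entry is expected to use it, e.g. `# reserved for <data path>, labelled in file_contexts once the daemon needs it`.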
@@ -0,0 +1,20 @@
+# Wifi
+genfscon sysfs /devices/soc0/soc_id u:object_r:vendor_location_sysfs:s0
+genfscon proc /debugdriver/driverdump u:object_r:vendor_proc_wifi_dbg:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/net u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/net u:object_r:sysfs_net:s0
+genfscon sysfs /class/remoteproc u:object_r:sysfs_cnss_daemon:s0
+
+# BMS
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-0061 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-0061/power_supply u:object_r:sysfs_batteryinfo:s0
+
+# System Suspend
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-0061/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-0061/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/mhi0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/mhi0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/qcom,cnss-qca6490/wakeup u:object_r:sysfs_wakeup:s0
+
+# PowerStats
+genfscon sysfs /kernel/wifi/power_stats u:object_r:sysfs_power_stats:s0
diff --git a/sepolicy/vendor/hal_dumpstate_default.te b/sepolicy/vendor/hal_dumpstate_default.te
new file mode 100644
index 0000000..d513b88
--- /dev/null
+++ b/sepolicy/vendor/hal_dumpstate_default.te
@@ -0,0 +1,2 @@
+# b/267839070
+dontaudit hal_dumpstate_default sysfs:dir { read };
diff --git a/sepolicy/vendor/hal_power_stats_default.te b/sepolicy/vendor/hal_power_stats_default.te
new file mode 100644
index 0000000..24527f9
--- /dev/null
+++ b/sepolicy/vendor/hal_power_stats_default.te
@@ -0,0 +1,2 @@
+# Needed to detect wifi on/off
+get_prop(hal_power_stats_default, wifi_hal_prop)
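Review bot: `dontaudit hal_dumpstate_default sysfs:dir { read };` silences the denial for every directory labelled `sysfs`, and the only explanation given is a bug number. Because `dontaudit` removes the event from the audit log, it also removes the signal a responder or later policy author would use to notice the dumpstate HAL walking sysfs it should not, so the comment should state what directory read is being silenced and why it is harmless, e.g. `# b/267839070: dumpstate lists <sysfs dir> it does not need; suppress the noise rather than grant it`. The same applies to `dontaudit kernel vendor_battery_debugfs:dir search;` in kernel.te later in this diff, which carries no comment at all.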
diff --git a/sepolicy/vendor/hal_radioext_default.te b/sepolicy/vendor/hal_radioext_default.te
new file mode 100644
index 0000000..1620f2b
--- /dev/null
+++ b/sepolicy/vendor/hal_radioext_default.te
@@ -0,0 +1 @@
+binder_call(hal_radioext_default, hal_bluetooth_default)
diff --git a/sepolicy/vendor/hal_wifi_default.te b/sepolicy/vendor/hal_wifi_default.te
new file mode 100644
index 0000000..418aba5
--- /dev/null
+++ b/sepolicy/vendor/hal_wifi_default.te
@@ -0,0 +1,19 @@
+allow hal_wifi_default vendor_wlan_device:chr_file w_file_perms;
+allow hal_wifi_default vendor_wifi_vendor_data_file:dir rw_dir_perms;
+
+# write to files owned by location daemon
+allow hal_wifi_default vendor_location_socket:dir rw_dir_perms;
+allow hal_wifi_default vendor_location_socket:{sock_file lnk_file} create_file_perms;
+allow hal_wifi_default vendor_location:unix_dgram_socket sendto;
+allow hal_wifi_default lowi_server:unix_dgram_socket sendto;
+
+# Connect to vendor_location via vendor_location socket.
+unix_socket_connect(hal_wifi, vendor_location, vendor_location)
+allow hal_wifi_default vendor_wifihal_socket:dir rw_dir_perms;
+allow hal_wifi_default vendor_wifihal_socket:sock_file create_file_perms;
+
+# allow hal_wifi to write into /proc/debugdriver/driverdump
+r_dir_file(hal_wifi_default, vendor_proc_wifi_dbg);
+
+# Write wlan driver/fw version into property
+set_prop(hal_wifi_default, vendor_wifi_version)
diff --git a/sepolicy/vendor/hal_wifi_ext.te b/sepolicy/vendor/hal_wifi_ext.te
new file mode 100644
index 0000000..fbe187d
--- /dev/null
+++ b/sepolicy/vendor/hal_wifi_ext.te
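Review bot: `unix_socket_connect(hal_wifi, vendor_location, vendor_location)` names the `hal_wifi` attribute as the subject, whereas every other rule in hal_wifi_default.te is written for the concrete `hal_wifi_default` domain. In AOSP `hal_wifi` is the attribute shared by the Wi-Fi HAL's server and client domains, so if this builds as written the `connectto` on `vendor_location` and the `write` on `vendor_location_socket:sock_file` reach the framework-side HAL clients too, not just this process; the intended line is presumably `unix_socket_connect(hal_wifi_default, vendor_location, vendor_location)`. The identical line appears in hal_wifi_ext.te in the next hunk and should become `hal_wifi_ext` there. Separately, the comment `# allow hal_wifi to write into /proc/debugdriver/driverdump` sits above `r_dir_file(...)`, which grants read only, so one of the two should change.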
@@ -0,0 +1,16 @@
+allow hal_wifi_ext vendor_wlan_device:chr_file w_file_perms;
+allow hal_wifi_ext vendor_wifi_vendor_data_file:dir rw_dir_perms;
+
+# write to files owned by location daemon
+allow hal_wifi_ext vendor_location_socket:dir rw_dir_perms;
+allow hal_wifi_ext vendor_location_socket:{sock_file lnk_file} create_file_perms;
+allow hal_wifi_ext vendor_location:unix_dgram_socket sendto;
+allow hal_wifi_ext lowi_server:unix_dgram_socket sendto;
+
+# Connect to vendor_location via vendor_location socket.
+unix_socket_connect(hal_wifi, vendor_location, vendor_location)
+allow hal_wifi_ext vendor_wifihal_socket:dir rw_dir_perms;
+allow hal_wifi_ext vendor_wifihal_socket:sock_file create_file_perms;
+
+# allow hal_wifi to write into /proc/debugdriver/driverdump
+r_dir_file(hal_wifi_ext, vendor_proc_wifi_dbg);
diff --git a/sepolicy/vendor/hal_wifi_hostapd.te b/sepolicy/vendor/hal_wifi_hostapd.te
new file mode 100644
index 0000000..f081558
--- /dev/null
+++ b/sepolicy/vendor/hal_wifi_hostapd.te
@@ -0,0 +1 @@
+allow hal_wifi_hostapd_default vendor_wifi_vendor_data_file:dir rw_dir_perms;
\ No newline at end of file
diff --git a/sepolicy/vendor/hal_wifi_supplicant.te b/sepolicy/vendor/hal_wifi_supplicant.te
new file mode 100644
index 0000000..78993ca
--- /dev/null
+++ b/sepolicy/vendor/hal_wifi_supplicant.te
@@ -0,0 +1 @@
+allow hal_wifi_supplicant_default vendor_wifi_vendor_data_file:dir rw_dir_perms;
\ No newline at end of file
diff --git a/sepolicy/vendor/ioctl_macros b/sepolicy/vendor/ioctl_macros
new file mode 100644
index 0000000..1646edf
--- /dev/null
+++ b/sepolicy/vendor/ioctl_macros
@@ -0,0 +1,9 @@
+define(`lowi_server_ioctls', `{
+SIOCGIFINDEX
+SIOCGIFHWADDR
+SIOCGIFFLAGS
+SIOCIWFIRSTPRIV_05
+SIOCIWFIRSTPRIV_11
+SIOCIWFIRSTPRIV_13
+SIOCDEVPRIVATE_1
+}')
diff --git a/sepolicy/vendor/kernel.te b/sepolicy/vendor/kernel.te
new file mode 100644
index 0000000..4be1265
--- /dev/null
+++ b/sepolicy/vendor/kernel.te
@@ -0,0 +1 @@
+dontaudit kernel vendor_battery_debugfs:dir search;
diff --git a/sepolicy/vendor/logger_app.te b/sepolicy/vendor/logger_app.te
new file mode 100644
index 0000000..26c0cc6
--- /dev/null
+++ b/sepolicy/vendor/logger_app.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+ allow logger_app vendor_wifi_vendor_data_file:dir rw_dir_perms;
+')
diff --git a/sepolicy/vendor/lowi_server.te b/sepolicy/vendor/lowi_server.te
new file mode 100644
index 0000000..21dfb81
--- /dev/null
+++ b/sepolicy/vendor/lowi_server.te
@@ -0,0 +1,36 @@
+# lowi_server service
+# which launches various other services supporting Wifi-RTT (LOWI) vendor_location
+type lowi_server, domain;
+type lowi_server_exec, exec_type, vendor_file_type, file_type;
+
+hwbinder_use(lowi_server)
+allow lowi_server self:udp_socket create_socket_perms;
+allow lowi_server self:netlink_route_socket create_socket_perms_no_ioctl;
+
+## lowi-server
+##############
+allow lowi_server vendor_location:fd use;
+allow lowi_server vendor_location:unix_dgram_socket {sendto read write};
+
+# some additional network access
+allow lowi_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+allowxperm lowi_server self:udp_socket ioctl lowi_server_ioctls;
+
+# /data/vendor/wifi
+allow lowi_server vendor_wifi_vendor_data_file:dir rw_dir_perms;
+
+# /data/vendor/wifi/wpa
+allow lowi_server wpa_data_file:dir rw_dir_perms;
+allow lowi_server wpa_data_file:sock_file create_file_perms;
+allow lowi_server hal_wifi_supplicant_default:unix_dgram_socket sendto;
+
+# /dev/socket/wifihal
+allow lowi_server vendor_wifihal_socket:dir rw_dir_perms;
+allow lowi_server vendor_wifihal_socket:sock_file create_file_perms;
+allow lowi_server vendor_wifihal_socket:unix_dgram_socket sendto;
+unix_socket_send(lowi_server, vendor_wifihal, hal_wifi_default);
+unix_socket_send(lowi_server, vendor_wifihal, hal_wifi_ext);
+
+# /dev/socket/vendor_location
+allow lowi_server vendor_location_socket:{sock_file lnk_file} create_file_perms;
+allow lowi_server vendor_location_socket:dir rw_dir_perms;
diff --git a/sepolicy/vendor/tcpdump_logger.te b/sepolicy/vendor/tcpdump_logger.te
new file mode 100644
index 0000000..9f00bb7
--- /dev/null
+++ b/sepolicy/vendor/tcpdump_logger.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+ allow tcpdump_logger vendor_wifi_vendor_data_file:dir rw_dir_perms;
+')
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
new file mode 100644
index 0000000..cc2e3ad
--- /dev/null
+++ b/sepolicy/vendor/vendor_init.te
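Review bot: `allow lowi_server vendor_wifihal_socket:unix_dgram_socket sendto;` pairs a socket class with a file type: the target of a `unix_dgram_socket sendto` check is the receiving process's domain, so unless something deliberately creates a socket with that file context this rule never matches, and the two `unix_socket_send(lowi_server, vendor_wifihal, ...)` lines directly below it already grant the real peers `hal_wifi_default` and `hal_wifi_ext`. Dropping the dead line keeps the policy honest about which accesses are exercised. Separately, `allow lowi_server wpa_data_file:sock_file create_file_perms;` includes `unlink`, `rename` and `setattr` on socket files in wpa_supplicant's control-interface directory, which the supplicant's own sockets share; if lowi_server only creates and removes its own client socket there, it is worth confirming a narrower permission set suffices and recording that in the comment.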
@@ -0,0 +1,2 @@
+# Camera
+set_prop(vendor_init, vendor_camera_prop)
diff --git a/sepolicy/vendor/vendor_location.te b/sepolicy/vendor/vendor_location.te
new file mode 100644
index 0000000..b41c6a8
--- /dev/null
+++ b/sepolicy/vendor/vendor_location.te
@@ -0,0 +1,20 @@
+# loc_launcher service
+# which launches various other services supporting Wifi-RTT (LOWI) vendor_location
+type vendor_location, domain;
+type vendor_location_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_location)
+
+# execute permission for vendor_location daemons in /vendor/bin/
+domain_auto_trans(vendor_location, lowi_server_exec, lowi_server)
+
+# /dev/socket/vendor_location
+allow vendor_location vendor_location_socket:{sock_file lnk_file} create_file_perms;
+allow vendor_location vendor_location_socket:dir rw_dir_perms;
+
+# /sys/devices/soc0/soc_id
+allow vendor_location vendor_location_sysfs:file create_file_perms;
+
+# /dev/socket/location/mq/*
+allow vendor_location lowi_server:unix_dgram_socket {sendto read write};
+allow vendor_location hal_wifi_default:unix_dgram_socket {sendto read write};
+allow vendor_location hal_wifi_ext:unix_dgram_socket {sendto read write};
diff --git a/sepolicy/vendor/wifi_perf_diag.te b/sepolicy/vendor/wifi_perf_diag.te
new file mode 100644
index 0000000..b49c0da
--- /dev/null
+++ b/sepolicy/vendor/wifi_perf_diag.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+ allow wifi_perf_diag vendor_wifi_vendor_data_file:dir rw_dir_perms;
+')
diff --git a/sepolicy/vendor/wifi_sniffer.te b/sepolicy/vendor/wifi_sniffer.te
new file mode 100644
index 0000000..c1e5cfa
--- /dev/null
+++ b/sepolicy/vendor/wifi_sniffer.te
@@ -0,0 +1,4 @@
+userdebug_or_eng(`
+ allow wifi_sniffer self:capability { setuid setgid };
+ allow wifi_sniffer vendor_wifi_vendor_data_file:dir rw_dir_perms;
+')
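Review bot: `allow vendor_location vendor_location_sysfs:file create_file_perms;` in vendor_location.te grants create, write, unlink and setattr on the sysfs node the comment identifies as `/sys/devices/soc0/soc_id`, which this diff's genfs_contexts labels `vendor_location_sysfs`. A SoC id is read, not written, so `allow vendor_location vendor_location_sysfs:file r_file_perms;` should be enough unless the daemon really writes that attribute, in which case the comment should say what it writes. The comment `# /dev/socket/vendor_location` (here and in lowi_server.te) also names a path that file_contexts does not label; the entry that produces `vendor_location_socket` is `/dev/socket/location(/.*)?`, so the comment should use that path to keep the rules traceable to the labels.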