From f60a67678a47d1ba6012791421e8de18ad0ff46f Mon Sep 17 00:00:00 2001
From: Bill Rassieur
Date: Wed, 13 Oct 2021 10:14:46 -0700
Subject: [PATCH 01/60] Initial empty repository
From 401c431fcd51cfdfadf066509728b39be8175b19 Mon Sep 17 00:00:00 2001
From: Cyan_Hsieh
Date: Wed, 20 Oct 2021 18:15:20 +0800
Subject: [PATCH 02/60] Initial device lynx sepolicy
Bug: 202250383
Change-Id: I7b096bdb87ea45760bbcf929cd5757e159952e75
---
 OWNERS | 11 +++++++++++
 lynx-sepolicy.mk | 2 ++
 vendor/README.txt | 2 ++
 3 files changed, 15 insertions(+)
 create mode 100644 OWNERS
 create mode 100644 lynx-sepolicy.mk
 create mode 100644 vendor/README.txt
diff --git a/OWNERS b/OWNERS
new file mode 100644
index 0000000..a24d5fb
--- /dev/null
+++ b/OWNERS
@@ -0,0 +1,11 @@
+adamshih@google.com
+alanstokes@google.com
+bowgotsai@google.com
+jbires@google.com
+jeffv@google.com
+jgalenson@google.com
+jiyong@google.com
+rurumihong@google.com
+sspatil@google.com
+smoreland@google.com
+trong@google.com
diff --git a/lynx-sepolicy.mk b/lynx-sepolicy.mk
new file mode 100644
index 0000000..6efe95c
--- /dev/null
+++ b/lynx-sepolicy.mk
@@ -0,0 +1,2 @@
+# sepolicy that are shared among devices using whitechapel
+BOARD_SEPOLICY_DIRS += device/google/lynx-sepolicy/vendor
diff --git a/vendor/README.txt b/vendor/README.txt
new file mode 100644
index 0000000..67a320f
--- /dev/null
+++ b/vendor/README.txt
@@ -0,0 +1,2 @@
+This folder holds sepolicy exclusively for one device. For example, genfs_contexts
+paths that are affected by device tree.
From 45b906133f3c70eeccdffac04238e4a7d909f037 Mon Sep 17 00:00:00 2001
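Review bot: The comment above the new `BOARD_SEPOLICY_DIRS` line says this policy is `shared among devices using whitechapel`, which contradicts `vendor/README.txt` added in the same commit (`exclusively for one device`) and the repository name. Suggest `# device-specific sepolicy for lynx` so nobody later copies this directory into a board-wide config on the strength of the comment. If the vendor directory really is meant to be shared, the README is the one that needs fixing instead.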
From: Cheney Ni
Date: Fri, 24 Sep 2021 03:43:44 +0800
Subject: [PATCH 03/60] Bluetooth: Add Sepolicy for QTI default HAL (1/2)
Bug: 202113218
Test: manually
Change-Id: I589b5c1df9fad6541799c1ba370fe2359cc31831
---
 bluetooth/device.te | 1 +
 bluetooth/file_contexts | 5 +++++
 bluetooth/genfs_contexts | 1 +
 bluetooth/hal_bluetooth_default.te | 9 +++++++++
 bluetooth/hwservice.te | 2 ++
 bluetooth/hwservice_contexts | 3 +++
 6 files changed, 21 insertions(+)
 create mode 100644 bluetooth/device.te
 create mode 100644 bluetooth/file_contexts
 create mode 100644 bluetooth/genfs_contexts
 create mode 100644 bluetooth/hal_bluetooth_default.te
 create mode 100644 bluetooth/hwservice.te
 create mode 100644 bluetooth/hwservice_contexts
diff --git a/bluetooth/device.te b/bluetooth/device.te
new file mode 100644
index 0000000..7ed13ad
--- /dev/null
+++ b/bluetooth/device.te
@@ -0,0 +1 @@
+type bt_device, dev_type;
diff --git a/bluetooth/file_contexts b/bluetooth/file_contexts
new file mode 100644
index 0000000..da02008
--- /dev/null
+++ b/bluetooth/file_contexts
@@ -0,0 +1,5 @@
+# Bluetooth
+/vendor/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_default_exec:s0
+
+/dev/btpower u:object_r:bt_device:s0
+/dev/ttySAC18 u:object_r:hci_attach_dev:s0
diff --git a/bluetooth/genfs_contexts b/bluetooth/genfs_contexts
new file mode 100644
index 0000000..2b2d437
--- /dev/null
+++ b/bluetooth/genfs_contexts
@@ -0,0 +1 @@
+genfscon sysfs /devices/platform/odm/odm:btqcom/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
diff --git a/bluetooth/hal_bluetooth_default.te b/bluetooth/hal_bluetooth_default.te
new file mode 100644
index 0000000..dcd2b7f
--- /dev/null
+++ b/bluetooth/hal_bluetooth_default.te
@@ -0,0 +1,9 @@
+allow hal_bluetooth_default bt_device:chr_file rw_file_perms;
+
+add_hwservice(hal_bluetooth_default, hal_bluetooth_coexistence_hwservice)
+
+userdebug_or_eng(`
+ allow hal_bluetooth_default sscoredump_vendor_data_crashinfo_file:dir rw_dir_perms;
+ allow hal_bluetooth_default sscoredump_vendor_data_crashinfo_file:file { create_file_perms };
+ set_prop(hal_bluetooth_default, vendor_ssrdump_prop)
+')
diff --git a/bluetooth/hwservice.te b/bluetooth/hwservice.te
new file mode 100644
index 0000000..8a5ae49
--- /dev/null
+++ b/bluetooth/hwservice.te
@@ -0,0 +1,2 @@
+# Bluetooth HAL extension
+type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type;
diff --git a/bluetooth/hwservice_contexts b/bluetooth/hwservice_contexts
new file mode 100644
index 0000000..edd952b
--- /dev/null
+++ b/bluetooth/hwservice_contexts
@@ -0,0 +1,3 @@
+# Bluetooth HAL extension
+hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0
+hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0
From 99f01b584dd409c806e5d1f6bda44d9665e73b8d Mon Sep 17 00:00:00 2001
From: Joel Galenson
Date: Tue, 21 Dec 2021 07:38:55 -0800
Subject: [PATCH 04/60] Include core policy OWNERS
Test: None
Change-Id: I75f26e14abc35f1bc5fb143491ce9419d4cd13f4
---
 OWNERS | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/OWNERS b/OWNERS
index a24d5fb..791abb4 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,11 +1,3 @@
-adamshih@google.com
-alanstokes@google.com
-bowgotsai@google.com
-jbires@google.com
-jeffv@google.com
-jgalenson@google.com
-jiyong@google.com
+include platform/system/sepolicy:/OWNERS
+
 rurumihong@google.com
-sspatil@google.com
-smoreland@google.com
-trong@google.com
From a069c079721cd5a91df54f134d947f2a9ef6bedd Mon Sep 17 00:00:00 2001
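Review bot: `allow hal_bluetooth_default bt_device:chr_file rw_file_perms;` on the first line of the new file includes `ioctl` with no accompanying `allowxperm`, so every ioctl the `/dev/btpower` driver exposes becomes reachable from the HAL on user builds. If the HAL drives the node through a known set of commands, pin them with `allowxperm hal_bluetooth_default bt_device:chr_file ioctl { ... };` listing those commands; if it only opens, reads and writes the node, spell out those permissions instead of `rw_file_perms`. Which ioctls the driver exposes is not visible from this hunk. Gating the crash-info directory access and `vendor_ssrdump_prop` setter behind `userdebug_or_eng` is the right call.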
From: horngchuang
Date: Fri, 7 Jan 2022 16:16:46 +0800
Subject: [PATCH 05/60] Add l10 specific camera component sepolicy settings
Also, move those settings from whitechapel_pro common folder
Bug: 210598444
Test: build okay
Change-Id: Ie96dd9e6da5bdddd62d2ed9f920cb49daa1d74eb
---
 vendor/file_contexts | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 vendor/file_contexts
diff --git a/vendor/file_contexts b/vendor/file_contexts
new file mode 100644
index 0000000..30e57a0
--- /dev/null
+++ b/vendor/file_contexts
@@ -0,0 +1,9 @@
+# Devices
+/dev/lwis-act-lc898129 u:object_r:lwis_device:s0
+/dev/lwis-eeprom-lc898129 u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64x-imx712 u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64x-imx712-uw u:object_r:lwis_device:s0
+/dev/lwis-ois-lc898129 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx712 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx712-uw u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx787 u:object_r:lwis_device:s0
From 069de3333d40551420547333b179cd78d7534b19 Mon Sep 17 00:00:00 2001
From: Hsiu-Chang Chen
Date: Thu, 6 Jan 2022 10:36:23 +0800
Subject: [PATCH 06/60] wifi: Add sepolicy for qcom driver control interface
01-06 11:55:38.816 796 796 I auditd : type=1400 audit(0.0:281): avc: denied { write } for comm="wifi_ext@1.0-se" name="wlan" dev="tmpfs" ino=984 scontext=u:r:hal_wifi_ext:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
01-06 11:55:38.820 796 796 I auditd : type=1400 audit(0.0:282): avc: denied { open } for comm="wifi_ext@1.0-se" path="/dev/wlan" dev="tmpfs" ino=984 scontext=u:r:hal_wifi_ext:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
Bug: 209934729
Test: Basic function tests, SSR tests
Change-Id: Id6afd0580f8792eeb7ef8a25d42724ec79696875
---
 vendor/device.te | 2 ++
 vendor/file_contexts | 3 +++
 vendor/hal_wifi_ext.te | 1 +
 3 files changed, 6 insertions(+)
 create mode 100644 vendor/device.te
 create mode 100644 vendor/hal_wifi_ext.te
diff --git a/vendor/device.te b/vendor/device.te
new file mode 100644
index 0000000..3e16875
--- /dev/null
+++ b/vendor/device.te
@@ -0,0 +1,2 @@
+# Wifi
+type vendor_wlan_device, dev_type;
\ No newline at end of file
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 30e57a0..46faec0 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -7,3 +7,6 @@
 /dev/lwis-sensor-imx712 u:object_r:lwis_device:s0
 /dev/lwis-sensor-imx712-uw u:object_r:lwis_device:s0
 /dev/lwis-sensor-imx787 u:object_r:lwis_device:s0
+
+# Wifi
+/dev/wlan u:object_r:vendor_wlan_device:s0
diff --git a/vendor/hal_wifi_ext.te b/vendor/hal_wifi_ext.te
new file mode 100644
index 0000000..c5cf260
--- /dev/null
+++ b/vendor/hal_wifi_ext.te
@@ -0,0 +1 @@
+allow hal_wifi_ext vendor_wlan_device:chr_file w_file_perms;
From 1663eff382957781f41d02b01f9c57713e5d4485 Mon Sep 17 00:00:00 2001
From: Tai Kuo
Date: Mon, 7 Mar 2022 11:27:09 +0800
Subject: [PATCH 07/60] Setup sysfs_vibrator
Bug: 220068530
Test: dumpsys android.hardware.vibrator.IVibrator/default
Change-Id: Icd8a7d5db2277c72be9a72723434145db4eecb02
---
 vendor/genfs_contexts | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 vendor/genfs_contexts
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
new file mode 100644
index 0000000..caf2581
--- /dev/null
+++ b/vendor/genfs_contexts
@@ -0,0 +1,2 @@
+# Haptics
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
From 374602a5597f489482546cc0a5e3544a0c2051ea Mon Sep 17 00:00:00 2001
From: Hsiu-Chang Chen
Date: Mon, 14 Mar 2022 17:00:59 +0800
Subject: [PATCH 08/60] wifi: Add sepolicy for LOWI tools
Add sepolicy rules for LOWI tools including loc_launcher and lowi-server which are necessary for NAN and RTT
Bug: 223296149
Test: loc_launcher and lowi-server start automatically
Change-Id: I915be13fa715de85de91c30e0605f1e8e9d578f4
---
 vendor/file.te | 5 +++++
 vendor/file_contexts | 5 +++++
 vendor/genfs_contexts | 3 +++
 vendor/hal_wifi_ext.te | 11 +++++++++++
 vendor/hal_wifi_hostapd.te | 1 +
 vendor/hal_wifi_supplicant.te | 1 +
 vendor/ioctl_macros | 9 +++++++++
 vendor/lowi_server.te | 35 +++++++++++++++++++++++++++++++++++
 vendor/vendor_location.te | 15 +++++++++++++++
 9 files changed, 85 insertions(+)
 create mode 100644 vendor/file.te
 create mode 100644 vendor/hal_wifi_hostapd.te
 create mode 100644 vendor/hal_wifi_supplicant.te
 create mode 100644 vendor/ioctl_macros
 create mode 100644 vendor/lowi_server.te
 create mode 100644 vendor/vendor_location.te
diff --git a/vendor/file.te b/vendor/file.te
new file mode 100644
index 0000000..2553c74
--- /dev/null
+++ b/vendor/file.te
@@ -0,0 +1,5 @@
+type vendor_location_data_file, file_type, data_file_type;
+type vendor_location_socket, file_type;
+type vendor_wifi_vendor_data_file, file_type, data_file_type;
+type vendor_wifihal_socket, file_type;
+type vendor_location_sysfs, fs_type, sysfs_type;
\ No newline at end of file
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 46faec0..d692577 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -9,4 +9,9 @@
 /dev/lwis-sensor-imx787 u:object_r:lwis_device:s0
 
 # Wifi
+/data/vendor/wifi(/.*)? u:object_r:vendor_wifi_vendor_data_file:s0
 /dev/wlan u:object_r:vendor_wlan_device:s0
+/dev/socket/location(/.*)? u:object_r:vendor_location_socket:s0
+/dev/socket/wifihal(/.*)? u:object_r:vendor_wifihal_socket:s0
+/vendor/bin/loc_launcher u:object_r:vendor_location_exec:s0
+/vendor/bin/lowi-server u:object_r:lowi_server_exec:s0
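Review bot: `type vendor_location_data_file, file_type, data_file_type;` on the first line of the new file.te is declared but, as far as this commit shows, no `file_contexts` entry labels anything with it and no rule references it; the location daemon's paths get `vendor_location_socket` and `vendor_location_exec` instead. A type that is never assigned is dead policy that still picks up every generic `data_file_type` rule, so either drop the declaration or add the file_contexts entry it was meant for. The file also ends without a trailing newline (`\ No newline at end of file`), which the next edit will have to fix up.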
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index caf2581..b51cb91 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -1,2 +1,5 @@
 # Haptics
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
+
+# Wifi
+genfscon sysfs /devices/soc0/soc_id u:object_r:vendor_location_sysfs:s0
diff --git a/vendor/hal_wifi_ext.te b/vendor/hal_wifi_ext.te
index c5cf260..a16d595 100644
--- a/vendor/hal_wifi_ext.te
+++ b/vendor/hal_wifi_ext.te
@@ -1 +1,12 @@
 allow hal_wifi_ext vendor_wlan_device:chr_file w_file_perms;
+
+# write to files owned by location daemon
+allow hal_wifi_ext vendor_location_socket:dir rw_dir_perms;
+allow hal_wifi_ext vendor_location_socket:{sock_file lnk_file} create_file_perms;
+allow hal_wifi_ext vendor_location:unix_dgram_socket sendto;
+allow hal_wifi_ext lowi_server:unix_dgram_socket sendto;
+
+# Connect to vendor_location via vendor_location socket.
+unix_socket_connect(hal_wifi, vendor_location, vendor_location)
+allow hal_wifi_ext vendor_wifihal_socket:dir rw_dir_perms;
+allow hal_wifi_ext vendor_wifihal_socket:sock_file create_file_perms;
diff --git a/vendor/hal_wifi_hostapd.te b/vendor/hal_wifi_hostapd.te
new file mode 100644
index 0000000..f081558
--- /dev/null
+++ b/vendor/hal_wifi_hostapd.te
@@ -0,0 +1 @@
+allow hal_wifi_hostapd_default vendor_wifi_vendor_data_file:dir rw_dir_perms;
\ No newline at end of file
diff --git a/vendor/hal_wifi_supplicant.te b/vendor/hal_wifi_supplicant.te
new file mode 100644
index 0000000..78993ca
--- /dev/null
+++ b/vendor/hal_wifi_supplicant.te
@@ -0,0 +1 @@
+allow hal_wifi_supplicant_default vendor_wifi_vendor_data_file:dir rw_dir_perms;
\ No newline at end of file
diff --git a/vendor/ioctl_macros b/vendor/ioctl_macros
new file mode 100644
index 0000000..1646edf
--- /dev/null
+++ b/vendor/ioctl_macros
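Review bot: `unix_socket_connect(hal_wifi, vendor_location, vendor_location)` in hal_wifi_ext.te names the `hal_wifi` attribute, not the `hal_wifi_ext` domain that every other rule in this file is written for. In AOSP core policy that attribute is carried by every domain registered as a client or server of the Wi-Fi HAL (system_server among them, if I read the hal_client_domain/hal_server_domain macros right), so this one macro lets all of them write `vendor_location_socket` sock files and `connectto` the location daemon. Unless that was intended, change it to `unix_socket_connect(hal_wifi_ext, vendor_location, vendor_location)`. Note also that the macro grants `unix_stream_socket connectto` while the surrounding rules only ever use `unix_dgram_socket`; if loc_launcher's socket is a dgram socket the stream rule is unused and can go.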
@@ -0,0 +1,9 @@
+define(`lowi_server_ioctls', `{
+SIOCGIFINDEX
+SIOCGIFHWADDR
+SIOCGIFFLAGS
+SIOCIWFIRSTPRIV_05
+SIOCIWFIRSTPRIV_11
+SIOCIWFIRSTPRIV_13
+SIOCDEVPRIVATE_1
+}')
diff --git a/vendor/lowi_server.te b/vendor/lowi_server.te
new file mode 100644
index 0000000..c1281f9
--- /dev/null
+++ b/vendor/lowi_server.te
@@ -0,0 +1,35 @@
+# lowi_server service
+# which launches various other services supporting Wifi-RTT (LOWI) vendor_location
+type lowi_server, domain;
+type lowi_server_exec, exec_type, vendor_file_type, file_type;
+
+hwbinder_use(lowi_server)
+allow lowi_server self:udp_socket create_socket_perms;
+allow lowi_server self:netlink_route_socket create_socket_perms_no_ioctl;
+
+## lowi-server
+##############
+allow lowi_server vendor_location:fd use;
+allow lowi_server vendor_location:unix_dgram_socket sendto;
+
+# some additional network access
+allow lowi_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+allowxperm lowi_server self:udp_socket ioctl lowi_server_ioctls;
+
+# /data/vendor/wifi
+allow lowi_server vendor_wifi_vendor_data_file:dir rw_dir_perms;
+
+# /data/vendor/wifi/wpa
+allow lowi_server wpa_data_file:dir rw_dir_perms;
+allow lowi_server wpa_data_file:sock_file create_file_perms;
+allow lowi_server hal_wifi_supplicant_default:unix_dgram_socket sendto;
+
+# /dev/socket/wifihal
+allow lowi_server vendor_wifihal_socket:dir rw_dir_perms;
+allow lowi_server vendor_wifihal_socket:sock_file create_file_perms;
+allow lowi_server vendor_wifihal_socket:unix_dgram_socket sendto;
+unix_socket_send(lowi_server, vendor_wifihal, hal_wifi_ext);
+
+# /dev/socket/vendor_location
+allow lowi_server vendor_location_socket:{sock_file lnk_file} create_file_perms;
+allow lowi_server vendor_location_socket:dir rw_dir_perms;
diff --git a/vendor/vendor_location.te b/vendor/vendor_location.te
new file mode 100644
index 0000000..cefcd49
--- /dev/null
+++ b/vendor/vendor_location.te
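Review bot: The `/data/vendor/wifi/wpa` block in lowi_server.te (`wpa_data_file:dir rw_dir_perms`, `wpa_data_file:sock_file create_file_perms`, `sendto` to `hal_wifi_supplicant_default`) makes lowi_server a full client of wpa_supplicant's control interface, and `create_file_perms` on the sock_file class also covers `unlink`, `rename` and `setattr` on every socket in that directory, not only the reply socket lowi_server creates for itself. A comment stating which control-interface commands LOWI needs, and trimming the sock_file rule to what its own socket requires, would let the next reviewer judge the grant. Two lines below, `allow lowi_server vendor_wifihal_socket:unix_dgram_socket sendto;` looks like a no-op: a peer dgram socket carries the creating process's domain (here `hal_wifi_ext`, already covered by the `unix_socket_send` line), not the sock_file's type. The private ioctls in `ioctl_macros` (`SIOCIWFIRSTPRIV_05/11/13`, `SIOCDEVPRIVATE_1`) are driver-defined numbers; a comment naming the driver command each maps to would make the allowlist reviewable without the driver header.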
@@ -0,0 +1,15 @@
+# loc_launcher service
+# which launches various other services supporting Wifi-RTT (LOWI) vendor_location
+type vendor_location, domain;
+type vendor_location_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_location)
+
+# execute permission for vendor_location daemons in /vendor/bin/
+domain_auto_trans(vendor_location, lowi_server_exec, lowi_server)
+
+# /dev/socket/vendor_location
+allow vendor_location vendor_location_socket:{sock_file lnk_file} create_file_perms;
+allow vendor_location vendor_location_socket:dir rw_dir_perms;
+
+# /sys/devices/soc0/soc_id
+allow vendor_location vendor_location_sysfs:file create_file_perms;
From 63cd5c61432834c5cd717a115cabcad29b0603d6 Mon Sep 17 00:00:00 2001
From: Hsiu-Chang Chen
Date: Mon, 25 Apr 2022 11:43:29 +0800
Subject: [PATCH 09/60] Add sepolicy for pixellogger
04-25 11:36:17.795 4101 4101 I auditd : type=1400 audit(0.0:6339): avc: denied { search } for comm="LoggingService" name="wifi" dev="dm-40" ino=338 scontext=u:r:logger_app:s0:c229,c256,c512,c768 tcontext=u:object_r:vendor_wifi_vendor_data_file:s0 tclass=dir permissive=1 app=com.android.pixellogger
04-25 11:36:17.799 863 863 I auditd : type=1400 audit(0.0:6340): avc: denied { search } for comm="wifi_ext@1.0-se" name="wifi" dev="dm-40" ino=338 scontext=u:r:hal_wifi_ext:s0 tcontext=u:object_r:vendor_wifi_vendor_data_file:s0 tclass=dir permissive=1
Bug: 230280450
Test: Pixelloger can collect WLAN logs
Change-Id: Id95e4132f2814deb1fbfb307568a4ece87a28611
---
 vendor/hal_wifi_ext.te | 1 +
 vendor/logger_app.te | 3 +++
 2 files changed, 4 insertions(+)
 create mode 100644 vendor/logger_app.te
diff --git a/vendor/hal_wifi_ext.te b/vendor/hal_wifi_ext.te
index a16d595..b26ff32 100644
--- a/vendor/hal_wifi_ext.te
+++ b/vendor/hal_wifi_ext.te
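Review bot: The last line of vendor_location.te, `allow vendor_location vendor_location_sysfs:file create_file_perms;`, grants `create`, `unlink`, `rename`, `setattr` and write on a sysfs node the comment identifies as `/sys/devices/soc0/soc_id`, which a daemon can only ever read. Unless loc_launcher really writes that node, `allow vendor_location vendor_location_sysfs:file r_file_perms;` is the rule that matches both the path and the type's name. The two comment lines at the top describe loc_launcher as the thing that "launches various other services", so the `domain_auto_trans` into `lowi_server` is the only transition this file sets up; a note on what else it is expected to launch would help whoever adds the next one.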
@@ -1,4 +1,5 @@
 allow hal_wifi_ext vendor_wlan_device:chr_file w_file_perms;
+allow hal_wifi_ext vendor_wifi_vendor_data_file:dir rw_dir_perms;
 
 # write to files owned by location daemon
 allow hal_wifi_ext vendor_location_socket:dir rw_dir_perms;
diff --git a/vendor/logger_app.te b/vendor/logger_app.te
new file mode 100644
index 0000000..26c0cc6
--- /dev/null
+++ b/vendor/logger_app.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+ allow logger_app vendor_wifi_vendor_data_file:dir rw_dir_perms;
+')
From 7a86c2d697fbde4391060535c05e05f767cee065 Mon Sep 17 00:00:00 2001
From: sukiliu
Date: Mon, 30 May 2022 14:06:55 +0800
Subject: [PATCH 10/60] Update avc error on ROM 8659812
Bug: 234311757
Bug: 234311798
Bug: 234311675
Bug: 234311758
Test: forrest with boot test w/ SELinux check
Change-Id: I809cd16ca133fcbe5dbac6c7b8f089897fab300c
---
 tracking_denials/bug_map | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 tracking_denials/bug_map
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
new file mode 100644
index 0000000..78a4044
--- /dev/null
+++ b/tracking_denials/bug_map
@@ -0,0 +1,4 @@
+hal_health_default sysfs file b/234311757
+hal_radioext_default hal_bluetooth_default binder b/234311798
+init-insmod-sh init-insmod-sh capability b/234311675
+system_suspend sysfs dir b/234311758
From 2d50edbc64862c5e2ca2f47ef119084392a0c83e Mon Sep 17 00:00:00 2001
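Review bot: The denial quoted in the commit message for `logger_app` is `search` on the `vendor_wifi_vendor_data_file` directory, but the new rule in logger_app.te grants `rw_dir_perms` (including `add_name`/`remove_name`) and no `file` permission at all, so an app domain may now create and delete directory entries under `/data/vendor/wifi` yet still cannot open a log stored directly inside it. If the app only reads collected logs, `allow logger_app vendor_wifi_vendor_data_file:dir r_dir_perms;` covers the observed denial with less than the write rule does; whether it additionally needs `file r_file_perms` or only traverses into differently labelled subdirectories I cannot tell from this hunk. The `userdebug_or_eng` gate is appropriate and should stay whichever way the rule is narrowed.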
From: Jack Wu
Date: Tue, 31 May 2022 12:59:43 +0800
Subject: [PATCH 11/60] Add sepolicy for P9222 WLC power_supply
05-30 05:13:03.096 836 836 I auditd : type=1400 audit(0.0:6): avc: denied { getattr } for comm="android.hardwar" path="/sys/devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/power_supply/wireless/capacity" dev="sysfs" ino=71270 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
05-30 05:13:03.100 836 836 I auditd : type=1400 audit(0.0:7): avc: denied { read } for comm="android.hardwar" name="type" dev="sysfs" ino=71272 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
Bug: 234311757
Test: build ok, no avc denied
Signed-off-by: Jack Wu
Change-Id: I0fb296a9472eda7ff5f2babfea1c769caea525e1
---
 vendor/genfs_contexts | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index b51cb91..11766e5 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -3,3 +3,7 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l26a u
 
 # Wifi
 genfscon sysfs /devices/soc0/soc_id u:object_r:vendor_location_sysfs:s0
+
+# BMS
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0
From 07f8ea39a14586ecc76b908da70fc348703f9a06 Mon Sep 17 00:00:00 2001
From: Darren Hsu
Date: Mon, 6 Jun 2022 11:06:10 +0800
Subject: [PATCH 12/60] sepolicy: label more paths for sysfs_wakeup
Bug: 234311758
Test: forrest apct/device_boot_health_check_extra
Change-Id: I6dab109733062b32e09cfddcbf43cbdc515c07ba
Signed-off-by: Darren Hsu
---
 tracking_denials/bug_map | 1 -
 vendor/genfs_contexts | 6 ++++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 78a4044..47b165b 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,4 +1,3 @@
 hal_health_default sysfs file b/234311757
 hal_radioext_default hal_bluetooth_default binder b/234311798
 init-insmod-sh init-insmod-sh capability b/234311675
-system_suspend sysfs dir b/234311758
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 11766e5..9419ac4 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -7,3 +7,9 @@ genfscon sysfs /devices/soc0/soc_id u:object_r:vendor_location_sysfs:s0
 # BMS
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222 u:object_r:sysfs_wlc:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0
+
+# System Suspend
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/mhi0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/qcom,cnss-qca6490/wakeup u:object_r:sysfs_wakeup:s0
From d4e9442a2eb49d42999b548480f0d3c44a838da0 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 8 Jun 2022 08:11:22 +0800
Subject: [PATCH 13/60] Update error on ROM 8693966
bug: 234311798
bug: 235281134
bug: 235281415
Test: SELinuxUncheckedDenialBootTest
Change-Id: Ib6da45ce6d0c8d0d2668fcc2b3b41cf450c953d2
---
 lynx-sepolicy.mk | 1 +
 tracking_denials/bug_map | 1 -
 tracking_denials/lowi_server.te | 2 ++
 3 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 tracking_denials/lowi_server.te
diff --git a/lynx-sepolicy.mk b/lynx-sepolicy.mk
index 6efe95c..4c770e4 100644
--- a/lynx-sepolicy.mk
+++ b/lynx-sepolicy.mk
@@ -1,2 +1,3 @@
 # sepolicy that are shared among devices using whitechapel
 BOARD_SEPOLICY_DIRS += device/google/lynx-sepolicy/vendor
+BOARD_SEPOLICY_DIRS += device/google/lynx-sepolicy/tracking_denials
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 47b165b..a51827c 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,3 +1,2 @@
-hal_health_default sysfs file b/234311757
 hal_radioext_default hal_bluetooth_default binder b/234311798
 init-insmod-sh init-insmod-sh capability b/234311675
diff --git a/tracking_denials/lowi_server.te b/tracking_denials/lowi_server.te
new file mode 100644
index 0000000..d3c1bd5
--- /dev/null
+++ b/tracking_denials/lowi_server.te
@@ -0,0 +1,2 @@
+# b/235281415
+dontaudit lowi_server vendor_location:unix_dgram_socket { read write };
From 9a67905169b726faa7618706d9387ca5898e6cab Mon Sep 17 00:00:00 2001
From: timothywang
Date: Tue, 14 Jun 2022 10:30:10 +0800
Subject: [PATCH 14/60] Add sepolicy to enable camera vendor property
Bug: 234324271
Test: adb shell getprop
Change-Id: I6a0b344880deeb767df97136c42b2fb86668f39d
---
 vendor/vendor_init.te | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 vendor/vendor_init.te
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
new file mode 100644
index 0000000..6d9b469
--- /dev/null
+++ b/vendor/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_camera_prop)
From 101db9756d5eff6840c748893e96e9153665cd89 Mon Sep 17 00:00:00 2001
From: Hsiu-Chang Chen
Date: Fri, 24 Jun 2022 17:07:25 +0800
Subject: [PATCH 15/60] Add sepolicy for lowi-server
06-24 16:58:55.724 9519 9519 I lowi-server: type=1400 audit(0.0:1980): avc: denied { read write } for path="socket:[69473]" dev="sockfs" ino=69473 scontext=u:r:lowi_server:s0 tcontext=u:r:vendor_location:s0 tclass=unix_dgram_socket permissive=1
Bug: 235281415
Test: avc error is gone
Change-Id: I93615b98c08f6e6e5c3cc182bddcff30e452e103
---
 tracking_denials/lowi_server.te | 2 --
 vendor/lowi_server.te | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)
 delete mode 100644 tracking_denials/lowi_server.te
diff --git a/tracking_denials/lowi_server.te b/tracking_denials/lowi_server.te
deleted file mode 100644
index d3c1bd5..0000000
--- a/tracking_denials/lowi_server.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/235281415
-dontaudit lowi_server vendor_location:unix_dgram_socket { read write };
diff --git a/vendor/lowi_server.te b/vendor/lowi_server.te
index c1281f9..e107cf2 100644
--- a/vendor/lowi_server.te
+++ b/vendor/lowi_server.te
@@ -10,7 +10,7 @@ allow lowi_server self:netlink_route_socket create_socket_perms_no_ioctl;
 ## lowi-server
 ##############
 allow lowi_server vendor_location:fd use;
-allow lowi_server vendor_location:unix_dgram_socket sendto;
+allow lowi_server vendor_location:unix_dgram_socket {sendto read write};
 
 # some additional network access
 allow lowi_server self:netlink_generic_socket create_socket_perms_no_ioctl;
From b9be0516dc5652794e190911c9fe4c17a66846ff Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 29 Jun 2022 09:48:35 +0800
Subject: [PATCH 16/60] update error on ROM 8769316
Bug: 237467750
Test: SELinuxUncheckedDenialBootTest
Change-Id: I0ad1b8cc2f0d298143de177f49e45418dfd857ac
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index a51827c..b252b1b 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,2 +1,3 @@
 hal_radioext_default hal_bluetooth_default binder b/234311798
 init-insmod-sh init-insmod-sh capability b/234311675
+vendor_location lowi_server unix_dgram_socket b/237467750
From 4d4fd451a6de766398829c205d02cff0a89f4a69 Mon Sep 17 00:00:00 2001
From: Hsiu-Chang Chen
Date: Wed, 29 Jun 2022 15:01:15 +0800
Subject: [PATCH 17/60] Add sepolicy for vendor_location
06-25 21:59:57.532 3922 3922 I auditd : type=1400 audit(0.0:11): avc: denied { sendto } for comm="loc_mq_clnt" path="/dev/socket/location/mq/LOWI-SERVER" scontext=u:r:vendor_location:s0 tcontext=u:r:lowi_server:s0 tclass=unix_dgram_socket permissive=0
06-29 04:30:11.188 8182 8182 I auditd : type=1400 audit(0.0:1517): avc: denied { sendto } for comm="loc_mq_clnt" path="/dev/socket/location/mq/7b2e9924f8-LC" scontext=u:r:vendor_location:s0 tcontext=u:r:hal_wifi_ext:s0 tclass=unix_dgram_socket permissive=0
Bug: 237467750
Test: avc error is gone
Change-Id: Ic4ff2bdf30b042c08c38b134c6af086d7033511f
---
 tracking_denials/bug_map | 1 -
 vendor/vendor_location.te | 4 ++++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index b252b1b..a51827c 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,3 +1,2 @@
 hal_radioext_default hal_bluetooth_default binder b/234311798
 init-insmod-sh init-insmod-sh capability b/234311675
-vendor_location lowi_server unix_dgram_socket b/237467750
diff --git a/vendor/vendor_location.te b/vendor/vendor_location.te
index cefcd49..05f55a6 100644
--- a/vendor/vendor_location.te
+++ b/vendor/vendor_location.te
@@ -13,3 +13,7 @@ allow vendor_location vendor_location_socket:dir rw_dir_perms;
 
 # /sys/devices/soc0/soc_id
 allow vendor_location vendor_location_sysfs:file create_file_perms;
+
+# /dev/socket/location/mq/*
+allow vendor_location lowi_server:unix_dgram_socket {sendto read write};
+allow vendor_location hal_wifi_ext:unix_dgram_socket {sendto read write};
From d734865c1ba9e42397d3e679e6c887866324da03 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 6 Jul 2022 02:58:26 +0000
Subject: [PATCH 18/60] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 238143398
Change-Id: Ic30fa2201c37296a031d0e9ddc518c47c49ccaa2
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index a51827c..f5d871f 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,2 +1,3 @@
 hal_radioext_default hal_bluetooth_default binder b/234311798
 init-insmod-sh init-insmod-sh capability b/234311675
+kernel vendor_regmap_debugfs dir b/238143398
From 683104a6a861c9eae96dfe19a43fef184bed4eca Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 13 Jul 2022 14:37:17 +0800
Subject: [PATCH 19/60] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 238837168
Change-Id: Ic852fa8e8c1a8832699bc7f001abc7769ba67394
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index f5d871f..35420f7 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,3 +1,4 @@
 hal_radioext_default hal_bluetooth_default binder b/234311798
 init-insmod-sh init-insmod-sh capability b/234311675
 kernel vendor_regmap_debugfs dir b/238143398
+crash_dump vendor_slog_file dir b/238837168
From c6daa1aa2e294e0c77716a64de1cf4078d6f0c65 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 14 Jul 2022 06:47:13 +0000
Subject: [PATCH 20/60] Update SELinux error
Bug: 234547283
Change-Id: I9caeeee12b5c8f29d9962cfc93d4902115c99b90
---
 tracking_denials/bug_map | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 35420f7..60f870f 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,4 +1,4 @@
+crash_dump vendor_slog_file dir b/238837168
 hal_radioext_default hal_bluetooth_default binder b/234311798
 init-insmod-sh init-insmod-sh capability b/234311675
 kernel vendor_regmap_debugfs dir b/238143398
-crash_dump vendor_slog_file dir b/238837168
From 74af0fe9e61b85f0e6a929307a311b7b91359f2f Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 18 Jul 2022 10:55:40 +0800
Subject: [PATCH 21/60] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 239364745
Change-Id: I65e5ac420fe7c94cfb08d4a9e1f1191152b49754
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 60f870f..e794e28 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,4 +1,5 @@
 crash_dump vendor_slog_file dir b/238837168
 hal_radioext_default hal_bluetooth_default binder b/234311798
 init-insmod-sh init-insmod-sh capability b/234311675
+init-insmod-sh vendor_ready_prop property_service b/239364745
 kernel vendor_regmap_debugfs dir b/238143398
From b51016a53f260e35457a21c9a7e7598851ff9f3a Mon Sep 17 00:00:00 2001
From: Robin Peng
Date: Mon, 18 Jul 2022 22:25:04 +0800
Subject: [PATCH 22/60] Revert "Update SELinux error"
This reverts commit 74af0fe9e61b85f0e6a929307a311b7b91359f2f.
Reason to revert: issue has been fixed
Bug: 239364576
Bug: 239364745
Signed-off-by: Robin Peng
Change-Id: Iaef3454b376a7d5266b72f242b0ca94c77e1c1fe
---
 tracking_denials/bug_map | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index e794e28..60f870f 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,5 +1,4 @@
 crash_dump vendor_slog_file dir b/238837168
 hal_radioext_default hal_bluetooth_default binder b/234311798
 init-insmod-sh init-insmod-sh capability b/234311675
-init-insmod-sh vendor_ready_prop property_service b/239364745
 kernel vendor_regmap_debugfs dir b/238143398
From 49a3cfae3a31fcc1346fb988d10a1c74269a8a24 Mon Sep 17 00:00:00 2001
From: Cheney Ni
Date: Mon, 18 Jul 2022 17:36:31 +0000
Subject: [PATCH 23/60] Bluetooth: Allow QTI HAL service to access its logbuffer
Bug: 229691092
Test: Pass file permission check
Change-Id: Ic97bf3b23c452d20e5e32f3bafe2f6b2c5d2be3b
---
 bluetooth/file_contexts | 7 ++++++-
 bluetooth/hal_bluetooth_default.te | 1 +
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/bluetooth/file_contexts b/bluetooth/file_contexts
index da02008..5560dc7 100644
--- a/bluetooth/file_contexts
+++ b/bluetooth/file_contexts
@@ -1,5 +1,10 @@
-# Bluetooth
+# Bluetooth HAL service
 /vendor/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_default_exec:s0
 
+# Bluetooth Vendor nodes
 /dev/btpower u:object_r:bt_device:s0
 /dev/ttySAC18 u:object_r:hci_attach_dev:s0
+
+# Bluetooth Debuggable HAL nodes
+/dev/logbuffer_btpower u:object_r:logbuffer_device:s0
+/dev/logbuffer_tty18 u:object_r:logbuffer_device:s0
diff --git a/bluetooth/hal_bluetooth_default.te b/bluetooth/hal_bluetooth_default.te
index dcd2b7f..8bbfa77 100644
--- a/bluetooth/hal_bluetooth_default.te
+++ b/bluetooth/hal_bluetooth_default.te
@@ -3,6 +3,7 @@ allow hal_bluetooth_default bt_device:chr_file rw_file_perms;
 add_hwservice(hal_bluetooth_default, hal_bluetooth_coexistence_hwservice)
 
 userdebug_or_eng(`
+ allow hal_bluetooth_default logbuffer_device:chr_file r_file_perms;
 allow hal_bluetooth_default sscoredump_vendor_data_crashinfo_file:dir rw_dir_perms;
 allow hal_bluetooth_default sscoredump_vendor_data_crashinfo_file:file { create_file_perms };
 set_prop(hal_bluetooth_default, vendor_ssrdump_prop)
From 20deb31861974cee99d79d28e4ee8e37f5cc75ff Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 22 Jul 2022 10:34:53 +0800
Subject: [PATCH 24/60] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 239887174
Change-Id: I4034d5ae64004142e312fd534d436014bfc0fe5b
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 60f870f..0a70c41 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,4 +1,5 @@
 crash_dump vendor_slog_file dir b/238837168
 hal_radioext_default hal_bluetooth_default binder b/234311798
 init-insmod-sh init-insmod-sh capability b/234311675
+kernel vendor_charger_debugfs dir b/239887174
 kernel vendor_regmap_debugfs dir b/238143398
From 0c59021e5887202fbfa7305f8ed9d22e48733101 Mon Sep 17 00:00:00 2001
From: Hsiu-Chang Chen
Date: Wed, 27 Jul 2022 13:35:04 +0800
Subject: [PATCH 25/60] Add sepolicy for hal_wifi_ext
07-27 11:58:09.569 869 869 I auditd : type=1400 audit(0.0:2682598): avc: denied { read } for comm="wifi_ext@1.0-se" name="driverdump" dev="proc" ino=4026535980 scontext=u:r:hal_wifi_ext:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0
Bug: 239656339
Test: avc error is gone
Change-Id: Icf816897780fecc1bb35696e492e6fa2661abc20
---
 vendor/file.te | 3 ++-
 vendor/genfs_contexts | 1 +
 vendor/hal_wifi_ext.te | 3 +++
 3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/vendor/file.te b/vendor/file.te
index 2553c74..b70b548 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -2,4 +2,5 @@ type vendor_location_data_file, file_type, data_file_type;
 type vendor_location_socket, file_type;
 type vendor_wifi_vendor_data_file, file_type, data_file_type;
 type vendor_wifihal_socket, file_type;
-type vendor_location_sysfs, fs_type, sysfs_type;
\ No newline at end of file
+type vendor_location_sysfs, fs_type, sysfs_type;
+type vendor_proc_wifi_dbg, fs_type, proc_type;
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 9419ac4..dd1b196 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -3,6 +3,7 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l26a u # Wifi genfscon sysfs /devices/soc0/soc_id u:object_r:vendor_location_sysfs:s0 +genfscon proc /debugdriver/driverdump u:object_r:vendor_proc_wifi_dbg:s0 # BMS genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222 u:object_r:sysfs_wlc:s0 diff --git a/vendor/hal_wifi_ext.te b/vendor/hal_wifi_ext.te index b26ff32..fbe187d 100644 --- a/vendor/hal_wifi_ext.te +++ b/vendor/hal_wifi_ext.te @@ -11,3 +11,6 @@ allow hal_wifi_ext lowi_server:unix_dgram_socket sendto; unix_socket_connect(hal_wifi, vendor_location, vendor_location) allow hal_wifi_ext vendor_wifihal_socket:dir rw_dir_perms; allow hal_wifi_ext vendor_wifihal_socket:sock_file create_file_perms; + +# allow hal_wifi to write into /proc/debugdriver/driverdump +r_dir_file(hal_wifi_ext, vendor_proc_wifi_dbg); From 4e2b651fdccffb369ad937258dec6a3486a11e2e Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Thu, 28 Jul 2022 10:16:55 +0800 Subject: [PATCH 26/60] sepolicy: allow hal_power_stats to read wifi sysfs and property avc: denied { read } for name="power_stats" dev="sysfs" ino=114517 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 avc: denied { read } for name="u:object_r:wifi_hal_prop:s0" dev="tmpfs" ino=371 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:wifi_hal_prop:s0 tclass=file permissive=0 Bug: 240391946 Test: get bugreport and make sure no avc denials related to Test: hal_power_stats Change-Id: I3be32eb4e61926c3abd24c67e7dab9b4056bf00a Signed-off-by: Darren Hsu --- vendor/genfs_contexts | 3 +++ vendor/hal_power_stats_default.te | 2 ++ 2 files changed, 5 insertions(+) create mode 100644 vendor/hal_power_stats_default.te diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index dd1b196..4f547fd 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
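Review bot: The comment added to hal_wifi_ext.te says the HAL writes into /proc/debugdriver/driverdump, but `r_dir_file(hal_wifi_ext, vendor_proc_wifi_dbg);` grants read-only access and the denial quoted in the commit message is `{ read }`, so the comment overstates the grant; it also names `hal_wifi` where the rule targets `hal_wifi_ext`. Suggest `# allow hal_wifi_ext to read /proc/debugdriver/driverdump (b/239656339)`. Labelling the node with the dedicated `vendor_proc_wifi_dbg` type instead of opening generic `proc` is the right shape for this; if a write path is ever needed it should be added as an explicit rule rather than implied by the comment.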
@@ -14,3 +14,6 @@ genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/power_supply/wir genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/mhi0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/qcom,cnss-qca6490/wakeup u:object_r:sysfs_wakeup:s0 + +# PowerStats +genfscon sysfs /kernel/wifi/power_stats u:object_r:sysfs_power_stats:s0 diff --git a/vendor/hal_power_stats_default.te b/vendor/hal_power_stats_default.te new file mode 100644 index 0000000..24527f9 --- /dev/null +++ b/vendor/hal_power_stats_default.te @@ -0,0 +1,2 @@ +# Needed to detect wifi on/off +get_prop(hal_power_stats_default, wifi_hal_prop) From f2a76321060290b11a659ef880de46e03e845721 Mon Sep 17 00:00:00 2001 From: chungkai Date: Fri, 29 Jul 2022 04:45:27 +0000 Subject: [PATCH 27/60] genfs_contexts: fix path for i2c peripheral device paths are changed when we enable parallel module loading and reorder the initializtaion of devices. Test: without avc denial on L10 when booting Bug: 240641235 Signed-off-by: chungkai Change-Id: I411ceaa02cb6fb36fc767937a62f945685c4a019 --- vendor/genfs_contexts | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 4f547fd..9f8526d 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
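Review bot: The genfscon line in this hunk moves /sys/kernel/wifi/power_stats from generic `sysfs` to `sysfs_power_stats`, but no rule in the commit grants hal_power_stats_default read access to that type, so the `{ read }` denial in the message is resolved only if such a rule already exists in shared policy; worth confirming rather than assuming. The new hal_power_stats_default.te could record that dependency next to the property rule, e.g. `# b/240391946: /sys/kernel/wifi/power_stats is labelled sysfs_power_stats in genfs_contexts`. The `get_prop` on `wifi_hal_prop` is read-only, which matches the second denial.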
@@ -6,13 +6,46 @@ genfscon sysfs /devices/soc0/soc_id u:object_r:vendor_location_sysfs:s0 genfscon proc /debugdriver/driverdump u:object_r:vendor_proc_wifi_dbg:s0 # BMS +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-0/i2c-p9222 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-0/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-1/i2c-p9222 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-1/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9222 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9222 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9222 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9222 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222 u:object_r:sysfs_wlc:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9222 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9222 u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0 # System Suspend +genfscon sysfs 
/devices/platform/10da0000.hsi2c/i2c-0/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-0/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-1/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-1/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs 
/devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/mhi0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/mhi0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/qcom,cnss-qca6490/wakeup u:object_r:sysfs_wakeup:s0 # PowerStats From 9ac637312bb4ab73f1998d3b71ec6ab76e638864 Mon Sep 17 00:00:00 2001 From: Hsiu-Chang Chen Date: Tue, 2 Aug 2022 16:39:19 +0800 Subject: [PATCH 28/60] wifi: correct label wlan0/p2p0/wifi-aware0 device as sysfs_net Bug: 239657967 Test: NetdSELinuxTest#CheckProperMTULabels Change-Id: I31db1d2110b2c18cf12a5cfa9b13e8c6dff09d59 --- vendor/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 4f547fd..8f929cb 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -4,6 +4,7 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l26a u # Wifi genfscon sysfs /devices/soc0/soc_id u:object_r:vendor_location_sysfs:s0 genfscon proc /debugdriver/driverdump u:object_r:vendor_proc_wifi_dbg:s0 +genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/net u:object_r:sysfs_net:s0 # BMS genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222 u:object_r:sysfs_wlc:s0 From 11348d7e76e679950e663c5ea70281061736255c Mon Sep 17 00:00:00 2001 
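Review bot: The i2c-0 … i2c-8 entries added under `# BMS` and `# System Suspend` read as duplicates of the existing i2c-6 lines and nothing in the file records that the bus index is not stable, so a later cleanup could drop them and reintroduce the denials; add a comment above the block such as `# hsi2c bus index varies with parallel module loading (b/240641235); label every candidate path`. The same applies to the added `pci0000:00/0000:00:00.0/0000:01:00.0/mhi0/wakeup` line beside the existing pci0001 path. Note that the next commit's index line (`4f547fd..8f929cb`) is based on the pre-PATCH-27 blob, so this change may not be in the lineage of the later genfs_contexts hunks on this page — worth checking it actually landed.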
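Review bot: The new `sysfs_net` label is attached only to the `pci0001:00/0001:00:00.0/0001:01:00.0/net` path; PATCH 27 in this series adds a `pci0000:…` twin for the mhi0 wakeup node, which suggests the PCI domain number is not fixed, and on the other enumeration wlan0's sysfs directory would stay generic `sysfs` and the MTU-label check would regress. If that variability is real, add the matching line by analogy, `genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/net u:object_r:sysfs_net:s0`. The test named in the message (NetdSELinuxTest#CheckProperMTULabels) is the right regression check for both paths.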
From: Aaron Tsai Date: Thu, 4 Aug 2022 07:19:10 +0800 Subject: [PATCH 29/60] Fix avc denied for hal_radioext_default 05-30 13:13:30.868 867 867 I auditd : type=1400 audit(0.0:21): avc: denied { call } for comm="HwBinder:867_1" scontext=u:r:hal_radioext_default:s0 tcontext=u:r:hal_bluetooth_default:s0 tclass=binder permissive=0 Bug: 234311798 Test: verified with the forrest ROM and error log gone Change-Id: I0195fe2d8e81ea0149255524cfc047540159281b --- tracking_denials/bug_map | 1 - vendor/hal_radioext_default.te | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) create mode 100644 vendor/hal_radioext_default.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 0a70c41..6602977 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,5 +1,4 @@ crash_dump vendor_slog_file dir b/238837168 -hal_radioext_default hal_bluetooth_default binder b/234311798 init-insmod-sh init-insmod-sh capability b/234311675 kernel vendor_charger_debugfs dir b/239887174 kernel vendor_regmap_debugfs dir b/238143398 diff --git a/vendor/hal_radioext_default.te b/vendor/hal_radioext_default.te new file mode 100644 index 0000000..1620f2b --- /dev/null +++ b/vendor/hal_radioext_default.te @@ -0,0 +1 @@ +binder_call(hal_radioext_default, hal_bluetooth_default) From e465f1a8563e2710d41395429ec7c0e8614f0f16 Mon Sep 17 00:00:00 2001 
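Review bot: The new `binder_call(hal_radioext_default, hal_bluetooth_default)` opens a HwBinder call path from the radio-extension HAL into the Bluetooth HAL with no comment on why the radio HAL needs it, and once the bug_map entry is dropped nothing under vendor/ carries the bug reference. Suggest `# b/234311798: hal_radioext_default calls hal_bluetooth_default over HwBinder`. `binder_call` also grants `fd use` on descriptors the callee passes back, so confirm the Bluetooth HAL interface involved is the intended one.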
From: Hsiu-Chang Chen Date: Thu, 25 Aug 2022 10:04:19 +0800 Subject: [PATCH 30/60] Add sepolicy for wifi_sniffer and wifi_perf_diag avc: denied { search } for name="wifi" dev="dm-38" ino=329 scontext=u:r:wifi_sniffer:s0 tcontext=u:object_r:vendor_wifi_vendor_data_file:s0 tclass=dir avc: denied { setuid } for capability=7 scontext=u:r:wifi_sniffer:s0 tcontext=u:r:wifi_sniffer:s0 tclass=capability avc: denied { setgid } for capability=6 scontext=u:r:wifi_sniffer:s0 tcontext=u:r:wifi_sniffer:s0 tclass=capability avc: denied { search } for comm="wifi_perf_diag" name="wifi" dev="dm-38" ino=329 scontext=u:r:wifi_perf_diag:s0 tcontext=u:object_r:vendor_wifi_vendor_data_file:s0 tclass=dir Bug: 243727673 Test: PixelLogger works normally Change-Id: Idd0bb1ffeb198eea855b717a745fd93fecfe2251 --- vendor/wifi_perf_diag.te | 3 +++ vendor/wifi_sniffer.te | 4 ++++ 2 files changed, 7 insertions(+) create mode 100644 vendor/wifi_perf_diag.te create mode 100644 vendor/wifi_sniffer.te diff --git a/vendor/wifi_perf_diag.te b/vendor/wifi_perf_diag.te new file mode 100644 index 0000000..b49c0da --- /dev/null +++ b/vendor/wifi_perf_diag.te @@ -0,0 +1,3 @@ +userdebug_or_eng(` + allow wifi_perf_diag vendor_wifi_vendor_data_file:dir rw_dir_perms; +') diff --git a/vendor/wifi_sniffer.te b/vendor/wifi_sniffer.te new file mode 100644 index 0000000..c1e5cfa --- /dev/null +++ b/vendor/wifi_sniffer.te @@ -0,0 +1,4 @@ +userdebug_or_eng(` + allow wifi_sniffer self:capability { setuid setgid }; + allow wifi_sniffer vendor_wifi_vendor_data_file:dir rw_dir_perms; +') From ea80cb501622f35602e8b5f3fa041c736864de9f Mon Sep 17 00:00:00 2001 
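Review bot: Both new files grant `rw_dir_perms` on `vendor_wifi_vendor_data_file` although the denials quoted in the message are only `{ search }` on that directory, and neither file grants any `:file` permission under it; either the tools only traverse the directory, in which case `search` (or `r_dir_perms`) is enough, or they write captures there, in which case a `:file create_file_perms` rule is missing and will surface as the next denial — reconcile with what PixelLogger actually does. The `self:capability { setuid setgid }` grant in wifi_sniffer.te deserves a one-line reason, e.g. `# b/243727673: sniffer drops to a less privileged uid/gid after start — confirm`, since it is the one privilege-changing rule in the set. The `userdebug_or_eng` wrapper keeps all of this out of user builds, which is right. tcpdump_logger.te in PATCH 31 (next hunk) has the same rw_dir_perms-versus-search mismatch.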
From: Hsiu-Chang Chen Date: Thu, 25 Aug 2022 16:56:44 +0800 Subject: [PATCH 31/60] Add sepolicy for tcpdump_logger avc: denied { search } for name="wifi" dev="dm-44" ino=329 scontext=u:r:tcpdump_logger:s0 tcontext=u:object_r:vendor_wifi_vendor_data_file:s0 tclass=dir Bug: 243764714 Test: PixelLogger works normally Change-Id: I4ee93dbe10bae08e01053656a8429c57bb3651c8 --- vendor/tcpdump_logger.te | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 vendor/tcpdump_logger.te diff --git a/vendor/tcpdump_logger.te b/vendor/tcpdump_logger.te new file mode 100644 index 0000000..9f00bb7 --- /dev/null +++ b/vendor/tcpdump_logger.te @@ -0,0 +1,3 @@ +userdebug_or_eng(` + allow tcpdump_logger vendor_wifi_vendor_data_file:dir rw_dir_perms; +') From b2c724f0edfa43dcd6f9521e0546c2f79dc9f02b Mon Sep 17 00:00:00 2001 From: Hsiu-Chang Chen Date: Fri, 14 Oct 2022 14:24:09 +0800 Subject: [PATCH 32/60] Add sepolicy rules for hal_wifi_default In PDK build, it uses default wifi hal instead wifi_ext hal. Need to add rules for hal_wifi_default as well as we added for hal_wifi_ext Bug: 253544307 Test: Wifi can be enabled in PDK builds Change-Id: I57ad330c2467ae99b9c5190fbdc2f02e998b2fc1 --- vendor/hal_wifi_default.te | 19 +++++++++++++++++++ vendor/lowi_server.te | 1 + vendor/vendor_location.te | 1 + 3 files changed, 21 insertions(+) create mode 100644 vendor/hal_wifi_default.te diff --git a/vendor/hal_wifi_default.te b/vendor/hal_wifi_default.te new file mode 100644 index 0000000..418aba5 --- /dev/null +++ b/vendor/hal_wifi_default.te 
@@ -0,0 +1,19 @@ +allow hal_wifi_default vendor_wlan_device:chr_file w_file_perms; +allow hal_wifi_default vendor_wifi_vendor_data_file:dir rw_dir_perms; + +# write to files owned by location daemon +allow hal_wifi_default vendor_location_socket:dir rw_dir_perms; +allow hal_wifi_default vendor_location_socket:{sock_file lnk_file} create_file_perms; +allow hal_wifi_default vendor_location:unix_dgram_socket sendto; +allow hal_wifi_default lowi_server:unix_dgram_socket sendto; + +# Connect to vendor_location via vendor_location socket. +unix_socket_connect(hal_wifi, vendor_location, vendor_location) +allow hal_wifi_default vendor_wifihal_socket:dir rw_dir_perms; +allow hal_wifi_default vendor_wifihal_socket:sock_file create_file_perms; + +# allow hal_wifi to write into /proc/debugdriver/driverdump +r_dir_file(hal_wifi_default, vendor_proc_wifi_dbg); + +# Write wlan driver/fw version into property +set_prop(hal_wifi_default, vendor_wifi_version) diff --git a/vendor/lowi_server.te b/vendor/lowi_server.te index e107cf2..21dfb81 100644 --- a/vendor/lowi_server.te +++ b/vendor/lowi_server.te @@ -28,6 +28,7 @@ allow lowi_server hal_wifi_supplicant_default:unix_dgram_socket sendto; allow lowi_server vendor_wifihal_socket:dir rw_dir_perms; allow lowi_server vendor_wifihal_socket:sock_file create_file_perms; allow lowi_server vendor_wifihal_socket:unix_dgram_socket sendto; +unix_socket_send(lowi_server, vendor_wifihal, hal_wifi_default); unix_socket_send(lowi_server, vendor_wifihal, hal_wifi_ext); # /dev/socket/vendor_location diff --git a/vendor/vendor_location.te b/vendor/vendor_location.te index 05f55a6..b41c6a8 100644 --- a/vendor/vendor_location.te +++ b/vendor/vendor_location.te 
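Review bot: `unix_socket_connect(hal_wifi, vendor_location, vendor_location)` in the new hal_wifi_default.te is keyed on the `hal_wifi` attribute rather than the `hal_wifi_default` domain, so it is the same rule already present in hal_wifi_ext.te (visible as context in PATCH 25) and adds nothing for this domain; either write `unix_socket_connect(hal_wifi_default, vendor_location, vendor_location)` to match the surrounding domain-specific lines or drop it. The comment `# allow hal_wifi to write into /proc/debugdriver/driverdump` again describes a write while `r_dir_file` grants read only; `# allow hal_wifi_default to read /proc/debugdriver/driverdump` is accurate. Duplicating the whole hal_wifi_ext block for hal_wifi_default means the two will drift; if both domains carry the `hal_wifi` attribute, consider expressing the shared rules once against it.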
@@ -16,4 +16,5 @@ allow vendor_location vendor_location_sysfs:file create_file_perms; # /dev/socket/location/mq/* allow vendor_location lowi_server:unix_dgram_socket {sendto read write}; +allow vendor_location hal_wifi_default:unix_dgram_socket {sendto read write}; allow vendor_location hal_wifi_ext:unix_dgram_socket {sendto read write}; From cf6ebcdd6f63f2c2e1fd631b4744efa327595ff7 Mon Sep 17 00:00:00 2001 From: Hsiu-Chang Chen Date: Fri, 28 Oct 2022 12:35:02 +0800 Subject: [PATCH 33/60] Fix avc denied for init-insmod-sh qrtr.ko doesn't request net_admin permission now 05-30 05:12:58.524 492 492 I auditd : type=1400 audit(0.0:4): avc: denied { net_admin } for comm="modprobe" capability=12 scontext=u:r:init-insmod-sh:s0 tcontext=u:r:init-insmod-sh:s0 tclass=capability permissive=0 Bug: 234311675 Test: verified with the forrest ROM and error log gone Change-Id: I72fb5441b977b6ba67d19416049a2776c3aebd12 --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 6602977..cc9e88c 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,4 +1,3 @@ crash_dump vendor_slog_file dir b/238837168 -init-insmod-sh init-insmod-sh capability b/234311675 kernel vendor_charger_debugfs dir b/239887174 kernel vendor_regmap_debugfs dir b/238143398 From b5eec482fddc6f16ce368ad868ab87d83f30439d Mon Sep 17 00:00:00 2001 
From: Chris Paulo Date: Fri, 16 Sep 2022 23:54:10 +0000 Subject: [PATCH 34/60] device-sepolicy: Add sepolicy for vibrator hal Added sepolicy for vibrator hal specific to device uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { read } for property=vibrator.adaptive_haptics.enabled pid=0 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:adaptive_haptics_prop:s0 tclass=file permissive=1' avc: denied { open } for comm="odrefresh" path="/dev/__properties__/u:object_r:adaptive_haptics_prop:s0" dev="tmpfs" ino=80 scontext=u:r:odrefresh:s0 tcontext=u:object_r:adaptive_haptics_prop:s0 tclass=file permissive=1 avc: denied { getattr } for comm="odrefresh" path="/dev/__properties__/u:object_r:adaptive_haptics_prop:s0" dev="tmpfs" ino=80 scontext=u:r:odrefresh:s0 tcontext=u:object_r:adaptive_haptics_prop:s0 tclass=file permissive=1 avc: denied { map } for comm="odrefresh" path="/dev/__properties__/u:object_r:adaptive_haptics_prop:s0" dev="tmpfs" ino=80 scontext=u:r:odrefresh:s0 tcontext=u:object_r:adaptive_haptics_prop:s0 tclass=file permissive=1 avc: denied { write } for comm="android.hardwar" name="chre" dev="tmpfs" ino=1094 scontext=u:r:hal_vibrator_default:s0 tcontext=u:object_r:chre_socket:s0 tclass=sock_file permissive=1 avc: denied { connectto } for comm="android.hardwar" path="/dev/socket/chre" scontext=u:r:hal_vibrator_default:s0 tcontext=u:r:chre:s0 tclass=unix_stream_socket permissive=1 avc: denied { open } for comm="binder:8084_3" path="/dev/__properties__/u:object_r:adaptive_haptics_prop:s0" dev="tmpfs" ino=80 scontext=u:r:gmscore_app:s0:c512,c768 tcontext=u:object_r:adaptive_haptics_prop:s0 tclass=file permissive=1 app=com.google.android.gms avc: denied { getattr } for comm="binder:8084_3" path="/dev/__properties__/u:object_r:adaptive_haptics_prop:s0" dev="tmpfs" ino=80 scontext=u:r:gmscore_app:s0:c512,c768 tcontext=u:object_r:adaptive_haptics_prop:s0 tclass=file permissive=1 app=com.google.android.gms Bug: 198239103 Test: Verified 
functionality Signed-off-by: Chris Paulo Change-Id: Ib118b553eab1db6f9fadaebeae0d57eb329294e3 --- vendor/file_contexts | 3 +++ vendor/hal_vibrator_default.te | 3 +++ vendor/property_contexts | 2 ++ vendor/vendor_init.te | 4 ++++ 4 files changed, 12 insertions(+) create mode 100644 vendor/hal_vibrator_default.te create mode 100644 vendor/property_contexts diff --git a/vendor/file_contexts b/vendor/file_contexts index d692577..1b1cd08 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -15,3 +15,6 @@ /dev/socket/wifihal(/.*)? u:object_r:vendor_wifihal_socket:s0 /vendor/bin/loc_launcher u:object_r:vendor_location_exec:s0 /vendor/bin/lowi-server u:object_r:lowi_server_exec:s0 + +# Haptics +/vendor/bin/hw/android\.hardware\.vibrator-service\.cs40l26-private-lynx u:object_r:hal_vibrator_default_exec:s0 \ No newline at end of file diff --git a/vendor/hal_vibrator_default.te b/vendor/hal_vibrator_default.te new file mode 100644 index 0000000..b5c7202 --- /dev/null +++ b/vendor/hal_vibrator_default.te @@ -0,0 +1,3 @@ +# Allow Vibrator HAL to communicate with daemon via socket +allow hal_vibrator_default chre:unix_stream_socket connectto; +allow hal_vibrator_default chre_socket:sock_file write; \ No newline at end of file diff --git a/vendor/property_contexts b/vendor/property_contexts new file mode 100644 index 0000000..75cbb36 --- /dev/null +++ b/vendor/property_contexts @@ -0,0 +1,2 @@ +# Haptics +persist.vendor.vibrator.hal. u:object_r:vendor_vibrator_prop:s0 diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index 6d9b469..440c30c 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -1 +1,5 @@ +# Camera set_prop(vendor_init, vendor_camera_prop) + +# Haptics +get_prop(vendor_init, adaptive_haptics_prop) From 5b9f54e76dd35225c2ea1cf9052667f431fa460b Mon Sep 17 00:00:00 2001 
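Review bot: hal_vibrator_default.te spells out `allow hal_vibrator_default chre:unix_stream_socket connectto;` and `allow hal_vibrator_default chre_socket:sock_file write;`, which is exactly what the `unix_socket_connect` macro used elsewhere in this policy (hal_wifi_ext.te) expands to; `unix_socket_connect(hal_vibrator_default, chre, chre)` is the one-line idiomatic form. Both this file and the file_contexts addition end with `\ No newline at end of file`, a recurring nit in this series (vendor/file.te in PATCH 25 and PATCH 40) that produces noisy follow-up diffs. `vendor_vibrator_prop` and `adaptive_haptics_prop` are not declared in this change, so they must come from shared policy — worth a comment saying where. The odrefresh and gmscore_app denials quoted in the message are not addressed here; if they are expected on these builds, say so in the message, otherwise they need a separate fix.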
From: Vic Huang Date: Fri, 2 Dec 2022 11:48:18 +0000 Subject: [PATCH 35/60] No avc denied in SELinuxUncheckedDenialBootTest DeviceBootTest.DeviceBootTest.SELinuxUncheckedDenialBootTest avc: denied { call } for comm="oid.grilservice" scontext=u:r:grilservice_app:s0:c227,c256,c512,c768 tcontext=u:r:hal_bluetooth_default:s0 tclass=binder permissive=0 app=com.google.android.grilservice Bug: 259198345 Change-Id: Ie3800e3197f04b83ba8789c82518cbb721e1fe37 --- tracking_denials/grilservice_app.te | 1 + 1 file changed, 1 insertion(+) create mode 100644 tracking_denials/grilservice_app.te diff --git a/tracking_denials/grilservice_app.te b/tracking_denials/grilservice_app.te new file mode 100644 index 0000000..cf98a89 --- /dev/null +++ b/tracking_denials/grilservice_app.te @@ -0,0 +1 @@ +dontaudit grilservice_app hal_bluetooth_default:binder call; From c70f56e2dfe6f45613aba527bc53925929ba45d2 Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Fri, 16 Dec 2022 05:52:28 +0000 Subject: [PATCH 36/60] WLC: Add device specific sepolicy for wireless_charger Bug: 237600973 Change-Id: I9d219c3abf02266cc8200c70840a65aedb17ee7b Signed-off-by: Ken Yang --- vendor/platform_app.te | 2 ++ vendor/system_app.te | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 vendor/platform_app.te create mode 100644 vendor/system_app.te diff --git a/vendor/platform_app.te b/vendor/platform_app.te new file mode 100644 index 0000000..6ac0514 --- /dev/null +++ b/vendor/platform_app.te @@ -0,0 +1,2 @@ +allow platform_app hal_wireless_charger_service:service_manager find; +binder_call(platform_app, hal_wireless_charger) diff --git a/vendor/system_app.te b/vendor/system_app.te new file mode 100644 index 0000000..ca56668 --- /dev/null +++ b/vendor/system_app.te @@ -0,0 +1,2 @@ +allow system_app hal_wireless_charger_service:service_manager find; +binder_call(system_app, hal_wireless_charger) From e5a1cde5d486cbbd8988af8f5bc151a527de114c Mon Sep 17 00:00:00 2001 
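Review bot: `dontaudit grilservice_app hal_bluetooth_default:binder call;` silences the denial but the call still fails, so it quiets the boot test without restoring whatever the app was trying to do; the other tracking_denials files on this page carry a `# b/NNN` line and this one should too, `# b/259198345`. Later in this series PATCH 49 turns this into `binder_call(grilservice_app, hal_bluetooth_default)` while this dontaudit stays until PATCH 52; whichever lands first, the tracking entry should be removed in the same change that adds the allow.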
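Review bot: `binder_call(platform_app, hal_wireless_charger)` and the matching `system_app` rule hand every app running in those two broad domains a binder path into the wireless-charger vendor HAL, plus `service_manager find` on its service, for the benefit of presumably one settings or diagnostic app. If that app can be given its own domain via seapp_contexts the rules should target that domain; the entries are removed again in PATCH 39 of this series, so the narrower form is what should come back if the feature returns. A `# b/237600973` comment naming the client would also help the next reviewer.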
From: Myles Watson Date: Tue, 10 Jan 2023 06:28:45 -0800 Subject: [PATCH 37/60] Lynx: Use common sepolicy for bt_device Bug: 205758693 Test: build Ignore-AOSP-First: Some devices in internal define bt_device Change-Id: Ic1b7469d64c79285d9d7993befbe173c9bca34aa --- bluetooth/device.te | 1 - 1 file changed, 1 deletion(-) delete mode 100644 bluetooth/device.te diff --git a/bluetooth/device.te b/bluetooth/device.te deleted file mode 100644 index 7ed13ad..0000000 --- a/bluetooth/device.te +++ /dev/null @@ -1 +0,0 @@ -type bt_device, dev_type; From 966927efa328db7b9c26e6a8dc42272299a1577b Mon Sep 17 00:00:00 2001 From: Myles Watson Date: Tue, 10 Jan 2023 06:28:45 -0800 Subject: [PATCH 38/60] Lynx: Use common sepolicy for bt_device Bug: 205758693 Test: build Ignore-AOSP-First: Some devices in internal define bt_device Change-Id: Ic1b7469d64c79285d9d7993befbe173c9bca34aa (cherry picked from commit e5a1cde5d486cbbd8988af8f5bc151a527de114c) Merged-In: Ic1b7469d64c79285d9d7993befbe173c9bca34aa --- bluetooth/device.te | 1 - 1 file changed, 1 deletion(-) delete mode 100644 bluetooth/device.te diff --git a/bluetooth/device.te b/bluetooth/device.te deleted file mode 100644 index 7ed13ad..0000000 --- a/bluetooth/device.te +++ /dev/null @@ -1 +0,0 @@ -type bt_device, dev_type; From fa9c88aef83d59b8f0eca2c0cc1142c5a4fa44d8 Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Fri, 6 Jan 2023 19:29:58 +0000 Subject: [PATCH 39/60] WLC: Cleanup the sysfs_wlc policies Bug: 263830018 Change-Id: I6b31c6127e01b946c51200683b511853f2d304b4 Signed-off-by: Ken Yang --- vendor/platform_app.te | 2 -- vendor/system_app.te | 2 -- 2 files changed, 4 deletions(-) delete mode 100644 vendor/platform_app.te delete mode 100644 vendor/system_app.te diff --git a/vendor/platform_app.te b/vendor/platform_app.te deleted file mode 100644 index 6ac0514..0000000 --- a/vendor/platform_app.te +++ /dev/null 
@@ -1,2 +0,0 @@ -allow platform_app hal_wireless_charger_service:service_manager find; -binder_call(platform_app, hal_wireless_charger) diff --git a/vendor/system_app.te b/vendor/system_app.te deleted file mode 100644 index ca56668..0000000 --- a/vendor/system_app.te +++ /dev/null @@ -1,2 +0,0 @@ -allow system_app hal_wireless_charger_service:service_manager find; -binder_call(system_app, hal_wireless_charger) From 53746d95466a594b3e3edb5eb1adc448b968253e Mon Sep 17 00:00:00 2001 From: Hsiu-Chang Chen Date: Mon, 13 Feb 2023 17:24:16 +0800 Subject: [PATCH 40/60] wlan: add cnss-daemon and related libraries cnss-daemon is necessary for CHRE function Bug: 264524963 Test: Regression Test Change-Id: Ic7b63617e30a9e6427b0ac280bf4763f9cc19f6e --- vendor/cnss-daemon.te | 20 ++++++++++++++++++++ vendor/file.te | 1 + vendor/file_contexts | 1 + vendor/genfs_contexts | 1 + 4 files changed, 23 insertions(+) create mode 100644 vendor/cnss-daemon.te diff --git a/vendor/cnss-daemon.te b/vendor/cnss-daemon.te new file mode 100644 index 0000000..e6ea641 --- /dev/null +++ b/vendor/cnss-daemon.te @@ -0,0 +1,20 @@ +# cnss-daemon service +type cnss-daemon, domain; +type cnss-daemon_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(cnss-daemon) + +net_domain(cnss-daemon) + +allow cnss-daemon self:netlink_generic_socket create_socket_perms_no_ioctl; +allow cnss-daemon self:qipcrtr_socket create_socket_perms_no_ioctl; + +# /data/vendor/wifi/ +allow cnss-daemon vendor_wifi_vendor_data_file:dir create_dir_perms; +allow cnss-daemon vendor_wifi_vendor_data_file:file create_file_perms; + +# /proc/sys/net/ipv4/tcp_adv_win_scal +allow cnss-daemon proc_net:file rw_file_perms; + +# /sys/class/remoteproc +allow cnss-daemon sysfs_cnss_daemon:dir r_dir_perms; +allow cnss-daemon sysfs_cnss_daemon:file r_file_perms; diff --git a/vendor/file.te b/vendor/file.te index b70b548..7f9aa22 100644 --- a/vendor/file.te +++ b/vendor/file.te 
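Review bot: `allow cnss-daemon proc_net:file rw_file_perms;` gives the daemon read and write on every file labelled `proc_net` (which in platform policy covers the /proc/sys/net sysctls as a whole), although the comment names a single sysctl; this series already shows the narrower pattern (`vendor_proc_wifi_dbg` with a dedicated genfscon in PATCH 25), so label `/sys/net/ipv4/tcp_adv_win_scale` with its own `proc_type` and grant rw on that, if the platform policy permits the more specific label. The comment `# /proc/sys/net/ipv4/tcp_adv_win_scal` also drops the final `e` of the sysctl name. `net_domain(cnss-daemon)` plus `qipcrtr_socket` and `netlink_generic_socket` make this a network-facing daemon, so a line at the top of the file stating what it talks to (b/264524963) would make the grants reviewable.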
@@ -4,3 +4,4 @@ type vendor_wifi_vendor_data_file, file_type, data_file_type; type vendor_wifihal_socket, file_type; type vendor_location_sysfs, fs_type, sysfs_type; type vendor_proc_wifi_dbg, fs_type, proc_type; +type sysfs_cnss_daemon, fs_type, sysfs_type; \ No newline at end of file diff --git a/vendor/file_contexts b/vendor/file_contexts index 1b1cd08..c224e48 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -15,6 +15,7 @@ /dev/socket/wifihal(/.*)? u:object_r:vendor_wifihal_socket:s0 /vendor/bin/loc_launcher u:object_r:vendor_location_exec:s0 /vendor/bin/lowi-server u:object_r:lowi_server_exec:s0 +/vendor/bin/cnss-daemon u:object_r:cnss-daemon_exec:s0 # Haptics /vendor/bin/hw/android\.hardware\.vibrator-service\.cs40l26-private-lynx u:object_r:hal_vibrator_default_exec:s0 \ No newline at end of file diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 8f929cb..0ee732e 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -5,6 +5,7 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l26a u genfscon sysfs /devices/soc0/soc_id u:object_r:vendor_location_sysfs:s0 genfscon proc /debugdriver/driverdump u:object_r:vendor_proc_wifi_dbg:s0 genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/net u:object_r:sysfs_net:s0 +genfscon sysfs /class/remoteproc u:object_r:sysfs_cnss_daemon:s0 # BMS genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222 u:object_r:sysfs_wlc:s0 From 02be088bc56db96b395b177935ebed3509fbb650 Mon Sep 17 00:00:00 2001 
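Review bot: `genfscon sysfs /class/remoteproc u:object_r:sysfs_cnss_daemon:s0` labels the class directory and the entries directly inside it, but entries under /sys/class are symlinks into /sys/devices, and attribute files reached through them keep the label of their real path; if cnss-daemon reads an attribute through that link, the `sysfs_cnss_daemon:file r_file_perms` rule in cnss-daemon.te may not be the one that applies and a generic `sysfs` denial could still appear. Worth checking the resolved device path in a bugreport and labelling it too, and the `# /sys/class/remoteproc` comment could say which remoteproc this is for. The `type sysfs_cnss_daemon` line in file.te again lands with `\ No newline at end of file`.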
From: Tai Kuo Date: Thu, 16 Feb 2023 18:44:24 +0800 Subject: [PATCH 41/60] Revert "device-sepolicy: Add sepolicy for vibrator hal" This reverts commit b5eec482fddc6f16ce368ad868ab87d83f30439d. Bug: 198239103 Test: build pass on git_tm-qpr-dev-plus-aosp Change-Id: Iee9305e6ba5abbc8df9b353ed5bbfeaa64f0b43b --- vendor/file_contexts | 3 --- vendor/hal_vibrator_default.te | 3 --- vendor/property_contexts | 2 -- vendor/vendor_init.te | 3 --- 4 files changed, 11 deletions(-) delete mode 100644 vendor/hal_vibrator_default.te delete mode 100644 vendor/property_contexts diff --git a/vendor/file_contexts b/vendor/file_contexts index c224e48..bc7e2fc 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -16,6 +16,3 @@ /vendor/bin/loc_launcher u:object_r:vendor_location_exec:s0 /vendor/bin/lowi-server u:object_r:lowi_server_exec:s0 /vendor/bin/cnss-daemon u:object_r:cnss-daemon_exec:s0 - -# Haptics -/vendor/bin/hw/android\.hardware\.vibrator-service\.cs40l26-private-lynx u:object_r:hal_vibrator_default_exec:s0 \ No newline at end of file diff --git a/vendor/hal_vibrator_default.te b/vendor/hal_vibrator_default.te deleted file mode 100644 index b5c7202..0000000 --- a/vendor/hal_vibrator_default.te +++ /dev/null @@ -1,3 +0,0 @@ -# Allow Vibrator HAL to communicate with daemon via socket -allow hal_vibrator_default chre:unix_stream_socket connectto; -allow hal_vibrator_default chre_socket:sock_file write; \ No newline at end of file diff --git a/vendor/property_contexts b/vendor/property_contexts deleted file mode 100644 index 75cbb36..0000000 --- a/vendor/property_contexts +++ /dev/null @@ -1,2 +0,0 @@ -# Haptics -persist.vendor.vibrator.hal. u:object_r:vendor_vibrator_prop:s0 diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index 440c30c..cc2e3ad 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -1,5 +1,2 @@ # Camera set_prop(vendor_init, vendor_camera_prop) - -# Haptics -get_prop(vendor_init, adaptive_haptics_prop) 
From f446026014d9fe35f3b0f9629824b6814099a10a Mon Sep 17 00:00:00 2001 From: Yen-Chao Chen Date: Fri, 24 Feb 2023 15:05:52 +0800 Subject: [PATCH 42/60] Suppress avc denials of sysfs Bug: 267839070 Test: adb bugreport Change-Id: I8d4aed4aba15efa0cc38574565e4a66bc3049321 Signed-off-by: Yen-Chao Chen --- vendor/hal_dumpstate_default.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 vendor/hal_dumpstate_default.te diff --git a/vendor/hal_dumpstate_default.te b/vendor/hal_dumpstate_default.te new file mode 100644 index 0000000..d513b88 --- /dev/null +++ b/vendor/hal_dumpstate_default.te @@ -0,0 +1,2 @@ +# b/267839070 +dontaudit hal_dumpstate_default sysfs:dir { read }; From 90d58d25533b2aef11c4767641e9a868f2d31788 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 24 Mar 2023 11:11:28 +0800 Subject: [PATCH 43/60] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 275002086 Test: scanBugreport Bug: 239887174 Test: scanAvcDeniedLogRightAfterReboot Bug: 239887174 Change-Id: I9a0a1b3ef0642700a4555258c9e8aff7ec82e084 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index cc9e88c..a364f18 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,3 +1,5 @@ crash_dump vendor_slog_file dir b/238837168 +hal_camera_default boot_status_prop file b/275002086 +hal_camera_default edgetpu_app_service service_manager b/275002086 kernel vendor_charger_debugfs dir b/239887174 kernel vendor_regmap_debugfs dir b/238143398 From c1c6e069f6af9a202577ee4fd62909fc7128d7c7 Mon Sep 17 00:00:00 2001 
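Review bot: `dontaudit hal_dumpstate_default sysfs:dir { read };` is keyed on the generic `sysfs` type, so it hides every future directory read the dumpstate HAL attempts on any unlabelled sysfs node, not just the one behind b/267839070; denials on generic `sysfs` are usually the signal that a node still needs a genfs_contexts label. Prefer labelling the directory dumpstate is walking (as this repo does with `sysfs_wlc`, `sysfs_wakeup` and similar) and granting `r_dir_perms` on that type, or if the read is genuinely unwanted, narrow the suppression to a dedicated type. Keep the `# b/267839070` line either way so the suppression can be retired.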
From: Wilson Sung Date: Fri, 7 Apr 2023 15:08:57 +0800 Subject: [PATCH 44/60] Update error on ROM 9892479 Bug: 277155327 Bug: 277300226 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I2690bcd7b3ae0d869f39851d5fb692378cbb6e9a --- tracking_denials/dumpstate.te | 2 ++ tracking_denials/hal_vibrator_default.te | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 tracking_denials/dumpstate.te create mode 100644 tracking_denials/hal_vibrator_default.te diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te new file mode 100644 index 0000000..13af0d5 --- /dev/null +++ b/tracking_denials/dumpstate.te @@ -0,0 +1,2 @@ +# b/277155327 +dontaudit dumpstate default_android_service:service_manager { find }; diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te new file mode 100644 index 0000000..ece806d --- /dev/null +++ b/tracking_denials/hal_vibrator_default.te @@ -0,0 +1,2 @@ +# b/277300226 +dontaudit hal_vibrator_default default_android_service:service_manager { find }; From 2f42af0095c84aa706d3f9f83bb677350a54bb31 Mon Sep 17 00:00:00 2001 From: JohnnLee Date: Wed, 10 May 2023 16:12:48 +0800 Subject: [PATCH 45/60] Remove obsolete entries Test: adb bugreport Bug: 238143398 Bug: 239887174 Change-Id: I4d9d3f82be1d7a9b28d4476f4f7c4c3bc745f98e --- tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index a364f18..81e616c 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,5 +1,3 @@ crash_dump vendor_slog_file dir b/238837168 hal_camera_default boot_status_prop file b/275002086 hal_camera_default edgetpu_app_service service_manager b/275002086 -kernel vendor_charger_debugfs dir b/239887174 -kernel vendor_regmap_debugfs dir b/238143398 From 8215756c51f6e3675d2f3c0497dae62659f88250 Mon Sep 17 00:00:00 2001 
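Review bot: `dontaudit dumpstate default_android_service:service_manager { find };` and its hal_vibrator_default twin suppress lookups of services that resolve to `default_android_service`, the fallback label for a service missing from service_contexts; the durable fix is to label the service the two domains are looking for, since the dontaudit will also hide any other unlabelled service they later probe. As tracking entries with `# b/…` lines they are acceptable short-term and are in fact removed again in PATCH 52 of this series. Both new files in this commit share this point.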
From: Adam Shih Date: Fri, 12 May 2023 02:29:04 +0000 Subject: [PATCH 46/60] introduce a new sepolicy owner Bug: 281631102 Test: N/A Change-Id: Id22629dfca9559bb82d1953a41a40c723244e9de --- OWNERS | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/OWNERS b/OWNERS index 791abb4..5232bc3 100644 --- a/OWNERS +++ b/OWNERS @@ -1,3 +1,4 @@ -include platform/system/sepolicy:/OWNERS +include device/google/gs-common:/sepolicy/OWNERS + +adamshih@google.com -rurumihong@google.com From 493713ddf69ecf96dd82ae261b7c2e19b6537195 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 15 May 2023 15:32:40 +0800 Subject: [PATCH 47/60] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 282626814 Bug: 281814849 Change-Id: I8c7dc143a15caa0f815620aacb6099830fea43e1 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 81e616c..030cfc6 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,3 +1,5 @@ +cat_engine_service_app system_app_data_file dir b/282626814 crash_dump vendor_slog_file dir b/238837168 hal_camera_default boot_status_prop file b/275002086 hal_camera_default edgetpu_app_service service_manager b/275002086 +kernel vendor_charger_debugfs dir b/281814849 From d66388d676b77c9cec9a16267194263fa305210f Mon Sep 17 00:00:00 2001 From: feiyuchen Date: Fri, 26 May 2023 15:59:18 +0000 Subject: [PATCH 48/60] Remove two hal_camera_default errors from tracking_denials/bug_map Bug: 275002086 Test: mm Change-Id: I53ee15bbb2bbb19f5b62cdae5994ce1605683568 --- tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 030cfc6..f9bdf53 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -1,5 +1,3 @@
 cat_engine_service_app system_app_data_file dir b/282626814
 crash_dump vendor_slog_file dir b/238837168
-hal_camera_default boot_status_prop file b/275002086
-hal_camera_default edgetpu_app_service service_manager b/275002086
 kernel vendor_charger_debugfs dir b/281814849
From 72e0e7fa38a517bf3296967552931c63e879391e Mon Sep 17 00:00:00 2001
From: Ted Wang
Date: Tue, 30 May 2023 14:13:04 +0000
Subject: [PATCH 49/60] Add sepolicy for grilservice
Bug: 282685427
Test: make; manual
Change-Id: Idcdc23d21a383e37541f346434c237c6dc9e366f
---
 bluetooth/grilservice_app.te | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 bluetooth/grilservice_app.te
diff --git a/bluetooth/grilservice_app.te b/bluetooth/grilservice_app.te
new file mode 100644
index 0000000..770244c
--- /dev/null
+++ b/bluetooth/grilservice_app.te
@@ -0,0 +1 @@
+binder_call(grilservice_app, hal_bluetooth_default)
From 776b24d44b61a4c40d440fcbeefcd21389cad1ae Mon Sep 17 00:00:00 2001
From: DesmondH
Date: Wed, 31 May 2023 01:20:20 +0000
Subject: [PATCH 50/60] Remove obsolete entries
Fix: 238837168
Change-Id: I405a6fa33c57189bf94d21428b081f3422564eb1
---
 tracking_denials/bug_map | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index f9bdf53..44f3a0e 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,3 +1,2 @@
 cat_engine_service_app system_app_data_file dir b/282626814
-crash_dump vendor_slog_file dir b/238837168
 kernel vendor_charger_debugfs dir b/281814849
From 677f144d5336fea295ad5b73b52f89f9c93b24db Mon Sep 17 00:00:00 2001
From: changyan
Date: Mon, 22 May 2023 06:35:37 +0000
Subject: [PATCH 51/60] Remove the tracking_denials entry as the issue
Bug: 282626814
Change-Id: Iccaca867eaef5dc615d1e0e2d79a69503c36ca01
---
 tracking_denials/bug_map | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 44f3a0e..66a58f1 100644
--- a/tracking_denials/bug_map
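Review bot: `binder_call(grilservice_app, hal_bluetooth_default)` grants more than the single `binder call` permission that tracking_denials/grilservice_app.te was suppressing: by the AOSP te_macros definition it also lets grilservice_app `transfer` references to the HAL, lets the HAL `transfer` back on the reply, and lets the app `use` fds received from the HAL. That is the normal shape for a working binder client, so it is likely intended, but the one-line file gives no hint why an app domain needs a direct channel to the Bluetooth HAL. A header comment such as `# grilservice_app calls into the Bluetooth HAL over binder (b/282685427)` would record that, and the now-redundant `dontaudit grilservice_app hal_bluetooth_default:binder call;` in tracking_denials/ is best removed in the same change rather than left for a later cleanup.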
+++ b/tracking_denials/bug_map
@@ -1,2 +1 @@
-cat_engine_service_app system_app_data_file dir b/282626814
 kernel vendor_charger_debugfs dir b/281814849
From 6598f659e6b2cf0e7aae52429526bd4133fa0c4e Mon Sep 17 00:00:00 2001
From: DesmondH
Date: Wed, 14 Jun 2023 16:43:49 +0000
Subject: [PATCH 52/60] Remove fixed or obsolete entries
Bug: 277155327
Fix: 277300226
Change-Id: If846fee353fd4f28fdfeda4a2e61e22b84c90e08
---
 tracking_denials/dumpstate.te | 2 --
 tracking_denials/grilservice_app.te | 1 -
 tracking_denials/hal_vibrator_default.te | 2 --
 3 files changed, 5 deletions(-)
 delete mode 100644 tracking_denials/dumpstate.te
 delete mode 100644 tracking_denials/grilservice_app.te
 delete mode 100644 tracking_denials/hal_vibrator_default.te
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
deleted file mode 100644
index 13af0d5..0000000
--- a/tracking_denials/dumpstate.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/277155327
-dontaudit dumpstate default_android_service:service_manager { find };
diff --git a/tracking_denials/grilservice_app.te b/tracking_denials/grilservice_app.te
deleted file mode 100644
index cf98a89..0000000
--- a/tracking_denials/grilservice_app.te
+++ /dev/null
@@ -1 +0,0 @@
-dontaudit grilservice_app hal_bluetooth_default:binder call;
diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te
deleted file mode 100644
index ece806d..0000000
--- a/tracking_denials/hal_vibrator_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/277300226
-dontaudit hal_vibrator_default default_android_service:service_manager { find };
From 3e3f8080aa8d3d3b11a1f640803628cfbf00dcfb Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Mon, 19 Jun 2023 11:40:12 +0800
Subject: [PATCH 53/60] Supress kernel avc log before SELinux initialized
Fix: 281814849
Change-Id: Ie83557668ded8ab17bf77e60ed21db33e9f4f580
---
 vendor/kernel.te | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 vendor/kernel.te
diff --git a/vendor/kernel.te b/vendor/kernel.te
new file mode 100644
index 0000000..4be1265
--- /dev/null
+++ b/vendor/kernel.te
@@ -0,0 +1 @@
+dontaudit kernel vendor_battery_debugfs:dir search;
From 1ec8a5c75dd5a8167cfde19a937fa157b84fff7f Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Wed, 21 Jun 2023 14:37:14 +0800
Subject: [PATCH 54/60] Remove obsolete bug_map
Fix: 281814849
Change-Id: I21c76488e184213d3e1df4a3a9843d57fc6a64b8
---
 tracking_denials/bug_map | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 66a58f1..e69de29 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1 +0,0 @@
-kernel vendor_charger_debugfs dir b/281814849
From 378e0dc8e3556a21e8b4ccb564bb44cac01094fb Mon Sep 17 00:00:00 2001
From: Vic Huang
Date: Wed, 26 Jul 2023 02:25:57 +0000
Subject: [PATCH 55/60] L10 sepolicy update for ssr coredump Update hal_bluetooth_default sepolicy to dump crash info to Android Subsystem Coredump collection directory
Bug: 279858654
Test: Manual
Change-Id: I14095753c1305f2d6e473adb5ff4ac1e20597902
---
 bluetooth/hal_bluetooth_default.te | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/bluetooth/hal_bluetooth_default.te b/bluetooth/hal_bluetooth_default.te
index 8bbfa77..d78de58 100644
--- a/bluetooth/hal_bluetooth_default.te
+++ b/bluetooth/hal_bluetooth_default.te
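Review bot: The type in `dontaudit kernel vendor_battery_debugfs:dir search;` does not match the denial this commit's `Fix: 281814849` refers to: the bug_map entry tracked under that bug (added in patch 47, dropped by patch 54) is `kernel vendor_charger_debugfs dir`. Patch 56 then re-tracks the same `kernel vendor_charger_debugfs dir` denial under b/305600791, which is what one would expect if the charger-debugfs access was never actually silenced, so it is worth confirming which type the early-boot denial reports before closing the bug. The rule is also uncommented and, being a `dontaudit`, suppresses the access for the whole uptime rather than only the window the subject describes, so the rationale belongs in the file, e.g. `# kernel probes debugfs before SELinux is initialized; expected, see b/281814849`.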
@@ -4,7 +4,9 @@ add_hwservice(hal_bluetooth_default, hal_bluetooth_coexistence_hwservice)
 userdebug_or_eng(`
 allow hal_bluetooth_default logbuffer_device:chr_file r_file_perms;
- allow hal_bluetooth_default sscoredump_vendor_data_crashinfo_file:dir rw_dir_perms;
- allow hal_bluetooth_default sscoredump_vendor_data_crashinfo_file:file { create_file_perms };
+ allow hal_bluetooth_default sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+ allow hal_bluetooth_default sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+ allow hal_bluetooth_default sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+ allow hal_bluetooth_default sscoredump_vendor_data_coredump_file:file create_file_perms;
 set_prop(hal_bluetooth_default, vendor_ssrdump_prop)
 ')
From fe5397ebc703069c3fc40275c2d469249e708dfb Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Mon, 16 Oct 2023 12:19:34 +0800
Subject: [PATCH 56/60] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 305600996
Bug: 305600635
Bug: 305600791
Change-Id: I0ec67adb8fab1f8121313a47d47667dea1ff83b7
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index e69de29..377d3a2 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -0,0 +1 @@
+kernel vendor_charger_debugfs dir b/305600791
From cadc3a71b6f90376031c6e81f8929d92d28521e6 Mon Sep 17 00:00:00 2001
From: Hsiu-Chang Chen
Date: Mon, 4 Dec 2023 15:37:05 +0800
Subject: [PATCH 57/60] wifi: genfs_contexts: fix path for wifi device
Bug: 313754855
Test: without avc denial when booting
Change-Id: I0d94aa3c766c2d98748f53223e45fdb32caa38ba
---
 vendor/genfs_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index d85e7b7..5d889b4 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
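Review bot: `create_dir_perms` on both sscoredump directory types is wider than the `rw_dir_perms` it replaces: it adds `create`, `rmdir`, `reparent` and `rename` on the directories, so the HAL can now delete or rename the crash-info and coredump directories themselves rather than only add files to them. If the HAL only writes dump files into directories that sscoredump already owns, `rw_dir_perms` for the dir plus `create_file_perms` for the file is enough; if it genuinely has to create subdirectories, a one-line comment saying so would justify the wider set. The block stays inside `userdebug_or_eng`, so user builds are unaffected, but `Test: Manual` does not say whether an actual crash dump was triggered to confirm the new rules are sufficient.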
@@ -5,6 +5,7 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l26a u
 genfscon sysfs /devices/soc0/soc_id u:object_r:vendor_location_sysfs:s0
 genfscon proc /debugdriver/driverdump u:object_r:vendor_proc_wifi_dbg:s0
 genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/net u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/net u:object_r:sysfs_net:s0
 genfscon sysfs /class/remoteproc u:object_r:sysfs_cnss_daemon:s0
 # BMS
From 8e6298f772b2281882e975b680720090d1f948c3 Mon Sep 17 00:00:00 2001
From: Limon Mia
Date: Thu, 4 Jan 2024 04:40:48 +0000
Subject: [PATCH 58/60] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 318453067
Change-Id: Ifd636317f28da1b2ca12a417de7443780eba7b2d
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 377d3a2..2e6daa3 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1 +1,2 @@
 kernel vendor_charger_debugfs dir b/305600791
+hal_bluetooth_default vendor_data_file dir b/318453067
From fe3d38fe373aaa1a1a89e77fe0810c9bce7a8f5e Mon Sep 17 00:00:00 2001
From: Jenny Ho
Date: Tue, 16 Jan 2024 13:44:37 +0800
Subject: [PATCH 59/60] sepolicy: lynx: add wireless path permission
I auditd : type=1400 audit(0.0:4402): avc: denied { read } for comm="UeventThread" name="voltage_now" dev="sysfs" ino=66900 scontext=u:r:hal_wireless_charger:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
I auditd : type=1400 audit(0.0:3924): avc: denied { read } for comm="binder:531_2" name="wakeup82" dev="sysfs" ino=83487 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0
Bug: 320193504
Change-Id: I98e3c48f9c6eaaab2d303721bdb473fc72884738
Signed-off-by: Jenny Ho
---
 vendor/genfs_contexts | 2 ++
 1 file changed, 2 insertions(+)
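Review bot: The added line keeps the pci0001 `net` entry and adds the pci0000 variant of the same device, but nothing in the file says why both PCI domain numbers are valid, so a later cleanup could drop one as a duplicate and bring back the boot-time denial the subject refers to. A short comment above the pair, e.g. `# WLAN net node; the PCI domain number differs between boards, so both are labeled`, adjusted to whatever the real reason is, would preserve that knowledge. The same pci0001/pci0000 pair already exists for the `mhi0/wakeup` paths further down the file, so one comment could cover both places.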
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 5d889b4..3a70c6e 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -27,6 +27,7 @@ genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9222
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9222 u:object_r:sysfs_wlc:s0
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/8-0061 u:object_r:sysfs_wlc:s0
 # System Suspend
 genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-0/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
@@ -50,6 +51,7 @@ genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9222/wakeup
 genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/mhi0/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/mhi0/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/qcom,cnss-qca6490/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/8-0061/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 # PowerStats
 genfscon sysfs /kernel/wifi/power_stats u:object_r:sysfs_power_stats:s0
From 1cce81f773c01f38f9c813c6b5e716c721edd495 Mon Sep 17 00:00:00 2001
From: Jacky Liu
Date: Mon, 5 Feb 2024 21:02:48 +0800
Subject: [PATCH 60/60] Update i2c device paths Update i2c device paths with static bus numbers. Remove entries which are already in gs201-sepolicy.
Bug: 323447554
Test: Boot to home
Change-Id: I8d204e099f7a37422259c0ccac2bf25a082c2fcf
---
 vendor/genfs_contexts | 45 ++++---------------------------------------
 1 file changed, 4 insertions(+), 41 deletions(-)
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 3a70c6e..2ced4b3 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
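Review bot: The new `i2c-8/8-0061` entry labels the whole device directory sysfs_wlc, but unlike every `i2c-N/i2c-p9222` sibling it has no matching `.../8-0061/power_supply u:object_r:sysfs_batteryinfo:s0` line, so the power_supply subtree under 8-0061 takes sysfs_wlc instead of sysfs_batteryinfo. The first denial quoted in the commit message (`voltage_now` read by hal_wireless_charger) looks like a power_supply attribute, so the two labels should be checked against what hal_wireless_charger and system_suspend actually read; the 15-0061 rewrite in patch 60 does add a power_supply entry. In the second hunk `8-0061/wakeup/wakeup` is one level deeper than the sibling `i2c-p9222/wakeup` entries; since genfscon labels by longest matching prefix, `8-0061/wakeup` would cover the nested wakeupNN directory as well and keep the entries uniform.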
@@ -1,6 +1,3 @@
-# Haptics
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
-
 # Wifi
 genfscon sysfs /devices/soc0/soc_id u:object_r:vendor_location_sysfs:s0
 genfscon proc /debugdriver/driverdump u:object_r:vendor_proc_wifi_dbg:s0
@@ -9,49 +6,15 @@ genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:0
 genfscon sysfs /class/remoteproc u:object_r:sysfs_cnss_daemon:s0
 # BMS
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-0/i2c-p9222 u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-0/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-1/i2c-p9222 u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-1/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9222 u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9222 u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9222 u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9222 u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222 u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9222 u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9222 u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9222/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/8-0061 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-0061 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-0061/power_supply u:object_r:sysfs_batteryinfo:s0
 # System Suspend
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-0/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-0/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-1/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-1/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-2/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9222/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9222/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-0061/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-0061/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/mhi0/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/mhi0/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/qcom,cnss-qca6490/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/8-0061/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 # PowerStats
 genfscon sysfs /kernel/wifi/power_stats u:object_r:sysfs_power_stats:s0
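Review bot: The rewrite hard-codes `i2c-15/15-0061` without recording in the file that bus 15 is now static, which is exactly what the next person re-numbering buses or comparing against gs201-sepolicy will need; a header such as `# p9222 wireless charger on static i2c bus 15 (b/323447554)` above the BMS entries would keep that. Replacing `8-0061/wakeup/wakeup` with `15-0061/wakeup` is fine on its own, since genfscon labels by longest matching prefix and the nested wakeupNN directory inherits sysfs_wakeup. `Test: Boot to home` does not exercise wireless charging or suspend, which are the paths these labels exist for, so the `SELinuxUncheckedDenialBootTest` used by other commits in this series, or a wireless-charge plus suspend cycle, would give better coverage.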