zenfone9: Enforce Sepolicy
Change-Id: If24f98a402b195c099f08593714c9509a3139ed9
diff --git a/BoardConfig.mk b/BoardConfig.mk
index e68354b..8fb2a32 100755
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -234,7 +234,6 @@
include vendor/omni/sepolicy/sepolicy.mk
include device/qcom/sepolicy_vendor/SEPolicy.mk
BOARD_VENDOR_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/vendor
-SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/private
# VNDK
NEED_AIDL_NDK_PLATFORM_BACKEND := true
diff --git a/sepolicy/private/service_contexts b/sepolicy/private/service_contexts
deleted file mode 100644
index 4a8d172..0000000
--- a/sepolicy/private/service_contexts
+++ /dev/null
@@ -1,7 +0,0 @@
-# IMS
-vendor.qti.hardware.radio.ims.IImsRadio/imsradio0 u:object_r:vendor_hal_telephony_service:s0
-vendor.qti.hardware.radio.ims.IImsRadio/imsradio1 u:object_r:vendor_hal_telephony_service:s0
-vendor.qti.hardware.radio.qtiradio.IQtiRadioStable/slot1 u:object_r:vendor_hal_telephony_service:s0
-vendor.qti.hardware.radio.qtiradio.IQtiRadioStable/slot2 u:object_r:vendor_hal_telephony_service:s0
-vendor.qti.hardware.radio.am.IQcRilAudio/slot1 u:object_r:vendor_hal_telephony_service:s0
-vendor.qti.hardware.radio.am.IQcRilAudio/slot2 u:object_r:vendor_hal_telephony_service:s0
diff --git a/sepolicy/private/vendor_qtelephony.te b/sepolicy/private/vendor_qtelephony.te
deleted file mode 100644
index 82cadc5..0000000
--- a/sepolicy/private/vendor_qtelephony.te
+++ /dev/null
@@ -1 +0,0 @@
-allow vendor_qtelephony vendor_hal_telephony_service:service_manager find;
diff --git a/sepolicy/vendor/ASensorsService.te b/sepolicy/vendor/ASensorsService.te
new file mode 100644
index 0000000..80653cf
--- /dev/null
+++ b/sepolicy/vendor/ASensorsService.te
@@ -0,0 +1,34 @@
+type ASensorsService, domain;
+type ASensorsService_exec, exec_type, vendor_file_type, file_type;
+
+# Started by init
+init_daemon_domain(ASensorsService)
+
+get_prop(ASensorsService, hwservicemanager_prop)
+
+get_prop(ASensorsService, vendor_alsp_prop)
+set_prop(ASensorsService, vendor_alsp_prop)
+
+get_prop(ASensorsService, vendor_asus_prop)
+set_prop(ASensorsService, vendor_asus_prop)
+
+get_prop(ASensorsService, vendor_mag_prop)
+set_prop(ASensorsService, vendor_mag_prop)
+
+allow ASensorsService init:unix_stream_socket connectto;
+
+allow ASensorsService input_device:chr_file {ioctl read open };
+allow ASensorsService input_device:dir { read open search };
+
+allow ASensorsService mnt_vendor_file:file r_file_perms;
+
+allow ASensorsService property_socket:sock_file write;
+
+allow ASensorsService self:qipcrtr_socket create_socket_perms_no_ioctl;
+allow ASensorsService sensor_device:chr_file rw_file_perms;
+allow ASensorsService sysfs:file rw_file_perms;
+
+allow ASensorsService unlabeled:file r_file_perms;
+allow ASensorsService unlabeled:dir search;
+
+allow ASensorsService vendor_toolbox_exec:file execute_no_trans;
diff --git a/sepolicy/vendor/asus_camera_app.te b/sepolicy/vendor/asus_camera_app.te
deleted file mode 100644
index ba8cca5..0000000
--- a/sepolicy/vendor/asus_camera_app.te
+++ /dev/null
@@ -1,52 +0,0 @@
-type asus_camera_app, domain, coredomain;
-
-app_domain(asus_camera_app)
-net_domain(asus_camera_app)
-
-# Some apps ship with shared libraries and binaries that they write out
-# to their sandbox directory and then execute.
-allow asus_camera_app privapp_data_file:file { r_file_perms execute };
-allow asus_camera_app app_data_file:file { r_file_perms execute };
-auditallow asus_camera_app app_data_file:file execute;
-
-# Allow handling of less common filesystem objects.
-allow asus_camera_app app_data_file:{ lnk_file sock_file fifo_file } create_file_perms;
-
-# Read and write system app data files passed over Binder.
-# Motivating case was /data/data/com.android.settings/cache/*.jpg for
-# cropping or taking user photos.
-allow asus_camera_app system_app_data_file:file { read write getattr };
-allow asus_camera_app system_app_data_file:dir r_dir_perms;
-
-allow asus_camera_app activity_service:service_manager find;
-allow asus_camera_app activity_task_service:service_manager find;
-allow asus_camera_app audio_service:service_manager find;
-allow asus_camera_app audioserver_service:service_manager find;
-allow asus_camera_app autofill_service:service_manager find;
-allow asus_camera_app cameraserver_service:service_manager find;
-allow asus_camera_app content_capture_service:service_manager find;
-allow asus_camera_app game_service:service_manager find;
-allow asus_camera_app gpu_service:service_manager find;
-allow asus_camera_app hardware_properties_service:service_manager find;
-allow asus_camera_app hint_service:service_manager find;
-allow asus_camera_app mediaserver_service:service_manager find;
-allow asus_camera_app mediaextractor_service:service_manager find;
-allow asus_camera_app mediametrics_service:service_manager find;
-allow asus_camera_app radio_service:service_manager find;
-allow asus_camera_app sensorservice_service:service_manager find;
-allow asus_camera_app surfaceflinger_service:service_manager find;
-allow asus_camera_app telecom_service:service_manager find;
-allow asus_camera_app tethering_service:service_manager find;
-allow asus_camera_app thermal_service:service_manager find;
-allow asus_camera_app trust_service:service_manager find;
-allow asus_camera_app device_state_service:service_manager find;
-
-binder_call(asus_camera_app, gpuservice)
-binder_call(asus_camera_app, vendor_hal_qspmhal_default)
-allow asus_camera_app vendor_camera_data_file:dir { rw_dir_perms setattr };
-allow asus_camera_app vendor_camera_data_file:file create_file_perms;
-allow asus_camera_app build_bootimage_prop:file { getattr map open read };
-allow asus_camera_app rs_exec:file rx_file_perms;
-
-get_prop(asus_camera_app, vendor_asus_build_prop)
-get_prop(asus_camera_app, vendor_asus_camera_prop)
diff --git a/sepolicy/vendor/asus_fingerprint.te b/sepolicy/vendor/asus_fingerprint.te
new file mode 100644
index 0000000..ef94465
--- /dev/null
+++ b/sepolicy/vendor/asus_fingerprint.te
@@ -0,0 +1,14 @@
+type asus_fingerprint, domain;
+type asus_fingerprint_exec, exec_type, vendor_file_type, file_type;
+
+# Started by init
+init_daemon_domain(asus_fingerprint)
+
+get_prop(asus_fingerprint, vendor_gx_fpd_prop)
+set_prop(asus_fingerprint, vendor_gx_fpd_prop)
+
+allow asus_fingerprint property_socket:sock_file write;
+allow asus_fingerprint vendor_shell_exec:file entrypoint;
+allow asus_fingerprint vendor_toolbox_exec:file { execute_no_trans entrypoint };
+allow asus_fingerprint mnt_vendor_file:dir search;
+allow asus_fingerprint mnt_vendor_file:file r_file_perms;
diff --git a/sepolicy/vendor/asus_touch.te b/sepolicy/vendor/asus_touch.te
new file mode 100644
index 0000000..89ca932
--- /dev/null
+++ b/sepolicy/vendor/asus_touch.te
@@ -0,0 +1,11 @@
+type asus_touch, domain;
+type asus_touch_exec, exec_type, vendor_file_type, file_type;
+
+# Started by init
+init_daemon_domain(asus_touch)
+
+get_prop(asus_touch, exported_system_prop)
+get_prop(asus_touch, vendor_asus_prop)
+get_prop(asus_touch, vendor_default_prop)
+
+allow asus_touch vendor_sysfs_touch:file rw_file_perms;
diff --git a/sepolicy/vendor/batinfo.te b/sepolicy/vendor/batinfo.te
new file mode 100644
index 0000000..dcd581c
--- /dev/null
+++ b/sepolicy/vendor/batinfo.te
@@ -0,0 +1,9 @@
+type batinfo, domain;
+type batinfo_exec, exec_type, vendor_file_type, file_type;
+
+# Started by init
+init_daemon_domain(batinfo)
+
+allow batinfo proc_batinfo:file rw_file_perms;
+allow batinfo bat_file:dir rw_dir_perms;
+allow batinfo bat_file:file rw_file_perms;
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
index cfc2dc5..532db6c 100644
--- a/sepolicy/vendor/device.te
+++ b/sepolicy/vendor/device.te
@@ -3,3 +3,7 @@
# Fingerprint
type fingerprintd_device, dev_type;
+
+# Asus Sensor
+type sensor_device, dev_type;
+type ois_device, dev_type;
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index a7eeea9..580ea9f 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -1,5 +1,5 @@
-# Camera
-type vendor_proc_camera, fs_type, proc_type;
+# Battery
+type proc_batinfo, fs_type, proc_type;
# Display
type vendor_proc_graphics, fs_type, proc_type;
@@ -17,4 +17,6 @@
# Fingerprint
type vendor_goodix_data_file, file_type, data_file_type;
-type vendor_proc_fingerprint, fs_type, proc_type;
+
+# Thermal
+type vendor_sysfs_asuslib , fs_type, sysfs_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index 2ad9d6f..7313c74 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -6,31 +6,65 @@
/dev/block/platform/soc/1d84000\.ufshc/by-name/asdf u:object_r:asdf_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/batinfo u:object_r:asus_block_device:s0
+# Audio
+/(vendor|system/vendor)/bin/dongle u:object_r:zf_dongle_exec:s0
+
+# Battery
+/(vendor|system/vendor)/bin/bat_bs u:object_r:batinfo_exec:s0
+/(vendor|system/vendor)/bin/bat_sd_bs u:object_r:batinfo_exec:s0
+/(vendor|system/vendor)/bin/bat_safety u:object_r:batinfo_exec:s0
+/(vendor|system/vendor)/bin/bat_percent u:object_r:batinfo_exec:s0
+/(vendor|system/vendor)/bin/bat_sd_percent u:object_r:batinfo_exec:s0
+
# Camera
+/(vendor|system/vendor)/lib(64)?/DataSet/ispDB/ParameterDB\.db u:object_r:vendor_public_lib_file:s0
/(vendor|system/vendor)/lib(64)?/libipebpsstriping\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/libxditk_ditBSP_JNI\.so u:object_r:same_process_hal_file:s0
# Display (Pixelworks)
-/(vendor|system/vendor)/bin/hw/vendor\.pixelworks\.hardware\.display\.iris-service u:object_r:hal_graphics_composer_default_exec:s0
-/(vendor|system/vendor)/bin/hw/vendor\.pixelworks\.hardware\.feature\.irisfeature-service u:object_r:hal_graphics_composer_default_exec:s0
-/(vendor|system/vendor)/bin/irisConfig u:object_r:iris_config_exec:s0
+/sys/devices/virtual/extcon-asus/battery/name u:object_r:vendor_sysfs_graphics:s0
+/sys/devices/virtual/extcon-asus/battery_id/state u:object_r:vendor_sysfs_graphics:s0
+/sys/devices/virtual/extcon-asus/usb_connector/state u:object_r:vendor_sysfs_graphics:s0
+/sys/devices/virtual/extcon-asus/quick_charging/state u:object_r:vendor_sysfs_graphics:s0
+/(vendor|system/vendor)/bin/hw/vendor\.pixelworks\.hardware\.display\.iris-service u:object_r:hal_graphics_composer_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.pixelworks\.hardware\.feature\.irisfeature-service u:object_r:hal_graphics_composer_default_exec:s0
+/(vendor|system/vendor)/bin/irisConfig u:object_r:iris_config_exec:s0
# Files in rootfs
-/ADF(/.*)? u:object_r:demoapp_file:s0
-/APD(/.*)? u:object_r:demoapp_file:s0
-/asdf(/.*)? u:object_r:log_file:s0
-/batinfo(/.*)? u:object_r:bat_file:s0
+/ADF(/.*)? u:object_r:demoapp_file:s0
+/APD(/.*)? u:object_r:demoapp_file:s0
+/asdf(/.*)? u:object_r:log_file:s0
+/batinfo(/.*)? u:object_r:bat_file:s0
# Fingerprint
-/data/vendor/goodix/gf_data(/.*)? u:object_r:vendor_goodix_data_file:s0
-/dev/goodix_fp u:object_r:fingerprintd_device:s0
+/data/vendor/goodix/gf_data(/.*)? u:object_r:vendor_goodix_data_file:s0
+/dev/goodix_fp u:object_r:fingerprintd_device:s0
+/(vendor|system/vendor)/bin/cali_check u:object_r:asus_fingerprint_exec:s0
+/(vendor|system/vendor)/bin/cali_shipping_check u:object_r:asus_fingerprint_exec:s0
+/(vendor|system/vendor)/bin/fp_cali_mv u:object_r:asus_fingerprint_exec:s0
+/(vendor|system/vendor)/bin/gf_ver.sh u:object_r:asus_fingerprint_exec:s0
# NFC
-/dev/pn553 u:object_r:nfc_device:s0
+/dev/pn553 u:object_r:nfc_device:s0
# Power
-/(vendor|system/vendor)/bin/hw/android\.hardware\.power-service-qti u:object_r:hal_power_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.power-service-qti u:object_r:hal_power_default_exec:s0
# Sensors
-/dev/asus2ndAccelSensor u:object_r:sensors_device:s0
-/dev/asus2ndGyroSensor u:object_r:sensors_device:s0
+/dev/asusLightSensor u:object_r:sensor_device:s0
+/dev/asusProxSensor u:object_r:sensor_device:s0
+/dev/OIS u:object_r:ois_device:s0
+/(vendor|system/vendor)/bin/asus_native_sensor u:object_r:ASensorsService_exec:s0
+/(vendor|system/vendor)/bin/magnetometer_accessory_installed.sh u:object_r:ASensorsService_exec:s0
+/(vendor|system/vendor)/bin/magnetometer_accessory_removed.sh u:object_r:ASensorsService_exec:s0
+/(vendor|system/vendor)/bin/magnetometer_accessory2_installed.sh u:object_r:ASensorsService_exec:s0
+/(vendor|system/vendor)/bin/proximity_report_status.sh u:object_r:ASensorsService_exec:s0
+/(vendor|system/vendor)/bin/sensors_factory_init.sh u:object_r:ASensorsService_exec:s0
+/(vendor|system/vendor)/bin/ssr_setup u:object_r:vendor_ssr_setup_exec:s0
+
+# Storage
+/(vendor|system/vendor)/bin/ufs_info.sh u:object_r:vendor_asus_storage_exec:s0
+/(vendor|system/vendor)/bin/ddr_info.sh u:object_r:vendor_asus_storage_exec:s0
+
+# Touch
+/(vendor|system/vendor)/bin/touch_ver.sh u:object_r:asus_touch_exec:s0
diff --git a/sepolicy/vendor/fsck_untrusted.te b/sepolicy/vendor/fsck_untrusted.te
new file mode 100644
index 0000000..f05d089
--- /dev/null
+++ b/sepolicy/vendor/fsck_untrusted.te
@@ -0,0 +1,2 @@
+allow fsck_untrusted vendor_sysfs_usb_node:dir search;
+allow fsck_untrusted vendor_sysfs_usb_node:file r_file_perms;
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
index 94067c3..8b212af 100644
--- a/sepolicy/vendor/genfs_contexts
+++ b/sepolicy/vendor/genfs_contexts
@@ -1,10 +1,15 @@
-# Camera
-genfscon proc /driver/dualcam_cali u:object_r:vendor_proc_camera:s0
-genfscon proc /driver/ois_af_state u:object_r:vendor_proc_camera:s0
-genfscon proc /driver/ois_i2c_rw u:object_r:vendor_proc_camera:s0
+# Battery
+genfscon proc /Batt_Cycle_Count/bat_bs_wr u:object_r:proc_batinfo:s0
+genfscon proc /Batt_Cycle_Count/bat_percent_wr u:object_r:proc_batinfo:s0
+genfscon proc /Batt_Cycle_Count/bat_safety_wr u:object_r:proc_batinfo:s0
+genfscon proc /Batt_Cycle_Count/bat_sd_bs_wr u:object_r:proc_batinfo:s0
+genfscon proc /Batt_Cycle_Count/bat_sd_percent_wr u:object_r:proc_batinfo:s0
+genfscon proc /Batt_Cycle_Count/batt_safety u:object_r:proc_batinfo:s0
+genfscon proc /Batt_Cycle_Count/batt_safety_csc u:object_r:proc_batinfo:s0
+genfscon proc /Batt_Cycle_Count/condition_value u:object_r:proc_batinfo:s0
+genfscon proc /Batt_Cycle_Count/cycle_count u:object_r:proc_batinfo:s0
# Display
-genfscon proc /globalHbm u:object_r:vendor_proc_graphics:s0
genfscon proc /driver/swipeup u:object_r:vendor_proc_graphics:s0
genfscon proc /driver/gesture_type u:object_r:vendor_proc_graphics:s0
genfscon proc /driver/glove u:object_r:vendor_proc_graphics:s0
@@ -14,27 +19,17 @@
genfscon proc /lcd_unique_id u:object_r:asus_display_proc_exec:s0
genfscon proc /hbm_mode u:object_r:asus_display_proc_exec:s0
-genfscon sysfs /class/drm/fod_touched u:object_r:vendor_sysfs_graphics:s0
-genfscon sysfs /class/drm/hdr_mode u:object_r:vendor_sysfs_graphics:s0
+genfscon sysfs /devices/virtual/extcon-asus/ u:object_r:vendor_sysfs_graphics:s0
+genfscon sysfs /class/extcon-asus/ u:object_r:vendor_sysfs_graphics:s0
# EVT
genfscon proc /asusevtlog u:object_r:vendor_proc_evt:s0
-# Fingerprint
-genfscon proc /driver/fp_xy u:object_r:vendor_proc_fingerprint:s0
-
-# Performance
-genfscon sysfs /devices/platform/soc/1d84000.ufshc/clkgate_enable u:object_r:vendor_sysfs_msm_perf:s0
-
-# Sensors
-genfscon sysfs /class/icm206xx u:object_r:vendor_sysfs_sensors:s0
-genfscon sysfs /devices/virtual/sensors u:object_r:vendor_sysfs_sensors:s0
-
# Thermal
-genfscon sysfs /class/asuslib/set_virtualthermal u:object_r:sysfs_thermal:s0
+genfscon sysfs /class/asuslib/set_virtualthermal u:object_r:vendor_sysfs_asuslib:s0
-# Vibrator
-genfscon sysfs /devices/platform/soc/998000.i2c/i2c-2/2-005a u:object_r:sysfs_vibrator:s0
+# Touch
+genfscon sysfs /devices/platform/soc/990000.i2c/i2c-0/0-0038/fts_fw_version u:object_r:vendor_sysfs_touch:s0
# Wakeup
genfscon sysfs /devices/platform/soc/17300000.qcom,lpass/subsys6/wakeup u:object_r:sysfs_wakeup:s0
@@ -61,6 +56,7 @@
genfscon sysfs /devices/platform/soc/b0000000.qcom,cnss-qca6490/subsys10/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-03/c440000.qcom,spmi:qcom,pm8350b@3:qcom,amoled/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pmk8350@0:rtc@6100/rtc/rtc0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:goodix_gf3626@0/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys0/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/subsys3/wakeup u:object_r:sysfs_wakeup:s0
diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te
index b2b393f..110a5ac 100644
--- a/sepolicy/vendor/hal_audio_default.te
+++ b/sepolicy/vendor/hal_audio_default.te
@@ -1,3 +1,5 @@
+get_prop(hal_audio_default, vendor_asus_prop)
+
set_prop(hal_audio_default, vendor_audio_prop)
allow hal_audio_default mnt_vendor_file:file create_file_perms;
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
index 6619105..2204c1e 100644
--- a/sepolicy/vendor/hal_camera_default.te
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -1,15 +1,15 @@
-add_hwservice(hal_camera_default, asus_bspcam_hwservice)
-
binder_call(hal_camera_default, system_server)
+
+get_prop(hal_camera_default, vendor_asus_prop)
+set_prop(hal_camera_default, vendor_asus_prop)
+
get_prop(hal_camera_default, vendor_camera_prop)
set_prop(hal_camera_default, vendor_camera_prop)
allow hal_camera_default mnt_vendor_file:dir w_dir_perms;
allow hal_camera_default mnt_vendor_file:file create_file_perms;
-allow hal_camera_default vendor_proc_camera:file rw_file_perms;
-
-allow hal_camera_default vendor_asus_camera_prop:file { getattr map open read };
-set_prop(hal_camera_default, vendor_asus_camera_prop)
# for /vendor/lib64/DataSet/ispDB/ParameterDB.db
allow hal_camera_default vendor_file:file lock;
+
+allow hal_camera_default proc:file rw_file_perms;
diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te
index 09b4de4..4133f24 100644
--- a/sepolicy/vendor/hal_fingerprint_default.te
+++ b/sepolicy/vendor/hal_fingerprint_default.te
@@ -3,17 +3,12 @@
allow hal_fingerprint_default fingerprintd_device:chr_file rw_file_perms;
allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
-allow hal_fingerprint_default asus_display_proc_exec:file { read write getattr open };
-allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
-
-allow hal_fingerprint_default input_device:dir r_dir_perms;
-allow hal_fingerprint_default input_device:chr_file rw_file_perms;
-
-allow hal_fingerprint_default vendor_hal_perf_hwservice:hwservice_manager find;
allow hal_fingerprint_default vendor_goodix_data_file:file create_file_perms;
allow hal_fingerprint_default vendor_goodix_data_file:dir create_dir_perms;
-allow hal_fingerprint_default vendor_proc_fingerprint:file rw_file_perms;
-allow hal_fingerprint_default vendor_proc_graphics:file rw_file_perms;
allow hal_fingerprint_default vendor_sysfs_battery_supply:dir search;
allow hal_fingerprint_default vendor_sysfs_battery_supply:file r_file_perms;
+allow hal_fingerprint_default proc:file r_file_perms;
+
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_fingerprint_default vendor_dmabuf_qseecom_heap_device:chr_file rw_file_perms;
\ No newline at end of file
diff --git a/sepolicy/vendor/hal_nfc_default.te b/sepolicy/vendor/hal_nfc_default.te
index e121aa9..d05c06f 100644
--- a/sepolicy/vendor/hal_nfc_default.te
+++ b/sepolicy/vendor/hal_nfc_default.te
@@ -1,6 +1,3 @@
allow hal_nfc_default hal_nfc_hwservice:hwservice_manager find;
-allow hal_nfc_default vendor_nfc_prop:file read;
-
-set_prop(hal_nfc_default, vendor_nfc_prop)
r_dir_file(hal_nfc_default, vendor_nfc_vendor_data_file)
diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te
index 88ccddb..c3c7751 100644
--- a/sepolicy/vendor/hal_sensors_default.te
+++ b/sepolicy/vendor/hal_sensors_default.te
@@ -1,4 +1,10 @@
-set_prop(hal_sensors_default, vendor_sensors_prop)
+get_prop(hal_sensors_default, vendor_asus_prop)
+set_prop(hal_sensors_default, vendor_asus_prop)
-allow hal_sensors_default sensors_device:chr_file rw_file_perms;
+get_prop(hal_sensors_default, vendor_alsp_prop)
+set_prop(hal_sensors_default, vendor_alsp_prop)
+
+set_prop(hal_sensors_default, vendor_mag_prop)
+
+allow hal_sensors_default sensor_device:chr_file rw_file_perms;
allow hal_sensors_default vendor_sysfs_sensors:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/hal_thermal_default.te b/sepolicy/vendor/hal_thermal_default.te
deleted file mode 100644
index de8f78b..0000000
--- a/sepolicy/vendor/hal_thermal_default.te
+++ /dev/null
@@ -1 +0,0 @@
-get_prop(hal_thermal_default, vendor_thermal_prop)
diff --git a/sepolicy/vendor/hal_usb_gadget_default.te b/sepolicy/vendor/hal_usb_gadget_default.te
new file mode 100644
index 0000000..f49161e
--- /dev/null
+++ b/sepolicy/vendor/hal_usb_gadget_default.te
@@ -0,0 +1 @@
+allow hal_usb_gadget_default functionfs:dir { watch watch_reads };
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
index 87090a8..34e32ff 100644
--- a/sepolicy/vendor/hwservice_contexts
+++ b/sepolicy/vendor/hwservice_contexts
@@ -1,4 +1,3 @@
-vendor.asus.bspcam::IAsusBspCameraInterface u:object_r:asus_bspcam_hwservice:s0
vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_hwservice:s0
vendor.pixelworks.hardware.display::IIris u:object_r:hal_display_iris_hwservice:s0
vendor.pixelworks.hardware.feature::IIrisFeature u:object_r:hal_display_iris_hwservice:s0
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
index eb990d7..7c34ac6 100644
--- a/sepolicy/vendor/init.te
+++ b/sepolicy/vendor/init.te
@@ -2,7 +2,7 @@
demoapp_file
log_file
bat_file
-}:dir mounton;
+}:dir { create mounton relabelto };
allow init vendor_proc_graphics:file { rw_file_perms setattr };
allow init vendor_file:file { execute };
diff --git a/sepolicy/vendor/platform_app.te b/sepolicy/vendor/platform_app.te
index 0e64346..3e66ede 100644
--- a/sepolicy/vendor/platform_app.te
+++ b/sepolicy/vendor/platform_app.te
@@ -1,2 +1,5 @@
-allow platform_app vendor_camera_prop:file { getattr map open read };
-allow platform_app vendor_asus_build_prop:file { getattr map open read };
+get_prop(platform_app, vendor_asus_prop)
+
+get_prop(platform_app, vendor_camera_prop)
+
+allow platform_app ois_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/priv_app.te b/sepolicy/vendor/priv_app.te
new file mode 100644
index 0000000..1071dac
--- /dev/null
+++ b/sepolicy/vendor/priv_app.te
@@ -0,0 +1,3 @@
+get_prop(priv_app, vendor_asus_prop)
+
+allow priv_app ois_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
index c222034..a901d60 100644
--- a/sepolicy/vendor/property.te
+++ b/sepolicy/vendor/property.te
@@ -1,8 +1,8 @@
-# Build
-vendor_public_prop(vendor_asus_build_prop)
+# Asus Prop
+vendor_public_prop(vendor_asus_prop);
# Camera
-vendor_public_prop(vendor_asus_camera_prop)
+system_restricted_prop(vendor_set_camera_prop)
# Fingerprint
vendor_internal_prop(vendor_gx_fpd_prop)
@@ -10,8 +10,16 @@
# GPS
vendor_internal_prop(vendor_gps_prop)
-# NFC
-vendor_internal_prop(vendor_nfc_prop)
+# Sensors
+vendor_restricted_prop(vendor_alsp_prop);
+vendor_restricted_prop(vendor_mag_prop);
-# Thermal
-vendor_internal_prop(vendor_thermal_prop)
+# Storage
+vendor_public_prop(vendor_asus_storage_prop);
+vendor_public_prop(vendor_asus_storage_prop_2);
+
+# Usb
+system_restricted_prop(vendor_asus_usb_prop);
+
+# Zram
+vendor_restricted_prop(vendor_asus_zram_prop);
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
index 4136aae..a87f956 100644
--- a/sepolicy/vendor/property_contexts
+++ b/sepolicy/vendor/property_contexts
@@ -1,60 +1,74 @@
+# Asus
+ro.vendor.build.asus. u:object_r:vendor_asus_prop:s0
+
# Audio
-vendor.use.audio.eu.parameters u:object_r:vendor_audio_prop:s0
+vendor.use.audio.eu.parameters u:object_r:vendor_audio_prop:s0
# Camera
-ro.vendor.build.asus. u:object_r:vendor_asus_build_prop:s0
-ro.vendor.camera.sound.forced u:object_r:vendor_asus_camera_prop:s0
-ro.vendor.config.versatility u:object_r:vendor_asus_camera_prop:s0
-vendor.asus.dis_flash_light u:object_r:vendor_asus_camera_prop:s0
-vendor.camera. u:object_r:vendor_asus_camera_prop:s0
-vendor.camera.set.apk. u:object_r:vendor_asus_camera_prop:s0
+ro.vendor.camera. u:object_r:vendor_camera_prop:s0
+vendor.camera. u:object_r:vendor_camera_prop:s0
+vendor.camera.disableubwc u:object_r:vendor_set_camera_prop:s0
+vendor.camera.set.apk.usingname u:object_r:vendor_set_camera_prop:s0
+vendor.camera.set.apk.activity u:object_r:vendor_set_camera_prop:s0
+vendor.asus.dis_flash_light u:object_r:vendor_set_camera_prop:s0
# DRM
-vendor.drm.keystatus u:object_r:vendor_display_prop:s0
+vendor.drm.keystatus u:object_r:vendor_display_prop:s0
# Fingerprint
-vendor.goodix. u:object_r:vendor_gx_fpd_prop:s0
+vendor.goodix.sensor.status u:object_r:vendor_asus_prop:s0
+
+ro.hardware.fp_position u:object_r:vendor_gx_fpd_prop:s0
+ro.hardware.fp_shape u:object_r:vendor_gx_fpd_prop:s0
+vendor.fp.cali.factory.check u:object_r:vendor_gx_fpd_prop:s0
+vendor.fp.cali.ready u:object_r:vendor_gx_fpd_prop:s0
vendor.fp.version.driver u:object_r:vendor_gx_fpd_prop:s0
vendor.gf.debug.dump_data u:object_r:vendor_gx_fpd_prop:s0
vendor.gf.debug.whitebox.enabled u:object_r:vendor_gx_fpd_prop:s0
-vendor.fp.cali.factory.check u:object_r:vendor_gx_fpd_prop:s0
-vendor.fp.cali.ready u:object_r:vendor_gx_fpd_prop:s0
-ro.hardware.fp_position u:object_r:vendor_gx_fpd_prop:s0
-ro.hardware.fp_shape u:object_r:vendor_gx_fpd_prop:s0
-persist.vendor.asus.fp.wakeup u:object_r:vendor_gx_fpd_prop:s0
-vendor.fp.cali.shipping.check u:object_r:vendor_gx_fpd_prop:s0
-vendor.screen.rotation u:object_r:vendor_gx_fpd_prop:s0
-vendor.asus.touch_control_ u:object_r:vendor_gx_fpd_prop:s0
-
+vendor.goodix.service.ready u:object_r:vendor_gx_fpd_prop:s0
+vendor.goodix.version.pack u:object_r:vendor_gx_fpd_prop:s0
+vendor.goodix.sensor.id u:object_r:vendor_gx_fpd_prop:s0
# GPS
-persist.vendor.asus.agps. u:object_r:vendor_gps_prop:s0
-persist.vendor.asus.gps. u:object_r:vendor_gps_prop:s0
-vendor.gps. u:object_r:vendor_gps_prop:s0
-
-# NFC
-persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0
+persist.vendor.asus.agps. u:object_r:vendor_gps_prop:s0
+persist.vendor.asus.gps. u:object_r:vendor_gps_prop:s0
+vendor.gps. u:object_r:vendor_gps_prop:s0
# RIL
+vendor.asus.tel.antenna u:object_r:vendor_asus_prop:s0
ro.vendor.csc.modemhash u:object_r:vendor_radio_prop:s0
vendor.asus.operator.iso-country u:object_r:vendor_radio_prop:s0
# Sensors
-persist.vendor.asus.gyrosensor2calibx u:object_r:vendor_sensors_prop:s0
-persist.vendor.asus.gyrosensor2caliby u:object_r:vendor_sensors_prop:s0
-persist.vendor.asus.gyrosensor2calibz u:object_r:vendor_sensors_prop:s0
-persist.vendor.asus.gyrosensor2calibtime u:object_r:vendor_sensors_prop:s0
-vendor.proximity. u:object_r:vendor_sensors_prop:s0
+vendor.asus.mag.accessory u:object_r:vendor_mag_prop:s0
+vendor.light. u:object_r:vendor_alsp_prop:s0
+vendor.proximity. u:object_r:vendor_alsp_prop:s0
+
+# Storage
+persist.vendor.asus.exfatck.timeout u:object_r:vendor_asus_storage_prop_2:s0
+ro.vendor.atd.memvendor u:object_r:vendor_asus_storage_prop:s0
+ro.vendor.atd.datafmt u:object_r:vendor_asus_storage_prop:s0
+vendor.asus.ddr_info u:object_r:vendor_asus_storage_prop_2:s0
+vendor.asus.update.storage.status u:object_r:vendor_asus_storage_prop:s0
+vendor.asus.storage.primary.status u:object_r:vendor_asus_storage_prop_2:s0
+vendor.asus.storage.primary.type u:object_r:vendor_asus_storage_prop_2:s0
+vendor.asus.storage.primary.size u:object_r:vendor_asus_storage_prop:s0
+vendor.asus.storage.primary.health u:object_r:vendor_asus_storage_prop:s0
+vendor.asus.storage.primary.healthtypeA u:object_r:vendor_asus_storage_prop:s0
+vendor.asus.storage.primary.healthtypeB u:object_r:vendor_asus_storage_prop:s0
+vendor.asus.storage.primary.ufs_info u:object_r:vendor_asus_storage_prop_2:s0
+vendor.asus.storage.primary.vendor u:object_r:vendor_asus_storage_prop:s0
# Thermal
-vendor.asus.virtualtherm u:object_r:vendor_thermal_prop:s0
-vendor.asus.thermal_config_id u:object_r:vendor_thermal_prop:s0
-vendor.asus.thermalfan u:object_r:vendor_thermal_prop:s0
-vendor.thermal. u:object_r:vendor_thermal_prop:s0
-vendor.thermal_ u:object_r:vendor_thermal_prop:s0
-persist.vendor.asus.thermal.config u:object_r:vendor_thermal_prop:s0
+vendor.thermal. u:object_r:vendor_asus_prop:s0
+vendor.asus.thermal.speuser u:object_r:vendor_asus_prop:s0
+vendor.asus.thermal.cdn_load u:object_r:vendor_asus_prop:s0
+
+# Usb
+persist.vendor.asus.usb.diag u:object_r:vendor_asus_usb_prop:s0
+vendor.asus.usb.diag u:object_r:vendor_asus_usb_prop:s0
+vendor.asus.usb.fullspeed u:object_r:vendor_asus_usb_prop:s0
# ZRAM
-persist.vendor.zram u:object_r:vendor_mpctl_prop:s0
-vendor.asus.zram u:object_r:vendor_mpctl_prop:s0
-vendor.zram. u:object_r:vendor_mpctl_prop:s0
+persist.vendor.zram.disksize u:object_r:vendor_asus_zram_prop:s0
+vendor.init.zram.enable u:object_r:vendor_asus_zram_prop:s0
diff --git a/sepolicy/vendor/seapp_contexts b/sepolicy/vendor/seapp_contexts
deleted file mode 100644
index b001985..0000000
--- a/sepolicy/vendor/seapp_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# Camera
-user=_app isPrivApp=true seinfo=platform name=com.asus.camera domain=asus_camera_app type=app_data_file levelFrom=all
diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te
index 271504c..d3aa005 100644
--- a/sepolicy/vendor/system_app.te
+++ b/sepolicy/vendor/system_app.te
@@ -3,3 +3,8 @@
allow system_app sysfs_zram:file r_file_perms;
allow system_app vendor_proc_graphics:file { rw_file_perms setattr };
+
+get_prop(system_app, vendor_asus_prop)
+
+get_prop(system_app, vendor_asus_usb_prop)
+allow system_app vendor_asus_usb_prop:property_service set;
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
index c785f83..7d0f8b8 100644
--- a/sepolicy/vendor/system_server.te
+++ b/sepolicy/vendor/system_server.te
@@ -1,2 +1,6 @@
allow system_server vendor_proc_graphics:file rw_file_perms;
allow system_server app_zygote:process getpgid;
+
+get_prop(system_server, vendor_asus_prop)
+
+get_prop(system_server, vendor_alsp_prop)
diff --git a/sepolicy/vendor/vendor_agmservice_qti.te b/sepolicy/vendor/vendor_agmservice_qti.te
new file mode 100644
index 0000000..89740d6
--- /dev/null
+++ b/sepolicy/vendor/vendor_agmservice_qti.te
@@ -0,0 +1,8 @@
+allow vendor_agmservice_qti mnt_vendor_file:dir search;
+allow vendor_agmservice_qti mnt_vendor_file:file r_file_perms;
+
+allow vendor_agmservice_qti vendor_sysfs_adsp_ssr:file rw_file_perms;
+
+allow vendor_agmservice_qti debugfs:dir { read write open };
+allow vendor_agmservice_qti sysfs:dir read;
+
diff --git a/sepolicy/vendor/vendor_asus_storage.te b/sepolicy/vendor/vendor_asus_storage.te
new file mode 100644
index 0000000..3b454eb
--- /dev/null
+++ b/sepolicy/vendor/vendor_asus_storage.te
@@ -0,0 +1,12 @@
+type vendor_asus_storage, domain, mlstrustedsubject;
+type vendor_asus_storage_exec, exec_type, vendor_file_type, file_type;
+
+# Started by init
+init_daemon_domain(vendor_asus_storage)
+
+allow vendor_asus_storage property_socket:sock_file write;
+
+get_prop(vendor_asus_storage, vendor_asus_storage_prop)
+set_prop(vendor_asus_storage, vendor_asus_storage_prop)
+get_prop(vendor_asus_storage, vendor_asus_storage_prop_2)
+set_prop(vendor_asus_storage, vendor_asus_storage_prop_2)
diff --git a/sepolicy/vendor/vendor_hal_perf_default.te b/sepolicy/vendor/vendor_hal_perf_default.te
index 69eb3c0..0591fa0 100644
--- a/sepolicy/vendor/vendor_hal_perf_default.te
+++ b/sepolicy/vendor/vendor_hal_perf_default.te
@@ -1,7 +1,9 @@
r_dir_file(vendor_hal_perf_default, sysfs_dm)
-set_prop(vendor_hal_perf_default, vendor_asus_camera_prop)
+
+get_prop(vendor_hal_perf_default, vendor_asus_prop)
+set_prop(vendor_hal_perf_default, vendor_asus_prop)
+
set_prop(vendor_hal_perf_default, vendor_camera_prop)
-set_prop(vendor_hal_perf_default, vendor_thermal_prop)
allow vendor_hal_perf_default sysfs_dm:file rw_file_perms;
allow vendor_hal_perf_default sysfs_thermal:file w_file_perms;
diff --git a/sepolicy/vendor/vendor_hal_usb_qti.te b/sepolicy/vendor/vendor_hal_usb_qti.te
new file mode 100644
index 0000000..fc2e813
--- /dev/null
+++ b/sepolicy/vendor/vendor_hal_usb_qti.te
@@ -0,0 +1 @@
+get_prop(vendor_hal_usb_qti, vendor_asus_usb_prop)
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
index 130fcdb..64f9511 100644
--- a/sepolicy/vendor/vendor_init.te
+++ b/sepolicy/vendor/vendor_init.te
@@ -1,16 +1,20 @@
allow vendor_init cgroup:file getattr;
allow vendor_init asus_display_proc_exec:file { read write getattr open };
-get_prop(vendor_init, vendor_thermal_prop)
-set_prop(vendor_init, vendor_thermal_prop)
+get_prop(vendor_init, vendor_asus_prop)
+set_prop(vendor_init, vendor_asus_prop)
get_prop(vendor_init, vendor_gx_fpd_prop)
set_prop(vendor_init, vendor_gx_fpd_prop)
+
set_prop(vendor_init, vendor_camera_prop)
-get_prop(vendor_init, vendor_asus_camera_prop)
-set_prop(vendor_init, vendor_asus_camera_prop)
+get_prop(vendor_init, vendor_asus_zram_prop)
allow vendor_init vendor_goodix_data_file:file create_file_perms;
allow vendor_init vendor_goodix_data_file:dir create_dir_perms;
-allow vendor_init vendor_proc_camera:file rw_file_perms;
+
+get_prop(vendor_init, vendor_asus_usb_prop)
+
+get_prop(vendor_init, vendor_asus_storage_prop_2)
+set_prop(vendor_init, vendor_asus_storage_prop_2)
diff --git a/sepolicy/vendor/vendor_qlogd.te b/sepolicy/vendor/vendor_qlogd.te
new file mode 100644
index 0000000..473be9a
--- /dev/null
+++ b/sepolicy/vendor/vendor_qlogd.te
@@ -0,0 +1,2 @@
+allow vendor_qlogd mnt_user_file:lnk_file read;
+allow vendor_qlogd mnt_user_file:dir search;
diff --git a/sepolicy/vendor/vendor_qti_init_shell.te b/sepolicy/vendor/vendor_qti_init_shell.te
index fec2bee..f5953cd 100644
--- a/sepolicy/vendor/vendor_qti_init_shell.te
+++ b/sepolicy/vendor/vendor_qti_init_shell.te
@@ -2,5 +2,21 @@
allow vendor_qti_init_shell proc_cmdline:file r_file_perms;
allow vendor_qti_init_shell proc_page_cluster:file w_file_perms;
allow vendor_qti_init_shell vendor_file:file execute_no_trans;
-get_prop(vendor_qti_init_shell, vendor_asus_camera_prop)
set_prop(vendor_qti_init_shell, ctl_start_prop)
+
+set_prop(vendor_qti_init_shell, vendor_asus_prop)
+
+get_prop(vendor_qti_init_shell, vendor_asus_storage_prop)
+set_prop(vendor_qti_init_shell, vendor_asus_storage_prop)
+get_prop(vendor_qti_init_shell, vendor_asus_storage_prop_2)
+set_prop(vendor_qti_init_shell, vendor_asus_storage_prop_2)
+
+get_prop(vendor_qti_init_shell, vendor_asus_zram_prop)
+set_prop(vendor_qti_init_shell, vendor_asus_zram_prop)
+
+get_prop(vendor_qti_init_shell, vendor_ssr_prop)
+allow vendor_qti_init_shell vendor_ssr_prop:property_service set;
+
+allow vendor_qti_init_shell configfs:dir setattr;
+allow vendor_qti_init_shell vendor_sysfs_qdss_dev:file w_file_perms;
+
diff --git a/sepolicy/vendor/vendor_subsystem_ramdump.te b/sepolicy/vendor/vendor_subsystem_ramdump.te
new file mode 100644
index 0000000..a09bf6b
--- /dev/null
+++ b/sepolicy/vendor/vendor_subsystem_ramdump.te
@@ -0,0 +1,2 @@
+get_prop(vendor_subsystem_ramdump, vendor_ssr_prop)
+set_prop(vendor_subsystem_ramdump, vendor_ssr_prop)
diff --git a/sepolicy/vendor/vendor_thermal-engine.te b/sepolicy/vendor/vendor_thermal-engine.te
index 72efc4a..fde1eb7 100644
--- a/sepolicy/vendor/vendor_thermal-engine.te
+++ b/sepolicy/vendor/vendor_thermal-engine.te
@@ -1,7 +1,8 @@
get_prop(vendor_thermal-engine, vendor_camera_prop)
-set_prop(vendor_thermal-engine, vendor_thermal_prop)
-get_prop(vendor_thermal-engine, vendor_asus_camera_prop)
-set_prop(vendor_thermal-engine, vendor_asus_camera_prop)
+get_prop(vendor_thermal-engine, vendor_asus_prop)
+set_prop(vendor_thermal-engine, vendor_asus_prop)
allow vendor_thermal-engine self:capability { fowner fsetid kill };
+
+allow vendor_thermal-engine vendor_sysfs_asuslib:file rw_file_perms;
diff --git a/sepolicy/vendor/zf_dongle.te b/sepolicy/vendor/zf_dongle.te
new file mode 100644
index 0000000..685a035
--- /dev/null
+++ b/sepolicy/vendor/zf_dongle.te
@@ -0,0 +1,25 @@
+type zf_dongle, domain;
+type zf_dongle_exec, exec_type, vendor_file_type, file_type;
+
+# Started by init
+init_daemon_domain(zf_dongle)
+
+r_dir_file(zf_dongle, mnt_vendor_file)
+
+r_dir_file(zf_dongle, sysfs)
+allow zf_dongle sysfs:lnk_file read;
+allow zf_dongle sysfs:file rw_file_perms;
+
+allow zf_dongle vendor_file:system module_load;
+allow zf_dongle vendor_file:file execute_no_trans;
+
+r_dir_file(zf_dongle, vendor_data_file)
+allow zf_dongle vendor_data_file:file rw_file_perms;
+
+r_dir_file(zf_dongle, usb_device)
+allow zf_dongle usb_device:chr_file rw_file_perms;
+
+r_dir_file(zf_dongle, vendor_sysfs_usb_node)
+allow zf_dongle vendor_sysfs_usb_node:file rw_file_perms;
+
+allow zf_dongle self:qipcrtr_socket create_socket_perms_no_ioctl;