zenfone8: Enforce SELinux.

[micky387] added a few SELinux rules

Change-Id: Idbface1ffbfd73eb146f7d87d2bc6a1dd03b84c7
diff --git a/BoardConfig.mk b/BoardConfig.mk
index edba777..3cd1352 100755
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -86,6 +86,7 @@
 BUILD_BROKEN_DUP_RULES := true
 BUILD_BROKEN_ELF_PREBUILT_PRODUCT_COPY_FILES := true
 BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true
+BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE := true # For the selinux context
 
 # charger
 BOARD_CHARGER_DISABLE_INIT_BLANK := true
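Review bot: The trailing `# For the selinux context` on the added `BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE` line leaves whitespace after `true` in the assigned value under GNU make's parsing, and it does not say which entries need the opt-out. Move the comment to its own line above and name the cause, e.g. `# vendor property_contexts labels sys.audio.*, persist.camera.*, ro.camera.* and persist.sys.display.iris`. The flag switches off the vendor property namespace check for the whole vendor property_contexts, so later entries outside `vendor.`, `persist.vendor.` and `ro.vendor.` will no longer be caught at build time. Whether those names could instead be labelled from the system_ext policy directory this commit adds is worth confirming.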
@@ -316,6 +317,7 @@
 include vendor/omni/sepolicy/sepolicy.mk
 include device/qcom/sepolicy_vndr/SEPolicy.mk
 BOARD_VENDOR_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/vendor
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/private
 
 # WiFi
 BOARD_WLAN_DEVICE := qcwcn
diff --git a/sepolicy/private/service_contexts b/sepolicy/private/service_contexts
new file mode 100644
index 0000000..4a8d172
--- /dev/null
+++ b/sepolicy/private/service_contexts
@@ -0,0 +1,7 @@
+# IMS
+vendor.qti.hardware.radio.ims.IImsRadio/imsradio0           u:object_r:vendor_hal_telephony_service:s0
+vendor.qti.hardware.radio.ims.IImsRadio/imsradio1           u:object_r:vendor_hal_telephony_service:s0
+vendor.qti.hardware.radio.qtiradio.IQtiRadioStable/slot1    u:object_r:vendor_hal_telephony_service:s0
+vendor.qti.hardware.radio.qtiradio.IQtiRadioStable/slot2    u:object_r:vendor_hal_telephony_service:s0
+vendor.qti.hardware.radio.am.IQcRilAudio/slot1              u:object_r:vendor_hal_telephony_service:s0
+vendor.qti.hardware.radio.am.IQcRilAudio/slot2              u:object_r:vendor_hal_telephony_service:s0
diff --git a/sepolicy/private/vendor_qtelephony.te b/sepolicy/private/vendor_qtelephony.te
new file mode 100644
index 0000000..82cadc5
--- /dev/null
+++ b/sepolicy/private/vendor_qtelephony.te
@@ -0,0 +1 @@
+allow vendor_qtelephony vendor_hal_telephony_service:service_manager find;
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index 03d1b9d..db9efa3 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -1,5 +1,14 @@
+# Camera
+type vendor_proc_camera, fs_type, proc_type;
+
+# Display
+type vendor_proc_graphics, fs_type, proc_type;
+
+# EVT
+type vendor_proc_evt, fs_type, proc_type;
+
 # Files in proc
-type asus_display_proc_exec, proc_type;
+type asus_display_proc_exec, fs_type, proc_type;
 
 # Files in rootfs
 type bat_file, file_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index 5e87938..3f12b94 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -6,6 +6,9 @@
 /dev/block/platform/soc/1d84000\.ufshc/by-name/asdf                                                u:object_r:asdf_block_device:s0
 /dev/block/platform/soc/1d84000\.ufshc/by-name/batinfo                                             u:object_r:asus_block_device:s0
 
+# Camera
+/(vendor|system/vendor)/lib(64)?/libipebpsstriping\.so                                             u:object_r:same_process_hal_file:s0
+
 # Devices
 /dev/goodix_fp                                                                                     u:object_r:fingerprintd_device:s0
 
@@ -23,3 +26,6 @@
 # Sensors
 /dev/asus2ndAccelSensor                                                                            u:object_r:sensors_device:s0
 /dev/asus2ndGyroSensor                                                                             u:object_r:sensors_device:s0
+/sys/devices/virtual/sensors/psensor/switch                                                        u:object_r:vendor_sysfs_sensors:s0
+/sys/class/icm206xx/gyro2_poll_delay                                                               u:object_r:vendor_sysfs_sensors:s0
+/sys/class/icm206xx/accel2_poll_delay                                                              u:object_r:vendor_sysfs_sensors:s0
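Review bot: The three `/sys/...` entries added under `# Sensors` label sysfs nodes through file_contexts, which only takes effect if something runs restorecon on those paths; the other sysfs labels in this commit go through `genfscon sysfs` in genfs_contexts. If nothing relabels them at boot, the nodes keep the default sysfs label and the `vendor_sysfs_sensors` rules never apply. Consider moving them to genfs_contexts, e.g. `genfscon sysfs /devices/virtual/sensors/psensor/switch u:object_r:vendor_sysfs_sensors:s0`, after confirming the resolved paths on the device.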
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
index bb977ae..58854ce 100644
--- a/sepolicy/vendor/genfs_contexts
+++ b/sepolicy/vendor/genfs_contexts
@@ -1,4 +1,13 @@
+# Camera
+genfscon proc /driver/dualcam_cali                                                              u:object_r:vendor_proc_camera:s0
+genfscon proc /driver/ois_af_state                                                              u:object_r:vendor_proc_camera:s0
+genfscon proc /driver/ois_i2c_rw                                                                u:object_r:vendor_proc_camera:s0
+
 # Display
+genfscon proc /driver/swipeup                                                                   u:object_r:vendor_proc_graphics:s0
+genfscon proc /driver/gesture_type                                                              u:object_r:vendor_proc_graphics:s0
+genfscon proc /driver/glove                                                                     u:object_r:vendor_proc_graphics:s0
+genfscon proc /driver/dclick                                                                    u:object_r:vendor_proc_graphics:s0
 genfscon proc /lcd_dimming_speed                                                                u:object_r:asus_display_proc_exec:s0
 genfscon proc /lcd_brightness                                                                   u:object_r:asus_display_proc_exec:s0
 genfscon proc /lcd_unique_id                                                                    u:object_r:asus_display_proc_exec:s0
@@ -6,3 +15,69 @@
 
 genfscon sysfs /class/drm/fod_touched                                                           u:object_r:vendor_sysfs_graphics:s0
 genfscon sysfs /class/drm/hdr_mode                                                              u:object_r:vendor_sysfs_graphics:s0
+
+# EVT
+genfscon proc /asusevtlog                                                                       u:object_r:vendor_proc_evt:s0
+
+# Thermal
+genfscon sysfs /class/asuslib/set_virtualthermal                                                u:object_r:sysfs_thermal:s0
+
+# Vibrator
+genfscon sysfs /devices/platform/soc/998000.i2c/i2c-2/2-005a                                    u:object_r:sysfs_vibrator:s0
+
+# Wakeup
+genfscon sysfs /devices/platform/dummy_hcd.0/usb1/wakeup                                                                            u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/17300000.qcom,lpass/subsys6/wakeup                                                             u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/17300000.qcom,lpass/wakeup                                                                     u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/188101c.qcom,spss/subsys5/wakeup                                                               u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/188101c.qcom,spss/wakeup                                                                       u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c00000.qcom,pcie/pci0000:00/0000:00:00.0/0000:01:00.0/1103_00.01.00/wakeup                    u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c00000.qcom,pcie/wakeup                                                                       u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1e00000.qcom,ipa/wakeup                                                                        u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4080000.qcom,mss/subsys8/wakeup                                                                u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4080000.qcom,mss/wakeup                                                                        u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/5c00000.qcom,ssc/subsys7/wakeup                                                                u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/5c00000.qcom,ssc/wakeup                                                                        u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/884000.i2c/i2c-4/4-0028/wakeup                                                                 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/890000.qcom,qup_uart/wakeup                                                                    u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/894000.i2c/i2c-6/6-0068/wakeup                                                                 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/98900000.qcom,turing/subsys4/wakeup                                                            u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/98900000.qcom,turing/wakeup                                                                    u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/a600000.ssusb/wakeup                                                                           u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/aab0000.qcom,venus/subsys9/wakeup                                                              u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/aab0000.qcom,venus/subsys10/wakeup                                                             u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/aab0000.qcom,venus/wakeup                                                                      u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/abb0000.qcom,evass/subsys1/wakeup                                                              u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/abb0000.qcom,evass/wakeup                                                                      u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/b0000000.qcom,cnss-qca6490/subsys9/wakeup                                                      u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/b0000000.qcom,cnss-qca6490/subsys10/wakeup                                                     u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/b0000000.qcom,cnss-qca6490/wakeup                                                              u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-03/c440000.qcom,spmi:qcom,pm8350b@3:qcom,amoled/wakeup          u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pmk8350@0:rtc@6100/rtc/rtc0/wakeup    u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys0/wakeup                                                                u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/wakeup                                                                        u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/subsys3/wakeup                                                               u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/wakeup                                                                       u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,pmic_glink/wakeup                                                                     u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,pmic_glink_log/wakeup                                                                 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-adsp/wakeup                                                                     u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-dsps/wakeup                                                                     u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-modem/wakeup                                                                    u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-nsp/wakeup                                                                      u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p_sleepstate/wakeup                                                               u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,trustedvm@d0800000/subsys2/wakeup                                                     u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,trustedvm@d0800000/wakeup                                                             u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/fastrpc/adsprpc-smd-secure/wakeup                                                                   u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/fastrpc/adsprpc-smd/wakeup                                                                          u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_aac/wakeup                                                                                 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_alac/wakeup                                                                                u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_amrnb/wakeup                                                                               u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_amrwb/wakeup                                                                               u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_amrwbplus/wakeup                                                                           u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_ape/wakeup                                                                                 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_evrc/wakeup                                                                                u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_g711alaw/wakeup                                                                            u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_mp3/wakeup                                                                                 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_qcelp/wakeup                                                                               u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_wma/wakeup                                                                                 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_wmapro/wakeup                                                                              u:object_r:sysfs_wakeup:s0
diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te
new file mode 100644
index 0000000..b2b393f
--- /dev/null
+++ b/sepolicy/vendor/hal_audio_default.te
@@ -0,0 +1,3 @@
+set_prop(hal_audio_default, vendor_audio_prop)
+
+allow hal_audio_default mnt_vendor_file:file create_file_perms;
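Review bot: `allow hal_audio_default mnt_vendor_file:file create_file_perms;` grants create, write, rename and unlink on the generic `mnt_vendor_file` label, so the audio HAL can modify any file carrying that label rather than only its own data. This file also has no matching `mnt_vendor_file:dir` rule, and creating a file needs add_name on the directory, so the create part may be unusable unless another policy grants it. A dedicated type for the audio files would keep the grant narrow, as would `r_file_perms` if the denial was only a read. A comment naming the path involved would help either way.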
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
index da92a91..a3057af 100644
--- a/sepolicy/vendor/hal_camera_default.te
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -1,5 +1,12 @@
 add_hwservice(hal_camera_default, asus_bspcam_hwservice)
-binder_call(hal_camera_default, system_server)
 
-allow hal_camera_default mnt_vendor_file:file { read getattr open };
-allow hal_camera_default mnt_vendor_file:dir { search };
+binder_call(hal_camera_default, system_server)
+get_prop(hal_camera_default, vendor_camera_prop)
+set_prop(hal_camera_default, vendor_camera_prop)
+
+allow hal_camera_default mnt_vendor_file:dir w_dir_perms;
+allow hal_camera_default mnt_vendor_file:file create_file_perms;
+allow hal_camera_default vendor_proc_camera:file rw_file_perms;
+
+# for /vendor/lib64/DataSet/ispDB/ParameterDB.db
+allow hal_camera_default vendor_file:file lock;
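Review bot: The new `mnt_vendor_file` rules widen the camera HAL from the removed read-only set to `w_dir_perms` plus `create_file_perms` on a label shared with other vendor data, and nothing in the hunk says which path needs to be written. A dedicated type for the camera's files would avoid giving the HAL write access to everything labelled `mnt_vendor_file`. Separately, `get_prop(hal_camera_default, vendor_camera_prop)` is redundant next to `set_prop` on the same property, since `set_prop` already expands to the read rules. The same applies to `allow hal_nfc_default vendor_nfc_prop:file read;` in hal_nfc_default.te.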
diff --git a/sepolicy/vendor/hal_graphics_composer_default.te b/sepolicy/vendor/hal_graphics_composer_default.te
index 56f7ced..61c6680 100644
--- a/sepolicy/vendor/hal_graphics_composer_default.te
+++ b/sepolicy/vendor/hal_graphics_composer_default.te
@@ -8,3 +8,5 @@
 add_hwservice(hal_graphics_composer_default, hal_display_iris_hwservice)
 
 set_prop(hal_graphics_composer_default, vendor_display_prop)
+
+allow hal_graphics_composer_default sysfs_devices_system_cpu:file rw_file_perms;
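Review bot: `allow hal_graphics_composer_default sysfs_devices_system_cpu:file rw_file_perms;` gives the composer write access to every node carrying the CPU sysfs label, with no comment on which node it touches or why. If the logged denial was a read, `r_file_perms` is enough. If a write is really required, confirm the rule passes the platform neverallow checks and add a comment naming the node.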
diff --git a/sepolicy/vendor/hal_nfc_default.te b/sepolicy/vendor/hal_nfc_default.te
new file mode 100644
index 0000000..44776df
--- /dev/null
+++ b/sepolicy/vendor/hal_nfc_default.te
@@ -0,0 +1,5 @@
+allow hal_nfc_default hal_nfc_hwservice:hwservice_manager find;
+
+allow hal_nfc_default vendor_nfc_prop:file read;
+
+set_prop(hal_nfc_default, vendor_nfc_prop)
diff --git a/sepolicy/vendor/hal_power_default.te b/sepolicy/vendor/hal_power_default.te
new file mode 100644
index 0000000..aa65a61
--- /dev/null
+++ b/sepolicy/vendor/hal_power_default.te
@@ -0,0 +1 @@
+allow hal_sensors_default vendor_proc_evt:file { append };
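Review bot: The only rule in the new hal_power_default.te has `hal_sensors_default` as its source domain, so the file name and its content disagree. If the denial came from the power HAL, this is a copy-paste slip and the power HAL still lacks the permission; the line should then read `allow hal_power_default vendor_proc_evt:file { append };`. If the sensors HAL is really the writer, the rule belongs in hal_sensors_default.te, which this commit also adds.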
diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te
new file mode 100644
index 0000000..88ccddb
--- /dev/null
+++ b/sepolicy/vendor/hal_sensors_default.te
@@ -0,0 +1,4 @@
+set_prop(hal_sensors_default, vendor_sensors_prop)
+
+allow hal_sensors_default sensors_device:chr_file rw_file_perms;
+allow hal_sensors_default vendor_sysfs_sensors:chr_file rw_file_perms;
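Review bot: `allow hal_sensors_default vendor_sysfs_sensors:chr_file rw_file_perms;` uses the `chr_file` class, but the paths this commit labels `vendor_sysfs_sensors` are attributes under `/sys`, which are regular files. As written the rule would not cover them; it probably should be `allow hal_sensors_default vendor_sysfs_sensors:file rw_file_perms;`. The `sensors_device:chr_file` line above it is the one that matches the `/dev` nodes.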
diff --git a/sepolicy/vendor/hal_thermal_default.te b/sepolicy/vendor/hal_thermal_default.te
new file mode 100644
index 0000000..de8f78b
--- /dev/null
+++ b/sepolicy/vendor/hal_thermal_default.te
@@ -0,0 +1 @@
+get_prop(hal_thermal_default, vendor_thermal_prop)
diff --git a/sepolicy/vendor/hal_wifi_default.te b/sepolicy/vendor/hal_wifi_default.te
new file mode 100644
index 0000000..c6580df
--- /dev/null
+++ b/sepolicy/vendor/hal_wifi_default.te
@@ -0,0 +1 @@
+allow hal_wifi_default self:capability sys_module;
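Review bot: `allow hal_wifi_default self:capability sys_module;` hands the Wi-Fi HAL the capability used to load and unload kernel modules, a large grant for a process that handles radio-side data. This denial is often a side effect of bringing an interface up rather than an actual module load, in which case `dontaudit hal_wifi_default self:capability sys_module;` silences it without granting anything. If the HAL really loads the driver, add a comment saying so and naming the module, so the grant can be reviewed.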
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
index be37185..467471c 100644
--- a/sepolicy/vendor/hwservice_contexts
+++ b/sepolicy/vendor/hwservice_contexts
@@ -2,3 +2,5 @@
 vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon                            u:object_r:hal_fingerprint_hwservice:s0
 vendor.pixelworks.hardware.display::IIris                                                          u:object_r:hal_display_iris_hwservice:s0
 vendor.pixelworks.hardware.feature::IIrisFeature                                                   u:object_r:hal_display_iris_hwservice:s0
+
+vendor.nxp.nxpnfclegacy::INxpNfcLegacy                                                             u:object_r:hal_nfc_hwservice:s0
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
index ba77118..e591582 100644
--- a/sepolicy/vendor/init.te
+++ b/sepolicy/vendor/init.te
@@ -3,3 +3,5 @@
     log_file
     bat_file
 }:dir mounton;
+
+allow init vendor_proc_graphics:file { rw_file_perms setattr };
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
index 4c7a31f..a53ca30 100644
--- a/sepolicy/vendor/property.te
+++ b/sepolicy/vendor/property.te
@@ -1 +1,10 @@
 vendor_internal_prop(vendor_gx_fpd_prop)
+
+# GPS
+vendor_internal_prop(vendor_gps_prop)
+
+# NFC
+vendor_internal_prop(vendor_nfc_prop)
+
+# Thermal
+vendor_internal_prop(vendor_thermal_prop)
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
index fde0560..a2e0710 100644
--- a/sepolicy/vendor/property_contexts
+++ b/sepolicy/vendor/property_contexts
@@ -1,2 +1,47 @@
-vendor.camera.                u:object_r:vendor_camera_prop:s0
-vendor.goodix.                u:object_r:vendor_gx_fpd_prop:s0
+# Audio
+sys.audio.system.brand            u:object_r:vendor_audio_prop:s0
+vendor.use.audio.eu.parameters    u:object_r:vendor_audio_prop:s0
+
+# Camera
+persist.camera.apk.usingname    u:object_r:vendor_camera_prop:s0
+ro.camera.req.fmq.size          u:object_r:vendor_camera_prop:s0
+ro.camera.res.fmq.size          u:object_r:vendor_camera_prop:s0
+vendor.camera.                  u:object_r:vendor_camera_prop:s0
+
+# Display (Pixelworks)
+persist.sys.display.iris    u:object_r:vendor_display_prop:s0
+
+# Fingerprint
+vendor.goodix.    u:object_r:vendor_gx_fpd_prop:s0
+
+# GPS
+persist.vendor.asus.agps.    u:object_r:vendor_gps_prop:s0
+persist.vendor.asus.gps.     u:object_r:vendor_gps_prop:s0
+vendor.gps.                  u:object_r:vendor_gps_prop:s0
+
+# NFC
+persist.vendor.nfc.                 u:object_r:vendor_nfc_prop:s0
+
+# RIL
+ro.vendor.csc.modemhash             u:object_r:vendor_radio_prop:s0
+vendor.asus.operator.iso-country    u:object_r:vendor_radio_prop:s0
+
+# Sensors
+persist.vendor.asus.gyrosensor2calibx       u:object_r:vendor_sensors_prop:s0
+persist.vendor.asus.gyrosensor2caliby       u:object_r:vendor_sensors_prop:s0
+persist.vendor.asus.gyrosensor2calibz       u:object_r:vendor_sensors_prop:s0
+persist.vendor.asus.gyrosensor2calibtime    u:object_r:vendor_sensors_prop:s0
+vendor.proximity.                           u:object_r:vendor_sensors_prop:s0
+
+# Thermal
+vendor.asus.virtualtherm                    u:object_r:vendor_thermal_prop:s0
+vendor.asus.thermal_config_id               u:object_r:vendor_thermal_prop:s0
+vendor.asus.thermalfan                      u:object_r:vendor_thermal_prop:s0
+vendor.thermal.                             u:object_r:vendor_thermal_prop:s0
+vendor.thermal_                             u:object_r:vendor_thermal_prop:s0
+persist.vendor.asus.thermal.config          u:object_r:vendor_thermal_prop:s0
+
+# ZRAM
+persist.vendor.zram    u:object_r:vendor_mpctl_prop:s0
+vendor.asus.zram       u:object_r:vendor_mpctl_prop:s0
+vendor.zram.           u:object_r:vendor_mpctl_prop:s0
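Review bot: Entries written as full property names, such as `ro.vendor.csc.modemhash`, `vendor.asus.virtualtherm` and `persist.vendor.zram`, carry no match kind, so they are treated as prefixes and also label any longer property that starts with the same text. Where one exact property is meant, add the match kind and type, e.g. `ro.vendor.csc.modemhash u:object_r:vendor_radio_prop:s0 exact string` (type to be confirmed), and keep the bare form for entries ending in `.`. `vendor.thermal_` looks like a deliberate prefix, but a one-line comment would confirm it.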
diff --git a/sepolicy/vendor/rild.te b/sepolicy/vendor/rild.te
new file mode 100644
index 0000000..2134976
--- /dev/null
+++ b/sepolicy/vendor/rild.te
@@ -0,0 +1,5 @@
+set_prop(rild, log_prop)
+set_prop(rild, vendor_gps_prop)
+set_prop(rild, vendor_radio_prop)
+
+allow rild vendor_proc_evt:file rw_file_perms;
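Review bot: `set_prop(rild, log_prop)` lets the vendor radio daemon write a platform-owned property type, and the file has no comment saying which property rild sets or why. If the denial is only logging noise and telephony works without it, dropping the rule is the narrower choice. Otherwise add a comment such as `# rild sets <property name> at startup` so the grant can be checked against the platform's property rules.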
diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te
new file mode 100644
index 0000000..d3eb995
--- /dev/null
+++ b/sepolicy/vendor/system_app.te
@@ -0,0 +1 @@
+allow system_app vendor_proc_graphics:file { rw_file_perms setattr };
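Review bot: `allow system_app vendor_proc_graphics:file { rw_file_perms setattr };` includes `setattr`, which for proc nodes is normally only needed by init when it changes ownership or mode at boot; system_server gets plain `rw_file_perms` on the same type in this commit. Unless a denial showed system_app changing attributes, `allow system_app vendor_proc_graphics:file rw_file_perms;` is enough. A comment naming the app that toggles the gesture nodes would also help, since the rule applies to every app in the system_app domain.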
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
new file mode 100644
index 0000000..35f4043
--- /dev/null
+++ b/sepolicy/vendor/system_server.te
@@ -0,0 +1 @@
+allow system_server vendor_proc_graphics:file rw_file_perms;
diff --git a/sepolicy/vendor/vendor_hal_gnss_qti.te b/sepolicy/vendor/vendor_hal_gnss_qti.te
new file mode 100644
index 0000000..db0190e
--- /dev/null
+++ b/sepolicy/vendor/vendor_hal_gnss_qti.te
@@ -0,0 +1,3 @@
+set_prop(vendor_hal_gnss_qti, vendor_gps_prop)
+
+allow vendor_hal_gnss_qti vendor_proc_evt:file rw_file_perms;
diff --git a/sepolicy/vendor/vendor_hal_perf_default.te b/sepolicy/vendor/vendor_hal_perf_default.te
new file mode 100644
index 0000000..2ba2b9d
--- /dev/null
+++ b/sepolicy/vendor/vendor_hal_perf_default.te
@@ -0,0 +1,6 @@
+r_dir_file(vendor_hal_perf_default, sysfs_dm)
+set_prop(vendor_hal_perf_default, vendor_camera_prop)
+set_prop(vendor_hal_perf_default, vendor_thermal_prop)
+
+allow vendor_hal_perf_default sysfs_dm:file rw_file_perms;
+allow vendor_hal_perf_default sysfs_thermal:file w_file_perms;
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
index 4db6a99..04a762f 100644
--- a/sepolicy/vendor/vendor_init.te
+++ b/sepolicy/vendor/vendor_init.te
@@ -1,2 +1,7 @@
 allow vendor_init cgroup:file getattr;
 allow vendor_init asus_display_proc_exec:file { read write getattr open };
+
+get_prop(vendor_init, vendor_thermal_prop)
+set_prop(vendor_init, vendor_camera_prop)
+
+allow vendor_init vendor_proc_camera:file rw_file_perms;
diff --git a/sepolicy/vendor/vendor_location.te b/sepolicy/vendor/vendor_location.te
new file mode 100644
index 0000000..6eb5243
--- /dev/null
+++ b/sepolicy/vendor/vendor_location.te
@@ -0,0 +1 @@
+set_prop(vendor_location, vendor_gps_prop)
diff --git a/sepolicy/vendor/vendor_qtelephony.te b/sepolicy/vendor/vendor_qtelephony.te
new file mode 100644
index 0000000..85fcaad
--- /dev/null
+++ b/sepolicy/vendor/vendor_qtelephony.te
@@ -0,0 +1,3 @@
+set_prop(vendor_qtelephony, radio_prop)
+
+allow vendor_qtelephony vendor_hal_datafactory_hwservice:hwservice_manager find;
diff --git a/sepolicy/vendor/vendor_qti_init_shell.te b/sepolicy/vendor/vendor_qti_init_shell.te
index 4f0b90b..9fa83bf 100644
--- a/sepolicy/vendor/vendor_qti_init_shell.te
+++ b/sepolicy/vendor/vendor_qti_init_shell.te
@@ -1 +1,2 @@
 allow vendor_qti_init_shell kmsg_device:chr_file w_file_perms;
+allow vendor_qti_init_shell proc_cmdline:file r_file_perms;
diff --git a/sepolicy/vendor/vendor_thermal-engine.te b/sepolicy/vendor/vendor_thermal-engine.te
new file mode 100644
index 0000000..9d0fefd
--- /dev/null
+++ b/sepolicy/vendor/vendor_thermal-engine.te
@@ -0,0 +1,4 @@
+get_prop(vendor_thermal-engine, vendor_camera_prop)
+set_prop(vendor_thermal-engine, vendor_thermal_prop)
+
+allow vendor_thermal-engine self:capability { fowner fsetid kill };
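Review bot: `allow vendor_thermal-engine self:capability { fowner fsetid kill };` grants three capabilities with no comment on what needs them. `kill` lets the daemon bypass the uid check when signalling other processes, and `fowner`/`fsetid` bypass file-ownership checks. If these came from audit2allow output, check whether thermal-engine works with them denied and use `dontaudit` for the ones that are noise. Keep only those tied to a known operation, with a comment naming it.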