Merge "shamp: Create soong config variable for vendors" into main
diff --git a/aoc/dump_aoc.cpp b/aoc/dump_aoc.cpp
index b3827c8..baf056e 100644
--- a/aoc/dump_aoc.cpp
+++ b/aoc/dump_aoc.cpp
@@ -29,9 +29,10 @@
runCommand("AoC logging wake", "timeout 0.1 cat /sys/devices/platform/*.aoc/control/logging_wakeup");
runCommand("AoC hotword wake", "timeout 0.1 cat /sys/devices/platform/*.aoc/control/hotword_wakeup");
runCommand("AoC memory exception wake", "timeout 0.1 cat /sys/devices/platform/*.aoc/control/memory_exception");
- runCommand("AoC memory votes", "timeout 0.1 cat /sys/devices/platform/*.aoc/control/memory_votes_a32");
- runCommand("AoC memory votes", "timeout 0.1 cat /sys/devices/platform/*.aoc/control/memory_votes_ff1");
+ runCommand("AoC memory votes", "timeout 0.5 cat /sys/devices/platform/*.aoc/control/memory_votes_a32");
+ runCommand("AoC memory votes", "timeout 0.5 cat /sys/devices/platform/*.aoc/control/memory_votes_ff1");
runCommand("clean AoC buffer","echo ' ' > /dev/acd-debug; timeout 0.1 cat /dev/acd-debug");
+ runCommand("AoC DVFS (A32)", "echo 'dbg info -c 1 DVFSA32' > /dev/acd-debug; timeout 0.1 cat /dev/acd-debug");
runCommand("AoC DVFS (FF1)", "echo 'dbg info -c 2 DVFSFF1' > /dev/acd-debug; timeout 0.1 cat /dev/acd-debug");
runCommand("AoC Monitor Mode Status", "echo 'monitor_mode status' > /dev/acd-debug; timeout 0.1 cat /dev/acd-debug");
return 0;
diff --git a/audio/sepolicy/aidl/hal_audio_default.te b/audio/sepolicy/aidl/hal_audio_default.te
index 2512a17..1ae90c7 100644
--- a/audio/sepolicy/aidl/hal_audio_default.te
+++ b/audio/sepolicy/aidl/hal_audio_default.te
@@ -1 +1,4 @@
add_service(hal_audio_default, hal_audio_ext_service)
+# Allow audio-hal to register battery_mitigation service
+allow hal_audio_default hal_battery_mitigation_service:service_manager find;
+binder_call(hal_audio_default, battery_mitigation)
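Review bot: The added comment says the audio HAL may "register" the battery_mitigation service, but the two rules under it grant `find` on `hal_battery_mitigation_service` and a binder call into `battery_mitigation`, which is lookup and call rather than registration. If the intent is that the audio HAL looks the service up in order to hand it a callback (an inference from the matching `binder_call(battery_mitigation, hal_audio_default)` added in battery_mitigation.te), the comment would be more accurate as `# Allow audio HAL to find battery_mitigation and register its mitigation callback with it`.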
diff --git a/audio/sepolicy/common/hal_audio_default.te b/audio/sepolicy/common/hal_audio_default.te
index bfe72b1..fac4f1a 100644
--- a/audio/sepolicy/common/hal_audio_default.te
+++ b/audio/sepolicy/common/hal_audio_default.te
@@ -12,6 +12,8 @@
allow hal_audio_default amcs_device:file rw_file_perms;
allow hal_audio_default amcs_device:chr_file rw_file_perms;
allow hal_audio_default sysfs_pixelstats:file rw_file_perms;
+allow hal_audio_default sysfs_extcon:dir search;
+allow hal_audio_default sysfs_extcon:file r_file_perms;
#allow access to aoc and kernel boottime
allow hal_audio_default sysfs_aoc:dir { search };
diff --git a/battery_mitigation/sepolicy/vendor/battery_mitigation.te b/battery_mitigation/sepolicy/vendor/battery_mitigation.te
index 7552bd2..3133ab5 100644
--- a/battery_mitigation/sepolicy/vendor/battery_mitigation.te
+++ b/battery_mitigation/sepolicy/vendor/battery_mitigation.te
@@ -31,3 +31,5 @@
wakelock_use(battery_mitigation)
# Allow battery_mitigation to run aidl service
add_service(battery_mitigation, hal_battery_mitigation_service)
+# Allow battery_mitigation to run audio mitigation callback
+binder_call(battery_mitigation, hal_audio_default)
diff --git a/bcmbt/bluetooth.mk b/bcmbt/bluetooth.mk
index eb6a29b..49c52c0 100644
--- a/bcmbt/bluetooth.mk
+++ b/bcmbt/bluetooth.mk
@@ -1,6 +1,7 @@
PRODUCT_SOONG_NAMESPACES += vendor/broadcom/bluetooth
PRODUCT_PACKAGES += \
android.hardware.bluetooth-V1-ndk.so \
+ android.hardware.bluetooth.finder-V1-ndk.so \
android.hardware.bluetooth-service.bcmbtlinux \
vendor.google.bluetooth_ext-V1-ndk.so \
bt_vendor.conf \
diff --git a/bcmbt/compatibility_matrix.xml b/bcmbt/compatibility_matrix.xml
index 1a63ccf..65b0c6d 100644
--- a/bcmbt/compatibility_matrix.xml
+++ b/bcmbt/compatibility_matrix.xml
@@ -6,7 +6,6 @@
<name>IBluetoothFinder</name>
<instance>default</instance>
</interface>
- <fqname>IBluetoothFinder/default</fqname>
<interface>
<name>IBluetoothCcc</name>
<instance>default</instance>
diff --git a/bcmbt/manifest_bluetooth.xml b/bcmbt/manifest_bluetooth.xml
index f14112c..9401d71 100644
--- a/bcmbt/manifest_bluetooth.xml
+++ b/bcmbt/manifest_bluetooth.xml
@@ -5,6 +5,11 @@
<fqname>IBluetoothHci/default</fqname>
</hal>
<hal format="aidl">
+ <name>android.hardware.bluetooth.finder</name>
+ <version>1</version>
+ <fqname>IBluetoothFinder/default</fqname>
+ </hal>
+ <hal format="aidl">
<name>vendor.google.bluetooth_ext</name>
<version>1</version>
<fqname>IBTChannelAvoidance/default</fqname>
diff --git a/betterbug/betterbug.mk b/betterbug/betterbug.mk
new file mode 100644
index 0000000..f3ae647
--- /dev/null
+++ b/betterbug/betterbug.mk
@@ -0,0 +1,5 @@
+PRODUCT_PACKAGES += BetterBugStub
+PRODUCT_PACKAGES_DEBUG += BetterBug
+
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/betterbug/sepolicy/product/public
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/betterbug/sepolicy/product/private
diff --git a/betterbug/sepolicy/product/private/better_bug_app.te b/betterbug/sepolicy/product/private/better_bug_app.te
new file mode 100644
index 0000000..26e0565
--- /dev/null
+++ b/betterbug/sepolicy/product/private/better_bug_app.te
@@ -0,0 +1,47 @@
+typeattribute better_bug_app coredomain;
+
+app_domain(better_bug_app)
+net_domain(better_bug_app)
+
+allow better_bug_app app_api_service:service_manager find;
+allow better_bug_app mediaserver_service:service_manager find;
+allow better_bug_app radio_service:service_manager find;
+allow better_bug_app system_api_service:service_manager find;
+
+allow better_bug_app privapp_data_file:file execute;
+allow better_bug_app privapp_data_file:lnk_file r_file_perms;
+allow better_bug_app shell_data_file:file r_file_perms;
+allow better_bug_app shell_data_file:dir r_dir_perms;
+
+# Allow traceur to pass file descriptors through a content provider to betterbug
+allow better_bug_app trace_data_file:file { getattr read };
+
+# Allow betterbug to read profile reports generated by profcollect.
+userdebug_or_eng(`
+ allow better_bug_app profcollectd_data_file:file r_file_perms;
+')
+
+# Allow BetterBug access to WM traces attributes
+allow better_bug_app wm_trace_data_file:dir r_dir_perms;
+allow better_bug_app wm_trace_data_file:file getattr;
+
+# Allow the bug reporting frontend to read the presence and timestamp of the
+# trace attached to the bugreport (but not its contents, which will go in the
+# usual bugreport .zip file). This is used by the bug reporting UI to tell if
+# the bugreport will contain a system trace or not while the bugreport is still
+# in progress.
+allow better_bug_app perfetto_traces_bugreport_data_file:dir r_dir_perms;
+allow better_bug_app perfetto_traces_bugreport_data_file:file { getattr };
+
+# Allow BetterBug to receive Perfetto traces through the framework
+# (i.e. TracingServiceProxy) and sendfile them into their private
+# directories for reporting when network and battery conditions are
+# appropriate.
+allow better_bug_app perfetto:fd use;
+allow better_bug_app perfetto_traces_data_file:file { read getattr };
+
+# Allow BetterBug to set property to start vendor.touch_dumpstate
+set_prop(better_bug_app, ctl_start_prop)
+
+# Allow BetterBug to read system boot reason
+get_prop(better_bug_app, system_boot_reason_prop)
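Review bot: `set_prop(better_bug_app, ctl_start_prop)` near the end of this file is broader than its comment: the comment names one service, vendor.touch_dumpstate, while `ctl_start_prop` is the generic label for start requests, so the rule presumably lets this app ask init to start any service whose `ctl.start$` entry has no more specific label. Consider labelling only that service's control property with a dedicated type and granting `set_prop` on that type instead. The file already wraps the profcollect rule in `userdebug_or_eng`, and betterbug.mk ships the full app only through PRODUCT_PACKAGES_DEBUG, so the control-property grant and `allow better_bug_app privapp_data_file:file execute;` look like candidates for the same guard unless the user-build stub needs them. The `execute` rule also has no comment saying what is run from app data.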
diff --git a/betterbug/sepolicy/product/private/seapp_contexts b/betterbug/sepolicy/product/private/seapp_contexts
new file mode 100644
index 0000000..77fe3e1
--- /dev/null
+++ b/betterbug/sepolicy/product/private/seapp_contexts
@@ -0,0 +1,2 @@
+# BetterBug
+user=_app isPrivApp=true name=com.google.android.apps.internal.betterbug domain=better_bug_app type=privapp_data_file levelFrom=user
diff --git a/betterbug/sepolicy/product/public/better_bug_app.te b/betterbug/sepolicy/product/public/better_bug_app.te
new file mode 100644
index 0000000..9a14782
--- /dev/null
+++ b/betterbug/sepolicy/product/public/better_bug_app.te
@@ -0,0 +1 @@
+type better_bug_app, domain;
diff --git a/edgetpu/sepolicy/device.te b/edgetpu/sepolicy/device.te
index 9296ba5..78e918a 100644
--- a/edgetpu/sepolicy/device.te
+++ b/edgetpu/sepolicy/device.te
@@ -1,2 +1,2 @@
# EdgeTPU device (DarwiNN)
-type edgetpu_device, dev_type, mlstrustedobject;
+type edgetpu_device, dev_type, mlstrustedobject, isolated_compute_allowed_device;
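Review bot: Adding `isolated_compute_allowed_device` to `edgetpu_device` changes which domains can reach the device node, but the comment above the type still only says "EdgeTPU device (DarwiNN)". A line such as `# Also reachable from isolated compute apps (isolated_compute_allowed_device)` would make the wider exposure visible to whoever next audits the driver's interface. The same applies to `edgetpu_app_service` in edgetpu/sepolicy/service.te, which gains `isolated_compute_allowed_service` under an unchanged comment.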
diff --git a/edgetpu/sepolicy/edgetpu_app_service.te b/edgetpu/sepolicy/edgetpu_app_service.te
index 271805e..838f476 100644
--- a/edgetpu/sepolicy/edgetpu_app_service.te
+++ b/edgetpu/sepolicy/edgetpu_app_service.te
@@ -38,3 +38,12 @@
# Allow EdgeTPU service to log to stats service. (metrics)
allow edgetpu_app_server fwk_stats_service:service_manager find;
+
+# Allow mlock without size restriction
+allow edgetpu_app_server self:capability ipc_lock;
+
+# Need to effectively read file mapped file when mmap + mlocked.
+allow edgetpu_app_server privapp_data_file:file { map read};
+
+# For shell level testing of mlock
+allow edgetpu_app_server shell_data_file:file { map read};
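Review bot: The `shell_data_file` rule at the end of this hunk is described as "For shell level testing of mlock" but is granted on every build type. If it exists only for testing, placing `allow edgetpu_app_server shell_data_file:file { map read };` inside a `userdebug_or_eng` block keeps user builds from letting the service map files out of the shell's data directory. The comment on the `privapp_data_file` rule ("Need to effectively read file mapped file") is also hard to parse; `# mlock of a file-backed mapping needs map and read on the backing file` would say the same thing more clearly, if that is the intended meaning.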
diff --git a/edgetpu/sepolicy/file_contexts b/edgetpu/sepolicy/file_contexts
index 0cada88..06f0a89 100644
--- a/edgetpu/sepolicy/file_contexts
+++ b/edgetpu/sepolicy/file_contexts
@@ -15,7 +15,7 @@
/vendor/lib64/libmetrics_logger\.so u:object_r:same_process_hal_file:s0
/vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0
# EdgeTPU runtime libraries
-/vendor/lib64/com\.google\.edgetpu_app_service-V[1-3]-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/com\.google\.edgetpu_app_service-V[1-4]-ndk\.so u:object_r:same_process_hal_file:s0
/vendor/lib64/com\.google\.edgetpu_vendor_service-V[1-2]-ndk\.so u:object_r:same_process_hal_file:s0
# EdgeTPU data files
diff --git a/edgetpu/sepolicy/service.te b/edgetpu/sepolicy/service.te
index b1a5409..5ea2006 100644
--- a/edgetpu/sepolicy/service.te
+++ b/edgetpu/sepolicy/service.te
@@ -4,4 +4,4 @@
type edgetpu_tachyon_service, app_api_service, service_manager_type, isolated_compute_allowed_service;
# EdgeTPU binder service type declaration.
-type edgetpu_app_service, service_manager_type;
+type edgetpu_app_service, service_manager_type, isolated_compute_allowed_service;
diff --git a/gps/brcm/device.mk b/gps/brcm/device.mk
index 3065542..45b4eb0 100644
--- a/gps/brcm/device.mk
+++ b/gps/brcm/device.mk
@@ -1,14 +1,12 @@
BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gps/brcm/sepolicy
PRODUCT_SOONG_NAMESPACES += vendor/broadcom/gps/bcm47765
-
-SOONG_CONFIG_NAMESPACES += gpssdk
-SOONG_CONFIG_gpssdk += sdkv1
-SOONG_CONFIG_gpssdk_sdkv1 ?= false
-
-SOONG_CONFIG_NAMESPACES += gpssdk
-SOONG_CONFIG_gpssdk += gpsmcuversion
-SOONG_CONFIG_gpssdk_gpsmcuversion ?= gpsv2_$(TARGET_BUILD_VARIANT)
+ifeq (,$(call soong_config_get,gpssdk,sdkv1))
+ $(call soong_config_set,gpssdk,sdkv1,false)
+endif
+ifeq (,$(call soong_config_get,gpssdk,gpsmcuversion))
+ $(call soong_config_set,gpssdk,gpsmcuversion,gpsv2_$(TARGET_BUILD_VARIANT))
+endif
PRODUCT_PACKAGES += \
bcm47765_gps_package \
diff --git a/gps/lsi/s5400.mk b/gps/lsi/s5400.mk
deleted file mode 100644
index 1bfc88e..0000000
--- a/gps/lsi/s5400.mk
+++ /dev/null
@@ -1,19 +0,0 @@
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gps/lsi/sepolicy
-
-PRODUCT_SOONG_NAMESPACES += \
- vendor/samsung_slsi/gps/s5400
-
-PRODUCT_PACKAGES += \
- android.hardware.location.gps.prebuilt.xml \
- gnssd \
- android.hardware.gnss-service \
- ca.pem \
- gnss_check.sh \
- kepler.bin
-
-ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
- PRODUCT_VENDOR_PROPERTIES += vendor.gps.aol.enabled=true
-endif
-
-# Enable Pixel GNSS HAL
-include device/google/gs-common/gps/pixel/pixel_gnss_hal.mk
\ No newline at end of file
diff --git a/gps/lsi/sepolicy/gnssd.te b/gps/lsi/sepolicy/gnssd.te
index 8450253..56ab51f 100644
--- a/gps/lsi/sepolicy/gnssd.te
+++ b/gps/lsi/sepolicy/gnssd.te
@@ -25,3 +25,9 @@
allow gnssd sysfs_soc:file r_file_perms;
allow gnssd sysfs_gps:file rw_file_perms;
+
+# Allow gnssd to set GPS property
+set_prop(gnssd, vendor_gps_prop)
+
+# Read RIL property
+get_prop(gnssd, vendor_rild_prop)
diff --git a/gps/pixel/device_framework_matrix_product.xml b/gps/pixel/device_framework_matrix_product.xml
deleted file mode 100644
index 2c93444..0000000
--- a/gps/pixel/device_framework_matrix_product.xml
+++ /dev/null
@@ -1,10 +0,0 @@
-<compatibility-matrix version="1.0" type="framework" level="8">
- <hal format="aidl" optional="true">
- <name>android.hardware.gnss</name>
- <version>3</version>
- <interface>
- <name>IGnss</name>
- <instance>vendor</instance>
- </interface>
- </hal>
-</compatibility-matrix>
diff --git a/gps/pixel/pixel_gnss_hal.mk b/gps/pixel/pixel_gnss_hal.mk
deleted file mode 100644
index b0edff7..0000000
--- a/gps/pixel/pixel_gnss_hal.mk
+++ /dev/null
@@ -1,15 +0,0 @@
-# Include this file to enable Pixel GNSS HAL
-
-$(call soong_config_set, pixel_gnss, enable_pixel_gnss_aidl_service, true)
-
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gps/pixel/sepolicy
-
-PRODUCT_PACKAGES += \
- android.hardware.gnss-service.pixel
-
-PRODUCT_VENDOR_PROPERTIES += \
- persist.vendor.gps.hal.service.name=vendor
-
-# Compatibility matrix
-DEVICE_PRODUCT_COMPATIBILITY_MATRIX_FILE += \
- device/google/gs-common/gps/pixel/device_framework_matrix_product.xml
diff --git a/gps/pixel/sepolicy/file.te b/gps/pixel/sepolicy/file.te
deleted file mode 100644
index 79e95ab..0000000
--- a/gps/pixel/sepolicy/file.te
+++ /dev/null
@@ -1 +0,0 @@
-type sysfs_modem_state, sysfs_type, fs_type;
diff --git a/gpu/gpu.mk b/gpu/gpu.mk
index d1c3a6d..b87e7ad 100644
--- a/gpu/gpu.mk
+++ b/gpu/gpu.mk
@@ -1,3 +1,16 @@
BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gpu/sepolicy
PRODUCT_PACKAGES += gpu_probe
+
+USE_MAPPER5 := false
+
+PRODUCT_PACKAGES += pixel_gralloc_allocator
+PRODUCT_PACKAGES += pixel_gralloc_mapper
+
+ifeq ($(USE_MAPPER5), true)
+$(call soong_config_set,arm_gralloc,mapper_version,mapper5)
+$(call soong_config_set,aion_buffer,mapper_version,mapper5)
+else
+$(call soong_config_set,arm_gralloc,mapper_version,mapper4)
+$(call soong_config_set,aion_buffer,mapper_version,mapper4)
+endif
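Review bot: `USE_MAPPER5 := false` is an unconditional assignment placed directly before `ifeq ($(USE_MAPPER5), true)`, so a device makefile that includes gpu.mk cannot select the mapper5 branch; it only changes if this file is edited. If per-device selection is intended, `USE_MAPPER5 ?= false` keeps the default while honouring an earlier setting. Otherwise a comment stating that the switch is deliberately hard-wired would help the next reader.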
diff --git a/gpu/sepolicy/service_contexts b/gpu/sepolicy/service_contexts
new file mode 100644
index 0000000..88ee08c
--- /dev/null
+++ b/gpu/sepolicy/service_contexts
@@ -0,0 +1,4 @@
+# Note that native/passthrough HALs use the "{type}/{instance}" pattern from
+# SEPolicy perspective and are looked up via the corresponding filename
+# "{type}.{instance}.so".
+mapper/pixel u:object_r:hal_graphics_mapper_service:s0
diff --git a/gyotaku_app/gyotaku.mk b/gyotaku_app/gyotaku.mk
index c6c41d5..8a6bb10 100644
--- a/gyotaku_app/gyotaku.mk
+++ b/gyotaku_app/gyotaku.mk
@@ -6,7 +6,7 @@
BOARD_SEPOLICY_DIRS += device/google/gs-common/gyotaku_app/sepolicy/
# Pixel 5a (barbet) does not support Pixel dump
- ifneq ($(TARGET_PRODUCT), barbet)
+ ifeq (,$(filter barbet%,$(TARGET_PRODUCT)))
PRODUCT_PACKAGES_DEBUG += dump_gyotaku
BOARD_SEPOLICY_DIRS += device/google/gs-common/gyotaku_app/dump
endif
diff --git a/insmod/insmod.sh b/insmod/insmod.sh
index 03843f5..8cac37e 100755
--- a/insmod/insmod.sh
+++ b/insmod/insmod.sh
@@ -66,6 +66,17 @@
"insmod") insmod $arg ;;
"setprop") setprop $arg 1 ;;
"enable") echo 1 > $arg ;;
+ "condinsmod")
+ prop=$(echo $arg | cut -d '|' -f 1)
+ module1=$(echo $arg | cut -d '|' -f 2)
+ module2=$(echo $arg | cut -d '|' -f 3)
+ value=$(getprop $prop)
+ if [[ ${value} == "true" ]]; then
+ insmod ${vendor_modules_dir}/${module1}
+ else
+ insmod ${vendor_modules_dir}/${module2}
+ fi
+ ;;
"modprobe")
case ${arg} in
"system -b *" | "system -b")
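Review bot: The new `condinsmod` branch expands `$arg`, `$prop` and both module names unquoted and never checks that all three `|`-separated fields are present. With a missing third field the else branch runs `insmod ${vendor_modules_dir}/` with an empty module name, and for an entry with no `|` at all `cut` by default passes the whole line through for every field. Quoting the expansions and rejecting malformed entries before insmod is called keeps a bad config line from turning into an unexpected module load. The enclosing `case` starts and continues outside this hunk, so the script's own logging style is not visible; the `echo` in the sketch below stands in for it.

```shell
    "condinsmod")
      prop=$(echo "$arg" | cut -d '|' -f 1)
      module1=$(echo "$arg" | cut -d '|' -f 2)
      module2=$(echo "$arg" | cut -d '|' -f 3)
      # Expect exactly prop|module_if_true|module_otherwise, all non-empty.
      if [[ "$arg" != *"|"*"|"* || -z "$prop" || -z "$module1" || -z "$module2" ]]; then
        echo "condinsmod: malformed entry '$arg'" >&2
      elif [[ "$(getprop "$prop")" == "true" ]]; then
        insmod "${vendor_modules_dir}/${module1}"
      else
        insmod "${vendor_modules_dir}/${module2}"
      fi
      ;;
    # … unchanged: "modprobe" branch …
```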
diff --git a/mte/OWNERS b/mte/OWNERS
new file mode 100644
index 0000000..929e941
--- /dev/null
+++ b/mte/OWNERS
@@ -0,0 +1,4 @@
+eugenis@google.com
+pcc@google.com
+mitchp@google.com
+fmayer@google.com
diff --git a/mte/fullmte-pixel.mk b/mte/fullmte-pixel.mk
index da4e7b9..ac2aba8 100644
--- a/mte/fullmte-pixel.mk
+++ b/mte/fullmte-pixel.mk
@@ -1,5 +1,5 @@
include build/make/target/product/fullmte.mk
+
+PRODUCT_MODULE_BUILD_FROM_SOURCE := true
+
BOARD_KERNEL_CMDLINE += bootloader.pixel.MTE_FORCE_ON
-# TODO(b/324412910): Remove this when the stack-buffer-overflow is fixed.
-PRODUCT_PRODUCT_PROPERTIES += \
- arm64.memtag.process.android.hardware.composer.hwc3-service.pixel=off
\ No newline at end of file
diff --git a/pixelsupport/pixelsupport.mk b/pixelsupport/pixelsupport.mk
new file mode 100644
index 0000000..068c94f
--- /dev/null
+++ b/pixelsupport/pixelsupport.mk
@@ -0,0 +1,5 @@
+PRODUCT_PACKAGES += PixelSupportPrebuilt
+
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/pixelsupport/sepolicy/vendor
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/pixelsupport/sepolicy/product/public
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/pixelsupport/sepolicy/product/private
diff --git a/pixelsupport/sepolicy/product/private/certs/pixelsupport.x509.pem b/pixelsupport/sepolicy/product/private/certs/pixelsupport.x509.pem
new file mode 100644
index 0000000..40c874d
--- /dev/null
+++ b/pixelsupport/sepolicy/product/private/certs/pixelsupport.x509.pem
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIGBzCCA++gAwIBAgIVAJriiL3+mR75mIC8e0Xqoz59LduNMA0GCSqGSIb3DQEBCwUAMIGSMQsw
+CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEU
+MBIGA1UEChMLR29vZ2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxLjAsBgNVBAMMJWNvbV9nb29n
+bGVfYW5kcm9pZF9hcHBzX3BpeGVsX3N1cHBvcnQwIBcNMjIxMjEyMTM1MDA3WhgPMjA1MjEyMTIx
+MzUwMDdaMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91
+bnRhaW4gVmlldzEUMBIGA1UEChMLR29vZ2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxLjAsBgNV
+BAMMJWNvbV9nb29nbGVfYW5kcm9pZF9hcHBzX3BpeGVsX3N1cHBvcnQwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCSWvRumhZOIAZmWKcuVjc1l3OIIWc/nSRVnsfdzeRqK0jwVFcTqMDs
+kmZtEj/UTW+N91ExRzWvAQ027AcE7TGF3X2iKKAfpSB0fpVQato5RIzOrRbwgAzsIvBdVtExqSNk
+5vh8xJ0azHt6Jn77gW03Mq7AL55Si5q3vU1meeGBPD/YWeqd/oNhPfe0kAHdNnnTOnN6SBxSeO8r
+YukV4XYJ3BxgWD1sm2NI8kZ+OGAooBFflZYXoY6NVfLXm6jsqWnooAok7CrNxZc/wstiwd8yYX6f
+6R1Trox3a9xOy7E+6Rig0XhbWm4pbp3Zu0OLArUalbQ1cjd1qFy6q9maieBn14ad+UtLNOUjCx91
+hLWg/mdpYCvArQb3bBDJdjYfdoo7Q8F9QW3JrFrbIeBezM4TTdK9v/sM4+1OxEo6vwMKQM9Ata/H
+Mn89a4nFHgRqGIMKK8zh0Eob+OwiBakviVhAI1o7IONujcJ2hfuyHNPZb8sT0Rewxtw2fD/Jwj+l
+ADmlXWw553geFcwP1SqOC6j/XOeazSvV4ccCME2VZqIE4pmL+RUr+cgAyQHXPZnet74C7K9sNRV6
+JluS6inqP4lKp7gSFuVrQNYHawNPVinbeTLYEu+df3m3yrHAUpaSvsSUC6qQVWCs0sI8PC6A1+bV
+DXMsIYRvrSnmtN75vOECaQIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTODyZ1S/is
+Y/2ZuMl8B1M6kFiJwDAfBgNVHSMEGDAWgBTODyZ1S/isY/2ZuMl8B1M6kFiJwDANBgkqhkiG9w0B
+AQsFAAOCAgEAL26IGjeu8Q5tn/b4vfYa+7bRUwozAJA9Buyduw/4wVG6rIAkpEsghkgnoOvyjD72
+ncbCkDoBV3a1PLw2W/bMQWfZvYScOzc2yFwcR9LdQIiEYmtgnwuJHnqc2MDsh+MDeclblyBYfIQQ
+bpZ0JArKalSmDyul0QIcfHq+RKmGAzC3bx0xigclIZJxXEG4tyQylttnqNodAEqYdhMMRajI3w9t
+61QwqNv1KTGJt1sC2Q7NyzbZJo02Kwu711Dw6KnVgHaGKC2sRIixsvjm2s6f9/CcVasuLopkJnyl
+epPeD2jHwHdE4/c2K5ZVQeZ+R0pIOEBKwg1AVkn+/UTbhpjYCkEGP09e8T45Y+//eMlrbORJAbji
+H5cfD9aSO2z4slN4B4w+Fw9Kn+a7bsN2xhv7lvAgQ92aq9g/YS1YysZ7kSoCpmKl7rN+0V/RGRVP
+ab2Cb0C3+JewTnOAF30e7zVs9Vaq3oTAV4XFYNiDRUBU/rvv8EIZKcBdufFJmCGYUpmm1EQQdsTt
+mFMPEh5I4Qd0sy+HKvLjThcMGHqDX0bCeXkbFZdj0GXPOOt5LX8NZBdnsbVgENrZml318uLEj3ZU
+DlojsfsTlVcs5eIPX6Dkx0OdgVcMAXnLF+vjP/ygWuLqiPFPCrZD1b+2g2P9Yip3e221tuyca42b
+q3bvQEBwOsA=
+-----END CERTIFICATE-----
diff --git a/pixelsupport/sepolicy/product/private/keys.conf b/pixelsupport/sepolicy/product/private/keys.conf
new file mode 100644
index 0000000..eff6067
--- /dev/null
+++ b/pixelsupport/sepolicy/product/private/keys.conf
@@ -0,0 +1,2 @@
+[@PIXELSUPPORT]
+ALL : device/google/gs-common/pixelsupport/sepolicy/product/private/certs/pixelsupport.x509.pem
diff --git a/pixelsupport/sepolicy/product/private/mac_permissions.xml b/pixelsupport/sepolicy/product/private/mac_permissions.xml
new file mode 100644
index 0000000..cb8d42a
--- /dev/null
+++ b/pixelsupport/sepolicy/product/private/mac_permissions.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+ * A signature is a hex encoded X.509 certificate or a tag defined in
+ keys.conf and is required for each signer tag.
+ * A signer tag may contain a seinfo tag and multiple package stanzas.
+ * A default tag is allowed that can contain policy for all apps not signed with a
+ previously listed cert. It may not contain any inner package stanzas.
+ * Each signer/default/package tag is allowed to contain one seinfo tag. This tag
+ represents additional info that each app can use in setting a SELinux security
+ context on the eventual process.
+ * When a package is installed the following logic is used to determine what seinfo
+ value, if any, is assigned.
+ - All signatures used to sign the app are checked first.
+ - If a signer stanza has inner package stanzas, those stanza will be checked
+ to try and match the package name of the app. If the package name matches
+ then that seinfo tag is used. If no inner package matches then the outer
+ seinfo tag is assigned.
+ - The default tag is consulted last if needed.
+-->
+ <!-- PixelSupport app key -->
+ <signer signature="@PIXELSUPPORT" >
+ <seinfo value="PixelSupport" />
+ </signer>
+</policy>
diff --git a/pixelsupport/sepolicy/product/private/pixelsupport_app.te b/pixelsupport/sepolicy/product/private/pixelsupport_app.te
new file mode 100644
index 0000000..be6f7dd
--- /dev/null
+++ b/pixelsupport/sepolicy/product/private/pixelsupport_app.te
@@ -0,0 +1,11 @@
+typeattribute pixelsupport_app coredomain;
+
+app_domain(pixelsupport_app)
+# Access the network.
+net_domain(pixelsupport_app)
+# Access bluetooth.
+bluetooth_domain(pixelsupport_app)
+
+allow pixelsupport_app app_api_service:service_manager find;
+allow pixelsupport_app radio_service:service_manager find;
+
diff --git a/pixelsupport/sepolicy/product/private/seapp_contexts b/pixelsupport/sepolicy/product/private/seapp_contexts
new file mode 100644
index 0000000..f16a054
--- /dev/null
+++ b/pixelsupport/sepolicy/product/private/seapp_contexts
@@ -0,0 +1,2 @@
+# Pixel Support App
+user=_app seinfo=PixelSupport name=com.google.android.apps.pixel.support domain=pixelsupport_app type=app_data_file isPrivApp=true levelFrom=user
diff --git a/pixelsupport/sepolicy/product/public/pixelsupport_app.te b/pixelsupport/sepolicy/product/public/pixelsupport_app.te
new file mode 100644
index 0000000..1846ac9
--- /dev/null
+++ b/pixelsupport/sepolicy/product/public/pixelsupport_app.te
@@ -0,0 +1,2 @@
+type pixelsupport_app, domain;
+
diff --git a/pixelsupport/sepolicy/vendor/pixelsupport_app.te b/pixelsupport/sepolicy/vendor/pixelsupport_app.te
new file mode 100644
index 0000000..e3b380c
--- /dev/null
+++ b/pixelsupport/sepolicy/vendor/pixelsupport_app.te
@@ -0,0 +1,2 @@
+set_prop(pixelsupport_app, vendor_gti_prop)
+
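Review bot: `set_prop(pixelsupport_app, vendor_gti_prop)` gives the app write access to everything labelled `vendor_gti_prop`, and touch/gti/sepolicy/property_contexts in this change labels the whole `vendor.touch.gti0.` prefix with that single type. That covers the `vendor.touch.gti0.ical` command property and also `.ical.state` and `.ical.result`, which init.touch.gti0.rc and touch_gti_ical use as their handshake and result channel; the command value itself is passed as an argument to a service that writes it to the `interactive_calibrate` sysfs node. Consider a separate type for the command property so the app can set only that one. The rule also has no comment; if triggering calibration is the intent, `# PixelSupport triggers touch interactive calibration via vendor.touch.gti0.ical` would record it.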
diff --git a/radio/sepolicy/file.te b/radio/sepolicy/file.te
index 02d0209..95b24c0 100644
--- a/radio/sepolicy/file.te
+++ b/radio/sepolicy/file.te
@@ -1,6 +1,9 @@
# Data
type tcpdump_vendor_data_file, file_type, data_file_type;
+# Modem
+type sysfs_modem_state, sysfs_type, fs_type;
+
userdebug_or_eng(`
typeattribute tcpdump_vendor_data_file mlstrustedobject;
')
diff --git a/gps/pixel/sepolicy/genfs_contexts b/radio/sepolicy/genfs_contexts
similarity index 98%
rename from gps/pixel/sepolicy/genfs_contexts
rename to radio/sepolicy/genfs_contexts
index 494aa97..039f329 100644
--- a/gps/pixel/sepolicy/genfs_contexts
+++ b/radio/sepolicy/genfs_contexts
@@ -1,2 +1,3 @@
# modem state node
genfscon sysfs /devices/platform/cpif/modem_state u:object_r:sysfs_modem_state:s0
+
diff --git a/sota_app/factoryota-watch.mk b/sota_app/factoryota-watch.mk
new file mode 100644
index 0000000..3107a1c
--- /dev/null
+++ b/sota_app/factoryota-watch.mk
@@ -0,0 +1,4 @@
+PRODUCT_PACKAGES += \
+ FactoryOtaWearPrebuilt
+
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/sota_app/sepolicy/system_ext
diff --git a/thermal/OWNERS b/thermal/OWNERS
new file mode 100644
index 0000000..5538b5f
--- /dev/null
+++ b/thermal/OWNERS
@@ -0,0 +1 @@
+include platform/hardware/google/pixel:/thermal/OWNERS
diff --git a/thermal/dump/dump_thermal.sh b/thermal/dump/dump_thermal.sh
index 288d34d..bd3aad9 100644
--- a/thermal/dump/dump_thermal.sh
+++ b/thermal/dump/dump_thermal.sh
@@ -34,6 +34,8 @@
echo 'TMU state:'
cat /sys/module/gs_thermal/parameters/tmu_reg_dump_state
+echo 'TMU intpend:'
+cat /sys/module/gs_thermal/parameters/tmu_reg_dump_intpend
echo 'TMU current temperature:'
cat /sys/module/gs_thermal/parameters/tmu_reg_dump_current_temp
echo 'TMU_TOP rise thresholds:'
diff --git a/thermal/dump/thermal.mk b/thermal/dump/thermal.mk
index 03b1dfa..4bb0344 100644
--- a/thermal/dump/thermal.mk
+++ b/thermal/dump/thermal.mk
@@ -1,3 +1,3 @@
BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/thermal/sepolicy/dump
-PRODUCT_PACKAGES += dump/dump_thermal.sh
+PRODUCT_PACKAGES += dump_thermal.sh
diff --git a/thermal/sepolicy/thermal_hal/pixel-thermal-control.sh.te b/thermal/sepolicy/thermal_hal/pixel-thermal-control.sh.te
index a6430f1..df699fc 100644
--- a/thermal/sepolicy/thermal_hal/pixel-thermal-control.sh.te
+++ b/thermal/sepolicy/thermal_hal/pixel-thermal-control.sh.te
@@ -9,5 +9,5 @@
allow pixel-thermal-control-sh sysfs_thermal:file rw_file_perms;
allow pixel-thermal-control-sh sysfs_thermal:lnk_file r_file_perms;
allow pixel-thermal-control-sh thermal_link_device:dir r_dir_perms;
- get_prop(pixel-thermal-control-sh, vendor_thermal_prop)
+ set_prop(pixel-thermal-control-sh, vendor_thermal_prop)
')
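Review bot: Replacing `get_prop` with `set_prop` lets the `pixel-thermal-control-sh` domain write every property labelled `vendor_thermal_prop`, and nothing in the hunk says which property the script needs to set. A short comment above the rule, for example `# Needed so the script can set <property name>`, would let a reviewer judge whether a narrower property type is warranted. The block closed by `')` opens outside this hunk, so whether the rule is limited to debug builds cannot be confirmed from here.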
diff --git a/touch/gti/Android.bp b/touch/gti/Android.bp
index c066d0d..7f2eb66 100644
--- a/touch/gti/Android.bp
+++ b/touch/gti/Android.bp
@@ -17,3 +17,19 @@
vendor: true,
sub_dir: "dump",
}
+
+cc_binary {
+ name: "touch_gti_ical",
+ srcs: ["touch_gti_ical.cpp"],
+ cflags: [
+ "-Wall",
+ "-Wextra",
+ "-Werror",
+ ],
+ shared_libs: [
+ "libbase",
+ "libcutils",
+ "liblog",
+ ],
+ vendor: true,
+}
diff --git a/touch/gti/gti.mk b/touch/gti/gti.mk
index 171534f..a2c7cf7 100644
--- a/touch/gti/gti.mk
+++ b/touch/gti/gti.mk
@@ -1,3 +1,4 @@
BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/touch/gti/sepolicy
PRODUCT_PACKAGES += dump_gti0.sh
+PRODUCT_PACKAGES += touch_gti_ical
diff --git a/touch/gti/init.touch.gti0.rc b/touch/gti/init.touch.gti0.rc
index 31856ea..5f8318e 100644
--- a/touch/gti/init.touch.gti0.rc
+++ b/touch/gti/init.touch.gti0.rc
@@ -24,3 +24,15 @@
chown system system /proc/goog_touch_interface/gti.0/ss_base
chown system system /proc/goog_touch_interface/gti.0/ss_diff
chown system system /proc/goog_touch_interface/gti.0/ss_raw
+
+on property:vendor.touch.gti0.ical=*
+ setprop vendor.touch.gti0.ical.state init
+ start touch_gti0_ical
+ wait_for_prop vendor.touch.gti0.ical.state done
+
+service touch_gti0_ical /vendor/bin/touch_gti_ical 0 ${vendor.touch.gti0.ical}
+ class main
+ user system
+ group system shell
+ disabled
+ oneshot
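Review bot: The `on property:vendor.touch.gti0.ical=*` action ends with `wait_for_prop vendor.touch.gti0.ical.state done`, which relies on the oneshot service always reaching the line that sets the state to `done`. If the binary fails to start, or blocks in its read or write of the sysfs node, the wait is never satisfied, and as far as I know init does not run further queued actions while a `wait_for_prop` is pending. Nothing follows the wait in this action, so dropping it and letting clients watch the state property themselves would avoid tying init's progress to this helper. The service also runs with `group system shell` and no comment explaining why the `shell` group is needed. init.touch.gti1.rc adds the same block for gti1.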
diff --git a/touch/gti/init.touch.gti1.rc b/touch/gti/init.touch.gti1.rc
index a4de328..ba99210 100644
--- a/touch/gti/init.touch.gti1.rc
+++ b/touch/gti/init.touch.gti1.rc
@@ -24,3 +24,15 @@
chown system system /proc/goog_touch_interface/gti.1/ss_base
chown system system /proc/goog_touch_interface/gti.1/ss_diff
chown system system /proc/goog_touch_interface/gti.1/ss_raw
+
+on property:vendor.touch.gti1.ical=*
+ setprop vendor.touch.gti1.ical.state init
+ start touch_gti1_ical
+ wait_for_prop vendor.touch.gti1.ical.state done
+
+service touch_gti1_ical /vendor/bin/touch_gti_ical 1 ${vendor.touch.gti1.ical}
+ class main
+ user system
+ group system shell
+ disabled
+ oneshot
diff --git a/touch/gti/sepolicy/file_contexts b/touch/gti/sepolicy/file_contexts
index 5c429b7..37e3733 100644
--- a/touch/gti/sepolicy/file_contexts
+++ b/touch/gti/sepolicy/file_contexts
@@ -1,2 +1,2 @@
/vendor/bin/dump/dump_gti0\.sh u:object_r:dump_gti_exec:s0
-
+/vendor/bin/touch_gti_ical u:object_r:gti_ical_exec:s0
diff --git a/touch/gti/sepolicy/gti_ical.te b/touch/gti/sepolicy/gti_ical.te
new file mode 100644
index 0000000..228782c
--- /dev/null
+++ b/touch/gti/sepolicy/gti_ical.te
@@ -0,0 +1,8 @@
+type gti_ical, domain;
+type gti_ical_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(gti_ical)
+
+allow gti_ical sysfs_touch_gti:file rw_file_perms;
+allow gti_ical sysfs_touch_gti:dir search;
+
+set_prop(gti_ical, vendor_gti_prop)
diff --git a/touch/gti/sepolicy/property.te b/touch/gti/sepolicy/property.te
new file mode 100644
index 0000000..2a71d74
--- /dev/null
+++ b/touch/gti/sepolicy/property.te
@@ -0,0 +1 @@
+system_public_prop(vendor_gti_prop)
diff --git a/touch/gti/sepolicy/property_contexts b/touch/gti/sepolicy/property_contexts
new file mode 100644
index 0000000..e3badcd
--- /dev/null
+++ b/touch/gti/sepolicy/property_contexts
@@ -0,0 +1 @@
+vendor.touch.gti0. u:object_r:vendor_gti_prop:s0
diff --git a/touch/gti/sepolicy/vendor_init.te b/touch/gti/sepolicy/vendor_init.te
new file mode 100644
index 0000000..ed0ebda
--- /dev/null
+++ b/touch/gti/sepolicy/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_gti_prop)
diff --git a/touch/gti/sepolicy_gti_dual/property_contexts b/touch/gti/sepolicy_gti_dual/property_contexts
new file mode 100644
index 0000000..c3530ff
--- /dev/null
+++ b/touch/gti/sepolicy_gti_dual/property_contexts
@@ -0,0 +1 @@
+vendor.touch.gti1. u:object_r:vendor_gti_prop:s0
diff --git a/touch/gti/touch_gti_ical.cpp b/touch/gti/touch_gti_ical.cpp
new file mode 100644
index 0000000..0aabd9e
--- /dev/null
+++ b/touch/gti/touch_gti_ical.cpp
@@ -0,0 +1,101 @@
+/*
+ ** Copyright 2024, The Android Open Source Project
+ **
+ ** Licensed under the Apache License, Version 2.0 (the "License");
+ ** you may not use this file except in compliance with the License.
+ ** You may obtain a copy of the License at
+ **
+ ** http://www.apache.org/licenses/LICENSE-2.0
+ **
+ ** Unless required by applicable law or agreed to in writing, software
+ ** distributed under the License is distributed on an "AS IS" BASIS,
+ ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ** See the License for the specific language governing permissions and
+ ** limitations under the License.
+ */
+#define LOG_TAG "touch_gti_ical"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#ifdef __ANDROID__
+#include <cutils/properties.h>
+#include <cutils/log.h>
+#else
+#define property_set
+#define property_get
+#define ALOGI printf
+#define ALOGW printf
+#endif
+
+int main(int argc, char *argv[])
+{
+ char *line = NULL;
+ size_t len = 0;
+ FILE *ical_fd;
+ const char *ical_state_prop[2] = {
+ [0] = "vendor.touch.gti0.ical.state",
+ [1] = "vendor.touch.gti1.ical.state",
+ };
+ const char *ical_result_prop[2] = {
+ [0] = "vendor.touch.gti0.ical.result",
+ [1] = "vendor.touch.gti1.ical.result",
+ };
+ const char *ical_sysfs[2] = {
+ [0] = "/sys/devices/virtual/goog_touch_interface/gti.0/interactive_calibrate",
+ [1] = "/sys/devices/virtual/goog_touch_interface/gti.1/interactive_calibrate",
+ };
+ const char *ical_state_prop_path = ical_state_prop[0];
+ const char *ical_result_prop_path = ical_result_prop[0];
+ const char *ical_sysfs_path = ical_sysfs[0];
+
+ if (argc < 3) {
+ ALOGW("No target dev or command for interactive_calibrate sysfs.\n");
+ property_set(ical_state_prop[0], "done");
+ property_set(ical_state_prop[1], "done");
+ return 0;
+ }
+
+ if (strncmp(argv[1], "1", strlen(argv[1])) == 0 ||
+ strncmp(argv[1], "gti1", strlen(argv[1])) == 0 ||
+ strncmp(argv[1], "gti.1", strlen(argv[1])) == 0) {
+ ical_state_prop_path = ical_state_prop[1];
+ ical_result_prop_path = ical_result_prop[1];
+ ical_sysfs_path = ical_sysfs[1];
+ }
+
+ property_set(ical_result_prop_path, "na");
+ property_set(ical_state_prop_path, "running");
+ if (access(ical_sysfs_path, F_OK | R_OK | W_OK)) {
+ ALOGW("Can't access %s\n", ical_sysfs_path);
+ property_set(ical_state_prop_path, "done");
+ return 0;
+ }
+
+ ical_fd = fopen(ical_sysfs_path, "r+");
+ if (ical_fd == NULL) {
+ ALOGW("Can't fopen %s\n", ical_sysfs_path);
+ property_set(ical_state_prop_path, "done");
+ return 0;
+ }
+
+ if (strncmp(argv[2], "read", strlen(argv[2])) == 0) {
+ getline(&line, &len, ical_fd);
+ if (line != NULL) {
+ property_set(ical_state_prop_path, "read");
+ property_set(ical_result_prop_path, line);
+ ALOGI("read: %s => %s", ical_sysfs_path, line);
+ free(line);
+ }
+ } else {
+ property_set(ical_state_prop_path, argv[2]);
+ fwrite(argv[2], 1, strlen(argv[2]), ical_fd);
+ ALOGI("write: %s => %s\n", argv[2], ical_sysfs_path);
+ }
+ property_set(ical_state_prop_path, "done");
+
+ fclose(ical_fd);
+ return 0;
+}
+
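Review bot: The argument checks use `strncmp(argv[N], "...", strlen(argv[N]))`, which compares only as many bytes as the caller supplied, so an empty string or any prefix matches: an empty `argv[1]` selects gti.1, and an empty `argv[2]`, `r` or `re` is treated as `read`. Because `argv[2]` comes from a property value, plain `strcmp` is the safer test. The read branch also tests `line != NULL` rather than getline's return value and passes the line, trailing newline included, to `property_set`, while the write branch ignores the result of `fwrite`, so a rejected sysfs write is still logged as a successful write. The fence below shows the comparisons and both branches with those checks. Stripping the newline is a behaviour change to confirm with whoever consumes the result property.

```cpp
    // … unchanged: argc check, property and sysfs path tables …
    if (strcmp(argv[1], "1") == 0 ||
        strcmp(argv[1], "gti1") == 0 ||
        strcmp(argv[1], "gti.1") == 0) {
    // … unchanged: select gti.1 paths, access() and fopen() checks …
    if (strcmp(argv[2], "read") == 0) {
        ssize_t nread = getline(&line, &len, ical_fd);
        if (nread > 0) {
            if (line[nread - 1] == '\n')
                line[nread - 1] = '\0';
            property_set(ical_state_prop_path, "read");
            property_set(ical_result_prop_path, line);
            ALOGI("read: %s => %s\n", ical_sysfs_path, line);
        } else {
            ALOGW("Can't read %s\n", ical_sysfs_path);
        }
        free(line);  // getline may allocate even when it fails
    } else {
        size_t cmd_len = strlen(argv[2]);
        property_set(ical_state_prop_path, argv[2]);
        if (fwrite(argv[2], 1, cmd_len, ical_fd) != cmd_len || fflush(ical_fd) != 0)
            ALOGW("Can't write %s to %s\n", argv[2], ical_sysfs_path);
        else
            ALOGI("write: %s => %s\n", argv[2], ical_sysfs_path);
    }
    // … unchanged: set state to "done", fclose, return …
```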
diff --git a/touch/twoshay/sepolicy/device.te b/touch/twoshay/sepolicy/device.te
new file mode 100644
index 0000000..d3ce622
--- /dev/null
+++ b/touch/twoshay/sepolicy/device.te
@@ -0,0 +1 @@
+type touch_offload_device, dev_type;
diff --git a/touch/twoshay/sepolicy/dumpstate.te b/touch/twoshay/sepolicy/dumpstate.te
new file mode 100644
index 0000000..90f14b8
--- /dev/null
+++ b/touch/twoshay/sepolicy/dumpstate.te
@@ -0,0 +1,2 @@
+allow dumpstate touch_context_service:service_manager find;
+binder_call(dumpstate, twoshay)
diff --git a/touch/twoshay/sepolicy/file_contexts b/touch/twoshay/sepolicy/file_contexts
new file mode 100644
index 0000000..09728be
--- /dev/null
+++ b/touch/twoshay/sepolicy/file_contexts
@@ -0,0 +1,2 @@
+/dev/touch_offload u:object_r:touch_offload_device:s0
+/vendor/bin/twoshay u:object_r:twoshay_exec:s0
diff --git a/touch/twoshay/sepolicy/hal_dumpstate_default.te b/touch/twoshay/sepolicy/hal_dumpstate_default.te
new file mode 100644
index 0000000..81edc36
--- /dev/null
+++ b/touch/twoshay/sepolicy/hal_dumpstate_default.te
@@ -0,0 +1,2 @@
+allow hal_dumpstate_default touch_context_service:service_manager find;
+binder_call(hal_dumpstate_default, twoshay)
diff --git a/touch/twoshay/sepolicy/platform_app.te b/touch/twoshay/sepolicy/platform_app.te
new file mode 100644
index 0000000..ac997a9
--- /dev/null
+++ b/touch/twoshay/sepolicy/platform_app.te
@@ -0,0 +1,4 @@
+allow platform_app gril_antenna_tuning_service:service_manager find;
+allow platform_app screen_protector_detector_service:service_manager find;
+allow platform_app touch_context_service:service_manager find;
+binder_call(platform_app, twoshay)
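Review bot: The three `find` rules and `binder_call(platform_app, twoshay)` in platform_app.te are granted to the whole `platform_app` domain, so every platform-signed app can look up and call the antenna-tuning, screen-protector and touch-context services, not only the client that needs them. The policy shown here does not narrow this further, so any caller restriction would have to live inside the twoshay service itself, which is not visible in this diff. If a single app is the consumer, a dedicated domain for it would be tighter. At minimum I would add a comment above the rules naming the client, for example `# Used by <client app> to read touch context; twoshay checks the caller`.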
diff --git a/touch/twoshay/sepolicy/service.te b/touch/twoshay/sepolicy/service.te
new file mode 100644
index 0000000..4aa064d
--- /dev/null
+++ b/touch/twoshay/sepolicy/service.te
@@ -0,0 +1,3 @@
+type gril_antenna_tuning_service, service_manager_type, hal_service_type;
+type screen_protector_detector_service, service_manager_type, hal_service_type;
+type touch_context_service, service_manager_type, hal_service_type;
diff --git a/touch/twoshay/sepolicy/service_contexts b/touch/twoshay/sepolicy/service_contexts
new file mode 100644
index 0000000..f6aa1db
--- /dev/null
+++ b/touch/twoshay/sepolicy/service_contexts
@@ -0,0 +1,3 @@
+com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0
+com.google.input.algos.gril.IGrilAntennaTuningService/default u:object_r:gril_antenna_tuning_service:s0
+com.google.input.algos.spd.IScreenProtectorDetectorService/default u:object_r:screen_protector_detector_service:s0
diff --git a/touch/twoshay/sepolicy/touchflow_debug/file_contexts b/touch/twoshay/sepolicy/touchflow_debug/file_contexts
new file mode 100644
index 0000000..17dfe62
--- /dev/null
+++ b/touch/twoshay/sepolicy/touchflow_debug/file_contexts
@@ -0,0 +1,2 @@
+/vendor/bin/hw/android\.hardware\.input\.processor-reflector u:object_r:hal_input_processor_default_exec:s0
+/vendor/bin/twoshay_touchflow u:object_r:twoshay_exec:s0
diff --git a/touch/twoshay/sepolicy/twoshay.te b/touch/twoshay/sepolicy/twoshay.te
new file mode 100644
index 0000000..cd317a0
--- /dev/null
+++ b/touch/twoshay/sepolicy/twoshay.te
@@ -0,0 +1,27 @@
+type twoshay, domain;
+type twoshay_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(twoshay)
+
+allow twoshay touch_offload_device:chr_file rw_file_perms;
+allow twoshay twoshay:capability sys_nice;
+
+binder_use(twoshay)
+add_service(twoshay, gril_antenna_tuning_service)
+add_service(twoshay, screen_protector_detector_service)
+add_service(twoshay, touch_context_service)
+
+binder_call(twoshay, platform_app)
+
+allow twoshay fwk_stats_service:service_manager find;
+binder_call(twoshay, stats_service_server)
+
+# Allow dumpsys output in bugreports.
+allow twoshay dumpstate:fd use;
+allow twoshay dumpstate:fifo_file write;
+
+# b/198755236
+dontaudit twoshay twoshay:capability dac_override;
+
+# b/226830650
+dontaudit twoshay boot_status_prop:file read;
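Review bot: `dontaudit twoshay twoshay:capability dac_override;` in twoshay.te suppresses the denial with only a bug id beside it, so a reader cannot tell which access triggers it or why hiding it is safe. A dac_override denial usually points at a file whose owner or mode does not match the daemon's uid, and silencing it also removes the audit record for any later access of the same kind. I would record the cause in the comment, e.g. `# b/198755236: twoshay opens <path> owned by <owner>; access is not needed`, and do the same for the `boot_status_prop` rule. As a style point, the two capability rules are conventionally written with `self`, e.g. `allow twoshay self:capability sys_nice;`.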
diff --git a/touch/twoshay/twoshay.mk b/touch/twoshay/twoshay.mk
new file mode 100644
index 0000000..20bf1ba
--- /dev/null
+++ b/touch/twoshay/twoshay.mk
@@ -0,0 +1,3 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/touch/twoshay/sepolicy
+PRODUCT_PACKAGES += twoshay
+PRODUCT_SOONG_NAMESPACES += vendor/google/input/twoshay
diff --git a/trusty/rpmb_dev/rpmb_dev.mk b/trusty/rpmb_dev/rpmb_dev.mk
new file mode 100644
index 0000000..31c68ef
--- /dev/null
+++ b/trusty/rpmb_dev/rpmb_dev.mk
@@ -0,0 +1,3 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/trusty/rpmb_dev/sepolicy
+
+PRODUCT_PACKAGES += rpmb_dev
diff --git a/trusty/rpmb_dev/sepolicy/file_contexts b/trusty/rpmb_dev/sepolicy/file_contexts
new file mode 100644
index 0000000..1a44f7d
--- /dev/null
+++ b/trusty/rpmb_dev/sepolicy/file_contexts
@@ -0,0 +1,2 @@
+# Binaries
+/vendor/bin/rpmb_dev u:object_r:rpmb_dev_exec:s0
diff --git a/trusty/rpmb_dev/sepolicy/rpmb_dev.te b/trusty/rpmb_dev/sepolicy/rpmb_dev.te
new file mode 100644
index 0000000..0f46e03
--- /dev/null
+++ b/trusty/rpmb_dev/sepolicy/rpmb_dev.te
@@ -0,0 +1,4 @@
+type rpmb_dev, domain;
+type rpmb_dev_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(rpmb_dev)