Merge "Add eSIM directory and disable bootstrap when bootloader is unlocked in user build" into main
diff --git a/audio/aidl/device_framework_matrix_product.xml b/audio/aidl/device_framework_matrix_product.xml
index 3079aab..0e7e998 100644
--- a/audio/aidl/device_framework_matrix_product.xml
+++ b/audio/aidl/device_framework_matrix_product.xml
@@ -9,7 +9,7 @@
     </hal>
     <hal format="aidl">
         <name>vendor.google.whitechapel.audio.extension</name>
-        <version>2</version>
+        <version>3</version>
         <interface>
             <name>IAudioExtension</name>
             <instance>default</instance>
diff --git a/audio/common.mk b/audio/common.mk
index edf7b6a..a691f0a 100644
--- a/audio/common.mk
+++ b/audio/common.mk
@@ -3,8 +3,15 @@
 #Audio Vendor libraries
 PRODUCT_PACKAGES += \
 	libfvsam_prm_parser \
-	libmahalcontroller \
+	libmahalcontroller
+
+ifeq ($(USE_MAM_V4_ABOVE),true)
+PRODUCT_PACKAGES += \
+	libMAM_Google_Pixel_Android
+else
+PRODUCT_PACKAGES += \
 	libAlgFx_HiFi3z
+endif
 
 ifneq ($(USE_AUDIO_HAL_AIDL),true)
 ## AudioHAL Configurations
diff --git a/battery_mitigation/sepolicy/vendor/dumpstate.te b/battery_mitigation/sepolicy/vendor/dumpstate.te
index b3bb1d4..8248254 100644
--- a/battery_mitigation/sepolicy/vendor/dumpstate.te
+++ b/battery_mitigation/sepolicy/vendor/dumpstate.te
@@ -1,3 +1,20 @@
 # To call battery_mitigation hal
 allow dumpstate hal_battery_mitigation_service:service_manager find;
 binder_call(dumpstate, battery_mitigation);
+
+allow hal_dumpstate_default sysfs_acpm_stats:dir { read open search };
+allow hal_dumpstate_default sysfs_acpm_stats:file { read open getattr };
+allow hal_dumpstate_default sysfs_cpu:file { read open getattr };
+allow hal_dumpstate_default sysfs_batteryinfo:dir { read open search };
+allow hal_dumpstate_default sysfs_batteryinfo:file { read open getattr };
+allow hal_dumpstate_default logbuffer_device:chr_file { read open getattr };
+allow hal_dumpstate_default mitigation_vendor_data_file:dir { search };
+allow hal_dumpstate_default sysfs_bcl:dir { read open search };
+allow hal_dumpstate_default sysfs_bcl:file { read open getattr };
+allow hal_dumpstate_default vendor_file:file { execute_no_trans };
+allow hal_dumpstate_default battery_history_device:chr_file { read };
+
+
+userdebug_or_eng(`
+  allow hal_dumpstate_default vendor_pm_genpd_debugfs:file { read open getattr };
+')
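Review bot: `allow hal_dumpstate_default vendor_file:file { execute_no_trans };` at L54 lets the dumpstate HAL execute any binary labelled vendor_file inside its own domain, which is far broader than the helper(s) it presumably spawns; prefer a dedicated exec type for those helpers, or at least a comment naming the binaries that need it, so the grant can be audited later. The file is named dumpstate.te but every added rule targets hal_dumpstate_default, so a one-line comment above the block such as `# Battery mitigation / BCL stats read by the dumpstate HAL` would orient a reader who arrives here from the dumpstate domain. `battery_history_device:chr_file { read }` at L55 has no `open`, which only works if the descriptor is inherited from another domain — confirm that is the intended path rather than a missing permission.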
diff --git a/bootctrl/aidl/BootControl.cpp b/bootctrl/aidl/BootControl.cpp
index 83deb72..8655929 100644
--- a/bootctrl/aidl/BootControl.cpp
+++ b/bootctrl/aidl/BootControl.cpp
@@ -384,7 +384,7 @@
         *_aidl_return = true;
         return ScopedAStatus::ok();
     }
-    if (in_slot >= slots)
+    if (in_slot < 0 || in_slot >= slots)
         return ScopedAStatus::fromServiceSpecificErrorWithMessage(
                 INVALID_SLOT, (std::string("Invalid slot ") + std::to_string(in_slot)).c_str());
 
diff --git a/camera/lyric.mk b/camera/lyric.mk
index 30e06d1..c886138 100644
--- a/camera/lyric.mk
+++ b/camera/lyric.mk
@@ -14,8 +14,13 @@
 $(call soong_config_set,gch,hwl_library,lyric)
 endif
 
-# Check if we're in the internal build
-ifneq ($(wildcard vendor/google/camera),)
+# Use build-time flag to select whether to build from source
+# or ingest prebuilt-apex.  We would want the development teams
+# using release configuration: (trunk-staging) to build from source.
+# All shipping releases will switch to prebuilts (trunk+)
+# if this condition is not true, then build from source.
+
+ifneq ($(RELEASE_PIXEL_CAMERA_ENABLE_PREBUILT),true)
 
 PRODUCT_SOONG_NAMESPACES += \
     vendor/google/camera \
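Review bot: The new condition at L90 no longer checks that vendor/google/camera exists before adding it to PRODUCT_SOONG_NAMESPACES, so a tree that lacks the internal camera source while the release flag is unset (exactly the case the old `$(wildcard ...)` guarded) will now fail later with a Soong namespace error instead of skipping the block; if that configuration is still expected, nest the previous `ifneq ($(wildcard vendor/google/camera),)` inside the new ifneq. The comment at L84-88 reads awkwardly ("ingest prebuilt-apex.  We would want"); a tighter form such as `# Build camera from source unless RELEASE_PIXEL_CAMERA_ENABLE_PREBUILT is true: development (trunk-staging) builds use source, shipping releases (trunk+) use the prebuilt APEX.` states the same policy more directly. The enclosing ifneq closes in the next hunk.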
@@ -36,8 +41,7 @@
 # Calibration tool for debug builds
 PRODUCT_PACKAGES_DEBUG += tarasque_test
 PRODUCT_PACKAGES_DEBUG += ProtoCalibGenerator
-
-endif  # vendor/google/camera check
+endif  # RELEASE_PIXEL_CAMERA_ENABLE_PREBUILT check
 
 # Init-time log settings for Google 3A
 PRODUCT_PACKAGES += libg3a_standalone_gabc_rc
diff --git a/dauntless/gsc.mk b/dauntless/gsc.mk
index 188d9f9..c1cf0e0 100644
--- a/dauntless/gsc.mk
+++ b/dauntless/gsc.mk
@@ -20,4 +20,76 @@
                           nugget_targeted_tests \
                           CitadelProvision \
                           nugget_aidl_test_weaver
+
+# Assign default value for RELEASE_GOOGLE_DAUNTLESS_DIR if no trunk flags support
+RELEASE_GOOGLE_DAUNTLESS_DIR ?= vendor/google_nos/prebuilts/dauntless
+
+# The production Dauntless firmware will be of flavors evt and d3m2.
+# There are also several flavors of pre-release chips. Each flavor
+# (production and pre-release) requires the firmware to be signed differently.
+DAUNTLESS_FIRMWARE_SIZE := 1048576
+
+# The nearly-production Dauntless chips are "proto1.1"
+ifneq (,$(wildcard $(RELEASE_GOOGLE_DAUNTLESS_DIR)/proto11.ec.bin))
+ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" $(RELEASE_GOOGLE_DAUNTLESS_DIR)/proto11.ec.bin))
+$(error GSC firmware size check fail)
 endif
+PRODUCT_COPY_FILES += \
+    $(RELEASE_GOOGLE_DAUNTLESS_DIR)/proto11.ec.bin:$(TARGET_COPY_OUT_VENDOR)/firmware/dauntless/proto11.ec.bin
+$(call dist-for-goals,droid,$(RELEASE_GOOGLE_DAUNTLESS_DIR)/proto11.ec.bin)
+else
+$(error GSC firmware not found in $(RELEASE_GOOGLE_DAUNTLESS_DIR))
+endif
+
+# The production Dauntless chips are "evt"
+ifneq (,$(wildcard $(RELEASE_GOOGLE_DAUNTLESS_DIR)/evt.ec.bin))
+ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" $(RELEASE_GOOGLE_DAUNTLESS_DIR)/evt.ec.bin))
+$(error GSC firmware size check fail)
+endif
+PRODUCT_COPY_FILES += \
+    $(RELEASE_GOOGLE_DAUNTLESS_DIR)/evt.ec.bin:$(TARGET_COPY_OUT_VENDOR)/firmware/dauntless/evt.ec.bin
+$(call dist-for-goals,droid,$(RELEASE_GOOGLE_DAUNTLESS_DIR)/evt.ec.bin)
+else
+$(error GSC firmware not found in $(RELEASE_GOOGLE_DAUNTLESS_DIR))
+endif
+
+# New 2023 production Dauntless chips are "d3m2"
+ifneq (,$(wildcard $(RELEASE_GOOGLE_DAUNTLESS_DIR)/d3m2.ec.bin))
+ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" $(RELEASE_GOOGLE_DAUNTLESS_DIR)/d3m2.ec.bin))
+$(error GSC firmware size check fail)
+endif
+PRODUCT_COPY_FILES += \
+    $(RELEASE_GOOGLE_DAUNTLESS_DIR)/d3m2.ec.bin:$(TARGET_COPY_OUT_VENDOR)/firmware/dauntless/d3m2.ec.bin
+$(call dist-for-goals,droid,$(RELEASE_GOOGLE_DAUNTLESS_DIR)/d3m2.ec.bin)
+else
+$(error GSC firmware not found in $(RELEASE_GOOGLE_DAUNTLESS_DIR))
+endif
+
+# Intermediate image artifacts are published, but aren't included in /vendor/firmware/dauntless
+# in PRODUCT_COPY_FILES
+# This is because intermediate images aren't needed on user devices, but the published artifact
+# is useful for flashstation purposes.
+
+# proto11 chips need an intermediate image prior to upgrading to newever versions of the firmware
+ifneq (,$(wildcard vendor/google_nos/prebuilts/dauntless/intermediate_images/proto11_intermediate.ec.bin))
+ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" vendor/google_nos/prebuilts/dauntless/intermediate_images/proto11_intermediate.ec.bin))
+$(error GSC firmware size check fail)
+endif
+$(call dist-for-goals,droid,vendor/google_nos/prebuilts/dauntless/intermediate_images/proto11_intermediate.ec.bin)
+endif
+# evt chips need an intermediate image prior to upgrading to newever versions of the firmware
+ifneq (,$(wildcard vendor/google_nos/prebuilts/dauntless/intermediate_images/evt_intermediate.ec.bin))
+ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" vendor/google_nos/prebuilts/dauntless/intermediate_images/evt_intermediate.ec.bin))
+$(error GSC firmware size check fail)
+endif
+$(call dist-for-goals,droid,vendor/google_nos/prebuilts/dauntless/intermediate_images/evt_intermediate.ec.bin)
+endif
+# d3m2 chips need an intermediate image prior to upgrading to newever versions of the firmware
+ifneq (,$(wildcard vendor/google_nos/prebuilts/dauntless/intermediate_images/d3m2_intermediate.ec.bin))
+ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" vendor/google_nos/prebuilts/dauntless/intermediate_images/d3m2_intermediate.ec.bin))
+$(error GSC firmware size check fail)
+endif
+$(call dist-for-goals,droid,vendor/google_nos/prebuilts/dauntless/intermediate_images/d3m2_intermediate.ec.bin)
+endif
+
+endif # $(wildcard vendor)
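Review bot: The intermediate-image blocks at L163-181 hard-code `vendor/google_nos/prebuilts/dauntless` while the production images above them use `$(RELEASE_GOOGLE_DAUNTLESS_DIR)`, so once a release flag points that variable elsewhere the flashstation artifacts will still be taken from the default directory and the published intermediate image may not correspond to the firmware installed under /vendor; each of those six paths should become `$(RELEASE_GOOGLE_DAUNTLESS_DIR)/intermediate_images/<flavor>_intermediate.ec.bin`. The size comparison is the only build-time integrity check applied to these images and it is repeated six times with the identical message `$(error GSC firmware size check fail)`; a `define`/`$(call)` helper taking the flavor name, with the file name included in the error text, would make a failure attributable to a specific image. `$(shell stat -c "%s" ...)` is GNU-stat syntax, acceptable for the Android build host but worth a comment for anyone running this elsewhere. "newever" at L162, L169 and L176 should read "newer". The outer ifneq that this `endif # $(wildcard vendor)` closes begins outside the hunk.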
diff --git a/display/dump_display.cpp b/display/dump_display.cpp
index b811889..2df6b4b 100644
--- a/display/dump_display.cpp
+++ b/display/dump_display.cpp
@@ -25,6 +25,6 @@
     dumpFileContent("Primary panel name", "/sys/devices/platform/exynos-drm/primary-panel/panel_name");
     dumpFileContent("Primary panel extra info", "/sys/devices/platform/exynos-drm/primary-panel/panel_extinfo");
     dumpFileContent("Primary panel power Vreg", "/sys/devices/platform/exynos-drm/primary-panel/panel_pwr_vreg");
+    dumpFileContent("Primary panel power mode register", "/sys/devices/platform/exynos-drm/primary-panel/power_mode");
     return 0;
-}
-
+}
\ No newline at end of file
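Review bot: Lines L195-198 replace the closing brace and its trailing newline with a brace and no newline at end of file, so the file now ends without a newline; that is a regression most formatters and pre-upload hooks flag, and the ending should be `}` followed by a newline as the original had. The added dump at L193 otherwise follows the pattern of the surrounding dumpFileContent calls. The enclosing function starts outside the hunk.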
diff --git a/display/dump_second_display.cpp b/display/dump_second_display.cpp
index a6f2665..80ea909 100644
--- a/display/dump_second_display.cpp
+++ b/display/dump_second_display.cpp
@@ -20,6 +20,7 @@
     dumpFileContent("CRTC-1 event log", "/sys/kernel/debug/dri/0/crtc-1/event");
     dumpFileContent("Secondary panel name", "/sys/devices/platform/exynos-drm/secondary-panel/panel_name");
     dumpFileContent("Secondary panel extra info", "/sys/devices/platform/exynos-drm/secondary-panel/panel_extinfo");
+    dumpFileContent("Secondary panel power mode register", "/sys/devices/platform/exynos-drm/secondary-panel/power_mode");
     return 0;
 }
 
diff --git a/gps/pixel/sepolicy/hal_gnss_pixel.te b/gps/pixel/sepolicy/hal_gnss_pixel.te
index cc63702..e3e4d92 100644
--- a/gps/pixel/sepolicy/hal_gnss_pixel.te
+++ b/gps/pixel/sepolicy/hal_gnss_pixel.te
@@ -10,6 +10,9 @@
 # Allow access to CHRE multiclient HAL.
 get_prop(hal_gnss_pixel, vendor_chre_hal_prop)
 
+# Allow read vendor gps prop.
+get_prop(hal_gnss_pixel, vendor_gps_prop)
+
 # Allow binder to CHRE.
 binder_call(hal_gnss_pixel, hal_contexthub_default)
 allow hal_gnss_pixel hal_contexthub_service:service_manager find;
diff --git a/gpu/MK_OWNERS b/gpu/MK_OWNERS
new file mode 100644
index 0000000..1d0be18
--- /dev/null
+++ b/gpu/MK_OWNERS
@@ -0,0 +1,4 @@
+jessehall@google.com
+spyffe@google.com
+jorwag@google.com
+jeremykemp@google.com
diff --git a/gpu/OWNERS b/gpu/OWNERS
new file mode 100644
index 0000000..259dd93
--- /dev/null
+++ b/gpu/OWNERS
@@ -0,0 +1,2 @@
+per-file gpu.mk=set noparent
+per-file gpu.mk=file:MK_OWNERS
diff --git a/gpu/gpu.mk b/gpu/gpu.mk
index b87e7ad..4b11e13 100644
--- a/gpu/gpu.mk
+++ b/gpu/gpu.mk
@@ -2,15 +2,15 @@
 
 PRODUCT_PACKAGES += gpu_probe
 
-USE_MAPPER5 := false
+USE_MAPPER5 := true
 
 PRODUCT_PACKAGES += pixel_gralloc_allocator
 PRODUCT_PACKAGES += pixel_gralloc_mapper
 
 ifeq ($(USE_MAPPER5), true)
-$(call soong_config_set,arm_gralloc,mapper_version,mapper5)
+$(call soong_config_set,pixel_gralloc,mapper_version,mapper5)
 $(call soong_config_set,aion_buffer,mapper_version,mapper5)
 else
-$(call soong_config_set,arm_gralloc,mapper_version,mapper4)
+$(call soong_config_set,pixel_gralloc,mapper_version,mapper4)
 $(call soong_config_set,aion_buffer,mapper_version,mapper4)
 endif
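Review bot: `USE_MAPPER5 := true` at L252 is an unconditional assignment, so the mapper4 branch at L262-264 is unreachable from any product that includes this file; either make it `USE_MAPPER5 ?= true` so a device makefile can still opt out, or delete the else branch so the file does not carry dead configuration. The soong namespace rename from arm_gralloc to pixel_gralloc at L259 and L263 is independent of the version flip and would be easier to bisect as its own change.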
diff --git a/gs_watchdogd/init.gs_watchdogd.rc b/gs_watchdogd/init.gs_watchdogd.rc
index 23d5fb2..ba3354f 100644
--- a/gs_watchdogd/init.gs_watchdogd.rc
+++ b/gs_watchdogd/init.gs_watchdogd.rc
@@ -1,5 +1,6 @@
 # Pet watchdog timer every half of its timeout period.
 service gs_watchdogd /system_ext/bin/gs_watchdogd
+    user root
     class core
     oneshot
     seclabel u:r:gs_watchdogd:s0
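Review bot: `user root` at L273 grants the service root explicitly; if this only spells out init's default it should say so, and if the daemon needs root to open the watchdog device node a comment such as `# root is required to open the watchdog device node; no other privilege is used` records the justification for the next reviewer. Where the node can instead be chowned to a dedicated user in ueventd, a non-root `user` plus matching `group` would follow least privilege — this hunk does not show which node the daemon opens, so that is worth confirming before landing.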
diff --git a/mediacodec/vpu/sepolicy/mediacodec_google.te b/mediacodec/vpu/sepolicy/mediacodec_google.te
index 2c5d1cb..8022675 100644
--- a/mediacodec/vpu/sepolicy/mediacodec_google.te
+++ b/mediacodec/vpu/sepolicy/mediacodec_google.te
@@ -7,7 +7,10 @@
 
 hal_client_domain(mediacodec_google, hal_graphics_allocator)
 
+add_service(mediacodec_google, eco_service)
+
 allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediacodec_google video_device:chr_file { read write open ioctl map };
 
 # mediacodec_google should never execute any executable without a domain transition
 neverallow mediacodec_google { file_type fs_type }:file execute_no_trans;
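Review bot: `allow mediacodec_google video_device:chr_file { read write open ioctl map };` at L288 grants an unrestricted ioctl set on the VPU device node, whereas the e2fs rule elsewhere in this commit pairs ioctl with an `allowxperm` allow-list; applying the same pattern here, e.g. `allowxperm mediacodec_google video_device:chr_file ioctl { <ioctls the codec actually issues> };`, limits what a compromised codec process can reach in the driver. The new `add_service(mediacodec_google, eco_service)` at L285 should carry a comment naming why the codec registers the ECO service, since it adds a binder endpoint to a domain the surrounding neverallows deliberately keep narrow.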
@@ -18,3 +21,11 @@
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow mediacodec_google domain:{ udp_socket rawip_socket } *;
 neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *;
+
+# Allow HAL to send trace packets to Perfetto
+userdebug_or_eng(`perfetto_producer(mediacodec_google)')
+
+userdebug_or_eng(`
+ allow mediacodec_google vendor_media_data_file:dir rw_dir_perms;
+ allow mediacodec_google vendor_media_data_file:file create_file_perms;
+')
diff --git a/modem/dump_modemlog/Android.bp b/modem/dump_modemlog/Android.bp
index aca7b20..f509320 100644
--- a/modem/dump_modemlog/Android.bp
+++ b/modem/dump_modemlog/Android.bp
@@ -1,12 +1,12 @@
 package {
-    default_applicable_licenses: [ "Android-Apache-2.0" ],
+    default_applicable_licenses: ["Android-Apache-2.0"],
 }
 
-sh_binary {
-    name: "dump_modem.sh",
-    src: "dump_modem.sh",
+rust_binary {
+    name: "dump_modem",
+    srcs: ["dump_modem.rs"],
     vendor: true,
-    sub_dir: "dump",
+    relative_install_path: "dump",
 }
 
 // Modem Log Dumper
@@ -30,10 +30,10 @@
 
 cc_library {
     name: "modem_log_dumper",
-    srcs: [ "modem_log_dumper.cpp" ],
-    defaults: [ "modem_log_dumper_defaults" ],
+    srcs: ["modem_log_dumper.cpp"],
+    defaults: ["modem_log_dumper_defaults"],
     export_shared_lib_headers: modem_log_dumper_public_deps,
-    export_include_dirs: [ "include" ],
+    export_include_dirs: ["include"],
     vendor_available: true,
 }
 
@@ -41,7 +41,7 @@
 
 cc_binary {
     name: "dump_modemlog",
-    srcs: [ "dump_modemlog.cpp" ],
+    srcs: ["dump_modemlog.cpp"],
     cflags: [
         "-Wall",
         "-Wextra",
@@ -60,7 +60,7 @@
 
 cc_test {
     name: "dump_modemlog_test",
-    srcs: [ "modem_log_dumper_test.cpp" ],
+    srcs: ["modem_log_dumper_test.cpp"],
     defaults: [
         "modem_log_dumper_defaults",
         "modem_android_property_manager_fake_defaults",
diff --git a/modem/dump_modemlog/dump_modem.rs b/modem/dump_modemlog/dump_modem.rs
new file mode 100644
index 0000000..d9af7eb
--- /dev/null
+++ b/modem/dump_modemlog/dump_modem.rs
@@ -0,0 +1,109 @@
+// Copyright 2024 Google LLC
+
+//! The dump_modem binary is used to capture kernel/userspace logs in bugreport
+
+use std::fs;
+
+const MODEM_STAT: &str = "/data/vendor/modem_stat/debug.txt";
+const SSRDUMP_DIR: &str = "/data/vendor/ssrdump";
+const RFSD_ERR_LOG_DIR: &str = "/data/vendor/log/rfsd";
+const WAKEUP_EVENTS: &str = "/sys/devices/platform/cpif/wakeup_events";
+const CPIF_LOGBUFFER: &str = "/dev/logbuffer_cpif";
+const PCIE_EVENT_STATS: &str = "/sys/devices/platform/cpif/modem/pcie_event_stats";
+
+fn handle_io_error(file: &str, err: std::io::Error) {
+    match err.kind() {
+        std::io::ErrorKind::NotFound => println!("{file} not found!"),
+        std::io::ErrorKind::PermissionDenied => println!("Permission denied to access {file}"),
+        _ => println!("I/O error accessing {file}: {err}"),
+    }
+}
+
+fn print_file(file: &str) -> Result<(), std::io::Error> {
+    fs::metadata(file)?;
+
+    let data = fs::read_to_string(file)?;
+
+    if data.is_empty() {
+        println!("{file} is empty");
+    } else {
+        print!("{data}");
+    }
+
+    Ok(())
+}
+
+fn print_file_and_handle_error(file: &str) {
+    if let Err(err) = print_file(file) {
+        handle_io_error(file, err);
+    }
+}
+
+fn print_matching_files_in_dir(dir: &str, filename: &str) {
+    let Ok(entries) = fs::read_dir(dir) else {
+        return println!("Cannot open directory {dir}");
+    };
+
+    for entry in entries {
+        let Ok(entry) = entry else {
+            continue;
+        };
+        if entry.path().is_file() && entry.file_name().to_string_lossy().starts_with(filename) {
+            if let Some(path_str) = entry.path().to_str() {
+                println!("{}", path_str);
+                print_file_and_handle_error(path_str);
+            }
+        }
+    }
+}
+
+// Capture modem stat log if it exists
+fn modem_stat() {
+    println!("------ Modem Stat ------");
+    print_file_and_handle_error(MODEM_STAT);
+    println!();
+}
+
+// Capture crash signatures from all modem crashes
+fn modem_ssr_history() {
+    println!("------ Modem SSR history ------");
+    print_matching_files_in_dir(SSRDUMP_DIR, "crashinfo_modem");
+    println!();
+}
+
+// Capture rfsd error logs from all existing log files
+fn rfsd_error_log() {
+    println!("------ RFSD error log ------");
+    print_matching_files_in_dir(RFSD_ERR_LOG_DIR, "rfslog");
+    println!();
+}
+
+// Capture modem wakeup events if the sysfs attribute exists
+fn wakeup_events() {
+    println!("------ Wakeup event counts ------");
+    print_file_and_handle_error(WAKEUP_EVENTS);
+    println!();
+}
+
+// Capture kernel driver logbuffer if it exists
+fn cpif_logbuffer() {
+    println!("------ CPIF Logbuffer ------");
+    print_file_and_handle_error(CPIF_LOGBUFFER);
+    println!();
+}
+
+// Capture modem pcie stats if the sysfs attribute exists
+fn pcie_event_stats() {
+    println!("------ PCIe event stats ------");
+    print_file_and_handle_error(PCIE_EVENT_STATS);
+    println!();
+}
+
+fn main() {
+    modem_stat();
+    modem_ssr_history();
+    rfsd_error_log();
+    wakeup_events();
+    cpif_logbuffer();
+    pcie_event_stats();
+}
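Review bot: `fs::read_to_string` in print_file (L388) fails with InvalidData on any non-UTF-8 byte, so a crash dump or the `/dev/logbuffer_cpif` node containing raw binary will be reported as "I/O error accessing ..." and omitted from the bugreport entirely, whereas the shell script this replaces passed the bytes through with `cat`; reading with `fs::read` and printing via `String::from_utf8_lossy` keeps the content. The `fs::metadata(file)?` call at L386 is redundant — `read_to_string` already yields the same NotFound/PermissionDenied kinds handled by handle_io_error — and only opens a window between the two lookups. The prefix in print_matching_files_in_dir (L414) also changed from the script's `rfslog_*` to `rfslog`, which is slightly broader; fine if intended, but worth a comment.
```rust
fn print_file(file: &str) -> Result<(), std::io::Error> {
    // Read raw bytes: logbuffers and crash dumps are not guaranteed to be UTF-8,
    // and a strict read_to_string would drop the whole file with InvalidData.
    let data = fs::read(file)?;

    if data.is_empty() {
        println!("{file} is empty");
    } else {
        print!("{}", String::from_utf8_lossy(&data));
    }

    Ok(())
}
```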
diff --git a/modem/dump_modemlog/dump_modem.sh b/modem/dump_modemlog/dump_modem.sh
deleted file mode 100644
index d1a535d..0000000
--- a/modem/dump_modemlog/dump_modem.sh
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/vendor/bin/sh
-
-WAKEUP_EVENTS_FILE=/sys/devices/platform/cpif/wakeup_events
-CPIF_LOGBUFFER=/dev/logbuffer_cpif
-PCIE_EVENT_STATS=/sys/devices/platform/cpif/modem/pcie_event_stats
-
-echo "------ Modem Stat ------"
-cat /data/vendor/modem_stat/debug.txt
-
-echo "\n------ Modem SSR history ------"
-for f in $(ls /data/vendor/ssrdump/crashinfo_modem*); do
-  echo $f
-  cat $f
-done
-
-echo "\n------ RFSD error log ------"
-for f in $(ls /data/vendor/log/rfsd/rfslog_*); do
-  echo $f
-  cat $f
-done
-
-if [ -e $WAKEUP_EVENTS_FILE ]
-then
-  echo "\n------ Wakeup event counts ------"
-  echo $WAKEUP_EVENTS_FILE
-  cat $WAKEUP_EVENTS_FILE
-fi
-
-if [ -e $CPIF_LOGBUFFER ]
-then
-  echo "\n------ CPIF Logbuffer ------"
-  echo $CPIF_LOGBUFFER
-  cat $CPIF_LOGBUFFER
-fi
-
-if [ -e $PCIE_EVENT_STATS ]
-then
-  echo "\n------ PCIe event stats ------"
-  echo $PCIE_EVENT_STATS
-  cat $PCIE_EVENT_STATS
-fi
diff --git a/modem/dump_modemlog/dump_modemlog.mk b/modem/dump_modemlog/dump_modemlog.mk
index 5e91ab7..c96e729 100644
--- a/modem/dump_modemlog/dump_modemlog.mk
+++ b/modem/dump_modemlog/dump_modemlog.mk
@@ -1,5 +1,5 @@
 BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/modem/dump_modemlog/sepolicy
 
-PRODUCT_PACKAGES += dump_modem.sh
+PRODUCT_PACKAGES += dump_modem
 PRODUCT_PACKAGES += dump_modemlog
 
diff --git a/modem/dump_modemlog/sepolicy/file_contexts b/modem/dump_modemlog/sepolicy/file_contexts
index 29315e9..6d5c082 100644
--- a/modem/dump_modemlog/sepolicy/file_contexts
+++ b/modem/dump_modemlog/sepolicy/file_contexts
@@ -1,3 +1,3 @@
-/vendor/bin/dump/dump_modem\.sh      u:object_r:dump_modem_exec:s0
+/vendor/bin/dump/dump_modem          u:object_r:dump_modem_exec:s0
 /vendor/bin/dump/dump_modemlog       u:object_r:dump_modemlog_exec:s0
 
diff --git a/modem/radio_ext/sepolicy/grilservice_app.te b/modem/radio_ext/sepolicy/grilservice_app.te
new file mode 100644
index 0000000..9bd8c8e
--- /dev/null
+++ b/modem/radio_ext/sepolicy/grilservice_app.te
@@ -0,0 +1,2 @@
+allow grilservice_app hal_radio_ext_service:service_manager find;
+binder_call(grilservice_app, hal_radio_ext)
diff --git a/nfc/sepolicy_st21nfc/file_contexts b/nfc/sepolicy_st21nfc/file_contexts
new file mode 100644
index 0000000..a06842a
--- /dev/null
+++ b/nfc/sepolicy_st21nfc/file_contexts
@@ -0,0 +1,2 @@
+/dev/st21nfc                                                                u:object_r:nfc_device:s0
+/vendor/bin/hw/android\.hardware\.nfc-service\.st                           u:object_r:hal_nfc_default_exec:s0
diff --git a/nfc/sepolicy_st54spi/file.te b/nfc/sepolicy_st54spi/file.te
new file mode 100644
index 0000000..5f9a80d
--- /dev/null
+++ b/nfc/sepolicy_st54spi/file.te
@@ -0,0 +1,3 @@
+# SecureElement SPI device
+type st54spi_device, dev_type;
+
diff --git a/nfc/sepolicy_st54spi/file_contexts b/nfc/sepolicy_st54spi/file_contexts
new file mode 100644
index 0000000..f2762f3
--- /dev/null
+++ b/nfc/sepolicy_st54spi/file_contexts
@@ -0,0 +1,3 @@
+/dev/st54spi                                                                u:object_r:st54spi_device:s0
+/vendor/bin/hw/android\.hardware\.secure_element-service\.thales            u:object_r:hal_secure_element_st54spi_aidl_exec:s0
+
diff --git a/nfc/sepolicy_st54spi/hal_secure_element_st54spi_aidl.te b/nfc/sepolicy_st54spi/hal_secure_element_st54spi_aidl.te
new file mode 100644
index 0000000..f2051e0
--- /dev/null
+++ b/nfc/sepolicy_st54spi/hal_secure_element_st54spi_aidl.te
@@ -0,0 +1,9 @@
+# sepolicy for ST54L secure element
+type hal_secure_element_st54spi_aidl, domain;
+type hal_secure_element_st54spi_aidl_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secure_element_st54spi_aidl)
+hal_server_domain(hal_secure_element_st54spi_aidl, hal_secure_element)
+allow hal_secure_element_st54spi_aidl st54spi_device:chr_file rw_file_perms;
+allow hal_secure_element_st54spi_aidl nfc_device:chr_file rw_file_perms;
+set_prop(hal_secure_element_st54spi_aidl, vendor_secure_element_prop)
+
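Review bot: `allow hal_secure_element_st54spi_aidl nfc_device:chr_file rw_file_perms;` at L586 gives the secure element HAL read/write on the NFC controller node in addition to its own st54spi_device; if that is needed because eSE power or reset is routed through the NFCC, a comment saying so (`# eSE power/reset is driven through the NFC controller node`) would justify the cross-device access, otherwise the rule should be dropped. The heading at L580 says "ST54L" while every type is named st54spi; aligning the comment with the type names avoids confusion.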
diff --git a/nfc/sepolicy_st54spi/property.te b/nfc/sepolicy_st54spi/property.te
new file mode 100644
index 0000000..1ac5526
--- /dev/null
+++ b/nfc/sepolicy_st54spi/property.te
@@ -0,0 +1,3 @@
+# SecureElement vendor property
+vendor_internal_prop(vendor_secure_element_prop)
+
diff --git a/nfc/sepolicy_st54spi/property_contexts b/nfc/sepolicy_st54spi/property_contexts
new file mode 100644
index 0000000..2067a86
--- /dev/null
+++ b/nfc/sepolicy_st54spi/property_contexts
@@ -0,0 +1,2 @@
+# SecureElement vendor property
+persist.vendor.se.                         u:object_r:vendor_secure_element_prop:s0
diff --git a/nfc/sepolicy_st54spi/vendor_init.te b/nfc/sepolicy_st54spi/vendor_init.te
new file mode 100644
index 0000000..91e5cdb
--- /dev/null
+++ b/nfc/sepolicy_st54spi/vendor_init.te
@@ -0,0 +1,2 @@
+# SecureElement vendor property
+set_prop(vendor_init, vendor_secure_element_prop)
diff --git a/nfc/st21nfc.mk b/nfc/st21nfc.mk
new file mode 100644
index 0000000..c30ecce
--- /dev/null
+++ b/nfc/st21nfc.mk
@@ -0,0 +1,2 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/nfc/sepolicy_st21nfc
+PRODUCT_PACKAGES += android.hardware.nfc-service.st
diff --git a/nfc/st54spi.mk b/nfc/st54spi.mk
new file mode 100644
index 0000000..046de87
--- /dev/null
+++ b/nfc/st54spi.mk
@@ -0,0 +1,3 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/nfc/sepolicy_st54spi
+PRODUCT_PACKAGES += android.hardware.secure_element-service.thales
+
diff --git a/performance/sepolicy/file.te b/performance/sepolicy/file.te
index 8e16bbf..e79f9b2 100644
--- a/performance/sepolicy/file.te
+++ b/performance/sepolicy/file.te
@@ -1,2 +1,8 @@
+# proactive kill
 type sysfs_pakills, fs_type, sysfs_type;
+
+# bts dump
 type vendor_bts_debugfs, fs_type, debugfs_type;
+
+# proc_compaction_proactiveness type
+type proc_compaction_proactiveness, fs_type, proc_type;
diff --git a/performance/sepolicy/genfs_contexts b/performance/sepolicy/genfs_contexts
index 041021c..57e3634 100644
--- a/performance/sepolicy/genfs_contexts
+++ b/performance/sepolicy/genfs_contexts
@@ -1,3 +1,4 @@
 genfscon proc /sys/kernel/sched_pelt_multiplier u:object_r:proc_sched:s0
 genfscon sysfs /kernel/vendor_mm/pa_kill u:object_r:sysfs_pakills:s0
 genfscon debugfs /bts u:object_r:vendor_bts_debugfs:s0
+genfscon proc /sys/vm/compaction_proactiveness u:object_r:proc_compaction_proactiveness:s0
diff --git a/performance/sepolicy/vendor_init.te b/performance/sepolicy/vendor_init.te
index fefecb1..188984f 100644
--- a/performance/sepolicy/vendor_init.te
+++ b/performance/sepolicy/vendor_init.te
@@ -1,3 +1,3 @@
 # MM
 allow vendor_init proc_percpu_pagelist_high_fraction:file w_file_perms;
-
+allow vendor_init proc_compaction_proactiveness:file w_file_perms;
diff --git a/sepolicy/Android.bp b/sepolicy/Android.bp
new file mode 100644
index 0000000..160e494
--- /dev/null
+++ b/sepolicy/Android.bp
@@ -0,0 +1,5 @@
+se_flags {
+    name: "usb_udc_sysfs_selinux_flags",
+    flags: ["RELEASE_USB_UDC_SYSFS_SELINUX_POLICY_ENABLED"],
+    export_to: ["all_selinux_flags"],
+}
diff --git a/storage/sepolicy/device.te b/storage/sepolicy/device.te
index e0968f9..1252ee0 100644
--- a/storage/sepolicy/device.te
+++ b/storage/sepolicy/device.te
@@ -1,2 +1,11 @@
 # Userdata Exp block device.
 type userdata_exp_block_device, dev_type;
+
+# Block Devices
+type persist_block_device, dev_type;
+type efs_block_device, dev_type;
+type modem_userdata_block_device, dev_type;
+
+# Storage firmware upgrade
+type ufs_internal_block_device, dev_type;
+
diff --git a/storage/sepolicy/e2fs.te b/storage/sepolicy/e2fs.te
index c280cb7..464b4ce 100644
--- a/storage/sepolicy/e2fs.te
+++ b/storage/sepolicy/e2fs.te
@@ -1 +1,9 @@
+# fix mkfs
 allow e2fs userdata_exp_block_device:blk_file rw_file_perms;
+allow e2fs efs_block_device:blk_file rw_file_perms;
+allow e2fs modem_userdata_block_device:blk_file rw_file_perms;
+allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl {
+  BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+};
+allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms;
+allow e2fs sysfs_scsi_devices_0000:file r_file_perms;
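Review bot: The allowxperm at L698-700 lists persist_block_device, but this hunk adds no `allow e2fs persist_block_device:blk_file ...` base rule, so unless that access is granted elsewhere the extended permission for persist_block_device is dead policy; either add the base rule or drop the type from the list. The comment `# fix mkfs` at L694 describes a symptom rather than the grant; something like `# mkfs on the efs and modem_userdata partitions (discard/size ioctls only)` tells a reader what the rules are for.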
diff --git a/storage/sepolicy/file_contexts b/storage/sepolicy/file_contexts
index ff863db..1ef5a67 100644
--- a/storage/sepolicy/file_contexts
+++ b/storage/sepolicy/file_contexts
@@ -1,6 +1,9 @@
+# storage
 /vendor/bin/dump/dump_storage      u:object_r:dump_storage_exec:s0
-/sys/devices/platform/[0-9]+\.ufs/pixel/enable_pixel_ufs_logging  u:object_r:sysfs_scsi_devices_0000:s0
+/sys/devices/platform/[0-9a-z]+\.ufs/pixel/enable_pixel_ufs_logging  u:object_r:sysfs_scsi_devices_0000:s0
 /dev/sg[0-9]                       u:object_r:sg_device:s0
 /data/vendor/storage(/.*)?         u:object_r:dump_storage_data_file:s0
 /vendor/bin/sg_read_buffer         u:object_r:sg_util_exec:s0
 /dev/block/by-name/userdata_exp.*  u:object_r:userdata_exp_block_device:s0
+/vendor/bin/ufs_firmware_update\.sh                                  u:object_r:ufs_firmware_update_exec:s0
+
diff --git a/storage/sepolicy/fsck.te b/storage/sepolicy/fsck.te
index 2043199..88efb35 100644
--- a/storage/sepolicy/fsck.te
+++ b/storage/sepolicy/fsck.te
@@ -1 +1,6 @@
+# fix fsck
 allow fsck userdata_exp_block_device:blk_file rw_file_perms;
+allow fsck efs_block_device:blk_file rw_file_perms;
+allow fsck modem_userdata_block_device:blk_file rw_file_perms;
+allow fsck sysfs_scsi_devices_0000:dir r_dir_perms;
+allow fsck sysfs_scsi_devices_0000:file r_file_perms;
diff --git a/storage/sepolicy/ufs_firmware_update.te b/storage/sepolicy/ufs_firmware_update.te
new file mode 100644
index 0000000..2313121
--- /dev/null
+++ b/storage/sepolicy/ufs_firmware_update.te
@@ -0,0 +1,11 @@
+# support ufs ffu via ota
+init_daemon_domain(ufs_firmware_update)
+type ufs_firmware_update, domain;
+type ufs_firmware_update_exec, vendor_file_type, exec_type, file_type;
+
+# support ufs ffu via ota
+allow ufs_firmware_update vendor_toolbox_exec:file execute_no_trans;
+allow ufs_firmware_update block_device:dir { search };
+allow ufs_firmware_update ufs_internal_block_device:blk_file rw_file_perms;
+allow ufs_firmware_update sysfs_scsi_devices_0000:file r_file_perms;
+
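Review bot: `init_daemon_domain(ufs_firmware_update)` at L736 appears before the `type` declarations at L737-738, the reverse of the order used by the other new domains in this commit (hal_drm_widevine.te, hal_secure_element_st54spi_aidl.te); checkpolicy tolerates it, but declarations should come first for consistency. The same comment `# support ufs ffu via ota` is repeated at L735 and L740; the second could instead say what the rules grant, e.g. `# The update script runs toolbox and writes the UFS firmware image to the internal block device`. Since this domain writes storage firmware, naming the script that runs here (the ufs_firmware_update.sh labelled in file_contexts) in the header comment would help future audits.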
diff --git a/storage/sepolicy/vold.te b/storage/sepolicy/vold.te
index 3d35589..87387a7 100644
--- a/storage/sepolicy/vold.te
+++ b/storage/sepolicy/vold.te
@@ -1,3 +1,4 @@
+# ufs hagc
 allow vold sysfs_scsi_devices_0000:file rw_file_perms;
 
 # Access userdata_exp block device.
@@ -6,3 +7,7 @@
 
 dontaudit vold dumpstate:fifo_file rw_file_perms;
 dontaudit vold dumpstate:fd use ;
+
+# fix idle-maint
+allow vold efs_block_device:blk_file { getattr };
+allow vold modem_userdata_block_device:blk_file { getattr };
diff --git a/touch/gti/ical/sepolicy/property.te b/touch/gti/ical/sepolicy/property.te
index 2a71d74..94fa3fc 100644
--- a/touch/gti/ical/sepolicy/property.te
+++ b/touch/gti/ical/sepolicy/property.te
@@ -1 +1,2 @@
 system_public_prop(vendor_gti_prop)
+typeattribute vendor_gti_prop         touch_property_type;
diff --git a/widevine/sepolicy/file.te b/widevine/sepolicy/file.te
new file mode 100644
index 0000000..a1e4e0e
--- /dev/null
+++ b/widevine/sepolicy/file.te
@@ -0,0 +1,3 @@
+# Widevine DRM
+type mediadrm_vendor_data_file, file_type, data_file_type;
+
diff --git a/widevine/sepolicy/file_contexts b/widevine/sepolicy/file_contexts
new file mode 100644
index 0000000..92aed3c
--- /dev/null
+++ b/widevine/sepolicy/file_contexts
@@ -0,0 +1,5 @@
+/vendor/bin/hw/android\.hardware\.drm-service\.widevine          u:object_r:hal_drm_widevine_exec:s0
+/vendor/bin/hw/android\.hardware\.drm-service\.clearkey          u:object_r:hal_drm_clearkey_exec:s0
+
+# Data
+/data/vendor/mediadrm(/.*)?                                      u:object_r:mediadrm_vendor_data_file:s0
diff --git a/widevine/sepolicy/hal_drm_clearkey.te b/widevine/sepolicy/hal_drm_clearkey.te
new file mode 100644
index 0000000..fff4f0d
--- /dev/null
+++ b/widevine/sepolicy/hal_drm_clearkey.te
@@ -0,0 +1,6 @@
+# sepolicy for DRM clearkey
+type hal_drm_clearkey, domain;
+type hal_drm_clearkey_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_drm_clearkey)
+
+hal_server_domain(hal_drm_clearkey, hal_drm)
diff --git a/widevine/sepolicy/hal_drm_widevine.te b/widevine/sepolicy/hal_drm_widevine.te
new file mode 100644
index 0000000..9b4792e
--- /dev/null
+++ b/widevine/sepolicy/hal_drm_widevine.te
@@ -0,0 +1,13 @@
+# sepolicy for DRM widevine
+type hal_drm_widevine, domain;
+type hal_drm_widevine_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_drm_widevine)
+
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+# L3
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+
+#L1
+#TODO(snehalreddy@) : Add L1 permissions
diff --git a/widevine/sepolicy/service_contexts b/widevine/sepolicy/service_contexts
new file mode 100644
index 0000000..6989dde
--- /dev/null
+++ b/widevine/sepolicy/service_contexts
@@ -0,0 +1 @@
+android.hardware.drm.IDrmFactory/widevine    u:object_r:hal_drm_service:s0
diff --git a/widevine/widevine_v2.mk b/widevine/widevine_v2.mk
new file mode 100644
index 0000000..5cd914b
--- /dev/null
+++ b/widevine/widevine_v2.mk
@@ -0,0 +1,2 @@
+include device/google/gs-common/widevine/widevine.mk
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/widevine/sepolicy/
\ No newline at end of file