Allow suspend_control to access xHCI wakeup node am: a506ed1e06 am: 43bde53275
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs101-sepolicy/+/16370946
Change-Id: I6b86ed75839021c860f8f556f25caedd4443fc84
diff --git a/ambient/exo_app.te b/ambient/exo_app.te
new file mode 100644
index 0000000..3a88eeb
--- /dev/null
+++ b/ambient/exo_app.te
@@ -0,0 +1,21 @@
+type exo_app, coredomain, domain;
+
+app_domain(exo_app)
+net_domain(exo_app)
+
+allow exo_app app_api_service:service_manager find;
+allow exo_app audioserver_service:service_manager find;
+allow exo_app cameraserver_service:service_manager find;
+allow exo_app mediaserver_service:service_manager find;
+allow exo_app radio_service:service_manager find;
+allow exo_app fwk_stats_service:service_manager find;
+allow exo_app mediametrics_service:service_manager find;
+allow exo_app virtual_device_service:service_manager find;
+allow exo_app gpu_device:dir search;
+
+allow exo_app uhid_device:chr_file rw_file_perms;
+
+binder_call(exo_app, statsd)
+binder_use(exo_app)
+
+get_prop(exo_app, device_config_runtime_native_boot_prop)
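Review bot: The rule `allow exo_app uhid_device:chr_file rw_file_perms;` has no comment saying why an app domain that also has `net_domain(exo_app)` needs /dev/uhid. Write access to that node lets the process register userspace HID devices whose reports the input stack handles like hardware input, so this is the most sensitive grant in the file. It should carry its justification next to it, for example `# <feature name>: exo_app forwards remote-control input through a virtual HID device; domain is limited to the platform-signed com.google.pixel.exo package`. A short header comment on the type declaration saying what the Exo app is would also help, since `coredomain` is assigned here without explanation.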
diff --git a/ambient/seapp_contexts b/ambient/seapp_contexts
new file mode 100644
index 0000000..8024688
--- /dev/null
+++ b/ambient/seapp_contexts
@@ -0,0 +1,2 @@
+# Domain for Exo app
+user=_app seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all
diff --git a/bluetooth/device.te b/bluetooth/device.te
new file mode 100644
index 0000000..a256332
--- /dev/null
+++ b/bluetooth/device.te
@@ -0,0 +1,3 @@
+# Bt Wifi Coexistence device
+type wb_coexistence_dev, dev_type;
+
diff --git a/bluetooth/file_contexts b/bluetooth/file_contexts
new file mode 100644
index 0000000..d4681db
--- /dev/null
+++ b/bluetooth/file_contexts
@@ -0,0 +1,6 @@
+# Bluetooth
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service\.bcmbtlinux u:object_r:hal_bluetooth_btlinux_exec:s0
+
+/dev/wbrc u:object_r:wb_coexistence_dev:s0
+/dev/ttySAC16 u:object_r:hci_attach_dev:s0
+
diff --git a/bluetooth/genfs_contexts b/bluetooth/genfs_contexts
new file mode 100644
index 0000000..607e146
--- /dev/null
+++ b/bluetooth/genfs_contexts
@@ -0,0 +1,7 @@
+genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/btwake u:object_r:proc_bluetooth_writable:s0
+genfscon proc /bluetooth/timesync u:object_r:proc_bluetooth_writable:s0
+
diff --git a/whitechapel/vendor/google/hal_bluetooth_btlinux.te b/bluetooth/hal_bluetooth_btlinux.te
similarity index 100%
rename from whitechapel/vendor/google/hal_bluetooth_btlinux.te
rename to bluetooth/hal_bluetooth_btlinux.te
diff --git a/bluetooth/hwservice.te b/bluetooth/hwservice.te
new file mode 100644
index 0000000..5e36cd0
--- /dev/null
+++ b/bluetooth/hwservice.te
@@ -0,0 +1,3 @@
+# Bluetooth HAL extension
+type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type;
+
diff --git a/bluetooth/hwservice_contexts b/bluetooth/hwservice_contexts
new file mode 100644
index 0000000..df77e6f
--- /dev/null
+++ b/bluetooth/hwservice_contexts
@@ -0,0 +1,5 @@
+# Bluetooth HAL extension
+hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0
+hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0
+hardware.google.bluetooth.ccc::IBluetoothCcc u:object_r:hal_bluetooth_coexistence_hwservice:s0
+
diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts
index dcaacdc..04f8491 100644
--- a/edgetpu/file_contexts
+++ b/edgetpu/file_contexts
@@ -6,12 +6,12 @@
# EdgeTPU service binaries and libraries
/system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service u:object_r:edgetpu_app_server_exec:s0
-/vendor/lib64/com\.google\.edgetpu_app_service-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/com\.google\.edgetpu_app_service-V[1-2]-ndk\.so u:object_r:same_process_hal_file:s0
/vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0
# EdgeTPU vendor service
/vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service u:object_r:edgetpu_vendor_server_exec:s0
-/vendor/lib64/com\.google\.edgetpu_vendor_service-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/com\.google\.edgetpu_vendor_service-V[1-2]-ndk\.so u:object_r:same_process_hal_file:s0
# EdgeTPU runtime libraries
/vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0
diff --git a/edgetpu/hal_neuralnetworks_darwinn.te b/edgetpu/hal_neuralnetworks_darwinn.te
index b45a705..1896071 100644
--- a/edgetpu/hal_neuralnetworks_darwinn.te
+++ b/edgetpu/hal_neuralnetworks_darwinn.te
@@ -43,3 +43,7 @@
# Allows the logging service to access /sys/class/edgetpu
allow hal_neuralnetworks_darwinn sysfs_edgetpu:dir r_dir_perms;
allow hal_neuralnetworks_darwinn sysfs_edgetpu:file r_file_perms;
+
+# Allows the NNAPI HAL to access the edgetpu_app_service
+allow hal_neuralnetworks_darwinn edgetpu_app_service:service_manager find;
+binder_call(hal_neuralnetworks_darwinn, edgetpu_app_server);
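Review bot: The trailing `;` on `binder_call(hal_neuralnetworks_darwinn, edgetpu_app_server);` is not needed, because the macro already expands to complete statements. The other macro calls in this change (`binder_call(exo_app, statsd)`, `set_prop(...)`, `init_daemon_domain(...)`) are written without it. Suggest `binder_call(hal_neuralnetworks_darwinn, edgetpu_app_server)` for consistency.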
diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk
index 989bb70..d8b1968 100644
--- a/gs101-sepolicy.mk
+++ b/gs101-sepolicy.mk
@@ -23,20 +23,16 @@
# Dauntless (uses Citadel policy currently)
BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/citadel
-# Wifi
-BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_ext
-
# PowerStats HAL
BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
# sscoredump
BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/sscoredump
-# Sniffer Logger
-BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_sniffer
-
-# Wifi Logger
-BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_logger
-
# Public
PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs101-sepolicy/public
+
+# pKVM
+ifeq ($(TARGET_PKVM_ENABLED),true)
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/pkvm
+endif
diff --git a/pkvm/file_contexts b/pkvm/file_contexts
new file mode 100644
index 0000000..310aad4
--- /dev/null
+++ b/pkvm/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/pkvm_enabler u:object_r:vendor_misc_writer_exec:s0
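Review bot: Labelling `/vendor/bin/pkvm_enabler` as `vendor_misc_writer_exec` reuses an existing domain instead of giving the new binary its own. Presumably the transition into vendor_misc_writer is keyed on this exec type, so pkvm_enabler would run with every permission that domain already holds. The `execute_no_trans` rule added in pkvm/vendor_misc_writer.te then applies to any file carrying this label, not only to misc_writer. A dedicated pair such as `type pkvm_enabler, domain;` and `type pkvm_enabler_exec, exec_type, vendor_file_type, file_type;`, with only the misc-partition access it needs, would keep the grant narrower. If reuse is intentional, a comment in this file should say so.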
diff --git a/pkvm/vendor_misc_writer.te b/pkvm/vendor_misc_writer.te
new file mode 100644
index 0000000..b9b4ceb
--- /dev/null
+++ b/pkvm/vendor_misc_writer.te
@@ -0,0 +1,2 @@
+# Allow pkvm_enabler to execute misc_writer.
+allow vendor_misc_writer vendor_misc_writer_exec:file execute_no_trans;
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index fa20f24..3968de3 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -1,2 +1,3 @@
# b/177389198
dontaudit gmscore_app adbd_prop:file *;
+dontaudit gmscore_app sysfs_vendor_sched:file write;
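Review bot: The added `dontaudit gmscore_app sysfs_vendor_sched:file write;` has no bug reference or comment of its own, and the existing `# b/177389198` line above it reads as covering only the adbd_prop rule. The same rule is added for priv_app, logger_app, mediaprovider, shell and untrusted_app_all later in this change. For untrusted_app_all and shell in particular, it removes the avc denial that would otherwise record a process attempting to write the vendor scheduler sysfs nodes. Each of these should name the known benign caller, for example `# b/<tracking bug>: <component> tries to set its vendor sched group; harmless, suppress the log`, so the suppression can be revisited later.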
diff --git a/private/priv_app.te b/private/priv_app.te
index 2ef1f96..de2a4f2 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -17,3 +17,4 @@
dontaudit priv_app ab_update_gki_prop:file { map };
dontaudit priv_app adbd_prop:file { open };
dontaudit priv_app adbd_prop:file { getattr };
+dontaudit priv_app sysfs_vendor_sched:file write;
diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te
index 7cd2c7f..94ec0bb 100644
--- a/whitechapel/vendor/google/device.te
+++ b/whitechapel/vendor/google/device.te
@@ -1,21 +1,16 @@
# Block Devices
-type efs_block_device, dev_type, bdev_type;
-type fat_block_device, dev_type, bdev_type;
-type modem_block_device, dev_type, bdev_type;
-type modem_userdata_block_device, dev_type, bdev_type;
-type persist_block_device, dev_type, bdev_type;
-type vendor_block_device, dev_type, bdev_type;
-type sda_block_device, dev_type, bdev_type;
-type mfg_data_block_device, dev_type, bdev_type;
+type efs_block_device, dev_type;
+type modem_block_device, dev_type;
+type modem_userdata_block_device, dev_type;
+type persist_block_device, dev_type;
+type sda_block_device, dev_type;
+type mfg_data_block_device, dev_type;
# Exynos devices
-type vendor_m2m1shot_device, dev_type;
type vendor_gnss_device, dev_type;
-type vendor_nanohub_device, dev_type;
-type vendor_secmem_device, dev_type;
type vendor_toe_device, dev_type;
-type custom_ab_block_device, dev_type, bdev_type;
-type devinfo_block_device, dev_type, bdev_type;
+type custom_ab_block_device, dev_type;
+type devinfo_block_device, dev_type;
# usbpd
type logbuffer_device, dev_type;
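Review bot: The re-declared block device types (`efs_block_device`, `modem_block_device`, `persist_block_device`, `sda_block_device`, `mfg_data_block_device`, `custom_ab_block_device`, `devinfo_block_device`) lose the `bdev_type` attribute. Any allow or neverallow rule, or build-time label check, written against that attribute will stop covering them. file.te does the same to `sysfs_scsi_devices_0000` with `sysfs_block_type`. If this is a merge into a branch where those attributes are not defined, the commit description should say so. Otherwise the attribute should stay, e.g. `type efs_block_device, dev_type, bdev_type;`.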
@@ -23,9 +18,6 @@
#cpuctl
type cpuctl_device, dev_type;
-# Bt Wifi Coexistence device
-type wb_coexistence_dev, dev_type;
-
# LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL
type lwis_device, dev_type;
@@ -56,3 +48,7 @@
# Raw HID device
type hidraw_device, dev_type;
+# SecureElement SPI device
+type st54spi_device, dev_type;
+type st33spi_device, dev_type;
+
diff --git a/whitechapel/vendor/google/euiccpixel_app.te b/whitechapel/vendor/google/euiccpixel_app.te
index 32f958b..db71a87 100644
--- a/whitechapel/vendor/google/euiccpixel_app.te
+++ b/whitechapel/vendor/google/euiccpixel_app.te
@@ -15,8 +15,11 @@
userdebug_or_eng(`
net_domain(euiccpixel_app)
- # Access to directly upgrade firmware on secure_element used for engineering devices
- typeattribute secure_element_device mlstrustedobject;
- allow euiccpixel_app secure_element_device:chr_file rw_file_perms;
+ # Access to directly upgrade firmware on st54spi_device used for engineering devices
+ typeattribute st54spi_device mlstrustedobject;
+ allow euiccpixel_app st54spi_device:chr_file rw_file_perms;
+ # Access to directly upgrade firmware on st33spi_device used for engineering devices
+ typeattribute st33spi_device mlstrustedobject;
+ allow euiccpixel_app st33spi_device:chr_file rw_file_perms;
')
diff --git a/whitechapel/vendor/google/fastbootd.te b/whitechapel/vendor/google/fastbootd.te
index f9d09d9..d6cf731 100644
--- a/whitechapel/vendor/google/fastbootd.te
+++ b/whitechapel/vendor/google/fastbootd.te
@@ -1,6 +1,6 @@
# Required by the bootcontrol HAL for the 'set_active' command.
recovery_only(`
-allow fastbootd secure_element_device:chr_file rw_file_perms;
+allow fastbootd st54spi_device:chr_file rw_file_perms;
allow fastbootd devinfo_block_device:blk_file rw_file_perms;
allow fastbootd sda_block_device:blk_file rw_file_perms;
allow fastbootd sysfs_ota:file rw_file_perms;
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index e2baeca..9009824 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@@ -78,7 +78,7 @@
type mediadrm_vendor_data_file, file_type, data_file_type;
# Storage Health HAL
-type sysfs_scsi_devices_0000, sysfs_type, fs_type, sysfs_block_type;
+type sysfs_scsi_devices_0000, sysfs_type, fs_type;
type debugfs_f2fs, debugfs_type, fs_type;
type proc_f2fs, proc_type, fs_type;
@@ -203,3 +203,6 @@
userdebug_or_eng(`
typeattribute sysfs_sjtag mlstrustedobject;
')
+
+# SecureElement
+type sysfs_st33spi, sysfs_type, fs_type;
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index a708d8d..70a37ee 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -42,13 +42,11 @@
/dev/block/platform/14700000\.ufs/by-name/efs u:object_r:efs_block_device:s0
/dev/block/platform/14700000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0
/dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/fat u:object_r:fat_block_device:s0
/dev/block/platform/14700000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0
/dev/block/platform/14700000\.ufs/by-name/modem u:object_r:modem_block_device:s0
/dev/block/platform/14700000\.ufs/by-name/persist u:object_r:persist_block_device:s0
/dev/block/platform/14700000\.ufs/by-name/system u:object_r:system_block_device:s0
/dev/block/platform/14700000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/vendor u:object_r:vendor_block_device:s0
/dev/block/platform/14700000\.ufs/by-name/frp u:object_r:frp_block_device:s0
/dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0
/dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0
@@ -86,9 +84,6 @@
/dev/bbd_control u:object_r:vendor_gnss_device:s0
/dev/bbd_pwrstat u:object_r:power_stats_device:s0
/dev/ttyBCM u:object_r:vendor_gnss_device:s0
-/dev/nanohub u:object_r:vendor_nanohub_device:s0
-/dev/nanohub_comms u:object_r:vendor_nanohub_device:s0
-/dev/m2m1shot_scaler0 u:object_r:vendor_m2m1shot_device:s0
/dev/radio0 u:object_r:radio_device:s0
/dev/dri/card0 u:object_r:graphics_device:s0
/dev/fimg2d u:object_r:graphics_device:s0
@@ -131,7 +126,6 @@
# GPU device
/dev/mali0 u:object_r:gpu_device:s0
-/dev/s5p-smem u:object_r:vendor_secmem_device:s0
#
# Exynos Daemon Exec
@@ -196,6 +190,8 @@
/dev/lwis-eeprom-m24c64s u:object_r:lwis_device:s0
/dev/lwis-eeprom-m24c64s-imx355-inner u:object_r:lwis_device:s0
/dev/lwis-eeprom-m24c64s-imx355-outer u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64s-rear u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64s-front u:object_r:lwis_device:s0
/dev/lwis-eeprom-m24c64x u:object_r:lwis_device:s0
/dev/lwis-eeprom-m24c64x-imx386 u:object_r:lwis_device:s0
/dev/lwis-eeprom-m24c64x-imx663 u:object_r:lwis_device:s0
@@ -222,6 +218,8 @@
/dev/lwis-sensor-imx355 u:object_r:lwis_device:s0
/dev/lwis-sensor-imx355-inner u:object_r:lwis_device:s0
/dev/lwis-sensor-imx355-outer u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx355-rear u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx355-front u:object_r:lwis_device:s0
/dev/lwis-sensor-imx363 u:object_r:lwis_device:s0
/dev/lwis-sensor-imx386 u:object_r:lwis_device:s0
/dev/lwis-sensor-imx586 u:object_r:lwis_device:s0
@@ -251,7 +249,7 @@
/dev/aoc u:object_r:aoc_device:s0
# Contexthub
-/vendor/bin/hw/android\.hardware\.contexthub@1\.2-service\.generic u:object_r:hal_contexthub_default_exec:s0
+/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/chre u:object_r:chre_exec:s0
/dev/socket/chre u:object_r:chre_socket:s0
@@ -289,19 +287,14 @@
/data/nfc(/.*)? u:object_r:nfc_data_file:s0
# SecureElement
-/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service\.st u:object_r:hal_secure_element_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_default_exec:s0
-/dev/st54j_se u:object_r:secure_element_device:s0
-/dev/st54spi u:object_r:secure_element_device:s0
-/dev/st33spi u:object_r:secure_element_device:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_st33spi_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_default_exec:s0
+/dev/st54spi u:object_r:st54spi_device:s0
+/dev/st33spi u:object_r:st33spi_device:s0
# Bluetooth
-/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service\.bcmbtlinux u:object_r:hal_bluetooth_btlinux_exec:s0
-/dev/wbrc u:object_r:wb_coexistence_dev:s0
-/dev/ttySAC16 u:object_r:hci_attach_dev:s0
-/dev/logbuffer_btlpm u:object_r:logbuffer_device:s0
+/dev/logbuffer_btlpm u:object_r:logbuffer_device:s0
/dev/logbuffer_tty16 u:object_r:logbuffer_device:s0
# Audio
@@ -367,9 +360,6 @@
/dev/dit2 u:object_r:vendor_toe_device:s0
/vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.[0-9]-service u:object_r:hal_tetheroffload_default_exec:s0
-# pixelstats binary
-/vendor/bin/pixelstats-vendor u:object_r:pixelstats_vendor_exec:s0
-
# battery history
/dev/battery_history u:object_r:battery_history_device:s0
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 626e91b..f066380 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -23,6 +23,7 @@
genfscon sysfs /devices/platform/google,cpm/power_supply u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /devices/platform/google,cpm/ u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/google,dock/power_supply/dock u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /devices/platform/10d50000.hsi2c u:object_r:sysfs_batteryinfo:s0
# Slider
@@ -62,6 +63,7 @@
genfscon sysfs /devices/platform/14700000.ufs/health_descriptor u:object_r:sysfs_scsi_devices_0000:s0
genfscon sysfs /devices/platform/14700000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0
genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/attributes/wb_avail_buf u:object_r:sysfs_scsi_devices_0000:s0
# Networking / Tethering
genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/ieee802154/phy0/net u:object_r:sysfs_net:s0
@@ -99,6 +101,7 @@
genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
@@ -108,6 +111,17 @@
genfscon proc /fts/driver_test u:object_r:proc_touch:s0
genfscon proc /fts_ext/driver_test u:object_r:proc_touch:s0
genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0
+genfscon sysfs /devices/virtual/input/input2 u:object_r:sysfs_touch:s0
+genfscon sysfs /devices/virtual/input/input3 u:object_r:sysfs_touch:s0
+genfscon sysfs /devices/virtual/input/nvt_touch u:object_r:sysfs_touch:s0
+genfscon proc /nvt_baseline u:object_r:proc_touch:s0
+genfscon proc /nvt_cc_uniformity u:object_r:proc_touch:s0
+genfscon proc /nvt_diff u:object_r:proc_touch:s0
+genfscon proc /nvt_fw_version u:object_r:proc_touch:s0
+genfscon proc /nvt_heatmap u:object_r:proc_touch:s0
+genfscon proc /nvt_pen_diff u:object_r:proc_touch:s0
+genfscon proc /nvt_raw u:object_r:proc_touch:s0
+genfscon proc /nvt_selftest u:object_r:proc_touch:s0
# GPS
genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0
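Review bot: The entries `/devices/virtual/input/input2` and `/devices/virtual/input/input3` depend on input device numbering, which the kernel assigns in registration order. If probe order changes or another virtual input device registers first, `sysfs_touch` lands on an unrelated device's attributes, and the touch nodes fall back to the default sysfs label. Prefer a stable path such as the `nvt_touch` entry added on the next line. If no stable path exists, add a comment like `# inputN is assigned at probe time; verify against the touch driver on each kernel update`.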
@@ -126,12 +140,6 @@
# Bluetooth
genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/bluetooth/hci0/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
-genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
-genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0
-genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0
-genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0
-genfscon proc /bluetooth/sleep/btwake u:object_r:proc_bluetooth_writable:s0
-genfscon proc /bluetooth/timesync u:object_r:proc_bluetooth_writable:s0
# ODPM
genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
@@ -324,3 +332,12 @@
genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0
genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0
genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0
+
+# Extcon
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
+
+# SecureElement
+genfscon sysfs /devices/platform/10950000.spi/spi_master/spi6/spi6.0/st33spi u:object_r:sysfs_st33spi:s0
+genfscon sysfs /devices/platform/175c0000.spi/spi_master/spi15/spi15.0/st33spi u:object_r:sysfs_st33spi:s0
+
diff --git a/whitechapel/vendor/google/hal_nfc_default.te b/whitechapel/vendor/google/hal_nfc_default.te
index b647792..174b538 100644
--- a/whitechapel/vendor/google/hal_nfc_default.te
+++ b/whitechapel/vendor/google/hal_nfc_default.te
@@ -10,4 +10,3 @@
# Access uwb cal for SecureRanging Applet
allow hal_nfc_default uwb_data_vendor:dir r_dir_perms;
allow hal_nfc_default uwb_data_vendor:file r_file_perms;
-
diff --git a/whitechapel/vendor/google/hal_secure_element_default.te b/whitechapel/vendor/google/hal_secure_element_default.te
index dc04874..17a679d 100644
--- a/whitechapel/vendor/google/hal_secure_element_default.te
+++ b/whitechapel/vendor/google/hal_secure_element_default.te
@@ -1,7 +1,5 @@
allow hal_secure_element_default secure_element_device:chr_file rw_file_perms;
-allow hal_secure_element_default nfc_device:chr_file rw_file_perms;
set_prop(hal_secure_element_default, vendor_secure_element_prop)
-set_prop(hal_secure_element_default, vendor_nfc_prop)
set_prop(hal_secure_element_default, vendor_modem_prop)
# Allow hal_secure_element_default to access rild
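Review bot: The retained `allow hal_secure_element_default secure_element_device:chr_file rw_file_perms;` looks stale after this change. The file_contexts hunk relabels `/dev/st54spi` and `/dev/st33spi` to the new per-chip types and drops the `/dev/st54j_se` entry, so nothing in this diff still assigns `secure_element_device` to a node. If the UICC service that remains in this domain does not open an SE character device, the rule should be removed so the domain holds no unused device grant. If another file_contexts still uses the label, a comment naming that node would make this clear. The rest of the file lies outside the hunk.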
diff --git a/whitechapel/vendor/google/hal_secure_element_st33spi.te b/whitechapel/vendor/google/hal_secure_element_st33spi.te
new file mode 100644
index 0000000..a5978f2
--- /dev/null
+++ b/whitechapel/vendor/google/hal_secure_element_st33spi.te
@@ -0,0 +1,8 @@
+type hal_secure_element_st33spi, domain;
+hal_server_domain(hal_secure_element_st33spi, hal_secure_element)
+type hal_secure_element_st33spi_exec, exec_type, vendor_file_type, file_type;
+
+allow hal_secure_element_st33spi st33spi_device:chr_file rw_file_perms;
+set_prop(hal_secure_element_st33spi, vendor_secure_element_prop)
+
+init_daemon_domain(hal_secure_element_st33spi)
diff --git a/whitechapel/vendor/google/hal_secure_element_st54spi.te b/whitechapel/vendor/google/hal_secure_element_st54spi.te
new file mode 100644
index 0000000..7f6ea41
--- /dev/null
+++ b/whitechapel/vendor/google/hal_secure_element_st54spi.te
@@ -0,0 +1,9 @@
+type hal_secure_element_st54spi, domain;
+hal_server_domain(hal_secure_element_st54spi, hal_secure_element)
+type hal_secure_element_st54spi_exec, exec_type, vendor_file_type, file_type;
+allow hal_secure_element_st54spi st54spi_device:chr_file rw_file_perms;
+allow hal_secure_element_st54spi nfc_device:chr_file rw_file_perms;
+set_prop(hal_secure_element_st54spi, vendor_secure_element_prop)
+set_prop(hal_secure_element_st54spi, vendor_nfc_prop)
+set_prop(hal_secure_element_st54spi, vendor_modem_prop)
+init_daemon_domain(hal_secure_element_st54spi)
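Review bot: This new domain has no comments, and it carries over `nfc_device`, `vendor_nfc_prop` and `vendor_modem_prop` from hal_secure_element_default, while the sibling hal_secure_element_st33spi.te gets only its device node and `vendor_secure_element_prop`. In the default domain the modem property sits next to a comment about rild access, so `set_prop(hal_secure_element_st54spi, vendor_modem_prop)` may be a leftover the st54 HAL does not need; please confirm and drop it if so. Each remaining grant should say why it is there, for example `# st54 eSE shares the NFC controller; the HAL toggles it through nfc_device`.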
diff --git a/whitechapel/vendor/google/hal_uwb_vendor_default.te b/whitechapel/vendor/google/hal_uwb_vendor_default.te
index 9361687..f72e879 100644
--- a/whitechapel/vendor/google/hal_uwb_vendor_default.te
+++ b/whitechapel/vendor/google/hal_uwb_vendor_default.te
@@ -8,4 +8,4 @@
binder_call(hal_uwb_vendor_default, uwb_vendor_app)
allow hal_uwb_vendor_default uwb_data_vendor:dir create_dir_perms;
-allow hal_uwb_vendor_default uwb_data_vendor:file create_file_perms;
\ No newline at end of file
+allow hal_uwb_vendor_default uwb_data_vendor:file create_file_perms;
diff --git a/whitechapel/vendor/google/hwservice.te b/whitechapel/vendor/google/hwservice.te
index 7ac9857..a3a3ead 100644
--- a/whitechapel/vendor/google/hwservice.te
+++ b/whitechapel/vendor/google/hwservice.te
@@ -16,9 +16,6 @@
# WLC
type hal_wlc_hwservice, hwservice_manager_type;
-# Bluetooth HAL extension
-type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type;
-
# Fingerprint
type hal_fingerprint_ext_hwservice, hwservice_manager_type;
diff --git a/whitechapel/vendor/google/hwservice_contexts b/whitechapel/vendor/google/hwservice_contexts
index 0bcb1f6..3020777 100644
--- a/whitechapel/vendor/google/hwservice_contexts
+++ b/whitechapel/vendor/google/hwservice_contexts
@@ -23,11 +23,6 @@
# Wireless charger hal
vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0
-# Bluetooth HAL extension
-hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0
-hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0
-hardware.google.bluetooth.ccc::IBluetoothCcc u:object_r:hal_bluetooth_coexistence_hwservice:s0
-
# Fingerprint
vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0
diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te
index 8c8f519..d091cff 100644
--- a/whitechapel/vendor/google/logger_app.te
+++ b/whitechapel/vendor/google/logger_app.te
@@ -25,4 +25,5 @@
dontaudit logger_app default_prop:file { read };
dontaudit logger_app sysfs_vendor_sched:dir search;
+ dontaudit logger_app sysfs_vendor_sched:file write;
')
diff --git a/whitechapel/vendor/google/mediaprovider.te b/whitechapel/vendor/google/mediaprovider.te
index a1b629f..835593f 100644
--- a/whitechapel/vendor/google/mediaprovider.te
+++ b/whitechapel/vendor/google/mediaprovider.te
@@ -1 +1,2 @@
dontaudit mediaprovider sysfs_vendor_sched:dir search;
+dontaudit mediaprovider sysfs_vendor_sched:file write;
diff --git a/whitechapel/vendor/google/ofl_app.te b/whitechapel/vendor/google/ofl_app.te
index e3f6140..a949816 100644
--- a/whitechapel/vendor/google/ofl_app.te
+++ b/whitechapel/vendor/google/ofl_app.te
@@ -11,7 +11,10 @@
allow ofl_app radio_service:service_manager find;
allow ofl_app surfaceflinger_service:service_manager find;
- # Access to directly update firmware on secure_element
- typeattribute secure_element_device mlstrustedobject;
- allow ofl_app secure_element_device:chr_file rw_file_perms;
+ # Access to directly update firmware on st54spi_device
+ typeattribute st54spi_device mlstrustedobject;
+ allow ofl_app st54spi_device:chr_file rw_file_perms;
+ # Access to directly update firmware on st33spi_device
+ typeattribute st33spi_device mlstrustedobject;
+ allow ofl_app st33spi_device:chr_file rw_file_perms;
')
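Review bot: `typeattribute st54spi_device mlstrustedobject;` and `typeattribute st33spi_device mlstrustedobject;` are declared here and again in euiccpixel_app.te, so the MLS exemption on the secure-element nodes is set in two app policy files rather than once where the types are defined. The macro that encloses these lines opens outside the hunk. In euiccpixel_app.te the block is `userdebug_or_eng`, and if this one is not build-gated then the exemption applies on user builds too. Consider moving the attribute to device.te behind a single explicit guard, with a comment such as `# SE firmware updaters run at an app MLS level; the node must be MLS-exempt for them to open it`. It is also worth confirming that ofl_app needs both chips, now that the HAL domains are split per device.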
diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te
index 96bd932..f0cca68 100644
--- a/whitechapel/vendor/google/pixelstats_vendor.te
+++ b/whitechapel/vendor/google/pixelstats_vendor.te
@@ -1,9 +1,3 @@
-# pixelstats vendor
-type pixelstats_vendor, domain;
-
-type pixelstats_vendor_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(pixelstats_vendor)
-
unix_socket_connect(pixelstats_vendor, chre, chre)
get_prop(pixelstats_vendor, hwservicemanager_prop)
diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts
index 18a6059..ac82914 100644
--- a/whitechapel/vendor/google/property_contexts
+++ b/whitechapel/vendor/google/property_contexts
@@ -60,6 +60,7 @@
vendor.audiodump.log.ondemand u:object_r:vendor_audio_prop:s0
vendor.audiodump.log.config u:object_r:vendor_audio_prop:s0
vendor.audiodump.output.dir u:object_r:vendor_audio_prop:s0
+vendor.audiodump.encode.disable u:object_r:vendor_audio_prop:s0
# for display
diff --git a/whitechapel/vendor/google/recovery.te b/whitechapel/vendor/google/recovery.te
index 4687a43..1974ebb 100644
--- a/whitechapel/vendor/google/recovery.te
+++ b/whitechapel/vendor/google/recovery.te
@@ -1,4 +1,4 @@
recovery_only(`
allow recovery sysfs_ota:file rw_file_perms;
- allow recovery secure_element_device:chr_file rw_file_perms;
+ allow recovery st54spi_device:chr_file rw_file_perms;
')
diff --git a/whitechapel/vendor/google/shell.te b/whitechapel/vendor/google/shell.te
index aa4dfa4..abc2f2c 100644
--- a/whitechapel/vendor/google/shell.te
+++ b/whitechapel/vendor/google/shell.te
@@ -7,3 +7,4 @@
')
dontaudit shell sysfs_vendor_sched:dir search;
+dontaudit shell sysfs_vendor_sched:file write;
diff --git a/whitechapel/vendor/google/untrusted_app_all.te b/whitechapel/vendor/google/untrusted_app_all.te
index 04229ff..dda8154 100644
--- a/whitechapel/vendor/google/untrusted_app_all.te
+++ b/whitechapel/vendor/google/untrusted_app_all.te
@@ -3,3 +3,4 @@
allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms;
dontaudit untrusted_app_all sysfs_vendor_sched:dir search;
+dontaudit untrusted_app_all sysfs_vendor_sched:file write;
diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te
index c1db5e4..321da07 100644
--- a/whitechapel/vendor/google/vendor_init.te
+++ b/whitechapel/vendor/google/vendor_init.te
@@ -18,6 +18,7 @@
allow vendor_init proc_sched:file write;
allow vendor_init bootdevice_sysdev:file create_file_perms;
allow vendor_init block_device:lnk_file setattr;
+allow vendor_init sysfs_st33spi:file w_file_perms;
userdebug_or_eng(`
set_prop(vendor_init, logpersistd_logging_prop)