Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/private/file_contexts2
-rw-r--r--sepolicy/public/attributes3
-rw-r--r--sepolicy/public/property.te5
-rw-r--r--sepolicy/public/property_contexts6
-rw-r--r--sepolicy/vendor/adsprpcd.te1
-rw-r--r--sepolicy/vendor/app.te1
-rw-r--r--sepolicy/vendor/batterysecret.te49
-rw-r--r--sepolicy/vendor/device.te8
-rw-r--r--sepolicy/vendor/file.te17
-rw-r--r--sepolicy/vendor/file_contexts56
-rw-r--r--sepolicy/vendor/genfs_contexts58
-rw-r--r--sepolicy/vendor/hal_audio_default.te13
-rw-r--r--sepolicy/vendor/hal_bluetooth_default.te6
-rw-r--r--sepolicy/vendor/hal_bootctl_default.te1
-rw-r--r--sepolicy/vendor/hal_camera_default.te2
-rw-r--r--sepolicy/vendor/hal_fingerprint_default.te37
-rw-r--r--sepolicy/vendor/hal_health_default.te2
-rw-r--r--sepolicy/vendor/hal_ir_default.te1
-rw-r--r--sepolicy/vendor/hal_mlipay.te22
-rw-r--r--sepolicy/vendor/hal_nfc_default.te2
-rw-r--r--sepolicy/vendor/hal_perf_default.te5
-rw-r--r--sepolicy/vendor/hal_power_default.te3
-rw-r--r--sepolicy/vendor/hal_sensors_default.te10
-rw-r--r--sepolicy/vendor/hal_wifi_default.te1
-rw-r--r--sepolicy/vendor/hwservice_contexts15
-rw-r--r--sepolicy/vendor/mi_thermald.te35
-rw-r--r--sepolicy/vendor/property.te5
-rw-r--r--sepolicy/vendor/property_contexts26
-rw-r--r--sepolicy/vendor/qti_init_shell.te1
-rw-r--r--sepolicy/vendor/recovery.te1
-rw-r--r--sepolicy/vendor/sensors.te1
-rw-r--r--sepolicy/vendor/system_app.te2
-rw-r--r--sepolicy/vendor/tee.te2
-rw-r--r--sepolicy/vendor/thermal-engine.te11
-rw-r--r--sepolicy/vendor/vendor_modprobe.te4
-rw-r--r--sepolicy/vendor/vendor_qti_init_shell.te4
36 files changed, 418 insertions, 0 deletions
diff --git a/sepolicy/private/file_contexts b/sepolicy/private/file_contexts
new file mode 100644
index 0000000..3ffbc81
--- /dev/null
+++ b/sepolicy/private/file_contexts
@@ -0,0 +1,2 @@
+# Dev nodes
+/dev/stune(/.*)? u:object_r:cgroup:s0
diff --git a/sepolicy/public/attributes b/sepolicy/public/attributes
new file mode 100644
index 0000000..c5a79e7
--- /dev/null
+++ b/sepolicy/public/attributes
@@ -0,0 +1,3 @@
+attribute hal_mlipay;
+attribute hal_mlipay_client;
+attribute hal_mlipay_server;
diff --git a/sepolicy/public/property.te b/sepolicy/public/property.te
new file mode 100644
index 0000000..72d3996
--- /dev/null
+++ b/sepolicy/public/property.te
@@ -0,0 +1,5 @@
+# Fingerprint
+vendor_public_prop(vendor_fp_prop)
+
+# Mlipay
+vendor_public_prop(vendor_mlipay_prop)
diff --git a/sepolicy/public/property_contexts b/sepolicy/public/property_contexts
new file mode 100644
index 0000000..3d3b2d6
--- /dev/null
+++ b/sepolicy/public/property_contexts
@@ -0,0 +1,6 @@
+# Camera
+camera. u:object_r:vendor_camera_prop:s0
+
+# Fingerprint
+sys.fp.vendor u:object_r:vendor_fp_prop:s0
+
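Review bot: `sys.fp.vendor` is a property in the system `sys.` namespace labelled with a vendor property type; the Treble property-namespace checks expect vendor-owned properties under `vendor.`, `persist.vendor.` or `ro.vendor.`, and the vendor-side contexts in this same change already map `persist.vendor.sys.fp.` to `vendor_fp_prop`, so consider whether this public entry is still needed. `camera.` is a very broad prefix that captures every property starting with those characters, not only the vendor's; narrowing it, or moving it to the vendor contexts next to `persist.camera.`, keeps the public policy minimal. The hunk also ends with a stray blank line.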
diff --git a/sepolicy/vendor/adsprpcd.te b/sepolicy/vendor/adsprpcd.te
new file mode 100644
index 0000000..58fe3e7
--- /dev/null
+++ b/sepolicy/vendor/adsprpcd.te
@@ -0,0 +1 @@
+r_dir_file(vendor_adsprpcd, vendor_sysfs_graphics)
diff --git a/sepolicy/vendor/app.te b/sepolicy/vendor/app.te
new file mode 100644
index 0000000..60325ab
--- /dev/null
+++ b/sepolicy/vendor/app.te
@@ -0,0 +1 @@
+get_prop({ appdomain -isolated_app }, vendor_mlipay_prop)
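Review bot: `get_prop({ appdomain -isolated_app }, vendor_mlipay_prop)` exposes everything under `persist.vendor.sys.pay.` and `persist.vendor.sys.provision.status` to all app domains, including untrusted third-party apps. If only the payment app needs them, scope the rule to that domain (or to `platform_app`/`system_app`); if the broad grant is intentional, justify it in a comment such as `# Pay apps read provisioning status; these props carry no secrets` — the diff does not show what these properties hold.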
diff --git a/sepolicy/vendor/batterysecret.te b/sepolicy/vendor/batterysecret.te
new file mode 100644
index 0000000..b55fc19
--- /dev/null
+++ b/sepolicy/vendor/batterysecret.te
@@ -0,0 +1,49 @@
+type batterysecret, domain;
+type batterysecret_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(batterysecret)
+
+r_dir_file(batterysecret, cgroup)
+r_dir_file(batterysecret, mnt_vendor_file)
+r_dir_file(batterysecret, vendor_sysfs_battery_supply)
+r_dir_file(batterysecret, sysfs_batteryinfo)
+r_dir_file(batterysecret, sysfs_type)
+r_dir_file(batterysecret, vendor_sysfs_usb_supply)
+r_dir_file(batterysecret, vendor_sysfs_usbpd_device)
+
+allow batterysecret {
+ mnt_vendor_file
+ persist_subsys_file
+ rootfs
+}:dir rw_dir_perms;
+
+allow batterysecret {
+ persist_subsys_file
+ sysfs
+ vendor_sysfs_battery_supply
+ sysfs_usb
+ vendor_sysfs_usb_supply
+ vendor_sysfs_usbpd_device
+}:file w_file_perms;
+
+allow batterysecret kmsg_device:chr_file rw_file_perms;
+
+allow batterysecret self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+allow batterysecret self:global_capability_class_set {
+ sys_tty_config
+ sys_boot
+};
+
+allow batterysecret self:capability {
+ chown
+ fsetid
+};
+
+allow batterysecret {
+ system_suspend_hwservice
+ hidl_manager_hwservice
+}:hwservice_manager find;
+
+binder_call(batterysecret, system_suspend_server)
+
+wakelock_use(batterysecret) \ No newline at end of file
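Review bot: The `rootfs` entry in the `}:dir rw_dir_perms;` rule and the `sysfs` entry in the `}:file w_file_perms;` rule give this daemon write access to the root filesystem directory tree and to every sysfs node that still carries the default label, which is far broader than a battery helper should hold. Both look lifted from denial logs: the sysfs nodes should get a dedicated type in genfs_contexts (as the battery/usb supply nodes already have), and the rootfs dir write should be dropped unless you can name the path it creates, since rootfs is read-only on production builds and AOSP neverallows writing rootfs files. `sys_boot` lets the daemon reboot the device; a one-line comment naming the path that needs it would make that grant reviewable. The file also lacks a trailing newline.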
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
new file mode 100644
index 0000000..99f0186
--- /dev/null
+++ b/sepolicy/vendor/device.te
@@ -0,0 +1,8 @@
+# Audio device
+type sound_device, dev_type;
+
+# Fingerprint device
+type vendor_fingerprint_device, dev_type;
+
+# IR device
+type ir_spi_device, dev_type;
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
new file mode 100644
index 0000000..8faaa33
--- /dev/null
+++ b/sepolicy/vendor/file.te
@@ -0,0 +1,17 @@
+# Audio
+type audio_socket, file_type;
+
+# Battery
+type persist_subsys_file, vendor_persist_type, file_type;
+
+# Camera
+type camera_persist_file, vendor_persist_type, file_type;
+
+# Fingerprint
+type vendor_fingerprint_data_file, data_file_type, file_type;
+
+# Thermal
+type thermal_data_file, data_file_type, file_type;
+
+# Touchpanel
+type proc_touchpanel, fs_type, proc_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
new file mode 100644
index 0000000..7afaa3a
--- /dev/null
+++ b/sepolicy/vendor/file_contexts
@@ -0,0 +1,56 @@
+ # Audio
+/dev/socket/audio_hw_socket u:object_r:audio_socket:s0
+/dev/elliptic(.*)? u:object_r:sound_device:s0
+/mnt/vendor/persist/audio/cali_test.bin u:object_r:vendor_persist_audio_file:s0
+/mnt/vendor/persist/audio/fsm_calib.bin u:object_r:vendor_persist_audio_file:s0
+/mnt/vendor/persist/audio/aw_cali.bin u:object_r:vendor_persist_audio_file:s0
+
+# Battery
+/vendor/bin/batterysecret u:object_r:batterysecret_exec:s0
+/mnt/vendor/persist/subsys(/.*)? u:object_r:persist_subsys_file:s0
+
+# Bluetooth
+/vendor/bin/init\.mi\.btmac\.sh u:object_r:vendor_qti_init_shell_exec:s0
+
+# Camera
+/mnt/vendor/persist/camera(/.*)? u:object_r:camera_persist_file:s0
+
+# Fingerprint
+/dev/goodix_fp u:object_r:vendor_fingerprint_device:s0
+/dev/silead_fp u:object_r:vendor_fingerprint_device:s0
+/dev/silead_s.* u:object_r:vendor_fingerprint_device:s0
+/dev/silead_stub u:object_r:vendor_fingerprint_device:s0
+/dev/spidev.* u:object_r:vendor_fingerprint_device:s0
+/mnt/vendor/persist/silead(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/mnt/vendor/persist/goodix(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/fpc(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/fpdump(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/goodix(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/goodix/gf_data(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/silead(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2.1-service\.xiaomi_holi u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/vendor\.silead\.hardware\.fingerprintext@1\.0-service u:object_r:hal_fingerprint_default_exec:s0
+
+# IR
+/dev/ir_spi u:object_r:ir_spi_device:s0
+
+# Mlipay
+/vendor/bin/mlipayd@1.1 u:object_r:hal_mlipay_default_exec:s0
+
+# NFC
+/dev/pn553 u:object_r:nfc_device:s0
+/dev/pn54x u:object_r:nfc_device:s0
+
+# Sensors
+/vendor/bin/hw/android\.hardware\.sensors@2.1-service\.xiaomi_holi-multihal u:object_r:hal_sensors_default_exec:s0
+
+# Thermal
+/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0
+/vendor/bin/mi_thermald u:object_r:mi_thermald_exec:s0
+
+# Vibrator
+/vendor/bin/hw/vendor\.qti\.hardware\.vibrator\.service\.xiaomi_holi u:object_r:hal_vibrator_default_exec:s0
+
+# Xiaomi MAC
+/data/vendor/mac_addr(/.*)? u:object_r:vendor_wifi_vendor_data_file:s0
+/data/vendor/wlan_logs(/.*)? u:object_r:vendor_wifi_vendor_data_file:s0
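Review bot: `/dev/spidev.* u:object_r:vendor_fingerprint_device:s0` labels every spidev node as the fingerprint sensor, so hal_fingerprint_default, which gets `rw_file_perms` on that type in this change, can talk to any SPI device exposed through spidev; if the sensor sits on a fixed bus, match that node exactly (e.g. `/dev/spidev0\.0`) or give it its own type. The `@2.1-service` fingerprint and sensors entries leave the dot unescaped while the silead entry escapes `@1\.0`; in a regex an unescaped `.` matches any character, so escape it for consistency. `/data/vendor/goodix/gf_data(/.*)?` is already covered by `/data/vendor/goodix(/.*)?` and can be dropped, and the `# Audio` comment carries a stray leading space.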
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
new file mode 100644
index 0000000..80aa773
--- /dev/null
+++ b/sepolicy/vendor/genfs_contexts
@@ -0,0 +1,58 @@
+# Battery
+genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/power_supply u:object_r:vendor_sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/power_supply/battery u:object_r:vendor_sysfs_battery_supply:s0
+
+# Fingerprint
+genfscon sysfs /devices/platform/soc/soc:fpc1020 u:object_r:vendor_sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:goodix_fp u:object_r:vendor_sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:silead_fp u:object_r:vendor_sysfs_fingerprint:s0
+
+# SSR
+genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
+genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
+genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
+genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
+
+# Touchpanel
+genfscon proc /tp_gesture u:object_r:proc_touchpanel:s0
+
+# Wakeup nodes
+genfscon sysfs /devices/platform/soc/soc:goodix_fp/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:silead_fp/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-adsp/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-modem/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4a80000.i2c/i2c-4/4-0066/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4a80000.i2c/i2c-4/4-0055/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4a80000.i2c/i2c-4/4-005a/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-0066/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-0028/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-004e/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-006a/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-cdsp/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys3/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,msm-audio-apr/soc:qcom,msm-audio-apr:qcom,q6core-audio/soc:qcom,msm-audio-apr:qcom,q6core-audio:bolero-cdc/va-macro/va_swr_ctrl/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/6000000.qcom,mss/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys2/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/b000000.qcom,turing/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys1/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4a84000.qcom,qup_uart/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:gpio_keys/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/subsys4/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1628000.qcom,msm-eud/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys5/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/5800000.qcom,ipa/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c800000.qcom,icnss/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p_sleepstate/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4e00000.ssusb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm6125@0:qcom,power-on@800/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-06/1c40000.qcom,spmi:qcom,pmk8350@0:rtc@6100/wakeup u:object_r:sysfs_wakeup:s0
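Review bot: The eight `# SSR` entries use `subsys[0-9]+` in their paths, but `genfscon` paths are literal prefixes with no regex support, so these lines will never label anything and the SSR nodes stay at the generic `sysfs` label. The wakeup entries in the same hunk already spell out the concrete indices (`lpass/subsys0`, `turing/subsys1`, `mss/subsys2`, `venus/subsys5`); write the SSR entries the same way, as below, and confirm the indices on the device since subsys numbering follows probe order.
```sepolicy
# SSR (genfscon paths are literal prefixes; no regex)
genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys0/name u:object_r:vendor_sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys0/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys1/name u:object_r:vendor_sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys1/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys2/name u:object_r:vendor_sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys2/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys5/name u:object_r:vendor_sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys5/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
# … unchanged: Battery, Fingerprint, Touchpanel and Wakeup entries …
```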
diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te
new file mode 100644
index 0000000..7e6e5a4
--- /dev/null
+++ b/sepolicy/vendor/hal_audio_default.te
@@ -0,0 +1,13 @@
+# Allow hal_audio_default to read vendor_persist_audio_file
+r_dir_file(hal_audio_default, vendor_persist_audio_file)
+
+r_dir_file(hal_audio_default, sysfs)
+
+binder_call(hal_audio_default, system_suspend_server)
+
+allow hal_audio_default system_suspend_hwservice:hwservice_manager find;
+
+set_prop(hal_audio_default, vendor_audio_prop)
+
+allow hal_audio_default audio_socket:sock_file rw_file_perms;
+allow hal_audio_default sound_device:chr_file rw_file_perms;
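Review bot: `r_dir_file(hal_audio_default, sysfs)` grants read of every sysfs node that carries the default label rather than the specific node the HAL needs; the genfs_contexts added in this change show how to give that node a dedicated type, and a comment naming it (like the one above the persist rule) would make the grant reviewable. The `audio_socket` and `sound_device` rules are already scoped to dedicated types; only the generic sysfs grant needs narrowing.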
diff --git a/sepolicy/vendor/hal_bluetooth_default.te b/sepolicy/vendor/hal_bluetooth_default.te
new file mode 100644
index 0000000..82c6ef2
--- /dev/null
+++ b/sepolicy/vendor/hal_bluetooth_default.te
@@ -0,0 +1,6 @@
+# Allow hal_bluetooth_default to read files in vendor_wifi_vendor_data_file
+r_dir_file(hal_bluetooth_default, vendor_wifi_vendor_data_file)
+allow hal_bluetooth_default vendor_wifi_vendor_data_file:dir rw_dir_perms;
+allow hal_bluetooth_default vendor_wifi_vendor_data_file:file create_file_perms;
+
+get_prop(hal_bluetooth_default, vendor_wifi_prop)
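Review bot: The comment says hal_bluetooth_default only reads `vendor_wifi_vendor_data_file`, but the next two lines grant `rw_dir_perms` and `create_file_perms`, so it can create and rewrite the MAC-address files under `/data/vendor/mac_addr`. If the HAL only consumes the address, drop the two `allow` lines and keep `r_dir_file`; if it genuinely writes there, the `r_dir_file` line is redundant (its permissions are a subset of the allows) and the comment should say what it writes.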
diff --git a/sepolicy/vendor/hal_bootctl_default.te b/sepolicy/vendor/hal_bootctl_default.te
new file mode 100644
index 0000000..e5c73b6
--- /dev/null
+++ b/sepolicy/vendor/hal_bootctl_default.te
@@ -0,0 +1 @@
+allow hal_bootctl_default vendor_uefi_block_device:blk_file getattr;
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
new file mode 100644
index 0000000..d97b6ee
--- /dev/null
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -0,0 +1,2 @@
+r_dir_file(hal_camera_default, camera_persist_file)
+set_prop(hal_camera_default, vendor_camera_sensor_prop)
diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te
new file mode 100644
index 0000000..55c920f
--- /dev/null
+++ b/sepolicy/vendor/hal_fingerprint_default.te
@@ -0,0 +1,37 @@
+# Binder
+allow hal_fingerprint_default vendor_hal_perf_default:binder call;
+allow hal_fingerprint_default vendor_hal_perf_hwservice:hwservice_manager find;
+
+# Props
+set_prop(hal_fingerprint_default, vendor_fp_prop)
+get_prop(system_server, vendor_fp_prop);
+
+# Sysfs
+allow hal_fingerprint_default {
+ sysfs_rtc
+ vendor_sysfs_fingerprint
+ vendor_sysfs_spss
+}: file rw_file_perms;
+
+allow hal_fingerprint_default {
+ input_device
+ sysfs_rtc
+ vendor_sysfs_fingerprint
+ vendor_sysfs_spss
+}: dir r_dir_perms;
+
+# Dev nodes
+allow hal_fingerprint_default {
+ input_device
+ tee_device
+ uhid_device
+ vendor_fingerprint_device
+}: chr_file rw_file_perms;
+
+# Data
+allow hal_fingerprint_default vendor_fingerprint_data_file:dir rw_dir_perms;
+allow hal_fingerprint_default vendor_fingerprint_data_file:file create_file_perms;
+
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+
+r_dir_file(hal_fingerprint_default, firmware_file)
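Review bot: `get_prop(system_server, vendor_fp_prop);` is a rule on a core system domain placed in vendor policy; under the Treble split vendor policy should not reference `system_server`, and the rule belongs in `sepolicy/private/` next to the `vendor_public_prop(vendor_fp_prop)` declaration that exists to permit exactly this. The trailing `;` after the macro is not used on the `set_prop` line above and is at best a no-op; drop it. The `input_device`/`uhid_device` chr_file write access lets the HAL inject input events — if that is only needed for navigation gestures on one of the three sensors, a comment saying so would help.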
diff --git a/sepolicy/vendor/hal_health_default.te b/sepolicy/vendor/hal_health_default.te
new file mode 100644
index 0000000..6cecf70
--- /dev/null
+++ b/sepolicy/vendor/hal_health_default.te
@@ -0,0 +1,2 @@
+allow hal_health_default sysfs_wakeup:dir r_dir_perms;
+allow hal_health_default sysfs_wakeup:file r_file_perms;
diff --git a/sepolicy/vendor/hal_ir_default.te b/sepolicy/vendor/hal_ir_default.te
new file mode 100644
index 0000000..46663b7
--- /dev/null
+++ b/sepolicy/vendor/hal_ir_default.te
@@ -0,0 +1 @@
+allow hal_ir_default ir_spi_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/hal_mlipay.te b/sepolicy/vendor/hal_mlipay.te
new file mode 100644
index 0000000..5f4787f
--- /dev/null
+++ b/sepolicy/vendor/hal_mlipay.te
@@ -0,0 +1,22 @@
+type hal_mlipay_hwservice, hwservice_manager_type;
+
+type hal_mlipay_default, domain;
+hal_server_domain(hal_mlipay_default, hal_mlipay)
+
+type hal_mlipay_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_mlipay_default)
+
+# Allow hwbinder call from hal client to server
+binder_call(hal_mlipay_client, hal_mlipay_server)
+
+# Add hwservice related rules
+add_hwservice(hal_mlipay_server, hal_mlipay_hwservice)
+allow hal_mlipay_client hal_mlipay_hwservice:hwservice_manager find;
+
+allow hal_mlipay_default tee_device:chr_file rw_file_perms;
+allow hal_mlipay_default ion_device:chr_file r_file_perms;
+
+r_dir_file(hal_mlipay_default, firmware_file)
+set_prop(hal_mlipay_default, vendor_mlipay_prop);
+
+get_prop(hal_mlipay_default, vendor_fp_prop)
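Review bot: `type hal_mlipay_hwservice, hwservice_manager_type;` lacks `protected_hwservice`; AOSP's own hwservice types carry that attribute in addition, and without it the base policy treats the service as one untrusted apps may be allowed to find. Unless third-party apps are meant to reach `IMlipayService` directly, declare it `type hal_mlipay_hwservice, hwservice_manager_type, protected_hwservice;`. No `hal_client_domain(..., hal_mlipay)` appears in this change, so nothing can currently find the service; presumably the client is attributed elsewhere, but a comment naming it would help. Also drop the stray `;` after `set_prop(...)` for consistency with the `get_prop` line below.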
diff --git a/sepolicy/vendor/hal_nfc_default.te b/sepolicy/vendor/hal_nfc_default.te
new file mode 100644
index 0000000..9486137
--- /dev/null
+++ b/sepolicy/vendor/hal_nfc_default.te
@@ -0,0 +1,2 @@
+allow hal_nfc_default vendor_nfc_vendor_data_file:dir create_dir_perms;
+allow hal_nfc_default vendor_nfc_vendor_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/hal_perf_default.te b/sepolicy/vendor/hal_perf_default.te
new file mode 100644
index 0000000..5d19e84
--- /dev/null
+++ b/sepolicy/vendor/hal_perf_default.te
@@ -0,0 +1,5 @@
+allow vendor_hal_perf_default hal_audio_default:dir r_dir_perms;
+allow vendor_hal_perf_default hal_audio_default:file r_file_perms;
+allow vendor_hal_perf_default hal_fingerprint_default:dir r_dir_perms;
+allow vendor_hal_perf_default hal_fingerprint_default:file r_file_perms;
+allow vendor_hal_perf_default hal_camera_default:dir r_dir_perms;
diff --git a/sepolicy/vendor/hal_power_default.te b/sepolicy/vendor/hal_power_default.te
new file mode 100644
index 0000000..d9ef52d
--- /dev/null
+++ b/sepolicy/vendor/hal_power_default.te
@@ -0,0 +1,3 @@
+# Allow hal_power_default to write to dt2w node
+allow hal_power_default proc_touchpanel:dir search;
+allow hal_power_default proc_touchpanel:file rw_file_perms;
diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te
new file mode 100644
index 0000000..1d3339e
--- /dev/null
+++ b/sepolicy/vendor/hal_sensors_default.te
@@ -0,0 +1,10 @@
+binder_call(hal_sensors_default, hal_audio_default)
+
+hal_client_domain(hal_sensors_default, hal_audio)
+
+allow hal_sensors_default audio_socket:sock_file rw_file_perms;
+allow hal_sensors_default socket_device:sock_file rw_file_perms;
+allow hal_sensors_default sound_device:chr_file rw_file_perms;
+allow hal_sensors_default iio_device:chr_file rw_file_perms;
+
+get_prop(hal_sensors_default, vendor_adsprpc_prop)
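Review bot: `allow hal_sensors_default socket_device:sock_file rw_file_perms;` targets the generic `/dev/socket` label, i.e. any socket without a dedicated type, while the line above already grants the labelled `audio_socket`; label the remaining socket it needs (the file_contexts in this change shows the pattern) and drop the generic rule. `binder_call(hal_sensors_default, hal_audio_default)` is likely redundant with `hal_client_domain(hal_sensors_default, hal_audio)`, which already grants binder_call to the hal_audio server attribute — confirm and remove one.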
diff --git a/sepolicy/vendor/hal_wifi_default.te b/sepolicy/vendor/hal_wifi_default.te
new file mode 100644
index 0000000..c6580df
--- /dev/null
+++ b/sepolicy/vendor/hal_wifi_default.te
@@ -0,0 +1 @@
+allow hal_wifi_default self:capability sys_module;
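Review bot: `allow hal_wifi_default self:capability sys_module;` hands CAP_SYS_MODULE to the Wi-Fi HAL, which together with a `module_load` grant is enough to load arbitrary kernel modules, turning a HAL compromise into a kernel one. This same change sets up `vendor_modprobe` with `sys_module` and `module_load` on vendor files; load the Wi-Fi driver through that path from init and drop this rule. If the HAL genuinely must load the driver itself, document why in a comment above the rule.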
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
new file mode 100644
index 0000000..7af07e3
--- /dev/null
+++ b/sepolicy/vendor/hwservice_contexts
@@ -0,0 +1,15 @@
+# Fingerprint
+com.fingerprints.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintNavigation u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintEngineering u:object_r:hal_fingerprint_hwservice:s0
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_hwservice:s0
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemonExt u:object_r:hal_fingerprint_hwservice:s0
+vendor.silead.hardware.fingerprintext::ISileadFingerprint u:object_r:hal_fingerprint_hwservice:s0
+vendor.xiaomi.hardware.fingerprintextension::IXiaomiFingerprint u:object_r:hal_fingerprint_hwservice:s0
+
+# Mlipay
+vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0
+
+# NFC
+vendor.nxp.nxpnfc::INxpNfc u:object_r:hal_nfc_hwservice:s0
+vendor.nxp.nxpnfclegacy::INxpNfcLegacy u:object_r:hal_nfc_hwservice:s0
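Review bot: `IFingerprintSensorTest` and `IFingerprintEngineering` are test/engineering interfaces but are labelled `hal_fingerprint_hwservice`, the same type as the production HAL, so every domain allowed to find the fingerprint HAL can also find these. If they are only needed by a factory or test tool, give them a dedicated type (e.g. `hal_fingerprint_test_hwservice`) and allow only that tool to find it; if they are intentionally reachable on production builds, a comment saying so would help the next reviewer.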
diff --git a/sepolicy/vendor/mi_thermald.te b/sepolicy/vendor/mi_thermald.te
new file mode 100644
index 0000000..4209b38
--- /dev/null
+++ b/sepolicy/vendor/mi_thermald.te
@@ -0,0 +1,35 @@
+type mi_thermald, domain;
+type mi_thermald_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mi_thermald)
+
+set_prop(mi_thermald, vendor_thermal_normal_prop)
+
+allow mi_thermald thermal_data_file:dir rw_dir_perms;
+allow mi_thermald thermal_data_file:file create_file_perms;
+
+allow mi_thermald self:capability { fsetid sys_boot };
+allow mi_thermald mi_thermald:capability { chown fowner };
+allow mi_thermald mi_thermald:capability2 { wake_alarm block_suspend };
+
+allow mi_thermald sysfs_devices_system_cpu:file rw_file_perms;
+
+r_dir_file(mi_thermald, sysfs_thermal)
+allow mi_thermald sysfs_thermal:file w_file_perms;
+
+r_dir_file(mi_thermald, sysfs)
+allow mi_thermald sysfs:file w_file_perms;
+
+r_dir_file(mi_thermald, sysfs_leds)
+
+allow mi_thermald vendor_sysfs_kgsl:dir r_dir_perms;
+allow mi_thermald vendor_sysfs_kgsl:file rw_file_perms;
+allow mi_thermald vendor_sysfs_kgsl:lnk_file r_file_perms;
+
+allow mi_thermald vendor_sysfs_battery_supply:dir r_dir_perms;
+allow mi_thermald vendor_sysfs_battery_supply:file rw_file_perms;
+allow mi_thermald vendor_sysfs_battery_supply:lnk_file r_file_perms;
+
+allow mi_thermald vendor_sysfs_graphics:dir r_dir_perms;
+allow mi_thermald vendor_sysfs_graphics:file rw_file_perms;
+allow mi_thermald vendor_sysfs_graphics:lnk_file r_file_perms; \ No newline at end of file
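Review bot: `r_dir_file(mi_thermald, sysfs)` plus `allow mi_thermald sysfs:file w_file_perms;` give the daemon write access to every sysfs node that still carries the default label, on top of the already-labelled thermal, cpu, kgsl, battery and graphics types granted below. Find the nodes that produced the denial, label them in genfs_contexts and drop the generic pair. `sys_boot` lets the daemon reboot the device and deserves a one-line comment naming the over-temperature path that uses it; `allow mi_thermald mi_thermald:capability { chown fowner };` should be written `self:capability` like the line above and the three capability rules merged. The file also lacks a trailing newline.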
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
new file mode 100644
index 0000000..d647ff7
--- /dev/null
+++ b/sepolicy/vendor/property.te
@@ -0,0 +1,5 @@
+# Camera
+vendor_internal_prop(vendor_camera_sensor_prop);
+
+# Thermal
+vendor_internal_prop(vendor_thermal_normal_prop);
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
new file mode 100644
index 0000000..00a5068
--- /dev/null
+++ b/sepolicy/vendor/property_contexts
@@ -0,0 +1,26 @@
+# Camera
+persist.camera. u:object_r:vendor_camera_prop:s0
+ro.boot.camera.config u:object_r:vendor_camera_sensor_prop:s0
+vendor.camera.config. u:object_r:vendor_camera_sensor_prop:s0
+
+# Fingerprint
+persist.vendor.sys.fp. u:object_r:vendor_fp_prop:s0
+ro.hardware.fp. u:object_r:vendor_fp_prop:s0
+vendor.fps_hal. u:object_r:vendor_fp_prop:s0
+vendor.silead.fp.ext. u:object_r:vendor_fp_prop:s0
+
+# Mlipay
+persist.vendor.sys.pay. u:object_r:vendor_mlipay_prop:s0
+persist.vendor.sys.provision.status u:object_r:vendor_mlipay_prop:s0
+
+# RIL
+odm.ril.radio.status. u:object_r:vendor_radio_prop:s0
+odm.ril.radio.status.sim1 u:object_r:vendor_radio_prop:s0
+odm.ril.radio.status.sim2 u:object_r:vendor_radio_prop:s0
+
+# Thermal
+vendor.sys.thermal. u:object_r:vendor_thermal_normal_prop:s0
+
+# Wi-Fi
+ro.vendor.ril.oem.btmac u:object_r:vendor_wifi_prop:s0
+ro.vendor.ril.oem.wifimac u:object_r:vendor_wifi_prop:s0
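Review bot: `odm.ril.radio.status.sim1` and `.sim2` are already matched by the `odm.ril.radio.status.` prefix on the line above, so both entries are redundant. `ro.vendor.ril.oem.btmac` holds the Bluetooth MAC but sits under `# Wi-Fi` and is labelled `vendor_wifi_prop`, which is what hal_bluetooth_default reads in this change; that works, but labelling it with `vendor_bluetooth_prop` (the type vendor_qti_init_shell already sets here) keeps the two radios' identifiers separately grantable. `persist.vendor.sys.provision.status` has no `exact` qualifier and so is a prefix match; add `exact` if only that one key is meant.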
diff --git a/sepolicy/vendor/qti_init_shell.te b/sepolicy/vendor/qti_init_shell.te
new file mode 100644
index 0000000..0d6641f
--- /dev/null
+++ b/sepolicy/vendor/qti_init_shell.te
@@ -0,0 +1 @@
+allow vendor_qti_init_shell proc_page_cluster:file rw_file_perms;
diff --git a/sepolicy/vendor/recovery.te b/sepolicy/vendor/recovery.te
new file mode 100644
index 0000000..afc4845
--- /dev/null
+++ b/sepolicy/vendor/recovery.te
@@ -0,0 +1 @@
+allow recovery pstorefs:dir r_dir_perms;
diff --git a/sepolicy/vendor/sensors.te b/sepolicy/vendor/sensors.te
new file mode 100644
index 0000000..0b0d84d
--- /dev/null
+++ b/sepolicy/vendor/sensors.te
@@ -0,0 +1 @@
+r_dir_file(vendor_sensors, vendor_sysfs_graphics)
diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te
new file mode 100644
index 0000000..e33161e
--- /dev/null
+++ b/sepolicy/vendor/system_app.te
@@ -0,0 +1,2 @@
+# Xiaomi Parts
+allow system_app sysfs_thermal:file rw_file_perms; \ No newline at end of file
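Review bot: `allow system_app sysfs_thermal:file rw_file_perms;` lets a core system app write the thermal sysfs nodes directly, bypassing the thermal HAL and the mi_thermald domain this change sets up for that purpose. If the Xiaomi Parts app only reads, drop to `r_file_perms`; if it must write, this rule belongs on the system side of the split and a dedicated type for the specific node is preferable to all of `sysfs_thermal`. The file is also missing its trailing newline.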
diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te
new file mode 100644
index 0000000..d2556fb
--- /dev/null
+++ b/sepolicy/vendor/tee.te
@@ -0,0 +1,2 @@
+allow tee vendor_fingerprint_data_file:dir create_dir_perms;
+allow tee vendor_fingerprint_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/thermal-engine.te b/sepolicy/vendor/thermal-engine.te
new file mode 100644
index 0000000..6e59f5b
--- /dev/null
+++ b/sepolicy/vendor/thermal-engine.te
@@ -0,0 +1,11 @@
+allow vendor_thermal-engine {
+ vendor_sysfs_devfreq
+ thermal_data_file
+}:dir r_dir_perms;
+
+allow vendor_thermal-engine vendor_sysfs_devfreq:file rw_file_perms;
+
+# Rule for vendor_thermal-engine to access init process
+unix_socket_connect(vendor_thermal-engine, property, init);
+
+set_prop(vendor_thermal-engine, vendor_thermal_normal_prop) \ No newline at end of file
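Review bot: `unix_socket_connect(vendor_thermal-engine, property, init);` is redundant: the `set_prop(...)` macro two lines below expands to that same property-socket connect plus the `property_service set`, and the comment "access init process" misdescribes what it grants. Drop the line and its comment, remove the trailing `;`, and add the missing trailing newline.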
diff --git a/sepolicy/vendor/vendor_modprobe.te b/sepolicy/vendor/vendor_modprobe.te
new file mode 100644
index 0000000..4a6f93e
--- /dev/null
+++ b/sepolicy/vendor/vendor_modprobe.te
@@ -0,0 +1,4 @@
+allow vendor_modprobe self:capability sys_module;
+allow vendor_modprobe self:cap_userns sys_module;
+allow vendor_modprobe vendor_file:system module_load;
+r_dir_file(vendor_modprobe, vendor_file)
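Review bot: `allow vendor_modprobe vendor_file:system module_load;` permits loading any file labelled `vendor_file` as a kernel module; if the base policy you build against provides a dedicated type for `/vendor/lib/modules` (AOSP labels it `vendor_kernel_modules`), use that instead so a mislabelled vendor file cannot be passed to finit_module. `self:cap_userns sys_module` is unusual — CAP_SYS_MODULE inside a user namespace does not permit module loading — and looks copied from a denial rather than a need; confirm and drop it. If your base already ships a vendor_modprobe domain, check these rules are not duplicates of its own.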
diff --git a/sepolicy/vendor/vendor_qti_init_shell.te b/sepolicy/vendor/vendor_qti_init_shell.te
new file mode 100644
index 0000000..1b25678
--- /dev/null
+++ b/sepolicy/vendor/vendor_qti_init_shell.te
@@ -0,0 +1,4 @@
+# allow init.mi.btmac.sh to read hex-encoded mac address and set it
+allow vendor_qti_init_shell vendor_bluetooth_prop:property_service set;
+allow vendor_qti_init_shell vendor_wifi_vendor_data_file:dir search;
+allow vendor_qti_init_shell vendor_wifi_vendor_data_file:file r_file_perms;
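Review bot: `allow vendor_qti_init_shell vendor_bluetooth_prop:property_service set;` is a raw allow where the rest of this change uses the `set_prop()` macro; write it as `set_prop(vendor_qti_init_shell, vendor_bluetooth_prop)` so the property-socket connect rule comes with it. These rules also belong in `qti_init_shell.te`, which this same change creates for the same domain; two files for one domain is confusing and should be merged.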