From 44d5c9e2cf9f1ce0670be5bedd1e415cd5c3e739 Mon Sep 17 00:00:00 2001
From: kleidione Freitas <kleidione@gmail.com>
Date: Thu, 24 Mar 2022 09:16:43 -0300
Subject: veux: Merge common tree to veux

- Ref:
  https://github.com/xiaomi-sm6375-devs/android_device_xiaomi_sm6375-common

Signed-off-by: kleidione <kleidione@gmail.com>
---
 sepolicy/vendor/adsprpcd.te                |  1 +
 sepolicy/vendor/app.te                     |  1 +
 sepolicy/vendor/batterysecret.te           | 49 +++++++++++++++++++++++++
 sepolicy/vendor/device.te                  |  8 +++++
 sepolicy/vendor/file.te                    | 17 +++++++++
 sepolicy/vendor/file_contexts              | 56 +++++++++++++++++++++++++++++
 sepolicy/vendor/genfs_contexts             | 58 ++++++++++++++++++++++++++++++
 sepolicy/vendor/hal_audio_default.te       | 13 +++++++
 sepolicy/vendor/hal_bluetooth_default.te   |  6 ++++
 sepolicy/vendor/hal_bootctl_default.te     |  1 +
 sepolicy/vendor/hal_camera_default.te      |  2 ++
 sepolicy/vendor/hal_fingerprint_default.te | 37 +++++++++++++++++++
 sepolicy/vendor/hal_health_default.te      |  2 ++
 sepolicy/vendor/hal_ir_default.te          |  1 +
 sepolicy/vendor/hal_mlipay.te              | 22 ++++++++++++
 sepolicy/vendor/hal_nfc_default.te         |  2 ++
 sepolicy/vendor/hal_perf_default.te        |  5 +++
 sepolicy/vendor/hal_power_default.te       |  3 ++
 sepolicy/vendor/hal_sensors_default.te     | 10 ++++++
 sepolicy/vendor/hal_wifi_default.te        |  1 +
 sepolicy/vendor/hwservice_contexts         | 15 ++++++++
 sepolicy/vendor/mi_thermald.te             | 35 ++++++++++++++++++
 sepolicy/vendor/property.te                |  5 +++
 sepolicy/vendor/property_contexts          | 26 ++++++++++++++
 sepolicy/vendor/qti_init_shell.te          |  1 +
 sepolicy/vendor/recovery.te                |  1 +
 sepolicy/vendor/sensors.te                 |  1 +
 sepolicy/vendor/system_app.te              |  2 ++
 sepolicy/vendor/tee.te                     |  2 ++
 sepolicy/vendor/thermal-engine.te          | 11 ++++++
 sepolicy/vendor/vendor_modprobe.te         |  4 +++
 sepolicy/vendor/vendor_qti_init_shell.te   |  4 +++
 32 files changed, 402 insertions(+)
 create mode 100644 sepolicy/vendor/adsprpcd.te
 create mode 100644 sepolicy/vendor/app.te
 create mode 100644 sepolicy/vendor/batterysecret.te
 create mode 100644 sepolicy/vendor/device.te
 create mode 100644 sepolicy/vendor/file.te
 create mode 100644 sepolicy/vendor/file_contexts
 create mode 100644 sepolicy/vendor/genfs_contexts
 create mode 100644 sepolicy/vendor/hal_audio_default.te
 create mode 100644 sepolicy/vendor/hal_bluetooth_default.te
 create mode 100644 sepolicy/vendor/hal_bootctl_default.te
 create mode 100644 sepolicy/vendor/hal_camera_default.te
 create mode 100644 sepolicy/vendor/hal_fingerprint_default.te
 create mode 100644 sepolicy/vendor/hal_health_default.te
 create mode 100644 sepolicy/vendor/hal_ir_default.te
 create mode 100644 sepolicy/vendor/hal_mlipay.te
 create mode 100644 sepolicy/vendor/hal_nfc_default.te
 create mode 100644 sepolicy/vendor/hal_perf_default.te
 create mode 100644 sepolicy/vendor/hal_power_default.te
 create mode 100644 sepolicy/vendor/hal_sensors_default.te
 create mode 100644 sepolicy/vendor/hal_wifi_default.te
 create mode 100644 sepolicy/vendor/hwservice_contexts
 create mode 100644 sepolicy/vendor/mi_thermald.te
 create mode 100644 sepolicy/vendor/property.te
 create mode 100644 sepolicy/vendor/property_contexts
 create mode 100644 sepolicy/vendor/qti_init_shell.te
 create mode 100644 sepolicy/vendor/recovery.te
 create mode 100644 sepolicy/vendor/sensors.te
 create mode 100644 sepolicy/vendor/system_app.te
 create mode 100644 sepolicy/vendor/tee.te
 create mode 100644 sepolicy/vendor/thermal-engine.te
 create mode 100644 sepolicy/vendor/vendor_modprobe.te
 create mode 100644 sepolicy/vendor/vendor_qti_init_shell.te

(limited to 'sepolicy/vendor')

diff --git a/sepolicy/vendor/adsprpcd.te b/sepolicy/vendor/adsprpcd.te
new file mode 100644
index 0000000..58fe3e7
--- /dev/null
+++ b/sepolicy/vendor/adsprpcd.te
@@ -0,0 +1 @@
+r_dir_file(vendor_adsprpcd, vendor_sysfs_graphics)
diff --git a/sepolicy/vendor/app.te b/sepolicy/vendor/app.te
new file mode 100644
index 0000000..60325ab
--- /dev/null
+++ b/sepolicy/vendor/app.te
@@ -0,0 +1 @@
+get_prop({ appdomain -isolated_app }, vendor_mlipay_prop)
diff --git a/sepolicy/vendor/batterysecret.te b/sepolicy/vendor/batterysecret.te
new file mode 100644
index 0000000..b55fc19
--- /dev/null
+++ b/sepolicy/vendor/batterysecret.te
@@ -0,0 +1,49 @@
+type batterysecret, domain;
+type batterysecret_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(batterysecret)
+
+r_dir_file(batterysecret, cgroup)
+r_dir_file(batterysecret, mnt_vendor_file)
+r_dir_file(batterysecret, vendor_sysfs_battery_supply)
+r_dir_file(batterysecret, sysfs_batteryinfo)
+r_dir_file(batterysecret, sysfs_type)
+r_dir_file(batterysecret, vendor_sysfs_usb_supply)
+r_dir_file(batterysecret, vendor_sysfs_usbpd_device)
+
+allow batterysecret {
+  mnt_vendor_file
+  persist_subsys_file
+  rootfs
+}:dir rw_dir_perms;
+
+allow batterysecret {
+  persist_subsys_file
+  sysfs
+  vendor_sysfs_battery_supply
+  sysfs_usb
+  vendor_sysfs_usb_supply
+  vendor_sysfs_usbpd_device
+}:file w_file_perms;
+
+allow batterysecret kmsg_device:chr_file rw_file_perms;
+
+allow batterysecret self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+allow batterysecret self:global_capability_class_set {
+  sys_tty_config
+  sys_boot
+};
+
+allow batterysecret self:capability {
+  chown
+  fsetid
+};
+
+allow batterysecret {
+  system_suspend_hwservice
+  hidl_manager_hwservice
+}:hwservice_manager find;
+
+binder_call(batterysecret, system_suspend_server)
+
+wakelock_use(batterysecret)
\ No newline at end of file
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
new file mode 100644
index 0000000..99f0186
--- /dev/null
+++ b/sepolicy/vendor/device.te
@@ -0,0 +1,8 @@
+# Audio device
+type sound_device, dev_type;
+
+# Fingerprint device
+type vendor_fingerprint_device, dev_type;
+
+# IR device
+type ir_spi_device, dev_type;
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
new file mode 100644
index 0000000..8faaa33
--- /dev/null
+++ b/sepolicy/vendor/file.te
@@ -0,0 +1,17 @@
+# Audio
+type audio_socket, file_type;
+
+# Battery
+type persist_subsys_file, vendor_persist_type, file_type;
+
+# Camera
+type camera_persist_file, vendor_persist_type, file_type;
+
+# Fingerprint
+type vendor_fingerprint_data_file, data_file_type, file_type;
+
+# Thermal
+type thermal_data_file, data_file_type, file_type;
+
+# Touchpanel
+type proc_touchpanel, fs_type, proc_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
new file mode 100644
index 0000000..7afaa3a
--- /dev/null
+++ b/sepolicy/vendor/file_contexts
@@ -0,0 +1,56 @@
+  # Audio
+/dev/socket/audio_hw_socket								u:object_r:audio_socket:s0
+/dev/elliptic(.*)?									u:object_r:sound_device:s0
+/mnt/vendor/persist/audio/cali_test.bin							u:object_r:vendor_persist_audio_file:s0
+/mnt/vendor/persist/audio/fsm_calib.bin							u:object_r:vendor_persist_audio_file:s0
+/mnt/vendor/persist/audio/aw_cali.bin							u:object_r:vendor_persist_audio_file:s0
+
+# Battery
+/vendor/bin/batterysecret								u:object_r:batterysecret_exec:s0
+/mnt/vendor/persist/subsys(/.*)?							u:object_r:persist_subsys_file:s0
+
+# Bluetooth
+/vendor/bin/init\.mi\.btmac\.sh								u:object_r:vendor_qti_init_shell_exec:s0
+
+# Camera
+/mnt/vendor/persist/camera(/.*)?							u:object_r:camera_persist_file:s0
+
+# Fingerprint
+/dev/goodix_fp										u:object_r:vendor_fingerprint_device:s0
+/dev/silead_fp										u:object_r:vendor_fingerprint_device:s0
+/dev/silead_s.*										u:object_r:vendor_fingerprint_device:s0
+/dev/silead_stub									u:object_r:vendor_fingerprint_device:s0
+/dev/spidev.*										u:object_r:vendor_fingerprint_device:s0
+/mnt/vendor/persist/silead(/.*)?							u:object_r:vendor_fingerprint_data_file:s0
+/mnt/vendor/persist/goodix(/.*)?							u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/fpc(/.*)?									u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/fpdump(/.*)?								u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/goodix(/.*)?								u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/goodix/gf_data(/.*)?							u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/silead(/.*)?								u:object_r:vendor_fingerprint_data_file:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2.1-service\.xiaomi_holi	u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/vendor\.silead\.hardware\.fingerprintext@1\.0-service			u:object_r:hal_fingerprint_default_exec:s0
+
+# IR
+/dev/ir_spi										u:object_r:ir_spi_device:s0
+
+# Mlipay
+/vendor/bin/mlipayd@1.1									u:object_r:hal_mlipay_default_exec:s0
+
+# NFC
+/dev/pn553										u:object_r:nfc_device:s0
+/dev/pn54x										u:object_r:nfc_device:s0
+
+# Sensors
+/vendor/bin/hw/android\.hardware\.sensors@2.1-service\.xiaomi_holi-multihal		u:object_r:hal_sensors_default_exec:s0
+
+# Thermal
+/data/vendor/thermal(/.*)?								u:object_r:thermal_data_file:s0
+/vendor/bin/mi_thermald									u:object_r:mi_thermald_exec:s0
+
+# Vibrator
+/vendor/bin/hw/vendor\.qti\.hardware\.vibrator\.service\.xiaomi_holi			u:object_r:hal_vibrator_default_exec:s0
+
+# Xiaomi MAC
+/data/vendor/mac_addr(/.*)?								u:object_r:vendor_wifi_vendor_data_file:s0
+/data/vendor/wlan_logs(/.*)?								u:object_r:vendor_wifi_vendor_data_file:s0
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
new file mode 100644
index 0000000..80aa773
--- /dev/null
+++ b/sepolicy/vendor/genfs_contexts
@@ -0,0 +1,58 @@
+# Battery
+genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/power_supply			u:object_r:vendor_sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/power_supply/battery               u:object_r:vendor_sysfs_battery_supply:s0
+
+# Fingerprint
+genfscon sysfs /devices/platform/soc/soc:fpc1020					u:object_r:vendor_sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:goodix_fp					u:object_r:vendor_sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:silead_fp					u:object_r:vendor_sysfs_fingerprint:s0
+
+# SSR
+genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys[0-9]+/name		u:object_r:vendor_sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys[0-9]+/restart_level	u:object_r:vendor_sysfs_ssr_toggle:s0
+genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys[0-9]+/name		u:object_r:vendor_sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys[0-9]+/restart_level	u:object_r:vendor_sysfs_ssr_toggle:s0
+genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys[0-9]+/name			u:object_r:vendor_sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys[0-9]+/restart_level	u:object_r:vendor_sysfs_ssr_toggle:s0
+genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys[0-9]+/name		u:object_r:vendor_sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys[0-9]+/restart_level	u:object_r:vendor_sysfs_ssr_toggle:s0
+
+# Touchpanel
+genfscon proc /tp_gesture								u:object_r:proc_touchpanel:s0
+
+# Wakeup nodes
+genfscon sysfs /devices/platform/soc/soc:goodix_fp/wakeup				u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:silead_fp/wakeup				u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-adsp/wakeup				u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-modem/wakeup			u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4a80000.i2c/i2c-4/4-0066/wakeup			u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4a80000.i2c/i2c-4/4-0055/wakeup			u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4a80000.i2c/i2c-4/4-005a/wakeup			u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-0066/wakeup			u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-0028/wakeup			u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-004e/wakeup			u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-006a/wakeup			u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-cdsp/wakeup				u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/wakeup				u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys3/wakeup			u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,msm-audio-apr/soc:qcom,msm-audio-apr:qcom,q6core-audio/soc:qcom,msm-audio-apr:qcom,q6core-audio:bolero-cdc/va-macro/va_swr_ctrl/wakeup					u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/6000000.qcom,mss/wakeup				u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys2/wakeup			u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/b000000.qcom,turing/wakeup				u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys1/wakeup			u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4a84000.qcom,qup_uart/wakeup			u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:gpio_keys/wakeup				u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/wakeup				u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys0/wakeup			u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/wakeup				u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/subsys4/wakeup			u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/wakeup				u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1628000.qcom,msm-eud/wakeup			u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/wakeup				u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys5/wakeup			u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/5800000.qcom,ipa/wakeup				u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c800000.qcom,icnss/wakeup				u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p_sleepstate/wakeup			u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4e00000.ssusb/wakeup				u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm6125@0:qcom,power-on@800/wakeup		u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-06/1c40000.qcom,spmi:qcom,pmk8350@0:rtc@6100/wakeup			u:object_r:sysfs_wakeup:s0
diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te
new file mode 100644
index 0000000..7e6e5a4
--- /dev/null
+++ b/sepolicy/vendor/hal_audio_default.te
@@ -0,0 +1,13 @@
+# Allow hal_audio_default to read vendor_persist_audio_file
+r_dir_file(hal_audio_default, vendor_persist_audio_file)
+
+r_dir_file(hal_audio_default, sysfs)
+
+binder_call(hal_audio_default, system_suspend_server)
+
+allow hal_audio_default system_suspend_hwservice:hwservice_manager find;
+
+set_prop(hal_audio_default, vendor_audio_prop)
+
+allow hal_audio_default audio_socket:sock_file rw_file_perms;
+allow hal_audio_default sound_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/hal_bluetooth_default.te b/sepolicy/vendor/hal_bluetooth_default.te
new file mode 100644
index 0000000..82c6ef2
--- /dev/null
+++ b/sepolicy/vendor/hal_bluetooth_default.te
@@ -0,0 +1,6 @@
+# Allow hal_bluetooth_default to read files in vendor_wifi_vendor_data_file
+r_dir_file(hal_bluetooth_default, vendor_wifi_vendor_data_file)
+allow hal_bluetooth_default vendor_wifi_vendor_data_file:dir rw_dir_perms;
+allow hal_bluetooth_default vendor_wifi_vendor_data_file:file create_file_perms;
+
+get_prop(hal_bluetooth_default, vendor_wifi_prop)
diff --git a/sepolicy/vendor/hal_bootctl_default.te b/sepolicy/vendor/hal_bootctl_default.te
new file mode 100644
index 0000000..e5c73b6
--- /dev/null
+++ b/sepolicy/vendor/hal_bootctl_default.te
@@ -0,0 +1 @@
+allow hal_bootctl_default vendor_uefi_block_device:blk_file getattr;
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
new file mode 100644
index 0000000..d97b6ee
--- /dev/null
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -0,0 +1,2 @@
+r_dir_file(hal_camera_default, camera_persist_file)
+set_prop(hal_camera_default, vendor_camera_sensor_prop)
diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te
new file mode 100644
index 0000000..55c920f
--- /dev/null
+++ b/sepolicy/vendor/hal_fingerprint_default.te
@@ -0,0 +1,37 @@
+# Binder
+allow hal_fingerprint_default vendor_hal_perf_default:binder call;
+allow hal_fingerprint_default vendor_hal_perf_hwservice:hwservice_manager find;
+
+# Props
+set_prop(hal_fingerprint_default, vendor_fp_prop)
+get_prop(system_server, vendor_fp_prop);
+
+# Sysfs
+allow hal_fingerprint_default {
+  sysfs_rtc
+  vendor_sysfs_fingerprint
+  vendor_sysfs_spss
+}: file rw_file_perms;
+
+allow hal_fingerprint_default {
+  input_device
+  sysfs_rtc
+  vendor_sysfs_fingerprint
+  vendor_sysfs_spss
+}: dir r_dir_perms;
+
+# Dev nodes
+allow hal_fingerprint_default {
+  input_device
+  tee_device
+  uhid_device
+  vendor_fingerprint_device
+}: chr_file rw_file_perms;
+
+# Data
+allow hal_fingerprint_default vendor_fingerprint_data_file:dir rw_dir_perms;
+allow hal_fingerprint_default vendor_fingerprint_data_file:file create_file_perms;
+
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+
+r_dir_file(hal_fingerprint_default, firmware_file)
diff --git a/sepolicy/vendor/hal_health_default.te b/sepolicy/vendor/hal_health_default.te
new file mode 100644
index 0000000..6cecf70
--- /dev/null
+++ b/sepolicy/vendor/hal_health_default.te
@@ -0,0 +1,2 @@
+allow hal_health_default sysfs_wakeup:dir r_dir_perms;
+allow hal_health_default sysfs_wakeup:file r_file_perms;
diff --git a/sepolicy/vendor/hal_ir_default.te b/sepolicy/vendor/hal_ir_default.te
new file mode 100644
index 0000000..46663b7
--- /dev/null
+++ b/sepolicy/vendor/hal_ir_default.te
@@ -0,0 +1 @@
+allow hal_ir_default ir_spi_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/hal_mlipay.te b/sepolicy/vendor/hal_mlipay.te
new file mode 100644
index 0000000..5f4787f
--- /dev/null
+++ b/sepolicy/vendor/hal_mlipay.te
@@ -0,0 +1,22 @@
+type hal_mlipay_hwservice, hwservice_manager_type;
+
+type hal_mlipay_default, domain;
+hal_server_domain(hal_mlipay_default, hal_mlipay)
+
+type hal_mlipay_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_mlipay_default)
+
+# Allow hwbinder call from hal client to server
+binder_call(hal_mlipay_client, hal_mlipay_server)
+
+# Add hwservice related rules
+add_hwservice(hal_mlipay_server, hal_mlipay_hwservice)
+allow hal_mlipay_client hal_mlipay_hwservice:hwservice_manager find;
+
+allow hal_mlipay_default tee_device:chr_file rw_file_perms;
+allow hal_mlipay_default ion_device:chr_file r_file_perms;
+
+r_dir_file(hal_mlipay_default, firmware_file)
+set_prop(hal_mlipay_default, vendor_mlipay_prop);
+
+get_prop(hal_mlipay_default, vendor_fp_prop)
diff --git a/sepolicy/vendor/hal_nfc_default.te b/sepolicy/vendor/hal_nfc_default.te
new file mode 100644
index 0000000..9486137
--- /dev/null
+++ b/sepolicy/vendor/hal_nfc_default.te
@@ -0,0 +1,2 @@
+allow hal_nfc_default vendor_nfc_vendor_data_file:dir create_dir_perms;
+allow hal_nfc_default vendor_nfc_vendor_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/hal_perf_default.te b/sepolicy/vendor/hal_perf_default.te
new file mode 100644
index 0000000..5d19e84
--- /dev/null
+++ b/sepolicy/vendor/hal_perf_default.te
@@ -0,0 +1,5 @@
+allow vendor_hal_perf_default hal_audio_default:dir r_dir_perms;
+allow vendor_hal_perf_default hal_audio_default:file r_file_perms;
+allow vendor_hal_perf_default hal_fingerprint_default:dir r_dir_perms;
+allow vendor_hal_perf_default hal_fingerprint_default:file r_file_perms;
+allow vendor_hal_perf_default hal_camera_default:dir r_dir_perms;
diff --git a/sepolicy/vendor/hal_power_default.te b/sepolicy/vendor/hal_power_default.te
new file mode 100644
index 0000000..d9ef52d
--- /dev/null
+++ b/sepolicy/vendor/hal_power_default.te
@@ -0,0 +1,3 @@
+# Allow hal_power_default to write to dt2w node
+allow hal_power_default proc_touchpanel:dir search;
+allow hal_power_default proc_touchpanel:file rw_file_perms;
diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te
new file mode 100644
index 0000000..1d3339e
--- /dev/null
+++ b/sepolicy/vendor/hal_sensors_default.te
@@ -0,0 +1,10 @@
+binder_call(hal_sensors_default, hal_audio_default)
+
+hal_client_domain(hal_sensors_default, hal_audio)
+
+allow hal_sensors_default audio_socket:sock_file rw_file_perms;
+allow hal_sensors_default socket_device:sock_file rw_file_perms;
+allow hal_sensors_default sound_device:chr_file rw_file_perms;
+allow hal_sensors_default iio_device:chr_file rw_file_perms;
+
+get_prop(hal_sensors_default, vendor_adsprpc_prop)
diff --git a/sepolicy/vendor/hal_wifi_default.te b/sepolicy/vendor/hal_wifi_default.te
new file mode 100644
index 0000000..c6580df
--- /dev/null
+++ b/sepolicy/vendor/hal_wifi_default.te
@@ -0,0 +1 @@
+allow hal_wifi_default self:capability sys_module;
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
new file mode 100644
index 0000000..7af07e3
--- /dev/null
+++ b/sepolicy/vendor/hwservice_contexts
@@ -0,0 +1,15 @@
+# Fingerprint
+com.fingerprints.extension::IFingerprintSensorTest				u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintNavigation				u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintEngineering				u:object_r:hal_fingerprint_hwservice:s0
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon		u:object_r:hal_fingerprint_hwservice:s0
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemonExt	u:object_r:hal_fingerprint_hwservice:s0
+vendor.silead.hardware.fingerprintext::ISileadFingerprint			u:object_r:hal_fingerprint_hwservice:s0
+vendor.xiaomi.hardware.fingerprintextension::IXiaomiFingerprint			u:object_r:hal_fingerprint_hwservice:s0
+
+# Mlipay
+vendor.xiaomi.hardware.mlipay::IMlipayService					u:object_r:hal_mlipay_hwservice:s0
+
+# NFC
+vendor.nxp.nxpnfc::INxpNfc							u:object_r:hal_nfc_hwservice:s0
+vendor.nxp.nxpnfclegacy::INxpNfcLegacy						u:object_r:hal_nfc_hwservice:s0
diff --git a/sepolicy/vendor/mi_thermald.te b/sepolicy/vendor/mi_thermald.te
new file mode 100644
index 0000000..4209b38
--- /dev/null
+++ b/sepolicy/vendor/mi_thermald.te
@@ -0,0 +1,35 @@
+type mi_thermald, domain;
+type mi_thermald_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mi_thermald)
+
+set_prop(mi_thermald, vendor_thermal_normal_prop)
+
+allow mi_thermald thermal_data_file:dir rw_dir_perms;
+allow mi_thermald thermal_data_file:file create_file_perms;
+
+allow mi_thermald self:capability { fsetid sys_boot };
+allow mi_thermald mi_thermald:capability { chown fowner };
+allow mi_thermald mi_thermald:capability2 { wake_alarm block_suspend };
+
+allow mi_thermald sysfs_devices_system_cpu:file rw_file_perms;
+
+r_dir_file(mi_thermald, sysfs_thermal)
+allow mi_thermald sysfs_thermal:file w_file_perms;
+
+r_dir_file(mi_thermald, sysfs)
+allow mi_thermald sysfs:file w_file_perms;
+
+r_dir_file(mi_thermald, sysfs_leds)
+
+allow mi_thermald vendor_sysfs_kgsl:dir r_dir_perms;
+allow mi_thermald vendor_sysfs_kgsl:file rw_file_perms;
+allow mi_thermald vendor_sysfs_kgsl:lnk_file r_file_perms;
+
+allow mi_thermald vendor_sysfs_battery_supply:dir r_dir_perms;
+allow mi_thermald vendor_sysfs_battery_supply:file rw_file_perms;
+allow mi_thermald vendor_sysfs_battery_supply:lnk_file r_file_perms;
+
+allow mi_thermald vendor_sysfs_graphics:dir r_dir_perms;
+allow mi_thermald vendor_sysfs_graphics:file rw_file_perms;
+allow mi_thermald vendor_sysfs_graphics:lnk_file r_file_perms;
\ No newline at end of file
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
new file mode 100644
index 0000000..d647ff7
--- /dev/null
+++ b/sepolicy/vendor/property.te
@@ -0,0 +1,5 @@
+# Camera
+vendor_internal_prop(vendor_camera_sensor_prop);
+
+# Thermal
+vendor_internal_prop(vendor_thermal_normal_prop);
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
new file mode 100644
index 0000000..00a5068
--- /dev/null
+++ b/sepolicy/vendor/property_contexts
@@ -0,0 +1,26 @@
+# Camera
+persist.camera.				u:object_r:vendor_camera_prop:s0
+ro.boot.camera.config			u:object_r:vendor_camera_sensor_prop:s0
+vendor.camera.config.			u:object_r:vendor_camera_sensor_prop:s0
+
+# Fingerprint
+persist.vendor.sys.fp.			u:object_r:vendor_fp_prop:s0
+ro.hardware.fp.				u:object_r:vendor_fp_prop:s0
+vendor.fps_hal.				u:object_r:vendor_fp_prop:s0
+vendor.silead.fp.ext.			u:object_r:vendor_fp_prop:s0
+
+# Mlipay
+persist.vendor.sys.pay.			u:object_r:vendor_mlipay_prop:s0
+persist.vendor.sys.provision.status	u:object_r:vendor_mlipay_prop:s0
+
+# RIL
+odm.ril.radio.status.			u:object_r:vendor_radio_prop:s0
+odm.ril.radio.status.sim1		u:object_r:vendor_radio_prop:s0
+odm.ril.radio.status.sim2		u:object_r:vendor_radio_prop:s0
+
+# Thermal
+vendor.sys.thermal.			u:object_r:vendor_thermal_normal_prop:s0
+
+# Wi-Fi
+ro.vendor.ril.oem.btmac			u:object_r:vendor_wifi_prop:s0
+ro.vendor.ril.oem.wifimac		u:object_r:vendor_wifi_prop:s0
diff --git a/sepolicy/vendor/qti_init_shell.te b/sepolicy/vendor/qti_init_shell.te
new file mode 100644
index 0000000..0d6641f
--- /dev/null
+++ b/sepolicy/vendor/qti_init_shell.te
@@ -0,0 +1 @@
+allow vendor_qti_init_shell proc_page_cluster:file rw_file_perms;
diff --git a/sepolicy/vendor/recovery.te b/sepolicy/vendor/recovery.te
new file mode 100644
index 0000000..afc4845
--- /dev/null
+++ b/sepolicy/vendor/recovery.te
@@ -0,0 +1 @@
+allow recovery pstorefs:dir r_dir_perms;
diff --git a/sepolicy/vendor/sensors.te b/sepolicy/vendor/sensors.te
new file mode 100644
index 0000000..0b0d84d
--- /dev/null
+++ b/sepolicy/vendor/sensors.te
@@ -0,0 +1 @@
+r_dir_file(vendor_sensors, vendor_sysfs_graphics)
diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te
new file mode 100644
index 0000000..e33161e
--- /dev/null
+++ b/sepolicy/vendor/system_app.te
@@ -0,0 +1,2 @@
+# Xiaomi Parts
+allow system_app sysfs_thermal:file rw_file_perms;
\ No newline at end of file
diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te
new file mode 100644
index 0000000..d2556fb
--- /dev/null
+++ b/sepolicy/vendor/tee.te
@@ -0,0 +1,2 @@
+allow tee vendor_fingerprint_data_file:dir create_dir_perms;
+allow tee vendor_fingerprint_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/thermal-engine.te b/sepolicy/vendor/thermal-engine.te
new file mode 100644
index 0000000..6e59f5b
--- /dev/null
+++ b/sepolicy/vendor/thermal-engine.te
@@ -0,0 +1,11 @@
+allow vendor_thermal-engine {
+  vendor_sysfs_devfreq
+  thermal_data_file
+}:dir r_dir_perms;
+
+allow vendor_thermal-engine vendor_sysfs_devfreq:file rw_file_perms;
+
+# Rule for vendor_thermal-engine to access init process
+unix_socket_connect(vendor_thermal-engine, property, init);
+
+set_prop(vendor_thermal-engine, vendor_thermal_normal_prop)
\ No newline at end of file
diff --git a/sepolicy/vendor/vendor_modprobe.te b/sepolicy/vendor/vendor_modprobe.te
new file mode 100644
index 0000000..4a6f93e
--- /dev/null
+++ b/sepolicy/vendor/vendor_modprobe.te
@@ -0,0 +1,4 @@
+allow vendor_modprobe self:capability sys_module;
+allow vendor_modprobe self:cap_userns sys_module;
+allow vendor_modprobe vendor_file:system module_load;
+r_dir_file(vendor_modprobe, vendor_file)
diff --git a/sepolicy/vendor/vendor_qti_init_shell.te b/sepolicy/vendor/vendor_qti_init_shell.te
new file mode 100644
index 0000000..1b25678
--- /dev/null
+++ b/sepolicy/vendor/vendor_qti_init_shell.te
@@ -0,0 +1,4 @@
+# allow init.mi.btmac.sh to read hex-encoded mac address and set it
+allow vendor_qti_init_shell vendor_bluetooth_prop:property_service set;
+allow vendor_qti_init_shell vendor_wifi_vendor_data_file:dir search;
+allow vendor_qti_init_shell vendor_wifi_vendor_data_file:file r_file_perms;
-- 
cgit v1.2.3