mtk-sepolicy: Initial SEPolicy rules
diff --git a/BoardSEPolicyConfig.mk b/BoardSEPolicyConfig.mk
new file mode 100644
index 0000000..efd69a4
--- /dev/null
+++ b/BoardSEPolicyConfig.mk
@@ -0,0 +1,32 @@
+
+# SELinux Policy File Configuration
+BOARD_SEPOLICY_DIRS += \
+ device/mediatek/sepolicy/basic/non_plat \
+ device/mediatek/sepolicy/bsp/non_plat
+
+ifneq ($(call math_lt,$(PRODUCT_SHIPPING_API_LEVEL),28),)
+BOARD_SEPOLICY_DIRS += $(wildcard device/mediatek/sepolicy/bsp/ota_upgrade)
+endif
+
+BOARD_PLAT_PRIVATE_SEPOLICY_DIR += \
+ device/mediatek/sepolicy/basic/plat_private \
+ device/mediatek/sepolicy/bsp/plat_private
+
+BOARD_PLAT_PUBLIC_SEPOLICY_DIR += \
+ device/mediatek/sepolicy/basic/plat_public \
+ device/mediatek/sepolicy/bsp/plat_public
+
+# MTK Debug Rules Configuration
+ifeq ($(strip $(HAVE_MTK_DEBUG_SEPOLICY)), yes)
+BOARD_SEPOLICY_DIRS += \
+ device/mediatek/sepolicy/basic/debug/non_plat \
+ device/mediatek/sepolicy/bsp/debug/non_plat
+
+BOARD_PLAT_PUBLIC_SEPOLICY_DIR += \
+ device/mediatek/sepolicy/basic/debug/plat_public \
+ device/mediatek/sepolicy/bsp/debug/plat_public
+
+BOARD_PLAT_PRIVATE_SEPOLICY_DIR += \
+ device/mediatek/sepolicy/basic/debug/plat_private \
+ device/mediatek/sepolicy/bsp/debug/plat_private
+endif
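Review bot: The debug policy directories are included purely on `HAVE_MTK_DEBUG_SEPOLICY` with no check of the build variant, so a product that sets that flag ships the `debug/` rules (which in this same change include broad capability and raw block-device grants for aee_aedv) in a user build. Since the debug rules are only partly wrapped in `userdebug_or_eng`, the safer shape is to gate the whole block on the variant as well, e.g. `ifeq ($(strip $(HAVE_MTK_DEBUG_SEPOLICY)), yes)` followed by `ifneq ($(TARGET_BUILD_VARIANT), user)`, or at least a comment stating that the flag must never be set for user builds. The `math_lt` call on `PRODUCT_SHIPPING_API_LEVEL` is also unguarded against the variable being empty; whether that errors depends on the build system's math helpers, so worth confirming on a product that does not set it.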
diff --git a/basic/debug/non_plat/aee_aedv.te b/basic/debug/non_plat/aee_aedv.te
new file mode 100644
index 0000000..1d5e873
--- /dev/null
+++ b/basic/debug/non_plat/aee_aedv.te
@@ -0,0 +1,500 @@
+# ==============================================
+# Policy File of /vendor/bin/aee_aedv Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type aee_aedv, domain;
+
+type aee_aedv_exec, exec_type, file_type, vendor_file_type;
+typeattribute aee_aedv mlstrustedsubject;
+
+init_daemon_domain(aee_aedv)
+
+# Date : WK14.32
+# Operation : AEE UT
+# Purpose : for AEE module
+allow aee_aedv aed_device:chr_file rw_file_perms;
+allow aee_aedv expdb_device:chr_file rw_file_perms;
+allow aee_aedv expdb_block_device:blk_file rw_file_perms;
+allow aee_aedv bootdevice_block_device:blk_file rw_file_perms;
+allow aee_aedv etb_device:chr_file rw_file_perms;
+
+# AED start: /dev/block/expdb
+allow aee_aedv block_device:dir search;
+
+# NE flow: /dev/RT_Monitor
+allow aee_aedv RT_Monitor_device:chr_file r_file_perms;
+
+#data/aee_exp
+allow aee_aedv aee_exp_vendor_file:dir create_dir_perms;
+allow aee_aedv aee_exp_vendor_file:file create_file_perms;
+
+#data/dumpsys
+allow aee_aedv aee_dumpsys_vendor_file:dir create_dir_perms;
+allow aee_aedv aee_dumpsys_vendor_file:file create_file_perms;
+
+#/data/core
+allow aee_aedv aee_core_vendor_file:dir create_dir_perms;
+allow aee_aedv aee_core_vendor_file:file create_file_perms;
+
+# /data/data_tmpfs_log
+allow aee_aedv vendor_tmpfs_log_file:dir create_dir_perms;
+allow aee_aedv vendor_tmpfs_log_file:file create_file_perms;
+
+allow aee_aedv domain:process { sigkill getattr getsched};
+
+#core-pattern
+allow aee_aedv usermodehelper:file r_file_perms;
+
+# Date: W15.34
+# Operation: Migration
+# Purpose: For pagemap & pageflags information in NE DB
+# /proc/pid/
+# pre-allocation
+allow aee_aedv self:capability {
+ chown
+ fowner
+ fsetid
+ kill
+ linux_immutable
+ net_admin
+ sys_admin
+ sys_nice
+ sys_resource
+ sys_module
+};
+
+# Purpose: aee_aedv set property
+set_prop(aee_aedv, vendor_mtk_persist_mtk_aeev_prop)
+set_prop(aee_aedv, vendor_mtk_persist_aeev_prop)
+set_prop(aee_aedv, vendor_mtk_debug_mtk_aeev_prop)
+set_prop(aee_aedv, vendor_mtk_aeev_dynamic_switch_prop)
+
+# Purpose: mnt/user/*
+allow aee_aedv mnt_user_file:dir search;
+allow aee_aedv mnt_user_file:lnk_file r_file_perms;
+
+allow aee_aedv storage_file:dir search;
+allow aee_aedv storage_file:lnk_file r_file_perms;
+
+userdebug_or_eng(`
+ allow aee_aedv su:dir r_dir_perms;
+ allow aee_aedv su:file r_file_perms;
+')
+
+# PROCESS_FILE_STATE
+allow aee_aedv dumpstate:unix_stream_socket { read write ioctl };
+allow aee_aedv dumpstate:dir search;
+allow aee_aedv dumpstate:file r_file_perms;
+
+allow aee_aedv logdr_socket:sock_file write;
+allow aee_aedv logd:unix_stream_socket connectto;
+
+# vibrator
+allow aee_aedv sysfs_vibrator:file w_file_perms;
+
+# /proc/lk_env
+allow aee_aedv proc_lk_env:file rw_file_perms;
+
+# Data : 2017/03/22
+# Operation : add NE flow rule for Android O
+# Purpose : make aee_aedv can get specific process NE info
+allow aee_aedv domain:dir r_dir_perms;
+allow aee_aedv domain:{ file lnk_file } r_file_perms;
+
+# Data : 2017/04/06
+# Operation : add selinux rule for crash_dump notify aee_aedv
+# Purpose : make aee_aedv can get notify from crash_dump
+allow aee_aedv crash_dump:dir search;
+allow aee_aedv crash_dump:file r_file_perms;
+
+# Date : 20170512
+# Operation : fix aee_archive can't execute issue
+# Purpose : type=1400 audit(0.0:97916): avc: denied { execute_no_trans } for
+# path="/system/vendor/bin/aee_archive" dev="mmcblk0p26" ino=2355
+# scontext=u:r:aee_aedv:s0 tcontext=u:object_r:vendor_file:s0
+# tclass=file permissive=0
+allow aee_aedv vendor_file:file x_file_perms;
+
+# Purpose: debugfs files
+allow aee_aedv procfs_blockio:file r_file_perms;
+no_debugfs_restriction(`
+ userdebug_or_eng(`
+ allow aee_aedv debugfs_cam_dbg:file r_file_perms;
+ allow aee_aedv debugfs_cam_exception:file r_file_perms;
+ ')
+')
+
+# Purpose:
+# 01-01 17:59:14.440 7664 7664 I aee_dumpstate: type=1400 audit(0.0:63497):
+# avc: denied { open } for path="/sys/kernel/debug/tracing/tracing_on" dev=
+# "debugfs" ino=2087 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
+# tracing_shell_writable:s0 tclass=file permissive=1
+allow aee_aedv debugfs_tracing:file rw_file_perms;
+
+# Purpose:
+# 01-01 00:05:17.720 3567 3567 W ps : type=1400 audit(0.0:5192): avc:
+# denied { getattr } for path="/proc/3421" dev="proc" ino=78975 scontext=u:r:
+# aee_aedv:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=dir permissive=0
+allow aee_aedv platform_app:dir r_dir_perms;
+allow aee_aedv platform_app:file r_file_perms;
+
+# Purpose:
+# 01-01 00:05:17.750 3567 3567 W ps : type=1400 audit(0.0:5193): avc:
+# denied { getattr } for path="/proc/3461" dev="proc" ino=11013 scontext=u:r:
+# aee_aedv:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=dir permissive=0
+allow aee_aedv untrusted_app_25:dir getattr;
+
+# Purpose:
+# 01-01 00:05:17.650 3567 3567 W ps : type=1400 audit(0.0:5179): avc:
+# denied { getattr } for path="/proc/2712" dev="proc" ino=65757 scontext=u:r:
+# aee_aedv:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=dir permissive=0
+allow aee_aedv untrusted_app:dir getattr;
+
+# Purpose:
+# 01-01 00:05:17.650 3567 3567 W ps : type=1400 audit(0.0:5180): avc:
+# denied { getattr } for path="/proc/2747" dev="proc" ino=66659 scontext=u:r:
+# aee_aedv:s0 tcontext=u:r:priv_app:s0:c512,c768 tclass=dir permissive=0
+allow aee_aedv priv_app:dir getattr;
+
+# Purpose:
+# 01-01 00:05:16.270 3554 3554 W aee_dumpstatev: type=1400 audit(0.0:5153):
+# avc: denied { open } for path="/proc/interrupts" dev="proc" ino=4026533608
+# scontext=u:r:aee_aedv:s0 tcontext=u:object_r:proc_interrupts:s0 tclass=file
+# permissive=0
+allow aee_aedv proc_interrupts:file r_file_perms;
+
+# Purpose:
+# 01-01 00:05:17.840 3554 3554 W aee_dumpstatev: type=1400 audit(0.0:5200):
+# avc: denied { search } for name="leds" dev="sysfs" ino=6217 scontext=u:r:
+# aee_aedv:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=0
+allow aee_aedv sysfs_leds:dir search;
+allow aee_aedv sysfs_leds:file r_file_perms;
+
+# Purpose:
+# 01-01 00:03:45.790 3651 3651 I aee_dumpstatev: type=1400 audit(0.0:5592): avc: denied
+# { search } for name="ccci" dev="sysfs" ino=6026 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:
+# sysfs_ccci:s0 tclass=dir permissive=1
+# 01-01 00:03:45.790 3651 3651 I aee_dumpstatev: type=1400 audit(0.0:5593): avc: denied { read }
+# for name="md_chn" dev="sysfs" ino=6035 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:sysfs_ccci:s0
+# tclass=file permissive=1
+# 01-01 00:03:45.790 3651 3651 I aee_dumpstatev: type=1400 audit(0.0:5594): avc: denied { open }
+# for path="/sys/kernel/ccci/md_chn" dev="sysfs" ino=6035 scontext=u:r:aee_aedv:s0 tcontext=u:
+# object_r:sysfs_ccci:s0 tclass=file permissive=1
+allow aee_aedv sysfs_ccci:dir search;
+allow aee_aedv sysfs_ccci:file r_file_perms;
+
+# Purpose:
+# 01-01 00:03:44.330 3658 3658 I aee_dumpstatev: type=1400 audit(0.0:5411): avc: denied
+# { execute_no_trans } for path="/vendor/bin/toybox_vendor" dev="mmcblk0p26" ino=250 scontext=u:r:
+# aee_aedv:s0 tcontext=u:object_r:vendor_toolbox_exec:s0 tclass=file permissive=1
+allow aee_aedv vendor_toolbox_exec:file rx_file_perms;
+
+# Purpose:
+# 01-01 00:12:06.320000 4145 4145 W dmesg : type=1400 audit(0.0:826): avc: denied { open } for
+# path="/dev/kmsg" dev="tmpfs" ino=10875 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:kmsg_device:
+# s0 tclass=chr_file permissive=0
+# 01-01 00:42:33.070000 4171 4171 W dmesg : type=1400 audit(0.0:1343): avc: denied
+# { syslog_read } for scontext=u:r:aee_aedv:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
+allow aee_aedv kmsg_device:chr_file r_file_perms;
+allow aee_aedv kernel:system syslog_read;
+
+# Purpose:
+# 01-01 00:12:37.890000 4162 4162 W aee_dumpstatev: type=1400 audit(0.0:914): avc: denied
+# { read } for name="meminfo" dev="proc" ino=4026533612 scontext=u:r:aee_aedv:s0 tcontext=u:
+# object_r:proc_meminfo:s0 tclass=file permissive=0
+allow aee_aedv proc_meminfo:file r_file_perms;
+
+# Purpose:
+# 01-01 00:08:39.900000 3833 3833 W aee_dumpstatev: type=1400 audit(0.0:371): avc: denied
+# { open } for path="/proc/3833/net/route" dev="proc" ino=4026533632 scontext=u:r:aee_aedv:s0
+# tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
+allow aee_aedv proc_net:file r_file_perms;
+
+# Purpose:
+# 01-01 00:08:39.880000 3833 3833 W aee_dumpstatev: type=1400 audit(0.0:370): avc: denied
+# { open } for path="/proc/zoneinfo" dev="proc" ino=4026533663 scontext=u:r:aee_aedv:s0 tcontext=
+# u:object_r:proc_zoneinfo:s0 tclass=file permissive=0
+allow aee_aedv proc_zoneinfo:file r_file_perms;
+
+# Purpose:
+# 01-01 00:33:27.750000 338 338 W aee_aedv: type=1400 audit(0.0:98): avc: denied { read }
+# for name="fstab.mt6755" dev="rootfs" ino=1082 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:
+# rootfs:s0 tclass=file permissive=0
+allow aee_aedv rootfs:file r_file_perms;
+
+# Purpose:
+# [ 241.001976] <1>.(1)[209:logd.auditd]type=1400 audit(1262304586.172:515): avc: denied { read }
+# for pid=1978 comm="aee_aedv64" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aedv:s0
+# tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
+allow aee_aedv sysfs_mrdump:file rw_file_perms;
+allow aee_aedv sysfs_memory:file r_file_perms;
+
+# Purpose: Allow aee_aedv access to vendor/bin/mtkcam-debug, which in turn invokes ICameraProvider
+# - avc: denied { find } for interface=android.hardware.camera.provider::ICameraProvider pid=2956
+# scontext=u:r:aee_aedv:s0 tcontext=u:object_r:hal_camera_hwservice:s0 tclass=hwservice_manager
+# - Transaction error in ICameraProvider::debug: Status(EX_TRANSACTION_FAILED)
+hal_client_domain(aee_aedv, hal_camera)
+allow aee_aedv hal_camera_hwservice:hwservice_manager { find };
+binder_call(aee_aedv, mtk_hal_camera)
+
+# Purpose: allow aee to read /sys/fs/selinux/enforce to get selinux status
+allow aee_aedv selinuxfs:file r_file_perms;
+
+# Purpose: mrdump db flow and pre-allocation
+# mrdump db flow
+allow aee_aedv sysfs_dt_firmware_android:dir search;
+allow aee_aedv sysfs_dt_firmware_android:file r_file_perms;
+allow aee_aedv kernel:system module_request;
+allow aee_aedv metadata_file:dir search;
+
+allow aee_aedv userdata_block_device:blk_file rw_file_perms;
+allow aee_aedv para_block_device:blk_file rw_file_perms;
+allow aee_aedv mrdump_device:blk_file rw_file_perms;
+allowxperm aee_aedv aee_dumpsys_vendor_file:file ioctl {
+ FS_IOC_GETFLAGS
+ FS_IOC_SETFLAGS
+ F2FS_IOC_GET_PIN_FILE
+ F2FS_IOC_SET_PIN_FILE
+ FS_IOC_FIEMAP
+};
+
+# Purpose: allow vendor aee read lowmemorykiller logs
+# file path: /sys/module/lowmemorykiller/parameters/
+allow aee_aedv sysfs_lowmemorykiller:dir search;
+allow aee_aedv sysfs_lowmemorykiller:file r_file_perms;
+
+# Purpose: Allow aee read /sys/class/misc/scp/scp_dump
+allow aee_aedv sysfs_scp:dir r_dir_perms;
+allow aee_aedv sysfs_scp:file r_file_perms;
+
+# Purpose: Allow aee read /sys/class/misc/adsp/adsp_dump
+allow aee_aedv sysfs_adsp:dir r_dir_perms;
+allow aee_aedv sysfs_adsp:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/buddyinfo
+allow aee_aedv proc_buddyinfo:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/cmdline
+allow aee_aedv proc_cmdline:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/bootconfig
+allow aee_aedv proc_bootconfig:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/slabinfo
+allow aee_aedv proc_slabinfo:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/stat
+allow aee_aedv proc_stat:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/version
+allow aee_aedv proc_version:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/vmallocinfo
+allow aee_aedv proc_vmallocinfo:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/vmstat
+allow aee_aedv proc_vmstat:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/cpu/alignment
+allow aee_aedv proc_cpu_alignment:file w_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/gpulog
+allow aee_aedv proc_gpulog:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/chip/hw_ver
+allow aee_aedv proc_chip:file r_file_perms;
+allow aee_aedv proc_chip:dir r_dir_perms;
+
+# Purpose: Allow aee_aedv to read /proc/sched_debug
+allow aee_aedv proc_sched_debug:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/atf_log
+allow aee_aedv proc_atf_log:dir r_dir_perms;
+allow aee_aedv proc_atf_log:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/last_kmsg
+allow aee_aedv proc_last_kmsg:file r_file_perms;
+
+# Purpose: Allow aee_aedv to access /sys/devices/virtual/timed_output/vibrator/enable
+allow aee_aedv sysfs_vibrator_setting:dir search;
+allow aee_aedv sysfs_vibrator_setting:file w_file_perms;
+allow aee_aedv sysfs_vibrator:dir search;
+
+# Purpose: Allow aee_aedv to read /proc/ufs_debug
+allow aee_aedv proc_ufs_debug:file rw_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/msdc_debug
+allow aee_aedv proc_msdc_debug:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/pidmap
+allow aee_aedv proc_pidmap:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /sys/power/vcorefs/vcore_debug
+allow aee_aedv sysfs_vcore_debug:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /sys/devices/virtual/BOOT/BOOT/boot/boot_mode
+allow aee_aedv sysfs_boot_mode:file r_file_perms;
+
+#Purpose: Allow aee_aedv to read/write /sys/kernel/debug/tracing/buffer_total_size_kb
+userdebug_or_eng(`
+allow aee_aedv debugfs_tracing_debug:file { rw_file_perms };
+')
+
+#Purpose: Allow aee_aedv to read /sys/mtk_memcfg/slabtrace
+allow aee_aedv proc_slabtrace:file r_file_perms;
+
+#Purpose: Allow aee_aedv to read /proc/mtk_cmdq_debug/status
+allow aee_aedv proc_cmdq_debug:file r_file_perms;
+
+#data/dipdebug
+allow aee_aedv aee_dipdebug_vendor_file:dir r_dir_perms;
+allow aee_aedv aee_dipdebug_vendor_file:file r_file_perms;
+allow aee_aedv proc_isp_p2:dir r_dir_perms;
+allow aee_aedv proc_isp_p2:file r_file_perms;
+
+allow aee_aedv connsyslog_data_vendor_file:file r_file_perms;
+allow aee_aedv connsyslog_data_vendor_file:dir r_dir_perms;
+
+# Purpose: Allow aee_aedv to read the /proc/*/exe of vendor process
+allow aee_aedv vendor_file_type:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/isp_p2/isp_p2_kedump
+allow aee_aedv proc_isp_p2_kedump:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/cpuhvfs/dbg_repo
+allow aee_aedv proc_dbg_repo:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/pl_lk
+allow aee_aedv proc_pl_lk:file r_file_perms;
+
+allow aee_aedv proc_aed_reboot_reason:file r_file_perms;
+
+# Purpose: Allow aee_aedv to write /proc/sys/vm/drop_caches
+allow aee_aedv proc_drop_caches:file rw_file_perms;
+
+allow aee_aedv proc_wmt_aee:file r_file_perms;
+
+allow aee_aedv proc_aed:file rw_file_perms;
+allow aee_aedv proc_aed:dir r_dir_perms;
+allow aee_aedv proc_ppm:dir r_dir_perms;
+
+allow aee_aedv dpm_block_device:blk_file r_file_perms;
+allow aee_aedv sspm_block_device:blk_file r_file_perms;
+allow aee_aedv boot_para_block_device:blk_file rw_file_perms;
+
+allow aee_aedv proc_modules:file r_file_perms;
+
+set_prop(aee_aedv, powerctl_prop)
+
+
+allow aee_aedv proc_ccci_dump:file r_file_perms;
+allow aee_aedv proc_log_much:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /sys/kernel/tracing/instances/mmstat/trace
+allow aee_aedv debugfs_tracing_instances:dir r_dir_perms;
+allow aee_aedv debugfs_tracing_instances:file r_file_perms;
+
+allow aee_aedv binderfs_logs:dir r_dir_perms;
+allow aee_aedv binderfs_logs:file r_file_perms;
+
+allow aee_aedv proc_ion:dir r_dir_perms;
+allow aee_aedv proc_ion:file r_file_perms;
+allow aee_aedv proc_m4u_dbg:dir r_dir_perms;
+allow aee_aedv proc_m4u_dbg:file r_file_perms;
+allow aee_aedv proc_mtkfb:file r_file_perms;
+
+allow aee_aedv proc_dmaheap:dir r_dir_perms;
+allow aee_aedv proc_dmaheap:file r_file_perms;
+
+allow aee_aedv proc_iommu_debug:dir r_dir_perms;
+allow aee_aedv proc_iommu_debug:file r_file_perms;
+
+allow aee_aedv sysfs_dvfsrc_dbg:dir r_dir_perms;
+allow aee_aedv sysfs_dvfsrc_dbg:file r_file_perms;
+
+allow aee_aedv sysfs_systracker:dir r_dir_perms;
+allow aee_aedv sysfs_systracker:file r_file_perms;
+
+allow aee_aedv sysfs_aee_enable:file r_file_perms;
+
+#Purpose: Allow aee_aedv to read /data/vendor/gpu_dump
+allow aee_aedv gpu_dump_vendor_file:dir r_dir_perms;
+allow aee_aedv gpu_dump_vendor_file:file r_file_perms;
+
+# Date : 2020/12/14
+# Purpose: allow aee_aedv to read /sys/kernel/mm/mlog/dump
+allow aee_aedv sysfs_mm:file r_file_perms;
+
+#Purpose: Allow aee_aedv to read /sys/bus/scsi/devices/0:0:0:0/vpd_pg80
+allow aee_aedv sysfs_vpd:dir r_dir_perms;
+allow aee_aedv sysfs_vpd:file r_file_perms;
+
+# Date: 2021/05/21
+# Purpose: allow aee_aedv to read /sys/kernel/notes
+allow aee_aedv sysfs_kernel_notes:file r_file_perms;
+
+# Date: 2021/08/09
+# Purpose: Add apusys debug info into db
+allow aee_aedv proc_apusys_rv_coredump_debug:file r_file_perms;
+allow aee_aedv proc_apusys_rv_xfile_debug:file r_file_perms;
+allow aee_aedv proc_apusys_rv_regdump_debug:file r_file_perms;
+allow aee_aedv proc_apusys_logger_seq_log_debug:file r_file_perms;
+
+# Date: 2021/08/10
+# Purpose: Add apusys mdw debug info into db
+allow aee_aedv proc_aputag_mdw_debug:file r_file_perms;
+
+no_debugfs_restriction(`
+ userdebug_or_eng(`
+ allow aee_aedv debugfs_blockio:file r_file_perms;
+ allow aee_aedv debugfs_fb:dir search;
+ allow aee_aedv debugfs_fb:file r_file_perms;
+ allow aee_aedv debugfs_fuseio:dir search;
+ allow aee_aedv debugfs_fuseio:file r_file_perms;
+ allow aee_aedv debugfs_rcu:dir search;
+ allow aee_aedv debugfs_shrinker_debug:file r_file_perms;
+ allow aee_aedv debugfs_dmlog_debug:file r_file_perms;
+ allow aee_aedv debugfs_page_owner_slim_debug:file r_file_perms;
+ allow aee_aedv debugfs_ion_mm_heap:dir search;
+ allow aee_aedv debugfs_ion_mm_heap:file r_file_perms;
+ allow aee_aedv debugfs_ion_mm_heap:lnk_file r_file_perms;
+ allow aee_aedv debugfs_cpuhvfs:dir search;
+ allow aee_aedv debugfs_cpuhvfs:file r_file_perms;
+ allow aee_aedv debugfs_emi_mbw_buf:file r_file_perms;
+
+ # Purpose:
+ # 01-01 00:33:28.340000 338 338 W aee_aedv: type=1400 audit(0.0:104): avc: denied { search }
+ # for name="dynamic_debug" dev="debugfs" ino=8182 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:
+ # debugfs_dynamic_debug:s0 tclass=dir permissive=0
+ allow aee_aedv debugfs_dynamic_debug:dir search;
+ allow aee_aedv debugfs_dynamic_debug:file r_file_perms;
+
+ # Purpose: Allow aee_aedv to read /sys/kernel/debug/rcu/rcu_callback_log
+ allow aee_aedv debugfs_rcu:file r_file_perms;
+
+ # Purpose: Allow aee_aedv to read /sys/kernel/debug/smi_mon
+ allow aee_aedv debugfs_smi_mon:file r_file_perms;
+
+ allow aee_aedv debugfs_cmdq:file r_file_perms;
+ allow aee_aedv debugfs_mml:file r_file_perms;
+ allow aee_aedv debugfs_wakeup_sources:file r_file_perms;
+ ')
+')
+
+allow aee_aedv sysfs_cache_status:file r_file_perms;
+
+allow aee_aedv sysfs_emiisu:file r_file_perms;
+
+allow aee_aedv mnt_vendor_file:dir search;
+allow aee_aedv nvdata_file:dir r_dir_perms;
+allow aee_aedv nvdata_file:file r_file_perms;
+allow aee_aedv protect_f_data_file:dir r_dir_perms;
+allow aee_aedv protect_f_data_file:file r_file_perms;
+allow aee_aedv protect_s_data_file:dir r_dir_perms;
+allow aee_aedv protect_s_data_file:file r_file_perms;
+allow aee_aedv proc_vpu_memory:file r_file_perms;
+
+allow aee_aedv proc_lockdep:file r_file_perms;
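Review bot: The capability block `allow aee_aedv self:capability { ... sys_admin sys_module net_admin linux_immutable ... }` together with `allow aee_aedv userdata_block_device:blk_file rw_file_perms`, `allow aee_aedv vendor_file:file x_file_perms` and `allow aee_aedv domain:process { sigkill getattr getsched }` makes a crash-reporting daemon effectively root-equivalent: it can write the raw userdata partition underneath the filesystem, execute any vendor binary, and kill any process, and none of these are inside `userdebug_or_eng`. The `sys_module` capability and `allow aee_aedv kernel:system module_request` are also the kind of grant the platform policy reserves for init/vendor_init, so expect a neverallow failure unless the base policy in use has been relaxed (verify before merging). I would remove `sys_module` and the `module_request` rule, drop `userdata_block_device`/`para_block_device` in favour of the dedicated expdb/mrdump partition types already listed, and wrap the remaining raw-device and capability rules in `userdebug_or_eng`. Several comments also say "read" while the rule grants write — `allow aee_aedv proc_cpu_alignment:file w_file_perms;` and `allow aee_aedv proc_ufs_debug:file rw_file_perms;` — so either the comment or the permission should be corrected to what is actually needed.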
diff --git a/basic/debug/non_plat/aee_core_forwarder.te b/basic/debug/non_plat/aee_core_forwarder.te
new file mode 100644
index 0000000..03123c2
--- /dev/null
+++ b/basic/debug/non_plat/aee_core_forwarder.te
@@ -0,0 +1,19 @@
+# ==============================================
+# Policy File of /system/bin/aee_core_forwarder Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow aee_core_forwarder aee_exp_data_file:dir rw_dir_perms;
+allow aee_core_forwarder aee_exp_data_file:file create_file_perms;
+
+# Date: 2019/06/14
+# Operation : Migration
+# Purpose : interface=android.system.suspend::ISystemSuspend for aee_core_forwarder
+wakelock_use(aee_core_forwarder)
+allow aee_core_forwarder crash_dump:unix_stream_socket connectto;
+allow aee_core_forwarder aee_core_data_file:dir r_dir_perms;
+allow aee_core_forwarder crash_dump:lnk_file r_file_perms;
+allow aee_core_forwarder crash_dump:process {getattr};
+allow aee_core_forwarder sysfs_aee_enable:file r_file_perms;
diff --git a/basic/debug/non_plat/aee_hal.te b/basic/debug/non_plat/aee_hal.te
new file mode 100644
index 0000000..9a722b9
--- /dev/null
+++ b/basic/debug/non_plat/aee_hal.te
@@ -0,0 +1,25 @@
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type aee_hal,domain;
+type aee_hal_exec, exec_type, file_type, vendor_file_type;
+typeattribute aee_hal mlstrustedsubject;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(aee_hal)
+
+hal_server_domain(aee_hal, hal_mtk_aee)
+
+allow aee_hal aee_exp_vendor_file:dir w_dir_perms;
+allow aee_hal aee_exp_vendor_file:file create_file_perms;
+allow aee_hal aee_exp_data_file:file { read write };
+
+set_prop(aee_hal, vendor_mtk_persist_mtk_aeev_prop)
+set_prop(aee_hal, vendor_mtk_persist_aeev_prop)
+set_prop(aee_hal, vendor_mtk_debug_mtk_aeev_prop)
+
+binder_call(aee_hal, system_app);
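Review bot: `binder_call(aee_hal, system_app);` has a vendor HAL domain calling directly into a system-side app domain over binder, which crosses the system/vendor boundary that `hal_server_domain(aee_hal, hal_mtk_aee)` is meant to mediate; clients should reach aee_hal through the hwservice, and if a callback is genuinely needed it should be documented here with the interface name. The trailing `;` after the m4 macro is also unusual for this file set and may be rejected by the policy compiler, so it should be removed. `allow aee_hal aee_exp_data_file:file { read write }` likewise gives a vendor domain write access to what looks like a core `/data` type; if that type is owned by the system side, the vendor-owned `aee_exp_vendor_file` should be used instead — confirm where `aee_exp_data_file` is labelled.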
diff --git a/basic/debug/non_plat/atcid.te b/basic/debug/non_plat/atcid.te
new file mode 100755
index 0000000..c5dc484
--- /dev/null
+++ b/basic/debug/non_plat/atcid.te
@@ -0,0 +1,10 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK21.33
+# Purpose: Add policy to support get modem status
+
+allow atcid ccci_device:chr_file rw_file_perms_no_map;
+allow atcid self:unix_stream_socket ioctl;
+allowxperm atcid self:unix_stream_socket ioctl unpriv_tty_ioctls;
\ No newline at end of file
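Review bot: The file is added with mode 100755 and without a trailing newline (the `\ No newline at end of file` marker); policy sources are not executables and the other `.te` files in this change use 100644, so the mode should be 100644 and a final newline added. Style aside, `allowxperm atcid self:unix_stream_socket ioctl unpriv_tty_ioctls;` is applying a tty ioctl whitelist to a unix socket, which is presumably for a socketpair used as a pty substitute; a one-line comment naming which ioctls are actually issued would make the intent reviewable.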
diff --git a/basic/debug/non_plat/audioserver.te b/basic/debug/non_plat/audioserver.te
new file mode 100644
index 0000000..a31e4c2
--- /dev/null
+++ b/basic/debug/non_plat/audioserver.te
@@ -0,0 +1,3 @@
+# Date : WK16.48
+# Purpose: Allow to trigger AEE dump
+allow audioserver crash_dump:unix_stream_socket connectto;
diff --git a/basic/debug/non_plat/ccci_mdinit.te b/basic/debug/non_plat/ccci_mdinit.te
new file mode 100644
index 0000000..4c800a8
--- /dev/null
+++ b/basic/debug/non_plat/ccci_mdinit.te
@@ -0,0 +1 @@
+get_prop(ccci_mdinit, system_mtk_init_svc_aee_aedv_prop)
diff --git a/basic/debug/non_plat/connsyslogger.te b/basic/debug/non_plat/connsyslogger.te
new file mode 100644
index 0000000..293834f
--- /dev/null
+++ b/basic/debug/non_plat/connsyslogger.te
@@ -0,0 +1,75 @@
+# ==============================================
+# Policy File of /system/bin/connsyslogger Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+#for logging sdcard access
+allow connsyslogger fuse:dir create_dir_perms;
+allow connsyslogger fuse:file create_file_perms;
+
+#consys logger access on /data/consyslog
+allow connsyslogger consyslog_data_file:dir { create_dir_perms relabelto };
+allow connsyslogger consyslog_data_file:fifo_file create_file_perms;
+allow connsyslogger consyslog_data_file:file create_file_perms;
+
+allow connsyslogger tmpfs:lnk_file create_file_perms;
+
+# purpose: avc: denied { read } for name="plat_file_contexts"
+allow connsyslogger file_contexts_file:file r_file_perms;
+
+#logger SD logging in factory mode
+allow connsyslogger vfat:dir create_dir_perms;
+allow connsyslogger vfat:file create_file_perms;
+
+#logger permission in storage in android M version
+allow connsyslogger mnt_user_file:dir search;
+allow connsyslogger mnt_user_file:lnk_file r_file_perms;
+allow connsyslogger storage_file:lnk_file r_file_perms;
+
+#permission for use SELinux API
+allow connsyslogger rootfs:file r_file_perms;
+
+#permission for storage access storage
+allow connsyslogger storage_file:dir create_dir_perms;
+allow connsyslogger storage_file:file create_file_perms;
+
+#permission for read boot mode
+allow connsyslogger sysfs_boot_mode:file r_file_perms;
+
+allow connsyslogger fw_log_wifi_device:chr_file rw_file_perms;
+allow connsyslogger fw_log_bt_device:chr_file rw_file_perms;
+allow connsyslogger fw_log_gps_device:chr_file rw_file_perms;
+allow connsyslogger fw_log_wmt_device:chr_file rw_file_perms;
+allow connsyslogger fw_log_ics_device:chr_file rw_file_perms;
+allow connsyslogger fw_log_wifimcu_device:chr_file rw_file_perms_no_map;
+allow connsyslogger fw_log_btmcu_device:chr_file rw_file_perms_no_map;
+
+allow connsyslogger sdcardfs:dir create_dir_perms;
+allow connsyslogger sdcardfs:file create_file_perms;
+allow connsyslogger rootfs:lnk_file getattr;
+
+allow connsyslogger media_rw_data_file:file create_file_perms;
+allow connsyslogger media_rw_data_file:dir create_dir_perms;
+
+#permission to get driver ready status
+get_prop(connsyslogger, vendor_mtk_wmt_prop)
+
+#Date:2019/03/25
+# purpose: allow connsyslogger to access persist.meta.connecttype
+get_prop(connsyslogger, vendor_mtk_meta_connecttype_prop)
+
+
+#Date:2019/03/25
+# purpose: allow emdlogger to create socket
+allow connsyslogger port:tcp_socket { name_connect name_bind };
+allow connsyslogger connsyslogger:tcp_socket create_stream_socket_perms;
+allow connsyslogger node:tcp_socket node_bind;
+
+#Date:2019/03/25
+# usb device ttyGSx for modem logger usb logging
+allow connsyslogger ttyGS_device:chr_file rw_file_perms;
+
+# Add permission to access new bootmode file
+allow connsyslogger sysfs_boot_info:file r_file_perms;
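Review bot: `allow connsyslogger port:tcp_socket { name_connect name_bind };` together with `allow connsyslogger node:tcp_socket node_bind;` lets the logger bind or connect on any unreserved TCP port on any local address, which turns a log collector into an unrestricted network listener; a dedicated port type with a `portcon` entry and `name_bind` only on that type would confine it, and if the socket is for a local tool it should be bound to loopback. The comment above that rule says "allow emdlogger to create socket" while the rule is for connsyslogger, so it looks copy-pasted and should be corrected to say which component actually opens the socket and why. `allow connsyslogger consyslog_data_file:dir { create_dir_perms relabelto };` also grants `relabelto` without a matching `relabelfrom` on the source type, which is either dead or relies on a rule elsewhere; worth a comment either way.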
diff --git a/basic/debug/non_plat/crash_dump.te b/basic/debug/non_plat/crash_dump.te
new file mode 100644
index 0000000..572b2b4
--- /dev/null
+++ b/basic/debug/non_plat/crash_dump.te
@@ -0,0 +1,27 @@
+#data/aee_exp
+allow crash_dump aee_exp_data_file:dir { create_dir_perms relabelto };
+allow crash_dump aee_exp_data_file:file create_file_perms;
+
+hal_client_domain(crash_dump, hal_mtk_aee)
+
+allow crash_dump aed_device:chr_file rw_file_perms;
+
+# Date : 2020/12/14
+# Purpose: allow aee_aed to read /sys/kernel/mm/mlog/dump
+allow crash_dump sysfs_mm:file r_file_perms;
+
+# Purpose: Allow crash_dump to write /proc/aed/generate-kernel-notify
+allow crash_dump proc_aed:dir r_dir_perms;
+allow crash_dump proc_aed:file rw_file_perms;
+
+no_debugfs_restriction(`
+ userdebug_or_eng(`
+ allow crash_dump debugfs_blockio:file r_file_perms;
+ allow crash_dump debugfs_ion_mm_heap:dir search;
+ allow crash_dump debugfs_ion_mm_heap:file r_file_perms;
+ allow crash_dump debugfs_ion_mm_heap:lnk_file r_file_perms;
+ allow crash_dump debugfs_dmlog_debug:file r_file_perms;
+ ')
+')
+
+allow crash_dump sysfs_aee_enable:file r_file_perms;
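Review bot: `allow crash_dump aed_device:chr_file rw_file_perms;` and `allow crash_dump proc_aed:file rw_file_perms;` give the crash handler — which is spawned for every crashing process, including untrusted apps — read/write and, via `r_file_perms`, unrestricted ioctl access to the AEE kernel interfaces, so any weakness in the aed driver's input handling becomes reachable from an app-triggered crash. Since the hunk already makes crash_dump a client of `hal_mtk_aee`, the lower-risk shape is to have crash_dump only notify the HAL and keep the device and `/proc/aed` writes in aee_aedv; if direct device access is unavoidable, an `allowxperm` restricting the ioctl set would narrow it. Note also that crash_dump is a core domain being extended from vendor policy, which the comment should acknowledge.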
diff --git a/basic/debug/non_plat/device.te b/basic/debug/non_plat/device.te
new file mode 100644
index 0000000..69aea3a
--- /dev/null
+++ b/basic/debug/non_plat/device.te
@@ -0,0 +1,6 @@
+type aed_device, dev_type;
+
+# Date:2021/07/27
+# Purpose: permission for emdlogger
+type ccci_mdl_device, dev_type;
+
diff --git a/basic/debug/non_plat/domain.te b/basic/debug/non_plat/domain.te
new file mode 100644
index 0000000..4bc29e6
--- /dev/null
+++ b/basic/debug/non_plat/domain.te
@@ -0,0 +1,5 @@
+# Date:20170630
+# Purpose: allow trusted process to connect aee daemon
+allow { domain -coredomain -hal_configstore_server -vendor_init } aee_aedv:unix_stream_socket connectto;
+allow { domain -coredomain -hal_configstore_server -vendor_init } aee_exp_vendor_file:file w_file_perms;
+allow { domain -coredomain -hal_configstore_server -vendor_init } aee_aedv:fd use;
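Review bot: The three `allow { domain -coredomain -hal_configstore_server -vendor_init } ...` rules grant every present and future vendor domain write access to `aee_exp_vendor_file` and socket/fd access to aee_aedv, so any vendor process — including a compromised HAL — can connect to the exception daemon and overwrite another process's crash report, and the grant is not limited to `userdebug_or_eng` despite living under `debug/`. A dedicated attribute assigned explicitly to the domains that actually report exceptions keeps the list reviewable, e.g. `attribute aee_client_domain;` with `allow aee_client_domain aee_aedv:unix_stream_socket connectto;` and `typeattribute <domain> aee_client_domain` in each client's file. The `-hal_configstore_server` exclusion suggests the author already hit a neverallow for that domain; other restricted vendor domains may have the same problem and an explicit attribute avoids chasing them one by one.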
diff --git a/basic/debug/non_plat/dumpstate.te b/basic/debug/non_plat/dumpstate.te
new file mode 100644
index 0000000..d784dbc
--- /dev/null
+++ b/basic/debug/non_plat/dumpstate.te
@@ -0,0 +1,126 @@
+# Purpose: data/aee_exp/*
+allow dumpstate aee_exp_data_file:dir rw_dir_perms;
+allow dumpstate aee_exp_data_file:file create_file_perms;
+
+# Data : 2017/03/22
+# Operation : add fd use selinux rule
+# Purpose : type=1400 audit(0.0:81356): avc: denied { use } for path="/system/bin/linker"
+# dev="mmcblk0p26" ino=250 scontext=u:r:dumpstate:s0
+# tcontext=u:r:crash_dump:s0 tclass=fd permissive=0
+allow dumpstate crash_dump:fd use;
+allow dumpstate crash_dump:unix_stream_socket { rw_socket_perms connectto };
+
+# Purpose: access dev/aed0
+allow dumpstate aed_device:chr_file r_file_perms;
+allow dumpstate vcp_device:chr_file r_file_perms_no_map;
+
+# Purpose: 01-01 08:30:57.260 3070 3070 W aee_dumpstate: type=1400 audit(0.0:13196): avc: denied
+# { read } for name="SF_dump" dev="dm-0" ino=352257 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
+# sf_bqdump_data_file:s0 tclass=dir permissive=0
+allow dumpstate sf_bqdump_data_file:dir r_dir_perms;
+allow dumpstate sf_bqdump_data_file:file r_file_perms;
+
+# Purpose:
+# 01-01 17:59:14.440 7664 7664 I aee_dumpstate: type=1400 audit(0.0:63497):
+# avc: denied { open } for path="/sys/kernel/debug/tracing/tracing_on" dev=
+# "debugfs" ino=2087 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
+# tracing_shell_writable:s0 tclass=file permissive=1
+allow dumpstate debugfs_tracing:file rw_file_perms;
+
+# Purpose: Allow aee_dumpstate to invoke "lshal debug <interface>", where <interface> is "ICameraProvider".
+allow dumpstate mtk_hal_camera:binder call;
+
+# Purpose: Allow aee_dumpstate to read /proc/slabinfo
+allow dumpstate proc_slabinfo:file r_file_perms;
+
+# Purpose: Allow aee_dumpstate to read /proc/zraminfo
+allow dumpstate proc_zraminfo:file r_file_perms;
+
+# Purpose: Allow aee_dumpstate to read /proc/gpulog
+allow dumpstate proc_gpulog:file r_file_perms;
+
+# Purpose: Allow aee_dumpstate to read /proc/sched_debug
+allow dumpstate proc_sched_debug:file r_file_perms;
+
+# Purpose: Allow aee_dumpstate to read /proc/chip/hw_ver
+allow dumpstate proc_chip:file r_file_perms;
+allow dumpstate proc_chip:dir r_dir_perms;
+
+# Purpose: Allow aee_dumpstate to write /sys/devices/virtual/timed_output/vibrator/enable
+allow dumpstate sysfs_vibrator_setting:file w_file_perms;
+
+# Date : 2020/12/14
+# Purpose: allow aee_dumpstate to read /sys/kernel/mm/mlog/dump
+allow dumpstate sysfs_mm:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /sys/bus/scsi/devices/0:0:0:0/vpd_pg80
+allow dumpstate sysfs_vpd:dir r_dir_perms;
+allow dumpstate sysfs_vpd:file r_file_perms;
+
+#Purpose: Alloc dumpstate to read /proc/dma_heap/
+allow dumpstate proc_dmaheap:dir r_dir_perms;
+allow dumpstate proc_dmaheap:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/iommu_debug/
+allow dumpstate proc_iommu_debug:dir r_dir_perms;
+allow dumpstate proc_iommu_debug:file r_file_perms;
+
+#Date: 2020/07/23
+#Purpose: Allow dumpstate to read /sys/kernel/notes
+allow dumpstate sysfs_kernel_notes:file r_file_perms;
+
+no_debugfs_restriction(`
+ userdebug_or_eng(`
+ allow dumpstate debugfs_blockio:file r_file_perms;
+ allow dumpstate debugfs_fb:dir search;
+ allow dumpstate debugfs_fb:file r_file_perms;
+ allow dumpstate debugfs_fuseio:dir search;
+ allow dumpstate debugfs_fuseio:file r_file_perms;
+ allow dumpstate debugfs_rcu:dir search;
+ allow dumpstate debugfs_shrinker_debug:file r_file_perms;
+ allow dumpstate debugfs_dmlog_debug:file r_file_perms;
+ allow dumpstate debugfs_page_owner_slim_debug:file r_file_perms;
+ allow dumpstate debugfs_ion_mm_heap:dir search;
+ allow dumpstate debugfs_ion_mm_heap:file r_file_perms;
+ allow dumpstate debugfs_ion_mm_heap:lnk_file r_file_perms;
+ allow dumpstate debugfs_cpuhvfs:dir search;
+ allow dumpstate debugfs_cpuhvfs:file r_file_perms;
+
+ # Purpose: Allow dumpstate to read /sys/kernel/debug/rcu/rcu_callback_log
+ allow dumpstate debugfs_rcu:file r_file_perms;
+
+ # Date: 19/07/15
+ # Purpose: Allow dumpstate to read /sys/kernel/debug/kmemleak
+ allow dumpstate debugfs_kmemleak:file r_file_perms;
+
+ #Purpose: Allow dumpstate to read /sys/kernel/debug/smi_mon
+ allow dumpstate debugfs_smi_mon:file r_file_perms;
+
+ allow dumpstate debugfs_cmdq:file r_file_perms;
+ allow dumpstate debugfs_mml:file r_file_perms;
+ allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+ ')
+')
+
+#Date: 2021/08/24
+#Purpose: debugfs files
+no_debugfs_restriction(`
+ userdebug_or_eng(`
+ allow dumpstate debugfs_cam_dbg:file r_file_perms;
+ allow dumpstate debugfs_cam_exception:file r_file_perms;
+ ')
+')
+
+allow dumpstate sysfs_dvfsrc_dbg:dir r_dir_perms;
+allow dumpstate sysfs_dvfsrc_dbg:file r_file_perms;
+#Purpose: Allow dumpstate to read /proc/apusys_rv/apusys_rv_xfile and /proc/apusys_logger/seq_log
+allow dumpstate proc_apusys_rv_xfile_debug:file r_file_perms;
+allow dumpstate proc_apusys_logger_seq_log_debug:file r_file_perms;
+allow dumpstate sysfs_emiisu:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/vpu/vpu_memory
+allow dumpstate proc_vpu_memory:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/mtk_mali/gpu_memory
+allow dumpstate proc_gpu_memory:file r_file_perms;
+
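Review bot: `allow dumpstate debugfs_tracing:file rw_file_perms;` is the only debugfs rule in this file not wrapped in the `no_debugfs_restriction(` userdebug_or_eng(` ... ') ')` guard used for every other debugfs type below, and the denial quoted above it was captured with `permissive=1`, so it is not evidence that user builds need it; debugfs is expected to be unavailable on user builds at recent API levels and unconditional debugfs access may be rejected by upstream neverallows. Move the rule inside the existing guarded block, or document why a user build must write tracing_on. Two comment typos while here: `# Data : 2017/03/22` should read `# Date : 2017/03/22`, and `#Purpose: Alloc dumpstate to read /proc/dma_heap/` should read `Allow`.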
diff --git a/basic/debug/non_plat/emdlogger.te b/basic/debug/non_plat/emdlogger.te
new file mode 100644
index 0000000..e466fee
--- /dev/null
+++ b/basic/debug/non_plat/emdlogger.te
@@ -0,0 +1,124 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# ccci device for internal modem
+allow emdlogger ccci_mdl_device:chr_file rw_file_perms;
+allow emdlogger ccci_ccb_device:chr_file rw_file_perms;
+#add for read /dev/ccci_md1_sta
+allow emdlogger ccci_device:chr_file rw_file_perms;
+
+# eemcs device for external modem
+allow emdlogger eemcs_device:chr_file rw_file_perms;
+
+# C2K project SDIO device for external modem ttySDIO2 control port, ttySDIO8 log port
+allow emdlogger ttySDIO_device:chr_file rw_file_perms;
+
+# C2K project modem device for external modem vmodem start/stop/ioctl modem
+allow emdlogger vmodem_device:chr_file rw_file_perms;
+
+# usb device ttyGSx for modem logger usb logging
+allow emdlogger ttyGS_device:chr_file rw_file_perms;
+
+# for modem logging sdcard access
+allow emdlogger sdcard_type:dir create_dir_perms;
+allow emdlogger sdcard_type:file create_file_perms;
+
+# modem logger access on /data/mdlog
+allow emdlogger mdlog_data_file:dir { create_dir_perms relabelto };
+allow emdlogger mdlog_data_file:fifo_file create_file_perms;
+allow emdlogger mdlog_data_file:file create_file_perms;
+
+# modem logger control port access /dev/ttyC1
+allow emdlogger mdlog_device:chr_file rw_file_perms;
+
+# modem logger SD logging in factory mode
+allow emdlogger vfat:dir create_dir_perms;
+allow emdlogger vfat:file create_file_perms;
+
+# modem logger permission in storage in android M version
+allow emdlogger mnt_user_file:dir search;
+allow emdlogger mnt_user_file:lnk_file r_file_perms;
+allow emdlogger storage_file:lnk_file r_file_perms;
+
+# permission for storage link access in vzw Project
+allow emdlogger mnt_media_rw_file:dir search;
+
+# permission for use SELinux API
+# avc: denied { read } for pid=576 comm="emdlogger1" name="selinux_version" dev="rootfs"
+allow emdlogger rootfs:file r_file_perms;
+
+# permission for storage access storage
+allow emdlogger storage_file:dir create_dir_perms;
+allow emdlogger tmpfs:lnk_file r_file_perms;
+allow emdlogger storage_file:file create_file_perms;
+
+# permission for read boot mode
+# avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs"
+allow emdlogger sysfs_boot_mode:file r_file_perms;
+
+# Allow read to sys/kernel/ccci/* files
+allow emdlogger sysfs_ccci:dir search;
+allow emdlogger sysfs_ccci:file r_file_perms;
+
+allow emdlogger sysfs_mdinfo:file r_file_perms;
+allow emdlogger sysfs_mdinfo:dir search;
+
+# Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681
+# scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
+allow emdlogger system_file:dir r_dir_perms;
+
+# purpose: allow emdlogger to access storage in N version
+allow emdlogger media_rw_data_file:file create_file_perms;
+allow emdlogger media_rw_data_file:dir create_dir_perms;
+
+# For dynamic CCB buffer feature
+# avc: denied { read write } for name="lk_env" dev="proc" ino=4026532192
+# scontext=u:r:emdlogger:s0 tcontext=u:object_r:proc_lk_env:s0 tclass=file permissive=0
+# avc: denied { read } for name="mmcblk0p3" dev="tmpfs" ino=8493 scontext=u:r:emdlogger:s0
+# tcontext=u:object_r:para_block_device:s0 tclass=blk_file permissive=0
+allow emdlogger para_block_device:blk_file rw_file_perms;
+allow emdlogger proc_lk_env:file rw_file_perms;
+
+allow emdlogger block_device:dir search;
+allow emdlogger md_block_device:blk_file r_file_perms;
+allow emdlogger self:capability chown;
+
+# purpose: allow emdlogger to access persist.meta.connecttype
+get_prop(emdlogger, vendor_mtk_meta_connecttype_prop)
+
+# purpose: allow emdlogger to create socket
+allow emdlogger port:tcp_socket { name_connect name_bind };
+allow emdlogger emdlogger:tcp_socket {create_stream_socket_perms};
+allow emdlogger node:tcp_socket node_bind;
+allow emdlogger fwmarkd_socket:sock_file {write};
+allow emdlogger netd:unix_stream_socket {connectto};
+allow emdlogger self:tcp_socket {ioctl};
+
+
+# Android P migration
+get_prop(emdlogger, vendor_mtk_usb_prop)
+
+# Date : WK19.12
+# Operation: add permission to catch logs
+# Purpose : get kernel and radio logs when modem exception
+allow emdlogger kernel:system syslog_read;
+allow emdlogger logcat_exec:file rx_file_perms;
+allow emdlogger logdr_socket:sock_file w_file_perms;
+
+# Add permission to access new bootmode file
+allow emdlogger sysfs_boot_info:file r_file_perms;
+
+# avc: denied { connectto } for path=006165653A72747464 scontext=u:r:emdlogger:s0
+# tcontext=u:object_r:aee_aed_socket:s0 tclass=unix_stream_socket permissive=0
+# security issue control
+allow emdlogger crash_dump:unix_stream_socket connectto;
+# Allow ReadDefaultFstab().
+read_fstab(emdlogger)
+
+# Date : 2021/07/06
+# Purpose: add permission to access devie tree to get ccb gear info
+allow emdlogger sysfs_soc_ccb_gear:file r_file_perms;
+allow emdlogger sysfs_ccb_gear:file r_file_perms;
+
+get_prop(emdlogger, vendor_mtk_atm_ipaddr_prop)
\ No newline at end of file
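Review bot: `allow emdlogger para_block_device:blk_file rw_file_perms;` gives the modem logger write access to a raw partition block device, yet the denial quoted two lines above for mmcblk0p3 shows only `{ read }`; unless emdlogger really writes the para partition, `allow emdlogger para_block_device:blk_file r_file_perms;` is the least-privilege form (the `proc_lk_env` denial does show `{ read write }`, so `rw_file_perms` is justified there). The `rootfs:file r_file_perms` rule is explained by a read of selinux_version, but it covers every file on rootfs; the comment should say whether anything else under / is read so the scope can be checked later. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.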
diff --git a/basic/debug/non_plat/file.te b/basic/debug/non_plat/file.te
new file mode 100644
index 0000000..f746ee6
--- /dev/null
+++ b/basic/debug/non_plat/file.te
@@ -0,0 +1,86 @@
+# AEE exp
+type aee_exp_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type aee_exp_vendor_file, file_type, data_file_type;
+
+# Date : 2019/08/29
+# Purpose: Allow rild access proc/aed/reboot-reason
+type proc_aed_reboot_reason, fs_type, proc_type;
+
+# Date : 2021/06/24
+# Operation: S development
+# Purpose: Add permission for access /proc/iommu_debug
+type proc_iommu_debug, fs_type, proc_type;
+
+type proc_aed, fs_type, proc_type;
+
+type sysfs_soc_ccb_gear, sysfs_type, fs_type;
+type sysfs_ccb_gear, sysfs_type, fs_type;
+
+# Date : 2021/08/09
+# Purpose: Add apusys debug info into db
+type proc_apusys_rv_coredump_debug, fs_type, proc_type;
+type proc_apusys_rv_xfile_debug, fs_type, proc_type;
+type proc_apusys_rv_regdump_debug, fs_type, proc_type;
+type proc_apusys_logger_seq_log_debug, fs_type, proc_type;
+
+# Date : 2021/08/10
+# Purpose: Add apusys MDW debug info into db
+type proc_aputag_mdw_debug, fs_type, proc_type;
+
+# Date : 2021/10/13
+type proc_mtmon, fs_type, proc_type;
+
+# Date : 2022/01/19
+# Purpose: Add lockdep debug info into db
+type proc_lockdep, fs_type, proc_type;
+
+# blockio procfs file
+type debugfs_blockio, fs_type, debugfs_type;
+
+# fuseio debugfs file
+type debugfs_fuseio, fs_type, debugfs_type;
+
+# cpuhvfs debugfs file
+type debugfs_cpuhvfs, fs_type, debugfs_type;
+
+# dynamic_debug debugfs file
+type debugfs_dynamic_debug, fs_type, debugfs_type;
+
+# shrinker debugfs file
+type debugfs_shrinker_debug, fs_type, debugfs_type;
+
+# dmlog debugfs file
+type debugfs_dmlog_debug, fs_type, debugfs_type;
+
+# page_owner_slim debugfs file
+type debugfs_page_owner_slim_debug, fs_type, debugfs_type;
+
+# rcu debugfs file
+type debugfs_rcu, fs_type, debugfs_type;
+
+# /sys/kernel/debug/ion/ion_mm_heap
+type debugfs_ion_mm_heap, fs_type, debugfs_type;
+
+# /sys/kernel/debug/emi_mbw/dump_buf
+type debugfs_emi_mbw_buf, fs_type, debugfs_type;
+
+# /sys/devices/platform/emiisu/emi_isu_buf
+type sysfs_emiisu, sysfs_type, fs_type;
+
+# /sys/kernel/debug/kmemleak
+type debugfs_kmemleak, fs_type, debugfs_type;
+
+# Date : 2019/08/15
+type debugfs_smi_mon, fs_type, debugfs_type;
+
+type debugfs_cmdq, fs_type, debugfs_type;
+type debugfs_mml, fs_type, debugfs_type;
+
+# Date : 2021/08/24
+# camsys debugfs file
+type debugfs_cam_dbg, fs_type, debugfs_type;
+type debugfs_cam_exception, fs_type, debugfs_type;
+
+#vpu proc file
+type proc_vpu_memory, fs_type, proc_type;
+
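Review bot: `type aee_exp_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;` is declared from vendor (non_plat) policy with both `core_data_file_type` and `mlstrustedobject`, and unlike the neighbouring declarations it carries no Date/Purpose comment saying why MLS trust is needed for a directory that crash_dump writes and platform_app reads. Add a comment such as `# mlstrustedobject: <reason the path must be reachable across MLS levels>` with the real reason, and if the directory is only used by the domains granted access in this commit, check whether `mlstrustedobject` can be dropped.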
diff --git a/basic/debug/non_plat/file_contexts b/basic/debug/non_plat/file_contexts
new file mode 100644
index 0000000..ecdd3da
--- /dev/null
+++ b/basic/debug/non_plat/file_contexts
@@ -0,0 +1,37 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+##########################
+# Data files
+#
+/data/connsyslog(/.*)? u:object_r:consyslog_data_file:s0
+##########################
+# Devices
+#
+/dev/socket/netdiag(/.*)? u:object_r:netdiag_socket:s0
+##########################
+# Vendor files
+#
+/vendor/bin/loghidlvendorservice u:object_r:loghidlvendorservice_exec:s0
+
+/data/aee_exp(/.*)? u:object_r:aee_exp_data_file:s0
+/data/vendor/aee_exp(/.*)? u:object_r:aee_exp_vendor_file:s0
+
+/(vendor|system/vendor)/bin/aee_aedv u:object_r:aee_aedv_exec:s0
+/(vendor|system/vendor)/bin/aee_aedv64 u:object_r:aee_aedv_exec:s0
+/(vendor|system/vendor)/bin/aee_aedv64_v2 u:object_r:aee_aedv_exec:s0
+
+/vendor/bin/hw/vendor\.mediatek\.hardware\.aee@1\.0-service u:object_r:aee_hal_exec:s0
+/vendor/bin/hw/vendor\.mediatek\.hardware\.aee@1\.1-service u:object_r:aee_hal_exec:s0
+
+/dev/aed[0-9]+ u:object_r:aed_device:s0
+
+# Date:2021/07/27
+# Purpose: permission for emdlogger
+/dev/ccci_md_log_ctrl u:object_r:ccci_mdl_device:s0
+/dev/ccci_ccb_dhl u:object_r:ccci_mdl_device:s0
+/dev/ccci_raw_dhl u:object_r:ccci_mdl_device:s0
+# Purpose: permission for mdlogger
+/dev/ccci_md_log_tx u:object_r:ccci_mdl_device:s0
+/dev/ccci_md_log_rx u:object_r:ccci_mdl_device:s0
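Review bot: The entry `/data/connsyslog(/.*)? u:object_r:consyslog_data_file:s0` labels the directory with `consyslog_data_file` while the path and the `connsyslogger` domain referenced elsewhere in this commit are spelled with `conn`; the type is not declared in this commit's file.te, so either it exists elsewhere under that spelling or the build will fail — worth confirming the intended name. Separately, the camera HAL denial quoted in mtk_hal_camera.te names `/data/vendor/mtklog/aee_exp/temp/...` as `aee_exp_vendor_file`, but the only entry here is `/data/vendor/aee_exp(/.*)?`; if the mtklog path is not labelled elsewhere it inherits the label of /data/vendor/mtklog and the camera rule will not apply to it.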
diff --git a/basic/debug/non_plat/genfs_contexts b/basic/debug/non_plat/genfs_contexts
new file mode 100644
index 0000000..c824343
--- /dev/null
+++ b/basic/debug/non_plat/genfs_contexts
@@ -0,0 +1,72 @@
+genfscon proc /aed u:object_r:proc_aed:s0
+# Date : 2019/08/29
+# Purpose: allow rild to access /proc/aed/reboot-reason
+genfscon proc /aed/reboot-reason u:object_r:proc_aed_reboot_reason:s0
+
+# 2021/06/24
+# Purpose: add iommu debug info into db
+genfscon proc /iommu_debug u:object_r:proc_iommu_debug:s0
+
+# Date : 2021/07/06
+# Purpose: allow emdlogger to access /proc/device-tree/soc/mddriver
+genfscon sysfs /firmware/devicetree/base/soc/mddriver/md1_ccb_gear_list u:object_r:sysfs_soc_ccb_gear:s0
+genfscon sysfs /firmware/devicetree/base/soc/mddriver/md1_ccb_cap_gear u:object_r:sysfs_soc_ccb_gear:s0
+
+# Date : 2021/07/06
+# Purpose: allow emdlogger to access /proc/device-tree/mddriver
+genfscon sysfs /firmware/devicetree/base/mddriver/md1_ccb_cap_gear u:object_r:sysfs_ccb_gear:s0
+genfscon sysfs /firmware/devicetree/base/mddriver/md1_ccb_gear_list u:object_r:sysfs_ccb_gear:s0
+
+# Date : 2021/08/09
+# Purpose: add apusys debug info into db
+genfscon proc /apusys_rv/apusys_rv_coredump u:object_r:proc_apusys_rv_coredump_debug:s0
+genfscon proc /apusys_rv/apusys_rv_xfile u:object_r:proc_apusys_rv_xfile_debug:s0
+genfscon proc /apusys_rv/apusys_regdump u:object_r:proc_apusys_rv_regdump_debug:s0
+genfscon proc /apusys_logger/seq_log u:object_r:proc_apusys_logger_seq_log_debug:s0
+
+# Date : 2021/08/10
+# Purpose: add apusys MDW debug info into db
+genfscon proc /aputag/mdw u:object_r:proc_aputag_mdw_debug:s0
+
+# Date : 2021/10/13
+# Purpose: allow vendor_init to access /proc/mtmon
+genfscon proc /mtmon u:object_r:proc_mtmon:s0
+
+# Date : 2022/01/19
+# Purpose: add lockdep debug info into db
+genfscon proc /lockdep u:object_r:proc_lockdep:s0
+genfscon proc /lockdep_chains u:object_r:proc_lockdep:s0
+genfscon proc /lockdep_stats u:object_r:proc_lockdep:s0
+
+genfscon debugfs /blockio u:object_r:debugfs_blockio:s0
+genfscon debugfs /cpuhvfs u:object_r:debugfs_cpuhvfs:s0
+genfscon debugfs /dmlog u:object_r:debugfs_dmlog_debug:s0
+genfscon debugfs /dynamic_debug u:object_r:debugfs_dynamic_debug:s0
+genfscon debugfs /emi_mbw/dump_buf u:object_r:debugfs_emi_mbw_buf:s0
+genfscon debugfs /fuseio u:object_r:debugfs_fuseio:s0
+genfscon debugfs /ion/client_history u:object_r:debugfs_ion_mm_heap:s0
+genfscon debugfs /ion/heaps u:object_r:debugfs_ion_mm_heap:s0
+genfscon debugfs /ion/ion_mm_heap u:object_r:debugfs_ion_mm_heap:s0
+genfscon debugfs /kmemleak u:object_r:debugfs_kmemleak:s0
+genfscon debugfs /page_owner_slim u:object_r:debugfs_page_owner_slim_debug:s0
+genfscon debugfs /rcu u:object_r:debugfs_rcu:s0
+genfscon debugfs /shrinker u:object_r:debugfs_shrinker_debug:s0
+# 2019/08/15
+genfscon debugfs /smi_mon u:object_r:debugfs_smi_mon:s0
+
+genfscon debugfs /cmdq/cmdq-status u:object_r:debugfs_cmdq:s0
+genfscon debugfs /cmdq/cmdq-record u:object_r:debugfs_cmdq:s0
+
+genfscon debugfs /mml/mml-record u:object_r:debugfs_mml:s0
+genfscon debugfs /mml/mml-frame-dump-in u:object_r:debugfs_mml:s0
+
+# Date: 2021/08/24
+# allow aee to get camsys dump
+genfscon debugfs /mtk_cam_dbg_dump u:object_r:debugfs_cam_dbg:s0
+genfscon debugfs /mtk_cam_exp_dump u:object_r:debugfs_cam_exception:s0
+
+genfscon sysfs /devices/platform/emiisu/emi_isu_buf u:object_r:sysfs_emiisu:s0
+genfscon sysfs /devices/platform/soc/soc:emiisu/emi_isu_buf u:object_r:sysfs_emiisu:s0
+
+genfscon proc /vpu/vpu_memory u:object_r:proc_vpu_memory:s0
+
diff --git a/basic/debug/non_plat/hal_mtk_aee.te b/basic/debug/non_plat/hal_mtk_aee.te
new file mode 100644
index 0000000..d930915
--- /dev/null
+++ b/basic/debug/non_plat/hal_mtk_aee.te
@@ -0,0 +1,10 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_aee, mtk_hal_aee_hwservice)
+
+binder_call(hal_mtk_aee_client, hal_mtk_aee_server)
+binder_call(hal_mtk_aee_server, hal_mtk_aee_client)
+allow hal_mtk_aee_server aee_exp_vendor_file:dir {r_dir_perms rmdir};
+allow hal_mtk_aee_server aee_exp_vendor_file:file r_file_perms;
diff --git a/basic/debug/non_plat/hal_mtk_log.te b/basic/debug/non_plat/hal_mtk_log.te
new file mode 100644
index 0000000..0a6205e
--- /dev/null
+++ b/basic/debug/non_plat/hal_mtk_log.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_log, mtk_hal_log_hwservice)
+
+binder_call(hal_mtk_log_client, hal_mtk_log_server)
+binder_call(hal_mtk_log_server, hal_mtk_log_client)
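Review bot: `hal_attribute_hwservice(hal_mtk_log, mtk_hal_log_hwservice)` references `mtk_hal_log_hwservice`, but this commit's hwservice.te declares only `mtk_hal_aee_hwservice` and hwservice_contexts maps only `vendor.mediatek.hardware.aee::IAee`. If the type is not declared elsewhere the build fails; if it is declared but has no hwservice_contexts entry, the log HAL registers under the default hwservice label and the add/find permissions this macro grants never apply. Add `type mtk_hal_log_hwservice, hwservice_manager_type;` to hwservice.te and a `<log HAL interface name> u:object_r:mtk_hal_log_hwservice:s0` line to hwservice_contexts with the real interface name, unless both already exist in another policy directory.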
diff --git a/basic/debug/non_plat/hwservice.te b/basic/debug/non_plat/hwservice.te
new file mode 100644
index 0000000..aafc6b8
--- /dev/null
+++ b/basic/debug/non_plat/hwservice.te
@@ -0,0 +1 @@
+type mtk_hal_aee_hwservice, hwservice_manager_type;
diff --git a/basic/debug/non_plat/hwservice_contexts b/basic/debug/non_plat/hwservice_contexts
new file mode 100644
index 0000000..1d8e9c2
--- /dev/null
+++ b/basic/debug/non_plat/hwservice_contexts
@@ -0,0 +1 @@
+vendor.mediatek.hardware.aee::IAee u:object_r:mtk_hal_aee_hwservice:s0
diff --git a/basic/debug/non_plat/loghidlsysservice.te b/basic/debug/non_plat/loghidlsysservice.te
new file mode 100644
index 0000000..e191118
--- /dev/null
+++ b/basic/debug/non_plat/loghidlsysservice.te
@@ -0,0 +1,10 @@
+# ==============================================
+# Policy File of /system/bin/loghidlsysservice Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Purpose : for create hidl server
+hal_client_domain(loghidlsysservice, hal_mtk_log)
+allow loghidlsysservice connsyslogger:unix_stream_socket connectto;
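Review bot: The comment `# Purpose : for create hidl server` does not match the rule below it, which uses `hal_client_domain(loghidlsysservice, hal_mtk_log)` and therefore makes the domain a HAL client, not a server (loghidlvendorservice.te is the one using `hal_server_domain`); either the comment should read `# Purpose : client of the hal_mtk_log HAL` or the macro is wrong. The header names a `/system/bin/` binary, yet no `type loghidlsysservice, domain;` declaration appears in this non_plat file, so it is presumably declared in plat_private policy — worth confirming, since a system domain's rules living in vendor policy blur the Treble split.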
diff --git a/basic/debug/non_plat/loghidlvendorservice.te b/basic/debug/non_plat/loghidlvendorservice.te
new file mode 100644
index 0000000..859e410
--- /dev/null
+++ b/basic/debug/non_plat/loghidlvendorservice.te
@@ -0,0 +1,30 @@
+# ==============================================
+# Policy File of /vendor/bin/loghidlvendorservice Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type loghidlvendorservice, domain;
+type loghidlvendorservice_exec, exec_type, file_type, vendor_file_type;
+typeattribute loghidlvendorservice mlstrustedsubject;
+
+init_daemon_domain(loghidlvendorservice)
+
+hal_server_domain(loghidlvendorservice, hal_mtk_log)
+allow loghidlvendorservice system_app:binder call;
+
+#============= r/w video log properties ==============
+set_prop(loghidlvendorservice, vendor_mtk_c2_log_prop)
+
+#============= r/w gpud properties ==============
+set_prop(loghidlvendorservice, vendor_mtk_gpu_prop)
+
+# allow loghidlvendorservice can access video node
+allow loghidlvendorservice video_device:chr_file rw_file_perms_no_map;
+
+#============= r/w display debug log properties ==============
+set_prop(loghidlvendorservice, vendor_mtk_hwc_debug_log_prop)
+set_prop(loghidlvendorservice, vendor_mtk_mdp_debug_log_prop)
+set_prop(loghidlvendorservice, vendor_mtk_em_dy_debug_ctrl_prop)
+set_prop(loghidlvendorservice, vendor_debug_logger_prop)
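Review bot: `allow loghidlvendorservice system_app:binder call;` lets a vendor HAL server make direct binder calls into `system_app`, a coredomain; upstream policy confines vendor-to-core binder traffic to hwbinder/HAL interfaces, which the `hal_server_domain` macro above already provides, so this rule is likely to trip a neverallow or need a documented exemption. If the call is a callback to an app that is a `hal_mtk_log` client, the `binder_call(hal_mtk_log_server, hal_mtk_log_client)` in hal_mtk_log.te may already cover it and this line can go; otherwise add a comment naming the system_app component called and why. The `video_device:chr_file rw_file_perms_no_map` rule is similarly explained only by "can access video node" — state which node a log service needs and whether write is required.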
diff --git a/basic/debug/non_plat/mdlogger.te b/basic/debug/non_plat/mdlogger.te
new file mode 100644
index 0000000..b307bb5
--- /dev/null
+++ b/basic/debug/non_plat/mdlogger.te
@@ -0,0 +1,58 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# ccci device for internal modem
+allow mdlogger ccci_device:chr_file rw_file_perms;
+allow mdlogger ccci_mdl_device:chr_file rw_file_perms;
+
+# usb device ttyGSx for modem logger usb logging
+allow mdlogger ttyGS_device:chr_file rw_file_perms;
+
+# modem logger access on /data/mdlog
+allow mdlogger mdlog_data_file:dir { create_dir_perms relabelto};
+allow mdlogger mdlog_data_file:fifo_file create_file_perms;
+allow mdlogger mdlog_data_file:file create_file_perms;
+
+# modem logger control port access /dev/ttyC1
+allow mdlogger mdlog_device:chr_file rw_file_perms;
+
+#modem logger SD logging in factory mode
+allow mdlogger vfat:dir create_dir_perms;
+allow mdlogger vfat:file create_file_perms;
+
+#mdlogger for read /sdcard
+allow mdlogger tmpfs:lnk_file r_file_perms;
+allow mdlogger storage_file:lnk_file rw_file_perms;
+allow mdlogger storage_file:dir create_dir_perms;
+allow mdlogger storage_file:file create_file_perms;
+allow mdlogger mnt_user_file:dir search;
+allow mdlogger mnt_user_file:lnk_file rw_file_perms;
+allow mdlogger sdcard_type:file create_file_perms;
+allow mdlogger sdcard_type:dir create_dir_perms;
+
+# Allow read to sys/kernel/ccci/* files
+allow mdlogger sysfs_ccci:dir search;
+allow mdlogger sysfs_ccci:file r_file_perms;
+
+# purpose: allow mdlogger to access storage in new version
+allow mdlogger media_rw_data_file:file create_file_perms;
+allow mdlogger media_rw_data_file:dir create_dir_perms;
+
+## purpose: avc: denied { read } for name="plat_file_contexts"
+allow emdlogger file_contexts_file:file r_file_perms;
+
+#permission for read boot mode
+#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs"
+allow mdlogger sysfs_boot_mode:file r_file_perms;
+
+# avc: denied { open } for path="system/etc/mddb" dev="mmcblk0p21" scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
+allow mdlogger system_file:dir r_dir_perms;
+
+# Add permission to access new bootmode file
+allow mdlogger sysfs_boot_info:file r_file_perms;
+
+#avc: denied { connectto } for path=006165653A72747464 scontext=u:r:mdlogger:s0
+#tcontext=u:object_r:aee_aed_socket:s0 tclass=unix_stream_socket permissive=0
+#security issue control
+allow mdlogger crash_dump:unix_stream_socket connectto;
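Review bot: `allow emdlogger file_contexts_file:file r_file_perms;` in mdlogger.te grants the permission to `emdlogger`, while every other rule in this file is for `mdlogger`; this reads as a copy-paste from emdlogger.te and leaves mdlogger without the access the comment describes. The denial quoted above `allow mdlogger system_file:dir r_dir_perms;` likewise shows `scontext=u:r:emdlogger:s0`, so that mdlogger rule is not backed by an mdlogger denial. Also `allow mdlogger storage_file:lnk_file rw_file_perms;` and `allow mdlogger mnt_user_file:lnk_file rw_file_perms;` grant write on symlinks where emdlogger.te uses `r_file_perms`; if mdlogger only follows the links, `r_file_perms` is sufficient.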
diff --git a/basic/debug/non_plat/meta_tst.te b/basic/debug/non_plat/meta_tst.te
new file mode 100644
index 0000000..45a8bbb
--- /dev/null
+++ b/basic/debug/non_plat/meta_tst.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /vendor/bin/meta_tst Executable File
+
+# Date: W18.29
+# Operation: Catch log
+# Purpose : meta connect with loghidlserver by socket.
+allow meta_tst loghidlvendorservice:unix_stream_socket connectto;
diff --git a/basic/debug/non_plat/mobile_log_d.te b/basic/debug/non_plat/mobile_log_d.te
new file mode 100644
index 0000000..7c596f9
--- /dev/null
+++ b/basic/debug/non_plat/mobile_log_d.te
@@ -0,0 +1,73 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# boot_mdoe file access
+allow mobile_log_d sysfs_boot_mode:file r_file_perms;
+
+#proc/ access
+allow mobile_log_d proc_kmsg:file r_file_perms;
+allow mobile_log_d proc_cmdline:file r_file_perms;
+allow mobile_log_d proc_atf_log:dir search;
+allow mobile_log_d proc_atf_log:file r_file_perms;
+allow mobile_log_d proc_gz_log:file r_file_perms;
+allow mobile_log_d proc_last_kmsg:file r_file_perms;
+allow mobile_log_d proc_bootprof:file r_file_perms;
+allow mobile_log_d proc_pl_lk:file r_file_perms;
+
+#apusys
+allow mobile_log_d proc_apusys_up_seq_logl:file r_file_perms;
+
+#scp
+allow mobile_log_d sysfs_scp:file w_file_perms;
+allow mobile_log_d sysfs_scp:dir search;
+allow mobile_log_d scp_device:chr_file r_file_perms;
+
+#vcp
+allow mobile_log_d sysfs_vcp:file w_file_perms;
+allow mobile_log_d sysfs_vcp:dir search;
+allow mobile_log_d vcp_device:chr_file r_file_perms_no_map;
+
+#adsp
+allow mobile_log_d sysfs_adsp:file w_file_perms;
+allow mobile_log_d sysfs_adsp:dir search;
+allow mobile_log_d adsp_device:chr_file r_file_perms;
+
+#sspm
+allow mobile_log_d sysfs_sspm:file w_file_perms;
+allow mobile_log_d sysfs_sspm:dir search;
+allow mobile_log_d sspm_device:chr_file r_file_perms;
+
+#data/misc/mblog
+allow mobile_log_d logmisc_data_file:dir { relabelto create_dir_perms };
+allow mobile_log_d logmisc_data_file:file create_file_perms;
+
+#data/log_temp
+allow mobile_log_d logtemp_data_file:dir { relabelto create_dir_perms };
+allow mobile_log_d logtemp_data_file:file create_file_perms;
+
+#data/data_tmpfs_log
+allow mobile_log_d data_tmpfs_log_file:dir create_dir_perms;
+allow mobile_log_d data_tmpfs_log_file:file create_file_perms;
+
+# purpose: send log to com port
+allow mobile_log_d ttyGS_device:chr_file rw_file_perms;
+
+# purpose: allow mobile_log_d to access persist.meta.connecttype
+get_prop(mobile_log_d, vendor_mtk_meta_connecttype_prop)
+
+# purpose: allow mobile_log_d to create socket
+allow mobile_log_d port:tcp_socket { name_connect name_bind };
+allow mobile_log_d mobile_log_d:tcp_socket create_stream_socket_perms;
+allow mobile_log_d node:tcp_socket node_bind;
+
+# purpose: allow mobile_log_d to write dev/wmtWifi.
+allow mobile_log_d wmtWifi_device:chr_file rw_file_perms;
+
+# Date: 2016/11/11
+# purpose: allow MobileLog to access aee socket
+allow mobile_log_d crash_dump:unix_stream_socket connectto;
+
+# Date : WK21.31
+# Purpose: Add permission to access new bootmode file
+allow mobile_log_d sysfs_boot_info:file r_file_perms;
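Review bot: The `#scp`, `#vcp`, `#adsp` and `#sspm` blocks grant `w_file_perms` on `sysfs_scp`, `sysfs_vcp`, `sysfs_adsp` and `sysfs_sspm` files without saying which nodes a log daemon writes; write access to co-processor control sysfs is a control capability rather than a logging one, so each block should record the node and purpose, e.g. `# Purpose: write <sysfs node> to <reason>`. The comment `# purpose: allow mobile_log_d to write dev/wmtWifi.` is followed by `rw_file_perms`; if only writes are needed, `w_file_perms` is the least-privilege choice. `# boot_mdoe file access` has a typo for `boot_mode`.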
diff --git a/basic/debug/non_plat/modemdbfilter_service.te b/basic/debug/non_plat/modemdbfilter_service.te
new file mode 100644
index 0000000..faa5ceb
--- /dev/null
+++ b/basic/debug/non_plat/modemdbfilter_service.te
@@ -0,0 +1,19 @@
+# ==============================================
+# Policy File of /vendor/bin/hw/modemdbfilter_service Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type modemdbfilter_service, domain;
+type modemdbfilter_service_exec, exec_type, file_type, vendor_file_type;
+typeattribute modemdbfilter_service mlstrustedsubject;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(modemdbfilter_service)
+
+#Purpose : for create hidl server
+hal_server_domain(modemdbfilter_service, hal_mtk_md_dbfilter)
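Review bot: `typeattribute modemdbfilter_service mlstrustedsubject;` exempts the new domain from MLS constraints but nothing in the file says why; a HAL server that only talks to its clients over hwbinder normally does not need it, so either add a `# Purpose:` comment naming the cross-level object it must reach or drop the line. `hal_server_domain(modemdbfilter_service, hal_mtk_md_dbfilter)` also references a HAL attribute for which no `hal_attribute_hwservice` or hwservice_contexts entry appears in this commit; presumably they live in another policy directory — worth confirming so the server can actually register.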
diff --git a/basic/debug/non_plat/mtk_hal_camera.te b/basic/debug/non_plat/mtk_hal_camera.te
new file mode 100644
index 0000000..75663ff
--- /dev/null
+++ b/basic/debug/non_plat/mtk_hal_camera.te
@@ -0,0 +1,26 @@
+# callback to /vendor/bin/aee_aedv for aee debugging
+binder_call(mtk_hal_camera, aee_aedv)
+
+# -----------------------------------
+# Android O
+# Purpose: AEE Debugging
+# -----------------------------------
+# Purpose: Allow aee_dumpstate to invoke "lshal debug <interface>", where <interface> is "ICameraProvider".
+allow mtk_hal_camera dumpstate:binder { call };
+allow mtk_hal_camera dumpstate:unix_stream_socket { read write };
+allow mtk_hal_camera dumpstate:fd { use };
+allow mtk_hal_camera dumpstate:fifo_file w_file_perms;
+
+# Purpose: Allow camerahalserver to dump debug info to SYS_DEBUG_MTKCAM via aee_aedv.
+# avc: denied { write } for path="/data/vendor/mtklog/aee_exp/temp/db.9oRG8O/SYS_DEBUG_MTKCAM"
+# dev="dm-2" ino=1458278 scontext=u:r:mtk_hal_camera:s0 tcontext=u:object_r:aee_exp_vendor_file:s0
+# tclass=file permissive=0
+allow mtk_hal_camera aee_exp_vendor_file:dir w_dir_perms;
+allow mtk_hal_camera aee_exp_vendor_file:file create_file_perms;
+
+# Date : WK18.01
+# Operation : label aee_aed sockets
+# Purpose : Engineering mode need access for aee commmand
+userdebug_or_eng(`
+allow mtk_hal_camera aee_aedv:unix_stream_socket connectto;
+')
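Review bot: The denial quoted above `allow mtk_hal_camera aee_exp_vendor_file:dir w_dir_perms;` is a single `{ write }` on a file under `/data/vendor/mtklog/aee_exp/temp/`, but the two rules grant `w_dir_perms` on the directory and `create_file_perms` on files, i.e. add/remove/create/unlink across the whole AEE db tree for the camera HAL. If the HAL only fills a file that aee_aedv creates, `allow mtk_hal_camera aee_exp_vendor_file:dir search;` plus `allow mtk_hal_camera aee_exp_vendor_file:file w_file_perms;` would cover the denial with far less privilege; if it must create files, say so in the comment. The quoted `/data/vendor/mtklog/aee_exp` path is also not matched by the `/data/vendor/aee_exp(/.*)?` file_contexts entry added in this commit, so confirm where that path gets its label.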
diff --git a/basic/debug/non_plat/mtkrild.te b/basic/debug/non_plat/mtkrild.te
new file mode 100644
index 0000000..d84cb54
--- /dev/null
+++ b/basic/debug/non_plat/mtkrild.te
@@ -0,0 +1,2 @@
+#For Kryptowire mtklog issue
+allow mtkrild aee_aedv:unix_stream_socket connectto;
diff --git a/basic/debug/non_plat/netd.te b/basic/debug/non_plat/netd.te
new file mode 100644
index 0000000..0c5c6d6
--- /dev/null
+++ b/basic/debug/non_plat/netd.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.39
+# Operation : Migration
+# Purpose : MDLogger USB logging
+# Owner : Bo shang
+allow netd mdlogger:fd use;
+allow netd mdlogger:tcp_socket rw_socket_perms_no_ioctl;
+
+# Date : WK14.41
+# Operation : Migration
+# Purpose : network logging
+# Owner : Bo shang
+allow netd netdiag:fd use;
+allow netd netdiag:udp_socket rw_socket_perms_no_ioctl;
+
+userdebug_or_eng(`
+ allow netd mobile_log_d:fd use;
+ allow netd mobile_log_d:tcp_socket rw_socket_perms_no_ioctl;
+')
diff --git a/basic/debug/non_plat/netdiag.te b/basic/debug/non_plat/netdiag.te
new file mode 100644
index 0000000..a264e9c
--- /dev/null
+++ b/basic/debug/non_plat/netdiag.te
@@ -0,0 +1,26 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Purpose : for access storage file
+allow netdiag sdcard_type:dir create_dir_perms;
+allow netdiag sdcard_type:file create_file_perms;
+allow netdiag net_data_file:file r_file_perms;
+allow netdiag net_data_file:dir search;
+allow netdiag storage_file:dir search;
+allow netdiag storage_file:lnk_file r_file_perms;
+allow netdiag mnt_user_file:dir search;
+allow netdiag mnt_user_file:lnk_file r_file_perms;
+allow netdiag platform_app:dir search;
+allow netdiag untrusted_app:dir search;
+allow netdiag mnt_media_rw_file:dir search;
+allow netdiag vfat:dir create_dir_perms;
+allow netdiag vfat:file create_file_perms;
+allow netdiag tmpfs:lnk_file r_file_perms;
+
+# purpose: allow netdiag to access storage in new version
+allow netdiag media_rw_data_file:file create_file_perms;
+allow netdiag media_rw_data_file:dir create_dir_perms;
+
+# purpose: read ip address
+allow netdiag self:netlink_route_socket nlmsg_readpriv;
\ No newline at end of file
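Review bot: `allow netdiag platform_app:dir search;` and `allow netdiag untrusted_app:dir search;` grant a vendor daemon search on the /proc/<pid> directories of app domains, including untrusted apps, under a heading that only says "for access storage file"; what netdiag reads there should be documented, e.g. `# Purpose: search /proc/<pid> of <domain> to <reason>`, and if it is not needed for storage access the two rules should go. `allow netdiag self:netlink_route_socket nlmsg_readpriv;` is labelled "read ip address", but address queries (RTM_GETADDR) normally need only `nlmsg_read`; `nlmsg_readpriv` is the privileged read required for RTM_GETLINK on Android kernels, so either the comment should say link enumeration is needed or the permission should be `nlmsg_read`. The file also ends without a trailing newline.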
diff --git a/basic/debug/non_plat/platform_app.te b/basic/debug/non_plat/platform_app.te
new file mode 100644
index 0000000..7830d69
--- /dev/null
+++ b/basic/debug/non_plat/platform_app.te
@@ -0,0 +1,100 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2017/07/03
+# Operation : Migration
+# Purpose : get/set agps configuration via hal_mtk_lbs
+hal_client_domain(platform_app, hal_mtk_lbs)
+
+# Date : 2014/08/21
+# Operation : Migration
+# Purpose : FMRadio enable driver access permission for fmradio hardware device
+# Package: com.mediatek.fmradio
+allow platform_app fm_device:chr_file rw_file_perms;
+
+# Date : 2014/09/11
+# Operation : Migration
+# Purpose : MTKLogger need setup local socket with native daemon:mobile_logd,
+# netdialog,mdlogger,emdlogger,cmddumper
+# Package: com.mediatek.mtklogger
+allow platform_app mobile_log_d:unix_stream_socket connectto;
+allow platform_app mdlogger:unix_stream_socket connectto;
+allow platform_app emdlogger:unix_stream_socket connectto;
+allow platform_app cmddumper:unix_stream_socket connectto;
+allow platform_app connsyslogger:unix_stream_socket connectto;
+unix_socket_connect(platform_app, netdiag, netdiag)
+
+# Date: 2018/11/17
+# purpose: allow MTKLogger to control Bluetooth HCI log via socket
+allow platform_app bluetooth:unix_stream_socket connectto;
+
+# Date : 2014/10/17
+# Operation : Migration
+# Purpose :Make MTKLogger or VIASaber apk can Access TTYSDIO_device
+# Package: com.mediatek.mtklogger
+allow platform_app ttySDIO_device:chr_file rw_file_perms;
+
+# Date : 2014/10/17
+# Operation : Migration
+# Purpose :Make MTKLogger or VIASaber apk can Access storage
+# Package: com.mediatek.mtklogger
+allow platform_app sdcard_type:file create_file_perms;
+allow platform_app sdcard_type:dir create_dir_perms;
+
+# Date : 2014/11/12
+# Operation : Migration
+# Purpose : MTKLogger need copy exception db from data folder
+# Package: com.mediatek.mtklogger
+allow platform_app aee_exp_data_file:file r_file_perms;
+allow platform_app aee_exp_data_file:dir r_dir_perms;
+
+# Date : 2014/11/14
+# Operation : Migration
+# Purpose : MTKLogger need update md config file in data for mode changed
+# Package: com.mediatek.mtklogger
+allow platform_app mdlog_data_file:file rw_file_perms;
+allow platform_app mdlog_data_file:dir rw_dir_perms;
+
+# Date : WK17.46
+# Operation : Migration
+# Purpose : allow MTKLogger to read KE DB
+allow platform_app aee_dumpsys_data_file:file r_file_perms;
+
+# Date: 2018/03/23
+# Operation : Migration
+# Purpose : MTKLogger need connect to log hidl server
+# Package: com.mediatek.mtklogger
+hal_client_domain(platform_app, hal_mtk_log)
+
+# Date : 2020/09/15
+# Operation : Migration
+# Purpose : DebugLoggerUI need copy proc/ccci_sib to storage
+# Package: com.debug.loggerui
+allow platform_app proc_ccci_sib:file r_file_perms;
+
+# Date : 2021/03/05
+# Operation : Migration
+# Purpose : DebugLoggerUI need call wifi JNI set wifi level
+# Package: com.debug.loggerui
+allow platform_app self:udp_socket { create ioctl };
+allowxperm platform_app self:udp_socket ioctl {
+ SIOCIWFIRSTPRIV_0B
+ SIOCIWFIRSTPRIV_0F
+ SIOCSIWMODE SIOCIWFIRSTPRIV_01
+ SIOCIWFIRSTPRIV_09
+ SIOCDEVPRIVATE_2
+};
+
+# Date : WK18.17
+# Operation : P Migration
+# Purpose: allow platform_app to read /data/vendor/mtklog/aee_exp
+allow platform_app aee_exp_vendor_file:dir r_dir_perms;
+allow platform_app aee_exp_vendor_file:file r_file_perms;
+
+# Date : 2021/06/01
+# Operation : Migration
+# Purpose : DebugLoggerUI need copy & delete /data/vendor/vcodec/ folder
+# Package: com.debug.loggerui
+allow platform_app vcodec_file:dir {rw_dir_perms rmdir};
+allow platform_app vcodec_file:file rw_file_perms;
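Review bot: Every rule here is granted to the whole `platform_app` domain, i.e. every platform-signed app, while the comments scope them to single packages (com.mediatek.fmradio, com.mediatek.mtklogger, com.debug.loggerui) that SELinux cannot enforce. The widest grants are `ttySDIO_device:chr_file rw_file_perms`, `vcodec_file:dir {rw_dir_perms rmdir}` with `vcodec_file:file rw_file_perms`, the `mdlog_data_file` rw rules and the `allowxperm ... udp_socket ioctl { SIOCIWFIRSTPRIV_* ... SIOCDEVPRIVATE_2 }` list, which expose a vendor TTY, a vendor data directory and driver-private wireless ioctls to any such app. If the logging UI is the only intended consumer, a dedicated app domain selected through seapp_contexts would let these rules be scoped to it; otherwise add a header stating the grants are deliberately domain-wide, e.g. `# NOTE: platform_app covers all platform-signed apps; the Package lines below are informational only`. The same applies to the plat_private platform_app.te in this commit.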
diff --git a/basic/debug/non_plat/property.te b/basic/debug/non_plat/property.te
new file mode 100644
index 0000000..1d0fe4f
--- /dev/null
+++ b/basic/debug/non_plat/property.te
@@ -0,0 +1,11 @@
+vendor_restricted_prop(vendor_mtk_debug_mtk_aeev_prop)
+vendor_restricted_prop(vendor_mtk_persist_aeev_prop)
+vendor_restricted_prop(vendor_mtk_persist_mtk_aeev_prop)
+vendor_restricted_prop(vendor_mtk_ro_aee_prop)
+vendor_restricted_prop(vendor_mtk_aeev_dynamic_switch_prop)
+
+typeattribute vendor_mtk_debug_mtk_aeev_prop mtk_core_property_type;
+typeattribute vendor_mtk_persist_aeev_prop mtk_core_property_type;
+typeattribute vendor_mtk_persist_mtk_aeev_prop mtk_core_property_type;
+typeattribute vendor_mtk_ro_aee_prop mtk_core_property_type;
+typeattribute vendor_mtk_aeev_dynamic_switch_prop mtk_core_property_type;
diff --git a/basic/debug/non_plat/property_contexts b/basic/debug/non_plat/property_contexts
new file mode 100644
index 0000000..1d14cb1
--- /dev/null
+++ b/basic/debug/non_plat/property_contexts
@@ -0,0 +1,9 @@
+persist.vendor.mtk.aeev. u:object_r:vendor_mtk_persist_mtk_aeev_prop:s0
+persist.vendor.aeev. u:object_r:vendor_mtk_persist_aeev_prop:s0
+vendor.debug.mtk.aeev u:object_r:vendor_mtk_debug_mtk_aeev_prop:s0
+
+ro.vendor.aee.build.info u:object_r:vendor_mtk_ro_aee_prop:s0
+ro.vendor.aee.enforcing u:object_r:vendor_mtk_ro_aee_prop:s0
+ro.vendor.have_aee_feature u:object_r:vendor_mtk_ro_aee_prop:s0
+ro.vendor.aeev.dynamic.switch u:object_r:vendor_mtk_aeev_dynamic_switch_prop:s0
+ro.vendor.aee.convert64 u:object_r:vendor_mtk_ro_aee_prop:s0
diff --git a/basic/debug/non_plat/rild.te b/basic/debug/non_plat/rild.te
new file mode 100644
index 0000000..a36b4b9
--- /dev/null
+++ b/basic/debug/non_plat/rild.te
@@ -0,0 +1,3 @@
+# Date : 2019/08/29
+# Purpose: Allow rild to access proc/aed/reboot-reason
+allow rild proc_aed_reboot_reason:file rw_file_perms;
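Review bot: `rw_file_perms` on `proc_aed_reboot_reason` gives rild write access to the proc node, but the comment only says "access", so it is not clear whether rild ever writes the reboot reason. If it only reads it, `allow rild proc_aed_reboot_reason:file r_file_perms;` is the least-privilege form; if it writes, say what it writes in the comment.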
diff --git a/basic/debug/non_plat/shell.te b/basic/debug/non_plat/shell.te
new file mode 100644
index 0000000..7b9fc75
--- /dev/null
+++ b/basic/debug/non_plat/shell.te
@@ -0,0 +1,3 @@
+# Date : WK16.46
+# Purpose : allow shell to switch aee mode
+allow shell crash_dump:unix_stream_socket connectto;
diff --git a/basic/debug/non_plat/system_app.te b/basic/debug/non_plat/system_app.te
new file mode 100644
index 0000000..ed7f920
--- /dev/null
+++ b/basic/debug/non_plat/system_app.te
@@ -0,0 +1,6 @@
+# Date : 2017/11/07
+# Operation : Migration
+# Purpose : CAT need copy exception db file from data folder
+# Package: CAT tool
+allow system_app aee_exp_data_file:file r_file_perms;
+allow system_app aee_exp_data_file:dir r_dir_perms;
diff --git a/basic/debug/non_plat/system_server.te b/basic/debug/non_plat/system_server.te
new file mode 100644
index 0000000..694bb79
--- /dev/null
+++ b/basic/debug/non_plat/system_server.te
@@ -0,0 +1,12 @@
+allow system_server aee_exp_data_file:file w_file_perms;
+# Date:W17.22
+# Operation : add aee_aed socket rule
+# Purpose : type=1400 audit(0.0:134519): avc: denied { connectto }
+# for comm=4572726F722064756D703A20737973
+# path=00636F6D2E6D746B2E6165652E6165645F3634
+# scontext=u:r:system_server:s0 tcontext=u:r:crash_dump:s0
+# tclass=unix_stream_socket permissive=0
+allow system_server crash_dump:unix_stream_socket connectto;
+
+# Search /proc/proc_mtmon
+allow system_server proc_mtmon:dir search;
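Review bot: The first rule, `allow system_server aee_exp_data_file:file w_file_perms;`, is the only one in this file without a purpose comment, and write-only access from system_server to the aee exception-db files deserves one. The denial quoted for the `crash_dump` connectto rule is kept as raw hex; decode it in place for auditability, e.g. `# comm="Error dump: sys" path=@com.mtk.aee.aed_64 (abstract socket)`, since that is what `comm=4572...` and `path=0063...` spell out. Note that the target domain `crash_dump` is also assigned to the aee_aed binaries by this commit's file_contexts, so the rule reaches both the AOSP crash_dump helper and aee_aed.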
diff --git a/basic/debug/non_plat/vendor_init.te b/basic/debug/non_plat/vendor_init.te
new file mode 100644
index 0000000..fe541d1
--- /dev/null
+++ b/basic/debug/non_plat/vendor_init.te
@@ -0,0 +1,5 @@
+set_prop(vendor_init, system_mtk_persist_mtk_aee_prop)
+set_prop(vendor_init, vendor_mtk_ro_aee_prop)
+set_prop(vendor_init, vendor_mtk_persist_aeev_prop)
+
+allow vendor_init proc_mtmon:file w_file_perms;
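Review bot: `allow vendor_init proc_mtmon:file w_file_perms;` has no comment saying what vendor_init writes to that proc node, and the three `set_prop` lines above it have none either. `set_prop(vendor_init, system_mtk_persist_mtk_aee_prop)` lets a vendor domain write a property type whose `system_` prefix suggests it is declared on the system side (the plat_private property.te in this commit declares sibling `system_mtk_*` types with `system_internal_prop`); if that type is not exported as a public property, a vendor policy build cannot resolve it, so the intended sharing should be stated. A one-line purpose comment per rule, as the other files in this commit use, would be enough.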
diff --git a/basic/debug/non_plat/vendor_shell.te b/basic/debug/non_plat/vendor_shell.te
new file mode 100644
index 0000000..c9a8ce7
--- /dev/null
+++ b/basic/debug/non_plat/vendor_shell.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# =============================================
+# Purpose : allow vendor_shell to run aeev
+allow vendor_shell aee_aedv_exec:file x_file_perms;
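Review bot: `allow vendor_shell aee_aedv_exec:file x_file_perms;` lets vendor_shell run the aeev binary without a domain transition, so the process keeps the `vendor_shell` label instead of entering `aee_aedv`, and none of the aee_aedv rules apply to it. If the intent is for aeev to run in its own daemon domain, use `domain_auto_trans(vendor_shell, aee_aedv_exec, aee_aedv)` (or `domain_trans` if the transition is requested explicitly) in place of the bare execute rule. If running it in the shell's own context is deliberate, say so in the comment, since a reader will otherwise expect a transition.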
diff --git a/basic/debug/plat_private/aee_core_forwarder.te b/basic/debug/plat_private/aee_core_forwarder.te
new file mode 100644
index 0000000..4674252
--- /dev/null
+++ b/basic/debug/plat_private/aee_core_forwarder.te
@@ -0,0 +1,91 @@
+# ==============================================
+# Policy File of /system/bin/aee_core_forwarder Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type aee_core_forwarder_exec, system_file_type, exec_type, file_type;
+typeattribute aee_core_forwarder coredomain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(aee_core_forwarder)
+
+#mkdir /sdcard/mtklog/aee_exp and write /sdcard/mtklog/aee_exp/zcorexxx.zip
+allow aee_core_forwarder sdcard_type:dir create_dir_perms;
+allow aee_core_forwarder sdcard_type:file create_file_perms;
+allow aee_core_forwarder self:capability { fsetid setgid sys_nice sys_admin };
+
+#read STDIN_FILENO
+allow aee_core_forwarder kernel:fifo_file r_file_perms;
+
+#read /proc/<pid>/cmdline
+allow aee_core_forwarder domain:dir r_dir_perms;
+allow aee_core_forwarder domain:file r_file_perms;
+
+#get wake_lock to avoid system suspend when coredump is generating
+allow aee_core_forwarder sysfs_wake_lock:file rw_file_perms;
+
+# Date : 2015/07/11
+# Operation : Migration
+# Purpose : for mtk debug mechanism
+allow aee_core_forwarder self:capability2 block_suspend;
+
+# Date : 2015/07/21
+# Operation : Migration
+# Purpose : for generating core dump on sdcard
+allow aee_core_forwarder mnt_user_file:dir search;
+allow aee_core_forwarder mnt_user_file:lnk_file r_file_perms;
+allow aee_core_forwarder storage_file:dir search;
+allow aee_core_forwarder storage_file:lnk_file r_file_perms;
+
+# Date : 2016/03/05
+# Operation : selinux waring fix
+# Purpose : avc: denied { search } for pid=15909 comm="aee_core_forwar"
+# name="15493" dev="proc" ino=112310 scontext=u:r:aee_core_forwarder:s0
+# tcontext=u:r:untrusted_app:s0:c512,c768 tclass=dir permissive=0
+dontaudit aee_core_forwarder untrusted_app:dir search;
+
+# Date : 2016/04/18
+# Operation : N0 Migration
+# Purpose : access for pipefs
+allow aee_core_forwarder kernel:fd use;
+
+# Purpose: search root dir "/"
+allow aee_core_forwarder tmpfs:dir search;
+
+# Purpose : read /selinux_version
+allow aee_core_forwarder rootfs:file r_file_perms;
+
+# Data : 2016/06/13
+# Operation : fix sys_ptrace selinux warning
+# Purpose : type=1400 audit(1420070409.080:177): avc: denied { sys_ptrace } for pid=3136
+# comm="aee_core_forwar" capability=19 scontext=u:r:aee_core_forwarder:s0
+# tcontext=u:r:aee_core_forwarder:s0 tclass=capability permissive=0
+dontaudit aee_core_forwarder self:capability sys_ptrace;
+
+# Data : 2016/06/24
+# Operation : fix media_rw_data_file access selinux warning
+# Purpose :
+# type=1400 audit(0.0:6511): avc: denied { search } for name="db.p08JgF"
+# dev="dm-0" ino=540948 scontext=u:r:aee_core_forwarder:s0
+# tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
+# type=1400 audit(0.0:6512): avc: denied { write } for name="db.p08JgF"
+# dev="dm-0" ino=540948 scontext=u:r:aee_core_forwarder:s0
+# tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
+# type=1400 audit(0.0:6513): avc: denied { add_name } for name="CURRENT.dbg"
+# scontext=u:r:aee_core_forwarder:s0 tcontext=u:object_r:media_rw_data_file:s0
+# tclass=dir permissive=1
+# type=1400 audit(0.0:6514): avc: denied { create } for name="CURRENT.dbg"
+# scontext=u:r:aee_core_forwarder:s0 tcontext=u:object_r:media_rw_data_file:s0
+# tclass=file permissive=1
+# type=1400 audit(0.0:6515): avc: denied { write open } for
+# path="/data/media/0/mtklog/aee_exp/temp/db.p08JgF/CURRENT.dbg" dev="dm-0"
+# ino=540952 scontext=u:r:aee_core_forwarder:s0 tcontext=u:object_r:media_rw_data_file:s0
+# tclass=file permissive=1
+allow aee_core_forwarder media_rw_data_file:dir w_dir_perms;
+allow aee_core_forwarder media_rw_data_file:file create_file_perms;
+
+# Purpose : allow aee_core_forwarder to connect aee_aed socket
+allow aee_core_forwarder crash_dump:unix_stream_socket connectto;
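Review bot: `allow aee_core_forwarder self:capability { fsetid setgid sys_nice sys_admin };` grants sys_admin under a comment that only mentions creating the dump directory and zip file, and `allow aee_core_forwarder domain:file r_file_perms;` grants read access to every file labelled with any process domain, far more than the `/proc/<pid>/cmdline` named above it. Say which operation needs sys_admin or drop it, and narrow the `domain:file` comment to what is actually read. Separately, `dontaudit aee_core_forwarder untrusted_app:dir search;` is redundant: `untrusted_app` is a member of `domain`, and `r_dir_perms` on `domain:dir` already includes `search`, so the denial quoted in that comment cannot occur once the earlier rule is in place.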
diff --git a/basic/debug/plat_private/connsyslogger.te b/basic/debug/plat_private/connsyslogger.te
new file mode 100644
index 0000000..8070561
--- /dev/null
+++ b/basic/debug/plat_private/connsyslogger.te
@@ -0,0 +1,15 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute connsyslogger coredomain;
+typeattribute connsyslogger mlstrustedsubject;
+type connsyslogger_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(connsyslogger)
+
+set_prop(connsyslogger, system_mtk_connsysfw_prop)
+
+#Date:2019/06/27
+#access data/debuglog
+allow connsyslogger debuglog_data_file:dir {relabelto create_dir_perms};
+allow connsyslogger debuglog_data_file:file create_file_perms;
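Review bot: `allow connsyslogger debuglog_data_file:dir {relabelto create_dir_perms};` grants `relabelto` without any matching `relabelfrom` on a source type anywhere in this commit, so either the relabel never succeeds or the source-type rule lives elsewhere; the comment `#access data/debuglog` does not say which directories are relabelled or from what. The same `relabelto` pattern appears in emdlogger.te, mdlogger.te, mobile_log_d.te, netdiag.te and modemdbfilter_client.te in this commit. Add a comment naming the source, e.g. `# relabels newly created dirs under /data/debuglogger to debuglog_data_file (relabelfrom granted in <file>)`, or drop `relabelto` where the daemon only creates the directories.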
diff --git a/basic/debug/plat_private/crash_dump.te b/basic/debug/plat_private/crash_dump.te
new file mode 100644
index 0000000..24f57bb
--- /dev/null
+++ b/basic/debug/plat_private/crash_dump.te
@@ -0,0 +1,29 @@
+# Purpose: crash_dump set property
+set_prop(crash_dump, system_mtk_persist_mtk_aee_prop)
+set_prop(crash_dump, system_mtk_persist_aee_prop)
+set_prop(crash_dump, system_mtk_debug_mtk_aee_prop)
+get_prop(crash_dump, system_mtk_aee_basic_prop)
+
+# Date : WK17.09
+# Operation : AEE UT for Android O
+# Purpose : for AEE module to dump files
+domain_auto_trans(crash_dump, dumpstate_exec, dumpstate)
+
+# aee db dir and db files
+allow crash_dump sdcard_type:dir create_dir_perms;
+allow crash_dump sdcard_type:file create_file_perms;
+
+# system(cmd) aee_dumpstate aee_archive
+allow crash_dump shell_exec:file rx_file_perms;
+
+# Purpose: dump bugreport into NE DB
+allow crash_dump dumpstate_socket:sock_file w_file_perms;
+allow crash_dump dumpstate:unix_stream_socket connectto;
+set_prop(crash_dump, ctl_start_prop)
+
+# Purpose: Allow crash_dump to get mobile log prop
+get_prop(crash_dump, system_mtk_mobile_log_prop)
+
+# Purpose: Allow crash_dump to write /data/debuglogger/mobilelog
+allow crash_dump debuglog_data_file:dir create_dir_perms;
+allow crash_dump debuglog_data_file:file create_file_perms;
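Review bot: These rules widen the AOSP `crash_dump` domain, which is also the domain of the platform crash_dump32/64 helper that attaches to every crashing process, because this commit's file_contexts labels aee_aed, aee_aed64, aeedb, aee_v2 and aeedb_v2 as `crash_dump_exec`. The additions are not small: `sdcard_type` create, `shell_exec:file rx_file_perms`, an automatic transition into `dumpstate`, `connectto` on the dumpstate socket and `set_prop(crash_dump, ctl_start_prop)`, which permits starting init services through `ctl.start`. A dedicated domain for the aee binaries (e.g. an `aee_aed` type with its own exec label in file_contexts) would keep this privilege off the generic crash handler; if sharing the domain is deliberate, a header comment should state that every rule here also applies to the AOSP helper. The `domain_trans(init, crash_dump_exec, shell)` in this commit's init.te compounds the issue and is noted there.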
diff --git a/basic/debug/plat_private/dumpstate.te b/basic/debug/plat_private/dumpstate.te
new file mode 100644
index 0000000..236691c
--- /dev/null
+++ b/basic/debug/plat_private/dumpstate.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# 01-01 17:59:14.440 7664 7664 I aee_dumpstate: type=1400 audit(0.0:63497):
+# avc: denied { open } for path="/sys/kernel/debug/tracing/tracing_on" dev=
+# "debugfs" ino=2087 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
+# tracing_shell_writable:s0 tclass=file permissive=1
+allow dumpstate debugfs_tracing:file rw_file_perms;
+
+# Purpose: aee_dumpstate set surfaceflinger property
+set_prop(dumpstate, system_mtk_debug_bq_dump_prop)
+
+# Date: W1826
+# Purpose : mobile_log_d exec 'logcat -L' via dumpstate
+allow dumpstate mobile_log_d:fd use;
+allow dumpstate mobile_log_d:fifo_file w_file_perms;
+allow dumpstate mobile_log_d:unix_stream_socket rw_socket_perms_no_ioctl;
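Review bot: The denial quoted above `allow dumpstate debugfs_tracing:file rw_file_perms;` reports `tcontext=u:object_r:tracing_shell_writable:s0`, but the rule targets `debugfs_tracing`, so as written the rule does not address the logged denial and the quote is misleading. Either the target is wrong and the rule should name the type from the denial, or tracing_on is labelled `debugfs_tracing` on the target release and the comment should be refreshed to a denial that matches. The `mobile_log_d` block below depends on `domain_auto_trans(mobile_log_d, logcat_exec, dumpstate)` in mobile_log_d.te; a cross-reference like `# see mobile_log_d.te: logcat spawned by mobile_log_d runs in this domain` would help a reader.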
diff --git a/basic/debug/plat_private/emdlogger.te b/basic/debug/plat_private/emdlogger.te
new file mode 100644
index 0000000..73203f8
--- /dev/null
+++ b/basic/debug/plat_private/emdlogger.te
@@ -0,0 +1,87 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type emdlogger_exec, system_file_type, exec_type, file_type;
+typeattribute emdlogger coredomain;
+typeattribute emdlogger mlstrustedsubject;
+
+init_daemon_domain(emdlogger)
+binder_use(emdlogger)
+binder_service(emdlogger)
+
+# for modem logging sdcard access
+allow emdlogger sdcard_type:dir create_dir_perms;
+allow emdlogger sdcard_type:file create_file_perms;
+
+# modem logger socket access
+allow emdlogger platform_app:unix_stream_socket connectto;
+allow emdlogger shell_exec:file rx_file_perms;
+allow emdlogger system_file:file x_file_perms;
+allow emdlogger zygote_exec:file rx_file_perms;
+
+#modem logger SD logging in factory mode
+allow emdlogger vfat:dir create_dir_perms;
+allow emdlogger vfat:file create_file_perms;
+
+#modem logger permission in storage in android M version
+allow emdlogger mnt_user_file:dir search;
+allow emdlogger mnt_user_file:lnk_file r_file_perms;
+allow emdlogger storage_file:lnk_file r_file_perms;
+
+#permission for storage link access in vzw Project
+allow emdlogger mnt_media_rw_file:dir search;
+
+
+#permission for use SELinux API
+#avc: denied { read } for pid=576 comm="emdlogger1" name="selinux_version" dev="rootfs"
+allow emdlogger rootfs:file r_file_perms;
+
+#permission for storage access storage
+allow emdlogger storage_file:dir create_dir_perms;
+allow emdlogger tmpfs:lnk_file r_file_perms;
+allow emdlogger storage_file:file create_file_perms;
+
+# Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681
+# scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
+allow emdlogger system_file:dir r_dir_perms;
+
+# permission for android N policy
+allow emdlogger toolbox_exec:file rx_file_perms;
+
+# purpose: allow emdlogger to access storage in N version
+allow emdlogger media_rw_data_file:file create_file_perms;
+allow emdlogger media_rw_data_file:dir create_dir_perms;
+
+## Android P migration
+## purpose: denied { read } for name="cmdline" dev="proc"
+#denied { search } for name="android" dev="sysfs"
+#for name="compatible" dev="sysfs" ino=2985 scontext=u
+#:r:emdlogger:s0 tcontext=u:object_r:sysfs_dt_firmware_android:s0
+#avc: denied { open } for path="/system/etc/mddb"
+#avc: denied { read } for name="u:object_r:vendor_default_prop:s0"
+allow emdlogger proc_cmdline:file r_file_perms;
+allow emdlogger sysfs_dt_firmware_android:dir r_dir_perms;
+allow emdlogger tmpfs:dir w_dir_perms;
+allow emdlogger sysfs_dt_firmware_android:file r_file_perms;
+set_prop(emdlogger, system_mtk_persist_mtklog_prop)
+set_prop(emdlogger, system_mtk_mdl_prop)
+set_prop(emdlogger, system_mtk_mdl_start_prop)
+set_prop(emdlogger, system_mtk_debug_mdlogger_prop)
+set_prop(emdlogger, system_mtk_persist_mdlog_prop)
+set_prop(emdlogger, system_mtk_mdl_pulllog_prop)
+set_prop(emdlogger, usb_prop)
+set_prop(emdlogger, debug_prop)
+set_prop(emdlogger, usb_control_prop)
+
+## Android Q migration
+## purpose: read modem db and filter folder and file
+allow emdlogger mddb_filter_data_file:dir r_dir_perms;
+allow emdlogger mddb_filter_data_file:file r_file_perms;
+
+# save log into /data/debuglogger
+allow emdlogger debuglog_data_file:dir {relabelto create_dir_perms};
+allow emdlogger debuglog_data_file:file create_file_perms;
+
+# get persist.sys. proeprty
+get_prop(emdlogger, system_prop)
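Review bot: `set_prop(emdlogger, usb_prop)` and `set_prop(emdlogger, usb_control_prop)` let the modem logger rewrite USB configuration properties, and `set_prop(emdlogger, debug_prop)` covers the generic `debug.` property type; the only justification is the "Android P migration" header and a list of unrelated read denials. Name the properties actually written (a `get_prop` may be all that is needed) or move them to a narrower property type. `allow emdlogger zygote_exec:file rx_file_perms;` and `allow emdlogger system_file:file x_file_perms;` likewise deserve a comment saying which binaries are executed, and `allow emdlogger tmpfs:dir w_dir_perms;` is undocumented. The sibling mdlogger.te in this commit grants only `zygote_exec:file r_file_perms`; the two should agree or say why they differ.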
diff --git a/basic/debug/plat_private/file_contexts b/basic/debug/plat_private/file_contexts
new file mode 100644
index 0000000..28466fc
--- /dev/null
+++ b/basic/debug/plat_private/file_contexts
@@ -0,0 +1,29 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+##########################
+# System files
+#
+/system/bin/mobile_log_d u:object_r:mobile_log_d_exec:s0
+/system/bin/modemdbfilter_client u:object_r:modemdbfilter_client_exec:s0
+/system/bin/netdiag u:object_r:netdiag_exec:s0
+/system/bin/loghidlsysservice u:object_r:loghidlsysservice_exec:s0
+/system/bin/connsyslogger u:object_r:connsyslogger_exec:s0
+
+##########################
+# SystemExt files
+#
+/(system_ext|system/system_ext)/bin/mdlogger u:object_r:mdlogger_exec:s0
+/(system_ext|system/system_ext)/bin/emdlogger[0-9]+ u:object_r:emdlogger_exec:s0
+
+/(system_ext|system/system_ext)/bin/aee_core_forwarder u:object_r:aee_core_forwarder_exec:s0
+/(system_ext|system/system_ext)/bin/aeedb u:object_r:crash_dump_exec:s0
+/(system_ext|system/system_ext)/bin/aee_aed u:object_r:crash_dump_exec:s0
+/(system_ext|system/system_ext)/bin/aee_aed64 u:object_r:crash_dump_exec:s0
+/(system_ext|system/system_ext)/bin/aee_dumpstate u:object_r:dumpstate_exec:s0
+/(system_ext|system/system_ext)/bin/aee_aed64_v2 u:object_r:crash_dump_exec:s0
+/(system_ext|system/system_ext)/bin/aee_core_forwarder_v2 u:object_r:aee_core_forwarder_exec:s0
+/(system_ext|system/system_ext)/bin/aee_v2 u:object_r:crash_dump_exec:s0
+/(system_ext|system/system_ext)/bin/aeedb_v2 u:object_r:crash_dump_exec:s0
+/(system_ext|system/system_ext)/bin/aee_dumpstate_v2 u:object_r:dumpstate_exec:s0
diff --git a/basic/debug/plat_private/init.te b/basic/debug/plat_private/init.te
new file mode 100644
index 0000000..20fe316
--- /dev/null
+++ b/basic/debug/plat_private/init.te
@@ -0,0 +1 @@
+domain_trans(init, crash_dump_exec, shell)
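Review bot: `domain_trans(init, crash_dump_exec, shell)` makes init launch a `crash_dump_exec` binary in the `shell` domain, the interactive-shell domain with broad debugging privileges, rather than in `crash_dump` or a daemon domain of its own. Nothing in the commit says which of the binaries labelled `crash_dump_exec` in file_contexts this is for or why a shell context is needed, and the one-line file has no comment. Add the purpose, e.g. `# <service name> runs in shell to ...`, and consider a dedicated domain via `init_daemon_domain` so the process gets only the rules it needs.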
diff --git a/basic/debug/plat_private/kernel.te b/basic/debug/plat_private/kernel.te
new file mode 100644
index 0000000..cbe42f6
--- /dev/null
+++ b/basic/debug/plat_private/kernel.te
@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+domain_auto_trans(kernel, aee_core_forwarder_exec, aee_core_forwarder)
+
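Review bot: `domain_auto_trans(kernel, aee_core_forwarder_exec, aee_core_forwarder)` has no comment explaining why the kernel itself executes this binary; together with the `kernel:fifo_file` stdin rule in aee_core_forwarder.te it looks like a core_pattern pipe handler, but that is an inference and should be stated, e.g. `# invoked by the kernel as the core_pattern pipe helper; see aee_core_forwarder.te`. The file also ends with a stray blank line.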
diff --git a/basic/debug/plat_private/loghidlsysservice.te b/basic/debug/plat_private/loghidlsysservice.te
new file mode 100644
index 0000000..84ee073
--- /dev/null
+++ b/basic/debug/plat_private/loghidlsysservice.te
@@ -0,0 +1,16 @@
+# ==============================================
+# Policy File of /system/bin/loghidlsysservice Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type loghidlsysservice_exec, system_file_type, exec_type, file_type;
+typeattribute loghidlsysservice coredomain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(loghidlsysservice)
+
+allow loghidlsysservice emdlogger:unix_stream_socket connectto;
+allow loghidlsysservice mobile_log_d:unix_stream_socket connectto;
diff --git a/basic/debug/plat_private/mdlogger.te b/basic/debug/plat_private/mdlogger.te
new file mode 100644
index 0000000..699cc7e
--- /dev/null
+++ b/basic/debug/plat_private/mdlogger.te
@@ -0,0 +1,65 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mdlogger_exec , system_file_type, exec_type, file_type;
+typeattribute mdlogger coredomain;
+typeattribute mdlogger mlstrustedsubject;
+
+init_daemon_domain(mdlogger)
+
+binder_use(mdlogger)
+
+binder_service(mdlogger)
+
+# modem logger socket access
+allow mdlogger platform_app:unix_stream_socket connectto;
+allow mdlogger shell_exec:file rx_file_perms;
+allow mdlogger system_file:file x_file_perms;
+allow mdlogger zygote_exec:file r_file_perms;
+allow mdlogger node:tcp_socket node_bind;
+allow mdlogger port:tcp_socket name_bind;
+allow mdlogger self:tcp_socket create_stream_socket_perms;
+
+#modem logger SD logging in factory mode
+allow mdlogger vfat:dir create_dir_perms;
+allow mdlogger vfat:file create_file_perms;
+
+allow mdlogger tmpfs:lnk_file r_file_perms;
+allow mdlogger storage_file:lnk_file rw_file_perms;
+allow mdlogger mnt_user_file:dir search;
+allow mdlogger mnt_user_file:lnk_file rw_file_perms;
+allow mdlogger sdcard_type:file create_file_perms;
+allow mdlogger sdcard_type:dir create_dir_perms;
+
+# purpose: allow mdlogger to access storage in new version
+allow mdlogger media_rw_data_file:file create_file_perms;
+allow mdlogger media_rw_data_file:dir create_dir_perms;
+
+allow mdlogger storage_file:dir create_dir_perms;
+allow mdlogger storage_file:file create_file_perms;
+
+## purpose: avc: denied { read } for name="plat_file_contexts"
+allow mdlogger file_contexts_file:file r_file_perms;
+
+# Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681
+# scontext=u:r:mdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
+allow mdlogger system_file:dir r_dir_perms;
+
+# Android P migration
+set_prop(mdlogger, system_mtk_mdl_prop)
+set_prop(mdlogger, system_mtk_persist_mdlog_prop)
+set_prop(mdlogger, system_mtk_persist_mtklog_prop)
+
+## Android Q migration
+## purpose: read modem db and filter folder and file
+allow mdlogger mddb_filter_data_file:dir r_dir_perms;
+allow mdlogger mddb_filter_data_file:file r_file_perms;
+
+## Save modem log into data
+allow mdlogger debuglog_data_file:dir {relabelto create_dir_perms};
+allow mdlogger debuglog_data_file:file create_file_perms;
+
+#allow mdlogger to set property
+set_prop(mdlogger, system_mtk_debug_mdlogger_prop)
+set_prop(mdlogger, debug_prop)
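Review bot: `allow mdlogger node:tcp_socket node_bind;`, `allow mdlogger port:tcp_socket name_bind;` and `self:tcp_socket create_stream_socket_perms` let the modem logger listen on any address and any port of the generic `port` type, so the service is reachable over whatever interface carries it; the comment says only "modem logger socket access". Document the listener (port, interface, who connects — the netd rules earlier in this commit allow netd to use mdlogger's tcp_socket) and, if the port is fixed, bind it to a dedicated port type so a mis-bound port is denied rather than allowed. `allow mdlogger zygote_exec:file r_file_perms;` differs from emdlogger's `rx_file_perms` on the same exec type; make the two agree or say why.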
diff --git a/basic/debug/plat_private/mobile_log_d.te b/basic/debug/plat_private/mobile_log_d.te
new file mode 100644
index 0000000..e8d4697
--- /dev/null
+++ b/basic/debug/plat_private/mobile_log_d.te
@@ -0,0 +1,105 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mobile_log_d_exec, system_file_type, exec_type, file_type;
+typeattribute mobile_log_d coredomain;
+typeattribute mobile_log_d mlstrustedsubject;
+
+init_daemon_domain(mobile_log_d)
+
+#syslog module
+allow mobile_log_d kernel:system syslog_mod;
+
+#GMO project
+dontaudit mobile_log_d untrusted_app:fd use;
+dontaudit mobile_log_d isolated_app:fd use;
+
+#debug property set
+set_prop(mobile_log_d, debug_prop)
+
+#socket connect and write
+unix_socket_connect(mobile_log_d, logdr, logd);
+
+#capability
+allow mobile_log_d self:capability { setuid setgid chown fowner fsetid };
+allow mobile_log_d self:capability2 syslog;
+
+#aee mode switch
+allow mobile_log_d system_file:file x_file_perms;
+
+#shell command
+allow mobile_log_d shell_exec:file rx_file_perms;
+
+# execute logcat command
+allow mobile_log_d logcat_exec:file rx_file_perms;
+
+# execute 'logcat -L' via dumpstate
+domain_auto_trans(mobile_log_d, logcat_exec, dumpstate)
+
+#general storage access
+allow mobile_log_d storage_file:dir create_dir_perms;
+allow mobile_log_d storage_file:file create_file_perms;
+allow mobile_log_d storage_file:lnk_file create_file_perms;
+allow mobile_log_d mnt_user_file:dir create_dir_perms;
+allow mobile_log_d mnt_user_file:lnk_file create_file_perms;
+allow mobile_log_d sdcard_type:dir create_dir_perms;
+allow mobile_log_d sdcard_type:file create_file_perms;
+
+#factory mode vfat access
+allow mobile_log_d vfat:dir create_dir_perms;
+allow mobile_log_d vfat:file create_file_perms;
+
+#chiptest mode storage access
+allow mobile_log_d mnt_media_rw_file:dir create_dir_perms;
+allow mobile_log_d mnt_media_rw_file:lnk_file create_file_perms;
+
+#system/bin/toybox for using 'sh' command
+allow mobile_log_d toolbox_exec:file rx_file_perms;
+
+#selinux_version access
+allow mobile_log_d rootfs:file r_file_perms;
+
+#dev/__properties__ access
+get_prop(mobile_log_d, device_logging_prop)
+get_prop(mobile_log_d, mmc_prop)
+get_prop(mobile_log_d, safemode_prop)
+
+# purpose: allow MobileLog to access storage in N version
+allow mobile_log_d media_rw_data_file:file create_file_perms;
+allow mobile_log_d media_rw_data_file:dir create_dir_perms;
+
+# access debugfs/tracing/instances/
+allow mobile_log_d debugfs_tracing:dir create_dir_perms;
+allow mobile_log_d debugfs_tracing_instances:dir create_dir_perms;
+allow mobile_log_d debugfs_tracing_instances:file create_file_perms;
+
+#data/debuglog
+allow mobile_log_d debuglog_data_file:dir {relabelto create_dir_perms};
+allow mobile_log_d debuglog_data_file:file create_file_perms;
+
+#mcupm
+allow mobile_log_d mcupm_device:chr_file r_file_perms;
+allow mobile_log_d sysfs_mcupm:file w_file_perms;
+allow mobile_log_d sysfs_mcupm:dir search;
+
+#for logpost feature
+userdebug_or_eng(`
+ allow mobile_log_d domain:dir r_dir_perms;
+ allow mobile_log_d domain:{file lnk_file} r_file_perms;
+ allow mobile_log_d dnsproxyd_socket:sock_file w_file_perms;
+ allow mobile_log_d self:udp_socket create_socket_perms_no_ioctl;
+ allow mobile_log_d netd:unix_stream_socket connectto;
+ allow mobile_log_d self:tcp_socket getopt;
+ allow mobile_log_d fwmarkd_socket:sock_file w_file_perms;
+ set_prop(mobile_log_d, system_mtk_mobile_log_post_prop)
+')
+
+#mobile itself property
+set_prop(mobile_log_d, system_mtk_mobile_log_prop)
+
+#wifi driver log property
+get_prop(mobile_log_d, system_mtk_wifisa_log_prop)
+
+# purpose: allow mobile_log_d to read persist.vendor.mtk.aee
+get_prop(mobile_log_d, system_mtk_persist_mtk_aee_prop)
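Review bot: `domain_auto_trans(mobile_log_d, logcat_exec, dumpstate)` runs every logcat that mobile_log_d spawns in the `dumpstate` domain, which carries far more than logcat needs, while the line above it, `allow mobile_log_d logcat_exec:file rx_file_perms;`, allows the same exec without a transition; once the type_transition is in place the no-transition path is only reachable if the daemon overrides its exec context explicitly, so one of the two expresses the real intent. If only `logcat -L` needs dumpstate's access, say which invocation relies on the transition and drop the `rx_file_perms` rule, or keep `rx` and drop the transition if the dumpstate.te rules for mobile_log_d turn out to suffice. `allow mobile_log_d kernel:system syslog_mod;` (kernel log modification, not just reading) and `capability { setuid setgid chown fowner fsetid }` also carry only one-word comments and deserve a sentence each.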
diff --git a/basic/debug/plat_private/modemdbfilter_client.te b/basic/debug/plat_private/modemdbfilter_client.te
new file mode 100644
index 0000000..64b9e16
--- /dev/null
+++ b/basic/debug/plat_private/modemdbfilter_client.te
@@ -0,0 +1,20 @@
+# ==============================================
+# Policy File of /system/bin/modemdbfilter_client Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type modemdbfilter_client_exec, exec_type, system_file_type, file_type;
+typeattribute modemdbfilter_client coredomain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(modemdbfilter_client)
+
+# Purpose : for create hidl client
+hal_client_domain(modemdbfilter_client, hal_mtk_md_dbfilter)
+allow modemdbfilter_client mddb_filter_data_file:dir { create_dir_perms relabelto };
+allow modemdbfilter_client mddb_filter_data_file:file create_file_perms;
diff --git a/basic/debug/plat_private/netdiag.te b/basic/debug/plat_private/netdiag.te
new file mode 100644
index 0000000..9d54ea5
--- /dev/null
+++ b/basic/debug/plat_private/netdiag.te
@@ -0,0 +1,102 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type netdiag_exec, system_file_type, exec_type, file_type;
+typeattribute netdiag coredomain;
+typeattribute netdiag mlstrustedsubject;
+
+init_daemon_domain(netdiag)
+
+# Purpose : for access storage file
+allow netdiag sdcard_type:dir create_dir_perms;
+allow netdiag sdcard_type:file create_file_perms;
+allow netdiag domain:dir search;
+allow netdiag domain:file r_file_perms;
+allow netdiag net_data_file:file r_file_perms;
+allow netdiag net_data_file:dir search;
+allow netdiag storage_file:dir search;
+allow netdiag storage_file:lnk_file r_file_perms;
+allow netdiag mnt_user_file:dir search;
+allow netdiag mnt_user_file:lnk_file r_file_perms;
+allow netdiag platform_app:dir search;
+allow netdiag untrusted_app:dir search;
+allow netdiag mnt_media_rw_file:dir search;
+allow netdiag vfat:dir create_dir_perms;
+allow netdiag vfat:file create_file_perms;
+allow netdiag tmpfs:lnk_file r_file_perms;
+allow netdiag system_file:file rx_file_perms;
+
+# Purpose : for shell, set uid and gid
+allow netdiag self:capability { net_admin setuid net_raw setgid};
+allow netdiag shell_exec:file rx_file_perms;
+
+#access /proc/318/net/psched
+allow netdiag proc_net:file r_file_perms;
+
+# Purpose : for ping
+allow netdiag dnsproxyd_socket:sock_file w_file_perms;
+allow netdiag fwmarkd_socket:sock_file w_file_perms;
+allow netdiag netd:unix_stream_socket connectto;
+allow netdiag self:udp_socket create_socket_perms;
+
+# Purpose : for service permission
+allow netdiag connectivity_service:service_manager find;
+allow netdiag netstats_service:service_manager find;
+allow netdiag system_server:binder call;
+allow netdiag servicemanager:binder call;
+binder_use(netdiag)
+
+# Purpose : for dumpsys permission
+allow netdiag connmetrics_service:service_manager find;
+allow netdiag netpolicy_service:service_manager find;
+allow netdiag network_management_service:service_manager find;
+allow netdiag settings_service:service_manager find;
+
+# Purpose : for acess /system/bin/toybox, mmc_prop,proc_net and safemode_prop
+get_prop(netdiag, device_logging_prop)
+get_prop(netdiag, mmc_prop)
+allow netdiag proc_net:dir r_dir_perms;
+get_prop(netdiag, safemode_prop)
+allow netdiag toolbox_exec:file rx_file_perms;
+
+# purpose: allow netdiag to access storage in new version
+allow netdiag media_rw_data_file:file create_file_perms;
+allow netdiag media_rw_data_file:dir create_dir_perms;
+
+# Purpose : for ip spec output
+allow netdiag self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
+
+# Purpose: for socket error of tcpdump
+allow netdiag self:packet_socket create_socket_perms;
+allowxperm netdiag self:packet_socket ioctl {SIOCGIFINDEX SIOCGSTAMP};
+allow netdiag proc_net_tcp_udp:file r_file_perms;
+
+# Purpose: for ip
+allow netdiag self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read };
+
+# Purpose: for iptables
+allow netdiag kernel:system module_request;
+allow netdiag self:rawip_socket create_socket_perms_no_ioctl;
+
+#Purpose : for network log property
+set_prop(netdiag, system_mtk_debug_netlog_prop)
+set_prop(netdiag, system_mtk_persist_mtklog_prop)
+set_prop(netdiag, system_mtk_debug_mtklog_prop)
+
+## Android P migration
+allow netdiag proc_qtaguid_stat:dir r_dir_perms;
+allow netdiag proc_qtaguid_stat:file r_file_perms;
+allow netdiag netd:binder call;
+get_prop(netdiag, apexd_prop)
+
+# Q save log into /data/debuglogger
+allow netdiag debuglog_data_file:dir {relabelto create_dir_perms};
+allow netdiag debuglog_data_file:file create_file_perms;
+
+# add for dump network_stack
+allow netdiag network_stack:binder call;
+allow netdiag network_stack_service:service_manager find;
+
+# add for unlink file_tree.txt
+allow netdiag debuglog_data_file:lnk_file { getattr unlink };
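Review bot: `allow netdiag domain:dir search;` and `allow netdiag domain:file r_file_perms;` grant /proc reads across every process domain under a heading that says "for access storage file", and they subsume the narrower `platform_app:dir search` and `untrusted_app:dir search` lines further down. Move the two `domain` rules under their own comment naming what is read, e.g. `# read /proc/<pid>/* of all processes for <tool>`, and delete the subsumed lines. The capability set `{ net_admin setuid net_raw setgid}` together with `packet_socket`, `rawip_socket` and `kernel:system module_request` lets netdiag capture all traffic and trigger kernel module autoload; the comments "for shell" and "for iptables" are thin for that much privilege, so spell out the tools invoked.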
diff --git a/basic/debug/plat_private/network_stack.te b/basic/debug/plat_private/network_stack.te
new file mode 100644
index 0000000..2c7822c
--- /dev/null
+++ b/basic/debug/plat_private/network_stack.te
@@ -0,0 +1,3 @@
+# add for netdiag dump network_stack
+allow network_stack netdiag:fd use;
+allow network_stack netdiag:fifo_file w_file_perms;
\ No newline at end of file
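Review bot: The file ends without a trailing newline (`\ No newline at end of file`), and the same applies to property_contexts, radio.te and DcxoSetCap.te in this commit. For the .te files this is mostly cosmetic because m4 and the policy compiler will still see a terminated rule, but if the build concatenates property_contexts fragments, the last entry `init.svc.aee_aedv u:object_r:system_mtk_init_svc_aee_aedv_prop:s0` can be fused with the first line of the next fragment and one or both entries end up mis-typed or silently dropped. Adding a final newline to each of these files avoids the question entirely.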
diff --git a/basic/debug/plat_private/platform_app.te b/basic/debug/plat_private/platform_app.te
new file mode 100644
index 0000000..9214d75
--- /dev/null
+++ b/basic/debug/plat_private/platform_app.te
@@ -0,0 +1,37 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow platform_app system_app_service:service_manager find;
+
+# Date : WK17.29
+# Stage: O Migration, SQC
+# Purpose: Allow to use selinux for hal_power
+hal_client_domain(platform_app, hal_power)
+
+# Date: 2018/06/08
+# Operation : Migration
+# Purpose : MTKLogger need get netlog/mdlog/mobilelog property for property change
+# Package: com.mediatek.mtklogger
+get_prop(platform_app, system_mtk_debug_mdlogger_prop)
+get_prop(platform_app, system_mtk_debug_mtklog_prop)
+get_prop(platform_app, system_mtk_vendor_bluetooth_prop)
+get_prop(platform_app, system_mtk_mobile_log_prop)
+
+get_prop(platform_app, system_mtk_connsysfw_prop)
+
+# Date: 2019/07/18
+# Operation : Migration
+# Purpose : DebugLoggerUI access data/debuglogger/ folder
+# Package: com.debug.loggerui
+allow platform_app debuglog_data_file:dir create_dir_perms;
+allow platform_app debuglog_data_file:file create_file_perms;
+
+#For tel log settings
+set_prop(platform_app, log_tag_prop)
+
+#For audio log settings
+set_prop(platform_app, system_mtk_audio_prop)
+
+#For display debug log settings
+set_prop(platform_app, system_mtk_sf_debug_prop)
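Review bot: The property and debuglogger grants here apply to every app in the `platform_app` domain, while the comments name single packages (com.mediatek.mtklogger, com.debug.loggerui). In particular `set_prop(platform_app, log_tag_prop)`, `set_prop(platform_app, system_mtk_audio_prop)` and `set_prop(platform_app, system_mtk_sf_debug_prop)` let any platform-signed app change the logging and debug behaviour of other processes, which is wider than the stated purpose. If these logger tools are the only intended users, a dedicated domain assigned through seapp_contexts would keep the grant to the tool itself; at minimum the `#For ... log settings` blocks should say which package needs each `set_prop`, since they currently name none.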
diff --git a/basic/debug/plat_private/property.te b/basic/debug/plat_private/property.te
new file mode 100644
index 0000000..ba0c12a
--- /dev/null
+++ b/basic/debug/plat_private/property.te
@@ -0,0 +1,8 @@
+system_internal_prop(system_mtk_debug_mtk_aee_prop)
+system_internal_prop(system_mtk_persist_aee_prop)
+system_internal_prop(system_mtk_aee_basic_prop)
+
+typeattribute system_mtk_debug_mtk_aee_prop extended_core_property_type;
+typeattribute system_mtk_persist_aee_prop extended_core_property_type;
+typeattribute system_mtk_aee_basic_prop extended_core_property_type;
+typeattribute system_mtk_persist_mtk_aee_prop extended_core_property_type;
diff --git a/basic/debug/plat_private/property_contexts b/basic/debug/plat_private/property_contexts
new file mode 100644
index 0000000..464db08
--- /dev/null
+++ b/basic/debug/plat_private/property_contexts
@@ -0,0 +1,5 @@
+persist.vendor.mtk.aee. u:object_r:system_mtk_persist_mtk_aee_prop:s0
+persist.vendor.aee. u:object_r:system_mtk_persist_aee_prop:s0
+vendor.debug.mtk.aee. u:object_r:system_mtk_debug_mtk_aee_prop:s0
+ro.vendor.aee.basic u:object_r:system_mtk_aee_basic_prop:s0
+init.svc.aee_aedv u:object_r:system_mtk_init_svc_aee_aedv_prop:s0
\ No newline at end of file
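Review bot: The `persist.vendor.mtk.aee.`, `persist.vendor.aee.` and `vendor.debug.mtk.aee.` prefixes sit in the vendor property namespace but are typed here, in the platform private property_contexts, with platform-declared `system_mtk_*` types. By convention the `vendor.` and `persist.vendor.` namespaces are owned by the vendor policy (vendor property types declared in the vendor property_contexts), and splitting ownership of one prefix family across partitions is what makes later system/vendor policy mismatches hard to diagnose; whether the build's property_contexts checks reject this I cannot tell from the diff. If these properties must be readable from system domains, declaring them as vendor types with the matching accessors in the vendor policy, or moving them out of the `vendor.` namespace, would be the cleaner fix.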
diff --git a/basic/debug/plat_private/radio.te b/basic/debug/plat_private/radio.te
new file mode 100644
index 0000000..47e2a6b
--- /dev/null
+++ b/basic/debug/plat_private/radio.te
@@ -0,0 +1,5 @@
+#Date : 2021/08/01
+# Operation : Allow radio read write data/debuglogger folder
+# Purpose : Add for ATG app
+allow radio debuglog_data_file:dir create_dir_perms;
+allow radio debuglog_data_file:file create_file_perms;
\ No newline at end of file
diff --git a/basic/debug/plat_private/shell.te b/basic/debug/plat_private/shell.te
new file mode 100644
index 0000000..5ad5b4d
--- /dev/null
+++ b/basic/debug/plat_private/shell.te
@@ -0,0 +1,3 @@
+get_prop(shell, system_mtk_persist_mtk_aee_prop)
+get_prop(shell, system_mtk_persist_aee_prop)
+get_prop(shell, system_mtk_debug_mtk_aee_prop)
diff --git a/basic/debug/plat_private/system_server.te b/basic/debug/plat_private/system_server.te
new file mode 100644
index 0000000..a554fe7
--- /dev/null
+++ b/basic/debug/plat_private/system_server.te
@@ -0,0 +1,9 @@
+# Date : WK18.33
+# Purpose : type=1400 audit(0.0:1592): avc: denied { read }
+# for comm=4572726F722064756D703A20646174 name=
+# "u:object_r:system_mtk_persist_mtk_aee_prop:s0" dev="tmpfs"
+# ino=10312 scontext=u:r:system_server:s0 tcontext=
+# u:object_r:system_mtk_persist_mtk_aee_prop:s0 tclass=file permissive=0
+get_prop(system_server, system_mtk_persist_mtk_aee_prop)
+
+get_prop(system_server, system_mtk_debug_mtk_aee_prop)
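Review bot: The comment above `get_prop(system_server, system_mtk_persist_mtk_aee_prop)` is a pasted audit line rather than an explanation: the `comm=4572726F722064756D703A20646174` field is the hex-encoded, truncated thread name `Error dump: dat`, which nobody will decode while reading the policy, and the `tclass=file dev="tmpfs"` fields only describe the property read that `get_prop` already implies. Replacing it with something like `# Purpose : system_server's "Error dump" thread reads the persist.vendor.mtk.aee. properties` would state why the rule exists. The second `get_prop(system_server, system_mtk_debug_mtk_aee_prop)` has no comment at all.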
diff --git a/basic/debug/plat_public/aee_core_forwarder.te b/basic/debug/plat_public/aee_core_forwarder.te
new file mode 100644
index 0000000..b8c237e
--- /dev/null
+++ b/basic/debug/plat_public/aee_core_forwarder.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/aee_core_forwarder Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type aee_core_forwarder, domain;
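Review bot: `type aee_core_forwarder, domain;` declares a domain for a /system/bin executable, but nothing visible adds the `coredomain` attribute, an `aee_core_forwarder_exec` type or a domain transition; the same shape is repeated for connsyslogger, emdlogger, loghidlsysservice, mdlogger, mobile_log_d and modemdbfilter_client in this commit. Presumably the private policy supplies `typeattribute aee_core_forwarder coredomain;`, the `_exec` type and `init_daemon_domain`, but if it does not, the domain is unreachable and AOSP's coredomain checks are likely to complain. A one-line comment such as `# coredomain attribute, _exec type and transitions live in plat_private` would make the split explicit for readers of the public file.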
diff --git a/basic/debug/plat_public/attributes b/basic/debug/plat_public/attributes
new file mode 100644
index 0000000..9abd6f6
--- /dev/null
+++ b/basic/debug/plat_public/attributes
@@ -0,0 +1,13 @@
+# ==============================================
+# MTK Attribute declarations
+# ==============================================
+
+# Date: 2018/03/23
+# log hidl
+attribute hal_mtk_log;
+attribute hal_mtk_log_client;
+attribute hal_mtk_log_server;
+
+attribute hal_mtk_aee;
+attribute hal_mtk_aee_client;
+attribute hal_mtk_aee_server;
diff --git a/basic/debug/plat_public/connsyslogger.te b/basic/debug/plat_public/connsyslogger.te
new file mode 100644
index 0000000..f3062c8
--- /dev/null
+++ b/basic/debug/plat_public/connsyslogger.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/connsyslogger Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type connsyslogger, domain;
diff --git a/basic/debug/plat_public/emdlogger.te b/basic/debug/plat_public/emdlogger.te
new file mode 100644
index 0000000..f116ac0
--- /dev/null
+++ b/basic/debug/plat_public/emdlogger.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/emdlogger[x] Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type emdlogger, domain;
diff --git a/basic/debug/plat_public/loghidlsysservice.te b/basic/debug/plat_public/loghidlsysservice.te
new file mode 100644
index 0000000..9f3b33d
--- /dev/null
+++ b/basic/debug/plat_public/loghidlsysservice.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/loghidlsysservice Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type loghidlsysservice, domain;
diff --git a/basic/debug/plat_public/mdlogger.te b/basic/debug/plat_public/mdlogger.te
new file mode 100644
index 0000000..4febc5e
--- /dev/null
+++ b/basic/debug/plat_public/mdlogger.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/mdlogger Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type mdlogger, domain;
diff --git a/basic/debug/plat_public/mobile_log_d.te b/basic/debug/plat_public/mobile_log_d.te
new file mode 100644
index 0000000..8ad1e2a
--- /dev/null
+++ b/basic/debug/plat_public/mobile_log_d.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/mobile_log_d Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type mobile_log_d, domain;
diff --git a/basic/debug/plat_public/modemdbfilter_client.te b/basic/debug/plat_public/modemdbfilter_client.te
new file mode 100644
index 0000000..ec9df6e
--- /dev/null
+++ b/basic/debug/plat_public/modemdbfilter_client.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/modemdbfilter_client Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type modemdbfilter_client, domain;
diff --git a/basic/debug/plat_public/property.te b/basic/debug/plat_public/property.te
new file mode 100644
index 0000000..b89898c
--- /dev/null
+++ b/basic/debug/plat_public/property.te
@@ -0,0 +1,2 @@
+system_public_prop(system_mtk_init_svc_aee_aedv_prop)
+system_public_prop(system_mtk_persist_mtk_aee_prop)
diff --git a/basic/non_plat/DcxoSetCap.te b/basic/non_plat/DcxoSetCap.te
new file mode 100644
index 0000000..b5b5fe4
--- /dev/null
+++ b/basic/non_plat/DcxoSetCap.te
@@ -0,0 +1,26 @@
+# ==============================================
+# Policy File of /vendor/bin/DcxoSetCap Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type DcxoSetCap, domain;
+type DcxoSetCap_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(DcxoSetCap)
+
+#============= DcxoSetCap ==============
+allow DcxoSetCap nvdata_file:dir rw_dir_perms;
+allow DcxoSetCap nvdata_file:file rw_file_perms;
+allow DcxoSetCap proc_cmdline:file r_file_perms;
+allow DcxoSetCap sysfs_dcxo:file rw_file_perms;
+allow DcxoSetCap sysfs_boot_mode:file r_file_perms;
+allow DcxoSetCap sysfs_dt_firmware_android:dir r_dir_perms;
+allow DcxoSetCap sysfs_dt_firmware_android:file r_file_perms;
+
+allow DcxoSetCap metadata_file:dir search;
+allow DcxoSetCap gsi_metadata_file:dir search;
+allow DcxoSetCap mnt_vendor_file:dir search;
\ No newline at end of file
diff --git a/basic/non_plat/adbd.te b/basic/non_plat/adbd.te
new file mode 100644
index 0000000..b7c2287
--- /dev/null
+++ b/basic/non_plat/adbd.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Data : WK17.46
+# Operator: Migration
+# Purpose: Allow adbd to read KE DB
+allow adbd aee_dumpsys_data_file:file r_file_perms;
+allow adbd gpu_device:dir search;
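Review bot: `allow adbd aee_dumpsys_data_file:file r_file_perms;` is unconditional, so on user builds any host with an adb session can read the KE database, which by its nature may contain kernel memory and stack contents from crash dumps. If reading the KE DB is a debugging aid, wrapping both rules in a userdebug_or_eng block, as audiocmdservice_atci.te in this commit does for its capabilities, keeps it off production devices; if it is needed in production, the comment should name the adb-side consumer that reads it. The `# Data : WK17.46` header is presumably `# Date`.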
diff --git a/basic/non_plat/app.te b/basic/non_plat/app.te
new file mode 100644
index 0000000..9e9a6e1
--- /dev/null
+++ b/basic/non_plat/app.te
@@ -0,0 +1,56 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow appdomain proc_ged:file rw_file_perms;
+allowxperm appdomain proc_ged:file ioctl { proc_ged_ioctls };
+
+# Data : WK16.42
+# Operator: Whitney bring up
+# Purpose: call surfaceflinger due to powervr
+allow appdomain surfaceflinger:fifo_file rw_file_perms;
+
+# Date : W16.42
+# Operation : Integration
+# Purpose : DRM / DRI GPU driver required
+allow appdomain gpu_device:dir search;
+
+# Date : W17.41
+# Operation: SQC
+# Purpose : Allow HWUI to access perfmgr
+allow appdomain proc_perfmgr:dir search;
+allow appdomain proc_perfmgr:file r_file_perms;
+allowxperm appdomain proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_QUEUE
+ PERFMGR_FPSGO_DEQUEUE
+ PERFMGR_FPSGO_QUEUE_CONNECT
+ PERFMGR_FPSGO_BQID
+ PERFMGR_FPSGO_SWAP_BUFFER
+ PERFMGR_FPSGO_SBE_RESCUE
+};
+
+# Date : W19.23
+# Operation : Migration
+# Purpose : For platform app com.android.gallery3d
+allow { appdomain -isolated_app } radio_data_file:file rw_file_perms;
+
+# Date : W19.23
+# Operation : Migration
+# Purpose : For app com.tencent.qqpimsecure
+allowxperm appdomain appdomain:fifo_file ioctl SNDCTL_TMR_START;
+
+# Date : W20.26
+# Operation : Migration
+# Purpose : For apps other than isolated_app call hidl
+hwbinder_use({ appdomain -isolated_app })
+get_prop({ appdomain -isolated_app }, hwservicemanager_prop)
+allow { appdomain -isolated_app } hidl_manager_hwservice:hwservice_manager find;
+binder_call({ appdomain -isolated_app }, mtk_safe_halserverdomain_type)
+allow { appdomain -isolated_app } mtk_safe_hwservice_manager_type:hwservice_manager find;
+
+# Date : 2021/04/24
+# Operation: addwindow
+# Purpose: Get the variable value of touch report rate
+get_prop(appdomain, vendor_mtk_input_report_rate_prop)
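Review bot: `allow { appdomain -isolated_app } radio_data_file:file rw_file_perms;` gives every non-isolated app domain, including untrusted_app, read/write on telephony data files for the benefit of one platform app (com.android.gallery3d); the grant should be scoped to `platform_app` (or the app's own domain) rather than the whole app attribute, and ideally to a dedicated file type instead of all of radio_data_file. Similarly, `allow appdomain proc_ged:file rw_file_perms;` and the `proc_ged_ioctls` allowxperm reach isolated_app, which is meant to have almost no kernel surface; excluding it with `{ appdomain -isolated_app }` as the later rules already do would keep that sandbox intact unless the renderer path truly needs GED. I cannot tell from the diff whether DAC or the absence of a `radio_data_file:dir` rule makes the first grant unreachable in practice, but the policy should not rely on that.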
diff --git a/basic/non_plat/atci_service.te b/basic/non_plat/atci_service.te
new file mode 100644
index 0000000..7a6bbdf
--- /dev/null
+++ b/basic/non_plat/atci_service.te
@@ -0,0 +1,130 @@
+# ==============================================
+# Policy File of /vendor/bin/atci_service Executable File
+# ==============================================
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type atci_service, domain;
+type atci_service_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(atci_service)
+
+allow atci_service block_device:dir search;
+allow atci_service misc2_block_device:blk_file rw_file_perms;
+allow atci_service misc2_device:chr_file rw_file_perms;
+allow atci_service camera_isp_device:chr_file rw_file_perms;
+allow atci_service graphics_device:chr_file rw_file_perms;
+allow atci_service graphics_device:dir search;
+allow atci_service kd_camera_hw_device:chr_file rw_file_perms;
+allow atci_service self:capability { sys_nice ipc_lock sys_boot };
+allow atci_service nvram_device:chr_file rw_file_perms;
+allow atci_service camera_sysram_device:chr_file r_file_perms;
+allow atci_service camera_tsf_device:chr_file rw_file_perms;
+allow atci_service camera_rsc_device:chr_file rw_file_perms;
+allow atci_service camera_gepf_device:chr_file rw_file_perms;
+allow atci_service camera_fdvt_device:chr_file rw_file_perms;
+allow atci_service camera_wpe_device:chr_file rw_file_perms;
+allow atci_service camera_owe_device:chr_file rw_file_perms;
+allow atci_service camera_pda_device:chr_file rw_file_perms;
+allow atci_service kd_camera_flashlight_device:chr_file rw_file_perms;
+allow atci_service ccu_device:chr_file rw_file_perms;
+allow atci_service vpu_device:chr_file rw_file_perms;
+allow atci_service MTK_SMI_device:chr_file rw_file_perms;
+allow atci_service DW9714AF_device:chr_file rw_file_perms;
+allow atci_service devmap_device:chr_file rw_file_perms;
+allow atci_service sdcard_type:dir create_dir_perms;
+allow atci_service sdcard_type:file create_file_perms;
+allow atci_service mediaserver:binder call;
+
+# Date : 2015/09/17
+# Operation : M-Migration
+# Purpose : to operation CCT tool
+allow atci_service nvram_device:blk_file rw_file_perms;
+allow atci_service input_device:dir r_dir_perms;
+allow atci_service input_device:file rw_file_perms;
+allow atci_service input_device:chr_file rw_file_perms;
+allow atci_service MAINAF_device:chr_file rw_file_perms;
+allow atci_service MAIN2AF_device:chr_file rw_file_perms;
+allow atci_service MAIN3AF_device:chr_file rw_file_perms;
+allow atci_service MAIN4AF_device:chr_file rw_file_perms;
+allow atci_service SUBAF_device:chr_file rw_file_perms;
+allow atci_service SUB2AF_device:chr_file rw_file_perms;
+allow atci_service tmpfs:lnk_file r_file_perms;
+allow atci_service self:capability2 block_suspend;
+
+# Date : 2015/10/13
+# Operation : M-Migration
+# Purpose : to operation CCT tool
+allow atci_service mnt_user_file:dir search;
+allow atci_service mnt_user_file:lnk_file r_file_perms;
+allow atci_service storage_file:lnk_file r_file_perms;
+
+set_prop(atci_service, vendor_mtk_em_prop)
+
+# Date : 2016/03/02
+# Operation : M-Migration
+# Purpose : to support ATCI touch tool
+allow atci_service vendor_shell_exec:file rx_file_perms;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow atci_service proc_ged:file rw_file_perms;
+
+# Date : WK16.35
+# Operation : Migration
+# Purpose : Update camera flashlight driver device file
+allow atci_service flashlight_device:chr_file rw_file_perms;
+
+# Date : WK17.01
+# Operation : Migration
+# Purpose : Update AT_Command NFC function
+allow atci_service factory_data_file:sock_file write;
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(atci_service, hal_mtk_pq)
+
+# Date : WK17.28
+# Purpose : Allow to execute battery command
+allow atci_service MT_pmic_adc_cali_device:chr_file rw_file_perms;
+
+# Date : WK17.43
+# Purpose : CCT
+allow atci_service CAM_CAL_DRV_device:chr_file rw_file_perms;
+allow atci_service CAM_CAL_DRV1_device:chr_file rw_file_perms;
+allow atci_service CAM_CAL_DRV2_device:chr_file rw_file_perms;
+allow atci_service camera_eeprom_device:chr_file rw_file_perms;
+allow atci_service seninf_n3d_device:chr_file rw_file_perms;
+allow atci_service fwk_sensor_hwservice:hwservice_manager find;
+allow atci_service ion_device:chr_file r_file_perms;
+allow atci_service mtk_cmdq_device:chr_file r_file_perms;
+allow atci_service mtk_mdp_device:chr_file r_file_perms;
+allow atci_service mtk_mdp_sync_device:chr_file r_file_perms;
+allow atci_service sw_sync_device:chr_file r_file_perms;
+hal_client_domain(atci_service, hal_power)
+allow atci_service sysfs_batteryinfo:dir search;
+allow atci_service sysfs_batteryinfo:file r_file_perms;
+allow atci_service system_file:dir r_dir_perms;
+allow atci_service camera_pipemgr_device:chr_file r_file_perms;
+allow atci_service mtk_hal_camera:binder call;
+allow atci_service debugfs_ion:dir search;
+allow atci_service sysfs_tpd_setting:file rw_file_perms;
+allow atci_service sysfs_vibrator_setting:file rw_file_perms;
+allow atci_service sysfs_leds_setting:file rw_file_perms;
+allow atci_service vendor_toolbox_exec:file rx_file_perms;
+
+# Date : WK18.21
+# Purpose: Allow to use HIDL
+hal_client_domain(atci_service, hal_mtk_atci)
+
+# Date : WK18.26
+# Purpose: Allow gps socket sendto
+allow atci_service mnld:unix_dgram_socket sendto;
+
+# Date : WK18.35
+# Purpose : allow CCT to allocate memory
+hal_client_domain(atci_service, hal_allocator)
+
+allow atci_service gpu_device:chr_file rw_file_perms;
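Review bot: The cumulative grant to `atci_service` — `self:capability { sys_nice ipc_lock sys_boot }`, raw `rw_file_perms` on `nvram_device:blk_file` and `misc2_block_device:blk_file`, `create_*_perms` on all of `sdcard_type`, and `rx_file_perms` on `vendor_shell_exec` and `vendor_toolbox_exec` — is unconditional, although the comments justify most of it with CCT/EM tooling that only makes sense on engineering builds. An AT-command service that can reboot the device (`sys_boot`), rewrite the NVRAM partition underneath its filesystem and spawn a shell is a high-value target if AT input is reachable from the modem or USB side, which the diff does not let me confirm. Moving the tooling rules into a userdebug_or_eng block, and replacing the blk_file rules with access to the file type the tool actually edits, would limit what a compromised or misused AT path can do on user builds.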
diff --git a/basic/non_plat/atcid.te b/basic/non_plat/atcid.te
new file mode 100644
index 0000000..2cc2bf0
--- /dev/null
+++ b/basic/non_plat/atcid.te
@@ -0,0 +1,92 @@
+# ==============================================
+# Policy File of /vendor/bin/atcid Executable File
+# ==============================================
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type atcid, domain;
+type atcid_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(atcid)
+set_prop(atcid, vendor_mtk_persist_service_atci_prop)
+allow atcid block_device:dir search;
+allow atcid gsmrild_socket:sock_file w_file_perms;
+
+# Date : WK17.21
+# Purpose: Allow to use HIDL
+hal_client_domain(atcid, hal_telephony)
+
+allow atcid ttyGS_device:chr_file rw_file_perms;
+allow atcid wmtWifi_device:chr_file w_file_perms;
+allow atcid misc2_block_device:blk_file rw_file_perms;
+allow atcid self:capability sys_time;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow atcid proc_ged:file rw_file_perms;
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(atcid, hal_mtk_pq)
+
+# Date : WK17.34
+# Purpose: Allow to access meta_tst
+allow atcid meta_tst:unix_stream_socket connectto;
+
+# Date : WK18.15
+# Purpose: Allow to access power_supply in sysfs
+allow atcid sysfs_batteryinfo:file r_file_perms;
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow atcid to get vendor_mtk_tel_switch_prop
+get_prop(atcid, vendor_mtk_tel_switch_prop)
+
+# Date : WK18.21
+# Purpose: Allow to use HIDL
+vndbinder_use(atcid)
+hal_server_domain(atcid, hal_mtk_atci)
+
+# Date : WK18.21
+# Purpose: For special command for customer
+set_prop(atcid, vendor_mtk_atci_prop)
+set_prop(atcid, powerctl_prop)
+allow atcid mnt_vendor_file:dir search;
+allow atcid nvdata_file:dir rw_dir_perms;
+allow atcid nvdata_file:file create_file_perms;
+allow atcid nvram_device:blk_file rw_file_perms;
+allow atcid proc_meminfo:file r_file_perms;
+allow atcid sysfs_batteryinfo:dir search;
+allow atcid sysfs_devices_block:dir search;
+allow atcid sysfs_devices_block:file r_file_perms;
+
+# Date : WK18.35
+# Purpose: Add socket for TelephonyWare ATCI
+unix_socket_connect(atcid, rild_atci, rild)
+unix_socket_connect(atcid, rilproxy_atci, rild)
+unix_socket_connect(atcid, atci_service, atci_service)
+
+# Date : WK19.42
+# Purpose: Add policy to access ATCI sockets
+unix_socket_connect(atcid, atci-audio, audiocmdservice_atci)
+unix_socket_connect(atcid, meta_atci, meta_tst)
+allow atcid adb_atci_socket:sock_file w_file_perms;
+
+# Date : WK21.13
+# Purpose: Add policy to access CCCI
+allow atcid sysfs_ccci:dir search;
+allow atcid sysfs_ccci:file r_file_perms;
+allow atcid gsm0710muxd_device:chr_file rw_file_perms;
+
+# Date : WK21.22
+unix_socket_connect(atcid, factory_atci, factory);
+set_prop(atcid, vendor_mtk_factory_start_prop)
+
+# Date : WK21.31
+# Purpose: Add policy to support uart
+allow atcid sysfs_boot_info:file r_file_perms;
+allow atcid sysfs_meta_info:file r_file_perms;
+allow atcid ttyS_device:chr_file rw_file_perms;
+
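Review bot: `set_prop(atcid, powerctl_prop)` together with `rw_file_perms` on `ttyGS_device`, `ttyS_device` and `gsm0710muxd_device` means a process that speaks AT commands over a USB gadget or UART serial port can set sys.powerctl and reboot or shut down the device; if the power command exists only for the "special command for customer" case, gate that `set_prop` (and the `nvram_device:blk_file` write below it) with userdebug_or_eng or a dedicated property so user builds do not carry it. Separately, `unix_socket_connect(atcid, factory_atci, factory);` carries a trailing `;` that none of the other macro invocations have, and the file ends with an extra empty line; both should be dropped for consistency with the rest of the policy.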
diff --git a/basic/non_plat/audiocmdservice_atci.te b/basic/non_plat/audiocmdservice_atci.te
new file mode 100644
index 0000000..ed9f24c
--- /dev/null
+++ b/basic/non_plat/audiocmdservice_atci.te
@@ -0,0 +1,33 @@
+# ==============================================
+# Policy File of /vendor/bin/audiocmdservice_atci Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type audiocmdservice_atci, domain;
+type audiocmdservice_atci_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(audiocmdservice_atci)
+
+allow audiocmdservice_atci self:unix_stream_socket create_socket_perms;
+
+# Access to storages for audio tuning tool to read/write tuning result
+allow audiocmdservice_atci mnt_user_file:dir rw_dir_perms;
+allow audiocmdservice_atci { mnt_user_file storage_file }:lnk_file rw_file_perms;
+allow audiocmdservice_atci bootdevice_block_device:blk_file rw_file_perms;
+
+# can route /dev/binder traffic to /dev/vndbinder
+vndbinder_use(audiocmdservice_atci)
+binder_call(audiocmdservice_atci, mtk_hal_audio)
+
+hal_client_domain(audiocmdservice_atci, hal_audio)
+
+#To access the file at /dev/kmsg
+allow audiocmdservice_atci kmsg_device:chr_file w_file_perms;
+
+userdebug_or_eng(`
+ allow audiocmdservice_atci self:capability { sys_nice fowner chown fsetid setuid ipc_lock net_admin };
+')
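Review bot: `allow audiocmdservice_atci bootdevice_block_device:blk_file rw_file_perms;` grants unconditional read/write on the raw boot block device — per the boot_logo_updater.te comment in this commit, that type labels /dev/block/mmcblk0 or /dev/block/sdc, i.e. the whole disk behind every partition — to the audio tuning service, which bypasses filesystem permissions and can overwrite any partition the device boots from. The stated need is to read and write tuning results, which a file type on a data or vendor partition (or at worst a dedicated partition's own block device type) should satisfy; if it exists only for the tuning tool, it belongs inside the existing userdebug_or_eng block at minimum. `allow audiocmdservice_atci { mnt_user_file storage_file }:lnk_file rw_file_perms;` also grants write on symlinks the service presumably only follows, where `r_file_perms` would do.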
diff --git a/basic/non_plat/audioserver.te b/basic/non_plat/audioserver.te
new file mode 100644
index 0000000..8ec55b5
--- /dev/null
+++ b/basic/non_plat/audioserver.te
@@ -0,0 +1,48 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: WK14.44
+# Operation : Migration
+# Purpose : EVDO
+allow audioserver rpc_socket:sock_file write;
+allow audioserver ttySDIO_device:chr_file rw_file_perms;
+
+# Data: WK14.44
+# Operation : Migration
+# Purpose : for low SD card latency issue
+allow audioserver sysfs_lowmemorykiller:file r_file_perms;
+
+# Data: WK14.45
+# Operation : Migration
+# Purpose : for change thermal policy when needed
+allow audioserver proc_mtkcooler:dir search;
+allow audioserver proc_mtktz:dir search;
+allow audioserver proc_thermal:dir search;
+
+# Date : WK15.03
+# Operation : Migration
+# Purpose : offloadservice
+allow audioserver offloadservice_device:chr_file rw_file_perms;
+
+# Date : WK16.17
+# Operation : Migration
+# Purpose: read/open sysfs node
+allow audioserver sysfs_ccci:file r_file_perms;
+
+# Date : WK16.18
+# Operation : Migration
+# Purpose: research root dir "/"
+allow audioserver tmpfs:dir search;
+
+# Date : WK16.18
+# Operation : Migration
+# Purpose: access sysfs node
+allow audioserver sysfs_ccci:dir search;
+
+# Purpose: Dump debug info
+allow audioserver fuse:file w_file_perms;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow audioserver proc_ged:file rw_file_perms;
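Review bot: `allow audioserver fuse:file w_file_perms;` under `# Purpose: Dump debug info` is unconditional, so audioserver can write to any FUSE-backed file on user builds, not only when a debug dump is requested. Wrapping it in userdebug_or_eng, or pointing the dump at a dedicated data file type, would close that gap. The `# Data: WK14.44` / `# Data: WK14.45` headers are presumably `# Date`, and `allow audioserver proc_ged:file rw_file_perms;` has no matching `allowxperm` unlike app.te and bootanim.te in this commit, which is fine only if audioserver never issues GED ioctls.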
diff --git a/basic/non_plat/biosensord_nvram.te b/basic/non_plat/biosensord_nvram.te
new file mode 100644
index 0000000..2fe6860
--- /dev/null
+++ b/basic/non_plat/biosensord_nvram.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Policy File of /vendor/bin/biosensord_nvram Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type biosensord_nvram, domain;
+type biosensord_nvram_exec , exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(biosensord_nvram)
+
+# Data : WK16.21
+# Operation : New Feature
+# Purpose : For biosensor daemon can do nvram r/w to save calibration data
+allow biosensord_nvram nvdata_file:dir rw_dir_perms;
+allow biosensord_nvram nvdata_file:file create_file_perms;
+allow biosensord_nvram nvram_data_file:lnk_file rw_file_perms;
+allow biosensord_nvram biometric_device:chr_file rw_file_perms;
+allow biosensord_nvram self:capability { chown fsetid };
diff --git a/basic/non_plat/bip_ap.te b/basic/non_plat/bip_ap.te
new file mode 100644
index 0000000..00e0331
--- /dev/null
+++ b/basic/non_plat/bip_ap.te
@@ -0,0 +1,34 @@
+# ==============================================
+# Policy File of /vendor/bin/bip_ap Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type bip_ap, domain, mtkimsmddomain;
+type bip_ap_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(bip_ap)
+net_domain(bip_ap)
+
+# Date : WK14.42
+# Operation : Migration
+# Purpose : for bip_ap send RTP/RTCP
+allow bip_ap self:udp_socket create_socket_perms;
+allow bip_ap node:udp_socket node_bind;
+allow bip_ap port:udp_socket name_bind;
+allow bip_ap fwmarkd_socket:sock_file write;
+allow bip_ap self:tcp_socket create_stream_socket_perms;
+allow bip_ap port:tcp_socket name_connect;
+allow bip_ap self:netlink_route_socket read;
+
+# Purpose : for access ccci device
+allow bip_ap ccci_device:chr_file rw_file_perms;
+
+# Purpose : for raw socket
+allow bip_ap self:rawip_socket { create write bind setopt read getattr};
+allow bip_ap node:rawip_socket node_bind;
+
+allow bip_ap netd:unix_stream_socket connectto;
+allow bip_ap netd_socket:sock_file write;
+
diff --git a/basic/non_plat/bluetooth.te b/basic/non_plat/bluetooth.te
new file mode 100644
index 0000000..4734932
--- /dev/null
+++ b/basic/non_plat/bluetooth.te
@@ -0,0 +1,32 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date:W17.07
+# Operation : bt hal developing
+# Purpose : bt hal interface permission
+binder_call(bluetooth, mtk_hal_bluetooth)
+
+allow bluetooth storage_stub_file:dir getattr;
+
+# Date: 2018/02/02
+# Major permission allow are in /system/sepoplicy/private/bluetooth.te
+# Add dir create perms for bluetooth on /data/misc/bluetooth/logs
+allow bluetooth bluetooth_logs_data_file:dir { create_dir_perms relabelto };
+allow bluetooth bluetooth_logs_data_file:fifo_file create_file_perms;
+
+# Date: 2019/09/19
+allow bluetooth mtk_hal_bluetooth_audio_hwservice:hwservice_manager find;
+
+# Date : 2020/06/11
+# Operation : allow bt native process to access driver debug node and set kernel thread priority
+# Purpose: allow bt native process to access driver debug node and set kernel thread priority
+allow bluetooth proc_btdbg:file rw_file_perms;
+allow bluetooth kernel:process setsched;
+
+get_prop(bluetooth, vendor_mtk_bt_perf_prop)
+
+# Date : 2021/09/07
+# Operation : allow bluetooth to access mediametrics
+# Purpose: This operation will block A2DP Sink playback
+allow bluetooth mediametrics_service:service_manager find;
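Review bot: The comment `# Purpose: This operation will block A2DP Sink playback` above `allow bluetooth mediametrics_service:service_manager find;` reads as if the rule causes the problem; presumably it means the denial blocks playback and the rule fixes it, while the `# Operation :` line above it already says what is allowed. Rewording it to `# Purpose : without this find permission the mediametrics lookup fails and A2DP Sink playback is blocked` removes the ambiguity. The same duplication appears in the 2020/06/11 block, where the `Operation` and `Purpose` lines are identical.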
diff --git a/basic/non_plat/boot_logo_updater.te b/basic/non_plat/boot_logo_updater.te
new file mode 100644
index 0000000..62f6b1d
--- /dev/null
+++ b/basic/non_plat/boot_logo_updater.te
@@ -0,0 +1,27 @@
+# ==============================================
+# Policy File of /system/bin/boot_logo_updater Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.43
+# Operation : Migration
+# Purpose : To access file directories and files like logo.bin
+allow boot_logo_updater logo_block_device:blk_file r_file_perms;
+
+# To access block files at /dev/block/mmcblk0 ir /dev/block/sdc
+allow boot_logo_updater bootdevice_block_device:blk_file r_file_perms;
+
+#To access file at /dev/logo
+allow boot_logo_updater logo_device:chr_file r_file_perms;
+
+# To access file at /proc/lk_env
+allow boot_logo_updater proc_lk_env:file rw_file_perms;
+
+# Date : WK16.25
+# Operation : Global_Device/Uniservice Feature
+# Purpose : for it to read-write SysEnv data
+allow boot_logo_updater para_block_device:blk_file rw_file_perms;
+# Allow ReadDefaultFstab().
+read_fstab(boot_logo_updater)
diff --git a/basic/non_plat/bootanim.te b/basic/non_plat/bootanim.te
new file mode 100644
index 0000000..ea20491
--- /dev/null
+++ b/basic/non_plat/bootanim.te
@@ -0,0 +1,40 @@
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.46
+# Operation : Migration
+# Purpose : For MTK Emulator HW GPU
+allow bootanim qemu_pipe_device:chr_file rw_file_perms;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow bootanim proc_ged:file rw_file_perms;
+
+# Date : WK17.43
+# Operation : Migration
+# Purpose : For MTK perfmgr
+allow bootanim proc_perfmgr:dir r_dir_perms;
+allow bootanim proc_perfmgr:file r_file_perms;
+
+# Date : WK19.11
+# Operation : Migration
+# Purpose : Allow to access ged for ioctl related functions
+allowxperm bootanim proc_ged:file ioctl { proc_ged_ioctls };
+allowxperm bootanim proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_QUEUE
+ PERFMGR_FPSGO_DEQUEUE
+ PERFMGR_FPSGO_QUEUE_CONNECT
+ PERFMGR_FPSGO_BQID
+};
+
+# Date : WK19.48
+# Operation : Migration
+# Purpose : Allow to access gpu device search
+allow bootanim gpu_device:dir search;
+
+# Date : WK21.26
+# Operation : Migration
+# Purpose : donotaudit data directory search
+dontaudit bootanim system_data_file:dir search;
diff --git a/basic/non_plat/bp_kmsetkey_ca.te b/basic/non_plat/bp_kmsetkey_ca.te
new file mode 100644
index 0000000..dce5b19
--- /dev/null
+++ b/basic/non_plat/bp_kmsetkey_ca.te
@@ -0,0 +1 @@
+type bp_kmsetkey_ca, domain;
diff --git a/basic/non_plat/bt_dump.te b/basic/non_plat/bt_dump.te
new file mode 100644
index 0000000..4cdb090
--- /dev/null
+++ b/basic/non_plat/bt_dump.te
@@ -0,0 +1,28 @@
+# ==============================================
+# Policy File of /vendor/bin/bt_dump Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type bt_dump, domain;
+type bt_dump_exec, vendor_file_type, exec_type, file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(bt_dump)
+
+allow bt_dump self:capability net_admin;
+allow bt_dump self:netlink_socket create_socket_perms_no_ioctl;
+allow bt_dump self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow bt_dump conninfra_device:chr_file rw_file_perms;
+allow bt_dump stpwmt_device:chr_file rw_file_perms;
+allow bt_dump tmpfs:lnk_file r_file_perms;
+allow bt_dump mnt_user_file:dir search;
+allow bt_dump mnt_user_file:lnk_file r_file_perms;
+allow bt_dump storage_file:lnk_file r_file_perms;
+allow bt_dump stp_dump_data_file:dir create_dir_perms;
+allow bt_dump stp_dump_data_file:file create_file_perms;
+allow bt_dump connsyslog_data_vendor_file:dir create_dir_perms;
+allow bt_dump connsyslog_data_vendor_file:file create_file_perms;
+get_prop(bt_dump, vendor_mtk_coredump_prop)
diff --git a/basic/non_plat/cameraserver.te b/basic/non_plat/cameraserver.te
new file mode 100644
index 0000000..13b9f55
--- /dev/null
+++ b/basic/non_plat/cameraserver.te
@@ -0,0 +1,63 @@
+# ==============================================================================
+# Policy File of /system/bin/cameraserver Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# -----------------------------------
+# Android O
+# Purpose: Allow cameraserver to perform binder IPC to servers and callbacks.
+# call camerahalserver
+binder_call(cameraserver, mtk_hal_camera)
+
+# call the graphics allocator hal
+binder_call(cameraserver, hal_graphics_allocator)
+
+# -----------------------------------
+# Android O
+# Purpose: adb shell dumpsys media.camera --unreachable
+allow cameraserver self:process ptrace;
+
+# Date : WK14.40
+# Operation : Migration
+# Purpose : HDMI driver access
+allow cameraserver graphics_device:chr_file rw_file_perms;
+
+# Date : WK16.20
+# Operation : Migration
+# Purpose: research root dir "/"
+allow cameraserver tmpfs:dir search;
+
+# Date : WK16.21
+# Operation : Migration
+# Purpose : EGL file access
+allow cameraserver system_file:dir r_dir_perms;
+allow cameraserver gpu_device:chr_file rw_file_perms;
+allow cameraserver gpu_device:dir search;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow cameraserver proc_ged:file rw_file_perms;
+allowxperm cameraserver proc_ged:file ioctl proc_ged_ioctls;
+
+# Date : WK17.25
+# Operation : Migration
+allow cameraserver debugfs_ion:dir search;
+
+# Date : WK17.49
+# Operation : MT6771 SQC
+# Purpose: Allow permgr access
+allow cameraserver proc_perfmgr:dir r_dir_perms;
+allow cameraserver proc_perfmgr:file r_file_perms;
+allowxperm cameraserver proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_QUEUE
+ PERFMGR_FPSGO_DEQUEUE
+ PERFMGR_FPSGO_QUEUE_CONNECT
+ PERFMGR_FPSGO_BQID
+};
+
+# Date : WK21.25
+# Operation : Migration
+# Purpose : PDA Driver
+allow cameraserver camera_pda_device:chr_file rw_file_perms;
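Review bot: `allow cameraserver system_file:dir r_dir_perms;` under the WK16.21 "EGL file access" block is most likely redundant: if this builds against AOSP's public domain.te, every domain already has r_dir_perms on system_file, so the rule adds nothing and obscures what the EGL access actually needed (probably only the gpu_device rules right below it). cameraserver is a platform (coredomain) process, so every rule in this file lands in vendor policy against platform types; a one-line comment per block naming the denial that motivated it would make future pruning possible. The `debugfs_ion:dir search` rule at WK17.25 has no purpose line at all, and debugfs access is restricted on recent releases, so note what still depends on it or drop it.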
diff --git a/basic/non_plat/ccci_fsd.te b/basic/non_plat/ccci_fsd.te
new file mode 100644
index 0000000..fd41e81
--- /dev/null
+++ b/basic/non_plat/ccci_fsd.te
@@ -0,0 +1,77 @@
+# ==============================================
+# Policy File of /system/bin/ccci_fsd Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type ccci_fsd_exec, exec_type, file_type, vendor_file_type;
+type ccci_fsd, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(ccci_fsd)
+
+wakelock_use(ccci_fsd)
+
+#============= ccci_fsd MD NVRAM==============
+allow ccci_fsd nvram_data_file:dir create_dir_perms;
+allow ccci_fsd nvram_data_file:file create_file_perms;
+allow ccci_fsd nvram_data_file:lnk_file read;
+allow ccci_fsd nvdata_file:lnk_file read;
+allow ccci_fsd nvdata_file:dir create_dir_perms;
+allow ccci_fsd nvdata_file:file create_file_perms;
+allow ccci_fsd nvram_device:chr_file rw_file_perms;
+allow ccci_fsd vendor_configs_file:file r_file_perms;
+allow ccci_fsd vendor_configs_file:dir r_dir_perms;
+
+#============= ccci_fsd device/path/data access==============
+allow ccci_fsd ccci_device:chr_file rw_file_perms;
+allow ccci_fsd ccci_cfg_file:dir create_dir_perms;
+allow ccci_fsd ccci_cfg_file:file create_file_perms;
+#============= ccci_fsd MD Data==============
+allow ccci_fsd protect_f_data_file:dir create_dir_perms;
+allow ccci_fsd protect_f_data_file:file create_file_perms;
+
+allow ccci_fsd protect_s_data_file:dir create_dir_perms;
+allow ccci_fsd protect_s_data_file:file create_file_perms;
+#============= ccci_fsd MD3 related==============
+allow ccci_fsd c2k_file:dir create_dir_perms;
+allow ccci_fsd c2k_file:file create_file_perms;
+allow ccci_fsd otp_part_block_device:blk_file rw_file_perms;
+allow ccci_fsd otp_device:chr_file rw_file_perms;
+allow ccci_fsd sysfs_boot_type:file { read open };
+#============= ccci_fsd MD block data==============
+#restore>NVM_GetDeviceInfo>open /dev/block/by-name/nvram
+allow ccci_fsd block_device:dir search;
+allow ccci_fsd nvram_device:blk_file rw_file_perms;
+allow ccci_fsd nvdata_device:blk_file rw_file_perms;
+allow ccci_fsd nvcfg_file:dir create_dir_perms;
+allow ccci_fsd nvcfg_file:file create_file_perms;
+#============= ccci_fsd cryption related ==============
+allow ccci_fsd rawfs:dir create_dir_perms;
+allow ccci_fsd rawfs:file create_file_perms;
+#============= ccci_fsd sysfs related ==============
+allow ccci_fsd sysfs_ccci:dir search;
+allow ccci_fsd sysfs_ccci:file r_file_perms;
+
+#============= ccci_fsd ==============
+allow ccci_fsd mnt_vendor_file:dir search;
+
+# Purpose: for fstab parser
+allow ccci_fsd kmsg_device:chr_file w_file_perms;
+allow ccci_fsd proc_lk_env:file rw_file_perms;
+
+#============= ccci_fsd MD Low Power Monitor Related ==============
+allow ccci_fsd ccci_data_md1_file:dir create_dir_perms;
+allow ccci_fsd ccci_data_md1_file:file create_file_perms;
+allow ccci_fsd sysfs_devices_block:dir search;
+allow ccci_fsd sysfs_devices_block:file { read getattr open };
+
+#============= ccci_fsd access vendor/etc/md file ==============
+allow ccci_fsd vendor_etc_md_file:dir search;
+allow ccci_fsd vendor_etc_md_file:file r_file_perms;
+
+#============= ccci_fsd access data/vendor_de/md file ==============
+allow ccci_fsd data_vendor_de_md_file:dir create_dir_perms;
+allow ccci_fsd data_vendor_de_md_file:file create_file_perms;
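Review bot: `allow ccci_fsd proc_lk_env:file rw_file_perms;` is justified only by `# Purpose: for fstab parser`, which is a read use; parsing needs r_file_perms, and write access to the bootloader environment is a much larger grant than the comment supports. The otp_part_block_device and otp_device rw grants in the "MD3 related" block carry no comment either, and raw writes to an OTP-backed partition are irreversible, so the write half deserves an explicit justification or should be reduced to r_file_perms. Minor: `sysfs_boot_type:file { read open }` here versus `r_file_perms` for the same node in ccci_mdinit.te; pick one form.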
diff --git a/basic/non_plat/ccci_mdinit.te b/basic/non_plat/ccci_mdinit.te
new file mode 100644
index 0000000..de9af63
--- /dev/null
+++ b/basic/non_plat/ccci_mdinit.te
@@ -0,0 +1,168 @@
+# ==============================================
+# Policy File of /vendor/bin/ccci_mdinit Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type ccci_mdinit, domain;
+type ccci_mdinit_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(ccci_mdinit)
+wakelock_use(ccci_mdinit)
+
+#=============allow ccci_mdinit to start c2krild==============
+set_prop(ccci_mdinit, vendor_mtk_ctl_viarild_prop)
+
+#=============allow ccci_mdinit to start/stop rild, mdlogger==============
+set_prop(ccci_mdinit, system_mtk_ctl_mdlogger_prop)
+set_prop(ccci_mdinit, system_mtk_ctl_emdlogger1_prop)
+set_prop(ccci_mdinit, system_mtk_ctl_emdlogger2_prop)
+set_prop(ccci_mdinit, system_mtk_ctl_emdlogger3_prop)
+set_prop(ccci_mdinit, vendor_mtk_ctl_gsm0710muxd_prop)
+set_prop(ccci_mdinit, vendor_mtk_ctl_ril-daemon-mtk_prop)
+set_prop(ccci_mdinit, vendor_mtk_ctl_fusion_ril_mtk_prop)
+set_prop(ccci_mdinit, vendor_mtk_ctl_ril-proxy_prop)
+set_prop(ccci_mdinit, vendor_mtk_ril_active_md_prop)
+set_prop(ccci_mdinit, vendor_mtk_md_prop)
+set_prop(ccci_mdinit, vendor_mtk_net_cdma_mdmstat_prop)
+set_prop(ccci_mdinit, ctl_start_prop)
+get_prop(ccci_mdinit, vendor_mtk_tel_switch_prop)
+
+#=============allow ccci_mdinit to start/stop fsd==============
+set_prop(ccci_mdinit, vendor_mtk_ctl_ccci_fsd_prop)
+set_prop(ccci_mdinit, vendor_mtk_ctl_ccci2_fsd_prop)
+set_prop(ccci_mdinit, vendor_mtk_ctl_ccci3_fsd_prop)
+
+get_prop(ccci_mdinit, system_mtk_init_svc_emdlogger1_prop)
+
+allow ccci_mdinit ccci_device:chr_file rw_file_perms;
+allow ccci_mdinit ccci_monitor_device:chr_file rw_file_perms;
+
+allow ccci_mdinit ccci_ccb_device:chr_file rw_file_perms;
+#=============allow ccci_mdinit to access MD NVRAM==============
+
+allow ccci_mdinit nvram_data_file:file create_file_perms;
+allow ccci_mdinit nvram_data_file:lnk_file r_file_perms;
+allow ccci_mdinit nvdata_file:lnk_file r_file_perms;
+allow ccci_mdinit nvdata_file:file create_file_perms;
+allow ccci_mdinit nvram_device:chr_file rw_file_perms;
+read_fstab(ccci_mdinit)
+get_prop(ccci_mdinit, vendor_mtk_rat_config_prop)
+
+#=============allow ccci_mdinit to access ccci config==============
+allow ccci_mdinit protect_f_data_file:file create_file_perms;
+
+#=============allow ccci_mdinit to property==============
+allow ccci_mdinit protect_s_data_file:file create_file_perms;
+allow ccci_mdinit nvram_device:blk_file rw_file_perms;
+allow ccci_mdinit nvdata_device:blk_file rw_file_perms;
+
+set_prop(ccci_mdinit, vendor_mtk_ril_mux_report_case_prop)
+
+allow ccci_mdinit ccci_cfg_file:dir create_dir_perms;
+allow ccci_mdinit ccci_cfg_file:file create_file_perms;
+
+#===============security relate ==========================
+allow ccci_mdinit preloader_device:chr_file rw_file_perms;
+allow ccci_mdinit misc_sd_device:chr_file r_file_perms;
+allow ccci_mdinit sec_ro_device:chr_file r_file_perms;
+
+allow ccci_mdinit custom_file:dir r_dir_perms;
+allow ccci_mdinit custom_file:file r_file_perms;
+
+# Purpose : for nand partition access
+allow ccci_mdinit mtd_device:dir search;
+allow ccci_mdinit mtd_device:chr_file rw_file_perms;
+allow ccci_mdinit devmap_device:chr_file r_file_perms;
+
+# Purpose : for device bring up, not to block early migration/sanity
+allow ccci_mdinit proc_lk_env:file rw_file_perms;
+allow ccci_mdinit para_block_device:blk_file rw_file_perms;
+
+#============= ccci_mdinit sysfs related ==============
+allow ccci_mdinit sysfs_ccci:dir search;
+allow ccci_mdinit sysfs_ccci:file rw_file_perms;
+allow ccci_mdinit sysfs_ssw:dir search;
+allow ccci_mdinit sysfs_ssw:file r_file_perms;
+allow ccci_mdinit sysfs_boot_info:file r_file_perms;
+
+# Purpose : Allow ccci_mdinit to open and read/write /proc/bootprof
+allow ccci_mdinit proc_bootprof:file rw_file_perms;
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
+allow ccci_mdinit mnt_vendor_file:dir search;
+
+# Purpose : Allow ccci_mdinit call sysenv_get and sysenv_set
+allow ccci_mdinit block_device:dir search;
+allow ccci_mdinit proc_cmdline:file r_file_perms;
+allow ccci_mdinit sysfs_dt_firmware_android:dir search;
+
+# ==============================================
+# Policy File of /vendor/bin/ccci_fs Executable File
+
+#============= ccci_fsd MD NVRAM==============
+allow ccci_mdinit nvram_data_file:dir create_dir_perms;
+allow ccci_mdinit nvdata_file:dir create_dir_perms;
+
+#============= ccci_fsd MD Data==============
+allow ccci_mdinit protect_f_data_file:dir create_dir_perms;
+allow ccci_mdinit protect_s_data_file:dir create_dir_perms;
+
+#============= ccci_fsd MD3 related==============
+allow ccci_mdinit c2k_file:dir create_dir_perms;
+allow ccci_mdinit c2k_file:file create_file_perms;
+allow ccci_mdinit otp_part_block_device:blk_file rw_file_perms;
+allow ccci_mdinit otp_device:chr_file rw_file_perms;
+allow ccci_mdinit sysfs_boot_type:file r_file_perms;
+
+#============= ccci_fsd MD block data==============
+#restore>NVM_GetDeviceInfo>open /dev/block/by-name/nvram
+allow ccci_mdinit nvcfg_file:dir create_dir_perms;
+allow ccci_mdinit nvcfg_file:file create_file_perms;
+
+#============= ccci_fsd cryption related ==============
+allow ccci_mdinit rawfs:dir create_dir_perms;
+allow ccci_mdinit rawfs:file create_file_perms;
+
+# Purpose: for fstab parser
+allow ccci_mdinit kmsg_device:chr_file w_file_perms;
+
+#============= ccci_fsd MD Low Power Monitor Related ==============
+allow ccci_mdinit ccci_data_md1_file:dir create_dir_perms;
+allow ccci_mdinit ccci_data_md1_file:file create_file_perms;
+allow ccci_mdinit sysfs_devices_block:dir search;
+allow ccci_mdinit sysfs_devices_block:file r_file_perms;
+
+#============= ccci_fsd access vendor/etc/md file ==============
+allow ccci_mdinit vendor_etc_md_file:dir search;
+allow ccci_mdinit vendor_etc_md_file:file r_file_perms;
+
+#============= ccci_fsd access data/vendor_de/md file ==============
+allow ccci_mdinit data_vendor_de_md_file:dir create_dir_perms;
+allow ccci_mdinit data_vendor_de_md_file:file create_file_perms;
+
+allow ccci_mdinit unlabeled:dir rw_dir_perms;
+allow ccci_mdinit unlabeled:file rw_file_perms;
+
+# Date : 2021-04-12
+# Purpose: allow ccci_mdinit to access ccci_dump
+allow ccci_mdinit proc_ccci_dump:file w_file_perms;
+
+# Allow ReadDefaultFstab().
+read_fstab(ccci_mdinit)
+
+allow ccci_mdinit mcf_ota_block_device:dir search;
+
+# Date : 2021-07-30
+# Purpose : change sepolicy for MCF3.0
+allow ccci_mdinit sysfs_dt_firmware_android:file r_file_perms;
+allow ccci_mdinit proc_version:file r_file_perms;
+allow ccci_mdinit mcf_ota_file:dir { getattr search };
+allow ccci_mdinit mcf_ota_file:file rw_file_perms;
+
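Review bot: `allow ccci_mdinit unlabeled:dir rw_dir_perms;` and the matching file rule near the end grant read/write on anything that carries no label, which almost always signals a missing file_contexts entry rather than a genuine requirement; label the paths ccci_mdinit touches and drop these two rules. `read_fstab(ccci_mdinit)` appears twice (once in the NVRAM block, once under `# Allow ReadDefaultFstab().`), and the `# Policy File of /vendor/bin/ccci_fs Executable File` header in the middle of the file looks pasted in from ccci_fsd.te. `set_prop(ccci_mdinit, ctl_start_prop)` is also broader than the dedicated vendor_mtk_ctl_* properties above it, since it lets the daemon start any service without a dedicated ctl property type; confirm it is still needed.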
diff --git a/basic/non_plat/ccci_rpcd.te b/basic/non_plat/ccci_rpcd.te
new file mode 100644
index 0000000..b64e847
--- /dev/null
+++ b/basic/non_plat/ccci_rpcd.te
@@ -0,0 +1 @@
+type ccci_rpcd, domain;
diff --git a/basic/non_plat/chipinfo.te b/basic/non_plat/chipinfo.te
new file mode 100644
index 0000000..c62fd84
--- /dev/null
+++ b/basic/non_plat/chipinfo.te
@@ -0,0 +1,11 @@
+type chipinfo, domain;
+type chipinfo_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(chipinfo)
+
+allow chipinfo vendor_toolbox_exec:file rx_file_perms;
+allow chipinfo sysfs_device_tree_model:file r_file_perms;
+allow chipinfo sysfs_soc:file r_file_perms;
+allow chipinfo sysfs_soc:dir search;
+
+set_prop(chipinfo, vendor_mtk_soc_prop)
diff --git a/basic/non_plat/cmddumper.te b/basic/non_plat/cmddumper.te
new file mode 100644
index 0000000..aeb5e54
--- /dev/null
+++ b/basic/non_plat/cmddumper.te
@@ -0,0 +1,29 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+#cmddumper access external modem ttySDIO2
+allow cmddumper ttySDIO_device:chr_file rw_file_perms;
+
+# for modem logging sdcard access
+allow cmddumper sdcard_type:dir create_dir_perms;
+allow cmddumper sdcard_type:file create_file_perms;
+
+# cmddumper access on /data/mdlog
+allow cmddumper mdlog_data_file:fifo_file create_file_perms;
+allow cmddumper mdlog_data_file:file create_file_perms;
+allow cmddumper mdlog_data_file:dir { create_dir_perms relabelto };
+
+# purpose: allow cmddumper to access storage in N version
+allow cmddumper media_rw_data_file:file create_file_perms;
+allow cmddumper media_rw_data_file:dir create_dir_perms;
+
+# purpose: access plat_file_contexts
+allow cmddumper file_contexts_file:file r_file_perms;
+
+# purpose: access /sys/devices/virtual/BOOT/BOOT/boot/boot_mode
+allow cmddumper sysfs_boot_mode:file r_file_perms;
+
+# Android P migration
+allow cmddumper tmpfs:lnk_file r_file_perms;
+allow cmddumper vmodem_device:chr_file rw_file_perms;
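Review bot: The sdcard_type and media_rw_data_file create rules give cmddumper write access to all of external storage, while the comments only describe modem logging under /data/mdlog; if the logs go to a fixed directory, a dedicated labelled type is the smaller grant. `allow cmddumper mdlog_data_file:dir { create_dir_perms relabelto };` grants relabelto without a corresponding relabelfrom on the source type, so the restorecon this appears intended for (cmddumper also reads file_contexts_file) will still be denied unless relabelfrom is granted elsewhere. No `type cmddumper, domain;` appears here; presumably it is declared in another .te file, but a header comment like the other files carry would say so.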
diff --git a/basic/non_plat/conninfra_loader.te b/basic/non_plat/conninfra_loader.te
new file mode 100644
index 0000000..f530406
--- /dev/null
+++ b/basic/non_plat/conninfra_loader.te
@@ -0,0 +1,20 @@
+# ==============================================
+# Policy File of /vendor/bin/conninfra_loader Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type conninfra_loader, domain;
+type conninfra_loader_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(conninfra_loader)
+
+# Set the property
+set_prop(conninfra_loader, vendor_mtk_wmt_prop)
+
+# add ioctl/open/read/write permission for conninfra_loader with /dev/conninfra_dev
+allow conninfra_loader conninfra_device:chr_file rw_file_perms;
+
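Review bot: The comment above the conninfra_device rule asks for ioctl/open/read/write, but `rw_file_perms` grants ioctl with no allowxperm filter, so every ioctl command on /dev/conninfra_dev is permitted. Pair the rule with an ioctl allowlist, e.g. `allowxperm conninfra_loader conninfra_device:chr_file ioctl { CONNINFRA_IOCTL_PLACEHOLDER };` filled in with the driver's actual command numbers, as cameraserver.te does for proc_ged. The trailing blank line at end of file is also inconsistent with the other policy files.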
diff --git a/basic/non_plat/crash_dump.te b/basic/non_plat/crash_dump.te
new file mode 100644
index 0000000..5301f87
--- /dev/null
+++ b/basic/non_plat/crash_dump.te
@@ -0,0 +1,58 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.32
+# Operation : AEE UT
+# Purpose : for AEE module
+allow crash_dump expdb_device:chr_file rw_file_perms;
+allow crash_dump expdb_block_device:blk_file rw_file_perms;
+allow crash_dump etb_device:chr_file rw_file_perms;
+
+# open/dev/mtd/mtd12 failed(expdb)
+allow crash_dump mtd_device:dir create_dir_perms;
+allow crash_dump mtd_device:chr_file rw_file_perms;
+
+# NE flow: /dev/RT_Monitor
+allow crash_dump RT_Monitor_device:chr_file r_file_perms;
+
+#data/dumpsys
+allow crash_dump aee_dumpsys_data_file:dir create_dir_perms;
+allow crash_dump aee_dumpsys_data_file:file create_file_perms;
+
+#/data/core
+allow crash_dump aee_core_data_file:dir create_dir_perms;
+allow crash_dump aee_core_data_file:file create_file_perms;
+
+# /data/data_tmpfs_log
+allow crash_dump data_tmpfs_log_file:dir create_dir_perms;
+allow crash_dump data_tmpfs_log_file:file create_file_perms;
+
+# /proc/lk_env
+allow crash_dump proc_lk_env:file rw_file_perms;
+
+# Purpose: Allow crash_dump to read /proc/cpu/alignment
+allow crash_dump proc_cpu_alignment:file w_file_perms;
+
+# Purpose: Allow crash_dump to access /sys/devices/virtual/timed_output/vibrator/enable
+allow crash_dump sysfs_vibrator_setting:dir search;
+allow crash_dump sysfs_vibrator_setting:file w_file_perms;
+allow crash_dump sysfs_vibrator:dir search;
+allow crash_dump sysfs_leds:dir search;
+
+# Purpose: Allow crash_dump to read /proc/kpageflags
+allow crash_dump proc_kpageflags:file r_file_perms;
+
+# Purpose: create /data/aee_exp at runtime
+allow crash_dump file_contexts_file:file r_file_perms;
+
+allow crash_dump proc_ppm:dir r_dir_perms;
+allow crash_dump proc_ppm:file rw_file_perms;
+allow crash_dump selinuxfs:file r_file_perms;
+
+allow crash_dump proc_meminfo:file r_file_perms;
+allow crash_dump procfs_blockio:file r_file_perms;
+
+# Purpose: Allow crash_dump to create/write /sys/kernel/tracing/slog
+allow crash_dump debugfs_tracing_instances:dir create_dir_perms;
+allow crash_dump debugfs_tracing_instances:file create_file_perms;
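Review bot: `allow crash_dump proc_cpu_alignment:file w_file_perms;` is introduced by a comment saying crash_dump should *read* /proc/cpu/alignment; either the comment or the permission is wrong, and writing that node changes kernel alignment-fault handling system-wide. crash_dump is the AOSP debuggerd helper domain reachable from any crashing process, so the write grants here (proc_lk_env rw, proc_ppm rw, expdb_block_device rw) deserve a per-rule justification rather than bare path comments. `allow crash_dump mtd_device:dir create_dir_perms;` is also more than opening a node under /dev/mtd requires; `search` should suffice.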
diff --git a/basic/non_plat/dconfig.te b/basic/non_plat/dconfig.te
new file mode 100644
index 0000000..387b7a4
--- /dev/null
+++ b/basic/non_plat/dconfig.te
@@ -0,0 +1 @@
+type mtk_dconfig, domain;
diff --git a/basic/non_plat/device.te b/basic/non_plat/device.te
new file mode 100644
index 0000000..88447c2
--- /dev/null
+++ b/basic/non_plat/device.te
@@ -0,0 +1,380 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+# Device types
+type devmap_device, dev_type;
+type ttyMT_device, dev_type;
+type ttyS_device, dev_type;
+type ttySDIO_device, dev_type;
+type vmodem_device, dev_type;
+type stpwmt_device, dev_type;
+type conninfra_device, dev_type;
+type conn_pwr_device, dev_type;
+type conn_scp_device, dev_type;
+type wmtdetect_device, dev_type;
+type wmtWifi_device, dev_type;
+type stpbt_device, dev_type;
+type fw_log_bt_device, dev_type;
+type stpant_device, dev_type;
+type fm_device, dev_type, mlstrustedobject;
+type gps_emi_device, dev_type;
+type stpgps_device, dev_type;
+type gps2scp_device, dev_type;
+type gps_pwr_device, dev_type;
+type gpsdl_device, dev_type;
+type connfem_device, dev_type;
+type fw_log_gps_device, dev_type;
+type fw_log_wmt_device, dev_type;
+type fw_log_wifi_device, dev_type;
+type fw_log_ics_device, dev_type;
+type fw_log_wifimcu_device, dev_type;
+type fw_log_btmcu_device, dev_type;
+type pmem_multimedia_device, dev_type;
+type mt6516_isp_device, dev_type;
+type mt6516_IDP_device, dev_type;
+type mt9p012_device, dev_type;
+type mt6516_jpeg_device, dev_type;
+type FM50AF_device, dev_type;
+type DW9714AF_device, dev_type;
+type DW9814AF_device, dev_type;
+type AK7345AF_device, dev_type;
+type DW9714A_device, dev_type;
+type LC898122AF_device, dev_type;
+type LC898212AF_device, dev_type;
+type BU6429AF_device, dev_type;
+type AD5820AF_device, dev_type;
+type DW9718AF_device, dev_type;
+type BU64745GWZAF_device, dev_type;
+type MAINAF_device, dev_type;
+type MAIN2AF_device, dev_type;
+type MAIN3AF_device, dev_type;
+type MAIN4AF_device, dev_type;
+type SUBAF_device, dev_type;
+type SUB2AF_device, dev_type;
+type M4U_device_device, dev_type;
+type Vcodec_device, dev_type;
+type MJC_device, dev_type;
+type smartpa_device, dev_type;
+type smartpa1_device, dev_type;
+type tahiti_device, dev_type;
+type uio0_device, dev_type;
+type xt_qtaguid_device, dev_type;
+type rfkill_device, dev_type;
+type sw_sync_device, dev_type, mlstrustedobject;
+type sec_device, dev_type;
+type hid_keyboard_device, dev_type;
+type btn_device, dev_type;
+type uinput_device, dev_type;
+type TV_out_device, dev_type;
+type gz_device, dev_type;
+type camera_sysram_device, dev_type;
+type camera_mem_device, dev_type;
+type camera_isp_device, dev_type;
+type camera_dip_device, dev_type;
+type camera_dpe_device, dev_type;
+type camera_tsf_device, dev_type;
+type camera_fdvt_device, dev_type;
+type camera_rsc_device, dev_type;
+type camera_gepf_device, dev_type;
+type camera_wpe_device, dev_type;
+type camera_owe_device, dev_type;
+type camera_mfb_device, dev_type;
+type camera_pda_device, dev_type;
+type camera_pipemgr_device, dev_type;
+type mtk_hcp_device, dev_type;
+type mtk_ccd_device, dev_type;
+type mtk_v4l2_media_device, dev_type;
+type ccu_device, dev_type;
+type gpueb_device, dev_type;
+type vcp_device, dev_type;
+type mvpu_algo_device, dev_type;
+type vpu_device, dev_type, mlstrustedobject;
+type mdla_device, dev_type, mlstrustedobject;
+type apusys_device, dev_type;
+type mtk_jpeg_device, dev_type;
+type kd_camera_hw_device, dev_type;
+type seninf_device, dev_type;
+type kd_camera_flashlight_device, dev_type;
+type flashlight_device, dev_type;
+type kd_camera_hw_bus2_device, dev_type;
+type MATV_device, dev_type;
+type mt_otg_test_device, dev_type;
+type mt_mdp_device, dev_type;
+type mtkg2d_device, dev_type;
+type misc_sd_device, dev_type;
+type mtk_sched_device, dev_type;
+type ampc0_device, dev_type;
+type mmp_device, dev_type;
+type ttyGS_device, dev_type;
+type CAM_CAL_DRV_device, dev_type;
+type CAM_CAL_DRV1_device, dev_type;
+type CAM_CAL_DRV2_device, dev_type;
+type camera_eeprom_device, dev_type;
+type seninf_n3d_device, dev_type;
+type MTK_SMI_device, dev_type;
+type mtk_cmdq_device, dev_type;
+type mtk_mdp_device, dev_type;
+type mtk_mdp_sync_device, dev_type;
+type mtk_fmt_sync_device, dev_type;
+type mtk_fmt_device, dev_type;
+type mtk_rrc_device, dev_type;
+type ebc_device, dev_type;
+type vow_device, dev_type;
+type MT6516_H264_DEC_device, dev_type;
+type MT6516_Int_SRAM_device, dev_type;
+type MT6516_MM_QUEUE_device, dev_type;
+type MT6516_MP4_DEC_device, dev_type;
+type MT6516_MP4_ENC_device, dev_type;
+type sensor_device, dev_type;
+type ccci_device, dev_type;
+type ccci_monitor_device, dev_type;
+type gsm0710muxd_device, dev_type;
+type eemcs_device, dev_type;
+type emd_device, dev_type;
+type st21nfc_device, dev_type;
+type st54spi_device, dev_type;
+type mmcblk_device, dev_type;
+type BOOT_device, dev_type;
+type MT_pmic_device, dev_type;
+type aal_als_device, dev_type;
+type accdet_device, dev_type;
+type android_device, dev_type;
+type bmtpool_device, dev_type;
+type bootimg_device, dev_type;
+type btif_device, dev_type;
+type cache_device, dev_type;
+type cpu_dma_latency_device, dev_type;
+type dummy_cam_cal_device, dev_type;
+type ebr_device, dev_type;
+type expdb_device, dev_type;
+type fat_device, dev_type;
+type logo_device, dev_type;
+type loop-control_device, dev_type;
+type mbr_device, dev_type;
+type met_device, dev_type;
+type misc_device, dev_type;
+type misc2_device, dev_type;
+type mtfreqhopping_device, dev_type;
+type mtgpio_device, dev_type;
+type mtk_kpd_device, dev_type;
+type network_device, dev_type;
+type nvram_device, dev_type;
+type pmt_device, dev_type;
+type preloader_device, dev_type;
+type pro_info_device, dev_type;
+type protect_f_device, dev_type;
+type protect_s_device, dev_type;
+type psaux_device, dev_type;
+type ptyp_device, dev_type;
+type recovery_device, dev_type;
+type sec_ro_device, dev_type;
+type seccfg_device, dev_type;
+type tee_part_device, dev_type;
+type snapshot_device, dev_type;
+type tgt_device, dev_type;
+type touch_device, dev_type;
+type tpd_em_log_device, dev_type;
+type ttyp_device, dev_type;
+type uboot_device, dev_type;
+type uibc_device, dev_type;
+type usrdata_device, dev_type;
+type zram0_device, dev_type;
+type hwzram0_device, dev_type;
+type RT_Monitor_device, dev_type;
+type kick_powerkey_device, dev_type;
+type agps_device, dev_type;
+type mnld_device, dev_type;
+type geo_device, dev_type;
+type mdlog_device, dev_type;
+type md32_device, dev_type;
+type scp_device, dev_type;
+type adsp_device, dev_type;
+type audio_scp_device, dev_type;
+type sspm_device, dev_type;
+type etb_device, dev_type;
+type MT_pmic_adc_cali_device, dev_type;
+type mtk-adc-cali_device, dev_type;
+type MT_pmic_cali_device,dev_type;
+type otp_device, dev_type;
+type otp_part_block_device, dev_type;
+type qemu_pipe_device, dev_type;
+type icusb_device, dev_type;
+type nlop_device, dev_type;
+type irtx_device, dev_type;
+type pmic_ftm_device, dev_type;
+type charger_ftm_device, dev_type;
+type shf_device, dev_type;
+type keyblock_device, dev_type;
+type offloadservice_device, dev_type;
+type ttyACM_device, dev_type;
+type hrm_device, dev_type;
+type lens_device, dev_type;
+type nvdata_device, dev_type;
+type mcf_ota_block_device,dev_type;
+type nvcfg_device, dev_type;
+type expdb_block_device, dev_type;
+type misc2_block_device, dev_type;
+type logo_block_device, dev_type;
+type para_block_device, dev_type;
+type tee_block_device, dev_type;
+type seccfg_block_device, dev_type;
+type secro_block_device, dev_type;
+type preloader_block_device, dev_type;
+type lk_block_device, dev_type;
+type protect1_block_device, dev_type;
+type protect2_block_device, dev_type;
+type keystore_block_device, dev_type;
+type oemkeystore_block_device, dev_type;
+type sec1_block_device, dev_type;
+type md1img_block_device, dev_type;
+type md1dsp_block_device, dev_type;
+type md1arm7_block_device, dev_type;
+type md3img_block_device, dev_type;
+type mmcblk1_block_device, dev_type;
+type mmcblk1p1_block_device, dev_type;
+type bootdevice_block_device, dev_type;
+type odm_block_device, dev_type;
+type oem_block_device, dev_type;
+type vendor_block_device, dev_type;
+type dtbo_block_device, dev_type;
+type loader_ext_block_device, dev_type;
+type spm_device, dev_type;
+type persist_block_device, dev_type;
+type md_block_device, dev_type;
+type spmfw_block_device, dev_type;
+type mcupmfw_block_device, dev_type;
+type scp_block_device, dev_type;
+type sspm_block_device, dev_type;
+type dsp_block_device, dev_type;
+type ppl_block_device, dev_type;
+type nvcfg_block_device, dev_type;
+type ancservice_device, dev_type;
+type mbim_device, dev_type;
+type audio_ipi_device, dev_type;
+type cam_vpu_block_device,dev_type;
+type boot_para_block_device,dev_type;
+type mtk_dfrc_device, dev_type;
+type vbmeta_block_device, dev_type;
+type alarm_device, dev_type;
+type mdp_device, dev_type;
+type mrdump_device, dev_type;
+type kb_block_device,dev_type;
+type dkb_block_device,dev_type;
+type mtk_radio_device, dev_type;
+type dpm_block_device, dev_type;
+type audio_dsp_block_device, dev_type;
+type gz_block_device, dev_type;
+type pi_img_device, dev_type;
+type vpud_device, dev_type;
+type vcu_device, dev_type;
+type mml_pq_device, dev_type;
+
+##########################
+# Sensor common Devices Start
+#
+type hwmsensor_device, dev_type;
+type msensor_device, dev_type;
+type gsensor_device, dev_type;
+type als_ps_device, dev_type;
+type gyroscope_device, dev_type;
+type barometer_device,dev_type;
+type humidity_device,dev_type;
+type biometric_device,dev_type;
+type sensorlist_device,dev_type;
+type hf_manager_device,dev_type;
+
+##########################
+# Sensor Devices Start
+#
+type m_batch_misc_device, dev_type;
+
+##########################
+# Sensor bio Devices Start
+#
+type m_als_misc_device, dev_type;
+type m_ps_misc_device, dev_type;
+type m_baro_misc_device, dev_type;
+type m_hmdy_misc_device, dev_type;
+type m_acc_misc_device, dev_type;
+type m_mag_misc_device, dev_type;
+type m_gyro_misc_device, dev_type;
+type m_act_misc_device, dev_type;
+type m_pedo_misc_device, dev_type;
+type m_situ_misc_device, dev_type;
+type m_step_c_misc_device, dev_type;
+type m_fusion_misc_device, dev_type;
+type m_bio_misc_device, dev_type;
+
+# Date : 2016/07/11
+# Operation : Migration
+# Purpose : Add permission for gpu access
+type dri_device, dev_type, mlstrustedobject;
+
+# Date : 2021/07/09
+# Operation : S Migration
+# Purpose : Add permission for ABOTA
+type postinstall_block_device, dev_type;
+
+# Date : 2021/08/27
+# Operation : S Migration
+# Purpose : Add permission for wifi proxy
+type ccci_wifi_proxy_device, dev_type;
+
+# Date : 2016/06/01
+# Operation: TEEI integration
+# Purpose: access for fp device and client device of TEEI
+type teei_fp_device, dev_type;
+type teei_client_device, dev_type, mlstrustedobject;
+type teei_config_device, dev_type;
+type utr_tui_device, dev_type;
+type teei_vfs_device, dev_type;
+type teei_rpmb_device, dev_type;
+type ut_keymaster_device, dev_type;
+
+# Date : 2019/07/19
+# Operation : Add newwork optimization feature
+# Purpose : Add permission for nwk
+type nwkopt_device, dev_type;
+type tx_device, dev_type;
+
+# Date : 2019/11/07
+# Operation : Add thp feature
+# Purpose : Add permission for thp
+type gdix_mt_wrapper_device, dev_type, fs_type;
+type gdix_thp_device, dev_type, fs_type;
+
+type mddp_device, dev_type;
+
+type tkcore_admin_device, dev_type, mlstrustedobject;
+type tkcore_block_device, dev_type;
+
+# mobicore device type
+type mobicore_admin_device, dev_type;
+type mobicore_user_device, dev_type, mlstrustedobject;
+type mobicore_tui_device, dev_type;
+
+# teeperf device type
+type teeperf_device, dev_type, mlstrustedobject;
+
+type rpmb_block_device, dev_type;
+type rpmb_device, dev_type;
+
+type fingerprint_device, dev_type;
+
+# widevine device type
+type widevine_drv_device, dev_type;
+
+# Date:2021/08/05
+# Purpose: permission for audioserver to use ccci node
+type ccci_aud_device, dev_type;
+
+# Date:2021/07/27
+# Purpose: permission for CCB user
+type ccci_ccb_device, dev_type;
+# Purpose: permission for md_monitor
+type ccci_mdmonitor_device, dev_type;
+
+# Date: 2021/09/26
+# Operator: S migration
+# Purpose: Add permission for vilte
+type ccci_vts_device, dev_type;
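Review bot: `type gdix_mt_wrapper_device, dev_type, fs_type;` and the gdix_thp_device line below it attach `fs_type` to device-node types; fs_type is the attribute for filesystem types, so these nodes will match every fs_type rule and neverallow in the tree. If this was needed to satisfy a specific rule, comment which one; otherwise drop fs_type. Several mlstrustedobject additions (fm_device, sw_sync_device, teei_client_device, mobicore_user_device, teeperf_device, tkcore_admin_device) also lack a reason; mlstrustedobject bypasses MLS constraints, so each should say which lower-trust access requires it.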
diff --git a/basic/non_plat/dmc_core.te b/basic/non_plat/dmc_core.te
new file mode 100644
index 0000000..7522042
--- /dev/null
+++ b/basic/non_plat/dmc_core.te
@@ -0,0 +1 @@
+type dmc_core, domain;
diff --git a/basic/non_plat/domain.te b/basic/non_plat/domain.te
new file mode 100644
index 0000000..277ca64
--- /dev/null
+++ b/basic/non_plat/domain.te
@@ -0,0 +1,23 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Grant read access to mtk core property type which represents all
+# mtk properties except those with ctl_xxx prefix.
+# Align Google change: f01453ad453b29dd723838984ea03978167491e5
+get_prop(domain, mtk_core_property_type)
+
+# Allow all processes to read /sys/bus/platform/drivers/dev_info/dev_info
+# as it is a public interface for all processes to read some OTP data.
+allow {
+ domain
+ -isolated_app
+} sysfs_devinfo:file r_file_perms;
+
+# Date : W18.45
+# Operation : MTK gpu enable drvb
+# Purpose : drvb need dgb2 permission
+allow {
+ domain
+ -isolated_app
+} sysfs_gpu:file r_file_perms;
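Review bot: Both `allow { domain -isolated_app } ...:file r_file_perms;` blocks grant read access to every process on the device, excluding only isolated_app; the comment says sysfs_devinfo exposes OTP data, which is typically device-identifying, so that exclusion list is thin. Consider also excluding untrusted app domains (e.g. `-untrusted_app_all -ephemeral_app`) unless apps genuinely need the node, and the same for sysfs_gpu, whose justification (`drvb need dgb2 permission`) names a single consumer rather than all domains. `get_prop(domain, mtk_core_property_type)` likewise makes every MTK non-ctl property world-readable; confirm nothing sensitive is placed under that attribute.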
diff --git a/basic/non_plat/drmserver.te b/basic/non_plat/drmserver.te
new file mode 100644
index 0000000..e7c76b3
--- /dev/null
+++ b/basic/non_plat/drmserver.te
@@ -0,0 +1,10 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow drmserver proc_ged:file rw_file_perms;
+
+# get prop to judge use 64-bit or not
+get_prop(drmserver, vendor_mtk_prefer64_prop)
\ No newline at end of file
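Review bot: The file ends without a trailing newline (`\ No newline at end of file`), unlike the other policy files; add one so later appends produce clean diffs. `allow drmserver proc_ged:file rw_file_perms;` also grants ioctl with no allowxperm list, whereas cameraserver.te pairs the same proc_ged rule with `allowxperm cameraserver proc_ged:file ioctl proc_ged_ioctls;`; mirror that here.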
diff --git a/basic/non_plat/dumpstate.te b/basic/non_plat/dumpstate.te
new file mode 100644
index 0000000..1fff2b0
--- /dev/null
+++ b/basic/non_plat/dumpstate.te
@@ -0,0 +1,122 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Purpose: data/dumpsys/*
+allow dumpstate aee_dumpsys_data_file:dir w_dir_perms;
+allow dumpstate aee_dumpsys_data_file:file create_file_perms;
+
+# Purpose: debugfs files
+allow dumpstate procfs_blockio:file r_file_perms;
+
+# Purpose: /sys/kernel/ccci/md_chn
+allow dumpstate sysfs_ccci:dir search;
+allow dumpstate sysfs_ccci:file r_file_perms;
+
+# Purpose: leds status
+allow dumpstate sysfs_leds:lnk_file r_file_perms;
+
+# Purpose: /sys/module/lowmemorykiller/parameters/adj
+allow dumpstate sysfs_lowmemorykiller:file r_file_perms;
+allow dumpstate sysfs_lowmemorykiller:dir search;
+
+# Purpose: /dev/block/mmcblk0p10
+allow dumpstate expdb_block_device:blk_file rw_file_perms;
+
+#/data/anr/SF_RTT
+allow dumpstate sf_rtt_file:dir { search getattr };
+
+allow dumpstate sysfs_leds:dir r_dir_perms;
+
+# Data : WK17.03
+# Purpose: Allow to access gpu
+allow dumpstate gpu_device:dir search;
+
+# Purpose: Allow dumpstate to read /proc/ufs_debug
+allow dumpstate proc_ufs_debug:file rw_file_perms;
+
+# Purpose: Allow dumpstate to read /proc/msdc_debug
+allow dumpstate proc_msdc_debug:file r_file_perms;
+
+# Purpose: Allow dumpstate to r/w /proc/pidmap
+allow dumpstate proc_pidmap:file rw_file_perms;
+
+# Purpose: Allow dumpstate to read /sys/power/vcorefs/vcore_debug
+allow dumpstate sysfs_vcore_debug:file r_file_perms;
+
+# Purpose: Allow dumpstate to read /data/anr/SF_RTT/rtt_dump.txt
+allow dumpstate sf_rtt_file:file r_file_perms;
+
+#Purpose: Allow dumpstate to read/write /sys/mtk_memcfg/slabtrace
+allow dumpstate proc_slabtrace:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/mtk_cmdq_debug/status
+allow dumpstate proc_cmdq_debug:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/cpuhvfs/dbg_repo
+allow dumpstate proc_dbg_repo:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/isp_p2/isp_p2_dump
+allow dumpstate proc_isp_p2_dump:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/isp_p2/isp_p2_kedump
+allow dumpstate proc_isp_p2_kedump:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/mali/memory_usage
+allow dumpstate proc_memory_usage:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/mtk_es_reg_dump
+allow dumpstate proc_mtk_es_reg_dump:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /sys/power/mtkpasr/execstate
+allow dumpstate sysfs_execstate:file r_file_perms;
+
+allow dumpstate proc_isp_p2:dir r_dir_perms;
+allow dumpstate proc_isp_p2:file r_file_perms;
+
+# Data : WK16.42
+# Operator: Whitney bring up
+# Purpose: call surfaceflinger due to powervr
+allow dumpstate surfaceflinger:fifo_file rw_file_perms;
+
+# Date : W19.26
+# Operation : Migration
+# Purpose : fix google dumpstate avc error in xTS
+allow dumpstate debugfs_mmc:dir search;
+allow dumpstate mnt_media_rw_file:dir getattr;
+
+# Date: 19/07/15
+# Purpose: fix google dumpstate avc error in xTs
+allow dumpstate sysfs_devices_block:file r_file_perms;
+allow dumpstate proc_last_kmsg:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /sys/class/misc/adsp/adsp_last_log
+allow dumpstate sysfs_adsp:file r_file_perms;
+
+# MTEE Trusty
+allow dumpstate mtee_trusty_file:file rw_file_perms;
+
+# 09-05 15:58:31.552000 9693 9693 W df : type=1400 audit(0.0:990):
+# avc: denied { search } for name="expand" dev="tmpfs" ino=10779 scontext=u:r:dumpstate:s0
+# tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0
+allow dumpstate mnt_expand_file:dir { search getattr };
+
+#Purpose: Allow dumpstate to read /dev/usb-ffs
+allow dumpstate functionfs:file getattr;
+
+#Purpose: Allow dumpstate to read /sys/bus/platform/drivers/cache_parity/cache_status
+allow dumpstate sysfs_cache_status:file r_file_perms;
+
+hal_client_domain(dumpstate, hal_light)
+
+#Purpose: Allow dumpstate to read /sys/kernel/tracing/instances/mmstat/trace
+allow dumpstate debugfs_tracing_instances:dir r_dir_perms;
+allow dumpstate debugfs_tracing_instances:file r_file_perms;
+
+allow dumpstate proc_ion:dir r_dir_perms;
+allow dumpstate proc_ion:file r_file_perms;
+allow dumpstate proc_m4u_dbg:dir r_dir_perms;
+allow dumpstate proc_m4u_dbg:file r_file_perms;
+allow dumpstate proc_mtkfb:file r_file_perms;
+
+allow dumpstate proc_ccci_dump:file r_file_perms;
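Review bot: The comment `# Purpose: Allow dumpstate to read /proc/ufs_debug` is contradicted by the rule under it, `allow dumpstate proc_ufs_debug:file rw_file_perms;`, which also grants write; for a bug-report collector, `r_file_perms` matches the stated intent and is the tighter grant unless a write is actually required. The mismatch runs the other way at `/sys/mtk_memcfg/slabtrace`, where the comment says read/write but the rule grants read only, and the path is under /sys while the type is named `proc_slabtrace`. Separately, `allow dumpstate expdb_block_device:blk_file rw_file_perms;` gives dumpstate write access to a raw block device with a comment naming only a partition node; either a sentence on why write is needed or a downgrade to `r_file_perms` would help. The two `# Data :` headers are typos for `# Date :`.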
diff --git a/basic/non_plat/e2fs.te b/basic/non_plat/e2fs.te
new file mode 100644
index 0000000..a69759f
--- /dev/null
+++ b/basic/non_plat/e2fs.te
@@ -0,0 +1,34 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK17.32
+# Operation : Migration
+# Purpose : create ext4 images for protect1/protect2/persist/nvdata/nvcfg block devices.
+allow e2fs protect1_block_device:blk_file rw_file_perms;
+allow e2fs protect2_block_device:blk_file rw_file_perms;
+allow e2fs persist_block_device:blk_file rw_file_perms;
+allow e2fs nvdata_device:blk_file rw_file_perms;
+allow e2fs nvcfg_block_device:blk_file rw_file_perms;
+
+allow e2fs devpts:chr_file rw_file_perms;
+
+# Date : WK18.23
+# Operation: P migration
+# Purpose : Allow mke2fs to format userdata and cache partition
+allow e2fs cache_block_device:blk_file rw_file_perms;
+allow e2fs userdata_block_device:blk_file rw_file_perms;
+
+# Date : WK19.23
+# Operation: Q migration
+# Purpose : Allow format /metadata for UDC
+allow e2fs metadata_block_device:blk_file rw_file_perms;
+
+# Date : WK19.34
+# Operation: Q migration
+# Purpose : Allow mke2fs to use ioctl/ioctlcmd
+allowxperm e2fs protect1_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
+allowxperm e2fs protect2_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
+allowxperm e2fs nvdata_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
+allowxperm e2fs nvcfg_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
+allowxperm e2fs persist_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
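Review bot: The `allowxperm` ioctl allow-list at the end of the hunk covers protect1/protect2/nvdata/nvcfg/persist but not `cache_block_device`, `userdata_block_device` or `metadata_block_device`, even though the earlier `rw_file_perms` rules for those three include the `ioctl` permission. Because extended-permission checks only apply where an xperm rule exists for the source/target/class triple, e2fs keeps unrestricted ioctl on the three unlisted block devices, which is inconsistent with the restriction on the others and looks unintended. Adding a matching line for each, such as `allowxperm e2fs userdata_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };`, would make the policy uniform.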
diff --git a/basic/non_plat/eara_io.te b/basic/non_plat/eara_io.te
new file mode 100644
index 0000000..68d1422
--- /dev/null
+++ b/basic/non_plat/eara_io.te
@@ -0,0 +1,31 @@
+# ==============================================================================
+# Type Declaration
+# ==============================================================================
+type eara_io, domain;
+type eara_io_exec, vendor_file_type, exec_type, file_type;
+# ==============================================================================
+# Common SEPolicy Rules
+# ==============================================================================
+init_daemon_domain(eara_io)
+
+allow eara_io eara_io_data_file:dir rw_dir_perms;
+allow eara_io eara_io_data_file:fifo_file create_file_perms;
+allow eara_io eara_io_data_file:file create_file_perms;
+allow eara_io proc_earaio:file r_file_perms;
+allow eara_io proc_earaio:dir r_dir_perms;
+allow eara_io proc_perfmgr:file r_file_perms;
+allow eara_io proc_perfmgr:dir r_dir_perms;
+allow eara_io proc_version:file r_file_perms;
+allow eara_io self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow eara_io self:perf_event { open kernel };
+allow eara_io sysfs_boot_mode:file r_file_perms;
+hal_client_domain(eara_io, hal_power)
+allowxperm eara_io proc_earaio:file ioctl {
+ PERFMGR_EARA_GETINDEX
+ PERFMGR_EARA_COLLECT
+};
+allowxperm eara_io proc_perfmgr:file ioctl {
+ PERFMGR_EARA_GETINDEX
+ PERFMGR_EARA_COLLECT
+};
+set_prop(eara_io, vendor_mtk_eara_io_prop)
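Review bot: `allow eara_io self:perf_event { open kernel };` grants the `kernel` perf_event permission, which (as far as I read the class) allows perf events that include kernel-level samples rather than only the daemon's own user-space activity, a larger surface than the neighbouring rules suggest and one that deserves a justifying comment such as `# perf_event kernel: needed to sample <what> — TODO confirm`. The two identical `allowxperm ... ioctl { PERFMGR_EARA_GETINDEX PERFMGR_EARA_COLLECT }` blocks for proc_earaio and proc_perfmgr can be collapsed into `allowxperm eara_io { proc_earaio proc_perfmgr }:file ioctl { PERFMGR_EARA_GETINDEX PERFMGR_EARA_COLLECT };`. Unlike the other policy files in this commit, none of the rules here carry a Purpose comment.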
diff --git a/basic/non_plat/em_hidl.te b/basic/non_plat/em_hidl.te
new file mode 100644
index 0000000..ced4962
--- /dev/null
+++ b/basic/non_plat/em_hidl.te
@@ -0,0 +1,138 @@
+# ==============================================
+# Policy File of /vendor/bin/em_hidl Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type em_hidl, domain;
+type em_hidl_exec, exec_type, file_type, vendor_file_type;
+
+# Date : 2018/06/28
+init_daemon_domain(em_hidl)
+
+# Date : 2018/06/28
+# Purpose: EM_HILD
+hal_server_domain(em_hidl, hal_mtk_em)
+
+# Date : 2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should set ims operator
+set_prop(em_hidl, vendor_mtk_operator_id_prop)
+
+# Date : 2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should set vendor_mtk_simswitch_emmode_prop
+set_prop(em_hidl, vendor_mtk_simswitch_emmode_prop)
+
+# Date : 2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should set vendor_mtk_dsbp_support_prop
+set_prop(em_hidl, vendor_mtk_dsbp_support_prop)
+
+# Date : 2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should set vendor_mtk_imstestmode_prop
+set_prop(em_hidl, vendor_mtk_imstestmode_prop)
+
+# Date : 2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should set vendor_mtk_smsformat_prop
+set_prop(em_hidl, vendor_mtk_smsformat_prop)
+
+# Date : 2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should set vendor_mtk_gprs_prefer_prop
+set_prop(em_hidl, vendor_mtk_gprs_prefer_prop)
+
+# Date : 2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should set vendor_mtk_testsim_cardtype_prop
+set_prop(em_hidl, vendor_mtk_testsim_cardtype_prop)
+
+# Date : 2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should set vendor_mtk_ct_ir_engmode_prop
+set_prop(em_hidl, vendor_mtk_ct_ir_engmode_prop)
+
+# Date : 2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should vendor_mtk_disable_c2k_cap_prop
+set_prop(em_hidl, vendor_mtk_disable_c2k_cap_prop)
+
+# Date : 2018/06/29
+# Operation : EM DEBUG
+# Purpose: EM should vendor_mtk_debug_md_reset_prop
+set_prop(em_hidl, vendor_mtk_debug_md_reset_prop)
+
+# Date : 2018/06/29
+# Operation : EM DEBUG
+# Purpose: EM should video log vendor_mtk_omx_log_prop
+set_prop(em_hidl, vendor_mtk_omx_log_prop)
+
+# Date : 2018/06/29
+# Operation : EM DEBUG
+# Purpose: EM should video log vendor_mtk_vdec_log_prop
+set_prop(em_hidl, vendor_mtk_vdec_log_prop)
+
+# Date : 2018/06/29
+# Operation : EM DEBUG
+# Purpose: EM should video log vendor_mtk_vdectlc_log_prop
+set_prop(em_hidl, vendor_mtk_vdectlc_log_prop)
+
+# Date : 2018/06/29
+# Operation : EM DEBUG
+# Purpose: EM should video log vendor_mtk_venc_h264_showlog_prop
+set_prop(em_hidl, vendor_mtk_venc_h264_showlog_prop)
+
+# Date : 2018/06/29
+# Operation : EM DEBUG
+# Purpose: EM should video log vendor_mtk_modem_warning_prop
+set_prop(em_hidl, vendor_mtk_modem_warning_prop)
+
+# Date : 2018/07/06
+# Operation : EM DEBUG
+# Purpose: EM allow usb vendor_mtk_em_usb_prop
+set_prop(em_hidl, vendor_mtk_em_usb_prop)
+
+# Date : 2018/07/06
+# Operation : EM DEBUG
+# Purpose: for setting usb otg enable property
+set_prop(em_hidl, vendor_mtk_usb_otg_switch_prop)
+
+# Data : 2018/07/06
+# Purpose : EM MCF read nvdata dir and file
+allow em_hidl nvcfg_file:dir ra_dir_perms;
+allow em_hidl nvcfg_file:file r_file_perms;
+
+# Data : 2018/07/06
+# Purpose : EM MCF search vendor dir
+allow em_hidl mnt_vendor_file:dir search;
+
+# Data : 2018/08/10
+# Purpose : EM BT usage
+allow em_hidl stpbt_device:chr_file rw_file_perms;
+allow em_hidl sysfs_boot_mode:file r_file_perms;
+allow em_hidl ttyGS_device:chr_file rw_file_perms;
+set_prop(em_hidl, vendor_mtk_usb_prop)
+allow em_hidl nvdata_file:file r_file_perms;
+allow em_hidl nvdata_file:dir search;
+
+# Date : 2018/08/28
+# Operation : EM DEBUG
+# Purpose: for em set hidl configure
+set_prop(em_hidl, vendor_mtk_em_hidl_prop)
+
+# Date : 2019/08/22
+# Operation : EM AAL
+# Purpose: for em set aal property
+set_prop(em_hidl, vendor_mtk_pq_prop)
+
+# Date : 2019/09/10
+# Operation : EM wcn coredump
+# Purpose: for em set wcn coredump property
+set_prop(em_hidl, vendor_mtk_coredump_prop)
+
+# Date : 2021/04/15
+# Operation : mdota read
+# Purpose: read mdota files
+allow em_hidl mcf_ota_file:dir r_dir_perms;
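Review bot: Most of the `set_prop` rules in this file are labelled `# Operation : EM DEBUG` yet they sit in `basic/non_plat`, i.e. the policy that presumably ships on every build rather than a debug-only set; `set_prop(em_hidl, vendor_mtk_debug_md_reset_prop)` in particular lets a production HAL server write what its name suggests is a modem-reset debug control. If a debug-gated policy directory exists in this tree, moving the EM DEBUG block there, or a comment explaining why engineering-mode controls must be available in user builds, would document the decision. Also, the headers `# Data : 2018/07/06` and `# Data : 2018/08/10` should read `# Date :`, and `# Purpose: EM should vendor_mtk_disable_c2k_cap_prop` / `# Purpose: EM should vendor_mtk_debug_md_reset_prop` are missing the verb `set`.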
diff --git a/basic/non_plat/em_svr.te b/basic/non_plat/em_svr.te
new file mode 100644
index 0000000..5a2a4dc
--- /dev/null
+++ b/basic/non_plat/em_svr.te
@@ -0,0 +1,12 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: WK1812
+# Purpose: add for MD log filter
+allow em_svr md_block_device:blk_file r_file_perms;
+
+# Date: WK1812
+# Purpose: add for SIB capture
+allow em_svr para_block_device:blk_file rw_file_perms;
+allow em_svr proc_lk_env:file rw_file_perms;
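Review bot: `allow em_svr para_block_device:blk_file rw_file_perms;` and `allow em_svr proc_lk_env:file rw_file_perms;` give em_svr write access to the raw parameter partition and to the bootloader-environment node with only `# Purpose: add for SIB capture` as justification; a write grant on boot-parameter storage deserves a sentence on what is written and why a read-only grant is not enough. If capture only reads, `r_file_perms` on both would match the md_block_device rule above. Note also that `rw_file_perms` carries the `ioctl` permission and, unlike the e2fs policy in this same commit, no `allowxperm` allow-list restricts which ioctls em_svr may issue on para_block_device.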
diff --git a/basic/non_plat/emcamera_app.te b/basic/non_plat/emcamera_app.te
new file mode 100644
index 0000000..feb8b9f
--- /dev/null
+++ b/basic/non_plat/emcamera_app.te
@@ -0,0 +1 @@
+type emcamera_app, domain;
diff --git a/basic/non_plat/ephemeral_app.te b/basic/non_plat/ephemeral_app.te
new file mode 100644
index 0000000..b84b387
--- /dev/null
+++ b/basic/non_plat/ephemeral_app.te
@@ -0,0 +1,12 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2020/06/08
+# Purpose: Allow ephemeral app to access mtk jpeg
+allow ephemeral_app proc_mtk_jpeg:file rw_file_perms;
+allowxperm ephemeral_app proc_mtk_jpeg:file ioctl {
+ JPG_BRIDGE_DEC_IO_LOCK
+ JPG_BRIDGE_DEC_IO_WAIT
+ JPG_BRIDGE_DEC_IO_UNLOCK
+};
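Review bot: `allow ephemeral_app proc_mtk_jpeg:file rw_file_perms;` exposes a vendor kernel driver node to instant apps, the least-trusted app domain, so the driver's ioctl handlers become reachable from unreviewed third-party code; the `allowxperm` allow-list limiting ioctls to the three JPG_BRIDGE_DEC_IO_* commands is the right mitigation and must stay in lock-step with any future widening of the `allow` rule. The `proc_mtk_jpeg` type is declared `mlstrustedobject` in file.te in this same commit, which is what lets an MLS-constrained app domain reach it; a comment here stating that the node is intended for untrusted callers and that input validation is the driver's responsibility would help future reviewers.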
diff --git a/basic/non_plat/factory.te b/basic/non_plat/factory.te
new file mode 100644
index 0000000..9f28f91
--- /dev/null
+++ b/basic/non_plat/factory.te
@@ -0,0 +1,521 @@
+# ==============================================
+# Policy File of /vendor/bin/factory Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type factory, domain;
+type factory_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(factory)
+
+allow factory MTK_SMI_device:chr_file r_file_perms;
+allow factory ashmem_device:chr_file x_file_perms;
+allow factory ebc_device:chr_file rw_file_perms;
+allow factory stpbt_device:chr_file rw_file_perms;
+
+# Date: WK14.47
+# Operation : Migration
+# Purpose : CCCI
+allow factory eemcs_device:chr_file rw_file_perms;
+allow factory ccci_device:chr_file rw_file_perms;
+allow factory gsm0710muxd_device:chr_file rw_file_perms;
+
+# Purpose: file system requirement
+allow factory devpts:chr_file rw_file_perms;
+allow factory vfat:dir { w_dir_perms mounton };
+allow factory vfat:filesystem { mount unmount };
+allow factory labeledfs:filesystem unmount;
+allow factory rootfs:dir mounton;
+
+# Purpose : SDIO
+allow factory ttySDIO_device:chr_file rw_file_perms;
+
+# Purpose: USB
+allow factory ttyMT_device:chr_file rw_file_perms;
+allow factory ttyS_device:chr_file rw_file_perms;
+allow factory ttyGS_device:chr_file rw_file_perms;
+
+# Purpose: OTG
+allow factory usb_device:chr_file rw_file_perms;
+allow factory usb_device:dir r_dir_perms;
+allow factory sysfs_usb_nonplat:file r_file_perms;
+allow factory sysfs_usb_nonplat:dir r_dir_perms;
+
+# Date: WK15.01
+# Purpose : OTG Mount
+allow factory sdcard_type:dir { mounton create_dir_perms };
+
+# Date: WK15.07
+# Purpose : use c2k flight mode;
+allow factory vmodem_device:chr_file rw_file_perms;
+
+# Date: WK15.13
+# Purpose: for nand project
+allow factory mtd_device:dir search;
+allow factory mtd_device:chr_file rw_file_perms;
+allow factory self:capability {
+ chown
+ fsetid
+ ipc_lock
+ net_admin
+ net_raw
+ sys_time
+ sys_admin
+ sys_boot
+ sys_module
+ sys_nice
+ sys_resource
+ };
+allow factory pro_info_device:chr_file rw_file_perms;
+
+# Data: WK15.28
+# Purpose: for mt-ramdump reset
+allow factory proc_mrdump_rst:file w_file_perms;
+
+# Date: WK15.31
+# Purpose: define factory_data_file instead of system_data_file
+# because system_data_file is sensitive partition from M
+wakelock_use(factory);
+allow factory storage_file:dir { create_dir_perms mounton };
+
+# Date: WK15.44
+# Purpose: factory idle current status
+set_prop(factory, vendor_mtk_factory_idle_state_prop)
+
+# Date: WK15.46
+# Purpose: gps factory mode
+allow factory agpsd_data_file:dir search;
+allow factory gps_data_file:dir { w_dir_perms unlink};
+allow factory gps_data_file:file create_file_perms;
+allow factory gps_data_file:lnk_file r_file_perms;
+allow factory storage_file:lnk_file r_file_perms;
+allow factory mnld:unix_dgram_socket sendto;
+
+# Date: WK15.48
+# Purpose: capture for factory mode
+allow factory devmap_device:chr_file r_file_perms;
+allow factory sdcard_type:file create_file_perms;
+allow factory mnt_user_file:dir search;
+allow factory mnt_user_file:lnk_file r_file_perms;
+
+# Date: WK16.05
+# Purpose: For access NVRAM
+allow factory nvram_data_file:dir create_dir_perms;
+allow factory nvram_data_file:file create_file_perms;
+allow factory nvram_data_file:lnk_file r_file_perms;
+allow factory nvdata_file:lnk_file r_file_perms;
+allow factory nvram_device:chr_file rw_file_perms;
+allow factory nvram_device:blk_file rw_file_perms;
+allow factory nvdata_device:blk_file rw_file_perms;
+
+# Date: WK16.12
+# Purpose: For sensor test
+allow factory hf_manager_device:chr_file rw_file_perms;
+allow factory als_ps_device:chr_file r_file_perms;
+allow factory barometer_device:chr_file r_file_perms;
+allow factory gsensor_device:chr_file r_file_perms;
+allow factory gyroscope_device:chr_file r_file_perms;
+allow factory msensor_device:chr_file r_file_perms;
+allow factory biometric_device:chr_file r_file_perms;
+
+# Purpose: For camera Test
+allow factory kd_camera_flashlight_device:chr_file rw_file_perms;
+allow factory kd_camera_hw_device:chr_file rw_file_perms;
+allow factory seninf_device:chr_file rw_file_perms;
+allow factory CAM_CAL_DRV_device:chr_file rw_file_perms;
+allow factory camera_eeprom_device:chr_file rw_file_perms;
+allow factory ion_device:chr_file rw_file_perms;
+
+# Purpose: For reboot the target
+set_prop(factory, powerctl_prop)
+
+# Purpose: For memory card test
+allow factory misc_sd_device:chr_file r_file_perms;
+allow factory mmcblk1_block_device:blk_file rw_file_perms;
+allow factory bootdevice_block_device:blk_file rw_file_perms;
+allow factory mmcblk1p1_block_device:blk_file rw_file_perms;
+allow factory block_device:dir search;
+allowxperm factory mmcblk1_block_device:blk_file ioctl BLKGETSIZE;
+allowxperm factory bootdevice_block_device:blk_file ioctl BLKGETSIZE;
+
+# Purpose: For EMMC test
+allow factory nvdata_file:dir create_dir_perms;
+allow factory nvdata_file:file create_file_perms;
+
+# Purpose: For HRM test
+allow factory hrm_device:chr_file r_file_perms;
+
+# Purpose: For IrTx LED test
+allow factory irtx_device:chr_file rw_file_perms;
+
+# Purpose: For battery test, ext_buck test and ext_vbat_boost test
+allow factory pmic_ftm_device:chr_file rw_file_perms;
+allow factory MT_pmic_adc_cali_device:chr_file rw_file_perms;
+allow factory MT_pmic_cali_device:chr_file r_file_perms;
+allow factory charger_ftm_device:chr_file r_file_perms;
+
+# Purpose: For HDMI test
+allow factory graphics_device:dir w_dir_perms;
+allow factory graphics_device:chr_file rw_file_perms;
+
+# Purpose: For WIFI test
+allow factory wmtWifi_device:chr_file rw_file_perms;
+
+# Purpose: For rtc test
+allow factory rtc_device:chr_file rw_file_perms;
+
+# Purpose: For gps test
+allow factory mnld_device:chr_file rw_file_perms;
+allow factory stpgps_device:chr_file rw_file_perms;
+allow factory mnld_exec:file rx_file_perms;
+
+# Purpose: For keypad test
+allow factory mtk_kpd_device:chr_file r_file_perms;
+
+# Purpose: For Humidity test
+allow factory humidity_device:chr_file r_file_perms;
+
+# Purpose: For camera test
+allow factory camera_isp_device:chr_file rw_file_perms;
+allow factory camera_dip_device:chr_file rw_file_perms;
+allow factory camera_pipemgr_device:chr_file r_file_perms;
+allow factory camera_sysram_device:chr_file r_file_perms;
+allow factory ccu_device:chr_file rw_file_perms;
+allow factory vpu_device:chr_file rw_file_perms;
+allow factory mdla_device:chr_file rw_file_perms;
+allow factory apusys_device:chr_file rw_file_perms;
+allow factory sysfs_apusys_queue:dir r_dir_perms;
+allow factory sysfs_apusys_queue:file r_file_perms;
+allow factory MAINAF_device:chr_file rw_file_perms;
+allow factory MAIN2AF_device:chr_file rw_file_perms;
+allow factory MAIN3AF_device:chr_file rw_file_perms;
+allow factory MAIN4AF_device:chr_file rw_file_perms;
+allow factory SUBAF_device:chr_file rw_file_perms;
+allow factory SUB2AF_device:chr_file rw_file_perms;
+allow factory FM50AF_device:chr_file rw_file_perms;
+allow factory AD5820AF_device:chr_file rw_file_perms;
+allow factory DW9714AF_device:chr_file rw_file_perms;
+allow factory DW9714A_device:chr_file rw_file_perms;
+allow factory LC898122AF_device:chr_file rw_file_perms;
+allow factory LC898212AF_device:chr_file rw_file_perms;
+allow factory BU6429AF_device:chr_file rw_file_perms;
+allow factory DW9718AF_device:chr_file rw_file_perms;
+allow factory BU64745GWZAF_device:chr_file rw_file_perms;
+allow factory cct_data_file:dir create_dir_perms;
+allow factory cct_data_file:file create_file_perms;
+allow factory camera_tsf_device:chr_file rw_file_perms;
+allow factory camera_rsc_device:chr_file rw_file_perms;
+allow factory camera_gepf_device:chr_file rw_file_perms;
+allow factory camera_fdvt_device:chr_file rw_file_perms;
+allow factory camera_wpe_device:chr_file rw_file_perms;
+allow factory camera_owe_device:chr_file rw_file_perms;
+allow factory camera_mfb_device:chr_file rw_file_perms;
+allow factory camera_pda_device:chr_file rw_file_perms;
+hal_client_domain(factory, hal_power)
+get_prop(factory, vendor_mtk_mediatek_prop)
+
+# Date: 2021/12/10
+# Operation : allow camera test to read dla network file
+allow factory vendor_etc_nn_file:dir r_dir_perms;
+allow factory vendor_etc_nn_file:file r_file_perms;
+allowxperm factory vendor_etc_nn_file:file ioctl VT_SENDSIG;
+
+# Date: 2020/07/20
+# Operation : For M4U security
+allow factory proc_m4u:file r_file_perms;
+allowxperm factory proc_m4u:file ioctl {
+ MTK_M4U_T_SEC_INIT
+ MTK_M4U_T_CONFIG_PORT
+};
+
+# Purpose: For FM test and headset test
+allow factory accdet_device:chr_file r_file_perms;
+allow factory fm_device:chr_file rw_file_perms;
+
+# Purpose: For audio test
+allow factory audio_device:chr_file rw_file_perms;
+allow factory audio_device:dir w_dir_perms;
+set_prop(factory, vendor_mtk_audiohal_prop)
+allow factory audio_ipi_device:chr_file rw_file_perms;
+allow factory audio_scp_device:chr_file r_file_perms;
+
+# Purpose: For key and touch event
+allow factory input_device:chr_file r_file_perms;
+allow factory input_device:dir rw_dir_perms;
+
+# Date: WK16.17
+# Purpose: N Migration For ccci sysfs node
+# Allow read to sys/kernel/ccci/* files
+allow factory sysfs_ccci:dir search;
+allow factory sysfs_ccci:file r_file_perms;
+
+# Date: WK16.18
+# Purpose: N Migration For boot_mode
+# Allow to read boot mode
+# avc: denied { read } for name="boot_mode" dev="sysfs" ino=117
+# scontext=u:r:factory:s0 tcontext=u:object_r:sysfs:s0
+# tclass=file permissive=0
+allow factory sysfs_boot_mode:file r_file_perms;
+allow factory sysfs_boot_type:file r_file_perms;
+
+# Date: WK16.31
+# Purpose: For gps test
+set_prop(factory, vendor_mtk_mnld_prop)
+
+# Date: WK16.33
+# Purpose: for unmount sdcardfs and stop services which are using data partition
+allow factory sdcard_type:filesystem unmount;
+set_prop(factory, ctl_default_prop)
+
+# Date : WK16.35
+# Operation : Migration
+# Purpose : Update camera flashlight driver device file
+allow factory flashlight_device:chr_file rw_file_perms;
+
+# Date: WK15.25
+# Purpose: for unmount sdcardfs and stop services which are using data partition
+set_prop(factory, system_mtk_ctl_emdlogger1_prop)
+
+# Date: WK17.07
+# Purpose: Clear bootdevice (eMMC/UFS) may need to unmount tmpfs
+allow factory tmpfs:filesystem unmount;
+allow factory sysfs:dir r_dir_perms;
+allow factory sysfs_leds:lnk_file r_file_perms;
+allow factory sysfs_leds:file rw_file_perms;
+allow factory sysfs_leds:dir r_dir_perms;
+allow factory sysfs_power:file rw_file_perms;
+allow factory sysfs_power:dir r_dir_perms;
+allow factory self:capability2 block_suspend;
+allow factory sysfs_vibrator:file rw_file_perms;
+allow factory debugfs_ion:dir search;
+allow factory selinuxfs:file r_file_perms;
+allow factory sysfs_devices_block:dir r_dir_perms;
+allow factory vendor_mtk_factory_start_prop:file read;
+allow factory vendor_mtk_factory_start_prop:file open;
+allow factory vendor_mtk_factory_start_prop:file getattr;
+allow factory vendor_mtk_factory_start_prop:file map;
+
+# Date: WK17.27
+# Purpose: STMicro NFC solution integration
+allow factory st21nfc_device:chr_file rw_file_perms;
+hal_client_domain(factory, hal_nfc)
+
+# Date : WK17.32
+# Operation : O Migration
+# Purpose: Allow to access cmdq driver
+allow factory mtk_cmdq_device:chr_file r_file_perms;
+allow factory mtk_mdp_device:chr_file r_file_perms;
+allow factory mtk_mdp_sync_device:chr_file r_file_perms;
+allow factory sw_sync_device:chr_file r_file_perms;
+
+# Date: WK1733
+# Purpose: add selinux policy to stop 'ccci_fsd' for clear emmc in factory mode
+set_prop(factory, vendor_mtk_ctl_ccci_fsd_prop)
+
+# Date : WK17.38
+# Operation : O Migration
+# Purpose: Allow to access sysfs
+allow factory sysfs_therm:dir search;
+allow factory sysfs_therm:file rw_file_perms;
+
+# Date: W18.22
+# Purpose: P Migration for factory get com port type and uart port info
+# detail avc log: [ 11.751803] <1>.(1)[227:logd.auditd]type=1400 audit(1262304016.560:10):
+# avc: denied { read } for pid=203 comm="factory" name="meta_com_type_info" dev=
+# "sysfs" ino=11073 scontext=u:r:factory:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
+allow factory sysfs_comport_type:file rw_file_perms;
+allow factory sysfs_uart_info:file rw_file_perms;
+
+# from private
+allow factory kernel:system module_request;
+allow factory node:tcp_socket node_bind;
+allow factory userdata_block_device:blk_file rw_file_perms;
+allow factory port:tcp_socket { name_bind name_connect };
+allow factory self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow factory proc_net:file r_file_perms;
+allowxperm factory self:udp_socket ioctl { priv_sock_ioctls SIOCGIFFLAGS SIOCGIWNWID};
+
+allow factory self:process execmem;
+allow factory self:tcp_socket create_stream_socket_perms;
+allow factory self:udp_socket create_socket_perms;
+
+allow factory sysfs_wake_lock:file rw_file_perms;
+
+# For Light HIDL permission
+hal_client_domain(factory, hal_light)
+allow factory mtk_hal_light:binder call;
+allow factory merged_hal_service:binder call;
+
+# For vibrator test permission
+allow factory sysfs_vibrator:dir search;
+
+# For Audio device permission
+allow factory proc_asound:dir r_dir_perms;
+allow factory proc_asound:file rw_file_perms;
+
+# For Accdet data permission
+allow factory sysfs_headset:file r_file_perms;
+
+# For touch auto test
+allow factory sysfs_tpd_setting:dir search;
+allow factory sysfs_tpd_setting:file r_file_perms;
+
+# For fingerprinto test
+allow factory sysfs_gf_spi_tee:dir search;
+allow factory sysfs_gf_spi_tee:file r_file_perms;
+
+# Date : WK18.23
+# Operation: P migration
+# Purpose : Allow factory to unmount partition, stop service, and then erase partition
+allow factory vendor_shell_exec:file rx_file_perms;
+allow factory vendor_toolbox_exec:file x_file_perms;
+allow factory proc_cmdline:file r_file_perms;
+allow factory sysfs_dt_firmware_android:file r_file_perms;
+allow factory sysfs_dt_firmware_android:dir r_dir_perms;
+
+# For power_supply and switch permission
+r_dir_file(factory, sysfs_batteryinfo)
+r_dir_file(factory, sysfs_switch)
+
+# Date : WK18.31
+# Operation: P migration
+# Purpose : Refine policy
+allow factory sysfs_devices_block:dir search;
+allow factory sysfs_devices_block:file r_file_perms;
+
+# Date : WK18.37
+# Operation: P migration
+# Purpose : ADSP SmartPA calibration
+allow factory vendor_file:file x_file_perms;
+allow factory mtk_audiohal_data_file:dir create_dir_perms;
+allow factory mtk_audiohal_data_file:file create_file_perms;
+
+# Date : WK18.37
+# Operation: P migration
+# Purpose : Allow factory to open /proc/version
+allow factory proc_version:file r_file_perms;
+
+# Purpose : adsp
+allow factory adsp_device:chr_file rw_file_perms;
+
+# Purpose : NFC
+allow factory vendor_nfc_socket_file:dir w_dir_perms;
+
+# Allow to get AOSP property persist.radio.multisim.config
+get_prop(factory, radio_control_prop)
+
+# Date : WK19.38
+# Operation : Q Migration
+# Purpose: Allow clear eMMC
+set_prop(factory, system_mtk_ctl_mdlogger_prop)
+
+# Date : WK19.41
+# Operation : Q Migration
+# Purpose: allow system_server to access rt5509 param and calib node
+allow factory sysfs_rt_param:file rw_file_perms;
+allow factory sysfs_rt_calib:file rw_file_perms;
+allow factory sysfs_rt_param:dir r_dir_perms;
+allow factory sysfs_rt_calib:dir r_dir_perms;
+
+# Date : WK20.13
+# Operation: R migration
+# Contains lib to visit file permission
+allow factory ashmem_libcutils_device:chr_file x_file_perms;
+
+# Date : WK20.13
+# Operation: R migration
+# Purpose : Add permission for new device node.
+allow factory sysfs_boot_info:file r_file_perms;
+allow factory proc_bootprof:file getattr;
+allow factory sysfs_meta_info:file r_file_perms;
+
+# Date : WK20.17
+# Operation: R migration
+# Purpose : Add permission for acess vendor_de.
+allow factory factory_vendor_file:file create_file_perms;
+allow factory factory_vendor_file:dir w_dir_perms;
+
+# Date : WK20.20
+# Operation: R migration
+# Purpose : Add permission for health HAL and vbus
+hal_client_domain(factory, hal_health)
+allow factory sysfs_vbus:file r_file_perms;
+allow factory sysfs_chg2_present:file r_file_perms;
+
+# Date : WK20.31
+# Operation: R migration
+# Purpose : Add permission for /proc/bus/input/devices
+allow factory proc_bus_input:file r_file_perms;
+
+# Date : WK20.33
+# Operation: R migration
+# Purpose : Add permission for access aux_adc
+allow factory sys_mt6577_auxadc:dir r_dir_perms;
+allow factory sys_mt6577_auxadc:file r_file_perms;
+
+# Date : WK21.14
+# Operation: Layer decoupling 2.0
+# Purpose: ro.vendor.factory.GB2312
+set_prop(factory, vendor_mtk_factory_prop)
+
+# Date : WK21.18
+# Operation: GKI
+# Purpose : Factory access drm permission
+allow factory gpu_device:dir search;
+allow factory dri_device:chr_file rw_file_perms;
+
+# Date : WK21.19
+# Operation: GKI
+# Purpose : Add permission for access camera_mem
+allow factory camera_mem_device:chr_file rw_file_perms;
+
+# Allow ReadDefaultFstab().
+read_fstab(factory)
+allow factory proc_bootconfig:file r_file_perms;
+
+# Date : WK21.22
+# Operation: GKI 2.0
+# Purpose : Add permission for access dmabuf
+allow factory dmabuf_system_heap_device:chr_file rw_file_perms;
+
+# Date: 2021/05/26
+# Purpose : add permission for access extdev_io (rtk device)
+allow factory sysfs_extdev:dir r_dir_perms;
+allow factory sysfs_extdev:file rw_file_perms;
+
+# Date: 2021/06/23
+# Purpose : add permission for access camera dev
+hal_client_domain(factory, hal_camera)
+
+# Date : 2021/06/30
+# Operation: New IMGSYS Driver
+# Purpose : Add permission for imgsys daemon driver
+allow factory mtk_hcp_device:chr_file rw_file_perms;
+
+# Date: 2021/07/02
+# Purpose : add permission for charger configuration
+allow factory sysfs_chg_cfg:file r_file_perms;
+
+# Date: 2021/07/30
+# Operation : To access V4L2 devices (media, video and sub devices)
+allow factory mtk_v4l2_media_device:dir r_dir_perms;
+allow factory mtk_v4l2_media_device:chr_file rw_file_perms;
+allow factory video_device:dir r_dir_perms;
+allow factory video_device:chr_file rw_file_perms;
+
+# Date: 2021/07/30
+# Purpose : Add permission for access /dev directory
+allow factory device:dir r_dir_perms;
+
+# Date: 2021/07/30
+# Operation : To access camera control daemon driver
+allow factory mtk_ccd_device:chr_file rw_file_perms;
+# Date: 2021/08/27
+# Operation : add permission for storage
+allow factory sysfs_block:dir search;
+
+
+# Date: 2022/01/24
+allow factory mnt_vendor_file:dir search;
+allow factory mnt_vendor_file:file r_file_perms;
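Review bot: The `allow factory self:capability { ... }` block grants `sys_admin`, `sys_module`, `sys_boot`, `net_admin` and `sys_time` together, and further down the domain also receives `allow factory self:process execmem;`, `set_prop(factory, ctl_default_prop)` and `allow factory kernel:system module_request;`, all in `basic/non_plat`, which presumably ships in production images; each of these merits its own Purpose line, and it is worth confirming that the factory binary can only be started in factory boot mode. The four rules `allow factory vendor_mtk_factory_start_prop:file read;` / `open` / `getattr` / `map` are a hand-rolled subset of what `get_prop(factory, vendor_mtk_factory_start_prop)` grants, and the macro is what the rest of this file uses for property reads. The comment `# Purpose: allow system_server to access rt5509 param and calib node` names the wrong domain (the rules below it are for factory), `# For fingerprinto test` and `# Data: WK15.28` are typos, and `allowxperm factory vendor_etc_nn_file:file ioctl VT_SENDSIG;` grants a virtual-terminal ioctl on a regular file type, which looks like a copy-paste and should be checked.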
diff --git a/basic/non_plat/fastbootd.te b/basic/non_plat/fastbootd.te
new file mode 100644
index 0000000..194c28d
--- /dev/null
+++ b/basic/non_plat/fastbootd.te
@@ -0,0 +1,20 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+# fastbootd (used in recovery init.rc for /sbin/fastbootd)
+
+allow fastbootd {
+ bootdevice_block_device
+ para_block_device
+ }:blk_file rw_file_perms;
+
+allow fastbootd sysfs_boot_type:file rw_file_perms;
+
+allow fastbootd self:process setfscreate;
+allow fastbootd self:capability sys_rawio;
+
+allowxperm fastbootd bootdevice_block_device:blk_file ioctl {
+ BLKSECDISCARD
+ BLKDISCARD
+ MMC_IOCTLCMD
+};
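Review bot: The grants in this hunk together give fastbootd unrestricted raw access to the whole boot storage device — `rw_file_perms` on `bootdevice_block_device`, `self:capability sys_rawio`, and `MMC_IOCTLCMD` on top of the two discard ioctls — and nothing in the policy ties that to bootloader lock state, so the only thing between a process that reaches this domain and rewriting any partition is fastbootd's own unlock check. That is presumably intended for a recovery-only daemon, but the file should say so; I would add above the first `allow`: `# Raw whole-device access (sys_rawio + MMC_IOC_CMD) is gated only by fastbootd's own lock-state check; keep this domain recovery-only.` The `para_block_device` entry and the `sysfs_boot_type:file rw_file_perms` grant carry no justification either; if fastbootd only reads them, narrow both to `r_file_perms`. The header comment's `/sbin/fastbootd` path looks like it comes from an older layout — confirm it matches where the binary actually lives on this branch.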
diff --git a/basic/non_plat/file.te b/basic/non_plat/file.te
new file mode 100644
index 0000000..b7220ad
--- /dev/null
+++ b/basic/non_plat/file.te
@@ -0,0 +1,660 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+##########################
+# Filesystem types
+#
+##########################
+# Proc Filesystem types
+#
+type proc_secmem, fs_type, proc_type;
+type proc_thermal, fs_type, proc_type;
+type proc_mtkcooler, fs_type, proc_type;
+type proc_mtktz, fs_type, proc_type;
+type proc_mtd, fs_type, proc_type;
+type proc_slogger, fs_type, proc_type;
+type proc_lk_env, fs_type, proc_type;
+type proc_ged, fs_type, proc_type;
+type proc_mtk_jpeg, fs_type, proc_type, mlstrustedobject;
+type proc_perfmgr, fs_type, proc_type;
+type proc_wmtdbg, fs_type, proc_type;
+type proc_zraminfo, fs_type, proc_type;
+type proc_cpu_alignment, fs_type, proc_type;
+type proc_gpulog, fs_type, proc_type;
+type proc_gpufreqv2, fs_type, proc_type;
+type proc_sched_debug, fs_type, proc_type;
+type proc_chip, fs_type, proc_type;
+type proc_atf_log, fs_type, proc_type;
+type proc_gz_log, fs_type, proc_type;
+type proc_last_kmsg, fs_type, proc_type;
+type proc_bootprof, fs_type, proc_type;
+type proc_mtprintk, fs_type, proc_type;
+type proc_pl_lk, fs_type, proc_type;
+type proc_msdc_debug, fs_type, proc_type;
+type proc_ufs_debug, fs_type, proc_type;
+type proc_pidmap, fs_type, proc_type;
+type proc_slabtrace, fs_type, proc_type;
+type proc_cmdq_debug, fs_type, proc_type;
+type proc_isp_p2, fs_type, proc_type;
+type proc_dbg_repo, fs_type, proc_type;
+type proc_isp_p2_dump, fs_type, proc_type;
+type proc_isp_p2_kedump, fs_type, proc_type;
+type proc_memory_usage, fs_type, proc_type;
+type proc_gpu_memory, fs_type, proc_type;
+type proc_mtk_es_reg_dump, fs_type, proc_type;
+type proc_ccci_dump, fs_type, proc_type;
+type proc_log_much, fs_type, proc_type;
+
+#For icusb
+type proc_icusb, fs_type, proc_type;
+
+# for mt-ramdump reset
+type proc_mrdump_rst, fs_type, proc_type;
+
+# blockio procfs file
+type proc_earaio, fs_type, proc_type;
+type procfs_blockio, fs_type, proc_type;
+
+# memtrack procfs file
+type procfs_gpu_img, fs_type, proc_type;
+
+# Date : WK19.27
+# Purpose: Android Migration for SVP
+type proc_m4u, fs_type, proc_type;
+
+# Date : 2019/09/05
+# Purpose: Allow powerhal to control kernel resources
+type proc_ppm, fs_type, proc_type;
+type proc_cpufreq, fs_type, proc_type;
+type proc_hps, fs_type, proc_type;
+type proc_cm_mgr, fs_type, proc_type;
+type proc_fliperfs, fs_type, proc_type;
+
+# Date : 2019/11/14
+# Purpose: Allow powerhal to control MCDI
+type proc_cpuidle, fs_type, proc_type;
+
+# Date : 2019/10/11
+# Purpose : allow system_server to access /proc/wlan/status for Q Migration
+type proc_wlan_status, fs_type, proc_type;
+
+# Date : 2019/12/10
+# Purpose: Allow bt process or tool to control bt_dbg
+type proc_btdbg, fs_type, proc_type;
+
+type proc_wmt_aee, fs_type, proc_type;
+
+# Date : 2020/01/16
+# Purpose: Allow mtk_hal_neuralnetworks to read chip id and segment code
+type proc_devinfo, fs_type, proc_type;
+
+# Date : 2020/06/12
+# Operation: R migration
+# Purpose: Allow powerhal to control displowpower
+type proc_displowpower, fs_type, proc_type;
+
+# Date : 2020/06/29
+# Operation: R migration
+# Purpose: Add permission for access /proc/ion/*
+type proc_ion, fs_type, proc_type;
+
+# Date : 2020/07/01
+# Operation: R migration
+# Purpose: Add permission for access /proc/m4u_dbg/*
+type proc_m4u_dbg, fs_type, proc_type;
+
+# Date : WK20.31
+# Operation: R migration
+# Purpose : Add permission for /proc/bus/input/devices
+type proc_bus_input, fs_type, proc_type;
+
+# Date : 2020/08/05
+# Purpose: Add permission for /proc/driver/wmt_user_proc
+type proc_wmtuserproc, fs_type, proc_type;
+
+# Date : 2020/09/07
+# Purpose: mtk trigger panic by rcu stall
+type proc_panic_on_rcu_stall, fs_type, proc_type;
+
+# Date : 2020/09/18
+# Purpose: add permission for /proc/mcdi/
+type proc_mcdi, fs_type, proc_type;
+
+# Date : 2020/09/22
+# Purpose: define proc_ccci_sib
+type proc_ccci_sib, fs_type, proc_type;
+
+type proc_mtkfb, fs_type, proc_type;
+
+# Date : 2020/07/08
+# Purpose: add permission for /proc/sys/vm/swappiness
+type proc_swappiness, fs_type, proc_type;
+
+# Date : 2020/12/23
+# Purpose: Add permission for /proc/driver/conninfra_dbg
+type proc_conninfradbg, fs_type, proc_type;
+
+# Date: 2021/04/20
+# Purpose : add permission for proc/sys/vm/watermark_scale_factor
+type proc_watermark_scale_factor, fs_type, proc_type;
+
+# Data : 2021/4/21
+# Purpose : add permission for /proc/mtk_usb, /proc/mtk_typec
+type proc_usb_plat, fs_type, proc_type;
+
+# Date 2021/05/10
+# Purpose : init the default value before bootup
+type proc_sched_migration_cost_ns, fs_type, proc_type;
+
+# Date : 2021/5/21
+# Purpose: Allow mobile log to read apusysy log
+type proc_apusys_up_seq_logl, fs_type, proc_type;
+
+# Date : 2021/8/24
+# For CachedAppOptimizer
+type proc_mtk_mdp_debug, fs_type, proc_type;
+
+# 2021/8/25
+# allow powerhal to access /proc/cpuhvfs/cpufreq_cci_mode
+type proc_cpuhvfs, fs_type, proc_type;
+
+##########################
+# Sys Filesystem types
+#
+type sysfs_execstate, fs_type, sysfs_type;
+type sysfs_therm, fs_type, sysfs_type;
+type sysfs_thermal_sram, fs_type, sysfs_type;
+type sysfs_charger_cooler, fs_type, sysfs_type;
+type sysfs_fps, fs_type, sysfs_type;
+type sysfs_ccci, fs_type, sysfs_type;
+type sysfs_mdinfo, fs_type,sysfs_type;
+type sysfs_ssw, fs_type,sysfs_type;
+type sysfs_soc, fs_type, sysfs_type;
+type sysfs_vcorefs_pwrctrl, fs_type, sysfs_type;
+type sysfs_md32, fs_type, sysfs_type;
+type sysfs_scp, fs_type, sysfs_type;
+type sysfs_adsp, fs_type, sysfs_type;
+type sysfs_rt_param, fs_type, sysfs_type;
+type sysfs_rt_calib, fs_type, sysfs_type;
+type sysfs_reset_dsp, fs_type, sysfs_type;
+type sysfs_chip_vendor, fs_type, sysfs_type;
+type sysfs_pa_num, fs_type, sysfs_type;
+type sysfs_sspm, fs_type, sysfs_type;
+type sysfs_devinfo, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_aee_enable, fs_type, sysfs_type;
+type sysfs_dcm, fs_type, sysfs_type;
+type sysfs_dcs, fs_type, sysfs_type;
+type sysfs_vcore_debug, fs_type, sysfs_type;
+type sysfs_systracker, fs_type, sysfs_type;
+type sysfs_keypad_file, fs_type, sysfs_type;
+type sysfs_vcp, fs_type, sysfs_type;
+
+# apusys_queue sysfs file
+type sysfs_apusys_queue, fs_type, sysfs_type;
+
+# Date : WK1814
+# Purpose : for factory to get boot mode and type
+type sysfs_boot_mode, fs_type, sysfs_type;
+type sysfs_boot_type, fs_type, sysfs_type;
+
+# Date : WK1817
+# Purpose : for meta to get com port type and uart port info
+type sysfs_comport_type, fs_type, sysfs_type;
+type sysfs_uart_info, fs_type, sysfs_type;
+type sysfs_usb_nonplat, fs_type, sysfs_type;
+
+# Date : WK1820
+# Purpose : for charger to access pump_express
+type sysfs_pump_express, fs_type, sysfs_type;
+type sysfs_chg2_present, fs_type, sysfs_type;
+
+# Date : 2018/10/25
+# Purpose : mtk GPU drvb permission setting
+type sysfs_gpu, fs_type, sysfs_type, mlstrustedobject;
+
+# Touch parameters file
+type sysfs_tpd_setting, fs_type, sysfs_type;
+
+# Date : 2019/09/17
+# Purpose : mtk factory fingerprint settings
+type sysfs_gf_spi_tee, fs_type, sysfs_type;
+
+# Backlight brightness file
+type sysfs_leds_setting, fs_type, sysfs_type;
+
+# Vibrator vibrate file
+type sysfs_vibrator_setting, fs_type, sysfs_type;
+
+# Date : WK18.16
+# Purpose: Android Migration
+type sysfs_mmcblk, fs_type, sysfs_type;
+type sysfs_mmcblk1, fs_type, sysfs_type;
+
+# Date : 2019/08/24
+type sysfs_sensor, fs_type, sysfs_type;
+
+#MTEE trusty
+type mtee_trusty_file, fs_type, sysfs_type;
+
+type sysfs_ged, fs_type, sysfs_type;
+type sysfs_fbt_cpu, fs_type, sysfs_type;
+type sysfs_fbt_fteh, fs_type, sysfs_type;
+type sysfs_fpsgo, fs_type, sysfs_type;
+type sysfs_xgf, fs_type, sysfs_type;
+type sysfs_gbe, fs_type, sysfs_type;
+type sysfs_mtk_fpsgo, fs_type, sysfs_type;
+type sysfs_mtk_core_ctl, fs_type, sysfs_type;
+
+# Date : 2019/09/17
+# Purpose: Allow powerhal to control cache audit
+type sysfs_cache_ctrl, fs_type, sysfs_type;
+type sysfs_pftch_qos, fs_type, sysfs_type;
+
+# Date : 2019/09/19
+# Purpose: Allow powerhal to trigger task-turbo
+type sysfs_task_turbo, fs_type, sysfs_type;
+
+# Date : 2019/09/23
+# Purpose: Define change_rate fs_type
+type sysfs_change_rate, fs_type, sysfs_type;
+
+# Date : 2019/10/16
+# Purpose: Define sysfs_ext4_disable_barrier fs_type
+type sysfs_ext4_disable_barrier, fs_type, sysfs_type;
+
+# Date : WK19.38
+# Purpose: Android Migration for video codec driver
+type sysfs_device_tree_model, fs_type, sysfs_type;
+
+# Date : 2019/10/11
+# Purpose : allow system_server to access /sys/kernel/mm/ksm/pages_xxx
+type sysfs_pages_shared, fs_type, sysfs_type;
+type sysfs_pages_sharing, fs_type, sysfs_type;
+type sysfs_pages_unshared, fs_type, sysfs_type;
+type sysfs_pages_volatile, fs_type, sysfs_type;
+
+# Date : 2019/10/22
+# Purpose : allow aee_aedv write /sys/module/mrdump/parameters/lbaooo
+type sysfs_mrdump, fs_type, sysfs_type;
+type sysfs_memory, fs_type, sysfs_type;
+
+# Date : 2019/10/25
+# Purpose : To avoid using the SELabel of u:object_r:proc:s0 or u:object_r:sysfs:s0
+# to access /proc/device-tree/chosen/atag,chipid or /sysfs/firmware/devicetree/base/chosen/atag,chipid
+type sysfs_chipid, fs_type, sysfs_type;
+
+# Date : 2019/12/12
+# Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/*
+type sysfs_concurrency_scenario, fs_type, sysfs_type;
+
+# Date : WK20.07
+# Operation: R migration
+# Purpose : Add permission for new device node.
+type sysfs_meta_info, fs_type, sysfs_type;
+
+type sysfs_cache_status, fs_type, sysfs_type;
+
+# Date : 2020/06/12
+# Purpose: define sysfs_mali_power_policy fs_type
+type sysfs_mali_power_policy, fs_type, sysfs_type;
+
+# Date : 20120/07/02
+# Purpose: define sysfs_mtk_nanohub_state fs_type
+type sysfs_mtk_nanohub_state, fs_type, sysfs_type;
+
+# Date : 20120/07/13
+# Purpose: define sysfs_dvfsrc_dbg fs_type
+type sysfs_dvfsrc_dbg, fs_type, sysfs_type;
+
+# Date : 2020/07/31
+# Purpose: add permission for /sys/kernel/apusys/
+type sysfs_apusys, fs_type, sysfs_type;
+
+# Date : WK20.33
+# Operation: R migration
+# Purpose : Add permission for access aux_adc
+type sys_mt6577_auxadc, fs_type, sysfs_type;
+
+# Date : 2020/07/10
+# Purpose : allow media sources to access /sys/bus/platform/drivers/emi_ctrl/*
+type sysfs_emi_ctrl_concurrency_scenario, fs_type, sysfs_type;
+
+# Date : 20120/08/19
+# Purpose: define sysfs_dvfsrc_devfreq fs_type
+type sysfs_dvfsrc_devfreq, fs_type, sysfs_type;
+
+# Date : 2020/09/03
+# Purpose: mtk MMQoS set camera max BW
+type sysfs_camera_max_bw, fs_type, sysfs_type;
+type sysfs_camera_max_bw_v2, fs_type, sysfs_type;
+
+# Date : 2021/06/15
+# Purpose: mtk MMQoS scenario change
+type sysfs_mtk_mmqos_scen, fs_type, sysfs_type;
+type sysfs_mtk_mmqos_scen_v2, fs_type, sysfs_type;
+
+# Date : 2020/09/29
+# Purpose: add permission for /sys/kernel/eara_thermal/
+type sysfs_eara_thermal, fs_type, sysfs_type;
+
+# Date : 2021/3/12
+# Purpose: add permission for /sys/class/misc/mali0/device/pm_poweroff
+type sysfs_mali_poweroff, fs_type, sysfs_type;
+
+# Date : 2020/12/14
+# Purpose: allow dumpstate/crash_dump/aee_aedv to read /sys/kernel/mm/mlog/dump
+type sysfs_mm, fs_type, sysfs_type;
+
+type sysfs_vpd, fs_type, sysfs_type;
+
+# Date : 2021/06/01
+# Purpose: for dcxo calibration
+type sysfs_dcxo, fs_type, sysfs_type;
+
+# 2021/05/26
+# RTK Device
+type sysfs_extdev, fs_type, sysfs_type;
+
+# 2021/07/06
+# charger configuration
+type sysfs_chg_cfg, fs_type, sysfs_type;
+
+# 2021/07/29
+# boot mode access
+type sysfs_boot_info, fs_type, sysfs_type;
+
+# 2021/8/25
+# allow powerhal to access /sys/kernel/cm_mgr/dbg_cm_mgr
+type sysfs_cm_mgr, fs_type, sysfs_type;
+
+##########################
+# Debug Filesystem types
+#
+
+# display debugfs file
+type debugfs_fb, fs_type, debugfs_type;
+
+# fpsgo debugfs file
+type debugfs_fpsgo, fs_type, debugfs_type;
+
+# memtrack debugfs file
+type debugfs_ion, fs_type, debugfs_type;
+
+##########################
+# Other Filesystem types
+#
+# for labeling /mnt/cd-rom as iso9660
+type iso9660, fs_type;
+
+# rawfs for /protect_f on NAND projects
+type rawfs, fs_type, mlstrustedobject;
+
+#fuse
+type fuseblk, sdcard_type, fs_type, mlstrustedobject;
+
+##########################
+# File types
+#
+# Date : 2019/12/19
+# Purpose : Allow ccci_mdinit read /vendor/etc/md
+type vendor_etc_md_file, vendor_file_type, file_type;
+
+# Date : 2021/12/10
+# Purpose : Allow mtk_hal_camera read /vendor/etc/nn
+type vendor_etc_nn_file, vendor_file_type, file_type;
+
+
+# Data : 2020/12/30
+# Purpose : DBReleasePlan
+type vendor_bin_crossbuild_file, vendor_file_type, file_type;
+##########################
+# File types
+# Data file types
+type custom_file, file_type, data_file_type;
+type lost_found_data_file, file_type, data_file_type;
+type dontpanic_data_file, file_type, data_file_type;
+type resource_cache_data_file, file_type, data_file_type;
+type http_proxy_cfg_data_file, file_type, data_file_type;
+type acdapi_data_file, file_type, data_file_type;
+type ppp_data_file, file_type, data_file_type;
+type wpa_supplicant_data_file, file_type, data_file_type;
+type radvd_data_file, file_type, data_file_type;
+type mal_data_file, file_type, data_file_type;
+type bt_data_file, file_type, data_file_type;
+type agpsd_data_file, file_type, data_file_type;
+type mnld_data_file, file_type, data_file_type;
+type gps_data_file, file_type, data_file_type;
+type MPED_data_file, file_type, data_file_type;
+type protect_f_data_file, file_type, data_file_type;
+type protect_s_data_file, file_type, data_file_type;
+type persist_data_file, file_type, data_file_type;
+type nvram_data_file, file_type, data_file_type;
+type nvdata_file, file_type, data_file_type;
+type nvcfg_file, file_type, data_file_type;
+type mcf_ota_file, file_type, data_file_type;
+type cct_data_file, file_type, data_file_type;
+type mediaserver_data_file, file_type, data_file_type;
+type mediacodec_data_file, file_type, data_file_type;
+type connsyslog_data_vendor_file, file_type, data_file_type;
+
+# AAO
+type data_vendor_aao_file, file_type, data_file_type;
+type data_vendor_aaoHwBuf_file, file_type, data_file_type;
+type data_vendor_AAObitTrue_file, file_type, data_file_type;
+
+# Flash
+type data_vendor_flash_file, file_type, data_file_type;
+
+# Flicker
+type data_vendor_flicker_file, file_type, data_file_type;
+
+# AFO
+type data_vendor_afo_file, file_type, data_file_type;
+
+# PDO
+type data_vendor_pdo_file, file_type, data_file_type;
+
+# NE core_forwarder
+type aee_core_vendor_file, file_type, data_file_type;
+
+type aee_dumpsys_vendor_file, file_type, data_file_type;
+
+type ccci_cfg_file, file_type, data_file_type;
+type ccci_data_md1_file, file_type, data_file_type;
+type c2k_file, file_type, data_file_type;
+
+#For sensor
+type sensor_data_file, file_type, data_file_type;
+
+type stp_dump_data_file, file_type, data_file_type;
+type wifi_dump_data_file, file_type, data_file_type;
+type bt_dump_data_file, file_type, data_file_type;
+
+# data_tmpfs_log
+type vendor_tmpfs_log_file, file_type, data_file_type;
+
+# fat on nand fat.img
+type fon_image_data_file, file_type, data_file_type;
+
+# ims ipsec config file
+type ims_ipsec_data_file, file_type, data_file_type;
+
+# thermal manager config file
+type thermal_manager_data_file, file_type, data_file_type;
+
+# thermal core config file
+type thermal_core_data_file, file_type, data_file_type;
+
+#autokd data file
+type autokd_data_file, file_type, data_file_type;
+
+# MTK audio HAL folder
+type mtk_audiohal_data_file, file_type, data_file_type;
+
+# MTK Power HAL folder
+type mtk_powerhal_data_file, file_type, data_file_type;
+
+# Date : WK1743
+# Purpose : for meta_tst copy MD DB from MD image
+type mddb_data_file, file_type, data_file_type;
+
+# Widevine move data/mediadrm folder from system to vendor
+type mediadrm_vendor_data_file, file_type, data_file_type;
+
+# drm key manager
+type provision_file, file_type, data_file_type;
+type key_install_data_file, file_type, data_file_type;
+
+type aee_dipdebug_vendor_file, file_type, data_file_type;
+
+# Date : WK19.34
+# Purpose: Android Migration for video codec driver
+type vcodec_file, file_type, data_file_type, mlstrustedobject;
+
+# Date : 2019/12/23
+# Purpose : Allow ccci_mdinit read /data/vendor_de/md
+type data_vendor_de_md_file, data_file_type, file_type;
+
+# Date : 2019/04/23
+# Operation: R migration
+# Purpose : Add permission for acess vendor_de.
+type factory_vendor_file, file_type, data_file_type;
+
+# Date : 2020/09/24
+# Purpose: mtk camsys raw buffer dump
+type data_vendor_raw_file, file_type, data_file_type;
+
+type vendor_nfc_socket_file, file_type, data_file_type;
+
+# Date : W2109
+# Purpose: add permission for /data/vendor/gpu_dump
+type gpu_dump_vendor_file, file_type, data_file_type;
+
+# Date : 2021/2/22
+# Purpose: Add permission for EARA-IO
+type eara_io_data_file, file_type, data_file_type;
+
+##########################
+# File types
+# Core domain data file types
+#
+#mobilelog data/misc/mblog
+type logmisc_data_file, file_type, data_file_type, core_data_file_type;
+
+#mobilelog data/log_temp
+type logtemp_data_file, file_type, data_file_type, core_data_file_type;
+
+# NE core_forwarder
+type aee_core_data_file, file_type, data_file_type, core_data_file_type;
+
+type aee_dumpsys_data_file, file_type, data_file_type, core_data_file_type;
+
+# SF rtt dump
+type sf_rtt_file, file_type, data_file_type, core_data_file_type;
+
+# data_tmpfs_log
+type data_tmpfs_log_file, file_type, data_file_type, core_data_file_type;
+
+# adbd config file
+type adbd_data_file, file_type, data_file_type, core_data_file_type;
+
+# SF bqdump
+type sf_bqdump_data_file, file_type, data_file_type, core_data_file_type;
+
+# factory data file
+type factory_data_file, file_type, data_file_type, core_data_file_type;
+
+# Modem Log folder
+type mdlog_data_file, file_type, data_file_type, core_data_file_type;
+
+# consys Log folder
+type consyslog_data_file, file_type, data_file_type, core_data_file_type;
+
+type nfc_socket_file, file_type, data_file_type, core_data_file_type;
+
+##########################
+# Socket types
+#
+type volte_vt_socket, file_type;
+type dfo_socket, file_type;
+type gsmrild_socket, file_type;
+type rild2_socket, file_type;
+type rild3_socket, file_type;
+type rild4_socket, file_type;
+type rild_mal_socket, file_type;
+type rild_mal_at_socket, file_type;
+type rild_mal_md2_socket, file_type;
+type rild_mal_at_md2_socket, file_type;
+type rild_ims_socket, file_type;
+type rild_imsm_socket, file_type;
+type rild_oem_socket, file_type;
+type rild_mtk_ut_socket, file_type;
+type rild_mtk_ut_2_socket, file_type;
+type rild_mtk_modem_socket, file_type;
+type rild_md2_socket, file_type;
+type rild2_md2_socket, file_type;
+type rild_debug_md2_socket, file_type;
+type rild_oem_md2_socket, file_type;
+type rild_mtk_ut_md2_socket, file_type;
+type rild_mtk_ut_2_md2_socket, file_type;
+type rild_mtk_modem_md2_socket, file_type;
+type rild_vsim_socket, file_type;
+type rild_vsim_md2_socket, file_type;
+type mal_mfi_socket, file_type;
+type netdiag_socket, file_type, mlstrustedobject;
+type wpa_wlan0_socket, file_type;
+type soc_vt_imcb_socket, file_type;
+type soc_vt_tcv_socket, file_type;
+type soc_vt_stk_socket, file_type;
+type soc_vt_svc_socket, file_type;
+type dbus_bluetooth_socket, file_type;
+type bt_int_adp_socket, file_type;
+type bt_a2dp_stream_socket, file_type;
+type agpsd_socket, file_type;
+type mnld_socket, file_type;
+type MPED_socket, file_type;
+type sysctl_socket, file_type;
+type backuprestore_socket, file_type;
+
+#for 3Gdongle
+type rild-dongle_socket, file_type;
+
+type rild_via_socket, file_type;
+type rpc_socket, file_type;
+type rild_ctclient_socket, file_type;
+
+# socket between atci_service and audio-daemon
+type atci-audio_socket, file_type;
+
+# socket between atcid and meta_tst
+type meta_atci_socket, file_type;
+
+# socket between atcid and factory
+type factory_atci_socket, file_type;
+
+# ATCI socket types
+type rild_atci_socket, file_type;
+type rilproxy_atci_socket, file_type;
+type atci_service_socket, file_type;
+type adb_atci_socket, file_type;
+
+type netd_socket, file_type, coredomain_socket;
+
+# thermal hal socket file
+type thermal_hal_socket, file_type;
+
+# thermal core socket file
+type thermal_socket, file_type;
+
+# Data : 2021/08/24
+# Operaton: S development
+# Purpose: Add permission for node /proc/dma_heap
+type proc_dmaheap, fs_type, proc_type;
+
+# Date : 2021/11/12
+# Purpose: add permission for /proc/sys/vm/watermark_boost_factor
+type proc_watermark_boost_factor, fs_type, proc_type;
+
+# Date: 2021/12/24
+# Purpose: add new label for /proc/mgq
+type proc_mgq, fs_type, proc_type;
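Review bot: Several declarations carry `mlstrustedobject` with no explanation — `proc_mtk_jpeg`, `sysfs_devinfo`, `sysfs_gpu`, `rawfs`, `fuseblk`, `vcodec_file` and `netdiag_socket` — which exempts those objects from the MLS category constraints, so any domain holding an allow rule can reach them across app and user category boundaries. Each of these is a deliberate isolation carve-out and should carry a one-line reason next to the attribute, e.g. `# mlstrustedobject: shared by every app category through the GPU HAL -- TODO confirm still required`. `sysfs_ext4_disable_barrier` deserves the same treatment: its name suggests a writable control over filesystem write barriers, yet the comment only restates the type name, so a note on which domain may write it and why would help the next reviewer. Separately, the dates `20120/07/02`, `20120/07/13` and `20120/08/19` are typos for 2020, and `Data :` / `Operaton:` should read `Date :` / `Operation:`.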
diff --git a/basic/non_plat/file_contexts b/basic/non_plat/file_contexts
new file mode 100644
index 0000000..194232d
--- /dev/null
+++ b/basic/non_plat/file_contexts
@@ -0,0 +1,971 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+##########################
+# Data files
+#
+/data/vendor/.tp(/.*)? u:object_r:thermal_manager_data_file:s0
+/data/vendor/thermal(/.*)? u:object_r:thermal_core_data_file:s0
+/data/vendor_de/meta(/.*)? u:object_r:mddb_data_file:s0
+/data/vendor/agps_supl(/.*)? u:object_r:agpsd_data_file:s0
+/data/vendor/gps(/.*)? u:object_r:gps_data_file:s0
+/data/vendor/log/gps(/.*)? u:object_r:gps_data_file:s0
+/data/anr/SF_RTT(/.*)? u:object_r:sf_rtt_file:s0
+/data/vendor/ccci_cfg(/.*)? u:object_r:ccci_cfg_file:s0
+/data/vendor/mdlpm(/.*)? u:object_r:ccci_data_md1_file:s0
+/data/vendor/flashless(/.*)? u:object_r:c2k_file:s0
+/data/core(/.*)? u:object_r:aee_core_data_file:s0
+/data/vendor/core(/.*)? u:object_r:aee_core_vendor_file:s0
+/data/dumpsys(/.*)? u:object_r:aee_dumpsys_data_file:s0
+/data/vendor/dumpsys(/.*)? u:object_r:aee_dumpsys_vendor_file:s0
+/data/extmdl(/.*)? u:object_r:mdlog_data_file:s0
+/data/log_temp(/.*)? u:object_r:logtemp_data_file:s0
+/data/mdlog(/.*)? u:object_r:mdlog_data_file:s0
+/data/mdl(/.*)? u:object_r:mdlog_data_file:s0
+/data/mdl3(/.*)? u:object_r:mdlog_data_file:s0
+/data/nfc_socket(/.*)? u:object_r:nfc_socket_file:s0
+/data/vendor/nfc_socket(/.*)? u:object_r:vendor_nfc_socket_file:s0
+/data/vendor/md3(/.*)? u:object_r:c2k_file:s0
+/data/SF_dump(./*)? u:object_r:sf_bqdump_data_file:s0
+/data/data_tmpfs_log(/.*)? u:object_r:data_tmpfs_log_file:s0
+/data/vendor/data_tmpfs_log(/.*)? u:object_r:vendor_tmpfs_log_file:s0
+/data/vendor/audiohal(/.*)? u:object_r:mtk_audiohal_data_file:s0
+/data/vendor/powerhal(/.*)? u:object_r:mtk_powerhal_data_file:s0
+/data/vendor/stp_dump(/.*)? u:object_r:stp_dump_data_file:s0
+/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
+/data/vendor/dipdebug(/.*)? u:object_r:aee_dipdebug_vendor_file:s0
+/data/vendor/key_provisioning(/.*)? u:object_r:key_install_data_file:s0
+/data/vendor/vcodec(/.*)? u:object_r:vcodec_file:s0
+
+# Misc data
+/data/misc/mblog(/.*)? u:object_r:logmisc_data_file:s0
+/data/vendor/sensor(/.*)? u:object_r:sensor_data_file:s0
+
+# Wallpaper file for smartbook
+/data/system/users/[0-9]+/smartbook_wallpaper u:object_r:wallpaper_file:s0
+
+/data/vendor/connsyslog(/.*)? u:object_r:connsyslog_data_vendor_file:s0
+
+# AAO
+/data/vendor/aao(/.*)? u:object_r:data_vendor_aao_file:s0
+/data/vendor/aaoHwBuf(/.*)? u:object_r:data_vendor_aaoHwBuf_file:s0
+/data/vendor/AAObitTrue(/.*)? u:object_r:data_vendor_AAObitTrue_file:s0
+
+# Flash
+/data/vendor/flash(/.*)? u:object_r:data_vendor_flash_file:s0
+
+# Flicker
+/data/vendor/flicker(/.*)? u:object_r:data_vendor_flicker_file:s0
+
+# AFO
+/data/vendor/AFObitTrue(/.*)? u:object_r:data_vendor_afo_file:s0
+
+# PDO
+/data/vendor/pdo(/.*)? u:object_r:data_vendor_pdo_file:s0
+
+# ccci_mdinit access /data/vendor_de/md file
+/data/vendor_de/md(/.*)? u:object_r:data_vendor_de_md_file:s0
+
+# Date : 2019/04/23
+# Operation: R migration
+# Purpose : Add permission for acess vendor_de.
+/data/vendor_de/factory(/.*)? u:object_r:factory_vendor_file:s0
+
+# Date: 2020/09/24
+# Purpose: mtk camsys raw dump file
+/data/vendor/raw(/.*)? u:object_r:data_vendor_raw_file:s0
+
+# Date: 2020/02/22
+# Purpose: add permission for /data/vendor/gpu_dump
+/data/vendor/gpu_dump(/.*)? u:object_r:gpu_dump_vendor_file:s0
+
+# EARA-IO
+/data/vendor/eara_io(/.*)? u:object_r:eara_io_data_file:s0
+
+##########################
+# Devices
+#
+/dev/aal_als(/.*)? u:object_r:aal_als_device:s0
+/dev/accdet(/.*)? u:object_r:accdet_device:s0
+/dev/AD5820AF(/.*)? u:object_r:AD5820AF_device:s0
+/dev/ampc0(/.*)? u:object_r:ampc0_device:s0
+/dev/android(/.*)? u:object_r:android_device:s0
+
+/dev/block/zram0 u:object_r:swap_block_device:s0
+/dev/block/by-name/otp u:object_r:otp_part_block_device:s0
+
+/dev/bmtpool(/.*)? u:object_r:bmtpool_device:s0
+/dev/bootimg(/.*)? u:object_r:bootimg_device:s0
+/dev/BOOT(/.*)? u:object_r:BOOT_device:s0
+/dev/btif(/.*)? u:object_r:btif_device:s0
+/dev/btn(/.*)? u:object_r:btn_device:s0
+
+/dev/BU6429AF(/.*)? u:object_r:BU6429AF_device:s0
+/dev/BU64745GWZAF(/.*)? u:object_r:BU64745GWZAF_device:s0
+
+/dev/MAINAF(/.*)? u:object_r:MAINAF_device:s0
+/dev/MAIN2AF(/.*)? u:object_r:MAIN2AF_device:s0
+/dev/MAIN3AF(/.*)? u:object_r:MAIN3AF_device:s0
+/dev/MAIN4AF(/.*)? u:object_r:MAIN4AF_device:s0
+
+/dev/SUBAF(/.*)? u:object_r:SUBAF_device:s0
+/dev/SUB2AF(/.*)? u:object_r:SUB2AF_device:s0
+/dev/cache(/.*)? u:object_r:cache_device:s0
+
+/dev/CAM_CAL_DRV(/.*)? u:object_r:CAM_CAL_DRV_device:s0
+/dev/CAM_CAL_DRV1(/.*)? u:object_r:CAM_CAL_DRV1_device:s0
+/dev/CAM_CAL_DRV2(/.*)? u:object_r:CAM_CAL_DRV2_device:s0
+/dev/camera_eeprom[0-9]+ u:object_r:camera_eeprom_device:s0
+/dev/seninf_n3d u:object_r:seninf_n3d_device:s0
+
+/dev/gz_kree(/.*)? u:object_r:gz_device:s0
+/dev/camera-fdvt(/.*)? u:object_r:camera_fdvt_device:s0
+/dev/camera-mem(/.*)? u:object_r:camera_mem_device:s0
+/dev/camera-isp(/.*)? u:object_r:camera_isp_device:s0
+/dev/camera-dip(/.*)? u:object_r:camera_dip_device:s0
+/dev/camera-dpe(/.*)? u:object_r:camera_dpe_device:s0
+/dev/camera-tsf(/.*)? u:object_r:camera_tsf_device:s0
+/dev/camera-rsc(/.*)? u:object_r:camera_rsc_device:s0
+/dev/camera-gepf(/.*)? u:object_r:camera_gepf_device:s0
+/dev/camera-wpe(/.*)? u:object_r:camera_wpe_device:s0
+/dev/camera-owe(/.*)? u:object_r:camera_owe_device:s0
+/dev/camera-mfb(/.*)? u:object_r:camera_mfb_device:s0
+/dev/camera-pda(/.*)? u:object_r:camera_pda_device:s0
+/dev/camera-pipemgr(/.*)? u:object_r:camera_pipemgr_device:s0
+/dev/camera-sysram(/.*)? u:object_r:camera_sysram_device:s0
+/dev/mtk_ccd(/.*)? u:object_r:mtk_ccd_device:s0
+
+/dev/mtk_hcp(/.*)? u:object_r:mtk_hcp_device:s0
+/dev/media[0-9]+ u:object_r:mtk_v4l2_media_device:s0
+/dev/v4l-subdev.* u:object_r:mtk_v4l2_media_device:s0
+/dev/ccu(/.*)? u:object_r:ccu_device:s0
+/dev/ccu_rproc(/.*)? u:object_r:ccu_device:s0
+/dev/vpu(/.*)? u:object_r:vpu_device:s0
+/dev/mdlactl(/.*)? u:object_r:mdla_device:s0
+/dev/apusys(/.*)? u:object_r:apusys_device:s0
+/dev/ccci_monitor u:object_r:ccci_monitor_device:s0
+/dev/ccci_c2k_agps u:object_r:agps_device:s0
+/dev/ccci.* u:object_r:ccci_device:s0
+
+/dev/cpu_dma_latency(/.*)? u:object_r:cpu_dma_latency_device:s0
+/dev/devmap(/.*)? u:object_r:devmap_device:s0
+/dev/dri(/.*)? u:object_r:gpu_device:s0
+/dev/dummy_cam_cal(/.*)? u:object_r:dummy_cam_cal_device:s0
+
+/dev/DW9714AF(/.*)? u:object_r:DW9714AF_device:s0
+/dev/DW9814AF(/.*)? u:object_r:DW9814AF_device:s0
+/dev/AK7345AF(/.*)? u:object_r:AK7345AF_device:s0
+/dev/DW9714A(/.*)? u:object_r:DW9714A_device:s0
+/dev/DW9718AF(/.*)? u:object_r:DW9718AF_device:s0
+/dev/WV511AAF(/.*)? u:object_r:lens_device:s0
+
+/dev/ebc(/.*)? u:object_r:ebc_device:s0
+/dev/usip(/.*)? u:object_r:ebc_device:s0
+/dev/ebr[0-9]+ u:object_r:ebr_device:s0
+/dev/eemcs.* u:object_r:eemcs_device:s0
+/dev/emd.* u:object_r:emd_device:s0
+
+/dev/etb u:object_r:etb_device:s0
+/dev/expdb(/.*)? u:object_r:expdb_device:s0
+
+/dev/fat(/.*)? u:object_r:fat_device:s0
+/dev/FM50AF(/.*)? u:object_r:FM50AF_device:s0
+/dev/fm(/.*)? u:object_r:fm_device:s0
+/dev/fw_log_wmt u:object_r:fw_log_wmt_device:s0
+/dev/fw_log_wifi u:object_r:fw_log_wifi_device:s0
+/dev/fw_log_wifimcu u:object_r:fw_log_wifimcu_device:s0
+/dev/fw_log_ics u:object_r:fw_log_ics_device:s0
+
+/dev/geofence(/.*)? u:object_r:geo_device:s0
+/dev/fw_log_gps u:object_r:fw_log_gps_device:s0
+/dev/hdmitx(/.*)? u:object_r:graphics_device:s0
+/dev/gps2scp u:object_r:gps2scp_device:s0
+/dev/gps_pwr u:object_r:gps_pwr_device:s0
+/dev/hid-keyboard(/.*)? u:object_r:hid_keyboard_device:s0
+/dev/ion(/.*)? u:object_r:ion_device:s0
+
+/dev/kd_camera_flashlight(/.*)? u:object_r:kd_camera_flashlight_device:s0
+/dev/flashlight(/.*)? u:object_r:flashlight_device:s0
+/dev/kd_camera_hw_bus2(/.*)? u:object_r:kd_camera_hw_bus2_device:s0
+/dev/kd_camera_hw(/.*)? u:object_r:kd_camera_hw_device:s0
+/dev/seninf(/.*)? u:object_r:seninf_device:s0
+
+/dev/LC898122AF(/.*)? u:object_r:LC898122AF_device:s0
+/dev/LC898212AF(/.*)? u:object_r:LC898212AF_device:s0
+
+/dev/logo(/.*)? u:object_r:logo_device:s0
+/dev/loop-control(/.*)? u:object_r:loop-control_device:s0
+
+/dev/dma_heap/mtk_mm u:object_r:dmabuf_system_heap_device:s0
+/dev/dma_heap/mtk_mm-uncached u:object_r:dmabuf_system_heap_device:s0
+/dev/dma_heap/mtk_svp_page-uncached u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_prot_page-uncached u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_svp_region u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_svp_region-aligned u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_prot_region u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_prot_region-aligned u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_2d_fr_region u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_2d_fr_region-aligned u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_wfd_region u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_wfd_region-aligned u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_wfd_page-uncached u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_sapu_data_shm_region u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_sapu_data_shm_region-aligned u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_sapu_engine_shm_region u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_sapu_engine_shm_region-aligned u:object_r:dmabuf_system_secure_heap_device:s0
+
+/dev/M4U_device(/.*)? u:object_r:M4U_device_device:s0
+/dev/mali.* u:object_r:gpu_device:s0
+/dev/MATV(/.*)? u:object_r:MATV_device:s0
+/dev/mbr(/.*)? u:object_r:mbr_device:s0
+/dev/md32(/.*)? u:object_r:md32_device:s0
+
+/dev/scp(/.*)? u:object_r:scp_device:s0
+/dev/scp_B(/.*)? u:object_r:scp_device:s0
+/dev/sspm(/.*)? u:object_r:sspm_device:s0
+/dev/vcp(/.*)? u:object_r:vcp_device:s0
+
+/dev/misc-sd(/.*)? u:object_r:misc_sd_device:s0
+/dev/misc(/.*)? u:object_r:misc_device:s0
+/dev/misc2(/.*)? u:object_r:misc2_device:s0
+/dev/MJC(/.*)? u:object_r:MJC_device:s0
+/dev/mmp(/.*)? u:object_r:mmp_device:s0
+
+/dev/MT6516_H264_DEC(/.*)? u:object_r:MT6516_H264_DEC_device:s0
+/dev/mt6516-IDP(/.*)? u:object_r:mt6516_IDP_device:s0
+/dev/MT6516_Int_SRAM(/.*)? u:object_r:MT6516_Int_SRAM_device:s0
+/dev/mt6516-isp(/.*)? u:object_r:mt6516_isp_device:s0
+/dev/mt6516_jpeg(/.*)? u:object_r:mt6516_jpeg_device:s0
+/dev/MT6516_MM_QUEUE(/.*)? u:object_r:MT6516_MM_QUEUE_device:s0
+/dev/MT6516_MP4_DEC(/.*)? u:object_r:MT6516_MP4_DEC_device:s0
+/dev/MT6516_MP4_ENC(/.*)? u:object_r:MT6516_MP4_ENC_device:s0
+
+/dev/st21nfc u:object_r:st21nfc_device:s0
+/dev/st54spi u:object_r:st54spi_device:s0
+
+/dev/mt9p012(/.*)? u:object_r:mt9p012_device:s0
+/dev/mtfreqhopping(/.*)? u:object_r:mtfreqhopping_device:s0
+/dev/mtgpio(/.*)? u:object_r:mtgpio_device:s0
+
+/dev/mtk-adc-cali(/.*)? u:object_r:mtk-adc-cali_device:s0
+/dev/mtk_disp.* u:object_r:graphics_device:s0
+/dev/mtkfb_vsync(/.*)? u:object_r:graphics_device:s0
+/dev/mtkg2d(/.*)? u:object_r:mtkg2d_device:s0
+/dev/mtk_jpeg(/.*)? u:object_r:mtk_jpeg_device:s0
+/dev/mtk-kpd(/.*)? u:object_r:mtk_kpd_device:s0
+/dev/mtk_sched(/.*)? u:object_r:mtk_sched_device:s0
+/dev/MTK_SMI(/.*)? u:object_r:MTK_SMI_device:s0
+/dev/mtk_cmdq(/.*)? u:object_r:mtk_cmdq_device:s0
+/dev/mtk_mdp(/.*)? u:object_r:mtk_mdp_device:s0
+/dev/mdp_device(/.*)? u:object_r:mdp_device:s0
+/dev/mdp_sync(/.*)? u:object_r:mtk_mdp_sync_device:s0
+/dev/fmt_sync(/.*)? u:object_r:mtk_fmt_sync_device:s0
+/dev/vdec-fmt(/.*)? u:object_r:mtk_fmt_device:s0
+/dev/mtk_rrc(/.*)? u:object_r:mtk_rrc_device:s0
+/dev/mtk_dfrc(/.*)? u:object_r:mtk_dfrc_device:s0
+
+/dev/mt-mdp(/.*)? u:object_r:mt_mdp_device:s0
+/dev/mt_otg_test(/.*)? u:object_r:mt_otg_test_device:s0
+/dev/MT_pmic_adc_cali u:object_r:MT_pmic_adc_cali_device:s0
+/dev/MT_pmic_adc_cali(/.*)? u:object_r:MT_pmic_cali_device:s0
+/dev/MT_pmic(/.*)? u:object_r:MT_pmic_device:s0
+
+/dev/network.* u:object_r:network_device:s0
+/dev/nvram(/.*)? u:object_r:nvram_device:s0
+/dev/nxpspk(/.*)? u:object_r:smartpa_device:s0
+
+/dev/otp u:object_r:otp_device:s0
+/dev/pmem_multimedia(/.*)? u:object_r:pmem_multimedia_device:s0
+/dev/pmt(/.*)? u:object_r:pmt_device:s0
+
+/dev/preloader(/.*)? u:object_r:preloader_device:s0
+/dev/pro_info(/.*)? u:object_r:pro_info_device:s0
+/dev/protect_f(/.*)? u:object_r:protect_f_device:s0
+/dev/protect_s(/.*)? u:object_r:protect_s_device:s0
+
+/dev/psaux(/.*)? u:object_r:psaux_device:s0
+/dev/ptmx(/.*)? u:object_r:ptmx_device:s0
+/dev/ptyp.* u:object_r:ptyp_device:s0
+/dev/pvr_sync(/.*)? u:object_r:gpu_device:s0
+
+/dev/qemu_pipe(/.*)? u:object_r:qemu_pipe_device:s0
+/dev/recovery(/.*)? u:object_r:recovery_device:s0
+/dev/rfkill(/.*)? u:object_r:rfkill_device:s0
+/dev/rtc[0-9]+ u:object_r:rtc_device:s0
+/dev/RT_Monitor(/.*)? u:object_r:RT_Monitor_device:s0
+/dev/kick_powerkey(/.*)? u:object_r:kick_powerkey_device:s0
+
+/dev/seccfg(/.*)? u:object_r:seccfg_device:s0
+/dev/sec_ro(/.*)? u:object_r:sec_ro_device:s0
+/dev/sec(/.*)? u:object_r:sec_device:s0
+
+/dev/tee1 u:object_r:tee_part_device:s0
+/dev/tee2 u:object_r:tee_part_device:s0
+
+/dev/sensor(/.*)? u:object_r:sensor_device:s0
+/dev/smartpa_i2c(/.*)? u:object_r:smartpa1_device:s0
+/dev/snapshot(/.*)? u:object_r:snapshot_device:s0
+/dev/i2c-9(/.*)? u:object_r:tahiti_device:s0
+
+/dev/socket/adbd(/.*)? u:object_r:adbd_socket:s0
+/dev/socket/agpsd2(/.*)? u:object_r:agpsd_socket:s0
+/dev/socket/agpsd3(/.*)? u:object_r:agpsd_socket:s0
+/dev/socket/agpsd(/.*)? u:object_r:agpsd_socket:s0
+/dev/socket/atci-audio(/.*)? u:object_r:atci-audio_socket:s0
+
+/dev/socket/meta-atci(/.*)? u:object_r:meta_atci_socket:s0
+/dev/socket/factory-atci(/.*)? u:object_r:factory_atci_socket:s0
+/dev/socket/backuprestore(/.*)? u:object_r:backuprestore_socket:s0
+
+/dev/socket/dfo(/.*)? u:object_r:dfo_socket:s0
+/dev/socket/dnsproxyd(/.*)? u:object_r:dnsproxyd_socket:s0
+/dev/socket/dumpstate(/.*)? u:object_r:dumpstate_socket:s0
+
+/dev/socket/mdnsd(/.*)? u:object_r:mdnsd_socket:s0
+/dev/socket/mdns(/.*)? u:object_r:mdns_socket:s0
+/dev/socket/mnld(/.*)? u:object_r:mnld_socket:s0
+
+/dev/socket/netd(/.*)? u:object_r:netd_socket:s0
+
+/dev/socket/mrild(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/mrild2(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/mrild3(/.*)? u:object_r:gsmrild_socket:s0
+
+/dev/socket/rild-atci u:object_r:gsmrild_socket:s0
+/dev/socket/rild-mbim(/.*)? u:object_r:gsmrild_socket:s0
+
+/dev/socket/msap_uim_socket1(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_uim_socket2(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_c2k_socket1(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_c2k_socket2(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_c2k_socket3(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_c2k_socket4(/.*)? u:object_r:gsmrild_socket:s0
+
+/dev/socket/sap_uim_socket(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/sap_uim_socket1(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/sap_uim_socket2(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/sap_uim_socket3(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/sap_uim_socket4(/.*)? u:object_r:gsmrild_socket:s0
+
+/dev/socket/rild2-md2(/.*)? u:object_r:rild2_md2_socket:s0
+/dev/socket/rild2(/.*)? u:object_r:rild2_socket:s0
+/dev/socket/rild3(/.*)? u:object_r:rild3_socket:s0
+/dev/socket/rild4(/.*)? u:object_r:rild4_socket:s0
+
+/dev/socket/rild-mal(/.*)? u:object_r:rild_mal_socket:s0
+/dev/socket/rild-mal-at(/.*)? u:object_r:rild_mal_at_socket:s0
+/dev/socket/rild-mal-md2(/.*)? u:object_r:rild_mal_md2_socket:s0
+/dev/socket/rild-mal-at-md2(/.*)? u:object_r:rild_mal_at_md2_socket:s0
+/dev/socket/rild-ims(/.*)? u:object_r:rild_ims_socket:s0
+/dev/socket/volte_imsm_dongle(/.*)? u:object_r:rild_imsm_socket:s0
+
+/dev/socket/rild-vsim(/.*)? u:object_r:rild_vsim_socket:s0
+/dev/socket/rild-vsim2(/.*)? u:object_r:rild_vsim_socket:s0
+/dev/socket/rild-vsim3(/.*)? u:object_r:rild_vsim_socket:s0
+/dev/socket/rild-vsim-md2(/.*)? u:object_r:rild_vsim_md2_socket:s0
+
+/dev/socket/rild-ctclient u:object_r:rild_ctclient_socket:s0
+/dev/socket/rild-debug-md2(/.*)? u:object_r:rild_debug_md2_socket:s0
+/dev/socket/rild-debug(/.*)? u:object_r:rild_debug_socket:s0
+/dev/socket/rild-dongle(/.*)? u:object_r:rild-dongle_socket:s0
+
+/dev/socket/rild-md2(/.*)? u:object_r:rild_md2_socket:s0
+/dev/socket/rild-mtk-modem-md2(/.*)? u:object_r:rild_mtk_modem_md2_socket:s0
+/dev/socket/rild-mtk-modem(/.*)? u:object_r:rild_mtk_modem_socket:s0
+/dev/socket/rild-mtk-ut-2-md2(/.*)? u:object_r:rild_mtk_ut_2_md2_socket:s0
+/dev/socket/rild-mtk-ut-2(/.*)? u:object_r:rild_mtk_ut_2_socket:s0
+/dev/socket/rild-mtk-ut-md2(/.*)? u:object_r:rild_mtk_ut_md2_socket:s0
+/dev/socket/rild-mtk-ut(/.*)? u:object_r:rild_mtk_ut_socket:s0
+
+/dev/socket/rild-oem-md2(/.*)? u:object_r:rild_oem_md2_socket:s0
+/dev/socket/rild-oem(/.*)? u:object_r:rild_oem_socket:s0
+/dev/socket/rild(/.*)? u:object_r:rild_socket:s0
+/dev/socket/rild-via u:object_r:rild_via_socket:s0
+/dev/socket/rildc-debug u:object_r:rild_via_socket:s0
+/dev/socket/rild-atci-c2k u:object_r:rild_via_socket:s0
+
+/dev/socket/mal-mfi(/.*)? u:object_r:mal_mfi_socket:s0
+/dev/socket/mal-mfi-dongle(/.*)? u:object_r:mal_mfi_socket:s0
+/dev/socket/rpc u:object_r:rpc_socket:s0
+
+/dev/socket/soc_vt_stk(/.*)? u:object_r:soc_vt_stk_socket:s0
+/dev/socket/soc_vt_svc(/.*)? u:object_r:soc_vt_svc_socket:s0
+/dev/socket/soc_vt_tcv(/.*)? u:object_r:soc_vt_tcv_socket:s0
+
+/dev/socket/sysctl(/.*)? u:object_r:sysctl_socket:s0
+/dev/socket/volte_vt(/.*)? u:object_r:volte_vt_socket:s0
+/dev/socket/wpa_wlan0(/.*)? u:object_r:wpa_wlan0_socket:s0
+
+/dev/socket/thermal_socket(/.*)? u:object_r:thermal_socket:s0
+/dev/socket/thermal_hal_socket(/.*)? u:object_r:thermal_hal_socket:s0
+
+/dev/stpant(/.*)? u:object_r:stpant_device:s0
+/dev/stpbt(/.*)? u:object_r:stpbt_device:s0
+/dev/fw_log_bt u:object_r:fw_log_bt_device:s0
+/dev/fw_log_btmcu u:object_r:fw_log_btmcu_device:s0
+
+/dev/stpgps u:object_r:mnld_device:s0
+/dev/stpgps(/.*)? u:object_r:stpgps_device:s0
+/dev/stpgps2(/.*)? u:object_r:stpgps_device:s0
+/dev/gpsdl0 u:object_r:mnld_device:s0
+/dev/gpsdl0(/.*)? u:object_r:gpsdl_device:s0
+/dev/gpsdl1 u:object_r:mnld_device:s0
+/dev/gpsdl1(/.*)? u:object_r:gpsdl_device:s0
+/dev/gps_emi(/.*)? u:object_r:gps_emi_device:s0
+
+/dev/stpwmt(/.*)? u:object_r:stpwmt_device:s0
+/dev/conninfra_dev(/.*)? u:object_r:conninfra_device:s0
+/dev/sw_sync(/.*)? u:object_r:sw_sync_device:s0
+/dev/tgt(/.*)? u:object_r:tgt_device:s0
+/dev/touch(/.*)? u:object_r:touch_device:s0
+/dev/tpd_em_log(/.*)? u:object_r:tpd_em_log_device:s0
+
+/dev/connfem(/.*)? u:object_r:connfem_device:s0
+
+/dev/ttyC0 u:object_r:gsm0710muxd_device:s0
+/dev/ttyCMIPC0 u:object_r:gsm0710muxd_device:s0
+/dev/ttyCMIPC1 u:object_r:gsm0710muxd_device:s0
+/dev/ttyCMIPC2 u:object_r:gsm0710muxd_device:s0
+/dev/ttyCMIPC9 u:object_r:gsm0710muxd_device:s0
+/dev/ttyC1 u:object_r:mdlog_device:s0
+/dev/ttyC2 u:object_r:agps_device:s0
+/dev/ttyC3 u:object_r:icusb_device:s0
+/dev/ttyC6 u:object_r:nlop_device:s0
+/dev/ttyGS.* u:object_r:ttyGS_device:s0
+/dev/ttyMT.* u:object_r:ttyMT_device:s0
+/dev/ttyS.* u:object_r:ttyS_device:s0
+/dev/ttyp.* u:object_r:ttyp_device:s0
+/dev/ttySDIO.* u:object_r:ttySDIO_device:s0
+/dev/ttyUSB0 u:object_r:tty_device:s0
+/dev/ttyUSB1 u:object_r:tty_device:s0
+/dev/ttyUSB2 u:object_r:tty_device:s0
+/dev/ttyUSB3 u:object_r:tty_device:s0
+/dev/ttyUSB4 u:object_r:tty_device:s0
+
+/dev/TV-out(/.*)? u:object_r:TV_out_device:s0
+/dev/uboot(/.*)? u:object_r:uboot_device:s0
+/dev/uibc(/.*)? u:object_r:uibc_device:s0
+/dev/uinput(/.*)? u:object_r:uinput_device:s0
+/dev/uio0(/.*)? u:object_r:uio0_device:s0
+/dev/usrdata(/.*)? u:object_r:usrdata_device:s0
+
+/dev/Vcodec(/.*)? u:object_r:Vcodec_device:s0
+/dev/vmodem u:object_r:vmodem_device:s0
+/dev/vow(/.*)? u:object_r:vow_device:s0
+
+/dev/wmtdetect(/.*)? u:object_r:wmtdetect_device:s0
+/dev/conn_pwr_dev(/.*)? u:object_r:conn_pwr_device:s0
+/dev/conn_scp(/.*)? u:object_r:conn_scp_device:s0
+/dev/wmtWifi(/.*)? u:object_r:wmtWifi_device:s0
+/dev/ancservice(/.*)? u:object_r:ancservice_device:s0
+/dev/offloadservice(/.*)? u:object_r:offloadservice_device:s0
+/dev/audio_ipi(/.*)? u:object_r:audio_ipi_device:s0
+
+/dev/adsp(/.*)? u:object_r:adsp_device:s0
+/dev/adsp_0(/.*)? u:object_r:adsp_device:s0
+/dev/adsp_1(/.*)? u:object_r:adsp_device:s0
+/dev/audio_scp(/.*)? u:object_r:audio_scp_device:s0
+
+/dev/irtx u:object_r:irtx_device:s0
+/dev/lirc[0-9]+ u:object_r:irtx_device:s0
+/dev/spm(/.*)? u:object_r:spm_device:s0
+/dev/xt_qtaguid(/.*)? u:object_r:xt_qtaguid_device:s0
+/dev/pmic_ftm(/.*)? u:object_r:pmic_ftm_device:s0
+/dev/charger_ftm(/.*)? u:object_r:charger_ftm_device:s0
+/dev/shf u:object_r:shf_device:s0
+/dev/ttyACM0 u:object_r:ttyACM_device:s0
+/dev/hrm u:object_r:hrm_device:s0
+/dev/trusty-ipc-dev0 u:object_r:tee_device:s0
+/dev/nebula-ipc-dev0 u:object_r:tee_device:s0
+/dev/trustzone u:object_r:tee_device:s0
+/dev/mbim u:object_r:mbim_device:s0
+/dev/alarm(/.*)? u:object_r:alarm_device:s0
+/dev/radio(/.*)? u:object_r:mtk_radio_device:s0
+/dev/mml_pq u:object_r:mml_pq_device:s0
+
+# Sensor common Devices Start
+/dev/als_ps(/.*)? u:object_r:als_ps_device:s0
+/dev/barometer(/.*)? u:object_r:barometer_device:s0
+/dev/humidity(/.*)? u:object_r:humidity_device:s0
+/dev/gsensor(/.*)? u:object_r:gsensor_device:s0
+/dev/gyroscope(/.*)? u:object_r:gyroscope_device:s0
+/dev/hwmsensor(/.*)? u:object_r:hwmsensor_device:s0
+/dev/msensor(/.*)? u:object_r:msensor_device:s0
+/dev/biometric(/.*)? u:object_r:biometric_device:s0
+/dev/sensorlist(/.*)? u:object_r:sensorlist_device:s0
+/dev/hf_manager(/.*)? u:object_r:hf_manager_device:s0
+
+# Sensor Devices Start
+/dev/m_batch_misc(/.*)? u:object_r:m_batch_misc_device:s0
+
+# Sensor bio Devices Start
+/dev/m_als_misc(/.*)? u:object_r:m_als_misc_device:s0
+/dev/m_ps_misc(/.*)? u:object_r:m_ps_misc_device:s0
+/dev/m_baro_misc(/.*)? u:object_r:m_baro_misc_device:s0
+/dev/m_hmdy_misc(/.*)? u:object_r:m_hmdy_misc_device:s0
+/dev/m_acc_misc(/.*)? u:object_r:m_acc_misc_device:s0
+/dev/m_mag_misc(/.*)? u:object_r:m_mag_misc_device:s0
+/dev/m_gyro_misc(/.*)? u:object_r:m_gyro_misc_device:s0
+/dev/m_act_misc(/.*)? u:object_r:m_act_misc_device:s0
+/dev/m_pedo_misc(/.*)? u:object_r:m_pedo_misc_device:s0
+/dev/m_situ_misc(/.*)? u:object_r:m_situ_misc_device:s0
+/dev/m_step_c_misc(/.*)? u:object_r:m_step_c_misc_device:s0
+/dev/m_fusion_misc(/.*)? u:object_r:m_fusion_misc_device:s0
+/dev/m_bio_misc(/.*)? u:object_r:m_bio_misc_device:s0
+
+# block partition definitions
+/dev/block/mmcblk0boot0 u:object_r:preloader_block_device:s0
+/dev/block/mmcblk0boot1 u:object_r:preloader_block_device:s0
+/dev/block/sda u:object_r:preloader_block_device:s0
+/dev/block/sdb u:object_r:preloader_block_device:s0
+/dev/block/mmcblk0 u:object_r:bootdevice_block_device:s0
+/dev/block/sdc u:object_r:bootdevice_block_device:s0
+/dev/block/mmcblk1 u:object_r:mmcblk1_block_device:s0
+/dev/block/mmcblk1p1 u:object_r:mmcblk1p1_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/proinfo u:object_r:nvram_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/nvram u:object_r:nvram_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/nvdata u:object_r:nvdata_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/expdb u:object_r:expdb_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/misc2 u:object_r:misc2_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/logo u:object_r:logo_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/para u:object_r:para_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/misc u:object_r:misc_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/seccfg u:object_r:seccfg_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/secro u:object_r:secro_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/system u:object_r:system_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/cache u:object_r:cache_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/recovery u:object_r:recovery_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/protect1 u:object_r:protect1_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/protect2 u:object_r:protect2_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/keystore u:object_r:keystore_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/oemkeystore u:object_r:oemkeystore_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/boot u:object_r:boot_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/persist u:object_r:persist_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/metadata u:object_r:metadata_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/nvcfg u:object_r:nvcfg_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/ppl u:object_r:ppl_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/sec1 u:object_r:sec1_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/boot_para u:object_r:boot_para_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/super u:object_r:super_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/boot(_[ab])? u:object_r:boot_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/system(_[ab])? u:object_r:system_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/odm(_[ab])? u:object_r:odm_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/oem(_[ab])? u:object_r:oem_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/vendor(_[ab])? u:object_r:vendor_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/lk(_[ab])? u:object_r:lk_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/odmdtbo(_[ab])? u:object_r:dtbo_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/dtbo(_[ab])? u:object_r:dtbo_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/tee([12]|_[ab]) u:object_r:tee_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/md1img(_[ab])? u:object_r:md_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/md1dsp(_[ab])? u:object_r:dsp_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/md1arm7(_[ab])? u:object_r:md_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/md3img(_[ab])? u:object_r:md_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/scp(_[ab])? u:object_r:scp_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/sspm(_[ab])? u:object_r:sspm_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/spmfw(_[ab])? u:object_r:spmfw_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/vbmeta(_system|_vendor)?(_[ab])? u:object_r:vbmeta_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/dpm.* u:object_r:dpm_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/mcf_ota(_[ab])? u:object_r:mcf_ota_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/vcp(_[ab])? u:object_r:vcp_device:s0
+# Key manager
+/dev/block/platform/soc/[0-9]+\.mmc/by-name/kb u:object_r:kb_block_device:s0
+/dev/block/platform/soc/[0-9]+\.mmc/by-name/dkb u:object_r:dkb_block_device:s0
+
+/dev/block/by-name/proinfo u:object_r:nvram_device:s0
+/dev/block/by-name/nvram u:object_r:nvram_device:s0
+/dev/block/by-name/nvdata u:object_r:nvdata_device:s0
+/dev/block/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/by-name/expdb u:object_r:expdb_block_device:s0
+/dev/block/by-name/misc2 u:object_r:misc2_block_device:s0
+/dev/block/by-name/logo u:object_r:logo_block_device:s0
+/dev/block/by-name/para u:object_r:para_block_device:s0
+/dev/block/by-name/misc u:object_r:misc_block_device:s0
+/dev/block/by-name/seccfg u:object_r:seccfg_block_device:s0
+/dev/block/by-name/secro u:object_r:secro_block_device:s0
+/dev/block/by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/by-name/cache u:object_r:cache_block_device:s0
+/dev/block/by-name/recovery u:object_r:recovery_block_device:s0
+/dev/block/by-name/protect1 u:object_r:protect1_block_device:s0
+/dev/block/by-name/protect2 u:object_r:protect2_block_device:s0
+/dev/block/by-name/keystore u:object_r:keystore_block_device:s0
+/dev/block/by-name/persist u:object_r:persist_block_device:s0
+/dev/block/by-name/metadata u:object_r:metadata_block_device:s0
+/dev/block/by-name/nvcfg u:object_r:nvcfg_block_device:s0
+/dev/block/by-name/sec1 u:object_r:sec1_block_device:s0
+/dev/block/by-name/boot_para u:object_r:boot_para_block_device:s0
+/dev/block/by-name/mcf_ota(_[ab])? u:object_r:mcf_ota_block_device:s0
+/dev/block/by-name/super u:object_r:super_block_device:s0
+/dev/block/by-name/cam_vpu[1-3](_[ab])? u:object_r:cam_vpu_block_device:s0
+/dev/block/by-name/system(_[ab])? u:object_r:system_block_device:s0
+/dev/block/by-name/boot(_[ab])? u:object_r:boot_block_device:s0
+/dev/block/by-name/odm(_[ab])? u:object_r:odm_block_device:s0
+/dev/block/by-name/oem(_[ab])? u:object_r:oem_block_device:s0
+/dev/block/by-name/vendor(_[ab])? u:object_r:vendor_block_device:s0
+/dev/block/by-name/lk(_[ab])? u:object_r:lk_block_device:s0
+/dev/block/by-name/odmdtbo(_[ab])? u:object_r:dtbo_block_device:s0
+/dev/block/by-name/dtbo(_[ab])? u:object_r:dtbo_block_device:s0
+/dev/block/by-name/tee([12]|_[ab]) u:object_r:tee_block_device:s0
+/dev/block/by-name/md1img(_[ab])? u:object_r:md_block_device:s0
+/dev/block/by-name/md1dsp(_[ab])? u:object_r:dsp_block_device:s0
+/dev/block/by-name/md1arm7(_[ab])? u:object_r:md_block_device:s0
+/dev/block/by-name/md3img(_[ab])? u:object_r:md_block_device:s0
+/dev/block/by-name/scp(_[ab])? u:object_r:scp_block_device:s0
+/dev/block/by-name/sspm(_[ab])? u:object_r:sspm_block_device:s0
+/dev/block/by-name/spmfw(_[ab])? u:object_r:spmfw_block_device:s0
+/dev/block/by-name/mcupmfw(_[ab])? u:object_r:mcupmfw_block_device:s0
+/dev/block/by-name/mcupm(_[ab])? u:object_r:mcupmfw_block_device:s0
+/dev/block/by-name/loader_ext(_[ab])? u:object_r:loader_ext_block_device:s0
+/dev/block/by-name/vbmeta(_system|_vendor)?(_[ab])? u:object_r:vbmeta_block_device:s0
+/dev/block/by-name/dpm.* u:object_r:dpm_block_device:s0
+/dev/block/by-name/dpm(_[ab])? u:object_r:dpm_block_device:s0
+/dev/block/by-name/audio_dsp(_[ab])? u:object_r:audio_dsp_block_device:s0
+/dev/block/by-name/gz([12]|_[ab]) u:object_r:gz_block_device:s0
+/dev/block/by-name/vendor_boot(_[ab])? u:object_r:boot_block_device:s0
+/dev/block/by-name/pi_img(_[ab])? u:object_r:pi_img_device:s0
+/dev/block/by-name/apusys(_[ab])? u:object_r:apusys_device:s0
+/dev/block/by-name/ccu(_[ab])? u:object_r:ccu_device:s0
+/dev/block/by-name/gpueb(_[ab])? u:object_r:gpueb_device:s0
+/dev/block/by-name/vcp(_[ab])? u:object_r:vcp_device:s0
+/dev/block/by-name/mvpu_algo(_[ab])? u:object_r:mvpu_algo_device:s0
+# W19.23 Q new feature - Userdata Checkpoint
+/dev/block/by-name/md_udc u:object_r:metadata_block_device:s0
+
+# MRDUMP
+/dev/block/by-name/mrdump(/.*)? u:object_r:mrdump_device:s0
+
+/dev/vcu u:object_r:vcu_device:s0
+/dev/vpud u:object_r:vpud_device:s0
+
+##########################
+# Vendor files
+#
+/(vendor|system/vendor)/bin/audiocmdservice_atci u:object_r:audiocmdservice_atci_exec:s0
+/(vendor|system/vendor)/bin/stp_dump3 u:object_r:stp_dump3_exec:s0
+/(vendor|system/vendor)/bin/wifi_dump u:object_r:wifi_dump_exec:s0
+/(vendor|system/vendor)/bin/bt_dump u:object_r:bt_dump_exec:s0
+/(vendor|system/vendor)/bin/wmt_launcher u:object_r:mtk_wmt_launcher_exec:s0
+/(vendor|system/vendor)/bin/fuelgauged u:object_r:fuelgauged_exec:s0
+/(vendor|system/vendor)/bin/smartcharging u:object_r:smartcharging_exec:s0
+/(vendor|system/vendor)/bin/fuelgauged_nvram u:object_r:fuelgauged_nvram_exec:s0
+/(vendor|system/vendor)/bin/gsm0710muxd u:object_r:gsm0710muxd_exec:s0
+/(vendor|system/vendor)/bin/mmc_ffu u:object_r:mmc_ffu_exec:s0
+/(vendor|system/vendor)/bin/mtk_agpsd u:object_r:mtk_agpsd_exec:s0
+/(vendor|system/vendor)/bin/mtkrild u:object_r:mtkrild_exec:s0
+/(vendor|system/vendor)/bin/muxreport u:object_r:muxreport_exec:s0
+/(vendor|system/vendor)/bin/nvram_agent_binder u:object_r:mtk_hal_nvramagent_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.nvram@(.*)-service u:object_r:mtk_hal_nvramagent_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.nvram@(.*)-service-lazy u:object_r:mtk_hal_nvramagent_exec:s0
+/(vendor|system/vendor)/bin/nvram_daemon u:object_r:nvram_daemon_exec:s0
+/(vendor|system/vendor)/bin/slpd u:object_r:slpd_exec:s0
+/(vendor|system/vendor)/bin/thermal_manager u:object_r:thermal_manager_exec:s0
+/(vendor|system/vendor)/bin/thermal_core u:object_r:thermal_core_exec:s0
+/(vendor|system/vendor)/bin/thermal_core64 u:object_r:thermal_core_exec:s0
+/(vendor|system/vendor)/bin/frs u:object_r:thermal_core_exec:s0
+/(vendor|system/vendor)/bin/frs64 u:object_r:thermal_core_exec:s0
+/(vendor|system/vendor)/bin/thermalloadalgod u:object_r:thermalloadalgod_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@2\.0-service\.mtk u:object_r:hal_thermal_default_exec:s0
+/(vendor|system/vendor)/bin/lbs_hidl_service u:object_r:lbs_hidl_service_exec:s0
+/(vendor|system/vendor)/bin/meta_tst u:object_r:meta_tst_exec:s0
+/(vendor|system/vendor)/bin/kisd u:object_r:kisd_exec:s0
+
+/(vendor|system/vendor)/bin/fm_hidl_service u:object_r:fm_hidl_service_exec:s0
+/(vendor|system/vendor)/bin/wlan_assistant u:object_r:wlan_assistant_exec:s0
+/(vendor|system/vendor)/bin/wmt_loader u:object_r:wmt_loader_exec:s0
+/(vendor|system/vendor)/bin/spm_loader u:object_r:spm_loader_exec:s0
+/(vendor|system/vendor)/bin/ccci_mdinit u:object_r:ccci_mdinit_exec:s0
+/(vendor|system/vendor)/bin/factory u:object_r:factory_exec:s0
+/(vendor|system/vendor)/bin/conninfra_loader u:object_r:conninfra_loader_exec:s0
+
+/(vendor|system/vendor)/bin/mnld u:object_r:mnld_exec:s0
+/(vendor|system/vendor)/bin/gbe u:object_r:gbe_native_exec:s0
+/(vendor|system/vendor)/bin/fpsgo u:object_r:fpsgo_native_exec:s0
+/(vendor|system/vendor)/bin/xgff_test u:object_r:xgff_test_native_exec:s0
+
+/(vendor|system/vendor)/bin/biosensord_nvram u:object_r:biosensord_nvram_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service-mediatek u:object_r:mtk_hal_bluetooth_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@2\.1-service-mediatek u:object_r:mtk_hal_gnss_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss-service\.mediatek u:object_r:mtk_hal_gnss_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.audio\.service\.mediatek u:object_r:mtk_hal_audio_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.mtkpower@1\.0-service u:object_r:mtk_hal_power_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service-mediatek u:object_r:mtk_hal_sensors_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@2\.0-service-mediatek u:object_r:mtk_hal_sensors_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@2\.0-service\.multihal-mediatek u:object_r:mtk_hal_sensors_exec:s0
+/(vendor|system/vendor)/bin/hw/rilproxy u:object_r:rild_exec:s0
+/(vendor|system/vendor)/bin/hw/mtkfusionrild u:object_r:rild_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-mediatek u:object_r:mtk_hal_light_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-mediatek-lazy u:object_r:mtk_hal_light_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.mediatek u:object_r:mtk_hal_light_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service-mediatek u:object_r:hal_vibrator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service-mediatek-lazy u:object_r:hal_vibrator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator-service\.example u:object_r:hal_vibrator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator-service\.mediatek u:object_r:hal_vibrator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/camerahalserver u:object_r:mtk_hal_camera_exec:s0
+/(vendor|system/vendor)/bin/hw/mt[0-9]+[a-z]*/camerahalserver u:object_r:mtk_hal_camera_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.imsa@1\.0-service u:object_r:mtk_hal_imsa_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@4\.0-service-mediatek u:object_r:hal_graphics_allocator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/mt[0-9]+[a-z]*/android\.hardware\.graphics\.allocator@4\.0-service-mediatek\.mt[0-9]+[a-z]* u:object_r:hal_graphics_allocator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.c2@1\.2-mediatek u:object_r:mtk_hal_c2_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.c2@1\.2-mediatek-64b u:object_r:mtk_hal_c2_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service\.mediatek u:object_r:mtk_hal_memtrack_exec:s0
+
+# Google Trusty system files
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service\.trusty u:object_r:hal_keymaster_default_exec:s0
+
+# MTEE keymaster4.0/4.1 system files
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service\.mtee u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service\.mtee u:object_r:hal_keymaster_default_exec:s0
+
+# Trustonic TEE
+/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service\.trustonic u:object_r:hal_keymint_default_exec:s0
+
+# PQ hal
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.pq@2\.2-service u:object_r:mtk_hal_pq_exec:s0
+
+# MMS hal
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.mms@1\.6-service u:object_r:mtk_hal_mms_exec:s0
+
+#MMAgent hal
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.mmagent@[0-9]+\.[0-9]+-service u:object_r:mtk_hal_mmagent_exec:s0
+# Keymaster Attestation Hal
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.keymaster_attestation@1\.1-service u:object_r:hal_keymaster_attestation_exec:s0
+
+# ST NFC 1.2 hidl service
+/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service-st u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-st54spi u:object_r:st54spi_hal_secure_element_exec:s0
+
+# MTK Wifi Hal
+/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-mediatek u:object_r:mtk_hal_wifi_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-lazy-mediatek u:object_r:mtk_hal_wifi_exec:s0
+
+# MTK USB hal
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.[0-9]+-service-mediatek u:object_r:mtk_hal_usb_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.[0-9]+-service-mediatekv2 u:object_r:mtk_hal_usb_exec:s0
+
+# MTK OMAPI for UICC
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-mediatek u:object_r:mtk_hal_secure_element_exec:s0
+
+# hidl process merging
+/(vendor|system/vendor)/bin/hw/merged_hal_service u:object_r:merged_hal_service_exec:s0
+
+# Date: 2019/07/16
+# hdmi hal
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.hdmi@1\.0-service u:object_r:mtk_hal_hdmi_exec:s0
+
+# BIP AP
+/(vendor|system/vendor)/bin/bip_ap u:object_r:bip_ap_exec:s0
+
+# Date : 2019/10/28
+# Purpose : move these contexts from plat_private/file_contexts
+/vendor/bin/em_hidl u:object_r:em_hidl_exec:s0
+
+# Widevine drm hal(include lazy hal)
+/vendor/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+/vendor/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service-lazy\.widevine u:object_r:hal_drm_widevine_exec:s0
+
+# Cleaarkey hal(include lazy hal)
+/vendor/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
+/vendor/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service-lazy\.clearkey u:object_r:hal_drm_clearkey_exec:s0
+
+# Date: 2020/06/16
+# Operation: R migration
+# Purpose: Add permission for boot control lazy HAL
+/vendor/bin/hw/android\.hardware\.boot@[0-9]+\.[0-9]+-service-lazy u:object_r:hal_bootctl_default_exec:s0
+
+# Date: 2020/09/25
+# Purpose: kernel modules
+/vendor/bin/init\.insmod\.sh u:object_r:init_insmod_sh_exec:s0
+
+# GMS requirement
+/vendor/bin/chipinfo u:object_r:chipinfo_exec:s0
+
+/vendor/bin/vpud u:object_r:vpud_native_exec:s0
+/vendor/bin(/mt[0-9]+)?/v3avpud(\.mt[0-9]+)? u:object_r:vpud_native_exec:s0
+
+# EARA-IO
+/vendor/bin/eara_io_service u:object_r:eara_io_exec:s0
+
+# ccci_mdinit access vendor/etc/md file
+/vendor/etc/md(/.*)? u:object_r:vendor_etc_md_file:s0
+
+# AI feature access vendor/etc/nn file
+/vendor/etc/nn(/.*)? u:object_r:vendor_etc_nn_file:s0
+
+# Data : 2020/12/30
+# Purpose : DBReleasePlan
+/vendor/bin/crossbuild(/.*)? u:object_r:vendor_bin_crossbuild_file:s0
+##########################
+# same-process HAL files and their dependencies
+#
+/vendor/lib(64)?/hw/gralloc\.mt[0-9]+[a-z]*\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/gralloc\.rogue\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/mt[0-9]+[a-z]*/gralloc\.rogue\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/vulkan\.mt[0-9]+\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/vulkan\.mtk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/vulkan\.mali\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/vulkan\.mali\.mt[0-9]+\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/mt[0-9]+/vulkan\.mali\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/mt[0-9]+/vulkan\.mtk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgpudataproducer\.mt[0-9]+\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/mt[0-9]+\/libgpudataproducer\.so u:object_r:same_process_hal_file:s0
+
+
+/vendor/lib(64)?/libIMGegl\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libglslcompiler\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libPVRScopeServices\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libsrv_um\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libmpvr\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libPVRMtkutils\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libusc\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libtqvalidate\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libPVROCL\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libufwriter\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libmemtrack_GL\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libPVRTrace\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/mt[0-9]+[a-z]*/libIMGegl\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/mt[0-9]+[a-z]*/libglslcompiler\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/mt[0-9]+[a-z]*/libPVRScopeServices\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/mt[0-9]+[a-z]*/libsrv_um\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/mt[0-9]+[a-z]*/libmpvr\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/mt[0-9]+[a-z]*/libPVRMtkutils\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/mt[0-9]+[a-z]*/libusc\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/mt[0-9]+[a-z]*/libtqvalidate\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/mt[0-9]+[a-z]*/libPVROCL\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/mt[0-9]+[a-z]*/libufwriter\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/mt[0-9]+[a-z]*/libmemtrack_GL\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/mt[0-9]+[a-z]*/libPVRTrace\.so u:object_r:same_process_hal_file:s0
+
+/vendor/lib(64)?/libGLES_mali\.so u:object_r:same_process_hal_file:s0
+
+/vendor/firmware/valhall-1691526.wa u:object_r:same_process_hal_file:s0
+/vendor/firmware/mali_csffw.bin u:object_r:same_process_hal_file:s0
+
+/vendor/lib(64)?/libgralloc_extra\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgpu_aux\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgpud\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgralloc_metadata\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgralloctypes_mtk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libged\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/arm\.graphics-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/mt[0-9]+[a-z]*/arm\.graphics-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libion_mtk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libion_ulit\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/mtk_cache\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/arm\.graphics-ndk_platform\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/mt[0-9]+[a-z]*/arm\.graphics-ndk_platform\.so u:object_r:same_process_hal_file:s0
+
+/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl-2\.1\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@4\.0-impl-mediatek\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/mt[0-9]+[a-z]*/android\.hardware\.graphics\.mapper@4\.0-impl-mediatek\.so u:object_r:same_process_hal_file:s0
+
+/vendor/lib(64)?/vendor\.mediatek\.hardware\.mms@[0-9]\.[0-9]\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libdpframework\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/mt[0-9]+[a-z]*/libdpframework\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libpq_cust_base\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/mt[0-9]+[a-z]*/libpq_cust_base\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/vendor\.mediatek\.hardware\.pq@[0-9]\.[0-9]\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libpq_prot\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/mt[0-9]+[a-z]*/libpq_prot\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libhdrvideo\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libscltm\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libaal_mtk\.so u:object_r:same_process_hal_file:s0
+
+/vendor/lib(64)?/vendor\.mediatek\.hardware\.mmagent@[0-9]\.[0-9]\.so u:object_r:same_process_hal_file:s0
+
+/vendor/lib(64)?/mt[0-9]+[a-z]*/libaiselector\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libaispq\.so u:object_r:same_process_hal_file:s0
+
+/vendor/lib(64)?/vendor\.mediatek\.hardware\.gpu@1\.0.so u:object_r:same_process_hal_file:s0
+
+/vendor/lib(64)?/libladder\.so u:object_r:same_process_hal_file:s0
+
+/vendor/lib(64)?/libtflite_mtk.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libnir_neon_driver_ndk.mtk.vndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libcmdl_ndk.mtk.vndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libarmnn_ndk.mtk.vndk\.so u:object_r:same_process_hal_file:s0
+
+# Date: 2018/07/06
+# Purpose for same-process HAL files and their dependencies: libGLES_mali.so need libm4u.so on mali GPU.
+/vendor/lib(64)?/libm4u\.so u:object_r:same_process_hal_file:s0
+
+# Date: 2018/12/04
+# Purpose: Neuron runtime API and the dependencies
+/vendor/lib(64)?/libneuron_platform.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libion_mtk.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/mtk_cache.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libvpu.so u:object_r:same_process_hal_file:s0
+
+# Date: 2019/01/21
+# Purpose: OpenCL feature requirments
+/vendor/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0
+
+# Date: 2019/09/05
+# Purpose: GiFT related libraries
+/vendor/lib(64)?/libDefaultFpsActor.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libNoFpsActor.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libFrameRecord.so u:object_r:same_process_hal_file:s0
+
+# Date: 2021/07/26
+# Purpose: RayTracing related libraries
+/vendor/lib(64)?/libVkLayer_mtk_rt_sdk.so u:object_r:same_process_hal_file:s0
+
+##########################
+# Others
+#
+# nvdata
+/mnt/vendor/nvdata(/.*)? u:object_r:nvdata_file:s0
+/mnt/vendor/nvcfg(/.*)? u:object_r:nvcfg_file:s0
+
+# protected data file
+/mnt/vendor/protect_f(/.*)? u:object_r:protect_f_data_file:s0
+/mnt/vendor/protect_s(/.*)? u:object_r:protect_s_data_file:s0
+/mnt/vendor/persist(/.*)? u:object_r:persist_data_file:s0
+
+# fat on nand image
+/fat(/.*)? u:object_r:fon_image_data_file:s0
+
+# A/B system
+/enableswap.sh u:object_r:rootfs:s0
+/factory_init\..* u:object_r:rootfs:s0
+/meta_init\..* u:object_r:rootfs:s0
+/multi_init\..* u:object_r:rootfs:s0
+/dev/block/by-name/preloader_raw_a u:object_r:postinstall_block_device:s0
+/dev/block/by-name/preloader_raw_b u:object_r:postinstall_block_device:s0
+/dev/block/platform/bootdevice/by-name/preloader_raw_a u:object_r:postinstall_block_device:s0
+/dev/block/platform/bootdevice/by-name/preloader_raw_b u:object_r:postinstall_block_device:s0
+
+/postinstall/bin/mtk_plpath_utils_ota u:object_r:postinstall_file:s0
+# Custom files
+(/vendor)?/custom(/.*)? u:object_r:custom_file:s0
+
+# mdota
+/mnt/vendor/mdota(/.*)? u:object_r:mcf_ota_file:s0
+
+# Date: 2021/07/23
+# Purpose: Add permission for dcxo calibration daemon to set cap id
+/vendor/bin/dcxosetcap u:object_r:DcxoSetCap_exec:s0
+
+# Date:2021/08/05
+# Purpose: permission for audioserver to access ccci node
+/dev/ccci_aud u:object_r:ccci_aud_device:s0
+/dev/ccci_raw_audio u:object_r:ccci_aud_device:s0
+
+# Date : 2021/08/27
+# Purpose : Add permission for wifi proxy
+/dev/ccci_wifi_proxy u:object_r:ccci_wifi_proxy_device:s0
+
+# Date:2021/07/27
+# Purpose: permission for CCB user
+/dev/ccci_ccb_ctrl u:object_r:ccci_ccb_device:s0
+# Purpose: permission for md_monitor
+/dev/ccci_ccb_md_monitor u:object_r:ccci_mdmonitor_device:s0
+/dev/ccci_mdl_monitor u:object_r:ccci_mdmonitor_device:s0
+/dev/ccci_raw_mdm u:object_r:ccci_mdmonitor_device:s0
+
+# Date: 2021/09/26
+# Purpose: Add permission for vilte
+/dev/ccci_vts u:object_r:ccci_vts_device:s0
diff --git a/basic/non_plat/flashlessd.te b/basic/non_plat/flashlessd.te
new file mode 100644
index 0000000..f774721
--- /dev/null
+++ b/basic/non_plat/flashlessd.te
@@ -0,0 +1 @@
+type flashlessd, domain;
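Review bot: `type flashlessd, domain;` declares a domain with no `_exec` type, no `init_daemon_domain()` and no allow rules, so nothing in this file can transition into it. If the transition and rules live in another policy directory (bsp/non_plat, for instance), a one-line comment such as `# Domain declared here; exec type and rules are in <other policy dir — to confirm>` would stop a reader treating this as a dead domain. If they do not exist anywhere, the declaration should be dropped rather than left as an unreachable domain.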
diff --git a/basic/non_plat/fm_hidl_service.te b/basic/non_plat/fm_hidl_service.te
new file mode 100644
index 0000000..1c10139
--- /dev/null
+++ b/basic/non_plat/fm_hidl_service.te
@@ -0,0 +1,16 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type fm_hidl_service, domain;
+type fm_hidl_service_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(fm_hidl_service)
+
+hal_server_domain(fm_hidl_service, hal_mtk_fm)
+
+vndbinder_use(fm_hidl_service)
+
+allow fm_hidl_service fm_device:chr_file rw_file_perms;
+
+binder_call(fm_hidl_service, system_server)
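Review bot: `binder_call(fm_hidl_service, system_server)` on the last line grants a vendor domain a direct binder path to system_server with no Date/Purpose comment, unlike the dated rules elsewhere in this commit. `hal_server_domain(fm_hidl_service, hal_mtk_fm)` already covers hwbinder traffic with whatever domains are declared `hal_client_domain(…, hal_mtk_fm)`, so the extra rule is either redundant or is carrying a non-HAL callback path that should be named; please add a comment like `# Purpose: <callback the FM HAL makes into system_server — to confirm>` or remove the rule. Separately, the header lacks the `# Policy File of /vendor/bin/hw/... Executable File` line that sibling files such as fpsgo_native.te carry, and the attribute order in `type fm_hidl_service_exec, exec_type, vendor_file_type, file_type;` differs from the `exec_type, file_type, vendor_file_type` order used in the rest of this commit.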
diff --git a/basic/non_plat/fpsgo_native.te b/basic/non_plat/fpsgo_native.te
new file mode 100644
index 0000000..a2feb46
--- /dev/null
+++ b/basic/non_plat/fpsgo_native.te
@@ -0,0 +1,52 @@
+# ==============================================
+# Policy File of /vendor/bin/fpsgo Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type fpsgo_native_exec, exec_type, file_type, vendor_file_type;
+type fpsgo_native, domain, mlstrustedsubject;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(fpsgo_native)
+
+allow fpsgo_native self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow fpsgo_native sysfs_boot_mode:file r_file_perms;
+hal_client_domain(fpsgo_native, hal_power)
+allow fpsgo_native proc_perfmgr:dir r_dir_perms;
+allow fpsgo_native proc_perfmgr:file rw_file_perms;
+
+allow fpsgo_native audioserver:process setsched;
+allow fpsgo_native dumpstate:process setsched;
+allow fpsgo_native hal_graphics_allocator_default:process setsched;
+allow fpsgo_native init:process setsched;
+allow fpsgo_native logd:process setsched;
+allow fpsgo_native mediaserver:process setsched;
+allow fpsgo_native mediaswcodec:process setsched;
+allow fpsgo_native mediaextractor:process setsched;
+allow fpsgo_native mtk_hal_audio:process setsched;
+allow fpsgo_native mtk_hal_sensors:process setsched;
+allow fpsgo_native mtk_hal_c2:process setsched;
+allow fpsgo_native mtk_hal_gnss:process setsched;
+allow fpsgo_native mtk_hal_power:process setsched;
+allow fpsgo_native netd:process setsched;
+allow fpsgo_native platform_app:process setsched;
+allow fpsgo_native priv_app:process setsched;
+allow fpsgo_native radio:process setsched;
+allow fpsgo_native self:capability sys_nice;
+allow fpsgo_native servicemanager:process setsched;
+allow fpsgo_native surfaceflinger:process setsched;
+allow fpsgo_native system_app:process setsched;
+allow fpsgo_native system_server:process setsched;
+allow fpsgo_native untrusted_app_all:process setsched;
+allow fpsgo_native vpud_native:process setsched;
+allow fpsgo_native wificond:process setsched;
+
+
+
+
+allowxperm fpsgo_native proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_GET_CMD
+};
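Review bot: The 24 `:process setsched` rules starting at `allow fpsgo_native audioserver:process setsched;` have no Date/Operation/Purpose comment, and they include the broadest possible targets (`untrusted_app_all`, `init`, `system_server`) together with `self:capability sys_nice`, so a reader cannot tell whether every entry is still needed or which boost path each serves. A single header such as `# Purpose: fpsgo adjusts scheduling policy of frame-producing processes; sys_nice is required to raise priority of foreign threads` above the block, plus a note on why `init` and `untrusted_app_all` are in the list, would make later pruning reviewable. The four blank lines between `wificond:process setsched;` and the `allowxperm` block should collapse to one, matching the rest of the file.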
diff --git a/basic/non_plat/fsck.te b/basic/non_plat/fsck.te
new file mode 100644
index 0000000..7ba0876
--- /dev/null
+++ b/basic/non_plat/fsck.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK15.29
+# Operation : Migration
+# Purpose : file system check for protect1/protect2/nvdata/persist/nvcfg block devices.
+allow fsck protect1_block_device:blk_file rw_file_perms;
+allow fsck protect2_block_device:blk_file rw_file_perms;
+allow fsck nvdata_device:blk_file rw_file_perms;
+allow fsck persist_block_device:blk_file rw_file_perms;
+allow fsck nvcfg_block_device:blk_file rw_file_perms;
+allow fsck odm_block_device:blk_file rw_file_perms;
+allow fsck oem_block_device:blk_file rw_file_perms;
+
+# Date : WK17.12
+# Purpose: Fix bootup fail
+allow fsck system_block_device:blk_file getattr;
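Review bot: The comment `# Purpose: Fix bootup fail` above `allow fsck system_block_device:blk_file getattr;` does not say what fails or why only `getattr` is granted, which is the interesting part: as far as I recall, AOSP carries a neverallow that keeps fsck from `open read write` on `system_block_device`, so `getattr` is the most this rule can ever be widened to. Rewording it as `# Purpose: fsck stats the system partition node during boot; only getattr — open/read/write on system_block_device is neverallowed by platform policy (verify)` records that constraint for whoever next hits a denial here. The earlier block is fine, though `odm_block_device` and `oem_block_device` are not mentioned in the Purpose line at L7000 and could be added to it.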
diff --git a/basic/non_plat/fuelgauged.te b/basic/non_plat/fuelgauged.te
new file mode 100644
index 0000000..a7dbfb0
--- /dev/null
+++ b/basic/non_plat/fuelgauged.te
@@ -0,0 +1,61 @@
+# ==============================================
+# Policy File of /vendor/bin/fuelgauged Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type fuelgauged, domain;
+type fuelgauged_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(fuelgauged)
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : Fuel Gauge daemon for access driver node
+allow fuelgauged input_device:dir rw_dir_perms;
+allow fuelgauged input_device:file r_file_perms;
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : For meta tool calibration
+allow fuelgauged mtk-adc-cali_device:chr_file rw_file_perms;
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : For fg.log can be printed with kernel log
+allow fuelgauged kmsg_device:chr_file w_file_perms;
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : For fg daemon can comminucate with kernel
+allow fuelgauged self:netlink_socket create_socket_perms_no_ioctl;
+allow fuelgauged self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+
+# Data : WK16.39
+allow fuelgauged self:capability { chown fsetid };
+
+# Date: W17.22
+# Operation : New Feature
+# Purpose : Add for A/B system
+allow fuelgauged kernel:system module_request;
+
+# Date: W18.03
+# Operation : change fuelgagued access from cache to nvcfg
+# Purpose : add fuelgauged to nvcfg read write permit
+allow fuelgauged nvcfg_file:dir create_dir_perms;
+allow fuelgauged nvcfg_file:file create_file_perms;
+
+# Date: W18.17
+# Operation : add label for /sys/devices/platform/battery(/.*)
+# Purpose : add fuelgauged could access
+r_dir_file(fuelgauged, sysfs_batteryinfo)
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
+allow fuelgauged mnt_vendor_file:dir search;
+
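Review bot: `allow fuelgauged kernel:system module_request;` lets the daemon trigger kernel module autoloading, and the comment `# Purpose : Add for A/B system` does not name which module or call path needs it; please state it, e.g. `# Purpose : A/B boot — <syscall/module that triggers request_module() — to confirm>`, or drop the rule if the module is now loaded by init.insmod.sh (labelled in this same commit). `allow fuelgauged input_device:dir rw_dir_perms;` grants write/add/remove on /dev/input while the file rule beneath it is read-only; unless the daemon creates input nodes, `r_dir_perms` matches the stated purpose "access driver node". Minor: the `# Data :` headers in this file should read `# Date :` as in fsck.te, and the file ends with a trailing blank line.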
diff --git a/basic/non_plat/fuelgauged_nvram.te b/basic/non_plat/fuelgauged_nvram.te
new file mode 100644
index 0000000..9114614
--- /dev/null
+++ b/basic/non_plat/fuelgauged_nvram.te
@@ -0,0 +1,56 @@
+# ==============================================
+# Policy File of /vendor/bin/fuelgauged_nvram Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type fuelgauged_nvram, domain;
+type fuelgauged_nvram_exec , exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(fuelgauged_nvram)
+
+# Data : WK16.21
+# Operation : New Feature
+# Purpose : For fg daemon can do nvram r/w to save car_tune_value
+allow fuelgauged_nvram nvdata_file:dir rw_dir_perms;
+allow fuelgauged_nvram nvdata_file:file create_file_perms;
+allow fuelgauged_nvram nvdata_file:lnk_file rw_file_perms;
+allow fuelgauged_nvram nvram_data_file:lnk_file rw_file_perms;
+
+# Data : W16.43
+# Operation : New Feature
+# Purpose : Change from /data to /cache
+allow fuelgauged_nvram self:capability { chown fsetid };
+allow fuelgauged_nvram kmsg_device:chr_file w_file_perms;
+
+# Data : W17.34
+# Operation : New Feature
+# Purpose : fgauge_nvram could use IOCTL
+allow fuelgauged_nvram MT_pmic_adc_cali_device:chr_file rw_file_perms;
+
+# Date: W18.03
+# Operation : change fuelgagued_nvram access from cache to nvcfg
+# Purpose : add fuelgauged to nvcfg read write permit
+# need add label
+allow fuelgauged_nvram nvcfg_file:dir create_dir_perms;
+allow fuelgauged_nvram nvcfg_file:file create_file_perms;
+
+# Date: W18.17
+# Operation : add label for /sys/devices/platform/battery(/.*)
+# Purpose : add fuelgauged could access
+r_dir_file(fuelgauged_nvram, sysfs_batteryinfo)
+
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
+allow fuelgauged_nvram mnt_vendor_file:dir search;
+
+allow fuelgauged_nvram sysfs_boot_mode:file r_file_perms;
+
+# Allow ReadDefaultFstab().
+read_fstab(fuelgauged_nvram)
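Review bot: `allow fuelgauged_nvram nvdata_file:lnk_file rw_file_perms;` and the matching `nvram_data_file:lnk_file` rule grant write on symlinks themselves, which a daemon that follows a link into nvram only needs `read` for; unless it rewrites the links, `allow fuelgauged_nvram nvdata_file:lnk_file read;` (and likewise for nvram_data_file) is the least privilege that still resolves them. The block at L7108–L7112 is headed `# Purpose : Change from /data to /cache` but grants `self:capability { chown fsetid }` and kmsg write, and the next block says storage moved again to nvcfg, so the rationale for keeping `chown fsetid` should be restated (which files it chowns, and whether that is still true under nvcfg_file). As in fuelgauged.te, the `# Data :` headers should be `# Date :`, and the extra blank line before `# Date : WK18.21` can go.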
diff --git a/basic/non_plat/gbe_native.te b/basic/non_plat/gbe_native.te
new file mode 100644
index 0000000..7374da1
--- /dev/null
+++ b/basic/non_plat/gbe_native.te
@@ -0,0 +1,23 @@
+# ==============================================
+# Policy File of /vendor/bin/gbe Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type gbe_native_exec, exec_type, file_type, vendor_file_type;
+type gbe_native, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(gbe_native)
+
+allow gbe_native self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+set_prop(gbe_native, vendor_mtk_gbe_prop)
+allow gbe_native sysfs_boot_mode:file r_file_perms;
+hal_client_domain(gbe_native, hal_power)
+allow gbe_native proc_perfmgr:dir r_dir_perms;
+allow gbe_native proc_perfmgr:file rw_file_perms;
+allowxperm gbe_native proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_GBE_GET_CMD
+};
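Review bot: The five rules from `allow gbe_native self:netlink_kobject_uevent_socket …` through `allow gbe_native proc_perfmgr:file rw_file_perms;` duplicate the identical block in fpsgo_native.te in this commit, differing only in the ioctl allowed by `allowxperm`. If more perfmgr clients are expected, a shared attribute (declared in this commit's attributes file) carrying the common rules would keep the two from drifting apart; if not, a comment such as `# Same perfmgr access pattern as fpsgo_native.te; only the ioctl set differs` is enough to make the relationship visible. The scoped `allowxperm … { PERFMGR_FPSGO_GBE_GET_CMD }` is the right shape and should stay the only ioctl granted.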
diff --git a/basic/non_plat/genfs_contexts b/basic/non_plat/genfs_contexts
new file mode 100644
index 0000000..c9b37e6
--- /dev/null
+++ b/basic/non_plat/genfs_contexts
@@ -0,0 +1,674 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+##########################
+# proc files
+#
+genfscon proc /blocktag/blockio u:object_r:procfs_blockio:s0
+genfscon proc /blocktag/eara_io u:object_r:proc_earaio:s0
+genfscon proc /driver/thermal u:object_r:proc_thermal:s0
+genfscon proc /thermlmt u:object_r:proc_thermal:s0
+genfscon proc /fps_tm u:object_r:proc_thermal:s0
+genfscon proc /wmt_tm u:object_r:proc_thermal:s0
+genfscon proc /mobile_tm u:object_r:proc_thermal:s0
+genfscon proc /bcctlmt u:object_r:proc_thermal:s0
+genfscon proc /battery_status u:object_r:proc_thermal:s0
+genfscon proc /mtkcooler u:object_r:proc_mtkcooler:s0
+genfscon proc /mtktz u:object_r:proc_mtktz:s0
+genfscon proc /lk_env u:object_r:proc_lk_env:s0
+genfscon proc /driver/storage_logger u:object_r:proc_slogger:s0
+genfscon proc /driver/icusb u:object_r:proc_icusb:s0
+genfscon proc /mrdump_rst u:object_r:proc_mrdump_rst:s0
+genfscon proc /mtd u:object_r:proc_mtd:s0
+genfscon proc /ged u:object_r:proc_ged:s0
+genfscon proc /mtk_jpeg u:object_r:proc_mtk_jpeg:s0
+genfscon proc /perfmgr u:object_r:proc_perfmgr:s0
+genfscon proc /driver/wmt_dbg u:object_r:proc_wmtdbg:s0
+genfscon proc /zraminfo u:object_r:proc_zraminfo:s0
+genfscon proc /gpulog u:object_r:proc_gpulog:s0
+genfscon proc /gpufreqv2 u:object_r:proc_gpufreqv2:s0
+genfscon proc /cpu/alignment u:object_r:proc_cpu_alignment:s0
+genfscon proc /sched_debug u:object_r:proc_sched_debug:s0
+genfscon proc /chip u:object_r:proc_chip:s0
+genfscon proc /atf_log u:object_r:proc_atf_log:s0
+genfscon proc /gz_log u:object_r:proc_gz_log:s0
+genfscon proc /last_kmsg u:object_r:proc_last_kmsg:s0
+genfscon proc /bootprof u:object_r:proc_bootprof:s0
+genfscon proc /mtprintk u:object_r:proc_mtprintk:s0
+genfscon proc /pl_lk u:object_r:proc_pl_lk:s0
+genfscon proc /msdc_debug u:object_r:proc_msdc_debug:s0
+genfscon proc /ufs_debug u:object_r:proc_ufs_debug:s0
+genfscon proc /pidmap u:object_r:proc_pidmap:s0
+genfscon proc /mtk_memcfg/slabtrace u:object_r:proc_slabtrace:s0
+genfscon proc /mtk_cmdq_debug/status u:object_r:proc_cmdq_debug:s0
+genfscon proc /mtk_cmdq_debug/record u:object_r:proc_cmdq_debug:s0
+genfscon proc /cpuhvfs/dbg_repo u:object_r:proc_dbg_repo:s0
+genfscon proc /sys/kernel/panic_on_rcu_stall u:object_r:proc_panic_on_rcu_stall:s0
+
+# Purpose dump not exit file
+genfscon proc /isp_p2/isp_p2_dump u:object_r:proc_isp_p2_dump:s0
+genfscon proc /isp_p2/isp_p2_kedump u:object_r:proc_isp_p2_kedump:s0
+genfscon proc /mali/memory_usage u:object_r:proc_memory_usage:s0
+genfscon proc /mtk_mali/gpu_memory u:object_r:proc_gpu_memory:s0
+genfscon proc /mtk_es_reg_dump u:object_r:proc_mtk_es_reg_dump:s0
+
+# Date : 2018/11/01
+# Purpose : mtk EM c2k bypass read usb file
+genfscon proc /isp_p2 u:object_r:proc_isp_p2:s0
+
+# Date : WK19.27
+# Purpose: Android Migration for SVP
+genfscon proc /m4u u:object_r:proc_m4u:s0
+
+genfscon proc /driver/wmt_aee u:object_r:proc_wmt_aee:s0
+
+genfscon proc /ccci_dump u:object_r:proc_ccci_dump:s0
+genfscon proc /log_much u:object_r:proc_log_much:s0
+genfscon proc /ccci_sib u:object_r:proc_ccci_sib:s0
+
+# Purpose: get input devices
+genfscon proc /bus/input/devices u:object_r:proc_bus_input:s0
+
+# 2019/09/05
+# Purpose: Allow powerhal to control kernel resources
+genfscon proc /ppm u:object_r:proc_ppm:s0
+genfscon proc /cpufreq u:object_r:proc_cpufreq:s0
+genfscon proc /hps u:object_r:proc_hps:s0
+genfscon proc /cm_mgr u:object_r:proc_cm_mgr:s0
+genfscon proc /fliperfs u:object_r:proc_fliperfs:s0
+
+# Date : 2019/10/11
+# Purpose : allow system_server to access /proc/wlan/status for Q Migration
+genfscon proc /wlan/status u:object_r:proc_wlan_status:s0
+
+genfscon sysfs /devices/platform/11015000.i2c9/i2c-9/9-0041/reset_dsp u:object_r:sysfs_reset_dsp:s0
+genfscon sysfs /bus/platform/drivers/smartpainfo/chip_vendor u:object_r:sysfs_chip_vendor:s0
+genfscon sysfs /bus/platform/drivers/smartpainfo/pa_num u:object_r:sysfs_pa_num:s0
+
+# 2019/11/14
+# Purpose: Allow powerhal to control MCDI
+genfscon proc /cpuidle u:object_r:proc_cpuidle:s0
+
+# Date : 2019/12/10
+# Purpose: Allow bt process or tool to control bt_dbg
+genfscon proc /driver/bt_dbg u:object_r:proc_btdbg:s0
+
+# Date : WK20.03
+# Purpose: Allow mtk_hal_neuralnetworks to read chip id and segment code
+# /proc/device-tree/chosen/atag,chipid is linked to
+genfscon proc /device-tree/chosen/atag,devinfo u:object_r:proc_devinfo:s0
+
+# 2020/06/12
+# Operation: R migration
+# Purpose: Allow powerhal to control displowpower
+genfscon proc /displowpower u:object_r:proc_displowpower:s0
+
+# 2020/06/29
+# Operation: R migration
+# Purpose: Add permission for access /proc/ion/*
+genfscon proc /ion u:object_r:proc_ion:s0
+
+# 2020/07/01
+# Operation: R migration
+# Purpose: Add permission for access /proc/m4u_dbg/*
+genfscon proc /m4u_dbg u:object_r:proc_m4u_dbg:s0
+
+genfscon proc /mtkfb u:object_r:proc_mtkfb:s0
+
+# 2020/07/07
+# Operation: R migration
+# Purpose: Add permission for access /proc/pvr/*
+genfscon proc /pvr u:object_r:procfs_gpu_img:s0
+
+# Date : 2020/07/08
+# Purpose: add permission for /proc/sys/vm/swappiness
+genfscon proc /sys/vm/swappiness u:object_r:proc_swappiness:s0
+
+# Date : 2020/08/05
+# Purpose: add permission for /proc/driver/wmt_user_proc
+genfscon proc /driver/wmt_user_proc u:object_r:proc_wmtuserproc:s0
+
+# Date : 2020/09/18
+# Purpose: add permission for /proc/mcdi/
+genfscon proc /mcdi/ u:object_r:proc_mcdi:s0
+
+# Date : 2020/12/23
+# Purpose: Add permission for /proc/driver/conninfra_dbg
+genfscon proc /driver/conninfra_dbg u:object_r:proc_conninfradbg:s0
+
+# Date : 2021/04/20
+# Purpose : write /proc/sys/vm/watermark_scale_factor
+genfscon proc /sys/vm/watermark_scale_factor u:object_r:proc_watermark_scale_factor:s0
+
+# Data : 2021/4/21
+# Purpose : read/write /proc/mtk_usb, /proc/mtk_typec
+genfscon proc /mtk_usb u:object_r:proc_usb_plat:s0
+genfscon proc /mtk_typec u:object_r:proc_usb_plat:s0
+
+# Date 2021/05/10
+# Purpose : init the default value before bootup
+genfscon proc /sys/kernel/sched_migration_cost_ns u:object_r:proc_sched_migration_cost_ns:s0
+
+# 2021/8/25
+# allow powerhal to access /proc/cpuhvfs/cpufreq_cci_mode
+genfscon proc /cpuhvfs/cpufreq_cci_mode u:object_r:proc_cpuhvfs:s0
+
+# Date : 2021/11/12
+# Purpose : write /proc/sys/vm/watermark_boost_factor
+genfscon proc /sys/vm/watermark_boost_factor u:object_r:proc_watermark_boost_factor:s0
+
+##########################
+# sysfs files
+#
+genfscon sysfs /bus/platform/drivers/mtk-kpd u:object_r:sysfs_keypad_file:s0
+genfscon sysfs /power/vcorefs/pwr_ctrl u:object_r:sysfs_vcorefs_pwrctrl:s0
+genfscon sysfs /power/dcm_state u:object_r:sysfs_dcm:s0
+genfscon sysfs /power/mtkdcs/mode u:object_r:sysfs_dcs:s0
+genfscon sysfs /power/mtkpasr/execstate u:object_r:sysfs_execstate:s0
+genfscon sysfs /mtk_ssw u:object_r:sysfs_ssw:s0
+genfscon sysfs /devices/soc0 u:object_r:sysfs_soc:s0
+
+genfscon sysfs /kernel/mm/mlog/dump u:object_r:sysfs_mm:s0
+
+genfscon sysfs /bus/platform/drivers/dev_info/dev_info u:object_r:sysfs_devinfo:s0
+genfscon sysfs /bus/platform/drivers/meta_com_type_info/meta_com_type_info u:object_r:sysfs_comport_type:s0
+genfscon sysfs /bus/platform/drivers/meta_uart_port_info/meta_uart_port_info u:object_r:sysfs_uart_info:s0
+
+genfscon sysfs /devices/platform/battery u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/charger/Pump_Express u:object_r:sysfs_pump_express:s0
+genfscon sysfs /devices/platform/charger/Charger_Config u:object_r:sysfs_chg_cfg:s0
+genfscon sysfs /devices/platform/battery/Pump_Express u:object_r:sysfs_pump_express:s0
+genfscon sysfs /devices/platform/charger/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/11d04000.i2c8/i2c-8/8-0055/power_supply/battery u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/11d04000.i2c8/i2c-8/8-0055/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/charger/power_supply/mtk-slave-charger/present u:object_r:sysfs_chg2_present:s0
+genfscon sysfs /devices/platform/mt_charger/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-gauge/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/soc/10026000.pwrap/10026000.pwrap:mt6366/mt6358-gauge/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/soc/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6359-gauge/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-gauge/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/soc/11cb1000.i2c/i2c-9/9-0034/11cb1000.i2c:mt6375@34:mt6375_gauge/power_supply/ u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/11016000.i2c5/i2c-5/5-0034/mt6370_pmu_charger/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/soc/11016000.i2c5/i2c-5/5-0034/mt6360_pmu_chg.2.auto/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/soc/11e00000.i2c/i2c-7/7-0034/mt6360_chg.1.auto/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/soc/11e00000.i2c/i2c-5/5-0034/mt6360_chg.1.auto/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/soc/11f00000.i2c/i2c-5/5-0034/mt6360_chg.2.auto/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/soc/11cb1000.i2c/i2c-9/9-0034/11cb1000.i2c:mt6375@34:chg/power_supply/ u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/11e01000.i2c/i2c-5/5-0034/11e01000.i2c:mt6375@34:mtk_gauge/power_supply/ u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/11e01000.i2c/i2c-5/5-0034/11e01000.i2c:mt6375@34:chg/power_supply/ u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/11ed1000.i2c/i2c-5/5-0034/11ed1000.i2c:mt6375@34:mtk_gauge/power_supply/ u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/11ed1000.i2c/i2c-5/5-0034/11ed1000.i2c:mt6375@34:chg/power_supply/ u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/soc/11280000.i2c/i2c-5/5-0034/11280000.i2c:mt6375@34:mtk_gauge/power_supply/ u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/soc/11280000.i2c/i2c-5/5-0034/11280000.i2c:mt6375@34:chg/power_supply/ u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/11b20000.i2c/i2c-5/5-0034/11b20000.i2c:mt6375@34:mtk_gauge/power_supply/ u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/11b20000.i2c/i2c-5/5-0034/11b20000.i2c:mt6375@34:chg/power_supply/ u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/soc/11017000.i2c/i2c-5/5-0034/11017000.i2c:mt6375@34:chg/power_supply/ u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/11e01000.i2c/i2c-5/5-0034/mt6360_chg.3.auto/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-charger-type-detection/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/mt-rtc/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6359-pmic/mt6359-rtc/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6358-pmic/mt6358-rtc/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6397-rtc/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/platform/soc/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6397-rtc/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359-pmic/mt6359-rtc/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-rtc/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /class/typec u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/mt_usb/musb-hdrc/dual_role_usb u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/mt_usb/musb-hdrc/cmode u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/11270000.usb3/musb-hdrc/cmode u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/soc/usb0/cmode u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/mt_usb/musb-hdrc/usb1 u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/mt_usb/musb-hdrc/usb2 u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/soc/mt_usb/musb-hdrc/usb1 u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/soc/mt_usb/musb-hdrc/usb2 u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/soc/usb0/11200000.xhci0/usb1 u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/soc/usb0/11200000.xhci0/usb2 u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/soc/usb0/11200000.xhci0/usb3 u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/soc/11201000.usb0/11200000.xhci0/usb1 u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/soc/11201000.usb0/11200000.xhci0/usb2 u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/soc/11201000.usb0/11200000.xhci0/usb3 u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/usb_xhci/usb1 u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/usb3_xhci/usb1 u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/mt_usb/musb-hdrc/udc/musb-hdrc u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/11201000.mtu3_0/udc/musb-hdrc u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/11201000.usb3/udc/musb-hdrc u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/11270000.usb3/musb-hdrc/udc/musb-hdrc u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/soc/11201000.usb0/udc/11201000.usb0 u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/usb0/udc/usb0 u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/usb0/11200000.xhci0/usb1 u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/usb0/11200000.xhci0/usb2 u:object_r:sysfs_usb_nonplat:s0
+
+genfscon sysfs /devices/virtual/BOOT/BOOT/boot/boot_mode u:object_r:sysfs_boot_mode:s0
+genfscon sysfs /devices/virtual/BOOT/BOOT/boot/boot_type u:object_r:sysfs_boot_type:s0
+
+genfscon sysfs /devices/virtual/misc/md32 u:object_r:sysfs_md32:s0
+genfscon sysfs /devices/virtual/misc/scp u:object_r:sysfs_scp:s0
+genfscon sysfs /devices/virtual/misc/scp_B u:object_r:sysfs_scp:s0
+genfscon sysfs /devices/virtual/misc/sspm u:object_r:sysfs_sspm:s0
+genfscon sysfs /devices/virtual/misc/adsp u:object_r:sysfs_adsp:s0
+genfscon sysfs /devices/virtual/misc/adsp_0 u:object_r:sysfs_adsp:s0
+genfscon sysfs /devices/virtual/misc/adsp_1 u:object_r:sysfs_adsp:s0
+genfscon sysfs /devices/virtual/misc/vcp u:object_r:sysfs_vcp:s0
+
+# Date : 2019/09/12
+genfscon sysfs /devices/virtual/thermal u:object_r:sysfs_therm:s0
+genfscon sysfs /devices/class/thermal u:object_r:sysfs_therm:s0
+genfscon sysfs /kernel/thermal u:object_r:sysfs_thermal_sram:s0
+genfscon sysfs /kernel/charger_cooler u:object_r:sysfs_charger_cooler:s0
+
+genfscon sysfs /devices/virtual/switch/fps u:object_r:sysfs_fps:s0
+
+genfscon sysfs /firmware/devicetree/base/chosen/atag,devinfo u:object_r:sysfs_devinfo:s0
+
+genfscon sysfs /firmware/devicetree/base/chosen/aee,enable u:object_r:sysfs_aee_enable:s0
+
+genfscon sysfs /kernel/ccci u:object_r:sysfs_ccci:s0
+
+# Date : 2018/06/15
+# Purpose : mtk EM touchscreen settings
+genfscon sysfs /module/tpd_setting u:object_r:sysfs_tpd_setting:s0
+genfscon sysfs /power/vcorefs/vcore_debug u:object_r:sysfs_vcore_debug:s0
+genfscon sysfs /power/vcorefs/opp_table u:object_r:sysfs_vcore_debug:s0
+
+# Date: 2018/08/09
+# Purpose : MTK Vibrator
+genfscon sysfs /devices/virtual/timed_output/vibrator u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/odm/odm:vibrator@0/leds/vibrator u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/soc/soc:regulator_vibrator/leds/vibrator u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/soc/soc:pwm_leds/leds/lcd-backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/soc/soc:mtk_leds/leds/lcd-backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/mtk_leds/leds/lcd-backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/i2c_leds/leds/lcd-backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/regulator_vibrator/leds/vibrator u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/leds-mt65xx/leds u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/pwmleds/leds u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/disp_leds/leds u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/11f00000.i2c6/i2c-6/6-0011/leds/lcd-backlight u:object_r:sysfs_leds:s0
+
+# Date : 2018/11/22
+# Purpose: allow mdlogger to read mdinfo file
+genfscon sysfs /kernel/md/mdee u:object_r:sysfs_mdinfo:s0
+
+# Date : 2019/07/03
+# Purpose: SIU update sysfs_devices_block access for emmc and ufs
+genfscon sysfs /devices/platform/bootdevice/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/mtk-msdc.0/11230000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/mtk-msdc.0/11230000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/bootdevice/mmc_host/mmc0/mmc0:0001/wp_grp_size u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:0/block/sda u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:1/block/sdb u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:2/block/sdc u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:0/block/sda u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:1/block/sdb u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc15 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc33 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc43 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc53 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/112b0000.ufshci/host0/target0:0:0/0:0:0:0/block/sda u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/112b0000.ufshci/host0/target0:0:0/0:0:0:1/block/sdb u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc2 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc15 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc33 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc43 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc53 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc61 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/112b0000.ufshci/host0/target0:0:0/0:0:0:0/block/sda u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/112b0000.ufshci/host0/target0:0:0/0:0:0:1/block/sdb u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc2 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc15 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc33 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc43 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc53 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc61 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/112b0000.ufshci/host0/scsi_host/host0 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/11230000.mmc/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/11230000.msdc/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/11240000.mmc/mmc_host/mmc0/mmc0:aaaa/block/mmcblk0 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/11240000.mmc/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/11270000.ufshci/host0/target0:0:0/0:0:0:0/block/sda u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/11270000.ufshci/host0/target0:0:0/0:0:0:1/block/sdb u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc u:object_r:sysfs_devices_block:s0
+
+# Date : 2019/07/12
+# Purpose:dumpstate mmcblk1 access
+genfscon sysfs /devices/platform/externdevice/mmc_host/mmc0 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/externdevice/mmc_host/mmc1 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/11240000.mmc/mmc_host/mmc1 u:object_r:sysfs_devices_block:s0
+
+# Date : 2019/09/16
+# Purpose : mtk factory fingerprint settings
+genfscon sysfs /module/gf_spi_tee u:object_r:sysfs_gf_spi_tee:s0
+
+# Date : 2019/10/22
+# Purpose : mrdump_tool(copy_process by aee_aedv) need to write data to lbaooo
+genfscon sysfs /module/mrdump/version u:object_r:sysfs_mrdump:s0
+genfscon sysfs /kernel/mrdump_version u:object_r:sysfs_mrdump:s0
+genfscon sysfs /firmware/devicetree/base/chosen/mrdump,lk u:object_r:sysfs_mrdump:s0
+genfscon sysfs /module/mrdump/parameters/lbaooo u:object_r:sysfs_mrdump:s0
+genfscon sysfs /firmware/devicetree/base/memory/reg u:object_r:sysfs_memory:s0
+genfscon sysfs /firmware/devicetree/base/memory@0x40000000/reg u:object_r:sysfs_memory:s0
+
+# mtk APUSYS information reading
+genfscon sysfs /devices/virtual/misc/apusys/queue u:object_r:sysfs_apusys_queue:s0
+
+# 2019/08/24
+genfscon sysfs /class/sensor u:object_r:sysfs_sensor:s0
+genfscon sysfs /devices/virtual/sensor u:object_r:sysfs_sensor:s0
+
+# MTEE trusty
+genfscon sysfs /devices/platform/trusty u:object_r:mtee_trusty_file:s0
+
+# 2019/09/05
+# Purpose: Allow powerhal to control kernel resources
+genfscon sysfs /module/ged u:object_r:sysfs_ged:s0
+genfscon sysfs /module/fbt_cpu u:object_r:sysfs_fbt_cpu:s0
+genfscon sysfs /module/fbt_fteh u:object_r:sysfs_fbt_fteh:s0
+genfscon sysfs /module/xgf u:object_r:sysfs_xgf:s0
+genfscon sysfs /module/mtk_fpsgo u:object_r:sysfs_mtk_fpsgo:s0
+genfscon sysfs /module/mtk_core_ctl u:object_r:sysfs_mtk_core_ctl:s0
+
+# 2019/09/05
+# Purpose: Allow powerhal to control cache audit
+genfscon sysfs /module/cache_ctrl u:object_r:sysfs_cache_ctrl:s0
+genfscon sysfs /module/pftch_qos u:object_r:sysfs_pftch_qos:s0
+
+# 2019/09/19
+# Purpose: Allow powerhal to trigger task-turbo
+genfscon sysfs /module/task_turbo u:object_r:sysfs_task_turbo:s0
+
+# Date : 2019/09/23
+# Operation: SQC
+# Purpose : Allow powerHAL to control touch boost
+genfscon sysfs /devices/platform/mtk-tpd2.0/change_rate u:object_r:sysfs_change_rate:s0
+
+# Date : 2019/10/16
+# Operation: SQC
+# Purpose : Allow powerHAL to control /sys/fs/ext4/xxx/disable_barrier
+genfscon sysfs /fs/ext4/sdc46/disable_barrier u:object_r:sysfs_ext4_disable_barrier:s0
+genfscon sysfs /fs/ext4/sdc47/disable_barrier u:object_r:sysfs_ext4_disable_barrier:s0
+genfscon sysfs /fs/ext4/sdc48/disable_barrier u:object_r:sysfs_ext4_disable_barrier:s0
+genfscon sysfs /fs/ext4/dm-6/disable_barrier u:object_r:sysfs_ext4_disable_barrier:s0
+
+# Date : WK19.38
+# Purpose: Android Migration for video codec driver
+genfscon sysfs /firmware/devicetree/base/model u:object_r:sysfs_device_tree_model:s0
+
+# Date : 2019/10/11
+# Purpose : allow system_server to access /sys/kernel/mm/ksm/pages_xxx
+genfscon sysfs /kernel/mm/ksm/pages_shared u:object_r:sysfs_pages_shared:s0
+genfscon sysfs /kernel/mm/ksm/pages_sharing u:object_r:sysfs_pages_sharing:s0
+genfscon sysfs /kernel/mm/ksm/pages_unshared u:object_r:sysfs_pages_unshared:s0
+genfscon sysfs /kernel/mm/ksm/pages_volatile u:object_r:sysfs_pages_volatile:s0
+
+# Date : 2019/10/25
+# Purpose : /proc/device-tree/chosen/atag,chipid or /sysfs/firmware/devicetree/base/chosen/atag,chipid
+genfscon sysfs /firmware/devicetree/base/chosen/atag,chipid u:object_r:sysfs_chipid:s0
+
+# Date : 2019/10/18
+# Purpose : allow system_server to access rt5509 param and calib node
+genfscon sysfs /devices/platform/1100f000.i2c3/i2c-3/3-0034/rt5509_param.0 u:object_r:sysfs_rt_param:s0
+genfscon sysfs /devices/platform/1100f000.i2c3/i2c-3/3-0034/rt5509_cal/rt5509.0 u:object_r:sysfs_rt_calib:s0
+
+# Date : 2020/07/10
+# Purpose : allow media sources to access /sys/bus/platform/drivers/emi_ctrl/*
+genfscon sysfs /bus/platform/drivers/emi_ctrl/concurrency_scenario u:object_r:sysfs_emi_ctrl_concurrency_scenario:s0
+
+# Date : 2019/12/12
+# Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/*
+genfscon sysfs /bus/platform/drivers/mem_bw_ctrl/concurrency_scenario u:object_r:sysfs_concurrency_scenario:s0
+
+# Date : WK20.07
+# Operation: R migration
+# Purpose : Add permission for new device node.
+genfscon sysfs /firmware/devicetree/base/chosen/atag,meta u:object_r:sysfs_meta_info:s0
+
+genfscon sysfs /bus/platform/drivers/cache_parity/cache_status u:object_r:sysfs_cache_status:s0
+genfscon sysfs /bus/platform/drivers/cache_parity/status u:object_r:sysfs_cache_status:s0
+
+# Date : WK20.17
+# Purpose: Allow powerhal to control ged hal
+genfscon sysfs /kernel/ged u:object_r:sysfs_ged:s0
+
+# Date : WK20.19
+# Purpose: Allow powerhal to control fpsgo
+genfscon sysfs /kernel/fpsgo u:object_r:sysfs_fpsgo:s0
+
+# Date : WK20.23
+# Purpose: Allow powerhal to control gbe
+genfscon sysfs /kernel/gbe u:object_r:sysfs_gbe:s0
+
+# Date : 2020/06/12
+# Purpose : Allow powerhal to control mali power policy
+genfscon sysfs /class/misc/mali0/device/power_policy u:object_r:sysfs_mali_power_policy:s0
+genfscon sysfs /devices/platform/13000000.mali/power_policy u:object_r:sysfs_mali_power_policy:s0
+
+# Date : WK20.25
+# Operation: R migration
+# Purpose : for VTS NetdSELinuxTest.CheckProperMTULabels requirement.
+genfscon sysfs /devices/platform/18000000.wifi/net/wlan0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/18000000.wifi/net/wlan1/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/soc/18000000.wifi/net/wlan0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/soc/18000000.wifi/net/wlan1/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/180f0000.wifi/net/wlan0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/180f0000.wifi/net/p2p0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/bus/180f0000.WIFI/net/wlan0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/bus/180f0000.WIFI/net/p2p0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/bus/180f0000.wifi/net/wlan0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/bus/180f0000.wifi/net/p2p0/mtu u:object_r:sysfs_net:s0
+
+# Date : 2020/07/02
+# Purpose : mtk nanohub sensor state detect
+genfscon sysfs /bus/platform/drivers/mtk_nanohub/state u:object_r:sysfs_mtk_nanohub_state:s0
+
+# Date : 2020/07/13
+# Purpose : Add permission for access dvfsrc dbg sysfs
+genfscon sysfs /devices/platform/10012000.dvfsrc/helio-dvfsrc u:object_r:sysfs_dvfsrc_dbg:s0
+genfscon sysfs /devices/platform/10012000.dvfsrc/10012000.dvfsrc:dvfsrc-debug u:object_r:sysfs_dvfsrc_dbg:s0
+genfscon sysfs /devices/platform/10012000.dvfsrc/10012000.dvfsrc:dvfsrc-up u:object_r:sysfs_dvfsrc_dbg:s0
+genfscon sysfs /devices/platform/10012000.dvfsrc/10012000.dvfsrc:dvfsrc-helper u:object_r:sysfs_dvfsrc_dbg:s0
+genfscon sysfs /devices/platform/1c00f000.dvfsrc/1c00f000.dvfsrc:dvfsrc-helper u:object_r:sysfs_dvfsrc_dbg:s0
+genfscon sysfs /devices/platform/soc/10012000.dvfsrc/10012000.dvfsrc:dvfsrc-debug u:object_r:sysfs_dvfsrc_dbg:s0
+genfscon sysfs /devices/platform/soc/10012000.dvfsrc/10012000.dvfsrc:dvfsrc-up u:object_r:sysfs_dvfsrc_dbg:s0
+genfscon sysfs /devices/platform/soc/10012000.dvfsrc/10012000.dvfsrc:dvfsrc-helper u:object_r:sysfs_dvfsrc_dbg:s0
+genfscon sysfs /devices/platform/soc/1c00f000.dvfsrc/1c00f000.dvfsrc:dvfsrc-helper u:object_r:sysfs_dvfsrc_dbg:s0
+
+
+# Date : 2020/07/31
+# Purpose: add permission for /sys/kernel/apusys/
+genfscon sysfs /kernel/apusys/ u:object_r:sysfs_apusys:s0
+
+# Date : WK20.33
+# Operation: R migration
+# Purpose: Add permission for access aux_adc
+genfscon sysfs /bus/platform/drivers/mt6577-auxadc u:object_r:sys_mt6577_auxadc:s0
+genfscon sysfs /devices/platform/11001000.auxadc/iio:device2 u:object_r:sys_mt6577_auxadc:s0
+
+# Date : 2020/08/11
+# Purpose : For kernel 4.14 platforms, allow system_server to access rt5509 param and calib node
+genfscon sysfs /devices/platform/rt5509_param.0 u:object_r:sysfs_rt_param:s0
+genfscon sysfs /devices/virtual/rt5509_cal/rt5509.0 u:object_r:sysfs_rt_calib:s0
+
+# Date : 2020/08/19
+# Purpose : Add permission for access dvfsrc dbg sysfs
+genfscon sysfs /devices/platform/soc/10012000.dvfsrc/mtk-dvfsrc-devfreq/devfreq/mtk-dvfsrc-devfreq u:object_r:sysfs_dvfsrc_devfreq:s0
+genfscon sysfs /devices/platform/10012000.dvfsrc/mtk-dvfsrc-devfreq/devfreq/mtk-dvfsrc-devfreq u:object_r:sysfs_dvfsrc_devfreq:s0
+genfscon sysfs /devices/platform/1c00f000.dvfsrc/mtk-dvfsrc-devfreq/devfreq/mtk-dvfsrc-devfreq u:object_r:sysfs_dvfsrc_devfreq:s0
+genfscon sysfs /devices/platform/soc/1c00f000.dvfsrc/mtk-dvfsrc-devfreq/devfreq/mtk-dvfsrc-devfreq u:object_r:sysfs_dvfsrc_devfreq:s0
+
+# Date : 2020/08/21
+# Purpose : allow aee_aedv to access /sys/bus/platform/drivers/systracker node
+genfscon sysfs /bus/platform/drivers/systracker u:object_r:sysfs_systracker:s0
+
+# Date : 2020/09/03
+# Purpose: mtk MMQoS set camera max BW
+genfscon sysfs /devices/platform/soc/soc:interconnect/mmqos_hrt/camera_max_bw u:object_r:sysfs_camera_max_bw:s0
+genfscon sysfs /devices/platform/interconnect/mmqos_hrt/camera_max_bw u:object_r:sysfs_camera_max_bw_v2:s0
+
+# Date : 2020/06/15
+# Purpose: mtk MMQoS scen change
+genfscon sysfs /devices/platform/soc/soc:interconnect/mmqos_hrt/mtk_mmqos_scen u:object_r:sysfs_mtk_mmqos_scen:s0
+genfscon sysfs /devices/platform/interconnect/mmqos_hrt/mtk_mmqos_scen u:object_r:sysfs_mtk_mmqos_scen_v2:s0
+
+# Date : 2020/09/29
+# Purpose: add permission for /sys/kernel/eara_thermal/
+genfscon sysfs /kernel/eara_thermal/ u:object_r:sysfs_eara_thermal:s0
+
+# Date : 2021/3/12
+# Purpose : Allow powerhal to control mali power onoff
+genfscon sysfs /class/misc/mali0/device/pm_poweroff u:object_r:sysfs_mali_poweroff:s0
+genfscon sysfs /devices/platform/13000000.mali/pm_poweroff u:object_r:sysfs_mali_poweroff:s0
+
+# Date: 2021/05/28
+# Purpose: allow DcxoSetCap set dcxo calibration
+genfscon sysfs /devices/platform/soc/1000d000.pwrap/1000d000.pwrap:mt6357-pmic/mt6357-dcxo/dcxo_board_offset u:object_r:sysfs_dcxo:s0
+genfscon sysfs /devices/platform/soc/1000d000.pwrap/1000d000.pwrap:mt6357-pmic/mt6357-dcxo/nvram_board_offset u:object_r:sysfs_dcxo:s0
+genfscon sysfs /devices/platform/soc/1000d000.pwrap/1000d000.pwrap:mt6357-pmic/mt6357-dcxo/dcxo_capid u:object_r:sysfs_dcxo:s0
+genfscon sysfs /power/clk_buf/ u:object_r:sysfs_dcxo:s0
+
+# Date : 2021/06/04
+# Purpose: Allow mobile log to read apusysy log
+genfscon proc /apusys_logger/seq_logl u:object_r:proc_apusys_up_seq_logl:s0
+
+# labeling sysfs wakeup files to avoid sepolicy violation
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-charger-type-detection/power_supply/mtk_charger_type/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-gauge/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-gauge/power_supply/mtk-gauge/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt635x-auxadc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6397-rtc/rtc/rtc0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6397-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359-pmic/mt6359-rtc/rtc/rtc0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359-pmic/mt6359-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359-pmic/mt635x-auxadc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-gauge/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-gauge/power_supply/mtk-gauge/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-rtc/rtc/rtc0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt635x-auxadc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10027000.spmi/spmi-0/0-09/10027000.spmi:mt6362@9:chg/power_supply/10027000.spmi:mt6362@9:chg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10027000.spmi/spmi-0/0-09/10027000.spmi:mt6362@9:tcpc/tcpc/type_c_port0/dual-role-type_c_port0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10027000.spmi/spmi-0/0-09/10027000.spmi:mt6362@9:tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10027000.spmi/spmi-0/0-09/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11016000.i2c5/i2c-5/5-0034/mt6370_pmu_charger/power_supply/mt6370_pmu_charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11016000.i2c5/i2c-5/5-0034/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11016000.i2c5/i2c-5/5-004e/tcpc/type_c_port0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11016000.i2c5/i2c-5/5-004e/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11201000.mtu3_0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11201000.usb/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11cb0000.i2c3/i2c-3/3-0018/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11d00000.i2c5/i2c-5/5-0034/mt6360_pmu_chg.2.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11d00000.i2c5/i2c-5/5-0034/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11d00000.i2c5/i2c-5/5-004e/tcpc/type_c_port0/dual-role-type_c_port0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11e00000.i2c5/i2c-5/5-0034/mt6360_pmu_chg.2.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11e00000.i2c5/i2c-5/5-0034/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11e00000.i2c5/i2c-5/5-004e/tcpc/type_c_port0/dual-role-type_c_port0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11e01000.i2c5/i2c-5/5-0034/mt6360_pmu_chg.3.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11e01000.i2c5/i2c-5/5-0034/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11e01000.i2c5/i2c-5/5-004e/tcpc/type_c_port0/dual-role-type_c_port0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11f00000.i2c5/i2c-5/5-0034/mt6360_pmu_chg.2.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11f00000.i2c5/i2c-5/5-0034/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11f00000.i2c5/i2c-5/5-004e/tcpc/type_c_port0/dual-role-type_c_port0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/15004000.ispsys/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/15020000.imgsys/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/battery/power_supply/ac/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/battery/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/battery/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/charger/power_supply/mtk-master-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/charger/power_supply/mtk-slave-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/mt_charger/power_supply/ac/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/mt_charger/power_supply/charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/mt_charger/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/mt_charger/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/mtk_lpm/mtk_cpuidle_pm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/mt-rtc/rtc/rtc0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/mt-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1000f000.pwrap/1000f000.pwrap:mt6392/mt6397-rtc/rtc/rtc0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1000f000.pwrap/1000f000.pwrap:mt6392/mt6397-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/11201000.usb0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/11e00000.i2c/i2c-7/7-0034/mt6360_chg.1.auto/power_supply/mt6360_chg.1.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/11e00000.i2c/i2c-7/7-0034/mt6360_chg.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/11e00000.i2c/i2c-7/7-0034/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/11e00000.i2c/i2c-7/7-004e/tcpc/type_c_port0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/11e00000.i2c/i2c-7/7-004e/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/15020000.imgsys_config/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/18002000.consys/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1a000000.camisp_legacy/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/mt_usb/musb-hdrc/dual_role_usb/dual-role-usb20/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:mfgsys-async/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/trusty/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/alarm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/usb_rawbulk/atc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/usb_rawbulk/data/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/usb_rawbulk/dummy0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/usb_rawbulk/dummy1/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/usb_rawbulk/dummy2/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/usb_rawbulk/ets/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/usb_rawbulk/gps/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/usb_rawbulk/pcv/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1f000000.mdp/wakeup/wakeup2/event_count u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1f000000.mdp/wakeup/wakeup2 u:object_r:sysfs_wakeup:s0
+
+# allow gpu to set dbg
+genfscon sysfs /disp/dbg1 u:object_r:sysfs_gpu:s0
+genfscon sysfs /disp/dbg2 u:object_r:sysfs_gpu:s0
+genfscon sysfs /disp/dbg3 u:object_r:sysfs_gpu:s0
+
+# Purpose: Add permission for /sys/devices/platform/bootdevice/host0/target0:0:0/0:0:0:0/vpd_pg80
+genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:0/vpd_pg80 u:object_r:sysfs_vpd:s0
+
+# Purpose: Add permission for /sys/devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:0/vpd_pg80
+genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:0/vpd_pg80 u:object_r:sysfs_vpd:s0
+
+# RTK Device
+genfscon sysfs /class/extdev_io u:object_r:sysfs_extdev:s0
+
+# 2021/8/25
+# allow powerhal to access /sys/kernel/cm_mgr/dbg_cm_mgr
+genfscon sysfs /kernel/cm_mgr u:object_r:sysfs_cm_mgr:s0
+
+##########################
+# debugfs files
+#
+genfscon debugfs /displowpower u:object_r:debugfs_fb:s0
+genfscon debugfs /disp u:object_r:debugfs_fb:s0
+genfscon debugfs /dispsys u:object_r:debugfs_fb:s0
+genfscon debugfs /fbconfig u:object_r:debugfs_fb:s0
+genfscon debugfs /fpsgo u:object_r:debugfs_fpsgo:s0
+genfscon debugfs /ion/clients u:object_r:debugfs_ion:s0
+genfscon debugfs /mtkfb u:object_r:debugfs_fb:s0
+genfscon debugfs /mmprofile u:object_r:debugfs_fb:s0
+
+##########################
+# other files
+#
+genfscon iso9660 / u:object_r:iso9660:s0
+genfscon rawfs / u:object_r:rawfs:s0
+genfscon fuseblk / u:object_r:fuseblk:s0
+
+# move from plat_private to non_plat
+genfscon sysfs /firmware/devicetree/base/chosen/atag,boot u:object_r:sysfs_boot_info:s0
+
+# 2021/08/24
+# Purpose: add dmabuf heap debug info for memtrack
+genfscon proc /dma_heap u:object_r:proc_dmaheap:s0
+
+# For CachedAppOptimizer
+genfscon proc /mtk_mdp_debug u:object_r:proc_mtk_mdp_debug:s0
+
+# AudioManager/WiredAccessoryManager, extcon uevents
+genfscon sysfs /devices/platform/14800000.dp_tx/extcon u:object_r:sysfs_extcon:s0
+
+# dumpstate mmcblk access
+genfscon sysfs /devices/platform/soc/11230000.mmc/mmc_host/mmc0 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/11240000.mmc/mmc_host/mmc0 u:object_r:sysfs_devices_block:s0
+
+# Purpose: allow otg access
+genfscon sysfs /devices/platform/soc/11201000.usb/11200000.xhci/usb1 u:object_r:sysfs_usb_nonplat:s0
+
+# Purpose: allow mgq access
+genfscon proc /mgq u:object_r:proc_mgq:s0
diff --git a/basic/non_plat/getgameserver.te b/basic/non_plat/getgameserver.te
new file mode 100644
index 0000000..97e48c3
--- /dev/null
+++ b/basic/non_plat/getgameserver.te
@@ -0,0 +1 @@
+type getgameserver, domain;
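Review bot: The new domain on the only line of this file has no `*_exec` type, no `init_daemon_domain`, and no other rule, so from this file alone nothing can ever transition into `getgameserver` and it is not clear which binary it is meant to confine. If the transition and exec label live in another file of this change (which this hunk does not show), a one-line pointer would save the next reviewer the search; if they do not, the declaration is a dead domain. Suggested header: `# Domain for the getgameserver helper; exec type and transition are declared in <file> — confirm`.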
diff --git a/basic/non_plat/gpuservice.te b/basic/non_plat/gpuservice.te
new file mode 100644
index 0000000..f5ada1e
--- /dev/null
+++ b/basic/non_plat/gpuservice.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK19.31
+# Operation : Migration
+# Purpose : [ALPS04685294] com.google.android.graphics.gts.VulkanTest#checkVulkan1_1Requirements-fail
+allow gpuservice gpu_device:dir search;
diff --git a/basic/non_plat/gsm0710muxd.te b/basic/non_plat/gsm0710muxd.te
new file mode 100644
index 0000000..348285e
--- /dev/null
+++ b/basic/non_plat/gsm0710muxd.te
@@ -0,0 +1,40 @@
+# ==============================================
+# Policy File of /vendor/bin/gsm0710muxd Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type gsm0710muxd, domain;
+type gsm0710muxd_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(gsm0710muxd)
+
+# Capabilities assigned for gsm0710muxd
+allow gsm0710muxd self:capability { chown fowner setuid };
+
+# Property service
+set_prop(gsm0710muxd, vendor_mtk_ctl_ril-daemon-mtk_prop)
+set_prop(gsm0710muxd, vendor_mtk_ctl_fusion_ril_mtk_prop)
+set_prop(gsm0710muxd, vendor_mtk_gsm0710muxd_prop)
+set_prop(gsm0710muxd, vendor_mtk_radio_prop)
+
+# Date: w2043
+# Allow to get AOSP property persist.radio.multisim.config
+get_prop(gsm0710muxd, radio_control_prop)
+
+# allow set muxreport control properties
+set_prop(gsm0710muxd, vendor_mtk_ril_mux_report_case_prop)
+
+# Allow read/write to devices/files
+allow gsm0710muxd gsm0710muxd_device:chr_file rw_file_perms;
+allow gsm0710muxd mtk_radio_device:dir rw_dir_perms;
+allow gsm0710muxd mtk_radio_device:lnk_file create_file_perms;
+allow gsm0710muxd devpts:chr_file setattr;
+allow gsm0710muxd eemcs_device:chr_file rw_file_perms;
+
+# Allow read to sys/kernel/ccci/* files
+allow gsm0710muxd sysfs_ccci:dir search;
+allow gsm0710muxd sysfs_ccci:file r_file_perms;
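Review bot: `allow gsm0710muxd self:capability { chown fowner setuid };` carries no per-capability justification, unlike the dated Purpose headers used for the property rules in the same file, and together with `allow gsm0710muxd devpts:chr_file setattr;` it lets the daemon change ownership and mode of any pty, not only the ones it links under `mtk_radio_device`. Each capability should be tied to the operation that needs it, e.g. `# chown/fowner: <operation placeholder>; setuid: <operation placeholder>`, and `setuid` should be removed if the daemon never changes uid. If the setattr is only needed on ptys the daemon itself creates, check whether a type transition to a dedicated devpts type can replace the blanket `devpts` rule.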
diff --git a/basic/non_plat/hal_audio.te b/basic/non_plat/hal_audio.te
new file mode 100644
index 0000000..066e8b5
--- /dev/null
+++ b/basic/non_plat/hal_audio.te
@@ -0,0 +1,11 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2019/06/14
+# Operation : Migration
+# Purpose : interface=android.hardware.audio::IDevicesFactory for hal_audio_hwservice
+hal_attribute_hwservice(hal_audio, hal_audio_hwservice)
+
+binder_call(hal_audio_client, hal_audio_server)
+binder_call(hal_audio_server, hal_audio_client)
diff --git a/basic/non_plat/hal_bluetooth.te b/basic/non_plat/hal_bluetooth.te
new file mode 100644
index 0000000..3592bdb
--- /dev/null
+++ b/basic/non_plat/hal_bluetooth.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow hal_bluetooth_client mtk_hal_bluetooth_hwservice:hwservice_manager find;
diff --git a/basic/non_plat/hal_bootctl_default.te b/basic/non_plat/hal_bootctl_default.te
new file mode 100644
index 0000000..5d36ec9
--- /dev/null
+++ b/basic/non_plat/hal_bootctl_default.te
@@ -0,0 +1,16 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow hal_bootctl_default rootfs:file r_file_perms;
+allow hal_bootctl_default sysfs:dir r_dir_perms;
+allow hal_bootctl_default misc_sd_device:chr_file rw_file_perms;
+allow hal_bootctl_default bootdevice_block_device:blk_file rw_file_perms;
+allowxperm hal_bootctl_default bootdevice_block_device:blk_file ioctl {
+ MMC_IOCTLCMD
+ UFS_IOCTLCMD
+};
+allow hal_bootctl_default proc_cmdline:file r_file_perms;
+allow hal_bootctl_default sysfs_boot_type:file r_file_perms;
+allow hal_bootctl_default self:capability sys_rawio;
+allow hal_bootctl_default para_block_device:blk_file rw_file_perms;
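Review bot: `allow hal_bootctl_default self:capability sys_rawio;` plus `rw_file_perms` on `bootdevice_block_device` and `para_block_device` give the boot-control HAL raw write access to the whole boot device, and none of these lines says which operation needs it, whereas the ioctl rule in the same file is correctly narrowed with `allowxperm` to `MMC_IOCTLCMD`/`UFS_IOCTLCMD`. Add a Purpose comment in the file's style naming the path that requires `sys_rawio`, and if slot metadata is only reached through the `para` partition and those ioctls, check whether the `bootdevice_block_device` rule can drop to `r_file_perms`. `allow hal_bootctl_default sysfs:dir r_dir_perms;` uses the generic `sysfs` label; if a specific node is read, label it (as `sysfs_boot_type` already is) instead of opening all of sysfs.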
diff --git a/basic/non_plat/hal_camera.te b/basic/non_plat/hal_camera.te
new file mode 100644
index 0000000..0c24ba6
--- /dev/null
+++ b/basic/non_plat/hal_camera.te
@@ -0,0 +1,14 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2020/08/13
+# Operation : To access camera control daemon driver
+allow hal_camera mtk_ccd_device:chr_file rw_file_perms;
+
+# Date: 2020/08/13
+# Operation : To access V4L2 devices (media, video and sub devices)
+allow hal_camera mtk_v4l2_media_device:dir r_dir_perms;
+allow hal_camera mtk_v4l2_media_device:chr_file rw_file_perms;
+allow hal_camera video_device:dir r_dir_perms;
+allow hal_camera video_device:chr_file rw_file_perms;
diff --git a/basic/non_plat/hal_cas_default.te b/basic/non_plat/hal_cas_default.te
new file mode 100644
index 0000000..289fab7
--- /dev/null
+++ b/basic/non_plat/hal_cas_default.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2017/08/14
+# Operation : O1 Migration
+# Purpose : hal_cas_default needs to use vendor binder to communicate
+vndbinder_use(hal_cas_default)
+
diff --git a/basic/non_plat/hal_drm_clearkey.te b/basic/non_plat/hal_drm_clearkey.te
new file mode 100644
index 0000000..3bcb375
--- /dev/null
+++ b/basic/non_plat/hal_drm_clearkey.te
@@ -0,0 +1,17 @@
+# ==============================================
+# policy for /vendor/bin/hw/android.hardware.drm@1.1-service.clearkey
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type hal_drm_clearkey, domain;
+type hal_drm_clearkey_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_drm_clearkey)
+
+hal_server_domain(hal_drm_clearkey, hal_drm)
+
+vndbinder_use(hal_drm_clearkey)
+
+allow hal_drm_clearkey { appdomain -isolated_app }:fd use;
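Review bot: This file declares `type hal_drm_clearkey, domain;` and `hal_drm_clearkey_exec` and then repeats the rules that AOSP's system/sepolicy/vendor/hal_drm_clearkey.te already carries for the same domain; if that platform file is compiled into this build as well, the two `type` declarations collide at policy compile time. Confirm the AOSP vendor copy is excluded for this product and say so in the header, e.g. `# Replaces system/sepolicy/vendor/hal_drm_clearkey.te, which is excluded on this product`; otherwise this file should be deleted rather than duplicated.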
diff --git a/basic/non_plat/hal_drm_default.te b/basic/non_plat/hal_drm_default.te
new file mode 100644
index 0000000..fd7b4a2
--- /dev/null
+++ b/basic/non_plat/hal_drm_default.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+vndbinder_use(hal_drm_default)
+
+allow hal_drm_default debugfs_tracing:file w_file_perms;
+allow hal_drm_default debugfs_ion:dir search;
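Review bot: `allow hal_drm_default debugfs_tracing:file w_file_perms;` grants a production HAL write access to the tracing debugfs with no comment saying what it is for; the same undocumented grant appears in hal_graphics_allocator_default.te, hal_graphics_composer_default.te and hal_keymaster_default.te, where the only rationale is `Fix keystore boot selinux violation`, which names the denial rather than the need. If the writes are trace markers, say so once per file, e.g. `# atrace: HAL writes trace events to debugfs trace_marker`; if the access is only wanted on debug builds, wrap it in `userdebug_or_eng(...)` so release policy does not carry it. A rule added only to silence an avc denial should stay open until its purpose is known.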
diff --git a/basic/non_plat/hal_drm_widevine.te b/basic/non_plat/hal_drm_widevine.te
new file mode 100644
index 0000000..0cad4e7
--- /dev/null
+++ b/basic/non_plat/hal_drm_widevine.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type hal_drm_widevine, domain;
+type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_drm_widevine)
+
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+allow hal_drm_widevine mediacodec:fd use;
+allow hal_drm_widevine { appdomain -isolated_app }:fd use;
+
+vndbinder_use(hal_drm_widevine)
+
+hal_client_domain(hal_drm_widevine, hal_graphics_composer)
+
+allow hal_drm_widevine hal_allocator_server:fd use;
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
+
diff --git a/basic/non_plat/hal_gnss.te b/basic/non_plat/hal_gnss.te
new file mode 100644
index 0000000..07d7d70
--- /dev/null
+++ b/basic/non_plat/hal_gnss.te
@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+#TODO:: work around solution, wait for correct solution from google
+vndbinder_use(hal_gnss)
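Review bot: `vndbinder_use(hal_gnss)` is applied to the `hal_gnss` attribute, and `hal_client_domain` places every GNSS client into that attribute too, so this grants `vndbinder_device` access and `vndservicemanager` calls to all clients rather than only the vendor server, which is far wider than the workaround in the TODO needs. Scope it to the server domain, which already has its own file in this commit (`vndbinder_use(hal_gnss_default)` in basic/non_plat/hal_gnss_default.te), and replace the `#TODO::` line with what the workaround is for and where it is tracked, e.g. `# Workaround: GNSS HAL reaches <vendor service placeholder> over vndbinder; tracked in <ticket placeholder>`. The attribute-wide form is also worth checking against the platform neverallow rules on `vndbinder_device` for core domains.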
diff --git a/basic/non_plat/hal_gnss_default.te b/basic/non_plat/hal_gnss_default.te
new file mode 100644
index 0000000..bd9bb14
--- /dev/null
+++ b/basic/non_plat/hal_gnss_default.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Communicate over a socket created by mnld process.
+allow hal_gnss_default mnld_data_file:sock_file create_file_perms;
+allow hal_gnss_default mnld_data_file:dir create_dir_perms;
+allow hal_gnss_default mnld:unix_dgram_socket sendto;
diff --git a/basic/non_plat/hal_graphics_allocator.te b/basic/non_plat/hal_graphics_allocator.te
new file mode 100644
index 0000000..1a75285
--- /dev/null
+++ b/basic/non_plat/hal_graphics_allocator.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK17.13
+# Operation : Add sepolicy
+# Purpose : Add policy for gralloc HIDL
+allow hal_graphics_allocator proc_ged:file r_file_perms;
diff --git a/basic/non_plat/hal_graphics_allocator_default.te b/basic/non_plat/hal_graphics_allocator_default.te
new file mode 100644
index 0000000..fef9261
--- /dev/null
+++ b/basic/non_plat/hal_graphics_allocator_default.te
@@ -0,0 +1,12 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow hal_graphics_allocator_default gpu_device:dir search;
+allow hal_graphics_allocator_default sw_sync_device:chr_file rw_file_perms;
+allow hal_graphics_allocator_default debugfs_ion:dir search;
+allow hal_graphics_allocator_default debugfs_tracing:file w_file_perms;
+allow hal_graphics_allocator_default proc_ged:file r_file_perms;
+allow hal_graphics_allocator_default dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allowxperm hal_graphics_allocator_default proc_ged:file ioctl proc_ged_ioctls;
diff --git a/basic/non_plat/hal_graphics_composer.te b/basic/non_plat/hal_graphics_composer.te
new file mode 100644
index 0000000..52e20b4
--- /dev/null
+++ b/basic/non_plat/hal_graphics_composer.te
@@ -0,0 +1,2 @@
+# allow hal_graphics_composer domain to get mtk_hal_composer_ext_hwservice
+hal_attribute_hwservice(hal_graphics_composer, mtk_hal_composer_ext_hwservice)
diff --git a/basic/non_plat/hal_graphics_composer_default.te b/basic/non_plat/hal_graphics_composer_default.te
new file mode 100644
index 0000000..81f304e
--- /dev/null
+++ b/basic/non_plat/hal_graphics_composer_default.te
@@ -0,0 +1,79 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+vndbinder_use(hal_graphics_composer_default)
+
+allow hal_graphics_composer_default proc_ged:file r_file_perms;
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Date : WK17.21
+# Purpose: GPU driver required
+allow hal_graphics_composer_default sw_sync_device:chr_file rw_file_perms;
+
+# Date : W17.24
+# Purpose: GPU driver required
+allow hal_graphics_composer_default gpu_device:dir search;
+
+allow hal_graphics_composer_default debugfs_ion:dir search;
+allow hal_graphics_composer_default debugfs_tracing:file w_file_perms;
+
+# Date : WK17.30
+# Operation : O Migration
+# Purpose: Allow to access cmdq driver
+allow hal_graphics_composer_default mtk_cmdq_device:chr_file r_file_perms;
+
+# Date : W17.30
+# Add for control PowerHAL
+hal_client_domain(hal_graphics_composer_default, hal_power)
+
+# Date : WK17.32
+# Operation : O Migration
+# Purpose: Allow to access property
+set_prop(hal_graphics_composer_default, vendor_mtk_graphics_hwc_pid_prop)
+set_prop(hal_graphics_composer_default, vendor_mtk_graphics_hwc_hdr_prop)
+set_prop(hal_graphics_composer_default, vendor_mtk_graphics_hwc_validate_separate_prop)
+
+# Date : WK18.03
+# Purpose: Allow to access property dev/mdp_sync
+allow hal_graphics_composer_default mtk_mdp_sync_device:chr_file r_file_perms;
+allow hal_graphics_composer_default mtk_mdp_device:chr_file r_file_perms;
+allow hal_graphics_composer_default mdp_device:chr_file rw_file_perms;
+allow hal_graphics_composer_default tee_device:chr_file rw_file_perms;
+allowxperm hal_graphics_composer_default proc_ged:file ioctl proc_ged_ioctls;
+
+# Date: 2018/11/08
+# Operation : JPEG
+# Purpose : JPEG need to use PQ via MMS HIDL
+allow hal_graphics_composer_default sysfs_boot_mode:file r_file_perms;
+
+# Data: 2019/09/04
+# Purpose: Display architecture chage to DRM, so HWC has to access
+# the DRM device node "/dev/dri/card0".
+allow hal_graphics_composer_default dri_device:chr_file rw_file_perms;
+
+# Data: 2020/03/25
+# Purpose: HWC has to access allocator for dbq
+hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator)
+
+# Data: 2021/04/01
+# Purpose: HWC needs to check whether AppGamePQ is supported or not
+get_prop(hal_graphics_composer_default, vendor_mtk_pq_ro_prop)
+
+# Data: 2021/02/24
+# Purpose: HWC has to access to open m4u for m4u_sec_init
+allow hal_graphics_composer_default proc_m4u:file r_file_perms;
+allowxperm hal_graphics_composer_default proc_m4u:file ioctl { MTK_M4U_T_SEC_INIT MTK_M4U_GZ_SEC_INIT };
+
+# Data: 2021/09/16
+# Purpose: HWC has to access to open debug log for mtk_hwc_debug_log
+set_prop(hal_graphics_composer_default, vendor_mtk_hwc_debug_log_prop)
+
+# Date: 2021/9/29
+# Purpose: HWC needs to check whether display bringup or not
+get_prop(hal_graphics_composer_default, vendor_mtk_display_ro_prop)
+
+# Date: 2021/10/22
+# Purpose: Add permission for simplehwc reading dmabuf_system_secure_heap_device
+allow hal_graphics_composer_default dmabuf_system_secure_heap_device:chr_file r_file_perms_no_map;
+
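Review bot: `allow hal_graphics_composer_default tee_device:chr_file rw_file_perms;` sits under the `WK18.03` header about `dev/mdp_sync`, so the TEE access has no stated purpose, while the later `proc_m4u` rule documents its secure-init use and is narrowed with `allowxperm` to `MTK_M4U_T_SEC_INIT MTK_M4U_GZ_SEC_INIT`. Give the TEE rule its own dated header in the file's style, e.g. `# Purpose: HWC opens the TEE device for <use placeholder — confirm>`, since rw on `tee_device` from the composer is the kind of grant an auditor asks about first. Minor: three headers read `Data:` where the rest say `Date:`, and `chage` should be `change`.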
diff --git a/basic/non_plat/hal_ir_default.te b/basic/non_plat/hal_ir_default.te
new file mode 100644
index 0000000..ddcf13e
--- /dev/null
+++ b/basic/non_plat/hal_ir_default.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow hal_ir_default irtx_device:chr_file rw_file_perms;
\ No newline at end of file
diff --git a/basic/non_plat/hal_keymaster.te b/basic/non_plat/hal_keymaster.te
new file mode 100644
index 0000000..8c842d3
--- /dev/null
+++ b/basic/non_plat/hal_keymaster.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Associate mtk_hal_keymanage_hwservice with all server domain
+add_hwservice(hal_keymaster_server, mtk_hal_keymanage_hwservice)
+
+# Give permission for hal_keymaster_client to find mtk_hal_keymanage_hwservice via hwservice_manager
+allow hal_keymaster_client mtk_hal_keymanage_hwservice:hwservice_manager find;
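Review bot: `add_hwservice(hal_keymaster_server, mtk_hal_keymanage_hwservice)` followed by `allow hal_keymaster_client mtk_hal_keymanage_hwservice:hwservice_manager find;` is the hand-expanded form of `hal_attribute_hwservice`, which every `hal_mtk_*.te` file in this commit uses; the same pair appears in hal_mtk_mms.te and hal_telephony.te. Replacing it with `hal_attribute_hwservice(hal_keymaster, mtk_hal_keymanage_hwservice)` keeps the three files consistent and, if I recall the macro correctly, also picks up the neverallow it emits restricting `find` to the client and server attributes, which the expanded form lacks.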
\ No newline at end of file
diff --git a/basic/non_plat/hal_keymaster_attestation.te b/basic/non_plat/hal_keymaster_attestation.te
new file mode 100644
index 0000000..6c7f6fc
--- /dev/null
+++ b/basic/non_plat/hal_keymaster_attestation.te
@@ -0,0 +1,19 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type hal_keymaster_attestation, domain;
+type hal_keymaster_attestation_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_keymaster_attestation)
+
+hal_server_domain(hal_keymaster_attestation, hal_mtk_keyattestation)
+
+allow hal_keymaster_attestation tee_device:chr_file rw_file_perms;
+
+# Date : WK17.42 2017/10/19
+# Operation: Keymaster 3.0
+# Purpose: Access attestation key in persist partition
+allow hal_keymaster_attestation mnt_vendor_file:dir search;
+allow hal_keymaster_attestation persist_data_file:dir w_dir_perms;
+allow hal_keymaster_attestation persist_data_file:file create_file_perms;
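Review bot: `allow hal_keymaster_attestation persist_data_file:dir w_dir_perms;` and `persist_data_file:file create_file_perms;` let the attestation HAL create, write and delete anywhere under the whole persist label, while the sibling hal_keymint_default.te in this commit reaches the same attestation material with only `search` and `r_file_perms`. If the keys live in one directory, labelling it with a dedicated type in file_contexts (`<attestation_key_file placeholder>`) and granting this domain rw on that type only would keep a compromise of this HAL from reaching everything else in persist. At minimum the Purpose comment should name the directory, e.g. `# Purpose: Access attestation key in persist partition (<path placeholder>)`.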
diff --git a/basic/non_plat/hal_keymaster_default.te b/basic/non_plat/hal_keymaster_default.te
new file mode 100644
index 0000000..5174eb7
--- /dev/null
+++ b/basic/non_plat/hal_keymaster_default.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK17.30 2017/07/25
+# Operation : keystore
+# Purpose : Fix keystore boot selinux violation
+allow hal_keymaster_default debugfs_tracing:file w_file_perms;
diff --git a/basic/non_plat/hal_keymint_default.te b/basic/non_plat/hal_keymint_default.te
new file mode 100644
index 0000000..0b1ebf4
--- /dev/null
+++ b/basic/non_plat/hal_keymint_default.te
@@ -0,0 +1,16 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2021/08/12
+# Operation: Keymint 1.0
+# Purpose: Access attestation key in persist partition.
+allow hal_keymint_default mnt_vendor_file:dir search;
+allow hal_keymint_default persist_data_file:dir search;
+allow hal_keymint_default persist_data_file:file r_file_perms;
+
+# Date : 2021/08/12
+# Operation: Keymint 1.0
+# Purpose : Open MobiCore access permission for keystore.
+allow hal_keymint_default mobicore:unix_stream_socket { connectto read write };
+allow hal_keymint_default mobicore_user_device:chr_file rw_file_perms;
diff --git a/basic/non_plat/hal_memtrack.te b/basic/non_plat/hal_memtrack.te
new file mode 100644
index 0000000..3ae8ca3
--- /dev/null
+++ b/basic/non_plat/hal_memtrack.te
@@ -0,0 +1,25 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK16.52
+# Operation : HIDL Migration
+# Purpose : For memtrack related service access
+allow hal_memtrack procfs_gpu_img:dir search;
+allow hal_memtrack procfs_gpu_img:file r_file_perms;
+
+# Date : 2020/06/29
+# Operation: R migration
+# Purpose: Add permission for access /proc/ion/*
+allow hal_memtrack proc_ion:dir r_dir_perms;
+allow hal_memtrack proc_ion:file r_file_perms;
+
+# Date : 2020/11/10
+# Operation: R migration replace debug node with proc node
+# Purpose: Add permission for access /proc/mali/memory_usage
+allow hal_memtrack proc_memory_usage:file r_file_perms;
+
+# Date : 2021/05/14
+# Operation: GPU DDK migration rename proc node
+# Purpose: Add permission for access /proc/mtk_mali/gpu_memory
+allow hal_memtrack proc_gpu_memory:file r_file_perms;
diff --git a/basic/non_plat/hal_mtk_atci.te b/basic/non_plat/hal_mtk_atci.te
new file mode 100644
index 0000000..3d453f5
--- /dev/null
+++ b/basic/non_plat/hal_mtk_atci.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_atci, mtk_hal_atci_hwservice)
+
+binder_call(hal_mtk_atci_client, hal_mtk_atci_server)
+binder_call(hal_mtk_atci_server, hal_mtk_atci_client)
diff --git a/basic/non_plat/hal_mtk_bgs.te b/basic/non_plat/hal_mtk_bgs.te
new file mode 100644
index 0000000..8d4b5a2
--- /dev/null
+++ b/basic/non_plat/hal_mtk_bgs.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_bgs, mtk_hal_bgs_hwservice)
+
+binder_call(hal_mtk_bgs_client, hal_mtk_bgs_server)
+binder_call(hal_mtk_bgs_server, hal_mtk_bgs_client)
diff --git a/basic/non_plat/hal_mtk_em.te b/basic/non_plat/hal_mtk_em.te
new file mode 100644
index 0000000..5df7cbb
--- /dev/null
+++ b/basic/non_plat/hal_mtk_em.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_em, mtk_hal_em_hwservice)
+
+binder_call(hal_mtk_em_client, hal_mtk_em_server)
+binder_call(hal_mtk_em_server, hal_mtk_em_client)
diff --git a/basic/non_plat/hal_mtk_fm.te b/basic/non_plat/hal_mtk_fm.te
new file mode 100644
index 0000000..bff3758
--- /dev/null
+++ b/basic/non_plat/hal_mtk_fm.te
@@ -0,0 +1,10 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_fm, mtk_hal_fm_hwservice)
+
+binder_call(hal_mtk_fm_client, hal_mtk_fm_server)
+binder_call(hal_mtk_fm_server, hal_mtk_fm_client)
+
+vndbinder_use(hal_mtk_fm)
diff --git a/basic/non_plat/hal_mtk_hdmi.te b/basic/non_plat/hal_mtk_hdmi.te
new file mode 100644
index 0000000..5d76ba3
--- /dev/null
+++ b/basic/non_plat/hal_mtk_hdmi.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_hdmi, mtk_hal_hdmi_hwservice)
+
+binder_call(hal_mtk_hdmi_client, hal_mtk_hdmi_server)
+binder_call(hal_mtk_hdmi_server, hal_mtk_hdmi_client)
diff --git a/basic/non_plat/hal_mtk_imsa.te b/basic/non_plat/hal_mtk_imsa.te
new file mode 100644
index 0000000..f60c013
--- /dev/null
+++ b/basic/non_plat/hal_mtk_imsa.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_imsa, mtk_hal_imsa_hwservice)
+
+binder_call(hal_mtk_imsa_client, hal_mtk_imsa_server)
+binder_call(hal_mtk_imsa_server, hal_mtk_imsa_client)
diff --git a/basic/non_plat/hal_mtk_keyattestation.te b/basic/non_plat/hal_mtk_keyattestation.te
new file mode 100644
index 0000000..b8ad311
--- /dev/null
+++ b/basic/non_plat/hal_mtk_keyattestation.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_keyattestation, mtk_hal_keyattestation_hwservice)
+
+binder_call(hal_mtk_keyattestation_client, hal_mtk_keyattestation_server)
+binder_call(hal_mtk_keyattestation_server, hal_mtk_keyattestation_client)
diff --git a/basic/non_plat/hal_mtk_lbs.te b/basic/non_plat/hal_mtk_lbs.te
new file mode 100644
index 0000000..f5ec2ee
--- /dev/null
+++ b/basic/non_plat/hal_mtk_lbs.te
@@ -0,0 +1,10 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_lbs, mtk_hal_lbs_hwservice)
+
+binder_call(hal_mtk_lbs_client, hal_mtk_lbs_server)
+binder_call(hal_mtk_lbs_server, hal_mtk_lbs_client)
+
+vndbinder_use(hal_mtk_lbs)
diff --git a/basic/non_plat/hal_mtk_md_dbfilter.te b/basic/non_plat/hal_mtk_md_dbfilter.te
new file mode 100644
index 0000000..b821cf5
--- /dev/null
+++ b/basic/non_plat/hal_mtk_md_dbfilter.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_md_dbfilter, mtk_hal_md_dbfilter_hwservice)
+
+binder_call(hal_mtk_md_dbfilter_client, hal_mtk_md_dbfilter_server)
+binder_call(hal_mtk_md_dbfilter_server, hal_mtk_md_dbfilter_client)
diff --git a/basic/non_plat/hal_mtk_mmagent.te b/basic/non_plat/hal_mtk_mmagent.te
new file mode 100644
index 0000000..c0ae839
--- /dev/null
+++ b/basic/non_plat/hal_mtk_mmagent.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_mtk_mmagent_client, hal_mtk_mmagent_server)
+binder_call(hal_mtk_mmagent_server, hal_mtk_mmagent_client)
+
+# add/find permission rule to hwservicemanager
+hal_attribute_hwservice(hal_mtk_mmagent, mtk_hal_mmagent_hwservice)
\ No newline at end of file
diff --git a/basic/non_plat/hal_mtk_mms.te b/basic/non_plat/hal_mtk_mms.te
new file mode 100644
index 0000000..bdcebeb
--- /dev/null
+++ b/basic/non_plat/hal_mtk_mms.te
@@ -0,0 +1,13 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_mtk_mms_client, hal_mtk_mms_server)
+binder_call(hal_mtk_mms_server, hal_mtk_mms_client)
+
+# add/find permission rule to hwservicemanager
+add_hwservice(hal_mtk_mms_server, mtk_hal_mms_hwservice)
+
+# give permission for hal client
+allow hal_mtk_mms_client mtk_hal_mms_hwservice:hwservice_manager find;
diff --git a/basic/non_plat/hal_mtk_nvramagent.te b/basic/non_plat/hal_mtk_nvramagent.te
new file mode 100644
index 0000000..2f69ef5
--- /dev/null
+++ b/basic/non_plat/hal_mtk_nvramagent.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_nvramagent, mtk_hal_nvramagent_hwservice)
+
+binder_call(hal_mtk_nvramagent_client, hal_mtk_nvramagent_server)
+binder_call(hal_mtk_nvramagent_server, hal_mtk_nvramagent_client)
+
diff --git a/basic/non_plat/hal_mtk_pq.te b/basic/non_plat/hal_mtk_pq.te
new file mode 100644
index 0000000..89588ca
--- /dev/null
+++ b/basic/non_plat/hal_mtk_pq.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_pq, mtk_hal_pq_hwservice)
+
+binder_call(hal_mtk_pq_client, hal_mtk_pq_server)
+binder_call(hal_mtk_pq_server, hal_mtk_pq_client)
diff --git a/basic/non_plat/hal_nfc.te b/basic/non_plat/hal_nfc.te
new file mode 100644
index 0000000..f972894
--- /dev/null
+++ b/basic/non_plat/hal_nfc.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow hal_nfc st21nfc_device:chr_file rw_file_perms;
diff --git a/basic/non_plat/hal_tee_default.te b/basic/non_plat/hal_tee_default.te
new file mode 100644
index 0000000..623dc5b
--- /dev/null
+++ b/basic/non_plat/hal_tee_default.te
@@ -0,0 +1 @@
+type hal_tee_default, domain;
diff --git a/basic/non_plat/hal_teeregistry_default.te b/basic/non_plat/hal_teeregistry_default.te
new file mode 100644
index 0000000..03e2939
--- /dev/null
+++ b/basic/non_plat/hal_teeregistry_default.te
@@ -0,0 +1 @@
+type hal_teeregistry_default, domain;
diff --git a/basic/non_plat/hal_telephony.te b/basic/non_plat/hal_telephony.te
new file mode 100644
index 0000000..f4933ca
--- /dev/null
+++ b/basic/non_plat/hal_telephony.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+#Date : W17.18
+#Purpose: Treble SEpolicy denied clean up
+add_hwservice(hal_telephony_server, mtk_hal_rild_hwservice)
+allow hal_telephony_client mtk_hal_rild_hwservice:hwservice_manager find;
\ No newline at end of file
diff --git a/basic/non_plat/hal_thermal_default.te b/basic/non_plat/hal_thermal_default.te
new file mode 100644
index 0000000..0403fee
--- /dev/null
+++ b/basic/non_plat/hal_thermal_default.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow hal_thermal_default proc_mtktz:dir search;
+allow hal_thermal_default proc_mtktz:file r_file_perms;
+allow hal_thermal_default proc_stat:file r_file_perms;
+
+#for uevent handle
+allow hal_thermal_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+#for thermal sysfs
+allow hal_thermal_default sysfs_therm:file rw_file_perms;
+allow hal_thermal_default sysfs_therm:dir search;
+
+#for thermal hal socket
+allow hal_thermal_default thermal_hal_socket:dir { rw_dir_perms setattr};
+allow hal_thermal_default thermal_hal_socket:sock_file create_file_perms;
\ No newline at end of file
diff --git a/basic/non_plat/hal_vibrator.te b/basic/non_plat/hal_vibrator.te
new file mode 100644
index 0000000..a35814a
--- /dev/null
+++ b/basic/non_plat/hal_vibrator.te
@@ -0,0 +1,10 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# vibrator sysfs rw access
+allow hal_vibrator sysfs_vibrator:dir r_dir_perms;
+allow hal_vibrator sysfs_vibrator:file rw_file_perms;
+allow hal_vibrator sysfs_leds:file rw_file_perms;
+allow hal_vibrator sysfs_leds:dir r_dir_perms;
+allow hal_vibrator sysfs_leds:lnk_file r_file_perms;
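Review bot: These five rules target the `hal_vibrator` attribute, which `hal_client_domain` also places every vibrator client into, so `rw_file_perms` on `sysfs_leds` and `sysfs_vibrator` reaches the client domains as well as the HAL; the attribute form is intended for passthrough HALs that run inside the client. This commit already has a server-side file (hal_vibrator_default.te, carrying `allow hal_vibrator_default sysfs_vibrator:file rw_file_perms;`), so if the HAL is binderized the `sysfs_leds` rules belong there and this file should keep only what a passthrough client genuinely needs. A one-line comment stating whether the HAL is passthrough or binderized would settle which file each rule belongs in.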
diff --git a/basic/non_plat/hal_vibrator_default.te b/basic/non_plat/hal_vibrator_default.te
new file mode 100644
index 0000000..bd84b3e
--- /dev/null
+++ b/basic/non_plat/hal_vibrator_default.te
@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# vibrator sysfs rw access
+allow hal_vibrator_default sysfs_vibrator:file rw_file_perms;
diff --git a/basic/non_plat/hal_wifi.te b/basic/non_plat/hal_wifi.te
new file mode 100644
index 0000000..b7cf2f6
--- /dev/null
+++ b/basic/non_plat/hal_wifi.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Allow hal wifi service to open/read/setattr wifi device.
+# wmtWifi is wifi char device file to control wifi driver.
+allow hal_wifi wmtWifi_device:chr_file w_file_perms;
+
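Review bot: The comment says `open/read/setattr wifi device`, but the rule below it grants `w_file_perms`, which contains neither `read` nor `setattr`, so one of the two is wrong. If write-only is the intended (and tighter) contract, fix the comment to `# Allow hal wifi service to open/write the wmtWifi device.`; if the HAL really reads or changes attributes, widen the rule deliberately now rather than after an avc denial. As in hal_vibrator.te, this is granted on the `hal_wifi` attribute (clients included) rather than on `hal_wifi_default`, which has its own file in this commit.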
diff --git a/basic/non_plat/hal_wifi_default.te b/basic/non_plat/hal_wifi_default.te
new file mode 100644
index 0000000..81d9043
--- /dev/null
+++ b/basic/non_plat/hal_wifi_default.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow hal_wifi_default self:capability sys_module;
+allow hal_wifi_default vendor_file:system module_load;
+allow hal_wifi_default kernel:system module_request;
+
+# allow hal service to manage AP bridge
+allowxperm hal_wifi_default self:udp_socket ioctl {
+ SIOCBRADDBR
+ SIOCBRADDIF
+ SIOCBRDELBR
+ SIOCBRDELIF
+ SIOCDEVPRIVATE_1
+};
+
+set_prop(hal_wifi_default, vendor_mtk_wifi_hal_prop)
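Review bot: `allow hal_wifi_default self:capability sys_module;`, `vendor_file:system module_load` and `kernel:system module_request` let the Wi-Fi HAL load kernel modules from the vendor image, and nothing in the hunk says which module or why it cannot be loaded by init at boot. Add a comment naming the module and the reason, e.g. `# Loads <wifi driver module placeholder> on demand; not loaded at boot because <reason placeholder>`; if an init rc can insmod it instead, the `sys_module` grant here disappears entirely. The bridge ioctl list under `allowxperm` is a good example of the narrowing this file otherwise does well.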
diff --git a/basic/non_plat/hwservice.te b/basic/non_plat/hwservice.te
new file mode 100644
index 0000000..4d59524
--- /dev/null
+++ b/basic/non_plat/hwservice.te
@@ -0,0 +1,76 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mtk_hal_bluetooth_hwservice, hwservice_manager_type;
+
+# Date: 2017/05/9
+type mtk_hal_rild_hwservice, hwservice_manager_type;
+
+# Date: 2017/06/07
+# power hidl
+type mtk_hal_power_hwservice, hwservice_manager_type;
+
+# Date: 2017/06/12
+# LBS HIDL
+type mtk_hal_lbs_hwservice, hwservice_manager_type;
+
+# Date: 2017/06/27
+# IMSA HIDL
+type mtk_hal_imsa_hwservice, hwservice_manager_type;
+
+# Date: 2017/07/12
+# NVRAM HIDL
+type mtk_hal_nvramagent_hwservice, hwservice_manager_type;
+
+# Date: 2017/07/19
+# PQ HIDL
+type mtk_hal_pq_hwservice, hwservice_manager_type;
+
+# Date: 2017/07/20
+# keymaster attestation hidl
+type mtk_hal_keyattestation_hwservice, hwservice_manager_type;
+
+# Date: 2018/05/25
+# FM HIDL
+type mtk_hal_fm_hwservice, hwservice_manager_type;
+
+# Date: 2018/03/23
+# log hidl
+type mtk_hal_log_hwservice, hwservice_manager_type;
+
+# Date: 2018/06/26
+# em hidl
+type mtk_hal_em_hwservice, hwservice_manager_type;
+
+# Date: 2018/07/02
+# MMS HIDL
+type mtk_hal_mms_hwservice, hwservice_manager_type, mtk_safe_hwservice_manager_type;
+
+type mtk_hal_atci_hwservice, hwservice_manager_type;
+
+# Date: 2020/12/02
+# MMAgent HIDL
+type mtk_hal_mmagent_hwservice, hwservice_manager_type;
+
+type mtk_hal_keymanage_hwservice, hwservice_manager_type;
+
+# Date: 2019/06/12
+# modem db filter hidl
+type mtk_hal_md_dbfilter_hwservice, hwservice_manager_type;
+
+# Date: 2019/07/16
+# HDMI HIDL
+type mtk_hal_hdmi_hwservice, hwservice_manager_type;
+
+# Date: 2019/09/06
+# BGService HIDL
+type mtk_hal_bgs_hwservice, hwservice_manager_type;
+
+# Date: 2019/07/04
+# bluetooth audio hidl
+type mtk_hal_bluetooth_audio_hwservice,hwservice_manager_type;
+
+# Date: 2021/06/30
+# composer extension HIDL
+type mtk_hal_composer_ext_hwservice, hwservice_manager_type, protected_hwservice;
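Review bot: Of the twenty hwservice types declared here only `mtk_hal_composer_ext_hwservice` carries `protected_hwservice`; if I read the platform attribute correctly, a hwservice type without it remains findable by untrusted app domains, so each of the other declarations is implicitly an app-exposed interface. Each type should either add `protected_hwservice` or carry a comment stating that app access is intended, e.g. `# findable by apps by design`; `mtk_hal_rild_hwservice`, `mtk_hal_nvramagent_hwservice` and `mtk_hal_keymanage_hwservice` in particular do not look like interfaces apps should reach. Minor: `type mtk_hal_bluetooth_audio_hwservice,hwservice_manager_type;` lacks the space after the comma every other line has, and `mtk_hal_mms_hwservice` is the only type given `mtk_safe_hwservice_manager_type` without a comment explaining what that attribute marks.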
diff --git a/basic/non_plat/hwservice_contexts b/basic/non_plat/hwservice_contexts
new file mode 100644
index 0000000..5e5a37e
--- /dev/null
+++ b/basic/non_plat/hwservice_contexts
@@ -0,0 +1,89 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+vendor.mediatek.hardware.bluetooth::IMtkBluetoothHci u:object_r:mtk_hal_bluetooth_hwservice:s0
+
+# Date: 2017/05/9
+vendor.mediatek.hardware.mtkradioex::IMtkRadioEx u:object_r:mtk_hal_rild_hwservice:s0
+vendor.mediatek.hardware.radio::ISap u:object_r:mtk_hal_rild_hwservice:s0
+vendor.mediatek.hardware.interfaces_tc1.mtkradioex_tc1::IMtkRadioEx u:object_r:mtk_hal_rild_hwservice:s0
+vendor.mediatek.hardware.radio_op::IRadioOp u:object_r:mtk_hal_rild_hwservice:s0
+
+# Date: 2017/06/07
+# power hidl
+vendor.mediatek.hardware.mtkpower::IMtkPerf u:object_r:hal_power_hwservice:s0
+vendor.mediatek.hardware.mtkpower::IMtkPower u:object_r:hal_power_hwservice:s0
+
+# Date: 2017/06/12
+# LBS HIDL
+vendor.mediatek.hardware.lbs::ILbs u:object_r:mtk_hal_lbs_hwservice:s0
+
+# Date : 2017/06/27
+# IMSA HIDL
+vendor.mediatek.hardware.imsa::IImsa u:object_r:mtk_hal_imsa_hwservice:s0
+
+# Date : 2017/07/12
+# nvram hidl
+vendor.mediatek.hardware.nvram::INvram u:object_r:mtk_hal_nvramagent_hwservice:s0
+
+# Date : 2017/07/19
+# PQ HIDL
+vendor.mediatek.hardware.pq::IPictureQuality u:object_r:mtk_hal_pq_hwservice:s0
+
+# Date: 2017/07/20
+# keymaster attestation hidl
+vendor.mediatek.hardware.keymaster_attestation::IKeymasterDevice u:object_r:mtk_hal_keyattestation_hwservice:s0
+
+# Date: 2018/05/25
+# FM HIDL
+vendor.mediatek.hardware.fm::IFmRadio u:object_r:mtk_hal_fm_hwservice:s0
+
+# Date: 2018/03/23
+# log hidl
+vendor.mediatek.hardware.log::ILog u:object_r:mtk_hal_log_hwservice:s0
+
+# Date: 2018/05/23
+# ATCI
+vendor.mediatek.hardware.atci::IAtcid u:object_r:mtk_hal_atci_hwservice:s0
+
+# Date: 2018/06/26
+# em hidl
+vendor.mediatek.hardware.engineermode::IEmd u:object_r:mtk_hal_em_hwservice:s0
+
+# Date : 2018/07/02
+# MMS HIDL
+vendor.mediatek.hardware.mms::IMms u:object_r:mtk_hal_mms_hwservice:s0
+
+# Date : 2020/12/02
+# MMAgent HIDL
+vendor.mediatek.hardware.mmagent::IMMAgent u:object_r:mtk_hal_mmagent_hwservice:s0
+
+# Date: 2019/06/12
+# modem db filter hidl
+vendor.mediatek.hardware.modemdbfilter::ICopyDBFilter u:object_r:mtk_hal_md_dbfilter_hwservice:s0
+
+# Date: 2019/07/04
+vendor.mediatek.hardware.camera.lomoeffect::ILomoEffect u:object_r:hal_camera_hwservice:s0
+vendor.mediatek.hardware.camera.ccap::ICCAPControl u:object_r:hal_camera_hwservice:s0
+vendor.mediatek.hardware.camera.bgservice::IBGService u:object_r:mtk_hal_bgs_hwservice:s0
+vendor.mediatek.hardware.camera.isphal::IISPModule u:object_r:mtk_hal_bgs_hwservice:s0
+
+# Date : 2019/07/31
+vendor.mediatek.hardware.camera.postproc::IPostDevice u:object_r:mtk_hal_bgs_hwservice:s0
+
+# Date : 2019/07/16
+# HDMI HIDL
+vendor.mediatek.hardware.hdmi::IMtkHdmiService u:object_r:mtk_hal_hdmi_hwservice:s0
+
+# Date: 2019/09/02
+# ATMs hidl
+vendor.mediatek.hardware.camera.atms::IATMs u:object_r:hal_camera_hwservice:s0
+
+# Date: 2019/09/04
+# bluetooth audio hidl
+vendor.mediatek.hardware.bluetooth.audio::IBluetoothAudioProvidersFactory u:object_r:mtk_hal_bluetooth_audio_hwservice:s0
+
+# Date: 2021/06/30
+# composer extension HIDL
+vendor.mediatek.hardware.composer_ext::IComposerExt u:object_r:mtk_hal_composer_ext_hwservice:s0
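Review bot: The two mtkpower entries, `vendor.mediatek.hardware.mtkpower::IMtkPerf` and `::IMtkPower`, are labeled with the AOSP `hal_power_hwservice` type even though the preceding hunk declares a dedicated `mtk_hal_power_hwservice` that no entry in this file uses. Labeling a vendor extension with the core HAL's type means every domain granted `hal_client_domain(X, hal_power)` can also find the MediaTek-specific interface without any further policy review; the same pattern appears for the camera extensions mapped to `hal_camera_hwservice` and for `isphal`/`postproc` sharing `mtk_hal_bgs_hwservice` with BGService. Unless the reuse is deliberate, label these `u:object_r:mtk_hal_power_hwservice:s0` and grant `find` only to the clients that need the extension; if it is intended, a comment beside the entries saying so would stop the next reader from "fixing" it.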
diff --git a/basic/non_plat/init.te b/basic/non_plat/init.te
new file mode 100644
index 0000000..d99d170
--- /dev/null
+++ b/basic/non_plat/init.te
@@ -0,0 +1,148 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : for L early bring up: add for nvram command in init rc files
+allow init nvram_data_file:dir create_dir_perms;
+allow init nvram_data_file:lnk_file r_file_perms;
+allow init nvdata_file:lnk_file r_file_perms;
+allow init nvdata_file:dir { create_dir_perms mounton };
+
+#============= init ==============
+# Date : W14.42
+# Operation : Migration
+# Purpose : for L : add for partition (chown/chmod)
+allow init system_block_device:blk_file setattr;
+allow init nvram_device:blk_file setattr;
+allow init seccfg_block_device:blk_file setattr;
+allow init secro_block_device:blk_file setattr;
+allow init frp_block_device:blk_file setattr;
+allow init logo_block_device:blk_file setattr;
+allow init para_block_device:blk_file { setattr w_file_perms };
+allow init recovery_block_device:blk_file setattr;
+
+# Date : WK15.30
+# Operation : Migration
+# Purpose : format wiped partition with "formattable" and "check" flag in fstab file
+allow init protect1_block_device:blk_file rw_file_perms;
+allow init protect2_block_device:blk_file rw_file_perms;
+allow init userdata_block_device:blk_file rw_file_perms;
+allow init cache_block_device:blk_file rw_file_perms;
+allow init nvdata_device:blk_file w_file_perms;
+allow init persist_block_device:blk_file rw_file_perms;
+allow init nvcfg_block_device:blk_file rw_file_perms;
+allow init odm_block_device:blk_file rw_file_perms;
+allow init oem_block_device:blk_file rw_file_perms;
+
+# Date : W16.28
+# Operation : Migration
+# Purpose : enable modules capability
+allow init self:capability sys_module;
+allow init kernel:system module_request;
+
+# Date : WK16.35
+# Operation : Migration
+# Purpose : create symbolic link from /mnt/sdcard to /sdcard
+allow init tmpfs:lnk_file create_file_perms;
+
+# Date:W17.07
+# Operation : bt hal
+# Purpose : bt hal interface permission
+allow init mtk_hal_bluetooth_exec:file getattr;
+
+# Date : WK17.02
+# Purpose: Fix audio hal service fail
+allow init mtk_hal_audio_exec:file getattr;
+
+# Date : W17.20
+# Purpose: Enable PRODUCT_FULL_TREBLE
+allow init vendor_block_device:lnk_file relabelto;
+
+# Date : WK17.21
+# Purpose: Fix gnss hal service fail
+allow init mtk_hal_gnss_exec:file getattr;
+
+# Fix boot up violation
+allow init debugfs_tracing_instances:file relabelfrom;
+
+# Date: W17.22
+# Operation : New Feature
+# Purpose : Add for A/B system
+allow init oemfs:dir mounton;
+allow init protect_f_data_file:dir mounton;
+allow init protect_s_data_file:dir mounton;
+allow init nvcfg_file:dir mounton;
+allow init mcf_ota_file:dir mounton;
+allow init persist_data_file:dir mounton;
+
+# Date : WK17.39
+# Operation : able to relabel mntl block device link
+# Purpose : Correct permission for mntl
+allow init expdb_block_device:lnk_file relabelto;
+allow init mcupmfw_block_device:lnk_file relabelto;
+allow init tee_block_device:lnk_file relabelto;
+
+# Date : WK17.43
+# Operation : able to insert fpsgo kernel module
+# Purpose : Correct permission for fpsgo
+allow init rootfs:system module_load;
+
+# Date: W17.43
+# Operation : module load
+# Purpose : insmod LKM under /vendor (connsys module KO)
+allow init vendor_file:system module_load;
+
+# Date : WK17.46
+# Operation : feature porting
+# Purpose : kernel module verification
+allow init kernel:key search;
+
+# Date : WK17.50
+# Operation : boost cpu while booting
+# Purpose : enhance boottime
+allow init proc_perfmgr:file w_file_perms;
+allow init proc_wmtdbg:file w_file_perms;
+
+# Date : W18.20
+# Operation : mount soc vendor's partition when booting
+allow init mnt_vendor_file:dir mounton;
+
+# Date : W19.28
+# Purpose: Allow to setattr /proc/last_kmsg
+allow init proc_last_kmsg:file setattr;
+
+# Purpose: Allow to write /proc/cpu/alignment
+allow init proc_cpu_alignment:file w_file_perms;
+
+# Purpose: Allow to relabelto for selinux_android_restorecon
+allow init boot_block_device:lnk_file relabelto;
+allow init vbmeta_block_device:lnk_file relabelto;
+
+# Purpose: Allow to write /proc/mtprintk
+allow init proc_mtprintk:file w_file_perms;
+
+# Date : 2020/08/05
+# Purpose: Allow to write /proc/driver/wmt_user_proc
+allow init proc_wmtuserproc:file w_file_perms;
+
+# Date: 2020/09/02
+# Operation: R migration
+# Purpose: Add permission for pl path utilities to add symlink to raw pl
+recovery_only(`
+ domain_trans(init, rootfs, update_engine)
+')
+
+# Date : 2020/12/23
+# Purpose: Allow init to write /proc/driver/conninfra_dbg
+allow init proc_conninfradbg:file w_file_perms;
+# Date : 2021/07/15
+# Purpose: Add permission for pl path utilities
+domain_auto_trans(init, postinstall_file, update_engine)
+
+# Date : 2021/09/13
+# Purpose: Add permission for mtk_core_ctl
+allow init sysfs_mtk_core_ctl:dir r_dir_perms;
+allow init sysfs_mtk_core_ctl:file rw_file_perms;
+
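Review bot: The `domain_auto_trans(init, postinstall_file, update_engine)` rule near the end of the hunk is unconditional, while the earlier rule for the same "pl path utilities" purpose is wrapped in `recovery_only(...)`. As written, during a normal boot any executable labeled `postinstall_file` that init runs will silently transition into `update_engine`, the domain that carries the OTA and partition-write privileges; if this is only exercised in recovery or OTA post-install, wrap it in the same `recovery_only(...)` guard, otherwise add a comment naming the boot-time service under /postinstall that needs it. Separately, `allow init rootfs:system module_load;` together with `self:capability sys_module` lets init load kernel modules out of the ramdisk; a comment giving the fpsgo module path would make that grant auditable.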
diff --git a/basic/non_plat/init_insmod_sh.te b/basic/non_plat/init_insmod_sh.te
new file mode 100644
index 0000000..a9fb4e4
--- /dev/null
+++ b/basic/non_plat/init_insmod_sh.te
@@ -0,0 +1,17 @@
+type init_insmod_sh, domain;
+type init_insmod_sh_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init_insmod_sh)
+
+allow init_insmod_sh vendor_toolbox_exec:file rx_file_perms;
+allow init_insmod_sh self:capability sys_module;
+allow init_insmod_sh vendor_file:system module_load;
+allow init_insmod_sh kernel:key search;
+
+# Date : WK20.46
+# Purpose : modprobe need proc_modules
+allow init_insmod_sh proc_modules:file r_file_perms;
+
+# Date : WK20.46
+# Purpose : Set the vendor.all.modules.ready property
+set_prop(init_insmod_sh, vendor_mtk_device_prop)
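Review bot: `set_prop(init_insmod_sh, vendor_mtk_device_prop)` at the bottom grants write access to every property under that context, while the comment says only `vendor.all.modules.ready` is needed, so a module-loading helper script ends up able to set arbitrary vendor device properties. If a dedicated context is cheap to add, prefer a single-purpose property type for the ready flag; otherwise list in the comment the full set of properties the script actually writes. The file also lacks the `# Policy File of /vendor/bin/...` header that the other daemon files in this tree carry, so a reader cannot tell which script this domain covers without grepping file_contexts.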
diff --git a/basic/non_plat/init_thh_service.te b/basic/non_plat/init_thh_service.te
new file mode 100644
index 0000000..3a40479
--- /dev/null
+++ b/basic/non_plat/init_thh_service.te
@@ -0,0 +1 @@
+type init_thh_service, domain;
diff --git a/basic/non_plat/ioctl_defines b/basic/non_plat/ioctl_defines
new file mode 100644
index 0000000..da54262
--- /dev/null
+++ b/basic/non_plat/ioctl_defines
@@ -0,0 +1,120 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+##########################
+# ged_bridge_id.h
+#
+define(`GED_BRIDGE_IO_LOG_BUF_GET', `0x6700')
+define(`GED_BRIDGE_IO_LOG_BUF_WRITE', `0x6701')
+define(`GED_BRIDGE_IO_LOG_BUF_RESET', `0x6702')
+define(`GED_BRIDGE_IO_BOOST_GPU_FREQ', `0x6703')
+define(`GED_BRIDGE_IO_MONITOR_3D_FENCE', `0x6704')
+define(`GED_BRIDGE_IO_QUERY_INFO', `0x6705')
+define(`GED_BRIDGE_IO_NOTIFY_VSYNC', `0x6706')
+define(`GED_BRIDGE_IO_DVFS_PROBE', `0x6707')
+define(`GED_BRIDGE_IO_DVFS_UM_RETURN', `0x6708')
+define(`GED_BRIDGE_IO_EVENT_NOTIFY', `0x6709')
+define(`GED_BRIDGE_IO_WAIT_HW_VSYNC', `0x670a')
+define(`GED_BRIDGE_IO_QUERY_TARGET_FPS', `0x670b')
+define(`GED_BRIDGE_IO_VSYNC_WAIT', `0x670c')
+define(`GED_BRIDGE_IO_GPU_HINT_TO_CPU', `0x670d')
+define(`GED_BRIDGE_IO_HINT_FORCE_MDP', `0x670e')
+define(`GED_BRIDGE_IO_QUERY_DVFS_FREQ_PRED', `0x670f')
+define(`GED_BRIDGE_IO_QUERY_GPU_DVFS_INFO', `0x6710')
+
+define(`GED_BRIDGE_IO_GE_ALLOC', `0x6764')
+define(`GED_BRIDGE_IO_GE_GET', `0x6765')
+define(`GED_BRIDGE_IO_GE_SET', `0x6766')
+define(`GED_BRIDGE_IO_GPU_TIMESTAMP', `0x6767')
+define(`GED_BRIDGE_IO_TARGET_FPS', `0x6768')
+define(`GED_BRIDGE_IO_GE_INFO', `0x6769')
+define(`GED_BRIDGE_IO_GPU_TUNER_STATUS', `0x676a')
+define(`GED_BRIDGE_IO_DMABUF_SET_NAME', `0x676b')
+
+define(`GED_BRIDGE_IO_CREATE_TIMELINE', `0x67c8')
+
+##########################
+# perf_ioctl.h : FPSGO
+#
+define(`PERFMGR_FPSGO_QUEUE', `0x6701')
+define(`PERFMGR_FPSGO_DEQUEUE', `0x6703')
+define(`PERFMGR_FPSGO_VSYNC', `0x6705')
+define(`PERFMGR_FPSGO_TOUCH', `0x670a')
+define(`PERFMGR_FPSGO_SWAP_BUFFER', `0x670e')
+define(`PERFMGR_FPSGO_QUEUE_CONNECT', `0x670f')
+define(`PERFMGR_FPSGO_BQID', `0x6710')
+define(`PERFMGR_FPSGO_GET_FPS', `0x6711')
+define(`PERFMGR_FPSGO_GET_CMD', `0x6712')
+define(`PERFMGR_FPSGO_GBE_GET_CMD', `0x6713')
+define(`PERFMGR_FPSGO_GET_FSTB_ACTIVE', `0x6714')
+define(`PERFMGR_FPSGO_WAIT_FSTB_ACTIVE', `0x6715')
+define(`PERFMGR_FPSGO_SBE_RESCUE', `0x6716')
+
+# perf_ioctl.h : EARA
+define(`PERFMGR_EARA_NN_BEGIN', `0x6701')
+define(`PERFMGR_EARA_NN_END', `0x6702')
+define(`PERFMGR_EARA_GETUSAGE', `0x6703')
+
+define(`PERFMGR_EARA_GETINDEX', `0x6701')
+define(`PERFMGR_EARA_COLLECT', `0x6702')
+
+# perf_ioctl.h : EARA
+define(`PERFMGR_EARA_ENABLE', `0x6701')
+define(`PERFMGR_EARA_GETINFO', `0x6702')
+define(`PERFMGR_EARA_TDIFF', `0x6703')
+
+# perf_ioctl.h : others
+define(`PERFMGR_CPU_PREFER', `0x6701')
+
+# perf_ioctl.h : EAS
+define(`EAS_SYNC_SET', `0x6701')
+define(`EAS_PERTASK_LS_SET', `0x6703')
+define(`CORE_CTL_FORCE_PAUSE_CPU', `0x6707')
+define(`CORE_CTL_SET_OFFLINE_THROTTLE_MS', `0x6708')
+define(`CORE_CTL_SET_LIMIT_CPUS', `0x6709')
+define(`CORE_CTL_SET_NOT_PREFERRED', `0x670a')
+define(`CORE_CTL_SET_BOOST', `0x670b')
+define(`CORE_CTL_SET_UP_THRES', `0x670c')
+define(`CPUQOS_V3_SET_CPUQOS_MODE', `0x670e')
+define(`CPUQOS_V3_SET_CT_TASK', `0x670f')
+define(`CPUQOS_V3_SET_CT_GROUP', `0x6710')
+define(`EAS_NEWLY_IDLE_BALANCE_INTERVAL_SET', `0x6711')
+define(`EAS_GET_THERMAL_HEADROOM_INTERVAL_SET', `0x6713')
+
+# perf_ioctl.h : XGFF
+define(`PERFMGR_XGFFRAME_START', `0x6701')
+define(`PERFMGR_XGFFRAME_END', `0x6702')
+
+##########################
+#
+#
+define(`MMC_IOCTLCMD', `0xb300')
+define(`MMC_IOC_MULTI_CMD', `0xb301')
+define(`UFS_IOCTLCMD', `0x5388')
+define(`UFS_IOCTL_RPMB', `0x5391')
+
+##########################
+#
+#
+define(`JPG_BRIDGE_ENC_IO_INIT', `0x780b')
+define(`JPG_BRIDGE_ENC_IO_CONFIG', `0x780c')
+define(`JPG_BRIDGE_ENC_IO_WAIT', `0x780d')
+define(`JPG_BRIDGE_ENC_IO_DEINIT', `0x780e')
+define(`JPG_BRIDGE_ENC_IO_START', `0x780f')
+define(`JPG_BRIDGE_DEC_IO_LOCK', `0x7812')
+define(`JPG_BRIDGE_DEC_IO_WAIT', `0x7813')
+define(`JPG_BRIDGE_DEC_IO_UNLOCK', `0x7814')
+
+##########################
+# m4u_priv.h
+#
+define(`MTK_M4U_T_ALLOC_MVA', `0x6704')
+define(`MTK_M4U_T_DEALLOC_MVA', `0x6705')
+define(`MTK_M4U_T_CONFIG_PORT', `0x670b')
+define(`MTK_M4U_T_DMA_OP', `0x671d')
+define(`MTK_M4U_T_SEC_INIT', `0x6732')
+define(`MTK_M4U_T_CONFIG_PORT_ARRAY', `0x671a')
+define(`MTK_M4U_T_CACHE_SYNC', `0x670a')
+define(`MTK_M4U_GZ_SEC_INIT', `0x673c')
+
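Review bot: Many of the perf_ioctl defines share numeric values with the GED defines and with each other; `GED_BRIDGE_IO_LOG_BUF_WRITE`, `PERFMGR_FPSGO_QUEUE`, `PERFMGR_EARA_NN_BEGIN`, `PERFMGR_EARA_GETINDEX`, `PERFMGR_EARA_ENABLE`, `PERFMGR_CPU_PREFER`, `EAS_SYNC_SET` and `PERFMGR_XGFFRAME_START` are all `0x6701`. That is harmless only while each name is used in an `allowxperm` on its own device or proc type, because m4 substitutes the number before the policy compiler sees it, so listing a PERFMGR name against `proc_ged` would grant a different GED command with no error. A header comment such as `# NOTE: values collide across drivers; each define is only meaningful in an allowxperm on its own device/proc type` would make the hazard visible, and the two blank `##########` sections above the MMC/UFS and JPG defines should name their kernel headers as the other sections do. By name, `UFS_IOCTL_RPMB` and `MMC_IOC_MULTI_CMD` reach the RPMB/eMMC command path, so any allowxperm list that consumes them deserves the same scrutiny.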
diff --git a/basic/non_plat/ioctl_macros b/basic/non_plat/ioctl_macros
new file mode 100644
index 0000000..9d9e37c
--- /dev/null
+++ b/basic/non_plat/ioctl_macros
@@ -0,0 +1,33 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# proc_ged ioctls
+define(`proc_ged_ioctls', `{
+ GED_BRIDGE_IO_LOG_BUF_GET
+ GED_BRIDGE_IO_LOG_BUF_WRITE
+ GED_BRIDGE_IO_LOG_BUF_RESET
+ GED_BRIDGE_IO_BOOST_GPU_FREQ
+ GED_BRIDGE_IO_MONITOR_3D_FENCE
+ GED_BRIDGE_IO_QUERY_INFO
+ GED_BRIDGE_IO_NOTIFY_VSYNC
+ GED_BRIDGE_IO_DVFS_PROBE
+ GED_BRIDGE_IO_DVFS_UM_RETURN
+ GED_BRIDGE_IO_EVENT_NOTIFY
+ GED_BRIDGE_IO_WAIT_HW_VSYNC
+ GED_BRIDGE_IO_QUERY_TARGET_FPS
+ GED_BRIDGE_IO_VSYNC_WAIT
+ GED_BRIDGE_IO_GPU_HINT_TO_CPU
+ GED_BRIDGE_IO_HINT_FORCE_MDP
+ GED_BRIDGE_IO_QUERY_DVFS_FREQ_PRED
+ GED_BRIDGE_IO_QUERY_GPU_DVFS_INFO
+ GED_BRIDGE_IO_GE_ALLOC
+ GED_BRIDGE_IO_GE_GET
+ GED_BRIDGE_IO_GE_SET
+ GED_BRIDGE_IO_GPU_TIMESTAMP
+ GED_BRIDGE_IO_TARGET_FPS
+ GED_BRIDGE_IO_GE_INFO
+ GED_BRIDGE_IO_GPU_TUNER_STATUS
+ GED_BRIDGE_IO_DMABUF_SET_NAME
+ GED_BRIDGE_IO_CREATE_TIMELINE
+}')
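Review bot: `proc_ged_ioctls` bundles all 26 GED commands, including the mutating ones (`GED_BRIDGE_IO_LOG_BUF_WRITE`, `GED_BRIDGE_IO_LOG_BUF_RESET`, `GED_BRIDGE_IO_BOOST_GPU_FREQ`, `GED_BRIDGE_IO_GE_SET`, `GED_BRIDGE_IO_DMABUF_SET_NAME`), so any `allowxperm ... proc_ged:file ioctl { proc_ged_ioctls }` hands the caller the whole driver surface and the filter only excludes commands the driver does not define. If the consumers differ in what they need, split it into a query set and a control set (e.g. `proc_ged_query_ioctls` / `proc_ged_ctrl_ioctls`) and compose the full set from them; if every client genuinely needs all of them, a one-line comment saying so would settle the question. Note also that this macro only restricts domains that reference it: a domain given `proc_ged:file rw_file_perms` with no allowxperm rule at all keeps unrestricted ioctl access.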
diff --git a/basic/non_plat/ipsec_mon.te b/basic/non_plat/ipsec_mon.te
new file mode 100644
index 0000000..adab2f3
--- /dev/null
+++ b/basic/non_plat/ipsec_mon.te
@@ -0,0 +1 @@
+type ipsec_mon, domain;
diff --git a/basic/non_plat/kernel.te b/basic/non_plat/kernel.te
new file mode 100644
index 0000000..5831906
--- /dev/null
+++ b/basic/non_plat/kernel.te
@@ -0,0 +1,87 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.38
+# Operation : Migration
+# Purpose : run guitar_update for touch F/W upgrade.
+allow kernel sdcard_type:dir search;
+
+# Date : WK14.39
+# Operation : Migration
+# Purpose : ums driver can access blk_file
+allow kernel loop_device:blk_file r_file_perms;
+allow kernel vold_device:blk_file rw_file_perms;
+
+# Date : WK15.35
+# Operation : Migration
+# Purpose : grant fon_image_data_file read permission for loop device
+allow kernel fon_image_data_file:file read;
+
+# Date : WK15.38
+# Operation : Migration
+# Purpose : grant proc_thermal for dir search
+allow kernel proc_thermal:dir search;
+
+# Date : WK16.11
+# Operation : Migration
+# Purpose : grant storage_file and wifi_data_file for kernel thread mtk_wmtd to access /sdcard/wifi.cfg
+# and /data/misc/wifi/wifi.cfg to access wifi.cfg, in which, some wifi driver configuations are there.
+allow kernel mnt_user_file:dir search;
+allow kernel mnt_user_file:lnk_file r_file_perms;
+allow kernel wifi_data_file:file r_file_perms;
+allow kernel wifi_data_file:dir search;
+allow kernel storage_file:lnk_file r_file_perms;
+allow kernel sdcard_type:file open;
+
+# Data : WK16.16
+# Operation : Migration
+# Purpose : Access to TC1 partition for reading MEID
+allow kernel block_device:dir search;
+
+# Data : WK16.16
+# Operation : Migration
+# Purpose : Access to TC1 partition for reading MEID
+allow kernel misc2_block_device:blk_file rw_file_perms;
+
+# Date : WK16.30
+# Operation: SQC
+# Purpose: Allow sdcardfs workqueue to access lower file systems
+allow kernel fuseblk:dir create_dir_perms;
+allow kernel fuseblk:file create_file_perms;
+
+# Date : WK16.30
+# Operation: SQC
+# Purpose: Allow sdcardfs workqueue to access lower file systems
+allow kernel {vfat mnt_media_rw_file}:dir create_dir_perms;
+allow kernel {vfat mnt_media_rw_file}:file create_file_perms;
+allow kernel kernel:key { write search setattr };
+
+# Date : WK16.42
+# Operation: SQC
+# Purpose: Allow task of cpuset cgroup can migration to parent cgroup when cpus is NULL
+allow kernel platform_app:process setsched;
+
+# Date : WK17.01
+# Operation: SQC
+# Purpose: Allow OpenDSP kthread to write debug dump to sdcard
+allow kernel audioserver:fd use;
+
+# Date : WK18.02
+# Operation: SQC
+# Purpose: Allow SCP SmartPA kthread to write debug dump to sdcard
+allow kernel mtk_hal_audio:fd use;
+allow kernel factory:fd use;
+
+# Date : WK18.29
+# Operation: SQC
+# Purpose: Allow kernel read firmware binary on vendor partition
+allow kernel vendor_file:file r_file_perms;
+
+# Date : WK18.35
+# Operation: SQC
+# Purpose: Allow VOW kthread to write debug PCM dump
+allow kernel mtk_audiohal_data_file:file write;
+
+# Date: WK19.03
+allow kernel expdb_block_device:blk_file rw_file_perms;
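Review bot: The `misc2_block_device` rule is wider than its own comment: the purpose says "reading MEID" from the TC1 partition, but the rule grants `rw_file_perms`, so kernel-domain code can also overwrite that partition; unless a write path exists, `allow kernel misc2_block_device:blk_file r_file_perms;` matches the stated intent. The `fd use` grants on `audioserver`, `mtk_hal_audio` and `factory` and the `mtk_audiohal_data_file:file write` rule are all described as debug PCM or dump paths, which is the kind of rule a debug-only policy directory exists for rather than the base `basic/non_plat` tree. The final rule, `allow kernel expdb_block_device:blk_file rw_file_perms;`, has a date but no purpose line, unlike every other rule in the file.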
diff --git a/basic/non_plat/keystore.te b/basic/non_plat/keystore.te
new file mode 100644
index 0000000..fff024b
--- /dev/null
+++ b/basic/non_plat/keystore.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.40 2014/12/26
+# Operation : CTS 5.0_r1
+# Purpose : allow access to /data/data for full CTS
+allow keystore app_data_file:file write;
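Review bot: `allow keystore app_data_file:file write;` is a 2014 CTS workaround that lets the system key daemon write into app-private files, and the comment no longer says which test needs it. The rule grants `write` but not `open`, so keystore can only write through a descriptor an app has already handed it; that limit is what keeps the grant tolerable and is worth stating, e.g. `# NOTE: no open/create here - keystore can only write to an app-supplied fd; re-verify this CTS 5.0 workaround is still required`. If a current CTS run passes without it, drop the rule rather than carrying it into a new policy tree.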
diff --git a/basic/non_plat/kisd.te b/basic/non_plat/kisd.te
new file mode 100644
index 0000000..25bd23a
--- /dev/null
+++ b/basic/non_plat/kisd.te
@@ -0,0 +1,31 @@
+# ==============================================
+# Policy File of /vendor/bin/kisd Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type kisd, domain;
+type kisd_exec, exec_type, file_type, vendor_file_type;
+typeattribute kisd mlstrustedsubject;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(kisd)
+
+allow kisd tee_device:chr_file rw_file_perms;
+allow kisd provision_file:dir rw_dir_perms;
+allow kisd provision_file:file create_file_perms;
+allow kisd kb_block_device:blk_file rw_file_perms;
+allow kisd kb_block_device:chr_file rw_file_perms;
+allow kisd dkb_block_device:blk_file rw_file_perms;
+allow kisd dkb_block_device:chr_file rw_file_perms;
+allow kisd key_install_data_file:dir w_dir_perms;
+allow kisd key_install_data_file:file create_file_perms;
+allow kisd key_install_data_file:dir search;
+allow kisd mtd_device:chr_file rw_file_perms;
+allow kisd mtd_device:blk_file rw_file_perms;
+allow kisd mtd_device:dir search;
+allow kisd block_device:dir search;
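Review bot: `typeattribute kisd mlstrustedsubject;` exempts kisd from MLS constraints, but none of the visible rules target per-user or app-labeled data; every object here (`tee_device`, `provision_file`, `kb_block_device`, `dkb_block_device`, `key_install_data_file`, `mtd_device`) is a single-level vendor type, so the attribute looks unnecessary unless rules elsewhere depend on it and should be dropped or justified in a comment. The raw `mtd_device` read/write on both `chr_file` and `blk_file` is the widest grant in the file, and the header does not say which device or key-blob partition kisd writes; a one-line purpose per device type, as the other files in this tree do, would make the provisioning surface reviewable. Minor: `allow kisd key_install_data_file:dir search;` is already covered by the `w_dir_perms` grant two lines above it.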
diff --git a/basic/non_plat/lbs_hidl_service.te b/basic/non_plat/lbs_hidl_service.te
new file mode 100644
index 0000000..2b8b512
--- /dev/null
+++ b/basic/non_plat/lbs_hidl_service.te
@@ -0,0 +1,14 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type lbs_hidl_service, domain;
+type lbs_hidl_service_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(lbs_hidl_service)
+hal_server_domain(lbs_hidl_service, hal_mtk_lbs)
+vndbinder_use(lbs_hidl_service)
+
+unix_socket_connect(lbs_hidl_service, agpsd, mtk_agpsd)
+allow lbs_hidl_service mtk_agpsd:unix_dgram_socket sendto;
+allow lbs_hidl_service mnld:unix_dgram_socket sendto;
diff --git a/basic/non_plat/lmkd.te b/basic/non_plat/lmkd.te
new file mode 100644
index 0000000..b88d9ef
--- /dev/null
+++ b/basic/non_plat/lmkd.te
@@ -0,0 +1,26 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Data : 2015/01/14
+# Operation : MT6735 SQC bug fix
+# Purpose : ALPS01905960 - selinux_warning: audit(1420845354.752:91): avc: denied { search }
+# for pid=194 comm="lmkd" name="23573" dev="proc"
+# ino=915740 scontext=u:r:lmkd:s0 tcontext=u:r:zygote:s0 tclass=dir permissive=0
+dontaudit lmkd zygote:dir rw_dir_perms;
+
+# Data : 2015/04/17
+# Operation : tb8163p1 low memory selinux warning
+# Purpose : ALPS02038466 audit(1429079840.646:7): avc: denied { use }
+# for pid=170 comm="lmkd"
+# path=2F6465762F6173686D656D2F4469736361726461626C654D656D6F72794173686D656D416C6C6F6361746F72202864656C6574656429
+# dev="tmpfs" ino=14475 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=fd permissive=0
+dontaudit lmkd platform_app:fd use;
+
+# Data : 2018/05/25
+# Operation : Add for duraSpeed socket
+allow lmkd system_server:unix_stream_socket connectto;
+
+# Data : 2021/04/20
+# Operation : Add for powerhal mem index
+hal_client_domain(lmkd, hal_power)
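Review bot: `dontaudit lmkd zygote:dir rw_dir_perms;` silences far more than the denial it cites: the quoted audit line shows only `{ search }`, yet the rule also hides `write`, `add_name` and `remove_name` on zygote's /proc directory, so a future real misbehaviour would go unlogged. `dontaudit lmkd zygote:dir search;` covers the quoted denial. The `connectto` on `system_server:unix_stream_socket` for duraSpeed would also benefit from a comment naming the socket, since a bare connectto into system_server is otherwise hard to audit.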
diff --git a/basic/non_plat/md_monitor.te b/basic/non_plat/md_monitor.te
new file mode 100644
index 0000000..48c5388
--- /dev/null
+++ b/basic/non_plat/md_monitor.te
@@ -0,0 +1 @@
+type md_monitor, domain;
diff --git a/basic/non_plat/mediacodec.te b/basic/non_plat/mediacodec.te
new file mode 100644
index 0000000..c733874
--- /dev/null
+++ b/basic/non_plat/mediacodec.te
@@ -0,0 +1,147 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : VDEC/VENC device node
+allow mediacodec Vcodec_device:chr_file rw_file_perms;
+
+# Date : WK16.21
+# Operation : Migration
+# Purpose : VP & VR dump and debug
+allow mediacodec M4U_device_device:chr_file rw_file_perms;
+allow mediacodec MTK_SMI_device:chr_file r_file_perms;
+allow mediacodec storage_file:lnk_file rw_file_perms;
+allow mediacodec tmpfs:dir search;
+allow mediacodec mnt_user_file:dir rw_dir_perms;
+allow mediacodec mnt_user_file:lnk_file rw_file_perms;
+allow mediacodec sdcard_type:dir rw_dir_perms;
+allow mediacodec sdcard_type:file create_file_perms;
+allow mediacodec nvram_data_file:dir w_dir_perms;
+allow mediacodec nvram_data_file:file create_file_perms;
+allow mediacodec nvram_data_file:lnk_file r_file_perms;
+allow mediacodec nvdata_file:lnk_file r_file_perms;
+allow mediacodec nvdata_file:dir w_dir_perms;
+allow mediacodec nvdata_file:file create_file_perms;
+allow mediacodec devmap_device:chr_file r_file_perms;
+allow mediacodec proc_meminfo:file r_file_perms;
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : for SW codec VP/VR
+allow mediacodec mtk_sched_device:chr_file rw_file_perms;
+
+# Data : WK14.39
+# Operation : Migration
+# Purpose : HW encrypt SW codec
+allow mediacodec mediacodec_data_file:file create_file_perms;
+allow mediacodec mediacodec_data_file:dir create_dir_perms;
+allow mediacodec sec_device:chr_file r_file_perms;
+
+# Data: WK14.44
+# Operation : Migration
+# Purpose : VP
+allow mediacodec surfaceflinger:file getattr;
+
+# Data: WK14.44
+# Operation : Migration
+# Purpose : for low SD card latency issue
+allow mediacodec sysfs_lowmemorykiller:file r_file_perms;
+
+# Data: WK14.45
+# Operation : Migration
+# Purpose : for change thermal policy when needed
+allow mediacodec proc_mtkcooler:dir search;
+allow mediacodec proc_mtkcooler:file rw_file_perms;
+allow mediacodec proc_mtktz:dir search;
+allow mediacodec proc_mtktz:file rw_file_perms;
+allow mediacodec proc_thermal:dir search;
+allow mediacodec proc_thermal:file rw_file_perms;
+allow mediacodec thermal_manager_data_file:file create_file_perms;
+allow mediacodec thermal_manager_data_file:dir { rw_dir_perms setattr };
+
+# Data : WK14.47
+# Operation : CTS
+# Purpose : cts search strange app
+allow mediacodec untrusted_app:dir search;
+
+# Date : WK14.39
+# Operation : Migration
+# Purpose : MJC Driver
+allow mediacodec MJC_device:chr_file rw_file_perms;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow mediacodec proc_ged:file rw_file_perms;
+allowxperm mediacodec proc_ged:file ioctl { proc_ged_ioctls };
+
+# Data : WK16.42
+# Operator: Whitney bring up
+# Purpose: call surfaceflinger due to powervr
+allow mediacodec surfaceflinger:fifo_file rw_file_perms;
+
+# Date: WK16.43
+# Operator: Whitney SQC
+# Purpose: mediacodec use gpu
+allow mediacodec gpu_device:dir search;
+
+# Date : W18.01
+# Add for turn on SElinux in enforcing mode
+allow mediacodec vndbinder_device:chr_file rw_file_perms;
+
+vndbinder_use(mediacodec)
+
+# Date : WK1721
+# Purpose: For FULL TREBLE
+allow mediacodec system_file:dir r_dir_perms;
+allow mediacodec debugfs_ion:dir search;
+
+
+# Date : WK17.30
+# Operation : O Migration
+# Purpose: Allow mediacodec to access cmdq driver
+allow mediacodec mtk_cmdq_device:chr_file r_file_perms;
+allow mediacodec mtk_mdp_device:chr_file r_file_perms;
+allow mediacodec mtk_mdp_sync_device:chr_file r_file_perms;
+allow mediacodec sw_sync_device:chr_file r_file_perms;
+
+# Date : WK17.30
+# Purpose : For Power Hal
+hal_client_domain(mediacodec, hal_power)
+
+# Date : WK17.12
+# Operation : MT6799 SQC
+# Purpose : Change thermal config
+set_prop(mediacodec, vendor_mtk_thermal_config_prop)
+
+# Date : WK17.43
+# Operation : Migration
+# Purpose : DISP access
+allow mediacodec graphics_device:chr_file r_file_perms;
+allow mediacodec graphics_device:dir search;
+
+# Date : WK19.27
+# Purpose: Android Migration for SVP
+allow mediacodec proc_m4u:file r_file_perms;
+allowxperm mediacodec proc_m4u:file ioctl {
+ MTK_M4U_T_SEC_INIT
+ MTK_M4U_T_CONFIG_PORT
+ MTK_M4U_T_CACHE_SYNC
+ MTK_M4U_T_CONFIG_PORT_ARRAY
+};
+
+# Date : 2019/12/12
+# Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/*
+allow mediacodec sysfs_concurrency_scenario:file rw_file_perms;
+allow mediacodec sysfs_concurrency_scenario:dir search;
+
+# Date : 2020/07/10
+# Purpose : allow media sources to access /sys/bus/platform/drivers/emi_ctrl/*
+allow mediacodec sysfs_emi_ctrl_concurrency_scenario:file rw_file_perms;
+allow mediacodec sysfs_emi_ctrl_concurrency_scenario:dir search;
+
+# Date : WK20.16
+# # Operation: SQC
+# # Purpose : Allow medicodec to control video mode property
+set_prop(mediacodec, vendor_mtk_video_prop)
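Review bot: Under the comment "VP & VR dump and debug", mediacodec is given `create_file_perms` on `nvram_data_file` and `nvdata_file` (plus `w_dir_perms` on their directories) as well as on `sdcard_type`; a codec process that parses untrusted media could then create or overwrite NVRAM data after a decoder bug, which works against the point of confining the codec domain. If these are dump paths, move them to the debug policy tree or reduce them to `r_file_perms`; if production code really writes NVRAM from the codec, the comment should name the component and why. The same hunk also grants `untrusted_app:dir search`, `surfaceflinger:fifo_file rw_file_perms` and write access to `proc_thermal` / `thermal_manager_data_file`, each justified only by a one-line "CTS", "powervr" or "thermal" note, so a per-rule owner would help the next audit.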
diff --git a/basic/non_plat/mediadrmserver.te b/basic/non_plat/mediadrmserver.te
new file mode 100644
index 0000000..3b7a2c1
--- /dev/null
+++ b/basic/non_plat/mediadrmserver.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow mediadrmserver proc_ged:file rw_file_perms;
+
+
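Review bot: `allow mediadrmserver proc_ged:file rw_file_perms;` carries the `ioctl` permission with no accompanying `allowxperm`, and when a source/target/class triple has no xperm rule at all SELinux does not filter the command number, so mediadrmserver gets every GED ioctl while mediacodec in the same tree is restricted to `proc_ged_ioctls`. Add `allowxperm mediadrmserver proc_ged:file ioctl { proc_ged_ioctls };` (the macro is defined in this commit's ioctl_macros), or a narrower list if only the gralloc_extra query path is used.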
diff --git a/basic/non_plat/mediaextractor.te b/basic/non_plat/mediaextractor.te
new file mode 100644
index 0000000..36ffb24
--- /dev/null
+++ b/basic/non_plat/mediaextractor.te
@@ -0,0 +1,17 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow mediaextractor proc_ged:file rw_file_perms;
+
+#============= mediaextractor ==============
+allow mediaextractor vfat:file r_file_perms;
+
+allow mediaextractor mediaserver_service:service_manager find;
+
+allow mediaextractor platform_app:dir search;
+allow mediaextractor platform_app:file r_file_perms;
+
+hal_client_domain(mediaextractor, hal_omx)
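Review bot: `allow mediaextractor proc_ged:file rw_file_perms;` has no `allowxperm` companion, so unlike mediacodec the extractor gets the unfiltered GED ioctl surface; `allowxperm mediaextractor proc_ged:file ioctl { proc_ged_ioctls };` brings it in line. `allow mediaextractor vfat:file r_file_perms;` includes `open`, which lets the extractor open files on external storage itself rather than only working on descriptors its client passes in; the AOSP extractor is designed around client-supplied descriptors, so confirm this does not conflict with a platform neverallow and document which path needs it. The `platform_app:dir search` / `platform_app:file r_file_perms` pair targets /proc entries of platform apps and has no comment at all.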
diff --git a/basic/non_plat/mediahelper.te b/basic/non_plat/mediahelper.te
new file mode 100755
index 0000000..b1b2d63
--- /dev/null
+++ b/basic/non_plat/mediahelper.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# get prop to judge use 64-bit or not
+get_prop(mediahelper, vendor_mtk_prefer64_prop)
+
diff --git a/basic/non_plat/mediaserver.te b/basic/non_plat/mediaserver.te
new file mode 100644
index 0000000..1cc0cf4
--- /dev/null
+++ b/basic/non_plat/mediaserver.te
@@ -0,0 +1,309 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.31
+# Operation : Migration
+# Purpose : camera devices access.
+allow mediaserver camera_isp_device:chr_file rw_file_perms;
+allow mediaserver ccu_device:chr_file rw_file_perms;
+allow mediaserver vpu_device:chr_file rw_file_perms;
+allow mediaserver mdla_device:chr_file rw_file_perms;
+allow mediaserver apusys_device:chr_file rw_file_perms;
+allow mediaserver sysfs_apusys_queue:dir r_dir_perms;
+allow mediaserver sysfs_apusys_queue:file r_file_perms;
+allow mediaserver kd_camera_hw_device:chr_file rw_file_perms;
+allow mediaserver seninf_device:chr_file rw_file_perms;
+allow mediaserver self:capability { setuid ipc_lock sys_nice net_admin };
+allow mediaserver sysfs_wake_lock:file rw_file_perms;
+allow mediaserver MTK_SMI_device:chr_file r_file_perms;
+allow mediaserver camera_pipemgr_device:chr_file r_file_perms;
+allow mediaserver kd_camera_flashlight_device:chr_file rw_file_perms;
+allow mediaserver lens_device:chr_file rw_file_perms;
+
+# Date : WK14.32
+# Operation : Migration
+# Purpose : Set audio driver permission to access SD card for debug purpose and accss NVRam.
+allow mediaserver sdcard_type:dir create_dir_perms;
+allow mediaserver sdcard_type:file create_file_perms;
+allow mediaserver nvram_data_file:lnk_file read;
+allow mediaserver nvdata_file:lnk_file read;
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : nvram access (dumchar case for nand and legacy chip)
+allow mediaserver nvram_device:chr_file rw_file_perms;
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : media server and bt process communication for A2DP data.and other control flow
+allow mediaserver bluetooth:unix_dgram_socket sendto;
+allow mediaserver bt_a2dp_stream_socket:sock_file write;
+allow mediaserver bt_int_adp_socket:sock_file write;
+
+# Date : WK14.37
+# Operation : Migration
+# Purpose : camera ioctl
+allow mediaserver camera_sysram_device:chr_file r_file_perms;
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : VDEC/VENC device node
+allow mediaserver Vcodec_device:chr_file rw_file_perms;
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : access nvram, otp, ccci cdoec devices.
+allow mediaserver ccci_device:chr_file rw_file_perms;
+allow mediaserver eemcs_device:chr_file rw_file_perms;
+allow mediaserver devmap_device:chr_file r_file_perms;
+allow mediaserver ebc_device:chr_file rw_file_perms;
+allow mediaserver nvram_device:blk_file rw_file_perms;
+allow mediaserver bootdevice_block_device:blk_file rw_file_perms;
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : for SW codec VP/VR
+allow mediaserver mtk_sched_device:chr_file rw_file_perms;
+
+# Date : WK14.38
+# Operation : Migration
+# Purpose : FM driver access
+allow mediaserver fm_device:chr_file rw_file_perms;
+
+# Data : WK14.38
+# Operation : Migration
+# Purpose : for VP/VR
+allow mediaserver FM50AF_device:chr_file rw_file_perms;
+allow mediaserver AD5820AF_device:chr_file rw_file_perms;
+allow mediaserver DW9714AF_device:chr_file rw_file_perms;
+allow mediaserver DW9814AF_device:chr_file rw_file_perms;
+allow mediaserver AK7345AF_device:chr_file rw_file_perms;
+allow mediaserver DW9714A_device:chr_file rw_file_perms;
+allow mediaserver LC898122AF_device:chr_file rw_file_perms;
+allow mediaserver LC898212AF_device:chr_file rw_file_perms;
+allow mediaserver BU6429AF_device:chr_file rw_file_perms;
+allow mediaserver DW9718AF_device:chr_file rw_file_perms;
+allow mediaserver BU64745GWZAF_device:chr_file rw_file_perms;
+allow mediaserver MAINAF_device:chr_file rw_file_perms;
+allow mediaserver MAIN2AF_device:chr_file rw_file_perms;
+allow mediaserver MAIN3AF_device:chr_file rw_file_perms;
+allow mediaserver MAIN4AF_device:chr_file rw_file_perms;
+allow mediaserver SUBAF_device:chr_file rw_file_perms;
+allow mediaserver SUB2AF_device:chr_file rw_file_perms;
+
+# Data : WK14.38
+# Operation : Migration
+# Purpose : for boot animation.
+binder_call(mediaserver, bootanim)
+binder_call(mediaserver, mtkbootanimation)
+
+# Date : WK14.39
+# Operation : Migration
+# Purpose : FDVT Driver
+allow mediaserver camera_fdvt_device:chr_file rw_file_perms;
+
+# Date : WK14.40
+# Operation : Migration
+# Purpose : HDMI driver access
+allow mediaserver graphics_device:chr_file rw_file_perms;
+
+# Date : WK14.40
+# Operation : Migration
+# Purpose : Smartpa
+allow mediaserver smartpa_device:chr_file rw_file_perms;
+
+# Data : WK14.40
+# Operation : Migration
+# Purpose : permit 'call' by audio tunning tool audiocmdservice_atci
+binder_call(mediaserver, audiocmdservice_atci)
+
+# Date : WK14.40
+# Operation : Migration
+# Purpose : mtk_jpeg
+allow mediaserver mtk_jpeg_device:chr_file r_file_perms;
+
+# Date : WK14.41
+# Operation : Migration
+# Purpose : WFD HID Driver
+allow mediaserver uhid_device:chr_file rw_file_perms;
+
+# Date : WK14.41
+# Operation : Migration
+# Purpose : Camera EEPROM Calibration
+allow mediaserver CAM_CAL_DRV_device:chr_file rw_file_perms;
+allow mediaserver CAM_CAL_DRV1_device:chr_file rw_file_perms;
+allow mediaserver CAM_CAL_DRV2_device:chr_file rw_file_perms;
+allow mediaserver camera_eeprom_device:chr_file rw_file_perms;
+allow mediaserver seninf_n3d_device:chr_file rw_file_perms;
+
+# Date : WK14.43
+# Operation : Migration
+# Purpose : VOW
+allow mediaserver vow_device:chr_file rw_file_perms;
+
+# Date: WK14.44
+# Operation : Migration
+# Purpose : EVDO
+allow mediaserver rpc_socket:sock_file write;
+allow mediaserver ttySDIO_device:chr_file rw_file_perms;
+
+# Data: WK14.44
+# Operation : Migration
+# Purpose : VP
+allow mediaserver surfaceflinger:file getattr;
+
+# Data: WK14.44
+# Operation : Migration
+# Purpose : for low SD card latency issue
+allow mediaserver sysfs_lowmemorykiller:file r_file_perms;
+
+# Data: WK14.45
+# Operation : Migration
+# Purpose : for change thermal policy when needed
+allow mediaserver proc_mtkcooler:dir search;
+allow mediaserver proc_mtktz:dir search;
+allow mediaserver proc_thermal:dir search;
+
+# Date : WK14.46
+# Operation : Migration
+# Purpose : for MTK Emulator HW GPU
+allow mediaserver qemu_pipe_device:chr_file rw_file_perms;
+
+# Date : WK14.46
+# Operation : Migration
+# Purpose : for camera init
+allow mediaserver system_server:unix_stream_socket rw_socket_perms_no_ioctl;
+
+# Data : WK14.46
+# Operation : Migration
+# Purpose : for SMS app
+allow mediaserver radio_data_file:dir search;
+allow mediaserver radio_data_file:file open;
+
+# Data : WK14.47
+# Operation : Audio playback
+# Purpose : Music as ringtone
+allow mediaserver radio:dir r_dir_perms;
+allow mediaserver radio:file r_file_perms;
+
+# Data : WK14.47
+# Operation : CTS
+# Purpose : cts search strange app
+allow mediaserver untrusted_app:dir search;
+
+# Date : WK15.03
+# Operation : Migration
+# Purpose : offloadservice
+allow mediaserver offloadservice_device:chr_file rw_file_perms;
+
+# Date : WK15.32
+# Operation : Pre-sanity
+# Purpose : 3A algorithm need to access sensor service
+allow mediaserver sensorservice_service:service_manager find;
+
+# Date : WK15.34
+# Operation : Migration
+# Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
+allow mediaserver storage_file:lnk_file rw_file_perms;
+allow mediaserver mnt_user_file:dir rw_dir_perms;
+allow mediaserver mnt_user_file:lnk_file rw_file_perms;
+
+# Date : WK15.35
+# Operation : Migration
+# Purpose: Allow mediaserver to read binder from surfaceflinger
+allow mediaserver surfaceflinger:fifo_file rw_file_perms;
+
+# Date : WK15.46
+# Operation : Migration
+# Purpose : DPE Driver
+allow mediaserver camera_dpe_device:chr_file rw_file_perms;
+
+# Date : WK15.46
+# Operation : Migration
+# Purpose : TSF Driver
+allow mediaserver camera_tsf_device:chr_file rw_file_perms;
+
+# Date : WK16.32
+# Operation : N Migration
+# Purpose : RSC Driver
+allow mediaserver camera_rsc_device:chr_file rw_file_perms;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow mediaserver proc_ged:file rw_file_perms;
+allowxperm mediaserver proc_ged:file ioctl { proc_ged_ioctls };
+
+# Date : WK16.33
+# Operation : N Migration
+# Purpose : GEPF Driver
+allow mediaserver camera_gepf_device:chr_file rw_file_perms;
+
+# Date : WK16.35
+# Operation : Migration
+# Purpose : Update camera flashlight driver device file
+allow mediaserver flashlight_device:chr_file rw_file_perms;
+
+# Date : WK16.43
+# Operation : N Migration
+# Purpose : WPE Driver
+allow mediaserver camera_wpe_device:chr_file rw_file_perms;
+allow mediaserver gpu_device:dir search;
+allow mediaserver sw_sync_device:chr_file rw_file_perms;
+
+# Date : WK17.19
+# Operation : N Migration
+# Purpose : OWE Driver
+allow mediaserver camera_owe_device:chr_file rw_file_perms;
+
+# Date : WK17.30
+# Operation : O Migration
+# Purpose: Allow to access cmdq driver
+allow mediaserver mtk_cmdq_device:chr_file r_file_perms;
+allow mediaserver mtk_mdp_device:chr_file r_file_perms;
+allow mediaserver mtk_mdp_sync_device:chr_file r_file_perms;
+hal_client_domain(mediaserver, hal_mtk_mms)
+
+# Date : WK17.43
+# Operation : Migration
+# Purpose : DISP access
+allow mediaserver graphics_device:dir search;
+
+# Date : WK17.44
+# Operation : Migration
+# Purpose : DIP Driver
+allow mediaserver camera_dip_device:chr_file rw_file_perms;
+
+# Date : WK17.44
+# Operation : Migration
+# Purpose : MFB Driver
+allow mediaserver camera_mfb_device:chr_file rw_file_perms;
+
+# Date : WK17.49
+# Operation : MT6771 SQC
+# Purpose : Allow permgr access
+allow mediaserver proc_perfmgr:dir r_dir_perms;
+allow mediaserver proc_perfmgr:file r_file_perms;
+allowxperm mediaserver proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_DEQUEUE
+ PERFMGR_FPSGO_QUEUE_CONNECT
+ PERFMGR_FPSGO_QUEUE
+ PERFMGR_FPSGO_BQID
+};
+
+# Date : WK18.18
+# Operation : Migration
+# Purpose : wifidisplay hdcp
+# DRM Key Manage HIDL
+binder_call(mediaserver, mtk_hal_keymanage)
+
+# Date : WK21.25
+# Operation : Migration
+# Purpose : PDA Driver
+allow mediaserver camera_pda_device:chr_file rw_file_perms;
+
+# Purpose : Allow mediadrmserver to call vendor.mediatek.hardware.keymanage@1.0-service.
+hal_client_domain(mediaserver, hal_keymaster)
+hal_client_domain(mediaserver, hal_power)
+
+allow mediaserver vpud_device:chr_file rw_file_perms;
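Review bot: L9666-9667 give mediaserver read/write on the raw `nvram_device` and `bootdevice_block_device` block nodes, so a compromise of this media-parsing process could rewrite the boot device; the stated purpose ("access nvram, otp, ccci cdoec devices") does not say why a raw block write is needed rather than the chr_file node or the nvram HAL client path used elsewhere in this commit. The sdcard rules at L9632-9633 are described as "for debug purpose" yet ship in the non-debug policy path, and `net_admin` in the capability set on L9622 is broad for a media server; if these are only needed on engineering builds they belong in a debug-gated policy directory, otherwise the comment should state the production need. The comment on L9910 says "Allow mediadrmserver to call ... keymanage" but the rule on L9911 is `hal_client_domain(mediaserver, hal_keymaster)`, so it describes neither the domain nor the HAL; rewrite it as `# Purpose : Allow mediaserver to use the keymaster and power HALs` or drop the grants if the keymanage binder_call on L9903 already covers the need.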
diff --git a/basic/non_plat/mediaswcodec.te b/basic/non_plat/mediaswcodec.te
new file mode 100644
index 0000000..d5ed060
--- /dev/null
+++ b/basic/non_plat/mediaswcodec.te
@@ -0,0 +1,16 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK19.25
+# Operation : Migration
+# Purpose : [ALPS04669482] DRTS failed due to avc denied
+allow mediaswcodec debugfs_ion:dir rw_dir_perms;
+allow mediaswcodec gpu_device:dir rw_dir_perms;
+allow mediaswcodec gpu_device:chr_file rw_file_perms;
+allow mediaswcodec dri_device:chr_file rw_file_perms;
+
+# Date : WK20.38
+# Purpose: Allow to access ged for gralloc_extra functions
+allow mediaswcodec proc_ged:file rw_file_perms;
+allowxperm mediaswcodec proc_ged:file ioctl { proc_ged_ioctls };
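Review bot: L9928-9931 give mediaswcodec write access to `debugfs_ion`, `gpu_device` and `dri_device`, but mediaswcodec is the sandboxed software-codec process that decodes untrusted bitstreams and is kept to a minimal permission set in AOSP; a DRTS denial is a reason to find which caller should hold these handles, not to widen the codec sandbox. From Android 12 onward debugfs is no longer mounted on user builds, so the `debugfs_ion` rule is at best dead in production and may collide with platform neverallows on debugfs types - worth confirming against the target release. The purpose line cites only a ticket id; it should name the feature that needs the GPU/DRI nodes, e.g. `# Purpose : software codec needs gpu_device/dri_device for <buffer allocation path - TODO confirm>`.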
diff --git a/basic/non_plat/merged_hal_service.te b/basic/non_plat/merged_hal_service.te
new file mode 100644
index 0000000..d0f003c
--- /dev/null
+++ b/basic/non_plat/merged_hal_service.te
@@ -0,0 +1,68 @@
+# ==============================================================================
+# Type Declaration
+# ==============================================================================
+type merged_hal_service, domain;
+type merged_hal_service_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(merged_hal_service)
+
+hal_server_domain(merged_hal_service, hal_vibrator)
+hal_server_domain(merged_hal_service, hal_light)
+hal_server_domain(merged_hal_service, hal_power)
+hal_server_domain(merged_hal_service, hal_thermal)
+hal_server_domain(merged_hal_service, hal_memtrack)
+
+#mtk libs_hidl_service permissions
+hal_server_domain(merged_hal_service, hal_mtk_lbs)
+
+vndbinder_use(merged_hal_service)
+unix_socket_connect(merged_hal_service, agpsd, mtk_agpsd)
+allow merged_hal_service mtk_agpsd:unix_dgram_socket sendto;
+
+#mtk_gnss permissions
+hal_server_domain(merged_hal_service, hal_gnss)
+allow merged_hal_service mnld_data_file:sock_file create_file_perms;
+allow merged_hal_service mnld_data_file:dir create_dir_perms;
+allow merged_hal_service mnld:unix_dgram_socket sendto;
+
+#graphics allocator permissions
+hal_server_domain(merged_hal_service, hal_graphics_allocator)
+allow merged_hal_service gpu_device:dir search;
+allow merged_hal_service sw_sync_device:chr_file rw_file_perms;
+allow merged_hal_service debugfs_tracing:file w_file_perms;
+
+#for ape hidl permissions
+hal_server_domain(merged_hal_service, hal_mtk_codecservice)
+hal_client_domain(merged_hal_service, hal_allocator)
+
+#for default drm permissions
+hal_server_domain(merged_hal_service, hal_drm)
+allow merged_hal_service mediacodec:fd use;
+allow merged_hal_service { appdomain -isolated_app }:fd use;
+
+# Date : WK18.23
+# Operation : P Migration
+# Purpose : add grant permission for Thermal HAL mtktz and proc
+allow merged_hal_service proc_mtktz:dir search;
+allow merged_hal_service proc_mtktz:file r_file_perms;
+allow merged_hal_service proc_stat:file r_file_perms;
+
+#for uevent handle
+allow merged_hal_service self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+#for thermal sysfs
+allow merged_hal_service sysfs_therm:file rw_file_perms;
+allow merged_hal_service sysfs_therm:dir search;
+
+
+# Date : WK19.11
+# Operation : Q Migration
+allowxperm merged_hal_service proc_ged:file ioctl { proc_ged_ioctls };
+
+# Date: 2019/06/14
+# Operation : Migration
+hal_client_domain(merged_hal_service, hal_mtk_nvramagent)
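Review bot: The `allowxperm merged_hal_service proc_ged:file ioctl { proc_ged_ioctls };` on L10006 has no matching `allow merged_hal_service proc_ged:file ...` in this file, so unless ioctl on proc_ged is granted through an attribute elsewhere the extended-permission rule is dead - compare mediaswcodec.te in this commit, which pairs the two. If the grant is intended, add `allow merged_hal_service proc_ged:file rw_file_perms;` before it; if not, remove the allowxperm. Separately, this single domain serves the vibrator, light, power, thermal, memtrack, lbs, gnss, graphics_allocator, codecservice and drm HALs (L9955-9985), so a bug in any one server - hal_drm handling untrusted content is the obvious worry - inherits the union of all these permissions, including app fd use and the uevent socket; a short header comment explaining why the services are merged rather than split into per-HAL domains would help the next reviewer.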
diff --git a/basic/non_plat/meta_tst.te b/basic/non_plat/meta_tst.te
new file mode 100644
index 0000000..bdb87cb
--- /dev/null
+++ b/basic/non_plat/meta_tst.te
@@ -0,0 +1,414 @@
+# ==============================================
+# Policy File of /vendor/bin/meta_tst Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type meta_tst, domain;
+type meta_tst_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(meta_tst)
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : for meta mode device node USB
+allow meta_tst ttyGS_device:chr_file rw_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : for meta mode device node UART
+allow meta_tst ttyMT_device:chr_file rw_file_perms;
+
+# Date: WK17.12
+# Operation : Migration
+# Purpose : for meta mode device node UART
+allow meta_tst ttyS_device:chr_file rw_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : for meta mode device node CCCI
+allow meta_tst ccci_device:chr_file rw_file_perms;
+allow meta_tst eemcs_device:chr_file rw_file_perms;
+allow meta_tst emd_device:chr_file rw_file_perms;
+allow meta_tst ttyACM_device:chr_file rw_file_perms;
+allow meta_tst mdlog_device:chr_file rw_file_perms;
+
+# Data: WK15.07
+# Purpose : SDIO
+allow meta_tst ttySDIO_device:chr_file rw_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : for meta mode file system
+allow meta_tst bootdevice_block_device:blk_file rw_file_perms;
+allow meta_tst mmcblk1_block_device:blk_file rw_file_perms;
+allow meta_tst userdata_block_device:blk_file rw_file_perms;
+allow meta_tst cache_block_device:blk_file rw_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : for meta mode nvram
+allow meta_tst nvram_data_file:dir create_dir_perms;
+allow meta_tst nvram_data_file:file create_file_perms;
+allow meta_tst nvram_data_file:lnk_file r_file_perms;
+allow meta_tst nvdata_file:lnk_file r_file_perms;
+allow meta_tst nvdata_file:dir create_dir_perms;
+allow meta_tst nvdata_file:file create_file_perms;
+allow meta_tst nvram_device:chr_file rw_file_perms;
+allow meta_tst nvram_device:blk_file rw_file_perms;
+allow meta_tst nvdata_device:blk_file rw_file_perms;
+read_fstab(meta_tst)
+get_prop(meta_tst, vendor_mtk_rat_config_prop)
+
+# Date: WK14.47
+# Operation : Migration
+# Purpose : for meta mode audio
+allow meta_tst audio_device:chr_file rw_file_perms;
+allow meta_tst audio_device:dir rw_dir_perms;
+allow meta_tst audio_ipi_device:chr_file rw_file_perms;
+set_prop(meta_tst, vendor_mtk_audiohal_prop)
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : for meta mode RTC and PMIC
+allow meta_tst rtc_device:chr_file r_file_perms;
+allow meta_tst MT_pmic_adc_cali_device:chr_file rw_file_perms;
+
+# Date: WK14.46
+# Operation : Migration
+# Purpose : Camera
+allow meta_tst devmap_device:chr_file rw_file_perms;
+allow meta_tst camera_pipemgr_device:chr_file rw_file_perms;
+allow meta_tst MTK_SMI_device:chr_file rw_file_perms;
+allow meta_tst camera_isp_device:chr_file rw_file_perms;
+allow meta_tst camera_sysram_device:chr_file r_file_perms;
+allow meta_tst kd_camera_flashlight_device:chr_file rw_file_perms;
+allow meta_tst kd_camera_hw_device:chr_file rw_file_perms;
+allow meta_tst AD5820AF_device:chr_file rw_file_perms;
+allow meta_tst DW9714AF_device:chr_file rw_file_perms;
+allow meta_tst DW9714A_device:chr_file rw_file_perms;
+allow meta_tst LC898122AF_device:chr_file rw_file_perms;
+allow meta_tst LC898212AF_device:chr_file rw_file_perms;
+allow meta_tst BU6429AF_device:chr_file rw_file_perms;
+allow meta_tst DW9718AF_device:chr_file rw_file_perms;
+allow meta_tst BU64745GWZAF_device:chr_file rw_file_perms;
+allow meta_tst MAINAF_device:chr_file rw_file_perms;
+allow meta_tst MAIN2AF_device:chr_file rw_file_perms;
+allow meta_tst MAIN3AF_device:chr_file rw_file_perms;
+allow meta_tst MAIN4AF_device:chr_file rw_file_perms;
+allow meta_tst SUBAF_device:chr_file rw_file_perms;
+allow meta_tst SUB2AF_device:chr_file rw_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : meta mode LCM
+allow meta_tst graphics_device:chr_file rw_file_perms;
+allow meta_tst graphics_device:dir search;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : meta mode sensor
+allow meta_tst als_ps_device:chr_file r_file_perms;
+allow meta_tst gsensor_device:chr_file r_file_perms;
+allow meta_tst msensor_device:chr_file r_file_perms;
+allow meta_tst gyroscope_device:chr_file r_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : meta mode FM
+allow meta_tst fm_device:chr_file rw_file_perms;
+allow meta_tst FM50AF_device:chr_file rw_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : meta mode wifi
+allow meta_tst wmtWifi_device:chr_file w_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : meta mode BT
+allow meta_tst stpbt_device:chr_file rw_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : meta mode GPS
+allow meta_tst gps_data_file:dir { w_dir_perms unlink};
+allow meta_tst gps_data_file:file create_file_perms;
+allow meta_tst gps_data_file:lnk_file r_file_perms;
+allow meta_tst tmpfs:lnk_file r_file_perms;
+allow meta_tst agpsd_data_file:dir search;
+allow meta_tst agpsd_data_file:sock_file w_file_perms;
+allow meta_tst mnld_device:chr_file rw_file_perms;
+allow meta_tst stpgps_device:chr_file rw_file_perms;
+allow meta_tst mnld_exec:file rx_file_perms;
+allow meta_tst mnld:unix_dgram_socket sendto;
+set_prop(meta_tst, vendor_mtk_mnld_prop)
+
+#Date WK14.49
+#Operation : Migration
+#Purpose : DRM key installation
+allow meta_tst key_install_data_file:dir w_dir_perms;
+allow meta_tst key_install_data_file:file create_file_perms;
+
+# Date: WK14.51
+# Purpose : set/get cryptfs cfg in sys env
+allow meta_tst misc_device:chr_file rw_file_perms;
+allow meta_tst proc_lk_env:file rw_file_perms;
+
+# Purpose : FT_EMMC_OP_FORMAT_TCARD
+allow meta_tst system_block_device:blk_file getattr;
+
+# Date: WK15.52
+# Purpose : NVRAM related LID
+allow meta_tst pro_info_device:chr_file rw_file_perms;
+
+# Date: WK15.13
+# Purpose: for nand project
+allow meta_tst mtd_device:dir search;
+allow meta_tst mtd_device:chr_file rw_file_perms;
+
+# Date: WK16.17
+# Purpose: N Migration For ccci sysfs node
+allow meta_tst sysfs_ccci:dir search;
+allow meta_tst sysfs_ccci:file r_file_perms;
+
+#Date: W18.22
+# Purpose: P Migration meta_tst get com port type/uart port info/boot mode/usb state/usb close
+allow meta_tst sysfs_comport_type:file rw_file_perms;
+allow meta_tst sysfs_uart_info:file rw_file_perms;
+allow meta_tst sysfs_boot_mode:file rw_file_perms;
+allow meta_tst sysfs_boot_type:file r_file_perms;
+allow meta_tst sysfs_android_usb:file rw_file_perms;
+allow meta_tst sysfs_android_usb:dir search;
+allow meta_tst sysfs_usb_nonplat:file rw_file_perms;
+allow meta_tst sysfs_usb_nonplat:dir search;
+allow meta_tst sysfs_batteryinfo:file rw_file_perms;
+allow meta_tst sysfs_batteryinfo:dir search;
+
+#Date: W16.17
+# Purpose: N Migration For meta_tst load MD NVRAM database
+# Detail avc log: [04-23-20:41:58][ 160.687655] <1>.(1)[230:logd.auditd]type=
+#1400 audit(1262304165.560:24): avc: denied { read } for pid=228 comm=
+#"meta_tst" name="mddb" dev="mmcblk0p20" ino=664 scontext=u:r:meta_tst:
+#s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
+allow meta_tst system_file:dir r_dir_perms;
+
+# Date: WK16.18
+# Purpose: for CCCI reboot modem
+allow meta_tst gsm0710muxd_device:chr_file rw_file_perms;
+
+# Date : WK16.35
+# Purpose : Update camera flashlight driver device file
+allow meta_tst flashlight_device:chr_file rw_file_perms;
+
+#Date: W16.36
+# Purpose: meta_tst use libmeta_rat to write libsysenv
+# Detail avc log:[ 25.307141] .(5)[264:logd.auditd]type=1400 audit(1469438818.570:7):
+#avc: denied { read write } for pid=312 comm="meta_tst" name="mmcblk0p2" dev="tmpfs"
+#ino=4561 scontext=u:r:meta_tst:s0 tcontext=u:object_r:para_block_device:s0 tclass=blk_file permissive=0
+allow meta_tst para_block_device:blk_file rw_file_perms;
+
+#Date: W16.44
+allow meta_tst nvcfg_file:dir r_dir_perms;
+
+#Date: W16.45
+# Purpose : Allow unmount sdcardfs mounted on /data/media
+allow meta_tst sdcard_type:filesystem unmount;
+allow meta_tst storage_stub_file:dir search;
+
+# Date : WK16.19
+# Operation: meta_tst set persist.meta.connecttype property
+# Purpose: Switch meta connect type, set persist.meta.connecttype as "wifi" or "usb".
+set_prop(meta_tst, vendor_mtk_meta_connecttype_prop)
+
+# Date : WK16.23
+# Purpose: support meta_tst check key event
+allow meta_tst input_device:dir r_dir_perms;
+allow meta_tst input_device:chr_file r_file_perms;
+
+# Date : WK16.29
+# Purpose: support meta mode show string on screen
+allow meta_tst ashmem_device:chr_file x_file_perms;
+
+#Date: W16.50
+# Purpose : Allow meta_tst stop service which occupy data partition.
+set_prop(meta_tst, ctl_default_prop)
+
+#Date: W17.25
+# Purpose : Allow meta_tst stop service which occupy data partition.
+set_prop(meta_tst, system_mtk_ctl_emdlogger1_prop)
+
+#Date: W17.27
+# Purpose: STMicro NFC solution integration
+allow meta_tst vendor_file:file rx_file_perms;
+allow meta_tst debugfs_tracing:file w_file_perms;
+
+# Date: W17.29
+# Purpose : Allow meta_tst to call vendor.mediatek.hardware.keymaster_attestation@1.0-service.
+hal_client_domain(meta_tst, hal_mtk_keyattestation)
+
+# Date : WK17.30
+# Operation : Android O migration
+# Purpose : add sepolicy for accessing sysfs_leds
+allow meta_tst sysfs_leds:lnk_file r_file_perms;
+allow meta_tst sysfs_leds:file rw_file_perms;
+allow meta_tst sysfs_leds:dir r_dir_perms;
+
+# Date: WK17.43
+# Purpose: add permission for meta_tst access md image
+allow meta_tst md_block_device:blk_file r_file_perms;
+allow meta_tst mddb_data_file:file create_file_perms;
+allow meta_tst mddb_data_file:dir create_dir_perms;
+
+# Date: W17.43
+# Purpose : Allow meta_tst to call Audio HAL service
+binder_call(meta_tst, mtk_hal_audio)
+allow meta_tst mtk_audiohal_data_file:dir r_dir_perms;
+
+#Data:W1745
+# Purpose : Allow meta_tst to open and read proc/bootprof
+allow meta_tst proc_bootprof:file rw_file_perms;
+
+# Date:W17.51
+# Operation : lbs hal
+# Purpose : lbs hidl interface permission
+hal_client_domain(meta_tst, hal_mtk_lbs)
+
+# Data:W1750
+# Purpose : Allow meta_tst to access mtd device
+allow meta_tst mtd_device:blk_file rw_file_perms;
+
+#Date: W17.51
+#Purpose : Allow meta_tst to access pesist.atm.mdmode in ATM.
+set_prop(meta_tst, vendor_mtk_atm_mdmode_prop)
+
+#Date: W17.51
+#Purpose : Allow meta_tst to access pesist.atm.ipaddress in ATM.
+set_prop(meta_tst, vendor_mtk_atm_ipaddr_prop)
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow meta_tst to get vendor_mtk_tel_switch_prop
+get_prop(meta_tst, vendor_mtk_tel_switch_prop)
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose : Allow meta_tst to call nvram hal
+hal_client_domain(meta_tst, hal_mtk_nvramagent)
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose : Allow meta_tst to write misc partition
+allow meta_tst block_device:dir search;
+
+# Date : W18.24
+# Operation: P migration
+# Purpose : Allow meta_tst to access tpd sysfs nodes for CTP test
+allow meta_tst sysfs_tpd_setting:dir search;
+allow meta_tst sysfs_tpd_setting:file r_file_perms;
+
+# Date : WK18.24
+# Operation: P migration
+# Purpose : Allow meta_tst to unmount partition, stop service, and then erase partition
+allow meta_tst vendor_shell_exec:file rx_file_perms;
+allow meta_tst vendor_toolbox_exec:file x_file_perms;
+allow meta_tst labeledfs:filesystem { unmount };
+allow meta_tst proc_cmdline:file r_file_perms;
+allow meta_tst self:capability { sys_admin sys_module net_admin net_raw sys_time };
+allow meta_tst sysfs_dt_firmware_android:file r_file_perms;
+allow meta_tst sysfs_dt_firmware_android:dir r_dir_perms;
+
+# Purpose : Allow meta_tst to communicate with driver thru socket
+allow meta_tst self:udp_socket create_socket_perms;
+allowxperm meta_tst self:udp_socket ioctl priv_sock_ioctls;
+
+# Date : WK18.25
+# Operation: P migration
+# Purpose : GPS test, Allow meta_tst to write/connect tcp socket
+allow meta_tst node:tcp_socket node_bind;
+allow meta_tst port:tcp_socket { name_bind name_connect };
+
+# Date : WK18.28
+# Operation: P migration
+# Purpose : AUDIO test, Allow meta_tst to write/read asound
+allow meta_tst proc_asound:dir r_dir_perms;
+allow meta_tst proc_asound:file rw_file_perms;
+allow meta_tst sysfs_headset:file r_file_perms;
+
+# Date: W18.05
+# Purpose : Allow meta_tst to use socket for listening uevent
+allow meta_tst meta_tst:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Date : WK18.28
+# Operation: P migration
+# Purpose :
+set_prop(meta_tst, vendor_mtk_usb_prop)
+
+# Date: W18.32
+# Operation: Android P migration
+# Purpose : Allow meta_tst to set powerctl property
+# avc: denied { set } for property=sys.powerctl pid=330 uid=0 gid=1001 scontext=u:r:meta_tst:s0
+# tcontext=u:object_r:powerctl_prop:s0 tclass=property_service permissive=0
+set_prop(meta_tst, powerctl_prop)
+
+# Data: W18.42
+# Operation: Android P migration
+# Purpose : add socket permission for meta
+allow meta_tst fwmarkd_socket:sock_file write;
+
+#Date: W18.42
+# Operation: Android P migration
+# Purpose : Add ATM meta mvram sepolicy
+allow meta_tst mnt_vendor_file:dir search;
+
+# Date : WK18.44
+# Operation: P migration
+# Purpose : adsp
+allow meta_tst adsp_device:chr_file rw_file_perms;
+
+# Date : WK19.08
+# Operation: P migration
+# Purpose : audio scp recovery
+allow meta_tst audio_scp_device:chr_file r_file_perms;
+
+# Date : WK19.50
+# Purpose: Allow bt process or tool to control bt_dbg
+allow meta_tst proc_btdbg:file rw_file_perms;
+
+# Date : WK20.07
+# Operation: R migration
+# Purpose : Add permission for new device node.
+allow meta_tst sysfs_boot_info:file r_file_perms;
+allow meta_tst sysfs_meta_info:file r_file_perms;
+
+# Date : WK20.16
+# Operation: R migration
+# Purpose : Allow meta_tst to access /sys/power/*
+allow meta_tst sysfs_power:file rw_file_perms;
+allow meta_tst sysfs_power:dir r_dir_perms;
+allow meta_tst self:capability2 block_suspend;
+
+# Date : WK20.14
+# Purpose: Allow meta connect GPS MNLD
+allow meta_tst mnld:unix_stream_socket connectto;
+
+# Date : WK20.25
+# Operation: Android R migration
+# Purpose : for sensor test
+allow meta_tst hf_manager_device:chr_file rw_file_perms;
+
+# Date : WK20.25
+# Operation: Android S migration
+# Purpose : Allow meta_tst to operate tcp socket
+allow meta_tst self:tcp_socket { listen accept create_socket_perms_no_ioctl };
+
+allow meta_tst meta_atci_socket:sock_file w_file_perms;
+
+# Date : WK21.40
+# Operation: Android S migration
+# Purpose : Allow meta_tst to read/write ccci/ccb
+allow meta_tst ccci_ccb_device:chr_file rw_file_perms;
\ No newline at end of file
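Review bot: `allow meta_tst self:capability { sys_admin sys_module net_admin net_raw sys_time };` on L10337 grants `sys_module` (kernel module loading) next to `sys_admin` to a factory-test daemon, and the purpose line ("unmount partition, stop service, and then erase partition") justifies neither module loading nor the raw-socket capabilities; recent AOSP policy neverallows `sys_module` outside init-like domains (worth confirming against the target release), so trim the set to what the unmount/erase path actually needs. L10360 writes the target as `meta_tst:netlink_kobject_uevent_socket` where merged_hal_service and the rest of this file use `self:`; `allow meta_tst self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;` reads consistently. L10364 has an empty `# Purpose :` for `set_prop(meta_tst, vendor_mtk_usb_prop)`, L10421 labels a WK20.25 change as "Android S migration" while the entry of the same week above it says R, and the file lacks a trailing newline (L10431).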
diff --git a/basic/non_plat/mmc_ffu.te b/basic/non_plat/mmc_ffu.te
new file mode 100644
index 0000000..c2bfb40
--- /dev/null
+++ b/basic/non_plat/mmc_ffu.te
@@ -0,0 +1,19 @@
+# ==============================================
+# Policy File of /system/bin/mmc_ffu Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type mmc_ffu, domain;
+type mmc_ffu_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(mmc_ffu)
+
+# Purpose: ioctl to /dev/misc-sd and for obtaining emmc vendor id and firmware revision
+allow mmc_ffu misc_sd_device:chr_file r_file_perms;
+
+#Purpose: Write eMMC firmware data to /dev/block/mmcblk0 for upgrade firmware
+allow mmc_ffu bootdevice_block_device:blk_file rw_file_perms;
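Review bot: The header on L10439 says the policy covers `/system/bin/mmc_ffu`, but `mmc_ffu_exec` is declared with `vendor_file_type` on L10445, which is the labelling used for binaries on the vendor partition, and the sibling files in this commit write `/vendor/bin/<name>`. Change the header to `# Policy File of /vendor/bin/mmc_ffu Executable File`, or fix the type attribute if the binary really lives in /system/bin, in which case `vendor_file_type` is the wrong attribute. Since the daemon can write the entire boot block device (L10456), a comment stating when init starts it (e.g. only during a firmware-update flow rather than every boot) would document the exposure.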
diff --git a/basic/non_plat/mnld.te b/basic/non_plat/mnld.te
new file mode 100644
index 0000000..996dea4
--- /dev/null
+++ b/basic/non_plat/mnld.te
@@ -0,0 +1,121 @@
+# ==============================================
+# Policy File of /vendor/bin/mnld Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type mnld, domain;
+type mnld_exec, exec_type, file_type, vendor_file_type;
+typeattribute mnld mlstrustedsubject;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+# STOPSHIP: Permissive is not allowed. CTS violation!
+init_daemon_domain(mnld)
+
+net_domain(mnld)
+
+# Purpose : For communicate with AGPSD by socket
+allow mnld agpsd_data_file:dir create_dir_perms;
+allow mnld agpsd_data_file:sock_file create_file_perms;
+allow mnld mtk_agpsd:unix_dgram_socket sendto;
+allow mnld sysfs_wake_lock:file rw_file_perms;
+
+# Purpose : For access NVRAM data
+allow mnld nvram_data_file:dir create_dir_perms;
+allow mnld nvram_data_file:file create_file_perms;
+allow mnld nvram_data_file:lnk_file r_file_perms;
+allow mnld nvdata_file:lnk_file r_file_perms;
+allow mnld nvram_device:blk_file rw_file_perms;
+allow mnld nvram_device:chr_file rw_file_perms;
+allow mnld nvdata_file:dir create_dir_perms;
+allow mnld nvdata_file:file create_file_perms;
+allow mnld gsi_metadata_file:dir search;
+
+# Purpose : For access kernel device
+allow mnld mnld_data_file:dir rw_dir_perms;
+allow mnld mnld_data_file:sock_file create_file_perms;
+allow mnld mnld_device:chr_file rw_file_perms;
+allow mnld stpgps_device:chr_file rw_file_perms;
+allow mnld gps2scp_device:chr_file rw_file_perms;
+allow mnld gps_pwr_device:chr_file rw_file_perms;
+allow mnld mnld_data_file:file create_file_perms;
+allow mnld mnld_data_file:fifo_file create_file_perms;
+allow mnld gps_emi_device:chr_file rw_file_perms;
+
+# Purpose : For init process
+allow mnld init:udp_socket rw_socket_perms_no_ioctl;
+
+# Purpose : For RTKSDK
+allow mnld proc_net:file r_file_perms;
+allow mnld gps_data_file:sock_file create_file_perms;
+
+# Send the message to the LBS HIDL Service to forward to applications
+allow mnld lbs_hidl_service:unix_dgram_socket sendto;
+
+# Send the message to the merged hal Service to forward to applications
+allow mnld merged_hal_service:unix_dgram_socket sendto;
+
+# Purpose : For access system data
+allow mnld block_device:dir search;
+set_prop(mnld, vendor_mtk_mnld_prop)
+allow mnld mdlog_device:chr_file rw_file_perms;
+allow mnld self:capability fsetid;
+allow mnld stpbt_device:chr_file rw_file_perms;
+allow mnld gpsdl_device:chr_file rw_file_perms;
+allow mnld ttyGS_device:chr_file rw_file_perms;
+
+# Purpose : For file system operations
+allow mnld sdcard_type:dir create_dir_perms;
+allow mnld sdcard_type:file create_file_perms;
+allow mnld tmpfs:lnk_file create_file_perms;
+allow mnld mtd_device:dir search;
+allow mnld mnt_user_file:lnk_file r_file_perms;
+allow mnld mnt_user_file:dir search;
+allow mnld gps_data_file:dir { create_dir_perms unlink };
+allow mnld gps_data_file:file create_file_perms;
+allow mnld gps_data_file:lnk_file r_file_perms;
+
+allow mnld storage_file:lnk_file r_file_perms;
+
+# Date : WK15.30
+# Operation : Migration
+# Purpose : for device bring up, not to block early migration/sanity
+allow mnld proc_lk_env:file rw_file_perms;
+
+# For HIDL, communicate mtk_hal_gnss instead of system_server
+allow mnld mtk_hal_gnss:unix_dgram_socket sendto;
+
+# Purpose : MPE sensor HIDL policy
+hwbinder_use(mnld)
+binder_call(mnld, system_server)
+allow mnld fwk_sensor_hwservice:hwservice_manager find;
+get_prop(mnld, hwservicemanager_prop)
+allow mnld debugfs_tracing:file w_file_perms;
+
+allow mnld mnt_vendor_file:dir search;
+
+#get waks_alarm timer create prop
+allow mnld mnld:capability2 wake_alarm;
+
+# Date : WK18.26
+# Purpose : for atci gps test
+allow mnld atci_service:unix_dgram_socket sendto;
+
+allow mnld sysfs_boot_mode:file r_file_perms;
+
+set_prop(mnld, vendor_mtk_radio_prop)
+
+allow mnld proc_cmdline:file r_file_perms;
+allow mnld sysfs_dt_firmware_android:dir search;
+allow mnld sysfs_dt_firmware_android:file r_file_perms;
+allow mnld metadata_file:dir search;
+
+#for mnld get screen on/off
+allow mnld sysfs_leds:dir search;
+allow mnld sysfs_leds:file r_file_perms;
+
+#Add for /nvcfg/almanac.dat
+allow mnld nvcfg_file:dir w_dir_perms;
+allow mnld nvcfg_file:file create_file_perms;
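Review bot: The `# STOPSHIP: Permissive is not allowed. CTS violation!` comment above `init_daemon_domain(mnld)` refers to a `permissive` directive that does not exist in this file, so it is stale and should be dropped; if the domain is still permissive somewhere else, that is the real blocker and the comment belongs there. `allow mnld mnld:capability2 wake_alarm;` spells the subject out as the target, while every other file in this change writes `self` for capability rules; `allow mnld self:capability2 wake_alarm;` is the consistent form, and the comment above it should read `wake_alarm` rather than `waks_alarm`. `allow mnld init:udp_socket rw_socket_perms_no_ioctl;` under "For init process" is unusual enough to deserve a sentence explaining which init-owned socket mnld reads and writes.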
diff --git a/basic/non_plat/mobicore.te b/basic/non_plat/mobicore.te
new file mode 100644
index 0000000..1f00d94
--- /dev/null
+++ b/basic/non_plat/mobicore.te
@@ -0,0 +1 @@
+type mobicore, domain;
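Review bot: `type mobicore, domain;` declares a domain with no matching `_exec` type and no `init_daemon_domain` or other transition, so nothing can actually run in it; the same applies to `mobicore_app.te` below. If these exist only so that other rules can name them as targets, a one-line comment such as `# Placeholder domain; referenced by other rules, no process transitions here` would stop a later reader from treating them as misconfigured daemons.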
diff --git a/basic/non_plat/mobicore_app.te b/basic/non_plat/mobicore_app.te
new file mode 100644
index 0000000..f501355
--- /dev/null
+++ b/basic/non_plat/mobicore_app.te
@@ -0,0 +1 @@
+type mobicore_app, domain;
diff --git a/basic/non_plat/mtk_agpsd.te b/basic/non_plat/mtk_agpsd.te
new file mode 100644
index 0000000..127ff34
--- /dev/null
+++ b/basic/non_plat/mtk_agpsd.te
@@ -0,0 +1,68 @@
+# ==============================================
+# Policy File of /vendor/bin/mtk_agpsd Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type mtk_agpsd_exec, exec_type, file_type, vendor_file_type;
+type mtk_agpsd, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(mtk_agpsd)
+
+net_domain(mtk_agpsd)
+
+wakelock_use(mtk_agpsd)
+
+# Access channels to modem for E-CID, RRLP, and LPP
+allow mtk_agpsd agps_device:chr_file rw_file_perms;
+allow mtk_agpsd ttySDIO_device:chr_file { create setattr unlink rw_file_perms };
+
+# Access folders, files, and sockets in /data/agps_supl
+allow mtk_agpsd agpsd_data_file:dir create_dir_perms;
+allow mtk_agpsd agpsd_data_file:file create_file_perms;
+allow mtk_agpsd agpsd_data_file:sock_file create_file_perms;
+
+# Access file system partitions like /system, /data and SD Card
+allow mtk_agpsd sdcard_type:dir create_dir_perms;
+allow mtk_agpsd sdcard_type:file create_file_perms;
+allow mtk_agpsd eemcs_device:chr_file rw_file_perms;
+allow mtk_agpsd mnt_user_file:dir create_dir_perms;
+allow mtk_agpsd mnt_vendor_file:dir create_dir_perms;
+allow mtk_agpsd mnt_vendor_file:file create_file_perms;
+allow mtk_agpsd gps_data_file:dir create_dir_perms;
+allow mtk_agpsd gps_data_file:file create_file_perms;
+
+# Access symbolic link files like /etc and /sdcard
+allow mtk_agpsd tmpfs:lnk_file create_file_perms;
+allow mtk_agpsd mnt_user_file:lnk_file create_file_perms;
+allow mtk_agpsd storage_file:dir create_dir_perms;
+allow mtk_agpsd storage_file:file create_file_perms;
+
+# Send supl profile configuration to SLPD (to get SUPL Reference Location for HW Fused Location)
+allow mtk_agpsd slpd:unix_dgram_socket sendto;
+
+# Operators will send agps settings via OMADM.
+# Operators ask UE to save these settings into NVRAM.
+allow mtk_agpsd nvcfg_file:dir create_dir_perms;
+allow mtk_agpsd nvcfg_file:file create_file_perms;
+
+# Send GNSS assistance data and AGPS commands to MTK's GPS module 'mnld'
+allow mtk_agpsd mnld:unix_dgram_socket sendto;
+
+# Send the message to the LBS HIDL Service to forward to system partitions
+allow mtk_agpsd lbs_hidl_service:unix_dgram_socket sendto;
+
+# Send the message to the merged hal Service to forward to system partitions
+allow mtk_agpsd merged_hal_service:unix_dgram_socket sendto;
+
+# Allow send socket to fusion rild
+allow mtk_agpsd rild:unix_dgram_socket sendto;
+
+# Read the property of vendor.debug.gps.mnld.ne
+get_prop(mtk_agpsd, vendor_mtk_mnld_prop)
+
+# Read the property of ro.vendor.mtk_log_hide_gps
+get_prop(mtk_agpsd, vendor_mtk_gps_support_prop)
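Review bot: `allow mtk_agpsd ttySDIO_device:chr_file { create setattr unlink rw_file_perms };` lets a `net_domain` daemon create, re-attribute and delete device nodes of this type, which goes well beyond the "access channels to modem" purpose stated in the comment. If the daemon only opens an existing node, `rw_file_perms` alone is enough; if it genuinely has to create the node, the comment should say which path and why, since the directory-level permission that would make `create` usable is not visible in this hunk. The type declarations list `mtk_agpsd_exec` before `mtk_agpsd`, the reverse of every other file in this change—a style nit only.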
diff --git a/basic/non_plat/mtk_hal_audio.te b/basic/non_plat/mtk_hal_audio.te
new file mode 100644
index 0000000..f02354c
--- /dev/null
+++ b/basic/non_plat/mtk_hal_audio.te
@@ -0,0 +1,239 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type mtk_hal_audio, domain;
+
+type mtk_hal_audio_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(mtk_hal_audio)
+
+hal_server_domain(mtk_hal_audio, hal_audio)
+hal_client_domain(mtk_hal_audio, hal_allocator)
+
+wakelock_use(mtk_hal_audio)
+
+add_hwservice(mtk_hal_audio, mtk_hal_bluetooth_audio_hwservice)
+allow mtk_hal_audio ion_device:chr_file r_file_perms;
+
+allow mtk_hal_audio system_file:dir r_dir_perms;
+
+r_dir_file(mtk_hal_audio, proc)
+allow mtk_hal_audio audio_device:dir r_dir_perms;
+allow mtk_hal_audio audio_device:chr_file rw_file_perms;
+
+# mtk_hal_audio should never execute any executable without
+# a domain transition
+neverallow mtk_hal_audio { file_type fs_type }:file execute_no_trans;
+
+# mtk_hal_audio should never need network access.
+# Disallow network sockets.
+neverallow mtk_hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Date : WK14.32
+# Operation : Migration
+# Purpose : Set audio driver permission to access SD card for debug purpose and accss NVRam.
+allow mtk_hal_audio sdcard_type:dir create_dir_perms;
+allow mtk_hal_audio sdcard_type:file create_file_perms;
+allow mtk_hal_audio nvram_data_file:dir w_dir_perms;
+allow mtk_hal_audio nvram_data_file:file create_file_perms;
+allow mtk_hal_audio nvram_data_file:lnk_file r_file_perms;
+allow mtk_hal_audio nvdata_file:lnk_file r_file_perms;
+allow mtk_hal_audio nvdata_file:dir create_dir_perms;
+allow mtk_hal_audio nvdata_file:file create_file_perms;
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : nvram access (dumchar case for nand and legacy chip)
+allow mtk_hal_audio nvram_device:chr_file rw_file_perms;
+allow mtk_hal_audio self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : media server and bt process communication for A2DP data.and other control flow
+allow mtk_hal_audio bt_a2dp_stream_socket:sock_file w_file_perms;
+allow mtk_hal_audio bt_int_adp_socket:sock_file w_file_perms;
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : access nvram, otp, ccci cdoec devices.
+allow mtk_hal_audio ccci_device:chr_file rw_file_perms;
+allow mtk_hal_audio eemcs_device:chr_file rw_file_perms;
+allow mtk_hal_audio devmap_device:chr_file r_file_perms;
+allow mtk_hal_audio ebc_device:chr_file rw_file_perms;
+allow mtk_hal_audio nvram_device:blk_file rw_file_perms;
+
+# Date : WK14.38
+# Operation : Migration
+# Purpose : FM driver access
+allow mtk_hal_audio fm_device:chr_file rw_file_perms;
+
+# Data : WK14.39
+# Operation : Migration
+# Purpose : dump for debug
+set_prop(mtk_hal_audio, vendor_mtk_audiohal_prop)
+
+# Date : WK14.40
+# Operation : Migration
+# Purpose : HDMI driver access
+allow mtk_hal_audio graphics_device:chr_file rw_file_perms;
+
+# Date : WK14.40
+# Operation : Migration
+# Purpose : Smartpa
+allow mtk_hal_audio smartpa_device:chr_file rw_file_perms;
+allow mtk_hal_audio sysfs_rt_param:file rw_file_perms;
+allow mtk_hal_audio sysfs_rt_param:dir r_dir_perms;
+allow mtk_hal_audio sysfs_rt_calib:file rw_file_perms;
+allow mtk_hal_audio sysfs_rt_calib:dir r_dir_perms;
+
+# Date : WK14.41
+# Operation : Migration
+# Purpose : WFD HID Driver
+allow mtk_hal_audio uhid_device:chr_file rw_file_perms;
+
+# Date : WK14.43
+# Operation : Migration
+# Purpose : VOW
+allow mtk_hal_audio vow_device:chr_file rw_file_perms;
+
+# Date: WK14.44
+# Operation : Migration
+# Purpose : EVDO
+allow mtk_hal_audio rpc_socket:sock_file w_file_perms;
+allow mtk_hal_audio ttySDIO_device:chr_file rw_file_perms;
+
+# Data: WK14.44
+# Operation : Migration
+# Purpose : for low SD card latency issue
+allow mtk_hal_audio sysfs_lowmemorykiller:file r_file_perms;
+
+# Data: WK14.45
+# Operation : Migration
+# Purpose : for change thermal policy when needed
+allow mtk_hal_audio proc_mtkcooler:dir search;
+allow mtk_hal_audio proc_mtktz:dir search;
+allow mtk_hal_audio proc_thermal:dir search;
+allow mtk_hal_audio thermal_manager_data_file:file create_file_perms;
+allow mtk_hal_audio thermal_manager_data_file:dir { rw_dir_perms setattr };
+
+# for as33970
+allow mtk_hal_audio sysfs_reset_dsp:file rw_file_perms;
+allow mtk_hal_audio tahiti_device:chr_file rw_file_perms_no_map;
+# for smartpa
+allow mtk_hal_audio sysfs_chip_vendor:file r_file_perms;
+allow mtk_hal_audio sysfs_pa_num:file rw_file_perms;
+
+# Data : WK14.47
+# Operation : Audio playback
+# Purpose : Music as ringtone
+allow mtk_hal_audio radio:dir r_dir_perms;
+allow mtk_hal_audio radio:file r_file_perms;
+
+# Data : WK14.47
+# Operation : CTS
+# Purpose : cts search strange app
+allow mtk_hal_audio untrusted_app:dir search;
+
+# Date : WK15.03
+# Operation : Migration
+# Purpose : offloadservice
+allow mtk_hal_audio offloadservice_device:chr_file rw_file_perms;
+
+# Date : WK15.34
+# Operation : Migration
+# Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
+allow mtk_hal_audio storage_file:dir search;
+allow mtk_hal_audio storage_file:lnk_file rw_file_perms;
+allow mtk_hal_audio mnt_user_file:dir rw_dir_perms;
+allow mtk_hal_audio mnt_user_file:lnk_file rw_file_perms;
+
+# Date : WK16.17
+# Operation : Migration
+# Purpose: read/open sysfs node
+allow mtk_hal_audio sysfs_ccci:file r_file_perms;
+allow mtk_hal_audio sysfs_ccci:dir search;
+
+# Date : WK16.18
+# Operation : Migration
+# Purpose: research root dir "/"
+allow mtk_hal_audio tmpfs:dir search;
+
+# Purpose: Dump debug info
+allow mtk_hal_audio kmsg_device:chr_file w_file_perms;
+allow mtk_hal_audio fuse:file rw_file_perms;
+
+# Date : WK16.27
+# Operation : Migration
+# Purpose: tunning tool update parameters
+binder_call(mtk_hal_audio, radio)
+allow mtk_hal_audio mtk_audiohal_data_file:dir create_dir_perms;
+allow mtk_hal_audio mtk_audiohal_data_file:file create_file_perms;
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow mtk_hal_audio proc_ged:file rw_file_perms;
+
+# Fix bootup violation
+allow mtk_hal_audio fuse:dir r_dir_perms;
+
+# for usb phone call, allow sys_nice
+allow mtk_hal_audio self:capability sys_nice;
+
+# Date : W17.29
+# Boot for opening trace file: Permission denied (13)
+allow mtk_hal_audio debugfs_tracing:file w_file_perms;
+
+# Audio Tuning Tool Android O porting
+binder_call(mtk_hal_audio, audiocmdservice_atci)
+
+# Add for control PowerHAL
+hal_client_domain(mtk_hal_audio, hal_power)
+
+# cm4 smartpa
+allow mtk_hal_audio audio_ipi_device:chr_file rw_file_perms;
+allow mtk_hal_audio audio_scp_device:chr_file r_file_perms;
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
+allow mtk_hal_audio mnt_vendor_file:dir search;
+
+# Date: 2019/06/14
+# Operation : Migration
+allow mtk_hal_audio audioserver:fifo_file w_file_perms;
+allow mtk_hal_audio sysfs_boot_mode:file r_file_perms;
+allow mtk_hal_audio sysfs_dt_firmware_android:dir search;
+
+# Date : WK18.44
+# Operation: adsp
+allow mtk_hal_audio adsp_device:file rw_file_perms;
+allow mtk_hal_audio adsp_device:chr_file rw_file_perms;
+
+# Date : 2020/3/21
+# Operation: audio dptx
+allow mtk_hal_audio dri_device:chr_file rw_file_perms;
+allow mtk_hal_audio gpu_device:dir search;
+
+# Date : WK20.26
+allow mtk_hal_audio sysfs_dt_firmware_android:file r_file_perms;
+
+# Date : WK20.36
+# Operation : Migration
+# Purpose : AAudio HAL
+allow mtk_hal_audio debugfs_ion:dir search;
+
+# Date : 2021/06/15
+# Purpose: Allow to change mtk MMQoS scenario
+allow mtk_hal_audio sysfs_mtk_mmqos_scen:file w_file_perms;
+allow mtk_hal_audio sysfs_mtk_mmqos_scen_v2:file w_file_perms;
+
+# Allow ReadDefaultFstab().
+read_fstab(mtk_hal_audio)
+
+# Date : WK21.23
+# Operation : Migration
+# Purpose : factory mode
+allow mtk_hal_audio sysfs_boot_info:file r_file_perms;
+
+# Date : WK21.32
+# Operation : Migration
+# Purpose: permission for audioserver to use ccci node
+allow mtk_hal_audio ccci_aud_device:chr_file rw_file_perms;
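Review bot: `allow mtk_hal_audio proc_ged:file rw_file_perms;` (under "Allow to access ged for gralloc_extra functions") has no matching `allowxperm`, so every ioctl on the ged node is permitted, whereas `mtk_hal_c2.te` and `mtk_hal_camera.te` in the same change pair the identical allow with an `allowxperm ... proc_ged:file ioctl { proc_ged_ioctls };`. Adding `allowxperm mtk_hal_audio proc_ged:file ioctl { proc_ged_ioctls };` makes the three HALs consistent and narrows the ioctl surface. Several dated blocks in this file are labelled `# Data :` instead of `# Date :` (WK14.39, WK14.44, WK14.45, WK14.47), which is worth fixing while the file is new. `allow mtk_hal_audio untrusted_app:dir search;` with the purpose "cts search strange app" would also benefit from a sentence naming the path being searched, since a HAL reaching into untrusted app state is the kind of rule a later reviewer will question.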
diff --git a/basic/non_plat/mtk_hal_bluetooth.te b/basic/non_plat/mtk_hal_bluetooth.te
new file mode 100644
index 0000000..0bccd29
--- /dev/null
+++ b/basic/non_plat/mtk_hal_bluetooth.te
@@ -0,0 +1,61 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type mtk_hal_bluetooth, domain;
+type mtk_hal_bluetooth_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mtk_hal_bluetooth)
+
+wakelock_use(mtk_hal_bluetooth)
+
+hal_server_domain(mtk_hal_bluetooth, hal_bluetooth)
+
+# call into the Bluetooth process (callbacks)
+binder_call(mtk_hal_bluetooth, bluetooth)
+
+# bluetooth factory file accesses.
+r_dir_file(mtk_hal_bluetooth, bluetooth_efs_file)
+
+allow mtk_hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
+
+# sysfs access.
+allow mtk_hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
+allow mtk_hal_bluetooth self:capability2 wake_alarm;
+
+# Allow write access to bluetooth-specific properties
+set_prop(mtk_hal_bluetooth, bluetooth_prop)
+
+# /proc access (bluesleep etc.).
+allow mtk_hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
+
+# VTS tests need to be able to toggle rfkill
+allow mtk_hal_bluetooth self:capability net_admin;
+
+# Purpose : Set to access stpbt driver & NVRAM
+allow mtk_hal_bluetooth stpbt_device:chr_file rw_file_perms;
+
+allow mtk_hal_bluetooth nvdata_file:dir search;
+allow mtk_hal_bluetooth nvdata_file:file rw_file_perms;
+allow mtk_hal_bluetooth nvdata_file:lnk_file r_file_perms;
+allow mtk_hal_bluetooth nvram_data_file:lnk_file r_file_perms;
+
+# Purpose: Allow to search /mnt/vendor/* for fstab when using NVM_Init()
+allow mtk_hal_bluetooth mnt_vendor_file:dir search;
+
+# Purpose: Allow BT Driver to insmod
+set_prop(mtk_hal_bluetooth, vendor_mtk_wmt_prop)
+
+# Date : 2019/10/30
+# Operation : get bt fw branch info, set to property for eng mode
+# Purpose: get bt fw branch info, set to property for eng mode
+allow mtk_hal_bluetooth proc_btdbg:file rw_file_perms;
+
+# Date : 2019/12/03
+# Operation : ability to enable bt driver thread as RT priority
+# Purpose: ability to enable bt driver thread as RT priority
+allow mtk_hal_bluetooth kernel:process setsched;
+
+# Date : 2021/04/27
+# Allow ReadDefaultFstab().
+read_fstab(mtk_hal_bluetooth)
+
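Review bot: The file ends with an empty added line after `read_fstab(mtk_hal_bluetooth)`, and the two dated blocks near the end repeat the same text for `Operation` and `Purpose`; keep one of each, e.g. `# Purpose: get bt fw branch info, set to property for eng mode`. `allow mtk_hal_bluetooth kernel:process setsched;` applies to every thread in the `kernel` domain, not only the BT driver thread the comment names, so a note on which thread is re-prioritised (and that the rule cannot be narrower at the policy level) would help; the exact thread is not visible here.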
diff --git a/basic/non_plat/mtk_hal_c2.te b/basic/non_plat/mtk_hal_c2.te
new file mode 100644
index 0000000..b15e2c9
--- /dev/null
+++ b/basic/non_plat/mtk_hal_c2.te
@@ -0,0 +1,64 @@
+type mtk_hal_c2, domain;
+type mtk_hal_c2_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mtk_hal_c2)
+
+# can route /dev/binder traffic to /dev/vndbinder
+vndbinder_use(mtk_hal_c2)
+
+hal_server_domain(mtk_hal_c2, hal_codec2)
+
+# mediacodec may use an input surface from a different Codec2 or OMX service
+hal_client_domain(mtk_hal_c2, hal_codec2)
+
+hal_client_domain(mtk_hal_c2, hal_allocator)
+hal_client_domain(mtk_hal_c2, hal_graphics_allocator)
+
+allow mtk_hal_c2 gpu_device:chr_file rw_file_perms;
+allow mtk_hal_c2 ion_device:chr_file rw_file_perms;
+allow mtk_hal_c2 video_device:chr_file rw_file_perms;
+allow mtk_hal_c2 video_device:dir search;
+
+crash_dump_fallback(mtk_hal_c2)
+
+# mediacodec should never execute any executable without a domain transition
+neverallow mtk_hal_c2 { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mtk_hal_c2 domain:{ tcp_socket udp_socket rawip_socket } *;
+
+#============= mtk_hal_c2 ==============
+allow mtk_hal_c2 debugfs_ion:dir search;
+allow mtk_hal_c2 proc_ged:file rw_file_perms;
+allowxperm mtk_hal_c2 proc_ged:file ioctl { proc_ged_ioctls };
+allow mtk_hal_c2 gpu_device:dir search;
+allow mtk_hal_c2 mtk_cmdq_device:chr_file r_file_perms;
+hal_client_domain(mtk_hal_c2, hal_mtk_pq)
+allow mtk_hal_c2 vcodec_file:dir w_dir_perms;
+allow mtk_hal_c2 vcodec_file:file create_file_perms;
+allow mtk_hal_c2 mtk_mdp_device:chr_file r_file_perms;
+allow mtk_hal_c2 mtk_mdp_sync_device:chr_file r_file_perms;
+allow mtk_hal_c2 mtk_fmt_sync_device:chr_file r_file_perms_no_map;
+allow mtk_hal_c2 mtk_fmt_device:chr_file rw_file_perms_no_map;
+allow mtk_hal_c2 proc_meminfo:file r_file_perms;
+dontaudit mtk_hal_c2 vcodec_file:file ioctl;
+
+#============= mtk_hal_c2 for legacy vcodec ==============
+allow mtk_hal_c2 tmpfs:dir search;
+allow mtk_hal_c2 Vcodec_device:chr_file rw_file_perms;
+allow mtk_hal_c2 MTK_SMI_device:chr_file r_file_perms;
+allow mtk_hal_c2 sysfs_concurrency_scenario:file rw_file_perms;
+allow mtk_hal_c2 sysfs_concurrency_scenario:dir search;
+
+#============= mtk_hal_c2 for dmabuf heap ==============
+allow mtk_hal_c2 dmabuf_system_heap_device:chr_file r_file_perms;
+allow mtk_hal_c2 dmabuf_system_secure_heap_device:chr_file r_file_perms;
+
+#============= mtk_hal_c2 for log properties ==============
+get_prop(mtk_hal_c2, vendor_mtk_c2_log_prop)
+
+#============= mtk_hal_c2 for power hal ==============
+hal_client_domain(mtk_hal_c2, hal_power)
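Review bot: This is the only new domain in the change without the `# Policy File of ... Executable File` header that the other .te files carry; a first line of the form `# Policy File of <PATH_TO_C2_SERVICE_BINARY> Executable File` keeps the set uniform (the binary path is not visible in the hunk, so fill in the real one). The file already restricts `proc_ged` with `allowxperm ... { proc_ged_ioctls }`, but `gpu_device`, `ion_device`, `video_device` and `Vcodec_device` get `rw_file_perms` with no ioctl whitelist; if ioctl lists exist for those nodes in this policy tree, applying them here would be consistent with the hardening rationale quoted in the neverallow block. `dontaudit mtk_hal_c2 vcodec_file:file ioctl;` deserves a comment explaining which denial it silences, since dontaudit rules tend to outlive their reason.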
diff --git a/basic/non_plat/mtk_hal_camera.te b/basic/non_plat/mtk_hal_camera.te
new file mode 100644
index 0000000..aef1201
--- /dev/null
+++ b/basic/non_plat/mtk_hal_camera.te
@@ -0,0 +1,380 @@
+# ==============================================================================
+# Policy File of /vendor/bin/hw/camerahalserver Executable File
+
+# ==============================================================================
+# Common SEPolicy Rule
+# ==============================================================================
+
+type mtk_hal_camera, domain;
+type mtk_hal_camera_exec, exec_type, file_type, vendor_file_type;
+
+# Set up a transition from init to the camerahalserver upon executing its binary.
+init_daemon_domain(mtk_hal_camera)
+
+# Allow a base set of permissions required for a domain to offer a
+# HAL implementation of the specified type over HwBinder.
+hal_server_domain(mtk_hal_camera, hal_camera)
+hal_server_domain(mtk_hal_camera, hal_mtk_bgs)
+
+# Allow camerahalserver to use vendor binder IPC.
+vndbinder_use(mtk_hal_camera)
+
+# callback to cameraserver
+binder_call(mtk_hal_camera, cameraserver)
+
+# callback to shell for debugging
+binder_call(mtk_hal_camera, shell)
+
+# call the graphics allocator hal
+binder_call(mtk_hal_camera, hal_graphics_allocator)
+
+# call to surfaceflinger
+binder_call(mtk_hal_camera, surfaceflinger)
+
+# call PowerHal
+hal_client_domain(mtk_hal_camera, hal_power)
+
+# -----------------------------------
+# Purpose: Allow camerahalserver to find a service from hwservice_manager
+# -----------------------------------
+allow mtk_hal_camera hal_graphics_mapper_hwservice:hwservice_manager find;
+allow mtk_hal_camera fwk_sensor_hwservice:hwservice_manager find;
+allow mtk_hal_camera nvram_data_file:lnk_file create_file_perms;
+allow mtk_hal_camera nvdata_file:lnk_file create_file_perms;
+allow mtk_hal_camera fwk_display_hwservice:hwservice_manager find;
+hal_client_domain(mtk_hal_camera, hal_graphics_allocator)
+
+# -----------------------------------
+# Purpose: Camera-related devices (driver)
+# -----------------------------------
+allow mtk_hal_camera proc_mtk_jpeg:file r_file_perms;
+allowxperm mtk_hal_camera proc_mtk_jpeg:file ioctl {
+ JPG_BRIDGE_ENC_IO_INIT
+ JPG_BRIDGE_ENC_IO_CONFIG
+ JPG_BRIDGE_ENC_IO_WAIT
+ JPG_BRIDGE_ENC_IO_DEINIT
+ JPG_BRIDGE_ENC_IO_START
+ };
+
+allow mtk_hal_camera camera_sysram_device:chr_file r_file_perms;
+allow mtk_hal_camera camera_pipemgr_device:chr_file r_file_perms;
+allow mtk_hal_camera camera_mem_device:chr_file rw_file_perms;
+allow mtk_hal_camera camera_isp_device:chr_file rw_file_perms;
+allow mtk_hal_camera camera_dip_device:chr_file rw_file_perms;
+allow mtk_hal_camera camera_tsf_device:chr_file rw_file_perms;
+allow mtk_hal_camera kd_camera_hw_device:chr_file rw_file_perms;
+allow mtk_hal_camera kd_camera_flashlight_device:chr_file rw_file_perms;
+allow mtk_hal_camera flashlight_device:chr_file rw_file_perms;
+allow mtk_hal_camera lens_device:chr_file rw_file_perms;
+allow mtk_hal_camera seninf_device:chr_file rw_file_perms;
+
+# FDVT Driver
+allow mtk_hal_camera camera_fdvt_device:chr_file rw_file_perms;
+
+# DPE Driver
+allow mtk_hal_camera camera_dpe_device:chr_file rw_file_perms;
+
+# MFB Driver
+allow mtk_hal_camera camera_mfb_device:chr_file rw_file_perms;
+
+# WPE Driver
+allow mtk_hal_camera camera_wpe_device:chr_file rw_file_perms;
+
+# PDA Driver
+allow mtk_hal_camera camera_pda_device:chr_file rw_file_perms;
+
+# mtk_jpeg
+allow mtk_hal_camera mtk_jpeg_device:chr_file r_file_perms;
+
+allow mtk_hal_camera ccu_device:chr_file rw_file_perms;
+
+# APUSYS
+allow mtk_hal_camera vpu_device:chr_file rw_file_perms;
+allow mtk_hal_camera mdla_device:chr_file rw_file_perms;
+allow mtk_hal_camera apusys_device:chr_file rw_file_perms;
+allow mtk_hal_camera sysfs_apusys_queue:dir r_dir_perms;
+allow mtk_hal_camera sysfs_apusys_queue:file r_file_perms;
+
+# Date: 2021/12/10
+# Operation : allow camera hal server to read dla network file
+allow mtk_hal_camera vendor_etc_nn_file:dir r_dir_perms;
+allow mtk_hal_camera vendor_etc_nn_file:file r_file_perms;
+allowxperm mtk_hal_camera vendor_etc_nn_file:file ioctl VT_SENDSIG;
+
+# Purpose: RSC driver
+allow mtk_hal_camera camera_rsc_device:chr_file rw_file_perms;
+
+# Purpose: OWE driver
+allow mtk_hal_camera camera_owe_device:chr_file rw_file_perms;
+
+# Purpose: AF related
+allow mtk_hal_camera MAINAF_device:chr_file rw_file_perms;
+allow mtk_hal_camera MAIN2AF_device:chr_file rw_file_perms;
+allow mtk_hal_camera MAIN3AF_device:chr_file rw_file_perms;
+allow mtk_hal_camera MAIN4AF_device:chr_file rw_file_perms;
+allow mtk_hal_camera SUBAF_device:chr_file rw_file_perms;
+allow mtk_hal_camera SUB2AF_device:chr_file rw_file_perms;
+allow mtk_hal_camera FM50AF_device:chr_file rw_file_perms;
+allow mtk_hal_camera AD5820AF_device:chr_file rw_file_perms;
+allow mtk_hal_camera DW9714AF_device:chr_file rw_file_perms;
+allow mtk_hal_camera DW9814AF_device:chr_file rw_file_perms;
+allow mtk_hal_camera AK7345AF_device:chr_file rw_file_perms;
+allow mtk_hal_camera DW9714A_device:chr_file rw_file_perms;
+allow mtk_hal_camera LC898122AF_device:chr_file rw_file_perms;
+allow mtk_hal_camera LC898212AF_device:chr_file rw_file_perms;
+allow mtk_hal_camera BU6429AF_device:chr_file rw_file_perms;
+allow mtk_hal_camera DW9718AF_device:chr_file rw_file_perms;
+allow mtk_hal_camera BU64745GWZAF_device:chr_file rw_file_perms;
+
+# Purpose: Camera EEPROM Calibration
+allow mtk_hal_camera CAM_CAL_DRV_device:chr_file rw_file_perms;
+allow mtk_hal_camera CAM_CAL_DRV1_device:chr_file rw_file_perms;
+allow mtk_hal_camera CAM_CAL_DRV2_device:chr_file rw_file_perms;
+allow mtk_hal_camera camera_eeprom_device:chr_file rw_file_perms;
+allow mtk_hal_camera seninf_n3d_device:chr_file rw_file_perms;
+
+# -----------------------------------
+# Purpose: Other device drivers used by camera
+# -----------------------------------
+allow mtk_hal_camera ion_device:chr_file rw_file_perms;
+allow mtk_hal_camera sw_sync_device:chr_file rw_file_perms;
+allow mtk_hal_camera MTK_SMI_device:chr_file r_file_perms;
+
+# -----------------------------------
+# Purpose: Filesystem in Userspace (FUSE)
+# - sdcard access (buffer dump for EM mode)
+# -----------------------------------
+allow mtk_hal_camera fuse:dir rw_dir_perms;
+allow mtk_hal_camera fuse:file rw_file_perms;
+
+# -----------------------------------
+# Purpose: Storage access
+# -----------------------------------
+## Date : WK14.XX-15.XX
+## nvram access
+allow mtk_hal_camera nvram_data_file:dir create_dir_perms;
+allow mtk_hal_camera nvram_data_file:file create_file_perms;
+
+## nvram access (dumchar case for nand and legacy chip)
+allow mtk_hal_camera nvram_device:chr_file rw_file_perms;
+allow mtk_hal_camera self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+## Date : WK14.XX-15.XX
+## sdcard access - dump for debug
+allow mtk_hal_camera sdcard_type:dir create_dir_perms;
+allow mtk_hal_camera sdcard_type:file create_file_perms;
+
+# -----------------------------------
+# Android O
+# Purpose: Shell Debugging
+# -----------------------------------
+# Purpose: Allow shell to invoke "lshal debug <interface>", where <interface> is "ICameraProvider".
+# (used in user build)
+allow mtk_hal_camera shell:unix_stream_socket { read write };
+allow mtk_hal_camera shell:fifo_file w_file_perms;
+
+# -----------------------------------
+# Android O
+# Purpose: Debugging
+# -----------------------------------
+# Purpose: libmemunreachable.so/GetUnreachableMemory()
+allow mtk_hal_camera self:process { ptrace };
+
+##########################
+# Date : WK14.XX-15.XX
+# Operation : Copy from Media server
+allow mtk_hal_camera self:capability { setuid ipc_lock sys_nice };
+allow mtk_hal_camera sysfs_wake_lock:file rw_file_perms;
+allow mtk_hal_camera nvdata_file:file create_file_perms;
+allow mtk_hal_camera proc_meminfo:file r_file_perms;
+
+## Purpose : for low SD card latency issue
+allow mtk_hal_camera sysfs_lowmemorykiller:file r_file_perms;
+
+## Purpose : for change thermal policy when needed
+allow mtk_hal_camera proc_mtkcooler:dir search;
+allow mtk_hal_camera proc_mtktz:dir search;
+allow mtk_hal_camera proc_thermal:dir search;
+allow mtk_hal_camera thermal_manager_data_file:file create_file_perms;
+allow mtk_hal_camera thermal_manager_data_file:dir { rw_dir_perms setattr };
+
+## Purpose : cts search strange app
+allow mtk_hal_camera untrusted_app:dir search;
+
+## Purpose : offloadservice
+allow mtk_hal_camera offloadservice_device:chr_file rw_file_perms;
+
+## Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
+allow mtk_hal_camera storage_file:lnk_file rw_file_perms;
+allow mtk_hal_camera mnt_user_file:dir rw_dir_perms;
+allow mtk_hal_camera mnt_user_file:lnk_file rw_file_perms;
+
+## Purpose: Allow mtk_hal_camera to read binder from surfaceflinger
+allow mtk_hal_camera surfaceflinger:fifo_file rw_file_perms;
+
+## Purpose : camera read/write /nvcfg/camera data
+allow mtk_hal_camera nvcfg_file:dir create_dir_perms;
+allow mtk_hal_camera nvcfg_file:file create_file_perms;
+
+# Purpose : for camera init
+allow mtk_hal_camera system_server:unix_stream_socket { read write };
+
+##########################
+# Date : WK16
+# Operation : N Migration
+## Purpose: research root dir "/"
+allow mtk_hal_camera tmpfs:dir search;
+
+## Purpose : EGL file access
+allow mtk_hal_camera system_file:dir r_dir_perms;
+allow mtk_hal_camera gpu_device:dir search;
+allow mtk_hal_camera gpu_device:chr_file rw_file_perms;
+
+## Purpose: Allow to access ged for gralloc_extra functions
+allow mtk_hal_camera proc_ged:file rw_file_perms;
+allowxperm mtk_hal_camera proc_ged:file ioctl { proc_ged_ioctls };
+
+allow mtk_hal_camera debugfs_tracing:file w_file_perms;
+
+## Purpose : camera3 IT/CTS
+allow mtk_hal_camera debugfs_ion:dir search;
+allow mtk_hal_camera hal_graphics_composer_default:fd use;
+
+# Date : WK17.30
+# Operation : O Migration
+# Purpose: Allow to access cmdq driver
+allow mtk_hal_camera mtk_cmdq_device:chr_file r_file_perms;
+allow mtk_hal_camera mtk_mdp_device:chr_file r_file_perms;
+allow mtk_hal_camera mtk_mdp_sync_device:chr_file r_file_perms;
+
+# Date : WK17.36
+# Operation : O Migration
+# Purpose: Allow to access battery status
+allow mtk_hal_camera sysfs_batteryinfo:dir search;
+allow mtk_hal_camera sysfs_batteryinfo:file r_file_perms;
+
+# Date : WK17.39
+# Operation : O Migration
+# Purpose: Change thermal config
+set_prop(mtk_hal_camera, vendor_mtk_thermal_config_prop)
+
+# Date : WK18.31
+# Stage: P Migration
+# Purpose: CCT
+allow mtk_hal_camera graphics_device:chr_file rw_file_perms;
+allow mtk_hal_camera graphics_device:dir search;
+allow mtk_hal_camera cct_data_file:dir create_dir_perms;
+allow mtk_hal_camera cct_data_file:file create_file_perms;
+allow mtk_hal_camera cct_data_file:fifo_file create_file_perms;
+allow mtk_hal_camera sysfs_boot_mode:file r_file_perms;
+allow mtk_hal_camera mnt_vendor_file:dir create_dir_perms;
+allow mtk_hal_camera mnt_vendor_file:fifo_file create_file_perms;
+
+# Date : WK18.02
+# Stage: O Migration
+# Purpose: ISP tuning remapping
+set_prop(mtk_hal_camera, vendor_mtk_mediatek_prop)
+
+# Date : WK18.22
+# Stage: p Migration
+# Purpose: NVRAM
+allow mtk_hal_camera nvdata_file:dir create_dir_perms;
+allow mtk_hal_camera nvcfg_file:lnk_file r_file_perms;
+allow mtk_hal_camera mnt_vendor_file:file create_file_perms;
+
+# AAO
+allow mtk_hal_camera data_vendor_aao_file:dir create_dir_perms;
+allow mtk_hal_camera data_vendor_aao_file:file create_file_perms;
+allow mtk_hal_camera data_vendor_aaoHwBuf_file:dir create_dir_perms;
+allow mtk_hal_camera data_vendor_aaoHwBuf_file:file create_file_perms;
+allow mtk_hal_camera data_vendor_AAObitTrue_file:dir create_dir_perms;
+allow mtk_hal_camera data_vendor_AAObitTrue_file:file create_file_perms;
+
+# Flash
+allow mtk_hal_camera data_vendor_flash_file:dir create_dir_perms;
+allow mtk_hal_camera data_vendor_flash_file:file create_file_perms;
+
+# Flicker
+allow mtk_hal_camera data_vendor_flicker_file:dir create_dir_perms;
+allow mtk_hal_camera data_vendor_flicker_file:file create_file_perms;
+
+# AFO
+allow mtk_hal_camera data_vendor_afo_file:dir create_dir_perms;
+allow mtk_hal_camera data_vendor_afo_file:file create_file_perms;
+
+# PDO
+allow mtk_hal_camera data_vendor_pdo_file:dir create_dir_perms;
+allow mtk_hal_camera data_vendor_pdo_file:file create_file_perms;
+
+# Date : WK18.35
+# Purpose: allow mtk_hal_camera to access gz_device node
+allow mtk_hal_camera gz_device:chr_file rw_file_perms;
+
+#data/dipdebug
+allow mtk_hal_camera aee_dipdebug_vendor_file:dir rw_dir_perms;
+allow mtk_hal_camera aee_dipdebug_vendor_file:file create_file_perms;
+
+allow mtk_hal_camera proc_isp_p2:dir search;
+allow mtk_hal_camera proc_isp_p2:file create_file_perms;
+
+# Date: 2019/06/14
+# Operation : Migration
+allow mtk_hal_camera sysfs_dt_firmware_android:dir search;
+
+# Date: 2019/07/09
+# Operation : For M4U security
+allow mtk_hal_camera proc_m4u:file r_file_perms;
+allowxperm mtk_hal_camera proc_m4u:file ioctl{
+MTK_M4U_T_ALLOC_MVA
+MTK_M4U_T_DEALLOC_MVA
+MTK_M4U_T_CONFIG_PORT
+MTK_M4U_T_DMA_OP
+MTK_M4U_T_SEC_INIT
+MTK_M4U_GZ_SEC_INIT
+};
+
+# Date: 2019/07/04
+binder_call(mtk_hal_camera, platform_app)
+
+# Date : 2020/09/03
+# Purpose: mtk MMQoS set camera max BW
+allow mtk_hal_camera sysfs_camera_max_bw:file { w_file_perms ioctl };
+allow mtk_hal_camera sysfs_camera_max_bw_v2:file { w_file_perms ioctl };
+allowxperm mtk_hal_camera sysfs_camera_max_bw:file ioctl VT_SENDSIG;
+allowxperm mtk_hal_camera sysfs_camera_max_bw_v2:file ioctl VT_SENDSIG;
+
+# Date : 2020/09/24
+# Purpose: mtk camsys raw dump file
+allow mtk_hal_camera data_vendor_raw_file:dir create_dir_perms;
+allow mtk_hal_camera data_vendor_raw_file:file create_file_perms;
+
+# Date : 2020/12/05
+# Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/*
+allow mtk_hal_camera sysfs_concurrency_scenario:file rw_file_perms;
+
+# Date : 2020/07/10
+# Purpose : allow media sources to access /sys/bus/platform/drivers/emi_ctrl/*
+allow mtk_hal_camera sysfs_emi_ctrl_concurrency_scenario:file rw_file_perms;
+
+# Date : 2020/12/21
+# Operation : To access imgsys daemon driver
+allow mtk_hal_camera mtk_hcp_device:chr_file rw_file_perms;
+
+# Allow ReadDefaultFstab().
+read_fstab(mtk_hal_camera)
+
+# Data : 2020/12/30
+# Purpose : DBReleasePlan
+allow mtk_hal_camera vendor_bin_crossbuild_file:file r_file_perms;
+
+# Date: 2021/08/27
+# Operation : For DMABUF security
+allow mtk_hal_camera dmabuf_system_secure_heap_device:chr_file r_file_perms_no_map;
+
+# Date : 2021/08/31
+# Purpose : allow camera hal to access /dev/hfmanager/*
+allow mtk_hal_camera hf_manager_device:chr_file rw_file_perms_no_map;
+
+# Data : 2021/10/27
+# Purpose : DBReleasePlan
+allowxperm mtk_hal_camera vendor_bin_crossbuild_file:file ioctl VT_SENDSIG;
diff --git a/basic/non_plat/mtk_hal_codecservice_default.te b/basic/non_plat/mtk_hal_codecservice_default.te
new file mode 100644
index 0000000..7e1ea6f
--- /dev/null
+++ b/basic/non_plat/mtk_hal_codecservice_default.te
@@ -0,0 +1 @@
+type mtk_hal_codecservice_default, domain;
diff --git a/basic/non_plat/mtk_hal_dfps.te b/basic/non_plat/mtk_hal_dfps.te
new file mode 100644
index 0000000..9772577
--- /dev/null
+++ b/basic/non_plat/mtk_hal_dfps.te
@@ -0,0 +1 @@
+type mtk_hal_dfps, domain;
diff --git a/basic/non_plat/mtk_hal_dplanner.te b/basic/non_plat/mtk_hal_dplanner.te
new file mode 100644
index 0000000..57de0c6
--- /dev/null
+++ b/basic/non_plat/mtk_hal_dplanner.te
@@ -0,0 +1 @@
+type mtk_hal_dplanner, domain;
diff --git a/basic/non_plat/mtk_hal_gnss.te b/basic/non_plat/mtk_hal_gnss.te
new file mode 100644
index 0000000..3e4d450
--- /dev/null
+++ b/basic/non_plat/mtk_hal_gnss.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mtk_hal_gnss, domain;
+type mtk_hal_gnss_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mtk_hal_gnss)
+
+hal_server_domain(mtk_hal_gnss, hal_gnss)
+
+#TODO:: work around solution, wait for correct solution from google
+vndbinder_use(mtk_hal_gnss)
+
+# Communicate over a socket created by mnld process.
+allow mtk_hal_gnss mnld_data_file:sock_file create_file_perms;
+allow mtk_hal_gnss mnld_data_file:dir create_dir_perms;
+
+allow mtk_hal_gnss mnld:unix_dgram_socket sendto;
+#get waks_alarm timer create prop
+allow mtk_hal_gnss mtk_hal_gnss:capability2 wake_alarm;
+
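Review bot: The rule at L11487 names the domain as its own target (`mtk_hal_gnss mtk_hal_gnss:capability2`) while the rest of this change uses `self` for that (L11522, L11795, L11966); `allow mtk_hal_gnss self:capability2 wake_alarm;` keeps it consistent. The comment above it reads "waks_alarm" and should say "wake_alarm". The `vndbinder_use` at L11479 is tagged as a TODO workaround with no note of what condition lets it be removed; a comment naming that condition would make the tech debt trackable. The hunk also ends with an empty `+` line at L11488.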
diff --git a/basic/non_plat/mtk_hal_hdmi.te b/basic/non_plat/mtk_hal_hdmi.te
new file mode 100644
index 0000000..1ac1184
--- /dev/null
+++ b/basic/non_plat/mtk_hal_hdmi.te
@@ -0,0 +1,34 @@
+# ==============================================
+# Policy File of /vendor/bin/hw/vendor.mediatek.hardware.hdmi@1.0-service Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type mtk_hal_hdmi, domain;
+type mtk_hal_hdmi_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Setup for domain transition
+init_daemon_domain(mtk_hal_hdmi)
+
+# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
+hal_server_domain(mtk_hal_hdmi, hal_mtk_hdmi)
+
+# Purpose : Allow to use kernel driver
+allow mtk_hal_hdmi graphics_device:chr_file rw_file_perms;
+
+# Purpose : Allow permission to get AmbientLux from hwservice_manager
+allow mtk_hal_hdmi fwk_sensor_hwservice:hwservice_manager find;
+
+#for hdmi uevent
+allow mtk_hal_hdmi self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Purpose : Allow hdmi to call vendor.mediatek.hardware.keymanage@1.0-service.
+hal_client_domain(mtk_hal_hdmi, hal_keymaster)
+
+# Purpose : Allow permission to set hdmi property
+set_prop(mtk_hal_hdmi, vendor_mtk_hdmi_prop)
diff --git a/basic/non_plat/mtk_hal_imsa.te b/basic/non_plat/mtk_hal_imsa.te
new file mode 100644
index 0000000..d5bc3e9
--- /dev/null
+++ b/basic/non_plat/mtk_hal_imsa.te
@@ -0,0 +1,28 @@
+# ==============================================================================
+# Type Declaration
+# ==============================================================================
+type mtk_hal_imsa, domain, mtkimsapdomain;
+type mtk_hal_imsa_exec, exec_type, vendor_file_type, file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(mtk_hal_imsa)
+
+# hwbinder access
+hal_server_domain(mtk_hal_imsa, hal_mtk_imsa)
+
+# call into system_server process (callbacks)
+binder_call(mtk_hal_imsa, system_server)
+
+# Date : 2017/05/18
+# Operation : VoLTE sanity
+# Purpose : Add permission for IMSA connect to IMSM
+allow mtk_hal_imsa rild_imsm_socket:sock_file w_file_perms;
+
+# Date : 2017/06/13
+# Operation : IMSA sanity
+# Purpose : Add permission for IMSA to access radio
+allow mtk_hal_imsa radio:binder call;
+allow mtk_hal_imsa debugfs_tracing:file w_file_perms;
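Review bot: L11561 is a bare `allow mtk_hal_imsa radio:binder call;` while the same file uses the `binder_call()` macro for system_server at L11551; the macro also grants `transfer`, so if the narrower bare rule is deliberate a comment should say so, e.g. `# call only (no transfer) is sufficient here`. L11562 grants write to debugfs_tracing with no Date/Purpose header, unlike every other rule in the file; the same uncommented line appears in mtk_hal_keymanage at L11601. A one-line purpose comment on each would keep those files consistent with their own convention.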
diff --git a/basic/non_plat/mtk_hal_keyinstall.te b/basic/non_plat/mtk_hal_keyinstall.te
new file mode 100644
index 0000000..872dc3d
--- /dev/null
+++ b/basic/non_plat/mtk_hal_keyinstall.te
@@ -0,0 +1,3 @@
+# Set a new domain
+type mtk_hal_keyinstall, domain;
+
diff --git a/basic/non_plat/mtk_hal_keymanage.te b/basic/non_plat/mtk_hal_keymanage.te
new file mode 100644
index 0000000..016b8ec
--- /dev/null
+++ b/basic/non_plat/mtk_hal_keymanage.te
@@ -0,0 +1,24 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Set a new domain
+type mtk_hal_keymanage, domain;
+
+# Set exec file type
+type mtk_hal_keymanage_exec, exec_type, file_type, vendor_file_type;
+
+# Setup for domain transition
+init_daemon_domain(mtk_hal_keymanage)
+
+# Set mtk_hal_keymanage as server domain of hal_keymaster
+hal_server_domain(mtk_hal_keymanage, hal_keymaster)
+
+# Give permission for hal_key_manage to access kisd service
+allow mtk_hal_keymanage kisd:unix_stream_socket connectto;
+
+# Allow mtk_hal_keyinstall to access /data/key_provisioning
+allow mtk_hal_keymanage key_install_data_file:dir w_dir_perms;
+allow mtk_hal_keymanage key_install_data_file:file create_file_perms;
+
+allow mtk_hal_keymanage debugfs_tracing:file w_file_perms;
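Review bot: The comment at L11597 names `mtk_hal_keyinstall`, but the rules at L11598-L11599 are for `mtk_hal_keymanage`; it should read `# Allow mtk_hal_keymanage to access /data/key_provisioning`. The comment at L11594 also spells the domain as `hal_key_manage`, which matches no type declared in this change. Both look like copy-paste leftovers from the keyinstall policy and are worth correcting so the next reader does not go looking for a second domain.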
diff --git a/basic/non_plat/mtk_hal_light.te b/basic/non_plat/mtk_hal_light.te
new file mode 100644
index 0000000..0687c80
--- /dev/null
+++ b/basic/non_plat/mtk_hal_light.te
@@ -0,0 +1,14 @@
+# ==============================================================================
+# Type Declaration
+# ==============================================================================
+type mtk_hal_light, domain;
+type mtk_hal_light_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(mtk_hal_light)
+
+hal_server_domain(mtk_hal_light, hal_light)
+
diff --git a/basic/non_plat/mtk_hal_memtrack.te b/basic/non_plat/mtk_hal_memtrack.te
new file mode 100644
index 0000000..7bc8fef
--- /dev/null
+++ b/basic/non_plat/mtk_hal_memtrack.te
@@ -0,0 +1,19 @@
+# ==============================================================================
+# Type Declaration
+# ==============================================================================
+type mtk_hal_memtrack, domain;
+type mtk_hal_memtrack_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(mtk_hal_memtrack)
+
+hal_server_domain(mtk_hal_memtrack, hal_memtrack)
+
+# Date : 2021/08/24
+# Operation: S migration
+# Purpose: Add permission for access /proc/dmaheap/*
+allow mtk_hal_memtrack proc_dmaheap:dir r_dir_perms;
+allow mtk_hal_memtrack proc_dmaheap:file rw_file_perms;
\ No newline at end of file
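Review bot: L11646 grants `rw_file_perms` on `proc_dmaheap:file` to a memtrack HAL, whose role is reporting memory usage; the comment at L11644 only says "access", so it is not clear that writes are needed. If the HAL only reads these entries, `allow mtk_hal_memtrack proc_dmaheap:file r_file_perms;` is sufficient and should be confirmed against the avc log before the broader grant is kept. The file is also missing a trailing newline (L11647).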
diff --git a/basic/non_plat/mtk_hal_mmagent.te b/basic/non_plat/mtk_hal_mmagent.te
new file mode 100644
index 0000000..1fcc8a0
--- /dev/null
+++ b/basic/non_plat/mtk_hal_mmagent.te
@@ -0,0 +1,28 @@
+# ==============================================
+# Policy File of /vendor/bin/hw/vendor.mediatek.hardware.mmagent@1.0-service Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type mtk_hal_mmagent, domain;
+type mtk_hal_mmagent_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Setup for domain transition
+init_daemon_domain(mtk_hal_mmagent)
+
+# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
+hal_server_domain(mtk_hal_mmagent, hal_mtk_mmagent)
+
+# Purpose : Allow to use kernel driver
+allow mtk_hal_mmagent ion_device:chr_file rw_file_perms;
+
+# Purpose : Allow to set property for AI function
+allow mtk_hal_mmagent apusys_device:chr_file rw_file_perms;
+
+# Purpose : Allow use gralloc buffer
+allow mtk_hal_mmagent hal_graphics_allocator_default:fd use;
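Review bot: The comment at L11677, "Allow to set property for AI function", does not describe the rule under it at L11678, which grants read/write on the `apusys_device` character device and touches no property. The identical mismatch appears in mtk_hal_mms at L11746-L11747. A comment such as `# Purpose : Allow access to the APU (apusys) device node for AI function` would match what the rule actually allows.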
diff --git a/basic/non_plat/mtk_hal_mms.te b/basic/non_plat/mtk_hal_mms.te
new file mode 100644
index 0000000..9329eb7
--- /dev/null
+++ b/basic/non_plat/mtk_hal_mms.te
@@ -0,0 +1,60 @@
+# ==============================================
+# Policy File of /vendor/bin/hw/vendor.mediatek.hardware.mms@1.0-service Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type mtk_hal_mms, domain, mtk_safe_halserverdomain_type;
+type mtk_hal_mms_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Setup for domain transition
+init_daemon_domain(mtk_hal_mms)
+
+# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
+hal_server_domain(mtk_hal_mms, hal_mtk_mms)
+
+# Purpose : Allow to use kernel driver
+allow mtk_hal_mms graphics_device:chr_file rw_file_perms;
+allow mtk_hal_mms ion_device:chr_file r_file_perms;
+allow mtk_hal_mms mtk_cmdq_device:chr_file r_file_perms;
+allow mtk_hal_mms mtk_mdp_device:chr_file r_file_perms;
+allow mtk_hal_mms mtk_mdp_sync_device:chr_file r_file_perms;
+allow mtk_hal_mms sw_sync_device:chr_file r_file_perms;
+allow mtk_hal_mms proc_ged:file r_file_perms;
+allowxperm mtk_hal_mms proc_ged:file ioctl { proc_ged_ioctls };
+
+# Purpose : Allow to use allocator for JPEG
+hal_client_domain(mtk_hal_mms, hal_allocator)
+hal_client_domain(mtk_hal_mms, hal_graphics_allocator)
+hal_client_domain(mtk_hal_mms, hal_mtk_pq)
+
+# Purpose : Allow to use graphics allocator fd for gralloc_extra
+allow mtk_hal_mms hal_graphics_allocator_default:fd use;
+allow mtk_hal_mms debugfs_ion:dir search;
+allow mtk_hal_mms merged_hal_service:fd use;
+
+# Purpose : VDEC/VENC device node
+allow mtk_hal_mms Vcodec_device:chr_file rw_file_perms;
+
+allow mtk_hal_mms proc_mtk_jpeg:file r_file_perms;
+allowxperm mtk_hal_mms proc_mtk_jpeg:file ioctl {
+ JPG_BRIDGE_ENC_IO_INIT
+ JPG_BRIDGE_ENC_IO_CONFIG
+ JPG_BRIDGE_ENC_IO_WAIT
+ JPG_BRIDGE_ENC_IO_DEINIT
+ JPG_BRIDGE_ENC_IO_START
+ };
+
+# Purpose : Allow to use mms by JPEG with handle
+allow mtk_hal_mms platform_app:fd use;
+
+# Purpose : Allow Miravision to set Sharpness
+allow mtk_hal_mms system_app:fd use;
+
+# Purpose : Allow to set property for AIPQ
+allow mtk_hal_mms apusys_device:chr_file rw_file_perms;
diff --git a/basic/non_plat/mtk_hal_neuralnetworks.te b/basic/non_plat/mtk_hal_neuralnetworks.te
new file mode 100644
index 0000000..26f75a4
--- /dev/null
+++ b/basic/non_plat/mtk_hal_neuralnetworks.te
@@ -0,0 +1,5 @@
+type mtk_hal_neuralnetworks, domain;
+
+# Date : 2021/09/10
+# Purpose: Allow Neuron Hidl read data
+allow mtk_hal_neuralnetworks media_rw_data_file:file {read map};
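Review bot: L11758 grants `{read map}` without `open` on `media_rw_data_file`, which presumably is deliberate so the HAL can only use descriptors handed to it by its client rather than open files under /data itself; that restriction is the security-relevant part of the rule and deserves a comment. Something like `# open is intentionally omitted: only fds passed by the client are read/mapped` would stop a later maintainer from "fixing" it by adding `open`.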
diff --git a/basic/non_plat/mtk_hal_nvramagent.te b/basic/non_plat/mtk_hal_nvramagent.te
new file mode 100644
index 0000000..da493ab
--- /dev/null
+++ b/basic/non_plat/mtk_hal_nvramagent.te
@@ -0,0 +1,52 @@
+# ==============================================
+# Policy File of /vendor/bin/mtk_hal_nvramagent Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type mtk_hal_nvramagent_exec, exec_type, file_type, vendor_file_type;
+type mtk_hal_nvramagent, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(mtk_hal_nvramagent)
+
+# Date : WK14.43
+# Operation : 2rd Selinux Migration
+# Purpose : the role of mtk_hal_nvramagent is same with nvram_daemon except property_set & exect permission
+allow mtk_hal_nvramagent nvram_device:blk_file rw_file_perms;
+allow mtk_hal_nvramagent nvdata_device:blk_file rw_file_perms;
+allow mtk_hal_nvramagent nvram_data_file:dir create_dir_perms;
+allow mtk_hal_nvramagent nvram_data_file:file create_file_perms;
+allow mtk_hal_nvramagent nvram_data_file:lnk_file r_file_perms;
+allow mtk_hal_nvramagent nvdata_file:lnk_file r_file_perms;
+allow mtk_hal_nvramagent nvdata_file:dir create_dir_perms;
+allow mtk_hal_nvramagent nvdata_file:file create_file_perms;
+
+allow mtk_hal_nvramagent als_ps_device:chr_file r_file_perms;
+allow mtk_hal_nvramagent mtk-adc-cali_device:chr_file rw_file_perms;
+allow mtk_hal_nvramagent gsensor_device:chr_file r_file_perms;
+allow mtk_hal_nvramagent gyroscope_device:chr_file r_file_perms;
+allow mtk_hal_nvramagent self:capability { fowner chown fsetid };
+
+# Purpose: for backup
+allow mtk_hal_nvramagent nvram_device:chr_file rw_file_perms;
+allow mtk_hal_nvramagent pro_info_device:chr_file rw_file_perms;
+allow mtk_hal_nvramagent block_device:dir search;
+
+# for MLC device
+allow mtk_hal_nvramagent mtd_device:dir search;
+allow mtk_hal_nvramagent mtd_device:chr_file rw_file_perms;
+
+# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
+hal_server_domain(mtk_hal_nvramagent, hal_mtk_nvramagent)
+read_fstab(mtk_hal_nvramagent)
+get_prop(mtk_hal_nvramagent, vendor_mtk_rat_config_prop)
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose: Allow to search /mnt/vendor/nvdata when using nvram function
+allow mtk_hal_nvramagent mnt_vendor_file:dir search;
+
+allow mtk_hal_nvramagent sysfs_boot_mode:file r_file_perms;
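Review bot: L11795 grants `self:capability { fowner chown fsetid }` and L11782-L11783 grant raw block-device read/write on `nvram_device` and `nvdata_device` without a Purpose line of their own; the only nearby explanation is the L11781 comment about parity with nvram_daemon. A comment naming which operation needs ownership/setgid changes (for example `# Purpose : chown/fsetid needed when (re)creating nvram data files`, adjusted to the real reason) would let a reviewer judge whether all three capabilities are still required. The L11781 comment also has the typo "exect" for "exec".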
diff --git a/basic/non_plat/mtk_hal_nwk_opt.te b/basic/non_plat/mtk_hal_nwk_opt.te
new file mode 100644
index 0000000..3a8a5f6
--- /dev/null
+++ b/basic/non_plat/mtk_hal_nwk_opt.te
@@ -0,0 +1 @@
+type mtk_hal_nwk_opt, domain;
diff --git a/basic/non_plat/mtk_hal_omadm.te b/basic/non_plat/mtk_hal_omadm.te
new file mode 100644
index 0000000..91d8785
--- /dev/null
+++ b/basic/non_plat/mtk_hal_omadm.te
@@ -0,0 +1 @@
+type mtk_hal_omadm, domain, mtkimsapdomain;
diff --git a/basic/non_plat/mtk_hal_power.te b/basic/non_plat/mtk_hal_power.te
new file mode 100644
index 0000000..91fba99
--- /dev/null
+++ b/basic/non_plat/mtk_hal_power.te
@@ -0,0 +1,317 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mtk_hal_power, domain;
+type mtk_hal_power_exec, exec_type, file_type, vendor_file_type;
+
+# hwbinder access
+init_daemon_domain(mtk_hal_power)
+
+hal_server_domain(mtk_hal_power, hal_power)
+hal_server_domain(mtk_hal_power, hal_wifi)
+
+# sysfs
+allow mtk_hal_power sysfs_devices_system_cpu:file rw_file_perms;
+allow mtk_hal_power sysfs_mtk_core_ctl:dir r_dir_perms;
+allow mtk_hal_power sysfs_mtk_core_ctl:file rw_file_perms;
+
+
+# proc_thermal
+allow mtk_hal_power proc_thermal:file rw_file_perms;
+
+# proc info
+allow mtk_hal_power mtk_hal_audio:dir r_dir_perms;
+
+# Date : 2017/10/02
+# Operation: SQC
+# Purpose : Allow powerHAL to access perfmgr
+allow mtk_hal_power proc_perfmgr:dir r_dir_perms;
+allow mtk_hal_power proc_perfmgr:file rw_file_perms;
+allowxperm mtk_hal_power proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_TOUCH
+ PERFMGR_FPSGO_GET_FPS
+ PERFMGR_FPSGO_GET_FSTB_ACTIVE
+ PERFMGR_FPSGO_WAIT_FSTB_ACTIVE
+ PERFMGR_FPSGO_SBE_RESCUE
+ EAS_SYNC_SET
+ EAS_PERTASK_LS_SET
+ CORE_CTL_FORCE_PAUSE_CPU
+ CORE_CTL_SET_OFFLINE_THROTTLE_MS
+ CORE_CTL_SET_LIMIT_CPUS
+ CORE_CTL_SET_NOT_PREFERRED
+ CORE_CTL_SET_BOOST
+ CORE_CTL_SET_UP_THRES
+ CPUQOS_V3_SET_CPUQOS_MODE
+ CPUQOS_V3_SET_CT_TASK
+ CPUQOS_V3_SET_CT_GROUP
+ EAS_NEWLY_IDLE_BALANCE_INTERVAL_SET
+ EAS_GET_THERMAL_HEADROOM_INTERVAL_SET
+ };
+
+# Date : 2017/10/11
+# Operation: SQC
+# Purpose : Allow powerHAL to access powerhal folder
+allow mtk_hal_power sdcard_type:dir create_dir_perms;
+allow mtk_hal_power sdcard_type:file create_file_perms;
+allow mtk_hal_power eemcs_device:chr_file rw_file_perms;
+allow mtk_hal_power mnt_user_file:dir create_dir_perms;
+
+allow mtk_hal_power mtk_powerhal_data_file:dir create_dir_perms;
+allow mtk_hal_power mtk_powerhal_data_file:file create_file_perms;
+allow mtk_hal_power mtk_powerhal_data_file:sock_file create_file_perms;
+
+#camera contorl cpu
+allow mtk_hal_power mtk_hal_camera:dir r_dir_perms;
+allow mtk_hal_power mtk_hal_camera:file r_file_perms;
+
+# Date : 2017/10/24
+# Operation: SQC
+# Purpose : Allow powerHAL to access thermal
+allow mtk_hal_power proc_thermal:dir r_dir_perms;
+
+# Date : 2017/12/19
+# Operation: SQC
+# Purpose : Allow powerHAL to access wlan
+allow mtk_hal_power proc_net:file w_file_perms;
+
+# Date : 2017/12/21
+# Operation: SQC
+# Purpose : Allow powerHAL to access mediacodec
+allow mtk_hal_power mediacodec:dir r_dir_perms;
+allow mtk_hal_power mediacodec:file r_file_perms;
+
+allow mtk_hal_power mediaserver:dir r_dir_perms;
+allow mtk_hal_power mediaserver:file r_file_perms;
+
+set_prop(mtk_hal_power, vendor_mtk_thermal_config_prop)
+
+
+# Date : 2018/06/26
+# Operation: Thermal change policy in perfservice
+allow mtk_hal_power thermal_manager_data_file:file create_file_perms;
+allow mtk_hal_power thermal_manager_data_file:dir { rw_dir_perms setattr };
+allow mtk_hal_power thermalloadalgod:unix_stream_socket connectto;
+
+allow mtk_hal_power proc_mtkcooler:dir r_dir_perms;
+allow mtk_hal_power proc_mtkcooler:file rw_file_perms;
+allow mtk_hal_power proc_mtktz:dir r_dir_perms;
+allow mtk_hal_power proc_mtktz:file rw_file_perms;
+
+# Date : 2019/05/08
+# Operation: SQC
+# Purpose : Allow powerHAL to access /proc/[pid]
+allow mtk_hal_power system_server:dir r_dir_perms;
+allow mtk_hal_power system_server:file r_file_perms;
+
+
+allow mtk_hal_power rild_oem_socket:sock_file w_file_perms;
+allow mtk_hal_power rild:unix_stream_socket connectto;
+
+# Date : 2019/05/22
+# Operation: SQC
+# Purpose : Allow powerHAL to access block read ahead
+allow mtk_hal_power sysfs_dm:dir r_dir_perms;
+allow mtk_hal_power sysfs_dm:file rw_file_perms;
+allow mtk_hal_power sysfs_devices_block:dir r_dir_perms;
+allow mtk_hal_power sysfs_devices_block:file rw_file_perms;
+
+
+# Date : 2019/05/22
+# Operation: SQC
+# Purpose : Allow powerHAL to access prop
+set_prop(mtk_hal_power, vendor_mtk_powerhal_prop)
+
+# Date : 2019/05/29
+# Operation: SQC
+# Purpose : Allow powerHAL to access wifi driver
+allow mtk_hal_power self:udp_socket create_socket_perms_no_ioctl;
+allow mtk_hal_power kernel:system module_request;
+allow mtk_hal_power self:capability sys_module;
+allowxperm mtk_hal_power self:udp_socket ioctl priv_sock_ioctls;
+
+# Date : 2019/09/05
+# Operation: SQC
+# Purpose : Add procfs, sysfs policy
+allow mtk_hal_power proc_ppm:dir r_dir_perms;
+allow mtk_hal_power proc_ppm:file rw_file_perms;
+allow mtk_hal_power proc_cpufreq:dir r_dir_perms;
+allow mtk_hal_power proc_cpufreq:file rw_file_perms;
+allow mtk_hal_power proc_hps:dir r_dir_perms;
+allow mtk_hal_power proc_hps:file rw_file_perms;
+allow mtk_hal_power proc_cm_mgr:dir r_dir_perms;
+allow mtk_hal_power proc_cm_mgr:file rw_file_perms;
+allow mtk_hal_power proc_fliperfs:dir r_dir_perms;
+allow mtk_hal_power proc_fliperfs:file rw_file_perms;
+allow mtk_hal_power sysfs_ged:dir r_dir_perms;
+allow mtk_hal_power sysfs_ged:file rw_file_perms;
+allow mtk_hal_power sysfs_fbt_cpu:dir r_dir_perms;
+allow mtk_hal_power sysfs_fbt_cpu:file rw_file_perms;
+allow mtk_hal_power sysfs_fbt_fteh:dir r_dir_perms;
+allow mtk_hal_power sysfs_fbt_fteh:file rw_file_perms;
+allow mtk_hal_power sysfs_xgf:dir r_dir_perms;
+allow mtk_hal_power sysfs_xgf:file rw_file_perms;
+allow mtk_hal_power sysfs_mtk_fpsgo:dir r_dir_perms;
+allow mtk_hal_power sysfs_mtk_fpsgo:file rw_file_perms;
+allow mtk_hal_power sysfs_fpsgo:dir r_dir_perms;
+allow mtk_hal_power sysfs_fpsgo:file rw_file_perms;
+allow mtk_hal_power sysfs_gbe:dir r_dir_perms;
+allow mtk_hal_power sysfs_gbe:file rw_file_perms;
+allow mtk_hal_power gbe_native:dir r_dir_perms;
+allow mtk_hal_power gbe_native:file r_file_perms;
+allow mtk_hal_power fpsgo_native:dir r_dir_perms;
+allow mtk_hal_power fpsgo_native:file r_file_perms;
+
+# Date : 2019/09/17
+# Operation: SQC
+# Purpose : Add cache audit
+allow mtk_hal_power sysfs_cache_ctrl:dir r_dir_perms;
+allow mtk_hal_power sysfs_cache_ctrl:file rw_file_perms;
+allow mtk_hal_power sysfs_pftch_qos:dir r_dir_perms;
+allow mtk_hal_power sysfs_pftch_qos:file rw_file_perms;
+
+# Date : 2019/09/18
+# Operation: SQC
+# Purpose : Add f2fs permission
+allow mtk_hal_power sysfs_fs_f2fs:dir r_dir_perms;
+allow mtk_hal_power sysfs_fs_f2fs:file rw_file_perms;
+
+# Date : 2019/09/19
+# Operation: SQC
+# Purpose : Add task turbo
+allow mtk_hal_power sysfs_task_turbo:dir r_dir_perms;
+allow mtk_hal_power sysfs_task_turbo:file rw_file_perms;
+
+# Date : 2019/09/23
+# Operation: SQC
+# Purpose : Allow powerHAL to access touch boost
+allow mtk_hal_power sysfs_change_rate:file rw_file_perms;
+
+# Date : 2019/10/16
+# Operation: SQC
+allow mtk_hal_power sysfs_ext4_disable_barrier:file w_file_perms;
+allow mtk_hal_power block_device:dir search;
+
+# Date : 2019/11/14
+# Operation: SQC
+# Purpose : Allow powerhal to control MCDI
+allow mtk_hal_power proc_cpuidle:dir r_dir_perms;
+allow mtk_hal_power proc_cpuidle:file rw_file_perms;
+
+# Date : 2020/06/12
+# Operation: SQC
+# Purpose : Allow powerhal to control mali power policy
+allow mtk_hal_power sysfs_mali_power_policy:file rw_file_perms;
+
+# Date : 2020/06/12
+# Operation: SQC
+# Purpose : Allow powerhal to control displowpower
+allow mtk_hal_power proc_displowpower:dir r_dir_perms;
+allow mtk_hal_power proc_displowpower:file rw_file_perms;
+
+# Date : 2020/07/31
+# Purpose: add permission for /sys/kernel/apusys/
+allow mtk_hal_power sysfs_apusys:dir r_dir_perms;
+allow mtk_hal_power sysfs_apusys:file rw_file_perms;
+
+# vpud_native control CPU
+# Date : 2020/8/7
+# Operation: video playback
+allow mtk_hal_power vpud_native:dir r_dir_perms;
+allow mtk_hal_power vpud_native:file rw_file_perms;
+allow mtk_hal_power mtk_hal_c2:dir r_dir_perms;
+allow mtk_hal_power mtk_hal_c2:file rw_file_perms;
+
+# Date : 2020/08/19
+# Purpose: add permission for /sys/class/devfreq/mtk-dvfsrc-devfreq/userspace
+allow mtk_hal_power sysfs_dvfsrc_devfreq:dir r_dir_perms;
+allow mtk_hal_power sysfs_dvfsrc_devfreq:file rw_file_perms;
+
+# Date : 2020/04/15
+# Operation: SQC
+# Purpose : Allow powerhal to control video mode property
+set_prop(mtk_hal_power, vendor_mtk_video_prop)
+
+# Date : 2020/09/18
+# Purpose: allow powerhal to control mcdi
+allow mtk_hal_power proc_mcdi:dir r_dir_perms;
+allow mtk_hal_power proc_mcdi:file rw_file_perms;
+
+# Date : 2020/09/29
+# Purpose: add permission for /sys/kernel/eara_thermal/
+allow mtk_hal_power sysfs_eara_thermal:dir r_dir_perms;
+allow mtk_hal_power sysfs_eara_thermal:file rw_file_perms;
+
+# Date : 2021/3/12
+# Purpose: add permission for /sys/class/misc/mali0/device/pm_poweroff
+allow mtk_hal_power sysfs_mali_poweroff:dir r_dir_perms;
+allow mtk_hal_power sysfs_mali_poweroff:file rw_file_perms;
+
+# Date : 2021/03/19
+# Purpose: add permission for EARA IO Service
+allow mtk_hal_power eara_io:dir r_dir_perms;
+allow mtk_hal_power eara_io:file r_file_perms;
+
+# Date : 2021/03/15
+# Purpose: add permission for /dev/cpu_dma_latency
+allow mtk_hal_power cpu_dma_latency_device:chr_file rw_file_perms;
+
+# Date : 2021/4/14
+# change policy via socket to thermal core
+allow mtk_hal_power thermal_socket:sock_file write;
+allow mtk_hal_power thermal_core:unix_stream_socket connectto;
+
+# Date : 2021/03/15
+# Purpose: add powerhal to control eara property
+set_prop(mtk_hal_power, vendor_mtk_frs_prop)
+
+# Date : 2021/04/20
+# Purpose: add permission for vendor.sys.vm.swappiness/dropcaches/extrafreekbytesadj/watermarkscalefactor
+set_prop(mtk_hal_power, vendor_mtk_vm_prop)
+
+# Date : 2021/04/26
+# Purpose: allow thermal core to limit CPU and GPU
+allow mtk_hal_power thermal_core:dir { getattr search };
+allow mtk_hal_power thermal_core:file r_file_perms;
+
+# Date : 2021/05/07
+# add permission for dev/cpuctl/
+allow mtk_hal_power cgroup:file rw_file_perms_no_map;
+allow mtk_hal_power cgroup:dir r_dir_perms;
+
+allow mtk_hal_power mtk_hal_bluetooth_audio_hwservice:hwservice_manager find;
+
+# Date: WK21.33
+# Purpose: allow Power-HAL to access /proc/[surfaceflinger_pid]
+allow mtk_hal_power surfaceflinger:dir r_dir_perms;
+allow mtk_hal_power surfaceflinger:file r_file_perms;
+
+# 2021/8/25
+# allow powerhal to access /proc/cpuhvfs/cpufreq_cci_mode
+allow mtk_hal_power proc_cpuhvfs:dir r_dir_perms;
+allow mtk_hal_power proc_cpuhvfs:file rw_file_perms;
+
+# 2021/8/25
+# allow powerhal to access /sys/kernel/cm_mgr/dbg_cm_mgr
+allow mtk_hal_power sysfs_cm_mgr:dir r_dir_perms;
+allow mtk_hal_power sysfs_cm_mgr:file rw_file_perms;
+
+set_prop(mtk_hal_power, vendor_mtk_bt_perf_prop)
+
+# Date : 2021/10/14
+# Purpose: add permission for get lmkd_config_prop
+get_prop(mtk_hal_power, lmkd_config_prop)
+
+# Date: 2021/12/08
+# allow powerhal to access /sys/kernel/thermal/sports_mode
+allow mtk_hal_power sysfs_thermal_sram:file w_file_perms;
+
+# Date: 2022/01/17
+# allow powerhal to access /sys/kernel/helio-dvfsrc/dvfsrc_qos_mode
+allow mtk_hal_power sysfs_dvfsrc_dbg:dir r_dir_perms;
+allow mtk_hal_power sysfs_dvfsrc_dbg:file rw_file_perms;
+
+# Date: 2021/12/24
+# allow powerhal to access /proc/mgq
+allow mtk_hal_power proc_mgq:dir r_dir_perms;
+allow mtk_hal_power proc_mgq:file w_file_perms;
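Review bot: L11965-L11966 give the power HAL `kernel:system module_request` and `self:capability sys_module`, and L11848 additionally registers it as a `hal_wifi` server, while the comment at L11963 only says "access wifi driver". If the intent is just to trigger autoload of the wifi driver through the udp socket at L11964, `module_request` alone usually suffices and `sys_module` (direct module loading) can be dropped; a comment naming the exact driver interaction would justify whichever set is kept. The `proc_thermal` grants are split across two blocks (file at L11857, dir at L11907) and several Date headers are out of order, which makes the file hard to audit; grouping them would help.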
diff --git a/basic/non_plat/mtk_hal_pq.te b/basic/non_plat/mtk_hal_pq.te
new file mode 100644
index 0000000..e64c09f
--- /dev/null
+++ b/basic/non_plat/mtk_hal_pq.te
@@ -0,0 +1,48 @@
+# ==============================================
+# Policy File of /vendor/bin/hw/vendor.mediatek.hardware.pq@2.0-service Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type mtk_hal_pq, domain;
+type mtk_hal_pq_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Setup for domain transition
+init_daemon_domain(mtk_hal_pq)
+
+# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
+hal_server_domain(mtk_hal_pq, hal_mtk_pq)
+
+# Allow to allocate hidl memory
+hal_client_domain(mtk_hal_pq, hal_allocator)
+
+# Purpose : Allow to use kernel driver
+allow mtk_hal_pq graphics_device:chr_file rw_file_perms;
+
+# Purpose : Allow permission to get AmbientLux from hwservice_manager
+allow mtk_hal_pq fwk_sensor_hwservice:hwservice_manager find;
+
+# Purpose : Allow permission to set pq property
+set_prop(mtk_hal_pq, vendor_mtk_pq_prop)
+
+# Purpose : Allow permission to get pq property
+get_prop(mtk_hal_pq, vendor_mtk_pq_ro_prop)
+
+# Purpose :
+allow mtk_hal_pq gpu_device:dir search;
+allow mtk_hal_pq dri_device:chr_file rw_file_perms;
+allow mtk_hal_pq mml_pq_device:chr_file rw_file_perms;
+
+# Purpose : Allow permission to get MMAgent from hwservice_manager
+hal_client_domain(mtk_hal_pq, hal_mtk_mmagent)
+
+# Purpose : Allow permission to use DMABuffer
+allow mtk_hal_pq dmabuf_system_heap_device:chr_file r_file_perms;
+
+# Purpose : Allow change priority
+allow mtk_hal_pq self:capability sys_nice;
\ No newline at end of file
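Review bot: The `# Purpose :` line at L12195 is empty while the rules under it (L12196-L12198) grant `gpu_device` directory search and read/write on the `dri_device` and `mml_pq_device` character devices. Filling it in, e.g. `# Purpose : Allow access to GPU, DRM and MML PQ device nodes`, keeps the file to its own documented-rule convention. The file is also missing a trailing newline (L12208).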
diff --git a/basic/non_plat/mtk_hal_secure_element.te b/basic/non_plat/mtk_hal_secure_element.te
new file mode 100644
index 0000000..ba05b00
--- /dev/null
+++ b/basic/non_plat/mtk_hal_secure_element.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type mtk_hal_secure_element, domain;
+type mtk_hal_secure_element_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mtk_hal_secure_element)
+
+hal_server_domain(mtk_hal_secure_element, hal_secure_element)
+
+# Allow to get android.hardware.radio HIDL interface
+hal_client_domain(mtk_hal_secure_element, hal_telephony)
+binder_call(mtk_hal_secure_element, rild)
+
+allow mtk_hal_secure_element secure_element_device:chr_file rw_file_perms;
+
+# Allow to use persist.radio.multisim.config
+get_prop(mtk_hal_secure_element, radio_control_prop)
diff --git a/basic/non_plat/mtk_hal_sensors.te b/basic/non_plat/mtk_hal_sensors.te
new file mode 100644
index 0000000..9de5caa
--- /dev/null
+++ b/basic/non_plat/mtk_hal_sensors.te
@@ -0,0 +1,78 @@
+# ==============================================================================
+# Type Declaration
+# ==============================================================================
+type mtk_hal_sensors, domain;
+type mtk_hal_sensors_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(mtk_hal_sensors)
+
+# call into system_server process (callbacks)
+binder_call(mtk_hal_sensors, system_server)
+
+#hwservicemanager
+hal_server_domain(mtk_hal_sensors, hal_sensors)
+
+# graphics allocator
+allow mtk_hal_sensors hal_graphics_allocator_default:fd use;
+
+# gpu device
+allow mtk_hal_sensors gpu_device:dir create_dir_perms;
+allow mtk_hal_sensors gpu_device:chr_file rw_file_perms;
+allow mtk_hal_sensors dri_device:chr_file rw_file_perms;
+
+# ion device
+allow mtk_hal_sensors ion_device:dir create_dir_perms;
+allow mtk_hal_sensors ion_device:chr_file rw_file_perms;
+
+# system file
+allow mtk_hal_sensors system_file:dir r_dir_perms;
+
+# sensors input rw access
+allow mtk_hal_sensors sysfs_sensor:dir r_dir_perms;
+allow mtk_hal_sensors sysfs_sensor:file rw_file_perms;
+
+# hal sensor for chr_file
+allow mtk_hal_sensors hwmsensor_device:chr_file r_file_perms;
+
+# Access sensor bio devices
+allow mtk_hal_sensors sensorlist_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_acc_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_als_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_ps_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_mag_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_gyro_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_baro_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_hmdy_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_act_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_pedo_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_situ_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_step_c_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_fusion_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_bio_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors hf_manager_device:chr_file rw_file_perms;
+
+# Access mtk sensor setting and calibration node.
+# for data
+allow mtk_hal_sensors sensor_data_file:file create_file_perms;
+allow mtk_hal_sensors sensor_data_file:dir create_dir_perms;
+
+# for nvcfg
+allow mtk_hal_sensors nvcfg_file:file create_file_perms;
+allow mtk_hal_sensors nvcfg_file:dir create_dir_perms;
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
+allow mtk_hal_sensors mnt_vendor_file:dir search;
+
+# Date : WK19.48
+# Purpose: fix [vts_10.0_r2]VtsHalSensorsV2_0Target fail
+allow mtk_hal_sensors merged_hal_service:fd use;
+
+# Date : WK20.25
+# Purpose: Allow to read /bus/platform/drivers/mtk_nanohub/state
+allow mtk_hal_sensors sysfs_mtk_nanohub_state:file r_file_perms;
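Review bot: `create_dir_perms` on `gpu_device:dir` and `ion_device:dir` lets the sensors HAL create, rename and delete entries under those device directories, which a HAL that only opens the character nodes (the `chr_file rw_file_perms` lines directly below each) does not need; `search` is enough to open a node by path. If the directory write permissions were copied from a denial for one specific operation, the comment should say which, otherwise narrow them to `allow mtk_hal_sensors gpu_device:dir search;` and `allow mtk_hal_sensors ion_device:dir search;`. The same question applies to `nvcfg_file:dir create_dir_perms` near the end, although the calibration comment there at least hints at why writes are expected.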
diff --git a/basic/non_plat/mtk_hal_thp.te b/basic/non_plat/mtk_hal_thp.te
new file mode 100644
index 0000000..8f81364
--- /dev/null
+++ b/basic/non_plat/mtk_hal_thp.te
@@ -0,0 +1 @@
+type mtk_hal_thp, domain;
diff --git a/basic/non_plat/mtk_hal_touchll.te b/basic/non_plat/mtk_hal_touchll.te
new file mode 100644
index 0000000..75d9723
--- /dev/null
+++ b/basic/non_plat/mtk_hal_touchll.te
@@ -0,0 +1 @@
+type mtk_hal_touchll, domain;
diff --git a/basic/non_plat/mtk_hal_usb.te b/basic/non_plat/mtk_hal_usb.te
new file mode 100644
index 0000000..be28b9b
--- /dev/null
+++ b/basic/non_plat/mtk_hal_usb.te
@@ -0,0 +1,16 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type mtk_hal_usb, domain;
+type mtk_hal_usb_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(mtk_hal_usb)
+
+hal_server_domain(mtk_hal_usb, hal_usb)
+hal_server_domain(mtk_hal_usb, hal_usb_gadget)
+
+r_dir_file(mtk_hal_usb, sysfs_usb_nonplat)
+allow mtk_hal_usb sysfs_usb_nonplat:file w_file_perms;
+
+set_prop(mtk_hal_usb, vendor_mtk_usb_prop)
+get_prop(mtk_hal_usb, usb_control_prop)
diff --git a/basic/non_plat/mtk_hal_wfo.te b/basic/non_plat/mtk_hal_wfo.te
new file mode 100644
index 0000000..a9b9e2a
--- /dev/null
+++ b/basic/non_plat/mtk_hal_wfo.te
@@ -0,0 +1 @@
+type mtk_hal_wfo, domain, mtkimsapdomain;
diff --git a/basic/non_plat/mtk_hal_wifi.te b/basic/non_plat/mtk_hal_wifi.te
new file mode 100644
index 0000000..0382e05
--- /dev/null
+++ b/basic/non_plat/mtk_hal_wifi.te
@@ -0,0 +1,13 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mtk_hal_wifi, domain;
+type mtk_hal_wifi_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mtk_hal_wifi)
+hal_server_domain(mtk_hal_wifi, hal_wifi)
+
+allow mtk_hal_wifi self:capability sys_module;
+allow mtk_hal_wifi vendor_file:system module_load;
+allow mtk_hal_wifi kernel:system module_request;
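Review bot: `allow mtk_hal_wifi vendor_file:system module_load;` lets the Wi-Fi HAL load any file carrying the generic `vendor_file` label as a kernel module, not only the Wi-Fi driver, and together with `self:capability sys_module` that is full kernel code loading bounded only by the partition-wide label. Labelling the directory that holds the driver modules with a dedicated file type and granting `module_load` (plus `r_file_perms`) on that type keeps the grant to the files it is meant for. A comment naming which module(s) the HAL loads would also help, since none of the three rules states the intent.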
diff --git a/basic/non_plat/mtk_pkm_service.te b/basic/non_plat/mtk_pkm_service.te
new file mode 100644
index 0000000..2f39902
--- /dev/null
+++ b/basic/non_plat/mtk_pkm_service.te
@@ -0,0 +1 @@
+type mtk_pkm_service, domain;
diff --git a/basic/non_plat/mtk_safe_halserverdomain_type.te b/basic/non_plat/mtk_safe_halserverdomain_type.te
new file mode 100644
index 0000000..74cb3b2
--- /dev/null
+++ b/basic/non_plat/mtk_safe_halserverdomain_type.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : W20.26
+# Operation : Migration
+# Purpose : For apps other than isolated_app call hidl
+binder_call(mtk_safe_halserverdomain_type, { appdomain -isolated_app })
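Review bot: The comment says the rule exists so that apps can call HIDL, but `binder_call`'s first argument is the calling domain, so what this grants is HAL servers carrying the attribute calling into, and using fds of, every non-isolated app domain including `untrusted_app` — the callback direction — while app-to-HAL calls are normally granted through `hal_client_domain`. If the callback direction is intended, the comment should say so, e.g. `# Allow HAL servers with this attribute to call back into any app domain except isolated_app`; if apps calling the HAL was the goal, the arguments are the wrong way round. The attribute's declaration is outside this hunk, so which HAL domains pick up this grant is not visible here.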
diff --git a/basic/non_plat/mtk_wmt_launcher.te b/basic/non_plat/mtk_wmt_launcher.te
new file mode 100644
index 0000000..6e09e09
--- /dev/null
+++ b/basic/non_plat/mtk_wmt_launcher.te
@@ -0,0 +1,25 @@
+# ==============================================
+# Policy File of /vendor/bin/mtk_wmt_launcher Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type mtk_wmt_launcher, domain;
+type mtk_wmt_launcher_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(mtk_wmt_launcher)
+
+# set the property
+set_prop(mtk_wmt_launcher, vendor_mtk_wmt_prop)
+
+# add ioctl/open/read/write permission for mtk_wmt_launcher with /dev/stpwmt
+allow mtk_wmt_launcher stpwmt_device:chr_file rw_file_perms;
+allow mtk_wmt_launcher devpts:chr_file rw_file_perms;
+allow mtk_wmt_launcher system_file:dir r_dir_perms;
+
+# Date : W18.01
+# Add for turn on SElinux in enforcing mode
+allow mtk_wmt_launcher vendor_file:dir r_dir_perms;
\ No newline at end of file
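Review bot: `allow mtk_wmt_launcher devpts:chr_file rw_file_perms;` and the `system_file:dir r_dir_perms` line sit under a comment that only describes the `/dev/stpwmt` rule above them, so the pseudo-terminal access has no stated reason. A launcher daemon reading and writing ptys is unusual enough to deserve its own line, e.g. `# Purpose : <why the launcher needs a pty>`, or the rule should be dropped if it came from a denial that no longer reproduces. The file also ends without a trailing newline.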
diff --git a/basic/non_plat/mtkbootanimation.te b/basic/non_plat/mtkbootanimation.te
new file mode 100644
index 0000000..fd6a37c
--- /dev/null
+++ b/basic/non_plat/mtkbootanimation.te
@@ -0,0 +1,28 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.46
+# Operation : Migration
+# Purpose : For MTK Emulator HW GPU
+allow mtkbootanimation qemu_pipe_device:chr_file rw_file_perms;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow mtkbootanimation proc_ged:file rw_file_perms;
+
+# Date : WK14.31
+# Operation : Migration
+# Purpose : access to sec mem proc interface.
+allow mtkbootanimation proc_secmem:file r_file_perms;
+
+# Date : WK16.29
+# Operation : Migration
+# Purpose : for gpu access
+allow mtkbootanimation dri_device:chr_file rw_file_perms;
+
+# Date : WK17.48
+# Operation : Migration
+# Purpose : FPSGO integration
+allow mtkbootanimation proc_perfmgr:dir r_dir_perms;
+allow mtkbootanimation proc_perfmgr:file r_file_perms;
diff --git a/basic/non_plat/mtkrild.te b/basic/non_plat/mtkrild.te
new file mode 100644
index 0000000..355b34f
--- /dev/null
+++ b/basic/non_plat/mtkrild.te
@@ -0,0 +1,143 @@
+# ==============================================
+# Policy File of /vendor/bin/mtkrild Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type mtkrild_exec, exec_type, file_type, vendor_file_type;
+type mtkrild, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(mtkrild)
+net_domain(mtkrild)
+
+# Access to wake locks
+wakelock_use(mtkrild)
+
+# Allow to use vendor binder
+vndbinder_use(mtkrild)
+
+# Trigger module auto-load.
+allow mtkrild kernel:system module_request;
+
+# Capabilities assigned for mtkrild
+allow mtkrild self:capability { setuid net_admin net_raw };
+
+# Control cgroups
+allow mtkrild cgroup:dir create_dir_perms;
+
+# Property service
+# allow set RIL related properties (radio./net./system./etc)
+set_prop(mtkrild, vendor_mtk_ril_active_md_prop)
+
+# allow set muxreport control properties
+set_prop(mtkrild, vendor_mtk_ril_cdma_report_prop)
+set_prop(mtkrild, vendor_mtk_ril_mux_report_case_prop)
+set_prop(mtkrild, vendor_mtk_ctl_muxreport-daemon_prop)
+
+#Dat: 2017/02/14
+#Purpose: allow set telephony Sensitive property
+set_prop(mtkrild, vendor_mtk_telephony_sensitive_prop)
+
+# Allow access permission to efs files
+allow mtkrild efs_file:dir create_dir_perms;
+allow mtkrild efs_file:file create_file_perms;
+allow mtkrild bluetooth_efs_file:file r_file_perms;
+allow mtkrild bluetooth_efs_file:dir r_dir_perms;
+
+# Allow access permission to dir/files
+# (radio data/system data/proc/etc)
+
+allow mtkrild sdcardfs:dir r_dir_perms;
+
+allow mtkrild proc_net:file w_file_perms;
+
+# Set and get routes directly via netlink.
+allow mtkrild self:netlink_route_socket nlmsg_write;
+
+# Allow read/write to devices/files
+allow mtkrild mtk_radio_device:dir search;
+allow mtkrild radio_device:chr_file rw_file_perms;
+allow mtkrild radio_device:blk_file r_file_perms;
+allow mtkrild mtd_device:dir search;
+
+# Allow read/write to tty devices
+allow mtkrild tty_device:chr_file rw_file_perms;
+allow mtkrild eemcs_device:chr_file rw_file_perms;
+
+allow mtkrild devmap_device:chr_file r_file_perms;
+allow mtkrild devpts:chr_file rw_file_perms;
+allow mtkrild ccci_device:chr_file rw_file_perms;
+allow mtkrild misc_device:chr_file rw_file_perms;
+allow mtkrild proc_lk_env:file rw_file_perms;
+allow mtkrild para_block_device:blk_file rw_file_perms;
+
+# Allow dir search, fd uses
+allow mtkrild block_device:dir search;
+allow mtkrild platform_app:fd use;
+allow mtkrild radio:fd use;
+
+# For MAL MFI
+allow mtkrild mal_mfi_socket:sock_file w_file_perms;
+
+# For ccci sysfs node
+allow mtkrild sysfs_ccci:dir search;
+allow mtkrild sysfs_ccci:file r_file_perms;
+
+# Allow ioctl in order to control network interface
+allowxperm mtkrild self:udp_socket ioctl {SIOCDELRT SIOCSIFFLAGS SIOCSIFADDR SIOCKILLADDR SIOCDEVPRIVATE SIOCDEVPRIVATE_1};
+
+# Allow to trigger IPv6 RS
+allow mtkrild node:rawip_socket node_bind;
+
+#Date : W18.15
+#Purpose: allow rild access to vendor.ril.ipo system property
+set_prop(mtkrild, vendor_mtk_ril_ipo_prop)
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow mtkrild to get vendor_mtk_tel_switch_prop
+get_prop(mtkrild, vendor_mtk_tel_switch_prop)
+
+#Date: W1817
+#Purpose: allow rild access property of vendor_mtk_radio_prop
+set_prop(mtkrild, vendor_mtk_radio_prop)
+
+# Date : WK18.26
+# Operation: P migration
+# Purpose: Allow carrier express HIDL to set vendor property
+set_prop(mtkrild, vendor_mtk_cxp_vendor_prop)
+allow mtkrild mnt_vendor_file:dir search;
+allow mtkrild mnt_vendor_file:file create_file_perms;
+allow mtkrild nvdata_file:dir create_dir_perms;
+allow mtkrild nvdata_file:file create_file_perms;
+
+# Date : WK18.31
+# Operation: P migration
+# Purpose: Allow supplementary service HIDL to set vendor property
+set_prop(mtkrild, vendor_mtk_ss_vendor_prop)
+
+# Date : W19.16
+# Operation: Q migration
+# Purpose: Allow mtkrild access to send SUPL INIT to mnld
+allow mtkrild mnld:unix_dgram_socket sendto;
+
+# Date : WK19.43
+# Purpose: Allow wfc module from rild read system property from wfc module
+get_prop(mtkrild, vendor_mtk_wfc_serv_prop)
+
+# Date : 2020/06/11
+# Operation: R migration
+# Purpose: Allow mtkrild to get system_boot_reason_prop
+get_prop(mtkrild, system_boot_reason_prop)
+
+# Date: WK20.31
+# Operation: RILD init flow
+# Purpose: To handle illegal rild started
+set_prop(mtkrild, vendor_mtk_gsm0710muxd_prop)
+
+# Date : 2020/08/17
+# Purpose: Allow mtkrild to access netlink_xfrm_socket
+allow mtkrild self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
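Review bot: `allow mtkrild para_block_device:blk_file rw_file_perms;` gives a network-facing daemon (`net_domain`, `net_admin`/`net_raw`) direct read/write on a raw partition, and neither it nor the neighbouring `misc_device:chr_file rw_file_perms`, `tty_device:chr_file rw_file_perms` and `radio_device:blk_file r_file_perms` lines carries a Purpose comment, unlike most of the later rules in the file. `misc_device` and `tty_device` are generic labels shared by several nodes rather than one specific driver, so those grants widen whenever another node receives the same label; naming the node and giving it its own type would keep the rule bounded. At minimum the block-device write needs a line such as `# Purpose : <which partition and why rild writes it>`.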
diff --git a/basic/non_plat/muxreport.te b/basic/non_plat/muxreport.te
new file mode 100644
index 0000000..4449058
--- /dev/null
+++ b/basic/non_plat/muxreport.te
@@ -0,0 +1,36 @@
+# ==============================================
+# Policy File of /vendor/bin/muxreport Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type muxreport_exec, exec_type, file_type, vendor_file_type;
+type muxreport, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(muxreport)
+
+# Property service
+# allow set muxreport control properties
+set_prop(muxreport, vendor_mtk_ril_mux_report_case_prop)
+
+# Allow read/write to devices/files
+allow muxreport ccci_device:chr_file rw_file_perms;
+allow muxreport devpts:chr_file rw_file_perms;
+allow muxreport eemcs_device:chr_file rw_file_perms;
+allow muxreport emd_device:chr_file rw_file_perms;
+
+# Allow read to sys/kernel/ccci/* files
+allow muxreport sysfs_ccci:dir search;
+allow muxreport sysfs_ccci:file r_file_perms;
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow muxreport to get vendor_mtk_tel_switch_prop
+get_prop(muxreport, vendor_mtk_tel_switch_prop)
+
+#Date: W1824
+#Purpose: allow muxreport access property of vendor_mtk_radio_prop
+set_prop(muxreport, vendor_mtk_radio_prop)
diff --git a/basic/non_plat/netd.te b/basic/non_plat/netd.te
new file mode 100644
index 0000000..f93ff1f
--- /dev/null
+++ b/basic/non_plat/netd.te
@@ -0,0 +1,42 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : For WIFI SANITY test to set FW path(STA/P2P/AP)
+# Owner: TingTing Lei
+allow netd wmtWifi_device:chr_file w_file_perms;
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : NA
+# Owner: Changqing Sun
+allow netd self:capability { fsetid setuid setgid };
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose: APP
+allow netd platform_app:fd use;
+
+# Date : WK14.37
+# Operation : Migration
+# Purpose : PPPOE Test
+# Owner : lina wang
+allow netd ppp:process sigkill;
+
+allow netd untrusted_app:fd use;
+
+# Date : W15.02
+# Operation : SQC
+# Purpose : CTS for wifi
+allow netd untrusted_app:unix_stream_socket rw_socket_perms_no_ioctl;
+allow netd isolated_app:fd use;
+
+# MTK support app feature
+get_prop(netd, vendor_mtk_app_prop)
+
+
+allow netd bip_ap:fd use;
+allow netd bip_ap:tcp_socket { read write setopt getopt };
+allow netd bip_ap:udp_socket {read write setopt getopt};
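Review bot: `# Purpose : NA` above `allow netd self:capability { fsetid setuid setgid };` leaves the one grant in this file that lets the daemon change its own credentials without any justification, while the less sensitive rules around it each have a stated reason. The same applies to the undocumented `allow netd untrusted_app:fd use;` and the `bip_ap` socket rules at the end, which let netd read and write sockets owned by another domain. Replace the placeholder with the real reason, e.g. `# Purpose : <why netd must switch uid/gid here>`, and add the same for the `untrusted_app` fd and `bip_ap` lines, or drop any of them that a denial log no longer shows.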
diff --git a/basic/non_plat/netdagent.te b/basic/non_plat/netdagent.te
new file mode 100644
index 0000000..88a30d5
--- /dev/null
+++ b/basic/non_plat/netdagent.te
@@ -0,0 +1 @@
+type netdagent, domain;
diff --git a/basic/non_plat/nfcstackp_vendor.te b/basic/non_plat/nfcstackp_vendor.te
new file mode 100644
index 0000000..a4431cc
--- /dev/null
+++ b/basic/non_plat/nfcstackp_vendor.te
@@ -0,0 +1 @@
+type nfcstackp_vendor, domain;
diff --git a/basic/non_plat/nvram_daemon.te b/basic/non_plat/nvram_daemon.te
new file mode 100644
index 0000000..eba4cf6
--- /dev/null
+++ b/basic/non_plat/nvram_daemon.te
@@ -0,0 +1,79 @@
+# ==============================================
+# Policy File of /vendor/bin/nvram_daemon Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type nvram_daemon_exec, exec_type, file_type, vendor_file_type;
+type nvram_daemon, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(nvram_daemon)
+
+# Date : WK14.31
+# Operation : Migration
+# Purpose : the device is used to store Nvram backup data that can not be lost.
+allow nvram_daemon nvram_device:blk_file rw_file_perms;
+allow nvram_daemon nvdata_device:blk_file rw_file_perms;
+
+# Date : WK14.35
+# Operation : chown folder and file permission
+# Purpose : ensure nvram user can access nvram file normally when upgrade from KK/KK.AOSP to L.
+allow nvram_daemon nvram_data_file:dir create_dir_perms;
+allow nvram_daemon nvram_data_file:file create_file_perms;
+allow nvram_daemon nvram_data_file:lnk_file { r_file_perms unlink };
+allow nvram_daemon nvdata_file:lnk_file r_file_perms;
+allow nvram_daemon nvdata_file:dir create_dir_perms;
+allow nvram_daemon nvdata_file:file create_file_perms;
+
+allow nvram_daemon als_ps_device:chr_file r_file_perms;
+allow nvram_daemon mtk-adc-cali_device:chr_file rw_file_perms;
+allow nvram_daemon gsensor_device:chr_file r_file_perms;
+allow nvram_daemon gyroscope_device:chr_file r_file_perms;
+
+# Purpose: for property set
+allow nvram_daemon self:capability { fowner chown fsetid };
+
+# Purpose: for backup
+allow nvram_daemon nvram_device:chr_file rw_file_perms;
+allow nvram_daemon pro_info_device:chr_file rw_file_perms;
+
+allow nvram_daemon block_device:dir search;
+
+# Purpose: for nand project
+allow nvram_daemon mtd_device:dir search;
+allow nvram_daemon mtd_device:chr_file rw_file_perms;
+
+# Purpose: for fstab parser
+allow nvram_daemon kmsg_device:chr_file w_file_perms;
+allow nvram_daemon proc_lk_env:file rw_file_perms;
+
+# Purpose: property set
+set_prop(nvram_daemon, vendor_mtk_service_nvram_init_prop)
+
+# Purpose: copy /fstab*
+allow nvram_daemon rootfs:dir r_dir_perms;
+allow nvram_daemon rootfs:file r_file_perms;
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow nvram_daemon to get vendor_mtk_tel_switch_prop
+get_prop(nvram_daemon, vendor_mtk_tel_switch_prop)
+get_prop(nvram_daemon, vendor_mtk_rat_config_prop)
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose: Allow nvram_daemon to search /mnt/vendor/nvdata for fstab
+allow nvram_daemon mnt_vendor_file:dir search;
+
+allow nvram_daemon sysfs_boot_mode:file r_file_perms;
+
+# Allow ReadDefaultFstab().
+read_fstab(nvram_daemon)
+
+# Purpose: Wifi NVRAM ConnFem Kernel node access
+allow nvram_daemon connfem_device:chr_file rw_file_perms;
\ No newline at end of file
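Review bot: The comment `# Purpose: for property set` above `allow nvram_daemon self:capability { fowner chown fsetid };` does not describe the rule: those capabilities concern file ownership and mode bits, which matches the WK14.35 `chown folder and file permission` block a few lines up, whereas property setting is granted by `set_prop(nvram_daemon, vendor_mtk_service_nvram_init_prop)` further down. Suggest `# Purpose: chown/chmod of nvram files and directories (see WK14.35 above)`. Separately, `read_fstab(nvram_daemon)` and the `rootfs:dir r_dir_perms` / `rootfs:file r_file_perms` pair labelled `copy /fstab*` may overlap; if the rootfs rules are still needed for something else, the comment should say what.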
diff --git a/basic/non_plat/platform_app.te b/basic/non_plat/platform_app.te
new file mode 100644
index 0000000..73d34c7
--- /dev/null
+++ b/basic/non_plat/platform_app.te
@@ -0,0 +1,40 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK18.21
+# Operation : Migration
+# Purpose : Do FM operation via hal_mtk_fm
+hal_client_domain(platform_app, hal_mtk_fm)
+
+# Date: 2019/07/04
+# Stage: Migration
+# Purpose: Allow to use lomo effect
+# Package: com.mediatek.camera
+allow platform_app sw_sync_device:chr_file rw_file_perms;
+
+# Date: 2019/07/04
+# Purpose: Allow platform app to use BGService HIDL and access mtk_hal_camera
+hal_client_domain(platform_app, hal_mtk_bgs)
+binder_call(platform_app, mtk_hal_camera)
+
+# Date: 2020/06/08
+# Purpose: Allow platform app to access mtk jpeg
+allow platform_app proc_mtk_jpeg:file rw_file_perms;
+allowxperm platform_app proc_mtk_jpeg:file ioctl {
+ JPG_BRIDGE_DEC_IO_LOCK
+ JPG_BRIDGE_DEC_IO_WAIT
+ JPG_BRIDGE_DEC_IO_UNLOCK
+};
+
+# Date : 2021/04/22
+# Operation : Migration
+# Purpose : DebugLoggerUI need copy & delete /data/vendor/vcodec/ folder
+# Package: com.debug.loggerui
+allow platform_app vcodec_file:dir create_dir_perms;
+allow platform_app vcodec_file:file create_file_perms;
+# DebugLoggerUI can get c2 log properties
+get_prop(platform_app, vendor_mtk_c2_log_prop)
+
+# Allow FMRadio to talk to /dev/fm
+allow platform_app fm_device:chr_file rw_file_perms;
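Review bot: The `vcodec_file` create/delete grants and the `vendor_mtk_c2_log_prop` read are documented as being for one package (`com.debug.loggerui`), but they are written against `platform_app`, so every platform-signed app gains the ability to create and delete files under that directory. If only the logger needs it, a dedicated app domain assigned via seapp_contexts keeps the grant on that package; if the attribute-wide grant is deliberate, the comment should say so instead of naming a single package. The same pattern appears with `# Package: com.mediatek.camera` above the `sw_sync_device` rule.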
diff --git a/basic/non_plat/postinstall.te b/basic/non_plat/postinstall.te
new file mode 100644
index 0000000..9db77b6
--- /dev/null
+++ b/basic/non_plat/postinstall.te
@@ -0,0 +1,7 @@
+allow postinstall dm_device:chr_file rw_file_perms;
+allow postinstall preloader_block_device:blk_file rw_file_perms;
+allow postinstall postinstall_block_device:blk_file rw_file_perms;
+allow postinstall sysfs_devices_block:dir search;
+allowxperm postinstall preloader_block_device:blk_file ioctl BLKROSET;
+allow postinstall block_device:dir search;
+allow postinstall self:capability sys_admin;
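Review bot: This file has no comments at all, yet it grants `self:capability sys_admin` together with read/write on `preloader_block_device` and the `BLKROSET` ioctl — the OTA post-install step can clear a bootloader partition's read-only flag and write it. That is presumably intended for a bootloader update, but a later reader cannot tell which operation needs `sys_admin` (one of the broadest capabilities) or whether `dm_device` read/write is still required. Suggest a header in the style of the other files, e.g. `# Purpose : OTA postinstall writes the preloader partition (BLKROSET clears the RO flag); sys_admin needed for <which operation>`, with the placeholder filled in.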
diff --git a/basic/non_plat/ppl_agent.te b/basic/non_plat/ppl_agent.te
new file mode 100644
index 0000000..7a3e8d9
--- /dev/null
+++ b/basic/non_plat/ppl_agent.te
@@ -0,0 +1 @@
+type ppl_agent, domain;
diff --git a/basic/non_plat/priv_app.te b/basic/non_plat/priv_app.te
new file mode 100644
index 0000000..f5ac8d4
--- /dev/null
+++ b/basic/non_plat/priv_app.te
@@ -0,0 +1,12 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2020/06/08
+# Purpose: Allow private app to access mtk jpeg
+allow priv_app proc_mtk_jpeg:file rw_file_perms;
+allowxperm priv_app proc_mtk_jpeg:file ioctl {
+ JPG_BRIDGE_DEC_IO_LOCK
+ JPG_BRIDGE_DEC_IO_WAIT
+ JPG_BRIDGE_DEC_IO_UNLOCK
+};
diff --git a/basic/non_plat/property.te b/basic/non_plat/property.te
new file mode 100644
index 0000000..92335ba
--- /dev/null
+++ b/basic/non_plat/property.te
@@ -0,0 +1,201 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# system_internal_prop -- Properties used only in /system
+# system_restricted_prop -- Properties which can't be written outside system
+# system_public_prop -- Properties with no restrictions
+# system_vendor_config_prop -- Properties which can be written only by vendor_init
+# vendor_internal_prop -- Properties used only in /vendor
+# vendor_restricted_prop -- Properties which can't be written outside vendor
+# vendor_public_prop -- Properties with no restrictions
+
+# Properties used only in /vendor
+vendor_internal_prop(vendor_mtk_ctl_ccci2_fsd_prop)
+vendor_internal_prop(vendor_mtk_ctl_ccci3_fsd_prop)
+vendor_internal_prop(vendor_mtk_ctl_ccci_fsd_prop)
+vendor_internal_prop(vendor_mtk_ctl_fusion_ril_mtk_prop)
+vendor_internal_prop(vendor_mtk_ctl_gsm0710muxd_prop)
+vendor_internal_prop(vendor_mtk_ctl_muxreport-daemon_prop)
+vendor_internal_prop(vendor_mtk_ctl_ril-daemon-mtk_prop)
+vendor_internal_prop(vendor_mtk_ctl_ril-proxy_prop)
+vendor_internal_prop(vendor_mtk_ctl_viarild_prop)
+vendor_internal_prop(vendor_mtk_powerhal_prop)
+vendor_internal_prop(vendor_mtk_wfc_serv_prop)
+vendor_internal_prop(vendor_mtk_factory_prop)
+vendor_internal_prop(vendor_mtk_factory_start_prop)
+vendor_internal_prop(vendor_mtk_eara_io_prop)
+
+# Properties which can't be written outside vendor
+vendor_restricted_prop(vendor_mtk_aal_ro_prop)
+vendor_restricted_prop(vendor_mtk_anr_support_prop)
+vendor_restricted_prop(vendor_mtk_app_prop)
+vendor_restricted_prop(vendor_mtk_appresolutiontuner_prop)
+vendor_restricted_prop(vendor_mtk_atci_prop)
+vendor_restricted_prop(vendor_mtk_atm_ipaddr_prop)
+vendor_restricted_prop(vendor_mtk_atm_mdmode_prop)
+vendor_restricted_prop(vendor_mtk_audiohal_prop)
+vendor_restricted_prop(vendor_mtk_bt_sap_enable_prop)
+vendor_restricted_prop(vendor_mtk_coredump_prop)
+vendor_restricted_prop(vendor_mtk_ct_ir_engmode_prop)
+vendor_restricted_prop(vendor_mtk_ct_volte_prop)
+vendor_restricted_prop(vendor_mtk_cxp_vendor_prop)
+vendor_restricted_prop(vendor_mtk_debug_md_reset_prop)
+vendor_restricted_prop(vendor_mtk_default_prop)
+vendor_restricted_prop(vendor_mtk_disable_c2k_cap_prop)
+vendor_restricted_prop(vendor_mtk_display_ro_prop)
+vendor_restricted_prop(vendor_mtk_dsbp_support_prop)
+vendor_restricted_prop(vendor_mtk_em_hidl_prop)
+vendor_restricted_prop(vendor_mtk_emmc_support_prop)
+vendor_restricted_prop(vendor_mtk_em_prop)
+vendor_restricted_prop(vendor_mtk_em_usb_prop)
+vendor_restricted_prop(vendor_mtk_factory_idle_state_prop)
+vendor_restricted_prop(vendor_mtk_fullscreenswitch_prop)
+vendor_restricted_prop(vendor_mtk_gprs_prefer_prop)
+vendor_restricted_prop(vendor_mtk_gps_support_prop)
+vendor_restricted_prop(vendor_mtk_graphics_hwc_hdr_prop)
+vendor_restricted_prop(vendor_mtk_graphics_hwc_pid_prop)
+vendor_restricted_prop(vendor_mtk_graphics_hwc_validate_separate_prop)
+vendor_restricted_prop(vendor_mtk_gsm0710muxd_prop)
+vendor_restricted_prop(vendor_mtk_hdmi_prop)
+vendor_restricted_prop(vendor_mtk_imstestmode_prop)
+vendor_restricted_prop(vendor_mtk_malloc_debug_backtrace_prop)
+vendor_restricted_prop(vendor_mtk_md_prop)
+vendor_restricted_prop(vendor_mtk_md_version_prop)
+vendor_restricted_prop(vendor_mtk_mediatek_prop)
+vendor_restricted_prop(vendor_mtk_meta_connecttype_prop)
+vendor_restricted_prop(vendor_mtk_mnld_prop)
+vendor_restricted_prop(vendor_mtk_modem_warning_prop)
+vendor_restricted_prop(vendor_mtk_net_cdma_mdmstat_prop)
+vendor_restricted_prop(vendor_mtk_nn_option_prop)
+vendor_restricted_prop(vendor_mtk_gbe_prop)
+vendor_restricted_prop(vendor_mtk_nvram_ready_prop)
+vendor_restricted_prop(vendor_mtk_omx_log_prop)
+vendor_restricted_prop(vendor_mtk_operator_id_prop)
+vendor_restricted_prop(vendor_mtk_persist_service_atci_prop)
+vendor_restricted_prop(vendor_mtk_pq_prop)
+vendor_restricted_prop(vendor_mtk_pq_ro_prop)
+vendor_restricted_prop(vendor_mtk_radio_prop)
+vendor_restricted_prop(vendor_mtk_rat_config_prop)
+vendor_restricted_prop(vendor_mtk_ril_active_md_prop)
+vendor_restricted_prop(vendor_mtk_ril_cdma_report_prop)
+vendor_restricted_prop(vendor_mtk_ril_ipo_prop)
+vendor_restricted_prop(vendor_mtk_ril_mode_prop)
+vendor_restricted_prop(vendor_mtk_ril_mux_report_case_prop)
+vendor_restricted_prop(vendor_mtk_service_nvram_init_prop)
+vendor_restricted_prop(vendor_mtk_simswitch_emmode_prop)
+vendor_restricted_prop(vendor_mtk_smsformat_prop)
+vendor_restricted_prop(vendor_mtk_ss_vendor_prop)
+vendor_restricted_prop(vendor_mtk_telephony_sensitive_prop)
+vendor_restricted_prop(vendor_mtk_tel_switch_prop)
+vendor_restricted_prop(vendor_mtk_testsim_cardtype_prop)
+vendor_restricted_prop(vendor_mtk_thermal_config_prop)
+vendor_restricted_prop(vendor_mtk_usb_otg_switch_prop)
+vendor_restricted_prop(vendor_mtk_usb_prop)
+vendor_restricted_prop(vendor_mtk_c2_log_prop)
+vendor_restricted_prop(vendor_mtk_vdec_log_prop)
+vendor_restricted_prop(vendor_mtk_vdectlc_log_prop)
+vendor_restricted_prop(vendor_mtk_venc_h264_showlog_prop)
+vendor_restricted_prop(vendor_mtk_voicerecgnize_prop)
+vendor_restricted_prop(vendor_mtk_volte_prop)
+vendor_restricted_prop(vendor_mtk_wifi_hotspot_prop)
+vendor_restricted_prop(vendor_mtk_wifi_hal_prop)
+vendor_restricted_prop(vendor_mtk_wmt_prop)
+vendor_restricted_prop(vendor_mtk_gpu_prop)
+vendor_restricted_prop(vendor_mtk_powerhal_gpu_prop)
+vendor_restricted_prop(vendor_mtk_sensor_prop)
+vendor_restricted_prop(vendor_mtk_device_prop)
+vendor_restricted_prop(vendor_mtk_input_resample_latency_prop)
+vendor_restricted_prop(vendor_mtk_input_report_rate_prop)
+vendor_restricted_prop(vendor_mtk_video_prop)
+vendor_restricted_prop(vendor_mtk_frs_prop)
+vendor_restricted_prop(vendor_mtk_vm_prop)
+vendor_restricted_prop(vendor_mtk_aod_support_prop)
+vendor_restricted_prop(vendor_mtk_soc_prop)
+vendor_restricted_prop(vendor_mtk_prefer64_prop)
+vendor_restricted_prop(vendor_mtk_bt_aac_vbr_prop)
+vendor_restricted_prop(vendor_mtk_bt_perf_prop)
+vendor_restricted_prop(vendor_mtk_hwc_debug_log_prop)
+vendor_restricted_prop(vendor_mtk_mdp_debug_log_prop)
+vendor_restricted_prop(vendor_mtk_debug_sf_cpupolicy_prop)
+vendor_restricted_prop(vendor_mtk_neuropilot_flag_prop)
+vendor_restricted_prop(vendor_mtk_mdrsra_v2_support_prop)
+vendor_restricted_prop(vendor_mtk_xfrm_support_prop)
+vendor_restricted_prop(vendor_debug_logger_prop)
+
+# Properties with can be read by all domains
+typeattribute vendor_mtk_aal_ro_prop mtk_core_property_type;
+typeattribute vendor_mtk_anr_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_app_prop mtk_core_property_type;
+typeattribute vendor_mtk_appresolutiontuner_prop mtk_core_property_type;
+typeattribute vendor_mtk_atci_prop mtk_core_property_type;
+typeattribute vendor_mtk_audiohal_prop mtk_core_property_type;
+typeattribute vendor_mtk_bt_sap_enable_prop mtk_core_property_type;
+typeattribute vendor_mtk_coredump_prop mtk_core_property_type;
+typeattribute vendor_mtk_ct_ir_engmode_prop mtk_core_property_type;
+typeattribute vendor_mtk_ct_volte_prop mtk_core_property_type;
+typeattribute vendor_mtk_cxp_vendor_prop mtk_core_property_type;
+typeattribute vendor_mtk_debug_md_reset_prop mtk_core_property_type;
+typeattribute vendor_mtk_default_prop mtk_core_property_type;
+typeattribute vendor_mtk_disable_c2k_cap_prop mtk_core_property_type;
+typeattribute vendor_mtk_dsbp_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_em_hidl_prop mtk_core_property_type;
+typeattribute vendor_mtk_emmc_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_em_prop mtk_core_property_type;
+typeattribute vendor_mtk_em_usb_prop mtk_core_property_type;
+typeattribute vendor_mtk_factory_idle_state_prop mtk_core_property_type;
+typeattribute vendor_mtk_fullscreenswitch_prop mtk_core_property_type;
+typeattribute vendor_mtk_gprs_prefer_prop mtk_core_property_type;
+typeattribute vendor_mtk_gps_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_gsm0710muxd_prop mtk_core_property_type;
+typeattribute vendor_mtk_hdmi_prop mtk_core_property_type;
+typeattribute vendor_mtk_imstestmode_prop mtk_core_property_type;
+typeattribute vendor_mtk_malloc_debug_backtrace_prop mtk_core_property_type;
+typeattribute vendor_mtk_md_prop mtk_core_property_type;
+typeattribute vendor_mtk_md_version_prop mtk_core_property_type;
+typeattribute vendor_mtk_mediatek_prop mtk_core_property_type;
+typeattribute vendor_mtk_mnld_prop mtk_core_property_type;
+typeattribute vendor_mtk_modem_warning_prop mtk_core_property_type;
+typeattribute vendor_mtk_net_cdma_mdmstat_prop mtk_core_property_type;
+typeattribute vendor_mtk_nvram_ready_prop mtk_core_property_type;
+typeattribute vendor_mtk_omx_log_prop mtk_core_property_type;
+typeattribute vendor_mtk_operator_id_prop mtk_core_property_type;
+typeattribute vendor_mtk_persist_service_atci_prop mtk_core_property_type;
+typeattribute vendor_mtk_pq_prop mtk_core_property_type;
+typeattribute vendor_mtk_pq_ro_prop mtk_core_property_type;
+typeattribute vendor_mtk_radio_prop mtk_core_property_type;
+typeattribute vendor_mtk_rat_config_prop mtk_core_property_type;
+typeattribute vendor_mtk_ril_active_md_prop mtk_core_property_type;
+typeattribute vendor_mtk_ril_cdma_report_prop mtk_core_property_type;
+typeattribute vendor_mtk_ril_ipo_prop mtk_core_property_type;
+typeattribute vendor_mtk_ril_mode_prop mtk_core_property_type;
+typeattribute vendor_mtk_ril_mux_report_case_prop mtk_core_property_type;
+typeattribute vendor_mtk_service_nvram_init_prop mtk_core_property_type;
+typeattribute vendor_mtk_simswitch_emmode_prop mtk_core_property_type;
+typeattribute vendor_mtk_smsformat_prop mtk_core_property_type;
+typeattribute vendor_mtk_ss_vendor_prop mtk_core_property_type;
+typeattribute vendor_mtk_tel_switch_prop mtk_core_property_type;
+typeattribute vendor_mtk_testsim_cardtype_prop mtk_core_property_type;
+typeattribute vendor_mtk_usb_otg_switch_prop mtk_core_property_type;
+typeattribute vendor_mtk_vdec_log_prop mtk_core_property_type;
+typeattribute vendor_mtk_vdectlc_log_prop mtk_core_property_type;
+typeattribute vendor_mtk_venc_h264_showlog_prop mtk_core_property_type;
+typeattribute vendor_mtk_voicerecgnize_prop mtk_core_property_type;
+typeattribute vendor_mtk_volte_prop mtk_core_property_type;
+typeattribute vendor_mtk_wifi_hotspot_prop mtk_core_property_type;
+typeattribute vendor_mtk_wifi_hal_prop mtk_core_property_type;
+typeattribute vendor_mtk_wmt_prop mtk_core_property_type;
+typeattribute vendor_mtk_gpu_prop mtk_core_property_type;
+typeattribute vendor_mtk_powerhal_gpu_prop mtk_core_property_type;
+typeattribute vendor_mtk_sensor_prop mtk_core_property_type;
+typeattribute vendor_mtk_input_resample_latency_prop mtk_core_property_type;
+typeattribute vendor_mtk_video_prop mtk_core_property_type;
+typeattribute vendor_mtk_vm_prop mtk_core_property_type;
+typeattribute vendor_mtk_aod_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_bt_aac_vbr_prop mtk_core_property_type;
+typeattribute vendor_mtk_hwc_debug_log_prop mtk_core_property_type;
+typeattribute vendor_mtk_mdp_debug_log_prop mtk_core_property_type;
+typeattribute vendor_mtk_neuropilot_flag_prop mtk_core_property_type;
+typeattribute vendor_mtk_mdrsra_v2_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_xfrm_support_prop mtk_core_property_type;
+typeattribute vendor_debug_logger_prop mtk_core_property_type;
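Review bot: The section comment `# Properties with can be read by all domains` is garbled (`with` should be `which`), and in this file that sentence carries meaning: according to it, everything listed below gains `mtk_core_property_type` and becomes readable everywhere, which is wider than `vendor_restricted_prop` alone implies. Given that, the list deserves a second look for entries that should stay restricted — `vendor_mtk_cxp_vendor_prop`, `vendor_mtk_md_prop` and the `vendor_mtk_ril_*` telephony properties are exposed to every domain once listed here, while `vendor_mtk_telephony_sensitive_prop` is correctly left out. `vendor_debug_logger_prop` also breaks the `vendor_mtk_` naming used by every other type in the file.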
diff --git a/basic/non_plat/property_contexts b/basic/non_plat/property_contexts
new file mode 100644
index 0000000..6f5933e
--- /dev/null
+++ b/basic/non_plat/property_contexts
@@ -0,0 +1,382 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+ctl.vendor.gsm0710muxd u:object_r:vendor_mtk_ctl_gsm0710muxd_prop:s0
+
+vendor.ril.ipo u:object_r:vendor_mtk_ril_ipo_prop:s0
+
+vendor.usb. u:object_r:vendor_mtk_usb_prop:s0
+persist.vendor.usb. u:object_r:vendor_mtk_usb_prop:s0
+
+vendor.ril.mux. u:object_r:vendor_mtk_gsm0710muxd_prop:s0
+
+ctl.vendor.ril-daemon-mtk u:object_r:vendor_mtk_ctl_ril-daemon-mtk_prop:s0
+ctl.vendor.fusion_ril_mtk u:object_r:vendor_mtk_ctl_fusion_ril_mtk_prop:s0
+ctl.vendor.ril-proxy u:object_r:vendor_mtk_ctl_ril-proxy_prop:s0
+ctl.vendor.viarild u:object_r:vendor_mtk_ctl_viarild_prop:s0
+
+ctl.vendor.muxreport-daemon u:object_r:vendor_mtk_ctl_muxreport-daemon_prop:s0
+ctl.vendor.ccci_fsd u:object_r:vendor_mtk_ctl_ccci_fsd_prop:s0
+ctl.vendor.ccci2_fsd u:object_r:vendor_mtk_ctl_ccci2_fsd_prop:s0
+ctl.vendor.ccci3_fsd u:object_r:vendor_mtk_ctl_ccci3_fsd_prop:s0
+
+vendor.ril.active.md u:object_r:vendor_mtk_ril_active_md_prop:s0
+vendor.ril.mux.report.case u:object_r:vendor_mtk_ril_mux_report_case_prop:s0
+vendor.ril.cdma.report u:object_r:vendor_mtk_ril_cdma_report_prop:s0
+
+# dynamic telephony switch
+ro.boot.opt_md2_support u:object_r:vendor_mtk_tel_switch_prop:s0
+ro.boot.opt_md5_support u:object_r:vendor_mtk_tel_switch_prop:s0
+ro.boot.opt_sim_count u:object_r:vendor_mtk_tel_switch_prop:s0
+ro.boot.opt_using_default u:object_r:vendor_mtk_tel_switch_prop:s0
+ro.vendor.mtk_c2k_lte_mode u:object_r:vendor_mtk_tel_switch_prop:s0
+ro.vendor.mtk_c2k_support u:object_r:vendor_mtk_tel_switch_prop:s0
+ro.vendor.mtk_eccci_c2k u:object_r:vendor_mtk_tel_switch_prop:s0
+ro.vendor.mtk_lte_support u:object_r:vendor_mtk_tel_switch_prop:s0
+ro.vendor.mtk_md1_support u:object_r:vendor_mtk_tel_switch_prop:s0
+ro.vendor.mtk_md3_support u:object_r:vendor_mtk_tel_switch_prop:s0
+ro.vendor.mtk_ps1_rat u:object_r:vendor_mtk_tel_switch_prop:s0
+
+vendor.gps.clock.type u:object_r:vendor_mtk_mnld_prop:s0
+vendor.gps.gps.version u:object_r:vendor_mtk_mnld_prop:s0
+vendor.gpsdbglog.enable u:object_r:vendor_mtk_mnld_prop:s0
+vendor.gpsdbglog. u:object_r:vendor_mtk_mnld_prop:s0
+vendor.debug.gps. u:object_r:vendor_mtk_mnld_prop:s0
+
+vendor.streamout. u:object_r:vendor_mtk_audiohal_prop:s0
+vendor.streamin. u:object_r:vendor_mtk_audiohal_prop:s0
+vendor.a2dp. u:object_r:vendor_mtk_audiohal_prop:s0
+vendor.audiohal. u:object_r:vendor_mtk_audiohal_prop:s0
+persist.vendor.audiohal. u:object_r:vendor_mtk_audiohal_prop:s0
+persist.vendor.vow. u:object_r:vendor_mtk_audiohal_prop:s0
+
+persist.vendor.connsys.coredump.mode u:object_r:vendor_mtk_coredump_prop:s0
+persist.vendor.connsys. u:object_r:vendor_mtk_wmt_prop:s0
+vendor.connsys. u:object_r:vendor_mtk_wmt_prop:s0
+
+# c2k_prop
+vendor.net.cdma.mdmstat u:object_r:vendor_mtk_net_cdma_mdmstat_prop:s0
+
+# md status
+vendor.mtk.md u:object_r:vendor_mtk_md_prop:s0
+
+# factory idle current prop
+vendor.debug.factory.idle_state u:object_r:vendor_mtk_factory_idle_state_prop:s0
+
+vendor.service.nvram_init u:object_r:vendor_mtk_service_nvram_init_prop:s0
+
+# Camera APP Mode
+vendor.client. u:object_r:vendor_mtk_em_prop:s0
+
+vendor.debug.camera.p2plug.log u:object_r:vendor_mtk_mediatek_prop:s0
+vendor.client.em.appmode u:object_r:vendor_mtk_mediatek_prop:s0
+
+# EM test/debug purpose
+persist.vendor.em.hidl. u:object_r:vendor_mtk_em_hidl_prop:s0
+
+# ims operator property
+vendor.ril.volte.mal.pctid u:object_r:vendor_mtk_operator_id_prop:s0
+
+persist.vendor.radio.simswitch.emmode u:object_r:vendor_mtk_simswitch_emmode_prop:s0
+
+persist.vendor.radio.mtk_dsbp_support u:object_r:vendor_mtk_dsbp_support_prop:s0
+
+persist.vendor.radio.imstestmode u:object_r:vendor_mtk_imstestmode_prop:s0
+
+persist.vendor.radio.smsformat u:object_r:vendor_mtk_smsformat_prop:s0
+
+persist.vendor.radio.gprs.prefer u:object_r:vendor_mtk_gprs_prefer_prop:s0
+
+persist.vendor.radio.testsim.cardtype u:object_r:vendor_mtk_testsim_cardtype_prop:s0
+
+persist.vendor.radio.ct.ir.engmode u:object_r:vendor_mtk_ct_ir_engmode_prop:s0
+
+persist.vendor.radio.disable_c2k_cap u:object_r:vendor_mtk_disable_c2k_cap_prop:s0
+
+# modem reset delay property
+vendor.mediatek.debug.md.reset.wait u:object_r:vendor_mtk_debug_md_reset_prop:s0
+
+# video c2 log property
+vendor.mtk.c2 u:object_r:vendor_mtk_c2_log_prop:s0
+
+# video log omx.* property
+vendor.mtk.omx. u:object_r:vendor_mtk_omx_log_prop:s0
+
+vendor.mtk.vdec.log u:object_r:vendor_mtk_vdec_log_prop:s0
+
+vendor.mtk.vdectlc.log u:object_r:vendor_mtk_vdectlc_log_prop:s0
+
+vendor.mtk.venc.h264.showlog u:object_r:vendor_mtk_venc_h264_showlog_prop:s0
+
+persist.vendor.radio.modem.warning u:object_r:vendor_mtk_modem_warning_prop:s0
+
+persist.vendor.meta.connecttype u:object_r:vendor_mtk_meta_connecttype_prop:s0
+
+# Telephony Sensitive property
+vendor.ril.iccid.sim u:object_r:vendor_mtk_telephony_sensitive_prop:s0
+vendor.ril.uim.subscriberid u:object_r:vendor_mtk_telephony_sensitive_prop:s0
+persist.vendor.radio.last_iccid_sim u:object_r:vendor_mtk_telephony_sensitive_prop:s0
+vendor.ril.ia.iccid u:object_r:vendor_mtk_telephony_sensitive_prop:s0
+vendor.ril.radio.ia u:object_r:vendor_mtk_telephony_sensitive_prop:s0
+vendor.ril.c2kirat.ia.sim1 u:object_r:vendor_mtk_telephony_sensitive_prop:s0
+vendor.ril.c2kirat.ia.sim2 u:object_r:vendor_mtk_telephony_sensitive_prop:s0
+vendor.ril.c2kirat.ia.sim3 u:object_r:vendor_mtk_telephony_sensitive_prop:s0
+vendor.ril.c2kirat.ia.sim4 u:object_r:vendor_mtk_telephony_sensitive_prop:s0
+persist.vendor.radio.ia u:object_r:vendor_mtk_telephony_sensitive_prop:s0
+persist.vendor.radio.ia.1 u:object_r:vendor_mtk_telephony_sensitive_prop:s0
+persist.vendor.radio.ia.2 u:object_r:vendor_mtk_telephony_sensitive_prop:s0
+persist.vendor.radio.ia.3 u:object_r:vendor_mtk_telephony_sensitive_prop:s0
+persist.vendor.radio.data.iccid u:object_r:vendor_mtk_telephony_sensitive_prop:s0
+persist.vendor.radio.mobile.data u:object_r:vendor_mtk_telephony_sensitive_prop:s0
+persist.vendor.radio.ls1icid u:object_r:vendor_mtk_telephony_sensitive_prop:s0
+persist.vendor.radio.ls2icid u:object_r:vendor_mtk_telephony_sensitive_prop:s0
+persist.vendor.radio.ls3icid u:object_r:vendor_mtk_telephony_sensitive_prop:s0
+persist.vendor.radio.ls4icid u:object_r:vendor_mtk_telephony_sensitive_prop:s0
+persist.vendor.mtk.provision.mccmnc. u:object_r:vendor_mtk_telephony_sensitive_prop:s0
+persist.vendor.radio.ss.hashed_last_iccid1 u:object_r:vendor_mtk_telephony_sensitive_prop:s0
+persist.vendor.radio.ss.hashed_last_iccid2 u:object_r:vendor_mtk_telephony_sensitive_prop:s0
+persist.vendor.radio.ss.hashed_last_iccid3 u:object_r:vendor_mtk_telephony_sensitive_prop:s0
+persist.vendor.radio.ss.hashed_last_iccid4 u:object_r:vendor_mtk_telephony_sensitive_prop:s0
+
+# change thermal config
+vendor.thermal.manager.data u:object_r:vendor_mtk_thermal_config_prop:s0
+
+vendor.debug.sf.hwc_pid u:object_r:vendor_mtk_graphics_hwc_pid_prop:s0
+vendor.debug.sf.hdr_enable u:object_r:vendor_mtk_graphics_hwc_hdr_prop:s0
+vendor.debug.sf.validate_separate u:object_r:vendor_mtk_graphics_hwc_validate_separate_prop:s0
+
+# sf vendor cpupolicy config
+vendor.debug.sf.cpupolicy u:object_r:vendor_mtk_debug_sf_cpupolicy_prop:s0
+vendor.debug.sf.cpupolicy. u:object_r:vendor_mtk_debug_sf_cpupolicy_prop:s0
+
+# atm modem mode property(ATM)
+persist.vendor.atm.mdmode u:object_r:vendor_mtk_atm_mdmode_prop:s0
+
+# atm ip address property(ATM)
+persist.vendor.atm.ipaddress u:object_r:vendor_mtk_atm_ipaddr_prop:s0
+
+# atm boot property(ATM)
+ro.boot.atm u:object_r:vendor_mtk_default_prop:s0
+
+# telephony property
+vendor.ril. u:object_r:vendor_mtk_radio_prop:s0
+ro.vendor.ril. u:object_r:vendor_mtk_radio_prop:s0
+vendor.gsm. u:object_r:vendor_mtk_radio_prop:s0
+persist.vendor.radio. u:object_r:vendor_mtk_radio_prop:s0
+
+persist.vendor.mtk_ct_volte_support u:object_r:vendor_mtk_ct_volte_prop:s0
+
+ro.vendor.mtk_ril_mode u:object_r:vendor_mtk_ril_mode_prop:s0
+
+# GPS support properties
+ro.vendor.mtk_gps_support u:object_r:vendor_mtk_gps_support_prop:s0
+ro.vendor.mtk_agps_app u:object_r:vendor_mtk_gps_support_prop:s0
+ro.vendor.mtk_log_hide_gps u:object_r:vendor_mtk_gps_support_prop:s0
+ro.vendor.mtk_hidl_consolidation u:object_r:vendor_mtk_gps_support_prop:s0
+
+# MTK GMS
+ro.vendor.soc u:object_r:vendor_mtk_soc_prop:s0
+
+# rat config
+ro.vendor.mtk_protocol1_rat_config u:object_r:vendor_mtk_rat_config_prop:s0
+
+# mtk aal
+ro.vendor.mtk_aal_support u:object_r:vendor_mtk_aal_ro_prop:s0
+ro.vendor.mtk_ultra_dimming_support u:object_r:vendor_mtk_aal_ro_prop:s0
+ro.vendor.mtk_dre30_support u:object_r:vendor_mtk_aal_ro_prop:s0
+
+# mtk pq
+persist.vendor.sys.pq. u:object_r:vendor_mtk_pq_prop:s0
+vendor.debug.pq. u:object_r:vendor_mtk_pq_prop:s0
+persist.vendor.sys.isp. u:object_r:vendor_mtk_pq_prop:s0
+persist.vendor.sys.mtkaal. u:object_r:vendor_mtk_pq_prop:s0
+ro.vendor.mtk_pq_color_mode u:object_r:vendor_mtk_pq_ro_prop:s0
+ro.vendor.mtk_blulight_def_support u:object_r:vendor_mtk_pq_ro_prop:s0
+ro.vendor.mtk_chameleon_support u:object_r:vendor_mtk_pq_ro_prop:s0
+ro.vendor.mtk_pq_support u:object_r:vendor_mtk_pq_ro_prop:s0
+ro.vendor.mtk_appgamepq_support u:object_r:vendor_mtk_pq_ro_prop:s0
+ro.vendor.mtk_gamehdr_support u:object_r:vendor_mtk_pq_ro_prop:s0
+ro.vendor.pq. u:object_r:vendor_mtk_pq_ro_prop:s0
+
+# mtk display
+ro.vendor.mtk_ovl u:object_r:vendor_mtk_display_ro_prop:s0
+
+# Mtk properties that allow all system/vendor processes to read.
+# Usually they are config properties (but not limited to)
+ro.vendor.mtk_tdd_data_only_support u:object_r:vendor_mtk_default_prop:s0
+ro.vendor.mtk_audio_alac_support u:object_r:vendor_mtk_default_prop:s0
+ro.vendor.mtk_support_mp2_playback u:object_r:vendor_mtk_default_prop:s0
+ro.vendor.mtk_audio_ape_support u:object_r:vendor_mtk_default_prop:s0
+ro.vendor.mtk_flv_playback_support u:object_r:vendor_mtk_default_prop:s0
+ro.vendor.mtk_mtkps_playback_support u:object_r:vendor_mtk_default_prop:s0
+ro.vendor.mtk_wearable_platform u:object_r:vendor_mtk_default_prop:s0
+ro.vendor.mediatek.platform u:object_r:vendor_mtk_default_prop:s0
+ro.vendor.mediatek.version.branch u:object_r:vendor_mtk_default_prop:s0
+ro.vendor.mediatek.version.release u:object_r:vendor_mtk_default_prop:s0
+ro.vendor.mtk_exchange_support u:object_r:vendor_mtk_default_prop:s0
+vendor.met.running u:object_r:vendor_mtk_default_prop:s0
+ro.vendor.mtk_disable_cap_switch u:object_r:vendor_mtk_default_prop:s0
+ro.vendor.mtk_sim_card_onoff u:object_r:vendor_mtk_default_prop:s0
+ro.vendor.mtk_perf_plus u:object_r:vendor_mtk_default_prop:s0
+ro.vendor.pref_scale_enable_cfg u:object_r:vendor_mtk_default_prop:s0
+ro.vendor.mtk_flight_mode_power_off_md u:object_r:vendor_mtk_default_prop:s0
+
+# mtk emmc
+ro.vendor.mtk_emmc_support u:object_r:vendor_mtk_emmc_support_prop:s0
+
+# MTK connsys log feature
+ro.vendor.connsys.dedicated.log u:object_r:vendor_mtk_default_prop:s0
+
+# em usb property
+vendor.usb.port.mode u:object_r:vendor_mtk_em_usb_prop:s0
+vendor.em.usb. u:object_r:vendor_mtk_em_usb_prop:s0
+
+persist.vendor.usb.otg.switch u:object_r:vendor_mtk_usb_otg_switch_prop:s0
+
+# mtk rsc
+ro.boot.rsc u:object_r:vendor_mtk_default_prop:s0
+
+# mtk anr property
+persist.vendor.dbg.anrflow u:object_r:vendor_mtk_anr_support_prop:s0
+persist.vendor.anr. u:object_r:vendor_mtk_anr_support_prop:s0
+vendor.anr.autotest u:object_r:vendor_mtk_anr_support_prop:s0
+
+# mtk app resolution tuner
+ro.vendor.app_resolution_tuner u:object_r:vendor_mtk_appresolutiontuner_prop:s0
+persist.vendor.dbg.disable.art u:object_r:vendor_mtk_appresolutiontuner_prop:s0
+
+# mtk fullscreen switch
+ro.vendor.fullscreen_switch u:object_r:vendor_mtk_fullscreenswitch_prop:s0
+
+# ims xcap property
+persist.vendor.ss. u:object_r:vendor_mtk_ss_vendor_prop:s0
+
+# MTK App feature
+ro.vendor.net.upload.mark.default u:object_r:vendor_mtk_app_prop:s0
+
+# malloc debug unwind backtrace switch property
+vendor.debug.malloc.bt.switch u:object_r:vendor_mtk_malloc_debug_backtrace_prop:s0
+
+ro.vendor.gmo.ram_optimize u:object_r:vendor_mtk_default_prop:s0
+ro.vendor.gmo.rom_optimize u:object_r:vendor_mtk_default_prop:s0
+ro.vendor.mtk_config_max_dram_size u:object_r:vendor_mtk_default_prop:s0
+
+# MTK Voice Recognize property
+vendor.voicerecognize.raw u:object_r:vendor_mtk_voicerecgnize_prop:s0
+vendor.voicerecognize_data.raw u:object_r:vendor_mtk_voicerecgnize_prop:s0
+vendor.voicerecognize.noDL u:object_r:vendor_mtk_voicerecgnize_prop:s0
+
+# mtk bt enable SAP profile property
+ro.vendor.mtk.bt_sap_enable u:object_r:vendor_mtk_bt_sap_enable_prop:s0
+
+# powerhal config
+persist.vendor.powerhal. u:object_r:vendor_mtk_powerhal_prop:s0
+vendor.powerhal. u:object_r:vendor_mtk_powerhal_prop:s0
+vendor.powerhal.gpu. u:object_r:vendor_mtk_powerhal_gpu_prop:s0
+
+# MTK Wifi wlan_assistant property
+vendor.mtk.nvram.ready u:object_r:vendor_mtk_nvram_ready_prop:s0
+
+# Wi-Fi Hotspot
+ro.vendor.wifi.sap.interface u:object_r:vendor_mtk_wifi_hotspot_prop:s0
+ro.vendor.wifi.sap.concurrent.iface u:object_r:vendor_mtk_wifi_hotspot_prop:s0
+
+# Wi-Fi HAL
+vendor.wlan.firmware.version u:object_r:vendor_mtk_wifi_hal_prop:s0
+vendor.wlan.driver.version u:object_r:vendor_mtk_wifi_hal_prop:s0
+
+# mtk hdmi
+persist.vendor.sys.hdmi_hidl. u:object_r:vendor_mtk_hdmi_prop:s0
+
+# mtk nn option
+ro.vendor.mtk_nn.option u:object_r:vendor_mtk_nn_option_prop:s0
+
+# mtk gbe
+vendor.performance.gbe u:object_r:vendor_mtk_gbe_prop:s0
+
+# system wfc service property
+persist.vendor.wfc. u:object_r:vendor_mtk_wfc_serv_prop:s0
+
+# config no bt consys chip
+ro.vendor.bluetooth.noconsyschip u:object_r:vendor_mtk_default_prop:s0
+
+# mtk gpu property
+vendor.debug.gpu. u:object_r:vendor_mtk_gpu_prop:s0
+vendor.debug.gpud. u:object_r:vendor_mtk_gpu_prop:s0
+vendor.mali.config u:object_r:vendor_mtk_gpu_prop:s0
+ro.vendor.game_aisr_enable u:object_r:vendor_mtk_gpu_prop:s0
+ro.vendor.mtk.gpu. u:object_r:vendor_mtk_gpu_prop:s0
+
+# mtk aod property
+ro.vendor.mtk_aod_support u:object_r:vendor_mtk_aod_support_prop:s0
+
+# mtk hwc property
+ro.vendor.composer_version u:object_r:vendor_mtk_default_prop:s0
+
+#============= mtk sensor property ==============
+ro.vendor.init.sensor.rc u:object_r:vendor_mtk_sensor_prop:s0
+ro.vendor.mtk.sensor.support u:object_r:vendor_mtk_sensor_prop:s0
+ro.vendor.mag.calibration.in.sensorhub u:object_r:vendor_mtk_sensor_prop:s0
+ro.vendor.fusion.algorithm.in.sensorhub u:object_r:vendor_mtk_sensor_prop:s0
+
+vendor.bluetooth.ldac.abr u:object_r:vendor_mtk_default_prop:s0
+
+# input resample latency property
+ro.vendor.input.resample_latency_ms u:object_r:vendor_mtk_input_resample_latency_prop:s0
+
+# allow input report rate property
+ro.vendor.input.touch_report_rate u:object_r:vendor_mtk_input_report_rate_prop:s0
+
+# video property
+vendor.mtkomx.color.convert u:object_r:vendor_mtk_video_prop:s0
+vendor.mtk.c2.vdec.fmt.disabled.whitelist u:object_r:vendor_mtk_video_prop:s0
+
+# config no bt multidevice performance according to chip
+ro.vendor.bluetooth.bt_multidevice_perform u:object_r:vendor_mtk_default_prop:s0
+
+# factory mode property
+persist.vendor.factory. u:object_r:vendor_mtk_factory_prop:s0
+vendor.mtk.factory.start u:object_r:vendor_mtk_factory_start_prop:s0
+
+#=============mtk loading module property====================
+vendor.all.modules.ready u:object_r:vendor_mtk_device_prop:s0
+
+#=============mtk wifi driver log property====================
+ro.vendor.wlan.standalone.log u:object_r:vendor_mtk_default_prop:s0
+
+#=============mtk eara==============
+vendor.performance.frs u:object_r:vendor_mtk_frs_prop:s0
+
+# mtkperf powerhal memory property
+vendor.sys.vm. u:object_r:vendor_mtk_vm_prop:s0
+
+# mediaserver support 64-bit
+ro.vendor.mtk_prefer_64bit_proc u:object_r:vendor_mtk_prefer64_prop:s0
+
+#=============mtk bt property====================
+ro.vendor.bluetooth.a2dp_aac_vbr.is_disabled u:object_r:vendor_mtk_bt_aac_vbr_prop:s0
+persist.vendor.bluetooth.leaudio_mode u:object_r:vendor_mtk_default_prop:s0
+persist.vendor.bluetooth.a2dp_src_sink_both_enable u:object_r:vendor_mtk_default_prop:s0
+persist.vendor.bluetooth.blemesh_enable u:object_r:vendor_mtk_default_prop:s0
+persist.vendor.bluetooth.mtk_bt_consumer_feature u:object_r:vendor_mtk_default_prop:s0
+persist.vendor.bluetooth.fw_log_switch u:object_r:vendor_mtk_default_prop:s0
+
+vendor.bluetooth.performance. u:object_r:vendor_mtk_bt_perf_prop:s0
+
+# display debug log property
+persist.vendor.debug.hwc.log u:object_r:vendor_mtk_hwc_debug_log_prop:s0
+vendor.debug.hwc. u:object_r:vendor_mtk_hwc_debug_log_prop:s0
+vendor.dp.log.enable u:object_r:vendor_mtk_mdp_debug_log_prop:s0
+vendor.dp.frameChange.disable u:object_r:vendor_mtk_mdp_debug_log_prop:s0
+vendor.debug.logger. u:object_r:vendor_debug_logger_prop:s0
+
+# neuropilot flag
+ro.vendor.neuropilot.flag u:object_r:vendor_mtk_neuropilot_flag_prop:s0
+
+#=============mtk eara_io property====================
+persist.vendor.eara_io. u:object_r:vendor_mtk_eara_io_prop:s0
+
+# xfrm and mdrsra property for non 5G GKI platform
+persist.vendor.mdrsra_v2_support u:object_r:vendor_mtk_mdrsra_v2_support_prop:s0
+persist.vendor.xfrm_support u:object_r:vendor_mtk_xfrm_support_prop:s0
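Review bot: The sensitive-property entries from `vendor.ril.iccid.sim` down to `persist.vendor.radio.ss.hashed_last_iccid4` end up as `vendor_mtk_telephony_sensitive_prop` only because they are longer matches than the catch-all `vendor.ril.` and `persist.vendor.radio.` entries in the `# telephony property` section; none of them carries the `exact` keyword, so (if I read the legacy property_contexts format correctly) they still prefix-match any sibling name, and any new ICCID/IMSI-bearing property that is not listed here silently falls into the broad `vendor_mtk_radio_prop` bucket. I would mark the entries that are single properties as exact, e.g. `vendor.ril.iccid.sim u:object_r:vendor_mtk_telephony_sensitive_prop:s0 exact string`, and put a comment above `vendor.ril. u:object_r:vendor_mtk_radio_prop:s0` stating that it is the default for anything not enumerated in the sensitive block. The same applies to `vendor.mtk.md` and `vendor.mtk.c2`, which are written without a trailing dot but are presumably still prefix entries.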
diff --git a/basic/non_plat/radio.te b/basic/non_plat/radio.te
new file mode 100644
index 0000000..255d63e
--- /dev/null
+++ b/basic/non_plat/radio.te
@@ -0,0 +1,55 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Purpose : allow to access kpd driver file
+allow radio sysfs_keypad_file:dir r_dir_perms;
+allow radio sysfs_keypad_file:file w_file_perms;
+
+# Date : 2014/12/13
+# Operation : IT
+# Purpose : for bluetooth relayer mode
+allow radio block_device:dir search;
+allow radio ttyGS_device:chr_file rw_file_perms;
+
+# Date : 2016/07/05
+# Purpose :
+# Write IMEI - presanity item write imei should read the file on storage
+# Swift APK integration - access TTL scripts and logs on external storage
+# eng mode camera - save iamges files and log files on external storage
+# eng mode ygps - save location information on external storage
+allow radio media_rw_data_file:dir create_dir_perms;
+allow radio media_rw_data_file:file create_file_perms;
+
+# Date : 2016/08/02
+# Purpose :
+# Swift APK integration - access ccci dir/file
+allow radio ccci_mdinit:dir r_dir_perms;
+
+# Date : WK17.03
+# Operation : O Migration
+# Purpose : HIDL for rilproxy
+binder_call(radio, hal_telephony)
+
+#Dat: 2017/02/14
+#Purpose: allow get telephony Sensitive property
+get_prop(radio, vendor_mtk_telephony_sensitive_prop)
+
+# Date : WK17.26
+# Operation : O Migration
+# Purpose : HIDL for imsa
+binder_call(radio, mtk_hal_imsa)
+
+# Date : WK1727 2017/07/04
+# Operation : IT
+# Purpose : Allow to use HAL imsa
+hal_client_domain(radio, hal_mtk_imsa)
+
+#Dat: 2017/06/29
+#Purpose: For audio parameter tuning
+binder_call(radio, mtk_hal_audio)
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow radio to get vendor_mtk_tel_switch_prop
+get_prop(radio, vendor_mtk_tel_switch_prop)
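Review bot: The grants `allow radio ttyGS_device:chr_file rw_file_perms;`, `allow radio sysfs_keypad_file:file w_file_perms;` and the two `media_rw_data_file` create rules are justified in their own comments by engineering-mode, presanity and "Swift APK" test flows, yet they live in `basic/non_plat`, which ships on user builds, rather than in the `debug/` tree this patch gates behind HAVE_MTK_DEBUG_SEPOLICY. `radio` is the platform telephony-app domain, so on a production device it would get raw access to the USB gadget serial port and unmediated writes to external storage. I would wrap those rules in `userdebug_or_eng(`...')` or move them to `basic/debug/non_plat/radio.te`, leaving only the HAL `binder_call`/`hal_client_domain` lines and the two `get_prop` rules unconditional.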
diff --git a/basic/non_plat/rcs_volte_stack.te b/basic/non_plat/rcs_volte_stack.te
new file mode 100644
index 0000000..b670a7f
--- /dev/null
+++ b/basic/non_plat/rcs_volte_stack.te
@@ -0,0 +1 @@
+type rcs_volte_stack, domain, mtkimsapdomain;
diff --git a/basic/non_plat/recovery.te b/basic/non_plat/recovery.te
new file mode 100644
index 0000000..aad62a6
--- /dev/null
+++ b/basic/non_plat/recovery.te
@@ -0,0 +1,54 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+# recovery console (used in recovery init.rc for /sbin/recovery)
+
+# Date : WK18.16
+# Operation : UT
+# Purpose : Refine policy
+allow recovery misc_sd_device:chr_file rw_file_perms;
+allow recovery vfat:dir r_dir_perms;
+allow recovery vfat:file r_file_perms;
+allow recovery sysfs_devices_block:dir r_dir_perms;
+allow recovery sysfs_devices_block:file rw_file_perms;
+allow recovery sysfs_devices_block:lnk_file r_file_perms;
+
+# Date : WK18.25
+# Operation : UT
+# Purpose : Add policy for therm, gpu, battery, and boot_type
+allow recovery sysfs:dir r_dir_perms;
+allow recovery sysfs_batteryinfo:dir r_dir_perms;
+allow recovery sysfs_boot_type:file r_file_perms;
+allow recovery sysfs_therm:dir r_dir_perms;
+allow recovery sysfs_therm:file r_file_perms;
+allow recovery gpu_device:dir r_dir_perms;
+allow recovery dri_device:chr_file rw_file_perms;
+
+# Date : WK18.09
+# Operation : UT
+# Purpose : Allow recovery can update boot partition
+allow recovery tmpfs:lnk_file r_file_perms;
+
+# Date : WK19.03
+# Operation : UT
+# Purpose : Android Migration
+allow recovery bootdevice_block_device:blk_file rw_file_perms;
+allowxperm recovery bootdevice_block_device:blk_file ioctl {
+ MMC_IOCTLCMD
+ UFS_IOCTLCMD
+};
+
+allow recovery sysfs_dm:dir search;
+allow recovery sysfs_dm:file r_file_perms;
+allowxperm recovery tmpfs:file ioctl FS_IOC_FIEMAP;
+allowxperm recovery cache_block_device:blk_file ioctl BLKPBSZGET;
+allowxperm recovery nvdata_device:blk_file ioctl BLKPBSZGET;
+allow recovery proc_filesystems:file r_file_perms;
+
+# Seen during 'Wipe data/factory reset'
+allow recovery devpts:chr_file rw_file_perms;
+
+# Date : WK36.02
+# Operation : OTA-SIU
+# Purpose : Android Migration for Google issue
+allow recovery sysfs_block:dir search;
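Review bot: `allowxperm recovery bootdevice_block_device:blk_file ioctl { MMC_IOCTLCMD UFS_IOCTLCMD }` together with `rw_file_perms` on the same device gives recovery raw MMC/UFS command passthrough to the whole boot storage device, and the only justification is the generic "Android Migration" comment. That ioctl class passes arbitrary device commands through (for eMMC this presumably includes write-protect and partition-config commands), which is far broader than the boot-partition update the WK18.09 comment describes. I would state which recovery component issues them and why plain `blk_file rw` is insufficient, e.g. `# MMC/UFS command passthrough needed by <tool> for <purpose>; no narrower ioctl available`, and if only a query is needed, prefer a read-only grant or a narrower ioctl list.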
diff --git a/basic/non_plat/remosaic_daemon.te b/basic/non_plat/remosaic_daemon.te
new file mode 100644
index 0000000..3371424
--- /dev/null
+++ b/basic/non_plat/remosaic_daemon.te
@@ -0,0 +1 @@
+type remosaic_daemon, domain;
diff --git a/basic/non_plat/rild.te b/basic/non_plat/rild.te
new file mode 100644
index 0000000..069d5ec
--- /dev/null
+++ b/basic/non_plat/rild.te
@@ -0,0 +1,185 @@
+# ==============================================
+# Policy File of /vendor/bin/rild Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+# Access to wake locks
+wakelock_use(rild)
+
+#Date : W17.21
+#Purpose: Grant permission to access binder dev node
+vndbinder_use(rild)
+
+# Trigger module auto-load.
+allow rild kernel:system module_request;
+
+# Capabilities assigned for rild
+allow rild self:capability { setuid net_admin net_raw };
+
+# Control cgroups
+allow rild cgroup:dir create_dir_perms;
+
+# Property service
+# allow set RIL related properties (radio./net./system./etc)
+set_prop(rild, vendor_mtk_ril_active_md_prop)
+
+# allow set muxreport control properties
+set_prop(rild, vendor_mtk_ril_cdma_report_prop)
+set_prop(rild, vendor_mtk_ril_mux_report_case_prop)
+set_prop(rild, vendor_mtk_ctl_muxreport-daemon_prop)
+
+# Allow access permission to efs files
+allow rild efs_file:dir create_dir_perms;
+allow rild efs_file:file create_file_perms;
+allow rild bluetooth_efs_file:file r_file_perms;
+allow rild bluetooth_efs_file:dir r_dir_perms;
+
+# Allow access permission to dir/files
+# (radio data/system data/proc/etc)
+allow rild sdcardfs:dir r_dir_perms;
+allow rild proc_net:file w_file_perms;
+
+# Allow rild to create and use netlink sockets.
+# Set and get routes directly via netlink.
+allow rild self:netlink_route_socket nlmsg_write;
+
+# Allow read/write to devices/files
+allow rild mtk_radio_device:dir search;
+allow rild radio_device:chr_file rw_file_perms;
+allow rild radio_device:blk_file r_file_perms;
+allow rild mtd_device:dir search;
+
+# Allow read/write to tty devices
+allow rild tty_device:chr_file rw_file_perms;
+allow rild eemcs_device:chr_file rw_file_perms;
+
+allow rild devmap_device:chr_file r_file_perms;
+allow rild devpts:chr_file rw_file_perms;
+allow rild ccci_device:chr_file rw_file_perms;
+allow rild misc_device:chr_file rw_file_perms;
+allow rild proc_lk_env:file rw_file_perms;
+allow rild sysfs_vcorefs_pwrctrl:file w_file_perms;
+allow rild para_block_device:blk_file rw_file_perms;
+
+# Allow dir search, fd uses
+allow rild block_device:dir search;
+allow rild platform_app:fd use;
+allow rild radio:fd use;
+
+# For MAL MFI
+allow rild mal_mfi_socket:sock_file w_file_perms;
+
+# For ccci sysfs node
+allow rild sysfs_ccci:dir search;
+allow rild sysfs_ccci:file r_file_perms;
+
+#Dat: 2017/03/27
+#Purpose: allow set telephony Sensitive property
+set_prop(rild, vendor_mtk_telephony_sensitive_prop)
+
+# For AGPSD
+allow rild mtk_agpsd:unix_stream_socket connectto;
+
+#Date: 2017/12/6
+#Purpose: allow set the RS times for /proc/sys/net/ipv6/conf/ccmniX/router_solicitations
+allow rild vendor_shell_exec:file x_file_perms;
+allow rild vendor_toolbox_exec:file x_file_perms;
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow rild to get vendor_mtk_tel_switch_prop
+get_prop(rild, vendor_mtk_tel_switch_prop)
+
+#Date: W1817
+#Purpose: allow rild access property of vendor_mtk_radio_prop
+set_prop(rild, vendor_mtk_radio_prop)
+
+#Date : W18.21
+#Purpose: allow rild access to vendor.ril.ipo system property
+set_prop(rild, vendor_mtk_ril_ipo_prop)
+
+# Date : WK18.26
+# Operation: P migration
+# Purpose: Allow carrier express HIDL to set vendor property
+set_prop(rild, vendor_mtk_cxp_vendor_prop)
+allow rild mnt_vendor_file:dir search;
+allow rild mnt_vendor_file:file create_file_perms;
+allow rild nvdata_file:dir create_dir_perms;
+allow rild nvdata_file:file create_file_perms;
+
+#Date : W18.29
+#Purpose: allow rild access binder to mtk_hal_secure_element
+allow rild mtk_hal_secure_element:binder call;
+
+# Date : WK18.31
+# Operation: P migration
+# Purpose: Allow supplementary service HIDL to set vendor property
+set_prop(rild, vendor_mtk_ss_vendor_prop)
+
+# Date : 2018/2/27
+# Purpose : for NVRAM recovery mechanism
+set_prop(rild, powerctl_prop)
+
+# Date: 2019/06/14
+# Operation : Migration
+allow rild proc_cmdline:file r_file_perms;
+
+# Date: 2019/07/18
+# Operation: AP wifi path
+# Purpose: Allow packet can be filtered by RILD process
+allow rild self:netlink_netfilter_socket { create_socket_perms_no_ioctl };
+
+# Date : WK19.43
+# Purpose: Allow wfc module from rild read system property from wfc module
+get_prop(rild, vendor_mtk_wfc_serv_prop)
+
+# Date: 2019/11/15
+# Operation: RILD init flow
+# Purpose: To handle illegal rild started
+set_prop(rild, vendor_mtk_gsm0710muxd_prop)
+
+# Date : 2019/10/29
+# Operation: imstestmode
+# Purpose: Allow HIDL to set vendor property
+set_prop(rild, vendor_mtk_imstestmode_prop)
+
+# Date : 2020/06/11
+# Operation: R migration
+# Purpose: Allow rild to get system_boot_reason_prop
+get_prop(rild, system_boot_reason_prop)
+
+# rild Bringup Policy
+allow rild mtkrild:unix_stream_socket connectto;
+set_prop(rild, radio_prop)
+
+# Allow the socket read/write of netd for rild
+allow rild netd_socket:sock_file { write read };
+
+#Date : W17.20
+#Purpose: allow access to audio hal
+binder_call(rild, mtk_hal_audio)
+hal_client_domain(rild, hal_audio)
+
+# Date : W19.16
+# Operation: Q migration
+# Purpose: Allow rild access to send SUPL INIT to mnld
+allow rild mnld:unix_dgram_socket sendto;
+
+# Date : W19.35
+# Operation: Q migration
+# Purpose: Fix rilproxy SeLinux warning of pre-defined socket
+allow rild gsmrild_socket:sock_file w_file_perms;
+
+# Date: 2021/02/03
+# Operation: for Gen98 RILD dev
+# Allow read/write to devices/files
+allow rild gsm0710muxd_device:chr_file rw_file_perms;
+
+# Date : 2021/08/27
+# Purpose: Allow rild to access ccci wifi proxy
+allow rild ccci_wifi_proxy_device:chr_file rw_file_perms;
+
+# Date: 2021/09/26
+# Purpose: Add permission for vilte
+allow rild ccci_vts_device:chr_file rw_file_perms_no_map;
\ No newline at end of file
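Review bot: `allow rild vendor_shell_exec:file x_file_perms;` and `allow rild vendor_toolbox_exec:file x_file_perms;` let the modem-facing RIL daemon spawn a shell just to write `/proc/sys/net/ipv6/conf/ccmniX/router_solicitations`, although `allow rild proc_net:file w_file_perms;` earlier in the hunk already permits writing that path directly. Building a shell command line containing an interface name is a needless injection surface; write the sysctl with open/write from rild and drop the two exec rules. The same hunk also gives rild `para_block_device:blk_file rw_file_perms`, `proc_lk_env:file rw_file_perms` and `set_prop(rild, powerctl_prop)`, which by their names amount to rewriting bootloader parameters/LK environment and forcing a reboot or shutdown; those deserve a comment naming the NVRAM-recovery component that needs them and ideally a move into a dedicated helper domain. The file also lacks a trailing newline.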
diff --git a/basic/non_plat/sensorhub_app.te b/basic/non_plat/sensorhub_app.te
new file mode 100644
index 0000000..819edb1
--- /dev/null
+++ b/basic/non_plat/sensorhub_app.te
@@ -0,0 +1 @@
+type sensorhub_app, domain;
diff --git a/basic/non_plat/servicemanager.te b/basic/non_plat/servicemanager.te
new file mode 100644
index 0000000..72ed18c
--- /dev/null
+++ b/basic/non_plat/servicemanager.te
@@ -0,0 +1,11 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# rild Bringup Policy
+allow servicemanager rild:dir search;
+allow servicemanager rild:file r_file_perms;
+allow servicemanager rild:process getattr;
+binder_call(servicemanager, mtk_hal_light)
+binder_call(servicemanager, hal_vibrator_default)
+
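Review bot: The `binder_call(servicemanager, mtk_hal_light)` and `binder_call(servicemanager, hal_vibrator_default)` lines sit under a `# rild Bringup Policy` header that does not describe them, and the three `rild` rules above look like the per-domain dir search / file read / process getattr that the platform servicemanager policy already grants to every domain, so all five may be redundant bring-up leftovers. I would drop whichever rules produce no denials once removed, and give each surviving rule its own purpose comment, e.g. `# servicemanager reads /proc/<pid> of rild during AIDL service registration`.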
diff --git a/basic/non_plat/shell.te b/basic/non_plat/shell.te
new file mode 100644
index 0000000..e69dadd
--- /dev/null
+++ b/basic/non_plat/shell.te
@@ -0,0 +1,17 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK17.35
+# Purpose : allow shell to dump the debugging information of camera hal.
+binder_call(shell, mtk_hal_camera)
+
+# Date : WK17.36
+# Purpose : allow shell to dump the debugging information of power hal.
+hal_client_domain(shell, hal_power)
+
+# Data: 2021/12/07
+# Purpose: adjust the cpu policy config
+userdebug_or_eng(`
+ get_prop(shell, vendor_mtk_debug_sf_cpupolicy_prop);
+')
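Review bot: `binder_call(shell, mtk_hal_camera)` and `hal_client_domain(shell, hal_power)` are unconditional even though both comments describe debugging dumps, while the cpupolicy rule in the same file is correctly wrapped in `userdebug_or_eng`. On a user build `shell` is reachable over adb, so this makes a low-trust shell a full power HAL client on production devices. Wrap both in the same macro, `userdebug_or_eng(`binder_call(shell, mtk_hal_camera)')` and `userdebug_or_eng(`hal_client_domain(shell, hal_power)')`, and fix `# Data: 2021/12/07` to `# Date:`.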
diff --git a/basic/non_plat/slpd.te b/basic/non_plat/slpd.te
new file mode 100644
index 0000000..661ccc8
--- /dev/null
+++ b/basic/non_plat/slpd.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Policy File of /vendor/bin/slpd Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type slpd_exec, exec_type, file_type, vendor_file_type;
+type slpd, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(slpd)
+
+net_domain(slpd)
+
+# mtk_agpsd will send the current SUPL profile to SLPD
+allow slpd mtk_agpsd:unix_dgram_socket sendto;
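Review bot: The comment `# mtk_agpsd will send the current SUPL profile to SLPD` describes traffic from mtk_agpsd to slpd, but the rule beneath it, `allow slpd mtk_agpsd:unix_dgram_socket sendto;`, permits the opposite direction: slpd sending to a datagram socket owned by mtk_agpsd. Either the comment or the rule is wrong; if slpd is replying, say so, e.g. `# slpd replies to mtk_agpsd's datagram socket during the SUPL profile exchange`. If agpsd really is the sender, the sendto rule belongs in mtk_agpsd.te with slpd as the target.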
diff --git a/basic/non_plat/smartcharging.te b/basic/non_plat/smartcharging.te
new file mode 100644
index 0000000..6757604
--- /dev/null
+++ b/basic/non_plat/smartcharging.te
@@ -0,0 +1,40 @@
+# ==============================================
+# Policy File of /vendor/bin/smartcharging Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type smartcharging, domain;
+type smartcharging_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(smartcharging)
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : smartcharging daemon for access driver node
+allow smartcharging input_device:dir r_dir_perms;
+allow smartcharging input_device:file r_file_perms;
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : For smartcharging log can be printed with kernel log
+allow smartcharging kmsg_device:chr_file w_file_perms;
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : For smartcharging daemon can comminucate with kernel
+allow smartcharging self:netlink_socket create_socket_perms_no_ioctl;
+allow smartcharging self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+
+# Data : WK16.39
+allow smartcharging self:capability { fsetid };
+
+# Date: W18.17
+# Operation : add label for /sys/devices/platform/battery(/.*)
+# Purpose : add smartcharging could access
+r_dir_file(smartcharging, sysfs_batteryinfo)
+
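Review bot: `allow smartcharging self:capability { fsetid };` carries only a week stamp and no purpose, unlike every other rule in this file. CAP_FSETID only matters when a process writes files that carry set-uid/set-gid bits, and nothing else in the domain shows a file-write path (it reads input and battery sysfs and writes kmsg), so this looks like an audit2allow artefact rather than a requirement. Add the justification or remove it, e.g. `# NOTE(review): which file write needs fsetid? drop if it was only a logged denial`. The `# Data :` headers throughout should read `# Date :`.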
diff --git a/basic/non_plat/spm_loader.te b/basic/non_plat/spm_loader.te
new file mode 100644
index 0000000..6524181
--- /dev/null
+++ b/basic/non_plat/spm_loader.te
@@ -0,0 +1,19 @@
+# ==============================================
+# Policy File of /vendor/bin/spm_loader Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type spm_loader_exec, exec_type, file_type, vendor_file_type;
+type spm_loader, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# date: 2015/6/18 wk1525
+# purpose: load spm firmware
+init_daemon_domain(spm_loader)
+
+# Read to /dev/spm
+allow spm_loader spm_device:chr_file r_file_perms;
diff --git a/basic/non_plat/st54spi_hal_secure_element.te b/basic/non_plat/st54spi_hal_secure_element.te
new file mode 100644
index 0000000..9003c0a
--- /dev/null
+++ b/basic/non_plat/st54spi_hal_secure_element.te
@@ -0,0 +1,10 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type st54spi_hal_secure_element, domain;
+type st54spi_hal_secure_element_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(st54spi_hal_secure_element)
+
+hal_server_domain(st54spi_hal_secure_element, hal_secure_element)
+allow st54spi_hal_secure_element st54spi_device:chr_file rw_file_perms;
diff --git a/basic/non_plat/statusd.te b/basic/non_plat/statusd.te
new file mode 100644
index 0000000..589e2d5
--- /dev/null
+++ b/basic/non_plat/statusd.te
@@ -0,0 +1 @@
+type statusd, domain;
diff --git a/basic/non_plat/stflashtool.te b/basic/non_plat/stflashtool.te
new file mode 100644
index 0000000..291b189
--- /dev/null
+++ b/basic/non_plat/stflashtool.te
@@ -0,0 +1 @@
+type stflashtool, domain;
diff --git a/basic/non_plat/stp_dump3.te b/basic/non_plat/stp_dump3.te
new file mode 100644
index 0000000..64341a0
--- /dev/null
+++ b/basic/non_plat/stp_dump3.te
@@ -0,0 +1,31 @@
+# ==============================================
+# Policy File of /vendor/bin/stp_dump3 Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type stp_dump3_exec, vendor_file_type, exec_type, file_type;
+type stp_dump3, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(stp_dump3)
+allow stp_dump3 self:capability { net_admin fowner chown fsetid };
+allow stp_dump3 self:netlink_socket create_socket_perms_no_ioctl;
+allow stp_dump3 self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow stp_dump3 wmtdetect_device:chr_file rw_file_perms;
+allow stp_dump3 stpwmt_device:chr_file rw_file_perms;
+allow stp_dump3 tmpfs:lnk_file r_file_perms;
+allow stp_dump3 mnt_user_file:dir search;
+allow stp_dump3 mnt_user_file:lnk_file r_file_perms;
+allow stp_dump3 storage_file:lnk_file r_file_perms;
+allow stp_dump3 storage_file:dir search;
+allow stp_dump3 sdcard_type:dir create_dir_perms;
+allow stp_dump3 sdcard_type:file create_file_perms;
+allow stp_dump3 stp_dump_data_file:dir create_dir_perms;
+allow stp_dump3 stp_dump_data_file:file create_file_perms;
+allow stp_dump3 stp_dump_data_file:sock_file create_file_perms;
+allow stp_dump3 connsyslog_data_vendor_file:dir create_dir_perms;
+allow stp_dump3 connsyslog_data_vendor_file:file create_file_perms;
+get_prop(stp_dump3, vendor_mtk_coredump_prop)
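Review bot: None of the rules in this hunk carries the `# Date / Operation / Purpose` header the neighbouring files use, and the set granted is wide: `net_admin chown fowner fsetid` on self plus `create_dir_perms`/`create_file_perms` on `sdcard_type`, i.e. user-visible shared storage. A dump daemon that already owns `stp_dump_data_file` and `connsyslog_data_vendor_file` should not need full create/unlink rights on `sdcard_type`; if the sdcard path is a legacy fallback, document that and consider confining it to a dedicated label. At minimum add a purpose line per capability, e.g. `# Purpose : net_admin required for <netlink operation>`, so a later reviewer can tell which rules are still needed.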
diff --git a/basic/non_plat/surfaceflinger.te b/basic/non_plat/surfaceflinger.te
new file mode 100644
index 0000000..5abd9c1
--- /dev/null
+++ b/basic/non_plat/surfaceflinger.te
@@ -0,0 +1,100 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Data : WK14.42
+# Operation : Migration
+# Purpose : Video playback
+allow surfaceflinger sw_sync_device:chr_file rw_file_perms;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow surfaceflinger proc_ged:file rw_file_perms;
+allowxperm surfaceflinger proc_ged:file ioctl { proc_ged_ioctls };
+
+# Date : W16.42
+# Operation : Integration
+# Purpose : DRM / DRI GPU driver required
+allow surfaceflinger gpu_device:dir search;
+
+# Date : WK17.12
+# Purpose: Fix bootup fail
+allow surfaceflinger proc_bootprof:file r_file_perms;
+
+allow surfaceflinger debugfs_ion:dir search;
+allow surfaceflinger kernel:dir search;
+
+# Date : WK17.30
+# Operation : O Migration
+# Purpose: Allow to access cmdq driver
+allow surfaceflinger mtk_cmdq_device:chr_file r_file_perms;
+allow surfaceflinger mtk_mdp_device:chr_file r_file_perms;
+allow surfaceflinger mtk_mdp_sync_device:chr_file r_file_perms;
+allow surfaceflinger sysfs_boot_mode:file r_file_perms;
+
+# Date : W17.39
+# Perform Binder IPC.
+binder_use(surfaceflinger)
+binder_call(surfaceflinger, binderservicedomain)
+binder_call(surfaceflinger, appdomain)
+binder_call(surfaceflinger, mtkbootanimation)
+
+binder_call(surfaceflinger, mtk_hal_camera)
+
+binder_service(surfaceflinger)
+
+allow surfaceflinger mtkbootanimation:dir search;
+allow surfaceflinger mtkbootanimation:file r_file_perms;
+
+# Date : W17.43
+# Operation : Migration
+# Purpose: Allow to access perfmgr
+allow surfaceflinger proc_perfmgr:dir r_dir_perms;
+allowxperm surfaceflinger proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_QUEUE
+ PERFMGR_FPSGO_DEQUEUE
+ PERFMGR_FPSGO_QUEUE_CONNECT
+ PERFMGR_FPSGO_BQID
+ PERFMGR_FPSGO_VSYNC
+ PERFMGR_XGFFRAME_START
+ PERFMGR_XGFFRAME_END
+};
+
+# Date : WK17.43
+# Operation : Debug
+# Purpose: Allow to dump HWC backtrace
+get_prop(surfaceflinger, vendor_mtk_graphics_hwc_pid_prop)
+get_prop(surfaceflinger, vendor_mtk_graphics_hwc_validate_separate_prop)
+allow surfaceflinger hal_graphics_composer_default:dir search;
+allow surfaceflinger hal_graphics_composer_default:lnk_file r_file_perms;
+dontaudit surfaceflinger hal_graphics_composer_default:file r_file_perms;
+
+# Date : WK19.4
+# Operation : P Migration
+# Purpose: Allow to access /dev/mdp_device driver
+allow surfaceflinger mdp_device:chr_file rw_file_perms;
+
+# Date : WK18.43
+# Operation : HDR
+# Purpose: Allow to skip aosp hdr solution
+get_prop(surfaceflinger, vendor_mtk_graphics_hwc_hdr_prop)
+
+# Date: WK21.14
+# Purpose: allow to check AppGamePQ is supported or not
+get_prop(surfaceflinger, vendor_mtk_pq_ro_prop);
+
+# Date: WK21.33
+# Purpose: allow surfaceflinger to use PowerHAL API
+allow surfaceflinger proc_perfmgr:file rw_file_perms;
+
+# Data: 2021/09/18
+# Purpose: adjust the uclamp for HWComposer
+allow surfaceflinger hal_graphics_composer_default:process { getsched setsched };
+
+# Data: 2021/10/12
+# Purpose: adjust the cpu policy for HWComposer
+allow surfaceflinger hal_graphics_composer_default:file w_file_perms;
+
+# Data: 2021/12/07
+# Purpose: adjust the cpu policy config
+get_prop(surfaceflinger, vendor_mtk_debug_sf_cpupolicy_prop)
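Review bot: `get_prop(surfaceflinger, vendor_mtk_pq_ro_prop);` in the WK21.14 block has a trailing `;` after the m4 macro, unlike every other `get_prop` call in this hunk; the macro already expands to terminated `allow` statements, so the extra `;` is at best a stray empty statement and may be rejected by the policy compiler depending on the toolchain — write `get_prop(surfaceflinger, vendor_mtk_pq_ro_prop)`. Separately, the WK17.43 block has `dontaudit surfaceflinger hal_graphics_composer_default:file r_file_perms;` while the 2021/10/12 block later adds `allow surfaceflinger hal_graphics_composer_default:file w_file_perms;`, so reads of the composer's (presumably /proc/<pid>) files are silently denied but writes are allowed, which looks unintended. Pick one and state which composer file surfaceflinger must write to for the cpu policy change.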
diff --git a/basic/non_plat/system_app.te b/basic/non_plat/system_app.te
new file mode 100644
index 0000000..e135679
--- /dev/null
+++ b/basic/non_plat/system_app.te
@@ -0,0 +1,44 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute system_app mlstrustedsubject;
+
+# Date : 2017/07/21
+# Purpose :[CdsInfo] read/ write WI-FI MAC address by NVRAM API
+# Package Name: com.mediatek.connectivity
+hal_client_domain(system_app, hal_mtk_nvramagent)
+
+hal_client_domain(system_app, hal_mtk_lbs)
+
+# Dat: 2017/02/14
+# Purpose: allow set telephony Sensitive property
+get_prop(system_app, vendor_mtk_telephony_sensitive_prop)
+
+# Date : WK17.12
+# Operation : MT6799 SQC
+# Purpose : Change thermal config
+get_prop(system_app, vendor_mtk_thermal_config_prop)
+
+# Date: 2019/07/16
+# Operation : Migration
+# Purpose : system_app need use hdmi service and create socktet
+hal_client_domain(system_app, hal_mtk_hdmi)
+allow system_app self:netlink_kobject_uevent_socket { read bind create setopt };
+
+# system_app need to read from sysfs /sys/class/switch/hdmi/state
+r_dir_file(system_app, sysfs_switch)
+
+# Date: 2020/06/08
+# Purpose: Allow system app to access mtk jpeg
+allow system_app proc_mtk_jpeg:file rw_file_perms;
+allowxperm system_app proc_mtk_jpeg:file ioctl {
+ JPG_BRIDGE_DEC_IO_LOCK
+ JPG_BRIDGE_DEC_IO_WAIT
+ JPG_BRIDGE_DEC_IO_UNLOCK
+};
+
+# Date: 2020/06/29
+# Purpose: Allow system app to access mtk fpsgo
+allow system_app sysfs_fpsgo:dir search;
+allow system_app sysfs_fpsgo:file r_file_perms;
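Review bot: The `proc_mtk_jpeg` allow/allowxperm block in the 2020/06/08 section is copied verbatim into system_server.te and untrusted_app_all.te in this same commit; three hand-maintained copies of an ioctl whitelist will drift when a command is added or removed. Consider a shared macro or attribute for it, e.g. `mtk_jpeg_client(system_app)` defined once next to the ioctl definitions, so the allowed command set lives in one place. Minor: the `# Dat: 2017/02/14` header (also present in system_server.te) should read `# Date: 2017/02/14`.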
diff --git a/basic/non_plat/system_server.te b/basic/non_plat/system_server.te
new file mode 100644
index 0000000..f7b527a
--- /dev/null
+++ b/basic/non_plat/system_server.te
@@ -0,0 +1,278 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Access devices.
+allow system_server touch_device:chr_file rw_file_perms;
+allow system_server stpant_device:chr_file rw_file_perms;
+allow system_server devmap_device:chr_file r_file_perms;
+allow system_server irtx_device:chr_file rw_file_perms;
+allow system_server qemu_pipe_device:chr_file rw_file_perms;
+allow system_server wmtWifi_device:chr_file w_file_perms;
+
+# Add for proc_btdbg
+allow system_server proc_btdbg:file rw_file_perms;
+# Add for bootprof
+allow system_server proc_bootprof:file rw_file_perms;
+
+# /data/core access.
+allow system_server aee_core_data_file:dir r_dir_perms;
+
+# Perform Binder IPC.
+allow system_server zygote:binder impersonate;
+
+# For dumpsys.
+allow system_server aee_dumpsys_data_file:file w_file_perms;
+
+# Querying zygote socket.
+allow system_server zygote:unix_stream_socket { getopt getattr };
+
+# Allow system_server to read/write /sys/power/dcm_state
+allow system_server sysfs_dcm:file rw_file_perms;
+
+# Data : WK16.42
+# Operator: Whitney bring up
+# Purpose: call surfaceflinger due to powervr
+allow system_server surfaceflinger:fifo_file rw_file_perms;
+
+# Date : W16.42
+# Operation : Integration
+# Purpose : DRM / DRI GPU driver required
+allow system_server gpu_device:dir search;
+
+# Date : W16.43
+# Operation : Integration
+# Purpose : DRM / DRI GPU driver required
+allow system_server sw_sync_device:chr_file rw_file_perms;
+
+# Date : WK16.44
+# Purpose: Allow to access UART1 ttyMT1
+allow system_server ttyMT_device:chr_file rw_file_perms;
+
+# Date : WK17.52
+# Purpose: Allow to access UART1 ttyS
+allow system_server ttyS_device:chr_file rw_file_perms;
+
+# Date:W16.46
+# Operation : thermal hal Feature developing
+# Purpose : thermal hal interface permission
+allow system_server proc_mtktz:dir search;
+allow system_server proc_mtktz:file r_file_perms;
+
+# Date:W17.02
+# Operation : audio hal developing
+# Purpose : audio hal interface permission
+allow system_server mtk_hal_audio:process { getsched setsched };
+
+# Dat: 2017/02/14
+# Purpose: allow get telephony Sensitive property
+get_prop(system_server, vendor_mtk_telephony_sensitive_prop)
+
+# Date:W17.07
+# Operation : bt hal
+# Purpose : bt hal interface permission
+binder_call(system_server, mtk_hal_bluetooth)
+
+# Date:W17.08
+# Operation : sensors hal developing
+# Purpose : sensors hal interface permission
+binder_call(system_server, mtk_hal_sensors)
+
+# Operation : light hal developing
+# Purpose : light hal interface permission
+binder_call(system_server, mtk_hal_light)
+
+# Date:W17.21
+# Operation : gnss hal
+# Purpose : gnss hal interface permission
+hal_client_domain(system_server, hal_gnss)
+
+# Date:W17.26
+# Operation : imsa hal
+# Purpose : imsa hal interface permission
+binder_call(system_server, mtk_hal_imsa)
+
+# Date:W17.28
+# Operation : camera hal developing
+# Purpose : camera hal binder_call permission
+binder_call(system_server, mtk_hal_camera)
+
+# Date:W17.31
+# Operation : mpe sensor hidl developing
+# Purpose : mpe sensor hidl permission
+binder_call(system_server, mnld)
+
+# Date : WK17.32
+# Operation : Migration
+# Purpose : for network log dumpsys setting/netd information
+# audit(0.0:914): avc: denied { write } for path="pipe:[46088]"
+# dev="pipefs" ino=46088 scontext=u:r:system_server:s0
+# tcontext=u:r:netdiag:s0 tclass=fifo_file permissive=1
+allow system_server netdiag:fifo_file w_file_perms;
+
+# Date : WK17.32
+# Operation : Migration
+# Purpose : for DHCP Client ip recover functionality
+allow system_server dhcp_data_file:dir rw_dir_perms;
+allow system_server dhcp_data_file:file create_file_perms;
+
+# Date:W17.35
+# Operation : lbs hal
+# Purpose : lbs hidl interface permission
+hal_client_domain(system_server, hal_mtk_lbs)
+
+# Date : WK17.12
+# Operation : MT6799 SQC
+# Purpose : Change thermal config
+get_prop(system_server, vendor_mtk_thermal_config_prop)
+
+# Date : WK17.43
+# Operation : Migration
+# Purpose : perfmgr permission
+allow system_server proc_perfmgr:dir r_dir_perms;
+allow system_server proc_perfmgr:file r_file_perms;
+allowxperm system_server proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_QUEUE
+ PERFMGR_FPSGO_DEQUEUE
+ PERFMGR_FPSGO_QUEUE_CONNECT
+ PERFMGR_FPSGO_BQID
+ PERFMGR_FPSGO_SWAP_BUFFER
+};
+
+# Date : W18.22
+# Operation : MTK wifi hal migration
+# Purpose : MTK wifi hal interface permission
+binder_call(system_server, mtk_hal_wifi)
+
+# Date : W19.15
+# Operation : alarm device permission
+# Purpose : support power-off alarm
+allow system_server alarm_device:chr_file rw_file_perms;
+
+# Date : WK19.7
+# Operation: Q migration
+# Purpose : Allow system_server to use ioctl/ioctlcmd
+allow system_server proc_ged:file rw_file_perms;
+allowxperm system_server proc_ged:file ioctl { proc_ged_ioctls };
+
+# Date: 2019/06/14
+# Operation : when WFD turnning on, turn off hdmi
+hal_client_domain(system_server, hal_mtk_hdmi)
+
+# Date:2019/10/09
+# Operation:Q Migration
+allow system_server proc_cmdq_debug:file getattr;
+allow system_server proc_last_kmsg:file r_file_perms;
+allow system_server proc_cm_mgr:dir search;
+allow system_server proc_isp_p2:dir search;
+allow system_server proc_thermal:dir search;
+allow system_server proc_atf_log:dir search;
+allow system_server proc_cpufreq:dir search;
+allow system_server proc_mtkcooler:dir search;
+allow system_server proc_ppm:dir search;
+
+# Date : 2019/10/11
+# Operation : Q Migration
+allow system_server proc_wlan_status:file getattr;
+
+# Date : 2019/10/11
+# Operation : Q Migration
+allow system_server sysfs_pages_shared:file r_file_perms;
+allow system_server sysfs_pages_sharing:file r_file_perms;
+allow system_server sysfs_pages_unshared:file r_file_perms;
+allow system_server sysfs_pages_volatile:file r_file_perms;
+
+# Date:2019/10/14
+# Operation: Q Migration
+# Purpose : power_hal_mgr_service may use libmtkperf_client
+allow system_server sysfs_boot_mode:file r_file_perms;
+
+# Date : 2019/10/22
+# Operation : Q Migration
+allow system_server self:capability sys_module;
+
+# Date : 2019/10/22
+# Operation : Q Migration
+dontaudit system_server sdcardfs:file r_file_perms;
+
+# Date : 2019/10/26
+# Operation : Q Migration
+allow system_server mtk_hal_camera:process sigkill;
+allow system_server kernel:system syslog_read;
+
+# Date : 2019/10/30
+# Operation : Q Migration
+allow system_server proc_chip:dir search;
+allow system_server zygote:process setsched;
+
+# Date : 2019/11/21
+# Operation : Q Migration
+allow system_server sf_rtt_file:dir rmdir;
+
+# Date : 2019/11/29
+# Operation : Q Migration
+allow system_server storage_stub_file:dir getattr;
+
+# Date : 2020/05/12
+# Operation : R Migration
+allow system_server proc_ppm:file r_file_perms;
+
+# Date: 2019/11/12
+# Purpose: Allow system server to access mtk jpeg
+allow system_server proc_mtk_jpeg:file rw_file_perms;
+allowxperm system_server proc_mtk_jpeg:file ioctl {
+ JPG_BRIDGE_DEC_IO_LOCK
+ JPG_BRIDGE_DEC_IO_WAIT
+ JPG_BRIDGE_DEC_IO_UNLOCK
+};
+
+# Date : 2020/06/30
+# Operation : R Migration
+dontaudit system_server kernel:process sigkill;
+
+# Date : 2021/04/24
+# Operation: addwindow
+# Purpose: Get the variable value of touch report rate
+get_prop(system_server, vendor_mtk_input_report_rate_prop)
+
+
+# Date : 2021/07/20
+# Operation : S Migration
+# Purpose : dontaudit system_server is not allowed to getopt 'shell' type of unix_stream_socket
+dontaudit system_server shell:unix_stream_socket getopt;
+
+# Search /proc/cpuidle
+allow system_server proc_cpuidle:dir search;
+
+# Date:2021/08/23
+# Operation:allow CachedAppOptimi to getattr from /proc/mtk_mdp_debug
+allow system_server proc_mtk_mdp_debug:file getattr;
+
+# Search /proc/mtk_mdp_debug
+allow system_server proc_mtk_mdp_debug:dir search;
+
+# For AudioManager/WiredAccessoryManager, for Extcon uevent
+# listeners
+allow system_server sysfs_extcon:file r_file_perms;
+
+# When ams cleans up the process, it should not kill mtk_hal_bluetooth
+dontaudit system_server mtk_hal_bluetooth:process sigkill;
+
+# Write tempfs for CachedAppOptimi
+allow system_server tmpfs:file w_file_perms;
+
+# Write mediaserver_tmpfs for CachedAppOptimi
+allow system_server mediaserver_tmpfs:file w_file_perms;
+# Purpose : dontaudit system_server is not allowed to kill eara_io
+dontaudit system_server hal_wifi_default:process sigkill;
+dontaudit system_server eara_io:process sigkill;
+
+# Purpose : dontaudit system_server is not allowed to kill mtk_hal_audio
+dontaudit system_server mtk_hal_audio:process sigkill;
+dontaudit system_server mtk_hal_c2:process sigkill;
+
+# Search /proc/mgq
+allow system_server proc_mgq:dir search;
+
+# when anr dump process, SystemServer need send sigal
+allow system_server mtk_hal_pq:process signal;
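Review bot: `allow system_server self:capability sys_module;` in the 2019/10/22 Q-migration block hands CAP_SYS_MODULE to the largest system domain with no Purpose line; AOSP core policy restricts kernel-module loading to init-class domains via a neverallow on `sys_module`, so this line is likely to trip the neverallow check or, if the vendor tree overrides it, lets system_server load kernel code. If it was added only to silence a denial from a kernel autoload path, the defensive fix is `dontaudit system_server self:capability sys_module;` plus a comment naming the trigger; if a module really must be loaded on demand, that belongs in an init-owned path, not here. The same block should at least document what needed the capability.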
diff --git a/basic/non_plat/teei_hal_capi.te b/basic/non_plat/teei_hal_capi.te
new file mode 100644
index 0000000..6040fd0
--- /dev/null
+++ b/basic/non_plat/teei_hal_capi.te
@@ -0,0 +1,3 @@
+# TEE SEPolicy Rule
+# Set a new domain
+type teei_hal_capi, domain;
diff --git a/basic/non_plat/teei_hal_ifaa.te b/basic/non_plat/teei_hal_ifaa.te
new file mode 100644
index 0000000..9bb3d30
--- /dev/null
+++ b/basic/non_plat/teei_hal_ifaa.te
@@ -0,0 +1 @@
+type teei_hal_ifaa, domain;
diff --git a/basic/non_plat/teei_hal_thh.te b/basic/non_plat/teei_hal_thh.te
new file mode 100644
index 0000000..5b2fb52
--- /dev/null
+++ b/basic/non_plat/teei_hal_thh.te
@@ -0,0 +1,3 @@
+# Set a new domain
+type teei_hal_thh, domain;
+
diff --git a/basic/non_plat/teei_hal_tui.te b/basic/non_plat/teei_hal_tui.te
new file mode 100644
index 0000000..7fd0fa2
--- /dev/null
+++ b/basic/non_plat/teei_hal_tui.te
@@ -0,0 +1,3 @@
+# Set a new domain
+type teei_hal_tui, domain;
+
diff --git a/basic/non_plat/teei_hal_wechat.te b/basic/non_plat/teei_hal_wechat.te
new file mode 100644
index 0000000..aa47f71
--- /dev/null
+++ b/basic/non_plat/teei_hal_wechat.te
@@ -0,0 +1 @@
+type teei_hal_wechat, domain;
diff --git a/basic/non_plat/tesiai_hal_hdcp.te b/basic/non_plat/tesiai_hal_hdcp.te
new file mode 100644
index 0000000..e522e66
--- /dev/null
+++ b/basic/non_plat/tesiai_hal_hdcp.te
@@ -0,0 +1 @@
+type tesiai_hal_hdcp ,domain;
diff --git a/basic/non_plat/thermal.te b/basic/non_plat/thermal.te
new file mode 100644
index 0000000..a4c8ecf
--- /dev/null
+++ b/basic/non_plat/thermal.te
@@ -0,0 +1 @@
+type thermal, domain;
diff --git a/basic/non_plat/thermal_core.te b/basic/non_plat/thermal_core.te
new file mode 100644
index 0000000..50958d1
--- /dev/null
+++ b/basic/non_plat/thermal_core.te
@@ -0,0 +1,85 @@
+# ==============================================
+# Policy File of /vendor/bin/thermal_core Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type thermal_core_exec , exec_type, file_type, vendor_file_type;
+type thermal_core ,domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(thermal_core)
+
+# call PowerHal
+hal_client_domain(thermal_core, hal_power)
+
+#thermal socket file, policy setting file
+allow thermal_core thermal_core_data_file:file create_file_perms;
+allow thermal_core thermal_core_data_file:dir { rw_dir_perms setattr};
+allow thermal_core thermal_core_data_file:sock_file create;
+allow thermal_core thermal_socket:dir { rw_dir_perms setattr};
+allow thermal_core thermal_socket:sock_file create_file_perms;
+
+#send notification to thermal hal
+allow thermal_core hal_thermal_default:unix_stream_socket connectto;
+allow thermal_core thermal_hal_socket:sock_file write;
+
+
+allow thermal_core mediaserver:fd use;
+allow thermal_core mediaserver:fifo_file { rw_file_perms };
+allow thermal_core mediaserver:tcp_socket { read write };
+
+# Date : WK16.30
+# Operation : Migration
+# Purpose :
+allow thermal_core camera_isp_device:chr_file { rw_file_perms };
+allow thermal_core cameraserver:fd use;
+allow thermal_core kd_camera_hw_device:chr_file { rw_file_perms };
+allow thermal_core MTK_SMI_device:chr_file r_file_perms;
+allow thermal_core surfaceflinger:fd use;
+set_prop(thermal_core, vendor_mtk_thermal_config_prop)
+
+#for thermal sysfs
+allow thermal_core sysfs_therm:file rw_file_perms;
+allow thermal_core sysfs_therm:dir search;
+
+
+#for md_on/md_off control
+allow thermal_core rild:unix_stream_socket connectto;
+allow thermal_core rild_oem_socket:sock_file write;
+
+#for sysfs thermal sram
+allow thermal_core sysfs_thermal_sram:file rw_file_perms;
+allow thermal_core sysfs_thermal_sram:dir search;
+
+#for fps cool interface
+set_prop(thermal_core, vendor_mtk_frs_prop)
+allow thermal_core self:netlink_socket { read write bind create };
+
+
+# To find a service from hwservice_manager
+allow thermal_core fwk_sensor_hwservice:hwservice_manager find;
+allow thermal_core nvram_data_file:lnk_file create_file_perms;
+allow thermal_core nvdata_file:lnk_file create_file_perms;
+hal_client_domain(thermal_core, hal_graphics_allocator)
+
+# To read gpu opp table
+allow thermal_core proc_gpufreqv2:file r_file_perms;
+allow thermal_core proc_gpufreqv2:dir search;
+
+#for sysfs charger cooler
+allow thermal_core sysfs_charger_cooler:file r_file_perms;
+allow thermal_core sysfs_charger_cooler:dir search;
+
+# To read modem boot status
+allow thermal_core sysfs_ccci:dir search;
+allow thermal_core sysfs_ccci:file r_file_perms;
+
+# To init mipc
+allow thermal_core gsm0710muxd_device:chr_file rw_file_perms;
+
+# To read connsys node
+allow thermal_core conn_pwr_device:chr_file rw_file_perms_no_map;
+
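Review bot: The WK16.30 block has an empty `# Purpose :` line yet grants `mediaserver:fd use`, `mediaserver:fifo_file { rw_file_perms }`, `mediaserver:tcp_socket { read write }` and `cameraserver:fd use`/`surfaceflinger:fd use`; a thermal daemon reading and writing mediaserver's TCP sockets is hard to justify and reads like a denial-driven carry-over (thermal_manager.te in this commit has the identical block with the same empty Purpose). Either fill in the purpose or drop the socket/fd rules; if they exist only because descriptors leak across a socket handoff, `dontaudit thermal_core mediaserver:tcp_socket { read write };` is the safer choice. `nvram_data_file:lnk_file create_file_perms` and `nvdata_file:lnk_file create_file_perms` also let thermal_core create and delete symlinks under NV data, which deserves a one-line reason.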
diff --git a/basic/non_plat/thermal_manager.te b/basic/non_plat/thermal_manager.te
new file mode 100644
index 0000000..a4ba20b
--- /dev/null
+++ b/basic/non_plat/thermal_manager.te
@@ -0,0 +1,47 @@
+# ==============================================
+# Policy File of /vendor/bin/thermal_manager Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type thermal_manager_exec, exec_type, file_type, vendor_file_type;
+type thermal_manager, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(thermal_manager)
+
+allow thermal_manager proc_mtkcooler:dir search;
+allow thermal_manager proc_mtktz:dir search;
+allow thermal_manager proc_thermal:dir search;
+allow thermal_manager proc_mtkcooler:file rw_file_perms;
+allow thermal_manager proc_mtktz:file rw_file_perms;
+allow thermal_manager proc_thermal:file rw_file_perms;
+allow thermal_manager thermal_manager_data_file:file create_file_perms;
+allow thermal_manager thermal_manager_data_file:dir { rw_dir_perms setattr };
+allow thermal_manager mediaserver:fd use;
+allow thermal_manager mediaserver:fifo_file rw_file_perms;
+allow thermal_manager mediaserver:tcp_socket { read write };
+
+# Date : WK16.30
+# Operation : Migration
+# Purpose :
+allow thermal_manager camera_isp_device:chr_file rw_file_perms;
+allow thermal_manager cameraserver:fd use;
+allow thermal_manager kd_camera_hw_device:chr_file rw_file_perms;
+allow thermal_manager MTK_SMI_device:chr_file r_file_perms;
+allow thermal_manager surfaceflinger:fd use;
+set_prop(thermal_manager, vendor_mtk_thermal_config_prop)
+
+# Date : 2019/09/12
+# Operation : Migration
+# Purpose : add sysfs permission
+# path = " sys/devices/virtual/thermal/"
+# path = " sys/class/thermal/"
+allow thermal_manager sysfs_therm:file w_file_perms;
+
+# Date : WK18.18
+# Operation : P Migration
+# Purpose : Allow thermal_manager to access vendor data file.
+allow thermal_manager self:capability { fowner chown };
diff --git a/basic/non_plat/thermalloadalgod.te b/basic/non_plat/thermalloadalgod.te
new file mode 100644
index 0000000..23a91f7
--- /dev/null
+++ b/basic/non_plat/thermalloadalgod.te
@@ -0,0 +1,45 @@
+# ==============================================
+# Policy File of /vendor/bin/thermalloadalgod_exec Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type thermalloadalgod ,domain;
+type thermalloadalgod_exec, exec_type, file_type, vendor_file_type;
+typeattribute thermalloadalgod mlstrustedsubject;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(thermalloadalgod)
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : thermal algorithm daemon for access driver node
+allow thermalloadalgod input_device:dir rw_dir_perms;
+allow thermalloadalgod input_device:file r_file_perms;
+
+allow thermalloadalgod thermalloadalgod:netlink_socket create_socket_perms_no_ioctl;
+
+allow thermalloadalgod thermal_manager_data_file:dir create_dir_perms;
+allow thermalloadalgod thermal_manager_data_file:file create_file_perms;
+allow thermalloadalgod kmsg_device:chr_file w_file_perms;
+
+# Data : WK16.49
+# Operation : SPA porting
+# Purpose : thermal algorithm daemon for SPA
+# For /proc/[pid]/cgroup accessing
+allow thermalloadalgod proc:dir { search getattr };
+allow thermalloadalgod shell:dir search;
+allow thermalloadalgod platform_app:dir search;
+allow thermalloadalgod platform_app:file r_file_perms;
+allow thermalloadalgod priv_app:dir search;
+allow thermalloadalgod priv_app:file r_file_perms;
+allow thermalloadalgod system_app:dir search;
+allow thermalloadalgod system_app:file r_file_perms;
+allow thermalloadalgod untrusted_app:dir search;
+allow thermalloadalgod untrusted_app:file r_file_perms;
+allow thermalloadalgod mediaserver:dir search;
+allow thermalloadalgod mediaserver:file r_file_perms;
+allow thermalloadalgod proc_thermal:dir search;
+allow thermalloadalgod proc_thermal:file rw_file_perms;
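Review bot: `allow thermalloadalgod thermalloadalgod:netlink_socket create_socket_perms_no_ioctl;` names the domain explicitly where the rest of the tree writes `self` (smartcharging.te, stp_dump3.te); the effect is the same, but `allow thermalloadalgod self:netlink_socket create_socket_perms_no_ioctl;` is the idiom readers and neverallow checks expect. In the WK14.43 block, `input_device:dir rw_dir_perms` is wider than the parallel smartcharging rule (`r_dir_perms`) for the same stated purpose — unless the daemon creates nodes under the input device directory, `allow thermalloadalgod input_device:dir r_dir_perms;` should do. The `typeattribute thermalloadalgod mlstrustedsubject;` line at the top also lacks a comment saying which MLS-constrained object requires it.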
diff --git a/basic/non_plat/ueventd.te b/basic/non_plat/ueventd.te
new file mode 100644
index 0000000..82162e7
--- /dev/null
+++ b/basic/non_plat/ueventd.te
@@ -0,0 +1,17 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK17.12
+# Purpose: Fix bootup fail
+allow ueventd proc_net:file r_file_perms;
+
+# Date: W17.22
+# Operation : New Feature
+# Purpose : Add for A/B system
+allow ueventd m_acc_misc_device:chr_file { relabelfrom relabelto };
+allow ueventd m_mag_misc_device:chr_file { relabelfrom relabelto };
+
+# Date: 2019/06/14
+# Operation : Migration
+allow ueventd tmpfs:lnk_file r_file_perms;
diff --git a/basic/non_plat/uncrypt.te b/basic/non_plat/uncrypt.te
new file mode 100644
index 0000000..7723531
--- /dev/null
+++ b/basic/non_plat/uncrypt.te
@@ -0,0 +1,17 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# uncrypt for mtd
+allow uncrypt mtd_device:chr_file rw_file_perms;
+allow uncrypt mtd_device:dir search;
+allow uncrypt mtd_device:blk_file rw_file_perms;
+
+allow uncrypt misc_device:chr_file ~rename;
+allow uncrypt userdata_block_device:blk_file w_file_perms;
+allow uncrypt para_block_device:blk_file w_file_perms;
+allow uncrypt system_app_data_file:dir { getattr search };
+allow uncrypt system_app_data_file:file { read getattr };
+allow uncrypt media_rw_data_file:dir { getattr search };
+allow uncrypt media_rw_data_file:file r_file_perms;
+allow uncrypt ota_package_file:file w_file_perms;
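Review bot: `allow uncrypt misc_device:chr_file ~rename;` uses a complement set, which grants every permission in the chr_file class except rename — including `ioctl`, `mounton`, `relabelfrom`/`relabelto`, `execute` and anything added to the class by a future kernel. Replace it with the explicit set uncrypt uses on the misc node, which from the neighbouring rules looks like `allow uncrypt misc_device:chr_file rw_file_perms;`. Since this domain already gets write access to `userdata_block_device` and `para_block_device` raw block files, the rest of the file should stay with named permissions only.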
diff --git a/basic/non_plat/untrusted_app.te b/basic/non_plat/untrusted_app.te
new file mode 100644
index 0000000..d726ed0
--- /dev/null
+++ b/basic/non_plat/untrusted_app.te
@@ -0,0 +1,10 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2016/02/26
+# Operation: Migration
+# Purpose: Allow MTK modified ElephantStress and WhatsTemp to read thermal zone temperatures
+# from MTK kernel modules for thermal tests at OEM/ODM.
+allow untrusted_app proc_mtktz:dir search;
+allow untrusted_app proc_mtktz:file r_file_perms;
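Review bot: These two rules give every third-party app read access to MTK thermal-zone data under /proc (`proc_mtktz`) in production policy, for the benefit of two in-house test tools named in the comment. Thermal readings are a recognised cross-app side channel (inferring foreground activity and CPU load), and AOSP's untrusted_app policy does not grant this kind of /proc driver access, so the rules belong in a debug/eng-only policy directory or behind a dedicated domain for the test apps rather than in `untrusted_app`. untrusted_app_25.te in this commit extends the same exposure to `proc_thermal`, `sysfs_fps`, `sysfs_batteryinfo` and `sysfs_therm` and should be gated the same way.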
diff --git a/basic/non_plat/untrusted_app_25.te b/basic/non_plat/untrusted_app_25.te
new file mode 100644
index 0000000..8c94ea3
--- /dev/null
+++ b/basic/non_plat/untrusted_app_25.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2017/08/01
+# Operation: SQC
+# Purpose : Allow Whatstemp, a MTK thermal logging tool, to log thermal related information
+# properly for thermal tests at OEM/ODM.
+allow untrusted_app_25 proc_mtktz:dir search;
+allow untrusted_app_25 proc_mtktz:file r_file_perms;
+allow untrusted_app_25 proc_thermal:dir search;
+allow untrusted_app_25 proc_thermal:file r_file_perms;
+
+allow untrusted_app_25 sysfs_fps:dir search;
+allow untrusted_app_25 sysfs_fps:file r_file_perms;
+allow untrusted_app_25 sysfs_batteryinfo:dir search;
+allow untrusted_app_25 sysfs_therm:dir r_dir_perms;
+allow untrusted_app_25 sysfs_therm:file r_file_perms;
diff --git a/basic/non_plat/untrusted_app_all.te b/basic/non_plat/untrusted_app_all.te
new file mode 100644
index 0000000..d5a2a90
--- /dev/null
+++ b/basic/non_plat/untrusted_app_all.te
@@ -0,0 +1,12 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2020/06/08
+# Purpose: Allow untrusted app to access mtk jpeg
+allow untrusted_app_all proc_mtk_jpeg:file rw_file_perms;
+allowxperm untrusted_app_all proc_mtk_jpeg:file ioctl {
+ JPG_BRIDGE_DEC_IO_LOCK
+ JPG_BRIDGE_DEC_IO_WAIT
+ JPG_BRIDGE_DEC_IO_UNLOCK
+};
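Review bot: Granting `proc_mtk_jpeg:file rw_file_perms` plus the three `JPG_BRIDGE_DEC_IO_*` ioctls to `untrusted_app_all` exposes a vendor kernel driver's ioctl handler directly to every third-party app, so any parsing flaw in the decoder bridge becomes reachable from an unprivileged APK. The stated purpose ("access mtk jpeg") does not say why apps cannot go through the codec HAL or a system service that already holds this access (system_app.te and system_server.te in this commit receive the same rules). If direct access is unavoidable, add a comment naming the consumer and keep the allowxperm list minimal; `rw_file_perms` also carries `append`, `lock`, `map` and `getattr`, so consider restricting to the permissions the client actually uses.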
diff --git a/basic/non_plat/update_engine.te b/basic/non_plat/update_engine.te
new file mode 100644
index 0000000..9a9f66c
--- /dev/null
+++ b/basic/non_plat/update_engine.te
@@ -0,0 +1,63 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Add for update_engine update block device
+allow update_engine preloader_block_device:blk_file rw_file_perms;
+allow update_engine lk_block_device:blk_file rw_file_perms;
+allow update_engine dtbo_block_device:blk_file rw_file_perms;
+allow update_engine tee_block_device:blk_file rw_file_perms;
+allow update_engine vendor_block_device:blk_file rw_file_perms;
+allow update_engine odm_block_device:blk_file rw_file_perms;
+allow update_engine oem_block_device:blk_file rw_file_perms;
+allow update_engine md_block_device:blk_file rw_file_perms;
+allow update_engine dsp_block_device:blk_file rw_file_perms;
+allow update_engine scp_block_device:blk_file rw_file_perms;
+allow update_engine sspm_block_device:blk_file rw_file_perms;
+allow update_engine spmfw_block_device:blk_file rw_file_perms;
+allow update_engine mcupmfw_block_device:blk_file rw_file_perms;
+allow update_engine loader_ext_block_device:blk_file rw_file_perms;
+allow update_engine cam_vpu_block_device:blk_file rw_file_perms;
+allow update_engine para_block_device:blk_file rw_file_perms;
+allow update_engine vbmeta_block_device:blk_file rw_file_perms;
+allow update_engine audio_dsp_block_device:blk_file rw_file_perms;
+allow update_engine gz_block_device:blk_file rw_file_perms;
+allow update_engine proc_filesystems:file r_file_perms;
+allow update_engine dpm_block_device:blk_file rw_file_perms;
+allow update_engine pi_img_device:blk_file rw_file_perms;
+allow update_engine apusys_device:blk_file rw_file_perms_no_map;
+allow update_engine ccu_device:blk_file rw_file_perms_no_map;
+allow update_engine gpueb_device:blk_file rw_file_perms_no_map;
+allow update_engine mcf_ota_block_device:blk_file rw_file_perms_no_map;
+allow update_engine vcp_device:blk_file rw_file_perms_no_map;
+allow update_engine mvpu_algo_device:blk_file rw_file_perms_no_map;
+
+# Add for update_engine call by system_app
+allow update_engine system_app:binder { call transfer };
+
+# Add for update_engine with postinstall
+allow update_engine postinstall_mnt_dir:dir { rw_dir_perms unlink};
+
+# Add for AVB20
+allow update_engine tmpfs:lnk_file r_file_perms;
+
+allow update_engine metadata_file:dir { getattr mounton };
+allow update_engine devpts:chr_file rw_file_perms;
+allow update_engine kmsg_device:chr_file w_file_perms;
+
+# Date: 2020/09/02
+# Operation: R migration
+# Purpose: Add permission for pl path utilities to add symlink to raw pl
+allow update_engine sysfs_devices_block:dir search;
+
+# Date: 2021/07/15
+# Operation: S migration
+# Purpose: Add permission for pl path utilities
+allow update_engine postinstall_block_device:dir w_dir_perms;
+allow update_engine postinstall_block_device:lnk_file create_file_perms;
+allow update_engine proc_bootconfig:file r_file_perms;
+
+# Date : 2022/02/07
+# Operation : T migration
+# Purpose : Add permission for pl path utilities
+allow update_engine sysfs_block:dir search;
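Review bot: The blk_file rules mix `rw_file_perms` (preloader_block_device through pi_img_device) with `rw_file_perms_no_map` (apusys_device onward) and nothing explains why the earlier partitions would need mmap; update_engine writes partitions with ordinary read/write, so `rw_file_perms_no_map` is presumably sufficient for all of them and the stricter macro should be used consistently. `{ rw_dir_perms unlink}` on postinstall_mnt_dir is missing the space before the closing brace, unlike the other brace sets in the file. The first block would also benefit from the Date/Operation/Purpose header the later sections use.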
diff --git a/basic/non_plat/vendor_init.te b/basic/non_plat/vendor_init.te
new file mode 100644
index 0000000..58ca754
--- /dev/null
+++ b/basic/non_plat/vendor_init.te
@@ -0,0 +1,163 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+set_prop(vendor_init, vendor_mtk_mediatek_prop)
+set_prop(vendor_init, vendor_mtk_md_version_prop)
+set_prop(vendor_init, vendor_mtk_volte_prop)
+set_prop(vendor_init, vendor_mtk_radio_prop)
+set_prop(vendor_init, vendor_mtk_ril_mode_prop)
+set_prop(vendor_init, vendor_mtk_wmt_prop)
+set_prop(vendor_init, vendor_mtk_coredump_prop)
+allow vendor_init proc_wmtdbg:file w_file_perms;
+allow vendor_init proc_cpufreq:file w_file_perms;
+allow vendor_init proc_bootprof:file w_file_perms;
+allow vendor_init proc_pl_lk:file w_file_perms;
+allow vendor_init proc_mtprintk:file w_file_perms;
+allow vendor_init rootfs:dir create_dir_perms;
+allow vendor_init self:capability sys_module;
+allow vendor_init tmpfs:dir create_dir_perms;
+allow vendor_init unlabeled:dir { relabelfrom getattr setattr search };
+allow vendor_init vendor_file:system module_load;
+allow vendor_init kmsg_device:chr_file unlink;
+set_prop(vendor_init, vendor_mtk_sensor_prop)
+set_prop(vendor_init, vendor_mtk_usb_prop)
+set_prop(vendor_init, vendor_mtk_ct_volte_prop)
+set_prop(vendor_init, vendor_mtk_gps_support_prop)
+set_prop(vendor_init, vendor_mtk_rat_config_prop)
+set_prop(vendor_init, vendor_mtk_tel_switch_prop)
+set_prop(vendor_init, vendor_mtk_aal_ro_prop)
+set_prop(vendor_init, vendor_mtk_pq_ro_prop)
+set_prop(vendor_init, vendor_mtk_default_prop)
+set_prop(vendor_init, vendor_mtk_nn_option_prop)
+set_prop(vendor_init, vendor_mtk_emmc_support_prop)
+set_prop(vendor_init, vendor_mtk_anr_support_prop)
+set_prop(vendor_init, vendor_mtk_app_prop)
+set_prop(vendor_init, vendor_mtk_bt_sap_enable_prop)
+set_prop(vendor_init, vendor_mtk_factory_prop)
+get_prop(vendor_init, vendor_mtk_soc_prop)
+set_prop(vendor_init, vendor_mtk_prefer64_prop)
+
+# allow create symbolic link, /mnt/sdcard, for meta/factory mode
+allow vendor_init tmpfs:lnk_file create_file_perms;
+
+set_prop(vendor_init, vendor_mtk_cxp_vendor_prop)
+
+# Run "ifup lo" to bring up the localhost interface
+allow vendor_init proc_hostname:file w_file_perms;
+allow vendor_init self:udp_socket create_socket_perms;
+
+# in addition to unpriv ioctls granted to all domains, init also needs:
+allowxperm vendor_init self:udp_socket ioctl { SIOCSIFFLAGS };
+allow vendor_init self:global_capability_class_set net_raw;
+
+# enhance boot time
+allow vendor_init proc_perfmgr:file w_file_perms;
+
+set_prop(vendor_init, vendor_mtk_appresolutiontuner_prop)
+
+# fullscreen switch
+set_prop(vendor_init, vendor_mtk_fullscreenswitch_prop)
+
+# for kernel module verification support, allow vendor domain to search kernel keyring
+allow vendor_init kernel:key search;
+
+# Purpose: /dev/block/mmcblk0p10
+allow vendor_init expdb_block_device:blk_file rw_file_perms;
+
+set_prop(vendor_init, vendor_mtk_wifi_hotspot_prop)
+set_prop(vendor_init, vendor_mtk_wifi_hal_prop)
+set_prop(vendor_init, vendor_mtk_powerhal_prop)
+
+# mmstat tracer
+allow vendor_init debugfs_tracing_instances:dir create_dir_perms;
+allow vendor_init debugfs_tracing_instances:file w_file_perms;
+
+#boot tracer
+allow vendor_init debugfs_tracing_debug:file w_file_perms;
+
+# Set surfaceflinger cpu policy property
+set_prop(vendor_init, vendor_mtk_debug_sf_cpupolicy_prop)
+
+# Date : 2019/11/21
+# Operation: SQC
+# Purpose : Allow vendor_init to control MCDI
+allow vendor_init proc_cpuidle:file rw_file_perms;
+
+# Date : 2020/07/08
+# Purpose: add permission for /proc/sys/vm/swappiness
+allow vendor_init proc_swappiness:file w_file_perms;
+
+# Date : 2020/08/05
+# Purpose: add permission for /proc/driver/wmt_user_proc
+allow vendor_init proc_wmtuserproc:file w_file_perms;
+
+# Date : 2020/08/20
+# Operation: touchboost
+# Purpose: Allow vendor_init to set the default value of touch resample latency
+set_prop(vendor_init, vendor_mtk_input_resample_latency_prop)
+
+# Date : 2021/04/24
+# Operation: addwindow
+# Purpose: Get the variable value of touch report rate
+set_prop(vendor_init, vendor_mtk_input_report_rate_prop)
+
+# Date : 2020/09/07
+# Purpose: add permission for /proc/sys/kernel/panic_on_rcu_stall
+allow vendor_init proc_panic_on_rcu_stall:file rw_file_perms;
+
+# Date : 2020/12/23
+# Purpose: Allow vendor_init to write /proc/driver/conninfra_dbg
+allow vendor_init proc_conninfradbg:file w_file_perms;
+
+# Date: 2020/11/18
+# Purpose: Set the vendor.all.modules.ready property
+set_prop(vendor_init, vendor_mtk_device_prop)
+
+# Date: 2021/04/15
+# Purpose: Allow init to write /proc/blocktag/blockio
+allow vendor_init procfs_blockio:file w_file_perms;
+
+# Date : 2021/04/20
+# Purpose: Allow vendor_init to write /proc/driver/drop_caches , extra_free_kbytes , watermark_scale_factor
+allow vendor_init proc_extra_free_kbytes:file w_file_perms;
+allow vendor_init proc_drop_caches:file w_file_perms;
+allow vendor_init proc_watermark_scale_factor:file w_file_perms;
+set_prop(vendor_init, vendor_mtk_vm_prop)
+
+# Date 2021/05/10
+# Purpose : init the default value before bootup
+allow vendor_init proc_sched_migration_cost_ns:file rw_file_perms;
+
+# Date 2021/05/15
+# Purpose allow vendor_init to write proc/sys/kernel/sched_*
+allow vendor_init proc_sched:file w_file_perms;
+
+# Date 2021/07/21
+# Purpose: Set the ro.vendor.mtk_aod_support property
+set_prop(vendor_init, vendor_mtk_aod_support_prop)
+
+# Data 2021/08/06
+# Purpose: Set the ro.vendor.bluetooth.a2dp_aac_vbr.is_disabled property
+set_prop(vendor_init, vendor_mtk_bt_aac_vbr_prop)
+
+# Data 2021/09/23
+# Purpose: Set the ro.vendor.game_aisr_enable property
+set_prop(vendor_init, vendor_mtk_gpu_prop)
+
+# Data 2021/09/28
+# Purpose: Set the ro.vendor.mtk_ovl_bringup property
+set_prop(vendor_init, vendor_mtk_display_ro_prop)
+
+# Date : 2021/11/12
+# Purpose: add permission for /proc/sys/vm/watermark_boost_factor
+allow vendor_init proc_watermark_boost_factor:file w_file_perms;
+
+# Date: 2022/1/4
+# Purpose: add Neuropilot flag
+set_prop(vendor_init, vendor_mtk_neuropilot_flag_prop)
+
+# Date: 2022/2/16
+# Purpose: for non-5G GKI platform
+set_prop(vendor_init, vendor_mtk_mdrsra_v2_support_prop)
+set_prop(vendor_init, vendor_mtk_xfrm_support_prop)
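Review bot: The grants in the first block that widen vendor_init beyond property setting — `self:capability sys_module`, `vendor_file:system module_load`, `unlabeled:dir { relabelfrom getattr setattr search }`, `kmsg_device:chr_file unlink` and `rootfs:dir create_dir_perms` — carry no purpose comment, while every later rule in the file has a Date/Purpose header; a one-line reason per grant, e.g. `# Purpose: load vendor kernel modules at early boot (confirm)`, would let a reviewer tell intended from leftover. `# Purpose: /dev/block/mmcblk0p10` names a partition index rather than a purpose and is device-specific; say what the expdb partition is used for instead. Three headers read `# Data 2021/...` where the rest of the file uses `# Date`.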
diff --git a/basic/non_plat/viarild.te b/basic/non_plat/viarild.te
new file mode 100644
index 0000000..f9878ef
--- /dev/null
+++ b/basic/non_plat/viarild.te
@@ -0,0 +1 @@
+type viarild, domain;
diff --git a/basic/non_plat/vold.te b/basic/non_plat/vold.te
new file mode 100644
index 0000000..9eb5f22
--- /dev/null
+++ b/basic/non_plat/vold.te
@@ -0,0 +1,47 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# volume manager
+
+# Date : WK16.19
+# Operation : Migration
+# Purpose : unmount /mnt/cd-rom. It causes by unmountAll() when VolumeManager starts
+allow vold iso9660:filesystem unmount;
+
+# Date : WK16.19
+# Operation : Migration
+# Purpose : vold will traverse /proc when remountUid().
+# It will trigger violation if mtk customize some label in /proc.
+# However, we should ignore the violation if the processes never access the storage.
+dontaudit vold proc_mtkcooler:dir r_dir_perms;
+dontaudit vold proc_mtktz:dir r_dir_perms;
+dontaudit vold proc_thermal:dir r_dir_perms;
+
+# Date : WK18.30
+# Operation : Migration
+# Purpose : vold create mdlog folder in data for meta mode.
+allow vold mdlog_data_file:dir create_dir_perms;
+
+allow vold mtd_device:blk_file rw_file_perms;
+
+# dontaudit for fstrim on 'vendor' folder
+dontaudit vold nvdata_file:dir r_dir_perms;
+dontaudit vold nvcfg_file:dir r_dir_perms;
+dontaudit vold protect_f_data_file:dir r_dir_perms;
+dontaudit vold protect_s_data_file:dir r_dir_perms;
+
+# execute mke2fs when format as internal
+allow vold cache_block_device:blk_file getattr;
+allowxperm vold dm_device:blk_file ioctl {
+ BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+};
+allow vold nvcfg_block_device:blk_file getattr;
+allow vold nvdata_device:blk_file getattr;
+allow vold proc_swaps:file r_file_perms;
+allow vold protect1_block_device:blk_file getattr;
+allow vold protect2_block_device:blk_file getattr;
+allow vold swap_block_device:blk_file getattr;
+
+# trigger udisk uevent
+allow vold sysfs_usb_nonplat:file w_file_perms;
\ No newline at end of file
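Review bot: `allow vold mtd_device:blk_file rw_file_perms;` is the only grant in the file without a Date/Purpose header, and it gives the volume manager write access to raw MTD block devices; a comment naming the operation that needs it — or narrowing to `getattr` like the other block devices in the mke2fs section, if that is all vold does — would make the intent reviewable. The file also ends without a trailing newline, as the diff marker shows; that differs from the sibling files and may join the last rule with the next file's first line when the policy sources are concatenated.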
diff --git a/basic/non_plat/volte_clientapi_ua.te b/basic/non_plat/volte_clientapi_ua.te
new file mode 100644
index 0000000..c20979e
--- /dev/null
+++ b/basic/non_plat/volte_clientapi_ua.te
@@ -0,0 +1 @@
+type volte_clientapi_ua, domain, mtkimsapdomain;
diff --git a/basic/non_plat/volte_rcs_ua.te b/basic/non_plat/volte_rcs_ua.te
new file mode 100644
index 0000000..8e25f8d
--- /dev/null
+++ b/basic/non_plat/volte_rcs_ua.te
@@ -0,0 +1 @@
+type volte_rcs_ua, domain, mtkimsapdomain;
diff --git a/basic/non_plat/vpud_native.te b/basic/non_plat/vpud_native.te
new file mode 100644
index 0000000..312437e
--- /dev/null
+++ b/basic/non_plat/vpud_native.te
@@ -0,0 +1,49 @@
+# ==============================================
+# Policy File of /vendor/bin/vpud Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type vpud_native_exec, exec_type, file_type, vendor_file_type;
+type vpud_native, domain;
+
+init_daemon_domain(vpud_native)
+
+allow vpud_native ion_device:chr_file rw_file_perms;
+allow vpud_native vcu_device:chr_file rw_file_perms;
+allow vpud_native MTK_SMI_device:chr_file r_file_perms;
+allow vpud_native thermal_manager_data_file:file rw_file_perms;
+allow vpud_native thermalloadalgod:unix_stream_socket connectto;
+allow vpud_native proc_mtktz:dir search;
+allow vpud_native proc_mtktz:file rw_file_perms;
+allow vpud_native proc_thermal:file rw_file_perms;
+set_prop(vpud_native, vendor_mtk_thermal_config_prop)
+allowxperm vpud_native proc_m4u:file ioctl MTK_M4U_GZ_SEC_INIT;
+allowxperm vpud_native proc_m4u:file ioctl MTK_M4U_T_SEC_INIT;
+allow vpud_native vcodec_file:file create_file_perms;
+allow vpud_native vcodec_file:dir create_dir_perms;
+allow vpud_native sysfs_device_tree_model:file r_file_perms;
+
+allow vpud_native gz_device:chr_file rw_file_perms;
+allow vpud_native proc_m4u:file rw_file_perms;
+allow vpud_native tee_device:chr_file rw_file_perms;
+
+# call PowerHal
+hal_client_domain(vpud_native, hal_power)
+
+allow vpud_native mediaserver:fd use;
+allow vpud_native debugfs_ion:dir search;
+
+not_full_treble(`
+ allow vpud_native shell_exec:file { execute read open execute_no_trans getattr };
+ allow vpud_native toolbox_exec:file { getattr execute read open execute_no_trans };
+')
+
+full_treble_only(`
+ allow vpud_native vendor_shell_exec:file rx_file_perms;
+ allow vpud_native vendor_toolbox_exec:file rx_file_perms;
+')
+
+# add power config
+allow vpud_native sysfs_boot_mode:file r_file_perms;
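Review bot: The grants from ion_device through tee_device have no purpose comments, and several are broader than a video-processing daemon obviously needs: `proc_mtktz:file rw_file_perms` and `proc_thermal:file rw_file_perms` give write access to thermal nodes, and `gz_device`/`tee_device` rw open the secure-world interfaces. If the thermal nodes are only read for throttling decisions, `r_file_perms` is enough; otherwise a comment such as `# writes thermal throttling hints — confirm` per rule should say why. The not_full_treble block grants execute on shell_exec/toolbox_exec; naming the command the daemon spawns would let a reviewer check whether that shell-out still exists.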
diff --git a/basic/non_plat/vtservice_hidl.te b/basic/non_plat/vtservice_hidl.te
new file mode 100644
index 0000000..c96d8b6
--- /dev/null
+++ b/basic/non_plat/vtservice_hidl.te
@@ -0,0 +1,2 @@
+# "mtkimsapdomain" is for IMS repo phase 3, mean all permiton for IMCB/UA
+type vtservice_hidl, domain, mtkimsapdomain;
diff --git a/basic/non_plat/wifi_dump.te b/basic/non_plat/wifi_dump.te
new file mode 100644
index 0000000..0794dd8
--- /dev/null
+++ b/basic/non_plat/wifi_dump.te
@@ -0,0 +1,27 @@
+# ==============================================
+# Policy File of /vendor/bin/wifi_dump Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type wifi_dump_exec, vendor_file_type, exec_type, file_type;
+type wifi_dump, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(wifi_dump)
+allow wifi_dump self:capability net_admin;
+allow wifi_dump self:netlink_socket create_socket_perms_no_ioctl;
+allow wifi_dump self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow wifi_dump conninfra_device:chr_file rw_file_perms;
+allow wifi_dump stpwmt_device:chr_file rw_file_perms;
+allow wifi_dump tmpfs:lnk_file r_file_perms;
+allow wifi_dump mnt_user_file:dir search;
+allow wifi_dump mnt_user_file:lnk_file r_file_perms;
+allow wifi_dump storage_file:lnk_file r_file_perms;
+allow wifi_dump stp_dump_data_file:dir create_dir_perms;
+allow wifi_dump stp_dump_data_file:file create_file_perms;
+allow wifi_dump connsyslog_data_vendor_file:dir create_dir_perms;
+allow wifi_dump connsyslog_data_vendor_file:file create_file_perms;
+get_prop(wifi_dump, vendor_mtk_coredump_prop)
\ No newline at end of file
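Review bot: None of the rules under the Common SEPolicy Rule header has a purpose comment, and `self:capability net_admin` together with raw netlink and generic-netlink sockets is a broad grant for a dump helper; a comment per group, e.g. `# net_admin: needed to request driver dumps over netlink — confirm`, would let the grant be re-checked when the driver interface changes. The file also ends without a trailing newline, unlike its siblings.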
diff --git a/basic/non_plat/wlan_assistant.te b/basic/non_plat/wlan_assistant.te
new file mode 100644
index 0000000..98f2ecb
--- /dev/null
+++ b/basic/non_plat/wlan_assistant.te
@@ -0,0 +1,39 @@
+# ==============================================
+# Policy File of /vendor/bin/wlan_assistant Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type wlan_assistant_exec, exec_type, file_type, vendor_file_type;
+type wlan_assistant, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(wlan_assistant)
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : for mtk debug mechanism. agpsd_data_file, mtk_agpsd are used
+# to share wifi scan results with AGPS module. netlink_socket is used to
+# listen events of wlan driver. udp_socket is used to do ioctl with wlan driver
+# kernel-3.18 uses netlink_socket, but kernel-4.4 uses generic netlink_socket
+allow wlan_assistant agpsd_data_file:sock_file w_file_perms;
+allow wlan_assistant mtk_agpsd:unix_dgram_socket sendto;
+allow wlan_assistant agpsd_data_file:dir search;
+allow wlan_assistant self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow wlan_assistant self:udp_socket create_socket_perms;
+
+# Date : WK18.17
+# Operation : Migration
+# Purpose : To allow wlan_assistant monitor /vendor/nvdata/APCFG/APRDEB,
+# /storage/sdcard0, /vendor/firmware. Which can help to check if nvram,
+# driver config or firmware config file are changed, if yes, will write it
+# to wlan driver in time.
+allow wlan_assistant nvdata_file:dir r_dir_perms;
+allow wlan_assistant nvdata_file:file r_file_perms;
+allow wlan_assistant wmtWifi_device:chr_file rw_file_perms;
+
+allow wlan_assistant mnt_vendor_file:dir search;
+
+set_prop(wlan_assistant, vendor_mtk_nvram_ready_prop)
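Review bot: The WK18.17 comment says wlan_assistant monitors /vendor/nvdata/APCFG/APRDEB, /storage/sdcard0 and /vendor/firmware, but the rules that follow cover only nvdata_file (plus wmtWifi_device); either the sdcard and firmware monitoring was dropped and the comment is stale, or those grants live elsewhere — the comment should match what this file actually allows. `allow wlan_assistant mnt_vendor_file:dir search;` has no comment at all; `# search /mnt/vendor to reach nvdata (confirm)` would do if that is the reason.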
diff --git a/basic/non_plat/wmt_loader.te b/basic/non_plat/wmt_loader.te
new file mode 100644
index 0000000..de812f3
--- /dev/null
+++ b/basic/non_plat/wmt_loader.te
@@ -0,0 +1,33 @@
+# ==============================================
+# Policy File of /vendor/bin/wmt_loader Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type wmt_loader, domain;
+type wmt_loader_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(wmt_loader)
+
+allow wmt_loader self:capability chown;
+
+# Set the property
+set_prop(wmt_loader, vendor_mtk_wmt_prop)
+
+# add ioctl/open/read/write permission for wmt_loader with /dev/wmtdetect
+allow wmt_loader wmtdetect_device:chr_file rw_file_perms;
+
+# add ioctl/open/read/write permission for wmt_loader with /dev/stpwm
+allow wmt_loader stpwmt_device:chr_file rw_file_perms;
+allow wmt_loader devpts:chr_file rwx_file_perms;
+
+# Date: 2019/06/14
+# Operation : Migration
+allow wmt_loader proc_wmtdbg:file setattr;
+
+# Date : 2020/08/05
+# add setattr permission for wmt_loader with /proc/driver/wmt_user_proc
+allow wmt_loader proc_wmtuserproc:file setattr;
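Review bot: `allow wmt_loader devpts:chr_file rwx_file_perms;` grants `execute` on pseudo-terminal device nodes, which a firmware loader has no use for; `rw_file_perms` covers open/read/write/ioctl and matches the other chr_file rules in the file. The rule also sits under the /dev/stpwm comment without one of its own, and `self:capability chown` is uncommented. The comment says `/dev/stpwm` while the type is stpwmt_device, presumably `/dev/stpwmt`.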
diff --git a/basic/non_plat/wo_epdg_client.te b/basic/non_plat/wo_epdg_client.te
new file mode 100644
index 0000000..181ba2e
--- /dev/null
+++ b/basic/non_plat/wo_epdg_client.te
@@ -0,0 +1 @@
+type wo_epdg_client, domain;
diff --git a/basic/non_plat/wo_ipsec.te b/basic/non_plat/wo_ipsec.te
new file mode 100644
index 0000000..ce5c597
--- /dev/null
+++ b/basic/non_plat/wo_ipsec.te
@@ -0,0 +1 @@
+type wo_ipsec, domain;
diff --git a/basic/non_plat/xgff_test_native.te b/basic/non_plat/xgff_test_native.te
new file mode 100644
index 0000000..8fb3e5e
--- /dev/null
+++ b/basic/non_plat/xgff_test_native.te
@@ -0,0 +1,24 @@
+# ==============================================
+# Policy File of /vendor/bin/xgff_test Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type xgff_test_native_exec, exec_type, file_type, vendor_file_type;
+type xgff_test_native, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(xgff_test_native)
+
+allow xgff_test_native self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow xgff_test_native sysfs_boot_mode:file r_file_perms;
+hal_client_domain(xgff_test_native, hal_power)
+
+allow xgff_test_native proc_perfmgr:dir r_dir_perms;
+allow xgff_test_native proc_perfmgr:file rw_file_perms;
+allowxperm xgff_test_native proc_perfmgr:file ioctl {
+ PERFMGR_XGFFRAME_START
+ PERFMGR_XGFFRAME_END
+};
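Review bot: This is a test binary (`/vendor/bin/xgff_test`) set up as an init daemon with rw access to proc_perfmgr and the power HAL, yet its policy lives under basic/non_plat rather than the debug tree, so unless the binary itself is debug-only the domain and its grants ship in every build. If it is only needed for performance testing, moving the file to the debug policy directory, or at least adding `# Purpose: XGFF frame-timing test daemon — confirm whether user builds need this`, would document that intent. The rules under the Common SEPolicy Rule header have no purpose comments.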
diff --git a/basic/non_plat/zygote.te b/basic/non_plat/zygote.te
new file mode 100644
index 0000000..61b5c47
--- /dev/null
+++ b/basic/non_plat/zygote.te
@@ -0,0 +1,31 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow zygote proc_ged:file rw_file_perms;
+
+# Date : WK17.02
+# Purpose: Allow to access gpu for memtrack functions
+allow zygote gpu_device:dir search;
+allow zygote gpu_device:chr_file rw_file_perms;
+
+allow zygote proc_bootprof:file rw_file_perms;
+allow zygote proc_uptime:file rw_file_perms;
+
+# Date : WK21.29
+# Purpose: Allow Zygote to unmount labeledfs
+allow zygote labeledfs:filesystem { unmount };
+
+# Date : WK21.41
+# Purpose: Allow Zygote to access cgroup for statsd functions
+allow zygote cgroup:file setattr;
+
+# Date : WK21.47
+# Purpose: dontaudit Zygote set its the nice value
+dontaudit zygote self:capability sys_nice;
+
+# Date : WK22.04
+# Purpose: dontaudit Zygote write system_file when restarting Android
+dontaudit zygote system_file:dir write;
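Review bot: `allow zygote proc_uptime:file rw_file_perms;` and `allow zygote proc_bootprof:file rw_file_perms;` are the only rules in the file without a Date/Purpose header, and /proc/uptime is not writable on a standard kernel, so `r_file_perms` is presumably the right set there unless the MTK kernel changes that. Zygote forks every app process, so write grants on it deserve a stated reason; `# boot profiling marks written at zygote start (confirm)` or similar would let the grant be revisited. `{ unmount }` braces around a single permission are unnecessary and differ from the style of the other rules.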
diff --git a/basic/plat_private/aal.te b/basic/plat_private/aal.te
new file mode 100644
index 0000000..4262a7c
--- /dev/null
+++ b/basic/plat_private/aal.te
@@ -0,0 +1 @@
+type aal, domain;
diff --git a/basic/plat_private/adbd.te b/basic/plat_private/adbd.te
new file mode 100644
index 0000000..d2b1195
--- /dev/null
+++ b/basic/plat_private/adbd.te
@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow adbd debuglog_data_file:dir r_dir_perms;
+allow adbd debuglog_data_file:file r_file_perms;
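Review bot: The two grants have no purpose comment, unlike the sibling plat_private files; `# Purpose: let adb pull logs from /data/debuglogger (confirm)` — or whatever the actual reason is — would document why adbd, which is reachable from a connected host, can read the debug log tree.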
diff --git a/basic/plat_private/app.te b/basic/plat_private/app.te
new file mode 100644
index 0000000..2f1c073
--- /dev/null
+++ b/basic/plat_private/app.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2019/06/17
+# Operation : Migration
+# Purpose : appdomain need get system_mtk_amslog_prop
+get_prop(appdomain, system_mtk_amslog_prop)
diff --git a/basic/plat_private/audioserver.te b/basic/plat_private/audioserver.te
new file mode 100644
index 0000000..808460d
--- /dev/null
+++ b/basic/plat_private/audioserver.te
@@ -0,0 +1,62 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.32
+# Operation : Migration
+# Purpose : For audio dump and log
+allow audioserver sdcard_type:dir create_dir_perms;
+
+# Data : WK14.38
+# Operation : Migration
+# Purpose : for boot animation.
+binder_call(audioserver, bootanim)
+binder_call(audioserver, mtkbootanimation)
+
+# Data : WK14.46
+# Operation : Migration
+# Purpose : for SMS app
+allow audioserver radio_data_file:dir search;
+allow audioserver radio_data_file:file open;
+
+# Data : WK14.47
+# Operation : Audio playback
+# Purpose : Music as ringtone
+allow audioserver radio:dir r_dir_perms;
+allow audioserver radio:file r_file_perms;
+
+# Data : WK14.47
+# Operation : CTS
+# Purpose : cts search strange app
+allow audioserver untrusted_app:dir search;
+
+# Date : WK15.34
+# Operation : Migration
+# Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
+allow audioserver storage_file:lnk_file rw_file_perms;
+allow audioserver mnt_user_file:dir rw_dir_perms;
+allow audioserver mnt_user_file:lnk_file rw_file_perms;
+
+# Purpose: Dump debug info
+allow audioserver kmsg_device:chr_file w_file_perms;
+allow audioserver media_rw_data_file:dir create_dir_perms;
+
+# Date : WK16.27
+# Operation : Migration
+# Purpose: tunning tool update parameters
+allow audioserver media_rw_data_file:file create_file_perms;
+
+# Date : WK16.28
+# Operation : Migration
+# Purpose: Write audio dump files to external SDCard.
+allow audioserver sdcard_type:file create_file_perms;
+allow audioserver storage_file:dir r_dir_perms;
+
+# Date : W18.01
+# Add for turn on SElinux in enforcing mode
+allow audioserver self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Date : WK20.14
+# Operation : Migartion
+# Purpose : MTK Audio debug use
+set_prop(audioserver, system_mtk_audio_prop)
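Review bot: `allow audioserver untrusted_app:dir search;` is commented as `cts search strange app`, which does not say what audioserver looks for in app-private directories or which CTS case needs it; the comment should name the test or operation so the grant can be retired when it is no longer needed. `allow audioserver storage_file:lnk_file rw_file_perms;` and the matching mnt_user_file lnk_file rule grant write on symlinks, which the stated purpose (dumping to sdcard) only needs read for — `r_file_perms` as in the bluetooth and wifi_dump siblings. Several headers read `# Data :` for `# Date :`, and WK20.14 has `Migartion`.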
diff --git a/basic/plat_private/batterywarning.te b/basic/plat_private/batterywarning.te
new file mode 100644
index 0000000..833fc86
--- /dev/null
+++ b/basic/plat_private/batterywarning.te
@@ -0,0 +1 @@
+type batterywarning, domain;
diff --git a/basic/plat_private/bluetooth.te b/basic/plat_private/bluetooth.te
new file mode 100644
index 0000000..0257806
--- /dev/null
+++ b/basic/plat_private/bluetooth.te
@@ -0,0 +1,48 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2018/01/17
+set_prop(bluetooth, system_mtk_vendor_bluetooth_prop)
+set_prop(bluetooth, debug_prop)
+
+# Date: 2018/02/02
+# Add permission for different storage types logging
+# permission in storage for legacy android M version
+allow bluetooth mnt_user_file:dir search;
+allow bluetooth mnt_user_file:lnk_file r_file_perms;
+allow bluetooth storage_file:lnk_file r_file_perms;
+
+# purpose: allow access storage for legacy N version
+allow bluetooth media_rw_data_file:file create_file_perms;
+allow bluetooth media_rw_data_file:dir create_dir_perms;
+
+# permission for storage link access in vzw Project
+allow bluetooth mnt_media_rw_file:dir search;
+
+# for logging sdcard access
+allow bluetooth sdcard_type:dir create_dir_perms;
+allow bluetooth sdcard_type:file create_file_perms;
+allow bluetooth sdcardfs:dir create_dir_perms;
+allow bluetooth sdcardfs:file create_file_perms;
+allow bluetooth rootfs:lnk_file getattr;
+
+allow bluetooth fuse:dir create_dir_perms;
+allow bluetooth fuse:file create_file_perms;
+
+# permission for storage access storage
+allow bluetooth vfat:dir create_dir_perms;
+allow bluetooth vfat:file create_file_perms;
+allow bluetooth storage_file:dir create_dir_perms;
+allow bluetooth tmpfs:lnk_file r_file_perms;
+allow bluetooth storage_file:file create_file_perms;
+
+# Date: 2019/06/14
+# Operation : Migration
+get_prop(bluetooth, system_mtk_amslog_prop)
+
+# Date: 2019/06/20
+# Add dir create perms for bluetooth on /data/debuglogger
+#{ read write create search open getattr };
+allow bluetooth debuglog_data_file:dir {relabelto create_dir_perms};
+allow bluetooth debuglog_data_file:file create_file_perms;
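Review bot: `#{ read write create search open getattr };` above the debuglog_data_file rule is a leftover of an earlier permission set and should be removed now that the rule uses `{relabelto create_dir_perms}`. The `relabelto` on debuglog_data_file:dir lets the bluetooth domain turn directories into debug-log directories, which is more than logging needs; a comment explaining the relabel, or dropping it if the directory is created already labelled via file_contexts, would make it intentional. `allow bluetooth rootfs:lnk_file getattr;` and `set_prop(bluetooth, debug_prop)` have no purpose comments.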
diff --git a/basic/plat_private/boot_logo_updater.te b/basic/plat_private/boot_logo_updater.te
new file mode 100644
index 0000000..e06d736
--- /dev/null
+++ b/basic/plat_private/boot_logo_updater.te
@@ -0,0 +1,39 @@
+# ==============================================
+# Policy File of /system/bin/boot_logo_updater Executable File
+
+typeattribute boot_logo_updater coredomain;
+type boot_logo_updater_exec, system_file_type, exec_type, file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(boot_logo_updater)
+
+# Date : WK14.32
+# Operation : Migration
+# Puration : set boot reason
+set_prop(boot_logo_updater, system_prop)
+
+allow boot_logo_updater graphics_device:chr_file rw_file_perms;
+
+# To access directory /dev/block/mmcblk0 or /dev/block/sdc
+allow boot_logo_updater block_device:dir search;
+allow boot_logo_updater graphics_device:dir search;
+
+# to access file at /dev/block/mtd
+allow boot_logo_updater mtd_device:chr_file r_file_perms;
+allow boot_logo_updater mtd_device:dir search;
+
+#To access the file at /dev/kmsg
+allow boot_logo_updater kmsg_device:chr_file w_file_perms;
+
+#To the access /fstab mount point
+allow boot_logo_updater rootfs:file r_file_perms;
+
+#To access linux filesystem
+allow boot_logo_updater sysfs:dir r_dir_perms;
+
+# sanity fail for ALPS03604686:
+# for path="/sys/firmware/devicetree/base/firmware/android/fstab" andfor name = "cmdline" and "mtdblock14"
+allow boot_logo_updater mtd_device:blk_file r_file_perms;
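Review bot: `set_prop(boot_logo_updater, system_prop)` grants write to the whole system_prop set for the stated purpose of setting the boot reason; if a single property is written, a dedicated property context for it would keep this binary from being able to set unrelated system properties. The header `# Puration : set boot reason` should read `# Purpose : set boot reason`. Comments naming `/dev/block/mmcblk0` and `mtdblock14` are device-specific; saying which type (block_device, mtd_device) is searched and why is more durable.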
diff --git a/basic/plat_private/bootanim.te b/basic/plat_private/bootanim.te
new file mode 100644
index 0000000..a697388
--- /dev/null
+++ b/basic/plat_private/bootanim.te
@@ -0,0 +1,39 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.32
+# Operation : Migration
+# Purpose : for playing boot tone
+binder_call(bootanim, mediaserver)
+allow bootanim mediaserver_service:service_manager find;
+
+# Purpose : for playing bootanimation audio
+allow bootanim audioserver:binder {call transfer};
+allow bootanim audioserver_service:service_manager find;
+
+# Date : WK14.37
+# Operation : Migration
+# Purpose : for opetator
+set_prop(bootanim, debug_prop)
+
+# Date : WK14.37
+# Operation : Migration
+# Purpose : for opetator
+set_prop(bootanim, system_mtk_bootani_prop)
+
+# Date : WK14.46
+# Operation : Migration
+# /data/resource-cache
+allow bootanim resourcecache_data_file:dir search;
+allow bootanim resourcecache_data_file:file r_file_perms;
+
+# Data : WK16.42
+# Operator: Whitney bring up
+# Purpose: call surfaceflinger due to powervr
+allow bootanim surfaceflinger:fifo_file rw_file_perms;
+
+# Date : W16.42
+# Operation : Integration
+# Purpose : DRM / DRI GPU driver required
+allow bootanim gpu_device:dir search;
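Review bot: `allow bootanim audioserver:binder {call transfer};` spells out what the `binder_call(bootanim, audioserver)` macro expresses two rules above for mediaserver; using the macro keeps the two consistent and picks up whatever the macro carries. Three comments read `opetator`, and the WK16.42 header uses `Data`/`Operator` where the rest of the file uses `Date`/`Operation`.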
diff --git a/basic/plat_private/cmddumper.te b/basic/plat_private/cmddumper.te
new file mode 100644
index 0000000..176dfc7
--- /dev/null
+++ b/basic/plat_private/cmddumper.te
@@ -0,0 +1,36 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type cmddumper_exec, system_file_type, exec_type, file_type;
+typeattribute cmddumper coredomain;
+
+init_daemon_domain(cmddumper)
+
+# for modem logging sdcard access
+allow cmddumper sdcard_type:dir create_dir_perms;
+allow cmddumper sdcard_type:file create_file_perms;
+
+# modem logger socket access
+allow cmddumper platform_app:unix_stream_socket connectto;
+allow cmddumper shell_exec:file rx_file_perms;
+allow cmddumper system_file:file x_file_perms;
+
+# purpose: allow cmddumper to access storage in N version
+allow cmddumper media_rw_data_file:file create_file_perms;
+allow cmddumper media_rw_data_file:dir create_dir_perms;
+
+# purpose: access plat_file_contexts
+allow cmddumper file_contexts_file:file r_file_perms;
+
+# Save C2K modem log into data
+allow cmddumper debuglog_data_file:dir { relabelto create_dir_perms };
+allow cmddumper debuglog_data_file:file create_file_perms;
+
+#allow emdlogger to set property
+set_prop(cmddumper, system_mtk_debug_mdlogger_prop)
+set_prop(cmddumper, debug_prop)
+
+# Android P migration
+set_prop(cmddumper, system_mtk_persist_mtklog_prop)
+set_prop(cmddumper, system_mtk_mdl_prop)
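Review bot: `#allow emdlogger to set property` sits above `set_prop(cmddumper, ...)` lines — the comment names a different domain and looks copy-pasted; it should say cmddumper. `allow cmddumper shell_exec:file rx_file_perms;` and `allow cmddumper system_file:file x_file_perms;` let a log dumper execute the shell and any system binary, under the comment `modem logger socket access`, which does not describe them; a comment naming the command it runs, or narrowing to that executable's type, would make the grant reviewable.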
diff --git a/basic/plat_private/compat/30.0/30.0.cil b/basic/plat_private/compat/30.0/30.0.cil
new file mode 100644
index 0000000..6a18837
--- /dev/null
+++ b/basic/plat_private/compat/30.0/30.0.cil
@@ -0,0 +1,162 @@
+(expandtypeattribute (aee_aed_30_0) true)
+(expandtypeattribute (aee_core_forwarder_30_0) true)
+(expandtypeattribute (apmsrv_app_30_0) true)
+(expandtypeattribute (atci_service_sys_30_0) true)
+(expandtypeattribute (boot_logo_updater_30_0) true)
+(expandtypeattribute (camerapostalgo_30_0) true)
+(expandtypeattribute (capability_app_30_0) true)
+(expandtypeattribute (cmddumper_30_0) true)
+(expandtypeattribute (connsyslogger_30_0) true)
+(expandtypeattribute (dm_agent_binder_service_30_0) true)
+(expandtypeattribute (em_app_30_0) true)
+(expandtypeattribute (emdlogger_30_0) true)
+(expandtypeattribute (em_svr_30_0) true)
+(expandtypeattribute (fpspolicy-server_service_30_0) true)
+(expandtypeattribute (gas_srv_service_30_0) true)
+(expandtypeattribute (GoogleOtaBinder_30_0) true)
+(expandtypeattribute (kpoc_charger_30_0) true)
+(expandtypeattribute (lbs_dbg_data_file_30_0) true)
+(expandtypeattribute (loghidlsysservice_30_0) true)
+(expandtypeattribute (mcupm_device_30_0) true)
+(expandtypeattribute (mdi_redirector_30_0) true)
+(expandtypeattribute (mdlogger_30_0) true)
+(expandtypeattribute (mdmi_redirector_30_0) true)
+(expandtypeattribute (met_log_d_30_0) true)
+(expandtypeattribute (mobile_log_d_30_0) true)
+(expandtypeattribute (modemdbfilter_client_30_0) true)
+(expandtypeattribute (mtd_device_30_0) true)
+(expandtypeattribute (mtk_advcamserver_30_0) true)
+(expandtypeattribute (mtk_advcamserver_service_30_0) true)
+(expandtypeattribute (mtk_anrmanager_service_30_0) true)
+(expandtypeattribute (mtk_appdetection_service_30_0) true)
+(expandtypeattribute (mtk_autoboot_service_30_0) true)
+(expandtypeattribute (mtkbootanimation_30_0) true)
+(expandtypeattribute (mtk_carrierexpress_service_30_0) true)
+(expandtypeattribute (mtk_data_shaping_service_30_0) true)
+(expandtypeattribute (mtk_duraspeed_service_30_0) true)
+(expandtypeattribute (mtk_epdg_service_30_0) true)
+(expandtypeattribute (mtk_fm_radio_service_30_0) true)
+(expandtypeattribute (mtk_gwsd_service_30_0) true)
+(expandtypeattribute (mtk_hdmi_service_30_0) true)
+(expandtypeattribute (mtk_mobile_service_30_0) true)
+(expandtypeattribute (mtk_msg_monitor_service_30_0) true)
+(expandtypeattribute (mtk_omadm_service_30_0) true)
+(expandtypeattribute (mtk_perf_service_30_0) true)
+(expandtypeattribute (mtk_permrecords_service_30_0) true)
+(expandtypeattribute (mtk_phonesubinfo_service_30_0) true)
+(expandtypeattribute (mtk_power_hal_mgr_service_30_0) true)
+(expandtypeattribute (mtk_radio_service_30_0) true)
+(expandtypeattribute (mtk_registry_service_30_0) true)
+(expandtypeattribute (mtk_rns_service_30_0) true)
+(expandtypeattribute (mtk_search_engine_service_30_0) true)
+(expandtypeattribute (mtk_simphonebook_service_30_0) true)
+(expandtypeattribute (mtk_telecom_service_30_0) true)
+(expandtypeattribute (mtk_vowbridge_service_30_0) true)
+(expandtypeattribute (netdiag_30_0) true)
+(expandtypeattribute (nvram_agent_service_30_0) true)
+(expandtypeattribute (ota_agent_service_30_0) true)
+(expandtypeattribute (ppl_agent_service_30_0) true)
+(expandtypeattribute (sysfs_boot_info_30_0) true)
+(expandtypeattribute (sysfs_headset_30_0) true)
+(expandtypeattribute (sysfs_pmu_30_0) true)
+(expandtypeattribute (sysfs_vbus_30_0) true)
+(expandtypeattribute (system_mtk_ctl_emdlogger1_prop_30_0) true)
+(expandtypeattribute (system_mtk_ctl_emdlogger2_prop_30_0) true)
+(expandtypeattribute (system_mtk_ctl_emdlogger3_prop_30_0) true)
+(expandtypeattribute (system_mtk_ctl_mdlogger_prop_30_0) true)
+(expandtypeattribute (system_mtk_heavy_loading_prop_30_0) true)
+(expandtypeattribute (system_mtk_init_svc_aee_aedv_prop_30_0) true)
+(expandtypeattribute (system_mtk_init_svc_emdlogger1_prop_30_0) true)
+(expandtypeattribute (system_mtk_init_svc_md_monitor_prop_30_0) true)
+(expandtypeattribute (system_mtk_persist_mtk_aee_prop_30_0) true)
+(expandtypeattribute (system_mtk_pkm_init_prop_30_0) true)
+(expandtypeattribute (teeregistry_service_30_0) true)
+(expandtypeattribute (tee_service_30_0) true)
+(expandtypeattribute (terservice_30_0) true)
+(expandtypeattribute (thermald_30_0) true)
+(expandtypeattribute (usp_service_30_0) true)
+(expandtypeattribute (vpuservice_service_30_0) true)
+(expandtypeattribute (vtservice_30_0) true)
+(expandtypeattribute (vtservice_hidl_service_30_0) true)
+(expandtypeattribute (vtservice_service_30_0) true)
+(typeattributeset aee_aed_30_0 (aee_aed))
+(typeattributeset aee_core_forwarder_30_0 (aee_core_forwarder))
+(typeattributeset apmsrv_app_30_0 (apmsrv_app))
+(typeattributeset atci_service_sys_30_0 (atci_service_sys))
+(typeattributeset boot_logo_updater_30_0 (boot_logo_updater))
+(typeattributeset camerapostalgo_30_0 (camerapostalgo))
+(typeattributeset capability_app_30_0 (capability_app))
+(typeattributeset cmddumper_30_0 (cmddumper))
+(typeattributeset connsyslogger_30_0 (connsyslogger))
+(typeattributeset dm_agent_binder_service_30_0 (dm_agent_binder_service))
+(typeattributeset em_app_30_0 (em_app))
+(typeattributeset emdlogger_30_0 (emdlogger))
+(typeattributeset em_svr_30_0 (em_svr))
+(typeattributeset fpspolicy-server_service_30_0 (fpspolicy-server_service))
+(typeattributeset gas_srv_service_30_0 (gas_srv_service))
+(typeattributeset GoogleOtaBinder_30_0 (GoogleOtaBinder))
+(typeattributeset kpoc_charger_30_0 (kpoc_charger))
+(typeattributeset lbs_dbg_data_file_30_0 (lbs_dbg_data_file))
+(typeattributeset loghidlsysservice_30_0 (loghidlsysservice))
+(typeattributeset mcupm_device_30_0 (mcupm_device))
+(typeattributeset mdi_redirector_30_0 (mdi_redirector))
+(typeattributeset mdlogger_30_0 (mdlogger))
+(typeattributeset mdmi_redirector_30_0 (mdmi_redirector))
+(typeattributeset met_log_d_30_0 (met_log_d))
+(typeattributeset mobile_log_d_30_0 (mobile_log_d))
+(typeattributeset modemdbfilter_client_30_0 (modemdbfilter_client))
+(typeattributeset mtd_device_30_0 (mtd_device))
+(typeattributeset mtk_advcamserver_30_0 (mtk_advcamserver))
+(typeattributeset mtk_advcamserver_service_30_0 (mtk_advcamserver_service))
+(typeattributeset mtk_anrmanager_service_30_0 (mtk_anrmanager_service))
+(typeattributeset mtk_appdetection_service_30_0 (mtk_appdetection_service))
+(typeattributeset mtk_autoboot_service_30_0 (mtk_autoboot_service))
+(typeattributeset mtkbootanimation_30_0 (mtkbootanimation))
+(typeattributeset mtk_carrierexpress_service_30_0 (mtk_carrierexpress_service))
+(typeattributeset mtk_data_shaping_service_30_0 (mtk_data_shaping_service))
+(typeattributeset mtk_duraspeed_service_30_0 (mtk_duraspeed_service))
+(typeattributeset mtk_epdg_service_30_0 (mtk_epdg_service))
+(typeattributeset mtk_fm_radio_service_30_0 (mtk_fm_radio_service))
+(typeattributeset mtk_gwsd_service_30_0 (mtk_gwsd_service))
+(typeattributeset mtk_hdmi_service_30_0 (mtk_hdmi_service))
+(typeattributeset mtk_mobile_service_30_0 (mtk_mobile_service))
+(typeattributeset mtk_msg_monitor_service_30_0 (mtk_msg_monitor_service))
+(typeattributeset mtk_omadm_service_30_0 (mtk_omadm_service))
+(typeattributeset mtk_perf_service_30_0 (mtk_perf_service))
+(typeattributeset mtk_permrecords_service_30_0 (mtk_permrecords_service))
+(typeattributeset mtk_phonesubinfo_service_30_0 (mtk_phonesubinfo_service))
+(typeattributeset mtk_power_hal_mgr_service_30_0 (mtk_power_hal_mgr_service))
+(typeattributeset mtk_radio_service_30_0 (mtk_radio_service))
+(typeattributeset mtk_registry_service_30_0 (mtk_registry_service))
+(typeattributeset mtk_rns_service_30_0 (mtk_rns_service))
+(typeattributeset mtk_search_engine_service_30_0 (mtk_search_engine_service))
+(typeattributeset mtk_simphonebook_service_30_0 (mtk_simphonebook_service))
+(typeattributeset mtk_telecom_service_30_0 (mtk_telecom_service))
+(typeattributeset mtk_vowbridge_service_30_0 (mtk_vowbridge_service))
+(typeattributeset netdiag_30_0 (netdiag))
+(typeattributeset nvram_agent_service_30_0 (nvram_agent_service))
+(typeattributeset ota_agent_service_30_0 (ota_agent_service))
+(typeattributeset ppl_agent_service_30_0 (ppl_agent_service))
+(typeattributeset sysfs_boot_info_30_0 (sysfs_boot_info))
+(typeattributeset sysfs_headset_30_0 (sysfs_headset))
+(typeattributeset sysfs_pmu_30_0 (sysfs_pmu))
+(typeattributeset sysfs_vbus_30_0 (sysfs_vbus))
+(typeattributeset system_mtk_ctl_emdlogger1_prop_30_0 (system_mtk_ctl_emdlogger1_prop))
+(typeattributeset system_mtk_ctl_emdlogger2_prop_30_0 (system_mtk_ctl_emdlogger2_prop))
+(typeattributeset system_mtk_ctl_emdlogger3_prop_30_0 (system_mtk_ctl_emdlogger3_prop))
+(typeattributeset system_mtk_ctl_mdlogger_prop_30_0 (system_mtk_ctl_mdlogger_prop))
+(typeattributeset system_mtk_heavy_loading_prop_30_0 (system_mtk_heavy_loading_prop))
+(typeattributeset system_mtk_init_svc_aee_aedv_prop_30_0 (system_mtk_init_svc_aee_aedv_prop))
+(typeattributeset system_mtk_init_svc_emdlogger1_prop_30_0 (system_mtk_init_svc_emdlogger1_prop))
+(typeattributeset system_mtk_init_svc_md_monitor_prop_30_0 (system_mtk_init_svc_md_monitor_prop))
+(typeattributeset system_mtk_persist_mtk_aee_prop_30_0 (system_mtk_persist_mtk_aee_prop))
+(typeattributeset system_mtk_pkm_init_prop_30_0 (system_mtk_pkm_init_prop))
+(typeattributeset teeregistry_service_30_0 (teeregistry_service))
+(typeattributeset tee_service_30_0 (tee_service))
+(typeattributeset terservice_30_0 (terservice))
+(typeattributeset thermald_30_0 (thermald))
+(typeattributeset usp_service_30_0 (usp_service))
+(typeattributeset vpuservice_service_30_0 (vpuservice_service))
+(typeattributeset vtservice_30_0 (vtservice))
+(typeattributeset vtservice_hidl_service_30_0 (vtservice_hidl_service))
+(typeattributeset vtservice_service_30_0 (vtservice_service))
diff --git a/basic/plat_private/compat/30.0/31.0.compat.cil b/basic/plat_private/compat/30.0/31.0.compat.cil
new file mode 100644
index 0000000..628abfc
--- /dev/null
+++ b/basic/plat_private/compat/30.0/31.0.compat.cil
@@ -0,0 +1 @@
+;; This file can't be empty.
diff --git a/basic/plat_private/compat/30.0/31.0.ignore.cil b/basic/plat_private/compat/30.0/31.0.ignore.cil
new file mode 100644
index 0000000..5bc85a7
--- /dev/null
+++ b/basic/plat_private/compat/30.0/31.0.ignore.cil
@@ -0,0 +1,8 @@
+;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(type new_objects)
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( new_objects
+ ))
diff --git a/basic/plat_private/coredomain.te b/basic/plat_private/coredomain.te
new file mode 100644
index 0000000..88216ff
--- /dev/null
+++ b/basic/plat_private/coredomain.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Operation : DEBUG
+# Purpose : Allow to get system_mtk_audio_prop
+get_prop(coredomain, system_mtk_audio_prop)
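Review bot: `get_prop(coredomain, system_mtk_audio_prop)` gives every coredomain process read access to the property, yet the header marks it `Operation : DEBUG`. If it is only needed for debugging, wrap it as `userdebug_or_eng(`get_prop(coredomain, system_mtk_audio_prop)')` or move it under the debug/ policy directories selected by `HAVE_MTK_DEBUG_SEPOLICY`; if it is needed on user builds, grant it to the specific domains that read the property and change the comment to say so.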
diff --git a/basic/plat_private/crash_dump.te b/basic/plat_private/crash_dump.te
new file mode 100644
index 0000000..c976e33
--- /dev/null
+++ b/basic/plat_private/crash_dump.te
@@ -0,0 +1,97 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute crash_dump mlstrustedsubject;
+
+# /porc/pid/
+allow crash_dump appdomain:dir r_dir_perms;
+allow crash_dump coredomain:dir r_dir_perms;
+
+# AED start: /dev/block/expdb
+allow crash_dump block_device:dir search;
+
+#data/anr
+allow crash_dump anr_data_file:dir create_dir_perms;
+allow crash_dump anr_data_file:file create_file_perms;
+
+allow crash_dump domain:process { getattr getsched };
+
+#core-pattern
+allow crash_dump usermodehelper:file r_file_perms;
+
+#allow crash_dump call binaries labeled "system_file" under /system/bin/
+allow crash_dump system_file:file x_file_perms;
+
+allow crash_dump init:process getsched;
+allow crash_dump kernel:process getsched;
+
+# Date: W15.34
+# Operation: Migration
+# Purpose: For pagemap & pageflags information in NE DB
+userdebug_or_eng(`allow crash_dump self:capability sys_admin;')
+
+# Purpose: allow crash_dump to access toolbox
+allow crash_dump toolbox_exec:file rx_file_perms;
+
+# Purpose: mnt/user/*
+allow crash_dump mnt_user_file:dir search;
+allow crash_dump mnt_user_file:lnk_file r_file_perms;
+
+allow crash_dump storage_file:dir search;
+allow crash_dump storage_file:lnk_file r_file_perms;
+
+userdebug_or_eng(`
+ allow crash_dump su:dir r_dir_perms;
+ allow crash_dump su:file r_file_perms;
+')
+
+# /data/tombstone
+allow crash_dump tombstone_data_file:dir w_dir_perms;
+allow crash_dump tombstone_data_file:file create_file_perms;
+
+# /proc/pid/
+allow crash_dump self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module setgid setuid kill };
+
+# PROCESS_FILE_STATE
+allow crash_dump dumpstate:unix_stream_socket rw_socket_perms;
+allow crash_dump dumpstate:dir search;
+allow crash_dump dumpstate:file r_file_perms;
+
+allow crash_dump logdr_socket:sock_file w_file_perms;
+allow crash_dump logd:unix_stream_socket connectto;
+
+# vibrator
+allow crash_dump sysfs_vibrator:file w_file_perms;
+
+# Data : 2017/03/22
+# Operation : add NE flow rule for Android O
+# Purpose : make crash_dump can get specific process NE info
+allow crash_dump domain:dir r_dir_perms;
+allow crash_dump domain:{ file lnk_file } r_file_perms;
+
+allow crash_dump dalvikcache_data_file:dir r_dir_perms;
+
+# Data : 2017/04/06
+# Operation : add selinux rule for crash_dump notify crash_dump
+# Purpose : make crash_dump can get notify from crash_dump
+allow crash_dump crash_dump:dir search;
+allow crash_dump crash_dump:file r_file_perms;
+
+# Purpose : allow crash_dump to read /proc/version
+allow crash_dump proc_version:file r_file_perms;
+
+# Purpose: Allow crash_dump to write /sys/kernel/debug/tracing/snapshot
+userdebug_or_eng(`allow crash_dump debugfs_tracing_debug:file rw_file_perms;')
+
+# Purpose: receive dropbox message
+allow crash_dump dropbox_data_file:file { getattr read };
+allow crash_dump dropbox_service:service_manager find;
+allow crash_dump servicemanager:binder call;
+allow crash_dump system_server:binder call;
+
+# Purpose: allow crash_dump to read packages.list
+allow crash_dump packages_list_file:file r_file_perms;
+
+# Purpose: Allow crash_dump to read /proc/*/exe
+allow crash_dump system_file_type:file r_file_perms;
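Review bot: The ungated line `allow crash_dump self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module setgid setuid kill };` hands the crash handler `sys_module`, `net_admin`, `setuid` and `setgid` on user builds, while the `sys_admin` grant a few lines earlier is correctly wrapped in `userdebug_or_eng`. crash_dump is started on behalf of any crashing process, so a bug in it would become a path to loading kernel modules; each capability here should be justified in a comment or removed, and the ones that exist only for NE-database collection belong under `userdebug_or_eng` like `sys_admin`. The `# /proc/pid/` comment above that line does not describe a capability set and should state the real reason; the `# /porc/pid/` comment near the top should read `# /proc/pid/`. Separately, `allow crash_dump domain:{ file lnk_file } r_file_perms;` together with `allow crash_dump system_file_type:file r_file_perms;` subsumes several narrower rules above it (e.g. `allow crash_dump su:file r_file_perms;`, `allow crash_dump dumpstate:file r_file_perms;`), which could be consolidated.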
diff --git a/basic/plat_private/device.te b/basic/plat_private/device.te
new file mode 100644
index 0000000..8f703f5
--- /dev/null
+++ b/basic/plat_private/device.te
@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type tll_device, dev_type;
+type mcupm_device, dev_type;
diff --git a/basic/plat_private/domain.te b/basic/plat_private/domain.te
new file mode 100644
index 0000000..6d0e3ec
--- /dev/null
+++ b/basic/plat_private/domain.te
@@ -0,0 +1,3 @@
+allow domain system_mtk_pmb_file:dir r_dir_perms;
+allow domain system_mtk_pmb_file:lnk_file { getattr read };
+allow { appdomain coredomain } system_mtk_pmb_file:file { execute read open getattr map };
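Review bot: `allow { appdomain coredomain } system_mtk_pmb_file:file { execute read open getattr map };` grants `execute` on a file that file_contexts in this change labels as `/system/framework/framework-res.apk`, and grants it to every app domain, while the comment on the type in file.te says it exists so that system_server can do ioctl. Unless the apk is really mapped executable, `execute` should be dropped and the subject narrowed to the domain that needs it, e.g. `allow system_server system_mtk_pmb_file:file { read open getattr map ioctl };` — note that `ioctl`, the permission the file.te comment describes, is not in the current set, so comment and rule need reconciling. This file is also the only .te in the change without a header comment stating its purpose.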
diff --git a/basic/plat_private/drmserver.te b/basic/plat_private/drmserver.te
new file mode 100644
index 0000000..74bf06e
--- /dev/null
+++ b/basic/plat_private/drmserver.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow drmserver access_sys_file:file r_file_perms;
diff --git a/basic/plat_private/dumpstate.te b/basic/plat_private/dumpstate.te
new file mode 100644
index 0000000..c882261
--- /dev/null
+++ b/basic/plat_private/dumpstate.te
@@ -0,0 +1,36 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Purpose: access for SYS_MEMORY_INFO
+allow dumpstate fuse:dir w_dir_perms;
+allow dumpstate fuse:file create_file_perms;
+
+# Purpose: mnt/user/*
+allow dumpstate mnt_user_file:dir search;
+allow dumpstate mnt_user_file:lnk_file r_file_perms;
+
+# Purpose: /storage/*
+allow dumpstate storage_file:lnk_file r_file_perms;
+
+# Purpose: timer_intval. this is neverallow
+allow dumpstate kmsg_device:chr_file r_file_perms;
+
+# Data : WK17.03
+# Purpose: Allow to access gpu
+allow dumpstate gpu_device:dir search;
+
+# Date: 2017/07/11
+# Purpose: 01-01 08:30:57.474 286 286 E SELinux : avc: denied { find } for interface=
+# android.hardware.camera.provider::ICameraProvider pid=3133 scontext=u:r:dumpstate:s0 tcontext=
+# u:object_r:hal_camera_hwservice:s0 tclass=hwservice_manager
+hal_client_domain(dumpstate, hal_camera)
+
+#Purpose: Allow dumpstate to read/write /sys/kernel/debug/tracing/buffer_total_size_kb
+userdebug_or_eng(`allow dumpstate debugfs_tracing_debug:file rw_file_perms;')
+
+# Purpose: Allow dumpstate to write /sys/devices/virtual/timed_output/vibrator/enable
+allow dumpstate sysfs_vibrator:file w_file_perms;
+
+# Purpose : Allow dumpstate self to sys_nice sys_admin
+allow dumpstate self:capability { sys_nice sys_admin };
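Review bot: The comment `# Purpose: timer_intval. this is neverallow` above `allow dumpstate kmsg_device:chr_file r_file_perms;` says the rule conflicts with a neverallow without explaining why it is acceptable; if the policy builds, the comment should name the neverallow that was checked and why read access to the kernel log from dumpstate is intended. The block headed `# Purpose: 01-01 08:30:57.474 286 286 E SELinux : avc: denied { find } ...` pastes a raw denial instead of stating what dumpstate needs from the camera HAL; `# Purpose: dumpstate queries the camera provider HAL while collecting a bug report` would be clearer. `allow dumpstate self:capability { sys_nice sys_admin };` is the broadest grant in the file and its comment only restates the rule; name the operation that requires sys_admin.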
diff --git a/basic/plat_private/em_svr.te b/basic/plat_private/em_svr.te
new file mode 100644
index 0000000..67c1025
--- /dev/null
+++ b/basic/plat_private/em_svr.te
@@ -0,0 +1,48 @@
+# ==============================================
+# Policy File of /system/bin/em_svr Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type em_svr_exec, system_file_type, exec_type, file_type;
+typeattribute em_svr coredomain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(em_svr)
+
+# Date: WK1812
+# Purpose: add for MD log filter
+allow em_svr block_device:dir search;
+allow em_svr sdcardfs:dir w_dir_perms;
+allow em_svr sdcardfs:file create_file_perms;
+
+allow em_svr media_rw_data_file:dir rw_dir_perms;
+allow em_svr media_rw_data_file:file create_file_perms;
+
+# Date: WK1812
+# Purpose: add for controlling screen on/off
+allow em_svr graphics_device:dir search;
+allow em_svr graphics_device:chr_file rw_file_perms;
+allow em_svr surfaceflinger_service:service_manager find;
+binder_use(em_svr)
+binder_call(em_svr, surfaceflinger)
+
+# Date: WK1812
+# Purpose: add for controlling backlight
+allow em_svr sysfs_leds:dir search;
+
+# Date: WK1812
+# Purpose: add for sensor calibration
+allow em_svr self:capability { chown fsetid };
+
+# Date: WK1812
+# Purpose: add for shell cmd
+allow em_svr shell_exec:file rx_file_perms;
+
+# Date: WK1812
+# Purpose: sys file access
+allow em_svr sysfs:dir r_dir_perms;
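Review bot: `allow em_svr shell_exec:file rx_file_perms;` under `# Purpose: add for shell cmd` lets a system daemon execute the shell, and the comment does not say which command is run; naming the command, or granting the specific binary's exec type instead, would let this be tightened later. Every block carries the same `# Date: WK1812` header, so the dates add nothing, and some Purpose lines are too thin to review against, e.g. `# Purpose: sys file access` for `allow em_svr sysfs:dir r_dir_perms;`. The `self:capability { chown fsetid }` grant for sensor calibration should name the files whose ownership is changed.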
diff --git a/basic/plat_private/file.te b/basic/plat_private/file.te
new file mode 100644
index 0000000..4502ebb
--- /dev/null
+++ b/basic/plat_private/file.te
@@ -0,0 +1,37 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+##########################
+# Filesystem types
+#
+##########################
+# Proc Filesystem types
+#
+type proc_ccci_lp_mem, fs_type, proc_type;
+type proc_dynamic_debug_control, fs_type, proc_type;
+
+##########################
+# Sys Filesystem types
+#
+type sysfs_mcupm, fs_type, sysfs_type;
+
+# For drmserver
+# Date: WK1812
+# Operation : Migration
+# Purpose : For drmserver
+type access_sys_file, fs_type, sysfs_type;
+
+##########################
+# File types
+# Core domain data file types
+#
+# For modem db filter HIDL client
+# Date: WK1924
+# Operation : Save modem db and filter into data partition
+# Purpose : For Modem db and filter file
+type mddb_filter_data_file, file_type, data_file_type, core_data_file_type;
+
+type debuglog_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+
+#support system server domain do ioctl
+type system_mtk_pmb_file, system_file_type, file_type, mlstrustedobject;
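Review bot: `type debuglog_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;` and the `system_mtk_pmb_file` declaration both add `mlstrustedobject`, which exempts the object from the MLS constraints, but neither has a comment saying why the exemption is needed; record the reason, e.g. `# mlstrustedobject: written by log collectors running for several users — TODO confirm`. The `# For drmserver` line at the top of the `access_sys_file` block duplicates `# Purpose : For drmserver` three lines below and one can go. The `#support system server domain do ioctl` comment on `system_mtk_pmb_file` describes a permission that domain.te in this change does not grant for the type, so comment and rule should be reconciled.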
diff --git a/basic/plat_private/file_contexts b/basic/plat_private/file_contexts
new file mode 100644
index 0000000..0f6ebc0
--- /dev/null
+++ b/basic/plat_private/file_contexts
@@ -0,0 +1,55 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+##########################
+# Data files
+#
+/data/system_de/mdfilter(/.*)? u:object_r:mddb_filter_data_file:s0
+/data/debuglogger(/.*)? u:object_r:debuglog_data_file:s0
+/data/ramdump(/.*)? u:object_r:debuglog_data_file:s0
+
+##########################
+# System files
+#
+/system/bin/cmddumper u:object_r:cmddumper_exec:s0
+/system/bin/em_svr u:object_r:em_svr_exec:s0
+/system/bin/lbs_dbg u:object_r:lbs_dbg_exec:s0
+
+# wifi standalone log
+/data/log_wifi_temp(/.*)? u:object_r:logtemp_data_file:s0
+
+# storagemanager daemon
+# it is used to mount all storages in meta/factory mode
+/system/bin/storagemanagerd u:object_r:vold_exec:s0
+
+# MTK Bootanim
+/system/bin/mtkbootanimation u:object_r:mtkbootanimation_exec:s0
+/system/bin/boot_logo_updater u:object_r:boot_logo_updater_exec:s0
+
+# Date: 2020/08/17
+# Operation: R migration
+# Purpose: Add permission for pl path utilities for OTA
+/system/bin/mtk_plpath_utils u:object_r:mtk_plpath_utils_exec:s0
+
+# mediaserver 64 bit support
+/system/bin/mediaserver64 u:object_r:mediaserver_exec:s0
+/system/bin/mediahelper u:object_r:mediahelper_exec:s0
+
+# drmserver 64 bit support
+/system/bin/drmserver64 u:object_r:drmserver_exec:s0
+
+##########################
+# SystemExt files
+#
+##########################
+# Devices
+#
+/dev/ubi_ctrl u:object_r:mtd_device:s0
+/dev/ubi[_0-9]* u:object_r:mtd_device:s0
+/dev/block/mtd(.*)? u:object_r:mtd_device:s0
+/dev/block/mntlblk(.*)? u:object_r:mtd_device:s0
+/dev/mcupm(/.*)? u:object_r:mcupm_device:s0
+
+# support system server domain do ioctl with framework-res
+/system/framework/framework-res.apk u:object_r:system_mtk_pmb_file:s0
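Review bot: `/system/bin/storagemanagerd u:object_r:vold_exec:s0` makes a MediaTek daemon run in the `vold` domain, so it inherits every permission vold has rather than only what mounting storages in meta/factory mode needs. A dedicated domain with its own exec type, as done for `cmddumper_exec` and `em_svr_exec` a few lines above, keeps vold's privileges from being reachable through a second binary. The comment `# it is used to mount all storages in meta/factory mode` suggests the binary is only used on a factory path; if so, the entry belongs in the debug policy directories rather than the common ones.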
diff --git a/basic/plat_private/genfs_contexts b/basic/plat_private/genfs_contexts
new file mode 100644
index 0000000..5561e3c
--- /dev/null
+++ b/basic/plat_private/genfs_contexts
@@ -0,0 +1,33 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+##########################
+# proc files
+#
+# proc labeling can be further refined (longest matching prefix).
+genfscon proc /ccci_lp_mem u:object_r:proc_ccci_lp_mem:s0
+
+# Date : WK21.02
+# Purpose : write proc/dynamic_debug/control
+genfscon proc /dynamic_debug/control u:object_r:proc_dynamic_debug_control:s0
+
+##########################
+# sysfs files
+#
+# sysfs labels can be set by userspace.
+genfscon sysfs /devices/platform/vibrator@0/leds/vibrator u:object_r:sysfs_vibrator:s0
+genfscon sysfs /block/mmcblk0rpmb/size u:object_r:access_sys_file:s0
+genfscon sysfs /devices/virtual/misc/mcupm u:object_r:sysfs_mcupm:s0
+
+# Date : 2020/04/17
+# Purpose : mtk Audio headset detect
+genfscon sysfs /bus/platform/drivers/Accdet_Driver/state u:object_r:sysfs_headset:s0
+genfscon sysfs /bus/platform/drivers/pmic-codec-accdet/state u:object_r:sysfs_headset:s0
+
+# Date : WK20.20
+# Operation: R migration
+# Purpose : vbus voltage
+genfscon sysfs /devices/platform/charger/ADC_Charger_Voltage u:object_r:sysfs_vbus:s0
+genfscon sysfs /devices/platform/battery/ADC_Charger_Voltage u:object_r:sysfs_vbus:s0
+
diff --git a/basic/plat_private/init.te b/basic/plat_private/init.te
new file mode 100644
index 0000000..fb88f18
--- /dev/null
+++ b/basic/plat_private/init.te
@@ -0,0 +1,17 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# insmod LKM under /odm or /vendor
+allow init self:capability sys_module;
+allow init system_file:system module_load;
+
+# boot process denial clean up
+allow init debugfs_tracing:dir w_dir_perms;
+allow init debugfs_tracing:file w_file_perms;
+allow init sysfs_devices_system_cpu:file relabelfrom;
+
+domain_auto_trans(init, mtk_plpath_utils_exec, update_engine)
+
+#allow write for mobile_log_d.rc
+allow init proc_dynamic_debug_control:file w_file_perms;
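Review bot: The comment `# insmod LKM under /odm or /vendor` does not match the rule beneath it, `allow init system_file:system module_load;`, which permits loading modules labelled `system_file`, not vendor or odm files; either the comment or the target type is wrong, and the pair should be reconciled against where the .ko files are actually labelled. `domain_auto_trans(init, mtk_plpath_utils_exec, update_engine)` runs the pl-path utility with all of update_engine's permissions, including its block-device write access; a dedicated domain would bound what this utility can do. The `# boot process denial clean up` block should say which boot step needs `sysfs_devices_system_cpu:file relabelfrom` rather than recording that a denial was silenced.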
diff --git a/basic/plat_private/lbs_dbg.te b/basic/plat_private/lbs_dbg.te
new file mode 100644
index 0000000..18cc51e
--- /dev/null
+++ b/basic/plat_private/lbs_dbg.te
@@ -0,0 +1,48 @@
+# ==============================================
+# Policy File of /system/bin/lbs_dbg Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type lbs_dbg, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type lbs_dbg_exec, system_file_type, exec_type, file_type;
+typeattribute lbs_dbg coredomain;
+
+init_daemon_domain(lbs_dbg)
+
+#============= lbs_dbg ==============
+allow lbs_dbg storage_file:dir { create_dir_perms mounton };
+allow lbs_dbg storage_file:lnk_file r_file_perms;
+
+allow lbs_dbg debuglog_data_file:lnk_file r_file_perms;
+
+allow lbs_dbg mnt_user_file:dir search;
+allow lbs_dbg fuse:dir create_dir_perms;
+allow lbs_dbg fuse:file create_file_perms;
+allow lbs_dbg sdcard_type:filesystem unmount;
+allow lbs_dbg tmpfs:filesystem unmount;
+allow lbs_dbg sysfs:dir r_dir_perms;
+allow lbs_dbg sysfs_leds:dir search;
+allow lbs_dbg sysfs_leds:lnk_file r_file_perms;
+allow lbs_dbg sysfs_vibrator:file rw_file_perms;
+
+allow lbs_dbg sdcard_type:dir r_dir_perms;
+allow lbs_dbg self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+
+allow lbs_dbg self:tcp_socket create_stream_socket_perms;
+allow lbs_dbg self:udp_socket create_socket_perms;
+
+hal_client_domain(lbs_dbg, hal_mtk_lbs)
+
+allow lbs_dbg vfat:dir create_dir_perms;
+allow lbs_dbg vfat:file create_file_perms;
+allow lbs_dbg debuglog_data_file:dir create_dir_perms;
+allow lbs_dbg debuglog_data_file:file create_file_perms;
+allow lbs_dbg sdcardfs:dir create_dir_perms;
+allow lbs_dbg sdcardfs:file create_file_perms;
+allow lbs_dbg media_rw_data_file:dir create_dir_perms;
+allow lbs_dbg media_rw_data_file:file create_file_perms;
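Review bot: `allow lbs_dbg storage_file:dir { create_dir_perms mounton };`, `allow lbs_dbg sdcard_type:filesystem unmount;` and `allow lbs_dbg tmpfs:filesystem unmount;` let a debug daemon mount over /storage and unmount user storage and tmpfs, and none of the rules in the `#============= lbs_dbg ==============` section carries a purpose comment. A daemon named `lbs_dbg` with TCP/UDP sockets, netlink route access and filesystem unmount rights should either be confined to `userdebug_or_eng` or have each of these grants justified; the `mounton`/`unmount` rules in particular read like denial-driven additions rather than a designed need. The file also has a `# Type Declaration` header over `type lbs_dbg, domain;` and a second header before `type lbs_dbg_exec`, so the two declarations could sit together under one header.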
diff --git a/basic/plat_private/mediahelper.te b/basic/plat_private/mediahelper.te
new file mode 100755
index 0000000..dae1755
--- /dev/null
+++ b/basic/plat_private/mediahelper.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mediahelper_exec, system_file_type, exec_type, file_type;
+typeattribute mediahelper coredomain;
+init_daemon_domain(mediahelper)
+domain_auto_trans(mediahelper, mediaserver_exec, mediaserver)
+
diff --git a/basic/plat_private/mediaserver.te b/basic/plat_private/mediaserver.te
new file mode 100755
index 0000000..03e46f7
--- /dev/null
+++ b/basic/plat_private/mediaserver.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK21.31
+# Operation : 64-bit support
+# Purpose : Allow mediahelper exec mediaserver
+allow mediaserver mediahelper:fd use;
diff --git a/basic/plat_private/mediatranscoding.te b/basic/plat_private/mediatranscoding.te
new file mode 100644
index 0000000..5e68264
--- /dev/null
+++ b/basic/plat_private/mediatranscoding.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK21.31
+# Operation : Migration
+# Purpose : Allow mediatranscoding service to access the GPU
+allow mediatranscoding gpu_device:chr_file rw_file_perms;
diff --git a/basic/plat_private/met_log_d.te b/basic/plat_private/met_log_d.te
new file mode 100644
index 0000000..7c02140
--- /dev/null
+++ b/basic/plat_private/met_log_d.te
@@ -0,0 +1 @@
+type met_log_d, domain;
diff --git a/basic/plat_private/mmp.te b/basic/plat_private/mmp.te
new file mode 100644
index 0000000..7d37656
--- /dev/null
+++ b/basic/plat_private/mmp.te
@@ -0,0 +1 @@
+type mmp, domain;
diff --git a/basic/plat_private/mtk_plpath_utils.te b/basic/plat_private/mtk_plpath_utils.te
new file mode 100644
index 0000000..7b3071b
--- /dev/null
+++ b/basic/plat_private/mtk_plpath_utils.te
@@ -0,0 +1,4 @@
+# ==============================================
+# Type Declaration
+# ==============================================
+type mtk_plpath_utils_exec, system_file_type, exec_type, file_type;
diff --git a/basic/plat_private/mtkbootanimation.te b/basic/plat_private/mtkbootanimation.te
new file mode 100644
index 0000000..1f978eb
--- /dev/null
+++ b/basic/plat_private/mtkbootanimation.te
@@ -0,0 +1,77 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute mtkbootanimation coredomain;
+
+type mtkbootanimation_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(mtkbootanimation)
+
+# Date : WK14.37
+# Operation : Migration
+# Purpose : for opetator
+set_prop(mtkbootanimation, system_mtk_bootani_prop)
+
+hal_client_domain(mtkbootanimation, hal_configstore)
+hal_client_domain(mtkbootanimation, hal_graphics_allocator)
+hal_client_domain(mtkbootanimation, hal_graphics_composer)
+binder_use(mtkbootanimation)
+binder_call(mtkbootanimation, surfaceflinger)
+binder_call(mtkbootanimation, audioserver)
+
+allow mtkbootanimation gpu_device:chr_file rw_file_perms;
+
+# /oem access
+allow mtkbootanimation oemfs:dir search;
+allow mtkbootanimation oemfs:file r_file_perms;
+
+allow mtkbootanimation audio_device:dir r_dir_perms;
+allow mtkbootanimation audio_device:chr_file rw_file_perms;
+
+allow mtkbootanimation surfaceflinger_service:service_manager find;
+
+# Allow access to ion memory allocation device
+allow mtkbootanimation ion_device:chr_file rw_file_perms;
+allow mtkbootanimation hal_graphics_allocator:fd use;
+
+# Fences
+allow mtkbootanimation hal_graphics_composer:fd use;
+
+# Read access to pseudo filesystems.
+allow mtkbootanimation proc_meminfo:file r_file_perms;
+r_dir_file(mtkbootanimation, cgroup)
+
+# System file accesses.
+allow mtkbootanimation system_file:dir r_dir_perms;
+
+# Date : WK14.32
+# Operation : Migration
+# Purpose : for playing boot tone
+binder_call(mtkbootanimation, mediaserver)
+allow mtkbootanimation mediaserver_service:service_manager find;
+
+# Purpose : for playing bootanimation audio
+allow mtkbootanimation audioserver_service:service_manager find;
+
+# Date : WK14.37
+# Operation : Migration
+# Purpose : for opetator
+set_prop(mtkbootanimation, debug_prop)
+
+# Date : WK14.46
+# Operation : Migration
+# /data/resource-cache
+allow mtkbootanimation resourcecache_data_file:dir search;
+allow mtkbootanimation resourcecache_data_file:file r_file_perms;
+
+# Data : WK16.42
+# Operator: Whitney bring up
+# Purpose: call surfaceflinger due to powervr
+allow mtkbootanimation surfaceflinger:fifo_file rw_file_perms;
+
+# Date : W16.42
+# Operation : Integration
+# Purpose : DRM / DRI GPU driver required
+allow mtkbootanimation gpu_device:dir search;
+
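Review bot: `set_prop(mtkbootanimation, debug_prop)` gives the boot animation write access to the whole `debug.` property namespace, and its header (`# Purpose : for opetator`) is a copy of the one on the `system_mtk_bootani_prop` grant earlier in the file, so it does not say which property is written; define a dedicated property context for it as was done for `system_mtk_bootani_prop`, or document the exact property. `opetator` is misspelled in both headers and should read `operator`. The trailing blank line at the end of the file can be dropped.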
diff --git a/basic/plat_private/platform_app.te b/basic/plat_private/platform_app.te
new file mode 100644
index 0000000..7cc6942
--- /dev/null
+++ b/basic/plat_private/platform_app.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2021/06/02
+# Operation : S Migration
+# Purpose : access soundtrigger_middleware_service
+# Package : com.mediatek.voicecommand
+allow platform_app soundtrigger_middleware_service:service_manager find;
diff --git a/basic/plat_private/ppp.te b/basic/plat_private/ppp.te
new file mode 100644
index 0000000..b35cf77
--- /dev/null
+++ b/basic/plat_private/ppp.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.53
+# Operation : check in
+# Purpose: for warning kernel API
+allow ppp mtp:file r_file_perms;
diff --git a/basic/plat_private/property.te b/basic/plat_private/property.te
new file mode 100644
index 0000000..91d18e6
--- /dev/null
+++ b/basic/plat_private/property.te
@@ -0,0 +1,65 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# system_internal_prop -- Properties used only in /system
+# system_restricted_prop -- Properties which can't be written outside system
+# system_public_prop -- Properties with no restrictions
+# system_vendor_config_prop -- Properties which can be written only by vendor_init
+# vendor_internal_prop -- Properties used only in /vendor
+# vendor_restricted_prop -- Properties which can't be written outside vendor
+# vendor_public_prop -- Properties with no restrictions
+
+# Properties used only in /system
+system_internal_prop(system_mtk_audio_prop)
+system_internal_prop(system_mtk_bgdata_disabled_prop)
+system_internal_prop(system_mtk_bootani_prop)
+system_internal_prop(system_mtk_connsysfw_prop)
+system_internal_prop(system_mtk_debug_bq_dump_prop)
+system_internal_prop(system_mtk_debug_mdlogger_prop)
+system_internal_prop(system_mtk_debug_mtklog_prop)
+system_internal_prop(system_mtk_debug_netlog_prop)
+system_internal_prop(system_mtk_gprs_attach_type_prop)
+system_internal_prop(system_mtk_mdl_prop)
+system_internal_prop(system_mtk_mdl_pulllog_prop)
+system_internal_prop(system_mtk_mdl_start_prop)
+system_internal_prop(system_mtk_mobile_log_post_prop)
+system_internal_prop(system_mtk_mobile_log_prop)
+system_internal_prop(system_mtk_persist_mdlog_prop)
+system_internal_prop(system_mtk_persist_mtklog_prop)
+system_internal_prop(system_mtk_persist_xcap_rawurl_prop)
+system_internal_prop(system_mtk_power_off_md_prop)
+system_internal_prop(system_mtk_sim_system_prop)
+system_internal_prop(system_mtk_vendor_bluetooth_prop)
+system_internal_prop(system_mtk_wifisa_log_prop)
+system_internal_prop(system_mtk_rcs_single_reg_support_prop)
+system_internal_prop(system_mtk_sf_debug_prop)
+system_internal_prop(system_mtk_pco_prop)
+
+# Properties which can't be written outside system
+system_restricted_prop(system_mtk_amslog_prop)
+
+# Properties with can't be accessed by device-sepcific domains
+typeattribute system_mtk_amslog_prop extended_core_property_type;
+typeattribute system_mtk_audio_prop extended_core_property_type;
+typeattribute system_mtk_bgdata_disabled_prop extended_core_property_type;
+typeattribute system_mtk_bootani_prop extended_core_property_type;
+typeattribute system_mtk_connsysfw_prop extended_core_property_type;
+typeattribute system_mtk_debug_bq_dump_prop extended_core_property_type;
+typeattribute system_mtk_debug_mdlogger_prop extended_core_property_type;
+typeattribute system_mtk_debug_mtklog_prop extended_core_property_type;
+typeattribute system_mtk_debug_netlog_prop extended_core_property_type;
+typeattribute system_mtk_gprs_attach_type_prop extended_core_property_type;
+typeattribute system_mtk_mdl_prop extended_core_property_type;
+typeattribute system_mtk_mdl_pulllog_prop extended_core_property_type;
+typeattribute system_mtk_mdl_start_prop extended_core_property_type;
+typeattribute system_mtk_mobile_log_prop extended_core_property_type;
+typeattribute system_mtk_persist_mdlog_prop extended_core_property_type;
+typeattribute system_mtk_persist_mtklog_prop extended_core_property_type;
+typeattribute system_mtk_persist_xcap_rawurl_prop extended_core_property_type;
+typeattribute system_mtk_power_off_md_prop extended_core_property_type;
+typeattribute system_mtk_sim_system_prop extended_core_property_type;
+typeattribute system_mtk_vendor_bluetooth_prop extended_core_property_type;
+typeattribute system_mtk_rcs_single_reg_support_prop extended_core_property_type;
+typeattribute system_mtk_sf_debug_prop extended_core_property_type;
+typeattribute system_mtk_pco_prop extended_core_property_type;
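Review bot: `system_mtk_mobile_log_post_prop` and `system_mtk_wifisa_log_prop` are declared with `system_internal_prop` but are the only two properties in this file that are not also given `typeattribute ... extended_core_property_type;`, so the "can't be accessed by device-specific domains" comment does not hold for them. If the omission is deliberate (both are written by vendor-side loggers, judging by the `vendor.`/`persist.vendor.` names in property_contexts), a one-line comment saying so would stop the next reader from "fixing" it; otherwise add `typeattribute system_mtk_mobile_log_post_prop extended_core_property_type;` and `typeattribute system_mtk_wifisa_log_prop extended_core_property_type;`. The comment above that block also misspells "device-specific".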
diff --git a/basic/plat_private/property_contexts b/basic/plat_private/property_contexts
new file mode 100644
index 0000000..7340287
--- /dev/null
+++ b/basic/plat_private/property_contexts
@@ -0,0 +1,80 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+ro.audio.usb.period_us u:object_r:exported_default_prop:s0 exact int
+
+persist.adb.nonblocking_ffs u:object_r:exported_default_prop:s0 exact int
+
+vendor.MB.logpost u:object_r:system_mtk_mobile_log_post_prop:s0
+vendor.MB.logpost. u:object_r:system_mtk_mobile_log_post_prop:s0
+persist.vendor.MB.logpost u:object_r:system_mtk_mobile_log_post_prop:s0
+
+vendor.mtklog u:object_r:system_mtk_debug_mtklog_prop:s0
+persist.vendor.mtklog u:object_r:system_mtk_persist_mtklog_prop:s0
+vendor.netlog u:object_r:system_mtk_debug_netlog_prop:s0
+
+vendor.mdlogger u:object_r:system_mtk_debug_mdlogger_prop:s0
+vendor.mdl u:object_r:system_mtk_mdl_prop:s0
+vendor.starting.mode u:object_r:system_mtk_mdl_start_prop:s0
+persist.vendor.mdl u:object_r:system_mtk_persist_mdlog_prop:s0
+vendor.pullmdlog u:object_r:system_mtk_mdl_pulllog_prop:s0
+
+vendor.debug.bq.dump u:object_r:system_mtk_debug_bq_dump_prop:s0
+
+persist.vendor.bootanim. u:object_r:system_mtk_bootani_prop:s0
+
+# mobile log property
+vendor.MB. u:object_r:system_mtk_mobile_log_prop:s0
+
+persist.vendor.radio.bgdata.disabled u:object_r:system_mtk_bgdata_disabled_prop:s0
+
+persist.vendor.radio.gprs.attach.type u:object_r:system_mtk_gprs_attach_type_prop:s0
+
+persist.vendor.mtk_rcs_single_reg_support u:object_r:system_mtk_rcs_single_reg_support_prop:s0
+
+persist.vendor.pco5.radio.ctrl u:object_r:system_mtk_pco_prop:s0
+
+vendor.ril.test.poweroffmd u:object_r:system_mtk_power_off_md_prop:s0
+vendor.ril.testmode u:object_r:system_mtk_power_off_md_prop:s0
+
+# sim config property
+vendor.gsm.sim.operator.default-name u:object_r:system_mtk_sim_system_prop:s0
+
+vendor.connsysfw u:object_r:system_mtk_connsysfw_prop:s0
+
+vendor.bthcisnoop u:object_r:system_mtk_vendor_bluetooth_prop:s0
+
+# xcap rawurl config
+persist.vendor.mtk.xcap.rawurl u:object_r:system_mtk_persist_xcap_rawurl_prop:s0
+
+ctl.mdlogger u:object_r:system_mtk_ctl_mdlogger_prop:s0
+ctl.emdlogger1 u:object_r:system_mtk_ctl_emdlogger1_prop:s0
+ctl.emdlogger2 u:object_r:system_mtk_ctl_emdlogger2_prop:s0
+ctl.emdlogger3 u:object_r:system_mtk_ctl_emdlogger3_prop:s0
+
+init.svc.emdlogger1 u:object_r:system_mtk_init_svc_emdlogger1_prop:s0
+
+#=============mtk wifi driver log property====================
+persist.vendor.wlan.standalone.log u:object_r:system_mtk_wifisa_log_prop:s0
+
+# mtk audio log and dump property
+vendor.af.mixer.pcm u:object_r:system_mtk_audio_prop:s0
+vendor.af.track.pcm u:object_r:system_mtk_audio_prop:s0
+vendor.af.offload.write.raw u:object_r:system_mtk_audio_prop:s0
+vendor.af.resampler.pcm u:object_r:system_mtk_audio_prop:s0
+vendor.af.mixer.end.pcm u:object_r:system_mtk_audio_prop:s0
+vendor.af.record.dump.pcm u:object_r:system_mtk_audio_prop:s0
+vendor.af.effect.pcm u:object_r:system_mtk_audio_prop:s0
+vendor.af.mixer.drc.pcm u:object_r:system_mtk_audio_prop:s0
+vendor.af.dumplog u:object_r:system_mtk_audio_prop:s0
+vendor.aaudio.pcm u:object_r:system_mtk_audio_prop:s0
+vendor.af.audioflinger.log u:object_r:system_mtk_audio_prop:s0
+vendor.af.track.log u:object_r:system_mtk_audio_prop:s0
+vendor.af.policy.debug u:object_r:system_mtk_audio_prop:s0
+vendor.af.audioserver.restart u:object_r:system_mtk_audio_prop:s0
+
+# mtk display driver log property
+vendor.debug.sf.log_repaint u:object_r:system_mtk_sf_debug_prop:s0
+vendor.debug.sf.log_transaction u:object_r:system_mtk_sf_debug_prop:s0
+vendor.debug.sf.restart u:object_r:system_mtk_sf_debug_prop:s0
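Review bot: Every `vendor.*` and `persist.vendor.*` name here is labelled with a `system_mtk_*` type that property.te marks `extended_core_property_type`, which presumably means vendor domains (including `vendor_init`) cannot set them; if any of these are meant to be set from the vendor partition, that will surface as denials at boot and should be checked. Separately, `ro.audio.usb.period_us` and `persist.adb.nonblocking_ffs` are mapped to the generic `exported_default_prop` rather than a dedicated type, so any domain already allowed to write `exported_default_prop` can write these two as well; a short comment on why that generic type was chosen (or a dedicated type) would make the intent auditable.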
diff --git a/basic/plat_private/radio.te b/basic/plat_private/radio.te
new file mode 100644
index 0000000..d285c19
--- /dev/null
+++ b/basic/plat_private/radio.te
@@ -0,0 +1,38 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow radio proc_ccci_lp_mem:file r_file_perms;
+
+#Data : 2021/08/11
+# Operattion : DEBUG
+# Purpose : Allow process at radio domain get mediametrics_service from service_manager
+allow radio mediametrics_service:service_manager find;
+
+# Date : 2018/07/03
+# Purpose : Allow sim system to set prop
+set_prop(radio, system_mtk_sim_system_prop)
+
+# Operation : DEBUG
+# Purpose : Allow to use system_mtk_bgdata_disabled_prop
+set_prop(radio, system_mtk_bgdata_disabled_prop)
+
+# Date : 2018/07/03
+# Operation : DEBUG
+# Purpose : Allow to use system_mtk_gprs_attach_type_prop
+set_prop(radio, system_mtk_gprs_attach_type_prop)
+
+#Date : 2018/11/02
+# Operation : Allow radio set system_mtk_persist_xcap_rawurl_prop
+# Purpose : for set telephony xcap use raw url property in IMS SS
+set_prop(radio, system_mtk_persist_xcap_rawurl_prop)
+
+#Date : 2021/09/06
+# Operation : Allow radio set system_mtk_rcs_single_reg_support_prop
+# Purpose : To use SIngle Registration property which will enable Google UCE flow in IMS and Presence
+set_prop(radio, system_mtk_rcs_single_reg_support_prop)
+
+#Date : 2021/11/10
+# Operation : Allow radio set for pco_property
+# Purpose : which will run pco flow
+set_prop(radio, system_mtk_pco_prop)
diff --git a/basic/plat_private/recovery.te b/basic/plat_private/recovery.te
new file mode 100644
index 0000000..1518dd4
--- /dev/null
+++ b/basic/plat_private/recovery.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Purpose : Nand device policy
+allow recovery mtd_device:dir search;
+allow recovery mtd_device:chr_file rw_file_perms;
+allow recovery self:capability { sys_resource sys_rawio fsetid };
+set_prop(recovery, boottime_prop)
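Review bot: The capability grant `{ sys_resource sys_rawio fsetid }` is covered only by the comment "Nand device policy", which explains the `mtd_device` rules but not why each capability is needed; `sys_rawio` in particular reaches well beyond `mtd_device`. A per-capability note such as `# sys_rawio: MTD ioctls on mtd_device; sys_resource/fsetid: <reason>` (reason to be filled in by the author) would let a reviewer confirm the set is minimal, and any capability that no longer has a reason should be dropped.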
diff --git a/basic/plat_private/resize.te b/basic/plat_private/resize.te
new file mode 100644
index 0000000..5bed6eb
--- /dev/null
+++ b/basic/plat_private/resize.te
@@ -0,0 +1 @@
+type resize, domain;
diff --git a/basic/plat_private/service_contexts b/basic/plat_private/service_contexts
new file mode 100644
index 0000000..85bd71e
--- /dev/null
+++ b/basic/plat_private/service_contexts
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+memory_dumper u:object_r:mediaserver_service:s0
+imsa u:object_r:radio_service:s0
+mtkIms u:object_r:radio_service:s0
+GbaService u:object_r:radio_service:s0
+
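Review bot: `memory_dumper` is labelled with the AOSP `mediaserver_service` type and `imsa`/`mtkIms`/`GbaService` with `radio_service`, so every domain that is already allowed `find` on those generic types (including any `mtkbootanimation`-style rules elsewhere in this commit) can also reach the MTK services. Dedicated service types (constructed example: `type mtk_memory_dumper_service, service_manager_type;` in service.te, then `memory_dumper u:object_r:mtk_memory_dumper_service:s0` here) keep the reachability of each new service explicit and reviewable.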
diff --git a/basic/plat_private/shared_relro.te b/basic/plat_private/shared_relro.te
new file mode 100644
index 0000000..69d1f66
--- /dev/null
+++ b/basic/plat_private/shared_relro.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2019/06/14
+# Operation : Migration
+get_prop(shared_relro, system_mtk_amslog_prop)
diff --git a/basic/plat_private/shell.te b/basic/plat_private/shell.te
new file mode 100644
index 0000000..d528492
--- /dev/null
+++ b/basic/plat_private/shell.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow shell debuglog_data_file:dir r_dir_perms;
+allow shell debuglog_data_file:file r_file_perms;
+
+get_prop(shell, system_mtk_mobile_log_prop)
+
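Review bot: `shell` is granted read access to `debuglog_data_file` (dir and file) in basic/plat_private, which is compiled into user builds as well, so whatever is stored under that label becomes readable from any adb shell on production devices. If this exists to support log collection during development, wrapping both `allow` lines in `userdebug_or_eng(` ... `')` limits the exposure to debug builds; if it is required on user builds, a comment stating why would help. The same question applies to the `get_prop(shell, system_mtk_mobile_log_prop)` line.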
diff --git a/basic/plat_private/surfaceflinger.te b/basic/plat_private/surfaceflinger.te
new file mode 100644
index 0000000..18f9a20
--- /dev/null
+++ b/basic/plat_private/surfaceflinger.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Data : WK14.42
+# Operation : Migration
+# Purpose : Video playback
+set_prop(surfaceflinger, debug_prop)
+
+# Date : WK18.36
+# Operation : Debug
+# Purpose: Allow to dump buffer queue
+get_prop(surfaceflinger, system_mtk_debug_bq_dump_prop)
+
+# Date : WK21.32
+# Operation : Debug
+# Purpose: Allow to open debug log
+set_prop(surfaceflinger, system_mtk_sf_debug_prop)
diff --git a/basic/plat_private/system_app.te b/basic/plat_private/system_app.te
new file mode 100644
index 0000000..ddd81de
--- /dev/null
+++ b/basic/plat_private/system_app.te
@@ -0,0 +1,24 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2016/07/12
+# Purpose : Issue submitter need creat folder on SD card
+allow system_app vfat:dir create_dir_perms;
+
+# Date: 2017/07/01
+# Change to simple policy
+allow system_app media_rw_data_file:dir rw_dir_perms;
+allow system_app media_rw_data_file:file rw_file_perms;
+
+# Purpose: receive dropbox message
+allow system_app system_server:unix_stream_socket connectto;
+allow system_app crash_dump:unix_stream_socket connectto;
+
+# Date : 2021/01/19
+# Purpose : access power hal
+hal_client_domain(system_app, hal_power)
+
+# Date: 2021/09/06
+# Purpose: To enable Google UCE Flow
+set_prop(system_app, system_mtk_rcs_single_reg_support_prop)
\ No newline at end of file
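Review bot: `allow system_app vfat:dir create_dir_perms;` together with rw access on `media_rw_data_file` is granted to the entire `system_app` domain (every app running with the system UID), while the comment attributes the need to a single "issue submitter" app. If only one package needs external-storage write access, giving it its own domain via seapp_contexts keeps the rest of system_app at its current privilege. `allow system_app crash_dump:unix_stream_socket connectto;` also deserves a comment on what the app connects to; "receive dropbox message" does not obviously explain it. The file is also missing its trailing newline.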
diff --git a/basic/plat_private/system_server.te b/basic/plat_private/system_server.te
new file mode 100644
index 0000000..4e6100f
--- /dev/null
+++ b/basic/plat_private/system_server.te
@@ -0,0 +1,53 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: W18.32
+# Operation : dontaudit writing to timerslack_ns
+dontaudit system_server appdomain:file w_file_perms;
+allow system_server ota_package_file:dir getattr;
+
+# Purpose: receive dropbox message
+allow system_server crash_dump:fifo_file w_file_perms;
+allow system_server crash_dump:fd use;
+
+# Property service.
+set_prop(system_server, ctl_bootanim_prop)
+
+# Date : WK16.36
+# Purpose: Allow to set property log.tag.WifiHW to control log level of WifiHW
+set_prop(system_server, log_tag_prop)
+
+# Fix bootup violation
+get_prop(system_server, wifi_prop)
+
+#Date:2019/10/09
+#Operation:Q Migration
+get_prop(system_server, system_mtk_debug_bq_dump_prop)
+
+#Date:2019/10/10
+#Operation:Q Migration
+allow system_server mddb_filter_data_file:dir getattr;
+
+allow system_server netdiag:fd use;
+
+#Date :2020/10/19
+#Operation : Allow system server to kill dex2oat
+allow system_server dex2oat:process sigkill;
+
+#Date:2021/9/22
+# Allow system server to get pgid
+allow system_server rs:process getpgid;
+allow system_server webview_zygote:process getpgid;
+allow system_server netd:process setsched;
+allow system_server keystore:process setsched;
+allow system_server audioserver_tmpfs:file write;
+#Date:2021/10/13
+# neverallow system server to kill process
+dontaudit system_server mediaserver:process sigkill;
+dontaudit system_server netd:process sigkill;
+dontaudit system_server keystore:process sigkill;
+
+#support system server domain do ioctl
+allow system_server system_mtk_pmb_file:file ioctl;
+allowxperm system_server system_mtk_pmb_file:file ioctl FS_IOC_MEASURE_VERITY;
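Review bot: `dontaudit system_server appdomain:file w_file_perms;` silences denials for system_server writing to files of any app domain, far wider than the timerslack_ns case the comment names, and silenced denials are exactly what hides a real policy gap later; scoping it to the specific file type involved (or to `self` where applicable) would keep the suppression narrow. The 2021/10/13 comment says "neverallow system server to kill process" but the three rules under it are `dontaudit`, which only stop logging and do not prevent anything — the comment should say `# dontaudit system_server sending sigkill to these daemons` or the rules should become real `neverallow` statements if that is the intent. `allow system_server audioserver_tmpfs:file write;` is also undocumented.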
diff --git a/basic/plat_private/teed_app.te b/basic/plat_private/teed_app.te
new file mode 100644
index 0000000..d962391
--- /dev/null
+++ b/basic/plat_private/teed_app.te
@@ -0,0 +1 @@
+type teed_app, domain;
diff --git a/basic/plat_private/tombstoned.te b/basic/plat_private/tombstoned.te
new file mode 100644
index 0000000..3cc2c68
--- /dev/null
+++ b/basic/plat_private/tombstoned.te
@@ -0,0 +1,9 @@
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 20200520
+# Operation : failed to create tombstone in /data/anr because permissive denied
+# Purpose : type=1400 audit(0.0:14838): avc: denied { write } for
+# name=".temporary0" dev="mmcblk0p43" ino=3478 scontext=u:r:tombstoned:s0
+# tcontext=u:object_r:anr_data_file:s0 tclass=file permissive=0
+allow tombstoned anr_data_file:file w_file_perms;
diff --git a/basic/plat_private/uncrypt.te b/basic/plat_private/uncrypt.te
new file mode 100644
index 0000000..9dca90e
--- /dev/null
+++ b/basic/plat_private/uncrypt.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow uncrypt uncrypt:capability fowner;
\ No newline at end of file
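Review bot: `allow uncrypt uncrypt:capability fowner;` should use the `self` keyword like the rest of the policy, `allow uncrypt self:capability fowner;`, which is what the capability class expects and reads unambiguously. A comment on why uncrypt needs `fowner` would also be useful, and the file is missing its trailing newline.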
diff --git a/basic/plat_private/vendor_init.te b/basic/plat_private/vendor_init.te
new file mode 100644
index 0000000..f808cf3
--- /dev/null
+++ b/basic/plat_private/vendor_init.te
@@ -0,0 +1,3 @@
+# allow write for mobile_log_d.rc
+allow vendor_init proc_dynamic_debug_control:file w_file_perms;
+
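Review bot: Write access to `proc_dynamic_debug_control` lets `vendor_init` toggle kernel dynamic-debug output, and because this file lives in basic/plat_private it applies to user builds too. If the rc file that needs it (mobile_log_d.rc per the comment) only matters for logging on development devices, wrapping the rule in `userdebug_or_eng(` ... `')` keeps production kernels from having their debug output changed from init scripts; if it is needed on user builds, the comment should say so. The file also lacks the "Common SEPolicy Rule" banner the other files in this directory carry.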
diff --git a/basic/plat_public/GoogleOtaBinder.te b/basic/plat_public/GoogleOtaBinder.te
new file mode 100644
index 0000000..3723d07
--- /dev/null
+++ b/basic/plat_public/GoogleOtaBinder.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Policy File of /system/bin/GoogleOtaBinder Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type GoogleOtaBinder, domain;
diff --git a/basic/plat_public/apmsrv_app.te b/basic/plat_public/apmsrv_app.te
new file mode 100644
index 0000000..a8dd525
--- /dev/null
+++ b/basic/plat_public/apmsrv_app.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Policy File of /system/priv-app/ApmService/ApmService.apk Executable File
+# ==============================================
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type apmsrv_app, domain, coredomain;
diff --git a/basic/plat_public/atci_service_sys.te b/basic/plat_public/atci_service_sys.te
new file mode 100644
index 0000000..d40559f
--- /dev/null
+++ b/basic/plat_public/atci_service_sys.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Policy File of /system/bin/atci_service_sys Executable File
+# ==============================================
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type atci_service_sys, domain;
diff --git a/basic/plat_public/attributes b/basic/plat_public/attributes
new file mode 100644
index 0000000..4c48837
--- /dev/null
+++ b/basic/plat_public/attributes
@@ -0,0 +1,113 @@
+# ==============================================
+# MTK Attribute declarations
+# ==============================================
+
+# Attribute that represents all mtk property types (except those with ctl_xxx prefix)
+attribute mtk_core_property_type;
+
+# attribute that represents all MTK IMS types. It should be used by AP side module only.
+attribute mtkimsapdomain;
+#
+# # attribute that represents all MTK IMS types. It should be used by MD side module only.
+attribute mtkimsmddomain;
+
+# Just for MTK's neverallow rules
+attribute domain_deprecated;
+attribute public_mtk_debug_domain;
+attribute system_aosp_dev_type;
+attribute system_aosp_domain;
+attribute system_mtk_debug_dev_type;
+attribute system_mtk_debug_domain;
+attribute system_mtk_dev_type;
+attribute system_mtk_domain;
+attribute vendor_aosp_dev_type;
+attribute vendor_aosp_domain;
+attribute vendor_mtk_debug_dev_type;
+attribute vendor_mtk_debug_domain;
+attribute vendor_mtk_dev_type;
+attribute vendor_mtk_domain;
+
+# Date: 2017/06/12
+# LBS HIDL
+attribute hal_mtk_lbs;
+attribute hal_mtk_lbs_client;
+attribute hal_mtk_lbs_server;
+
+# Date: 2017/06/27
+# IMSA HIDL
+attribute hal_mtk_imsa;
+attribute hal_mtk_imsa_client;
+attribute hal_mtk_imsa_server;
+
+# Date: 2017/07/13
+# NVRAM AGENT HIDL
+attribute hal_mtk_nvramagent;
+attribute hal_mtk_nvramagent_client;
+attribute hal_mtk_nvramagent_server;
+
+# Date: 2017/07/19
+# PQ HIDL
+attribute hal_mtk_pq;
+attribute hal_mtk_pq_client;
+attribute hal_mtk_pq_server;
+
+# Date: 2017/07/28
+# KEY ATTESTATION HIDL
+attribute hal_mtk_keyattestation;
+attribute hal_mtk_keyattestation_client;
+attribute hal_mtk_keyattestation_server;
+
+# Date: 2018/05/25
+# FM HIDL
+attribute hal_mtk_fm;
+attribute hal_mtk_fm_client;
+attribute hal_mtk_fm_server;
+
+# Date: 2018/07/02
+# MDP HIDL
+attribute hal_mtk_mms;
+attribute hal_mtk_mms_client;
+attribute hal_mtk_mms_server;
+
+# Date: 2019/06/12
+# modem db filter hidl
+attribute hal_mtk_md_dbfilter;
+attribute hal_mtk_md_dbfilter_client;
+attribute hal_mtk_md_dbfilter_server;
+
+# Date: 2019/07/16
+# HDMI HIDL
+attribute hal_mtk_hdmi;
+attribute hal_mtk_hdmi_client;
+attribute hal_mtk_hdmi_server;
+
+# Date: 2019/09/06
+# BGService HIDL
+attribute hal_mtk_bgs;
+attribute hal_mtk_bgs_client;
+attribute hal_mtk_bgs_server;
+
+# Date: 2019/11/18
+# em hidl
+attribute hal_mtk_em;
+attribute hal_mtk_em_client;
+attribute hal_mtk_em_server;
+
+attribute hal_mtk_codecservice;
+attribute hal_mtk_codecservice_client;
+attribute hal_mtk_codecservice_server;
+
+attribute hal_mtk_atci;
+attribute hal_mtk_atci_client;
+attribute hal_mtk_atci_server;
+
+# All types used for mtk's safe hwservice
+attribute mtk_safe_hwservice_manager_type;
+
+# All types used for mtk's safe halserver
+attribute mtk_safe_halserverdomain_type;
+
+# Date: 2020/12/30
+attribute hal_mtk_mmagent;
+attribute hal_mtk_mmagent_client;
+attribute hal_mtk_mmagent_server;
diff --git a/basic/plat_public/boot_logo_updater.te b/basic/plat_public/boot_logo_updater.te
new file mode 100644
index 0000000..a09f0c1
--- /dev/null
+++ b/basic/plat_public/boot_logo_updater.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/boot_logo_updater Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type boot_logo_updater, domain;
diff --git a/basic/plat_public/camerapostalgo.te b/basic/plat_public/camerapostalgo.te
new file mode 100644
index 0000000..0b38e9c
--- /dev/null
+++ b/basic/plat_public/camerapostalgo.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Policy File of /system/bin/camerapostalgo Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type camerapostalgo, domain;
diff --git a/basic/plat_public/capability_app.te b/basic/plat_public/capability_app.te
new file mode 100644
index 0000000..ddd2f53
--- /dev/null
+++ b/basic/plat_public/capability_app.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Policy File of /system/priv-app/CapabilityTest/CapabilityTest.apk Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type capability_app, domain, coredomain;
diff --git a/basic/plat_public/cmddumper.te b/basic/plat_public/cmddumper.te
new file mode 100644
index 0000000..332858a
--- /dev/null
+++ b/basic/plat_public/cmddumper.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/cmddumper Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type cmddumper, domain;
diff --git a/basic/plat_public/device.te b/basic/plat_public/device.te
new file mode 100644
index 0000000..6ad5ed8
--- /dev/null
+++ b/basic/plat_public/device.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mtd_device, dev_type;
diff --git a/basic/plat_public/em_app.te b/basic/plat_public/em_app.te
new file mode 100644
index 0000000..144ef4a
--- /dev/null
+++ b/basic/plat_public/em_app.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Policy File of /system/priv-app/EngineerMode/EngineerMode.apk Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type em_app, domain, coredomain;
diff --git a/basic/plat_public/em_svr.te b/basic/plat_public/em_svr.te
new file mode 100644
index 0000000..3236653
--- /dev/null
+++ b/basic/plat_public/em_svr.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/em_svr Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type em_svr, domain;
diff --git a/basic/plat_public/file.te b/basic/plat_public/file.te
new file mode 100644
index 0000000..8c4c5c8
--- /dev/null
+++ b/basic/plat_public/file.te
@@ -0,0 +1,17 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+##########################
+# Filesystem types
+#
+##########################
+# Sys Filesystem types
+
+# Date : 2020/03/25
+# Purpose : mtk Audio headset detect
+type sysfs_headset, fs_type, sysfs_type;
+
+# Date : WK20.20
+# Operation: R migration
+# Purpose : read vbus voltage
+type sysfs_vbus, fs_type, sysfs_type;
diff --git a/basic/plat_public/global_macros b/basic/plat_public/global_macros
new file mode 100644
index 0000000..0ae4a59
--- /dev/null
+++ b/basic/plat_public/global_macros
@@ -0,0 +1,12 @@
+#####################################
+# Common groupings of permissions without map.
+#
+define(`x_file_perms_no_map', `{ getattr execute execute_no_trans }')
+define(`r_file_perms_no_map', `{ getattr open read ioctl lock watch watch_reads }')
+define(`w_file_perms_no_map', `{ open append write lock }')
+define(`rx_file_perms_no_map', `{ getattr open read ioctl lock watch watch_reads execute execute_no_trans }')
+define(`ra_file_perms_no_map', `{ getattr open read ioctl lock watch watch_reads append }')
+define(`rw_file_perms_no_map', `{ getattr open read ioctl lock watch watch_reads append write }')
+define(`rwx_file_perms_no_map', `{ getattr open read ioctl lock watch watch_reads append write execute execute_no_trans }')
+define(`create_file_perms_no_map', `{ create rename setattr unlink getattr open read ioctl lock watch watch_reads append write }')
+
diff --git a/basic/plat_public/kpoc_charger.te b/basic/plat_public/kpoc_charger.te
new file mode 100644
index 0000000..a17827a
--- /dev/null
+++ b/basic/plat_public/kpoc_charger.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/kpoc_charger Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type kpoc_charger, domain;
diff --git a/basic/plat_public/mdi_redirector.te b/basic/plat_public/mdi_redirector.te
new file mode 100644
index 0000000..cd80ba3
--- /dev/null
+++ b/basic/plat_public/mdi_redirector.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mdi_redirector, domain;
diff --git a/basic/plat_public/mdmi_redirector.te b/basic/plat_public/mdmi_redirector.te
new file mode 100644
index 0000000..89ca55e
--- /dev/null
+++ b/basic/plat_public/mdmi_redirector.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mdmi_redirector, domain;
diff --git a/basic/plat_public/mediahelper.te b/basic/plat_public/mediahelper.te
new file mode 100755
index 0000000..16638bc
--- /dev/null
+++ b/basic/plat_public/mediahelper.te
@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mediahelper, domain;
+
diff --git a/basic/plat_public/mtk_advcamserver.te b/basic/plat_public/mtk_advcamserver.te
new file mode 100644
index 0000000..e0b0bf9
--- /dev/null
+++ b/basic/plat_public/mtk_advcamserver.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Policy File of /system/bin/mtk_advcamserver Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type mtk_advcamserver, domain;
diff --git a/basic/plat_public/mtkbootanimation.te b/basic/plat_public/mtkbootanimation.te
new file mode 100644
index 0000000..95254dd
--- /dev/null
+++ b/basic/plat_public/mtkbootanimation.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Policy File of /system/bin/mtkbootanimation Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+#bootanimation oneshot service
+type mtkbootanimation, domain;
diff --git a/basic/plat_public/netd.te b/basic/plat_public/netd.te
new file mode 100644
index 0000000..14ceb98
--- /dev/null
+++ b/basic/plat_public/netd.te
@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+#Suppress the denial for netd to use surfaceflinger
+dontaudit netd surfaceflinger:fd use;
diff --git a/basic/plat_public/netdiag.te b/basic/plat_public/netdiag.te
new file mode 100644
index 0000000..e4a691b
--- /dev/null
+++ b/basic/plat_public/netdiag.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/netdiag Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type netdiag, domain;
diff --git a/basic/plat_public/osi.te b/basic/plat_public/osi.te
new file mode 100644
index 0000000..7bb301d
--- /dev/null
+++ b/basic/plat_public/osi.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type osi, domain;
diff --git a/basic/plat_public/property.te b/basic/plat_public/property.te
new file mode 100644
index 0000000..99f45a7
--- /dev/null
+++ b/basic/plat_public/property.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# system_internal_prop -- Properties used only in /system
+# system_restricted_prop -- Properties which can't be written outside system
+# system_public_prop -- Properties with no restrictions
+# system_vendor_config_prop -- Properties which can be written only by vendor_init
+# vendor_internal_prop -- Properties used only in /vendor
+# vendor_restricted_prop -- Properties which can't be written outside vendor
+# vendor_public_prop -- Properties with no restrictions
+
+# Properties with no restrictions
+system_public_prop(system_mtk_ctl_emdlogger1_prop)
+system_public_prop(system_mtk_ctl_emdlogger2_prop)
+system_public_prop(system_mtk_ctl_emdlogger3_prop)
+system_public_prop(system_mtk_ctl_mdlogger_prop)
+system_public_prop(system_mtk_init_svc_emdlogger1_prop)
diff --git a/basic/plat_public/rsu_app.te b/basic/plat_public/rsu_app.te
new file mode 100644
index 0000000..13e3955
--- /dev/null
+++ b/basic/plat_public/rsu_app.te
@@ -0,0 +1,4 @@
+# ==============================================
+# Policy File of /system/priv-app/RsuService/RsuService.apk Executable File
+
+type rsu_app, domain;
diff --git a/basic/plat_public/teeregistryd_app.te b/basic/plat_public/teeregistryd_app.te
new file mode 100644
index 0000000..16b2887
--- /dev/null
+++ b/basic/plat_public/teeregistryd_app.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type teeregistryd_app, domain;
diff --git a/basic/plat_public/terservice.te b/basic/plat_public/terservice.te
new file mode 100644
index 0000000..8a6527f
--- /dev/null
+++ b/basic/plat_public/terservice.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Policy File of /system/bin/terservice Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type terservice, domain;
diff --git a/basic/plat_public/thermald.te b/basic/plat_public/thermald.te
new file mode 100644
index 0000000..052a0ab
--- /dev/null
+++ b/basic/plat_public/thermald.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/thermald Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type thermald, domain;
diff --git a/basic/plat_public/usp_service.te b/basic/plat_public/usp_service.te
new file mode 100644
index 0000000..493c870
--- /dev/null
+++ b/basic/plat_public/usp_service.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/usp_service Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type usp_service ,domain;
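Review bot: The declaration `type usp_service ,domain;` puts the comma after a space, unlike every other type declaration in this commit (`type thermald, domain;` in the previous file); it parses, but the stray spacing reads as a typo. Change it to `type usp_service, domain;` so the file matches the rest of the tree.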
diff --git a/basic/plat_public/vtservice.te b/basic/plat_public/vtservice.te
new file mode 100644
index 0000000..e10bbfc
--- /dev/null
+++ b/basic/plat_public/vtservice.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Policy File of /system/bin/vtservice Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# TODO: Should move to plat_private after split.
+type vtservice, domain;
diff --git a/bsp/debug/non_plat/aee_aedv.te b/bsp/debug/non_plat/aee_aedv.te
new file mode 100644
index 0000000..5944760
--- /dev/null
+++ b/bsp/debug/non_plat/aee_aedv.te
@@ -0,0 +1,11 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK16.21
+# Operation : direct coredump enhancement
+# Purpose : support abort message dumping
+userdebug_or_eng(`
+ allow aee_aedv coredump_file:dir { remove_name };
+ allow aee_aedv coredump_file:file { unlink };
+')
diff --git a/bsp/debug/non_plat/domain.te b/bsp/debug/non_plat/domain.te
new file mode 100644
index 0000000..9a66593
--- /dev/null
+++ b/bsp/debug/non_plat/domain.te
@@ -0,0 +1,4 @@
+# Date : WK17.29
+# Operation : Migration
+# Purpose : for aee dump systemAPI db, get backtrace
+allow domain aee_aedv:process sigchld;
diff --git a/bsp/debug/non_plat/file.te b/bsp/debug/non_plat/file.te
new file mode 100644
index 0000000..f38e08e
--- /dev/null
+++ b/bsp/debug/non_plat/file.te
@@ -0,0 +1,9 @@
+# Date : WK16.35
+# Operation : untrusted_app support direct-coredump abort message
+# Purpose :
+# avc: denied { write } for name="aee_interim" dev="dm-0" ino=8236
+# scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:coredump_file:s0
+# tclass=dir permissive=0
+userdebug_or_eng(`
+ typeattribute coredump_file mlstrustedobject;
+')
diff --git a/bsp/debug/non_plat/logd.te b/bsp/debug/non_plat/logd.te
new file mode 100644
index 0000000..17fe263
--- /dev/null
+++ b/bsp/debug/non_plat/logd.te
@@ -0,0 +1,2 @@
+# purpose: allow logd to access aee socket
+allow logd crash_dump:unix_stream_socket connectto;
diff --git a/bsp/debug/non_plat/platform_app.te b/bsp/debug/non_plat/platform_app.te
new file mode 100644
index 0000000..4a8b81a
--- /dev/null
+++ b/bsp/debug/non_plat/platform_app.te
@@ -0,0 +1,6 @@
+# Date : 2021/05/19
+# Purpose :[CdsInfo] read/ write WI-FI MAC address by NVRAM API
+# Package Name: com.mediatek.connectivity
+hal_client_domain(platform_app, hal_mtk_nvramagent)
+hal_client_domain(platform_app, hal_telephony)
+binder_call(platform_app, rild)
\ No newline at end of file
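Review bot: `hal_client_domain(platform_app, hal_mtk_nvramagent)` grants NVRAM-agent HAL access to the whole platform_app domain, not just the com.mediatek.connectivity package named in the comment, so every platform-signed app gains the ability to read/write the Wi-Fi MAC through that HAL; the same domain-wide scoping applies to the set_prop grants at L17643–L17644 and the hal_mtk_log grant at L17549. If only that package needs it, a dedicated app domain assigned via seapp_contexts would confine the grant; if the broad scope is intended, record it: `# NOTE: applies to all platform_app processes, not only com.mediatek.connectivity`. The file also lacks a trailing newline, as do rild.te at L17518, platform_app.te at L17645 and em_app.te at L18381.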
diff --git a/bsp/debug/non_plat/rild.te b/bsp/debug/non_plat/rild.te
new file mode 100644
index 0000000..b51dde8
--- /dev/null
+++ b/bsp/debug/non_plat/rild.te
@@ -0,0 +1,4 @@
+# Date: 2021/05/25
+# Operation: Engineer mode send AT command
+# Purpose: allow rild callback to CDS_INFO app
+binder_call(rild, platform_app)
\ No newline at end of file
diff --git a/bsp/debug/non_plat/shell.te b/bsp/debug/non_plat/shell.te
new file mode 100644
index 0000000..4af0fe9
--- /dev/null
+++ b/bsp/debug/non_plat/shell.te
@@ -0,0 +1,4 @@
+# Date : WK17.46
+# Operation : Migration
+# Purpose: Allow shell to read KE DB
+allow shell aee_dumpsys_data_file:file r_file_perms;
diff --git a/bsp/debug/non_plat/surfaceflinger.te b/bsp/debug/non_plat/surfaceflinger.te
new file mode 100644
index 0000000..92b0add
--- /dev/null
+++ b/bsp/debug/non_plat/surfaceflinger.te
@@ -0,0 +1 @@
+allow surfaceflinger aee_exp_data_file:file write;
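Review bot: This is the only new rule in the commit with no date/purpose comment, and `write` without `open` on aee_exp_data_file suggests surfaceflinger is handed an already-open descriptor by aee rather than opening the file itself — that intent is recorded nowhere. Add a header in the style of the sibling files, e.g. `# Purpose: let surfaceflinger write into an exception-dump fd passed in by aee (no open needed)`, after confirming the fd-passing assumption.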
diff --git a/bsp/debug/non_plat/system_app.te b/bsp/debug/non_plat/system_app.te
new file mode 100644
index 0000000..15cfebb
--- /dev/null
+++ b/bsp/debug/non_plat/system_app.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+
+# Date: 2019/09/11
+# Purpose: Allow atmwifimeta apk to use HIDL and access loghidlvendorservice
+hal_client_domain(system_app, hal_mtk_log)
diff --git a/bsp/debug/non_plat/system_server.te b/bsp/debug/non_plat/system_server.te
new file mode 100644
index 0000000..a4038d5
--- /dev/null
+++ b/bsp/debug/non_plat/system_server.te
@@ -0,0 +1,9 @@
+# Date:2020/09/01
+# Operation:R Migration
+allow system_server proc_aed:dir search;
+
+# Search /proc/iommu/debug
+allow system_server proc_iommu_debug:dir search;
+
+# Search /proc/dmaheap
+allow system_server proc_dmaheap:dir search;
diff --git a/bsp/debug/non_plat/untrusted_app.te b/bsp/debug/non_plat/untrusted_app.te
new file mode 100644
index 0000000..c03c690
--- /dev/null
+++ b/bsp/debug/non_plat/untrusted_app.te
@@ -0,0 +1,9 @@
+# Date : WK16.35
+# Operation : untrusted_app support direct-coredump abort message
+# Purpose :
+# avc: denied { write } for name="aee_interim" dev="dm-0" ino=8236
+# scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:coredump_file:s0
+# tclass=dir permissive=0
+userdebug_or_eng(`
+ allow untrusted_app coredump_file:dir w_dir_perms;
+')
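Review bot: The grant covers only the `untrusted_app` domain, while apps targeting older SDK levels run in sibling domains such as `untrusted_app_25` (which drmserver.te in this same commit enumerates separately at L18218), so the debug coredump path presumably still denies for those apps. If the feature is meant for all untrusted apps, consider the `untrusted_app_all` attribute (confirm it exists in this platform version), or document the deliberate restriction: `# only untrusted_app (current target SDK); legacy untrusted_app_N domains intentionally excluded`. Since this is w_dir_perms on a shared dump directory granted to untrusted code, keeping it inside userdebug_or_eng as done here matters.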
diff --git a/bsp/debug/non_plat/viarild.te b/bsp/debug/non_plat/viarild.te
new file mode 100644
index 0000000..04d4972
--- /dev/null
+++ b/bsp/debug/non_plat/viarild.te
@@ -0,0 +1,2 @@
+# For Kryptowire mtklog issue
+allow viarild aee_aedv:unix_stream_socket connectto;
diff --git a/bsp/debug/plat_private/domain.te b/bsp/debug/plat_private/domain.te
new file mode 100644
index 0000000..1748f84
--- /dev/null
+++ b/bsp/debug/plat_private/domain.te
@@ -0,0 +1,4 @@
+# Date : WK17.29
+# Operation : Migration
+# Purpose : for aee dump systemAPI db, get backtrace
+allow domain crash_dump:process sigchld;
diff --git a/bsp/debug/plat_private/em_app.te b/bsp/debug/plat_private/em_app.te
new file mode 100644
index 0000000..9b70794
--- /dev/null
+++ b/bsp/debug/plat_private/em_app.te
@@ -0,0 +1,2 @@
+#For debug utils
+get_prop(em_app, system_mtk_persist_mtk_aee_prop)
diff --git a/bsp/debug/plat_private/emdlogger.te b/bsp/debug/plat_private/emdlogger.te
new file mode 100644
index 0000000..fc7c51b
--- /dev/null
+++ b/bsp/debug/plat_private/emdlogger.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# get & set persist.vendor.radio.port_index proeprty
+set_prop(emdlogger, system_mtk_atci_sys_prop)
+
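Review bot: The comment `# get & set persist.vendor.radio.port_index proeprty` does not match the rule beneath it, which grants set_prop on `system_mtk_atci_sys_prop` — a type whose name suggests an ATCI system property rather than a persist.vendor.radio.* one — and it contains a typo. Either correct the comment to name the property that system_mtk_atci_sys_prop actually maps to, or, if the intent really is persist.vendor.radio.port_index, the grant targets the wrong type. Also drop the trailing empty line at the end of the file.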
diff --git a/bsp/debug/plat_private/mobile_log_d.te b/bsp/debug/plat_private/mobile_log_d.te
new file mode 100644
index 0000000..2a70fab
--- /dev/null
+++ b/bsp/debug/plat_private/mobile_log_d.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# purpose: allow mobile_log_d to read persist.vendor.log.tel_dbg
+get_prop(mobile_log_d, system_mtk_em_tel_log_prop)
+
+# purpose: allow mobile_log_d to read persist.vendor.logmuch
+get_prop(mobile_log_d, system_mtk_logmuch_prop)
diff --git a/bsp/debug/plat_private/platform_app.te b/bsp/debug/plat_private/platform_app.te
new file mode 100644
index 0000000..3b183df
--- /dev/null
+++ b/bsp/debug/plat_private/platform_app.te
@@ -0,0 +1,5 @@
+# Date: 2021/07/16
+# Purpose : DebugLoggerUI support for telephony log settings
+# Package: com.debug.loggerui
+set_prop(platform_app, system_mtk_logmuch_prop)
+set_prop(platform_app, system_mtk_em_tel_log_prop)
\ No newline at end of file
diff --git a/bsp/debug/plat_private/system_server.te b/bsp/debug/plat_private/system_server.te
new file mode 100644
index 0000000..4d61c64
--- /dev/null
+++ b/bsp/debug/plat_private/system_server.te
@@ -0,0 +1,7 @@
+# Date : 2016/11/11
+# Purpose : Add permission for aee socket access to report Java Layer Exception
+allow system_server crash_dump:unix_stream_socket connectto;
+
+# Date:2020/12/23
+# Operation:R Migration, add permission for AMS read mtk_AEE_prop
+get_prop(system_server, system_mtk_persist_aee_prop)
diff --git a/bsp/non_plat/GoogleOtaBinder.te b/bsp/non_plat/GoogleOtaBinder.te
new file mode 100644
index 0000000..a5c370f
--- /dev/null
+++ b/bsp/non_plat/GoogleOtaBinder.te
@@ -0,0 +1,10 @@
+# ==============================================
+# Policy File of /system/bin/GoogleOtaBinder Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+#/dev/misc
+allow GoogleOtaBinder misc_device:chr_file rw_file_perms;
+
diff --git a/bsp/non_plat/apmsrv_app.te b/bsp/non_plat/apmsrv_app.te
new file mode 100644
index 0000000..569b20e
--- /dev/null
+++ b/bsp/non_plat/apmsrv_app.te
@@ -0,0 +1,11 @@
+# ==============================================
+# Policy File of /system/priv-app/ApmService/ApmService.apk Executable File
+# This is a workaround for Google bug, put apmsrv_app in non_platform
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Allow to get DMC properties
+get_prop(apmsrv_app, vendor_mtk_dmc_prop)
+
diff --git a/bsp/non_plat/app.te b/bsp/non_plat/app.te
new file mode 100644
index 0000000..dc0b3ac
--- /dev/null
+++ b/bsp/non_plat/app.te
@@ -0,0 +1,14 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2016/07/11
+# Operation: Migration
+# Purpose: Add permission for gpu access
+allow appdomain dri_device:chr_file rw_file_perms;
+
+#allow mtk_sec_video_path_support
+get_prop(appdomain, vendor_mtk_sec_video_path_support_prop)
+
+#allow mtk_mtee_on_svp_support
+get_prop(appdomain, vendor_mtk_svp_on_mtee_support_prop)
diff --git a/bsp/non_plat/atci_service_sys.te b/bsp/non_plat/atci_service_sys.te
new file mode 100644
index 0000000..c45ee87
--- /dev/null
+++ b/bsp/non_plat/atci_service_sys.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Policy File of /system/bin/atci_service_sys Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow atci_service_sys nfc_socket_file:dir w_dir_perms;
+allow atci_service_sys system_file:file execute_no_trans;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow atci_service_sys proc_ged:file rw_file_perms;
+
+# Date : WK17.01
+# Operation : Migration
+# Purpose : Update AT_Command NFC function
+allow atci_service_sys factory_data_file:sock_file write;
+
+# Date : WK18.21
+# Purpose: Allow to use HIDL
+hal_client_domain(atci_service_sys, hal_mtk_atci)
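Review bot: `allow atci_service_sys system_file:file execute_no_trans;` lets the daemon exec any binary under /system in its own domain without a transition and, unlike the other rules in this file, carries no date/purpose comment; the same is true of the `nfc_socket_file:dir w_dir_perms` rule above it. Narrow it to the specific executable type(s) actually launched if possible, and otherwise document why the whole system_file type is needed: `# Purpose: atci_service_sys execs <TOOL> from /system in-domain; narrow to a dedicated exec type if one exists`.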
diff --git a/bsp/non_plat/audioserver.te b/bsp/non_plat/audioserver.te
new file mode 100644
index 0000000..9dd0465
--- /dev/null
+++ b/bsp/non_plat/audioserver.te
@@ -0,0 +1,23 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK15.03
+# Operation : Migration
+# Purpose : offloadservice
+allow audioserver offloadservice_device:chr_file rw_file_perms;
+
+# Date : WK15.44
+# Operation : Migration
+# Purpose : ancservice
+allow audioserver ancservice_device:chr_file rw_file_perms;
+
+# Date : WK17.31
+# Operation : ViLTE
+# Purpose : for ViLTE - set VTservice has permission to access me
+binder_call(audioserver, vtservice)
+
+# Date : WK18.42
+# Operation : Migration
+# Purpose : adsp
+allow audioserver adsp_device:chr_file rw_file_perms;
diff --git a/bsp/non_plat/bluetooth.te b/bsp/non_plat/bluetooth.te
new file mode 100644
index 0000000..5e1c5b9
--- /dev/null
+++ b/bsp/non_plat/bluetooth.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Device access
+allow bluetooth stpbt_device:chr_file rw_file_perms;
+
+# NVRAM access
+allow bluetooth nvram_data_file:dir search;
+allow bluetooth nvram_data_file:file rw_file_perms;
+allow bluetooth nvram_data_file:lnk_file r_file_perms;
+allow bluetooth nvdata_file:lnk_file r_file_perms;
+allow bluetooth nvdata_file:dir search;
+allow bluetooth nvdata_file:file rw_file_perms;
+
+allow bluetooth block_device:dir search;
+allow bluetooth proc_secmem:file r_file_perms;
+
+# Date : WK15.36
+# Operation : Migration
+# Purpose: Allow bluetooth to access surfaceflinger
+allow bluetooth surfaceflinger:fifo_file rw_file_perms;
diff --git a/bsp/non_plat/boot_logo_updater.te b/bsp/non_plat/boot_logo_updater.te
new file mode 100644
index 0000000..1a07963
--- /dev/null
+++ b/bsp/non_plat/boot_logo_updater.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow boot_logo_updater sysfs:dir open;
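Review bot: `allow boot_logo_updater sysfs:dir open;` grants only `open` on sysfs directories — without `search`/`read` an opendir()+readdir() still denies — so this looks like a rule transcribed from a single avc line rather than the full access pattern. Confirm whether the daemon actually needs `r_dir_perms` on a more specific sysfs label, or add a comment explaining why `open` alone suffices here.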
diff --git a/bsp/non_plat/bootanim.te b/bsp/non_plat/bootanim.te
new file mode 100644
index 0000000..6d34bc6
--- /dev/null
+++ b/bsp/non_plat/bootanim.te
@@ -0,0 +1,15 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.31
+# Operation : Migration
+# Purpose : access to sec mem proc interface.
+allow bootanim proc_secmem:file r_file_perms;
+
+# Date : WK16.29
+# Operation : Migration
+# Purpose : for gpu access
+allow bootanim dri_device:chr_file rw_file_perms;
+
+allow bootanim debugfs_ion:dir search;
diff --git a/bsp/non_plat/bp_kmsetkey_ca.te b/bsp/non_plat/bp_kmsetkey_ca.te
new file mode 100644
index 0000000..8563324
--- /dev/null
+++ b/bsp/non_plat/bp_kmsetkey_ca.te
@@ -0,0 +1,14 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type bp_kmsetkey_ca_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(bp_kmsetkey_ca)
+
+set_prop(bp_kmsetkey_ca, vendor_mtk_soter_teei_prop)
+
+allow bp_kmsetkey_ca ut_keymaster_device:chr_file rw_file_perms;
+allow bp_kmsetkey_ca teei_client_device:chr_file rw_file_perms;
+
+hal_client_domain(bp_kmsetkey_ca, hal_keymaster)
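Review bot: The file declares the exec type and the device/HAL grants for a keymaster-related daemon (ut_keymaster_device, teei_client_device, hal_keymaster) but, unlike the other new policy files, has no `# Policy File of /vendor/bin/... Executable File` line or any purpose comment, and the `bp_kmsetkey_ca` domain type itself is not declared here (presumably in basic/non_plat — confirm). A one-line header naming the binary and what it provisions would help future reviewers judge why the domain needs both a TEE client device and a keymaster HAL client relationship.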
diff --git a/bsp/non_plat/camerapostalgo.te b/bsp/non_plat/camerapostalgo.te
new file mode 100644
index 0000000..9023a6d
--- /dev/null
+++ b/bsp/non_plat/camerapostalgo.te
@@ -0,0 +1,26 @@
+# ==============================================
+# Policy File of /system/bin/camerapostalgo Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow camerapostalgo proc_perfmgr:dir r_dir_perms;
+allow camerapostalgo proc_perfmgr:file r_file_perms;
+allowxperm camerapostalgo proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_QUEUE
+ PERFMGR_FPSGO_DEQUEUE
+ PERFMGR_FPSGO_QUEUE_CONNECT
+ PERFMGR_FPSGO_BQID
+};
+
+allow camerapostalgo proc_ged:file r_file_perms;
+allowxperm camerapostalgo proc_ged:file ioctl { proc_ged_ioctls };
+allow camerapostalgo debugfs_ion:dir search;
+
+# ipc call
+hal_client_domain(camerapostalgo, hal_mtk_mms)
+hal_client_domain(camerapostalgo, hal_graphics_allocator)
+allow camerapostalgo hal_graphics_mapper_hwservice:hwservice_manager find;
+allow camerapostalgo hal_configstore_default:binder call;
+
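Review bot: `allow camerapostalgo hal_configstore_default:binder call;` binds the policy to the default configstore implementation domain instead of the `hal_configstore` attribute; the conventional form is `hal_client_domain(camerapostalgo, hal_configstore)`, which also covers the hwservice_manager find and any non-default implementation. The explicit `hal_graphics_mapper_hwservice:hwservice_manager find` line appears redundant with the hal_graphics_allocator client grant above it, which in AOSP already includes that find — confirm for this tree. Also drop the trailing blank line at end of file.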
diff --git a/bsp/non_plat/cameraserver.te b/bsp/non_plat/cameraserver.te
new file mode 100644
index 0000000..b5bf393
--- /dev/null
+++ b/bsp/non_plat/cameraserver.te
@@ -0,0 +1,32 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK16.29
+# Operation : Migration
+# Purpose : Add permission for gpu access
+allow cameraserver dri_device:chr_file rw_file_perms;
+
+# Date : WK16.30
+# Operation : Migration
+# Purpose : allow camera to save raw data on sdcard
+allow cameraserver fuse:dir create_dir_perms;
+allow cameraserver fuse:file create_file_perms;
+
+# Date : WK16.33
+# Operation : Migration
+# Purpose : Dump camera buffer to sdcard for debug
+allow cameraserver sdcardfs:dir create_dir_perms;
+allow cameraserver sdcardfs:file create_file_perms;
+allow cameraserver media_rw_data_file:dir create_dir_perms;
+allow cameraserver media_rw_data_file:file create_file_perms;
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use shared memory for HAL PQ
+hal_client_domain(cameraserver, hal_allocator)
+
+# Date : WK17.31
+# Operation : ViLTE
+# Purpose : for ViLTE - set VTservice has permission to access me
+binder_call(cameraserver, vtservice)
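Review bot: The rules commented "Dump camera buffer to sdcard for debug" (sdcardfs/media_rw_data_file create_dir_perms/create_file_perms at L17905–L17908) and the fuse create rules above them live in the production bsp/non_plat policy, neither in a debug directory nor wrapped in userdebug_or_eng, so cameraserver keeps full create/write access to user storage on user builds. If the dump path is truly debug-only, wrap those lines in a userdebug_or_eng block as the commit already does elsewhere (e.g. bsp/debug/non_plat/aee_aedv.te); if saving raw data is a product feature, reword the comment so it no longer claims to be debug-only.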
diff --git a/bsp/non_plat/capability_app.te b/bsp/non_plat/capability_app.te
new file mode 100644
index 0000000..106af33
--- /dev/null
+++ b/bsp/non_plat/capability_app.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Policy File of /system/priv-app/CapabilityTest/CapabilityTest.apk Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow capability_app sysfs_boot_mode:file r_file_perms;
+allow capability_app debugfs_ion:dir search;
diff --git a/bsp/non_plat/ccci_mdinit.te b/bsp/non_plat/ccci_mdinit.te
new file mode 100644
index 0000000..db0051d
--- /dev/null
+++ b/bsp/non_plat/ccci_mdinit.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+#=============allow ccci_mdinit to start/stop fsd==============
+typeattribute ccci_mdinit mtkimsapdomain;
+set_prop(ccci_mdinit, vendor_mtk_ctl_ccci_rpcd_prop)
+set_prop(ccci_mdinit, vendor_mtk_ctl_ccci2_rpcd_prop)
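Review bot: The comment `#=============allow ccci_mdinit to start/stop fsd==============` does not match the rules beneath it, which grant set_prop on the ccci_rpcd and ccci2_rpcd control properties, and `typeattribute ccci_mdinit mtkimsapdomain;` is left unexplained under that same heading. Fix the comment to name rpcd (or add the fsd control property if that was the intent) and give the typeattribute its own purpose line, e.g. `# ccci_mdinit inherits the mtkimsapdomain rules because <REASON>`.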
diff --git a/bsp/non_plat/ccci_rpcd.te b/bsp/non_plat/ccci_rpcd.te
new file mode 100644
index 0000000..92de144
--- /dev/null
+++ b/bsp/non_plat/ccci_rpcd.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Policy File of /vendor/bin/ccci_fsd Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type ccci_rpcd_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(ccci_rpcd)
+
+wakelock_use(ccci_rpcd)
+
+allow ccci_rpcd ccci_device:chr_file rw_file_perms;
+allow ccci_rpcd block_device:dir search;
+allow ccci_rpcd misc2_block_device:blk_file rw_file_perms;
+allow ccci_rpcd bootdevice_block_device:blk_file rw_file_perms;
+
+allow ccci_rpcd sysfs_ccci:dir search;
+allow ccci_rpcd sysfs_ccci:file r_file_perms;
+
+allow ccci_rpcd md_block_device:blk_file r_file_perms;
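Review bot: The header says `# Policy File of /vendor/bin/ccci_fsd Executable File` while the exec type and every rule in the file are for ccci_rpcd, so it looks copy-pasted from the fsd policy. Separately, `allow ccci_rpcd bootdevice_block_device:blk_file rw_file_perms;` grants raw read/write on the entire boot storage device — far broader than the misc2 and md partition labels on the neighbouring lines — with no comment on why a per-partition label does not suffice. Correct the header and add a justification such as `# Purpose: <WHY RAW BOOTDEVICE RW IS REQUIRED INSTEAD OF A PARTITION LABEL>`.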
diff --git a/bsp/non_plat/dconfig.te b/bsp/non_plat/dconfig.te
new file mode 100644
index 0000000..1e7fc9b
--- /dev/null
+++ b/bsp/non_plat/dconfig.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mtk_dconfig_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(mtk_dconfig)
+userdebug_or_eng(`
+ allow mtk_dconfig mtk_hal_dplanner:fd use;
+ allow mtk_dconfig mtk_hal_dplanner:fifo_file { w_file_perms getattr };
+')
+allow mtk_dconfig proc_chip:file r_file_perms;
+allow mtk_dconfig sysfs_chipid:file r_file_perms;
+
+#for setting
+allow mtk_dconfig mtk_dconfig_exec:file execute_no_trans;
+allow mtk_dconfig block_device:dir search;
+allow mtk_dconfig boot_para_block_device:blk_file rw_file_perms;
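Review bot: `allow mtk_dconfig boot_para_block_device:blk_file rw_file_perms;` gives the daemon raw write access to the boot-parameter partition, yet the only explanation is `#for setting` two lines above; a grant of this kind needs context for the next reviewer. Expand it to something like `# Purpose: mtk_dconfig persists <WHICH SETTINGS> into the boot_para partition via raw block writes`. Also separate the userdebug_or_eng block from init_daemon_domain with a blank line and a purpose comment, matching the rest of the file.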
diff --git a/bsp/non_plat/dmc_core.te b/bsp/non_plat/dmc_core.te
new file mode 100644
index 0000000..7c72aff
--- /dev/null
+++ b/bsp/non_plat/dmc_core.te
@@ -0,0 +1,39 @@
+# ==============================================
+# Policy File of /vendor/bin/dmc_core Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type dmc_core_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(dmc_core)
+
+# ==============================================
+# Date : W1920
+# Operation : Diagnostic framework Q migration
+# ==============================================
+
+# Purpose : allow dmc_core to start DMC and APM HIDL server
+hal_server_domain(dmc_core, hal_mtk_dmc)
+hal_server_domain(dmc_core, hal_mtk_apm)
+
+# Purpose : for dmc_core to connenct to md_monitor
+hal_client_domain(dmc_core, md_monitor_hal)
+
+# Purpose : for dmc_core to access /data/md_mon/
+allow dmc_core md_monitor_vendor_file:dir r_dir_perms;
+allow dmc_core md_monitor_vendor_file:file r_file_perms;
+
+# Purpose : Allow dmc_core to start/stop md_monitor
+set_prop(dmc_core, ctl_start_prop)
+set_prop(dmc_core, ctl_stop_prop)
+
+# Purpose : Allow dmc_core to set DMC control property (vendor.dmc.apm.active)
+set_prop(dmc_core, vendor_mtk_dmc_prop)
+
+# Add policy read property for init.svc.md_monitor
+get_prop(dmc_core, system_mtk_init_svc_md_monitor_prop)
+
+# Add policy read property for init.svc.mtk_pkm_service
+get_prop(dmc_core, system_mtk_pkm_init_prop)
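Review bot: `set_prop(dmc_core, ctl_start_prop)` and `set_prop(dmc_core, ctl_stop_prop)` grant the generic ctl.start/ctl.stop properties, which let the daemon start or stop any service on the device, while the comment says the goal is only md_monitor. Android init supports per-service control contexts (ctl.start$<service>), so a dedicated property type for md_monitor would scope this correctly; if no such type exists in this tree yet, at minimum record the over-grant: `# TODO: scope to a ctl.start$md_monitor / ctl.stop$md_monitor property type instead of the global ctl_*_prop`. The comment at L18026 also misspells `connect`.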
diff --git a/bsp/non_plat/domain.te b/bsp/non_plat/domain.te
new file mode 100644
index 0000000..d724bc1
--- /dev/null
+++ b/bsp/non_plat/domain.te
@@ -0,0 +1,23 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK15.29
+# Operation : Migration
+# Purpose : for device bring up, not to block early migration
+allow { domain -isolated_app } storage_file:dir search;
+
+# Date : W17.47
+# Allow system_server to enable/disable logmuch_prop for Wi-Fi logging purpose
+neverallow {
+ domain
+ -init
+ -mtkrild
+ -mtk_hal_camera
+ -vendor_init
+ } vendor_mtk_logmuch_prop:property_service set;
+
+# Date : WK18.34
+# Operation : Migration
+# Purpose : for CTS android.os.cts.SecurityPatchTest
+get_prop(domain, vendor_security_patch_level_prop)
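Review bot: The comment above the neverallow says it exists so system_server can enable/disable logmuch_prop, but system_server is not in the exception list — only init, mtkrild, mtk_hal_camera and vendor_init may set vendor_mtk_logmuch_prop — so either the comment or the rule is stale, and mtk_hal_camera being permitted to set a Wi-Fi logging property deserves its own explanation. Separately, `allow { domain -isolated_app } storage_file:dir search;` is justified only as a bring-up workaround ("not to block early migration"), which is weak grounds for a domain-wide grant in shipping policy; either narrow it to the consumers that need it or replace the comment with the actual reason.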
diff --git a/bsp/non_plat/drmserver.te b/bsp/non_plat/drmserver.te
new file mode 100644
index 0000000..b0670d9
--- /dev/null
+++ b/bsp/non_plat/drmserver.te
@@ -0,0 +1,143 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.30
+# Operation : DRM UT
+# Purpose : To pass DRM UT
+allow drmserver mtk_hal_nvramagent:binder call;
+allow drmserver platform_app:dir search;
+allow drmserver platform_app:file { read getattr open };
+allow drmserver radio_data_file:file { read getattr open };
+allow drmserver sdcard_type:file open;
+
+# Date : WK14.36
+# Operation : DRM UT
+# Purpose : Make drmserver and binder read /proc/pid/cmdline to get process name
+allow drmserver system_app:dir search;
+allow drmserver system_app:file { read open getattr };
+
+# Mediaserver to drmserver
+allow drmserver mediaserver:dir search;
+allow drmserver mediaserver:file { read open getattr };
+
+# Date : WK14.36.5
+# Operation : DRM UT
+# Purpose : Make widevine mediacodec mode work
+allow drmserver untrusted_app:dir search;
+allow drmserver untrusted_app:file { read open getattr };
+
+# Date : WK14.40.1
+# Operation : DRM SQC - play OMA DRM audio file failed
+# Purpose : Make OMA DRM audio file can be played
+allow drmserver radio_data_file:dir search;
+
+# Date : WK14.44.2
+# Operation : DRM SQC - view image failed
+# Purpose : To fix ALPS01790300
+allow drmserver surfaceflinger:fd use;
+
+# Date : WK14.44.3
+# Operation : MTBF test fail
+# Purpose : To fix ALPS01793801
+allow drmserver mediaserver:fifo_file read;
+
+# Date : WK14.46.4
+# Operation : DRM SQC - view image failed
+# Purpose : To fix ALPS01822176
+allow drmserver mediaserver:fifo_file write;
+
+# Date : WK15.30
+# Operation : Migration
+# Purpose : for device bring up, not to block early migration/sanity
+allow drmserver system_app:process getattr;
+
+# Date : WK15.34
+# Operation : Play Ready IT
+# Purpose : Allow access to link file; Such as play ready will request
+# drmserver to access /mnt/sdcard/xxx, which links to /sdcard/xxx.
+allow drmserver mnt_user_file:dir search;
+allow drmserver mnt_user_file:lnk_file read;
+allow drmserver storage_file:lnk_file read;
+
+# Add by : Jackie
+# Date : WK15.34
+# Operation : Migration
+# Purpose : Allow drmserver to access some system_server opreration on M
+# and allow drmserver access file stored in sdcard
+use_drmservice(system_server)
+allow drmserver system_server:file getattr;
+allow system_server drmserver:drmservice openDecryptSession;
+
+# Date : WK15.35
+# Operation : Migration
+# Purpose : Allow reador path="/data/data/com.mediatek.voicecommand/training
+# /unlock/passwordfile/0.dat"
+allow drmserver system_app_data_file:file read;
+
+# Add by : Jackie
+# Date : WK15.35
+# Operation : Migration
+# Purpose : allow drmserver access file stored in sdcard like /mnt/media_rw/
+allow drmserver vfat:file open;
+allow drmserver mnt_media_rw_file:dir search;
+
+# Add by : Jackie
+# Date : WK15.44
+# Operation : Migration
+# Purpose : allow drmserver access nfc process info, because drmserver need
+# check whether calling process is granted process, it need get process name
+# with calling pid
+allow drmserver nfc:dir search;
+allow drmserver nfc:file { read getattr open };
+
+# Add by : Jackie
+# Date : WK16.17
+# Operation : Bug Fixed
+# Purpose : allow drmserver access internal storage which mounted by sdcard, on Android M,
+# google add new feature which can format sdcard as internal storage. MediaScanner will use
+# .maybeTranslateEmulatedPathToInternal to translate emulate storage path(/storage/emulated/0)
+# to internal storage path(/mnt/expand/edf477fd-9470-450e-882a-7ecda941edf6/media/0), this
+# need add policy to grand permission.
+allow drmserver mnt_expand_file:dir search;
+
+# Add by : Jackie
+# Date : WK16.25
+# Operation : New Feature
+# Purpose : allow drmserver get AMS to start renew/expire/secure time invalid dialog
+allow drmserver activity_service:service_manager find;
+
+# Add by : Jackie
+# Date : WK16.26
+# Operation : Migration
+# Purpose : allow drmserver access priv app(such as wallpaper) info, because
+# drmserver need check whether calling process is granted process, it need
+# get process name with calling pid
+allow drmserver priv_app:dir search;
+allow drmserver priv_app:file { read getattr open };
+
+# Add by : Bo
+# Date : WK16.27
+# Operation : Migration
+# Purpose : allow drmserver encrypt file
+allow drmserver media_rw_data_file:file write;
+
+# Add by : Jackie
+# Date : WK16.34
+# Operation : Migration
+# Purpose : allow drmserver access ringtone file, so that it can play
+# FL cached ringtone in /data/system_de/0/ringtones/ringtone_cache
+allow drmserver ringtone_file:file read;
+
+# Fix boot violation
+allow drmserver proc_uptime:file r_file_perms;
+
+# Add by : sheetal.garg
+# Operation : Migration issue
+allow drmserver mediaextractor:dir search;
+allow drmserver mediaextractor:file { read open getattr };
+allow drmserver untrusted_app_25:dir search;
+allow drmserver untrusted_app_25:file { getattr open read };
+
+allow drmserver proc_uptime:file read;
+allow drmserver sdcardfs:file open;
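Review bot: `allow drmserver proc_uptime:file read;` in the last block is already covered by `allow drmserver proc_uptime:file r_file_perms;` at L18212 and should be dropped; `sdcardfs:file open` likewise overlaps the earlier `sdcard_type:file open` grant if sdcardfs carries the sdcard_type attribute in this tree (it does in AOSP — confirm). The comment at L18153 (`Allow reador path=...`) is garbled; rewrite it as `# Purpose: allow drmserver to read /data/data/com.mediatek.voicecommand/training/unlock/passwordfile/0.dat`. The per-domain /proc/<pid> read grants (untrusted_app, untrusted_app_25, priv_app, platform_app, system_app, nfc) enumerate caller domains by hand, so any app domain added later will silently break the process-name lookup the comments describe.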
diff --git a/bsp/non_plat/dumpstate.te b/bsp/non_plat/dumpstate.te
new file mode 100644
index 0000000..d61c0f6
--- /dev/null
+++ b/bsp/non_plat/dumpstate.te
@@ -0,0 +1,11 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK19.22
+# Operation : let dumpstate can read sysfs_mmcblk
+# Purpose : fix Test error
+allow dumpstate sysfs_devices_block:file r_file_perms;
+
+# Purpose: workaround patch for xTS
+allow dumpstate mtk_hal_neuralnetworks:process signal;
diff --git a/bsp/non_plat/e2fs.te b/bsp/non_plat/e2fs.te
new file mode 100644
index 0000000..592dae0
--- /dev/null
+++ b/bsp/non_plat/e2fs.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow e2fs cache_block_device:blk_file getattr;
+allow e2fs devpts:chr_file { getattr ioctl };
+allow e2fs sysfs_fs_ext4_features:dir search;
+allow e2fs system_block_device:blk_file getattr;
+allow e2fs vendor_block_device:blk_file getattr;
diff --git a/bsp/non_plat/em_app.te b/bsp/non_plat/em_app.te
new file mode 100644
index 0000000..c762b58
--- /dev/null
+++ b/bsp/non_plat/em_app.te
@@ -0,0 +1,120 @@
+# ==============================================
+# Policy File of /system/priv-app/EngineerMode/EngineerMode.apk Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# For Rild hidl connection
+binder_call(em_app, rild)
+
+# For lbs hidl usage
+hal_client_domain(em_app, hal_mtk_lbs)
+
+# Allow to get vendor_mtk_dmc_prop
+get_prop(em_app, vendor_mtk_dmc_prop)
+
+# Date: 2020/03/25
+# Purpose : Allow get USB Current Speed in Engineer Mode
+get_prop(em_app, vendor_mtk_usb_prop)
+
+# Date: 2020/04/30
+# Purose: telephony -> Vilte
+get_prop(em_app, vendor_mtk_vendor_vt_prop)
+
+# Purose: SIM Switch
+get_prop(em_app, vendor_mtk_simswitch_emmode_prop)
+
+# Date: 2020/04/30
+# Purpose: telephony ->IMS
+get_prop(em_app, vendor_mtk_mims_prop)
+get_prop(em_app, vendor_mtk_smsformat_prop)
+get_prop(em_app, vendor_mtk_imstestmode_prop)
+get_prop(em_app, vendor_mtk_dsbp_support_prop)
+
+# Date: 2020/04/30
+# Purpose: telephony ->MobileDataPreferred %%em_hidl
+get_prop(em_app, vendor_mtk_gprs_prefer_prop)
+
+# Date: 2020/04/30
+# Purpose: telephony ->RatConfiguration
+get_prop(em_app, vendor_mtk_rat_config_prop)
+get_prop(em_app, vendor_mtk_tel_switch_prop)
+
+# Date : 2020/04/30
+# Purpose: FeatureSupport
+get_prop(em_app, vendor_mtk_default_prop)
+get_prop(em_app, vendor_mtk_mdm_prop)
+get_prop(em_app, vendor_mtk_aal_ro_prop)
+get_prop(em_app, vendor_mtk_fd_support_prop)
+get_prop(em_app, vendor_mtk_wfd_support_prop)
+get_prop(em_app, vendor_mtk_vilte_support_prop)
+get_prop(em_app, vendor_mtk_mdworldmode_prop)
+get_prop(em_app, vendor_mtk_log_tel_dbg_prop)
+get_prop(em_app, vendor_mtk_ril_mode_prop)
+get_prop(em_app, vendor_mtk_wfc_support_prop)
+get_prop(em_app, vendor_mtk_telephony_addon_prop)
+get_prop(em_app, vendor_mtk_ims_prop)
+
+# Date : 2020/04/30
+# Purpose: PrefsFragment
+get_prop(em_app, vendor_mtk_cxp_vendor_prop)
+
+# Date: 2020/04/30
+# Purpose: telephony ->IMS ,ModemCategory
+get_prop(em_app, vendor_mtk_radio_prop)
+
+# Date : 2021/01/27
+# Purpose: Allow EM to read persist.vendor.sys.mtkaal.xx
+get_prop(em_app, vendor_mtk_pq_prop)
+# Purpose: Allow EM to read persist.vendor.ss.xx
+get_prop(em_app, vendor_mtk_ss_vendor_prop)
+# Purpose: Allow EM to read persist.vendor.connsys.xx
+get_prop(em_app, vendor_mtk_wmt_prop)
+# Purpose: Allow EM to read persist.vendor.em.dy.debug
+get_prop(em_app, vendor_mtk_em_dy_debug_ctrl_prop)
+# Purpose: Allow EM to read persist.vendor.em.hidl.xx
+get_prop(em_app, vendor_mtk_em_hidl_prop)
+# Purpose: Allow EM to read persist.vendor.usb.otg.switch
+get_prop(em_app, vendor_mtk_usb_otg_switch_prop)
+# Purpose: Allow EM to read vendor.debug.gps.xx
+get_prop(em_app, vendor_mtk_mnld_prop)
+# Purpose: Allow EM to read vendor.mtk.omx.xx
+get_prop(em_app, vendor_mtk_omx_log_prop)
+# Purpose: Allow EM to read vendor.mtk.vdec.log
+get_prop(em_app, vendor_mtk_vdec_log_prop)
+# Purpose: Allow EM to read vendor.mtk.vdectlc.log
+get_prop(em_app, vendor_mtk_vdectlc_log_prop)
+# Purpose: Allow EM to read vendor.mtk.venc.h264.showlog
+get_prop(em_app, vendor_mtk_venc_h264_showlog_prop)
+# Purpose: Allow EM to read vendor.usb.xx
+get_prop(em_app, vendor_mtk_usb_prop)
+# Purpose: Allow EM to read vendor.usb.port.mode
+get_prop(em_app, vendor_mtk_em_usb_prop)
+# Purpose: Allow EM to read vendor.net.xx
+get_prop(em_app, vendor_mtk_network_prop)
+# Purpose: Allow EM to endor.mediatek.debug.md.reset.wait
+get_prop(em_app, vendor_mtk_debug_md_reset_prop)
+
+# Data : 2021/4/21
+# Purpose : add permission for /proc/mtk_usb
+allow em_app proc_usb_plat:dir search;
+allow em_app proc_usb_plat:file rw_file_perms;
+
+# Data : 2021/6/4
+# Purpose : add permission for /sys/class/udc/xxx/current_speed
+allow em_app sysfs_usb_nonplat:dir search;
+allow em_app sysfs_usb_nonplat:file rw_file_perms;
+
+# Date : 2021/05/07
+# Purpose : AOL test in EngineerMode
+allow em_app self:netlink_generic_socket { read write getattr bind create setopt };
+allow em_app conn_scp_device:chr_file rw_file_perms;
+
+# Date: 2021/08/17
+# Purpose: Allow EM to ro.vendor.mcf_support
+get_prop(em_app, vendor_mtk_mcf_prop)
+
+# Date:2021/10/29
+# Purpose: Allow EM PMU search extdev
+allow em_app sysfs_extdev:dir search;
\ No newline at end of file
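Review bot: `get_prop(em_app, vendor_mtk_usb_prop)` appears twice, at L18279 ("Allow get USB Current Speed") and again at L18351 ("Allow EM to read vendor.usb.xx"); drop one and merge the comments. Several comment labels are misspelled (`Purose` at L18282 and L18285, `Data :` at L18359 and L18364, and `endor.mediatek.debug.md.reset.wait` at L18356 is missing its leading `v`), and the `proc_usb_plat`/`sysfs_usb_nonplat` rw grants say only "add permission" without saying what the app writes — `# Purpose: EM toggles <WHICH USB KNOBS> via /proc/mtk_usb` would help. The file also lacks a trailing newline.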
diff --git a/bsp/non_plat/em_hidl.te b/bsp/non_plat/em_hidl.te
new file mode 100644
index 0000000..c5d301b
--- /dev/null
+++ b/bsp/non_plat/em_hidl.te
@@ -0,0 +1,57 @@
+# ==============================================
+# Policy File of /vendor/bin/em_hidi Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2018/07/10
+# Operation : EM DEBUG
+# Purpose: EM set Moms property
+set_prop(em_hidl, vendor_mtk_moms_prop)
+
+# Date : 2019/2/11
+# Operation: EM for ViLTE
+# Purpose: Allow EM HIDL to get/set vendor_mtk_vendor_vt_prop
+set_prop(em_hidl, vendor_mtk_vendor_vt_prop)
+
+# Date : 2019/08/20
+# Operation : DMC Q Migration
+# Purpose : allow EM to set vendor_mtk_dmc_prop
+set_prop(em_hidl, vendor_mtk_dmc_prop)
+
+# Date : 2020/04/24
+# Purpos : allow EM set dynamic debug control property
+set_prop(em_hidl, vendor_mtk_em_dy_debug_ctrl_prop)
+
+# Date : 2020/05/04
+# Purpose : allow EM to access vendor_nfc_socket_file
+allow em_hidl vendor_nfc_socket_file:dir w_dir_perms;
+allow em_hidl nfcstackp_vendor:unix_stream_socket connectto;
+
+# Date : 2020/05/05
+# Purpose : Add availablities to set property
+set_prop(em_hidl, vendor_mtk_nfc_nfcstackp_enable_prop)
+
+# Date : 2020/05/07
+# Purpose : allow EM to access MNL config file
+allow em_hidl gps_data_file:file rw_file_perms;
+allow em_hidl gps_data_file:dir search;
+
+# Date : 2020/05/09
+# Purpose: allow IMS SS to set radio prop
+set_prop(em_hidl,vendor_mtk_radio_prop)
+
+# Date : 2020/11/18
+# Purpos : allow EM set mtu property
+set_prop(em_hidl, vendor_mtk_em_mtu_prop)
+
+# Date: 2021/01/27
+# Purpose: Allow EM to set persist.vendor.connsys.xx
+set_prop(em_hidl, vendor_mtk_wmt_prop)
+
+# Date: 2021/04/28
+# Purpose: Allow EM to access NVRAM for BT
+allow em_hidl metadata_file:dir search;
+allow em_hidl gsi_metadata_file:dir search;
+
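Review bot: The header on the first line of this file names the wrong binary, `# Policy File of /vendor/bin/em_hidi Executable File`, while every rule is for `em_hidl`; change it to `# Policy File of /vendor/bin/em_hidl Executable File`. The 2020/05/09 entry is commented `allow IMS SS to set radio prop` but the rule is `set_prop(em_hidl,vendor_mtk_radio_prop)`, so the comment should name em_hidl and say which radio property the EM HIDL daemon actually needs to write, since a radio property setter is outside the engineer-mode scope the other comments describe. Two entries say `Purpos` instead of `Purpose`, and the file ends with an empty `+` line.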
diff --git a/bsp/non_plat/em_svr.te b/bsp/non_plat/em_svr.te
new file mode 100644
index 0000000..0861421
--- /dev/null
+++ b/bsp/non_plat/em_svr.te
@@ -0,0 +1,14 @@
+# ==============================================
+# Policy File of /system/bin/em_svr Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: WK1823
+# Purpose: Rsc switch
+allow em_svr para_block_device:blk_file w_file_perms;
+
+# Date:2021/10/29
+# Purpose: Allow EM PMU search extdev
+allow em_svr sysfs_extdev:dir search;
\ No newline at end of file
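Review bot: `allow em_svr para_block_device:blk_file w_file_perms;` grants raw write access to a partition with only `Rsc switch` as justification; a raw block write bypasses every filesystem check, so the comment should state what is written to the para partition and why no narrower permission (a single ioctl via allowxperm, or a file on a mounted filesystem) suffices. The header says `/system/bin/em_svr` although the file lives in the non_plat (vendor) policy directory; if the binary is really under /vendor/bin the header should say so. The diff marker also shows the file lacks a trailing newline.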
diff --git a/bsp/non_plat/emcamera_app.te b/bsp/non_plat/emcamera_app.te
new file mode 100644
index 0000000..a5ab8fd
--- /dev/null
+++ b/bsp/non_plat/emcamera_app.te
@@ -0,0 +1,29 @@
+# ==============================================
+# Policy File of /vendor/app/emcamera Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+app_domain(emcamera_app)
+
+# Date: WK1931
+# Purpose: write data/vendor/camera_dump
+allow emcamera_app vendor_camera_dump_file:dir create_dir_perms;
+allow emcamera_app vendor_camera_dump_file:file create_file_perms;
+
+allow emcamera_app cameraserver_service:service_manager find;
+allow emcamera_app activity_service:service_manager find;
+allow emcamera_app surfaceflinger_service:service_manager find;
+allow emcamera_app activity_task_service:service_manager find;
+allow emcamera_app audio_service:service_manager find;
+allow emcamera_app trust_service:service_manager find;
+allow emcamera_app device_policy_service:service_manager find;
+allow emcamera_app autofill_service:service_manager find;
+allow emcamera_app sensorservice_service:service_manager find;
+
+# Date: WK1931
+# Purpose: set em camera properties
+set_prop(emcamera_app, vendor_mtk_em_prop)
+set_prop(emcamera_app, vendor_mtk_emcamera_prop)
+set_prop(emcamera_app, vendor_mtk_mediatek_prop)
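Review bot: `set_prop(emcamera_app, vendor_mtk_mediatek_prop)` gives an app domain write access to a generic vendor property context, which is wider than the `set em camera properties` comment justifies; the two preceding set_prop lines already cover the em and emcamera contexts, so either drop the third rule or add a comment naming the specific property that needs it. The nine `service_manager find` rules between the two dated blocks carry no Date/Purpose comment, unlike the rest of the file; a line such as `# Purpose: system services the EM camera UI binds to` keeps the file's convention.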
diff --git a/bsp/non_plat/factory.te b/bsp/non_plat/factory.te
new file mode 100644
index 0000000..e8d10e2
--- /dev/null
+++ b/bsp/non_plat/factory.te
@@ -0,0 +1,47 @@
+# ==============================================
+# Policy File of /vendor/bin/factory Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: WK17.46
+allow factory kmsg_device:chr_file w_file_perms;
+allow factory dm_device:blk_file rw_file_perms;
+allow factory sysfs_fs_ext4_features:dir search;
+allow factory sysfs_fs_ext4_features:file r_file_perms;
+allow factory system_block_device:blk_file getattr;
+allow factory vendor_block_device:blk_file getattr;
+allow factory cache_block_device:blk_file getattr;
+allow factory protect1_block_device:blk_file getattr;
+allow factory protect2_block_device:blk_file getattr;
+
+# Purpose : Allow factory to call android.hardware.audio@2.0-service-mediatek
+binder_call(factory, mtk_hal_audio)
+allow factory mtk_hal_audio:binder call;
+allow factory mtk_audiohal_data_file:dir r_dir_perms;
+allow factory audio_device:chr_file rw_file_perms;
+allow factory audio_device:dir w_dir_perms;
+
+# Purpose : adsp
+allow factory adsp_device:chr_file rw_file_perms;
+
+# Purpose : Allow factory to get usb_state
+allow factory sysfs_android_usb:dir search;
+allow factory sysfs_android_usb:file r_file_perms;
+
+# Date : 2020/05/12
+allow factory nfcstackp_vendor:unix_stream_socket connectto;
+
+# Date : 2020/05/12
+# Purpose : Add availablities to set property
+set_prop(factory, vendor_mtk_nfc_nfcstackp_enable_prop)
+
+allow factory fingerprint_device:chr_file rw_file_perms;
+allow factory tmpfs:chr_file rw_file_perms;
+allow factory self:netlink_socket create_socket_perms_no_ioctl;
+
+# Data : 2021/4/21
+# Purpose : add permission for /proc/mtk_usb
+allow factory proc_usb_plat:dir search;
+allow factory proc_usb_plat:file rw_file_perms;
\ No newline at end of file
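Review bot: `allow factory mtk_hal_audio:binder call;` is redundant: the `binder_call(factory, mtk_hal_audio)` macro on the line above already grants binder call to that domain, so the explicit allow can be dropped. The three rules after the nfcstackp block (`fingerprint_device`, `tmpfs:chr_file rw_file_perms`, `self:netlink_socket`) have no Date/Purpose comment, unlike every other rule in the file, and `tmpfs:chr_file` in particular is broad enough to warrant a sentence on which device node the factory binary opens. `allow factory dm_device:blk_file rw_file_perms;` in the WK17.46 block likewise deserves a why-comment, since read-write on the device-mapper node likely reaches verity-backed partitions.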
diff --git a/bsp/non_plat/file.te b/bsp/non_plat/file.te
new file mode 100644
index 0000000..3bd8416
--- /dev/null
+++ b/bsp/non_plat/file.te
@@ -0,0 +1,123 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+##########################
+# Filesystem types
+#
+##########################
+# Proc Filesystem types
+#
+# For DuraSpeed
+type proc_cpu_loading, fs_type, proc_type;
+type proc_low_memory_hit, fs_type, proc_type;
+
+# TKCore proc file
+type proc_tkcore, fs_type, proc_type;
+
+# For CachedAppOptimizer
+type proc_freqhopping, fs_type, proc_type;
+
+##########################
+# Sys Filesystem types
+#
+# TEEI data file
+type teei_control_file, fs_type, sysfs_type;
+
+##########################
+# File types
+#
+# mobicore device type and file type
+type mobicore_vendor_file, file_type, vendor_file_type;
+
+type tkcore_systa_file, file_type, vendor_file_type;
+
+type wo_starter_exec, exec_type, file_type, vendor_file_type;
+type wo_charon_exec, exec_type, file_type, vendor_file_type;
+type wo_stroke_exec, exec_type, file_type, vendor_file_type;
+
+##########################
+# File types
+# Data file types
+#
+# TEEI data file
+type teei_data_file, file_type, data_file_type;
+
+# Date:WK1822
+# Purpose: Store ims config data
+type mtk_radio_data_file, file_type, data_file_type;
+
+# mobicore file type
+type mobicore_data_file, file_type, data_file_type;
+
+# DOE
+type doe_vendor_data_file, file_type, data_file_type;
+
+# md monitor file
+type md_monitor_vendor_file, file_type, data_file_type;
+
+# MTK omadm data folder
+type omadm_data_file, file_type, data_file_type;
+type omadm_misc_file, file_type, data_file_type;
+
+# camera_dump
+type vendor_camera_dump_file, file_type, data_file_type;
+
+type tkcore_spta_file, file_type, data_file_type, mlstrustedobject;
+type tkcore_data_file, file_type, data_file_type, mlstrustedobject;
+
+type tkcore_protect_data_file, file_type, data_file_type;
+type tkcore_log_file, file_type, data_file_type;
+
+# Date : W1949
+# Purpose: for thp data file
+type mtk_thp_data_file, file_type, data_file_type;
+
+# for img gpu_nn_service
+type gpunn_data_file, file_type, data_file_type;
+
+# Date : 2021/06/30
+# Purpose: add permission for /data/vendor/nn/
+type data_vendor_nn_file, data_file_type, file_type;
+
+# Date : 2021/07/01
+# Purpose: add permission for /data/vendor/hmp/
+type data_vendor_hmp_file, data_file_type, file_type;
+
+##########################
+# File types
+# Core domain data file types
+#
+# android log too much data/misc/log
+type logmuch_data_file, file_type, data_file_type, core_data_file_type;
+
+# For DuraSpeed
+type duraspeed_data_file, file_type, data_file_type, core_data_file_type;
+
+##########################
+# Socket types
+#
+type statusd_socket, file_type;
+
+# Date : WK17.30
+# Purpose : wifi offload daemon access files and sockets
+type wo_epdg_ipsec_socket, file_type;
+
+# Date : WK17.48
+# Purpose: RCS stack for 2/3G network
+type rcs_volte_stack_socket, file_type;
+
+# Date : WK1929
+# Purpose: Rcs Volte stack submarine development
+type rcs_rild_socket, file_type;
+
+# vtservice_hidl for imsvt socket
+type volte_imsvt1_socket, file_type;
+
+type rcs_ua_proxy_socket, file_type;
+
+# For chager enable fast charging algorithm
+type sysfs_fs_chg_file, fs_type, sysfs_type;
+
+# For InputReader scan and search power_supply path
+type sysfs_power_supply, fs_type, sysfs_type;
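Review bot: The two sysfs types at the end of the hunk, `type sysfs_fs_chg_file, fs_type, sysfs_type;` and `type sysfs_power_supply, fs_type, sysfs_type;`, are filed under the `# Socket types` header, while the file already has a `# Sys Filesystem types` section next to `teei_control_file`; moving them there keeps the grouping readable. The comment `# For chager enable fast charging algorithm` should read `charger`; the same comment text appears in genfs_contexts at the fast_chg_indicator entry. The `# File types` header is repeated three times; the second and third occurrences could be dropped in favour of the `Data file types` and `Core domain data file types` sub-headings that follow them.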
diff --git a/bsp/non_plat/file_contexts b/bsp/non_plat/file_contexts
new file mode 100644
index 0000000..76fe240
--- /dev/null
+++ b/bsp/non_plat/file_contexts
@@ -0,0 +1,276 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+##########################
+# Data files
+#
+# Trustonic data files
+/data/vendor/mcRegistry(/.*)? u:object_r:mobicore_data_file:s0
+
+# Microtrust data files
+/data/vendor/thh(/.*)? u:object_r:teei_data_file:s0
+
+/data/vendor/radio(/.*)? u:object_r:mtk_radio_data_file:s0
+/data/vendor/verizon(/.*)? u:object_r:omadm_data_file:s0
+/data/vendor/misc/msdata(/.*)? u:object_r:omadm_misc_file:s0
+
+# TrustKernel add
+/data/vendor/t6(/.*)? u:object_r:tkcore_data_file:s0
+/data/vendor/t6/app(/.*)? u:object_r:tkcore_spta_file:s0
+/data/vendor/t6/tkcore.log u:object_r:tkcore_log_file:s0
+
+# For Google Trusty Secure Storage Proxy
+/data/vendor/trusty(/.*)? u:object_r:tee_data_file:s0
+
+# DOE
+/data/vendor/doe(/.*)? u:object_r:doe_vendor_data_file:s0
+
+# MTK thp hal
+/data/vendor/thp(/.*)? u:object_r:mtk_thp_data_file:s0
+
+# MTK MDM
+/data/vendor/md_mon(/.*)? u:object_r:md_monitor_vendor_file:s0
+
+# EmCamera
+/data/vendor/camera_dump(/.*)? u:object_r:vendor_camera_dump_file:s0
+
+/data/vendor/.img(/.*)? u:object_r:gpunn_data_file:s0
+
+# DuraSpeed
+/data/duraspeed(/.*)? u:object_r:duraspeed_data_file:s0
+
+/data/misc/log(/.*)? u:object_r:logmuch_data_file:s0
+
+# Date: 2021/06/30
+# Purpose: mtk nn info file
+/data/vendor/nn(/.*)? u:object_r:data_vendor_nn_file:s0
+
+# Date: 2021/07/01
+# Purpose: mtk hmp info file
+/data/vendor/hmp(/.*)? u:object_r:data_vendor_hmp_file:s0
+
+##########################
+# Devices
+#
+# TrustKernel add
+/dev/tkcoredrv u:object_r:tkcore_admin_device:s0
+
+# For Google Trusty Secure Storage Proxy
+/dev/block/mmcblk0rpmb u:object_r:rpmb_block_device:s0
+
+# Trustonic TEE devices
+/dev/mobicore u:object_r:mobicore_admin_device:s0
+/dev/mobicore-user u:object_r:mobicore_user_device:s0
+/dev/t-base-tui u:object_r:mobicore_tui_device:s0
+
+# teeperf devices
+/dev/teeperf u:object_r:teeperf_device:s0
+
+# Microtrust TEEI devices
+/dev/teei_config u:object_r:teei_config_device:s0
+/dev/teei_client u:object_r:teei_client_device:s0
+/dev/isee_tee0 u:object_r:teei_client_device:s0
+/dev/tz_vfs u:object_r:teei_vfs_device:s0
+
+# rpmb char device
+/dev/rpmb0 u:object_r:teei_rpmb_device:s0
+/dev/mmcblk0rpmb u:object_r:rpmb_device:s0
+
+# legacy char device for cross-platform compatibility
+/dev/emmcrpmb0 u:object_r:teei_rpmb_device:s0
+/dev/teei_fp u:object_r:teei_fp_device:s0
+/dev/ut_keymaster u:object_r:ut_keymaster_device:s0
+/dev/utr_tui u:object_r:utr_tui_device:s0
+
+# microtrust lite version use start
+/dev/teei_loader u:object_r:tee_device:s0
+
+# microtrust lite version use end
+/dev/dri/card0 u:object_r:dri_device:s0
+
+/dev/ttyC5 u:object_r:nwkopt_device:s0
+/dev/mix_event u:object_r:tx_device:s0
+
+# MTK thp hal
+/dev/thp u:object_r:gdix_thp_device:s0
+/dev/input_mt_wrapper u:object_r:gdix_mt_wrapper_device:s0
+
+# tetheroffload
+/dev/mddp u:object_r:mddp_device:s0
+
+/dev/socket/rcs_ua_proxy(/.*)? u:object_r:rcs_ua_proxy_socket:s0
+/dev/socket/rcs_volte_stack(/.*)? u:object_r:rcs_volte_stack_socket:s0
+/dev/socket/rcs_rild(/.*)? u:object_r:rcs_rild_socket:s0
+/dev/socket/statusd u:object_r:statusd_socket:s0
+/dev/socket/rilproxy-mal(/.*)? u:object_r:rild_mal_socket:s0
+/dev/socket/wo_epdg_ipsec(/.*)? u:object_r:wo_epdg_ipsec_socket:s0
+
+# MTK ATCI
+/dev/socket/rild-atci(/.*)? u:object_r:rild_atci_socket:s0
+/dev/socket/rilproxy-atci(/.*)? u:object_r:rilproxy_atci_socket:s0
+/dev/socket/atci-service(/.*)? u:object_r:atci_service_socket:s0
+/dev/socket/adb_atci_socket(/.*)? u:object_r:adb_atci_socket:s0
+
+# MTK VTService
+/dev/socket/volte_imsvt1(/.*)? u:object_r:volte_imsvt1_socket:s0
+
+/dev/goodix_fp u:object_r:fingerprint_device:s0
+
+#MTK widevine kernel driver
+/dev/drm_wv u:object_r:widevine_drv_device:s0
+
+##########################
+# Vendor files
+#
+# TrustKernel add
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service\.trustkernel u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service\.trustkernel u:object_r:hal_keymaster_default_exec:s0
+
+# Trustonic TEE
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service\.trustonic u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service\.trustonic u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service\.trustonic u:object_r:hal_keymaster_default_exec:s0
+
+# Trustonic TEE system files
+/(vendor|system/vendor)/app/mcRegistry(/.*)? u:object_r:mobicore_vendor_file:s0
+/(vendor|system/vendor)/bin/mcDriverDaemon u:object_r:mobicore_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.trustonic\.tee@1\.1-service u:object_r:hal_tee_default_exec:s0
+
+/(vendor|system/vendor)/bin/thermal u:object_r:thermal_exec:s0
+/(vendor|system/vendor)/bin/volte_rcs_ua u:object_r:volte_rcs_ua_exec:s0
+/(vendor|system/vendor)/bin/rcs_volte_stack u:object_r:rcs_volte_stack_exec:s0
+/(vendor|system/vendor)/bin/volte_clientapi_ua u:object_r:volte_clientapi_ua_exec:s0
+/(vendor|system/vendor)/bin/viarild u:object_r:viarild_exec:s0
+/(vendor|system/vendor)/bin/statusd u:object_r:statusd_exec:s0
+/(vendor|system/vendor)/bin/flashlessd u:object_r:flashlessd_exec:s0
+/(vendor|system/vendor)/bin/ccci_rpcd u:object_r:ccci_rpcd_exec:s0
+/(vendor|system/vendor)/bin/ipsec_mon u:object_r:ipsec_mon_exec:s0
+/(vendor|system/vendor)/bin/getgameserver u:object_r:getgameserver_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.wfo@1\.0-service u:object_r:mtk_hal_wfo_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.clientapi@1\.0-service u:object_r:volte_clientapi_ua_exec:s0
+/(vendor|system/vendor)/bin/hw/vtservice_hidl u:object_r:vtservice_hidl_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.rcs@1\.0-service u:object_r:volte_rcs_ua_exec:s0
+/(vendor|system/vendor)/bin/STFlashTool u:object_r:stflashtool_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.dfps@1\.0-service u:object_r:mtk_hal_dfps_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.omadm@1\.0-service u:object_r:mtk_hal_omadm_exec:s0
+
+# DOE
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.dplanner@1\.0-service u:object_r:mtk_hal_dplanner_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.dplanner@2\.0-service u:object_r:mtk_hal_dplanner_exec:s0
+/(vendor|system/vendor)/bin/dconfig u:object_r:mtk_dconfig_exec:s0
+/(vendor|system/vendor)/bin/dtc_vendor u:object_r:mtk_dconfig_exec:s0
+
+# DRM Key Installation HIDL
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.keyinstall@1\.0-service u:object_r:mtk_hal_keyinstall_exec:s0
+
+# DRM Key Manage HIDL
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.keymanage@1\.0-service u:object_r:mtk_hal_keymanage_exec:s0
+
+/(vendor|system/vendor)/bin/wo_ipsec u:object_r:wo_ipsec_exec:s0
+/(vendor|system/vendor)/bin/wo_charon u:object_r:wo_charon_exec:s0
+/(vendor|system/vendor)/bin/wo_starter u:object_r:wo_starter_exec:s0
+/(vendor|system/vendor)/bin/wo_stroke u:object_r:wo_stroke_exec:s0
+/(vendor|system/vendor)/bin/wo_epdg_client u:object_r:wo_epdg_client_exec:s0
+
+# netdagent
+/(vendor|system/vendor)/bin/netdagent u:object_r:netdagent_exec:s0
+
+# MTK PPL
+/(vendor|system/vendor)/bin/ppl_agent u:object_r:ppl_agent_exec:s0
+
+# Microtrust TEEI system files
+/(vendor|system/vendor)/bin/init_thh u:object_r:init_thh_service_exec:s0
+/(vendor|system/vendor)/bin/teei_daemon u:object_r:tee_exec:s0
+
+# microtrust THH daemon
+/(vendor|system/vendor)/bin/hw/vendor\.microtrust\.hardware\.thh@2\.0-service u:object_r:teei_hal_thh_exec:s0
+
+# microtrust TUI daemon
+/(vendor|system/vendor)/bin/hw/vendor\.microtrust\.hardware\.tui@2\.0-service u:object_r:teei_hal_tui_exec:s0
+
+# microtrust IFAA hidl service
+/(vendor|system/vendor)/bin/hw/vendor\.microtrust\.hardware\.ifaa@1\.0-service u:object_r:teei_hal_ifaa_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.microtrust\.hardware\.ifaa@2\.0-service u:object_r:teei_hal_ifaa_exec:s0
+
+# microtrust WECHAT hidl service
+/(vendor|system/vendor)/bin/hw/vendor\.microtrust\.hardware\.soter@1\.0-service u:object_r:teei_hal_wechat_exec:s0
+/(vendor|system/vendor)/bin/teei_loader u:object_r:tee_exec:s0
+/(vendor|system/vendor)/bin/istorageproxyd u:object_r:tee_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.microtrust\.hardware\.capi@2\.0-service u:object_r:teei_hal_capi_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service\.beanpod u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service\.beanpod\.lite u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service\.beanpod u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service\.beanpod\.lite u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint@1\.0-service\.beanpod u:object_r:hal_keymint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.beanpod\.lite u:object_r:hal_gatekeeper_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.itrusty u:object_r:hal_gatekeeper_default_exec:s0
+/(vendor|system/vendor)/bin/bp_kmsetkey_ca u:object_r:bp_kmsetkey_ca_exec:s0
+
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerrpint@1\.1-service u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-gpunn u:object_r:mtk_hal_neuralnetworks_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-mtk-neuron u:object_r:mtk_hal_neuralnetworks_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-mtk-neuron-lazy u:object_r:mtk_hal_neuralnetworks_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-mtk-neuron-debug u:object_r:mtk_hal_neuralnetworks_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-mtk-neuron-debug-lazy u:object_r:mtk_hal_neuralnetworks_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.neuralnetworks-shim-service-mtk u:object_r:mtk_hal_neuralnetworks_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.neuralnetworks-shell-service-mtk u:object_r:mtk_hal_neuralnetworks_exec:s0
+
+# MTK nwk opt hal
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.nwk_opt@1\.0-service u:object_r:mtk_hal_nwk_opt_exec:s0
+
+# MTK touchll hal
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.touchll@1\.0-service u:object_r:mtk_hal_touchll_exec:s0
+
+# MTK thp hal
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.thp@1\.0-service u:object_r:mtk_hal_thp_exec:s0
+
+# tetheroffload
+/(vendor|system/vendor)/bin/hw/tetheroffloadservice u:object_r:hal_tetheroffload_default_exec:s0
+
+# MTK ATCI
+/(vendor|system/vendor)/bin/atcid u:object_r:atcid_exec:s0
+/(vendor|system/vendor)/bin/atci_service u:object_r:atci_service_exec:s0
+
+# MTK PMS ext
+/(vendor|system/vendor)/operator/app(/.*)? u:object_r:vendor_app_file:s0
+/(vendor|system/vendor)/etc/rsc/[^/]+/app(/.*)? u:object_r:vendor_app_file:s0
+/(vendor|system/vendor)/etc/rsc/[^/]+/priv-app(/.*)? u:object_r:vendor_app_file:s0
+/(vendor|system/vendor)/etc/rsc/[^/]+/plugin(/.*)? u:object_r:vendor_app_file:s0
+/(vendor|system/vendor)/etc/rsc/[^/]+/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+/(vendor|system/vendor)/etc/rsc/[^/]+/framework(/.*)? u:object_r:vendor_framework_file:s0
+
+/(vendor|system/vendor)/bin/remosaic_daemon u:object_r:remosaic_daemon_exec:s0
+
+# HDCP
+/(vendor|system/vendor)/bin/hw/vendor\.tesiai\.hardware\.hdcpconnection@1\.0-service u:object_r:tesiai_hal_hdcp_exec:s0
+
+# ST nfcstackp service
+/vendor/bin/nfcstackp-vendor u:object_r:nfcstackp_vendor_exec:s0
+
+# DMC (Diagnostic Monitoring Collector)
+/vendor/bin/dmc_core u:object_r:dmc_core_exec:s0
+
+# DMC Packet Monitor (PKM)
+/vendor/bin/mtk_pkm_service u:object_r:mtk_pkm_service_exec:s0
+
+# TrustKernel add
+/vendor/bin/teed u:object_r:tee_exec:s0
+
+# For Google Trusty Secure Storage Proxy
+/vendor/bin/storageproxyd u:object_r:tee_exec:s0
+/(vendor|system/vendor)/bin/rpmb_svc u:object_r:tee_exec:s0
+
+# MTK MDM
+/vendor/bin/md_monitor u:object_r:md_monitor_exec:s0
+
+/vendor/app/t6(/.*)? u:object_r:tkcore_systa_file:s0
+
+##########################
+# Others
+#
+/mnt/vendor/persist/t6(/.*)? u:object_r:tkcore_protect_data_file:s0
+/mnt/vendor/protect_f/tee(/.*)? u:object_r:tkcore_protect_data_file:s0
+
+# Logo Updater
+/vendor/bin/logo_updater u:object_r:logo_updater_exec:s0
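Review bot: The fingerprint HAL entry `/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerrpint@1\.1-service` misspells `fingerprint`, so the regex can never match the real binary and the service would not be labelled `hal_fingerprint_default_exec`; init would then most likely refuse to start it in the expected domain, and the hal_fingerprint_default.te rules in this commit would never apply. Correct the path to `android\.hardware\.biometrics\.fingerprint@1\.1-service`. Separately, `/data/misc/log(/.*)?` and `/data/duraspeed(/.*)?` label paths outside /data/vendor from a vendor file_contexts; if those directories are created by system-side code the labels belong in plat_private file_contexts, which I cannot confirm from this hunk.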
diff --git a/bsp/non_plat/flashlessd.te b/bsp/non_plat/flashlessd.te
new file mode 100644
index 0000000..0f2598e
--- /dev/null
+++ b/bsp/non_plat/flashlessd.te
@@ -0,0 +1,19 @@
+# ==============================================
+# Policy File of /vendor/bin/flashlessd Executable File
+
+type flashlessd_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(flashlessd)
+
+#============= flashlessd ttyMT related ==============
+allow flashlessd ttyMT_device:chr_file rw_file_perms;
+
+
+#============= ccci_fsd MD NVRAM==============
+allow flashlessd nvram_data_file:dir create_dir_perms;
+allow flashlessd nvram_data_file:file create_file_perms;
+allow flashlessd nvram_data_file:lnk_file read;
+allow flashlessd nvdata_file:lnk_file read;
+allow flashlessd nvdata_file:dir create_dir_perms;
+allow flashlessd nvdata_file:file create_file_perms;
+allow flashlessd nvram_device:chr_file rw_file_perms;
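Review bot: The hunk declares `flashlessd_exec` and calls `init_daemon_domain(flashlessd)` but no `type flashlessd, domain;` appears, unlike the aee_aedv.te pattern in this same commit; unless the domain is declared in another policy directory, the policy will not compile. The section header `#============= ccci_fsd MD NVRAM==============` names ccci_fsd while every rule beneath it is for flashlessd, which reads as a copy-paste leftover; rename it to `#============= flashlessd MD NVRAM ==============`. The create_dir_perms/create_file_perms grants on both `nvram_data_file` and `nvdata_file` deserve a why-comment stating which NVRAM records the flashless daemon writes.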
diff --git a/bsp/non_plat/fsck.te b/bsp/non_plat/fsck.te
new file mode 100644
index 0000000..33e62cf
--- /dev/null
+++ b/bsp/non_plat/fsck.te
@@ -0,0 +1,8 @@
+#============= fsck ==============
+allow fsck sysfs_fs_ext4_features:dir search;
+
+# Date : WK19.12
+# Operation: Q migration
+# Purpose : Allow resize.f2fs to read in "f2fs" block dev
+allow init fsck_exec: lnk_file r_file_perms;
+allowxperm fsck userdata_block_device:blk_file ioctl BLKSECDISCARD;
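Review bot: The comment `Allow resize.f2fs to read in "f2fs" block dev` describes neither rule beneath it: `allow init fsck_exec: lnk_file r_file_perms;` lets init follow a symlink to the fsck binary, and the allowxperm grants fsck the BLKSECDISCARD ioctl on userdata_block_device. Split the comment so each rule has its own purpose, and move the init rule to init.te since this file is for the fsck domain. `allowxperm` only narrows an existing `ioctl` permission, so it relies on `allow fsck userdata_block_device:blk_file ioctl` (or a macro containing it) being granted elsewhere, which I cannot see in this hunk. The stray space in `fsck_exec: lnk_file` is also inconsistent with the rest of the policy.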
diff --git a/bsp/non_plat/gatekeeperd.te b/bsp/non_plat/gatekeeperd.te
new file mode 100644
index 0000000..bba3640
--- /dev/null
+++ b/bsp/non_plat/gatekeeperd.te
@@ -0,0 +1,28 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK15.49
+# Operation : Migration
+# Purpose: Trustonic HW-backed Gatekeeper
+allow hal_gatekeeper_default mobicore:unix_stream_socket { connectto read write };
+allow hal_gatekeeper_default mobicore_user_device:chr_file { read write open ioctl};
+
+allow hal_gatekeeper_default debugfs_tracing:file write;
+allow hal_gatekeeper_default mnt_vendor_file:dir search;
+allow hal_gatekeeper_default persist_data_file:dir { write search add_name remove_name};
+allow hal_gatekeeper_default persist_data_file:file { write read getattr open create unlink};
+
+# Date : 2016/06/01
+# Operation: TEEI integration
+# Purpose: Microtrust HW-backed Gatekeeper
+hal_client_domain(hal_gatekeeper_default, hal_teei_capi)
+hal_client_domain(hal_gatekeeper_default, hal_allocator)
+allow hal_gatekeeper_default teei_client_device:chr_file rw_file_perms;
+
+# Purpose: TrustKernel HW-backed Gatekeeper
+allow hal_gatekeeper_default tkcore_admin_device:chr_file { read write open ioctl };
+
+# Allow hal_gatekeeper_default to access /data/key_provisioning
+allow hal_gatekeeper_default key_install_data_file:dir w_dir_perms;
+allow hal_gatekeeper_default key_install_data_file:file create_file_perms;
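Review bot: `allow hal_gatekeeper_default persist_data_file:dir { write search add_name remove_name};` together with `{ write read getattr open create unlink}` on files gives the gatekeeper HAL create/delete over everything labelled persist_data_file rather than over a dedicated subdirectory; the file_contexts in this commit already shows the narrower pattern (`/mnt/vendor/persist/t6(/.*)?` gets its own type), and a dedicated type (`persist_gatekeeper_file` is a placeholder name) would keep other persist data out of reach. The two rules also have no Date/Purpose comment; a line saying what the HAL stores there belongs above them. `allow hal_gatekeeper_default debugfs_tracing:file write;` is likewise undocumented, and if it exists only for tracing on debug builds it should be wrapped in `userdebug_or_eng(...)`.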
diff --git a/bsp/non_plat/genfs_contexts b/bsp/non_plat/genfs_contexts
new file mode 100644
index 0000000..9cefccc
--- /dev/null
+++ b/bsp/non_plat/genfs_contexts
@@ -0,0 +1,55 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+##########################
+# proc files
+#
+genfscon proc /secmem0 u:object_r:proc_secmem:s0
+
+# TrustKernel TEE proc
+genfscon proc /tkcore u:object_r:proc_tkcore:s0
+
+# For DuraSpeed
+genfscon proc /cpu_loading/onoff u:object_r:proc_cpu_loading:s0
+genfscon proc /cpu_loading/uevent_enable u:object_r:proc_cpu_loading:s0
+genfscon proc /cpu_loading/poltime_secs u:object_r:proc_cpu_loading:s0
+genfscon proc /cpu_loading/poltime_nsecs u:object_r:proc_cpu_loading:s0
+genfscon proc /cpu_loading/overThrhld u:object_r:proc_cpu_loading:s0
+genfscon proc /cpu_loading/specify_cpus u:object_r:proc_cpu_loading:s0
+genfscon proc /cpu_loading/specify_overThrhld u:object_r:proc_cpu_loading:s0
+
+# For CachedAppOptimizer
+genfscon proc /freqhopping u:object_r:proc_freqhopping:s0
+
+##########################
+# sysfs files
+#
+# Microtrust TEEI sysfs files
+genfscon sysfs /devices/platform/utos u:object_r:teei_control_file:s0
+genfscon sysfs /devices/utos u:object_r:teei_control_file:s0
+
+# for 7663 VTS NetdSELinuxTest.CheckProperMTULabels requirement
+genfscon sysfs /devices/platform/soc/11250000.mmc/mmc_host/mmc2/mmc2:0001/mmc2:0001:1/net/wlan0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/soc/11250000.mmc/mmc_host/mmc2/mmc2:0001/mmc2:0001:1/net/ap0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/soc/11250000.mmc/mmc_host/mmc2/mmc2:0001/mmc2:0001:1/net/p2p0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/11240000.msdc/mmc_host/mmc1/mmc1:0001/mmc1:0001:1/net/wlan0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/11240000.msdc/mmc_host/mmc1/mmc1:0001/mmc1:0001:1/net/ap0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/11240000.msdc/mmc_host/mmc1/mmc1:0001/mmc1:0001:1/net/p2p0/mtu u:object_r:sysfs_net:s0
+
+# for 7668 VTS NetdSELinuxTest.CheckProperMTULabels requirement
+genfscon sysfs /devices/platform/soc/11170000.sdio/mmc_host/mmc1/mmc1:0001/mmc1:0001:1/net/wlan0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/soc/11170000.sdio/mmc_host/mmc1/mmc1:0001/mmc1:0001:1/net/ap0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/soc/11170000.sdio/mmc_host/mmc1/mmc1:0001/mmc1:0001:1/net/p2p0/mtu u:object_r:sysfs_net:s0
+
+# Date : 2020/09/09
+# Purpose: for otg access
+genfscon sysfs /devices/platform/bus/mt_usb/musb-hdrc/usb1 u:object_r:sysfs_usb_nonplat:s0
+
+# For chager enable fast charging algorithm
+genfscon sysfs /devices/platform/charger/fast_chg_indicator u:object_r:sysfs_fs_chg_file:s0
+
+# Date: 2021/08/10
+# Operation: S migration
+# Purpose: Add permission for inputReader search every input device path including "power_supply"
+genfscon sysfs /devices/virtual/power_supply u:object_r:sysfs_power_supply:s0
diff --git a/bsp/non_plat/getgameserver.te b/bsp/non_plat/getgameserver.te
new file mode 100644
index 0000000..0925f5c
--- /dev/null
+++ b/bsp/non_plat/getgameserver.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Policy File of /vendor/bin/getgameserver Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type getgameserver_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(getgameserver)
+net_domain(getgameserver)
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+allow getgameserver self:capability net_raw;
+allow getgameserver self:packet_socket { create_socket_perms };
+allow getgameserver self:udp_socket { create_socket_perms };
+
+allowxperm getgameserver self:packet_socket ioctl {SIOCGIFINDEX SIOCGSTAMP };
+allowxperm getgameserver self:udp_socket ioctl {SIOCGIFINDEX SIOCGSTAMP };
+set_prop(getgameserver, vendor_mtk_netdagent_gameserver_prop)
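Review bot: `allow getgameserver self:capability net_raw;` plus `self:packet_socket` lets this daemon open raw packet sockets on any interface, and the file gives no Purpose comment for it, unlike the dated entries elsewhere in this commit; add a line such as `# Purpose: <why raw packet sockets are required — placeholder>` above the capability rule, and if only the two SIOCG ioctls on a udp_socket are needed the packet_socket rule may be droppable. Style: `{ create_socket_perms }` wraps a macro that already expands to a brace list, and the allowxperm lists are written `{SIOCGIFINDEX SIOCGSTAMP }` with uneven spacing; `{ SIOCGIFINDEX SIOCGSTAMP }` matches the rest of the policy.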
diff --git a/bsp/non_plat/hal_clientapi.te b/bsp/non_plat/hal_clientapi.te
new file mode 100644
index 0000000..54f3459
--- /dev/null
+++ b/bsp/non_plat/hal_clientapi.te
@@ -0,0 +1,12 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_clientapi_client, hal_clientapi_server)
+binder_call(hal_clientapi_server, hal_clientapi_client)
+
+add_hwservice(hal_clientapi_server, volte_clientapi_ua_hwservice)
+
+# give permission for hal client
+allow hal_clientapi_client volte_clientapi_ua_hwservice:hwservice_manager find;
diff --git a/bsp/non_plat/hal_dfps.te b/bsp/non_plat/hal_dfps.te
new file mode 100644
index 0000000..e56b0df
--- /dev/null
+++ b/bsp/non_plat/hal_dfps.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_dfps_client, hal_dfps_server)
+binder_call(hal_dfps_server, hal_dfps_client)
+
+# give permission for hal client
+allow hal_dfps_client mtk_hal_dfps_hwservice:hwservice_manager find;
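Review bot: This file omits the `# Policy File of ...` / `# Common SEPolicy Rule` header that every other .te file in the commit starts with (hal_drm_widevine.te and hal_graphics_allocator_default.te omit it too); adding the header keeps the files uniform. The attributes `hal_dfps_client` and `hal_dfps_server` are not declared in this hunk, so presumably they come from an attributes file elsewhere in the commit.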
diff --git a/bsp/non_plat/hal_drm_widevine.te b/bsp/non_plat/hal_drm_widevine.te
new file mode 100644
index 0000000..fb632d2
--- /dev/null
+++ b/bsp/non_plat/hal_drm_widevine.te
@@ -0,0 +1,35 @@
+allow hal_drm_widevine debugfs_tracing:file write;
+allow hal_drm_widevine debugfs_ion:dir search;
+
+# Allow widevine hidl process read keybox stored in /mnt/vendor/persist
+allow hal_drm_widevine mnt_vendor_file:dir search;
+
+# Add sepolicy for tee relate
+allow hal_drm_widevine mobicore:unix_stream_socket connectto;
+allow hal_drm_widevine persist_data_file:dir search;
+allow hal_drm_widevine mobicore_user_device:chr_file { read write ioctl open };
+allow hal_drm_widevine persist_data_file:file { read getattr open };
+allow hal_drm_widevine mobicore_data_file:file { read open getattr};
+allow hal_drm_widevine mobicore_data_file:dir search;
+allow hal_drm_widevine block_device:dir search;
+allow hal_drm_widevine kb_block_device:blk_file r_file_perms;
+allow hal_drm_widevine dkb_block_device:blk_file r_file_perms;
+
+# Allow widevine hidl process access teeperf
+allow hal_drm_widevine teeperf_device:chr_file rw_file_perms_no_map;
+
+# Allow widevine hidl process access TEEI
+hal_client_domain(hal_drm_widevine, hal_teei_capi)
+hal_client_domain(hal_drm_widevine, hal_allocator)
+allow hal_drm_widevine teei_client_device:chr_file rw_file_perms;
+
+# Add selinux policy for mtee related permission
+allow hal_drm_widevine kisd:unix_stream_socket connectto;
+allow hal_drm_widevine sysfs_mmcblk:dir search;
+allow hal_drm_widevine sysfs_mmcblk:file { read open getattr};
+
+# Allow widevine hidl process access widevine kernel driver
+allow hal_drm_widevine widevine_drv_device:chr_file { getattr open read ioctl write };
+
+# Allow widevine hidl process to read vendor_mtk_soc_prop
+get_prop(hal_drm_widevine, vendor_mtk_soc_prop)
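Review bot: `allow hal_drm_widevine kb_block_device:blk_file r_file_perms;` and the `dkb_block_device` rule grant the Widevine HAL raw reads of the keybox partitions, yet they sit under the `# Add sepolicy for tee relate` comment, which says nothing about them; the only keybox comment in the file refers to /mnt/vendor/persist. Put a comment above them, for example `# Purpose: read the Widevine keybox from the kb/dkb partitions`, so a later reviewer knows the raw-partition access is intentional. `allow hal_drm_widevine debugfs_tracing:file write;` (same in gatekeeperd.te) is undocumented; if it is only for tracing on debug builds, `userdebug_or_eng(...)` keeps it out of user builds.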
diff --git a/bsp/non_plat/hal_fingerprint_default.te b/bsp/non_plat/hal_fingerprint_default.te
new file mode 100644
index 0000000..49901f4
--- /dev/null
+++ b/bsp/non_plat/hal_fingerprint_default.te
@@ -0,0 +1,21 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# MICROTRUST SEPolicy Rule
+allow hal_fingerprint_default teei_fp_device:chr_file rw_file_perms;
+allow hal_fingerprint_default teei_client_device:chr_file rw_file_perms;
+allow hal_fingerprint_default teei_control_file:dir r_dir_perms;
+allow hal_fingerprint_default teei_control_file:file rw_file_perms;
+allow hal_fingerprint_default teei_control_file:lnk_file rw_file_perms;
+allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;
+allow hal_fingerprint_default tkcore_admin_device:chr_file rw_file_perms;
+allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_fingerprint_default self:unix_stream_socket connectto;
+allow hal_fingerprint_default mobicore_user_device:chr_file rw_file_perms;
+allow hal_fingerprint_default mobicore_user_device:unix_stream_socket connectto;
+allow hal_fingerprint_default mobicore:unix_stream_socket connectto;
+allow hal_fingerprint_default tmpfs:chr_file rw_file_perms;
+allow hal_fingerprint_default debugfs_trace_marker:file rw_file_perms;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
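Review bot: `allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;` lets the fingerprint HAL create virtual input devices through /dev/uhid, i.e. inject keystrokes and touch events system-wide, which is far beyond what a sensor HAL needs; unless a named vendor driver is documented to require uhid, drop the rule or add a comment naming that driver. `allow hal_fingerprint_default tmpfs:chr_file rw_file_perms;` is similarly broad: it matches any device node left unlabeled on a tmpfs mount rather than a specific device type, and it hides a missing file_contexts entry — label the node and grant that type. `allow hal_fingerprint_default mobicore_user_device:unix_stream_socket connectto;` pairs a device-node type with a socket class and is very unlikely to ever match; that line, and the fact that Microtrust, TrustKernel and Trustonic nodes are all granted at once, suggest this file should be trimmed to the TEE the product actually ships.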
diff --git a/bsp/non_plat/hal_graphics_allocator_default.te b/bsp/non_plat/hal_graphics_allocator_default.te
new file mode 100644
index 0000000..5b9761c
--- /dev/null
+++ b/bsp/non_plat/hal_graphics_allocator_default.te
@@ -0,0 +1,3 @@
+#============= hal_graphics_allocator_default ==============
+allow hal_graphics_allocator_default teei_client_device:chr_file rw_file_perms;
+allow hal_graphics_allocator_default mobicore_user_device:chr_file rw_file_perms;
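Review bot: These two rules carry no Date/Purpose comment, unlike the other files in this series, yet they hand the gralloc allocator read/write (including map) on both the Microtrust and Trustonic TEE client nodes. If this is for secure-buffer allocation, say so with a line such as `# Purpose : secure (SVP) buffer allocation through the TEE client node`, and keep only the node for the TEE the product ships rather than both.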
diff --git a/bsp/non_plat/hal_graphics_composer_default.te b/bsp/non_plat/hal_graphics_composer_default.te
new file mode 100644
index 0000000..a2f8018
--- /dev/null
+++ b/bsp/non_plat/hal_graphics_composer_default.te
@@ -0,0 +1,39 @@
+# Date : WK17.25
+# Stage: O Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(hal_graphics_composer_default, hal_mtk_pq)
+
+# Date : WK17.25
+# Stage: O Migration, SQC
+# Purpose: Allow to use shared memory for HAL PQ
+hal_client_domain(hal_graphics_composer_default, hal_allocator)
+
+# Date : WK19.45
+# Operation : WFD
+# Purpose : HWC verify secure WFD
+get_prop(hal_graphics_composer_default, vendor_mtk_secure_venc_prop)
+
+# Date : WK20.39
+# Purpose: allow proess access tee node(tee_client_device/isee_tee0)
+allow hal_graphics_composer_default teei_client_device:chr_file rw_file_perms;
+
+# Date : WK20.40
+# Purpose : wifidisplay notify
+get_prop(hal_graphics_composer_default, vendor_mtk_wfd_enable_prop)
+
+# Date : WK21.01
+# Purpose : Allow to use MMAgent
+hal_client_domain(hal_graphics_composer_default, hal_mtk_mmagent)
+allow hal_graphics_composer_default ion_device:chr_file w_file_perms;
+
+# Date : WK21.25
+# Purpose : Allow to use DAM buffer
+allow hal_graphics_composer_default dmabuf_system_heap_device:chr_file rw_file_perms;
+
+# Data: WK21.26
+# Purpose: HWC needs to check whether mtk_svp_on_mtee is supported or not
+get_prop(hal_graphics_composer_default, vendor_mtk_svp_on_mtee_support_prop)
+
+# Data: WK21.35
+# Purpose: Call NpAgent
+hal_client_domain(hal_graphics_composer_default,hal_neuralnetworks)
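Review bot: `allow hal_graphics_composer_default ion_device:chr_file w_file_perms;` is write-without-read on the ION node, an unusual shape for an allocator path since `w_file_perms` carries no `ioctl`; confirm which access the MMAgent path actually hits and grant that, or note that write-only is intentional. Two comment headers are misspelled, `# Data: WK21.26` and `# Data: WK21.35` should be `# Date:`, and `Allow to use DAM buffer` should read `Allow to use DMA buffer`. The last line, `hal_client_domain(hal_graphics_composer_default,hal_neuralnetworks)`, also lacks the space after the comma used everywhere else in the file.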
diff --git a/bsp/non_plat/hal_keymaster_attestation.te b/bsp/non_plat/hal_keymaster_attestation.te
new file mode 100644
index 0000000..6c55f5f
--- /dev/null
+++ b/bsp/non_plat/hal_keymaster_attestation.te
@@ -0,0 +1,17 @@
+# ==============================================
+# MICROTRUST SEPolicy Rule
+# ==============================================
+
+allow hal_keymaster_attestation ut_keymaster_device:chr_file rw_file_perms;
+allow hal_keymaster_attestation teei_client_device:chr_file rw_file_perms;
+hal_client_domain(hal_keymaster_attestation, hal_teei_capi)
+hal_client_domain(hal_keymaster_attestation, hal_allocator)
+hal_client_domain(hal_keymaster_attestation, hal_keymaster)
+set_prop(hal_keymaster_attestation, vendor_mtk_soter_teei_prop)
+allow hal_keymaster_attestation tkcore_admin_device:chr_file rw_file_perms;
+
+# Date : 2017/08/08 (or WK17.32)
+# Operation : Keymaster 3.0 Migration
+# Purpose : Set sepolicy for Keymaster attestation key injection
+allow hal_keymaster_attestation mobicore:unix_stream_socket connectto;
+allow hal_keymaster_attestation mobicore_user_device:chr_file rw_file_perms;
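Review bot: This single domain is granted `ut_keymaster_device`, `teei_client_device`, `tkcore_admin_device`, `mobicore_user_device` and the `mobicore` socket, i.e. the Microtrust, TrustKernel and Trustonic backends at once; only one TEE exists on a given product, so the rest are unused grants on a process that injects attestation keys and would be better selected per TEE at build time. `tkcore_admin_device` is, by name, an administrative node rather than a client node, so the rule should say why key injection needs it. `set_prop(hal_keymaster_attestation, vendor_mtk_soter_teei_prop)` makes this another writer of that property; a comment stating which value it sets would make the interaction with the other setters understandable.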
diff --git a/bsp/non_plat/hal_keymaster_default.te b/bsp/non_plat/hal_keymaster_default.te
new file mode 100644
index 0000000..d44b58c
--- /dev/null
+++ b/bsp/non_plat/hal_keymaster_default.te
@@ -0,0 +1,33 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK17.42 2017/10/19
+# Operation: Keymaster 3.0
+# Purpose: Access attestation key in persist partition
+allow hal_keymaster_default mnt_vendor_file:dir search;
+allow hal_keymaster_default persist_data_file:dir search;
+allow hal_keymaster_default persist_data_file:file r_file_perms;
+
+# Date : WK17.22 2017/06/02 (Revised for HIDL)
+# Operation : keystore CTS
+# Purpose : Open MobiCore access permission for keystore CTS hardware-backed solution
+allow hal_keymaster_default mobicore:unix_stream_socket { connectto read write };
+allow hal_keymaster_default mobicore_user_device:chr_file rw_file_perms;
+
+# Date : 2016/06/01
+# Operation: TEEI integration
+# Purpose: Microtrust HW-backed Keymaster
+allow hal_keymaster_default ut_keymaster_device:chr_file rw_file_perms;
+allow hal_keymaster_default teei_client_device:chr_file rw_file_perms;
+set_prop(hal_keymaster_default, vendor_mtk_soter_teei_prop)
+hal_client_domain(hal_keymaster_default, hal_teei_capi)
+hal_client_domain(hal_keymaster_default, hal_allocator)
+
+# Purpose: TrustKernel HW-backed Keymaster
+allow hal_keymaster_default tkcore_admin_device:chr_file rw_file_perms;
+
+# Date : 2018/09/11
+# Operation: MTEE Keymaster
+# Purpose: Access kisd to get key & certs
+allow hal_keymaster_default kisd:unix_stream_socket connectto;
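Review bot: `allow hal_keymaster_default tkcore_admin_device:chr_file rw_file_perms;` gives the production keymaster HAL what is by name the TrustKernel admin node under a one-line comment; if TA loading truly needs the admin interface, document that, otherwise the client node should suffice. As in the attestation domain, Trustonic (`mobicore*`), Microtrust (`teei_client_device`, `ut_keymaster_device`), TrustKernel and MTEE (`kisd`) are all granted together, so whichever backends a product does not ship become dead grants on the domain holding device keys; gating them per TEE keeps the domain minimal. The persist read (`mnt_vendor_file:dir search` plus `persist_data_file:file r_file_perms`) is correctly read-only for an attestation key, but a comment naming the expected file path would let the file_contexts label be checked against it.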
diff --git a/bsp/non_plat/hal_keymint_default.te b/bsp/non_plat/hal_keymint_default.te
new file mode 100644
index 0000000..cdedc10
--- /dev/null
+++ b/bsp/non_plat/hal_keymint_default.te
@@ -0,0 +1,4 @@
+# Date : 2021/07/16
+# Operation: TEEI integration
+# Purpose: Microtrust HW-backed Keymint
+allow hal_keymint_default teei_client_device:chr_file rw_file_perms;
diff --git a/bsp/non_plat/hal_mtk_apm.te b/bsp/non_plat/hal_mtk_apm.te
new file mode 100644
index 0000000..b1b5cd4
--- /dev/null
+++ b/bsp/non_plat/hal_mtk_apm.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_apm, mtk_hal_apm_hwservice)
+
+binder_call(hal_mtk_apm_client, hal_mtk_apm_server)
+binder_call(hal_mtk_apm_server, hal_mtk_apm_client)
diff --git a/bsp/non_plat/hal_mtk_dmc.te b/bsp/non_plat/hal_mtk_dmc.te
new file mode 100644
index 0000000..390abb3
--- /dev/null
+++ b/bsp/non_plat/hal_mtk_dmc.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+binder_call(hal_mtk_dmc_client, hal_mtk_dmc_server)
+binder_call(hal_mtk_dmc_server, hal_mtk_dmc_client)
+add_hwservice(hal_mtk_dmc_server, mtk_hal_dmc_hwservice)
+allow hal_mtk_dmc_client mtk_hal_dmc_hwservice:hwservice_manager find;
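Review bot: This file hand-writes `add_hwservice(hal_mtk_dmc_server, mtk_hal_dmc_hwservice)` plus an explicit `find` for the client, while the sibling HAL files in this series (apm, omadm, thp, touchll, wfo) use `hal_attribute_hwservice(hal_mtk_dmc, mtk_hal_dmc_hwservice)`, which expands to the same add/find pair. Replacing the last two lines with that single macro call keeps the files consistent and makes the client/server pairing obvious at a glance.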
diff --git a/bsp/non_plat/hal_mtk_omadm.te b/bsp/non_plat/hal_mtk_omadm.te
new file mode 100644
index 0000000..1c5b170
--- /dev/null
+++ b/bsp/non_plat/hal_mtk_omadm.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_omadm, mtk_hal_omadm_hwservice)
+
+binder_call(hal_mtk_omadm_client, hal_mtk_omadm_server)
+binder_call(hal_mtk_omadm_server, hal_mtk_omadm_client)
diff --git a/bsp/non_plat/hal_mtk_thp.te b/bsp/non_plat/hal_mtk_thp.te
new file mode 100644
index 0000000..a0cf40a
--- /dev/null
+++ b/bsp/non_plat/hal_mtk_thp.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_thp, mtk_hal_thp_hwservice)
+
+binder_call(hal_mtk_thp_client, hal_mtk_thp_server)
+binder_call(hal_mtk_thp_server, hal_mtk_thp_client)
+
diff --git a/bsp/non_plat/hal_mtk_touchll.te b/bsp/non_plat/hal_mtk_touchll.te
new file mode 100644
index 0000000..be08128
--- /dev/null
+++ b/bsp/non_plat/hal_mtk_touchll.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_touchll, mtk_hal_touchll_hwservice)
+
+binder_call(hal_mtk_touchll_client, hal_mtk_touchll_server)
+binder_call(hal_mtk_touchll_server, hal_mtk_touchll_client)
diff --git a/bsp/non_plat/hal_mtk_wfo.te b/bsp/non_plat/hal_mtk_wfo.te
new file mode 100644
index 0000000..5671090
--- /dev/null
+++ b/bsp/non_plat/hal_mtk_wfo.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_wfo, mtk_hal_wfo_hwservice)
+
+binder_call(hal_mtk_wfo_client, hal_mtk_wfo_server)
+binder_call(hal_mtk_wfo_server, hal_mtk_wfo_client)
diff --git a/bsp/non_plat/hal_presence.te b/bsp/non_plat/hal_presence.te
new file mode 100644
index 0000000..9950ebf
--- /dev/null
+++ b/bsp/non_plat/hal_presence.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_presence_client, hal_presence_server)
+binder_call(hal_presence_server, hal_presence_client)
+
+# give permission for hal client
+allow hal_presence_client volte_uce_ua_hwservice :hwservice_manager find;
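Review bot: Only the client half of the presence HAL is set up here: `hal_presence_client` gets `find` on `volte_uce_ua_hwservice`, but there is no `add_hwservice(hal_presence_server, volte_uce_ua_hwservice)`, so unless that registration rule lives in another file the server cannot register and every client lookup fails; the sibling hal_rcs.te pairs the two. `hal_attribute_hwservice(hal_presence, volte_uce_ua_hwservice)` would cover both sides and match the other HAL files. The stray space in `volte_uce_ua_hwservice :hwservice_manager` is probably tolerated by the parser but should be removed.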
diff --git a/bsp/non_plat/hal_rcs.te b/bsp/non_plat/hal_rcs.te
new file mode 100644
index 0000000..1da5237
--- /dev/null
+++ b/bsp/non_plat/hal_rcs.te
@@ -0,0 +1,13 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_rcs_client, hal_rcs_server)
+binder_call(hal_rcs_server, hal_rcs_client)
+
+add_hwservice(hal_rcs_server, volte_rcs_ua_hwservice)
+
+# give permission for hal client
+allow hal_rcs_client volte_rcs_ua_hwservice:hwservice_manager find;
+
diff --git a/bsp/non_plat/hal_tee.te b/bsp/non_plat/hal_tee.te
new file mode 100644
index 0000000..d0efc4f
--- /dev/null
+++ b/bsp/non_plat/hal_tee.te
@@ -0,0 +1,9 @@
+##
+# Trustonic TeeService
+#
+
+binder_call(hal_tee_client, hal_tee_server)
+binder_call(hal_tee_server, hal_tee_client)
+
+add_hwservice(hal_tee_server, hal_tee_hwservice)
+allow hal_tee_client hal_tee_hwservice:hwservice_manager find;
\ No newline at end of file
diff --git a/bsp/non_plat/hal_tee_default.te b/bsp/non_plat/hal_tee_default.te
new file mode 100644
index 0000000..af7c303
--- /dev/null
+++ b/bsp/non_plat/hal_tee_default.te
@@ -0,0 +1,20 @@
+##
+# Trustonic TeeService
+#
+
+type hal_tee_default_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_tee_default)
+
+hal_server_domain(hal_tee_default, hal_tee)
+hal_client_domain(hal_tee_default, hal_allocator)
+
+# Access to TEE driver nodes (user and tui)
+allow hal_tee_default mobicore_user_device:chr_file rw_file_perms;
+allow hal_tee_default mobicore_tui_device:chr_file rw_file_perms;
+allow hal_tee_default system_app:fd use;
+
+# HIDL memory is using this behind the scene
+allow hal_tee_default untrusted_app_all:fd use;
+allow hal_tee_default teeregistryd_app:fd use;
+
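Review bot: `allow hal_tee_default untrusted_app_all:fd use;` means the Trustonic TEE service accepts file descriptors handed over by any untrusted app, which implies apps reach this vendor HAL directly over hwbinder; the comment `HIDL memory is using this behind the scene` does not explain why app-supplied descriptors are expected. If that is the design, the comment should say so and the daemon must validate what it receives (ashmem or dmabuf only, size-checked) before mapping it, because an fd from an app is attacker-controlled; if apps are not intended clients, the rule should go. The same question applies to `system_app:fd use` and `teeregistryd_app:fd use`, and `mobicore_tui_device` hands this domain the trusted-UI node as well, which deserves its own justification line.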
diff --git a/bsp/non_plat/hal_teei_capi.te b/bsp/non_plat/hal_teei_capi.te
new file mode 100644
index 0000000..62a48f2
--- /dev/null
+++ b/bsp/non_plat/hal_teei_capi.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Microtrust SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_teei_capi, teei_hal_capi_hwservice)
+
+binder_call(hal_teei_capi_client, hal_teei_capi_server)
+binder_call(hal_teei_capi_server, hal_teei_capi_client)
diff --git a/bsp/non_plat/hal_teei_ifaa.te b/bsp/non_plat/hal_teei_ifaa.te
new file mode 100644
index 0000000..ba50010
--- /dev/null
+++ b/bsp/non_plat/hal_teei_ifaa.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Microtrust SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_teei_ifaa, teei_hal_ifaa_hwservice)
+
+binder_call(hal_teei_ifaa_client, hal_teei_ifaa_server)
+binder_call(hal_teei_ifaa_server, hal_teei_ifaa_client)
diff --git a/bsp/non_plat/hal_teei_thh.te b/bsp/non_plat/hal_teei_thh.te
new file mode 100644
index 0000000..4a10db2
--- /dev/null
+++ b/bsp/non_plat/hal_teei_thh.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Microtrust SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_teei_thh, teei_hal_thh_hwservice)
+
+binder_call(hal_teei_thh_client, hal_teei_thh_server)
+binder_call(hal_teei_thh_server, hal_teei_thh_client)
diff --git a/bsp/non_plat/hal_teei_tui.te b/bsp/non_plat/hal_teei_tui.te
new file mode 100644
index 0000000..22db585
--- /dev/null
+++ b/bsp/non_plat/hal_teei_tui.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Microtrust SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_teei_tui, teei_hal_tui_hwservice)
+
+binder_call(hal_teei_tui_client, hal_teei_tui_server)
+binder_call(hal_teei_tui_server, hal_teei_tui_client)
diff --git a/bsp/non_plat/hal_teei_wechat.te b/bsp/non_plat/hal_teei_wechat.te
new file mode 100644
index 0000000..a6a5467
--- /dev/null
+++ b/bsp/non_plat/hal_teei_wechat.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Microtrust SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_teei_wechat, teei_hal_wechat_hwservice)
+
+binder_call(hal_teei_wechat_client, hal_teei_wechat_server)
+binder_call(hal_teei_wechat_server, hal_teei_wechat_client)
diff --git a/bsp/non_plat/hal_teeregistry.te b/bsp/non_plat/hal_teeregistry.te
new file mode 100644
index 0000000..a79561e
--- /dev/null
+++ b/bsp/non_plat/hal_teeregistry.te
@@ -0,0 +1,9 @@
+##
+# Trustonic TeeService
+#
+
+binder_call(hal_teeregistry_client, hal_teeregistry_server)
+binder_call(hal_teeregistry_server, hal_teeregistry_client)
+
+add_hwservice(hal_teeregistry_server, hal_teeregistry_hwservice)
+allow hal_teeregistry_client hal_teeregistry_hwservice:hwservice_manager find;
\ No newline at end of file
diff --git a/bsp/non_plat/hal_teeregistry_default.te b/bsp/non_plat/hal_teeregistry_default.te
new file mode 100644
index 0000000..d307846
--- /dev/null
+++ b/bsp/non_plat/hal_teeregistry_default.te
@@ -0,0 +1,21 @@
+##
+# Trustonic TeeService
+#
+
+type hal_teeregistry_default_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_teeregistry_default, hal_teeregistry)
+
+hal_client_domain(hal_teeregistry_default, hal_allocator)
+
+# Access to TEE driver nodes (user and admin)
+allow hal_teeregistry_default mobicore_user_device:chr_file rw_file_perms;
+allow hal_teeregistry_default mobicore_admin_device:chr_file rw_file_perms;
+
+# Registry need to be accessed by the HAL OTAv1
+
+allow hal_teeregistry_default mobicore_data_file:dir { rw_dir_perms create rename rmdir };
+allow hal_teeregistry_default mobicore_data_file:file { rw_file_perms rename create };
+allow hal_teeregistry_default mobicore_vendor_file:file { r_file_perms };
+
+init_daemon_domain(hal_teeregistry_default);
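Review bot: `init_daemon_domain(hal_teeregistry_default);` ends with a semicolon that no other macro invocation in this series carries; the expansion already terminates its own statements, so the trailing `;` is at best an empty statement and should be dropped for consistency. The `mobicore_data_file:dir { rw_dir_perms create rename rmdir }` and `:file { rw_file_perms rename create }` grants let this daemon delete and rename anything in the trusted-application registry, and `mobicore_admin_device` is the admin node; the comment `Registry need to be accessed by the HAL OTAv1` says neither what OTAv1 is nor why rmdir/rename are required, so expand it. `mobicore_vendor_file:file r_file_perms` has no matching `mobicore_vendor_file:dir search`; if the containing directory carries the same label, lookups will be denied (hedged: a broader vendor directory rule may already cover it).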
diff --git a/bsp/non_plat/hal_tesiai_hdcp.te b/bsp/non_plat/hal_tesiai_hdcp.te
new file mode 100644
index 0000000..f9f07e4
--- /dev/null
+++ b/bsp/non_plat/hal_tesiai_hdcp.te
@@ -0,0 +1,6 @@
+# add/find permission rule to hwservicemanager
+hal_attribute_hwservice(hal_tesiai_hdcp, tesiai_hal_hdcp_hwservice)
+
+# Allow client domain to perform hwbinder IPC to server domain, and callbacks
+binder_call(hal_tesiai_hdcp_client, hal_tesiai_hdcp_server)
+binder_call(hal_tesiai_hdcp_server, hal_tesiai_hdcp_client)
diff --git a/bsp/non_plat/hal_tetheroffload_default.te b/bsp/non_plat/hal_tetheroffload_default.te
new file mode 100644
index 0000000..a3ee2f9
--- /dev/null
+++ b/bsp/non_plat/hal_tetheroffload_default.te
@@ -0,0 +1,37 @@
+# ==============================================
+# Policy File of /vendor/bin/hw/tetheroffloadservice Executable File
+
+
+# ==============================================
+# New design
+# ==============================================
+# associate netdomain to use for accessing internet sockets
+net_domain(hal_tetheroffload_default)
+
+# Register to hwbinder service
+add_hwservice(hal_tetheroffload_default, hal_tetheroffload_hwservice)
+
+allow hal_tetheroffload_default self:{
+ netlink_socket
+ netlink_generic_socket
+} create_socket_perms_no_ioctl;
+
+#============= for binder call ==============
+allow hal_tetheroffload_default system_server:binder call;
+allow hal_tetheroffload_default netdagent:binder call;
+
+#============= mddp device ==============
+allow hal_tetheroffload_default mddp_device:chr_file rw_file_perms;
+
+#============= proc ==============
+allow hal_tetheroffload_default proc_net:file r_file_perms;
+
+#=============for other hild services==============
+hal_client_domain(hal_tetheroffload_default,mtk_hal_netdagent);
+
+#============= other rules ==============
+allow hal_tetheroffload_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow hal_tetheroffload_default self:netlink_route_socket create_socket_perms_no_ioctl;
+allow hal_tetheroffload_default system_server:netlink_netfilter_socket {read write};
+allow hal_tetheroffload_default system_server:fd use;
+
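Review bot: `net_domain(hal_tetheroffload_default)` grants the offload HAL general TCP/UDP socket access, and the comment `associate netdomain to use for accessing internet sockets` is a description, not a justification; an offload daemon needs netlink (granted explicitly below) and the `mddp_device` node, not internet sockets, so either name the call that needs them or drop the macro. The hand-written `add_hwservice`, `system_server:binder call` and `system_server:netlink_netfilter_socket {read write}` rules duplicate what `hal_server_domain(hal_tetheroffload_default, hal_tetheroffload)` provides through the AOSP hal_tetheroffload attributes, which I believe already carry the client/server netfilter-socket sharing rule; if that declaration exists elsewhere in this repo these lines are redundant, and if not it is the preferred form. `allow hal_tetheroffload_default system_server:fd use;` is what lets the framework pass the conntrack socket across, so a comment tying it to the netfilter rule would help the next reader.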
diff --git a/bsp/non_plat/hal_wifi_supplicant_default.te b/bsp/non_plat/hal_wifi_supplicant_default.te
new file mode 100644
index 0000000..8384292
--- /dev/null
+++ b/bsp/non_plat/hal_wifi_supplicant_default.te
@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typealias hal_wifi_supplicant_default alias wpa;
+
diff --git a/bsp/non_plat/healthd.te b/bsp/non_plat/healthd.te
new file mode 100644
index 0000000..21a9fb0
--- /dev/null
+++ b/bsp/non_plat/healthd.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow healthd sysfs_vcorefs_pwrctrl:file write;
diff --git a/bsp/non_plat/hwservice.te b/bsp/non_plat/hwservice.te
new file mode 100644
index 0000000..d679316
--- /dev/null
+++ b/bsp/non_plat/hwservice.te
@@ -0,0 +1,55 @@
+type mtk_hal_wfo_hwservice, hwservice_manager_type;
+type volte_uce_ua_hwservice, hwservice_manager_type;
+type mtk_hal_videotelephony_hwservice, hwservice_manager_type;
+type mtk_hal_codecservice_hwservice, hwservice_manager_type;
+type mtk_hal_netdagent_hwservice, hwservice_manager_type;
+type volte_rcs_ua_hwservice, hwservice_manager_type;
+type mtk_hal_dfps_hwservice, hwservice_manager_type;
+type mtk_hal_dplanner_hwservice, hwservice_manager_type;
+type mtk_hal_pplagent_hwservice, hwservice_manager_type;
+# omadm hidl
+type mtk_hal_omadm_hwservice, hwservice_manager_type;
+# DMC HIDL
+type mtk_hal_dmc_hwservice, hwservice_manager_type;
+# APM HIDL
+type mtk_hal_apm_hwservice, hwservice_manager_type;
+# nwk opt HIDL
+type mtk_hal_nwk_opt_hwservice, hwservice_manager_type;
+# touchll HIDL
+type mtk_hal_touchll_hwservice, hwservice_manager_type;
+# thp
+type mtk_hal_thp_hwservice, hwservice_manager_type;
+
+# MICROTRUST SEPolicy Rule
+# microtrust THH service manager type
+type teei_hal_thh_hwservice, hwservice_manager_type;
+
+# microtrust TUI service manager type
+type teei_hal_tui_hwservice, hwservice_manager_type;
+
+# microtrust IFAA service manager type
+type teei_hal_ifaa_hwservice, hwservice_manager_type;
+
+# microtrust CAPI service manager type
+type teei_hal_capi_hwservice, hwservice_manager_type;
+
+# microtrust WECHAT service manager type
+type teei_hal_wechat_hwservice, hwservice_manager_type;
+
+# Trustonic SEPolicy Rule
+type hal_tee_hwservice, hwservice_manager_type;
+type hal_teeregistry_hwservice, hwservice_manager_type;
+
+# Date : 2019/05/16
+# Operation : IT
+# Purpose : Add for HIDL service
+type mtk_mdm_hidl_server, hwservice_manager_type;
+
+
+#client API HIDL
+type volte_clientapi_ua_hwservice, hwservice_manager_type;
+
+# ==============================================
+# HDCP SEPolicy Rule
+# ==============================================
+type tesiai_hal_hdcp_hwservice, hwservice_manager_type;
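Review bot: `type mtk_mdm_hidl_server, hwservice_manager_type;` is the only hwservice type in this file without the `_hwservice` suffix, and `_server` is the suffix this series uses for HAL server attributes, so a reader will take it for a domain. Renaming it to `mtk_hal_mdmonitor_hwservice` (with the matching hwservice_contexts line updated) removes that confusion. Separately, `mtk_hal_keymanage_hwservice` is referenced from the hwservice_contexts added in this same change but is not declared here; fine if another tree declares it, but worth confirming before checkfc runs.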
diff --git a/bsp/non_plat/hwservice_contexts b/bsp/non_plat/hwservice_contexts
new file mode 100644
index 0000000..73e3119
--- /dev/null
+++ b/bsp/non_plat/hwservice_contexts
@@ -0,0 +1,119 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2017/06/1
+vendor.mediatek.hardware.camera.advcam::IAdvCamControl u:object_r:hal_camera_hwservice:s0
+
+# Date : 2017/06/15
+vendor.mediatek.hardware.wfo::IWifiOffload u:object_r:mtk_hal_wfo_hwservice:s0
+
+# Date: 2017/06/22
+vendor.mediatek.hardware.camera.lomoeffect::ILomoEffect u:object_r:hal_camera_hwservice:s0
+
+# Date : 2017/07/11
+vendor.mediatek.hardware.videotelephony::IVideoTelephony u:object_r:mtk_hal_videotelephony_hwservice:s0
+
+# Date : 2017/07/20
+vendor.mediatek.hardware.presence::IPresence u:object_r:volte_uce_ua_hwservice:s0
+
+# Date: 2017/09/06
+vendor.mediatek.hardware.netdagent::INetdagent u:object_r:mtk_hal_netdagent_hwservice:s0
+
+# Date : 2017/08/4
+vendor.mediatek.hardware.rcs::IRcs u:object_r:volte_rcs_ua_hwservice:s0
+
+# Date: 2017/06/22
+vendor.mediatek.hardware.camera.ccap::ICCAPControl u:object_r:hal_camera_hwservice:s0
+
+# Date : 2017/10/22
+vendor.mediatek.hardware.dfps::IFpsPolicyService u:object_r:mtk_hal_dfps_hwservice:s0
+
+# Date : 2018/11/13
+vendor.mediatek.hardware.dplanner::IDPlanner u:object_r:mtk_hal_dplanner_hwservice:s0
+
+# Date : 2018/01/04
+# tablet DRM Key Manage HIDL
+vendor.mediatek.hardware.keymanage::IKeymanage u:object_r:mtk_hal_keymanage_hwservice:s0
+
+# Date: 2018/05/07
+vendor.mediatek.hardware.pplagent::IPplAgent u:object_r:mtk_hal_pplagent_hwservice:s0
+
+# Date : 2019/05/14
+# Android Q diagnostic framework migration
+vendor.mediatek.hardware.dmc::IDmcService u:object_r:mtk_hal_dmc_hwservice:s0
+
+# Date : 2019/05/14
+# Android Q diagnostic framework migration
+vendor.mediatek.hardware.apmonitor::IApmService u:object_r:mtk_hal_apm_hwservice:s0
+
+# MICROTRUST SEPolicy Rule
+# microtrust THH hidl
+vendor.microtrust.hardware.thh::IThhDevice u:object_r:teei_hal_thh_hwservice:s0
+
+# microtrust TUI hidl
+vendor.microtrust.hardware.tui::ITuiDevice u:object_r:teei_hal_tui_hwservice:s0
+
+# microtrust IFAA hidl
+vendor.microtrust.hardware.ifaa::IIFAADevice u:object_r:teei_hal_ifaa_hwservice:s0
+
+# microtrust Client Api hidl
+vendor.microtrust.hardware.capi::IClientApiDevice u:object_r:teei_hal_capi_hwservice:s0
+
+# microtrust wechat hidl
+vendor.microtrust.hardware.soter::ISoter u:object_r:teei_hal_wechat_hwservice:s0
+
+# Date : 2018/05/14
+# IMtkSupplicant hidl, to export Mediatek supplicant hidl interface to framework
+vendor.mediatek.hardware.wifi.supplicant::ISupplicant u:object_r:hal_wifi_supplicant_hwservice:s0
+
+# Date : 2018/07/16
+vendor.mediatek.hardware.camera.security::ISecureCamera u:object_r:hal_camera_hwservice:s0
+
+# Date : 2018/08/27
+vendor.mediatek.hardware.camera.frhandler::IFRHandler u:object_r:hal_camera_hwservice:s0
+
+# Date : 2019/05/16
+# Operation : IT
+# Purpose : Add for HIDL service
+vendor.mediatek.hardware.mdmonitor::IMDMonitorService u:object_r:mtk_mdm_hidl_server:s0
+
+# omadm hidl
+vendor.mediatek.hardware.omadm::IOmadm u:object_r:mtk_hal_omadm_hwservice:s0
+
+# nwk opt HIDL
+vendor.mediatek.hardware.nwk_opt::INwkOpt u:object_r:mtk_hal_nwk_opt_hwservice:s0
+
+# Date : 2018/10/25
+vendor.mediatek.hardware.clientapi::IClientapi u:object_r:volte_clientapi_ua_hwservice:s0
+
+# Date: 2019/09/25
+vendor.mediatek.hardware.touchll::ITouchll u:object_r:mtk_hal_touchll_hwservice:s0
+
+# Date: 2019/11/07
+vendor.mediatek.hardware.thp::ITHP u:object_r:mtk_hal_thp_hwservice:s0
+
+# Trustonic SEPolicy Rule
+vendor.trustonic.tee::ITee u:object_r:hal_tee_hwservice:s0
+vendor.trustonic.tee.tui::ITui u:object_r:hal_tee_hwservice:s0
+vendor.trustonic.teeregistry::ITeeRegistry u:object_r:hal_teeregistry_hwservice:s0
+
+# HDCP SEPolicy Rule
+vendor.tesiai.hardware.hdcpconnection::IHDCPConnection u:object_r:tesiai_hal_hdcp_hwservice:s0
+
+# Date : 2020/06/10
+# Define apuware context
+vendor.mediatek.hardware.apuware.apusys::INeuronApusys u:object_r:hal_neuralnetworks_hwservice:s0
+vendor.mediatek.hardware.apuware.xrp::INeuronXrp u:object_r:hal_neuralnetworks_hwservice:s0
+
+# Date : 2020/07/03
+# Define uitls hidl context for ann
+vendor.mediatek.hardware.apuware.utils::IApuwareUtils u:object_r:hal_neuralnetworks_hwservice:s0
+
+# Date : 2021/04/23
+# Define hml hidl context
+vendor.mediatek.hardware.apuware.hmp::IApuwareHmp u:object_r:hal_neuralnetworks_hwservice:s0
+
+# Date : 2021/06/28
+# Define NpAgent hidl context for ann
+vendor.mediatek.hardware.neuropilot.agent::IAgent u:object_r:hal_neuralnetworks_hwservice:s0
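Review bot: Several vendor-specific interfaces are labeled with core AOSP types instead of their own: `ISecureCamera`, `IFRHandler`, `ILomoEffect`, `ICCAPControl` and `IAdvCamControl` all map to `hal_camera_hwservice`, the five apuware/neuropilot interfaces to `hal_neuralnetworks_hwservice`, and the MediaTek supplicant extension to `hal_wifi_supplicant_hwservice`. Sharing a label means every `hal_camera_client` can find the secure-camera service and any `hal_camera_server` may register it, so access cannot be scoped per interface; a dedicated type per vendor interface (for example `mtk_hal_secure_camera_hwservice`) with its own client list is the least-privilege form. `mtk_hal_keymanage_hwservice` on the `IKeymanage` line is not declared in the hwservice.te added by this change; checkfc will reject the contexts file unless it is declared elsewhere.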
diff --git a/bsp/non_plat/init.te b/bsp/non_plat/init.te
new file mode 100644
index 0000000..7a63da9
--- /dev/null
+++ b/bsp/non_plat/init.te
@@ -0,0 +1,39 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK15.15
+# Operation : Migration
+# Purpose : set specific label for used raw partitions, for dumchar cases.
+allow init system_block_device:blk_file relabelfrom;
+allow init nvram_device:blk_file relabelto;
+allow init nvdata_device:blk_file relabelto;
+allow init nvcfg_block_device:blk_file relabelto;
+allow init expdb_block_device:blk_file relabelto;
+allow init misc2_block_device:blk_file relabelto;
+allow init logo_block_device:blk_file relabelto;
+allow init para_block_device:blk_file relabelto;
+allow init tee_block_device:blk_file relabelto;
+allow init seccfg_block_device:blk_file relabelto;
+allow init secro_block_device:blk_file relabelto;
+allow init frp_block_device:blk_file relabelto;
+allow init userdata_block_device:blk_file relabelto;
+allow init mtk_hal_dfps_exec:file getattr;
+
+# Operation : Migration
+# Purpose : for init reboot operate /dev/RT_Monitor when enable hang detect
+allow init RT_Monitor_device:chr_file rw_file_perms;
+
+# Purpose : For DuraSpeed
+allow init proc_drop_caches:file w_file_perms;
+
+allow init teei_client_device:chr_file rw_file_perms;
+
+# Date : W19.28
+# Purpose: Allow to setattr for duraspeed.rc
+allow init proc_cpu_loading:file setattr;
+allow init proc_pressure_cpu:file setattr;
+
+# Date : W20.20
+# Purpose: Allow to create socket for rild
+allow init volte_imsvt1_socket:sock_file create_file_perms;
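Review bot: `allow init teei_client_device:chr_file rw_file_perms;` is the one rule in this file without a Date/Purpose comment, and it is the most surprising one, since it lets init itself open the Microtrust TEE client node read/write; say which rc action or builtin needs it with a line like `# Purpose : <which .rc action> opens the TEE client node during boot`, or move the access to the daemon that actually does the work. The relabel list includes `userdata_block_device:blk_file relabelto`, which is broader than the raw-partition dumchar cases the comment describes; a note on which node is relabeled to userdata keeps the list auditable.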
diff --git a/bsp/non_plat/init_thh_service.te b/bsp/non_plat/init_thh_service.te
new file mode 100644
index 0000000..ba79a7b
--- /dev/null
+++ b/bsp/non_plat/init_thh_service.te
@@ -0,0 +1,22 @@
+# ==============================================
+# MICROTRUST SEPolicy Rule
+# ==============================================
+
+# Date : 2016/06/01
+# Operation: TEEI integration
+# Purpose: Microtrust service
+type init_thh_service_exec, exec_type, file_type, vendor_file_type;
+
+# set up domain
+init_daemon_domain(init_thh_service)
+
+allow init_thh_service teei_data_file:dir create_dir_perms;
+allow init_thh_service teei_data_file:file create_file_perms;
+allow init_thh_service tee_device:chr_file rw_file_perms;
+
+# enable access android property
+set_prop(init_thh_service, vendor_mtk_soter_teei_prop)
+
+hal_client_domain(init_thh_service, hal_teei_capi)
+hal_client_domain(init_thh_service, hal_allocator)
+hal_client_domain(init_thh_service, hal_teei_thh)
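Review bot: `set_prop(init_thh_service, vendor_mtk_soter_teei_prop)` makes this the third domain in this change allowed to set `vendor_mtk_soter_teei_prop`, alongside the two keymaster domains; a property with several writers is hard to reason about, so the comment should name the value each writer sets, or the grant should be reduced to a single owner with `get_prop` for the others. `allow init_thh_service tee_device:chr_file rw_file_perms;` uses the generic `tee_device` type while the rest of the Microtrust rules in this series use `teei_client_device`; confirm which node the service really opens so one of the two can be dropped.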
diff --git a/bsp/non_plat/installd.te b/bsp/non_plat/installd.te
new file mode 100644
index 0000000..3978c95
--- /dev/null
+++ b/bsp/non_plat/installd.te
@@ -0,0 +1,36 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : Move app to phone storage
+# 1. Enter Settings->Apps
+# 2. Select Downloaded tab
+# 3. Choose the application and move to phone storage
+# 4. Check the application in Phone storage tab
+allow installd apk_tmp_file:dir getattr;
+allow installd vfat:file getattr;
+
+# Date : WK14.34
+# Operation : Development GMO Feature "Move OAT to SD Card"
+# Purpose : for GMO ROM Size Slim
+allow installd dalvikcache_data_file:lnk_file create_file_perms;
+allow installd sdcard_type:dir create_dir_perms;
+allow installd sdcard_type:file create_file_perms;
+
+# Date : WK14.40
+# Operation : SQC1
+# Purpose : for access .android_secure
+allow installd vfat:dir search;
+
+# Date : WK15.02
+# Operation : SQC0
+# Purpose : ALPS01889518 (MTK MTBF)
+allow installd platform_app:fd use;
+
+# Date : WK16.09
+# Operation : Migration
+# Purpose : copy the content in /data/media/0 to /data/media
+allow installd media_rw_data_file:file create_file_perms;
+allow installd shell_exec:file rx_file_perms;
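Review bot: `allow installd sdcard_type:dir create_dir_perms;` and `allow installd sdcard_type:file create_file_perms;`, together with the `dalvikcache_data_file:lnk_file` rule, implement "Move OAT to SD Card": compiled app code is written to, and later loaded from, external storage that any app with storage access or anyone holding the card can overwrite, which is a direct code-injection path into the app the OAT belongs to. These rules date from WK14.34 and the GMO slim-ROM feature; if the feature is no longer built, remove them, and if it is, the runtime must verify the OAT files before mapping them. `allow installd shell_exec:file rx_file_perms;` lets the installer daemon exec /system/bin/sh; a privileged daemon spawning a shell is a classic injection surface, so the comment should name the script and confirm that no package-controlled string reaches its command line.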
diff --git a/bsp/non_plat/ipsec_mon.te b/bsp/non_plat/ipsec_mon.te
new file mode 100644
index 0000000..363b5ec
--- /dev/null
+++ b/bsp/non_plat/ipsec_mon.te
@@ -0,0 +1,29 @@
+# ==============================================
+# Policy File of /vendor/bin/ipsec_mon Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type ipsec_mon_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(ipsec_mon)
+
+allow ipsec_mon self:netlink_xfrm_socket { write bind create read nlmsg_read nlmsg_write};
+allow ipsec_mon ims_ipsec_data_file:dir w_dir_perms;
+allow ipsec_mon ims_ipsec_data_file:file create_file_perms;
+allow ipsec_mon self:key_socket { write read create setopt };
+
+# Date: W17.36
+# Purpose: ipsec_mon fulfill 3x solution
+allow ipsec_mon self:capability { net_admin net_raw };
+allow ipsec_mon self:udp_socket { create ioctl };
+allow ipsec_mon self:netlink_route_socket { write read create nlmsg_read bind connect nlmsg_write};
+allowxperm ipsec_mon self:udp_socket ioctl { SIOCDEVPRIVATE_2 };
+allow ipsec_mon devpts:chr_file rw_file_perms;
+allow ipsec_mon proc_net:file w_file_perms;
+
+set_prop(ipsec_mon, vendor_mtk_network_prop)
+
+allowxperm ipsec_mon self:udp_socket ioctl SIOCDEVPRIVATE;
+dontaudit ipsec_mon kernel:system module_request;
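Review bot: `allow ipsec_mon devpts:chr_file rw_file_perms;` looks like residue from running the daemon on an interactive terminal, since a service started by init has no pty, and `allow ipsec_mon proc_net:file w_file_perms;` is a write grant on the whole /proc/net tree rather than the one file the 3x solution touches; drop the first and narrow the second to a dedicated type. The two `allowxperm ipsec_mon self:udp_socket ioctl` lines should be merged into one rule, `allowxperm ipsec_mon self:udp_socket ioctl { SIOCDEVPRIVATE SIOCDEVPRIVATE_2 };`, placed next to the udp_socket allow. Since `net_admin`, `netlink_xfrm_socket nlmsg_write` and `netlink_route_socket nlmsg_write` together let this process install IPsec SAs, policies and routes, that capability set deserves a sentence in the file header so reviewers see it up front.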
diff --git a/bsp/non_plat/kernel.te b/bsp/non_plat/kernel.te
new file mode 100644
index 0000000..617400d
--- /dev/null
+++ b/bsp/non_plat/kernel.te
@@ -0,0 +1,11 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow kernel teei_client_device:chr_file rw_file_perms;
+
+# For FPSGO set affinity
+allow kernel servicemanager:process setsched;
+allow kernel surfaceflinger:process setsched;
+allow kernel system_server:process setsched;
+allow kernel untrusted_app_all:process setsched;
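Review bot: `allow kernel teei_client_device:chr_file rw_file_perms;` has no comment; the kernel domain covers kernel threads and early boot, so a rule letting it open the Microtrust client node read/write should state which kthread or driver opens the node from process context, otherwise it reads like a denial misattributed to the wrong domain. The FPSGO block lets the kernel domain call `setsched` on `untrusted_app_all`; a one-line note that FPSGO runs in-kernel and acts on the app's own render thread would make that grant auditable, e.g. `# FPSGO (kernel module) adjusts render-thread priority of the foreground app`.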
diff --git a/bsp/non_plat/kpoc_charger.te b/bsp/non_plat/kpoc_charger.te
new file mode 100644
index 0000000..72cc627
--- /dev/null
+++ b/bsp/non_plat/kpoc_charger.te
@@ -0,0 +1,39 @@
+# ==============================================
+# Policy File of /system/bin/kpoc_charger Executable File
+
+
+allow kpoc_charger logo_block_device:blk_file { read open };
+
+# Date : WK15.45
+# Operation : Migration
+# Purpose : add sepolicy for kpoc_charger
+allow kpoc_charger logo_device:chr_file read;
+allow kpoc_charger logo_device:chr_file open;
+allow kpoc_charger bootdevice_block_device:blk_file read;
+allow kpoc_charger bootdevice_block_device:blk_file open;
+
+# Date : WK18.20
+# Operation : Android P migration
+# Purpose : access boot mode
+allow kpoc_charger sysfs_boot_mode:file r_file_perms;
+
+# Purpose : access pump_express
+allow kpoc_charger sysfs_pump_express:file r_file_perms;
+
+# Purpose: ioctl operation on /dev/RT_Monitor to enable hang detect
+allow kpoc_charger RT_Monitor_device:chr_file r_file_perms;
+
+# Purpose: Add permission to access metadata_file and sysfs to
+# enable fast charging algorithm
+allow kpoc_charger metadata_file:file r_file_perms;
+allow kpoc_charger sysfs_fs_chg_file:file rw_file_perms;
+
+allow kpoc_charger gsi_metadata_file:dir search;
+allow kpoc_charger self:capability2 block_suspend;
+
+#Purpose: Add permission for DRM in animation
+allow kpoc_charger dri_device:chr_file rw_file_perms;
+
+# Date : WK21.31
+# Purpose: Add permission to access new bootmode file
+allow kpoc_charger sysfs_boot_info:file r_file_perms;
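Review bot: `allow kpoc_charger metadata_file:file r_file_perms;` gives the charger read on everything under the generic /metadata label rather than the one file the fast-charging comment refers to; the neighbouring `gsi_metadata_file:dir search` suggests the path is under /metadata, so the specific file should get its own type and this rule should name that type. The RT_Monitor comment says the need is an ioctl, yet the rule is a bare `r_file_perms` with no `allowxperm`, so please add one listing the hang-detect command(s) it issues. The header claims `/system/bin/kpoc_charger` although this file lives in the non_plat (vendor) tree — confirm the path and fix the comment if the binary is under /vendor/bin.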
diff --git a/bsp/non_plat/logd.te b/bsp/non_plat/logd.te
new file mode 100644
index 0000000..c60def9
--- /dev/null
+++ b/bsp/non_plat/logd.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : W18.26
+# Allow logmuch related property
+get_prop(logd, vendor_mtk_logmuch_prop)
diff --git a/bsp/non_plat/logo_updater.te b/bsp/non_plat/logo_updater.te
new file mode 100644
index 0000000..a6ead89
--- /dev/null
+++ b/bsp/non_plat/logo_updater.te
@@ -0,0 +1,7 @@
+type logo_updater, domain, mlstrustedsubject;
+type logo_updater_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(logo_updater)
+
+allow logo_updater logo_block_device:blk_file rw_file_perms;
+allow logo_updater vendor_file:file r_file_perms;
+allow logo_updater block_device:dir search;
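Review bot: `type logo_updater, domain, mlstrustedsubject;` adds mlstrustedsubject although nothing in this file needs it — the only objects touched are `logo_block_device`, `vendor_file` and a `block_device` dir search, none of which are per-user data that the MLS constraints protect. Unless a concrete denial is known, declare it as `type logo_updater, domain;` and keep the MLS bypass out of a domain that has raw write on a block device. A header line naming the executable path, as the other policy files in this commit carry, would also help.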
diff --git a/bsp/non_plat/md_monitor.te b/bsp/non_plat/md_monitor.te
new file mode 100644
index 0000000..2f23ba7
--- /dev/null
+++ b/bsp/non_plat/md_monitor.te
@@ -0,0 +1,57 @@
+# ==============================================
+# Policy File of /vendor/bin/md_monitor Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type md_monitor_exec ,exec_type, vendor_file_type, file_type;
+init_daemon_domain(md_monitor)
+
+typeattribute md_monitor mlstrustedsubject;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2019/05/16
+# Operation : IT
+# Purpose : access /data/vendor/md_mon/, write filter bin and layout file to this dir
+allow md_monitor md_monitor_vendor_file:dir { create_dir_perms relabelto relabelfrom};
+allow md_monitor md_monitor_vendor_file:file create_file_perms;
+
+# Date : 2017/10/20
+# Operation : IT
+# Purpose : Allow md_monitor to dump raw data to file in /sdcard/MdmDump/
+allow md_monitor mnt_user_file:dir search;
+allow md_monitor mnt_user_file:lnk_file read;
+allow md_monitor sdcardfs:dir create_dir_perms;
+allow md_monitor sdcardfs:file create_file_perms;
+allow md_monitor storage_file:lnk_file read;
+
+# Date : 2019/05/16
+# Operation : IT
+# Purpose : Add for HIDL service
+add_hwservice(md_monitor, mtk_mdm_hidl_server)
+get_prop(md_monitor, hwservicemanager_prop)
+hwbinder_use(md_monitor)
+hal_server_domain(md_monitor, md_monitor_hal)
+
+# Date : 2015/10/12
+# Operation : IT
+# Purpose : Allow md_monitor to set
+allow md_monitor ccci_mdmonitor_device:chr_file rw_file_perms;
+allow md_monitor ccci_ccb_device:chr_file rw_file_perms;
+allow md_monitor sysfs_ccci:dir search;
+allow md_monitor sysfs_ccci:file r_file_perms;
+allow md_monitor file_contexts_file:file r_file_perms;
+
+# Date : 2017/10/16
+# Operation : IT
+# Purpose : Allow md_monitor to use restore_image_from_pt()
+allow md_monitor block_device:dir search;
+allow md_monitor md_block_device:blk_file r_file_perms;
+allow md_monitor self:capability chown;
+allow md_monitor storage_file:dir search;
+allow md_monitor tmpfs:lnk_file read;
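Review bot: The `sdcardfs:dir create_dir_perms` / `sdcardfs:file create_file_perms` rules let a modem-monitor daemon that is also `mlstrustedsubject` create files anywhere on shared storage, and the comment says the purpose is dumping raw data to /sdcard/MdmDump/; that is a debug facility and belongs inside a `userdebug_or_eng(...)` guard, as mtk_hal_dplanner.te in this same commit does. `relabelto relabelfrom` on `md_monitor_vendor_file:dir` is more than the stated purpose (writing filter and layout files) requires; `create_dir_perms` alone should suffice unless the daemon really restores labels. The dated sections are out of order (2019, 2017, 2019, 2015, 2017), which makes it hard to tell which rules are current.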
diff --git a/bsp/non_plat/md_monitor_hal.te b/bsp/non_plat/md_monitor_hal.te
new file mode 100644
index 0000000..f0a81b7
--- /dev/null
+++ b/bsp/non_plat/md_monitor_hal.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(md_monitor_hal_client, md_monitor_hal_server)
+binder_call(md_monitor_hal_server, md_monitor_hal_client)
+
+allow md_monitor_hal_client mtk_mdm_hidl_server:hwservice_manager find;
diff --git a/bsp/non_plat/mdi_redirector.te b/bsp/non_plat/mdi_redirector.te
new file mode 100644
index 0000000..ad6f844
--- /dev/null
+++ b/bsp/non_plat/mdi_redirector.te
@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Read ro.vendor.mtk_mapi_support
+get_prop(mdi_redirector, vendor_mtk_dmc_prop)
diff --git a/bsp/non_plat/mdmi_redirector.te b/bsp/non_plat/mdmi_redirector.te
new file mode 100644
index 0000000..95fcdd9
--- /dev/null
+++ b/bsp/non_plat/mdmi_redirector.te
@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Read ro.vendor.mtk_mapi_support
+get_prop(mdmi_redirector, vendor_mtk_dmc_prop)
diff --git a/bsp/non_plat/mediacodec.te b/bsp/non_plat/mediacodec.te
new file mode 100644
index 0000000..ea34c6b
--- /dev/null
+++ b/bsp/non_plat/mediacodec.te
@@ -0,0 +1,79 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Data : WK16.25
+# Operation : Camera display client
+# Purpose : for SVP secure memory allocation
+allow mediacodec proc_secmem:file rw_file_perms;
+
+# Date : WK16.25
+# Operation : WVL1 IT
+# Purpose : SVP module operates secmem driver
+allow mediacodec mobicore_data_file:file { read open getattr};
+allow mediacodec mobicore_user_device:chr_file rw_file_perms;
+allow mediacodec mobicore:unix_stream_socket connectto;
+allow mediacodec mobicore_data_file:dir search;
+allow mediacodec persist_data_file:file { read getattr open };
+allow mediacodec persist_data_file:dir search;
+
+# Date : WK16.28
+# Operation : video codec driver
+# Purpose : for performance profiling and timing issue tracking during video playback
+allow mediacodec debugfs_fb:dir search;
+
+# Date : WK16.29
+# Operation : Migration
+# Purpose : Add permission for gpu access
+allow mediacodec dri_device:chr_file rw_file_perms;
+
+# Date : WK16.50
+# Operation : video codec driver
+# Purpose : Add permission for thermal function access
+allow mediacodec proc_mtktz:dir search;
+allow mediacodec proc_mtktz:file r_file_perms;
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(mediacodec, hal_mtk_pq)
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use shared memory for HAL PQ
+hal_client_domain(mediacodec, hal_allocator)
+
+# Date : WK17.31
+# Stage: O Migration, SQC
+# Purpose: Allow to use ape decoder
+hal_client_domain(mediacodec, hal_mtk_codecservice)
+
+# Date : WK18.46
+# Operation : WVL1 IT for TEEI
+# Purpose : SVP module operates TEEI
+hal_client_domain(mediacodec, hal_teei_capi)
+allow mediacodec teei_client_device:chr_file rw_file_perms;
+
+# Date : WK19.44
+# Purpose: Android Migration for D2+ Encoder
+allow mediacodec proc_chip:dir r_dir_perms;
+allow mediacodec proc_chip:file r_file_perms;
+
+# Date : WK19.45
+# Operation : WFD
+# Purpose : Allow set property to notify HWC secure venc enabled
+set_prop(mediacodec, vendor_mtk_secure_venc_prop)
+
+# Date : WK20.22
+# Operation : VDEC debug
+# Purpose : allow vdec can dump file to storage
+allow mediacodec vcodec_file:dir create_dir_perms;
+allow mediacodec vcodec_file:file create_file_perms;
+
+# Date : WK20.40
+# Operation : WFD
+# Purpose : Allow set property to notify HWC wfd enabled
+set_prop(mediacodec, vendor_mtk_wfd_enable_prop)
+
+#allow get mtk_sec_video_path_support
+get_prop(mediacodec, vendor_mtk_sec_video_path_support_prop)
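Review bot: The WK20.22 block (`allow mediacodec vcodec_file:dir create_dir_perms;` and the matching file rule) exists, per its own comment, so vdec can dump files to storage for debugging, yet it is unconditional; wrap it in `userdebug_or_eng(...)` so production builds do not ship a writable dump path in a process that also handles secure video buffers. `allow mediacodec persist_data_file:file { read getattr open };` plus the dir search is broad for the secmem use described, and `persist_data_file` is written by meta_tst, mobicore and mtk_hal_keyinstall elsewhere in this commit — the one file mediacodec needs should get a dedicated type. The first section header reads `# Data : WK16.25` where every other section says `Date`.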
diff --git a/bsp/non_plat/mediaserver.te b/bsp/non_plat/mediaserver.te
new file mode 100644
index 0000000..89062fa
--- /dev/null
+++ b/bsp/non_plat/mediaserver.te
@@ -0,0 +1,106 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.52
+# Operation : WVL1 IT
+# Purpose : SVP module operates secmem driver
+allow mediaserver mobicore_data_file:file getattr;
+allow mediaserver mobicore_data_file:file getattr;
+
+allow mediaserver mobicore_data_file:file { getattr read};
+allow mediaserver mobicore_user_device:chr_file { read write open ioctl};
+
+# Date: WK14.45
+# Operation : Migration
+# Purpose : HDCP
+allow mediaserver persist_data_file:file { read write getattr };
+
+# Date : WK15.03
+# Operation : Migration
+# Purpose : offloadservice
+allow mediaserver offloadservice_device:chr_file { read write ioctl open };
+
+# Data : WK14.38
+# Operation : Migration
+# Purpose : WFD
+allow mediaserver surfaceflinger:dir search;
+allow mediaserver surfaceflinger:file { read open };
+
+# Date : WK14.49
+# Operation : WFD
+# Purpose : WFD notifies its status to thermal module
+allow mediaserver proc_thermal:file { write getattr open };
+allow mediaserver proc_mtkcooler:file { read write open };
+allow mediaserver proc_mtktz:file { read write open };
+allow mediaserver proc_thermal:file { read write open };
+
+# Date : WK15.44
+# Operation : Migration
+# Purpose : ancservice
+allow mediaserver ancservice_device:chr_file { read write ioctl open };
+
+# Date : WK16.29
+# Operation : Migration
+# Purpose : Add permission for gpu access
+allow mediaserver dri_device:chr_file { read write open ioctl };
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(mediaserver, hal_mtk_pq)
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use shared memory for HAL PQ
+hal_client_domain(mediaserver, hal_allocator)
+
+# Date : WK17.31
+# Stage: O Migration, SQC
+# Purpose: Allow to use ape decoder
+hal_client_domain(mediaserver, hal_mtk_codecservice)
+
+# Date : WK17.31
+# Operation : ViLTE
+# Purpose : for ViLTE - set VTservice has permission to access me
+allow mediaserver vtservice:binder { transfer call };
+allow mediaserver vtservice:fd use;
+
+# Date : WK17.43
+# Operation : OMA DRM
+# Purpose : Allow mediaserver to read processname to pass OMA DRM permisson check
+allow mediaserver platform_app:dir search;
+allow mediaserver platform_app:file { read open };
+
+# Date : WK17.47
+# Operation : SQC
+# Purpose : Allow mediaserver to read processname of DeskClock to pass OMA DRM permisson check
+allow mediaserver mediaprovider:dir search;
+allow mediaserver platform_app:file getattr;
+allow mediaserver system_app:dir search;
+allow mediaserver system_app:file read;
+allow mediaserver system_app:file open;
+
+# Date : WK17.49
+# Operation : VOW
+# Purpose: Allow read and getattr path="/data/data/com.mediatek.voicecommand/training
+# /anyone/passwordfile/0.dat"
+allow mediaserver system_app_data_file:file { read getattr };
+
+# Date : WK19.16
+# Operation : WFD
+# Purpose: Allow ioctl
+allowxperm mediaserver proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_QUEUE
+ PERFMGR_FPSGO_DEQUEUE
+};
+
+# Date : WK19.43
+# Operation : HDCP
+# Purpose : Allow to connect HDCP HIDL server
+hal_client_domain(mediaserver, hal_tesiai_hdcp)
+
+# Date : WK21.37
+# Operation : HDCP
+# Purpose : Allow HDCP to access wv dev to get handle
+allow mediaserver widevine_drv_device:chr_file rw_file_perms_no_map;
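Review bot: `allow mediaserver system_app_data_file:file { read getattr };` is justified by a single voicecommand password file, but the rule grants read on every system app's private data; label that file or its directory with its own type and grant only that. The first three `mobicore_data_file` rules are duplicates of each other (`getattr` twice, then `{ getattr read }`), so keep just `allow mediaserver mobicore_data_file:file { getattr read };`, and `proc_thermal:file` is likewise granted twice in the WFD block. `persist_data_file:file { read write getattr }` without `open` only works on inherited descriptors — confirm that is the HDCP flow, otherwise the rule is dead policy that still reads as a write grant.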
diff --git a/bsp/non_plat/mediaswcodec.te b/bsp/non_plat/mediaswcodec.te
new file mode 100644
index 0000000..60af43c
--- /dev/null
+++ b/bsp/non_plat/mediaswcodec.te
@@ -0,0 +1,7 @@
+# Date : WK19.25
+# Operation : Migration
+# Purpose : [ALPS04666895] DRTS failed due to avc denied
+allow mediaswcodec debugfs_ion:dir rw_dir_perms;
+allow mediaswcodec gpu_device:dir rw_dir_perms;
+allow mediaswcodec dri_device:chr_file rw_file_perms;
+allow mediaswcodec gpu_device:chr_file rw_file_perms;
\ No newline at end of file
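Review bot: Granting `gpu_device` and `dri_device` rw to mediaswcodec, the platform's software-only codec process, undoes the isolation that process exists to provide, and the justification (`DRTS failed due to avc denied`) describes a denial rather than a design decision; the comment should state which codec needs GPU memory and whether that work belongs in a vendor codec service instead. `rw_dir_perms` on `debugfs_ion:dir` and `gpu_device:dir` means creating and removing entries in those directories; if the need is only to open files beneath them, `search` is enough, and if debugfs is not mounted on user builds the debugfs rule is userdebug-only material anyway. The file is also missing its trailing newline.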
diff --git a/bsp/non_plat/merged_hal_service.te b/bsp/non_plat/merged_hal_service.te
new file mode 100644
index 0000000..28985fa
--- /dev/null
+++ b/bsp/non_plat/merged_hal_service.te
@@ -0,0 +1,5 @@
+# Date : 2018/4/13
+# Operation: SQC
+# Purpose : Allow powerHAL to access dfps
+allow merged_hal_service mtk_hal_dfps:binder call;
+hal_client_domain(merged_hal_service, hal_dfps);
diff --git a/bsp/non_plat/meta_tst.te b/bsp/non_plat/meta_tst.te
new file mode 100644
index 0000000..05c8bf5
--- /dev/null
+++ b/bsp/non_plat/meta_tst.te
@@ -0,0 +1,89 @@
+# ==============================================
+# Policy File of /vendor/bin/meta_tst Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2016/06/01
+# Operation: TEEI integration
+# Purpose: Microtrust service
+allow meta_tst init_thh_service_exec:file rx_file_perms;
+allow meta_tst teei_data_file:dir create_dir_perms;
+allow meta_tst teei_data_file:file create_file_perms;
+allow meta_tst teei_client_device:chr_file { create setattr unlink rw_file_perms };
+set_prop(meta_tst, vendor_mtk_soter_teei_prop)
+hal_client_domain(meta_tst, hal_teei_thh)
+allow meta_tst tee_device:chr_file rw_file_perms;
+
+allow meta_tst camera_fdvt_device:chr_file rw_file_perms;
+allow meta_tst camera_owe_device:chr_file rw_file_perms;
+allow meta_tst camera_wpe_device:chr_file rw_file_perms;
+allow meta_tst camera_gepf_device:chr_file rw_file_perms;
+allow meta_tst camera_rsc_device:chr_file rw_file_perms;
+allow meta_tst camera_tsf_device:chr_file rw_file_perms;
+allow meta_tst camera_isp_device:chr_file rw_file_perms;
+allow meta_tst ccu_device:chr_file rw_file_perms;
+allow meta_tst vpu_device:chr_file rw_file_perms;
+
+# Data: W17.27
+# DRM Key Installation HIDL
+allow meta_tst mtk_hal_keyinstall:binder call;
+
+# Date: W17.27
+# Purpose : Allow meta_tst to call vendor.mediatek.hardware.keyinstall@1.0-service.
+hal_client_domain(meta_tst, hal_keymaster)
+
+# Date: W17.46
+allow meta_tst dm_device:blk_file rw_file_perms;
+allow meta_tst devpts:chr_file rw_file_perms;
+allow meta_tst kmsg_device:chr_file w_file_perms;
+allow meta_tst sysfs_fs_ext4_features:dir search;
+allow meta_tst sysfs_fs_ext4_features:file read;
+allow meta_tst vendor_block_device:blk_file getattr;
+allow meta_tst protect1_block_device:blk_file getattr;
+allow meta_tst protect2_block_device:blk_file getattr;
+
+# Date: W17.48
+# Purpose : meta connect with ATCI by socket.
+set_prop(meta_tst, vendor_mtk_persist_service_atci_prop)
+allow meta_tst atcid:unix_stream_socket connectto;
+
+# Purpose: TrustKernel Service
+allow meta_tst tkcore_admin_device:chr_file { read write open ioctl };
+allow meta_tst sdcardfs:dir create_dir_perms;
+allow meta_tst sdcardfs:file create_file_perms;
+
+# Data: W18.01
+#tablet DRM Key Manager HIDL
+allow meta_tst mtk_hal_keymanage:binder call;
+
+# lite version start
+allow meta_tst init_thh_service_exec:file { execute_no_trans };
+# lite version end
+
+# Date: W18.32
+# Purpose: DRM key install
+allow meta_tst mobicore_user_device:chr_file rw_file_perms;
+
+# Data: W19.18
+# Operation: Android Q migration
+# Purpose : meta set atci property
+set_prop(meta_tst, vendor_mtk_atci_sys_prop)
+allow meta_tst adb_atci_socket:sock_file write;
+
+# Date: WK20.13
+# Operation : Migration
+# Purpose : HDCP
+allow meta_tst persist_data_file:dir create_dir_perms;
+allow meta_tst persist_data_file:file create_file_perms;
+allow meta_tst mobicore_vendor_file:file lock;
+allow meta_tst self:capability chown;
+
+hal_client_domain(meta_tst, hal_teei_capi)
+hal_client_domain(meta_tst, hal_allocator)
+
+# Date : WK20.51
+# Purpose: Allow meta connect to sysfs_pmu
+allow meta_tst sysfs_pmu:dir search;
+allow meta_tst sysfs_pmu:file rw_file_perms;
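Review bot: `allow meta_tst dm_device:blk_file rw_file_perms;` gives the factory-mode tool raw read/write on every device-mapper block device, which may include dm-verity-backed partitions, with nothing but a date as justification; the comment should say what it writes, and the grant should be narrowed to the one device or gated on the factory build so a production image does not carry it. `teei_client_device:chr_file { create setattr unlink rw_file_perms }` lets meta_tst create and remove the TEE device node itself, a job normally left to ueventd — confirm that is intended. `init_thh_service_exec:file { execute_no_trans }` runs the TEE helper inside meta_tst's own domain, so every permission in this file is also available to that binary; a `domain_auto_trans` into the helper's domain would keep the two separate.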
diff --git a/bsp/non_plat/mobicore.te b/bsp/non_plat/mobicore.te
new file mode 100644
index 0000000..550fa27
--- /dev/null
+++ b/bsp/non_plat/mobicore.te
@@ -0,0 +1,33 @@
+##
+# Trustonic TEE (mobicore) daemon
+#
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type mobicore_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+# permissive mobicore;
+init_daemon_domain(mobicore)
+allow mobicore mobicore_admin_device:chr_file rw_file_perms;
+allow mobicore mobicore_user_device:chr_file rw_file_perms;
+allow mobicore mobicore_data_file:dir { create rw_dir_perms rename reparent };
+allow mobicore mobicore_data_file:file { create_file_perms rw_file_perms };
+
+# Date : 2016/10/17 (or WK16.43)
+# Operation : TUI Migration/SQC
+# Purpose : Set new added properties for TuiStarter in 311B mcDriverDaemon
+allow mobicore mobicore_tui_device:chr_file { read open ioctl };
+
+# Date: 2017/12/11
+# Purpose: set policy for FBE
+allow mobicore unlabeled:dir search;
+
+# Date: 2018/06/22
+# Purpose: set sepolicy for access mnt vendor file on Android P
+allow mobicore mnt_vendor_file:dir search;
+allow mobicore persist_data_file:dir { ra_dir_perms };
+allow mobicore persist_data_file:file { read write create open getattr };
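Review bot: `allow mobicore unlabeled:dir search;` (the FBE comment) works around directories that never received a label; the right fix is a file_contexts entry or a restorecon of that path, because the `unlabeled` type matches any object anywhere on the system that lost its label. The commented-out `# permissive mobicore;` is a debugging leftover and should be deleted so it cannot be re-enabled by an accidental uncomment. The persist_data_file rules share that generic type with mediaserver, meta_tst and mtk_hal_keyinstall in this commit; if the TEE daemon keeps secrets under /persist they should be given their own label.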
diff --git a/bsp/non_plat/mobicore_app.te b/bsp/non_plat/mobicore_app.te
new file mode 100644
index 0000000..4c70ba6
--- /dev/null
+++ b/bsp/non_plat/mobicore_app.te
@@ -0,0 +1,16 @@
+app_domain(mobicore_app)
+net_domain(mobicore_app)
+
+# ==============================================
+# Rules between mobicore_app and mobicore
+# ==============================================
+
+# For RootPA (TA installation OTAv1) + RSU daemon
+allow mobicore_app mobicore_user_device:chr_file { getattr read write ioctl open };
+allow mobicore_app mobicore_admin_device:chr_file { getattr };
+
+allow mobicore_app mobicore_data_file:dir { read getattr open search};
+allow mobicore_app mobicore_data_file:file { read getattr open };
+allow mobicore_app mobicore_tui_device:chr_file { ioctl open read};
+allow mobicore_app mobicore:unix_stream_socket { connectto };
+
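Review bot: `allow mobicore_app mobicore_user_device:chr_file { getattr read write ioctl open };` and the `mobicore_tui_device` rule hand an `app_domain` — one that is also `net_domain`, so reachable from the network — unrestricted ioctl on the TEE driver with no `allowxperm`; add an `allowxperm mobicore_app mobicore_user_device:chr_file ioctl { ... }` listing the commands RootPA/RSU actually issue, as mtk_hal_c2.te in this commit does for proc_m4u. Also confirm the seapp_contexts entry that lands apps in this domain is keyed on the RootPA signing certificate, since any app assigned here gets direct TEE access. The trailing blank added line can be dropped.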
diff --git a/bsp/non_plat/mtk_advcamserver.te b/bsp/non_plat/mtk_advcamserver.te
new file mode 100644
index 0000000..c5be294
--- /dev/null
+++ b/bsp/non_plat/mtk_advcamserver.te
@@ -0,0 +1,14 @@
+# ==============================================
+# Policy File of /system/bin/mtk_advcamserver Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+binder_call(mtk_advcamserver, mtk_hal_camera)
+
+allow mtk_advcamserver hal_graphics_allocator_default:fd use;
+allow mtk_advcamserver hal_graphics_mapper_hwservice:hwservice_manager find;
+allow mtk_advcamserver debugfs_ion:dir search;
+allow mtk_advcamserver proc_perfmgr:dir search;
+allow mtk_advcamserver proc_perfmgr:file r_file_perms;
diff --git a/bsp/non_plat/mtk_agpsd.te b/bsp/non_plat/mtk_agpsd.te
new file mode 100644
index 0000000..d5b884a
--- /dev/null
+++ b/bsp/non_plat/mtk_agpsd.te
@@ -0,0 +1,13 @@
+# ==============================================
+# Policy File of /system/bin/mtk_agpsd Executable File
+
+# Request CDMA network info for CDMA A-GPS
+allow mtk_agpsd rild:unix_dgram_socket sendto;
+
+#============= mtk_agpsd ==============
+allow mtk_agpsd sysfs_ccci:dir search;
+allow mtk_agpsd sysfs_ccci:file { read open };
+
+# Allow to connect APM HIDL server
+hal_client_domain(mtk_agpsd, hal_mtk_apm)
+get_prop(mtk_agpsd, vendor_mtk_dmc_prop)
diff --git a/bsp/non_plat/mtk_hal_audio.te b/bsp/non_plat/mtk_hal_audio.te
new file mode 100644
index 0000000..a44a747
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_audio.te
@@ -0,0 +1,2 @@
+# Purpose : adsp
+allow mtk_hal_audio adsp_device:chr_file { rw_file_perms };
diff --git a/bsp/non_plat/mtk_hal_c2.te b/bsp/non_plat/mtk_hal_c2.te
new file mode 100644
index 0000000..ecd5b0a
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_c2.te
@@ -0,0 +1,12 @@
+#============= mtk_hal_c2 for SVP on legacy vcodec ==============
+allow mtk_hal_c2 mobicore_user_device:chr_file rw_file_perms;
+allow mtk_hal_c2 proc_m4u:file r_file_perms;
+allowxperm mtk_hal_c2 proc_m4u:file ioctl {
+ MTK_M4U_T_SEC_INIT
+ MTK_M4U_T_CONFIG_PORT
+ MTK_M4U_T_CACHE_SYNC
+ MTK_M4U_T_CONFIG_PORT_ARRAY
+};
+
+hal_client_domain(mtk_hal_c2, hal_teei_capi)
+allow mtk_hal_c2 teei_client_device:chr_file rw_file_perms;
diff --git a/bsp/non_plat/mtk_hal_camera.te b/bsp/non_plat/mtk_hal_camera.te
new file mode 100644
index 0000000..d06affa
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_camera.te
@@ -0,0 +1,105 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK17.27
+# Stage: O Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(mtk_hal_camera, hal_mtk_pq)
+
+# Date : WK17.27
+# Stage: O Migration, SQC
+# Purpose: Allow to use shared memory for HAL PQ
+hal_client_domain(mtk_hal_camera, hal_allocator)
+
+# WK17.33 camera binder_call permission
+binder_call(mtk_hal_camera, system_server)
+
+# Date : WK17.33
+# Stage: O Migration, SQC
+# Purpose: Allow to set log too much property
+set_prop(mtk_hal_camera, vendor_mtk_logmuch_prop)
+
+# Date : WK17.35
+# Stage: O Migration, SQC
+# Purpose: camera notifies its status to thermal module
+allow mtk_hal_camera proc_thermal:file rw_file_perms;
+allow mtk_hal_camera proc_mtktz:file rw_file_perms;
+get_prop(mtk_hal_camera, vendor_mtk_thermal_config_prop)
+allow mtk_hal_camera proc_mtkcooler:file rw_file_perms;
+
+# W17.36 callback to mtk_advcamserver
+binder_call(mtk_hal_camera, mtk_advcamserver)
+
+# Date : WK17.39
+# Stage: O1 Migration, SQC
+# Purpose : Update camera Vcodec device file
+allow mtk_hal_camera Vcodec_device:chr_file rw_file_perms;
+
+# Date : WK17.42
+# Operation : Migration
+# Purpose : Dump camera buffer to sdcard for debug
+allow mtk_hal_camera sdcardfs:dir create_dir_perms;
+allow mtk_hal_camera sdcardfs:file create_file_perms;
+
+# Date : WK17.48
+# Stage: O Migration
+# Purpose: CCT
+allow mtk_hal_camera cct_data_file:dir create_dir_perms;
+allow mtk_hal_camera cct_data_file:file create_file_perms;
+allow mtk_hal_camera cct_data_file:fifo_file create_file_perms;
+
+# Date : WK18.22
+# Stage: p Migration
+# Purpose: NVRAM
+allow mtk_hal_camera nvram_data_file:dir search;
+allow mtk_hal_camera nvram_data_file:file rw_file_perms;
+allow mtk_hal_camera nvram_data_file:lnk_file r_file_perms;
+allow mtk_hal_camera nvdata_file:lnk_file r_file_perms;
+allow mtk_hal_camera nvdata_file:dir create_dir_perms;
+allow mtk_hal_camera nvdata_file:file create_file_perms;
+allow mtk_hal_camera nvcfg_file:lnk_file r_file_perms;
+allow mtk_hal_camera nvcfg_file:dir create_dir_perms;
+allow mtk_hal_camera nvcfg_file:file create_file_perms;
+allow mtk_hal_camera mnt_vendor_file:dir search;
+allow mtk_hal_camera mnt_vendor_file:file create_file_perms;
+
+# Date : WK18.29
+# Stage: P Migration
+# Purpose: Trustonic TEE access
+allow mtk_hal_camera mobicore_user_device:chr_file rw_file_perms;
+
+# Date : WK18.29
+# Stage: P Migration
+# Purpose: secure memory driver access
+allow mtk_hal_camera proc_secmem:file rw_file_perms;
+
+# Date : WK18.30
+# Stage: P migration
+# Purpose: sysfs boot mode access for HalSensor
+allow mtk_hal_camera sysfs_boot_mode:file r_file_perms;
+
+# Date : WK18.40
+# Stage: P migration
+# Purpose: Allow setprop for CCT
+set_prop(mtk_hal_camera, vendor_mtk_camera_prop)
+
+# Date : WK19.39
+# Stage: Q Migration
+# Purpose: Microtrust TEE access
+allow mtk_hal_camera teei_client_device:chr_file rw_file_perms;
+
+allow mtk_hal_camera mdla_device:chr_file rw_file_perms;
+
+# Date: 2019/11/11
+# Operation: For NDD
+allow mtk_hal_camera vendor_camera_dump_file:dir create_dir_perms;
+allow mtk_hal_camera vendor_camera_dump_file:file create_file_perms;
+
+binder_call(mtk_hal_camera, remosaic_daemon)
+allow mtk_hal_camera remosaic_daemon_service:service_manager find;
+
+# Date : WK21.14
+# Stage: R Migration
+# Purpose: Allow memfd access by MPEG4Writer
+allow mtk_hal_camera tmpfs:file rw_file_perms;
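Review bot: `allow mtk_hal_camera tmpfs:file rw_file_perms;` is meant for MPEG4Writer's memfd buffers, but the bare `tmpfs` type labels every tmpfs-backed file that has not been given a per-domain type, so this reaches well beyond the HAL's own memfds; check whether a per-domain tmpfs label for mtk_hal_camera covers the case instead. The WK17.42 block (`sdcardfs:dir create_dir_perms`, `sdcardfs:file create_file_perms`) is explicitly for dumping camera buffers to sdcard for debug and should sit inside `userdebug_or_eng(...)`, as mtk_hal_dplanner.te in this commit does. `proc_thermal`, `proc_mtktz` and `proc_mtkcooler` are all granted `rw_file_perms` while the comment only says the camera notifies its status — confirm the read side is needed.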
diff --git a/bsp/non_plat/mtk_hal_codecservice_default.te b/bsp/non_plat/mtk_hal_codecservice_default.te
new file mode 100644
index 0000000..7479ab0
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_codecservice_default.te
@@ -0,0 +1,10 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mtk_hal_codecservice_default_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(mtk_hal_codecservice_default)
+
+hal_server_domain(mtk_hal_codecservice_default, hal_mtk_codecservice)
+hal_client_domain(mtk_hal_codecservice_default, hal_allocator)
diff --git a/bsp/non_plat/mtk_hal_dfps.te b/bsp/non_plat/mtk_hal_dfps.te
new file mode 100644
index 0000000..862cc07
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_dfps.te
@@ -0,0 +1,23 @@
+# ==============================================
+# Type Declaration
+# ==============================================
+type mtk_hal_dfps_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(mtk_hal_dfps)
+
+hwbinder_use(mtk_hal_dfps);
+vndbinder_use(mtk_hal_dfps);
+
+hal_server_domain(mtk_hal_dfps, hal_dfps)
+
+add_hwservice(hal_dfps_server, mtk_hal_dfps_hwservice)
+
+# sysfs access.
+r_dir_file(mtk_hal_dfps, proc_net);
+
+get_prop(mtk_hal_dfps, hwservicemanager_prop)
+
+allow mtk_hal_dfps mtk_dfrc_device:chr_file rw_file_perms;
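Review bot: `r_dir_file(mtk_hal_dfps, proc_net);` sits under the comment `# sysfs access.` but grants read of everything labelled proc_net (/proc/net and /proc/sys/net), which a display-refresh-rate HAL has no evident reason to read and which exposes socket and routing state; either correct the comment to name the proc_net file that is read and narrow the label, or drop the rule. The trailing semicolons on `hwbinder_use(mtk_hal_dfps);` and `vndbinder_use(mtk_hal_dfps);` are harmless to m4 but inconsistent with the other HAL files in this commit.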
diff --git a/bsp/non_plat/mtk_hal_dplanner.te b/bsp/non_plat/mtk_hal_dplanner.te
new file mode 100644
index 0000000..78c833c
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_dplanner.te
@@ -0,0 +1,30 @@
+# ==============================================
+# Type Declaration
+# ==============================================
+type mtk_hal_dplanner_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(mtk_hal_dplanner);
+
+userdebug_or_eng(`
+ #Allow domain:mtk_hal_dplanner to use HWBinder IPC
+ hwbinder_use(mtk_hal_dplanner);
+
+ #Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder
+ hal_server_domain(mtk_hal_dplanner, hal_dplanner);
+
+ #Add/find permission rule to hwservicemanager
+ add_hwservice(hal_dplanner, mtk_hal_dplanner_hwservice);
+
+ #Allow platform app calls
+ allow mtk_hal_dplanner platform_app:binder { call transfer };
+
+ #Give permissions of dconfig
+ domain_auto_trans(mtk_hal_dplanner, mtk_dconfig_exec, mtk_dconfig);
+
+ #allow store data
+ allow mtk_hal_dplanner doe_vendor_data_file:dir create_dir_perms;
+ allow mtk_hal_dplanner doe_vendor_data_file:file create_file_perms;
+')
diff --git a/bsp/non_plat/mtk_hal_keyinstall.te b/bsp/non_plat/mtk_hal_keyinstall.te
new file mode 100644
index 0000000..c7b192e
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_keyinstall.te
@@ -0,0 +1,24 @@
+# Set mtk_hal_keyinstall as server domain of hal_keymaster
+hal_server_domain(mtk_hal_keyinstall, hal_keymaster)
+
+# Set exec file type
+type mtk_hal_keyinstall_exec, exec_type, file_type, vendor_file_type;
+
+# Setup for domain transition
+init_daemon_domain(mtk_hal_keyinstall)
+
+# Allow mtk_hal_keyinstall to communicate with mobicore
+allow mtk_hal_keyinstall mobicore:unix_stream_socket connectto;
+allow mtk_hal_keyinstall mobicore_data_file:dir search;
+allow mtk_hal_keyinstall mobicore_data_file:file { read getattr open };
+allow mtk_hal_keyinstall mobicore_user_device:chr_file { read write ioctl open };
+
+# Allow mtk_hal_keyinstall to access /persist
+allow mtk_hal_keyinstall persist_data_file:dir { search write add_name };
+allow mtk_hal_keyinstall persist_data_file:file { read write create open setattr getattr };
+
+# Allow mtk_hal_keyinstall to access /data/key_provisioning
+allow mtk_hal_keyinstall key_install_data_file:dir { write add_name remove_name search };
+allow mtk_hal_keyinstall key_install_data_file:file { write create setattr read getattr unlink open append };
+
+allow mtk_hal_keyinstall debugfs_tracing:file { write };
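Review bot: Provisioned key material is written under the generic `persist_data_file` label (`{ search write add_name }` on the dir, create/write/setattr on files), and this same commit grants that label to mediaserver (read/write), meta_tst (create) and mobicore (create); the keys should live under a dedicated type so only the keyinstall HAL and its TEE backend can reach them. `allow mtk_hal_keyinstall debugfs_tracing:file { write };` is a tracing leftover in a keymaster server and should be removed or wrapped in `userdebug_or_eng(...)`. The `hal_server_domain` line precedes the `type mtk_hal_keyinstall_exec` declaration — fine for the compiler, but the other HAL files in this commit declare the exec type first.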
diff --git a/bsp/non_plat/mtk_hal_netdagent.te b/bsp/non_plat/mtk_hal_netdagent.te
new file mode 100644
index 0000000..bb2ad66
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_netdagent.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(mtk_hal_netdagent_client, mtk_hal_netdagent_server)
+binder_call(mtk_hal_netdagent_server, mtk_hal_netdagent_client)
+
+add_hwservice(mtk_hal_netdagent_server, mtk_hal_netdagent_hwservice)
+allow mtk_hal_netdagent_client mtk_hal_netdagent_hwservice:hwservice_manager find;
diff --git a/bsp/non_plat/mtk_hal_neuralnetworks.te b/bsp/non_plat/mtk_hal_neuralnetworks.te
new file mode 100644
index 0000000..4ec2c13
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_neuralnetworks.te
@@ -0,0 +1,88 @@
+# ==============================================
+# Common SEPolicy Rule
+# =============================================
+
+type mtk_hal_neuralnetworks_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mtk_hal_neuralnetworks)
+
+hal_server_domain(mtk_hal_neuralnetworks, hal_neuralnetworks)
+allow mtk_hal_neuralnetworks ion_device:chr_file rw_file_perms;
+allow mtk_hal_neuralnetworks debugfs_ion:dir r_dir_perms;
+allow mtk_hal_neuralnetworks vpu_device:chr_file rw_file_perms;
+allow mtk_hal_neuralnetworks mdla_device:chr_file rw_file_perms;
+allow mtk_hal_neuralnetworks apusys_device:chr_file rw_file_perms;
+allow mtk_hal_neuralnetworks gpu_device:chr_file rw_file_perms;
+binder_call(mtk_hal_neuralnetworks, untrusted_app_25)
+binder_call(mtk_hal_neuralnetworks, untrusted_app)
+allow mtk_hal_neuralnetworks shell_data_file:file read;
+allow mtk_hal_neuralnetworks sdcardfs:file r_file_perms;
+allow mtk_hal_neuralnetworks fuse:file r_file_perms;
+allow mtk_hal_neuralnetworks sysfs_lowmemorykiller:dir r_dir_perms;
+allow mtk_hal_neuralnetworks sysfs_lowmemorykiller:file r_file_perms;
+allow mtk_hal_neuralnetworks proc_zoneinfo:file r_file_perms;
+allow mtk_hal_neuralnetworks apk_data_file:file read;
+allow mtk_hal_neuralnetworks gpu_device:dir r_dir_perms;
+
+# Date : WK14.40 2018/11/16
+# Purpose : allow access to /data/vendor for blob cache for gpunn service
+allow mtk_hal_neuralnetworks mnt_user_file:lnk_file r_file_perms;
+allow mtk_hal_neuralnetworks mnt_user_file:dir search;
+allow mtk_hal_neuralnetworks storage_file:lnk_file r_file_perms;
+allow mtk_hal_neuralnetworks sdcardfs:dir search;
+dontaudit mtk_hal_neuralnetworks media_rw_data_file:dir search;
+
+# Date : WK19.03 2019/01/14
+# Purpose : allow access to /data/vendor for blob cache for gpunn service
+allow mtk_hal_neuralnetworks gpunn_data_file:dir create_dir_perms;
+allow mtk_hal_neuralnetworks gpunn_data_file:file create_file_perms;
+
+# Date : WK1919 2019/0513
+# Purpose : allow access to perfmgr for EARA-QoS
+allow mtk_hal_neuralnetworks proc_perfmgr:dir r_dir_perms;
+allow mtk_hal_neuralnetworks proc_perfmgr:file r_file_perms;
+allowxperm mtk_hal_neuralnetworks proc_perfmgr:file ioctl {
+ PERFMGR_EARA_NN_BEGIN
+ PERFMGR_EARA_NN_END
+ PERFMGR_EARA_GETUSAGE
+};
+
+allow mtk_hal_neuralnetworks proc_ged:file rw_file_perms;
+allowxperm mtk_hal_neuralnetworks proc_ged:file ioctl proc_ged_ioctls;
+
+# Date : WK1946
+# Purpose : allow access to /proc/[pid]/cmdline
+typeattribute mtk_hal_neuralnetworks mlstrustedsubject;
+allow mtk_hal_neuralnetworks untrusted_app_all:dir search;
+allow mtk_hal_neuralnetworks untrusted_app_all:file r_file_perms;
+
+# Date : WK2003
+# Purpose : read chip id and segment code
+allow mtk_hal_neuralnetworks sysfs_chipid:file r_file_perms;
+allow mtk_hal_neuralnetworks proc_devinfo:file r_file_perms;
+
+# Date : WK2016 2020/0415
+# Purpose : Support AHardwareBuffer
+hal_client_domain(mtk_hal_neuralnetworks, hal_graphics_allocator)
+
+# Date : WK2023
+# Purpose : Allow access to PowerHal for performance boost
+hal_client_domain(mtk_hal_neuralnetworks, hal_power)
+
+# Date : WK2038
+# Purpose : Allow VtsHalNeuralnetworks search fd
+allow mtk_hal_neuralnetworks shell:dir search;
+
+# Date : WK2127
+# Purpose : Allow Debug Plus read/write report
+allow mtk_hal_neuralnetworks data_vendor_nn_file:dir create_dir_perms;
+allow mtk_hal_neuralnetworks data_vendor_nn_file:file create_file_perms;
+
+# Date : WK2127
+# Purpose : Allow HMP custom api request
+allow mtk_hal_neuralnetworks data_vendor_hmp_file:dir { rw_dir_perms };
+allow mtk_hal_neuralnetworks data_vendor_hmp_file:file { create_file_perms };
+
+# Date : WK2128
+# Purpose: Allow Neuron Hidl set property
+set_prop(mtk_hal_neuralnetworks, vendor_mtk_apuware_debug_prop)
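Review bot: `allow mtk_hal_neuralnetworks untrusted_app_all:file r_file_perms;` with the matching `dir search` is justified as reading /proc/[pid]/cmdline, but it grants read on every /proc/<pid> file labelled with an app domain, and alongside `mlstrustedsubject` and the `shell_data_file`, `apk_data_file`, `sdcardfs` and `fuse` reads it lets this HAL read app code and storage across users; if the HAL only needs the caller's identity it should take it from the binder caller rather than from procfs. `binder_call(mtk_hal_neuralnetworks, untrusted_app)` and `untrusted_app_25` make the HAL initiate binder calls into untrusted apps; if these are only callbacks on the existing NN HAL channel they may already be covered by the hal_server/hal_client macros and can be dropped. The `WK14.40 2018/11/16` header is internally inconsistent (week 14 versus November).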
diff --git a/bsp/non_plat/mtk_hal_nwk_opt.te b/bsp/non_plat/mtk_hal_nwk_opt.te
new file mode 100644
index 0000000..f99f8e7
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_nwk_opt.te
@@ -0,0 +1,20 @@
+hal_server_domain(mtk_hal_nwk_opt,hal_nwk_opt)
+type mtk_hal_nwk_opt_exec,exec_type,file_type,vendor_file_type;
+init_daemon_domain(mtk_hal_nwk_opt)
+hwbinder_use(mtk_hal_nwk_opt)
+
+add_hwservice(hal_nwk_opt_server,mtk_hal_nwk_opt_hwservice)
+
+binder_call(hal_nwk_opt_client, hal_nwk_opt_server)
+binder_call(hal_nwk_opt_server, hal_nwk_opt_client)
+
+allow hal_nwk_opt_client mtk_hal_nwk_opt_hwservice :hwservice_manager find;
+allow mtk_hal_nwk_opt nwkopt_device:chr_file rw_file_perms;
+allow mtk_hal_nwk_opt sysfs_fpsgo:dir search;
+allow mtk_hal_nwk_opt sysfs_fpsgo:file rw_file_perms;
+allow mtk_hal_nwk_opt input_device:dir r_dir_perms;
+allow mtk_hal_nwk_opt input_device:file rw_file_perms;
+allow mtk_hal_nwk_opt input_device:chr_file rw_file_perms;
+allow mtk_hal_nwk_opt tx_device:chr_file rw_file_perms;
+
+set_prop(mtk_hal_nwk_opt, vendor_mtk_nwk_opt_prop)
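Review bot: The three `input_device` rules near the end of the hunk give a network-optimisation HAL read/write access to every input event node (`allow mtk_hal_nwk_opt input_device:chr_file rw_file_perms;`), which is enough to inject or observe touch and key events rather than merely detect user activity. If the daemon only polls for activity, `allow mtk_hal_nwk_opt input_device:chr_file r_file_perms;` (and dropping the `input_device:file` rule) is the narrower grant; if it really writes to one node, a dedicated device type plus a comment naming that node would make the write reviewable. The `hal_nwk_opt_client` rule also has a stray space before the class; it should read `allow hal_nwk_opt_client mtk_hal_nwk_opt_hwservice:hwservice_manager find;`.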
diff --git a/bsp/non_plat/mtk_hal_omadm.te b/bsp/non_plat/mtk_hal_omadm.te
new file mode 100644
index 0000000..222c22d
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_omadm.te
@@ -0,0 +1,26 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type mtk_hal_omadm_exec, exec_type, vendor_file_type, file_type;
+typeattribute mtk_hal_omadm hal_mtk_omadm_server;
+typeattribute mtk_hal_omadm hal_mtk_omadm;
+
+net_domain(mtk_hal_omadm)
+init_daemon_domain(mtk_hal_omadm)
+hwbinder_use(mtk_hal_omadm)
+get_prop(mtk_hal_omadm, hwservicemanager_prop)
+
+allow mtk_hal_omadm omadm_data_file:file create_file_perms;
+allow mtk_hal_omadm omadm_data_file:dir create_dir_perms;
+allow mtk_hal_omadm self:udp_socket create_socket_perms_no_ioctl;
+allow mtk_hal_omadm self:tcp_socket create_socket_perms_no_ioctl;
+allow mtk_hal_omadm self:capability net_raw;
+allow mtk_hal_omadm fwmarkd_socket:sock_file write;
+allow mtk_hal_omadm netd:unix_stream_socket connectto;
+allow mtk_hal_omadm port:tcp_socket { name_bind name_connect };
+allow mtk_hal_omadm protect_f_data_file:dir create_dir_perms;
+allow mtk_hal_omadm protect_f_data_file:file create_file_perms;
+allow mtk_hal_omadm mnt_vendor_file:dir create_dir_perms;
+allow mtk_hal_omadm mnt_vendor_file:file create_file_perms;
+allow mtk_hal_omadm omadm_misc_file:file create_file_perms;
+allow mtk_hal_omadm omadm_misc_file:dir create_dir_perms;
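Review bot: `allow mtk_hal_omadm self:capability net_raw;` is granted without any `rawip_socket` or `packet_socket` rule in the hunk, so its only plausible use is `SO_BINDTODEVICE` on the tcp/udp sockets; the rule needs a comment saying so, and it can be dropped if the daemon binds networks through the `fwmarkd_socket` it is also given. Separately, a network-facing device-management agent receives `create_dir_perms`/`create_file_perms` on the generic `mnt_vendor_file` and `protect_f_data_file` types although this file already declares its own `omadm_data_file` and `omadm_misc_file`; if the writes go to fixed subdirectories, label those with the omadm types and remove the generic rules. `allow mtk_hal_omadm port:tcp_socket { name_bind name_connect };` also permits binding and connecting on any port type, which is expected for an OMA-DM HTTP client but deserves a Purpose line.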
diff --git a/bsp/non_plat/mtk_hal_power.te b/bsp/non_plat/mtk_hal_power.te
new file mode 100644
index 0000000..7fa2266
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_power.te
@@ -0,0 +1,37 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2017/10/24
+# Operation: SQC
+# Purpose : Allow powerHAL to access dfps
+allow mtk_hal_power mtk_hal_dfps:binder call;
+hal_client_domain(mtk_hal_power, hal_dfps)
+
+# Date : 2018/9/10
+# Operation: netdagnt
+allow mtk_hal_power mtk_hal_netdagent_hwservice:hwservice_manager find;
+allow mtk_hal_power netdagent:binder call;
+
+# Date : 2019/07/19
+# Operation: NwkOpt
+allow mtk_hal_power mtk_hal_nwk_opt:binder call;
+hal_client_domain(mtk_hal_power, hal_nwk_opt)
+
+# Date : 2019/09/19
+# Operation: touchll
+allow mtk_hal_power mtk_hal_touchll:binder call;
+hal_client_domain(mtk_hal_power, hal_mtk_touchll)
+
+# Date : 2020/05/19
+# Operation: CapabilityTest
+allow mtk_hal_power capability_app:dir { getattr search };
+allow mtk_hal_power capability_app:file r_file_perms;
+
+# Date : 2020/06/03
+# Purpose : Allow PowerHAL to access Neuralnetworks HAL
+allow mtk_hal_power mtk_hal_neuralnetworks:dir r_dir_perms;
+allow mtk_hal_power mtk_hal_neuralnetworks:file r_file_perms;
+
+# Allow Power to alter DT2W node
+allow mtk_hal_power sysfs_keypad_file:file rw_file_perms;
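Review bot: The explicit `allow mtk_hal_power mtk_hal_dfps:binder call;`, `allow mtk_hal_power mtk_hal_nwk_opt:binder call;` and `allow mtk_hal_power mtk_hal_touchll:binder call;` lines duplicate what the `hal_client_domain` macro directly beneath each grants through the `*_server` attribute, assuming those server domains are declared with `hal_server_domain` as `mtk_hal_nwk_opt` and `mtk_hal_touchll` are elsewhere in this patch; the three explicit rules can go. The final rule, `allow mtk_hal_power sysfs_keypad_file:file rw_file_perms;`, is the only one in the file without a Date/Purpose header and grants write to every file of that sysfs type; add `# Purpose : write the double-tap-to-wake enable node labelled sysfs_keypad_file` with the node path so the grant stays auditable.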
diff --git a/bsp/non_plat/mtk_hal_pplagent.te b/bsp/non_plat/mtk_hal_pplagent.te
new file mode 100644
index 0000000..64d9876
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_pplagent.te
@@ -0,0 +1,9 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(mtk_hal_pplagent_client, mtk_hal_pplagent_server)
+binder_call(mtk_hal_pplagent_server, mtk_hal_pplagent_client)
+
+
+add_hwservice(mtk_hal_pplagent, mtk_hal_pplagent_hwservice)
+
+add_hwservice(mtk_hal_pplagent_server, mtk_hal_pplagent_hwservice)
+allow mtk_hal_pplagent_client mtk_hal_pplagent_hwservice:hwservice_manager find;
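Review bot: The first `add_hwservice(mtk_hal_pplagent, mtk_hal_pplagent_hwservice)` grants registration to every domain carrying the base `mtk_hal_pplagent` attribute, and in the AOSP macros `hal_client_domain(d, mtk_hal_pplagent)` attaches that base attribute to clients as well as `hal_server_domain` attaching it to servers. Any client added that way could register an impostor `mtk_hal_pplagent_hwservice` ahead of `ppl_agent`, which this patch makes the real server via `hal_server_domain(ppl_agent, mtk_hal_pplagent)`. The second line, `add_hwservice(mtk_hal_pplagent_server, mtk_hal_pplagent_hwservice)`, is the correct one; delete the first.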
diff --git a/bsp/non_plat/mtk_hal_pq.te b/bsp/non_plat/mtk_hal_pq.te
new file mode 100644
index 0000000..9e64a63
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_pq.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Policy File of /vendor/bin/hw/vendor.mediatek.hardware.pq@2.0-service Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK17.01
+# Operation : New feature: Factory Gamma
+# Purpose : Allow nvram access
+allow mtk_hal_pq nvdata_file:dir w_dir_perms;
+allow mtk_hal_pq nvdata_file:file create_file_perms;
+allow mtk_hal_pq nvram_data_file:dir w_dir_perms;
+allow mtk_hal_pq nvram_data_file:file create_file_perms;
+allow mtk_hal_pq nvram_data_file:lnk_file read;
+allow mtk_hal_pq nvdata_file:lnk_file read;
+
+# Operation : New feature: AppGamePQ 2.0
+# Purpose : create hidl handle for buffer
+allow mtk_hal_pq hal_graphics_allocator_default:fd use;
+allow mtk_hal_pq proc_ged:file r_file_perms;
+allowxperm mtk_hal_pq proc_ged:file ioctl proc_ged_ioctls;
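Review bot: The Factory Gamma block gives the display PQ HAL `create_file_perms` on the whole `nvdata_file` and `nvram_data_file` types, which in this policy family label the calibration store shared with other subsystems (ppl_agent in this same patch writes the same types), so a bug in this HAL could clobber another component's NVRAM-backed data. If the gamma records live in a fixed file or directory, a dedicated type such as `pq_nvram_data_file` declared in file.te and labelled in file_contexts, with `rw_file_perms`, would bound the blast radius; either way the Purpose line should name the records written. `allow mtk_hal_pq hal_graphics_allocator_default:fd use;` also pins the default allocator implementation; `allow mtk_hal_pq hal_graphics_allocator_server:fd use;` would follow the attribute convention used in the rest of this patch.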
diff --git a/bsp/non_plat/mtk_hal_thp.te b/bsp/non_plat/mtk_hal_thp.te
new file mode 100644
index 0000000..1ca37a2
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_thp.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mtk_hal_thp_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(mtk_hal_thp)
+
+hal_server_domain(mtk_hal_thp, hal_mtk_thp)
+
+allow mtk_hal_thp mtk_thp_data_file:dir create_dir_perms;
+allow mtk_hal_thp mtk_thp_data_file:file create_file_perms;
+allow mtk_hal_thp mtk_thp_data_file:sock_file create_file_perms;
+allow mtk_hal_thp mtk_thp_data_file:fifo_file create_file_perms;
+
+# Allow accessto /dev/thp & /dev/input_mt_wrapper node
+allow mtk_hal_thp gdix_thp_device:chr_file rw_file_perms;
+allow mtk_hal_thp gdix_mt_wrapper_device:chr_file rw_file_perms;
+
+# Allow sys_nice
+allow mtk_hal_thp self:capability sys_nice;
+
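Review bot: `# Allow sys_nice` merely restates `allow mtk_hal_thp self:capability sys_nice;`; CAP_SYS_NICE also permits changing the scheduling of other processes, so the comment should say which thread of the touch HAL raises its priority and why, e.g. `# Purpose : raise the touch report thread to RT priority (sched_setscheduler needs CAP_SYS_NICE)`. Likewise the `sock_file` and `fifo_file` `create_file_perms` under `mtk_thp_data_file` are unexplained; name the peer that connects to them. The "Allow accessto" comment has a missing space.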
diff --git a/bsp/non_plat/mtk_hal_touchll.te b/bsp/non_plat/mtk_hal_touchll.te
new file mode 100644
index 0000000..43cb2be
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_touchll.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type mtk_hal_touchll_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(mtk_hal_touchll)
+
+hal_server_domain(mtk_hal_touchll, hal_mtk_touchll)
diff --git a/bsp/non_plat/mtk_hal_wfo.te b/bsp/non_plat/mtk_hal_wfo.te
new file mode 100644
index 0000000..1b97183
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_wfo.te
@@ -0,0 +1,15 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type mtk_hal_wfo_exec, exec_type, file_type, vendor_file_type;
+
+# hwbinder access
+init_daemon_domain(mtk_hal_wfo)
+
+hal_server_domain(mtk_hal_wfo, hal_mtk_wfo)
+
+# Date : WK1721 2017/5/26
+# Operation : IT
+# Purpose: WifiOffloadService HIDL Migration
+allow mtk_hal_wfo mal_mfi_socket:sock_file write;
+allow mtk_hal_wfo debugfs_tracing:file w_file_perms;
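Review bot: `allow mtk_hal_wfo debugfs_tracing:file w_file_perms;` gives a production vendor HAL write access to the kernel trace buffer under debugfs, a debug facility that is normally unmounted or off-limits to vendor domains on user builds, and nothing in this hunk gates it. Unless WifiOffload writes trace markers in shipping builds on purpose, wrap the rule in the `userdebug_or_eng(...)` m4 macro the way `osi.te` in this patch does, and state in the Purpose line what is written. The `allow mtk_hal_wfo mal_mfi_socket:sock_file write;` rule could also name the peer daemon in a comment, since the matching `connectto` is not in this hunk.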
diff --git a/bsp/non_plat/mtk_pkm_service.te b/bsp/non_plat/mtk_pkm_service.te
new file mode 100644
index 0000000..b982763
--- /dev/null
+++ b/bsp/non_plat/mtk_pkm_service.te
@@ -0,0 +1,44 @@
+# ==============================================
+# Policy File of /vendor/bin/mtk_pkm_service Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mtk_pkm_service_exec ,exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(mtk_pkm_service)
+
+# Date : W1920
+# Operation : Diagnostic framework Q migration
+# Purpose : allow mtk_pkm_service to send KPI through APM service
+hal_client_domain(mtk_pkm_service, hal_mtk_apm)
+
+# Purpose : for mtk_pkm_service to connenct to md_monitor
+hal_client_domain(mtk_pkm_service, md_monitor_hal)
+
+# Purpose : for mtk_pkm_service to access /data/md_mon/
+allow mtk_pkm_service md_monitor_vendor_file:dir r_dir_perms;
+allow mtk_pkm_service md_monitor_vendor_file:file r_file_perms;
+
+# Purpose : Allow mtk_pkm_service to get properties
+# For PKM to know PDN status
+# ro.vendor.md_auto_setup_ims
+get_prop(mtk_pkm_service, vendor_mtk_ims_prop)
+# vendor.ims.eims.pdn.info
+get_prop(mtk_pkm_service, vendor_mtk_ims_eims_pdn_prop)
+# vendor.ril.data.pdn_info*
+get_prop(mtk_pkm_service, vendor_mtk_radio_prop)
+
+# Purpose : Allow mtk_pkm_service to pull packet from netd
+allow mtk_pkm_service self:capability net_raw;
+allow mtk_pkm_service self:packet_socket { create_socket_perms };
+allow mtk_pkm_service self:udp_socket { create_socket_perms };
+allowxperm mtk_pkm_service self:packet_socket ioctl {SIOCGIFINDEX SIOCGSTAMP };
+allowxperm mtk_pkm_service self:udp_socket ioctl {SIOCGIFINDEX SIOCGSTAMP };
+
+# Add policy read property for init.svc.md_monitor
+get_prop(mtk_pkm_service, system_mtk_init_svc_md_monitor_prop)
+
+# Allow PKM service to read vendor.dmc.apm.active
+get_prop(mtk_pkm_service, vendor_mtk_dmc_prop)
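Review bot: `allow mtk_pkm_service self:packet_socket { create_socket_perms };` together with `allow mtk_pkm_service self:capability net_raw;` turns mtk_pkm_service into a raw packet-capture point on whatever interface it binds, and nothing in the hunk restricts that to debug builds even though the surrounding comments describe a KPI/diagnostic feature. If capture is only needed for diagnostics, gate the four socket/capability lines with the `userdebug_or_eng(...)` macro as `osi.te` in this patch does; if it ships enabled, document the BPF filter and the interfaces in the Purpose comment so the grant is reviewable. The braces around a single macro are unnecessary; `allow mtk_pkm_service self:packet_socket create_socket_perms;` is the conventional form.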
diff --git a/bsp/non_plat/mtkfusionrild.te b/bsp/non_plat/mtkfusionrild.te
new file mode 100644
index 0000000..aa51bbf
--- /dev/null
+++ b/bsp/non_plat/mtkfusionrild.te
@@ -0,0 +1,88 @@
+# ==============================================
+# Policy File of /system/bin/mtkfusionrild Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute rild mtkimsapdomain;
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow rild to get/set vendor_mtk_vsim_prop
+set_prop(rild, vendor_mtk_vsim_prop)
+
+# Date : 2018/05/28
+# Operation: Ims config TelephonyWare dev
+allow rild mtk_radio_data_file:dir { read remove_name write search add_name open };
+allow rild mtk_radio_data_file:file { read write create open getattr lock unlink };
+
+# Date : WK18.22
+# Operation: Ims config TelephonyWare dev
+# Purpose: Allow rild to set ims feature
+set_prop(rild, vendor_mtk_volte_prop)
+set_prop(rild, vendor_mtk_wfc_prop)
+set_prop(rild, vendor_mtk_vilte_prop)
+set_prop(rild, vendor_mtk_viwifi_prop)
+
+# Date : WK18.25
+# Operation: P migration
+# Purpose: Allow rild to get/set vendor_mtk_ims_prop
+set_prop(rild, vendor_mtk_ims_prop)
+
+# Date : WK18.26
+# Operation: P migration
+# Purpose: Allow rild to set ims support property
+set_prop(rild, vendor_mtk_volte_support_prop)
+set_prop(rild, vendor_mtk_wfc_support_prop)
+set_prop(rild, vendor_mtk_vilte_support_prop)
+set_prop(rild, vendor_mtk_viwifi_support_prop)
+set_prop(rild, vendor_mtk_rcs_ua_support_prop)
+
+# Date : WK18.29
+# Operation: Ims config TelephonyWare dev
+# Purpose: Allow mtkrild to get/set vendor_mtk_provision_prop
+set_prop(rild, vendor_mtk_provision_prop)
+
+# Date : 2019/01/29
+# Operation: IMS/EIMS pdn info
+# Purpose: Allow mtkrild to get/set vendor_mtk_ims_eims_pdn_prop
+set_prop(rild, vendor_mtk_ims_eims_pdn_prop)
+
+# Date : 2019/06/27
+# Operation : rild need to read vendor_mtk_cta_support_prop property
+# Purpose : allow to get mtk_cta_support property
+get_prop(rild, vendor_mtk_cta_support_prop)
+
+# Date : WK19.29
+# Operation: IMS Config NR dev
+# Purpose: Allow rild to set IMS NR feature
+set_prop(rild, vendor_mtk_vonr_prop)
+set_prop(rild, vendor_mtk_vinr_prop)
+
+# Date : 2019/07/17
+# Operation: Game SDK
+# Purpose: Allow rild to write phantom packet
+allow rild nlop_device:chr_file rw_file_perms;
+
+# Date : 2020/02/17
+# Purpose: Allow rild to access netlink_xfrm_socket
+allow rild self:netlink_xfrm_socket {create setopt bind getattr write read nlmsg_read nlmsg_write};
+
+# Date : 2020/05/19
+# Purpose: Allow mtkrild to get/set vendor_mtk_hvolte_indicator
+set_prop(rild, vendor_mtk_hvolte_indicator)
+
+# Date : 2020/06/08
+# Purpose: Allow rild have 'wake_alarm' capability
+allow rild self:capability2 wake_alarm;
+
+# Date : 2020/10/30
+# Operation: IMS Config NR force value
+# Purpose: Allow rild to force set IMS NR feature
+set_prop(rild, vendor_mtk_vonr_force_prop)
+
+# Date : 2021/09/17
+# Operation: vonr setting
+# Purpose: Allow rild to set vonr support property
+set_prop(rild, vendor_mtk_vonr_support_prop)
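Review bot: `allow rild self:netlink_xfrm_socket {create setopt bind getattr write read nlmsg_read nlmsg_write};` lets the RIL add and delete IPsec SAs and policies in the kernel, which is normally the job of the IPsec/ePDG component rather than the radio daemon, and the Purpose line only says "access". If rild merely queries SA state, drop `nlmsg_write`; if it must write, name the xfrm operation and the reason in the comment. The file header still reads `/system/bin/mtkfusionrild` although this policy lives under non_plat (vendor); fix the path or drop that line.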
diff --git a/bsp/non_plat/mtkimsmddomain.te b/bsp/non_plat/mtkimsmddomain.te
new file mode 100644
index 0000000..a3ec961
--- /dev/null
+++ b/bsp/non_plat/mtkimsmddomain.te
@@ -0,0 +1,76 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# IMCB
+allow mtkimsmddomain ccci_device:chr_file { read write open };
+allow mtkimsmddomain fwmarkd_socket:sock_file write;
+allow mtkimsmddomain sysfs_ccci:dir search;
+allow mtkimsmddomain sysfs_ccci:file r_file_perms;
+allow mtkimsmddomain self:capability2 wake_alarm;
+set_prop(mtkimsmddomain, vendor_mtk_ril_mux_report_case_prop)
+allow mtkimsmddomain self:capability { setuid setgid chown net_raw } ;
+
+# Date : 2017/02/17
+# Purpose : ptty
+allow mtkimsmddomain devpts:chr_file { rw_file_perms setattr };
+
+# UA
+allow mtkimsmddomain volte_vt_socket:sock_file write;
+
+# IMSM
+allow mtkimsmddomain rild_imsm_socket:sock_file write;
+allow mtkimsmddomain mtkrild:unix_stream_socket connectto;
+allow mtkimsmddomain rild_mal_socket:sock_file write;
+allow mtkimsmddomain rild_mal_at_socket:sock_file write;
+allow mtkimsmddomain rild_mal_md2_socket:sock_file write;
+allow mtkimsmddomain rild_mal_at_md2_socket:sock_file write;
+unix_socket_send(mtkimsmddomain, wpa, wpa)
+allow mtkimsmddomain wpa:unix_dgram_socket sendto;
+
+# ePDG
+allow mtkimsmddomain dnsproxyd_socket:sock_file write;
+allow mtkimsmddomain ccci_device:chr_file { read write ioctl open };
+allow mtkimsmddomain devpts:chr_file { read write open };
+
+# MAL
+allow mtkimsmddomain tmpfs:lnk_file read;
+
+# VzW APN table
+allow mtkimsmddomain mal_data_file:dir create_dir_perms;
+allow mtkimsmddomain mal_data_file:file create_file_perms;
+
+# ATCP
+allow mtkimsmddomain devpts:chr_file { open read write ioctl };
+allow mtkimsmddomain devpts:chr_file { getattr setattr };
+
+# Netlink
+allow mtkimsmddomain self:netlink_route_socket { bind create write nlmsg_read };
+
+# RILD connection
+allow mtkimsmddomain mtkrild:unix_stream_socket connectto;
+allow mtkimsmddomain rild_mal_socket:sock_file write;
+allow mtkimsmddomain rild_mal_at_socket:sock_file write;
+allow mtkimsmddomain rild_mal_md2_socket:sock_file write;
+allow mtkimsmddomain rild_mal_at_md2_socket:sock_file write;
+
+# for RAN access wpa
+unix_socket_send(mtkimsmddomain, wpa, wpa)
+allow mtkimsmddomain wpa:unix_dgram_socket sendto;
+
+# RILPROXY
+allow mtkimsmddomain rild:unix_stream_socket connectto;
+
+set_prop(mtkimsmddomain, vendor_mtk_operator_id_prop)
+
+# Set permission for MAL
+vndbinder_use(mtkimsmddomain)
+
+# ViLTE
+allow mtkimsmddomain vtservice_hidl:unix_stream_socket connectto;
+
+# MD-AP
+set_prop(mtkimsmddomain, vendor_mtk_radio_prop)
+set_prop(mtkimsmddomain, vendor_mtk_ril_mux_report_case_prop)
+set_prop(mtkimsmddomain, vendor_mtk_md_version_prop)
+set_prop(mtkimsmddomain, vendor_mtk_network_prop)
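Review bot: `allow mtkimsmddomain self:capability { setuid setgid chown net_raw } ;` hands uid/gid switching and file-ownership changes to every domain carrying this attribute, which the rest of the hunk (IMCB, UA, IMSM, ePDG, MAL, ATCP sections) shows to be several IMS/MD daemons; if only one of them drops privileges at startup, the capability belongs in that domain's own .te file with a comment. The hunk also repeats itself: the `ccci_device:chr_file` rule, three `devpts:chr_file` rules, the `rild_mal_*_socket:sock_file write` and `mtkrild:unix_stream_socket connectto` rules, the `wpa` sendto pair, and `set_prop(mtkimsmddomain, vendor_mtk_ril_mux_report_case_prop)` each appear twice; keep one copy of each so a later reviewer can see the true grant set.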
diff --git a/bsp/non_plat/mtkrild.te b/bsp/non_plat/mtkrild.te
new file mode 100644
index 0000000..efe6e87
--- /dev/null
+++ b/bsp/non_plat/mtkrild.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Policy File of /system/bin/mtkrild Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute mtkrild mtkimsapdomain;
+set_prop(mtkrild, vendor_mtk_logmuch_prop)
+
+# For sim property
+set_prop(mtkrild, vendor_mtk_cdma_prop)
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow mtkrild to get/set vendor_mtk_vsim_prop
+set_prop(mtkrild, vendor_mtk_vsim_prop)
+
+# Date : WK18.25
+# Operation: P migration
+# Purpose: Allow mtkrild to get/set vendor_mtk_ims_prop
+set_prop(mtkrild, vendor_mtk_ims_prop)
diff --git a/bsp/non_plat/netd.te b/bsp/non_plat/netd.te
new file mode 100644
index 0000000..e3c5516
--- /dev/null
+++ b/bsp/non_plat/netd.te
@@ -0,0 +1,17 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : W17.31
+# Operation : O migration
+# Purpose : Allow ViLTE use udp_socket
+allow netd vtservice:fd use;
+allow netd vtservice:udp_socket { read write setopt getopt };
+
+allow netd wo_ipsec:fd use;
+allow netd wo_ipsec:tcp_socket { read write setopt getopt };
+allow netd wo_ipsec:udp_socket { read write setopt getopt };
+allow netd wo_epdg_client:fd use;
+allow netd wo_epdg_client:tcp_socket { read write setopt getopt };
+allow netd wo_epdg_client:udp_socket {read write setopt getopt};
+
diff --git a/bsp/non_plat/netdagent.te b/bsp/non_plat/netdagent.te
new file mode 100644
index 0000000..23f2c1b
--- /dev/null
+++ b/bsp/non_plat/netdagent.te
@@ -0,0 +1,23 @@
+# ==============================================
+# Policy File of /vendor/bin/netdagent Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type netdagent_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(netdagent)
+domain_auto_trans(netdagent, netutils_wrapper_exec, netutils_wrapper)
+
+allow netdagent devpts:chr_file rw_file_perms;
+allow netdagent usermodehelper:file r_file_perms;
+
+allow netdagent self:netlink_route_socket { connect create setopt bind getattr nlmsg_read nlmsg_write read write };
+
+set_prop(netdagent, vendor_mtk_netdagent_prop)
+allow netdagent proc_net:file rw_file_perms;
+allow netdagent kernel:system module_request;
+
+hal_server_domain(netdagent, mtk_hal_netdagent)
+
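Review bot: `allow netdagent proc_net:file rw_file_perms;` grants write to every file labelled `proc_net`, which on this policy base covers the /proc/sys/net sysctls as well as the /proc/net status files, and `allow netdagent kernel:system module_request;` lets the daemon trigger kernel module autoload by arbitrary name. Both are broad for a vendor daemon reachable over HIDL (`hal_server_domain(netdagent, mtk_hal_netdagent)`); list the sysctls it writes in a comment, use finer proc_net subtypes if the policy base has them, and name the module(s) that `module_request` is for. The `netlink_route_socket` rule could likewise be trimmed to `nlmsg_read` if the daemon only queries routes, but that cannot be confirmed from this hunk.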
diff --git a/bsp/non_plat/netutils_wrapper.te b/bsp/non_plat/netutils_wrapper.te
new file mode 100644
index 0000000..8c6094c
--- /dev/null
+++ b/bsp/non_plat/netutils_wrapper.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow netutils_wrapper ipsec_mon:fd use;
+allow netutils_wrapper ipsec_mon:netlink_route_socket { read write };
+allow netutils_wrapper ipsec_mon:netlink_xfrm_socket { read write };
+allow netutils_wrapper devpts:chr_file { getattr ioctl read write };
+
+allow netutils_wrapper netdagent:fd use;
+allow netutils_wrapper netdagent:unix_stream_socket { read write };
+
+allow netutils_wrapper rild:fd use;
+allow netutils_wrapper rild:unix_stream_socket { read write };
+allow netutils_wrapper rild:fifo_file rw_file_perms;
+
+allow netutils_wrapper wo_epdg_client:unix_stream_socket { read write };
+allow netutils_wrapper wo_epdg_client:fd use;
diff --git a/bsp/non_plat/nfc.te b/bsp/non_plat/nfc.te
new file mode 100644
index 0000000..4c3618b
--- /dev/null
+++ b/bsp/non_plat/nfc.te
@@ -0,0 +1,70 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2014/10/15
+# Operation : Refine
+# Purpose : Set NFC permission to access nfc_socket_file.
+allow nfc nfc_socket_file:dir w_dir_perms;
+
+# Date : 2014/10/15
+# Operation : Refine
+# Purpose : Set NFC permission to access custom file.
+allow nfc custom_file:dir getattr;
+
+# Date : 2014/10/15
+# Operation : Refine
+# Purpose : Set NFC permission to access nfc data file.
+allow nfc nfc_data_file:dir { write remove_name add_name search create setattr };
+allow nfc nfc_data_file:file { read getattr open rename write ioctl setattr create unlink };
+
+# Date : 2014/10/15
+# Operation : Refine
+# Purpose : Set NFC permission to access SD card for debug purpose.
+allow nfc sdcard_type:dir { write remove_name search create add_name };
+allow nfc sdcard_type:file { read write getattr open rename create };
+allow nfc vfat:dir { write add_name search };
+allow nfc vfat:file { read write getattr open create };
+
+# Date : 2014/10/15
+# Operation : Refine
+# Purpose : Set NFC permission for WFD
+allow nfc surfaceflinger:dir search;
+
+# Date : 2014/10/15
+# Operation : Refine
+# Purpose : For Mdlogger
+allow nfc node:tcp_socket node_bind;
+allow nfc port:tcp_socket name_bind;
+allow nfc self:tcp_socket { setopt read bind create accept write getattr connect getopt listen };
+
+# Date : 2014/10/15
+# Operation : Refine
+# Purpose : For NFC-JNI
+allow nfc zygote:unix_stream_socket { getopt getattr };
+
+# Date : WK1546
+# Operation : Migration
+# Purpose: Allow nfc to read binder from surfaceflinger
+allow nfc surfaceflinger:fifo_file {read write};
+
+# Date : 2016/06/30
+# Operation : SQC
+# Purpose : Allow NFC to plays sound which uses DrmServer
+allow nfc drmserver_service:service_manager find;
+
+# Date : 2016/07/04
+# Operation : SQC
+# Purpose : Allow NFC to access media data file
+allow nfc media_rw_data_file:dir { create read open write remove_name search add_name };
+allow nfc media_rw_data_file:file { read write create unlink open rename };
+
+# Date : 2016/11/10
+# Operation : SQC
+# Purpose : Allow NFC to use FileManager share file
+allow nfc sw_sync_device:chr_file getattr;
+
+# Date : 2017/07/26
+# Operation : Refine
+# Purpose : Set NFC permission to access st21nfc_device ( nfc device node ) .
+allow nfc st21nfc_device:chr_file { read write getattr open ioctl };
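Review bot: The "For Mdlogger" block gives the NFC app domain a listening TCP server on any port, `allow nfc port:tcp_socket name_bind;` plus `listen`/`accept` on `self:tcp_socket`, and the two SD-card blocks grant write to `sdcard_type` and `vfat` "for debug purpose", yet none of it is gated, so it is active wherever this non_plat file is built. Wrap the Mdlogger and SD-card rules in the `userdebug_or_eng(...)` macro as `osi.te` in this patch does, or remove them if the 2014 debug path no longer exists. `allow nfc surfaceflinger:fifo_file {read write};` is also unusual for an app domain and should name the pipe being shared.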
diff --git a/bsp/non_plat/nfcstackp_vendor.te b/bsp/non_plat/nfcstackp_vendor.te
new file mode 100644
index 0000000..92a6541
--- /dev/null
+++ b/bsp/non_plat/nfcstackp_vendor.te
@@ -0,0 +1,20 @@
+# ==============================================
+# Policy File of /vendor/bin/nfcstackp_vendor Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type nfcstackp_vendor_exec, exec_type, file_type, vendor_file_type;
+
+# Date : WK2019
+# Purpose : Start nfcstackp_vendor to serve EM
+init_daemon_domain(nfcstackp_vendor)
+
+# Date : WK2019
+# Purpose : Add availablities to access nfc socket
+allow nfcstackp_vendor vendor_nfc_socket_file:dir w_dir_perms;
+
+# Date : WK2019
+# Purpose : Add availablities to access nfc device
+allow nfcstackp_vendor st21nfc_device:chr_file rw_file_perms;
+
diff --git a/bsp/non_plat/osi.te b/bsp/non_plat/osi.te
new file mode 100644
index 0000000..98a645e
--- /dev/null
+++ b/bsp/non_plat/osi.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+userdebug_or_eng(`
+allow osi sysfs_therm:dir search;
+allow osi sysfs_therm:file r_file_perms;
+')
diff --git a/bsp/non_plat/platform_app.te b/bsp/non_plat/platform_app.te
new file mode 100644
index 0000000..8fc1bc8
--- /dev/null
+++ b/bsp/non_plat/platform_app.te
@@ -0,0 +1,121 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2014/11/14
+# Operation: SQC
+# Purpose: [ALPS01824827][SystemUI] [RenderThread][open device file failed]
+# Package: com.android.systemui
+allow platform_app proc_secmem:file r_file_perms;
+
+# Date : 2014/12/30
+# Operation : TUI Migration
+# Purpose : TUI service need to access tui device driver
+# Package: com.trustonic.tuiservice.TuiService
+allow platform_app mobicore_tui_device:chr_file r_file_perms;
+allow platform_app mobicore_user_device:chr_file rw_file_perms;
+
+allow platform_app mobicore_data_file:file r_file_perms;
+allow platform_app mobicore_data_file:dir search;
+allow platform_app self:netlink_kobject_uevent_socket {create bind read setopt};
+
+# Date : 2015/09/12
+# Operation : SQC
+# Purpose : allow settings get file of ntfs device
+# Package: com.android.settings
+allow platform_app fuseblk:dir create_dir_perms;
+
+# Date : 2015/10/15
+# Operation : jg_jinchuanqin
+# Purpose :[ALPS02350168]allow Settings get file of ntfs device
+# Package: com.android.settings
+allow platform_app fuseblk:file create_file_perms;
+
+# Date: 2017/08/24
+# Stage: Migration
+# Purpose: Allow to use lomo effect
+# Package: com.mediatek.camera
+allow platform_app mtk_hal_camera:binder call;
+
+# Date : 2017/10/02
+# Stage: O Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(platform_app, hal_mtk_pq)
+
+# Date : 2017/10/02
+# Stage: O Migration, SQC
+# Purpose: Allow to use shared memory for HAL PQ
+hal_client_domain(platform_app, hal_allocator)
+
+# Date: 2018/05/08
+# Operation: Migration
+# Purpose : Allow System UI to find ppl agent
+# Package: com.android.systemui.keyguard
+allow platform_app mtk_hal_pplagent_hwservice:hwservice_manager find;
+allow platform_app ppl_agent:binder call;
+
+allow platform_app debugfs_ion:dir search;
+
+# Date: 2018/06/19
+# Operation: Migration
+# Purpose : Allow Dialer to get vendor_mtk_vendor_vt_prop
+# Package: com.android.dialer
+get_prop(platform_app, vendor_mtk_vendor_vt_prop)
+
+# Date: 2019/04/27
+# Operation: Migration
+# Purpose : Allow Entitlement to get vendor_mtk_cxp_vendor_prop
+# Package: com.mediatek.entitlement
+get_prop(platform_app, vendor_mtk_cxp_vendor_prop)
+
+# Date: 2018/07/14
+# Operation: Migration
+# Purpose : Allow Dialer to get vendor_mtk_ims_prop
+# Package: com.android.dialer
+get_prop(platform_app, vendor_mtk_ims_prop)
+
+# Date: 2018/04/18
+# Purpose: Allow platform app to use HIDL and access mtk_hal_neuralnetworks
+allow platform_app mtk_hal_neuralnetworks:binder { call transfer };
+
+# Date: 2018/09/17
+# Purpose: Allow platform app to get vendor_mtk_cam_security_prop
+get_prop(platform_app, vendor_mtk_cam_security_prop)
+
+# Date: 2018/09/29
+# Purpose: Allow platform app to use BGService HIDL and access mtk_hal_camera
+binder_call(platform_app, mtk_hal_camera)
+binder_call(mtk_hal_camera, platform_app)
+
+# Date: 2018/11/13
+# Purpose: Allow platform app to use HIDL and access to mtk_hal_dplanner
+userdebug_or_eng(`
+ allow platform_app mtk_hal_dplanner:binder call;
+ allow platform_app mtk_hal_dplanner_hwservice:hwservice_manager find;
+')
+
+# Date : 2019/05/16
+# Operation : IT
+# Purpose : Add for HIDL service
+hal_client_domain(platform_app, md_monitor_hal)
+
+# Date : 2019/06/27
+# Operation : platform app need to read vendor_mtk_cta_support_prop property
+# Purpose : allow to get mtk_cta_support property
+get_prop(platform_app, vendor_mtk_cta_support_prop)
+
+# Date: 2018/12/19
+# Purpose: Allow platform app to access mdlactl_device and vpu_device
+allow platform_app mdla_device:chr_file { rw_file_perms };
+allow platform_app vpu_device:chr_file { rw_file_perms };
+
+# Date: 2018/10/25
+# Operation: Clientapi Develope
+# Package: com.android.contacts
+allow platform_app volte_clientapi_ua_hwservice:hwservice_manager find ;
+allow platform_app volte_clientapi_ua:binder { call transfer };
+
+# Date: 2020/06/29
+# Operation : eMBMS Migration
+# Purpose :allow EXPWAY middleware to access the socket
+allow platform_app radio:unix_stream_socket connectto;
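Review bot: Every rule in this file applies to the whole `platform_app` domain, i.e. every platform-signed app, not only the package named in each `# Package:` comment, so `allow platform_app mobicore_user_device:chr_file rw_file_perms;` (the TEE client node), the `mdla_device`/`vpu_device` rw rules, `fuseblk` create perms and `allow platform_app radio:unix_stream_socket connectto;` all become reachable from any platform-signed app. For the TUI service, the AI accelerator users and the eMBMS middleware, a dedicated domain assigned through `seapp_contexts` (seinfo plus package name) is the usual way to keep package-specific grants out of the shared domain. Until that is done, the header comment should state that the `# Package:` lines record intent only and are not enforced by policy.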
diff --git a/bsp/non_plat/ppl_agent.te b/bsp/non_plat/ppl_agent.te
new file mode 100644
index 0000000..8de8f34
--- /dev/null
+++ b/bsp/non_plat/ppl_agent.te
@@ -0,0 +1,64 @@
+# ==============================================
+# Policy File of /vendor/bin/ppl_agent Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type ppl_agent_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(ppl_agent)
+
+# Date : 2014/10/16
+# Operation : QC
+# Purpose : [Privacy protection lock][ppl_agent call FileOp_BackupToBinRegionForDM to do nvram backup]
+# Package name : com.mediatek.ppl
+allow ppl_agent nvram_device:blk_file rw_file_perms;
+
+# Data : 2014/10/24
+# Operation : Migration
+# Purpose : [Privacy protection lock][ppl_agent need access nvram data file for backup restore function]
+# Package name : com.mediatek.ppl
+allow ppl_agent nvram_data_file:dir create_dir_perms;
+allow ppl_agent nvram_data_file:file create_file_perms;
+allow ppl_agent nvram_data_file:lnk_file read;
+allow ppl_agent nvdata_file:lnk_file read;
+allow ppl_agent nvdata_file:dir create_dir_perms;
+allow ppl_agent nvdata_file:file create_file_perms;
+
+# Data : 2014/10/31
+# Operation : QC
+# Purpose : [Privacy protection lock][ppl_agent need access nvram data file for backup restore function on MT6582]
+# Package name : ServiceManager
+allow ppl_agent nvram_device:chr_file rw_file_perms;
+
+# Data : 2015/10/09
+# Operation : IT
+# Purpose : [Privacy protection lock][ppl_agent need access ppl data file for backup restore function on MT6577]
+# Package name : ppl_agent
+allow ppl_agent ppl_block_device:blk_file rw_file_perms;
+
+# Data : 2015/10/16
+# Operation : QC
+# Purpose : [Privacy protection lock][ppl_agent need access nvcfg ext4 partiton ppl on MT6797]
+# Package name : com.mediatek.ppl
+allow ppl_agent nvcfg_file:dir create_dir_perms;
+allow ppl_agent nvcfg_file:file create_file_perms;
+
+# Data : 2018/05/23
+# Operation : QC
+# Purpose : [Privacy protection lock]
+allow ppl_agent mnt_vendor_file:dir search;
+
+# Data : 2018/06/12
+# Operation : QC
+# Purpose : [Privacy protection lock]
+allow ppl_agent proc_cmdline:file r_file_perms;
+allow ppl_agent sysfs_dt_firmware_android:dir search;
+
+# Data: 2018/08/02
+# Operation: iT
+# Purpose : [Privacy protection lock]
+allow ppl_agent block_device:dir search;
+
+hal_server_domain(ppl_agent, mtk_hal_pplagent)
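Review bot: ppl_agent receives raw block-device write, `allow ppl_agent nvram_device:blk_file rw_file_perms;` and `allow ppl_agent ppl_block_device:blk_file rw_file_perms;`, and the same patch lets `platform_app` find `mtk_hal_pplagent_hwservice` and binder-call it, so every platform-signed app can drive a daemon that rewrites NVRAM and the PPL partition. Policy cannot narrow that further, so the daemon must enforce its own caller check on the HIDL methods (e.g. verify the calling uid); add `# NOTE: reachable from platform_app over HIDL; caller authorisation is enforced in ppl_agent itself` so the assumption is recorded. The `nvram_device:chr_file` rule for MT6582 and the `blk_file` rule look like per-chip alternatives; if only one applies to this board, drop the other.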
diff --git a/bsp/non_plat/priv_app.te b/bsp/non_plat/priv_app.te
new file mode 100644
index 0000000..8ab7039
--- /dev/null
+++ b/bsp/non_plat/priv_app.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2019/06/17
+# Operation: Migration
+# Purpose: allow priv_app to search debugfs_ion dir
+allow priv_app debugfs_ion:dir search;
diff --git a/bsp/non_plat/property.te b/bsp/non_plat/property.te
new file mode 100644
index 0000000..fd4bfc1
--- /dev/null
+++ b/bsp/non_plat/property.te
@@ -0,0 +1,216 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# system_internal_prop -- Properties used only in /system
+# system_restricted_prop -- Properties which can't be written outside system
+# system_public_prop -- Properties with no restrictions
+# system_vendor_config_prop -- Properties which can be written only by vendor_init
+# vendor_internal_prop -- Properties used only in /vendor
+# vendor_restricted_prop -- Properties which can't be written outside vendor
+# vendor_public_prop -- Properties with no restrictions
+
+# Properties used only in /vendor
+vendor_internal_prop(vendor_mtk_ctl_ccci_rpcd_prop)
+vendor_internal_prop(vendor_mtk_ctl_ccci2_rpcd_prop)
+vendor_internal_prop(vendor_mtk_rpmb_ready_prop)
+
+# Properties which can't be written outside vendor
+vendor_restricted_prop(vendor_mtk_active_noise_cancel_prop)
+vendor_restricted_prop(vendor_mtk_atci_sys_prop)
+vendor_restricted_prop(vendor_mtk_besloudness_support_prop)
+vendor_restricted_prop(vendor_mtk_bg_power_saving_support_prop)
+vendor_restricted_prop(vendor_mtk_bg_power_saving_ui_prop)
+vendor_restricted_prop(vendor_mtk_camera_prop)
+vendor_restricted_prop(vendor_mtk_cam_security_prop)
+vendor_restricted_prop(vendor_mtk_cdma_prop)
+vendor_restricted_prop(vendor_mtk_cta_log_prop)
+vendor_restricted_prop(vendor_mtk_cta_support_prop)
+vendor_restricted_prop(vendor_mtk_boostfwk_log_prop)
+vendor_restricted_prop(vendor_mtk_boostfwk_scrollidentify_prop)
+vendor_restricted_prop(vendor_mtk_boostfwk_display60_prop)
+vendor_restricted_prop(vendor_mtk_boostfwk_frameidentify_prop)
+vendor_restricted_prop(vendor_mtk_boostfwk_prop)
+vendor_restricted_prop(vendor_mtk_datashaping_prop)
+vendor_restricted_prop(vendor_mtk_default_write_disk_prop)
+vendor_restricted_prop(vendor_mtk_dmc_prop)
+vendor_restricted_prop(vendor_mtk_drm_fwd_lock_only_prop)
+vendor_restricted_prop(vendor_mtk_duraspeed_prop)
+vendor_restricted_prop(vendor_mtk_dx_hdcp_support_prop)
+vendor_restricted_prop(vendor_mtk_dynims_prop)
+vendor_restricted_prop(vendor_mtk_emcamera_prop)
+vendor_restricted_prop(vendor_mtk_extsim_prop)
+vendor_restricted_prop(vendor_mtk_fd_support_prop)
+vendor_restricted_prop(vendor_mtk_gallery_prop)
+vendor_restricted_prop(vendor_mtk_hifiaudio_support_prop)
+vendor_restricted_prop(vendor_mtk_ims_eims_pdn_prop)
+vendor_restricted_prop(vendor_mtk_ims_prop)
+vendor_restricted_prop(vendor_mtk_jpeg_opt_prop)
+vendor_restricted_prop(vendor_mtk_libudf_prop)
+vendor_restricted_prop(vendor_mtk_logmuch_prop)
+vendor_restricted_prop(vendor_mtk_log_tel_dbg_prop)
+vendor_restricted_prop(vendor_mtk_mdm_prop)
+vendor_restricted_prop(vendor_mtk_mdworldmode_prop)
+vendor_restricted_prop(vendor_mtk_media_prop)
+vendor_restricted_prop(vendor_mtk_microtrust_tee_prop)
+vendor_restricted_prop(vendor_mtk_mims_prop)
+vendor_restricted_prop(vendor_mtk_miravision_support_prop)
+vendor_restricted_prop(vendor_mtk_mobile_management_prop)
+vendor_restricted_prop(vendor_mtk_moms_prop)
+vendor_restricted_prop(vendor_mtk_netdagent_prop)
+vendor_restricted_prop(vendor_mtk_network_prop)
+vendor_restricted_prop(vendor_mtk_nfc_addon_support_prop)
+vendor_restricted_prop(vendor_mtk_nfc_uicc_clf_prop)
+vendor_restricted_prop(vendor_mtk_nfc_nfcstackp_enable_prop)
+vendor_restricted_prop(vendor_mtk_nn_quant_preferred_prop)
+vendor_restricted_prop(vendor_mtk_num_md_protocol_prop)
+vendor_restricted_prop(vendor_mtk_nxp_nfc_gsma_support_prop)
+vendor_restricted_prop(vendor_mtk_omacp_support_prop)
+vendor_restricted_prop(vendor_mtk_oma_drm_support_prop)
+vendor_restricted_prop(vendor_mtk_operator_prop)
+vendor_restricted_prop(vendor_mtk_persist_epdg_prop)
+vendor_restricted_prop(vendor_mtk_pms_prop)
+vendor_restricted_prop(vendor_mtk_pppd_gprs_prop)
+vendor_restricted_prop(vendor_mtk_printk_prop)
+vendor_restricted_prop(vendor_mtk_provision_prop)
+vendor_restricted_prop(vendor_mtk_radio_seapi_off_prop)
+vendor_restricted_prop(vendor_mtk_rcs_ua_support_prop)
+vendor_restricted_prop(vendor_mtk_rsc_prop)
+vendor_restricted_prop(vendor_mtk_secure_venc_prop)
+vendor_restricted_prop(vendor_mtk_service_rcs_prop)
+vendor_restricted_prop(vendor_mtk_soter_teei_prop)
+vendor_restricted_prop(vendor_mtk_st_nfc_gsma_support_prop)
+vendor_restricted_prop(vendor_mtk_st_nfc_ignore_modem_prop)
+vendor_restricted_prop(vendor_mtk_telephony_addon_prop)
+vendor_restricted_prop(vendor_mtk_trustkernel_tee_prop)
+vendor_restricted_prop(vendor_mtk_trustonic_tee_prop)
+vendor_restricted_prop(vendor_mtk_vendor_vt_prop)
+vendor_restricted_prop(vendor_mtk_vilte_prop)
+vendor_restricted_prop(vendor_mtk_vilte_support_prop)
+vendor_restricted_prop(vendor_mtk_vinr_prop)
+vendor_restricted_prop(vendor_mtk_viwifi_prop)
+vendor_restricted_prop(vendor_mtk_viwifi_support_prop)
+vendor_restricted_prop(vendor_mtk_volte_support_prop)
+vendor_restricted_prop(vendor_mtk_vonr_support_prop)
+vendor_restricted_prop(vendor_mtk_vonr_prop)
+vendor_restricted_prop(vendor_mtk_vsim_prop)
+vendor_restricted_prop(vendor_mtk_vt_prop)
+vendor_restricted_prop(vendor_mtk_wapi_support_prop)
+vendor_restricted_prop(vendor_mtk_wappush_prop)
+vendor_restricted_prop(vendor_mtk_wfc_prop)
+vendor_restricted_prop(vendor_mtk_wfc_support_prop)
+vendor_restricted_prop(vendor_mtk_wfd_support_prop)
+vendor_restricted_prop(vendor_mtk_em_dy_debug_ctrl_prop)
+vendor_restricted_prop(vendor_mtk_hvolte_indicator)
+vendor_restricted_prop(vendor_mtk_md_c2k_cap_dep_check_prop)
+vendor_restricted_prop(vendor_mtk_gwsd_capability_prop)
+vendor_restricted_prop(vendor_mtk_netdagent_gameserver_prop)
+vendor_restricted_prop(vendor_mtk_apuware_debug_prop)
+vendor_restricted_prop(vendor_mtk_nwk_opt_prop)
+vendor_restricted_prop(vendor_mtk_wfd_enable_prop)
+vendor_restricted_prop(vendor_mtk_vonr_force_prop)
+vendor_restricted_prop(vendor_mtk_em_mtu_prop)
+vendor_restricted_prop(vendor_mtk_fast_charging_support_prop)
+vendor_restricted_prop(vendor_mtk_call_drop_prop)
+vendor_restricted_prop(vendor_mtk_mcf_prop)
+vendor_restricted_prop(vendor_mtk_subsidy_lock_support_prop)
+
+# Properties with no restriction
+vendor_public_prop(vendor_mtk_sec_video_path_support_prop)
+vendor_public_prop(vendor_mtk_svp_on_mtee_support_prop)
+
+# Properties with can be read by all domains
+typeattribute vendor_mtk_active_noise_cancel_prop mtk_core_property_type;
+typeattribute vendor_mtk_besloudness_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_bg_power_saving_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_bg_power_saving_ui_prop mtk_core_property_type;
+typeattribute vendor_mtk_camera_prop mtk_core_property_type;
+typeattribute vendor_mtk_cam_security_prop mtk_core_property_type;
+typeattribute vendor_mtk_cdma_prop mtk_core_property_type;
+typeattribute vendor_mtk_cta_log_prop mtk_core_property_type;
+typeattribute vendor_mtk_cta_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_boostfwk_log_prop mtk_core_property_type;
+typeattribute vendor_mtk_boostfwk_scrollidentify_prop mtk_core_property_type;
+typeattribute vendor_mtk_boostfwk_display60_prop mtk_core_property_type;
+typeattribute vendor_mtk_boostfwk_frameidentify_prop mtk_core_property_type;
+typeattribute vendor_mtk_boostfwk_prop mtk_core_property_type;
+typeattribute vendor_mtk_datashaping_prop mtk_core_property_type;
+typeattribute vendor_mtk_default_write_disk_prop mtk_core_property_type;
+typeattribute vendor_mtk_drm_fwd_lock_only_prop mtk_core_property_type;
+typeattribute vendor_mtk_duraspeed_prop mtk_core_property_type;
+typeattribute vendor_mtk_dx_hdcp_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_dynims_prop mtk_core_property_type;
+typeattribute vendor_mtk_emcamera_prop mtk_core_property_type;
+typeattribute vendor_mtk_extsim_prop mtk_core_property_type;
+typeattribute vendor_mtk_fd_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_gallery_prop mtk_core_property_type;
+typeattribute vendor_mtk_hifiaudio_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_ims_eims_pdn_prop mtk_core_property_type;
+typeattribute vendor_mtk_ims_prop mtk_core_property_type;
+typeattribute vendor_mtk_jpeg_opt_prop mtk_core_property_type;
+typeattribute vendor_mtk_libudf_prop mtk_core_property_type;
+typeattribute vendor_mtk_logmuch_prop mtk_core_property_type;
+typeattribute vendor_mtk_log_tel_dbg_prop mtk_core_property_type;
+typeattribute vendor_mtk_mdm_prop mtk_core_property_type;
+typeattribute vendor_mtk_mdworldmode_prop mtk_core_property_type;
+typeattribute vendor_mtk_media_prop mtk_core_property_type;
+typeattribute vendor_mtk_microtrust_tee_prop mtk_core_property_type;
+typeattribute vendor_mtk_mims_prop mtk_core_property_type;
+typeattribute vendor_mtk_miravision_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_mobile_management_prop mtk_core_property_type;
+typeattribute vendor_mtk_moms_prop mtk_core_property_type;
+typeattribute vendor_mtk_netdagent_prop mtk_core_property_type;
+typeattribute vendor_mtk_network_prop mtk_core_property_type;
+typeattribute vendor_mtk_nfc_addon_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_nfc_uicc_clf_prop mtk_core_property_type;
+typeattribute vendor_mtk_nn_quant_preferred_prop mtk_core_property_type;
+typeattribute vendor_mtk_num_md_protocol_prop mtk_core_property_type;
+typeattribute vendor_mtk_nxp_nfc_gsma_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_omacp_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_oma_drm_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_operator_prop mtk_core_property_type;
+typeattribute vendor_mtk_persist_epdg_prop mtk_core_property_type;
+typeattribute vendor_mtk_pms_prop mtk_core_property_type;
+typeattribute vendor_mtk_pppd_gprs_prop mtk_core_property_type;
+typeattribute vendor_mtk_printk_prop mtk_core_property_type;
+typeattribute vendor_mtk_provision_prop mtk_core_property_type;
+typeattribute vendor_mtk_radio_seapi_off_prop mtk_core_property_type;
+typeattribute vendor_mtk_rcs_ua_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_rsc_prop mtk_core_property_type;
+typeattribute vendor_mtk_secure_venc_prop mtk_core_property_type;
+typeattribute vendor_mtk_service_rcs_prop mtk_core_property_type;
+typeattribute vendor_mtk_soter_teei_prop mtk_core_property_type;
+typeattribute vendor_mtk_st_nfc_gsma_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_st_nfc_ignore_modem_prop mtk_core_property_type;
+typeattribute vendor_mtk_telephony_addon_prop mtk_core_property_type;
+typeattribute vendor_mtk_trustkernel_tee_prop mtk_core_property_type;
+typeattribute vendor_mtk_trustonic_tee_prop mtk_core_property_type;
+typeattribute vendor_mtk_vendor_vt_prop mtk_core_property_type;
+typeattribute vendor_mtk_vilte_prop mtk_core_property_type;
+typeattribute vendor_mtk_vilte_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_vinr_prop mtk_core_property_type;
+typeattribute vendor_mtk_viwifi_prop mtk_core_property_type;
+typeattribute vendor_mtk_viwifi_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_volte_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_vonr_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_vonr_prop mtk_core_property_type;
+typeattribute vendor_mtk_vsim_prop mtk_core_property_type;
+typeattribute vendor_mtk_vt_prop mtk_core_property_type;
+typeattribute vendor_mtk_wapi_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_wappush_prop mtk_core_property_type;
+typeattribute vendor_mtk_wfc_prop mtk_core_property_type;
+typeattribute vendor_mtk_wfc_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_wfd_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_em_dy_debug_ctrl_prop mtk_core_property_type;
+typeattribute vendor_mtk_hvolte_indicator mtk_core_property_type;
+typeattribute vendor_mtk_md_c2k_cap_dep_check_prop mtk_core_property_type;
+typeattribute vendor_mtk_gwsd_capability_prop mtk_core_property_type;
+typeattribute vendor_mtk_netdagent_gameserver_prop mtk_core_property_type;
+typeattribute vendor_mtk_apuware_debug_prop mtk_core_property_type;
+typeattribute vendor_mtk_nwk_opt_prop mtk_core_property_type;
+typeattribute vendor_mtk_wfd_enable_prop mtk_core_property_type;
+typeattribute vendor_mtk_vonr_force_prop mtk_core_property_type;
+typeattribute vendor_mtk_em_mtu_prop mtk_core_property_type;
+typeattribute vendor_mtk_fast_charging_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_sec_video_path_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_subsidy_lock_support_prop mtk_core_property_type;
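Review bot: `vendor_mtk_hvolte_indicator` (L21966 and L22067, plus its property_contexts entry) is the only type in this file without the `_prop` suffix every other property type carries; renaming it `vendor_mtk_hvolte_indicator_prop` in all three places would keep the convention uniform. The section header at L21984 reads `# Properties with can be read by all domains`; `# Properties which can be read by all domains` matches the phrasing of the other headers. Six types declared above are not given `mtk_core_property_type` — `vendor_mtk_atci_sys_prop`, `vendor_mtk_dmc_prop`, `vendor_mtk_nfc_nfcstackp_enable_prop`, `vendor_mtk_call_drop_prop`, `vendor_mtk_mcf_prop` and `vendor_mtk_svp_on_mtee_support_prop`; if that is deliberate (radio.te grants `get_prop` on some of them individually, which suggests it is), a one-line comment saying so would stop someone "fixing" it later. The attribute itself is declared outside this file, so I cannot confirm what it grants; the header comment should state it.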
diff --git a/bsp/non_plat/property_contexts b/bsp/non_plat/property_contexts
new file mode 100644
index 0000000..2c3e57c
--- /dev/null
+++ b/bsp/non_plat/property_contexts
@@ -0,0 +1,348 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+ctl.vendor.ccci_rpcd u:object_r:vendor_mtk_ctl_ccci_rpcd_prop:s0
+ctl.vendor.ccci2_rpcd u:object_r:vendor_mtk_ctl_ccci2_rpcd_prop:s0
+
+vendor.soter.teei. u:object_r:vendor_mtk_soter_teei_prop:s0
+
+vendor.rpmb.ready u:object_r:vendor_mtk_rpmb_ready_prop:s0
+
+ro.vendor.mtklog_internal u:object_r:vendor_mtk_default_prop:s0
+
+# customer log path
+ro.vendor.customer_logpath u:object_r:vendor_mtk_default_prop:s0
+
+# android log much detect
+vendor.logmuch.value u:object_r:vendor_mtk_logmuch_prop:s0
+vendor.logmuch.delay u:object_r:vendor_mtk_logmuch_prop:s0
+
+persist.vendor.mtk.volte.enable u:object_r:vendor_mtk_volte_prop:s0
+
+persist.vendor.volte_support u:object_r:vendor_mtk_volte_support_prop:s0
+
+persist.vendor.vonr_setting_support u:object_r:vendor_mtk_vonr_support_prop:s0
+
+persist.vendor.mtk_wfc_support u:object_r:vendor_mtk_wfc_support_prop:s0
+
+persist.vendor.vilte_support u:object_r:vendor_mtk_vilte_support_prop:s0
+
+persist.vendor.viwifi_support u:object_r:vendor_mtk_viwifi_support_prop:s0
+
+persist.vendor.mtk_rcs_ua_support u:object_r:vendor_mtk_rcs_ua_support_prop:s0
+
+persist.vendor.mtk.wfc.enable u:object_r:vendor_mtk_wfc_prop:s0
+
+persist.vendor.mtk.vilte.enable u:object_r:vendor_mtk_vilte_prop:s0
+
+persist.vendor.mtk.viwifi.enable u:object_r:vendor_mtk_viwifi_prop:s0
+
+persist.vendor.mtk.ims.video.enable u:object_r:vendor_mtk_vt_prop:s0
+
+persist.vendor.mtk.vonr.enable u:object_r:vendor_mtk_vonr_prop:s0
+
+persist.vendor.mtk.vonr.force.enable u:object_r:vendor_mtk_vonr_force_prop:s0
+
+persist.vendor.mtk.vinr.enable u:object_r:vendor_mtk_vinr_prop:s0
+
+persist.vendor.mtk_hvolte_indicator u:object_r:vendor_mtk_hvolte_indicator:s0
+
+persist.vendor.service.atci u:object_r:vendor_mtk_persist_service_atci_prop:s0
+vendor.mtk.atci u:object_r:vendor_mtk_atci_prop:s0
+
+# allow carrier express (cxp)
+persist.vendor.operator.optr u:object_r:vendor_mtk_cxp_vendor_prop:s0
+persist.vendor.operator.spec u:object_r:vendor_mtk_cxp_vendor_prop:s0
+persist.vendor.operator.seg u:object_r:vendor_mtk_cxp_vendor_prop:s0
+persist.vendor.operator.subid u:object_r:vendor_mtk_cxp_vendor_prop:s0
+persist.vendor.mtk_usp_md_sbp_code u:object_r:vendor_mtk_cxp_vendor_prop:s0
+ro.vendor.mtk_carrierexpress_pack u:object_r:vendor_mtk_cxp_vendor_prop:s0
+persist.vendor.mtk_usp_switch_mode u:object_r:vendor_mtk_cxp_vendor_prop:s0
+
+# vt operator property
+persist.vendor.vt. u:object_r:vendor_mtk_vendor_vt_prop:s0
+vendor.vt. u:object_r:vendor_mtk_vendor_vt_prop:s0
+
+
+vendor.gsm.external.sim.enabled u:object_r:vendor_mtk_vsim_prop:s0
+vendor.gsm.external.sim.inserted u:object_r:vendor_mtk_vsim_prop:s0
+vendor.gsm.external.sim.internal u:object_r:vendor_mtk_vsim_prop:s0
+vendor.gsm.modem.vsim.capability u:object_r:vendor_mtk_vsim_prop:s0
+vendor.gsm.prefered.aka.sim.slot u:object_r:vendor_mtk_vsim_prop:s0
+vendor.gsm.prefered.rsim.slot u:object_r:vendor_mtk_vsim_prop:s0
+vendor.gsm.external.sim.timeout u:object_r:vendor_mtk_vsim_prop:s0
+vendor.gsm.external.sim.connected u:object_r:vendor_mtk_vsim_prop:s0
+persist.vendor.radio.external.sim u:object_r:vendor_mtk_vsim_prop:s0
+persist.vendor.radio.vsim.timeout u:object_r:vendor_mtk_vsim_prop:s0
+
+# TrustKernel add
+vendor.trustkernel. u:object_r:vendor_mtk_trustkernel_tee_prop:s0
+ro.vendor.trustkernel. u:object_r:vendor_mtk_trustkernel_tee_prop:s0
+
+ro.vendor.md_prop_ver u:object_r:vendor_mtk_md_version_prop:s0
+
+persist.vendor.sys.disable.moms u:object_r:vendor_mtk_moms_prop:s0
+
+persist.vendor.log.tel_log_ctrl u:object_r:vendor_mtk_log_tel_dbg_prop:s0
+
+# IMS property
+ro.vendor.md_auto_setup_ims u:object_r:vendor_mtk_ims_prop:s0
+ro.vendor.md_mims_support u:object_r:vendor_mtk_ims_prop:s0
+persist.vendor.ims_support u:object_r:vendor_mtk_ims_prop:s0
+ro.vendor.mtk_imsi_switch_support u:object_r:vendor_mtk_ims_prop:s0
+persist.vendor.ims.simulate u:object_r:vendor_mtk_ims_prop:s0
+ro.vendor.mtk_ims_notification u:object_r:vendor_mtk_ims_prop:s0
+
+vendor.net. u:object_r:vendor_mtk_network_prop:s0
+
+# CTA property
+vendor.cta.log.enable u:object_r:vendor_mtk_cta_log_prop:s0
+ro.vendor.mtk_mobile_management u:object_r:vendor_mtk_mobile_management_prop:s0
+
+vendor.boostfwk.log.enable u:object_r:vendor_mtk_boostfwk_log_prop:s0
+vendor.boostfwk.scrollidentify.option u:object_r:vendor_mtk_boostfwk_scrollidentify_prop:s0
+vendor.boostfwk.display60 u:object_r:vendor_mtk_boostfwk_display60_prop:s0
+vendor.boostfwk.frameidentify.option u:object_r:vendor_mtk_boostfwk_frameidentify_prop:s0
+vendor.boostfwk.option u:object_r:vendor_mtk_boostfwk_prop:s0
+
+ro.vendor.mtk_wfd_support u:object_r:vendor_mtk_wfd_support_prop:s0
+
+ro.vendor.mtk_dx_hdcp_support u:object_r:vendor_mtk_dx_hdcp_support_prop:s0
+
+# mtk duraspeed property
+persist.vendor.duraspeed. u:object_r:vendor_mtk_duraspeed_prop:s0
+persist.vendor.low.memory.hint u:object_r:vendor_mtk_duraspeed_prop:s0
+
+# Multiple IMS property
+persist.vendor.mims_support u:object_r:vendor_mtk_mims_prop:s0
+persist.vendor.mtk_dynamic_ims_switch u:object_r:vendor_mtk_dynims_prop:s0
+ro.vendor.mtk_external_sim_support u:object_r:vendor_mtk_extsim_prop:s0
+ro.vendor.mtk_external_sim_only_slots u:object_r:vendor_mtk_extsim_prop:s0
+ro.vendor.mtk_non_dsda_rsim_support u:object_r:vendor_mtk_extsim_prop:s0
+ro.vendor.mtk_persist_vsim_disabled u:object_r:vendor_mtk_extsim_prop:s0
+
+# IMS/EIMS pdn info property
+vendor.ims.eims.pdn.info u:object_r:vendor_mtk_ims_eims_pdn_prop:s0
+
+# Modem Monitor property
+ro.vendor.mtk_modem_monitor_support u:object_r:vendor_mtk_mdm_prop:s0
+ro.vendor.mtk_single_bin_modem_support u:object_r:vendor_mtk_mdm_prop:s0
+
+# game server property
+vendor.netdagent.gameserver u:object_r:vendor_mtk_netdagent_gameserver_prop:s0
+
+# Modem World Mode property
+ro.vendor.mtk_md_world_mode_support u:object_r:vendor_mtk_mdworldmode_prop:s0
+
+# OMA DRM
+ro.vendor.mtk_oma_drm_support u:object_r:vendor_mtk_oma_drm_support_prop:s0
+vendor.drm.forwardlock.only u:object_r:vendor_mtk_drm_fwd_lock_only_prop:s0
+
+# relevant property
+ro.vendor.mtk_miravision_support u:object_r:vendor_mtk_miravision_support_prop:s0
+ro.vendor.mtk_default_write_disk u:object_r:vendor_mtk_default_write_disk_prop:s0
+ro.vendor.mtk_bg_power_saving_support u:object_r:vendor_mtk_bg_power_saving_support_prop:s0
+ro.vendor.mtk_bg_power_saving_ui u:object_r:vendor_mtk_bg_power_saving_ui_prop:s0
+ro.vendor.mtk_besloudness_support u:object_r:vendor_mtk_besloudness_support_prop:s0
+ro.vendor.mtk_hifiaudio_support u:object_r:vendor_mtk_hifiaudio_support_prop:s0
+ro.vendor.mtk_active_noise_cancel u:object_r:vendor_mtk_active_noise_cancel_prop:s0
+ro.vendor.mtk_wapi_support u:object_r:vendor_mtk_wapi_support_prop:s0
+ro.vendor.mtk_fast_charging_support u:object_r:vendor_mtk_fast_charging_support_prop:s0
+
+# FastDormancy support property
+ro.vendor.mtk_fd_support u:object_r:vendor_mtk_fd_support_prop:s0
+
+# wappush property
+ro.vendor.mtk_wappush_support u:object_r:vendor_mtk_wappush_prop:s0
+
+# MD Number Protocol
+ro.vendor.num_md_protocol u:object_r:vendor_mtk_num_md_protocol_prop:s0
+
+# NFC related property
+persist.vendor.st_nfc_gsma_support u:object_r:vendor_mtk_st_nfc_gsma_support_prop:s0
+persist.vendor.st_nfc_ignore_modem u:object_r:vendor_mtk_st_nfc_ignore_modem_prop:s0
+ro.vendor.mtk_nfc_addon_support u:object_r:vendor_mtk_nfc_addon_support_prop:s0
+ro.vendor.mtk_uicc_clf u:object_r:vendor_mtk_nfc_uicc_clf_prop:s0
+persist.vendor.radio.seapi.off u:object_r:vendor_mtk_radio_seapi_off_prop:s0
+persist.vendor.nxp_nfc_gsma_support u:object_r:vendor_mtk_nxp_nfc_gsma_support_prop:s0
+vendor.nfc.nfcstackp.enable u:object_r:vendor_mtk_nfc_nfcstackp_enable_prop:s0
+
+# MTK operator property
+ro.vendor.operator. u:object_r:vendor_mtk_operator_prop:s0
+
+ro.vendor.mtk_omacp_support u:object_r:vendor_mtk_omacp_support_prop:s0
+
+persist.vendor.md_c2k_cap_dep_check u:object_r:vendor_mtk_md_c2k_cap_dep_check_prop:s0
+
+persist.vendor.debug.fdleak u:object_r:vendor_mtk_libudf_prop:s0
+persist.vendor.debug.fdleak.program u:object_r:vendor_mtk_libudf_prop:s0
+persist.vendor.debug.fdleak.bt2log u:object_r:vendor_mtk_libudf_prop:s0
+persist.vendor.debug.fdleak.thd u:object_r:vendor_mtk_libudf_prop:s0
+persist.vendor.libc.debug.malloc u:object_r:vendor_mtk_libudf_prop:s0
+persist.vendor.libc.debug15.prog u:object_r:vendor_mtk_libudf_prop:s0
+persist.vendor.debug15.config u:object_r:vendor_mtk_libudf_prop:s0
+persist.vendor.debug15.config.file u:object_r:vendor_mtk_libudf_prop:s0
+persist.vendor.debug15.statis u:object_r:vendor_mtk_libudf_prop:s0
+persist.vendor.debug.mmap u:object_r:vendor_mtk_libudf_prop:s0
+persist.vendor.debug.mmap.program u:object_r:vendor_mtk_libudf_prop:s0
+persist.vendor.debug.mmap.config u:object_r:vendor_mtk_libudf_prop:s0
+
+persist.vendor.uartconsole.enable u:object_r:vendor_mtk_printk_prop:s0
+
+# fm vibspk support
+ro.vendor.mtk_vibspk_support u:object_r:vendor_mtk_default_prop:s0
+
+# fm 50khz support
+ro.vendor.mtk_fm_50khz_support u:object_r:vendor_mtk_default_prop:s0
+
+vendor.camera.save.temp.video u:object_r:vendor_mtk_camera_prop:s0
+vendor.camera_af_power_debug u:object_r:vendor_mtk_camera_prop:s0
+vendor.com.mediatek.gesture.pose u:object_r:vendor_mtk_camera_prop:s0
+vendor.debug.dualcam.mode u:object_r:vendor_mtk_camera_prop:s0
+vendor.debug.mtkcam.loglevel u:object_r:vendor_mtk_camera_prop:s0
+vendor.mtkcamapp.cshot.platform u:object_r:vendor_mtk_camera_prop:s0
+vendor.mtkcamapp.cshot.version u:object_r:vendor_mtk_camera_prop:s0
+vendor.debug.stereo.single_main2 u:object_r:vendor_mtk_camera_prop:s0
+vendor.debug.surface.enabled u:object_r:vendor_mtk_camera_prop:s0
+vendor.debug.thumbnailFromYuv.enable u:object_r:vendor_mtk_camera_prop:s0
+vendor.lomoeffect. u:object_r:vendor_mtk_camera_prop:s0
+vendor.mtk.camera.app. u:object_r:vendor_mtk_camera_prop:s0
+vendor.multizone.af.window.ratio u:object_r:vendor_mtk_camera_prop:s0
+persist.vendor.mtkcamapp.loglevel u:object_r:vendor_mtk_camera_prop:s0
+persist.vendor.mtk_camera_app_version u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_cam_cfb u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_cam_dualdenoise_support u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_cam_dualzoom_support u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_cam_mfb_support u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_cam_vfb u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_camera_app_api_version u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_camera_app_version u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_emulator_support u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_fat_on_nand u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_multiwindow u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_slow_motion_support u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_zsdhdr_support u:object_r:vendor_mtk_camera_prop:s0
+vendor.vdo.cam.effect u:object_r:vendor_mtk_camera_prop:s0
+vendor.mtk.client.appmode u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_video_hevc_enc_support u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.hdr10plus.enable u:object_r:vendor_mtk_camera_prop:s0
+
+vendor.debug.gallery.loglevel u:object_r:vendor_mtk_gallery_prop:s0
+vendor.gallery.log.enable u:object_r:vendor_mtk_gallery_prop:s0
+
+vendor.debug.log_delete u:object_r:vendor_mtk_media_prop:s0
+vendor.debug.log_insert u:object_r:vendor_mtk_media_prop:s0
+vendor.debug.log_query u:object_r:vendor_mtk_media_prop:s0
+vendor.debug.log_scan u:object_r:vendor_mtk_media_prop:s0
+vendor.debug.log_update u:object_r:vendor_mtk_media_prop:s0
+
+ro.vendor.mtk_privacy_protection_lock u:object_r:vendor_mtk_default_prop:s0
+
+ro.vendor.sys.current_rsc_path u:object_r:vendor_mtk_rsc_prop:s0
+ro.vendor.vnd.current_rsc_path u:object_r:vendor_mtk_rsc_prop:s0
+
+persist.vendor.net.dhcp.renew u:object_r:vendor_mtk_default_prop:s0
+ro.vendor.mtk_dhcpv6c_wifi u:object_r:vendor_mtk_default_prop:s0
+
+persist.vendor.pms_removable u:object_r:vendor_mtk_pms_prop:s0
+ro.vendor.mtk_carrierexpress_inst_sup u:object_r:vendor_mtk_pms_prop:s0
+ro.vendor.mtk_skip_pkg_file u:object_r:vendor_mtk_pms_prop:s0
+
+# CT SelfRegister property
+ro.vendor.mtk_ct4greg_app u:object_r:vendor_mtk_default_prop:s0
+ro.vendor.mtk_devreg_app u:object_r:vendor_mtk_default_prop:s0
+
+vendor.cdma. u:object_r:vendor_mtk_cdma_prop:s0
+
+persist.vendor.service.rcs u:object_r:vendor_mtk_service_rcs_prop:s0
+persist.vendor.service.tag.rcs u:object_r:vendor_mtk_service_rcs_prop:s0
+persist.vendor.service.tag.rcs.2 u:object_r:vendor_mtk_service_rcs_prop:s0
+persist.vendor.active.rcs.slot.id u:object_r:vendor_mtk_service_rcs_prop:s0
+
+# data shaping property
+persist.vendor.datashaping u:object_r:vendor_mtk_datashaping_prop:s0
+
+# MTK IMS Config Provision property
+persist.vendor.mtk.provision. u:object_r:vendor_mtk_provision_prop:s0
+
+# wfd hybrid encode property
+ro.vendor.mtk_hybrid_encode_support u:object_r:vendor_mtk_default_prop:s0
+
+vendor.mtk.secure.venc.alive u:object_r:vendor_mtk_secure_venc_prop:s0
+
+vendor.net.rndis.client u:object_r:vendor_mtk_netdagent_prop:s0
+
+# neuropilot property
+ro.vendor.mtk_nn_quant_preferred u:object_r:vendor_mtk_nn_quant_preferred_prop:s0
+ro.vendor.mtk_tflite_fuse_pad u:object_r:vendor_mtk_nn_quant_preferred_prop:s0
+
+# hdmi service property,used for tablet only
+ro.vendor.mtk_tb_hdmi u:object_r:vendor_mtk_default_prop:s0
+
+ro.vendor.sim_me_lock_mode u:object_r:vendor_mtk_default_prop:s0
+
+# MTK CAM Security property
+ro.vendor.mtk_cam_security u:object_r:vendor_mtk_cam_security_prop:s0
+
+persist.vendor.service.atci.atm_mode u:object_r:vendor_mtk_atci_sys_prop:s0
+
+# Wi-Fi Hotspot
+vendor.wifi.tethering.channel u:object_r:vendor_mtk_wifi_hotspot_prop:s0
+
+# Telephony Add-on
+ro.vendor.mtk_telephony_add_on_policy u:object_r:vendor_mtk_telephony_addon_prop:s0
+
+ro.vendor.mtk_cta_support u:object_r:vendor_mtk_cta_support_prop:s0
+
+ro.vendor.mtk_subsidy_lock_support u:object_r:vendor_mtk_subsidy_lock_support_prop:s0
+
+vendor.debug.camera. u:object_r:vendor_mtk_emcamera_prop:s0
+vendor.debug.cameng. u:object_r:vendor_mtk_emcamera_prop:s0
+vendor.debug.lsc_mgr. u:object_r:vendor_mtk_emcamera_prop:s0
+vendor.debug.ae. u:object_r:vendor_mtk_emcamera_prop:s0
+vendor.debug.ae_mgr. u:object_r:vendor_mtk_emcamera_prop:s0
+vendor.debug.awb_mgr. u:object_r:vendor_mtk_emcamera_prop:s0
+vendor.debug.hdr u:object_r:vendor_mtk_emcamera_prop:s0
+vendor.debug.shot. u:object_r:vendor_mtk_emcamera_prop:s0
+vendor.debug.eis. u:object_r:vendor_mtk_emcamera_prop:s0
+persist.vendor.mtkcam. u:object_r:vendor_mtk_emcamera_prop:s0
+
+# jpeg dec opt. property
+ro.vendor.jpeg_decode_sw_opt u:object_r:vendor_mtk_jpeg_opt_prop:s0
+
+# TEE property
+ro.vendor.mtk_trustonic_tee_support u:object_r:vendor_mtk_trustonic_tee_prop:s0
+ro.vendor.mtk_microtrust_tee_support u:object_r:vendor_mtk_microtrust_tee_prop:s0
+ro.vendor.mtk_trustkernel_tee_support u:object_r:vendor_mtk_trustkernel_tee_prop:s0
+
+# DMC control property
+ro.vendor.mtk_dmc_support u:object_r:vendor_mtk_dmc_prop:s0
+ro.vendor.mtk_mapi_support u:object_r:vendor_mtk_dmc_prop:s0
+vendor.dmc.apm.active u:object_r:vendor_mtk_dmc_prop:s0
+
+# MTK dynamic debug control property
+persist.vendor.em.dy.debug u:object_r:vendor_mtk_em_dy_debug_ctrl_prop:s0
+
+# MTK GWSD property
+ro.vendor.mtk_gwsd_capability u:object_r:vendor_mtk_gwsd_capability_prop:s0
+
+# APUWare debug property
+persist.vendor.apuware.debug. u:object_r:vendor_mtk_apuware_debug_prop:s0
+
+persist.vendor.gsm.netin. u:object_r:vendor_mtk_nwk_opt_prop:s0
+
+vendor.mtk.wfd.enable u:object_r:vendor_mtk_wfd_enable_prop:s0
+
+# mtu property
+persist.vendor.radio.mobile.mtu.sysenv u:object_r:vendor_mtk_em_mtu_prop:s0
+
+# MTK call drop reason report
+ro.vendor.mtk_calldrop_reason u:object_r:vendor_mtk_call_drop_prop:s0
+
+#=============allow build property to write default value=================
+ro.vendor.mtk_sec_video_path_support u:object_r:vendor_mtk_sec_video_path_support_prop:s0
+ro.vendor.mtk_svp_on_mtee_support u:object_r:vendor_mtk_svp_on_mtee_support_prop:s0
+
+# MTK MCF property
+ro.vendor.mtk_mcf_support u:object_r:vendor_mtk_mcf_prop:s0
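Review bot: A dozen unrelated properties in this file share the catch-all `vendor_mtk_default_prop` label — `ro.vendor.mtklog_internal`, `ro.vendor.customer_logpath`, `ro.vendor.mtk_vibspk_support`, `ro.vendor.mtk_fm_50khz_support`, `ro.vendor.mtk_privacy_protection_lock`, `persist.vendor.net.dhcp.renew`, `ro.vendor.mtk_dhcpv6c_wifi`, `ro.vendor.mtk_ct4greg_app`, `ro.vendor.mtk_devreg_app`, `ro.vendor.mtk_hybrid_encode_support`, `ro.vendor.mtk_tb_hdmi` and `ro.vendor.sim_me_lock_mode`. Because property access is granted per type, every domain with `set_prop` on `vendor_mtk_default_prop` (its declaration and grants are outside this file, so I cannot see who that is) can write all of them, including the privacy-protection-lock and SIM/ME-lock flags, which look security-relevant rather than cosmetic. Giving those two their own `vendor_restricted_prop` type, as the rest of this file does for feature flags, would keep the write set for them to the domains that actually need it. At minimum a comment on the `vendor_mtk_default_prop` entries should say it is a legacy catch-all not to be extended.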
diff --git a/bsp/non_plat/radio.te b/bsp/non_plat/radio.te
new file mode 100644
index 0000000..0029aad
--- /dev/null
+++ b/bsp/non_plat/radio.te
@@ -0,0 +1,103 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK16.09
+# Operation : Migration for SWO policy package survey
+allow radio rild_mal_socket:sock_file write;
+allow radio rild_mal_at_socket:sock_file write;
+allow radio rild_mal_md2_socket:sock_file write;
+allow radio rild_mal_at_md2_socket:sock_file write;
+
+# Date : 2018/06/25
+# Purpose: for world phone get modem type
+get_prop(radio, vendor_mtk_ril_active_md_prop)
+
+# Date : WK15.33 2015/08/13
+# Operation : IT
+# Purpose : for setting volte enable property
+get_prop(radio, vendor_mtk_volte_prop)
+
+# Date : WK15.48 2015/11/23
+# Operation : IT
+# Purpose : for setting wfc enable property
+get_prop(radio, vendor_mtk_wfc_prop)
+
+# Date : WK16.47 2016/11/17
+# Operation : IT
+# Purpose : for setting vilte enable property after 93 modem
+get_prop(radio, vendor_mtk_vilte_prop)
+
+# Date : WK16.47 2016/11/17
+# Operation : IT
+# Purpose : for setting viwifi enable property
+get_prop(radio, vendor_mtk_viwifi_prop)
+
+# Date : WK15.48 2015/11/23
+# Operation : IT
+# Purpose : for setting vt enable property
+get_prop(radio, vendor_mtk_vt_prop)
+
+# Date : 2017/08/14
+# Operation : VT development
+# Purpose : Add vtservice to support video telephony functionality
+# 3G VT/ViLTE both use this service which will also communication with IMCB/Rild
+allow radio vtservice:binder call;
+allow radio vtservice:binder transfer;
+
+# Date: 2017/11/14
+# Operation : rcs hal developing
+# Purpose : Allow to use HAL rcs
+hal_client_domain(radio, hal_rcs);
+
+# Date : 2018/6/29
+# Operation: P migration
+# Purpose: Allow radio to get vendor_mtk_vsim_prop
+get_prop(radio, vendor_mtk_vsim_prop)
+
+# Date : 2018/05/16
+# Operation: P migration
+get_prop(radio, vendor_mtk_ims_prop)
+
+# Date : 2018/05/23
+# Purpose: for SWIFT connecting to ATCI
+hal_client_domain(radio, hal_mtk_atci)
+
+# Date: 2018/06/12
+# Purpose: P SQC, for SMS framework access PplAgent HIDL interface
+allow radio mtk_hal_pplagent_hwservice:hwservice_manager find;
+allow radio ppl_agent:binder call;
+
+# Date : 2018/06/19
+# Operation : P migration
+# Purpose : for SelfRegister to call nvram hal
+hal_client_domain(radio, hal_mtk_nvramagent)
+
+# Date : 2019/05/16
+# Operation : IT
+# Purpose : Add for HIDL service
+hal_client_domain(radio, md_monitor_hal)
+
+# Date : 2019/07/15
+# Operation : IT
+# Purpose : for setting ims nr enable property
+get_prop(radio, vendor_mtk_vonr_prop)
+get_prop(radio, vendor_mtk_vinr_prop)
+
+# Date : 2019/08/20
+# Operation : DMC Q Migration
+# Purpose : allow to get vendor_mtk_dmc_prop
+get_prop(radio, vendor_mtk_dmc_prop)
+
+# Date : 2020/10/30
+# Operation : QC
+# Purpose : for getting ims nr force enable property
+get_prop(radio, vendor_mtk_vonr_force_prop)
+
+# Date: 2021/3/30
+# Purpose: Allow rild to get call drop feature
+get_prop(radio, vendor_mtk_call_drop_prop)
+
+# Date : 2021/08/17
+# Purpose : Allow radio to read ro.vendor.mtk_mcf_support
+get_prop(radio, vendor_mtk_mcf_prop)
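Review bot: The pplagent access at L22506–L22507 is written as two raw allows (`hwservice_manager find` on `mtk_hal_pplagent_hwservice` plus `binder call` on `ppl_agent`) while every other HAL client grant in this file uses `hal_client_domain(radio, …)`, and the server side in ppl_agent.te (`hal_server_domain(ppl_agent, mtk_hal_pplagent)`) indicates the attribute exists; if `hal_client_domain(radio, mtk_hal_pplagent)` covers these permissions it would be the consistent form and would bind the grant to the HAL attribute rather than the concrete daemon domain. Separately, `hal_client_domain(radio, hal_rcs);` at L22489 carries a trailing `;` that none of the other macro invocations have; drop it for uniformity. The WK16.09 block at L22445–L22448 grants `sock_file write` on four rild_mal sockets with only "policy package survey" as the reason; a purpose line naming the consumer would make the grant reviewable.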
diff --git a/bsp/non_plat/rcs_volte_stack.te b/bsp/non_plat/rcs_volte_stack.te
new file mode 100644
index 0000000..5b16442
--- /dev/null
+++ b/bsp/non_plat/rcs_volte_stack.te
@@ -0,0 +1,31 @@
+# ==============================================
+# Policy File of /vendor/bin/rcs_volte_stack Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type rcs_volte_stack_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(rcs_volte_stack)
+
+# Date : WK14.42
+# Operation : Migration
+# Purpose : for VoLTE L early bring up and first call
+allow rcs_volte_stack vendor_shell_exec:file rx_file_perms;
+allow rcs_volte_stack self:key_socket { write read create setopt };
+allow rcs_volte_stack self:capability { net_admin setuid setgid };
+allow rcs_volte_stack self:tcp_socket create_stream_socket_perms;
+allow rcs_volte_stack self:udp_socket create_stream_socket_perms;
+allow rcs_volte_stack node:udp_socket node_bind;
+allow rcs_volte_stack node:tcp_socket node_bind;
+allow rcs_volte_stack port:tcp_socket { name_bind name_connect };
+allow rcs_volte_stack port:udp_socket name_bind;
+allow rcs_volte_stack fwmarkd_socket:sock_file write;
+
+allow rcs_volte_stack rcs_volte_stack_socket:sock_file write;
+allow rcs_volte_stack self:netlink_xfrm_socket { write bind create read nlmsg_write nlmsg_read };
+
+# Date : W1849
+# Operation : Migration
+# Purpose : for TMO ROI support Ipsec tunnel
+set_prop(rcs_volte_stack, vendor_mtk_network_prop)
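Review bot: `allow rcs_volte_stack vendor_shell_exec:file rx_file_perms;` lets the daemon run a shell inside its own domain, so that shell inherits `self:capability { net_admin setuid setgid }`, the `netlink_xfrm_socket` access and `name_bind`/`name_connect` on the generic `port` type, i.e. any TCP/UDP port. If a shell is really needed for a helper script, transition it into its own domain (`domain_auto_trans(rcs_volte_stack, vendor_shell_exec, <helper_domain>)`) with only the rules that script needs; if it is bring-up residue, as the "early bring up and first call" comment suggests, drop the rule. Consider also narrowing `port` to a specific port type so the stack cannot bind or connect arbitrary ports, and confirm the vendor_shell execute rule passes the platform neverallows of the target release.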
diff --git a/bsp/non_plat/remosaic_daemon.te b/bsp/non_plat/remosaic_daemon.te
new file mode 100644
index 0000000..81892e6
--- /dev/null
+++ b/bsp/non_plat/remosaic_daemon.te
@@ -0,0 +1,12 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type remosaic_daemon_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(remosaic_daemon)
+
+vndbinder_use(remosaic_daemon)
+
+allow remosaic_daemon remosaic_daemon_service:service_manager add;
+allow remosaic_daemon mtk_hal_camera:fd use;
+allow remosaic_daemon ion_device:chr_file { read ioctl open };
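Review bot: `allow remosaic_daemon ion_device:chr_file { read ioctl open };` grants ioctl on the ION device with no `allowxperm` filter, so the daemon may issue any ION ioctl; the tee.te hunk in this same commit shows the intended pattern (`allowxperm ... ioctl { ... }`). Add an `allowxperm remosaic_daemon ion_device:chr_file ioctl { ... };` listing only the ION ioctls the daemon actually calls. A one-line header comment naming the executable and purpose, as the other .te files in this commit carry, would also help — the file has none.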
diff --git a/bsp/non_plat/rild.te b/bsp/non_plat/rild.te
new file mode 100644
index 0000000..275ba7e
--- /dev/null
+++ b/bsp/non_plat/rild.te
@@ -0,0 +1,60 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# For Rild hidl connection
+allow rild system_app:binder call;
+
+# Date: 2018/10/31
+# Operation: Support SubsidyLock
+# For Rild hidl connection
+allow rild em_app:binder call;
+
+allow rild statusd:unix_stream_socket connectto;
+allow rild rild_via_socket:sock_file write;
+allow rild viarild:unix_stream_socket connectto;
+set_prop(rild, vendor_mtk_cdma_prop)
+set_prop(rild, vendor_mtk_ril_cdma_report_prop)
+allow rild rild_vsim_socket:sock_file write;
+
+# Allow the find/call of netdagent for rilproxy
+allow rild mtk_hal_netdagent_hwservice:hwservice_manager find;
+allow rild netdagent:binder call;
+
+#Dat: 2017/02/14
+#Purpose: allow set telephony Sensitive property
+set_prop(rild, vendor_mtk_telephony_sensitive_prop)
+
+# Date : WK18.26
+# Operation: P migration
+# Purpose: Allow rild to set ims support property
+set_prop(rild, vendor_mtk_volte_support_prop)
+set_prop(rild, vendor_mtk_wfc_support_prop)
+set_prop(rild, vendor_mtk_vilte_support_prop)
+set_prop(rild, vendor_mtk_viwifi_support_prop)
+set_prop(rild, vendor_mtk_rcs_ua_support_prop)
+
+# Date : WK18.29
+# Operation: Ims config TelephonyWare dev
+# Purpose: Allow rild to get/set vendor_mtk_provision_prop
+set_prop(rild, vendor_mtk_provision_prop)
+
+# Date : WK18.33
+# Operation: IT
+# Purpose: Allow rild to set ims enable property
+set_prop(rild, vendor_mtk_volte_prop)
+set_prop(rild, vendor_mtk_wfc_prop)
+set_prop(rild, vendor_mtk_vilte_prop)
+set_prop(rild, vendor_mtk_viwifi_prop)
+set_prop(rild, vendor_mtk_vt_prop)
+
+# Date : WK19.29
+# Operation: IT
+# Purpose: Allow rild to set ims nr enable property
+set_prop(rild, vendor_mtk_vonr_prop)
+set_prop(rild, vendor_mtk_vinr_prop)
+
+# Date : 2020/10/30
+# Operation: IMS Config NR force value
+# Purpose: Allow rild to force set IMS NR feature
+set_prop(rild, vendor_mtk_vonr_force_prop)
diff --git a/bsp/non_plat/rsu_app.te b/bsp/non_plat/rsu_app.te
new file mode 100644
index 0000000..1be115c
--- /dev/null
+++ b/bsp/non_plat/rsu_app.te
@@ -0,0 +1,3 @@
+# ==============================================
+# Policy File of /system/priv-app/RsuService/RsuService.apk etc. Executable File
+hal_client_domain(rsu_app, hal_telephony)
\ No newline at end of file
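Review bot: rsu_app.te ends without a trailing newline (the `\ No newline at end of file` marker), which is a style defect and can cause a later appended rule to run onto the last line; add one. The single rule `hal_client_domain(rsu_app, hal_telephony)` gives a privileged app the full radio HAL client surface, yet unlike the other hunks it carries no Date/Purpose comment; add a line such as `# Purpose: RsuService uses the radio HAL for <the RSU operations it needs>` so the breadth of the grant is reviewable later.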
diff --git a/bsp/non_plat/seapp_contexts b/bsp/non_plat/seapp_contexts
new file mode 100644
index 0000000..b42f15c
--- /dev/null
+++ b/bsp/non_plat/seapp_contexts
@@ -0,0 +1,13 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# This is for trustonic tui-service
+user=_app seinfo=platform name=com.trustonic.tuiservice domain=mobicore_app type=app_data_file levelFrom=user
+
+# This is for emcamera apk to commnucate with hal1
+user=_app seinfo=platform name=com.mediatek.emcamera domain=emcamera_app type=app_data_file levelFrom=user
+
+# This is for sensorhub apk to commnucate with hal
+user=_app seinfo=platform name=com.mediatek.sensorhub.ui domain=sensorhub_app type=app_data_file levelFrom=user
+
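Review bot: The comments on the emcamera and sensorhub entries misspell "communicate" (`commnucate`) twice; fix them as `# This is for emcamera apk to communicate with hal1` and `# This is for sensorhub apk to communicate with hal`. All three entries are pinned with `seinfo=platform`, which is the right guard since `name=` alone is attacker-chosen; note however that only `sensorhub_app` is declared with `app_domain` in this commit's visible files — `mobicore_app` and `emcamera_app` must exist as app domains elsewhere or these entries will be rejected at policy build.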
diff --git a/bsp/non_plat/sensorhub_app.te b/bsp/non_plat/sensorhub_app.te
new file mode 100644
index 0000000..5c2bcf9
--- /dev/null
+++ b/bsp/non_plat/sensorhub_app.te
@@ -0,0 +1,25 @@
+# ==============================================
+# Policy File of /vendor/app/sensorhub Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+app_domain(sensorhub_app)
+
+allow sensorhub_app activity_service:service_manager find;
+allow sensorhub_app surfaceflinger_service:service_manager find;
+allow sensorhub_app activity_task_service:service_manager find;
+allow sensorhub_app audio_service:service_manager find;
+allow sensorhub_app drmserver_service:service_manager find;
+allow sensorhub_app autofill_service:service_manager find;
+allow sensorhub_app sensorservice_service:service_manager find;
+allow sensorhub_app mediaextractor_service:service_manager find;
+allow sensorhub_app mediaserver_service:service_manager find;
+allow sensorhub_app mediametrics_service:service_manager find;
+
+# Date : 2019/03/25
+# Operation : IT
+# Purpose : for engineermode sensor can work normal
+allow sensorhub_app als_ps_device:chr_file r_file_perms;
+allow sensorhub_app gsensor_device:chr_file r_file_perms;
+allow sensorhub_app gyroscope_device:chr_file r_file_perms;
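Review bot: The three `chr_file r_file_perms` rules at the end give an app domain (`app_domain(sensorhub_app)`) direct read and ioctl access to the als_ps, gsensor and gyroscope device nodes, bypassing the sensor HAL and the runtime permission model. The comment says this is for engineer mode, so gate it in `userdebug_or_eng(` … `)` as shell.te in this commit does for its debug rules, or route the app through the sensor service it already finds (`sensorservice_service:service_manager find`). Also confirm these device types are not caught by the app-domain device neverallows of the target release; if they are, the policy will not build there.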
diff --git a/bsp/non_plat/service_contexts b/bsp/non_plat/service_contexts
new file mode 100644
index 0000000..9dda972
--- /dev/null
+++ b/bsp/non_plat/service_contexts
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+android.hardware.neuralnetworks.IDevice/mtk-gpu_shim u:object_r:hal_neuralnetworks_service:s0
+android.hardware.neuralnetworks.IDevice/mtk-dsp_shim u:object_r:hal_neuralnetworks_service:s0
+android.hardware.neuralnetworks.IDevice/mtk-mdla_shim u:object_r:hal_neuralnetworks_service:s0
+android.hardware.neuralnetworks.IDevice/mtk-neuron_shim u:object_r:hal_neuralnetworks_service:s0
diff --git a/bsp/non_plat/shell.te b/bsp/non_plat/shell.te
new file mode 100644
index 0000000..4131beb
--- /dev/null
+++ b/bsp/non_plat/shell.te
@@ -0,0 +1,24 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+userdebug_or_eng(`
+
+# MICROTRUST SEPolicy Rule
+# Date : 2016/06/01
+# Operation: TEEI integration
+# Purpose: Microtrust init_thh service
+ allow shell init_thh_service_exec:file rx_file_perms;
+ allow shell init_thh_service_exec:dir r_dir_perms;
+ hal_client_domain(shell, hal_teei_thh)
+
+# Purpose: Allow shell to read trustkernel log
+allow shell tkcore_data_file:dir search;
+allow shell tkcore_log_file:file r_file_perms;
+
+# Date : WK19.07 2019/06/13
+# Operation : mdi_redirector integration test with AT&T Linkmaster
+# Purpose : Allow shell to read DMC property ro.vendor.mtk_mapi_support
+get_prop(shell, vendor_mtk_dmc_prop)
+
+')
diff --git a/bsp/non_plat/statusd.te b/bsp/non_plat/statusd.te
new file mode 100644
index 0000000..9073f97
--- /dev/null
+++ b/bsp/non_plat/statusd.te
@@ -0,0 +1,59 @@
+# ==============================================
+# Policy File of /vendor/bin/statusd Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# =============================================
+
+type statusd_exec, exec_type, file_type, vendor_file_type;
+typeattribute statusd mtkimsapdomain;
+
+init_daemon_domain(statusd)
+
+# Dat: 2017/02/14
+# Purpose: allow set telephony Sensitive property
+set_prop(statusd, vendor_mtk_telephony_sensitive_prop)
+
+allow statusd block_device:dir search;
+allow statusd flashlessd_exec:file rx_file_perms;
+set_prop(statusd, vendor_mtk_md_prop)
+set_prop(statusd, vendor_mtk_net_cdma_mdmstat_prop)
+
+allow statusd nvram_data_file:dir create_dir_perms;
+allow statusd nvram_data_file:file create_file_perms;
+allow statusd nvram_data_file:lnk_file read;
+allow statusd nvdata_file:lnk_file read;
+allow statusd nvdata_file:dir create_dir_perms;
+allow statusd nvdata_file:file create_file_perms;
+allow statusd nvram_device:chr_file rw_file_perms;
+allow statusd nvram_device:blk_file rw_file_perms;
+
+allow statusd nvdata_device:blk_file { read write open };
+set_prop(statusd, vendor_mtk_ril_cdma_report_prop)
+allow statusd self:capability net_admin;
+allow statusd self:udp_socket { create ioctl };
+allow statusd statusd_socket:sock_file { write setattr };
+allow statusd sysfs_wake_lock:file { read write open };
+
+allow statusd c2k_file:dir create_dir_perms;
+allow statusd c2k_file:file create_file_perms;
+allow statusd ttyMT_device:chr_file { read write ioctl open };
+allow statusd ttySDIO_device:chr_file { read write open setattr ioctl};
+allow statusd viarild_exec:file rx_file_perms;
+allow statusd vmodem_device:chr_file { read write open setattr ioctl};
+
+# property service
+set_prop(statusd, vendor_mtk_ril_mux_report_case_prop)
+set_prop(statusd, vendor_mtk_cdma_prop)
+
+# Search permission for findPidByName
+allow statusd domain:dir search;
+
+# N bringup: viarild is lunched by Statusd, should add the following permission to Status.
+allow statusd devpts:chr_file rw_file_perms;
+
+# Andorid O : Add permission to statusd.
+allowxperm statusd self:udp_socket ioctl {SIOCDELRT SIOCSIFFLAGS SIOCSIFADDR SIOCKILLADDR SIOCDEVPRIVATE SIOCDEVPRIVATE_1};
+allow statusd sysfs_ccci:dir search;
+allow statusd sysfs_ccci:file r_file_perms;
+allow statusd vndbinder_device:chr_file r_file_perms;
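Review bot: `allow statusd viarild_exec:file rx_file_perms;` (and the `flashlessd_exec` rule above it) executes another daemon with no domain transition, so viarild runs inside statusd's domain and inherits its raw block-device writes (`nvram_device:blk_file rw_file_perms`, `nvdata_device:blk_file { read write open }`), `net_admin`, the udp ioctl set and `domain:dir search`; the "viarild is lunched by Statusd" comment confirms this is the launch path. A `viarild` domain already exists (rild.te in this commit connects to `viarild:unix_stream_socket`), so the launch should be `domain_auto_trans(statusd, viarild_exec, viarild)` with viarild's rules kept in its own .te file; do the same for flashlessd if it has a domain. Separately, `allow statusd domain:dir search;` opens /proc/<pid> of every process for a findPidByName; if only a few known daemons are looked up, list their domains instead of `domain`.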
diff --git a/bsp/non_plat/stflashtool.te b/bsp/non_plat/stflashtool.te
new file mode 100644
index 0000000..322ce01
--- /dev/null
+++ b/bsp/non_plat/stflashtool.te
@@ -0,0 +1,15 @@
+# ==============================================
+# Policy File of /vendor/bin/STFlashTool Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type stflashtool_exec, exec_type, file_type, vendor_file_type;
+
+# Date : WK1652
+# Operation : Migration
+# Purpose : Start STFlashTool to upgrade the FW for ST NFC Solution
+init_daemon_domain(stflashtool)
+
+allow stflashtool st21nfc_device:chr_file rw_file_perms;
+
diff --git a/bsp/non_plat/surfaceflinger.te b/bsp/non_plat/surfaceflinger.te
new file mode 100644
index 0000000..14cfb67
--- /dev/null
+++ b/bsp/non_plat/surfaceflinger.te
@@ -0,0 +1,96 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# for debug purpose
+allow surfaceflinger self:capability { net_admin sys_nice };
+allow surfaceflinger self:netlink_socket { read bind create };
+allow surfaceflinger anr_data_file:dir { write search create add_name };
+allow surfaceflinger anr_data_file:file { create write};
+allow surfaceflinger aee_dumpsys_data_file:file write;
+allow surfaceflinger RT_Monitor_device:chr_file { read ioctl open };
+
+# watch dog use shell to move debug file
+allow surfaceflinger shell_exec:file rx_file_perms;
+
+# for using toolbox
+allow surfaceflinger system_file:file x_file_perms;
+
+# for sf_dump
+userdebug_or_eng(`
+allow surfaceflinger sf_bqdump_data_file:{dir file} {relabelto open create read write getattr };
+allow surfaceflinger sf_bqdump_data_file:dir {search add_name};
+')
+
+# for driver access
+allow surfaceflinger MTK_SMI_device:chr_file { read write open ioctl };
+
+# for bootanimation
+allow surfaceflinger bootanim:dir search;
+allow surfaceflinger bootanim:file { read getattr open };
+
+# for MTK Emulator HW GPU
+allow surfaceflinger qemu_pipe_device:chr_file rw_file_perms;
+
+# for SVP secure memory allocation
+allow surfaceflinger proc_secmem:file { read write open ioctl };
+
+# for watchdog
+allow surfaceflinger anr_data_file:dir { relabelfrom read remove_name getattr };
+allow surfaceflinger anr_data_file:file { rename getattr unlink open append};
+allow surfaceflinger sf_rtt_file:dir { create search write add_name remove_name};
+allow surfaceflinger sf_rtt_file:file { open read write create rename append getattr unlink};
+allow surfaceflinger sf_rtt_file:dir {relabelto getattr};
+allow surfaceflinger crash_dump:process sigchld;
+
+# for BufferQueue check process name of em_svr
+allow surfaceflinger em_svr:dir search;
+allow surfaceflinger em_svr:file { read getattr open };
+
+allow surfaceflinger mobicore_user_device:chr_file { read write ioctl open };
+
+# take down the boot time for bootprof
+allow surfaceflinger proc_bootprof:file write;
+
+# Add permission for gpu access
+allow surfaceflinger dri_device:chr_file { read write open ioctl };
+
+# for rtt dump
+allow surfaceflinger toolbox_exec:file rx_file_perms;
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(surfaceflinger, hal_mtk_pq)
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use shared memory for HAL PQ
+hal_client_domain(surfaceflinger, hal_allocator)
+
+# Date : WK17.43
+# Stage: O Migration, SQC
+# purpose: Allow to SF communicate with HAL DFPS
+hal_client_domain(surfaceflinger, hal_dfps)
+
+allow surfaceflinger mtk_dfrc_device:chr_file rw_file_perms;
+
+# Data: 2019/09/28
+# Purpose: SurfaceFlinger need to call MMS to convert buffer format and PQ effect
+hal_client_domain(surfaceflinger, hal_mtk_mms)
+
+#allow get mtk_sec_video_path_support
+get_prop(surfaceflinger, vendor_mtk_sec_video_path_support_prop)
+get_prop(surfaceflinger, vendor_mtk_svp_on_mtee_support_prop)
+
+# Date: 2021/07/02
+# Operation: Allow 'getattr' for unlabeled:filesystem
+allow surfaceflinger unlabeled:filesystem {getattr};
+
+# Date: 2021/09/01
+# Operation: Allow 'r_file_perms_no_map' for dmabuf_system_secure_heap_device:chr_file
+allow surfaceflinger dmabuf_system_secure_heap_device:chr_file r_file_perms_no_map;
+
+# Data: 2021/09/07
+# Purpose: Call NpAgent
+hal_client_domain(surfaceflinger, hal_neuralnetworks)
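Review bot: The rules under `# for debug purpose` (`self:capability { net_admin sys_nice }`, `self:netlink_socket`, the anr/aee file writes) and the execute rules `shell_exec:file rx_file_perms`, `system_file:file x_file_perms` and `toolbox_exec:file rx_file_perms` are unconditional, so they ship on user builds, while the sf_dump block a few lines later is correctly wrapped in `userdebug_or_eng`. surfaceflinger is a coredomain that consumes buffers from every app; giving it net_admin and a shell in its own domain widens the impact of any compositor bug. Wrap the debug and watchdog-shell rules in `userdebug_or_eng(` … `)`, and for the watchdog "move debug file" step prefer an in-process rename (`rename`/`unlink` on `anr_data_file:file` are already granted) over spawning a shell. `system_file:file x_file_perms` is also broader than the "for using toolbox" comment implies — name the specific executable type.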
diff --git a/bsp/non_plat/system_app.te b/bsp/non_plat/system_app.te
new file mode 100644
index 0000000..fdf05f8
--- /dev/null
+++ b/bsp/non_plat/system_app.te
@@ -0,0 +1,165 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2014/11/19
+# Operation: SQC
+# Purpose: [Settings][RenderThread][operate device file failed]
+# Package: com.android.settings
+allow system_app proc_secmem:file rw_file_perms;
+
+# Date: 2014/08/01
+# Operation: BaseUT
+# Purpose: [Settings][Settings used list views need velocity tracker access touch dev]
+# Package: com.android.settings
+allow system_app touch_device:chr_file r_file_perms;
+
+# Date: 2014/08/04
+# Stage: BaseUT
+# Purpose: [MTKThermalManager][View thermal zones and coolers, and change thermal policies]
+# Package Name: com.mediatek.mtkthermalmanager
+allow system_app apk_private_data_file:dir getattr;
+allow system_app asec_image_file:dir getattr;
+allow system_app dontpanic_data_file:dir getattr;
+allow system_app drm_data_file:dir getattr;
+allow system_app install_data_file:file getattr;
+allow system_app lost_found_data_file:dir getattr;
+allow system_app media_data_file:dir getattr;
+allow system_app property_data_file:dir getattr;
+allow system_app proc_thermal:dir search;
+allow system_app proc_thermal:file rw_file_perms;
+allow system_app proc_mtkcooler:dir search;
+allow system_app proc_mtkcooler:file rw_file_perms;
+allow system_app proc_mtktz:dir search;
+allow system_app proc_mtktz:file rw_file_perms;
+allow system_app proc_slogger:file rw_file_perms;
+
+# Date : WK17.23
+# Stage: Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(system_app, hal_mtk_pq)
+
+# Date : WK17.29
+# Operation : Migration
+# Purpose : for device bring up, not to block early SQC
+allow system_app debugfs_ion:dir search;
+
+# Date:W17.29
+# Operation : presence hal developing
+# Purpose : Allow to use HAL presence
+hal_client_domain(system_app, hal_presence)
+
+# Date : WK17.31
+# Operation : Migration
+# Purpose : Carrier express service on BSP
+get_prop(system_app, vendor_mtk_volte_prop)
+get_prop(system_app, vendor_mtk_wfc_prop)
+get_prop(system_app, vendor_mtk_vt_prop)
+get_prop(system_app, vendor_mtk_cxp_vendor_prop)
+
+# Date:W17.31
+# Operation : rcs hal developing
+# Purpose : Allow to use HAL rcs
+hal_client_domain(system_app, hal_rcs)
+
+# Date : WK17.29
+# Operation : SQC
+# Purpose : allow SystemUpdate to access ota_package file
+allow system_app ota_package_file:dir { create_dir_perms };
+allow system_app ota_package_file:file { create_file_perms };
+
+# Date : WK17.30
+# Operation : SQC
+# Purpose : allow SystemUpdate to access Update engine
+allow system_app update_engine:binder { call transfer };
+
+# Date : WK17.41
+# Stage: Migration, IT
+# Purpose: allow PermissionControl use mtk_hal_netdagent_hwservice
+hal_client_domain(system_app, mtk_hal_netdagent)
+
+# Date: WK17.41
+# Operation: SQC
+# Purpose: [sysoper][sysoper will create folder /cache/recovery]
+# Package: com.mediatek.systemupdate.sysoper
+allow system_app cache_file:dir { write search create add_name remove_name };
+allow system_app cache_file:file { read write create open getattr unlink };
+
+# Date: 2016/07/05
+# Operation: SQC
+# Purpose: Add permission to access recovery folder and write command files to recovery for System Update
+allow system_app cache_recovery_file:dir { write search add_name remove_name };
+allow system_app cache_recovery_file:file { read write create open getattr unlink };
+
+# Date: 2018/05/08
+# Operation: Migration
+# Purpose : Allow Privacy protection lock to find ppl agent
+# Package: com.mediatek.PrivacyProtectionLock
+allow system_app mtk_hal_pplagent_hwservice:hwservice_manager find;
+allow system_app ppl_agent:binder call;
+
+# Date : WK18.25
+# Stage: Migration
+# Purpose: allow AtciService to access atcid
+hal_client_domain(system_app, hal_mtk_atci)
+
+# Date: 2018/07/30
+# Purpose: Allow BackupRestore can read /dev/block/mmcblk1.
+# Package Name: com.mediatek.backuprestore
+allow system_app block_device:dir search;
+
+# Date: W18.31
+# Purpose: Allow system-app to get vendor_mtk_ss_vendor_prop
+# Package Name: com.mediatek.engineermode
+get_prop(system_app, vendor_mtk_ss_vendor_prop)
+
+# Date: 2018/04/18
+# Purpose: Allow to use HIDL and access mtk_hal_neuralnetworks
+allow system_app mtk_hal_neuralnetworks:binder { call transfer };
+allow system_app debugfs_ion:dir search;
+
+# Date: 2018/10/31
+# Operation: Support SubsidyLock
+hal_client_domain(system_app, hal_telephony)
+binder_call(system_app, rild)
+
+# Date:W18.43
+# Operation : clientapi hal developing
+# Purpose : Allow to use HAL presence
+hal_client_domain(system_app, hal_clientapi)
+
+# Date : 2019/05/09
+# Operation: TrustKernel integration
+# Purpose: access for client device of TKCore
+allow system_app tkcore_admin_device:chr_file rw_file_perms;
+
+# Date: 2019/05/24
+# Purpose: System APP can submit KPI to DMC through APM HIDL interface
+# Package Name: com.mediatek.apmonitor
+hal_client_domain(system_app, hal_mtk_apm)
+
+# Date: 2019/05/24
+# Purpose: System APP can check DMC proerpty to submit KPI or not.
+# Package Name: com.mediatek.apmonitor
+get_prop(system_app, vendor_mtk_dmc_prop)
+
+# Date : 2019/06/27
+# Operation : system app need to read vendor_mtk_cta_support_prop property
+# Purpose : allow to get mtk_cta_support property
+get_prop(system_app, vendor_mtk_cta_support_prop)
+
+# Date : 2019/07/15
+# Operation : it
+# Purpose : for setting ims nr enable property
+get_prop(system_app, vendor_mtk_vonr_prop)
+get_prop(system_app, vendor_mtk_vinr_prop)
+
+# Date : 2019/07/08
+# Operation : New feature
+# Purpose : VoW 2E2K request model update: system APP write and audio HAL read
+# Package Name: com.mediatek.voicecommand
+allow system_app mtk_audiohal_data_file:dir create_dir_perms;
+allow system_app mtk_audiohal_data_file:file create_file_perms;
+
+
+hal_client_domain(system_app, hal_fingerprint)
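Review bot: `allow system_app tkcore_admin_device:chr_file rw_file_perms;` hands every system-UID platform app read/write/ioctl access to the TrustKernel admin device — the same node tee.te in this commit treats as the TEE daemon's "kernel device" — while the comment above it says "access for client device of TKCore"; either the rule should target a client-device type or the comment is wrong, and as written a compromised system app reaches the TEE's privileged control path. The final `hal_client_domain(system_app, hal_fingerprint)` has no Date/Purpose comment at all, unlike every other rule in the file; add one naming the package, e.g. `# Purpose: <package> enrols/authenticates via the fingerprint HAL`. More broadly, the whole `system_app` domain gets write access to OTA and recovery paths (`ota_package_file`, `cache_recovery_file`, `update_engine` binder) for one SystemUpdate package; consider a dedicated app domain via seapp_contexts so unrelated system apps do not inherit it.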
diff --git a/bsp/non_plat/system_server.te b/bsp/non_plat/system_server.te
new file mode 100644
index 0000000..2f3c0c4
--- /dev/null
+++ b/bsp/non_plat/system_server.te
@@ -0,0 +1,148 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: WK14.43
+# Operation : Migration
+# Purpose : for bring up
+allow system_server sf_rtt_file:dir { relabelto r_dir_perms };
+
+# Date: WK14.47
+# Operation : MTBF
+# Purpose : for debug
+allow system_server sf_rtt_file:file r_file_perms;
+
+# Date: WK14.47
+# Operation : Sanity
+# Purpose : for /proc/secmem (TEE enable)
+allow system_server proc_secmem:file rw_file_perms;
+
+# Date: WK16.30
+# Operation : Migration
+# Purpose : for system_server operate /dev/RT_Monitor when enable hang detect
+allow system_server RT_Monitor_device:chr_file r_file_perms;
+
+# Date : WK15.24
+# Operation: TEEI integration
+# Purpose: access for fp device
+allow system_server teei_fp_device:chr_file rw_file_perms;
+allow system_server teei_client_device:chr_file r_file_perms;
+
+# Date : 2016/07/11
+# Operation : Migration
+# Purpose : Add permission for gpu access
+allow system_server dri_device:chr_file rw_file_perms;
+
+# Date : W17.24
+# Purpose: Allow to use HAL PQ
+hal_client_domain(system_server, hal_mtk_pq)
+
+# Date : W17.31
+# Purpose: Allow to use Ape swip decoder
+hal_client_domain(system_server, hal_mtk_codecservice)
+
+# Date:W17.33
+# Operation : camera hal developing
+# Purpose : camera hal binder_call permission
+binder_call(system_server, mtk_hal_camera)
+
+# Date:W17.36
+# Operation : Migration
+# Purpose : Allow to send signal
+allow system_server netd:process signal;
+
+# Date:W17.07
+# Operation : dfps hal
+# Purpose : dfps hal interface permission
+hal_client_domain(system_server, hal_dfps)
+
+allow system_server audioserver:file w_file_perms;
+
+# Date : 2018/03/06
+# Purpose : Add mtk_hal_netdagent_hwservice for EM firewall usage
+allow system_server mtk_hal_netdagent_hwservice:hwservice_manager find;
+allow system_server netdagent:binder call;
+
+# Date : W18.20
+# Operation : Migration
+# Purpose : for mobicore (Trustonic TEE)
+allow system_server mobicore_vendor_file:dir r_file_perms;
+
+# Date : 6/20/2018
+# Operation : MTK fm hal migration
+# Purpose : MTK fm hal interface permission
+hal_client_domain(system_server, hal_mtk_fm)
+
+# Date : W19.12
+# Operation : For DuraSpeed Migration
+allow system_server proc_cpu_loading:file rw_file_perms;
+userdebug_or_eng(`
+allow system_server debugfs_tracing_debug:file r_file_perms;
+')
+allow system_server proc_low_memory_hit:file rw_file_perms;
+allow system_server duraspeed_data_file:dir create_dir_perms;
+allow system_server duraspeed_data_file:file create_file_perms;
+
+# Date : WK18.36
+# Operation : omadm hidl
+# Purpose : hidl interface permission
+hal_client_domain(system_server, hal_mtk_omadm)
+
+# Date : WK19.29
+# Operation : nwk_opt hal
+# Purpose : nwk_opt hal permission
+hal_client_domain(system_server, hal_nwk_opt)
+
+# Date:2020/08/07
+# Operation:R Migration
+userdebug_or_eng(` allow system_server md_monitor:process signal; ')
+
+# Date:2020/08/26
+# Operation:kill hal_drm_widevine permission when ANR happened
+allow system_server hal_drm_widevine:process signal;
+
+# Date:2020/09/03
+# Operation:R Migration
+allow system_server proc_ion:dir search;
+
+# Date:2020/09/07
+# Operation:R Migration
+allow system_server proc_m4u_dbg:dir search;
+
+# Date:2020/09/08
+# Operation:R Migration
+allow system_server proc_displowpower:dir search;
+allow system_server proc_freqhopping:file getattr;
+
+# Date:2020/09/11
+# Operation:R Migration
+allow system_server proc_freqhopping:dir search;
+
+# Date:2020/09/18
+# Operation:R Migration
+allow system_server procfs_gpu_img:dir { search getattr };
+
+# Date:2020/09/30
+# Operation:R Migration
+allow system_server procfs_gpu_img:file getattr;
+
+# Read/Write /proc/pressure/cpu
+allow system_server proc_pressure_cpu:file rw_file_perms;
+
+# Search /proc/usb/plat
+allow system_server proc_usb_plat:dir search;
+
+# Search /proc/gpufreqv2
+allow system_server proc_gpufreqv2:dir search;
+
+# Search /proc/mtkfb
+allow system_server proc_mtkfb:dir search;
+
+# Search /proc/stat
+allow system_server proc_stat:dir search;
+
+# Date: 2021/08/10
+# Operation: S Migration
+# Purpose: InputReader read files under power_supply to detect battery device
+allow system_server sysfs_power_supply:dir {r_dir_perms};
+allow system_server sysfs_power_supply:file r_file_perms;
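Review bot: `allow system_server audioserver:file w_file_perms;` has no comment and is the only rule in the file without a Date/Purpose header; `audioserver:file` covers that process's /proc/<pid> files, so this lets system_server write into audioserver's proc entries without recording which one or why. Name the file and narrow the grant, e.g. `# Purpose: write audioserver's /proc/<pid>/<file> for <feature>` with `{ open write }` in place of `w_file_perms` (which also adds append, lock and map). `allow system_server teei_fp_device:chr_file rw_file_perms;` likewise gives system_server a direct fingerprint-device path that bypasses hal_fingerprint; if it is a leftover from the 2015 TEEI integration it documents, drop it.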
diff --git a/bsp/non_plat/tee.te b/bsp/non_plat/tee.te
new file mode 100644
index 0000000..2aab3be
--- /dev/null
+++ b/bsp/non_plat/tee.te
@@ -0,0 +1,83 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2016/06/01
+# Operation: TEEI integration
+# Purpose: Microtrust teei_daemon service
+allow tee self:capability { sys_module setuid setgid sys_rawio };
+
+allow tee teei_config_device:chr_file rw_file_perms;
+allow tee teei_client_device:chr_file { create setattr unlink rw_file_perms };
+allow tee teei_vfs_device:chr_file rw_file_perms;
+allow tee teei_rpmb_device:chr_file rw_file_perms;
+allow tee teei_data_file:dir create_dir_perms;
+allow tee teei_data_file:file create_file_perms;
+
+allow tee teei_control_file:dir r_dir_perms;
+allow tee teei_control_file:file rw_file_perms;;
+allow tee teei_control_file:lnk_file rw_file_perms;;
+
+# allow teei_daemon access /persist section
+allow tee mnt_vendor_file:dir create_dir_perms;
+allow tee mnt_vendor_file:file create_file_perms;
+allow tee persist_data_file:dir create_dir_perms;
+allow tee persist_data_file:file create_file_perms;
+
+# enable access android property
+set_prop(tee, vendor_mtk_soter_teei_prop)
+
+# for debug only
+allow tee kmsg_device:chr_file w_file_perms;
+
+# allow tee read ut_keymaster data
+allow tee ut_keymaster_device:chr_file rw_file_perms;
+
+# allow load teei drm drivers
+allow tee block_device:dir search;
+allow tee teei_rpmb_device:blk_file rw_file_perms;
+allow tee nvram_device:blk_file rw_file_perms;
+
+# kernel device
+allow tee tkcore_admin_device:chr_file rw_file_perms;
+
+# sfs
+allow tee tkcore_data_file:dir create_dir_perms;
+allow tee tkcore_data_file:file { create_file_perms link };
+
+# persist
+allow tee protect_f_data_file:dir search;
+allow tee tkcore_protect_data_file:dir create_dir_perms;
+allow tee tkcore_protect_data_file:file { create_file_perms link };
+
+#rpmb
+allow tee self:capability sys_rawio;
+allow tee block_device:dir search;
+set_prop(tee, vendor_mtk_rpmb_ready_prop)
+
+allow tee rpmb_block_device:blk_file rw_file_perms;
+allowxperm tee rpmb_block_device:blk_file ioctl { MMC_IOCTLCMD MMC_IOC_MULTI_CMD UFS_IOCTLCMD UFS_IOCTL_RPMB };
+allow tee rpmb_device:chr_file rw_file_perms;
+allowxperm tee rpmb_device:chr_file ioctl { MMC_IOCTLCMD MMC_IOC_MULTI_CMD UFS_IOCTLCMD UFS_IOCTL_RPMB };
+
+# systa loading
+allow tee tkcore_systa_file:dir r_dir_perms;
+allow tee tkcore_systa_file:file r_file_perms;
+
+# spta mgmt/loading
+allow tee tkcore_spta_file:dir create_dir_perms;
+allow tee tkcore_spta_file:file create_file_perms;
+
+# logging
+allow tee tkcore_log_file:file create_file_perms;
+
+# allow tkcore to read/write vendor.trustkernel.* properties
+set_prop(tee, vendor_mtk_trustkernel_tee_prop);
+
+# maintaining version through /proc fs
+allow tee proc_tkcore:file rw_file_perms;
+allow tee proc_tkcore:dir search;
+
+allow tee bootdevice_block_device:blk_file rw_file_perms;
+allowxperm tee bootdevice_block_device:blk_file ioctl { MMC_IOC_MULTI_CMD UFS_IOCTL_RPMB};
+allow tee tee_data_file:dir create_dir_perms;
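Review bot: `allow tee self:capability { sys_module setuid setgid sys_rawio };` gives the TEE daemon CAP_SYS_MODULE, i.e. the ability to load arbitrary kernel modules, which makes a compromise of this userspace daemon equivalent to kernel compromise; the comment only says "Microtrust teei_daemon service", so add a `# Purpose:` line naming the module it loads, or better have init load it and drop the capability. The file also merges two vendors' rules into the one `tee` domain — the TEEI rules at the top and the TrustKernel `tkcore_*` rules from `# kernel device` on — so whichever daemon actually runs gets the union, including raw rw on `bootdevice_block_device`, `nvram_device` and `rpmb_block_device` plus create perms on `mnt_vendor_file`/`persist_data_file`; split them into per-vendor domains or gate each half on its build flag. Minor tidy-ups: `sys_rawio` and `block_device:dir search` are each declared twice, and `allow tee teei_control_file:file rw_file_perms;;` / `allow tee teei_control_file:lnk_file rw_file_perms;;` carry a doubled `;`. The "for debug only" `kmsg_device` write is unconditional; wrap it in `userdebug_or_eng`.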
diff --git a/bsp/non_plat/teei_hal_capi.te b/bsp/non_plat/teei_hal_capi.te
new file mode 100644
index 0000000..34b3054
--- /dev/null
+++ b/bsp/non_plat/teei_hal_capi.te
@@ -0,0 +1,21 @@
+# ==============================================
+# MICROTRUST SEPolicy Rule
+# ==============================================
+
+# Set exec file type
+type teei_hal_capi_exec, exec_type, vendor_file_type, file_type;
+
+# Setup for domain transition
+init_daemon_domain(teei_hal_capi)
+
+# Set teei_hal_capi as server domain of hal_teei_capi
+hal_server_domain(teei_hal_capi, hal_teei_capi)
+
+# Access capi devices at all.
+allow teei_hal_capi teei_client_device:chr_file rw_file_perms;
+
+# Allow to use shared memory for HAL PQ
+hal_client_domain(teei_hal_capi, hal_allocator)
+
+# Allow to set soter prop
+set_prop(teei_hal_capi, vendor_mtk_soter_teei_prop)
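Review bot: The comment `# Allow to use shared memory for HAL PQ` above `hal_client_domain(teei_hal_capi, hal_allocator)` was carried over from the surfaceflinger/PQ rules and is wrong here — nothing in this file involves PQ. Replace it with the allocator's real use in this HAL, e.g. `# Allow hal_allocator shared memory for CAPI buffers` (adjust to the actual use), so the grant is not mistaken for dead copy-paste and removed later.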
diff --git a/bsp/non_plat/teei_hal_ifaa.te b/bsp/non_plat/teei_hal_ifaa.te
new file mode 100644
index 0000000..ab129e0
--- /dev/null
+++ b/bsp/non_plat/teei_hal_ifaa.te
@@ -0,0 +1,12 @@
+# ==============================================
+# MICROTRUST SEPolicy Rule
+# ==============================================
+type teei_hal_ifaa_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(teei_hal_ifaa)
+hal_server_domain(teei_hal_ifaa, hal_teei_ifaa)
+
+hal_client_domain(teei_hal_ifaa, hal_teei_capi)
+hal_client_domain(teei_hal_ifaa, hal_allocator)
+
+allow teei_hal_ifaa teei_client_device:chr_file rw_file_perms;
diff --git a/bsp/non_plat/teei_hal_thh.te b/bsp/non_plat/teei_hal_thh.te
new file mode 100644
index 0000000..2b14e76
--- /dev/null
+++ b/bsp/non_plat/teei_hal_thh.te
@@ -0,0 +1,20 @@
+# ==============================================
+# MICROTRUST SEPolicy Rule
+# ==============================================
+# Set exec file type
+type teei_hal_thh_exec, exec_type, vendor_file_type, file_type;
+
+# Setup for domain transition
+init_daemon_domain(teei_hal_thh)
+
+# Set teei_hal_thh as server domain of hal_teei_thh
+hal_server_domain(teei_hal_thh, hal_teei_thh)
+
+hal_client_domain(teei_hal_thh, hal_teei_capi)
+hal_client_domain(teei_hal_thh, hal_allocator)
+
+# Access thh devices at all.
+allow teei_hal_thh teei_client_device:chr_file { create setattr unlink rw_file_perms };
+allow teei_hal_thh teei_data_file:dir create_dir_perms;
+allow teei_hal_thh teei_data_file:file create_file_perms;
+set_prop(teei_hal_thh, vendor_mtk_soter_teei_prop)
diff --git a/bsp/non_plat/teei_hal_tui.te b/bsp/non_plat/teei_hal_tui.te
new file mode 100644
index 0000000..dae2ca0
--- /dev/null
+++ b/bsp/non_plat/teei_hal_tui.te
@@ -0,0 +1,17 @@
+# ==============================================
+# MICROTRUST SEPolicy Rule
+# ==============================================
+# Set exec file type
+type teei_hal_tui_exec, exec_type, vendor_file_type, file_type;
+
+# Setup for domain transition
+init_daemon_domain(teei_hal_tui)
+
+# Set teei_hal_tui as server domain of hal_teei_tui
+hal_server_domain(teei_hal_tui, hal_teei_tui)
+
+# Access tui devices at all.
+allow teei_hal_tui utr_tui_device:chr_file rw_file_perms;
+
+# Allow to use shared memory for HAL PQ
+hal_client_domain(teei_hal_tui, hal_allocator)
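Review bot: The comment `# Allow to use shared memory for HAL PQ` above `hal_client_domain(teei_hal_tui, hal_allocator)` refers to PQ, which has nothing to do with the trusted-UI HAL; it is the same stale copy as in teei_hal_capi.te. Reword it to the real purpose, e.g. `# Allow hal_allocator shared memory for TUI buffers` (confirm the actual use), otherwise the rule reads as a leftover grant.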
diff --git a/bsp/non_plat/teei_hal_wechat.te b/bsp/non_plat/teei_hal_wechat.te
new file mode 100644
index 0000000..b7974e9
--- /dev/null
+++ b/bsp/non_plat/teei_hal_wechat.te
@@ -0,0 +1,12 @@
+# ==============================================
+# MICROTRUST SEPolicy Rule
+# ==============================================
+type teei_hal_wechat_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(teei_hal_wechat)
+hal_server_domain(teei_hal_wechat, hal_teei_wechat)
+
+hal_client_domain(teei_hal_wechat, hal_teei_capi)
+hal_client_domain(teei_hal_wechat, hal_allocator)
+
+allow teei_hal_wechat teei_client_device:chr_file rw_file_perms;
diff --git a/bsp/non_plat/terservice.te b/bsp/non_plat/terservice.te
new file mode 100644
index 0000000..a3fcb3f
--- /dev/null
+++ b/bsp/non_plat/terservice.te
@@ -0,0 +1,11 @@
+# ==============================================
+# Policy File of /system/bin/terservice Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# ccci ioctl
+allow terservice ccci_device:chr_file rw_file_perms;
+allow terservice sysfs_ccci:dir r_dir_perms;
+allow terservice sysfs_ccci:file r_file_perms;
diff --git a/bsp/non_plat/tesiai_hal_hdcp.te b/bsp/non_plat/tesiai_hal_hdcp.te
new file mode 100644
index 0000000..b14e7d5
--- /dev/null
+++ b/bsp/non_plat/tesiai_hal_hdcp.te
@@ -0,0 +1,31 @@
+# ==============================================
+# Policy File of HDCP HAL service
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type tesiai_hal_hdcp_exec , exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Setup for domain transition
+init_daemon_domain(tesiai_hal_hdcp)
+
+
+# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
+hal_server_domain(tesiai_hal_hdcp, hal_tesiai_hdcp)
+
+# Allow HDCP to access Trustzone
+allow tesiai_hal_hdcp mobicore_user_device:chr_file rw_file_perms;
+allow tesiai_hal_hdcp mobicore_vendor_file:file lock;
+
+
+# Allow HDCP to access HDCP key folder
+allow tesiai_hal_hdcp mnt_vendor_file:dir { search getattr };
+allow tesiai_hal_hdcp persist_data_file:dir search;
+allow tesiai_hal_hdcp persist_data_file:file rw_file_perms;
+
+# Allow HDCP to access codec FD
+allow tesiai_hal_hdcp mtk_hal_c2:fd use;
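Review bot: `allow tesiai_hal_hdcp persist_data_file:file rw_file_perms;` grants read/write on every file labelled `persist_data_file`, while the comment `# Allow HDCP to access HDCP key folder` describes a single directory; a compromised HDCP HAL would then reach any other persisted data under that label. Give the key folder its own type in file_contexts (placeholder: `persist_hdcp_key_file`) and scope the dir/file rules to it, keeping only `search` on `persist_data_file:dir`. Separately, `type tesiai_hal_hdcp_exec , exec_type, file_type, vendor_file_type;` has a stray space before the comma that no other type declaration in this change has.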
diff --git a/bsp/non_plat/thermal.te b/bsp/non_plat/thermal.te
new file mode 100644
index 0000000..99c55ac
--- /dev/null
+++ b/bsp/non_plat/thermal.te
@@ -0,0 +1,37 @@
+# ==============================================
+# Policy File of /vendor/bin/thermal Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type thermal_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(thermal)
+net_domain(thermal)
+
+allow thermal mtkrild:unix_stream_socket connectto;
+allow thermal proc_thermal:dir search;
+allow thermal proc_thermal:file rw_file_perms;
+allow thermal rild_oem_socket:sock_file write;
+allow thermal netd_socket:sock_file write;
+allow thermal netd:unix_stream_socket connectto;
+allow thermal self:udp_socket create;
+allow thermal self:udp_socket ioctl;
+allow thermal rpc_socket:sock_file write;
+allow thermal viarild:unix_stream_socket connectto;
+allow thermal statusd:unix_stream_socket connectto;
+allow thermal rild:unix_stream_socket connectto;
+
+# If thermal(which belongs to vendor partition) want to open binder dev node(e.g. Parcel) will be
+# denied for no permission. Should use vndbinder dev node in vendor domain.
+# Using the following sepolicy rule to allow thermal to use vendor binder.
+vndbinder_use(thermal)
+
+# Data: 2018/08/26
+# Operation: Thermal
+# Purpose : add permission for thermal daemon to access mtcloader
+set_prop(thermal, vendor_mtk_thermal_config_prop)
+allow thermal thermal_manager_data_file:file rw_file_perms;
+allow thermal thermalloadalgod:unix_stream_socket connectto;
+allow thermal proc_mtkcooler:dir search;
+
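Review bot: `allow thermal self:udp_socket ioctl;` is an unrestricted ioctl grant with no `allowxperm` limiting the command set, whereas the viarild policy in this same change scopes its udp_socket ioctls with `allowxperm viarild self:udp_socket ioctl { ... }`. Add a matching `allowxperm thermal self:udp_socket ioctl { <ioctls thermal actually issues> }`, or, if only standard unprivileged socket ioctls are needed, check whether `net_domain(thermal)` already covers them and drop the explicit line. The `# Data: 2018/08/26` header also misspells `Date`, breaking the header convention used by the other files.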
diff --git a/bsp/non_plat/thermal_manager.te b/bsp/non_plat/thermal_manager.te
new file mode 100644
index 0000000..e8c6e68
--- /dev/null
+++ b/bsp/non_plat/thermal_manager.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow thermal_manager thermalloadalgod:unix_stream_socket connectto;
diff --git a/bsp/non_plat/thermald.te b/bsp/non_plat/thermald.te
new file mode 100644
index 0000000..c5fa906
--- /dev/null
+++ b/bsp/non_plat/thermald.te
@@ -0,0 +1,12 @@
+# ==============================================
+# Policy File of /system/bin/thermald Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK17.28
+# Operation : SQC
+# Purpose : for thermal management to shutdown the phone
+allow thermald proc_thermal:dir search;
+allow thermald proc_thermal:file rw_file_perms;
diff --git a/bsp/non_plat/ueventd.te b/bsp/non_plat/ueventd.te
new file mode 100644
index 0000000..b3615a1
--- /dev/null
+++ b/bsp/non_plat/ueventd.te
@@ -0,0 +1,15 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# add for gmo+512M project
+allow ueventd platform_app:fd use;
+
+# add for sysfs:md32
+allow ueventd sysfs_md32:file w_file_perms;
+
+# add for sysfs:scp
+allow ueventd sysfs_scp:file w_file_perms;
+
+# add for sysfs:sspm
+allow ueventd sysfs_sspm:file w_file_perms;
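Review bot: `allow ueventd platform_app:fd use;` lets the privileged, early-boot ueventd process use file descriptors owned by platform apps, and the comment `# add for gmo+512M project` records only a project name, not which fd flows from an app to ueventd or why. Either document the actual path, e.g. `# <app/service> passes <fd kind> to ueventd via <mechanism>`, or remove the rule if the denial it once silenced no longer reproduces.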
diff --git a/bsp/non_plat/untrusted_app.te b/bsp/non_plat/untrusted_app.te
new file mode 100644
index 0000000..fcb9105
--- /dev/null
+++ b/bsp/non_plat/untrusted_app.te
@@ -0,0 +1,36 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# TODO:: Security Issue
+# Date : W1452
+# Operation : WVL1 Modular DRM IT
+# Purpose : Allow svp client alloc sec mem
+allow untrusted_app proc_secmem:file r_file_perms;
+
+# TrustKernel add
+userdebug_or_eng(`
+ allow untrusted_app tkcore_admin_device:chr_file rw_file_perms;
+')
+
+# Date : 2016/07/12
+# Operation : SQC
+# Purpose : allow untrusted_app access ntfs device
+allow untrusted_app fuseblk:dir search;
+allow untrusted_app fuseblk:file rw_file_perms;
+
+# Date : 2016/7/22
+# Operation: Migration
+# Purpose : Move from tk sepolicy for ViLTE
+allow untrusted_app vtservice:dir search;
+allow untrusted_app mediaserver:dir search;
+
+# Date: 2018/04/18
+# Purpose: Allow untrusted_app to use HIDL and access mtk_hal_neuralnetworks
+allow untrusted_app mtk_hal_neuralnetworks:binder { call transfer };
+allow untrusted_app debugfs_ion:dir search;
+
+# Date: 2020/06/29
+# Operation : eMBMS Migration
+# Purpose :allow EXPWAY middleware to access the socket
+allow untrusted_app radio:unix_stream_socket connectto;
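Review bot: `# TODO:: Security Issue` above `allow untrusted_app proc_secmem:file r_file_perms;` ships an unresolved security TODO together with the rule it flags; either resolve it or replace the marker with the accepted-risk rationale and owner, e.g. `# Exposes secure-memory state to all untrusted apps; accepted for WVL1 DRM by <owner>, revisit when <condition>`. `allow untrusted_app radio:unix_stream_socket connectto;` lets any untrusted app connect to the radio domain's stream sockets, and the same grant is repeated in untrusted_app_25.te and untrusted_app_27.te. If only one socket is meant (the comment names EXPWAY middleware), route it through `unix_socket_connect(untrusted_app, <socket_type>, radio)` on a dedicated sock_file type so the reachable endpoint is explicit rather than every socket the radio process listens on. The `userdebug_or_eng` grant on `tkcore_admin_device` is also the only block here without a Date/Purpose header.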
diff --git a/bsp/non_plat/untrusted_app_25.te b/bsp/non_plat/untrusted_app_25.te
new file mode 100644
index 0000000..747f23a
--- /dev/null
+++ b/bsp/non_plat/untrusted_app_25.te
@@ -0,0 +1,19 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# untrusted_app_25 for TUI
+allow untrusted_app_25 mobicore_vendor_file:dir search;
+
+# Date: 2019/06/17
+# Operation : Migration
+# Purpose :allow untrusted_app_25 to access procs
+allow untrusted_app_25 proc_uptime:file getattr;
+allow untrusted_app_25 proc_version:file getattr;
+allow untrusted_app_25 sysfs_net:dir search;
+allow untrusted_app_25 proc_net:file r_file_perms;
+
+# Date: 2020/06/29
+# Operation : eMBMS Migration
+# Purpose :allow EXPWAY middleware to access the socket
+allow untrusted_app_25 radio:unix_stream_socket connectto;
diff --git a/bsp/non_plat/untrusted_app_27.te b/bsp/non_plat/untrusted_app_27.te
new file mode 100644
index 0000000..595788d
--- /dev/null
+++ b/bsp/non_plat/untrusted_app_27.te
@@ -0,0 +1,14 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2019/06/17
+# Operation : Migration
+# Purpose :allow untrusted_app_27 to get props
+get_prop(untrusted_app_27, vendor_mtk_atci_sys_prop)
+get_prop(untrusted_app_27, vendor_mtk_atm_ipaddr_prop)
+
+# Date: 2020/06/29
+# Operation : eMBMS Migration
+# Purpose :allow EXPWAY middleware to access the socket
+allow untrusted_app_27 radio:unix_stream_socket connectto;
diff --git a/bsp/non_plat/untrusted_app_29.te b/bsp/non_plat/untrusted_app_29.te
new file mode 100644
index 0000000..91260c2
--- /dev/null
+++ b/bsp/non_plat/untrusted_app_29.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2021/07/16
+# Purpose : Allow HMP custom api request
+allow untrusted_app_29 data_vendor_hmp_file:dir { rw_dir_perms };
+allow untrusted_app_29 data_vendor_hmp_file:file { rw_file_perms };
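Review bot: `allow untrusted_app_29 data_vendor_hmp_file:dir { rw_dir_perms };` and the matching file rule give every API-29 untrusted app shared write access to one vendor data directory, so any such app can alter or remove what another app placed there; the comment `# Purpose : Allow HMP custom api request` does not say which app or service is expected to use it. Name the client and consider exposing the data through a vendor service or a per-app type instead of a shared writable directory. If this type carries `data_file_type`, also confirm the build's untrusted-app neverallows accept the write grant. The braces around a single macro, `{ rw_dir_perms }`, are unnecessary; `rw_dir_perms` alone is the form used elsewhere in this change.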
diff --git a/bsp/non_plat/untrusted_app_all.te b/bsp/non_plat/untrusted_app_all.te
new file mode 100644
index 0000000..ba97cd0
--- /dev/null
+++ b/bsp/non_plat/untrusted_app_all.te
@@ -0,0 +1,14 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2019/06/17
+# Operation : Migration
+# Purpose :allow untrusted_app to search debugfs_ion dir
+allow untrusted_app_all debugfs_ion:dir search;
+
+# Date: 2019/06/17
+# Operation : Migration
+# Purpose :allow untrusted_app to search sysfs_mmcblk dir
+allow untrusted_app_all sysfs_devices_block:dir search;
+get_prop(untrusted_app_all, vendor_mtk_nn_option_prop)
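Review bot: The comment `# Purpose :allow untrusted_app to search sysfs_mmcblk dir` does not match the rule below it, which targets `sysfs_devices_block`, and `get_prop(untrusted_app_all, vendor_mtk_nn_option_prop)` sits under that header with no purpose of its own. Fix the comment to `# Purpose : allow untrusted apps to search the sysfs block-device dir` and give the get_prop its own Date/Purpose block. The `debugfs_ion:dir search` grant is also given to `untrusted_app` in untrusted_app.te; assuming the platform's usual `untrusted_app_all` attribute covers untrusted_app, that narrower rule is redundant.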
diff --git a/bsp/non_plat/usp_service.te b/bsp/non_plat/usp_service.te
new file mode 100644
index 0000000..b90a398
--- /dev/null
+++ b/bsp/non_plat/usp_service.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow usp_service para_block_device:blk_file rw_file_perms;
+allow usp_service proc_lk_env:file rw_file_perms;
+allow usp_service ccci_device:chr_file rw_file_perms;
+get_prop(usp_service, vendor_mtk_cxp_vendor_prop)
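Review bot: `allow usp_service para_block_device:blk_file rw_file_perms;` gives the domain raw write access to a partition, and `allow usp_service proc_lk_env:file rw_file_perms;` lets it alter bootloader environment state, yet this file has no purpose comment at all, unlike most others in the change. Add a header stating what is written and by which code path, e.g. `# usp_service persists <what> to the para partition / LK env for <purpose>`, so the grants can be re-evaluated later.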
diff --git a/bsp/non_plat/ut_ta_manager_service.te b/bsp/non_plat/ut_ta_manager_service.te
new file mode 100644
index 0000000..c95a625
--- /dev/null
+++ b/bsp/non_plat/ut_ta_manager_service.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# MICROTRUST SEPolicy Rule
+allow platform_app teei_data_file:dir create_dir_perms;
+allow platform_app teei_data_file:file create_file_perms;
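Review bot: The file is named `ut_ta_manager_service.te` but every rule in it is for `platform_app` (`allow platform_app teei_data_file:dir create_dir_perms;` and the file rule), and no `ut_ta_manager_service` domain is referenced. Either move these two rules into platform_app.te, where reviewers will look for platform_app grants, or rename the file; and state in the comment which platform app manages TEEI TAs, e.g. `# <TA manager app> writes TEEI TA files under teei_data_file`.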
diff --git a/bsp/non_plat/vendor_init.te b/bsp/non_plat/vendor_init.te
new file mode 100644
index 0000000..c328aae
--- /dev/null
+++ b/bsp/non_plat/vendor_init.te
@@ -0,0 +1,76 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+set_prop(vendor_init, vendor_mtk_radio_prop)
+set_prop(vendor_init, vendor_mtk_ims_prop)
+set_prop(vendor_init, vendor_mtk_wfd_support_prop)
+set_prop(vendor_init, vendor_mtk_atci_prop)
+set_prop(vendor_init, vendor_mtk_mobile_management_prop)
+
+allow vendor_init proc_hps:file w_file_perms;
+allow vendor_init proc_cpufreq:file w_file_perms;
+
+allow vendor_init proc_usb_plat:dir search;
+allow vendor_init proc_usb_plat:file rw_file_perms;
+
+set_prop(vendor_init, vendor_mtk_soter_teei_prop)
+set_prop(vendor_init, vendor_mtk_trustkernel_tee_prop)
+set_prop(vendor_init, vendor_mtk_dx_hdcp_support_prop)
+set_prop(vendor_init, vendor_mtk_duraspeed_prop)
+set_prop(vendor_init, vendor_mtk_dynims_prop)
+set_prop(vendor_init, vendor_mtk_mims_prop)
+set_prop(vendor_init, vendor_mtk_extsim_prop)
+set_prop(vendor_init, vendor_mtk_volte_support_prop)
+set_prop(vendor_init, vendor_mtk_vonr_support_prop)
+set_prop(vendor_init, vendor_mtk_wfc_support_prop)
+set_prop(vendor_init, vendor_mtk_vilte_support_prop)
+set_prop(vendor_init, vendor_mtk_viwifi_support_prop)
+set_prop(vendor_init, vendor_mtk_rcs_ua_support_prop)
+set_prop(vendor_init, vendor_mtk_mdm_prop)
+set_prop(vendor_init, vendor_mtk_mcf_prop)
+set_prop(vendor_init, vendor_mtk_mdworldmode_prop)
+set_prop(vendor_init, vendor_mtk_oma_drm_support_prop)
+set_prop(vendor_init, vendor_mtk_miravision_support_prop)
+set_prop(vendor_init, vendor_mtk_default_write_disk_prop)
+set_prop(vendor_init, vendor_mtk_bg_power_saving_support_prop)
+set_prop(vendor_init, vendor_mtk_bg_power_saving_ui_prop)
+set_prop(vendor_init, vendor_mtk_besloudness_support_prop)
+set_prop(vendor_init, vendor_mtk_hifiaudio_support_prop)
+set_prop(vendor_init, vendor_mtk_active_noise_cancel_prop)
+set_prop(vendor_init, vendor_mtk_wapi_support_prop)
+set_prop(vendor_init, vendor_mtk_fd_support_prop)
+set_prop(vendor_init, vendor_mtk_st_nfc_gsma_support_prop)
+set_prop(vendor_init, vendor_mtk_st_nfc_ignore_modem_prop)
+set_prop(vendor_init, vendor_mtk_nfc_addon_support_prop)
+set_prop(vendor_init, vendor_mtk_nfc_uicc_clf_prop)
+set_prop(vendor_init, vendor_mtk_radio_seapi_off_prop)
+set_prop(vendor_init, vendor_mtk_nxp_nfc_gsma_support_prop)
+set_prop(vendor_init, vendor_mtk_num_md_protocol_prop)
+set_prop(vendor_init, vendor_mtk_wappush_prop)
+set_prop(vendor_init, vendor_mtk_operator_prop)
+set_prop(vendor_init, vendor_mtk_omacp_support_prop)
+set_prop(vendor_init, vendor_mtk_log_tel_dbg_prop)
+set_prop(vendor_init, vendor_mtk_camera_prop)
+set_prop(vendor_init, vendor_mtk_gallery_prop)
+set_prop(vendor_init, vendor_mtk_media_prop)
+set_prop(vendor_init, vendor_mtk_rsc_prop)
+set_prop(vendor_init, vendor_mtk_pms_prop)
+set_prop(vendor_init, vendor_mtk_logmuch_prop)
+set_prop(vendor_init, vendor_mtk_dsbp_support_prop)
+set_prop(vendor_init, vendor_mtk_datashaping_prop)
+set_prop(vendor_init, vendor_mtk_nn_quant_preferred_prop)
+set_prop(vendor_init, vendor_mtk_cam_security_prop)
+set_prop(vendor_init, vendor_mtk_dmc_prop)
+set_prop(vendor_init, vendor_mtk_cta_support_prop)
+set_prop(vendor_init, system_mtk_heavy_loading_prop)
+set_prop(vendor_init, vendor_mtk_jpeg_opt_prop)
+set_prop(vendor_init, vendor_mtk_trustonic_tee_prop)
+set_prop(vendor_init, vendor_mtk_microtrust_tee_prop)
+set_prop(vendor_init, vendor_mtk_md_c2k_cap_dep_check_prop)
+set_prop(vendor_init, vendor_mtk_gwsd_capability_prop)
+set_prop(vendor_init, vendor_mtk_fast_charging_support_prop)
+set_prop(vendor_init, vendor_mtk_call_drop_prop)
+set_prop(vendor_init, vendor_mtk_sec_video_path_support_prop)
+set_prop(vendor_init, vendor_mtk_svp_on_mtee_support_prop)
+set_prop(vendor_init, vendor_mtk_subsidy_lock_support_prop)
diff --git a/bsp/non_plat/vendor_shell.te b/bsp/non_plat/vendor_shell.te
new file mode 100644
index 0000000..6561678
--- /dev/null
+++ b/bsp/non_plat/vendor_shell.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# =============================================
+
+# Date : 2020/10/30
+# Operation: IMS Config NR force value
+# Purpose: Allow vendor_shell to force set IMS NR feature
+set_prop(vendor_shell, vendor_mtk_vonr_force_prop)
diff --git a/bsp/non_plat/viarild.te b/bsp/non_plat/viarild.te
new file mode 100644
index 0000000..1a59228
--- /dev/null
+++ b/bsp/non_plat/viarild.te
@@ -0,0 +1,81 @@
+# ==============================================
+# Policy File of /vendor/bin/viarild Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# =============================================
+type viarild_exec, exec_type, file_type, vendor_file_type;
+typeattribute viarild mtkimsapdomain;
+
+init_daemon_domain(viarild)
+net_domain(viarild)
+allow viarild self:netlink_route_socket nlmsg_write;
+allow viarild kernel:system module_request;
+allow viarild self:capability { setuid net_admin net_raw };
+allow viarild cgroup:dir create_dir_perms;
+allow viarild radio_device:chr_file rw_file_perms;
+allow viarild radio_device:blk_file r_file_perms;
+allow viarild mtd_device:dir search;
+allow viarild efs_file:dir create_dir_perms;
+allow viarild efs_file:file create_file_perms;
+
+allow viarild bluetooth_efs_file:file r_file_perms;
+allow viarild bluetooth_efs_file:dir r_dir_perms;
+allow viarild sdcardfs:dir r_dir_perms;
+
+set_prop(viarild, vendor_mtk_cdma_prop)
+set_prop(viarild, vendor_mtk_ril_cdma_report_prop)
+set_prop(viarild, vendor_mtk_ril_mux_report_case_prop)
+set_prop(viarild, vendor_mtk_radio_prop)
+set_prop(viarild, vendor_mtk_ril_ipo_prop)
+
+# Dat: 2017/02/14
+# Purpose: allow set telephony Sensitive property
+set_prop(viarild, vendor_mtk_telephony_sensitive_prop)
+
+allow viarild tty_device:chr_file rw_file_perms;
+
+# Allow viarild to create and use netlink sockets.
+allow viarild self:netlink_socket create_socket_perms_no_ioctl;
+allow viarild self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Access to wake locks
+wakelock_use(viarild)
+
+allow viarild self:socket create_socket_perms_no_ioctl;
+
+allow viarild Vcodec_device:chr_file { read write open };
+allow viarild devmap_device:chr_file { read ioctl open };
+allow viarild devpts:chr_file { read write open };
+
+allow viarild ccci_device:chr_file { read write ioctl open };
+allow viarild devpts:chr_file ioctl;
+allow viarild misc_device:chr_file { read write open };
+allow viarild proc_lk_env:file { read ioctl open };
+allow viarild sysfs_vcorefs_pwrctrl:file { open write };
+set_prop(viarild, vendor_mtk_ril_active_md_prop)
+
+# set for mux
+allow viarild devpts:chr_file setattr;
+allow viarild self:capability chown;
+allow viarild self:capability fowner;
+allow viarild self:capability setuid;
+
+# For MAL MFI
+allow viarild mal_mfi_socket:sock_file write;
+
+# For Vzw Phone CCP - Set IPV6 RS
+allow viarild proc_net:file write;
+
+# If viarild(which belongs to vendor partition) want to open binder dev node(e.g. Parcel) will be
+# denied for no permission. Should use vndbinder dev node in vendor domain.
+# Using the following sepolicy rule to allow viarild to use vendor binder.
+vndbinder_use(viarild)
+
+# Allow to trigger IPv6 RS
+allow viarild node:rawip_socket node_bind;
+
+# Allow to config network
+allowxperm viarild self:udp_socket ioctl {SIOCDELRT SIOCSIFFLAGS SIOCSIFADDR SIOCKILLADDR SIOCDEVPRIVATE SIOCDEVPRIVATE_1};
+allow viarild sysfs_ccci:dir search;
+allow viarild sysfs_ccci:file r_file_perms;
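Review bot: `allow viarild self:capability setuid;` repeats the `setuid` already granted by `allow viarild self:capability { setuid net_admin net_raw };` near the top, and the three single-capability lines under `# set for mux` would be clearer merged into one `allow viarild self:capability { chown fowner };`. Likewise `allow viarild devpts:chr_file ioctl;` and `allow viarild devpts:chr_file setattr;` split the devpts grant across three places; folding them into the `{ read write open }` rule makes the full device access visible at a glance. `# Dat: 2017/02/14` should read `# Date: 2017/02/14`.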
diff --git a/bsp/non_plat/vndservice.te b/bsp/non_plat/vndservice.te
new file mode 100644
index 0000000..3a5ed22
--- /dev/null
+++ b/bsp/non_plat/vndservice.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# =============================================
+
+type remosaic_daemon_service, vndservice_manager_type;
diff --git a/bsp/non_plat/vndservice_contexts b/bsp/non_plat/vndservice_contexts
new file mode 100644
index 0000000..e893550
--- /dev/null
+++ b/bsp/non_plat/vndservice_contexts
@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+android.IRemosaicDaemon u:object_r:remosaic_daemon_service:s0
+
diff --git a/bsp/non_plat/vold.te b/bsp/non_plat/vold.te
new file mode 100644
index 0000000..4411bf4
--- /dev/null
+++ b/bsp/non_plat/vold.te
@@ -0,0 +1,13 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# MICROTRUST SEPolicy Rule
+# Date : 2016/06/01
+# Operation: TEEI integration
+# Purpose: Microtrust HW-backed Keymaster
+allow vold ut_keymaster_device:chr_file rw_file_perms;
+allow vold teei_client_device:chr_file rw_file_perms;
+
+# Purpose : write bootprof
+allow vold proc_bootprof:file w_file_perms;
diff --git a/bsp/non_plat/volte_clientapi_ua.te b/bsp/non_plat/volte_clientapi_ua.te
new file mode 100644
index 0000000..1401954
--- /dev/null
+++ b/bsp/non_plat/volte_clientapi_ua.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Policy File of /vendor/bin/volte_clientapi_ua Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type volte_clientapi_ua_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(volte_clientapi_ua)
+
+# hwbinder access
+hal_server_domain(volte_clientapi_ua, hal_clientapi)
+
+# call into system_app process (callbacks)
+binder_call(volte_clientapi_ua, system_app)
+binder_call(volte_clientapi_ua, platform_app)
+
+# Date : W18.43
+# Operation : IT
+# Purpose: clientapi HIDL Migration
+get_prop(volte_clientapi_ua, hwservicemanager_prop)
+allow volte_clientapi_ua debugfs_tracing:file w_file_perms;
diff --git a/bsp/non_plat/volte_rcs_ua.te b/bsp/non_plat/volte_rcs_ua.te
new file mode 100644
index 0000000..c4aa31d
--- /dev/null
+++ b/bsp/non_plat/volte_rcs_ua.te
@@ -0,0 +1,38 @@
+# ==============================================
+# Policy File of /vendor/bin/volte_rcs_ua Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type volte_rcs_ua_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(volte_rcs_ua)
+
+# hwbinder access
+
+hal_server_domain(volte_rcs_ua, hal_rcs)
+
+# call into system_app process (callbacks)
+binder_call(volte_rcs_ua, system_app)
+
+# Date : W17.31
+# Operation : IT
+# Purpose: Rcs HIDL Migration
+allow volte_rcs_ua debugfs_tracing:file { write open };
+
+# Date : W1747
+# Operation: RCS over Internet development
+# Purpose: For volte_rcs_ua to be able to talk to rcs_volte_stack
+allow volte_rcs_ua rcs_volte_stack_socket:sock_file { open getattr read write append };
+allow volte_rcs_ua rcs_volte_stack:unix_stream_socket { read getattr connectto };
+
+# Date : W1827
+# Operation: P migration
+# Purpose: Allow rcs ua to set rcs property
+set_prop(volte_rcs_ua, vendor_mtk_service_rcs_prop)
+
+# Date : W1929
+# Operation: Volte stack submarine development
+# Purpose: For volte_rcs_ua to be able to talk to rcs_rild
+allow volte_rcs_ua rcs_rild_socket:sock_file { open getattr read write append };
+allow volte_rcs_ua rild:unix_stream_socket { read getattr connectto };
diff --git a/bsp/non_plat/vpud_native.te b/bsp/non_plat/vpud_native.te
new file mode 100644
index 0000000..f71862d
--- /dev/null
+++ b/bsp/non_plat/vpud_native.te
@@ -0,0 +1,11 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow vpud_native teei_client_device:chr_file rw_file_perms;
+allow vpud_native mobicore_user_device:chr_file rw_file_perms;
+
+# Date: 2021/04/30
+# Operation : SVP Migration
+# Purpose :allow to access vendor_mtk_sec_video_path_support_prop
+get_prop(vpud_native, vendor_mtk_sec_video_path_support_prop)
diff --git a/bsp/non_plat/vtservice.te b/bsp/non_plat/vtservice.te
new file mode 100644
index 0000000..7170501
--- /dev/null
+++ b/bsp/non_plat/vtservice.te
@@ -0,0 +1,181 @@
+# ==============================================
+# Policy File of /system/bin/vtservice Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK15.33
+# Purpose : Add vtservice to support video telephony functionality
+# 3G VT/ViLTE both use this service which will also communication with IMCB/Rild
+allow vtservice sdcard_type:dir search;
+allow vtservice sdcard_type:file { read write open };
+allow vtservice radio_service:service_manager find;
+allow vtservice mediaserver_service:service_manager find;
+allow vtservice power_service:service_manager find;
+allow vtservice batterystats_service:service_manager find;
+
+# Date : 2015/08/13
+# Purpose : for access ccci device
+allow vtservice ccci_device:chr_file { read write open ioctl };
+
+# Purpose : VDEC/VENC device node
+allow vtservice Vcodec_device:chr_file { read write ioctl open };
+
+# Date: 2016/06/27
+# This part is for both 3G VT/ViLTE
+# Purpose: add in N migration for access audioflinger etc.
+allow vtservice audioserver_service:service_manager find;
+allow vtservice mnt_user_file:dir search;
+allow vtservice surfaceflinger:binder call;
+
+# Date: 2016/06/30
+# This part is for both 3G VT/ViLTE
+# Purpose: add in N migration for access SDcard etc.
+allow vtservice audioserver:binder call;
+allow vtservice mnt_user_file:lnk_file read;
+
+# Date: 2016/07/01
+# This part is for both 3G VT/ViLTE
+# Purpose: add in N migration for write SDcard etc.
+allow vtservice media_rw_data_file:dir create_dir_perms;
+allow vtservice media_rw_data_file:file { write create open };
+
+# Date: 2016/07/26
+# Purpose: add for cleanup thread's AF_UNIX socket
+allow vtservice proc_ged:file r_file_perms;
+allowxperm vtservice proc_ged:file ioctl { proc_ged_ioctls };
+
+# for debug dump data
+allow vtservice storage_file:lnk_file read;
+allow vtservice devmap_device:chr_file read;
+
+allow vtservice devmap_device:chr_file open;
+allow vtservice devmap_device:chr_file ioctl;
+
+# for using surfaceflinger
+allow vtservice surfaceflinger_service:service_manager find;
+
+# for using camera
+allow vtservice cameraserver_service:service_manager find;
+allow vtservice cameraserver:binder call;
+allow vtservice cameraserver:fd use;
+
+# Change VTS uid to media
+allow vtservice mediacodec:binder call;
+allow vtservice qtaguid_device:chr_file r_file_perms;
+allow vtservice priv_app:binder call;
+
+# For loopback mode
+allow vtservice self:capability net_admin;
+
+# For vendro GPU
+allow vtservice gpu_device:dir search;
+allow vtservice dri_device:chr_file { open read write ioctl getattr};
+allow vtservice gpu_device:chr_file rw_file_perms;
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(vtservice, hal_mtk_pq)
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use shared memory for HAL PQ
+hal_client_domain(vtservice, hal_allocator)
+
+# 2017/07/
+# HiDL porting
+allow vtservice hwservicemanager:binder call;
+allow vtservice system_file:dir read;
+allow vtservice system_file:dir open;
+
+# give permission for hal client
+allow vtservice mtk_hal_videotelephony_hwservice:hwservice_manager find;
+
+# Date : 2017/08/14
+# Operation : VT development
+# Purpose : Add vtservice to support video telephony functionality
+# 3G VT/ViLTE both use this service which will also communication with IMCB/Rild
+allow vtservice soc_vt_svc_socket:sock_file write;
+allow vtservice soc_vt_tcv_socket:sock_file write;
+allow vtservice rild_oem_socket:sock_file write;
+allow vtservice platform_app:binder call;
+allow vtservice system_server:binder call;
+allow vtservice sdcard_type:dir write;
+allow vtservice sdcard_type:dir add_name;
+allow vtservice sdcard_type:dir create;
+allow vtservice sdcard_type:file create;
+allow vtservice sdcard_type:file getattr;
+allow vtservice surfaceflinger:fd use;
+allow vtservice tmpfs:lnk_file read;
+allow vtservice radio:binder call;
+
+# for codec acces dev/ion
+allow vtservice ion_device:chr_file { open read };
+
+# for MA socket rebind
+hal_client_domain(vtservice, hal_omx)
+allow vtservice mediametrics_service:service_manager find;
+allow vtservice mediametrics:binder call;
+
+allow vtservice self:udp_socket create_socket_perms_no_ioctl;
+allow vtservice node:udp_socket node_bind;
+
+allow vtservice debugfs_ion:dir search;
+allow vtservice fwmarkd_socket:sock_file write;
+allow vtservice hal_graphics_allocator_default:binder call;
+allow vtservice hal_graphics_allocator_default:fd use;
+hal_client_domain(vtservice, hal_graphics_allocator);
+allow vtservice hal_graphics_mapper_hwservice:hwservice_manager find;
+allow vtservice netd:unix_stream_socket connectto;
+allow vtservice ion_device:chr_file ioctl;
+allow vtservice MTK_SMI_device:chr_file { read write ioctl open };
+allow vtservice mtk_cmdq_device:chr_file r_file_perms;
+allow vtservice mtk_mdp_device:chr_file r_file_perms;
+allow vtservice mtk_mdp_sync_device:chr_file r_file_perms;
+allow vtservice merged_hal_service:fd use;
+allow vtservice merged_hal_service:binder call;
+
+# Date : WK17.43
+# Operation : Migration
+# Purpose : DISP access
+allow vtservice graphics_device:chr_file { ioctl open read };
+allow vtservice graphics_device:dir search;
+
+# Date : WK18.10
+# Operation : SQC
+# Purpose : Allow perfmgr FPSGO access
+allow vtservice proc_perfmgr:dir {read search};
+allow vtservice proc_perfmgr:file r_file_perms;
+allowxperm vtservice proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_QUEUE
+ PERFMGR_FPSGO_DEQUEUE
+ PERFMGR_FPSGO_QUEUE_CONNECT
+ PERFMGR_FPSGO_BQID
+};
+
+# Date: 2018/07/19
+# Operation: P Migration
+get_prop(vtservice, vendor_mtk_vendor_vt_prop)
+
+# Date: 2018/08/24
+# Operation: add mdp
+hal_client_domain(vtservice, hal_mtk_mms)
+allow vtservice cameraserver:dir search;
+allow vtservice cameraserver:file { getattr open read };
+allow vtservice proc_uptime:file read;
+
+# Date: 2018/11/07
+# Operation: gen97
+allow vtservice port:udp_socket name_bind;
+allow vtservice self:capability net_raw;
+
+# Date: 2019/08/29
+# Operation: support c2 sw codec
+hal_client_domain(vtservice, hal_codec2)
+
+# Date: 2021/05/29
+# Operation: VT c2 for dmabuf heap
+allow vtservice dmabuf_system_heap_device:chr_file r_file_perms;
+
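Review bot: `allow vtservice self:capability net_admin;` under `# For loopback mode` and `allow vtservice self:capability net_raw;` hand a video-telephony service CAP_NET_ADMIN and CAP_NET_RAW; if loopback mode is a test facility, wrap the net_admin grant in `userdebug_or_eng(` ... `')` so it is absent from user builds, and document what net_raw is used for rather than only `# Operation: gen97`. `hal_client_domain(vtservice, hal_graphics_allocator);` carries a trailing semicolon that no other macro invocation in this file has; drop it. Several grants are split into one-permission lines — `devmap_device:chr_file` read/open/ioctl, `sdcard_type:dir` write/add_name/create, `system_file:dir` read/open — and would be easier to audit merged into single rules; the explicit `hal_graphics_allocator_default:binder call` and `fd use` are also likely already covered by the `hal_graphics_allocator` client macro.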
diff --git a/bsp/non_plat/vtservice_hidl.te b/bsp/non_plat/vtservice_hidl.te
new file mode 100644
index 0000000..58daa01
--- /dev/null
+++ b/bsp/non_plat/vtservice_hidl.te
@@ -0,0 +1,46 @@
+# ==============================================
+# Policy File of /vendor/bin/hw/vtservice_hidl Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type vtservice_hidl_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(vtservice_hidl)
+
+unix_socket_connect(vtservice_hidl, rild_oem, mtkrild)
+allow vtservice_hidl mtkrild:unix_stream_socket connectto;
+
+# Date: 2015/09/22
+# Purpose: for unix domain socket access /dev/socket/volte_vt
+allow vtservice_hidl MTK_SMI_device:chr_file { read write ioctl open };
+allow vtservice_hidl fwmarkd_socket:sock_file write;
+allow vtservice_hidl netd:unix_stream_socket connectto;
+allow vtservice_hidl untrusted_app:binder call;
+
+# For socket path between vt_service and volte_ua
+allow vtservice_hidl self:udp_socket { create bind connect read write setopt getattr getopt shutdown };
+allow vtservice_hidl node:udp_socket { node_bind };
+allow vtservice_hidl volte_imsvt1_socket:sock_file write;
+
+# 2017/07/
+# HiDL porting
+# Permission to use hwbinder functionality for communication:
+# 1. add_hwservice(server_domain, service_name)
+add_hwservice(vtservice_hidl, mtk_hal_videotelephony_hwservice)
+# 2. also permission to access to /dev/hwbinder
+hwbinder_use(vtservice_hidl)
+# 3. For binder transaction. HwBinder IPC from clients into server, and callbacks
+binder_call(vtservice, vtservice_hidl)
+binder_call(vtservice_hidl, vtservice)
+
+get_prop(vtservice_hidl, hwservicemanager_prop)
+
+allow vtservice_hidl debugfs_tracing:file w_file_perms;
+allow vtservice_hidl system_file:dir r_file_perms;
+allow vtservice_hidl rild:unix_stream_socket connectto;
+
+net_domain(vtservice_hidl)
+
+# ViLTE
+allow vtservice_hidl mtkimsmddomain:udp_socket { setopt getattr read write };
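Review bot: `allow vtservice_hidl mtkrild:unix_stream_socket connectto;` duplicates what `unix_socket_connect(vtservice_hidl, rild_oem, mtkrild)` on the line above already expands to (sock_file write on the socket plus connectto on the server domain); remove the explicit line. The comment `# Purpose: for unix domain socket access /dev/socket/volte_vt` no longer describes the rules beneath it, which grant `MTK_SMI_device` chr_file access, fwmarkd/netd socket use and `untrusted_app:binder call`; each needs its own why-comment, and the binder grant in particular should state which untrusted-app callback path a vendor HAL is calling into. `binder_call(vtservice, vtservice_hidl)` also grants rights to the vtservice domain from this file; it would be found more easily in vtservice.te.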
diff --git a/bsp/non_plat/wo_epdg_client.te b/bsp/non_plat/wo_epdg_client.te
new file mode 100644
index 0000000..31921b2
--- /dev/null
+++ b/bsp/non_plat/wo_epdg_client.te
@@ -0,0 +1,58 @@
+# ==============================================
+# Policy File of /vendor/bin/wo_epdg_client Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type wo_epdg_client_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(wo_epdg_client)
+net_domain(wo_epdg_client)
+
+domain_auto_trans(wo_epdg_client, wo_starter_exec, wo_ipsec)
+domain_auto_trans(wo_epdg_client, wo_charon_exec, wo_ipsec)
+domain_auto_trans(wo_epdg_client, wo_stroke_exec, wo_ipsec)
+domain_auto_trans(wo_epdg_client, netutils_wrapper_exec, netutils_wrapper)
+
+# Date: WK14.52
+# Operation : Feature for ePDG
+# Purpose : handle tunnel interface
+allow wo_epdg_client self:tun_socket { relabelfrom relabelto create };
+allow wo_epdg_client tun_device:chr_file rw_file_perms;
+allow wo_epdg_client self:netlink_route_socket { setopt nlmsg_write read bind create nlmsg_read write getattr };
+allow wo_epdg_client self:capability { net_admin net_raw kill setuid setgid sys_module };
+
+# Purpose : update ipsec deamon
+allow wo_epdg_client wo_ipsec_exec:file rx_file_perms;
+
+# Purpose : send signal to process (ipsec/charon)
+allow wo_epdg_client wo_ipsec:process { signal sigkill signull };
+
+# Purpose : set property for debug messages
+set_prop(wo_epdg_client, vendor_mtk_persist_epdg_prop)
+
+# Purpose : Query ePDG IP address
+allow wo_epdg_client dnsproxyd_socket:sock_file write;
+allow wo_epdg_client netd:unix_stream_socket connectto;
+allow wo_epdg_client netd_socket:sock_file write;
+
+# tear_xfrm_policy
+allow wo_epdg_client self:netlink_xfrm_socket { write getattr setopt nlmsg_write read bind create };
+
+# Purpose : check tun device is ready
+allow wo_epdg_client self:udp_socket { create ioctl };
+
+# Purpose : create symbolic link for /dev/tun
+allow wo_epdg_client vendor_shell_exec:file rx_file_perms;
+
+# Purpose: Kill Process
+allow wo_epdg_client system_server:process { signal signull };
+allow wo_epdg_client kernel:process signal;
+
+# Purpose: access iptables for mss
+allow wo_epdg_client self:rawip_socket { getopt create setopt };
+
+allow wo_epdg_client devpts:chr_file rw_file_perms;
+allow wo_epdg_client kernel:system module_request;
+allowxperm wo_epdg_client self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFMTU SIOCSIFADDR };
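Review bot: `allow wo_epdg_client self:capability { ... sys_module }` on the capability line, together with `allow wo_epdg_client kernel:system module_request;` near the end, lets a network-facing vendor daemon load kernel modules, which is far wider than a tunnel-interface manager needs and, on builds where the platform policy reserves module loading to init, would presumably also trip a neverallow at policy build time. Nothing in the hunk names the module; if the intent is only that the kernel autoloads the tun/xfrm driver on first use, `module_request` alone covers that and `sys_module` can go: `allow wo_epdg_client self:capability { net_admin net_raw kill setuid setgid };`. The `kill` capability plus `allow wo_epdg_client system_server:process { signal signull };` under `# Purpose: Kill Process` also deserves a sentence saying which process is signalled and why, since a vendor daemon signalling system_server is unusual.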
diff --git a/bsp/non_plat/wo_ipsec.te b/bsp/non_plat/wo_ipsec.te
new file mode 100644
index 0000000..84c2fca
--- /dev/null
+++ b/bsp/non_plat/wo_ipsec.te
@@ -0,0 +1,64 @@
+# ==============================================
+# Policy File of /vendor/bin/wo_ipsec Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type wo_ipsec_exec, exec_type, file_type, vendor_file_type;
+
+net_domain(wo_ipsec)
+
+domain_auto_trans(wo_ipsec, netutils_wrapper_exec, netutils_wrapper)
+
+# Purpose : access xfrm
+allow wo_ipsec proc_net:file w_file_perms;
+
+# Purpose : send command to epdg_wod
+allow wo_ipsec wo_epdg_ipsec_socket:sock_file write;
+
+# Purpose : create socket for IKEv2 protocol
+allow wo_ipsec node:udp_socket node_bind;
+allow wo_ipsec port:tcp_socket name_connect;
+allow wo_ipsec port:udp_socket name_bind;
+
+# Purpose : Query DNS address
+allow wo_ipsec netd:unix_stream_socket connectto;
+allow wo_ipsec dnsproxyd_socket:sock_file write;
+
+# Purpose : access socket of wod and property
+allow wo_ipsec wo_epdg_client:unix_stream_socket { read write connectto };
+
+# Purpose : output to /dev/null
+allow wo_ipsec wo_epdg_client:fd use;
+
+# Purpose : starter invoke charon
+allow wo_ipsec wo_charon_exec:file execute_no_trans;
+
+# Purpose : charon set fwmark
+allow wo_ipsec fwmarkd_socket:sock_file write;
+
+# Purpose : send/receive packet to/from peer
+allow wo_ipsec self:tcp_socket { write getattr connect read getopt create };
+allow wo_ipsec self:udp_socket { write bind create read setopt };
+
+# Purpose : kernel ip/route operations
+allow wo_ipsec self:netlink_route_socket { write nlmsg_write read bind create nlmsg_read };
+allow wo_ipsec self:netlink_xfrm_socket { write bind create read nlmsg_write nlmsg_read };
+
+# Purpose : charon read certs
+allow wo_ipsec custom_file:dir r_dir_perms;
+allow wo_ipsec custom_file:file r_file_perms;
+
+# Purpose : set alarm for DPD
+allow wo_ipsec self:capability2 wake_alarm;
+
+allow wo_ipsec devpts:chr_file rw_file_perms;
+
+allow wo_ipsec proc_modules:file r_file_perms;
+allow wo_ipsec vendor_shell_exec:file rx_file_perms;;
+allow wo_ipsec netd_socket:sock_file write;
+
+allow wo_ipsec vendor_toolbox_exec:file x_file_perms;
+allow wo_ipsec kernel:system module_request;
+
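Review bot: `allow wo_ipsec wo_charon_exec:file execute_no_trans;` keeps charon, which per the `starter invoke charon` comment is the IKE daemon talking to the peer, in the same domain as the starter tooling, so whatever parses network input also inherits `proc_net:file w_file_perms`, execution of `vendor_shell_exec` and `vendor_toolbox_exec`, `module_request`, and write access to wo_epdg_client's socket. A dedicated domain reached via `domain_auto_trans(wo_ipsec, wo_charon_exec, wo_charon)` would limit the network-facing process to the udp/tcp socket, netlink_xfrm and `custom_file` cert-read rules it actually uses; the three `domain_auto_trans(... , wo_ipsec)` lines in wo_epdg_client.te would need the same split. Separately, `allow wo_ipsec vendor_shell_exec:file rx_file_perms;;` has a doubled terminator; it evidently compiles, but it should read `allow wo_ipsec vendor_shell_exec:file rx_file_perms;`.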
diff --git a/bsp/non_plat/wpa.te b/bsp/non_plat/wpa.te
new file mode 100644
index 0000000..7eb304b
--- /dev/null
+++ b/bsp/non_plat/wpa.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow wpa mtkimsmddomain:unix_stream_socket connectto;
+allow wpa mtkimsmddomain:unix_dgram_socket sendto;
+allow wpa init:unix_dgram_socket sendto;
+allow wpa mtkimsmddomain:unix_stream_socket connectto;
+allow wpa mtkimsmddomain:unix_dgram_socket sendto;
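Review bot: The last two lines of the file repeat the first two `mtkimsmddomain` rules verbatim, so one pair should be deleted. Duplicate allow rules are harmless to checkpolicy, but they suggest two different grants were intended and will confuse a later diff. Keep `allow wpa mtkimsmddomain:unix_stream_socket connectto;` and `allow wpa mtkimsmddomain:unix_dgram_socket sendto;` once, next to the `init:unix_dgram_socket sendto` rule.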
diff --git a/bsp/non_plat/zygote.te b/bsp/non_plat/zygote.te
new file mode 100644
index 0000000..6e65086
--- /dev/null
+++ b/bsp/non_plat/zygote.te
@@ -0,0 +1,33 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK19.43
+# Operation : SQC
+# Purpose : for untrusted app to use ptrace (e.g. 360Mobile, taobao, com.duowan.kiwi)
+dontaudit zygote untrusted_app_all:process ptrace;
+
+# Date : WK14.43
+# Operation : SQC2
+# Purpose : found in FST Auto Test (ALPS01774709)
+allow zygote platform_app:fd use;
+
+# Date : WK14.46
+# Operation : SQC
+# Purpose : found in sanity test (ALPS01825280)
+allow zygote servicemanager:binder call;
+
+# Date : WK14.49
+# Operation : SQC
+# Purpose : for isolated_app to use fd (ex: share image by gmail)
+allow zygote isolated_app:fd use;
+
+# Date : WK15.02
+# Operation : SQC
+# Purpose : for "theScore Sports & Scores" app to play video(ALPS01897019)
+allow zygote untrusted_app:fd use;
+
+# Date : WK15.08
+# Operation : SQC
+# Purpose : for TTLIA
+allow zygote radio:fd use;
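Review bot: The comment above `dontaudit zygote untrusted_app_all:process ptrace;` says it is "for untrusted app to use ptrace", but the rule's subject is zygote, so what is silenced is zygote attempting to ptrace app processes, not apps ptracing anything; the comment should state the real direction and that no allow is intended, e.g. `# silence denials from zygote ptrace attempts on untrusted_app_all; access is deliberately not granted`. The `allow zygote {platform_app,isolated_app,untrusted_app,radio}:fd use` rules let a privileged process use descriptors handed to it by untrusted code, and each carries only a bug id; a short note naming the fd being passed would make them auditable. If these denials actually come from freshly forked children that have not yet changed domain, the fix may belong in the app domain rather than zygote's, but that cannot be told from the hunk.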
diff --git a/bsp/ota_upgrade/file_contexts b/bsp/ota_upgrade/file_contexts
new file mode 100644
index 0000000..417e8c6
--- /dev/null
+++ b/bsp/ota_upgrade/file_contexts
@@ -0,0 +1,10 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+##########################
+# System files
+#
+# OTA upgrade from O to P for widevine data migration
+/system/bin/move_widevine_data\.sh u:object_r:move-widevine-data-sh_exec:s0
+
diff --git a/bsp/ota_upgrade/move-widevine-data-sh.te b/bsp/ota_upgrade/move-widevine-data-sh.te
new file mode 100644
index 0000000..2453631
--- /dev/null
+++ b/bsp/ota_upgrade/move-widevine-data-sh.te
@@ -0,0 +1,23 @@
+# ==============================================
+# MTK Attribute declarations
+# ==============================================
+
+type move-widevine-data-sh, domain, coredomain;
+type move-widevine-data-sh_exec, exec_type, file_type, system_file_type;
+typeattribute move-widevine-data-sh data_between_core_and_vendor_violators;
+
+init_daemon_domain(move-widevine-data-sh)
+
+allow move-widevine-data-sh shell_exec:file rx_file_perms;
+allow move-widevine-data-sh toolbox_exec:file rx_file_perms;
+
+allow move-widevine-data-sh file_contexts_file:file { read getattr open };
+
+allow move-widevine-data-sh media_data_file:file { getattr setattr relabelfrom };
+allow move-widevine-data-sh media_data_file:dir { reparent rename rmdir setattr rw_dir_perms relabelfrom };
+
+allow move-widevine-data-sh mediadrm_vendor_data_file:dir { create_dir_perms relabelto };
+
+# for writing files_moved so we only execute the move once
+allow move-widevine-data-sh mediadrm_vendor_data_file:file { create open write getattr relabelto };
+
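Review bot: `typeattribute move-widevine-data-sh data_between_core_and_vendor_violators;` opts this coredomain out of the core/vendor data-separation neverallows, and the .te file itself does not say how long that exception is meant to live; the file_contexts hunk in this change calls it an O-to-P migration, so the same scope and a removal condition belong here, e.g. `# One-shot O->P widevine data migration; drop with the ota_upgrade policy dir once no O-shipped devices remain`. The domain also gets `shell_exec`/`toolbox_exec` execution plus `relabelfrom` on media_data_file and `relabelto` on mediadrm_vendor_data_file, which is the full relabel primitive, so the `files_moved` marker mentioned in the last comment should be checked before any relabel in the script and the init service should be oneshot; neither is visible from this hunk.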
diff --git a/bsp/plat_private/GoogleOtaBinder.te b/bsp/plat_private/GoogleOtaBinder.te
new file mode 100644
index 0000000..160b457
--- /dev/null
+++ b/bsp/plat_private/GoogleOtaBinder.te
@@ -0,0 +1,25 @@
+# ==============================================
+# Policy File of /system/bin/GoogleOtaBinder Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type GoogleOtaBinder_exec, system_file_type, exec_type, file_type;
+typeattribute GoogleOtaBinder coredomain;
+
+init_daemon_domain(GoogleOtaBinder)
+
+# Date : 2014/09/10
+# Operation : Migration
+# Purpose : allow Binder IPC
+binder_use(GoogleOtaBinder)
+binder_service(GoogleOtaBinder)
+
+# to get offset
+allow GoogleOtaBinder ota_package_file:dir search;
+allow GoogleOtaBinder ota_package_file:file rw_file_perms;
+allow GoogleOtaBinder mota_proc_file:file rw_file_perms;;
+allow GoogleOtaBinder sysfs_dt_firmware_android:file r_file_perms;;
+
+allow GoogleOtaBinder ota_agent_service:service_manager add;
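Review bot: `allow GoogleOtaBinder mota_proc_file:file rw_file_perms;;` grants write on a proc file that file.te in this same change documents as `/proc/cmdline`, which is read-only, so `r_file_perms` is all that can ever be used, and the trailing `;;` is a typo repeated on the `sysfs_dt_firmware_android` line. `allow GoogleOtaBinder ota_package_file:file rw_file_perms;` under `# to get offset` looks equally over-broad: reading an offset needs `r_file_perms`, and write access to the OTA package from a system daemon is the kind of grant update verification is meant to keep rare. Suggested lines: `allow GoogleOtaBinder mota_proc_file:file r_file_perms;` and `allow GoogleOtaBinder sysfs_dt_firmware_android:file r_file_perms;`.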
diff --git a/bsp/plat_private/aal.te b/bsp/plat_private/aal.te
new file mode 100644
index 0000000..222d7f1
--- /dev/null
+++ b/bsp/plat_private/aal.te
@@ -0,0 +1,46 @@
+# ==============================================
+# Policy File of /system/bin/aal Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute aal coredomain;
+type aal_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(aal)
+
+# Date : 2014/09/09 (or WK14.37)
+# Operation : Migration
+# Purpose : allow Binder IPC
+binder_use(aal)
+binder_call(aal, binderservicedomain)
+binder_service(aal)
+
+# Date : WK14.41
+# Operation : Migration
+# Purpose : All enforing mode
+allow aal graphics_device:chr_file r_file_perms;
+allow aal graphics_device:dir search;
+allow aal aal_service:service_manager add;
+
+# Date : WK15.37
+# Operation : Migration
+# Purpose : Allow permission check
+allow aal permission_service:service_manager { find };
+
+# Date : WK17.26
+# Operation : Migration
+# Purpose : Allow permission to get AmbientLux from SensorManager
+# denied { find } for service=sensorservice pid=441 uid=1000 scontext=u:r:aal:s0
+# tcontext=u:object_r:sensorservice_service:s0 tclass=service_manager
+allow aal sensorservice_service:service_manager { find };
+
+# denied { read write } for path="socket:[25560]" dev="sockfs" ino=25560 scontext=u:r:aal:s0
+# tcontext=u:r:system_server:s0 tclass=unix_stream_socket permissive=0
+allow aal system_server:unix_stream_socket { read write };
+
+# Date : WK18.28
+# Operation : P0 Migration
+# Purpose : Allow permission to set property
+set_prop(aal, system_mtk_aal_prop)
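Review bot: `binder_call(aal, binderservicedomain)` allows aal to call every binder service domain, while the rest of the file enumerates the three services it actually finds (permission_service, sensorservice_service and its own aal_service), so the blanket grant is wider than the documented need. Replacing it with `binder_call(aal, system_server)` (which hosts permission checks) plus the sensorservice call that the WK17.26 denial shows would match the comments; if the broad form is kept, a comment naming the extra callee it covers would help. The `system_server:unix_stream_socket { read write }` rule copied from a denial line is fine but should say which socket is passed to aal.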
diff --git a/bsp/plat_private/apmsrv_app.te b/bsp/plat_private/apmsrv_app.te
new file mode 100644
index 0000000..734489b
--- /dev/null
+++ b/bsp/plat_private/apmsrv_app.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Policy File of /system/priv-app/ApmService/ApmService.apk Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute apmsrv_app mlstrustedsubject;
+app_domain(apmsrv_app)
+
+# Allow to use HAL APM
+hal_client_domain(apmsrv_app, hal_mtk_apm)
+
+# Allow to start Android service component
+allow apmsrv_app activity_service:service_manager find;
+
+# Used by LocationMessageKpiMonitor to get location info
+allow apmsrv_app location_service:service_manager find;
+
+# Used by NetworkServiceStateKpiMonitor to get Network info
+allow apmsrv_app radio_service:service_manager find;
+allow apmsrv_app registry_service:service_manager find;
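Review bot: `typeattribute apmsrv_app mlstrustedsubject;` exempts a priv-app domain from the MLS constraints Android uses to keep per-user and per-app data categories apart, and nothing in the hunk shows a cross-category access that needs it; the service_manager finds and the `hal_mtk_apm` client grant do not. Either drop the attribute and add the specific rule for the denial that motivated it, or document that denial, e.g. `# mlstrustedsubject: required for <path/class> across user categories (denial: ...)`. em_app.te in this change makes the same undocumented grant.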
diff --git a/bsp/plat_private/atci_service_sys.te b/bsp/plat_private/atci_service_sys.te
new file mode 100644
index 0000000..e7e3dd9
--- /dev/null
+++ b/bsp/plat_private/atci_service_sys.te
@@ -0,0 +1,12 @@
+# ==============================================
+# Policy File of /system/bin/atci_service_sys Executable File
+# ==============================================
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type atci_service_sys_exec, system_file_type, exec_type, file_type;
+typeattribute atci_service_sys coredomain;
+
+init_daemon_domain(atci_service_sys)
diff --git a/bsp/plat_private/audioserver.te b/bsp/plat_private/audioserver.te
new file mode 100644
index 0000000..0ad8a22
--- /dev/null
+++ b/bsp/plat_private/audioserver.te
@@ -0,0 +1,11 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK16.40
+# Operation : Migration
+# Purpose : perf service for cpu control and rt thread
+allow audioserver mtk_perf_service:service_manager find;
+
+allow audioserver debuglog_data_file:dir { relabelto create_dir_perms };
+allow audioserver debuglog_data_file:file create_file_perms;
diff --git a/bsp/plat_private/batterywarning.te b/bsp/plat_private/batterywarning.te
new file mode 100644
index 0000000..36e0904
--- /dev/null
+++ b/bsp/plat_private/batterywarning.te
@@ -0,0 +1,36 @@
+# ==============================================
+# Policy File of /system/bin/batterywarning Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type batterywarning_exec, system_file_type, exec_type, file_type;
+typeattribute batterywarning coredomain;
+
+init_daemon_domain(batterywarning)
+
+# Date : 2014/10/15
+# Operation : Migration
+# Purpose : all Binder IPC for battery warning to call IActivityManager to send broadcast
+binder_use(batterywarning)
+
+# Date : 2014/10/16
+# Operation : Migration
+# Purpose : allow battery warning use AMS to send broadcast through binder call
+binder_call(batterywarning, system_server)
+
+# Date : 2015/07/27
+# Operation : Migration
+# Purpose : allow battery warning check AMS service status
+allow batterywarning activity_service:service_manager find;
+
+# Date : 2017/07/03
+# Operation : Migration
+# Purpose : allow battery warning read file
+allow batterywarning sysfs_battery_warning:file r_file_perms;
+
+# Date : 2019/07/31
+# Operation : Migration
+# Purpose : allow battery warning open socket connection
+allow batterywarning self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
diff --git a/bsp/plat_private/bluetooth.te b/bsp/plat_private/bluetooth.te
new file mode 100644
index 0000000..b7633e5
--- /dev/null
+++ b/bsp/plat_private/bluetooth.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2018/5/4
+# Operation : Migration
+# Purpose: Allow bluetooth to get/set system_mtk_bluetooth_prop
+set_prop(bluetooth, system_mtk_bluetooth_prop)
diff --git a/bsp/plat_private/bootanim.te b/bsp/plat_private/bootanim.te
new file mode 100644
index 0000000..75fba67
--- /dev/null
+++ b/bsp/plat_private/bootanim.te
@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+#Date : W1728
+allow bootanim resourcecache_data_file:file r_file_perms;
diff --git a/bsp/plat_private/camerapostalgo.te b/bsp/plat_private/camerapostalgo.te
new file mode 100644
index 0000000..47033a3
--- /dev/null
+++ b/bsp/plat_private/camerapostalgo.te
@@ -0,0 +1,35 @@
+# ==============================================
+# Policy File of /system/bin/camerapostalgo Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type camerapostalgo_exec, system_file_type, exec_type, file_type;
+typeattribute camerapostalgo coredomain;
+init_daemon_domain(camerapostalgo)
+
+allow camerapostalgo camerapostalgo_service:service_manager { add find };
+
+allow camerapostalgo gpu_device:dir search;
+allow camerapostalgo gpu_device:chr_file rw_file_perms;
+
+allow camerapostalgo ion_device:chr_file r_file_perms;
+
+allow camerapostalgo sdcardfs:dir search;
+allow camerapostalgo sdcardfs:file r_file_perms;
+allow camerapostalgo mnt_user_file:dir search;
+allow camerapostalgo mnt_user_file:lnk_file r_file_perms;
+
+allow camerapostalgo storage_file:lnk_file r_file_perms;
+allow camerapostalgo media_rw_data_file:dir rw_dir_perms;
+allow camerapostalgo media_rw_data_file:file rw_file_perms;
+
+# ipc call
+binder_use(camerapostalgo)
+binder_service(camerapostalgo)
+
+binder_call(camerapostalgo, platform_app)
+binder_call(camerapostalgo, surfaceflinger)
+
+get_prop(camerapostalgo, system_mtk_debug_bq_dump_prop)
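Review bot: `allow camerapostalgo media_rw_data_file:dir rw_dir_perms;` and the matching file rule give a coredomain daemon direct read/write on the raw backing store behind shared storage, bypassing the sdcardfs layer that enforces per-app storage permissions, and the hunk also grants `sdcardfs:file r_file_perms`, so it is unclear why the raw path is needed as well. The platform policy tends to restrict direct media_rw_data_file access to a short list of storage daemons, so this should be checked against the neverallows; if the daemon only needs files chosen by the camera app, taking them as fds over the existing binder path and dropping both media_rw_data_file rules is the cleaner fix. At minimum a comment naming the path and operation belongs above these two lines.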
diff --git a/bsp/plat_private/cameraserver.te b/bsp/plat_private/cameraserver.te
new file mode 100644
index 0000000..22294fa
--- /dev/null
+++ b/bsp/plat_private/cameraserver.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK15.32
+# Operation : Migration
+# Purpose : for control CPU during camera working flow
+allow cameraserver mtk_perf_service:service_manager find;
+
+# Date : WK16.30
+# Operation : Migration
+set_prop(cameraserver, debug_prop)
+set_prop(cameraserver, system_prop)
+
+# Date : WK16.35
+# Operation : Migration
+# Purpose : allow camera to access log too much detect property
+set_prop(cameraserver, system_mtk_logmuch_prop)
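Review bot: `set_prop(cameraserver, system_prop)` and `set_prop(cameraserver, debug_prop)` grant write access to every property under those broad contexts, and unlike the logmuch rule below them carry no comment saying which property is actually written. system_prop in particular covers a large `sys.*` surface that other daemons key behaviour on, so these should be narrowed to a dedicated property type declared for the camera (following the `system_mtk_*_prop` pattern used elsewhere in this change) or, failing that, annotated with the denial they fix: `# TODO narrow: which sys./debug. property does cameraserver set?`.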
diff --git a/bsp/plat_private/capability_app.te b/bsp/plat_private/capability_app.te
new file mode 100644
index 0000000..43b2adc
--- /dev/null
+++ b/bsp/plat_private/capability_app.te
@@ -0,0 +1,20 @@
+# ==============================================
+# Policy File of /system/priv-app/CapabilityTest/CapabilityTest.apk Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute capability_app mlstrustedobject;
+app_domain(capability_app)
+
+allow capability_app activity_service:service_manager find;
+allow capability_app activity_task_service:service_manager find;
+allow capability_app gpu_service:service_manager find;
+allow capability_app surfaceflinger_service:service_manager find;
+allow capability_app autofill_service:service_manager find;
+allow capability_app textservices_service:service_manager find;
+allow capability_app audio_service:service_manager find;
+binder_call(capability_app, gpuservice)
+
+hal_client_domain(capability_app, hal_power)
diff --git a/bsp/plat_private/dnsmasq.te b/bsp/plat_private/dnsmasq.te
new file mode 100644
index 0000000..b1bd4e4
--- /dev/null
+++ b/bsp/plat_private/dnsmasq.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow dnsmasq netd:file r_file_perms;
diff --git a/bsp/plat_private/domain.te b/bsp/plat_private/domain.te
new file mode 100644
index 0000000..db713aa
--- /dev/null
+++ b/bsp/plat_private/domain.te
@@ -0,0 +1,15 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : W17.47
+# Allow system_server to enable/disable logmuch_prop for Wi-Fi logging purpose
+neverallow {
+ coredomain
+ -init
+ -logd
+ -cameraserver
+ -system_server
+ -em_app
+ -platform_app
+ } system_mtk_logmuch_prop:property_service set;
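Review bot: The comment says the neverallow exists so system_server can toggle logmuch_prop, but the exception list also carves out `cameraserver`, `em_app` and `platform_app`, and platform_app is every platform-signed app rather than one component, so the comment undersells what is permitted. Reword it to list the intended setters, e.g. `# Only init, logd, system_server and the MTK camera/EM/platform-app log-level controls may set system_mtk_logmuch_prop`, and consider whether a narrower domain than platform_app can be named. The list should be kept in step with the `set_prop(..., system_mtk_logmuch_prop)` rules in cameraserver.te and em_app.te in this change.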
diff --git a/bsp/plat_private/drmserver.te b/bsp/plat_private/drmserver.te
new file mode 100644
index 0000000..084ea05
--- /dev/null
+++ b/bsp/plat_private/drmserver.te
@@ -0,0 +1,15 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Add by : Jackie
+# Date : WK15.34
+# Operation : Migration
+# Purpose : Allow drmserver to access some system_server opreration on M
+# and allow drmserver access file stored in sdcard
+allow drmserver nvram_agent_service:service_manager find;
+
+# Date : WK19.24
+# To let DRM server load ctaplugin based on property
+get_prop(drmserver, system_mtk_cta_set_prop)
+allow drmserver mediaprovider_app:dir search;
diff --git a/bsp/plat_private/em_app.te b/bsp/plat_private/em_app.te
new file mode 100644
index 0000000..2efe820
--- /dev/null
+++ b/bsp/plat_private/em_app.te
@@ -0,0 +1,264 @@
+# ==============================================
+# Policy File of /system/priv-app/EngineerMode/EngineerMode.apk Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute em_app mlstrustedsubject;
+app_domain(em_app)
+
+# Common
+allow em_app activity_service:service_manager find;
+allow em_app activity_task_service:service_manager find;
+allow em_app gpu_service:service_manager find;
+allow em_app surfaceflinger_service:service_manager find;
+allow em_app autofill_service:service_manager find;
+allow em_app textservices_service:service_manager find;
+
+# Sub menu start
+allow em_app audio_service:service_manager find;
+
+# Allow to use HAL em
+hal_client_domain(em_app, hal_mtk_em)
+
+# Allow for BT # Main activity start
+allow em_app bluetooth_manager_service:service_manager find;
+
+# Allow for GPS manager usage
+allow em_app location_service:service_manager find;
+
+# Allow for Wifi manager usage
+allow em_app wifi_service:service_manager find;
+
+# For Wifi
+allow em_app self:udp_socket { create ioctl };
+allowxperm em_app self:udp_socket ioctl { SIOCIWFIRSTPRIV_0B SIOCIWFIRSTPRIV_0F SIOCSIWMODE SIOCIWFIRSTPRIV_01 SIOCIWFIRSTPRIV_09 SIOCDEVPRIVATE_2 };
+
+#For clk tool and gnssat tool to access camera manager
+allow em_app cameraserver_service:service_manager find;
+
+# For debug utils
+allow em_app crash_dump:unix_stream_socket connectto;
+
+# For simulate input action
+allow em_app input_service:service_manager find;
+
+# For get keyguard
+allow em_app trust_service:service_manager find;
+
+# For connect to em_svr
+allow em_app em_svr:unix_stream_socket connectto;
+
+#For usb acm
+set_prop(em_app, system_mtk_atci_sys_prop)
+
+#For atci
+set_prop(em_app, system_mtk_ctl_atcid_daemon_u_prop)
+set_prop(em_app, ctl_start_prop)
+set_prop(em_app, ctl_stop_prop)
+
+#For voice application
+allow em_app audioserver_service:service_manager find;
+
+#For mnld connect
+allow em_app self:tcp_socket create_socket_perms_no_ioctl;
+
+#For tel log settings
+set_prop(em_app, log_tag_prop)
+
+#For mnld connection
+allow em_app fwmarkd_socket:sock_file write;
+allow em_app port:tcp_socket name_connect;
+allow em_app netd:unix_stream_socket connectto;
+
+#For telecom service
+#allow EM app to change vibration behavior by property.
+set_prop(em_app, system_mtk_telecom_vibrate_prop)
+
+#For wfd iot property settings
+set_prop(em_app, system_mtk_media_wfd_prop)
+
+#For setting md power off property
+set_prop(em_app, system_mtk_power_off_md_prop)
+
+#For video log
+set_prop(em_app, system_mtk_logmuch_prop)
+
+#For tel log
+set_prop(em_app, system_mtk_em_tel_log_prop)
+
+# For background_data_select
+set_prop(em_app, system_mtk_bgdata_disabled_prop)
+
+# For uce service
+get_prop(em_app, system_mtk_uce_support_prop)
+
+allow em_app radio_service:service_manager find;
+
+# Date: 2020/03/25
+# For power pmu register
+allow em_app sysfs_pmu:dir search;
+
+# Date: 2020/03/25
+# For usb test
+allow em_app sysfs_usb_plat:dir search;
+allow em_app sysfs_usb_plat:file r_file_perms;
+
+# Date: 2020/03/25
+# Purpose: Allow EM USB/UART switch
+allow em_app sysfs_android0_usb:dir search;
+allow em_app sysfs_android0_usb:file r_file_perms;
+allow em_app sysfs_android_usb:dir search;
+allow em_app sysfs_android_usb:file r_file_perms;
+
+# Date : 2020/03/25
+#For usb test
+set_prop(em_app, usb_prop)
+
+# Date: 2020/03/25
+# For PMU reading
+allow em_app sysfs_pmu:dir search;
+allow em_app sysfs_pmu:file r_file_perms;
+allow em_app sysfs_pmu:lnk_file r_file_perms;
+
+# Date: 2020/03/25
+# Purpose: EM battery temprature setting
+allow em_app sysfs_batteryinfo:dir search;
+
+# Date: 2020/03/25
+# For power battery info
+allow em_app sysfs_vbus:file r_file_perms;
+
+# Date: 2020/03/25
+# Purpose: EM power ChargeBattery
+allow em_app sysfs_battery_consumption:file r_file_perms;
+allow em_app sysfs_power_on_vol:file r_file_perms;
+allow em_app sysfs_power_off_vol:file r_file_perms;
+allow em_app sysfs_fg_disable:file r_file_perms;
+allow em_app sysfs_dis_nafg:file r_file_perms;
+
+# Date: 2020/03/25
+# Purpose:For wakelock get power manager service
+allow em_app thermal_service:service_manager find;
+
+# Date : 2020/03/25
+# Purpose: Allow EM detect Audio headset status
+allow em_app sysfs_headset:file r_file_perms;
+
+# Operation: Support GWSD
+allow em_app mtk_gwsd_service:service_manager find;
+allow em_app tethering_service:service_manager find;
+
+# For supplementary service's CFU to get IccCard type through MtkTelephonyManagerEx
+allow em_app mtk_radio_service:service_manager find;
+
+# For background_data_select
+hal_client_domain(em_app, mtk_hal_netdagent)
+
+# Date : 2020/04/13
+# Purpose: Allow EM get/set CT Register system property
+set_prop(em_app, system_mtk_selfreg_prop)
+
+# Date : 2020/04/14
+# Purpose: Allow EM get/set USB tethering system property for auto test
+set_prop(em_app, system_mtk_usb_tethering_prop)
+
+# Date: 2020/04/20
+# Purpose: Allow EM write MD log filter config file in /data
+allow em_app debuglog_data_file:dir r_dir_perms;
+allow em_app debuglog_data_file:file rw_file_perms;
+
+# Date: 2020/04/20
+# Purpose: Allow EM access mediaserver
+allow em_app media_session_service:service_manager find;
+allow em_app mediaserver_service:service_manager find;
+
+# Date : 2020/04/28
+# Purpose : STMicro NFC integration for Engineering mode
+allow em_app nfc_service:service_manager find;
+
+# Date : 2020/04/30
+# Purpose: EmRadioHidlAosp get AospRadioProxy
+hal_client_domain(em_app, hal_telephony)
+
+# Date : 2020/04/30
+# Purpose: getSystemService(TELEPHONY_SERVICE)
+allow em_app registry_service:service_manager find;
+binder_call(em_app, gpuservice)
+
+# Date : 2020/04/30
+# Purpose: telephony->npt, ccm hopping get serial
+get_prop(em_app, radio_prop)
+
+# Date : 2020/04/30
+# Purpose: FeatureSupport ro.build.type, ro.board.platform
+get_prop(em_app, exported_default_prop)
+
+# Date: 2020/04/30
+#Purpose: telephony ->WifiCalling.EntitlementConfigActivity
+set_prop(em_app, system_mtk_wfc_entitlement_prop)
+
+# Date: 2020/04/30
+#Purpose: telephony ->networkinfotc1.MDMCoreOperation
+set_prop(em_app, config_prop)
+
+# Date: 2020/04/30
+# For uce related access
+set_prop(em_app, system_mtk_uce_support_prop)
+allow em_app uce_service:service_manager find;
+
+# Date: 2020/05/08
+# For OTA airplane mode
+get_prop(em_app,system_mtk_init_svc_md_monitor_prop)
+hal_client_domain(em_app, md_monitor_hal)
+
+# Date: 2020/05/15
+# Purpose: Fix the exception for long pressing operation
+allow em_app clipboard_service:service_manager find;
+
+# Date: 2020/06/03
+# Operation: DEBUG
+# Purpose: Allow EM search usb_rawbulk
+allow em_app sys_usb_rawbulk:dir r_dir_perms;
+allow em_app usb_service:service_manager find;
+
+# Date : 2020/06/03
+# Operation : DEBUG
+# Purpose : Allow to use system_mtk_gprs_attach_type_prop
+set_prop(em_app, system_mtk_gprs_attach_type_prop)
+
+# Date: 2020/06/30
+allow em_app mtk_vodata_service:service_manager find;
+
+# Date: 2020/07/29
+# Purpose: Allow EM using search service for monkey bug fix
+allow em_app search_service:service_manager find;
+
+# Date: 2020/08/14
+# Purpose: Allow EM using uimode service for monkey bug fix
+allow em_app uimode_service:service_manager find;
+
+# Date : 2020/11/03
+# Operation : DEBUG
+# Purpose : Allow EM to set system_mtk_common_data_prop
+set_prop(em_app, system_mtk_common_data_prop)
+
+# Date : 2021/01/07
+# Purpose : Allow EM to read ro.vendor.mtk_gwsd_support
+get_prop(em_app, system_mtk_gwsd_prop)
+
+# Date: 2021/01/27
+# Purpose: Allow EM to read/set sys.usb.config
+set_prop(em_app, usb_control_prop)
+
+# Purpose: Allow EM to ro.build.type
+get_prop(em_app, build_prop)
+
+# Purpose: Allow EM to ro.vendor.vodata_support
+get_prop(em_app, system_mtk_vodata_prop)
+
+# Date: 2021/04/27
+# Purpose: Allow EM to access shared preference data
+allow em_app em_app_data_file:dir create_dir_perms;
+allow em_app em_app_data_file:file create_file_perms;
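Review bot: `set_prop(em_app, ctl_start_prop)` and `set_prop(em_app, ctl_stop_prop)` let the EngineerMode app start and stop arbitrary init services via ctl.start/ctl.stop, and this file is under plat_private rather than the debug policy directories, so the grant is live on any build where the app is installed; the `system_mtk_ctl_atcid_daemon_u_prop` line just above shows the narrower per-service pattern, so the atcid case should be covered by that alone and the two generic ctl rules dropped. The same review applies to `set_prop(em_app, usb_control_prop)` (sys.usb.config selects the exposed USB functions, adb among them) and `set_prop(em_app, config_prop)`, which should move to the debug policy or to a dedicated property type. Smaller cleanups: `allow em_app sysfs_pmu:dir search;` appears twice, and `system_mtk_uce_support_prop` gets both a get_prop and a later set_prop, so the earlier get_prop is redundant.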
diff --git a/bsp/plat_private/em_svr.te b/bsp/plat_private/em_svr.te
new file mode 100644
index 0000000..f09d7a4
--- /dev/null
+++ b/bsp/plat_private/em_svr.te
@@ -0,0 +1,61 @@
+# ==============================================
+# Policy File of /system/bin/em_svr Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: WK1823
+# Purpose: Rsc switch
+allow em_svr sysfs_dt_firmware_android:dir r_dir_perms;
+allow em_svr sysfs_dt_firmware_android:file r_file_perms;
+
+# Date: 2020/03/25
+# Purpose : EM Power PMU reading/setting
+allow em_svr sysfs_pmu:dir search;
+allow em_svr sysfs_pmu:file rw_file_perms;
+allow em_svr sysfs_pmu:lnk_file r_file_perms;
+
+# Date: 2020/03/25
+# Purpose: EM battery temprature setting
+allow em_svr sysfs_batteryinfo:dir search;
+allow em_svr sysfs_battery_temp:file w_file_perms;
+
+# Date: 2020/03/25
+# Purpose: EM power ChargeBattery
+allow em_svr sysfs_battery_consumption:file r_file_perms;
+allow em_svr sysfs_power_on_vol:file r_file_perms;
+allow em_svr sysfs_power_off_vol:file r_file_perms;
+allow em_svr sysfs_fg_disable:file rw_file_perms;
+allow em_svr sysfs_dis_nafg:file rw_file_perms;
+
+# Date: 2020/03/25
+# Purpose : EM flash reading
+allow em_svr proc_flash:file r_file_perms;
+allow em_svr proc_partition:file r_file_perms;
+
+# Date: WK2013
+# Purpose: add for power battery charge/PMU
+allow em_svr toolbox_exec:file rx_file_perms;
+
+# Date: WK1812
+# Purpose: add for battery log
+allow em_svr proc_battery_cmd:dir search;
+allow em_svr proc_battery_cmd:file create_file_perms;
+
+# Date: WK2016
+# Purpose: add seolicy for em_svr write phone storage
+allow em_svr mnt_user_file:dir search;
+allow em_svr fuse:file create_file_perms;
+allow em_svr fuse:dir w_dir_perms;
+
+# Date: 2020/06/03
+# Operation: Telephony->Bypass
+# Purpose: Allow EM read usb_rawbulk
+allow em_svr sys_usb_rawbulk:dir r_dir_perms;
+allow em_svr sys_usb_rawbulk:file r_file_perms;
+
+# Date 2021/04/26
+# Purpose: Rsc usage
+allow em_svr gsi_metadata_file:dir search;
+allow em_svr metadata_file:dir search;
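Review bot: `allow em_svr sysfs_pmu:file rw_file_perms;`, `sysfs_fg_disable:file rw_file_perms` and `sysfs_dis_nafg:file rw_file_perms` give a system daemon write access to PMIC and fuel-gauge controls, and em_app.te in this change lets the EngineerMode app connect to em_svr over a unix socket, so whatever command set em_svr exposes becomes the effective boundary for those writes; nothing in the hunk says the daemon validates or restricts requests. Since this is plat_private policy, either the write rules should move to the debug policy or a comment should state that em_svr gates writes on an engineering/debug check, e.g. `# writes below are only honoured by em_svr on eng/userdebug (see em_svr source)` if that is the case. The `fuse:file create_file_perms` / `fuse:dir w_dir_perms` pair should likewise name the directory it writes, since `fuse` covers the whole user storage mount.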
diff --git a/bsp/plat_private/file.te b/bsp/plat_private/file.te
new file mode 100644
index 0000000..38ce294
--- /dev/null
+++ b/bsp/plat_private/file.te
@@ -0,0 +1,82 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+##########################
+# Filesystem types
+#
+##########################
+# Proc Filesystem types
+#
+# MOTA permission
+# Purpose: Allow GoogleOtaBinder to access proc
+# path="/proc/cmdline"
+type mota_proc_file, fs_type, proc_type;
+
+# Purpose : Camera need read cl_cam_status
+# Package: com.mediatek.camera
+type proc_cl_cam_status, fs_type, proc_type;
+
+# Date : 2020/03/25
+# Operation: R migration
+# Purpose: mtk EM battery settings
+type proc_battery_cmd, fs_type, proc_type;
+
+# Date : 2020/03/25
+# Operation: R migration
+# Purpose : mtk EM flash reading
+type proc_flash, fs_type, proc_type;
+type proc_partition, fs_type, proc_type;
+
+##########################
+# Sys Filesystem types
+#
+# define new type
+# path = "/sys/devices/platform/(charger|mt-battery)/BatteryNotify"
+type sysfs_battery_warning, fs_type, sysfs_type;
+
+# define new type for sn process
+# path = "/sys/class/android_usb/android0/iSerial"
+# path = "/sys/devices/platform/mt_usb/cmode"
+# path = "/sys/class/udc/musb-hdrc/device/cmode"
+type sysfs_android0_usb, fs_type, sysfs_type;
+type sysfs_usb_plat, fs_type, sysfs_type;
+
+# Date : 2020/03/25
+# Operation: R migration
+# Purpose: mtk EM battery settings
+type sysfs_battery_temp, fs_type, sysfs_type;
+type sysfs_battery_consumption, fs_type, sysfs_type;
+type sysfs_power_on_vol, fs_type, sysfs_type;
+type sysfs_power_off_vol, fs_type, sysfs_type;
+type sysfs_fg_disable, fs_type, sysfs_type;
+type sysfs_dis_nafg, fs_type, sysfs_type;
+
+# Date : 2020/06/01
+# Operation: R migration
+# Purpose : Add permission for acess /sys/devices/platform/mhl@0/extcon/HDMI_audio_extcon/state.
+type sysfs_HDMI_audio_extcon_state, fs_type, sysfs_type;
+
+# Date : 2018/11/01 -> 2020/06/23
+# Operation: R migration
+# Purpose : mtk EM c2k bypass read usb file
+type sys_usb_rawbulk, fs_type, sysfs_type;
+
+# wifi throttle
+type sysfs_thermald, fs_type, sysfs_type;
+
+##########################
+# Debug Filesystem types
+#
+
+##########################
+# File types
+# Core domain data file types
+#
+# ATCI data file
+type atci_data_file, file_type, data_file_type, core_data_file_type;
+
+##########################
+# EngineerMode app data file types
+#
+# for engineermode to access own app files
+type em_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
diff --git a/bsp/plat_private/file_contexts b/bsp/plat_private/file_contexts
new file mode 100644
index 0000000..55a052e
--- /dev/null
+++ b/bsp/plat_private/file_contexts
@@ -0,0 +1,62 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+##########################
+# System files
+#
+# MTK Adv Camera Server
+/system/bin/mtk_advcamserver u:object_r:mtk_advcamserver_exec:s0
+
+/system/bin/kpoc_charger u:object_r:kpoc_charger_exec:s0
+
+# MTK Thermald
+/system/bin/thermald u:object_r:thermald_exec:s0
+
+# MTK VTService
+/system/bin/vtservice u:object_r:vtservice_exec:s0
+
+# MTK ATCI
+/system/bin/atci_service_sys u:object_r:atci_service_sys_exec:s0
+
+# MTK Postalgo
+/system/bin/camerapostalgo u:object_r:camerapostalgo_exec:s0
+
+# MTK AAL
+/system/bin/aal u:object_r:aal_exec:s0
+
+# MTK Carrier express
+/system/bin/usp_service u:object_r:usp_service_exec:s0
+/system/bin/batterywarning u:object_r:batterywarning_exec:s0
+/system/bin/mmp u:object_r:mmp_exec:s0
+/system/bin/GoogleOtaBinder u:object_r:GoogleOtaBinder_exec:s0
+
+# MTK MET
+/system/bin/met_log_d u:object_r:met_log_d_exec:s0
+
+# MTK TerService
+/system/bin/terservice u:object_r:terservice_exec:s0
+
+# MTK MAPI (Modem Diagnostic Public Interface)
+/system/bin/mdi_redirector u:object_r:mdi_redirector_exec:s0
+
+# MTK MDMI test tool (Modem Diagnostic Monitoring Interface)
+/system/bin/mdmi_redirector u:object_r:mdmi_redirector_exec:s0
+
+# resize userdata's filesystem size
+/system/bin/resize.f2fs u:object_r:resize_exec:s0
+
+# VSIM 3.0
+/system/bin/osi u:object_r:osi_exec:s0
+
+##########################
+# Devices
+#
+# MTK touchll hal
+/dev/tll u:object_r:tll_device:s0
+
+##########################
+# Others
+#
+/eng u:object_r:rootfs:s0
+
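Review bot: The resize entry `/system/bin/resize.f2fs u:object_r:resize_exec:s0` leaves the `.` unescaped, and file_contexts path fields are regular expressions, so the pattern also matches any single character in that position; write it as `/system/bin/resize\.f2fs u:object_r:resize_exec:s0` so only the intended binary receives the resize_exec label. The anchoring keeps the practical risk small, but the same habit elsewhere could hand an exec label to an unrelated file. The `/eng u:object_r:rootfs:s0` line under "Others" would benefit from a one-line comment saying what `/eng` is and why it is labelled as rootfs rather than system_file.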
diff --git a/bsp/plat_private/genfs_contexts b/bsp/plat_private/genfs_contexts
new file mode 100644
index 0000000..7822915
--- /dev/null
+++ b/bsp/plat_private/genfs_contexts
@@ -0,0 +1,174 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+##########################
+# proc files
+#
+# Purpose : Camera need read cl_cam_status
+# Package: com.mediatek.camera
+genfscon proc /driver/cl_cam_status u:object_r:proc_cl_cam_status:s0
+
+# Date : 2020/03/25
+# Operation: R migration
+# Purpose: mtk EM battery log
+genfscon proc /mtk_battery_cmd u:object_r:proc_battery_cmd:s0
+
+# Date : 2020/03/25
+# Operation: R migration
+# mtk EM flash reading
+genfscon proc /partitions u:object_r:proc_partition:s0
+
+##########################
+# sysfs files
+#
+# label for SN process
+genfscon sysfs /class/android_usb/android0 u:object_r:sysfs_android0_usb:s0
+
+genfscon sysfs /devices/platform/mt_usb/cmode u:object_r:sysfs_usb_plat:s0
+genfscon sysfs /class/udc/musb-hdrc/device/comde u:object_r:sysfs_usb_plat:s0
+
+# Date : 2020/03/25
+# Operation: R migration
+# Purpose: for engineermode Usb PHY Tuning
+genfscon sysfs /devices/platform/soc/usb-phy0 u:object_r:sysfs_usb_plat:s0
+
+# Purpose: Allow EM USB/UART switch
+genfscon sysfs /devices/platform/mt_usb/portmode u:object_r:sysfs_usb_plat:s0
+genfscon sysfs /devices/platform/musb-mtu3d/musb-hdrc/portmode u:object_r:sysfs_usb_plat:s0
+genfscon sysfs /bus/platform/devices/musb-hdrc/portmode u:object_r:sysfs_usb_plat:s0
+genfscon sysfs /class/udc/musb-hdrc/device/portmode u:object_r:sysfs_usb_plat:s0
+genfscon sysfs /devices/platform/11201000.mtu3_0/portmode u:object_r:sysfs_usb_plat:s0
+
+# for wifi throttle
+genfscon sysfs /devices/platform/CONNAC/net/wlan0/operstate u:object_r:sysfs_thermald:s0
+genfscon sysfs /devices/virtual/net/ap0/operstate u:object_r:sysfs_thermald:s0
+genfscon sysfs /devices/virtual/net/p2p0/operstate u:object_r:sysfs_thermald:s0
+
+# label for battery warning
+genfscon sysfs /devices/platform/charger/BatteryNotify u:object_r:sysfs_battery_warning:s0
+genfscon sysfs /devices/platform/mt-battery/BatteryNotify u:object_r:sysfs_battery_warning:s0
+
+# Date : 2020/03/25
+# Operation: R migration
+# Purpose: mtk EM battery temprature settings
+genfscon sysfs /devices/platform/battery/Battery_Temperature u:object_r:sysfs_battery_temp:s0
+
+# Date: 2020/03/25
+# Operation: R migration
+# Purpose: EM power ChargeBattery
+genfscon sysfs /devices/platform/battery/FG_Battery_CurrentConsumption u:object_r:sysfs_battery_consumption:s0
+genfscon sysfs /devices/platform/battery/Power_On_Voltage u:object_r:sysfs_power_on_vol:s0
+genfscon sysfs /devices/platform/battery/Power_Off_Voltage u:object_r:sysfs_power_off_vol:s0
+genfscon sysfs /devices/platform/battery/FG_daemon_disable u:object_r:sysfs_fg_disable:s0
+genfscon sysfs /devices/platform/battery/disable_nafg u:object_r:sysfs_dis_nafg:s0
+# 6762/6765/6789
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-gauge/Battery_Temperature u:object_r:sysfs_battery_temp:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-gauge/FG_Battery_CurrentConsumption u:object_r:sysfs_battery_consumption:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-gauge/Power_On_Voltage u:object_r:sysfs_power_on_vol:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-gauge/Power_Off_Voltage u:object_r:sysfs_power_off_vol:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-gauge/FG_daemon_disable u:object_r:sysfs_fg_disable:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-gauge/disable_nafg u:object_r:sysfs_dis_nafg:s0
+# 6779
+genfscon sysfs /devices/platform/soc/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6359-gauge/Battery_Temperature u:object_r:sysfs_battery_temp:s0
+genfscon sysfs /devices/platform/soc/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6359-gauge/FG_Battery_CurrentConsumption u:object_r:sysfs_battery_consumption:s0
+genfscon sysfs /devices/platform/soc/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6359-gauge/Power_On_Voltage u:object_r:sysfs_power_on_vol:s0
+genfscon sysfs /devices/platform/soc/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6359-gauge/Power_Off_Voltage u:object_r:sysfs_power_off_vol:s0
+genfscon sysfs /devices/platform/soc/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6359-gauge/FG_daemon_disable u:object_r:sysfs_fg_disable:s0
+genfscon sysfs /devices/platform/soc/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6359-gauge/disable_nafg u:object_r:sysfs_dis_nafg:s0
+# 6873/6893
+genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-gauge/Battery_Temperature u:object_r:sysfs_battery_temp:s0
+genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-gauge/FG_Battery_CurrentConsumption u:object_r:sysfs_battery_consumption:s0
+genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-gauge/Power_On_Voltage u:object_r:sysfs_power_on_vol:s0
+genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-gauge/Power_Off_Voltage u:object_r:sysfs_power_off_vol:s0
+genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-gauge/FG_daemon_disable u:object_r:sysfs_fg_disable:s0
+genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-gauge/disable_nafg u:object_r:sysfs_dis_nafg:s0
+# Date: 2021/08/16
+# Purpose: 6983
+genfscon sysfs /devices/platform/11e01000.i2c/i2c-5/5-0034/11e01000.i2c:mt6375@34:mtk_gauge/Battery_Temperature u:object_r:sysfs_battery_temp:s0
+genfscon sysfs /devices/platform/11e01000.i2c/i2c-5/5-0034/11e01000.i2c:mt6375@34:mtk_gauge/FG_Battery_CurrentConsumption u:object_r:sysfs_battery_consumption:s0
+genfscon sysfs /devices/platform/11e01000.i2c/i2c-5/5-0034/11e01000.i2c:mt6375@34:mtk_gauge/Power_On_Voltage u:object_r:sysfs_power_on_vol:s0
+genfscon sysfs /devices/platform/11e01000.i2c/i2c-5/5-0034/11e01000.i2c:mt6375@34:mtk_gauge/Power_Off_Voltage u:object_r:sysfs_power_off_vol:s0
+genfscon sysfs /devices/platform/11e01000.i2c/i2c-5/5-0034/11e01000.i2c:mt6375@34:mtk_gauge/FG_daemon_disable u:object_r:sysfs_fg_disable:s0
+genfscon sysfs /devices/platform/11e01000.i2c/i2c-5/5-0034/11e01000.i2c:mt6375@34:mtk_gauge/disable_nafg u:object_r:sysfs_dis_nafg:s0
+# Purpose:6879
+genfscon sysfs /devices/platform/11ed1000.i2c/i2c-5/5-0034/11ed1000.i2c:mt6375@34:mtk_gauge/Battery_Temperature u:object_r:sysfs_battery_temp:s0
+genfscon sysfs /devices/platform/11ed1000.i2c/i2c-5/5-0034/11ed1000.i2c:mt6375@34:mtk_gauge/FG_Battery_CurrentConsumption u:object_r:sysfs_battery_consumption:s0
+genfscon sysfs /devices/platform/11ed1000.i2c/i2c-5/5-0034/11ed1000.i2c:mt6375@34:mtk_gauge/Power_On_Voltage u:object_r:sysfs_power_on_vol:s0
+genfscon sysfs /devices/platform/11ed1000.i2c/i2c-5/5-0034/11ed1000.i2c:mt6375@34:mtk_gauge/Power_Off_Voltage u:object_r:sysfs_power_off_vol:s0
+genfscon sysfs /devices/platform/11ed1000.i2c/i2c-5/5-0034/11ed1000.i2c:mt6375@34:mtk_gauge/FG_daemon_disable u:object_r:sysfs_fg_disable:s0
+genfscon sysfs /devices/platform/11ed1000.i2c/i2c-5/5-0034/11ed1000.i2c:mt6375@34:mtk_gauge/disable_nafg u:object_r:sysfs_dis_nafg:s0
+# Date: 2021/10/19
+# Purpose: 6895
+genfscon sysfs /devices/platform/soc/11280000.i2c/i2c-5/5-0034/11280000.i2c:mt6375@34:mtk_gauge/Battery_Temperature u:object_r:sysfs_battery_temp:s0
+genfscon sysfs /devices/platform/soc/11280000.i2c/i2c-5/5-0034/11280000.i2c:mt6375@34:mtk_gauge/FG_Battery_CurrentConsumption u:object_r:sysfs_battery_consumption:s0
+genfscon sysfs /devices/platform/soc/11280000.i2c/i2c-5/5-0034/11280000.i2c:mt6375@34:mtk_gauge/Power_On_Voltage u:object_r:sysfs_power_on_vol:s0
+genfscon sysfs /devices/platform/soc/11280000.i2c/i2c-5/5-0034/11280000.i2c:mt6375@34:mtk_gauge/Power_Off_Voltage u:object_r:sysfs_power_off_vol:s0
+genfscon sysfs /devices/platform/soc/11280000.i2c/i2c-5/5-0034/11280000.i2c:mt6375@34:mtk_gauge/FG_daemon_disable u:object_r:sysfs_fg_disable:s0
+genfscon sysfs /devices/platform/soc/11280000.i2c/i2c-5/5-0034/11280000.i2c:mt6375@34:mtk_gauge/disable_nafg u:object_r:sysfs_dis_nafg:s0
+# Date: 2021/12/25
+# Purpose: 6855
+genfscon sysfs /devices/platform/11b20000.i2c/i2c-5/5-0034/11b20000.i2c:mt6375@34:mtk_gauge/power_supply/Battery_Temperature u:object_r:sysfs_battery_temp:s0
+genfscon sysfs /devices/platform/11b20000.i2c/i2c-5/5-0034/11b20000.i2c:mt6375@34:mtk_gauge/power_supply/FG_Battery_CurrentConsumption u:object_r:sysfs_battery_consumption:s0
+genfscon sysfs /devices/platform/11b20000.i2c/i2c-5/5-0034/11b20000.i2c:mt6375@34:mtk_gauge/power_supply/Power_On_Voltage u:object_r:sysfs_power_on_vol:s0
+genfscon sysfs /devices/platform/11b20000.i2c/i2c-5/5-0034/11b20000.i2c:mt6375@34:mtk_gauge/power_supply/Power_Off_Voltage u:object_r:sysfs_power_off_vol:s0
+genfscon sysfs /devices/platform/11b20000.i2c/i2c-5/5-0034/11b20000.i2c:mt6375@34:mtk_gauge/power_supply/FG_daemon_disable u:object_r:sysfs_fg_disable:s0
+genfscon sysfs /devices/platform/11b20000.i2c/i2c-5/5-0034/11b20000.i2c:mt6375@34:mtk_gauge/power_supply/disable_nafg u:object_r:sysfs_dis_nafg:s0
+# Purpose:6789 mt6366 em/battery
+genfscon sysfs /devices/platform/soc/10026000.pwrap/10026000.pwrap:mt6366/mt6358-gauge/Battery_Temperature u:object_r:sysfs_battery_temp:s0
+genfscon sysfs /devices/platform/soc/10026000.pwrap/10026000.pwrap:mt6366/mt6358-gauge/FG_Battery_CurrentConsumption u:object_r:sysfs_battery_consumption:s0
+genfscon sysfs /devices/platform/soc/10026000.pwrap/10026000.pwrap:mt6366/mt6358-gauge/Power_On_Voltage u:object_r:sysfs_power_on_vol:s0
+genfscon sysfs /devices/platform/soc/10026000.pwrap/10026000.pwrap:mt6366/mt6358-gauge/Power_Off_Voltage u:object_r:sysfs_power_off_vol:s0
+genfscon sysfs /devices/platform/soc/10026000.pwrap/10026000.pwrap:mt6366/mt6358-gauge/FG_daemon_disable u:object_r:sysfs_fg_disable:s0
+genfscon sysfs /devices/platform/soc/10026000.pwrap/10026000.pwrap:mt6366/mt6358-gauge/disable_nafg u:object_r:sysfs_dis_nafg:s0
+
+genfscon sysfs /dev/gauge/Battery_Temperature u:object_r:sysfs_battery_temp:s0
+genfscon sysfs /dev/gauge/FG_Battery_CurrentConsumption u:object_r:sysfs_battery_consumption:s0
+genfscon sysfs /dev/gauge/Power_On_Voltage u:object_r:sysfs_power_on_vol:s0
+genfscon sysfs /dev/gauge/Power_Off_Voltage u:object_r:sysfs_power_off_vol:s0
+genfscon sysfs /dev/gauge/FG_daemon_disable u:object_r:sysfs_fg_disable:s0
+genfscon sysfs /dev/gauge/disable_nafg u:object_r:sysfs_dis_nafg:s0
+
+# Date : 2020/03/25
+# Operation: R migration
+# mtk EM pmic & pmu register
+genfscon sysfs /devices/platform/mt-pmic u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/mt-pmic u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6358-pmic/mt-pmic u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6359-pmic/mt-pmic u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359-pmic/mt-pmic u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt-pmic u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/1c015000.spmi/spmi-0/0-04/mt-pmic u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/1c804000.spmi/spmi-0/0-04/mt-pmic u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/mt6333-user u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/mt6311-user u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/10027000.spmi/spmi-0/0-03/10027000.spmi:mt6315@3:mt6315_3_regulator/extbuck_access u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/10027000.spmi/spmi-0/0-06/10027000.spmi:mt6315@6:mt6315_6_regulator/extbuck_access u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/10027000.spmi/spmi-0/0-07/10027000.spmi:mt6315@7:mt6315_7_regulator/extbuck_access u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/10027000.spmi/spmi-0/0-03/10027000.spmi:mt6315@3:extbuck_debug/extbuck_access u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/10027000.spmi/spmi-0/0-06/10027000.spmi:mt6315@6:extbuck_debug/extbuck_access u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/10027000.spmi/spmi-0/0-07/10027000.spmi:mt6315@7:extbuck_debug/extbuck_access u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/soc/11cb1000.i2c/i2c-9/9-0034/extdev_io/MT6375.9-0034 u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/11e01000.i2c/i2c-5/5-0034/extdev_io/MT6375.5-0034 u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/soc/11280000.i2c/i2c-5/5-0018/extdev_io/MT6375.5-0034 u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/soc/11280000.i2c/i2c-5/5-0034/extdev_io/MT6375.5-0034 u:object_r:sysfs_pmu:s0
+# Purpose: 6855
+genfscon sysfs /devices/platform/soc/1c804000.spmi/spmi-0/0-04/mt-pmic u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/11b20000.i2c/i2c-5/5-0034/extdev_io/MT6375.5-0034 u:object_r:sysfs_pmu:s0
+# 6789 mt6375 em/pmic
+genfscon sysfs /devices/platform/soc/10026000.pwrap/10026000.pwrap:mt6366/mt-pmic u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/soc/11017000.i2c/i2c-5/5-0034/extdev_io/MT6375.5-0034 u:object_r:sysfs_pmu:s0
+
+# Date : 2020/06/01
+# Operation: R migration
+# Purpose : Add permission for acess /sys/devices/platform/mhl@0/extcon/HDMI_audio_extcon/state.
+genfscon sysfs /devices/platform/mhl@0/extcon/HDMI_audio_extcon/state u:object_r:sysfs_HDMI_audio_extcon_state:s0
+
+# Date : 2018/11/01 -> 2020/06/23
+# Operation: R migration
+# Purpose : mtk EM c2k bypass read usb file
+genfscon sysfs /devices/virtual/usb_rawbulk u:object_r:sys_usb_rawbulk:s0
+
+# Date : 2020/12/16
+# Operation: R migration
+# Purpose: mtk meta wifi daemon access pmu register
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt-pmic u:object_r:sysfs_pmu:s0
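Review bot: The second sysfs_usb_plat entry, `genfscon sysfs /class/udc/musb-hdrc/device/comde u:object_r:sysfs_usb_plat:s0`, looks like a typo of `cmode`, which is the path the companion file.te comment documents for this type; as written that node keeps the default sysfs label and the EM rules granted on sysfs_usb_plat silently do not apply to it, so the path should read `/class/udc/musb-hdrc/device/cmode`. The entry `/devices/platform/soc/11280000.i2c/i2c-5/5-0018/extdev_io/MT6375.5-0034` is similarly inconsistent (bus address 5-0018 but device name 5-0034) and should be confirmed against the kernel before it ships. Several sysfs_pmu entries label whole device directories (for example `/devices/platform/mt-pmic`) rather than individual attributes, which makes every attribute below them reachable by any domain holding rw on sysfs_pmu; a short comment per entry naming the attribute(s) actually needed would make later tightening possible.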
diff --git a/bsp/plat_private/init.te b/bsp/plat_private/init.te
new file mode 100644
index 0000000..b5e6522
--- /dev/null
+++ b/bsp/plat_private/init.te
@@ -0,0 +1,10 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+set_prop(init, system_mtk_cta_set_prop)
+set_prop(init, system_mtk_rsc_sys_prop)
+
+# Date: W20.10
+# Purpose: resize filesystem(userdata) needs read link file
+allow init resize_exec:lnk_file r_file_perms;
diff --git a/bsp/plat_private/kpoc_charger.te b/bsp/plat_private/kpoc_charger.te
new file mode 100644
index 0000000..86446b9
--- /dev/null
+++ b/bsp/plat_private/kpoc_charger.te
@@ -0,0 +1,74 @@
+# ==============================================
+# Policy File of /system/bin/kpoc_charger Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type kpoc_charger_exec, system_file_type, exec_type, file_type;
+typeattribute kpoc_charger coredomain;
+
+# Date : WK15.32
+# Operation : Migration
+# Purpose : Start kpoc_charger
+init_daemon_domain(kpoc_charger)
+
+# Use light HAL
+hal_client_domain(kpoc_charger, hal_light)
+
+# Use health HAL
+hal_client_domain(kpoc_charger, hal_health)
+
+# Date : WK15.32
+# Operation : Migration
+# Purpose : Interact with kernel to perform kpoc_charger
+allow kpoc_charger block_device:dir search;
+allow kpoc_charger graphics_device:dir search;
+allow kpoc_charger graphics_device:chr_file rw_file_perms;
+allow kpoc_charger input_device:dir r_dir_perms;
+allow kpoc_charger input_device:chr_file rw_file_perms;
+allow kpoc_charger self:capability { sys_nice net_admin sys_boot sys_admin };
+allow kpoc_charger self:netlink_kobject_uevent_socket { create bind read setopt };
+allow kpoc_charger sysfs:dir r_dir_perms;
+allow kpoc_charger kmsg_device:chr_file { getattr w_file_perms };
+allow kpoc_charger rtc_device:chr_file rw_file_perms;
+
+# Date : WK15.44
+# Operation : Migration
+# Purpose : add sepolicy for nand platform which use mtd_device
+allow kpoc_charger mtd_device:dir search;
+allow kpoc_charger mtd_device:chr_file r_file_perms;
+
+# Date : WK17.25
+# Operation : Android O migration
+# Purpose : add sepolicy for accessing rootfs and sysfs_leds
+allow kpoc_charger rootfs:file r_file_perms;
+allow kpoc_charger sysfs_leds:dir r_dir_perms;
+
+# Date : WK18.20
+# Operation : Android P migration
+# Purpose: add sepolicy for sysfs_batteryinfo
+allow kpoc_charger sysfs_batteryinfo:dir r_dir_perms;
+
+# Purpose: add sepolicy for sysfs_power
+allow kpoc_charger sysfs_power:file rw_file_perms;
+
+# Purpose: add sepolicy for sysfs_dt_firmware_android
+r_dir_file(kpoc_charger, sysfs_dt_firmware_android)
+allow kpoc_charger proc_cmdline:file r_file_perms;
+
+# Purpose: add sepolicy for BatteryNotify
+allow kpoc_charger sysfs_battery_warning:file r_file_perms;
+
+# Operation: Android R Migration
+# Purpose : access vbus
+allow kpoc_charger sysfs_vbus:file r_file_perms;
+
+# Date : WK20.37
+# Operation : common-kernel-5.4
+# Purpose: add sepolicy for acessing metadata_file
+allow kpoc_charger metadata_file:dir search;
+
+#Date: WK20.52
+# Purpose : DRM / DRI GPU driver required
+allow kpoc_charger gpu_device:dir search;
+
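Review bot: `allow kpoc_charger self:capability { sys_nice net_admin sys_boot sys_admin };` grants sys_admin and net_admin under a comment that only says "Interact with kernel to perform kpoc_charger"; sys_admin in particular is close to root-equivalent, so the comment should name the syscall or driver interaction that requires each capability, or the capability should be dropped if it is only historical. sys_boot is self-explanatory for a charger-mode daemon that reboots, so a sentence like `# sys_boot: reboot into normal mode when the power key is held; sys_admin: TODO state the operation` is enough. Note also that only `kpoc_charger_exec` is declared here while the `kpoc_charger` domain itself is not; presumably it comes from plat_public, otherwise the `typeattribute kpoc_charger coredomain;` line will not compile.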
diff --git a/bsp/plat_private/logd.te b/bsp/plat_private/logd.te
new file mode 100644
index 0000000..d6022fd
--- /dev/null
+++ b/bsp/plat_private/logd.te
@@ -0,0 +1,10 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+set_prop(logd, logd_prop)
+set_prop(logd, log_tag_prop)
+
+# Date : W18.26
+# Allow logmuch related property
+set_prop(logd, system_mtk_logmuch_prop)
diff --git a/bsp/plat_private/mdi_redirector.te b/bsp/plat_private/mdi_redirector.te
new file mode 100644
index 0000000..015d0e1
--- /dev/null
+++ b/bsp/plat_private/mdi_redirector.te
@@ -0,0 +1,25 @@
+# ==============================================
+# Policy File of /system/bin/mdi_redirector Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mdi_redirector_exec ,exec_type, file_type, system_file_type;
+typeattribute mdi_redirector coredomain;
+
+init_daemon_domain(mdi_redirector)
+net_domain(mdi_redirector)
+
+# Date : WK19.07 2019/02/15
+# Operation : mdi_redirector integration test with AT&T Linkmaster
+# Purpose : To allow mdi_redirector create socket to forward KPI to PC tool
+allow mdi_redirector fwmarkd_socket:sock_file write;
+allow mdi_redirector self:tcp_socket create_stream_socket_perms;
+allow mdi_redirector self:udp_socket create_stream_socket_perms;
+allow mdi_redirector node:tcp_socket node_bind;
+allow mdi_redirector port:tcp_socket name_bind;
+allow mdi_redirector netd:unix_stream_socket connectto;
+
+# Allow to connect DMC HIDL server
+hal_client_domain(mdi_redirector, hal_mtk_dmc)
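Review bot: `allow mdi_redirector self:udp_socket create_stream_socket_perms;` applies the stream-socket permission set to a datagram socket; the listen/accept permissions it includes do not apply to UDP, and the usual idiom is `allow mdi_redirector self:udp_socket create_socket_perms;`. The same pattern appears in mdmi_redirector.te in this commit. A style nit on `type mdi_redirector_exec ,exec_type, file_type, system_file_type;`: the comma is spaced wrong, whereas mdmi_redirector.te has it right. Since the header says the daemon forwards modem KPI data to a PC tool over TCP and `port:tcp_socket name_bind` lets it bind any port carrying the generic port label, the header should also state the intended listener and that this rule set is expected only where the tool is enabled.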
diff --git a/bsp/plat_private/mdmi_redirector.te b/bsp/plat_private/mdmi_redirector.te
new file mode 100644
index 0000000..4e47f8f
--- /dev/null
+++ b/bsp/plat_private/mdmi_redirector.te
@@ -0,0 +1,25 @@
+# ==============================================
+# Policy File of /system/bin/mdmi_redirector Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mdmi_redirector_exec, exec_type, file_type, system_file_type;
+typeattribute mdmi_redirector coredomain;
+
+init_daemon_domain(mdmi_redirector)
+net_domain(mdmi_redirector)
+
+# Date : WK19.07 2019/02/15
+# Operation : mdmi_redirector integration test with AT&T Linkmaster
+# Purpose : To allow mdmi_redirector create socket to forward KPI to PC tool
+allow mdmi_redirector fwmarkd_socket:sock_file write;
+allow mdmi_redirector self:tcp_socket create_stream_socket_perms;
+allow mdmi_redirector self:udp_socket create_stream_socket_perms;
+allow mdmi_redirector node:tcp_socket node_bind;
+allow mdmi_redirector port:tcp_socket name_bind;
+allow mdmi_redirector netd:unix_stream_socket connectto;
+
+# Allow to connect DMC HIDL server
+hal_client_domain(mdmi_redirector, hal_mtk_dmc)
diff --git a/bsp/plat_private/mediaserver.te b/bsp/plat_private/mediaserver.te
new file mode 100644
index 0000000..65c7eb5
--- /dev/null
+++ b/bsp/plat_private/mediaserver.te
@@ -0,0 +1,27 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK15.32
+# Operation : Migration
+# Purpose : for control CPU during camera working flow
+allow mediaserver mtk_perf_service:service_manager find;
+
+# Date : WK16.29
+# Operation : Migration
+# Purpose : Add permission for gpu access
+allow mediaserver gas_srv_service:service_manager find;
+
+# Date : WK17.50
+# Operation : CMCC
+# Purpose: Allow set property to notify rtsp server timeout
+set_prop(mediaserver, system_prop)
+
+# Date : WK19.16
+# Operation : WFD
+# Purpose: Allow property operations
+
+# Date : WK21.14
+# Operation : WFD
+# Purpose: Allow property set for HDR10 cast and EM setting
+set_prop(mediaserver, system_mtk_media_wfd_prop)
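Review bot: The comment block `# Date : WK19.16` / `# Operation : WFD` / `# Purpose: Allow property operations` has no rule under it, so it is either a leftover from a rule that was removed or a rule that was forgotten; either drop the block or restore the rule it describes. `set_prop(mediaserver, system_prop)` also lets mediaserver write any property in the system_prop context, which is broader than the stated purpose of notifying an RTSP server timeout; naming the exact property in the comment, or giving it its own property context, would make the grant easier to narrow later.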
diff --git a/bsp/plat_private/met_log_d.te b/bsp/plat_private/met_log_d.te
new file mode 100644
index 0000000..a131568
--- /dev/null
+++ b/bsp/plat_private/met_log_d.te
@@ -0,0 +1,13 @@
+# ==============================================
+# Policy File of /system/bin/met_log_d Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute met_log_d coredomain;
+type met_log_d_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(met_log_d)
+
+set_prop(met_log_d, debug_prop)
diff --git a/bsp/plat_private/mmp.te b/bsp/plat_private/mmp.te
new file mode 100644
index 0000000..699a609
--- /dev/null
+++ b/bsp/plat_private/mmp.te
@@ -0,0 +1,12 @@
+# ==============================================
+# Policy File of /system/bin/mmp Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute mmp coredomain;
+type mmp_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(mmp)
+
diff --git a/bsp/plat_private/mtk_advcamserver.te b/bsp/plat_private/mtk_advcamserver.te
new file mode 100644
index 0000000..70a9984
--- /dev/null
+++ b/bsp/plat_private/mtk_advcamserver.te
@@ -0,0 +1,23 @@
+# ==============================================
+# Policy File of /system/bin/mtk_advcamserver Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mtk_advcamserver_exec, system_file_type, exec_type, file_type;
+typeattribute mtk_advcamserver coredomain;
+
+init_daemon_domain(mtk_advcamserver)
+
+binder_use(mtk_advcamserver)
+hwbinder_use(mtk_advcamserver)
+binder_call(mtk_advcamserver, mtk_advcamserver)
+binder_service(mtk_advcamserver)
+binder_call(mtk_advcamserver, binderservicedomain)
+binder_call(mtk_advcamserver, appdomain)
+
+add_service(mtk_advcamserver, mtk_advcamserver_service)
+get_prop(mtk_advcamserver, hwservicemanager_prop)
+
+allow mtk_advcamserver ion_device:chr_file r_file_perms;
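Review bot: `binder_call(mtk_advcamserver, appdomain)` lets this system daemon initiate binder calls into every app domain, and nothing in the header explains why; if it exists only so the server can invoke callbacks registered by camera clients, a comment saying so (`# callback into camera clients that registered listeners`) should sit above it, and a narrower target than appdomain should be considered. The self-call `binder_call(mtk_advcamserver, mtk_advcamserver)` on the preceding line is unusual enough to deserve a one-line justification as well. The trailing `allow mtk_advcamserver ion_device:chr_file r_file_perms;` grants read-only access to ion; if the server allocates buffers through it, confirm that read-only is really sufficient rather than discovering the denial at runtime.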
diff --git a/bsp/plat_private/netd.te b/bsp/plat_private/netd.te
new file mode 100644
index 0000000..8a6cf29
--- /dev/null
+++ b/bsp/plat_private/netd.te
@@ -0,0 +1,57 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.41
+# Operation : Migration
+# Purpose : ipv6 Tethering Test
+allow netd dhcp_data_file:dir rw_dir_perms;
+allow netd dhcp_data_file:file create_file_perms;
+allow netd self:capability { setuid net_bind_service setgid };
+
+# Date : W15.39
+# Operation : CAT6 T-put
+# Purpose : CAT6 T-put
+# Owner : Kang ouyang
+allow netd mtk_perf_service:service_manager find;
+
+# Date : W15.39
+# Operation : CAT6 T-put
+# Purpose : CAT6 T-put
+# Owner : Kang ouyang
+binder_call(netd, servicemanager)
+binder_call(netd, system_server)
+binder_use(netd)
+
+# Date : W16.27
+# Operation : nsiot set property(Only for Android N)
+# Purpose : nsiot set property
+# Owner : kang ouyang
+set_prop(netd, system_prop)
+
+# Date : W16.38
+# Operation : MD direct Tethering Test
+# Purpose : For support MDT
+allowxperm netd self:unix_stream_socket ioctl {SIOCSIFBR SIOCBRADDBR SIOCBRADDIF SIOCDEVPRIVATE};
+
+# Data : W18.38
+# Operation : Migration
+# Purpose : Trustonic TEE
+allow netd teeregistryd_app:fd use;
+allow netd teeregistryd_app:tcp_socket rw_socket_perms_no_ioctl;
+
+# Data : W19.24
+# Operation : Android Q DMC Migration
+# Purpose : To allow MAPI to create socket and submit data to PC
+allow netd mdi_redirector:fd use;
+allow netd mdi_redirector:tcp_socket rw_socket_perms_no_ioctl;
+
+# Data : W19.25
+# Operation : Android Q DMC Migration
+# Purpose : To allow MDMI to create socket as a test tool
+allow netd mdmi_redirector:fd use;
+allow netd mdmi_redirector:tcp_socket rw_socket_perms_no_ioctl;
+
+# Purpose: For EngineerMode communication with mnld
+allow netd em_app:fd use;
+allow netd em_app:tcp_socket rw_socket_perms_no_ioctl;
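Review bot: `set_prop(netd, system_prop)` is annotated "Only for Android N" yet ships in a policy targeting much newer releases, so either the rule is stale and should be removed, or the comment is wrong and should state the current need. The labels `# Data : W18.38`, `# Data : W19.24` and `# Data : W19.25` are typos for `# Date :`, inconsistent with the rest of the file. In `allowxperm netd self:unix_stream_socket ioctl {SIOCSIFBR SIOCBRADDBR SIOCBRADDIF SIOCDEVPRIVATE};`, SIOCDEVPRIVATE is the base of a driver-private ioctl range, so if the MDT driver uses an offset from it the single value will not match; confirm against the driver and name the actual ioctl in the comment.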
diff --git a/bsp/plat_private/nfc.te b/bsp/plat_private/nfc.te
new file mode 100644
index 0000000..1ec4436
--- /dev/null
+++ b/bsp/plat_private/nfc.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2016/11/10
+# Operation : SQC
+# Purpose : Allow NFC to use gas service
+allow nfc gas_srv_service:service_manager find;
diff --git a/bsp/plat_private/osi.te b/bsp/plat_private/osi.te
new file mode 100644
index 0000000..b645c5b
--- /dev/null
+++ b/bsp/plat_private/osi.te
@@ -0,0 +1,31 @@
+# ==============================================
+# Policy File of /system/bin/osi Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute osi coredomain;
+type osi_exec, system_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+permissive osi;
+')
+
+# Date : WK15.45
+# Operation : create
+# Purpose : Start osi
+init_daemon_domain(osi)
+net_domain(osi)
+
+userdebug_or_eng(`
+allow osi media_rw_data_file:file r_file_perms;
+allow osi sdcardfs:file rw_file_perms;
+allow osi self:capability net_raw;
+allow osi self:udp_socket ioctl;
+allow osi shell_exec:file x_file_perms;
+allow osi sysfs:dir r_dir_perms;
+allow osi sysfs_android_usb:dir search;
+allow osi sysfs_android_usb:file r_file_perms;
+allow osi toolbox_exec:file x_file_perms;
+')
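Review bot: `permissive osi;` inside the first `userdebug_or_eng` block means the domain is never enforced on debug builds, so the explicit allow list in the second block cannot be validated there and any missing rule only surfaces on user builds; prefer dropping the permissive line and completing the allow list on userdebug, where denials are visible in logs. The domain also receives `net_domain(osi)`, `allow osi self:capability net_raw;` and execute rights on `shell_exec` and `toolbox_exec`, so the header should say what osi does (file_contexts calls it VSIM 3.0) and why raw sockets and shell execution are required, since those are the rules a reviewer will want to justify.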
diff --git a/bsp/plat_private/platform_app.te b/bsp/plat_private/platform_app.te
new file mode 100644
index 0000000..93724a4
--- /dev/null
+++ b/bsp/plat_private/platform_app.te
@@ -0,0 +1,147 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2014/10/28
+# Operation : hs_xiangxu
+# Purpose : [ALPS01782971]Settings need read&write to system_app_data_file
+# Package: com.android.settings
+allow platform_app system_app_data_file:file rw_file_perms;
+
+# Date : 2015/09/06
+# Operation : SQC
+# Purpose : [NFC][can not get nfc service]
+# Package: com.android.gallery3d
+allow platform_app nfc_service:service_manager find;
+
+# Date : 2017/06/01
+# Operation : Migration
+# Purpose : Allow camera app to find advcam servive
+allow platform_app mtk_advcamserver_service:service_manager find;
+
+# Date: 2017/06/29
+# Operation: Migration
+# Purpose : Allow UICC terminal to find phoneEx service
+# Package: org.simalliance.openmobileapi
+allow platform_app mtk_radio_service:service_manager find;
+
+# Date : 2017/12/21
+# Operation: IT
+# Purpose : For hongbao optimization
+allow platform_app mtk_connmetrics_service:service_manager find;
+
+# Date: 2018/07/03
+# Operation: Migration
+# Purpose : Allow Rcs to get system_mtk_rcs_support_prop/system_mtk_em_tel_log_prop
+# Package: om.mediatek.rcs
+get_prop(platform_app, system_mtk_rcs_support_prop)
+get_prop(platform_app, system_mtk_em_tel_log_prop)
+
+# Date: 2018/07/03
+# Operation: Migration
+# Purpose : Allow Contacts to get system_mtk_uce_support_prop
+# Package: com.android.contacts
+get_prop(platform_app, system_mtk_uce_support_prop)
+
+# Date: 2018/07/04
+# Operation: P migration
+# Purpose : allow radio get vzw device type property
+get_prop(platform_app, system_mtk_persist_vendor_vzw_device_type_prop)
+
+# Date : 2018/07/02
+# Operation : Migration
+# Purpose : Allow platform app to get ECBM property
+get_prop(platform_app, system_mtk_cdma_ecm_prop)
+
+# Date: 2018/07/06
+# Operation: Migration
+# Purpose : Allow Entitlement to get system_mtk_wfc_entitlement_prop
+# Package: com.mediatek.entitlement
+get_prop(platform_app, system_mtk_wfc_entitlement_prop)
+
+# Date : 2018/07/27
+# Operation : Migration
+# Purpose : allow platform_app to find aal_service
+allow platform_app aal_service:service_manager find;
+
+# Date: 2018/10/25
+# Operation: Clientapi Develope
+# Purpose : Allow Contacts to get system_mtk_clientapi_support_prop
+# Package: com.android.contacts
+get_prop(platform_app, system_mtk_clientapi_support_prop)
+
+# Date: 2018/10/26
+# Purpose: Allow platform app to set and get Subsidy Lock properties
+set_prop(platform_app, system_mtk_subsidylock_connect_prop)
+
+# Date: 2018/10/26
+# Purpose: Allow platform app to set and get Subsidy Lock properties
+set_prop(platform_app, system_mtk_subsidylock_prop)
+
+# Date: 2019/02/13
+# Purpose : Allow ACS to get system_mtk_acs_url_prop, system_mtk_acs_version_prop and system_mtk_acs_support_prop
+get_prop(platform_app, system_mtk_acs_url_prop)
+get_prop(platform_app, system_mtk_acs_version_prop)
+get_prop(platform_app, system_mtk_acs_support_prop)
+
+# Date : 2019/05/28
+# Operation : Q Migration
+# Purpose : allow to get mtk_cta_set and mtk_cta_support property
+get_prop(platform_app, system_mtk_cta_set_prop)
+
+# Date: 2019/05/29
+# Operation : Migration
+# Purpose : Camera need read cl_cam_status
+# Package: com.mediatek.camera
+allow platform_app proc_cl_cam_status:file r_file_perms;
+
+# Date : 2019/06/03
+# Operation : Q Migration split build
+# Purpose : allow to get system_mtk_rsc_sys_prop
+get_prop(platform_app, system_mtk_rsc_sys_prop)
+
+# Date : 2019/06/27
+# Purpose : allow to set ctl.start/stop/restart property
+set_prop(platform_app, system_mtk_ctl_campostalgo_prop)
+
+# Date : 2019/06/27
+# Purpose : allow to find camera postalgo service.
+allow platform_app camerapostalgo_service:service_manager find;
+
+# Date : 2019/09/27
+# Operation : MDM IT with MDMLSample app
+# Purpose : For MDMLSample to auto start md_monitor
+set_prop(platform_app, config_prop)
+
+# Date: 2019/09/27
+# Operation : MDM IT with MDMLSample app
+# Purpose: allow to read init.svc.md_monitor property for calling SystemService.waitForState()
+get_prop(platform_app, system_mtk_init_svc_md_monitor_prop)
+
+# Date : 2020/03/26
+# Purpose : allow to find cta_networkdatacontroller_service.
+allow platform_app cta_networkdatacontroller_service:service_manager find;
+
+# Data : 2020/09/21
+# Purpose : allow to setprop persist.vendor.radio.bgdata.disable
+set_prop(platform_app, system_mtk_bgdata_disabled_prop)
+
+# Allow platform_app to interact with hal_teei_tui
+hal_client_domain(platform_app, hal_teei_tui)
+
+# Allow platform_app to interact with hal_teei_capi
+hal_client_domain(platform_app, hal_teei_capi)
+
+# Allow platform_app to interact with hal_teei_thh
+hal_client_domain(platform_app, hal_teei_thh)
+
+hal_client_domain(platform_app, hal_teei_ifaa)
+hal_client_domain(platform_app, hal_teei_wechat)
+
+# Date:2021/11/13
+# Operation: Add for DSDA in Dialer, add permission for accessing vendor.radio.dsda.state
+get_prop(platform_app, system_mtk_common_data_prop)
+
+# VoNR : 2021/11/26
+# Purpose : allow to setprop persist.vendor.dbg.vonr_ui_ovr
+set_prop(platform_app,system_mtk_dbg_ims_prop);
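Review bot: `set_prop(platform_app, config_prop)` in the 2019/09/27 block grants every platform-signed app write access to the core `config_prop` type, not just `persist.vendor.mdmmonitor`; the same type is reused for that property in the property_contexts hunk (`persist.vendor.mdmmonitor u:object_r:config_prop:s0`) and by `set_prop(radio, config_prop)` in the radio.te hunk. Declare a dedicated property type for it in property.te (a constructed name such as `system_mtk_mdmmonitor_prop`), label `persist.vendor.mdmmonitor` with that type, and use it in the set_prop calls so the grant covers only this property. Separately, the last line `set_prop(platform_app,system_mtk_dbg_ims_prop);` carries a trailing semicolon that no other macro call in the file has; write it as `set_prop(platform_app, system_mtk_dbg_ims_prop)`.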
diff --git a/bsp/plat_private/priv_app.te b/bsp/plat_private/priv_app.te
new file mode 100644
index 0000000..1da670a
--- /dev/null
+++ b/bsp/plat_private/priv_app.te
@@ -0,0 +1,37 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use mtk telephony APIs (phoneEx)
+allow priv_app mtk_radio_service:service_manager find;
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(priv_app, hal_mtk_pq)
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use shared memory for HAL PQ
+hal_client_domain(priv_app, hal_allocator)
+
+# Date : WK19.46
+# Purpose : access cta prop
+get_prop(priv_app, system_mtk_cta_set_prop)
+
+# Date: 2020/04/03
+# Operation : Network data controller feature
+# Purpose :allow priv_app to find cta_networkdatacontroller_service
+allow priv_app cta_networkdatacontroller_service:service_manager find;
+
+# Date: 2020/04/30
+# Operation : SQC
+# Purpose :allow priv_app to read write system_app_data_file
+allow priv_app system_app_data_file:file { read write };
+
+# Date: 2021/03/03
+# Operation : Migration
+# Purpose :allow priv_app Gallery to access drm service config property
+get_prop(priv_app, drm_service_config_prop)
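Review bot: `allow priv_app system_app_data_file:file { read write };` gives every privileged app read/write on files owned by system-UID apps, and the only stated reason is "SQC"; the comment `# Purpose :allow priv_app to read write system_app_data_file` restates the rule rather than the need. Name the app and the files involved in the comment, and prefer a dedicated file type for that shared data so the grant does not extend to all system_app_data_file objects.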
diff --git a/bsp/plat_private/property.te b/bsp/plat_private/property.te
new file mode 100644
index 0000000..6a37df6
--- /dev/null
+++ b/bsp/plat_private/property.te
@@ -0,0 +1,126 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# system_internal_prop -- Properties used only in /system
+# system_restricted_prop -- Properties which can't be written outside system
+# system_public_prop -- Properties with no restrictions
+# system_vendor_config_prop -- Properties which can be written only by vendor_init
+# vendor_internal_prop -- Properties used only in /vendor
+# vendor_restricted_prop -- Properties which can't be written outside vendor
+# vendor_public_prop -- Properties with no restrictions
+
+# Properties used only in /system
+system_internal_prop(system_mtk_aal_prop)
+system_internal_prop(system_mtk_acs_support_prop)
+system_internal_prop(system_mtk_acs_url_prop)
+system_internal_prop(system_mtk_acs_version_prop)
+system_internal_prop(system_mtk_amsaal_prop)
+system_internal_prop(system_mtk_apptoken_required_prop)
+system_internal_prop(system_mtk_atci_sys_prop)
+system_internal_prop(system_mtk_capctrl_sys_prop)
+system_internal_prop(system_mtk_bluetooth_prop)
+system_internal_prop(system_mtk_capability_switch_prop)
+system_internal_prop(system_mtk_cdma_ecm_prop)
+system_internal_prop(system_mtk_cdma_prop)
+system_internal_prop(system_mtk_clientapi_support_prop)
+system_internal_prop(system_mtk_common_data_prop)
+system_internal_prop(system_mtk_cta_set_prop)
+system_internal_prop(system_mtk_ctl_atcid_daemon_u_prop)
+system_internal_prop(system_mtk_ctl_campostalgo_prop)
+system_internal_prop(system_mtk_ctmslot_prop)
+system_internal_prop(system_mtk_debug_sf_prop)
+system_internal_prop(system_mtk_debug_bq_prop)
+system_internal_prop(system_mtk_duraspeed_drop_caches_prop)
+system_internal_prop(system_mtk_em_tel_log_prop)
+system_internal_prop(system_mtk_imsconfig_prop)
+system_internal_prop(system_mtk_logmuch_prop)
+system_internal_prop(system_mtk_media_wfd_prop)
+system_internal_prop(system_mtk_opt_in_url_prop)
+system_internal_prop(system_mtk_permission_control_prop)
+system_internal_prop(system_mtk_persist_vendor_vzw_device_type_prop)
+system_internal_prop(system_mtk_rcs_support_prop)
+system_internal_prop(system_mtk_rsc_sys_prop)
+system_internal_prop(system_mtk_rtt_prop)
+system_internal_prop(system_mtk_selfreg_prop)
+system_internal_prop(system_mtk_subsidylock_connect_prop)
+system_internal_prop(system_mtk_supp_serv_prop)
+system_internal_prop(system_mtk_telecom_vibrate_prop)
+system_internal_prop(system_mtk_terservice_prop)
+system_internal_prop(system_mtk_uce_support_prop)
+system_internal_prop(system_mtk_update_prop)
+system_internal_prop(system_mtk_usb_tethering_prop)
+system_internal_prop(system_mtk_usp_srv_prop)
+system_internal_prop(system_mtk_vsim_sys_prop)
+system_internal_prop(system_mtk_wfc_entitlement_prop)
+system_internal_prop(system_mtk_wfc_opt_in_prop)
+system_internal_prop(system_mtk_world_phone_prop)
+system_internal_prop(system_mtk_ctm_prop)
+system_internal_prop(system_mtk_graphics_sf_gll_prop)
+system_internal_prop(system_mtk_subsidylock_prop)
+system_internal_prop(system_mtk_gwsd_prop)
+system_internal_prop(system_mtk_vodata_prop)
+system_internal_prop(system_mtk_fd_prop)
+system_internal_prop(system_mtk_dbg_ims_prop)
+
+# Properties which can be written only by vendor_init
+system_vendor_config_prop(system_mtk_graphics_sf_gll_ro_prop)
+system_vendor_config_prop(system_mtk_update_support_prop)
+
+# Properties which can't be written outside vendor
+#=============allow netflix read property==============
+system_public_prop(netflix_bsp_rev_prop)
+
+# Properties with can't be accessed by device-sepcific domains
+typeattribute system_mtk_aal_prop extended_core_property_type;
+typeattribute system_mtk_acs_support_prop extended_core_property_type;
+typeattribute system_mtk_acs_url_prop extended_core_property_type;
+typeattribute system_mtk_acs_version_prop extended_core_property_type;
+typeattribute system_mtk_amsaal_prop extended_core_property_type;
+typeattribute system_mtk_apptoken_required_prop extended_core_property_type;
+typeattribute system_mtk_atci_sys_prop extended_core_property_type;
+typeattribute system_mtk_capctrl_sys_prop extended_core_property_type;
+typeattribute system_mtk_bluetooth_prop extended_core_property_type;
+typeattribute system_mtk_capability_switch_prop extended_core_property_type;
+typeattribute system_mtk_cdma_ecm_prop extended_core_property_type;
+typeattribute system_mtk_cdma_prop extended_core_property_type;
+typeattribute system_mtk_clientapi_support_prop extended_core_property_type;
+typeattribute system_mtk_common_data_prop extended_core_property_type;
+typeattribute system_mtk_cta_set_prop extended_core_property_type;
+typeattribute system_mtk_ctl_atcid_daemon_u_prop extended_core_property_type;
+typeattribute system_mtk_ctl_campostalgo_prop extended_core_property_type;
+typeattribute system_mtk_ctmslot_prop extended_core_property_type;
+typeattribute system_mtk_debug_sf_prop extended_core_property_type;
+typeattribute system_mtk_debug_bq_prop extended_core_property_type;
+typeattribute system_mtk_duraspeed_drop_caches_prop extended_core_property_type;
+typeattribute system_mtk_em_tel_log_prop extended_core_property_type;
+typeattribute system_mtk_heavy_loading_prop extended_core_property_type;
+typeattribute system_mtk_imsconfig_prop extended_core_property_type;
+typeattribute system_mtk_logmuch_prop extended_core_property_type;
+typeattribute system_mtk_media_wfd_prop extended_core_property_type;
+typeattribute system_mtk_opt_in_url_prop extended_core_property_type;
+typeattribute system_mtk_permission_control_prop extended_core_property_type;
+typeattribute system_mtk_persist_vendor_vzw_device_type_prop extended_core_property_type;
+typeattribute system_mtk_rcs_support_prop extended_core_property_type;
+typeattribute system_mtk_rsc_sys_prop extended_core_property_type;
+typeattribute system_mtk_rtt_prop extended_core_property_type;
+typeattribute system_mtk_selfreg_prop extended_core_property_type;
+typeattribute system_mtk_subsidylock_connect_prop extended_core_property_type;
+typeattribute system_mtk_subsidylock_prop extended_core_property_type;
+typeattribute system_mtk_supp_serv_prop extended_core_property_type;
+typeattribute system_mtk_telecom_vibrate_prop extended_core_property_type;
+typeattribute system_mtk_terservice_prop extended_core_property_type;
+typeattribute system_mtk_uce_support_prop extended_core_property_type;
+typeattribute system_mtk_update_prop extended_core_property_type;
+typeattribute system_mtk_update_support_prop extended_core_property_type;
+typeattribute system_mtk_usb_tethering_prop extended_core_property_type;
+typeattribute system_mtk_usp_srv_prop extended_core_property_type;
+typeattribute system_mtk_vsim_sys_prop extended_core_property_type;
+typeattribute system_mtk_wfc_entitlement_prop extended_core_property_type;
+typeattribute system_mtk_wfc_opt_in_prop extended_core_property_type;
+typeattribute system_mtk_world_phone_prop extended_core_property_type;
+typeattribute system_mtk_ctm_prop extended_core_property_type;
+typeattribute system_mtk_gwsd_prop extended_core_property_type;
+typeattribute system_mtk_vodata_prop extended_core_property_type;
+typeattribute system_mtk_fd_prop extended_core_property_type;
+typeattribute system_mtk_dbg_ims_prop extended_core_property_type;
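Review bot: `typeattribute system_mtk_heavy_loading_prop extended_core_property_type;` references a type that has no `system_internal_prop(...)` declaration in this file alongside the others; unless it is declared elsewhere in the tree, the policy will not compile. Conversely, types used in the property_contexts hunk (`system_mtk_amslog_prop`, `system_mtk_pkm_init_prop`, `system_mtk_init_svc_md_monitor_prop`) are not declared here either — confirm where they are defined. The header above `system_public_prop(netflix_bsp_rev_prop)` reads `# Properties which can't be written outside vendor`, which describes vendor_restricted_prop rather than the macro used; change it to `# Properties with no restrictions`, and fix `device-sepcific` to `device-specific` in the comment below it.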
diff --git a/bsp/plat_private/property_contexts b/bsp/plat_private/property_contexts
new file mode 100644
index 0000000..8689a95
--- /dev/null
+++ b/bsp/plat_private/property_contexts
@@ -0,0 +1,173 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+ctl.atcid-daemon-u u:object_r:system_mtk_ctl_atcid_daemon_u_prop:s0
+persist.vendor.radio.port_index u:object_r:system_mtk_atci_sys_prop:s0
+vendor.ril.atci.flightmode u:object_r:system_mtk_atci_sys_prop:s0
+persist.vendor.service.atci.autostart u:object_r:system_mtk_atci_sys_prop:s0
+persist.vendor.service.atci.usermode u:object_r:system_mtk_atci_sys_prop:s0
+
+vendor.ril.capctrl_loaded u:object_r:system_mtk_capctrl_sys_prop:s0
+
+persist.vendor.sys.aal. u:object_r:system_mtk_aal_prop:s0
+
+vendor.moms.permission.control.policy.set u:object_r:system_mtk_permission_control_prop:s0
+
+persist.vendor.ter u:object_r:system_mtk_terservice_prop:s0
+vendor.ter.service u:object_r:system_mtk_terservice_prop:s0
+
+ro.vendor.mtk_cta_set u:object_r:system_mtk_cta_set_prop:s0
+
+ro.sys.current_rsc_path u:object_r:system_mtk_rsc_sys_prop:s0
+ro.product.current_rsc_path u:object_r:system_mtk_rsc_sys_prop:s0
+ro.sys_ext.current_rsc_path u:object_r:system_mtk_rsc_sys_prop:s0
+
+# Restrict access to starting/stopping campostalgo
+ctl.start$camerapostalgo u:object_r:system_mtk_ctl_campostalgo_prop:s0
+ctl.stop$camerapostalgo u:object_r:system_mtk_ctl_campostalgo_prop:s0
+ctl.restart$camerapostalgo u:object_r:system_mtk_ctl_campostalgo_prop:s0
+
+persist.vendor.radio.telecom.vibrate u:object_r:system_mtk_telecom_vibrate_prop:s0
+
+ro.vendor.graphiclowlatency.version u:object_r:system_mtk_graphics_sf_gll_ro_prop:s0
+vendor.debug.sf. u:object_r:system_mtk_debug_sf_prop:s0
+vendor.debug.bq. u:object_r:system_mtk_debug_bq_prop:s0
+
+# CT SelfRegister property
+persist.vendor.radio.selfreg u:object_r:system_mtk_selfreg_prop:s0
+
+# USB tethering property for auto test
+persist.vendor.net.tethering u:object_r:system_mtk_usb_tethering_prop:s0
+
+# android log much detect
+persist.vendor.logmuch u:object_r:system_mtk_logmuch_prop:s0
+
+persist.vendor.entitlement_enabled u:object_r:system_mtk_wfc_entitlement_prop:s0
+persist.vendor.entitlement.sesurl u:object_r:system_mtk_wfc_entitlement_prop:s0
+persist.vendor.entitlement.dbg. u:object_r:system_mtk_wfc_entitlement_prop:s0
+persist.vendor.net.wo.epdg_fqdn u:object_r:system_mtk_wfc_entitlement_prop:s0
+
+persist.vendor.mtk_wfc_opt_in u:object_r:system_mtk_wfc_opt_in_prop:s0
+persist.vendor.opt-in.url u:object_r:system_mtk_opt_in_url_prop:s0
+persist.vendor.apptoken.required u:object_r:system_mtk_apptoken_required_prop:s0
+
+# common data releated property
+persist.vendor.radio.default.data.selected u:object_r:system_mtk_common_data_prop:s0
+persist.vendor.radio.mobile.mtu u:object_r:system_mtk_common_data_prop:s0
+vendor.radio.dsda.state u:object_r:system_mtk_common_data_prop:s0
+
+# carrier express (cxp)
+persist.vendor.operator.optr_1 u:object_r:system_mtk_usp_srv_prop:s0
+persist.vendor.operator.spec_1 u:object_r:system_mtk_usp_srv_prop:s0
+persist.vendor.operator.seg_1 u:object_r:system_mtk_usp_srv_prop:s0
+persist.vendor.mtk_usp u:object_r:system_mtk_usp_srv_prop:s0
+
+persist.vendor.update_finished u:object_r:system_mtk_update_prop:s0
+persist.vendor.previous_slot u:object_r:system_mtk_update_prop:s0
+
+vendor.media.wfd. u:object_r:system_mtk_media_wfd_prop:s0
+vendor.media.wfd.portrait u:object_r:system_mtk_media_wfd_prop:s0
+vendor.media.wfd.video-format u:object_r:system_mtk_media_wfd_prop:s0
+
+vendor.gsm.disable.sim.dialog u:object_r:system_mtk_vsim_sys_prop:s0
+
+# supplementary service property
+vendor.gsm.radio.ss.sc u:object_r:system_mtk_supp_serv_prop:s0
+vendor.gsm.radio.ss.imsdereg u:object_r:system_mtk_supp_serv_prop:s0
+persist.vendor.radio.cfu.iccid. u:object_r:system_mtk_supp_serv_prop:s0
+persist.vendor.radio.cfu.change. u:object_r:system_mtk_supp_serv_prop:s0
+persist.vendor.radio.cfu_over_ims u:object_r:system_mtk_supp_serv_prop:s0
+persist.vendor.radio.cfu.sync_for_ota u:object_r:system_mtk_supp_serv_prop:s0
+persist.vendor.radio.cfu.mode u:object_r:system_mtk_supp_serv_prop:s0
+persist.vendor.radio.cfu.timeslot. u:object_r:system_mtk_supp_serv_prop:s0
+persist.vendor.radio.cfu.querytype u:object_r:system_mtk_supp_serv_prop:s0
+persist.vendor.suppserv. u:object_r:system_mtk_supp_serv_prop:s0
+vendor.suppserv. u:object_r:system_mtk_supp_serv_prop:s0
+
+vendor.bluetooth. u:object_r:system_mtk_bluetooth_prop:s0
+persist.vendor.bluetooth. u:object_r:system_mtk_bluetooth_prop:s0
+
+# tel log property
+persist.vendor.log.tel_dbg u:object_r:system_mtk_em_tel_log_prop:s0
+
+# ims config property
+vendor.ril.imsconfig.force.notify u:object_r:system_mtk_imsconfig_prop:s0
+
+# mtk duraspeed property
+persist.vendor.sys.vm.drop_caches u:object_r:system_mtk_duraspeed_drop_caches_prop:s0
+
+ro.vendor.mtk_system_update_support u:object_r:system_mtk_update_support_prop:s0
+
+# AMS dynamic enable log property
+persist.vendor.sys.activitylog u:object_r:system_mtk_amslog_prop:s0
+
+# AMS-aal dynamic enable property
+persist.vendor.sys.mtk_app_aal_support u:object_r:system_mtk_amsaal_prop:s0
+
+# MTK CDMA Less property
+persist.vendor.vzw_device_type u:object_r:system_mtk_persist_vendor_vzw_device_type_prop:s0
+
+persist.vendor.mtk_rtt_support u:object_r:system_mtk_rtt_prop:s0
+
+persist.vendor.ctm_slot_flag u:object_r:system_mtk_ctmslot_prop:s0
+
+persist.vendor.mtk_uce_support u:object_r:system_mtk_uce_support_prop:s0
+
+persist.vendor.mtk_clientapi_support u:object_r:system_mtk_clientapi_support_prop:s0
+
+vendor.cdma.icc.operator.mcc u:object_r:system_mtk_cdma_prop:s0
+
+# ECBM property
+vendor.ril.cdma.inecmmode_by_slot u:object_r:system_mtk_cdma_ecm_prop:s0
+
+persist.vendor.mtk_rcs_support u:object_r:system_mtk_rcs_support_prop:s0
+
+# MTK World Phone property
+persist.vendor.radio.wm_selectmode u:object_r:system_mtk_world_phone_prop:s0
+persist.vendor.radio.wm_fddtimer u:object_r:system_mtk_world_phone_prop:s0
+
+# MTK Capability Switch property
+persist.vendor.radio.unlock u:object_r:system_mtk_capability_switch_prop:s0
+persist.vendor.radio.unlock.roaming u:object_r:system_mtk_capability_switch_prop:s0
+persist.vendor.radio.wait.imsi u:object_r:system_mtk_capability_switch_prop:s0
+persist.vendor.radio.waitimsi.roaming u:object_r:system_mtk_capability_switch_prop:s0
+persist.vendor.radio.sim.status u:object_r:system_mtk_capability_switch_prop:s0
+persist.vendor.radio.new.sim.slot u:object_r:system_mtk_capability_switch_prop:s0
+vendor.ril.imsi.status. u:object_r:system_mtk_capability_switch_prop:s0
+persist.vendor.radio.simswitchstate u:object_r:system_mtk_capability_switch_prop:s0
+
+persist.vendor.subsidylock.connectivity_status u:object_r:system_mtk_subsidylock_connect_prop:s0
+persist.vendor.subsidylock u:object_r:system_mtk_subsidylock_prop:s0
+
+persist.vendor.mtk_acs_version u:object_r:system_mtk_acs_version_prop:s0
+persist.vendor.mtk_acs_support u:object_r:system_mtk_acs_support_prop:s0
+persist.vendor.mtk_acs_url u:object_r:system_mtk_acs_url_prop:s0
+
+# Modem Monitor property===========
+persist.vendor.mdmmonitor u:object_r:config_prop:s0
+
+init.svc.mtk_pkm_service u:object_r:system_mtk_pkm_init_prop:s0
+
+# MDM init control property
+init.svc.md_monitor u:object_r:system_mtk_init_svc_md_monitor_prop:s0
+
+# netflix HD property
+ro.netflix.bsp_rev u:object_r:netflix_bsp_rev_prop:s0
+
+service.ctm.slot_flag u:object_r:system_mtk_ctm_prop:s0
+
+vendor.sf.gll.istarget u:object_r:system_mtk_graphics_sf_gll_prop:s0
+vendor.sf.gll.q2l u:object_r:system_mtk_graphics_sf_gll_prop:s0
+vendor.sf.gll.avgl2p u:object_r:system_mtk_graphics_sf_gll_prop:s0
+
+ro.vendor.mtk_gwsd_support u:object_r:system_mtk_gwsd_prop:s0
+
+ro.vendor.vodata_support u:object_r:system_mtk_vodata_prop:s0
+
+# fastdormancy property
+persist.vendor.fd.on.charge u:object_r:system_mtk_fd_prop:s0
+persist.vendor.fd.screen.off.only u:object_r:system_mtk_fd_prop:s0
+
+#allow entitlement to set vonr debug
+persist.vendor.dbg.vonr_ui_ovr u:object_r:system_mtk_dbg_ims_prop:s0
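Review bot: entries without an `exact` qualifier are prefix matches, so lines such as `persist.vendor.ter u:object_r:system_mtk_terservice_prop:s0` and `persist.vendor.subsidylock u:object_r:system_mtk_subsidylock_prop:s0` also label any future property whose name merely begins with that string. For properties that are a single value, append `exact` (with the value type where known, e.g. `exact bool`) so unrelated names sharing the prefix do not inherit the label; keep the trailing-dot form only for intentional namespaces like `vendor.debug.sf.`. The `persist.vendor.mdmmonitor u:object_r:config_prop:s0` entry reuses a core type and is discussed in the platform_app.te note.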
diff --git a/bsp/plat_private/radio.te b/bsp/plat_private/radio.te
new file mode 100644
index 0000000..27bb5d2
--- /dev/null
+++ b/bsp/plat_private/radio.te
@@ -0,0 +1,183 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow radio mtk_registry_service:service_manager add;
+
+# Fix boot violation
+add_service(radio, mtk_radio_service)
+
+# Date : WK1721 2017/5/26
+# Operation : IT
+# Purpose : Allow to use HAL Wfo
+hal_client_domain(radio, hal_mtk_wfo)
+
+# Date : 2017/06/06
+# Purpose: for iphonesubinfoEx service
+add_service(radio, mtk_phonesubinfo_service)
+
+# Date : 2017/06/15
+# Purpose: for mtksimphonebook service
+add_service(radio, mtk_simphonebook_service)
+
+# Date : 2017/08/14
+# Operation : VT development
+# Purpose : Add vtservice to support video telephony functionality
+# 3G VT/ViLTE both use this service which will also communication with IMCB/Rild
+allow radio vtservice_service:service_manager find;
+
+# Date : 2017/09/25
+# Operation : Migration IT with Privacy Protection Lock
+# Purpose : for pplSmsFilterExtension find ppl_agent service
+allow radio ppl_agent_service:service_manager find;
+
+# Date : 2018/06/22
+# Operation : P migration
+# Purpose : Allow ctm to set system_mtk_ctmslot_prop
+set_prop(radio, system_mtk_ctmslot_prop)
+
+# Date : WK18.26 2018/06/25
+# Operation : IT
+# Purpose : for setting ims config force notify property
+set_prop(radio, system_mtk_imsconfig_prop)
+
+# Date : 2018/06/28
+# Operation : P migration
+# Purpose : Allow radio to set vendor prop in core domain
+set_prop(radio, system_mtk_cdma_prop)
+
+# Date: 2018/06/29
+# Operation: P migration
+# Purpose : allow radio set world phohe property
+set_prop(radio, system_mtk_world_phone_prop)
+
+# Date : 2018/6/29
+# Operation: P migration
+set_prop(radio, system_mtk_vsim_sys_prop)
+set_prop(radio, ctl_start_prop)
+set_prop(radio, ctl_stop_prop)
+
+# Date : 2020/10/30
+# Operation: R migration
+set_prop(radio, system_mtk_capctrl_sys_prop)
+
+# Date : 2018/07/02
+# Operation : Migration
+# Purpose : Allow Phone process to set ECBM property
+set_prop(radio, system_mtk_cdma_ecm_prop)
+
+# Date : 2018/07/02
+# Operation : P migration
+# Purpose : Allow radio to get/set system_mtk_supp_serv_prop
+set_prop(radio, system_mtk_supp_serv_prop)
+
+# Date : 2018/07/03
+# Operation : P migration
+# Purpose : Allow framework to set system_mtk_common_data_prop
+set_prop(radio, system_mtk_common_data_prop)
+
+# Date: 2018/07/03
+# Operation: P migration
+# Purpose : allow radio set capability switch property
+set_prop(radio, system_mtk_capability_switch_prop)
+
+# Date: 2018/07/04
+# Operation: P migration
+# Purpose : allow radio get vzw device type property
+get_prop(radio, system_mtk_persist_vendor_vzw_device_type_prop)
+
+# Date : 2018/07/03
+# Stage: Migration
+# Purpose: allow radio to get RTT property
+get_prop(radio, system_mtk_rtt_prop)
+
+# Date: 2018/07/06
+# Operation: Migration
+# Purpose : Allow Entitlement to get system_mtk_wfc_entitlement_prop
+# Package: com.mediatek.entitlement
+set_prop(radio, system_mtk_wfc_entitlement_prop)
+
+# Date: 2018/09/13
+# Operation: Support UCE Property
+set_prop(radio, system_mtk_uce_support_prop)
+
+# Date : 2018/10/05
+# Operation : P Migration
+# Purpose : allow to find aal_service
+allow radio aal_service:service_manager find;
+
+# Date: 2018/10/31
+# Operation: Support SubsidyLock
+set_prop(radio, system_mtk_subsidylock_connect_prop)
+
+# Date: 2018/10/31
+# Operation: Support SubsidyLock
+get_prop(radio, system_mtk_subsidylock_prop)
+
+# Date: 2018/12/20
+# Operation: Support GWSD
+add_service(radio, mtk_gwsd_service)
+
+# Date : 2019/05/16
+# Operation : MDM IT with Swift app
+# Purpose : for app labeled by radio to auto start md_monitor
+set_prop(radio, config_prop)
+
+# Date : 2019/05/28
+# Operation : Q Migration
+# Purpose : allow to get mtk_cta_set and mtk_cta_support property
+get_prop(radio, system_mtk_cta_set_prop)
+
+# Date : 2019/06/03
+# Operation : Q Migration split build
+# Purpose : allow to get system_mtk_rsc_sys_prop
+get_prop(radio, system_mtk_rsc_sys_prop)
+
+# Date: 2019/07/23
+# Operation : Swift app IT
+# Purpose: allow to read init.svc.md_monitor property for calling SystemService.waitForState()
+get_prop(radio, system_mtk_init_svc_md_monitor_prop)
+
+# Date : 2020/03/20
+# Operation: R migration
+get_prop(radio, system_mtk_telecom_vibrate_prop)
+
+# Date : 2020/04/13
+# Purpose: get CT Register system property
+get_prop(radio, system_mtk_selfreg_prop)
+
+# Date : 2020/03/23
+# Operation : Migration
+# Purpose : apps need to get networkdatacontroller Service
+allow radio cta_networkdatacontroller_service:service_manager find;
+
+# Date : 2021/07/27
+# Operation : Migration
+# Purpose : Allow presence service to add AOSP service by ServiceManager
+allow radio uce_service:service_manager add;
+
+# Date: 2019/04/10
+# Purpose: ctm set property
+# Package Name: cn.richinfo.dm
+set_prop(radio, system_mtk_ctm_prop)
+
+# Date: 2020/06/30
+# Operation: Support VODATA
+add_service(radio, mtk_vodata_service)
+
+# Date : 2020/09/16
+# Operation : R Migration
+# Purpose : allow radio to get telephony log property
+get_prop(radio, system_mtk_em_tel_log_prop)
+
+# Date : 2021/01/07
+# Purpose : Allow radio to read ro.vendor.mtk_gwsd_support
+get_prop(radio, system_mtk_gwsd_prop)
+
+# Date : 2021/04/25
+# Purpose : Allow radio to read fastdormancy property
+get_prop(radio, system_mtk_fd_prop)
+
+# Date : 2021/12/22
+# Purpose : Allow radio to read ims debug property
+get_prop(radio, system_mtk_dbg_ims_prop)
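Review bot: `set_prop(radio, ctl_start_prop)` and `set_prop(radio, ctl_stop_prop)` in the 2018/6/29 block let the radio domain start and stop any init service, and the block gives no purpose for them. Scope them to the specific services with `ctl.start$<service>` / `ctl.stop$<service>` property_contexts entries labeled by a dedicated type, as this commit already does for camerapostalgo, and name the service in the comment. `set_prop(radio, config_prop)` has the same over-broad shape and is covered in the platform_app.te note.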
diff --git a/bsp/plat_private/resize.te b/bsp/plat_private/resize.te
new file mode 100644
index 0000000..573125c
--- /dev/null
+++ b/bsp/plat_private/resize.te
@@ -0,0 +1,26 @@
+# ==============================================
+# Policy File of /system/bin/resize_xxx Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute resize coredomain;
+type resize_exec, exec_type, file_type, system_file_type;
+
+# Date : WK15.30 => WK20.10, Android R Version
+# Operation : Migration
+# Purpose : resize fs(ext4/f2fs) partition, only run once.
+init_daemon_domain(resize)
+
+allow resize resize_exec:file execute_no_trans;
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow resize devpts:chr_file rw_file_perms;
+allow resize proc_swaps:file rw_file_perms;
+allow resize dm_device:blk_file rw_file_perms;
+allow resize userdata_block_device:blk_file rw_file_perms;
+allow resize metadata_block_device:blk_file getattr;
+allow resize block_device:dir search;
+allowxperm resize userdata_block_device:blk_file ioctl { BLKDISCARDZEROES BLKROGET };
+allow resize sysfs_fs_ext4_features:dir search;
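Review bot: `allow resize proc_swaps:file rw_file_perms;` grants write on /proc/swaps, which the stated purpose (resizing an ext4/f2fs partition) does not appear to need; if the tool only reads it, narrow the rule to `r_file_perms`. The comment `only run once` describes behaviour the policy cannot enforce, so it would help to state what actually bounds the daemon's lifetime (presumably its init service definition — TODO confirm) next to `init_daemon_domain(resize)`.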
diff --git a/bsp/plat_private/rsu_app.te b/bsp/plat_private/rsu_app.te
new file mode 100644
index 0000000..73410e7
--- /dev/null
+++ b/bsp/plat_private/rsu_app.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Policy File of /system/priv-app/RsuService/RsuService.apk etc. Executable File
+
+typeattribute rsu_app mlstrustedobject;
+app_domain(rsu_app)
+
+# Common
+allow rsu_app activity_service:service_manager find;
+allow rsu_app activity_task_service:service_manager find;
+allow rsu_app gpu_service:service_manager find;
+allow rsu_app surfaceflinger_service:service_manager find;
+allow rsu_app autofill_service:service_manager find;
+allow rsu_app textservices_service:service_manager find;
+
+#Purpose:For wakelock get power manager service
+allow rsu_app thermal_service:service_manager find;
+
+
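Review bot: the comment `#Purpose:For wakelock get power manager service` does not match the rule beneath it, which grants `thermal_service:service_manager find`; one of the two is wrong and should be corrected. `typeattribute rsu_app mlstrustedobject;` is unusual for an app domain and carries no justification; add a why-comment such as `# mlstrustedobject: <reason> — TODO confirm` or drop it. The two trailing blank lines at the end of the file can go.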
diff --git a/bsp/plat_private/sdcardd.te b/bsp/plat_private/sdcardd.te
new file mode 100644
index 0000000..816d76d
--- /dev/null
+++ b/bsp/plat_private/sdcardd.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.48
+# Purpose : unknown
+allow sdcardd platform_app:fd use;
+allow sdcardd untrusted_app:fd use;
+
+# Date : WK15.38
+# Operation : Migration
+# Purpose : for M migration SQC
+typeattribute sdcardd mlstrustedsubject;
+
+# Date : WK17.14
+# Operation : SD card format to internal storage
+# Purpose : for N1 SQC
+allow sdcardd sdcardfs:dir mounton;
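Review bot: the `# Purpose : unknown` block keeps `allow sdcardd platform_app:fd use;` and `allow sdcardd untrusted_app:fd use;` with no stated need, and each one widens what an app can hand to sdcardd; re-validate them against audit logs and drop any that produce no denial. `typeattribute sdcardd mlstrustedsubject;` is justified only as "for M migration SQC"; state which MLS constraint it exists to bypass, e.g. `# mlstrustedsubject: needed to access <objects> across user levels — TODO confirm`.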
diff --git a/bsp/plat_private/seapp_contexts b/bsp/plat_private/seapp_contexts
new file mode 100644
index 0000000..8f7a601
--- /dev/null
+++ b/bsp/plat_private/seapp_contexts
@@ -0,0 +1,17 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# This is for trustonic rootpa apk
+user=system seinfo=platform name=com.gd.mobicore.pa domain=teeregistryd_app
+user=system seinfo=platform name=com.trustonic.teeservice domain=teed_app
+
+# This is for EngineerMode apk
+user=_app seinfo=platform name=com.mediatek.engineermode domain=em_app type=em_app_data_file levelFrom=user
+user=_app seinfo=platform name=com.mediatek.apmonitor domain=apmsrv_app type=app_data_file levelFrom=user
+
+# This is for CapabilityTest apk
+user=_app seinfo=platform name=com.mediatek.capabilitytest domain=capability_app type=app_data_file levelFrom=user
+
+# This is for RsuService apk
+user=_app seinfo=platform name=com.mediatek.rsuprocess domain=rsu_app type=app_data_file levelFrom=user
diff --git a/bsp/plat_private/service.te b/bsp/plat_private/service.te
new file mode 100644
index 0000000..4796d8d
--- /dev/null
+++ b/bsp/plat_private/service.te
@@ -0,0 +1,44 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type nvram_agent_service, service_manager_type;
+type aal_service, service_manager_type;
+type mtk_connmetrics_service, service_manager_type;
+type terservice_service, service_manager_type;
+type camerapostalgo_service, service_manager_type;
+type cta_networkdatacontroller_service, service_manager_type;
+type mtk_vodata_service, service_manager_type;
+type mtk_anrmanager_service, app_api_service, system_server_service, service_manager_type;
+type mtk_permrecords_service, app_api_service, system_server_service, service_manager_type;
+type mtk_advcamserver_service, service_manager_type;
+type ota_agent_service, service_manager_type;
+type mtk_perf_service, app_api_service, system_server_service, service_manager_type;
+type mtk_power_hal_mgr_service, app_api_service, system_server_service, service_manager_type;
+type mtk_registry_service, app_api_service, service_manager_type;
+type mtk_phonesubinfo_service, app_api_service, service_manager_type;
+type mtk_radio_service, service_manager_type;
+type mtk_telecom_service, app_api_service, system_server_service, service_manager_type;
+type mtk_simphonebook_service, app_api_service, service_manager_type;
+type mtk_data_shaping_service, app_api_service, system_server_service, service_manager_type;
+type mtk_duraspeed_service, app_api_service, system_server_service, service_manager_type;
+type mtk_autoboot_service, app_api_service, system_server_service, service_manager_type;
+type gas_srv_service, service_manager_type;
+type fpspolicy-server_service, service_manager_type;
+type mtk_carrierexpress_service, app_api_service, service_manager_type;
+type vtservice_service, service_manager_type;
+type ppl_agent_service, service_manager_type;
+type mtk_gwsd_service, service_manager_type;
+type tee_service, service_manager_type;
+type teeregistry_service, service_manager_type;
+type mtk_mobile_service, app_api_service, system_server_service, service_manager_type;
+type mtk_msg_monitor_service, app_api_service, system_server_service, service_manager_type;
+type mtk_epdg_service, app_api_service, system_server_service, service_manager_type;
+type mtk_rns_service, app_api_service, system_server_service, service_manager_type;
+type mtk_search_engine_service, app_api_service, system_server_service, service_manager_type;
+type mtk_omadm_service, app_api_service, system_server_service, service_manager_type;
+type mtk_fm_radio_service, app_api_service, system_server_service, service_manager_type;
+type mtk_vowbridge_service, app_api_service, system_server_service, service_manager_type;
+type mtk_appdetection_service, app_api_service, system_server_service, service_manager_type;
+type vtservice_hidl_service, service_manager_type;
+type teei_ifaa_service, app_api_service, service_manager_type;
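Review bot: Several service types here carry `app_api_service` without `system_server_service` (`mtk_registry_service`, `mtk_phonesubinfo_service`, `mtk_simphonebook_service`, `mtk_carrierexpress_service`, `teei_ifaa_service`), which makes them discoverable by every app domain, untrusted ones included, with no further rule. For the services that this change has an app register rather than system_server (system_app adds `mtk_carrierexpress_service` and `teei_ifaa_service`), a comment should state that the Binder interface performs its own caller checks, e.g. `# app_api_service: findable by all apps; caller permission is checked in-service`. If only platform apps are meant to reach them, dropping `app_api_service` and granting `find` to the specific domains is the tighter option.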
diff --git a/bsp/plat_private/service_contexts b/bsp/plat_private/service_contexts
new file mode 100644
index 0000000..f9b41f3
--- /dev/null
+++ b/bsp/plat_private/service_contexts
@@ -0,0 +1,56 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+anrmanager u:object_r:mtk_anrmanager_service:s0
+permrecords u:object_r:mtk_permrecords_service:s0
+media.mmsdk u:object_r:mtk_advcamserver_service:s0
+media.advcam u:object_r:mtk_advcamserver_service:s0
+AAL u:object_r:aal_service:s0
+terservice u:object_r:terservice_service:s0
+mtk-perfservice u:object_r:mtk_perf_service:s0
+power_hal_mgr_service u:object_r:mtk_power_hal_mgr_service:s0
+phoneEx u:object_r:mtk_radio_service:s0
+telephony.mtkregistry u:object_r:mtk_registry_service:s0
+iphonesubinfoEx u:object_r:mtk_phonesubinfo_service:s0
+mtk_telecom u:object_r:mtk_telecom_service:s0
+mtksimphonebook u:object_r:mtk_simphonebook_service:s0
+data_shaping u:object_r:mtk_data_shaping_service:s0
+mtkconnmetrics u:object_r:mtk_connmetrics_service:s0
+duraspeed u:object_r:mtk_duraspeed_service:s0
+capctrl u:object_r:mtk_radio_service:s0
+autoboot u:object_r:mtk_autoboot_service:s0
+smartratswitch u:object_r:mtk_radio_service:s0
+GoogleOtaBinder u:object_r:ota_agent_service:s0
+GpuAppSpectatorService u:object_r:gas_srv_service:s0
+FpsPolicyService u:object_r:fpspolicy-server_service:s0
+isubstub u:object_r:radio_service:s0
+wfo u:object_r:radio_service:s0
+imtksms u:object_r:radio_service:s0
+carrierexpress u:object_r:mtk_carrierexpress_service:s0
+media.VTS u:object_r:vtservice_service:s0
+mwis u:object_r:radio_service:s0
+PPLAgent u:object_r:ppl_agent_service:s0
+nfc.st_ext u:object_r:nfc_service:s0
+nfc_settings u:object_r:nfc_service:s0
+gwsd u:object_r:mtk_gwsd_service:s0
+ctanetworkdatacontroller u:object_r:cta_networkdatacontroller_service:s0
+vodata u:object_r:mtk_vodata_service:s0
+vendor.trustonic.teeservice.ITeeService u:object_r:tee_service:s0
+vendor.trustonic.teeregistryservice.ITeeRegistryService u:object_r:teeregistry_service:s0
+mediatek.campostalgo u:object_r:camerapostalgo_service:s0
+NvRAMAgent u:object_r:nvram_agent_service:s0
+mobile u:object_r:mtk_mobile_service:s0
+msgmonitorservice u:object_r:mtk_msg_monitor_service:s0
+epdg_service u:object_r:mtk_epdg_service:s0
+rns u:object_r:mtk_rns_service:s0
+search_engine_service u:object_r:mtk_search_engine_service:s0
+omadm_service u:object_r:mtk_omadm_service:s0
+fm_radio_service u:object_r:mtk_fm_radio_service:s0
+vow_bridge u:object_r:mtk_vowbridge_service:s0
+appdetection u:object_r:mtk_appdetection_service:s0
+media.VTS.HiDL u:object_r:vtservice_hidl_service:s0
+
+# MICROTRUST SEPolicy Rule
+# for ifaa upgrade on android O
+ifaa_service u:object_r:teei_ifaa_service:s0
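Review bot: Four vendor service names (`isubstub`, `wfo`, `imtksms`, `mwis`) are labeled with the AOSP `radio_service` type and two (`nfc.st_ext`, `nfc_settings`) with `nfc_service`, so every existing rule for those platform types now also covers these services, while the vendor-declared `mtk_radio_service` is used only for `phoneEx`, `capctrl` and `smartratswitch`. Reusing a platform label is a reasonable shortcut, but it should be stated, e.g. `# labeled radio_service on purpose: same caller set as the AOSP telephony services`, so a later tightening of radio_service does not silently break them. If the intended callers differ, a dedicated type in service.te keeps the exposure reviewable.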
diff --git a/bsp/plat_private/shell.te b/bsp/plat_private/shell.te
new file mode 100644
index 0000000..1142eca
--- /dev/null
+++ b/bsp/plat_private/shell.te
@@ -0,0 +1,36 @@
+# ==============================================
+# Common SEPolicy Rule
+# ============
+
+userdebug_or_eng(`
+# Date : WK19.07 2019/06/13
+# Operation : mdi_redirector integration test with AT&T Linkmaster
+# Purpose : Allow shell to listen MAPI payload from network socket
+allow shell mdi_redirector:unix_stream_socket { connectto };
+
+# Date : WK19.07 2019/06/13
+# Operation : mdi_redirector integration test with AT&T Linkmaster
+# Purpose : Allow shell to execute mdi_redirector_ctrl to start md_monitor & mdi_redirector daemons
+set_prop(shell, ctl_start_prop)
+set_prop(shell, ctl_stop_prop)
+
+# Date : 2019/07/15
+# Operation: support heavy loading
+# Purpose: Allow shell to write/read the property
+set_prop(shell, system_mtk_heavy_loading_prop)
+
+# Date : WK1925
+# Operation : MDMI Android Q migration
+# Purpose : Allow shell to listen MDMI payload from network socket
+allow shell mdmi_redirector:unix_stream_socket { connectto };
+
+# Date : WK20.14 2020/03/31
+# Operation : adb shell to read netlfix property for test
+# Purpose : Allow shell to read netlfix property
+get_prop(shell, netflix_bsp_rev_prop)
+
+# Date : 2020/04/14
+# Purpose: Allow adb shell to get/set USB tethering system property for auto test
+set_prop(shell, system_mtk_usb_tethering_prop)
+
+')
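Review bot: `set_prop(shell, ctl_start_prop)` and `set_prop(shell, ctl_stop_prop)` give the shell domain control over every init service whose ctl.* keys are not given a more specific label, which is far broader than the two daemons named in the comment. The block is inside `userdebug_or_eng`, so it never reaches user builds, but a dedicated property context for those two services' ctl.* keys would keep the debug grant as narrow as its stated purpose. Two comment lines also spell `netflix` as `netlfix`, and the header rule on the third line is truncated relative to the other files.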
diff --git a/bsp/plat_private/surfaceflinger.te b/bsp/plat_private/surfaceflinger.te
new file mode 100644
index 0000000..fe5cf33
--- /dev/null
+++ b/bsp/plat_private/surfaceflinger.te
@@ -0,0 +1,41 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# notify perf service of SF information for performance
+allow surfaceflinger mtk_perf_service:service_manager find;
+
+# for FpsPolicyServer
+# GL context of each APP will send fps request, so we have loose policy
+# FpsPolicyServer control refresh rate through dfrc
+allow surfaceflinger fpspolicy-server_service:service_manager add;
+
+# Date: WK19.122
+# Stage: Q Migration, SQC
+# purpose: allow RTT_Dumper access file context
+allow surfaceflinger file_contexts_file:file r_file_perms;
+
+# Date : WK20.02
+# Operation: Graphics low latency 2.0
+# Purpose: Allow surfaceflinger and power hal can communicate with each other
+allow surfaceflinger mtk_power_hal_mgr_service:service_manager find;
+
+# Date : WK20.02
+# Operation: Graphic low latency 2.0
+# Purpose: Allow surfaceflinger to read the version of Graphic Low Latency
+get_prop(surfaceflinger, system_mtk_graphics_sf_gll_ro_prop)
+
+# Date : WK20.03
+# Operation: Mediatek Debug Functions
+# Purpose: Allow surfaceflinger getprop debug options
+get_prop(surfaceflinger, system_mtk_debug_sf_prop)
+
+# Date : WK20.25
+# Operation: Graphic low latency 2.0
+# Purpose: Allow surfaceflinger to set related information for HE2.0 debug tool
+set_prop(surfaceflinger, system_mtk_graphics_sf_gll_prop)
+
+# Date : WK20.28
+# Operation: Mediatek BufferQueue Debug
+# Purpose: Allow surfaceflinger getprop debug options for BufferQueue
+get_prop(surfaceflinger, system_mtk_debug_bq_prop)
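Review bot: `allow surfaceflinger file_contexts_file:file r_file_perms;` is justified only as `allow RTT_Dumper access file context`, and reading the policy's file_contexts is not something the compositor needs in normal operation. If the dumper is a debug facility, the rule belongs inside `userdebug_or_eng(...)`; if it is needed on user builds, the comment should say what RTT_Dumper does with the labels. The `set_prop` for the HE2.0 debug tool deserves the same treatment.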
diff --git a/bsp/plat_private/system_app.te b/bsp/plat_private/system_app.te
new file mode 100644
index 0000000..329bf69
--- /dev/null
+++ b/bsp/plat_private/system_app.te
@@ -0,0 +1,118 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2016/11/10
+# Purpose: [MDM] Modem monitor config
+# Package Name: com.mediatek.mdmconfig
+set_prop(system_app, config_prop)
+
+# Date : WK17.31
+# Operation : Migration
+# Purpose : Carrier express service on BSP
+allow system_app mtk_carrierexpress_service:service_manager add;
+set_prop(system_app, system_mtk_usp_srv_prop)
+set_prop(system_app, system_mtk_persist_vendor_vzw_device_type_prop)
+set_prop(system_app, system_mtk_uce_support_prop)
+set_prop(system_app, system_mtk_rcs_support_prop)
+set_prop(system_app, system_mtk_clientapi_support_prop)
+set_prop(system_app, radio_prop)
+
+# Date : W17.36
+# Operation : SQC
+# Purpose : allow MOTA app to write perist.update_finished, persist_update_started
+set_prop(system_app, system_mtk_update_prop)
+
+# Date : 2018/06/21
+# Operation : P Migration
+# Purpose : Allow AtciService to set ATCI property
+set_prop(system_app, system_mtk_atci_sys_prop)
+
+# Date : 2018/06/21
+# Stage: Migration
+# Purpose: allow system app to set RTT property
+set_prop(system_app, system_mtk_rtt_prop)
+
+#Date: 2018/07/18
+# Operation: Migration
+# Purpose: all System app to read property
+get_prop(system_app, system_mtk_update_support_prop)
+
+# Date : 2018/07/19
+# Operation : P Migration
+# Purpose : Allow to get AAL property
+get_prop(system_app, system_mtk_aal_prop)
+
+# Date: 2018/07/24
+# Operation: Migration
+# Purpose : Allow system-app to get system_mtk_wfc_opt_in_prop
+# Package: com.mediatek.settings.ext
+get_prop(system_app, system_mtk_wfc_opt_in_prop)
+
+# Date : W18.28
+# Operation : New feature for VSIM SQC
+set_prop(system_app, system_mtk_vsim_sys_prop)
+
+# Date : W18.28
+# Operation : New feature for VSIM SQC
+# Purpose : Allow OSI Permission control to tcp socket
+allow system_app osi:tcp_socket create_socket_perms_no_ioctl;
+
+# Date: 2018/10/26
+# Purpose: Allow system app to get Subsidy Lock properties
+get_prop(system_app, system_mtk_subsidylock_prop)
+
+# Date: 2018/10/31
+# Operation: Support SubsidyLock
+set_prop(system_app, system_mtk_subsidylock_connect_prop)
+
+# Date: 2019/02/14
+# Purpose: Permission Control configure
+# Package Name: com.mediatek.security
+set_prop(system_app, system_mtk_permission_control_prop)
+
+# Date:2019/05/21
+# Purpose: Allow OP12settings to get opt_in_url_prop
+# Package: com.mediatek.op12.settings;
+get_prop(system_app, system_mtk_opt_in_url_prop)
+get_prop(system_app, system_mtk_apptoken_required_prop)
+
+# Date: 2019/06/06
+# Operation: SimProcessor needs to read telephony log switch property
+# Purpose: allow to get system_mtk_em_tel_log_prop
+get_prop(system_app, system_mtk_em_tel_log_prop)
+
+# Date : 2019/05/28
+# Operation : Q Migration
+# Purpose : allow to get mtk_cta_set and mtk_cta_support property
+get_prop(system_app, system_mtk_cta_set_prop)
+
+# Date : 2019/06/03
+# Operation : Q Migration split build
+# Purpose : allow to get system_mtk_rsc_sys_prop
+get_prop(system_app, system_mtk_rsc_sys_prop)
+
+# Date: 2019/07/22
+# Purpose: Allow op07settings to get system_mtk_wfc_entitlement_prop
+# Package: com.mediatek.op07.settings
+get_prop(system_app, system_mtk_wfc_entitlement_prop)
+
+# Date: 2019/07/23
+# Purpose: allow to read init.svc.md_monitor property for calling SystemService.waitForState()
+# Package Name: com.mediatek.mdmconfig
+get_prop(system_app, system_mtk_init_svc_md_monitor_prop)
+
+# Date : 2020/03/23
+# Operation : Migration
+# Purpose : Allow cta_networkdatacontroller_service to add AOSP service by ServiceManager
+allow system_app cta_networkdatacontroller_service:service_manager add;
+
+# MICROTRUST SEPolicy Rule
+# Date : 2017/12/18
+# Operation: ifaa integration
+# Purpose: access for ifaa_service call
+# Package: org.ifaa.android.service
+add_service(system_app, teei_ifaa_service)
+
+hal_client_domain(system_app, hal_teei_ifaa)
+hal_client_domain(system_app, hal_teei_wechat)
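Review bot: `system_app` is shared by every platform-signed app running as the system UID, so grants written for one package (`set_prop(system_app, config_prop)`, `set_prop(system_app, radio_prop)`, the osi tcp_socket rule, `hal_client_domain(system_app, hal_teei_ifaa)`) are received by all of them, not only the package named in the comment. The seapp_contexts file in this same change already gives EngineerMode, RsuService and the Trustonic apps their own domains; the packages listed here (mdmconfig, security, op12/op07 settings, the ifaa service) are candidates for the same treatment. At minimum, `radio_prop` and `config_prop` are AOSP-wide labels, so each comment should name the exact property the package writes, which is what allows the grant to be narrowed to a dedicated context later.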
diff --git a/bsp/plat_private/system_server.te b/bsp/plat_private/system_server.te
new file mode 100644
index 0000000..6b9a7a6
--- /dev/null
+++ b/bsp/plat_private/system_server.te
@@ -0,0 +1,172 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK15.30
+# Operation : Migration
+# Purpose : for device bring up, not to block early migration/sanity
+allow system_server aal_service:service_manager find;
+
+# Date : 2017/01/24
+# Purpose : Add permission for DRM / DRI GPU driver
+allow system_server gas_srv_service:service_manager find;
+
+# Date : 2017/4/14
+# Purpose : Add permission for registering MtkTelecomService to ServiceManager
+allow system_server mtk_telecom_service:service_manager add;
+
+# Date : 2017/09/15
+# Purpose : Add mtk_connmetrics_service for CTA's celluar data control
+allow system_server mtk_connmetrics_service:service_manager add;
+
+# Date:W17.20
+# Operation : wifioffload hal developing
+# Purpose : Allow to use HAL Wfo
+hal_client_domain(system_server, hal_mtk_wfo)
+
+# Date : W17.26
+# Purpose: Allow to use phoneEx
+allow system_server mtk_radio_service:service_manager find;
+
+# Date : 2017/10/09
+# Purpose : Record and get permission
+allow system_server mtk_permrecords_service:service_manager add;
+
+# Date : W17.36
+# Operation : Migration
+# Purpose : Allow system_server to add anrmanager
+allow system_server mtk_anrmanager_service:service_manager add;
+
+# Date: W17.42
+# Operation : Migration
+# Purpose : for WFD functionality
+set_prop(system_server, system_mtk_media_wfd_prop)
+set_prop(system_server, wifi_prop)
+
+# Date:W17.47
+# Purpose : Allow to enable/disable log too much
+set_prop(system_server, system_mtk_logmuch_prop)
+binder_call(system_server, hal_mtk_fm)
+
+# Date: 2018/07/04
+# Operation: P migration
+# Purpose : allow radio get vzw device type property
+get_prop(system_server, system_mtk_persist_vendor_vzw_device_type_prop)
+
+# Date : 2018/07/03
+# Stage: Migration
+# Purpose: allow system server to get RTT property
+get_prop(system_server, system_mtk_rtt_prop)
+
+# Date : W18.27
+# Operation : Migration
+allow system_server mtk_data_shaping_service:service_manager add;
+
+# Date : W18.28
+# Operation : Support telephony log
+get_prop(system_server, system_mtk_em_tel_log_prop)
+
+# Date : W18.29
+# Operation : For background data disable function
+get_prop(system_server, system_mtk_bgdata_disabled_prop)
+
+# Date : W18.24
+# Operation : for AMS log
+set_prop(system_server, system_mtk_amslog_prop)
+
+# Date : W18.25
+# Operation : for AMS-aal
+set_prop(system_server, system_mtk_amsaal_prop)
+
+# Date : W18.31
+# Purpose : Support Trustonic TeeService
+binder_call(system_server, teed_app)
+binder_call(system_server, teeregistryd_app)
+allow system_server tee_service:service_manager find;
+allow system_server teeregistry_service:service_manager find;
+
+# Date : W19.12
+# Operation : For DuraSpeed Migration
+set_prop(system_server, system_mtk_duraspeed_drop_caches_prop)
+
+# Date : W19.12
+# Operation : For DuraSpeed Migration
+allow system_server mtk_duraspeed_service:service_manager add;
+
+# Date : 2019/06/03
+# Operation : Q Migration split build
+# Purpose : allow to get system_mtk_rsc_sys_prop
+get_prop(system_server, system_mtk_rsc_sys_prop)
+
+# Date : W19.29
+# Operation : Support heavy loading
+get_prop(system_server, system_mtk_heavy_loading_prop)
+
+# Date : WK19.29
+# Operation : touchll hal
+# Purpose : touchll hal permission
+hal_client_domain(system_server, hal_mtk_touchll)
+
+# Date: 2020/01/16
+# Purpose : Allow system server to read tll dev
+allow system_server tll_device:chr_file r_file_perms;
+
+# Date : 2020/03/20
+# Operation: R migration
+get_prop(system_server, system_mtk_telecom_vibrate_prop)
+
+# Date:2020/03/26
+# Operation:Q Migration
+allow system_server proc_battery_cmd:dir search;
+
+# Date : 2020/04/14
+# Purpose: Allow ConnectivityService to get USB tethering system property for auto test
+get_prop(system_server, system_mtk_usb_tethering_prop)
+
+# Date : 2020/05/18
+# Operation : R Migration
+get_prop(system_server, system_mtk_graphics_sf_gll_ro_prop)
+
+# Date : 2020/05/19
+# Purpose : Add mtk_autoboot_service for CTA's autoboot app control
+allow system_server mtk_autoboot_service:service_manager add;
+
+# Date : 2020/06/01
+# Operation : R Migration
+allow system_server sysfs_HDMI_audio_extcon_state:file r_file_perms;
+
+# Date : 2020/07/13
+# Purpose : Add permission for AMS access to report Java Layer Exception
+allow system_server crash_dump:process { getpgid setsched };
+
+# Date : 2020/07/20
+# Purpose : Add permission for AMS access to report Java Layer Exception
+allow system_server zygote:process getpgid;
+
+# Date : 2020/07/23
+# Purpose : Add permission for AMS access to report Java Layer Exception
+allow system_server app_zygote:process getpgid;
+
+# Date:2020/07/27
+# Operation:R Migration
+allow system_server installd:process signal;
+
+# Date:2020/09/04
+# Operation:R Migration, add permission for AMS dump binderinfo when ANR happened in user load
+allow system_server binderfs_logs:dir r_dir_perms;
+allow system_server binderfs_logs:file r_file_perms;
+allow system_server binderfs_logs_proc:dir r_dir_perms;
+allow system_server binderfs_logs_proc:file r_file_perms;
+
+# Date:2020/09/24
+# Operation:R Migration, add permission for PMS access /data/media
+allow system_server media_rw_data_file:dir setattr;
+
+# Date:2020/09/25
+# Operation:R Migration, don't audit for PMS access /mnt/media_rw/XXXX-XXXX/Android/obb
+dontaudit system_server vfat:dir r_dir_perms;
+
+# Date:2021/11/13
+# Operation: Add for DSDA in Telecom, add permission for accessing vendor.radio.dsda.state
+get_prop(system_server, system_mtk_common_data_prop)
+
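Review bot: Many entries in this file carry a Date and Operation but no Purpose line (the `mtk_data_shaping_service` add at W18.27, the DuraSpeed block at W19.12, and most of the R-migration rules from 2020/03 onward), which makes them impossible to audit later. The `dontaudit system_server vfat:dir r_dir_perms;` near the end should also record which denial it silences and that the access is intentionally refused, e.g. `# PMS probes /mnt/media_rw/*/Android/obb; the access is not needed, only the log noise is suppressed`. The process rules on crash_dump, zygote and app_zygote would benefit from naming the AMS code path that issues getpgid/setsched, since three separate dates for the same stated purpose suggest they were added one denial at a time.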
diff --git a/bsp/plat_private/teed_app.te b/bsp/plat_private/teed_app.te
new file mode 100644
index 0000000..0a89e9a
--- /dev/null
+++ b/bsp/plat_private/teed_app.te
@@ -0,0 +1,35 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute teed_app coredomain;
+
+app_domain(teed_app)
+binder_service(teed_app)
+binder_use(teed_app)
+
+add_service(teed_app, tee_service)
+
+hal_client_domain(teed_app, hal_tee)
+hal_client_domain(teed_app, hal_allocator)
+
+allow teed_app activity_service:service_manager find;
+allow teed_app connectivity_service:service_manager find;
+allow teed_app display_service:service_manager find;
+allow teed_app network_management_service:service_manager find;
+allow teed_app notification_service:service_manager find;
+
+allow teed_app system_app_data_file:dir { getattr search };
+
+#============= teed_app for TUI ==============
+allow teed_app surfaceflinger_service:service_manager find;
+allow teed_app activity_task_service:service_manager find;
+allow teed_app media_session_service:service_manager find;
+allow teed_app system_data_file:dir search;
+allow teed_app user_profile_root_file:dir search;
+allow teed_app audio_service:service_manager find;
+allow teed_app content_capture_service:service_manager find;
+allow teed_app gpu_service:service_manager find;
+
+#============= teed_app for thermal_service ==============
+allow teed_app thermal_service:service_manager find;
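Review bot: This file registers `tee_service` from an app domain and grants it a set of TUI-related finds without any of the Date/Purpose headers used elsewhere in the change, so a reader cannot tell which feature needs, for instance, `system_app_data_file:dir { getattr search }`. A header such as `# Trustonic TeeService (com.trustonic.teeservice per seapp_contexts): registers tee_service; the TUI path needs the surfaceflinger/activity_task/gpu finds` would make the block reviewable. Since this diff also makes `tee_service` findable by untrusted_app_all, the comment should state that the service validates its callers itself.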
diff --git a/bsp/plat_private/teeregistryd_app.te b/bsp/plat_private/teeregistryd_app.te
new file mode 100644
index 0000000..b4b5f3d
--- /dev/null
+++ b/bsp/plat_private/teeregistryd_app.te
@@ -0,0 +1,29 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute teeregistryd_app coredomain;
+
+app_domain(teeregistryd_app)
+
+binder_service(teeregistryd_app)
+binder_use(teeregistryd_app)
+
+add_service(teeregistryd_app, teeregistry_service)
+
+hal_client_domain(teeregistryd_app, hal_teeregistry)
+hal_client_domain(teeregistryd_app, hal_allocator)
+
+allow teeregistryd_app activity_service:service_manager find;
+allow teeregistryd_app connectivity_service:service_manager find;
+allow teeregistryd_app display_service:service_manager find;
+allow teeregistryd_app network_management_service:service_manager find;
+allow teeregistryd_app tee_service:service_manager find;
+allow teeregistryd_app fwmarkd_socket:sock_file write;
+allow teeregistryd_app netd:unix_stream_socket connectto;
+allow teeregistryd_app node:udp_socket node_bind;
+allow teeregistryd_app port:udp_socket name_bind;
+allow teeregistryd_app port:tcp_socket name_connect;
+allow teeregistryd_app self:tcp_socket { create setopt read getopt getattr write connect };
+allow teeregistryd_app dnsproxyd_socket:sock_file write;
+allow teeregistryd_app self:udp_socket { create bind setattr };
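Review bot: `allow teeregistryd_app port:tcp_socket name_connect;` and `port:udp_socket name_bind;` use the generic `port` type, so this system-UID app may connect to any TCP port and bind any UDP port, and the netd/fwmarkd/dnsproxyd rules show it does real network I/O. If the registry only talks to a known remote endpoint, say so in a comment and check whether a narrower port type is available; if it genuinely needs arbitrary ports, record the reason, since the file has no Date/Purpose lines at all. The explicit `self:tcp_socket { create setopt read getopt getattr write connect }` list is also unusual next to the rest of the tree, which uses the `create_socket_perms*` macros; using the macro, or commenting why exactly these perms, keeps the style consistent.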
diff --git a/bsp/plat_private/terservice.te b/bsp/plat_private/terservice.te
new file mode 100644
index 0000000..15e2851
--- /dev/null
+++ b/bsp/plat_private/terservice.te
@@ -0,0 +1,25 @@
+# ==============================================
+# Policy File of /system/bin/terservice Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type terservice_exec, system_file_type, exec_type, file_type;
+typeattribute terservice coredomain;
+
+init_daemon_domain(terservice)
+
+# Date : 2014/09/18 (WK14.38)
+# Operation : Migration
+# Purpose : allow register terservice service in servicemanager.
+allow terservice terservice_service:service_manager add;
+
+# property service
+set_prop(terservice, system_mtk_terservice_prop)
+
+# ipc call
+binder_use(terservice)
+binder_service(terservice)
+
+
diff --git a/bsp/plat_private/thermald.te b/bsp/plat_private/thermald.te
new file mode 100644
index 0000000..163a94d
--- /dev/null
+++ b/bsp/plat_private/thermald.te
@@ -0,0 +1,28 @@
+# ==============================================
+# Policy File of /system/bin/thermald Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type thermald_exec, system_file_type, exec_type, file_type;
+typeattribute thermald coredomain;
+
+init_daemon_domain(thermald)
+
+# Date : WK17.28
+# Operation : SQC
+# Purpose : for thermal management to shutdown the phone
+binder_use(thermald)
+binder_call(thermald, system_server)
+allow thermald activity_service:service_manager find;
+
+# for wifi throttle
+allow thermald sysfs_net:dir search;
+allow thermald sysfs_thermald:file r_file_perms;
+allow thermald shell_exec:file rx_file_perms;
+allow thermald toolbox_exec:file rx_file_perms;
+allow thermald proc_net:file r_file_perms;
+allow thermald devpts:chr_file rw_file_perms;
+allow thermald self:netlink_route_socket { create setopt bind getattr write nlmsg_read read nlmsg_write };
+allow thermald self:capability net_admin;
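Review bot: The `# for wifi throttle` block lets thermald execute shell and toolbox binaries (`shell_exec`/`toolbox_exec` rx_file_perms), send netlink route messages (`nlmsg_write`) and hold `net_admin`, which together amount to a system daemon spawning a shell to reconfigure the network stack. If the daemon runs a fixed command, the comment should name it so the rule can be tightened to that binary; issuing the netlink request in-process would remove the shell and toolbox rules entirely. `allow thermald devpts:chr_file rw_file_perms;` looks like a leftover from running that command through a pty and deserves its own justification.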
diff --git a/bsp/plat_private/untrusted_app.te b/bsp/plat_private/untrusted_app.te
new file mode 100644
index 0000000..c1f7a17
--- /dev/null
+++ b/bsp/plat_private/untrusted_app.te
@@ -0,0 +1,14 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2017/12/21
+# Operation: IT
+# Purpose : For hongbao optimization
+allow untrusted_app mtk_connmetrics_service:service_manager find;
+
+# Date: 2018/07/09
+# Operator: New feature for VSIM SQC
+# Purpose: allow vendor's osi to use tcp socket
+allow untrusted_app osi:tcp_socket create_socket_perms_no_ioctl;
+
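Review bot: `allow untrusted_app osi:tcp_socket create_socket_perms_no_ioctl;` lets any untrusted app operate on sockets labeled with the vendor `osi` domain, `create` included, and the comment says only that it is for VSIM SQC. The note should say how the app obtains the socket (presumably an fd handed over by osi — confirm) and why the full socket permission set rather than read/write is required; the same grant to system_app in this change has the same gap. The `mtk_connmetrics_service` find is given here and in untrusted_app_25 but not in untrusted_app_27, so apps targeting API 26–27 behave differently; if that is intended, say so, otherwise the rule belongs in untrusted_app_all.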
diff --git a/bsp/plat_private/untrusted_app_25.te b/bsp/plat_private/untrusted_app_25.te
new file mode 100644
index 0000000..aea3eac
--- /dev/null
+++ b/bsp/plat_private/untrusted_app_25.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2017/12/21
+# Operation: IT
+# Purpose : For hongbao optimization
+allow untrusted_app_25 mtk_connmetrics_service:service_manager find;
diff --git a/bsp/plat_private/untrusted_app_27.te b/bsp/plat_private/untrusted_app_27.te
new file mode 100644
index 0000000..71c0060
--- /dev/null
+++ b/bsp/plat_private/untrusted_app_27.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2019/06/17
+# Operation : Migration
+# Purpose :allow untrusted_app_27 to get props
+get_prop(untrusted_app_27, apexd_prop)
diff --git a/bsp/plat_private/untrusted_app_all.te b/bsp/plat_private/untrusted_app_all.te
new file mode 100644
index 0000000..4aacd65
--- /dev/null
+++ b/bsp/plat_private/untrusted_app_all.te
@@ -0,0 +1,13 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow untrusted_app_all tee_service:service_manager find;
+
+# Date: W1920
+# Purpose: Make app can get phoneEx
+allow untrusted_app_all mtk_radio_service:service_manager find;
+
+# netflix HD property
+get_prop(untrusted_app_all, netflix_bsp_rev_prop)
+
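Review bot: `allow untrusted_app_all tee_service:service_manager find;` is the one rule in this file with no date or purpose, and it exposes the `tee_service` registered by teed_app (an app domain in this same change) to every untrusted app on the device. The second rule does the same for `mtk_radio_service`, which service.te declares without `app_api_service`, so this line is what opens phoneEx, capctrl and smartratswitch to untrusted callers. Both deserve a comment confirming that the Binder interfaces enforce their own permission checks, e.g. `# tee_service is caller-checked inside TeeService; find only`.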
diff --git a/bsp/plat_private/usp_service.te b/bsp/plat_private/usp_service.te
new file mode 100644
index 0000000..b2af3b1
--- /dev/null
+++ b/bsp/plat_private/usp_service.te
@@ -0,0 +1,13 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type usp_service_exec, system_file_type, exec_type, file_type;
+typeattribute usp_service coredomain;
+
+init_daemon_domain(usp_service)
+
+allow usp_service block_device:dir search;
+set_prop(usp_service, radio_prop)
+set_prop(usp_service, system_mtk_usp_srv_prop)
+allow usp_service proc_net:file rw_file_perms;
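Review bot: `allow usp_service proc_net:file rw_file_perms;` grants write access to files under the `proc_net` label, which in the platform policy typically covers the /proc/sys/net tunables as well as /proc/net, and the file carries no Date/Purpose lines for any of its rules. Write access to kernel network parameters from a daemon is worth a one-line justification naming the file it modifies; if it only reads, `r_file_perms` is enough. The `set_prop(usp_service, radio_prop)` grant would also benefit from naming the property, since `radio_prop` is an AOSP-wide label.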
diff --git a/bsp/plat_private/vendor_init.te b/bsp/plat_private/vendor_init.te
new file mode 100644
index 0000000..305259f
--- /dev/null
+++ b/bsp/plat_private/vendor_init.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# netflix HD property
+set_prop(vendor_init, netflix_bsp_rev_prop)
+
+# set fuse property
+set_prop(vendor_init, system_prop)
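Review bot: `set_prop(vendor_init, system_prop)` is explained only as `# set fuse property`, and `system_prop` is a broad platform label rather than a single key. The comment should name the property so the grant can later move to a dedicated context, e.g. `# vendor_init sets <FUSE PROPERTY NAME> at boot; it currently carries the generic system_prop label`. The netflix rule above has the same shape but is at least narrow by label.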
diff --git a/bsp/plat_private/vendor_shell.te b/bsp/plat_private/vendor_shell.te
new file mode 100644
index 0000000..b10da48
--- /dev/null
+++ b/bsp/plat_private/vendor_shell.te
@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# =============================================
+
+# netflix HD property
+set_prop(vendor_shell, netflix_bsp_rev_prop)
diff --git a/bsp/plat_private/vold.te b/bsp/plat_private/vold.te
new file mode 100644
index 0000000..3c256f2
--- /dev/null
+++ b/bsp/plat_private/vold.te
@@ -0,0 +1,19 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK15.02
+# Purpose : fsck_msdos
+allow vold platform_app:fd use;
+
+# Date : WK15.11
+allow vold mtd_device:dir search;
+allow vold mtd_device:chr_file rw_file_perms;
+
+# Date : WK17.28
+# Purpose : encrypt phone
+allow vold kernel:system module_request;
+
+# Date : 2020/03/26
+# Android R migration
+dontaudit vold proc_battery_cmd:dir r_dir_perms;
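Review bot: `allow vold kernel:system module_request;` is justified only as `encrypt phone`, and module_request lets vold trigger kernel module autoloading by name, a capability the platform keeps to very few domains. The comment should record which module is requested (a cipher module for the encryption path, presumably — confirm) and whether it is still needed on kernels where that cipher is built in. The `platform_app:fd use` rule dated WK15.02 for fsck_msdos and the undocumented mtd_device rules are old enough that they should be re-verified against current denials rather than carried forward.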
diff --git a/bsp/plat_private/vtservice.te b/bsp/plat_private/vtservice.te
new file mode 100644
index 0000000..11b0831
--- /dev/null
+++ b/bsp/plat_private/vtservice.te
@@ -0,0 +1,24 @@
+# ==============================================
+# Policy File of /system/bin/vtservice Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute vtservice coredomain;
+type vtservice_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(vtservice)
+binder_use(vtservice)
+binder_call(vtservice, mediaserver)
+binder_service(vtservice)
+
+# Date : WK15.33
+# Purpose : Add vtservice to support video telephony functionality
+# 3G VT/ViLTE both use this service which will also communication with IMCB/Rild
+allow vtservice vtservice_service:service_manager add;
+
+# Date: 2018/08/24
+# Operation: add mdp
+get_prop(vtservice, system_mtk_debug_bq_dump_prop)
+
diff --git a/bsp/plat_private/zygote.te b/bsp/plat_private/zygote.te
new file mode 100644
index 0000000..f9625db
--- /dev/null
+++ b/bsp/plat_private/zygote.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2019/11/19
+# Operation : Q Migration split build
+# Purpose : allow to get system_mtk_rsc_sys_prop
+get_prop(zygote, system_mtk_rsc_sys_prop)
+
diff --git a/bsp/plat_public/attributes b/bsp/plat_public/attributes
new file mode 100644
index 0000000..0447d0f
--- /dev/null
+++ b/bsp/plat_public/attributes
@@ -0,0 +1,117 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# DMC HIDL
+attribute hal_mtk_dmc;
+attribute hal_mtk_dmc_client;
+attribute hal_mtk_dmc_server;
+
+# APM HIDL
+attribute hal_mtk_apm;
+attribute hal_mtk_apm_client;
+attribute hal_mtk_apm_server;
+
+# netdagent HIDL
+attribute mtk_hal_netdagent;
+attribute mtk_hal_netdagent_client;
+attribute mtk_hal_netdagent_server;
+
+attribute hal_mtk_wfo;
+attribute hal_mtk_wfo_client;
+attribute hal_mtk_wfo_server;
+
+attribute hal_presence;
+attribute hal_presence_client;
+attribute hal_presence_server;
+
+attribute hal_videotelephony;
+attribute hal_videotelephony_client;
+attribute hal_videotelephony_server;
+
+attribute hal_rcs;
+attribute hal_rcs_client;
+attribute hal_rcs_server;
+
+attribute hal_dfps;
+attribute hal_dfps_client;
+attribute hal_dfps_server;
+
+attribute hal_dplanner;
+attribute hal_dplanner_client;
+attribute hal_dplanner_server;
+
+attribute mtk_hal_pplagent;
+attribute mtk_hal_pplagent_client;
+attribute mtk_hal_pplagent_server;
+
+attribute hal_clientapi;
+attribute hal_clientapi_client;
+attribute hal_clientapi_server;
+
+# Trustonic Attribute declarations
+attribute hal_tee_client;
+attribute hal_tee_server;
+attribute hal_tee;
+
+attribute hal_teeregistry_client;
+attribute hal_teeregistry_server;
+attribute hal_teeregistry;
+
+# MDM HIDL
+attribute md_monitor_hal_client;
+attribute md_monitor_hal_server;
+attribute md_monitor_hal;
+
+# OMADM HIDL
+attribute hal_mtk_omadm;
+attribute hal_mtk_omadm_client;
+attribute hal_mtk_omadm_server;
+
+# HDCP HIDL
+attribute hal_tesiai_hdcp;
+attribute hal_tesiai_hdcp_client;
+attribute hal_tesiai_hdcp_server;
+
+# touch HIDL
+attribute hal_nwk_opt;
+attribute hal_nwk_opt_client;
+attribute hal_nwk_opt_server;
+
+# touchll HIDL
+attribute hal_mtk_touchll;
+attribute hal_mtk_touchll_client;
+attribute hal_mtk_touchll_server;
+
+# thp HIDL
+attribute hal_mtk_thp;
+attribute hal_mtk_thp_client;
+attribute hal_mtk_thp_server;
+
+# ==============================================
+# MICROTRUST Attribute declarations
+# ==============================================
+# THH ATTESTATION HIDL
+attribute hal_teei_thh;
+attribute hal_teei_thh_client;
+attribute hal_teei_thh_server;
+
+# TUI ATTESTATION HIDL
+attribute hal_teei_tui;
+attribute hal_teei_tui_client;
+attribute hal_teei_tui_server;
+
+# IFAA ATTESTATION HIDL
+attribute hal_teei_ifaa;
+attribute hal_teei_ifaa_client;
+attribute hal_teei_ifaa_server;
+
+# CLIENT API ATTESTATION HIDL
+attribute hal_teei_capi;
+attribute hal_teei_capi_client;
+attribute hal_teei_capi_server;
+
+# Wechat ATTESTATION HIDL
+attribute hal_teei_wechat;
+attribute hal_teei_wechat_client;
+attribute hal_teei_wechat_server;
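Review bot: The comment `# touch HIDL` above `hal_nwk_opt` does not match the attribute name and looks copied from the `touchll` block below it, so a reader will assume the wrong HAL. Suggested wording: `# network optimization HIDL` (or whatever nwk_opt stands for — confirm). The MICROTRUST section labels the TUI, IFAA, client-API and Wechat HALs all as `ATTESTATION HIDL`, which is likely the same copy-paste and should name each HAL's actual role.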
diff --git a/bsp/plat_public/file.te b/bsp/plat_public/file.te
new file mode 100644
index 0000000..7569152
--- /dev/null
+++ b/bsp/plat_public/file.te
@@ -0,0 +1,13 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+##########################
+# Filesystem types
+#
+##########################
+# Sys Filesystem types
+#
+# Date : 2020/12/16
+# Operation: R migration
+# Purpose : mtk EM PMU reading/setting
+type sysfs_pmu, fs_type, sysfs_type;
diff --git a/bsp/plat_public/property.te b/bsp/plat_public/property.te
new file mode 100644
index 0000000..1ff71ec
--- /dev/null
+++ b/bsp/plat_public/property.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# system_internal_prop -- Properties used only in /system
+# system_restricted_prop -- Properties which can't be written outside system
+# system_public_prop -- Properties with no restrictions
+# system_vendor_config_prop -- Properties which can be written only by vendor_init
+# vendor_internal_prop -- Properties used only in /vendor
+# vendor_restricted_prop -- Properties which can't be written outside vendor
+# vendor_public_prop -- Properties with no restrictions
+
+# Properties which can't be written outside system
+system_restricted_prop(system_mtk_init_svc_md_monitor_prop)
+
+# Properties with no restrictions
+system_public_prop(system_mtk_heavy_loading_prop)
+system_public_prop(system_mtk_pkm_init_prop)