Merge tag 'LA.VENDOR.13.2.0.r1-21400-KAILUA.0' of https://git.codelinaro.org/clo/la/device/qcom/sepolicy_vndr into lineage-21.0-caf-sm8550
LA.VENDOR.13.2.0.r1-21400-KAILUA.0
* tag 'LA.VENDOR.13.2.0.r1-21400-KAILUA.0' of https://git.codelinaro.org/clo/la/device/qcom/sepolicy_vndr:
sepolicy_vndr: trinklet: Label device wakeup nodes - Label the nodes listed by SuspendSepolicyTests.sh
sepolicy: add rules for hal_vibrator_default
sepolicy: add rules for vendor_qti_init_shell
sepolicy : Fix vendor modprobe denial in trinket
UVC - Add sepolicy rule to access dmabuf_system_heap_device
trinket: Add display boot-up sepolicies. - Addresses device struck issues at snapdragon logo.
sepolicy_vndr: Add camera sepolicy rules for trinket
Add sepolicy rule for msm_evrc_in & msm_qcelp_in to rw file
Aidirector sepolicy changes to run in enforced mode
sepolicy_vndr: Add sepolicy rules for recovery
sepolicy_vndr: sepolicy rule to access the audio PCM Nodes to read and write
sepolicy: Add sepolicy rules to access the qseecom device node
Sepolicy: Add the rules required to make UAC/UVC run enforced
sepolicy : Add sepolicy rules media for record video
eSE: Added weaver service name for ST54x
sepolicy : Add sysfs_net related path entries
sepolicy_vndr: rename vendor specific strongbox service name
Fix for vndservicemanager Avc Denial
Add sepolicy rules for msm_rtac node
episteme: Add net domain for udp_socket denial
sepolicy : Add permissions for msm_lsm cdev
Add sepolicy rules for msm_audio_cal node
sepolicy_vndr: add permissions for keymint service
sepolicy_vndr: Add rules for QFPS feature to read the system stats from procfs
Change-Id: I590c26b214fd02427915912ecb24b8fdcdd4ff31
diff --git a/generic/vendor/common/hal_keymint_qti.te b/generic/vendor/common/hal_keymint_qti.te
index c87bf34..2a6a82c 100644
--- a/generic/vendor/common/hal_keymint_qti.te
+++ b/generic/vendor/common/hal_keymint_qti.te
@@ -34,6 +34,7 @@
dontaudit vendor_hal_keymint_qti firmware_file:dir search;
get_prop(vendor_hal_keymint_qti, vendor_tee_listener_prop)
+get_prop(vendor_hal_keymint_qti, vendor_disable_spu_prop)
allow vendor_hal_keymint_qti tee_device:chr_file rw_file_perms;
diff --git a/generic/vendor/crow/file_contexts b/generic/vendor/crow/file_contexts
index 23a67e7..d309b7b 100644
--- a/generic/vendor/crow/file_contexts
+++ b/generic/vendor/crow/file_contexts
@@ -280,3 +280,6 @@
# eSE Strongbox
/vendor/bin/hw/android\.hardware\.security\.keymint-service\.strongbox-nxp u:object_r:vendor_hal_keymint_strongbox_exec:s0
+
+# eSE Thales Weaver
+/vendor/bin/hw/android\.hardware\.weaver@1\.0-service-thales u:object_r:vendor_hal_weaver_default_exec:s0
diff --git a/generic/vendor/crow/poweroptservice.te b/generic/vendor/crow/poweroptservice.te
index a71d8df..94e7b72 100644
--- a/generic/vendor/crow/poweroptservice.te
+++ b/generic/vendor/crow/poweroptservice.te
@@ -66,6 +66,7 @@
allow vendor_hal_poweroptservice_qti vendor_pm_data_file:file create_file_perms;
allow vendor_hal_poweroptservice_qti cgroup:file r_file_perms;
allow vendor_hal_poweroptservice_qti proc:file r_file_perms;
+allow vendor_hal_poweroptservice_qti proc_stat:file r_file_perms;
allow vendor_hal_poweroptservice_qti {appdomain}:process getpgid;
r_dir_file(vendor_hal_poweroptservice_qti, appdomain);
r_dir_file(vendor_hal_poweroptservice_qti, vendor_sysfs_battery_supply);
diff --git a/qva/vendor/common/cnd.te b/qva/vendor/common/cnd.te
index 30dfa7c..9a8d700 100644
--- a/qva/vendor/common/cnd.te
+++ b/qva/vendor/common/cnd.te
@@ -98,6 +98,9 @@
vndbinder_use(vendor_cnd)
allow vendor_cnd vendor_nwmgr_service:service_manager find;
+
+dontaudit vndservicemanager vendor_cnd:binder call;
+
##############################################################
#for using public interface vendor.qti.data.factory
#client should add their domain to vendor_cnd.te
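Review bot: The added `dontaudit vndservicemanager vendor_cnd:binder call;` hides the denial without any comment on why vndservicemanager calls into vendor_cnd or why blocking that call is harmless. A dontaudit removes the only log evidence of the access, so whoever later debugs a vendor_cnd service problem needs the rationale next to the rule. If the call really is unnecessary, a comment such as `# vndservicemanager -> vendor_cnd call is not required; suppress the denial log` would do. If it is required for the service to work, an explicit `allow` is the correct form rather than a suppression.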
diff --git a/qva/vendor/crow/recovery.te b/qva/vendor/crow/recovery.te
new file mode 100644
index 0000000..b92bfbb
--- /dev/null
+++ b/qva/vendor/crow/recovery.te
@@ -0,0 +1,6 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+#============= recovery ==============
+set_prop(recovery, boottime_prop)
+allow recovery vendor_sysfs_scsi_host:dir search;
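Review bot: `set_prop(recovery, boottime_prop)` gives the recovery domain write access to what appears to be a platform-owned property type, and the new file records no reason for it or for the `vendor_sysfs_scsi_host:dir search` rule. The banner `#============= recovery ==============` looks like audit2allow output, which suggests the rules were taken from denials rather than designed. Each rule should carry a comment naming the feature or denial it serves, for example `# recovery writes boot timing properties on this target`, if that is the intent. That lets a later reviewer judge whether the write is still needed.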
diff --git a/qva/vendor/kona/device.te b/qva/vendor/kona/device.te
index 37496fb..224830f 100644
--- a/qva/vendor/kona/device.te
+++ b/qva/vendor/kona/device.te
@@ -9,3 +9,6 @@
#define msm_lsm char device
type vendor_msm_lsm_cdev_device, dev_type;
+
+#define aidirector audio device
+type vendor_aid_audio_device, dev_type;
diff --git a/qva/vendor/kona/file_contexts b/qva/vendor/kona/file_contexts
index d32f64d..4328793 100644
--- a/qva/vendor/kona/file_contexts
+++ b/qva/vendor/kona/file_contexts
@@ -152,3 +152,9 @@
#tee
/dev/0:0:0:[0-5] u:object_r:vendor_dev_tee:s0
+
+#uac
+/dev/snd/pcmC[1-9].* u:object_r:vendor_pcm_device:s0
+
+#aidirector
+/dev/snd/controlC0 u:object_r:vendor_aid_audio_device:s0
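Review bot: The pattern `/dev/snd/pcmC[1-9].*` under `#uac` labels every PCM node on card 1 and above as vendor_pcm_device, not only USB-audio nodes. The `/dev/snd/controlC0` entry also moves the card-0 control node off its previous label (presumably audio_device, to be confirmed) onto vendor_aid_audio_device. Any domain that reached these nodes through the old label loses access unless it is granted the new types, and in this commit only hal_audio_default, hal_camera_default and vendor_hal_umd_qti are. If the UAC card index is fixed on this target, a pattern limited to that card keeps the relabel scoped. Otherwise a comment should state that relabelling all secondary cards is intended.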
diff --git a/qva/vendor/kona/genfs_contexts b/qva/vendor/kona/genfs_contexts
index be3c061..1dd0f5a 100644
--- a/qva/vendor/kona/genfs_contexts
+++ b/qva/vendor/kona/genfs_contexts
@@ -104,6 +104,10 @@
genfscon sysfs /devices/platform/soc/a800000.ssusb/a800000.dwc3/xhci-hcd.2.auto/usb1/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/a800000.ssusb/a800000.dwc3/xhci-hcd.2.auto/usb2/wakeup u:object_r:sysfs_wakeup:s0
+#sysfs_net
+genfscon sysfs /devices/platform/soc/1c00000.qcom,pcie/pci0000:00/0000:00:00.0/0000:01:00.0/net u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/soc/1c10000.qcom,pcie/pci0002:00/0002:00:00.0/0002:01:00.0/net u:object_r:sysfs_net:s0
+
#vendor_sysfs_graphics nodes
genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/0-05/c440000.qcom,spmi:qcom,pm8150l@5:qcom,leds@d000/leds/blue/brightness u:object_r:vendor_sysfs_graphics:s0
genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/0-05/c440000.qcom,spmi:qcom,pm8150l@5:qcom,leds@d000/leds/green/brightness u:object_r:vendor_sysfs_graphics:s0
diff --git a/qva/vendor/kona/hal_audio_default.te b/qva/vendor/kona/hal_audio_default.te
index ce71f48..d4c4613 100644
--- a/qva/vendor/kona/hal_audio_default.te
+++ b/qva/vendor/kona/hal_audio_default.te
@@ -6,3 +6,9 @@
# Allow audio hal to communicate with msm_lsm char dev
allow hal_audio_default vendor_msm_lsm_cdev_device:chr_file rw_file_perms;
+
+#Allow audio hal to communicate to usb pcm node
+allow hal_audio_default vendor_pcm_device:chr_file rw_file_perms;
+
+#Allow audio hal access to aid audio node
+allow hal_audio_default vendor_aid_audio_device:chr_file rw_file_perms;
diff --git a/qva/vendor/kona/hal_camera.te b/qva/vendor/kona/hal_camera.te
index 1c9ab9c..7a5a831 100644
--- a/qva/vendor/kona/hal_camera.te
+++ b/qva/vendor/kona/hal_camera.te
@@ -1,5 +1,21 @@
# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
# SPDX-License-Identifier: BSD-3-Clause-Clear
+#Allow base set of permissions for camera hal to be a client of audio hal
+typeattribute hal_camera_default hal_audio_client;
+
#Allow camera to access hdmi bridge device
allow hal_camera_default vendor_hdmi_bdg_irq_device:chr_file rw_file_perms;
+
+#Allow camera to read vendor_umd_prop and binder call vendor_hal_umd_qti
+get_prop(hal_camera_default, vendor_umd_prop)
+allow hal_camera_default vendor_hal_umd_qti:binder call;
+
+#Allow audio related and read file permissions
+allow hal_camera_default vendor_aid_audio_device:chr_file rw_file_perms;
+allow hal_camera_default audio_device:dir r_dir_perms;
+get_prop(hal_camera_default, vendor_audio_prop)
+
+#Allow access to /data/vendor/camera
+allow hal_camera_default vendor_camera_data_file:dir { add_name write };
+allow hal_camera_default vendor_camera_data_file:file { create getattr open write };
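Review bot: `allow hal_camera_default vendor_aid_audio_device:chr_file rw_file_perms;` gives the camera HAL direct read/write on the node that qva/vendor/kona/file_contexts in this commit maps to `/dev/snd/controlC0`. That is in addition to the `hal_audio_client` attribute added at the top of the hunk. The comment "Allow audio related and read file permissions" does not say why the camera HAL must write the sound-card control node itself rather than go through the audio HAL. If it only queries state, `r_file_perms` would be the narrower grant. If it must write, the comment should name the feature that needs it (aidirector, judging by the type name).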
diff --git a/qva/vendor/kona/hwservice.te b/qva/vendor/kona/hwservice.te
index b4e246d..ab8a2f1 100644
--- a/qva/vendor/kona/hwservice.te
+++ b/qva/vendor/kona/hwservice.te
@@ -1,4 +1,4 @@
# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
# SPDX-License-Identifier: BSD-3-Clause-Clear
-type vendor_hal_umd_hwservice , hwservice_manager_type;
+type vendor_hal_umd_hwservice , hwservice_manager_type, protected_hwservice;
diff --git a/qva/vendor/kona/platform_app.te b/qva/vendor/kona/platform_app.te
new file mode 100644
index 0000000..d841664
--- /dev/null
+++ b/qva/vendor/kona/platform_app.te
@@ -0,0 +1,35 @@
+# Copyright (c) 2019-2020, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Changes from Qualcomm Innovation Center are provided under the following license:
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+#allow platform_app to read vendor_umd_prop
+get_prop(platform_app, vendor_umd_prop)
+
+hal_client_domain(platform_app, vendor_hal_umd)
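Review bot: `hal_client_domain(platform_app, vendor_hal_umd)` opens the UMD HAL to every app that runs in the platform_app domain, while qva/vendor/kona/hwservice.te in this same commit tightens vendor_hal_umd_hwservice with `protected_hwservice`. If one specific app is the intended client, a dedicated app domain would keep the grant as narrow as the hwservice change implies. At minimum the rule needs a comment naming the client, as the `get_prop` line above it has, e.g. `#allow platform_app to be a client of the umd hal (used by <app name>)`.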
diff --git a/qva/vendor/kona/property.te b/qva/vendor/kona/property.te
new file mode 100644
index 0000000..209340c
--- /dev/null
+++ b/qva/vendor/kona/property.te
@@ -0,0 +1,33 @@
+# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED"AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Changes from Qualcomm Innovation Center are provided under the following license:
+# Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+#umd property
+vendor_restricted_prop(vendor_umd_prop);
diff --git a/qva/vendor/kona/property_contexts b/qva/vendor/kona/property_contexts
index ccb460c..b521808 100644
--- a/qva/vendor/kona/property_contexts
+++ b/qva/vendor/kona/property_contexts
@@ -3,3 +3,7 @@
#mm-video
persist.vendor.wfd.source.hdmi.enable u:object_r:vendor_video_prop:s0
+
+#umd
+persist.vendor.umdadaptor.mode u:object_r:vendor_umd_prop:s0
+persist.vendor.umd. u:object_r:vendor_umd_prop:s0
diff --git a/qva/vendor/kona/umdservice.te b/qva/vendor/kona/umdservice.te
index 884d1df..46fc722 100644
--- a/qva/vendor/kona/umdservice.te
+++ b/qva/vendor/kona/umdservice.te
@@ -5,6 +5,11 @@
type vendor_hal_umd_qti, domain;
type vendor_hal_umd_qti_exec, file_type, vendor_file_type, exec_type;
+type vendor_pcm_device, dev_type;
+
+typeattribute vendor_hal_umd_qti hal_camera_client;
+typeattribute vendor_hal_umd_qti hal_audio_client;
+
#Allow for transition from init domain to umdservice
init_daemon_domain(vendor_hal_umd_qti)
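Review bot: `type vendor_pcm_device, dev_type;` is declared here in umdservice.te, although qva/vendor/kona/device.te holds the target's other device types and is edited in this commit to add vendor_aid_audio_device. The type is also used by kona/file_contexts and kona/hal_audio_default.te, so a reader starting from those files will not find the declaration where they expect it. Moving it next to vendor_aid_audio_device with a comment such as `#define uac pcm device` would keep the declarations in one place. The two `typeattribute` lines would also benefit from a comment on why the UMD service is a client of both the camera and audio HALs.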
@@ -16,3 +21,26 @@
#Ability for domain to get vendor_hal_umd_hwservice to hwservice_manager
#and find it
hal_attribute_hwservice(vendor_hal_umd, vendor_hal_umd_hwservice)
+
+#Allow a base set of permissions for the domain to be the client of hal_graphics_allocator
+hal_client_domain(vendor_hal_umd_qti, hal_graphics_allocator)
+
+allow vendor_hal_umd_qti video_device:chr_file rw_file_perms;
+
+#Allow the domain to access the properties required
+get_prop(vendor_hal_umd_qti, vendor_umd_prop)
+get_prop(vendor_hal_umd_qti, usb_control_prop)
+get_prop(vendor_hal_umd_qti, codec2_config_prop)
+get_prop(vendor_hal_umd_qti, vendor_video_prop)
+
+#Allow the domain to access the uvent socket and the audio device
+allow vendor_hal_umd_qti self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow vendor_hal_umd_qti vendor_pcm_device:chr_file rw_file_perms;
+allow vendor_hal_umd_qti audio_device:dir r_dir_perms;
+
+#Allow the domain to access the configfs file and dir
+allow vendor_hal_umd_qti configfs:file r_file_perms;
+allow vendor_hal_umd_qti configfs:dir r_dir_perms;
+
+#allow the domain to access dmabuf
+allow vendor_hal_umd_qti dmabuf_system_heap_device:chr_file r_file_perms;
diff --git a/qva/vendor/test/episteme_app.te b/qva/vendor/test/episteme_app.te
index 945e0ec..9d96211 100644
--- a/qva/vendor/test/episteme_app.te
+++ b/qva/vendor/test/episteme_app.te
@@ -3,6 +3,7 @@
type vendor_episteme_app, domain;
app_domain(vendor_episteme_app)
+net_domain(vendor_episteme_app)
allow vendor_episteme_app app_api_service:service_manager find;
hal_client_domain(vendor_episteme_app, vendor_hal_qms_qti)
hal_client_domain(vendor_episteme_app, vendor_hal_qesdhal)
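Review bot: `net_domain(vendor_episteme_app)` grants the whole network-socket permission set, while the commit message gives the trigger as a single udp_socket denial. If the app only needs UDP, a narrower rule on `self:udp_socket` would resolve the denial without adding TCP and the other socket classes. If full network access is intended, the line should say so in a comment, e.g. `# episteme test app needs network access for <purpose>`. The file sits under qva/vendor/test, so it is also worth confirming this policy is not built into production images.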
diff --git a/qva/vendor/trinket/bootanim.te b/qva/vendor/trinket/bootanim.te
new file mode 100644
index 0000000..6fea5d2
--- /dev/null
+++ b/qva/vendor/trinket/bootanim.te
@@ -0,0 +1,5 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+binder_call(bootanim, vendor_hal_qspmhal_default)
+allow bootanim vendor_sysfs_kgsl_gpu_model:file r_file_perms;
diff --git a/qva/vendor/trinket/device.te b/qva/vendor/trinket/device.te
index 28e7e54..1fe970a 100644
--- a/qva/vendor/trinket/device.te
+++ b/qva/vendor/trinket/device.te
@@ -30,3 +30,13 @@
type vendor_mba_debug_dev, dev_type;
type vendor_dip_device, dev_type;
type vendor_rawdump_block_device, dev_type;
+
+#define msm_lsm char device
+type vendor_msm_lsm_cdev_device, dev_type;
+
+# for mediacodec permission
+type vendor_audio_cal_device, dev_type;
+type vendor_msm_rtac_device, dev_type;
+type vendor_media_aac_device, dev_type;
+type vendor_media_evrc_device, dev_type;
+type vendor_media_qcelp_device, dev_type;
\ No newline at end of file
diff --git a/qva/vendor/trinket/file.te b/qva/vendor/trinket/file.te
index 4e2b1fd..e253644 100644
--- a/qva/vendor/trinket/file.te
+++ b/qva/vendor/trinket/file.te
@@ -25,4 +25,9 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+# Changes from Qualcomm Innovation Center are provided under the following license:
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
type vendor_sysfs_fps_attr, fs_type, sysfs_type;
+type vendor_sysfs_uevent, fs_type, sysfs_type;
diff --git a/qva/vendor/trinket/file_contexts b/qva/vendor/trinket/file_contexts
index 9f38a24..c004202 100644
--- a/qva/vendor/trinket/file_contexts
+++ b/qva/vendor/trinket/file_contexts
@@ -28,6 +28,8 @@
# Dev block nodes
#Primary storage device nodes
+/dev/block/mmcblk0boot1 u:object_r:root_block_device:s0
+/dev/block/mmcblk0boot0 u:object_r:root_block_device:s0
/dev/block/mmcblk0rpmb u:object_r:vendor_rpmb_device:s0
/dev/block/mmcblk0 u:object_r:root_block_device:s0
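Review bot: Labelling `/dev/block/mmcblk0boot0` and `/dev/block/mmcblk0boot1` as root_block_device puts the eMMC boot partitions behind the same type as the whole-disk node. qva/vendor/trinket/qseecomd.te in this commit then adds `allow tee root_block_device:blk_file r_file_perms;`. The comment there says tee only needs `/dev/block/mmcblk0` for the gpt listener, so the boot partitions become readable by tee, and by any other domain already allowed root_block_device, as a side effect. If some component does need the boot partitions, a dedicated type would keep that grant separate. Otherwise these two lines need a comment naming the consumer.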
@@ -183,3 +185,15 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service-fpc u:object_r:vendor_hal_fingerprint_fpc_exec:s0
/sys/devices/platform/soc/1b46018.qfprom/qfprom0/nvmem u:object_r:vendor_sysfs_qfprom:s0
+
+# Audio
+/dev/msm_audio_cal u:object_r:vendor_audio_cal_device:s0
+#msm_lsm cdev
+/dev/msm_lsm_cdev u:object_r:vendor_msm_lsm_cdev_device:s0
+/dev/msm_rtac u:object_r:vendor_msm_rtac_device:s0
+/dev/msm_aac_in u:object_r:vendor_media_aac_device:s0
+
+/dev/msm_evrc_in u:object_r:vendor_media_evrc_device:s0
+/dev/msm_qcelp_in u:object_r:vendor_media_qcelp_device:s0
+
+/sys/devices/platform/soc/5900000.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpu_model u:object_r:vendor_sysfs_kgsl_gpu_model:s0
diff --git a/qva/vendor/trinket/genfs_contexts b/qva/vendor/trinket/genfs_contexts
index 384659d..c70dccb 100644
--- a/qva/vendor/trinket/genfs_contexts
+++ b/qva/vendor/trinket/genfs_contexts
@@ -26,6 +26,10 @@
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
###################################
+# Changes from Qualcomm Innovation Center are provided under the following license:
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
#pmic sysfs_nodes
genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm6125@0:qcom,pm6125_rtc/rtc u:object_r:sysfs_rtc:s0
genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-02/1c40000.qcom,spmi:qcom,pmi632@2:qcom,qpnp-smb5/power_supply/battery u:object_r:vendor_sysfs_battery_supply:s0
@@ -53,6 +57,46 @@
genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-02/1c40000.qcom,spmi:qcom,pmi632@2:qcom,power-on@800/wakeup/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-02/1c40000.qcom,spmi:qcom,pmi632@2:qcom,qpnp-smb5/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+# wakeup nodes listed from SuspendSepolicyTests.sh
+genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/0-02/1c40000.qcom,spmi:qcom,pmi632@2:qcom,power-on@800/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/0-00/1c40000.qcom,spmi:qcom,pm6125@0:qcom,power-on@800/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/0-02/1c40000.qcom,spmi:qcom,pmi632@2:qcom,qpnp-smb5/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4ac0000.qcom,qupv3_0_geni_se/4a84000.i2c/i2c-0/0-000c/4a84000.i2c:qcom,smb1355@c:qcom,smb1355-charger@1000/power_supply/parallel/wakeup12 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/0-02/1c40000.qcom,spmi:qcom,pmi632@2:qcom,qpnp-smb5/power_supply/usb/wakeup13 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/0-02/1c40000.qcom,spmi:qcom,pmi632@2:qcom,qpnp-smb5/power_supply/pc_port/wakeup14 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/0-02/1c40000.qcom,spmi:qcom,pmi632@2:qcom,qpnp-smb5/power_supply/battery/wakeup15 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4e00000.ssusb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/0-02/1c40000.qcom,spmi:qcom,pmi632@2:qpnp,qg/power_supply/bms/wakeup18 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/6080000.remoteproc-mss/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/0-00/1c40000.qcom,spmi:qcom,pm6125@0:qcom,pm6125_rtc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/ab00000.remoteproc-adsp/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/b300000.remoteproc-cdsp/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4ac0000.qcom,qupv3_0_geni_se/4a84000.i2c/i2c-0/0-0028/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4ac0000.qcom,qupv3_0_geni_se/4a88000.i2c/i2c-1/1-0020/synaptics_tcm.0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_aac/wakeup25 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_alac/wakeup26 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_amrnb/wakeup27 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_amrwb/wakeup28 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_amrwbplus/wakeup29 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/0-00/1c40000.qcom,spmi:qcom,pm6125@0:qcom,pm6125_rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_ape/wakeup30 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_evrc/wakeup31 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_g711alaw/wakeup32 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_g711mlaw/wakeup33 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_mp3/wakeup34 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_multi_aac/wakeup35 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_qcelp/wakeup36 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_wma/wakeup37 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_wmapro/wakeup38 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/fastrpc/adsprpc-smd/wakeup8 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/fastrpc/adsprpc-smd/wakeup9 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/5800000.qcom,ipa/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:gpio_keys/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1610000.qcom,msm-eud/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,msm-audio-apr/soc:qcom,msm-audio-apr:qcom,q6core-audio/soc:qcom,msm-audio-apr:qcom,q6core-audio:bolero-cdc/tx-macro/tx_swr_ctrl/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p_sleepstate/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4cc0000.qcom,qupv3_1_geni_se/4c90000.qcom,qup_uart/wakeup u:object_r:sysfs_wakeup:s0
+
# USB device wakeup nodes
genfscon sysfs /devices/platform/soc/4e00000.ssusb/wakeup/wakeup u:object_r:sysfs_wakeup:s0
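Review bot: Many of the added entries end in a numbered node (`wakeup12` to `wakeup15`, `wakeup18`, `wakeup25` to `wakeup38`, `wakeup8`, `wakeup9`). The kernel assigns those indexes as wakeup sources register, so they can shift when a driver is added, removed or probed in a different order. A shifted index leaves the real node on the default sysfs label and the entry here pointing at nothing. The block comment should record that the list is a snapshot, e.g. `# wakeupNN indexes depend on registration order; regenerate with SuspendSepolicyTests.sh after kernel or driver changes`.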
@@ -84,3 +128,12 @@
#net sysfs
genfscon sysfs /devices/platform/soc/c800000.qcom,icnss/net u:object_r:sysfs_net:s0
+
+#camera sysfs
+genfscon sysfs /devices/platform/soc/5c0c000.qcom,cci/5c0c000.qcom,cci:qcom,camera@0/video4linux/video2/name u:object_r:vendor_sysfs_graphics:s0
+genfscon sysfs /devices/platform/soc/5c0c000.qcom,cci/5c0c000.qcom,cci:qcom,camera@1/video4linux/video3/name u:object_r:vendor_sysfs_graphics:s0
+genfscon sysfs /devices/platform/soc/5c0c000.qcom,cci/5c0c000.qcom,cci:qcom,camera@2/video4linux/video4/name u:object_r:vendor_sysfs_graphics:s0
+
+#uevent sysfs
+genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/0-02/1c40000.qcom,spmi:qcom,pmi632@2:qcom,qpnp-smb5/power_supply/battery/uevent u:object_r:vendor_sysfs_uevent:s0
+genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/0-02/1c40000.qcom,spmi:qcom,pmi632@2:qpnp,qg/power_supply/bms/uevent u:object_r:vendor_sysfs_uevent:s0
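Review bot: The two `uevent` entries move `power_supply/battery/uevent` and `power_supply/bms/uevent` onto the new vendor_sysfs_uevent type, and the only rule on that type in this commit is `setattr` for vendor_qti_init_shell. An existing entry in this file labels a `qpnp-smb5/power_supply/battery` directory vendor_sysfs_battery_supply (under a `spmi0-02` path rather than `0-02`, so which applies on a given kernel should be confirmed). genfscon uses the longest matching prefix, so any domain that read these uevent files through a parent label loses access unless it is granted vendor_sysfs_uevent. Confirm that no reader regresses, and add a comment on why the nodes need a type of their own. Separately, the camera `video4linux/*/name` nodes reuse vendor_sysfs_graphics, which exposes them to every domain holding that graphics label. A short comment should say that is intended.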
diff --git a/qva/vendor/trinket/hal_audio_default.te b/qva/vendor/trinket/hal_audio_default.te
new file mode 100644
index 0000000..d5e2854
--- /dev/null
+++ b/qva/vendor/trinket/hal_audio_default.te
@@ -0,0 +1,9 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# for hal_audio_default to device permission
+allow hal_audio_default vendor_audio_cal_device:chr_file rw_file_perms;
+
+# Allow audio hal to communicate with msm_lsm char dev
+allow hal_audio_default vendor_msm_lsm_cdev_device:chr_file rw_file_perms;
+allow hal_audio_default vendor_msm_rtac_device:chr_file rw_file_perms;
diff --git a/qva/vendor/trinket/hal_camera.te b/qva/vendor/trinket/hal_camera.te
index 094cb7e..15ab135 100644
--- a/qva/vendor/trinket/hal_camera.te
+++ b/qva/vendor/trinket/hal_camera.te
@@ -25,4 +25,8 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-binder_call(hal_camera, system_server)
\ No newline at end of file
+binder_call(hal_camera, system_server)
+
+get_prop(hal_camera_default, vendor_video_prop)
+get_prop(hal_camera_default, bootanim_system_prop)
+allow hal_camera_default vendor_membuf_dev:chr_file r_file_perms;
diff --git a/qva/vendor/trinket/hal_graphics_allocator_default.te b/qva/vendor/trinket/hal_graphics_allocator_default.te
new file mode 100644
index 0000000..fed16a3
--- /dev/null
+++ b/qva/vendor/trinket/hal_graphics_allocator_default.te
@@ -0,0 +1,6 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+allow hal_graphics_allocator_default vendor_sysfs_kgsl_gpu_model:file r_file_perms;
+allow hal_graphics_allocator_default vendor_dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default vendor_dmabuf_system_uncached_heap_device:chr_file r_file_perms;
\ No newline at end of file
diff --git a/qva/vendor/trinket/hal_vibrator_default.te b/qva/vendor/trinket/hal_vibrator_default.te
new file mode 100644
index 0000000..c62deed
--- /dev/null
+++ b/qva/vendor/trinket/hal_vibrator_default.te
@@ -0,0 +1,5 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+#hal_vibrator_default permission
+allow hal_vibrator_default vendor_qc_aon_prop:file { read };
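Review bot: `allow hal_vibrator_default vendor_qc_aon_prop:file { read };` hand-writes one piece of what the property macro grants. Reading a property also needs open, getattr and map on the property file, so unless those are granted elsewhere this rule leaves further denials. `get_prop(hal_vibrator_default, vendor_qc_aon_prop)` is the form the rest of this commit uses. The same applies in qva/vendor/trinket/init_shell.te, where `vendor_qc_aon_prop:file { open getattr map }` omits `read`; `get_prop(vendor_qti_init_shell, vendor_qc_aon_prop)` would cover it.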
diff --git a/qva/vendor/trinket/init_shell.te b/qva/vendor/trinket/init_shell.te
new file mode 100644
index 0000000..40565f9
--- /dev/null
+++ b/qva/vendor/trinket/init_shell.te
@@ -0,0 +1,6 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+#init_shell
+allow vendor_qti_init_shell vendor_sysfs_uevent:file { setattr };
+allow vendor_qti_init_shell vendor_qc_aon_prop:file { open getattr map };
diff --git a/qva/vendor/trinket/mediacodec.te b/qva/vendor/trinket/mediacodec.te
new file mode 100644
index 0000000..b1c5112
--- /dev/null
+++ b/qva/vendor/trinket/mediacodec.te
@@ -0,0 +1,10 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+
+allow mediacodec vendor_audio_cal_device:chr_file rw_file_perms;
+allow mediacodec vendor_msm_rtac_device:chr_file rw_file_perms;
+allow mediacodec vendor_media_aac_device:chr_file rw_file_perms;
+allow mediacodec vendor_media_evrc_device:chr_file rw_file_perms;
+allow mediacodec vendor_media_qcelp_device:chr_file rw_file_perms;
+allow mediacodec logdr_socket:sock_file { write };
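Review bot: `allow mediacodec logdr_socket:sock_file { write };` is only part of what a log reader needs, and no matching connect rule to logd appears in this file. It looks like a denial copied from audit output rather than a capability someone decided to grant. If mediacodec really should read device logs, `read_logd(mediacodec)` states that explicitly, and it needs a justification comment because logs can carry data from other processes. If it should not, drop the rule or make it a `dontaudit`. The five device-node rules above it also lack the "which feature needs this" comment that the kona files in this commit carry.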
diff --git a/qva/vendor/trinket/mediaserver.te b/qva/vendor/trinket/mediaserver.te
new file mode 100644
index 0000000..5c97f80
--- /dev/null
+++ b/qva/vendor/trinket/mediaserver.te
@@ -0,0 +1,5 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# for mediaserver permission
+allow mediaserver package_native_service:service_manager { find };
diff --git a/qva/vendor/trinket/qseecomd.te b/qva/vendor/trinket/qseecomd.te
new file mode 100644
index 0000000..7740135
--- /dev/null
+++ b/qva/vendor/trinket/qseecomd.te
@@ -0,0 +1,5 @@
+#Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+#SPDX-License-Identifier: BSD-3-Clause-Clear
+
+#allow tee to read /dev/block/mmcblk0 for gpt listener
+allow tee root_block_device:blk_file r_file_perms;
diff --git a/qva/vendor/trinket/surfaceflinger.te b/qva/vendor/trinket/surfaceflinger.te
new file mode 100644
index 0000000..0795921
--- /dev/null
+++ b/qva/vendor/trinket/surfaceflinger.te
@@ -0,0 +1,5 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+binder_call(surfaceflinger, vendor_hal_qspmhal_default)
+allow surfaceflinger vendor_sysfs_kgsl_gpu_model:file r_file_perms;
diff --git a/qva/vendor/trinket/vendor_modprobe.te b/qva/vendor/trinket/vendor_modprobe.te
new file mode 100644
index 0000000..6a4060f
--- /dev/null
+++ b/qva/vendor/trinket/vendor_modprobe.te
@@ -0,0 +1,5 @@
+# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+#modprobe
+allow vendor_modprobe self:key { write };