diff --git a/BoardConfig.mk b/BoardConfig.mk
index 68fdd65..f129a1c 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -65,8 +65,6 @@ BOARD_USES_SEPERATED_VOIP := true
BOARD_HAVE_HTC_CSDCLIENT := true
# Camera
-USE_CAMERA_STUB := false
-TARGET_PROVIDES_CAMERA_HAL := true
BOARD_NEEDS_MEMORYHEAPPMEM := true
COMMON_GLOBAL_CFLAGS += -DDISABLE_HW_ID_MATCH_CHECK
COMMON_GLOBAL_CFLAGS += -DHTC_CAMERA_HARDWARE
@@ -108,6 +106,42 @@ WIFI_DRIVER_FW_PATH_P2P := "/system/etc/firmware/fw_bcm4334_p2p.bin"
BOARD_VENDOR_QCOM_GPS_LOC_API_HARDWARE := $(TARGET_BOARD_PLATFORM)
TARGET_NO_RPC := true
+# SElinux
+BOARD_SEPOLICY_DIRS := \
+ device/htc/dlx/sepolicy
+
+BOARD_SEPOLICY_UNION := \
+ file_contexts \
+ property_contexts \
+ te_macros \
+ bluetooth_loader.te \
+ bridge.te \
+ camera.te \
+ conn_init.te \
+ device.te \
+ dhcp.te \
+ domain.te \
+ drmserver.te \
+ file.te \
+ kickstart.te \
+ init.te \
+ mediaserver.te \
+ mpdecision.te \
+ netmgrd.te \
+ property.te \
+ qmux.te \
+ restorecon.te \
+ rild.te \
+ rmt.te \
+ sensors.te \
+ surfaceflinger.te \
+ system.te \
+ tee.te \
+ thermald.te \
+ ueventd.te \
+ wpa_supplicant.te \
+ zygote.te
+
# Filesystem
TARGET_USERIMAGES_USE_EXT4 := true
BOARD_BOOTIMAGE_PARTITION_SIZE := 16777216
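Review bot: `BOARD_SEPOLICY_DIRS :=` and `BOARD_SEPOLICY_UNION :=` replace rather than extend whatever an earlier-included BoardConfig may have set, so if this file inherits a shared platform config that also contributes sepolicy, those entries are silently dropped; `BOARD_SEPOLICY_DIRS += \` and `BOARD_SEPOLICY_UNION += \` would keep both. Whether such an include exists is not visible in this hunk. As I recall the build of this era only compiles policy files that are named in BOARD_SEPOLICY_UNION or BOARD_SEPOLICY_REPLACE, so a comment such as `# every file under device/htc/dlx/sepolicy must be listed here or it is not compiled in` above the union list would save the next person who adds a .te file.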
diff --git a/overlay/frameworks/base/packages/SettingsProvider/res/values/defaults.xml b/overlay/frameworks/base/packages/SettingsProvider/res/values/defaults.xml
deleted file mode 100644
index 591aace..0000000
--- a/overlay/frameworks/base/packages/SettingsProvider/res/values/defaults.xml
+++ /dev/null
@@ -1,22 +0,0 @@
-
-
-
-
- 1
-
diff --git a/overlay/packages/apps/Phone/res/values/network_mode.xml b/overlay/packages/apps/Phone/res/values/network_mode.xml
index 3836d11..38989fe 100755
--- a/overlay/packages/apps/Phone/res/values/network_mode.xml
+++ b/overlay/packages/apps/Phone/res/values/network_mode.xml
@@ -34,5 +34,5 @@
- 10
+ 8
diff --git a/rootdir/etc/fstab.dlx b/rootdir/etc/fstab.dlx
index 65140e9..4fd816e 100644
--- a/rootdir/etc/fstab.dlx
+++ b/rootdir/etc/fstab.dlx
@@ -1,10 +1,15 @@
# Android fstab file.
-#
+#
+# The filesystem that contains the filesystem checker binary (typically /system) cannot
+# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
-/dev/block/mmcblk0p32 /system ext4 ro,barrier=1 wait
-/dev/block/mmcblk0p34 /data ext4 noatime,nosuid,nodev,barrier=1,data=ordered,noauto_da_alloc wait,check,encryptable=/dev/block/mmcblk0p29
-/dev/block/mmcblk0p33 /cache ext4 noatime,nosuid,nodev,barrier=1,data=ordered wait,check
-#/dev/block/mmcblk0p24 /devlog ext4 noatime,nosuid,nodev,data=ordered,noauto_da_alloc wait
+/dev/block/mmcblk0p19 /boot emmc defaults defaults
+/dev/block/mmcblk0p20 /recovery emmc defaults defaults
+/dev/block/mmcblk0p32 /system ext4 rw,noatime,barrier=1 wait
+/dev/block/mmcblk0p33 /cache ext4 nosuid,nodev,noatime,barrier=1 wait,check
+/dev/block/mmcblk0p34 /data ext4 noatime,nosuid,nodev,noauto_da_alloc,barrier=1 wait,check,encryptable=footer
+/dev/block/mmcblk0p16 /firmware/mdm vfat ro,fmask=0000,dmask=0000,shortname=lower,context=u:object_r:radio_efs_file:s0 wait
+/dev/block/mmcblk0p17 /firmware/q6 vfat ro,fmask=0000,dmask=0000,shortname=lower,context=u:object_r:radio_efs_file:s0 wait
# USB storage
-/devices/platform/msm_hsusb_host/usb /storage/usbdisk auto defaults voldmanaged=usbdisk:auto
+/devices/platform/msm_hsusb_host/usb /storage/usbdisk auto defaults voldmanaged=usbdisk:auto
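Review bot: The `/system` entry is changed from `ro,barrier=1` to `rw,noatime,barrier=1`, which drops the read-only mount that keeps the system partition from being modified at runtime by anything running as root; the boot-time `restorecon /system/...` lines added to init.dlx.rc (`on fs`) look like the reason, since setting the security.selinux xattr needs a writable filesystem. The same file_contexts this commit adds is consumed when the system image is built, so those /system paths should already carry their labels without a runtime relabel; keeping `/dev/block/mmcblk0p32 /system ext4 ro,noatime,barrier=1 wait` and dropping the restorecon block would preserve the read-only /system. If some tool in the build path does not honour file_contexts for this target, a comment above the /system line saying that `rw` exists only to support the relabel would at least make the trade-off explicit.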
diff --git a/rootdir/etc/init.dlx.rc b/rootdir/etc/init.dlx.rc
index 6035e28..f4c2726 100755
--- a/rootdir/etc/init.dlx.rc
+++ b/rootdir/etc/init.dlx.rc
@@ -70,6 +70,16 @@ on fs
symlink /system/vendor/pittpatt /vendor/pittpatt
symlink /system/vendor/firmware/libpn544_fw.so /vendor/firmware/libpn544_fw.so
+ # Restorecon
+ restorecon /system/bin/efsks
+ restorecon /system/bin/ks
+ restorecon /system/bin/qcks
+ restorecon /system/etc/hldm.bin
+ restorecon /system/etc/hltof.bin
+ restorecon /system/etc/hltrd.bin
+ restorecon /system/etc/firmware/a300_pfp.fw
+ restorecon /system/etc/firmware/a300_pm4.fw
+
on early-boot
# set RLIMIT_MEMLOCK to 64MB
setrlimit 8 67108864 67108864
@@ -297,6 +307,7 @@ service mpdecision /system/bin/mpdecision --no_sleep --avg_comp
service kickstart /system/bin/qcks -1 modem_st1 -2 modem_st2 -3 radio_config -4 cdma_record -i /vendor/firmware/
class core
user root
+ seclabel u:r:kickstart:s0
oneshot
service startup /system/bin/sh /init.qcom.sh
@@ -311,14 +322,14 @@ service sdcard /system/bin/sdcard /data/media /mnt/shell/emulated 1023 1023
service wpa_supplicant /system/bin/wpa_supplicant -Dnl80211 -iwlan0 -c/data/misc/wifi/wpa_supplicant.conf
user root
group wifi inet
- socket wpa_wlan0 dgram 0660 wifi wifi
+ socket wpa_wlan0 dgram 0660 wifi wifi u:object_r:wpa_socket:s0
disabled
oneshot
service p2p_supplicant /system/bin/wpa_supplicant -Dnl80211 -iwlan0 -c/data/misc/wifi/wpa_supplicant.conf
user root
group wifi inet
- socket wpa_wlan0 dgram 0660 wifi wifi
+ socket wpa_wlan0 dgram 0660 wifi wifi u:object_r:wpa_socket:s0
disabled
oneshot
diff --git a/sepolicy/bluetooth_loader.te b/sepolicy/bluetooth_loader.te
new file mode 100644
index 0000000..d68ef0c
--- /dev/null
+++ b/sepolicy/bluetooth_loader.te
@@ -0,0 +1,39 @@
+# Bluetooth executables and script (bdAddrLoader, init.qcom.bt.sh)
+type bluetooth_loader, domain;
+type bluetooth_loader_exec, exec_type, file_type;
+
+# Start bdAddrLoader from init
+init_daemon_domain(bluetooth_loader)
+
+# Run init.qcom.bt.sh
+allow bluetooth_loader shell_exec:file { entrypoint read };
+allow bluetooth_loader bluetooth_loader_exec:file { getattr open execute_no_trans };
+
+# init.qcom.bt.sh needs /system/bin/log access
+allow bluetooth_loader devpts:chr_file rw_file_perms;
+
+# Run hci_qcomm_init from init.qcom.bt.sh
+domain_auto_trans(bluetooth_loader, hci_attach_exec, hci_attach)
+
+# hci_qcomm_init started with logwrapper
+allow hci_attach devpts:chr_file rw_file_perms;
+allow hci_attach bluetooth_loader:fd use;
+
+# Read mac address from persist partition
+allow bluetooth_loader persist_file:dir search;
+r_dir_file(bluetooth_loader, persist_bluetooth_file)
+
+# Talk to init over the property socket
+unix_socket_connect(bluetooth_loader, property, init)
+# Set persist.service.bdroid.* and bluetooth.* property values
+allow { bluetooth bluetooth_loader } bluetooth_prop:property_service set;
+
+# Shared memory node access
+allow hci_attach bluetooth_device:chr_file rw_file_perms;
+
+# Allow getprop/setprop for init.mako.bt.sh
+allow bluetooth_loader system_file:file execute_no_trans;
+
+# Bluetooth
+allow bluetooth radio_efs_file:file r_file_perms;
+allow bluetooth radio_efs_file:dir { open read search };
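Review bot: The comment `# Allow getprop/setprop for init.mako.bt.sh` names the Nexus 4 script, while the file header says this device runs `init.qcom.bt.sh`, so the rule below it looks copied from the mako policy; update it to `# Allow getprop/setprop (toolbox) from init.qcom.bt.sh`. The rule it explains, `allow bluetooth_loader system_file:file execute_no_trans;`, lets the domain execute any system_file binary in its own domain, which is much wider than getprop/setprop; if those are the only need, say so in the comment so a later reviewer can judge whether a narrower label is worth it. The rules for the `hci_attach` and `bluetooth` domains (devpts, bluetooth_device, radio_efs_file) live in this file rather than their own .te files, which makes them hard to find; a one-line comment noting that they are kept here because they exist only to support the loader would help.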
diff --git a/sepolicy/bridge.te b/sepolicy/bridge.te
new file mode 100644
index 0000000..381ea16
--- /dev/null
+++ b/sepolicy/bridge.te
@@ -0,0 +1,17 @@
+# Bridge Manager (radio process)
+type bridge, domain;
+type bridge_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(bridge)
+
+allow bridge self:netlink_kobject_uevent_socket { create bind read };
+
+# Allow logging diagnostic items
+allow bridge diagnostic_device:chr_file rw_file_perms;
+
+# Talk to qmuxd
+qmux_socket(bridge)
+
+# XXX Label sysfs files with a specific type?
+allow bridge sysfs:file { open write read getattr };
diff --git a/sepolicy/camera.te b/sepolicy/camera.te
new file mode 100644
index 0000000..fb31e0a
--- /dev/null
+++ b/sepolicy/camera.te
@@ -0,0 +1,26 @@
+# Qualcomm MSM camera
+type camera, domain;
+type camera_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(camera)
+
+allow camera self:process execmem;
+
+allow camera camera_device:dir search;
+allow camera { video_device camera_device }:chr_file rw_file_perms;
+allow camera { surfaceflinger mediaserver }:fd use;
+
+# Create /data/cam_socket0 as camera_socket
+type_transition camera system_data_file:sock_file camera_socket "cam_socket0";
+allow camera camera_socket:sock_file { create unlink };
+dontaudit camera system_data_file:dir remove_name;
+
+# All others under /data get camera_data_file
+file_type_auto_trans(camera, system_data_file, camera_data_file);
+allow camera camera_data_file:dir { write add_name };
+allow camera camera_data_file:file create_file_perms;
+
+# Connect to /data/app/sensor_ctl_socket
+unix_socket_connect(camera, sensors, sensors)
+allow camera sensors_socket:sock_file read;
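Review bot: `allow camera self:process execmem;` permits anonymous memory that is both writable and executable, which removes W^X protection for a daemon that handles untrusted image data, and the rule carries no comment; tee.te grants the same `execmem` to `tee` at its second line, also uncommented. Presumably a vendor library needs it, but that should be recorded, e.g. `# execmem: required by the vendor camera library (TODO: confirm which one)`, so it can be revisited when the blob changes. The `file_type_auto_trans(camera, system_data_file, camera_data_file);` line also makes any new file the daemon creates under /data land as camera_data_file, so `allow camera camera_data_file:file create_file_perms` is effectively write access anywhere under /data the daemon can reach; a comment naming the directories it actually writes would bound that.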
diff --git a/sepolicy/conn_init.te b/sepolicy/conn_init.te
new file mode 100644
index 0000000..4acd65c
--- /dev/null
+++ b/sepolicy/conn_init.te
@@ -0,0 +1,15 @@
+# wifi connection service
+type conn_init, domain;
+type conn_init_exec, exec_type, file_type;
+
+# Started by logwrapper in init
+domain_auto_trans(init, conn_init_exec, conn_init)
+allow conn_init devpts:chr_file { read write };
+
+# allow /persist/wifi access
+allow conn_init persist_file:dir search;
+r_dir_file(conn_init, persist_wifi_file)
+
+# allow /data/misc/wifi access for firmware files
+allow conn_init wifi_data_file:dir w_dir_perms;
+allow conn_init wifi_data_file:file create_file_perms;
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..e022fb8
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1,9 @@
+type diagnostic_device, dev_type;
+type kgsl_device, dev_type, mlstrustedobject;
+type mpdecision_device, dev_type;
+type shared_log_device, dev_type;
+type power_control_device, dev_type;
+type efs_block_device, dev_type;
+type bluetooth_device, dev_type;
+type shared_memory_device, dev_type;
+type rfkill_device, dev_type;
diff --git a/sepolicy/dhcp.te b/sepolicy/dhcp.te
new file mode 100644
index 0000000..c403b9b
--- /dev/null
+++ b/sepolicy/dhcp.te
@@ -0,0 +1 @@
+allow dhcp self:rawip_socket { create write setopt };
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
new file mode 100644
index 0000000..8fdcb15
--- /dev/null
+++ b/sepolicy/domain.te
@@ -0,0 +1,3 @@
+allow domain kgsl_device:chr_file rw_file_perms;
+# libgsl is chatty about accessing /data/local/tmp
+dontaudit { surfaceflinger appdomain } shell_data_file:dir search;
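Review bot: `allow domain kgsl_device:chr_file rw_file_perms;` gives every process on the device, including untrusted app domains and daemons with no graphics role, read/write access to the GPU device, and it has no comment. If the intent is that all app processes drive the GPU through EGL this is the usual shape for the rule, but it should say so: `# GPU device is opened by every process that renders (apps via EGL, surfaceflinger, mediaserver)`. The dontaudit on the next lines is self-explanatory and fine.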
diff --git a/sepolicy/drmserver.te b/sepolicy/drmserver.te
new file mode 100644
index 0000000..2c224e1
--- /dev/null
+++ b/sepolicy/drmserver.te
@@ -0,0 +1,2 @@
+# Drm wants to read /firmware/image/tzapps.mdt
+r_dir_file(drmserver, radio_efs_file)
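Review bot: The comment `# Drm wants to read /firmware/image/tzapps.mdt` names a path that nothing else in this commit labels as radio_efs_file: fstab.dlx mounts `/firmware/mdm` and `/firmware/q6`, and file_contexts labels `/firmware/mdm/image(/.*)?` as kickstart_data_file while only `/firmware/q6(/.*)?` and `/system/etc/firmware(/.*)?` are radio_efs_file. Either the comment is stale (then point it at the path that actually carries radio_efs_file), or the grant targets the wrong type and will not satisfy the reader. A quick check of the denial that motivated this line would settle which; I'd rewrite the comment once the real path is known rather than leave a path that contradicts file_contexts.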
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..2e634e6
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,22 @@
+type mpdecision_socket, file_type;
+type qmuxd_socket, file_type;
+type sensors_socket, file_type;
+type camera_socket, file_type;
+
+type kickstart_data_file, file_type, data_file_type;
+type sensors_data_file, file_type, data_file_type;
+type camera_data_file, file_type, data_file_type;
+
+# Default type for anything under /firmware
+type radio_efs_file, fs_type;
+allow fs_type radio_efs_file:filesystem associate;
+
+allow radio_efs_file labeledfs:filesystem associate;
+allow radio_efs_file rootfs:filesystem associate;
+
+# Persist firmware types
+type persist_file, file_type;
+type persist_bluetooth_file, file_type;
+type persist_drm_file, file_type;
+type persist_sensors_file, file_type;
+type persist_wifi_file, file_type;
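Review bot: `type radio_efs_file, fs_type;` is used both as the `context=` of the two vfat mounts in fstab.dlx and as the label of ordinary files on /system (`/system/etc/firmware(/.*)?`, `hldm.bin` and friends in file_contexts); because it is declared `fs_type` rather than `file_type`, generic rules written against the `file_type` attribute do not cover those /system files, which is probably why init.te and restorecon.te acquire unusual `associate` rules. Declaring a second type with `file_type` for the /system copies and keeping radio_efs_file for the vfat mounts would keep the two roles separate. Separately, `allow fs_type radio_efs_file:filesystem associate;` lets every filesystem type in the policy be associated with that filesystem; only the types actually placed on it need this, so `allow radio_efs_file radio_efs_file:filesystem associate;` is the narrower form. The existing `# Default type for anything under /firmware` comment could mention that the type is also applied to files on /system.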
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..800d72a
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,127 @@
+/dev/msm_acdb u:object_r:audio_device:s0
+/dev/msm_mp3 u:object_r:audio_device:s0
+/dev/msm_rtac u:object_r:audio_device:s0
+/dev/msm_vidc.* u:object_r:audio_device:s0
+/dev/msm_amrnb.* u:object_r:audio_device:s0
+/dev/msm_amrwb.* u:object_r:audio_device:s0
+/dev/msm_aac.* u:object_r:audio_device:s0
+
+/dev/pn544 u:object_r:nfc_device:s0
+/dev/qseecom u:object_r:tee_device:s0
+
+# Jpeg Engine support
+/dev/gemini.* u:object_r:camera_device:s0
+
+# MSM camera related
+/dev/v4l-subdev.* u:object_r:camera_device:s0
+/dev/video.* u:object_r:camera_device:s0
+/dev/msm_camera.* u:object_r:camera_device:s0
+
+# Media interface
+/dev/media.* u:object_r:video_device:s0
+
+# Image Rotator Driver
+/dev/msm_rotator u:object_r:video_device:s0
+
+# Audio
+/dev/rt5501 u:object_r:audio_device:s0
+/dev/tfa9887 u:object_r:audio_device:s0
+/dev/tpa6185 u:object_r:audio_device:s0
+
+# Sensors
+/dev/msm_dsps u:object_r:sensors_device:s0
+/dev/smd_sns_dsps u:object_r:sensors_device:s0
+/dev/akm8963_dev u:object_r:sensors_device:s0
+/dev/cm3602 u:object_r:sensors_device:s0
+/dev/lightsensor u:object_r:sensors_device:s0
+
+/dev/mdm u:object_r:radio_device:s0
+/dev/hsicctl[0-3] u:object_r:radio_device:s0
+/dev/rmnet_mux_ctrl u:object_r:radio_device:s0
+/dev/qmi[0-2] u:object_r:radio_device:s0
+/dev/smd7 u:object_r:radio_device:s0
+/dev/smdcntl0 u:object_r:radio_device:s0
+/dev/smdcntl1 u:object_r:radio_device:s0
+/dev/smdcntl2 u:object_r:radio_device:s0
+/dev/smdcntl3 u:object_r:radio_device:s0
+/dev/smdcntl4 u:object_r:radio_device:s0
+/dev/smdcntl5 u:object_r:radio_device:s0
+/dev/smdcntl6 u:object_r:radio_device:s0
+/dev/smdcntl7 u:object_r:radio_device:s0
+/dev/ttyUSB0 u:object_r:radio_device:s0
+
+/dev/ttyHS0 u:object_r:hci_attach_dev:s0
+/dev/ttyMSM0 u:object_r:hci_attach_dev:s0
+/dev/smd2 u:object_r:hci_attach_dev:s0
+/dev/smd3 u:object_r:hci_attach_dev:s0
+
+/dev/cpu_dma_latency u:object_r:power_control_device:s0
+/dev/diag u:object_r:diagnostic_device:s0
+/dev/smd.* u:object_r:shared_memory_device:s0
+/dev/smem_log u:object_r:shared_log_device:s0
+/dev/kgsl-3d0 u:object_r:kgsl_device:s0
+/dev/kgsl u:object_r:kgsl_device:s0
+
+# Sockets
+/dev/socket/qmux_audio(/.*)? u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_bluetooth(/.*)? u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_gps(/.*)? u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_radio(/.*)? u:object_r:qmuxd_socket:s0
+/dev/socket/mpdecision(/.*)? u:object_r:mpdecision_socket:s0
+
+# Block labeling
+/dev/block/mmcblk0p22 u:object_r:efs_block_device:s0
+/dev/block/mmcblk0p23 u:object_r:efs_block_device:s0
+/dev/block/mmcblk0p30 u:object_r:efs_block_device:s0
+/dev/block/mmcblk0p18 u:object_r:efs_block_device:s0
+
+# Modem firmware loader
+/dev/ks_hsic_bridge u:object_r:kickstart_device:s0
+/dev/efs_hsic_bridge u:object_r:kickstart_device:s0
+
+# Data labeling
+/data/audio(/.*)? u:object_r:audio_data_file:s0
+/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
+/data/nfc(/.*)? u:object_r:nfc_data_file:s0
+/data/qcks(/.*)? u:object_r:kickstart_data_file:s0
+/data/misc/sensors(/.*)? u:object_r:sensors_data_file:s0
+/data/misc/playready(/.*)? u:object_r:drm_data_file:s0
+/data/misc/tzapps(/.*)? u:object_r:tee_data_file:s0
+/data/system/sensors(/.*)? u:object_r:sensors_data_file:s0
+
+# System binaries
+/system/bin/rmt_storage u:object_r:rmt_exec:s0
+/system/bin/thermald u:object_r:thermald_exec:s0
+/system/bin/mpdecision u:object_r:mpdecision_exec:s0
+/system/bin/mm-qcamera-daemon u:object_r:camera_exec:s0
+/system/bin/sensors.qcom u:object_r:sensors_exec:s0
+/system/bin/qmuxd u:object_r:qmux_exec:s0
+/system/bin/bridgemgrd u:object_r:bridge_exec:s0
+/system/bin/netmgrd u:object_r:netmgrd_exec:s0
+/system/bin/qseecomd u:object_r:tee_exec:s0
+/system/bin/conn_init u:object_r:conn_init_exec:s0
+/system/bin/efsks u:object_r:kickstart_exec:s0
+/system/bin/ks u:object_r:kickstart_exec:s0
+/system/bin/qcks u:object_r:kickstart_exec:s0
+/system/bin/hci_qcomm_init u:object_r:hci_attach_exec:s0
+/system/bin/restorecon u:object_r:restorecon_exec:s0
+
+# Persist firmware filesystem
+/persist(/.*)? u:object_r:persist_file:s0
+/persist/bluetooth(/.*)? u:object_r:persist_bluetooth_file:s0
+/persist/sensors(/.*)? u:object_r:persist_sensors_file:s0
+/persist/playready(/.*)? u:object_r:persist_drm_file:s0
+/persist/widevine(/.*)? u:object_r:persist_drm_file:s0
+/persist/wifi(/.*)? u:object_r:persist_wifi_file:s0
+
+# Firmwares
+/firmware/mdm/image(/.*)? u:object_r:kickstart_data_file:s0
+/firmware/q6(/.*)? u:object_r:radio_efs_file:s0
+/system/etc/firmware(/.*)? u:object_r:radio_efs_file:s0
+
+/system/etc/hldm.bin u:object_r:radio_efs_file:s0
+/system/etc/hltof.bin u:object_r:radio_efs_file:s0
+/system/etc/hltrd.bin u:object_r:radio_efs_file:s0
+
+# for wpa_supp
+/dev/rfkill u:object_r:rfkill_device:s0
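Review bot: `/dev/smd.* u:object_r:shared_memory_device:s0` sits after the more specific entries `/dev/smd7` (radio_device), `/dev/smd2` and `/dev/smd3` (hci_attach_dev) and `/dev/smd_sns_dsps` (sensors_device); as I understand file_contexts lookup, the last matching entry wins, so all of those nodes would end up as shared_memory_device and the rild/hci_attach/sensors grants written against the specific types would never apply. Moving the `/dev/smd.*` line up so it precedes the specific smd entries (the general-before-specific order the rest of this file follows for `/persist`) fixes that. `/dev/msm_vidc.* u:object_r:audio_device:s0` also reads oddly for a video codec node; if it is intentional a one-line comment would stop the next reader from "fixing" it.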
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 0000000..63b8233
--- /dev/null
+++ b/sepolicy/init.te
@@ -0,0 +1,4 @@
+allow init wpa_socket:unix_dgram_socket { bind create };
+
+allow init labeledfs:filesystem { associate };
+allow init rootfs:filesystem { associate };
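Review bot: `allow init labeledfs:filesystem { associate };` and `allow init rootfs:filesystem { associate };` use a process domain as the source of `associate`, but that permission is checked with the type of the file being placed on the filesystem as source, so these rules only match if some file is labeled `init`, which nothing in this commit does. The same shape appears in restorecon.te (`allow restorecon radio_efs_file:filesystem { associate }`). If these were transcribed from denials, the source context in those denials is more likely a file type such as radio_efs_file, for which file.te already has the associate rules; I'd drop the two init lines unless a denial with scontext=init can be shown.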
diff --git a/sepolicy/kickstart.te b/sepolicy/kickstart.te
new file mode 100644
index 0000000..15a84c3
--- /dev/null
+++ b/sepolicy/kickstart.te
@@ -0,0 +1,51 @@
+# kickstart processes and scripts
+type kickstart, domain;
+type kickstart_exec, exec_type, file_type;
+type kickstart_device, dev_type;
+
+# kickstart_checker.sh talks to init over the property socket
+unix_socket_connect(kickstart, property, init)
+
+# Start /system/bin/qcks from init
+init_daemon_domain(kickstart)
+
+# Spawn /system/bin/efsks and /system/bin/ks
+allow kickstart kickstart_exec:file { open execute_no_trans getattr };
+
+# Run dd on m9kefs[123] block devices; write to /data/qcks/
+# Run cat on firmware and m9kefs[123] data; write to /data/qcks/
+allow kickstart efs_block_device:blk_file rw_file_perms;
+
+allow kickstart kickstart_data_file:file create_file_perms;
+allow kickstart kickstart_data_file:dir rw_dir_perms;
+
+allow kickstart radio_efs_file:file r_file_perms;
+allow kickstart radio_efs_file:dir search;
+
+# Let efsks access /dev/mdm and /dev/ttyUSB0 nodes
+allow kickstart radio_device:chr_file { open read write ioctl getattr };
+
+# Allow to run toolbox commands
+allow kickstart shell_exec:file rx_file_perms;
+
+# Toolbox commands for firmware dd
+allow kickstart system_file:file execute_no_trans;
+
+# Access to /dev/block/platform/msm_sdcc.1/by-name/m9kefs2
+allow kickstart block_device:dir { getattr write search };
+
+# Set system property key
+allow kickstart radio_prop:property_service set;
+
+allow kickstart shell_exec:file entrypoint;
+# ls on /data/qcks/
+allow kickstart self:capability dac_override;
+
+allow kickstart kickstart_tmpfs:file { open write create getattr setattr unlink };
+allow kickstart tmpfs:dir { add_name remove_name };
+
+# Access to the modem bridge chardevs
+allow kickstart kickstart_device:chr_file rw_file_perms;
+
+# set wake locks
+allow kickstart sysfs:file { write };
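Review bot: `allow kickstart self:capability dac_override;` with the comment `# ls on /data/qcks/` grants a blanket bypass of all DAC permission checks to fix what looks like an ownership problem on one directory; if /data/qcks is created with a different owner, giving it the right owner/group where it is created is the narrow fix and the capability can go. `allow kickstart block_device:dir { getattr write search }` grants `write` on the /dev/block directories themselves, which is unusual for a reader of by-name symlinks and deserves a comment saying what is created there. `rw_file_perms` on efs_block_device and `execute_no_trans` on any `system_file` are both expected for a dd-based EFS backup tool, but together with dac_override they make this a very capable domain, so the comments on each line should name the exact binaries and partitions so the grants can be trimmed later.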
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 0000000..0dc6af3
--- /dev/null
+++ b/sepolicy/mediaserver.te
@@ -0,0 +1,12 @@
+allow mediaserver audio_data_file:dir w_dir_perms;
+allow mediaserver audio_data_file:file create_file_perms;
+allow mediaserver camera_data_file:sock_file w_file_perms;
+
+qmux_socket(mediaserver)
+
+unix_socket_send(mediaserver, camera, camera)
+
+allow mediaserver self:socket create;
+
+# Allow logging diagnostic items
+allow mediaserver diagnostic_device:chr_file rw_file_perms;
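Review bot: `qmux_socket(mediaserver)` hands mediaserver, which parses untrusted media, a client socket to the modem multiplexer, and `allow mediaserver self:socket create;` opens the generic socket class; neither line says why. A comment naming the component that needs the modem channel (presumably the voice/audio path, but that should be confirmed) and the socket family behind the generic `socket` grant would let a reviewer judge whether the exposure is needed, e.g. `# QMI access for the voice call audio path (TODO: confirm library)`.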
diff --git a/sepolicy/mpdecision.te b/sepolicy/mpdecision.te
new file mode 100644
index 0000000..349d440
--- /dev/null
+++ b/sepolicy/mpdecision.te
@@ -0,0 +1,20 @@
+# CPU governor (root process)
+type mpdecision, domain;
+type mpdecision_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(mpdecision)
+
+# dac_override to unlink /dev/socket/mpdecision/touchboost
+allow mpdecision self:capability { dac_override fsetid net_admin };
+allow mpdecision self:netlink_kobject_uevent_socket { create read setopt bind read };
+
+# Create under /dev/socket/mpdecision
+allow mpdecision mpdecision_socket:dir w_dir_perms;
+allow mpdecision mpdecision_socket:sock_file { create setattr write };
+
+allow mpdecision socket_device:dir { write add_name };
+allow mpdecision socket_device:sock_file { create setattr write };
+
+# XXX Should we label with own type?
+allow mpdecision sysfs:file { read open write setattr };
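Review bot: `allow mpdecision self:netlink_kobject_uevent_socket { create read setopt bind read };` lists `read` twice; `{ create read setopt bind }` is the intended set. The pair `allow mpdecision socket_device:dir { write add_name };` and `allow mpdecision socket_device:sock_file { create setattr write };` lets the daemon create sockets directly in /dev/socket carrying the generic socket_device label, while the labeled `/dev/socket/mpdecision(/.*)?` directory is already covered by the mpdecision_socket rules above; the comment only mentions touchboost, which file_contexts places under that directory. If a second socket really is created at the top level of /dev/socket, it should get its own file_contexts entry or a type_transition so it is not left as socket_device, and the comment should name it.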
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
new file mode 100644
index 0000000..eeb5395
--- /dev/null
+++ b/sepolicy/netmgrd.te
@@ -0,0 +1,28 @@
+# Network utilities (radio process)
+type netmgrd, domain;
+type netmgrd_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(netmgrd)
+
+allow netmgrd self:udp_socket { create ioctl };
+# fsetid, dac_override unlink on /dev/socket/qmux_radio/qmux_client_socket
+allow netmgrd self:capability { sys_module fsetid setuid setgid net_admin net_raw dac_override };
+allow netmgrd self:packet_socket { write bind read create };
+allow netmgrd self:netlink_socket { write read create bind setopt };
+allow netmgrd self:netlink_route_socket { create bind read write nlmsg_read nlmsg_write setopt getattr };
+
+# Talk to qmuxd
+qmux_socket(netmgrd)
+
+# Allow logging diagnostic items
+allow netmgrd diagnostic_device:chr_file rw_file_perms;
+
+# /data/data_test/ access with shell
+allow netmgrd shell_exec:file { execute read open execute_no_trans };
+allow netmgrd system_file:file { execute_no_trans };
+
+# Talk to init over the property socket
+unix_socket_connect(netmgrd, property, init)
+# Set net.rmnet_usb0. values
+allow netmgrd radio_prop:property_service set;
diff --git a/sepolicy/property.te b/sepolicy/property.te
new file mode 100644
index 0000000..74e15e1
--- /dev/null
+++ b/sepolicy/property.te
@@ -0,0 +1 @@
+type bluetooth_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
new file mode 100644
index 0000000..d47798d
--- /dev/null
+++ b/sepolicy/property_contexts
@@ -0,0 +1,3 @@
+persist.service.bdroid. u:object_r:bluetooth_prop:s0
+bluetooth. u:object_r:bluetooth_prop:s0
+net.rmnet_usb0. u:object_r:radio_prop:s0
diff --git a/sepolicy/qmux.te b/sepolicy/qmux.te
new file mode 100644
index 0000000..2815adb
--- /dev/null
+++ b/sepolicy/qmux.te
@@ -0,0 +1,19 @@
+# Qualcomm Management Interface Multiplexer
+type qmux, domain;
+type qmux_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(qmux)
+
+# Create local qmux_connect_socket
+allow qmux qmuxd_socket:dir w_dir_perms;
+allow qmux qmuxd_socket:sock_file { create setattr getattr unlink };
+
+# /dev/hsicctl* node access
+allow qmux radio_device:chr_file rw_file_perms;
+
+# Allow logging diagnostic items
+allow qmux diagnostic_device:chr_file rw_file_perms;
+
+# XXX Should we label with own type
+allow qmux sysfs:file { open write append read getattr };
diff --git a/sepolicy/restorecon.te b/sepolicy/restorecon.te
new file mode 100644
index 0000000..4410ece
--- /dev/null
+++ b/sepolicy/restorecon.te
@@ -0,0 +1,6 @@
+# restorecon processes and scripts
+type restorecon, domain;
+type restorecon_exec, exec_type, file_type;
+
+allow restorecon radio_efs_file:file { getattr };
+allow restorecon radio_efs_file:filesystem { associate };
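Review bot: Nothing in this commit ever enters the `restorecon` domain: there is no `init_daemon_domain(restorecon)` or `domain_auto_trans(...)` for restorecon_exec, and the `restorecon` lines added to init.dlx.rc are, as far as I know, handled by init's builtin command rather than by executing `/system/bin/restorecon`, so the two allow rules here are dead. The second of them, `allow restorecon radio_efs_file:filesystem { associate };`, also has a process domain as the source of `associate`, which is checked with a file type as source. Either add the transition that is meant to enter this domain and document the caller, or drop the file and the `restorecon_exec` entry in file_contexts.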
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
new file mode 100644
index 0000000..4f675d1
--- /dev/null
+++ b/sepolicy/rild.te
@@ -0,0 +1,12 @@
+allow rild self:netlink_socket { create bind read write };
+allow rild self:netlink_route_socket { write };
+allow rild self:netlink_kobject_uevent_socket { create setopt bind };
+
+# Talk to qmuxd
+qmux_socket(rild)
+
+# Allow logging diagnostic items
+allow rild diagnostic_device:chr_file rw_file_perms;
+
+# XXX label with own type?
+allow rild sysfs:file { read open write getattr };
diff --git a/sepolicy/rmt.te b/sepolicy/rmt.te
new file mode 100644
index 0000000..b0b5289
--- /dev/null
+++ b/sepolicy/rmt.te
@@ -0,0 +1,27 @@
+# remote storage process
+type rmt, domain;
+type rmt_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(rmt)
+
+# opens and reads the primary block device
+allow rmt block_device:blk_file { open read };
+allow rmt block_device:dir search;
+
+# XXX should we allow sys_rawio on /dev/mem?
+allow rmt self:capability { sys_rawio };
+# dac_override on open /sys/power/wake_lock
+allow rmt self:capability { setuid setgid dac_override };
+allow rmt self:socket { create ioctl bind setopt read };
+
+allow rmt cgroup:dir { create add_name };
+# XXX do we need write access?
+allow rmt kmem_device:chr_file rw_file_perms;
+
+# Allow shared memory logging access
+allow rmt shared_log_device:chr_file rw_file_perms;
+
+# XXX Should we label with own type?
+allow rmt sysfs:file { open append read getattr write };
+allow rmt sysfs:dir rw_dir_perms;
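Review bot: `allow rmt kmem_device:chr_file rw_file_perms;` together with `sys_rawio` gives this daemon read and write access to /dev/mem, which is effectively arbitrary physical-memory access and makes the rest of this domain's confinement nominal; the `# XXX do we need write access?` comment already doubts it, so this is the line to verify against audit logs before shipping, and to reduce to `r_file_perms` if no write denial appears. `allow rmt block_device:blk_file { open read };` likewise reads every block device with the generic label, including userdata; this commit already introduces `efs_block_device` for specific partitions, so labeling the partition rmt_storage actually serves and granting only that type is the narrower form. The duplicated `self:capability` rules on consecutive lines could be merged into one set with a single comment.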
diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te
new file mode 100644
index 0000000..430fad4
--- /dev/null
+++ b/sepolicy/sensors.te
@@ -0,0 +1,33 @@
+# Integrated qualcomm sensor process
+type sensors, domain;
+type sensors_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(sensors)
+
+# dac_override open /dev/msm_dsps
+allow sensors self:capability { setuid setgid chown dac_override };
+
+# Allow logging diagnostic items
+allow sensors diagnostic_device:chr_file rw_file_perms;
+
+# Create /data/app/sensor_ctl_socket
+file_type_auto_trans(sensors, apk_data_file, sensors_socket);
+
+allow sensors sensors_data_file:dir create_dir_perms;
+allow sensors sensors_data_file:file create_file_perms;
+dontaudit sensors apk_data_file:dir remove_name;
+
+# Access to sensor nodes
+allow sensors sensors_device:chr_file rw_file_perms;
+
+# XXX should power_control_device be labeled differently?
+allow sensors power_control_device:chr_file { write open append };
+
+# Access to /persist/sensors
+allow sensors persist_file:dir { search getattr };
+allow sensors persist_sensors_file:dir r_dir_perms;
+allow sensors persist_sensors_file:file rw_file_perms;
+
+# XXX label with own type?
+allow sensors sysfs:file { open append read write getattr };
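Review bot: `file_type_auto_trans(sensors, apk_data_file, sensors_socket);` places the daemon's control socket in /data/app, the APK install directory, which is why the `dontaudit sensors apk_data_file:dir remove_name` is needed; a privileged daemon's IPC endpoint inside the app-install tree mixes two trust levels, and `/data/misc/sensors(/.*)?` is already labeled sensors_data_file in file_contexts. If the socket path is fixed by the vendor binary, note that in the comment (`# path is hard-coded in sensors.qcom`); otherwise an init `socket` entry under /dev/socket or a path under /data/misc/sensors would avoid the apk_data_file grants. `allow sensors self:capability { setuid setgid chown dac_override };` is only explained for dac_override; the other three deserve a word each.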
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..aca5928
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1 @@
+allow surfaceflinger sysfs:file rw_file_perms;
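Review bot: `allow surfaceflinger sysfs:file rw_file_perms;` grants write access to every file in sysfs with no comment, whereas the other files in this commit that do the same at least carry an `# XXX Should we label with own type?` note. Add the same note and name the node it needs (presumably a display or vsync control; TODO confirm from the denial), so the grant can be narrowed to a dedicated type later.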
diff --git a/sepolicy/system.te b/sepolicy/system.te
new file mode 100644
index 0000000..cbec79b
--- /dev/null
+++ b/sepolicy/system.te
@@ -0,0 +1,22 @@
+allow system diagnostic_device:chr_file rw_file_perms;
+
+allow system init:unix_dgram_socket sendto;
+allow system wpa_socket:unix_dgram_socket sendto;
+
+qmux_socket(system)
+
+# PowerManagerService
+unix_socket_connect(system, sensors, sensors)
+allow system sensors_socket:sock_file read;
+allow system sensors:unix_stream_socket sendto;
+
+# mpdecision access
+unix_socket_connect(system, mpdecision, mpdecision)
+unix_socket_send(system, mpdecision, mpdecision)
+allow system mpdecision:unix_stream_socket sendto;
+allow system mpdecision_socket:dir search;
+
+allow system sysfs:file { read open write };
+
+# WifiStateMachine
+allow system self:capability { sys_module };
diff --git a/sepolicy/te_macros b/sepolicy/te_macros
new file mode 100644
index 0000000..274fd55
--- /dev/null
+++ b/sepolicy/te_macros
@@ -0,0 +1,12 @@
+#####################################
+# qmux_socket(clientdomain)
+# Allow client to send via a local
+# socket to the qmux domain.
+define(`qmux_socket', `
+type $1_qmuxd_socket, file_type;
+file_type_auto_trans($1, qmuxd_socket, $1_qmuxd_socket)
+unix_socket_connect($1, qmuxd, qmux)
+allow qmux $1_qmuxd_socket:sock_file { getattr unlink };
+')
+
+
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
new file mode 100644
index 0000000..745de3c
--- /dev/null
+++ b/sepolicy/tee.te
@@ -0,0 +1,12 @@
+# Qualcomm Secure Execution Environment Communicator policy
+allow tee self:process execmem;
+
+# Access /data/misc/playready
+allow tee system_data_file:dir { open read };
+allow tee drm_data_file:dir rw_dir_perms;
+allow tee drm_data_file:file rw_file_perms;
+
+# Access /persist/{widevine,playready}
+allow tee persist_file:dir search;
+allow tee persist_drm_file:dir r_dir_perms;
+allow tee persist_drm_file:file r_file_perms;
diff --git a/sepolicy/thermald.te b/sepolicy/thermald.te
new file mode 100644
index 0000000..a0e30db
--- /dev/null
+++ b/sepolicy/thermald.te
@@ -0,0 +1,22 @@
+# Temperature sensor daemon (root process)
+type thermald, domain;
+type thermald_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(thermald)
+
+# XXX should we allow kexec_load with /dev/socket/qmux_radio/qmux_client_socket
+# dac_override open, unlink with /dev/socket/qmux_radio/qmux_client_socket
+allow thermald self:capability { net_admin fsetid dac_override };
+
+allow thermald self:socket { ioctl create write read };
+allow thermald self:netlink_kobject_uevent_socket { read create setopt bind };
+
+# Talk to qmuxd
+qmux_socket(thermald)
+
+# Access to shared memory logger and logging diagnostic items
+allow thermald { shared_log_device diagnostic_device }:chr_file rw_file_perms;
+
+# XXX Should we label with own type?
+allow thermald sysfs:file { open read write getattr };
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
new file mode 100644
index 0000000..6594147
--- /dev/null
+++ b/sepolicy/ueventd.te
@@ -0,0 +1,5 @@
+# Drivers read firmware files (/firmware/image, /system/etc/firmware)
+allow ueventd { radio_device radio_efs_file wifi_data_file }:file r_file_perms;
+allow ueventd { radio_efs_file wifi_data_file }:dir search;
+
+allow ueventd radio_efs_file:file { read open getattr };
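Review bot: `allow ueventd radio_efs_file:file { read open getattr };` is a subset of the `r_file_perms` already granted to ueventd on radio_efs_file two lines earlier and can be dropped. More important is `wifi_data_file` in the first rule: the comment says these are firmware sources for the kernel's firmware loader, and conn_init.te lets conn_init create and write files of that type under /data/misc/wifi, so the kernel may be loading firmware from a writable data directory populated by a userspace daemon. If that is intended, say so explicitly (`# wifi firmware is staged under /data/misc/wifi by conn_init`) so the integrity trade-off is visible; if the firmware could live on /system instead, that would be the safer source.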
diff --git a/sepolicy/wpa_supplicant.te b/sepolicy/wpa_supplicant.te
new file mode 100644
index 0000000..9bd4da6
--- /dev/null
+++ b/sepolicy/wpa_supplicant.te
@@ -0,0 +1,12 @@
+allow wpa init:unix_dgram_socket { read write };
+
+# logwrapper used with wpa_supplicant
+allow wpa devpts:chr_file { read write };
+
+allow wpa wpa_socket:unix_dgram_socket { read write };
+allow wpa_socket system:unix_dgram_socket sendto;
+
+allow wpa radio_efs_file:file r_file_perms;
+
+## /dev/rfkill for wpa_supp
+allow wpa rfkill_device:chr_file rw_file_perms;
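Review bot: `allow wpa_socket system:unix_dgram_socket sendto;` has the socket type `wpa_socket` as the source, so it never matches a process; the rule that sends from the supplicant to the system server's socket would be `allow wpa system:unix_dgram_socket sendto;`, while the reverse direction is already covered by `allow system wpa_socket:unix_dgram_socket sendto;` in system.te. Hedged, since I cannot see the denial that prompted it, but the current line is dead as written. The `## /dev/rfkill for wpa_supp` comment uses a doubled `#`, unlike the rest of the policy.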
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
new file mode 100644
index 0000000..a0828fd
--- /dev/null
+++ b/sepolicy/zygote.te
@@ -0,0 +1 @@
+allow zygote init:unix_stream_socket { read write accept getopt setopt getattr setattr listen };