Add 'sepolicy/' from tag 'android-13.0.0_r1'

git-subtree-dir: sepolicy git-subtree-mainline: 7678310 git-subtree-split: 2d01ce0 Change-Id: I336a2f4a9b170e773f508032ce934104a0d2fd2d
Evolution-XYZ-Devices · Aug 26, 2022 · 8b9bf3e · 8b9bf3e
2 parents 7678310 + 2d01ce0
commit 8b9bf3e
Show file tree

Hide file tree

Showing 227 changed files with 4,198 additions and 0 deletions.
diff --git a/sepolicy/OWNERS b/sepolicy/OWNERS
@@ -0,0 +1,3 @@
+include platform/system/sepolicy:/OWNERS
+
+[email protected]
diff --git a/sepolicy/PREUPLOAD.cfg b/sepolicy/PREUPLOAD.cfg
@@ -0,0 +1,3 @@
+[Hook Scripts]
+aosp_hook = ${REPO_ROOT}/frameworks/base/tools/aosp/aosp_sha.sh ${PREUPLOAD_COMMIT} "."
+
diff --git a/sepolicy/private/certs/wfcactivation.x509.pem b/sepolicy/private/certs/wfcactivation.x509.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDyTCCArGgAwIBAgIJAODrqTpclyUkMA0GCSqGSIb3DQEBCwUAMHsxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW
+aWV3MRQwEgYDVQQKDAtHb29nbGUgSW5jLjEQMA4GA1UECwwHQW5kcm9pZDEXMBUG
+A1UEAwwOd2ZjX2FjdGl2YXRpb24wHhcNMTgwMjIxMDA1NTM4WhcNNDUwNzA5MDA1
+NTM4WjB7MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UE
+BwwNTW91bnRhaW4gVmlldzEUMBIGA1UECgwLR29vZ2xlIEluYy4xEDAOBgNVBAsM
+B0FuZHJvaWQxFzAVBgNVBAMMDndmY19hY3RpdmF0aW9uMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAruKdMaQjRrlTwLHWAhUwLXoq+1glzoQ5ibqHDg4i
+GPPlwT7qPG8xWW6UmTiLNES6YSDpvCvptqrZccecviYfYIg7/JCF/xr2cFt9Gyyo
+L0muemdUMFjGQJxKCQMi8jlqPVgfcy7ZEfVvoDWUupD7hVVA6TFkWH1nv/5GzJVK
+h7D4vBaYE6qwM1+NJjrbk1O8SMMCES7MkJhpnfbRYr8d5uxSzDWqqeqvM6CFSvKw
+cxqbCcNl0MDgSCgtnxzZZjg5AFuPECV8lgJpxFEqgEIK1fsebK5G8o4buokMW+W4
+ZT2LZtMq/qsZXl59h22KQX2w5mcI6KyV8WZOcPPOm8uf8wIDAQABo1AwTjAdBgNV
+HQ4EFgQU9jpHDUfkIqBODCp9/c5TsraA9sowHwYDVR0jBBgwFoAU9jpHDUfkIqBO
+DCp9/c5TsraA9sowDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAZMf+
+KD3oFS0cv/C0qQx28wW5BKFb/PM6RxDwTRF7yyJj4+uZU0+O8NJEqBNDgHusFJR6
+2ZXXiWDqzNb0scZxD95FP1YxiLPAcbn2oCTkGPYcCsBmT1i25RsIKTb7fR3UJ/bY
+V55CQy1FjX5H1katVpezi1bs17stqrjL0aCk8s7wZPQ9KTy7SfMF9rUfg8ltrj8s
+MD5cq21GJuJMpI2kNUV7IT+4B3CeHzpm0iy8NmbavgNezZAx1za4QIySNcKfdsSs
+7PsNYPS0R9BeZK/4u4/yrQvRV0lXzQcIJPpwr0cfuhcgcHG8sbCLaw4Ph6go9kRL
+hvY7ZX9pdBLS8ukQ4w==
+-----END CERTIFICATE-----
diff --git a/sepolicy/private/dataservice_app.te b/sepolicy/private/dataservice_app.te
@@ -0,0 +1,13 @@
+typeattribute dataservice_app coredomain;
+app_domain(dataservice_app)
+net_domain(dataservice_app)
+
+add_service(dataservice_app, cne_service)
+add_service(dataservice_app, uce_service)
+
+allow dataservice_app app_api_service:service_manager find;
+
+#for video call
+allow dataservice_app radio_service:service_manager find;
+
+allow dataservice_app radio_data_file:dir create_dir_perms;
diff --git a/sepolicy/private/google_camera_app.te b/sepolicy/private/google_camera_app.te
@@ -0,0 +1,23 @@
+## Custom security policy for Google Camera App, the default camera application on Pixel devices.
+##
+## Google Camera App is a standard app for the most part, but on Pixel devices
+## it has access to hardware accelerators such as Hexagon and Airbrush.
+##
+## This policy defines the extra rules necessary for that access,
+## that reference private core sepolicy
+
+# Duplicate all access that normal untrusted_app has, except for untrusted_app_domain
+app_domain(google_camera_app)
+net_domain(google_camera_app)
+bluetooth_domain(google_camera_app)
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+allow google_camera_app traced:fd use;
+allow google_camera_app traced_tmpfs:file { read write getattr map };
+unix_socket_connect(google_camera_app, traced_producer, traced)
+
+# Allow heap profiling if the app opts in by being marked
+# profileable/debuggable.
+can_profile_heap(google_camera_app)
+
diff --git a/sepolicy/private/keys.conf b/sepolicy/private/keys.conf
@@ -0,0 +1,2 @@
+[@WFCACTIVATION]
+ALL : device/google/sunfish-sepolicy/private/certs/wfcactivation.x509.pem
diff --git a/sepolicy/private/mac_permissions.xml b/sepolicy/private/mac_permissions.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+    * A signature is a hex encoded X.509 certificate or a tag defined in
+      keys.conf and is required for each signer tag.
+    * A signer tag may contain a seinfo tag and multiple package stanzas.
+    * A default tag is allowed that can contain policy for all apps not signed with a
+      previously listed cert. It may not contain any inner package stanzas.
+    * Each signer/default/package tag is allowed to contain one seinfo tag. This tag
+      represents additional info that each app can use in setting a SELinux security
+      context on the eventual process.
+    * When a package is installed the following logic is used to determine what seinfo
+      value, if any, is assigned.
+      - All signatures used to sign the app are checked first.
+      - If a signer stanza has inner package stanzas, those stanza will be checked
+        to try and match the package name of the app. If the package name matches
+        then that seinfo tag is used. If no inner package matches then the outer
+        seinfo tag is assigned.
+      - The default tag is consulted last if needed.
+-->
+    <signer signature="@WFCACTIVATION" >
+      <seinfo value="wfcactivation" />
+    </signer>
+</policy>
diff --git a/sepolicy/private/radio.te b/sepolicy/private/radio.te
@@ -0,0 +1,3 @@
+add_service(radio, qchook_service)
+
+allow radio uce_service:service_manager find;
diff --git a/sepolicy/private/seapp_contexts b/sepolicy/private/seapp_contexts
@@ -0,0 +1,17 @@
+# Domain for WfcActivation app
+user=_app seinfo=wfcactivation name=com.google.android.wfcactivation domain=wfc_activation_app levelFrom=all
+
+# Domain for vzw omadm trigger
+user=_app isPrivApp=true seinfo=platform name=com.google.omadm.trigger domain=vzw_omadm_trigger type=app_data_file levelFrom=all
+
+# Domain for vzw omadm connmo
+user=_app isPrivApp=true seinfo=platform name=com.android.sdm.plugins.connmo domain=vzw_omadm_connmo type=app_data_file levelFrom=all
+
+# Domain for vzw omadm dcmo
+user=_app isPrivApp=true seinfo=platform name=com.android.sdm.plugins.dcmo domain=vzw_omadm_dcmo type=app_data_file levelFrom=all
+
+# Domain for vzw omadm diagmon
+user=_app isPrivApp=true seinfo=platform name=com.android.sdm.plugins.diagmon domain=vzw_omadm_diagmon type=app_data_file levelFrom=all
+
+# Domain for uscc omadm
+user=_app isPrivApp=true seinfo=platform name=com.android.sdm.plugins.usccdm domain=uscc_omadm type=app_data_file levelFrom=all
diff --git a/sepolicy/private/service.te b/sepolicy/private/service.te
@@ -0,0 +1,2 @@
+type qchook_service,              service_manager_type;
+type cne_service,                 service_manager_type;
diff --git a/sepolicy/private/service_contexts b/sepolicy/private/service_contexts
@@ -0,0 +1,2 @@
+qchook                                               u:object_r:qchook_service:s0
+cneservice                                           u:object_r:cne_service:s0
diff --git a/sepolicy/private/toolbox.te b/sepolicy/private/toolbox.te
@@ -0,0 +1,6 @@
+# b/191834767
+dontaudit toolbox virtualizationservice_data_file:dir getattr;
+# b/193365943
+dontaudit toolbox toolbox:capability dac_read_search;
+dontaudit toolbox toolbox:capability dac_override;
+dontaudit toolbox toolbox:capability fowner;
diff --git a/sepolicy/private/uscc_omadm.te b/sepolicy/private/uscc_omadm.te
@@ -0,0 +1,9 @@
+type uscc_omadm, domain, coredomain;
+
+app_domain(uscc_omadm)
+net_domain(uscc_omadm)
+
+# Services
+allow uscc_omadm app_api_service:service_manager find;
+allow uscc_omadm qchook_service:service_manager find;
+allow uscc_omadm radio_service:service_manager find;
diff --git a/sepolicy/private/vzw_omadm_connmo.te b/sepolicy/private/vzw_omadm_connmo.te
@@ -0,0 +1,9 @@
+type vzw_omadm_connmo, domain, coredomain;
+
+app_domain(vzw_omadm_connmo)
+net_domain(vzw_omadm_connmo)
+
+# Services
+allow vzw_omadm_connmo app_api_service:service_manager find;
+allow vzw_omadm_connmo qchook_service:service_manager find;
+allow vzw_omadm_connmo radio_service:service_manager find;
diff --git a/sepolicy/private/vzw_omadm_dcmo.te b/sepolicy/private/vzw_omadm_dcmo.te
@@ -0,0 +1,9 @@
+type vzw_omadm_dcmo, domain, coredomain;
+
+app_domain(vzw_omadm_dcmo)
+net_domain(vzw_omadm_dcmo)
+
+# Services
+allow vzw_omadm_dcmo app_api_service:service_manager find;
+allow vzw_omadm_dcmo qchook_service:service_manager find;
+allow vzw_omadm_dcmo radio_service:service_manager find;
diff --git a/sepolicy/private/vzw_omadm_diagmon.te b/sepolicy/private/vzw_omadm_diagmon.te
@@ -0,0 +1,9 @@
+type vzw_omadm_diagmon, domain, coredomain;
+
+app_domain(vzw_omadm_diagmon)
+net_domain(vzw_omadm_diagmon)
+
+# Services
+allow vzw_omadm_diagmon app_api_service:service_manager find;
+allow vzw_omadm_diagmon qchook_service:service_manager find;
+allow vzw_omadm_diagmon radio_service:service_manager find;
diff --git a/sepolicy/private/vzw_omadm_trigger.te b/sepolicy/private/vzw_omadm_trigger.te
@@ -0,0 +1,9 @@
+type vzw_omadm_trigger, domain, coredomain;
+
+app_domain(vzw_omadm_trigger)
+net_domain(vzw_omadm_trigger)
+
+# Services
+allow vzw_omadm_trigger app_api_service:service_manager find;
+allow vzw_omadm_trigger qchook_service:service_manager find;
+allow vzw_omadm_trigger radio_service:service_manager find;
diff --git a/sepolicy/private/wfc_activation_app.te b/sepolicy/private/wfc_activation_app.te
@@ -0,0 +1,9 @@
+type wfc_activation_app, domain, coredomain;
+
+app_domain(wfc_activation_app)
+net_domain(wfc_activation_app)
+
+# Services
+allow wfc_activation_app app_api_service:service_manager find;
+allow wfc_activation_app qchook_service:service_manager find;
+allow wfc_activation_app radio_service:service_manager find;
diff --git a/sepolicy/public/dataservice_app.te b/sepolicy/public/dataservice_app.te
@@ -0,0 +1 @@
+type dataservice_app, domain;
diff --git a/sepolicy/public/device.te b/sepolicy/public/device.te
@@ -0,0 +1 @@
+type smcinvoke_device, dev_type;
diff --git a/sepolicy/public/file.te b/sepolicy/public/file.te
@@ -0,0 +1 @@
+type dpmtcm_socket, file_type, coredomain_socket, mlstrustedobject;
diff --git a/sepolicy/public/google_camera_app.te b/sepolicy/public/google_camera_app.te
@@ -0,0 +1 @@
+type google_camera_app, domain, coredomain;
diff --git a/sepolicy/public/property.te b/sepolicy/public/property.te
@@ -0,0 +1,2 @@
+vendor_internal_prop(persist_dpm_prop)
+vendor_internal_prop(vendor_bt_prop)
diff --git a/sepolicy/public/te_macros b/sepolicy/public/te_macros
@@ -0,0 +1,9 @@
+###########################################
+# dump_hal(hal_type)
+# Ability to dump the hal debug info
+#
+define(`dump_hal', `
+  hal_client_domain(dumpstate, $1);
+  allow $1_server dumpstate:fifo_file write;
+  allow $1_server dumpstate:fd use;
+')
diff --git a/sepolicy/sunfish-sepolicy.mk b/sepolicy/sunfish-sepolicy.mk
@@ -0,0 +1,16 @@
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/sunfish-sepolicy/public
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/sunfish-sepolicy/private
+
+# vendors
+BOARD_SEPOLICY_DIRS += device/google/sunfish-sepolicy/vendor/google
+BOARD_SEPOLICY_DIRS += device/google/sunfish-sepolicy/vendor/qcom/common
+BOARD_SEPOLICY_DIRS += device/google/sunfish-sepolicy/vendor/qcom/sm7150
+BOARD_SEPOLICY_DIRS += device/google/sunfish-sepolicy/tracking_denials
+BOARD_SEPOLICY_DIRS += device/google/sunfish-sepolicy/vendor/st
+BOARD_SEPOLICY_DIRS += device/google/sunfish-sepolicy/vendor/verizon
+
+# system_ext
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/sunfish-sepolicy/system_ext/private
+
+# Pixel-wide sepolicy
+BOARD_VENDOR_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
diff --git a/sepolicy/system_ext/private/platform_app.te b/sepolicy/system_ext/private/platform_app.te
@@ -0,0 +1,2 @@
+# allow systemui to set boot animation colors
+set_prop(platform_app, bootanim_system_prop);
diff --git a/sepolicy/system_ext/private/property_contexts b/sepolicy/system_ext/private/property_contexts
@@ -0,0 +1,5 @@
+# Boot animation dynamic colors
+persist.bootanim.color1     u:object_r:bootanim_system_prop:s0     exact    int
+persist.bootanim.color2     u:object_r:bootanim_system_prop:s0     exact    int
+persist.bootanim.color3     u:object_r:bootanim_system_prop:s0     exact    int
+persist.bootanim.color4     u:object_r:bootanim_system_prop:s0     exact    int
diff --git a/sepolicy/tracking_denials/incidentd.te b/sepolicy/tracking_denials/incidentd.te
@@ -0,0 +1,2 @@
+# b/187253611
+dontaudit incidentd apex_info_file:file getattr;
diff --git a/sepolicy/tracking_denials/netmgrd.te b/sepolicy/tracking_denials/netmgrd.te
@@ -0,0 +1,2 @@
+# b/183070459
+dontaudit netmgrd vendor_default_prop:property_service set;
diff --git a/sepolicy/tracking_denials/platform_app.te b/sepolicy/tracking_denials/platform_app.te
@@ -0,0 +1,2 @@
+# b/162700611
+dontaudit platform_app default_android_hwservice:hwservice_manager find;
diff --git a/sepolicy/tracking_denials/surfaceflinger.te b/sepolicy/tracking_denials/surfaceflinger.te
@@ -0,0 +1,3 @@
+# b/177624282
+dontaudit surfaceflinger hal_graphics_composer_default:dir search ;
+dontaudit surfaceflinger hal_graphics_composer_default:dir search ;
diff --git a/sepolicy/tracking_denials/thermal-engine.te b/sepolicy/tracking_denials/thermal-engine.te
@@ -0,0 +1,3 @@
+# b/143579151
+dontaudit thermal-engine ion_device:chr_file read;
+dontaudit thermal-engine sysfs:dir read;
diff --git a/sepolicy/vendor/google/bug_map b/sepolicy/vendor/google/bug_map
@@ -0,0 +1,15 @@
+cnd wifi_hal_prop file b/162700455
+google_camera_app selinuxfs file b/175910397
+hal_health_default unlabeled file b/156200409
+hal_neuralnetworks_default default_prop file b/159570217
+hal_vibrator_default default_prop file b/162700134
+init_qti_chg_policy sysfs_charge file b/162702119
+pixelstats_vendor sysfs file b/161875858
+platform_app default_android_hwservice hwservice_manager b/156059972
+shell debugfs file b/175106535
+shell device_config_runtime_native_boot_prop file b/175106535
+shell sysfs file b/175106535
+tee tee capability2 b/156045688
+mediaswcodec gpu_device chr_file b/194313013
+mediaswcodec sysfs_msm_subsys dir b/194313013
+mediaserver sysfs_msm_subsys dir b/194313013
diff --git a/sepolicy/vendor/google/cbrs_setup.te b/sepolicy/vendor/google/cbrs_setup.te
@@ -0,0 +1,13 @@
+type cbrs_setup_app, domain;
+
+userdebug_or_eng(`
+  app_domain(cbrs_setup_app)
+  net_domain(cbrs_setup_app)
+
+  allow cbrs_setup_app app_api_service:service_manager find;
+  allow cbrs_setup_app cameraserver_service:service_manager find;
+  allow cbrs_setup_app radio_service:service_manager find;
+  allow cbrs_setup_app surfaceflinger_service:service_manager find;
+  set_prop(cbrs_setup_app, radio_prop)
+  set_prop(cbrs_setup_app, vendor_radio_prop)
+')
diff --git a/sepolicy/vendor/google/certs/app.x509.pem b/sepolicy/vendor/google/certs/app.x509.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEqDCCA5CgAwIBAgIJANWFuGx90071MA0GCSqGSIb3DQEBBAUAMIGUMQswCQYD
+VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4g
+VmlldzEQMA4GA1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UE
+AxMHQW5kcm9pZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTAe
+Fw0wODA0MTUyMzM2NTZaFw0zNTA5MDEyMzM2NTZaMIGUMQswCQYDVQQGEwJVUzET
+MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4G
+A1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9p
+ZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTCCASAwDQYJKoZI
+hvcNAQEBBQADggENADCCAQgCggEBANbOLggKv+IxTdGNs8/TGFy0PTP6DHThvbbR
+24kT9ixcOd9W+EaBPWW+wPPKQmsHxajtWjmQwWfna8mZuSeJS48LIgAZlKkpFeVy
+xW0qMBujb8X8ETrWy550NaFtI6t9+u7hZeTfHwqNvacKhp1RbE6dBRGWynwMVX8X
+W8N1+UjFaq6GCJukT4qmpN2afb8sCjUigq0GuMwYXrFVee74bQgLHWGJwPmvmLHC
+69EH6kWr22ijx4OKXlSIx2xT1AsSHee70w5iDBiK4aph27yH3TxkXy9V89TDdexA
+cKk/cVHYNnDBapcavl7y0RiQ4biu8ymM8Ga/nmzhRKya6G0cGw8CAQOjgfwwgfkw
+HQYDVR0OBBYEFI0cxb6VTEM8YYY6FbBMvAPyT+CyMIHJBgNVHSMEgcEwgb6AFI0c
+xb6VTEM8YYY6FbBMvAPyT+CyoYGapIGXMIGUMQswCQYDVQQGEwJVUzETMBEGA1UE
+CBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4GA1UEChMH
+QW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9pZDEiMCAG
+CSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbYIJANWFuGx90071MAwGA1Ud
+EwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADggEBABnTDPEF+3iSP0wNfdIjIz1AlnrP
+zgAIHVvXxunW7SBrDhEglQZBbKJEk5kT0mtKoOD1JMrSu1xuTKEBahWRbqHsXcla
+XjoBADb0kkjVEJu/Lh5hgYZnOjvlba8Ld7HCKePCVePoTJBdI4fvugnL8TsgK05a
+IskyY0hKI9L8KfqfGTl1lzOv2KoWD0KWwtAWPoGChZxmQ+nBli+gwYMzM1vAkP+a
+ayLe0a1EQimlOalO762r0GXO0ks+UeXde2Z4e+8S/pf7pITEI/tP+MxJTALw9QUW
+Ev9lKTk+jkbqxbsh8nfBUapfKqYn0eidpwq2AzVp3juYl7//fKnaPhJD9gs=
+-----END CERTIFICATE-----
diff --git a/sepolicy/vendor/google/certs/com_google_mds.x509.pem b/sepolicy/vendor/google/certs/com_google_mds.x509.pem
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIF1TCCA72gAwIBAgIVAPZ4KZV2jpxRBCoVAidCu62l3cDqMA0GCSqGSIb3DQEBCwUAMHsxCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw
+EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEXMBUGA1UEAwwOY29tX2dvb2ds
+ZV9tZHMwHhcNMTkwNDIyMTQ1NzA1WhcNNDkwNDIyMTQ1NzA1WjB7MQswCQYDVQQGEwJVUzETMBEG
+A1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29vZ2xl
+IEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxFzAVBgNVBAMMDmNvbV9nb29nbGVfbWRzMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqgNC0hhI3NzaPUllJfe01hCTuEpl35D02+DKJ5prPFxv
+6KGTk6skjZOwV87Zf2pyj/cbnv28ioDjwvqMBe4ntFdKtH9gl2tTAVl69HMKXF4Iny/wnrt2mxzh
+WxFUd5PuW+mWug+UQw/NGUuaf5d/yys/RrchHKM1+zBV6aOzH6BXiwDoOF2i43d5GlNQ/tFuMySW
+LJftJN0QULFelxNDFFJZhw2P3c4opxjmF2yCoIiDfBEIhTZFKUbHX6YDLXmtUpXl35q+cxK4TCxP
+URyzwdfiyheF3TTxagfzhvXNg/ifrY67S4qCGfzoEMPxrTz02gS0u3D6r/2+hl9vAJChLKDNdIs6
+TqIw+YnABrELiZLLFnaABnjQ7xC3xv1s3W6dWxaxnoVMtC1YvdgwhC5gSpJ4A+AGcCLv96hoeB1I
+IoGV9Yt0Z97MFpXeHFpAxFZ1F9feBqwOCDbu50dmdKZvqGHZ4Ts3uy7ukDQ08dquHpT+NmqkmmW5
+GGhkuyZS3HHpU/QeVsZiyJCJBbDe5lz6NGXK56ruuF9ILeGHtldjQm40oYRc01ESScyVjSU0kpMO
+C7hn1B7rKAm8xxG7eH04ieQrNnbbee7atOO4C3157W5CqujfLMeo6OCRVtcYkYIuSi8hIPNySu/q
+OaEtEP4owVNZR0H6mCHy5pANsyBofMkCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU
+gk8pmLx8yP3RILwR5am1G10PBEowHwYDVR0jBBgwFoAUgk8pmLx8yP3RILwR5am1G10PBEowDQYJ
+KoZIhvcNAQELBQADggIBAC9iQ1huo6CzjcsB1IIw3WYPYVfHtvG7fiB49QO6cjth8fxM36YOxnMz
+K9Zh89cnFx7BeXG4MdbR3lAWO+wTbEpM/5azAQfqHB/ZEEAo1THtqS58C1bTwJ5zxkA+wL/x1ucT
+EV0QZtPHC1K5nIV5FuICiJjui5FHfj2HYu2A5a5729rdZ7sL8Vgx6TUFKpEPs5iCrlx5X/E+/wJa
+DM5iIjVvrGJJq0VWHHeDJEE+Sw1CDxWYRzvu1WvCvhk149hf4LlfrR0A5t8QJRGx0WwF10DLGgJx
+7epMBpzhMIXc529FTIx4Rx2PcufjTZC9EN7PkLgVfYahWEkt/YIfV/0F6U6viLxdNC5O0pimSV57
+vT6HIthX1OC34eZca0cPqH1kOuhRDKOhbP4yIgdYX6knpvw8aXsYcyTfAmDyrt0EWffeBPedaxMo
+xfijdlsBQUymviUQ8qBbfl1Ew9VoC+VEsiobK7Ubog0IK+82LQ7FOLMoNYnhk5wJ63i1kVvBVAgH
+64PMME2KG//BwYFfKK6jUXibabyNke72+1Jr0xpw1BHJPxNJ8Q8yCBLF0wmXmFJSM+9lSDd10Bni
+FJeMFMQ0T1Sf8GUSIxYYbMK5pDguRs+JOYkUID02ylJ3L6GAnxXCjGWzpdxw29/WWJc+qsYFEIbP
+kKzTUNQHaaLHmcLK22Ht
+-----END CERTIFICATE-----
diff --git a/sepolicy/vendor/google/certs/pulse-release.x509.pem b/sepolicy/vendor/google/certs/pulse-release.x509.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICUjCCAbsCBEk0mH4wDQYJKoZIhvcNAQEEBQAwcDELMAkGA1UEBhMCVVMxCzAJ
+BgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQKEwtHb29n
+bGUsIEluYzEUMBIGA1UECxMLR29vZ2xlLCBJbmMxEDAOBgNVBAMTB1Vua25vd24w
+HhcNMDgxMjAyMDIwNzU4WhcNMzYwNDE5MDIwNzU4WjBwMQswCQYDVQQGEwJVUzEL
+MAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dv
+b2dsZSwgSW5jMRQwEgYDVQQLEwtHb29nbGUsIEluYzEQMA4GA1UEAxMHVW5rbm93
+bjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAn0gDGZD5sUcmOE4EU9GPjAu/
+jcd7JQSksSB8TGxEurwArcZhD6a2qy2oDjPy7vFrJqP2uFua+sqQn/u+s/TJT36B
+IqeY4OunXO090in6c2X0FRZBWqnBYX3Vg84Zuuigu9iF/BeptL0mQIBRIarbk3fe
+tAATOBQYiC7FIoL8WA0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQBAhmae1jHaQ4Td
+0GHSJuBzuYzEuZ34teS+njy+l1Aeg98cb6lZwM5gXE/SrG0chM7eIEdsurGb6PIg
+Ov93F61lLY/MiQcI0SFtqERXWSZJ4OnTxLtM9Y2hnbHU/EG8uVhPZOZfQQ0FKf1b
+aIOMFB0Km9HbEZHLKg33kOoMsS2zpA==
+-----END CERTIFICATE-----
diff --git a/sepolicy/vendor/google/charger.te b/sepolicy/vendor/google/charger.te
@@ -0,0 +1 @@
+allow charger device:dir r_dir_perms;
diff --git a/sepolicy/vendor/google/chre.te b/sepolicy/vendor/google/chre.te
@@ -0,0 +1,12 @@
+type chre, domain;
+type chre_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(chre)
+
+allow chre ion_device:chr_file r_file_perms;
+allow chre qdsp_device:chr_file r_file_perms;
+
+# Allow CHRE to obtain wakelock
+wakelock_use(chre)
+
+# To communicate with ST HAL
+hal_client_domain(chre, hal_audio)
diff --git a/sepolicy/vendor/google/citadeld.te b/sepolicy/vendor/google/citadeld.te
@@ -0,0 +1,5 @@
+userdebug_or_eng(`
+  allow citadeld debugfs_ipc:dir search;
+')
+
+dontaudit citadeld debugfs_ipc:dir search;
diff --git a/sepolicy/vendor/google/color_init.te b/sepolicy/vendor/google/color_init.te
@@ -0,0 +1,3 @@
+type color_init, domain;
+type color_init_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(color_init)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		include platform/system/sepolicy:/OWNERS

		[email protected]
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		[Hook Scripts]
		aosp_hook = ${REPO_ROOT}/frameworks/base/tools/aosp/aosp_sha.sh ${PREUPLOAD_COMMIT} "."
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		[@WFCACTIVATION]
		ALL : device/google/sunfish-sepolicy/private/certs/wfcactivation.x509.pem
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		add_service(radio, qchook_service)

		allow radio uce_service:service_manager find;
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		type qchook_service, service_manager_type;
		type cne_service, service_manager_type;
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		qchook u:object_r:qchook_service:s0
		cneservice u:object_r:cne_service:s0
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		type dpmtcm_socket, file_type, coredomain_socket, mlstrustedobject;
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		vendor_internal_prop(persist_dpm_prop)
		vendor_internal_prop(vendor_bt_prop)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# allow systemui to set boot animation colors
		set_prop(platform_app, bootanim_system_prop);
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# b/187253611
		dontaudit incidentd apex_info_file:file getattr;