sm6225-common: sepolicy: Initial import sepolicy

Change-Id: Id0975fa225f837ae4ef4d6795e7a479caf09dc2b
Signed-off-by: ReStranger <restranger@disroot.org>
diff --git a/sepolicy/vendor/app.te b/sepolicy/vendor/app.te
new file mode 100644
index 0000000..56cc703
--- /dev/null
+++ b/sepolicy/vendor/app.te
@@ -0,0 +1,2 @@
+get_prop({ appdomain -isolated_app_all }, vendor_fp_prop)
+get_prop({ appdomain -isolated_app_all }, vendor_tee_listener_prop)
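Review bot: Both `get_prop` lines give read access to every non-isolated app domain, third-party apps included, and nothing here says which app needs it. property_contexts in this commit puts the fingerprint keys and `vendor.panel.display.` under vendor_fp_prop, so all of those become app-readable. If only platform components consume them, narrow the source set, for example `get_prop({ system_app platform_app }, vendor_fp_prop)`, and add a comment naming the consumer.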
diff --git a/sepolicy/vendor/attributes b/sepolicy/vendor/attributes
new file mode 100755
index 0000000..0f7802e
--- /dev/null
+++ b/sepolicy/vendor/attributes
@@ -0,0 +1,4 @@
+# Mlipay
+attribute hal_mlipay;
+attribute hal_mlipay_client;
+attribute hal_mlipay_server;
diff --git a/sepolicy/vendor/audioadsprpcd.te b/sepolicy/vendor/audioadsprpcd.te
new file mode 100644
index 0000000..3d09e8c
--- /dev/null
+++ b/sepolicy/vendor/audioadsprpcd.te
@@ -0,0 +1,2 @@
+allow vendor_audioadsprpcd vendor_audio_data_file:dir search;
+allow vendor_audioadsprpcd vendor_audio_data_file:file { append create getattr open read setattr write };
diff --git a/sepolicy/vendor/audioserver.te b/sepolicy/vendor/audioserver.te
new file mode 100644
index 0000000..66e8b39
--- /dev/null
+++ b/sepolicy/vendor/audioserver.te
@@ -0,0 +1,8 @@
+allow audioserver system_server:dir search;
+allow audioserver mediaserver:dir search;
+allow audioserver mediaserver:file { open read };
+allow audioserver system_app:dir search;
+allow audioserver hal_audio_default:process signal;
+allow audioserver sound_device:chr_file rw_file_perms;
+get_prop(audioserver, bootanim_system_prop)
+set_prop(audioserver, audio_prop)
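Review bot: The `dir search` and `file { open read }` rules on system_server, mediaserver and system_app target process types, so they open those processes' /proc entries to audioserver; they read like transcribed denials rather than a functional need. If audio works without them, prefer `dontaudit audioserver { system_server mediaserver system_app }:dir search;` and drop the allows. `set_prop(audioserver, audio_prop)` should carry a comment saying which key audioserver writes.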
diff --git a/sepolicy/vendor/batterysecret.te b/sepolicy/vendor/batterysecret.te
new file mode 100644
index 0000000..aeaf192
--- /dev/null
+++ b/sepolicy/vendor/batterysecret.te
@@ -0,0 +1,35 @@
+allow batterysecret rootfs:dir write;
+allow batterysecret self:capability sys_tty_config;
+allow batterysecret self:capability sys_boot;
+allow batterysecret self:capability { chown fsetid };
+allow batterysecret self:netlink_kobject_uevent_socket { bind create read setopt };
+allow batterysecret self:capability2 block_suspend;
+allow batterysecret self:cap2_userns block_suspend;
+allow batterysecret sysfs_wake_lock:file rw_file_perms;
+allow batterysecret vendor_sysfs_battery_supply:file rw_file_perms;
+allow batterysecret vendor_sysfs_battery_supply:dir r_dir_perms;
+allow batterysecret vendor_sysfs_qcom_battery:file rw_file_perms;
+allow batterysecret vendor_sysfs_qcom_battery:file write;
+allow batterysecret vendor_sysfs_qcom_battery:file { open read write };
+allow batterysecret vendor_sysfs_qcom_battery:dir r_dir_perms;
+allow batterysecret system_suspend_server:binder { call transfer };
+allow batterysecret system_suspend_server:fd *;
+allow batterysecret system_suspend_hwservice:hwservice_manager find;
+allow batterysecret hidl_manager_hwservice:hwservice_manager find;
+allow batterysecret sysfs:file write;
+allow batterysecret sysfs_usb:file w_file_perms;
+allow batterysecret vendor_sysfs_usb_supply:file write;
+allow batterysecret sysfs_batteryinfo:file r_file_perms;
+allow batterysecret kmsg_device:chr_file rw_file_perms;
+allow batterysecret mnt_vendor_file:dir rw_dir_perms;
+init_daemon_domain(batterysecret)
+r_dir_file(batterysecret, sysfs_type)
+r_dir_file(batterysecret, rootfs)
+r_dir_file(batterysecret, cgroup)
+r_dir_file(batterysecret, vendor_sysfs_usb_supply)
+get_prop(batterysecret, hwservicemanager_prop)
+get_prop(batterysecret, vendor_default_prop)
+set_prop(batterysecret, vendor_system_prop)
+hwbinder_use(batterysecret)
+type batterysecret, domain;
+type batterysecret_exec, exec_type, vendor_file_type, file_type;
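Review bot: `allow batterysecret sysfs:file write;` and `allow batterysecret rootfs:dir write;` grant write on catch-all labels, so the daemon can write any sysfs node that has no specific type. The same generic `sysfs:file` write appears in hal_audio_default.te, hal_fingerprint_default.te, hal_sensors_default.te, hal_vibrator_default.te and mi_thermald.te. Label the nodes actually written in genfs_contexts with a dedicated type and replace each generic rule with one on that type. Separately, the three `vendor_sysfs_qcom_battery:file` rules collapse into the first (`rw_file_perms`), and `self:capability sys_boot` needs a comment on why a battery daemon may reboot the device.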
diff --git a/sepolicy/vendor/bluetooth.te b/sepolicy/vendor/bluetooth.te
new file mode 100644
index 0000000..74bfac0
--- /dev/null
+++ b/sepolicy/vendor/bluetooth.te
@@ -0,0 +1,25 @@
+allow bluetooth hal_audio:binder { call transfer };
+allow bluetooth hal_audio:fd *;
+allow bluetooth sysfs_bluetooth_writable:file w_file_perms;
+allow bluetooth media_rw_data_file:dir create_dir_perms;
+allow bluetooth media_rw_data_file:file create_file_perms;
+allow bluetooth serial_device:chr_file rw_file_perms;
+allow bluetooth uhid_device:chr_file rw_file_perms;
+allow bluetooth vendor_bt_device:chr_file rw_file_perms;
+allow bluetooth vendor_smd_device:chr_file rw_file_perms;
+allow bluetooth vendor_hal_iop_hwservice:hwservice_manager find;
+allow bluetooth vendor_default_prop:file { getattr map };
+allow bluetooth vendor_bt_data_file:dir search;
+allow bluetooth vendor_bt_data_file:file { getattr open read };
+allow bluetooth system_app_data_file:dir getattr;
+allow bluetooth system_app_data_file:file { getattr open read };
+allow bluetooth self:socket { create getopt read write };
+allow bluetooth servicemanager:fd *;
+allow bluetooth system_app:binder { call transfer };
+allow bluetooth system_app:fd *;
+allow bluetooth vendor_dun_service:service_manager find;
+allow bluetooth hal_audio_hwservice:hwservice_manager find;
+dontaudit bluetooth netd_service:service_manager find;
+get_prop(bluetooth, vendor_display_prop)
+get_prop(bluetooth, vendor_audio_prop)
+binder_use(bluetooth)
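Review bot: `allow bluetooth system_app_data_file:file { getattr open read };` lets the Bluetooth app domain read private data files of system apps, and the `media_rw_data_file` rules add create access to shared storage; neither is explained. If these came from logged denials, confirm the feature that needs them and otherwise use `dontaudit`. `allow bluetooth vendor_default_prop:file { getattr map };` grants no `open` or `read`, so it is probably incomplete or unnecessary.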
diff --git a/sepolicy/vendor/bootanim.te b/sepolicy/vendor/bootanim.te
new file mode 100644
index 0000000..af475a9
--- /dev/null
+++ b/sepolicy/vendor/bootanim.te
@@ -0,0 +1,4 @@
+allow bootanim vendor_audio_prop:file read;
+allow bootanim vendor_proc_audiod:file read;
+
+binder_call(bootanim, vendor_hal_qspmhal_default)
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
new file mode 100644
index 0000000..73cd076
--- /dev/null
+++ b/sepolicy/vendor/device.te
@@ -0,0 +1,2 @@
+type sound_device, dev_type, mlstrustedobject;
+type fingerprint_device, dev_type;
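Review bot: `sound_device` is granted to audioserver, hal_audio_default and hal_sensors_default with `rw_file_perms`, but file_contexts in this commit has no entry that assigns it, so those rules match nothing unless another tree labels a node. The same holds for `vendor_sysfs_qcom_battery` and `sysfs_msm_subsys` in file.te, which no genfs_contexts line here uses. Either add the labelling entries or drop the types and their rules. `mlstrustedobject` on a device node exempts it from MLS checks and should carry a comment saying which client requires that.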
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
new file mode 100644
index 0000000..d0edc72
--- /dev/null
+++ b/sepolicy/vendor/file.te
@@ -0,0 +1,22 @@
+# Audio
+type audio_socket, file_type;
+
+# Battery
+type vendor_sysfs_qcom_battery, fs_type, sysfs_type;
+
+# Camera
+type camera_persist_file, file_type, mlstrustedobject, vendor_persist_type;
+
+# DT2W
+type proc_tp_gesture, fs_type, proc_type;
+
+# Fingerprint
+type goodix_fingerprint_data_file, data_file_type, file_type, core_data_file_type;
+type vendor_fingerprint_data_file, data_file_type, file_type, vendor_persist_type;
+type sysfs_msm_subsys, fs_type, sysfs_type;
+
+# Mac Address
+type vendor_mac_vendor_data_file, data_file_type, file_type, mlstrustedobject;
+
+# Thermal
+type thermal_data_file, data_file_type, file_type;
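Review bot: `goodix_fingerprint_data_file` is tagged `core_data_file_type` and file_contexts maps it to /data/gf_data, yet the only domain given access in this commit is the vendor fingerprint HAL, which is what forces `data_between_core_and_vendor_violators` in hal_fingerprint_default.te. If the HAL can store its data under /data/vendor/goodix (already labelled vendor_fingerprint_data_file), this type and the violator attribute can go. If the path cannot be changed, say so in a comment above the type so the Treble exemption is visibly intentional.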
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
new file mode 100644
index 0000000..95cd2d8
--- /dev/null
+++ b/sepolicy/vendor/file_contexts
@@ -0,0 +1,53 @@
+# Audio
+/dev/socket/audio_hw_socket u:object_r:audio_socket:s0
+
+# Battery
+/(vendor|system/vendor)/bin/batterysecret u:object_r:batterysecret_exec:s0
+
+# Camera
+/mnt/vendor/persist/camera(/.*)? u:object_r:camera_persist_file:s0
+/(vendor|system/vendor)/lib(64)?/libipebpsstriping\.so                         u:object_r:same_process_hal_file:s0
+
+# Fingerprint data
+/data/gf_data(/.*)?                                                     u:object_r:goodix_fingerprint_data_file:s0
+/data/vendor/goodix/gf_data(/.*)?                                       u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/goodix(/.*)?                                               u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/fpc(/.*)?                                                  u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/fpdump(/.*)?                                               u:object_r:vendor_fingerprint_data_file:s0
+/mnt/vendor/persist/fpc(/.*)?                                           u:object_r:vendor_fingerprint_data_file:s0
+/mnt/vendor/persist/goodix(/.*)?                                        u:object_r:vendor_fingerprint_data_file:s0
+/sys/devices/platform/soc/soc:fpc1020(/.*?)                             u:object_r:vendor_sysfs_fps_attr:s0
+
+# Fingerprint devices
+/dev/goodix_fp                                                          u:object_r:fingerprint_device:s0
+
+# Fingerprint HAL
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.xiaomi u:object_r:hal_fingerprint_default_exec:s0
+
+# Fix Goodix events
+/vendor/bin/init.goodix.events.sh                                       u:object_r:vendor_goodix_events_exec:s0
+
+# Health
+/vendor/bin/hw/android\.hardware\.health-service\.xiaomi                              u:object_r:hal_health_default_exec:s0
+
+# IR
+/dev/spidev0.1 u:object_r:lirc_device:s0
+
+# Mac Address
+/data/vendor/mac_addr(/.*)? u:object_r:vendor_mac_vendor_data_file:s0
+/vendor/bin/nv_mac u:object_r:vendor_wcnss_service_exec:s0
+
+# Mlipay
+/(odm|vendor/odm|system/vendor)/bin/mlipayd@1.1 u:object_r:hal_mlipay_default_exec:s0
+
+# NFC
+/vendor/bin/STFlashTool                                                 u:object_r:stflashtool_exec:s0
+/vendor/bin/hw/android\.hardware\.nfc@1\.2-service\.st                  u:object_r:hal_nfc_default_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service           u:object_r:hal_secure_element_default_exec:s0
+
+# Power
+/vendor/bin/hw/android\.hardware\.power-service-qti                     u:object_r:hal_power_default_exec:s0
+
+# Thermal
+/(vendor|system/vendor)/bin/mi_thermald u:object_r:mi_thermald_exec:s0
+/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0
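Review bot: `/sys/devices/platform/soc/soc:fpc1020(/.*?)` has the `?` inside the group, so the group is mandatory and the directory itself is never matched; every other entry uses `(/.*)?`, and this one should read `/sys/devices/platform/soc/soc:fpc1020(/.*)?`. genfs_contexts in this commit labels nodes under the same directory as vendor_sysfs_fingerprint, so the two files disagree on the type and one of them should be dropped. Unescaped dots in `init.goodix.events.sh`, `/dev/spidev0.1` and `mlipayd@1.1` match any character; write them as `\.` like the HAL entries do.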
diff --git a/sepolicy/vendor/fsck.te b/sepolicy/vendor/fsck.te
new file mode 100644
index 0000000..59ae7b3
--- /dev/null
+++ b/sepolicy/vendor/fsck.te
@@ -0,0 +1,2 @@
+allow fsck fsck:capability kill;
+allow fsck vendor_custom_ab_block_device:blk_file { read write open ioctl };
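Review bot: `allow fsck fsck:capability kill;` gives fsck the ability to signal processes it does not own, which a filesystem checker is not expected to need. If this only silences a logged denial, `dontaudit fsck self:capability kill;` is the safer form; the rule also spells the target as `fsck` where policy convention is `self`. The `{ read write open ioctl }` grant on vendor_custom_ab_block_device should name the partition being checked in a comment.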
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
new file mode 100644
index 0000000..270f32d
--- /dev/null
+++ b/sepolicy/vendor/genfs_contexts
@@ -0,0 +1,38 @@
+# Battery
+genfscon sysfs /class/qcom-battery/quick_charge_type                                u:object_r:vendor_sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,nopmi-chg/power_supply/usb(/.*)? u:object_r:vendor_sysfs_usb_supply:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,nopmi-chg/power_supply/battery(/.*)? u:object_r:vendor_sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,nopmi-chg/qcom-battery/odm_battery(/.*)?  u:object_r:vendor_sysfs_battery_supply:s0
+
+# Battery wakeup nodes
+genfscon sysfs /devices/platform/soc/soc:qcom,nopmi-chg/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,nopmi-chg/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+
+# DT2W
+genfscon proc /tp_gesture                                                      u:object_r:proc_tp_gesture:s0
+
+# Fingerprint
+genfscon sysfs /devices/platform/soc/soc:fpc1020/device_prepare                u:object_r:vendor_sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:fpc1020/fingerdown_wait               u:object_r:vendor_sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:fpc1020/irq                           u:object_r:vendor_sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:fpc1020/power_cfg                     u:object_r:vendor_sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:fpc1020/request_vreg                  u:object_r:vendor_sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:fpc1020/wakeup_enable                 u:object_r:vendor_sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:fpc1020/vendor                        u:object_r:vendor_sysfs_fingerprint:s0
+genfscon sysfs /devices/soc/soc:fpc1020                                        u:object_r:vendor_sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:fpc1020/wakeup                        u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:fpc1020/wakeup/wakeup26               u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/goodix_ts.0/wakeup                            u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:fingerprint_fpc/wakeup                u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:fingerprint_goodix/wakeup             u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:goodix_fp/wakeup                      u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4ac0000.qcom,qupv3_0_geni_se/4a84000.i2c/i2c-0/0-006a/power_supply/bbc/wakeup18 u:object_r:sysfs_wakeup:s0
+
+# Wakeup
+genfscon sysfs /devices/platform/soc/4ac0000.qcom,qupv3_0_geni_se/4a84000.i2c/i2c-0/0-0051/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4ac0000.qcom,qupv3_0_geni_se/4a84000.i2c/i2c-0/0-006a/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4ac0000.qcom,qupv3_0_geni_se/4a84000.i2c/i2c-0/0-0051/wakeup/wakeup[0-9]* u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4ac0000.qcom,qupv3_0_geni_se/4a84000.i2c/i2c-0/0-006a/power_supply/bbc/wakeup[0-9]* u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4ac0000.qcom,qupv3_0_geni_se/4a84000.i2c/i2c-0/0-0071/power_supply/bms/wakeup[0-9]* u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4ac0000.qcom,qupv3_0_geni_se/4a84000.i2c/i2c-0/0-004e/tcpc/type_c_port0/wakeup[0-9]* u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4ac0000.qcom,qupv3_0_geni_se/4a84000.i2c/i2c-0/0-004e/tcpc/type_c_port0/dual-role-type_c_port0/wakeup[0-9]* u:object_r:sysfs_wakeup:s0
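Review bot: genfscon paths are literal prefixes, not regular expressions, so the entries ending in `(/.*)?` (the three nopmi-chg lines) and in `wakeup[0-9]*` will not match any sysfs node. A prefix already covers everything below it; write `genfscon sysfs /devices/platform/soc/soc:qcom,nopmi-chg/power_supply/usb u:object_r:vendor_sysfs_usb_supply:s0` and end the wakeup paths at `/wakeup`. With that, the hard-coded `wakeup26` and `wakeup18` lines are redundant.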
diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te
new file mode 100644
index 0000000..931ef06
--- /dev/null
+++ b/sepolicy/vendor/hal_audio_default.te
@@ -0,0 +1,14 @@
+allow hal_audio_default vendor_persist_audio_file:file rw_file_perms;
+allow hal_audio_default mnt_vendor_file:dir r_dir_perms;
+allow hal_audio_default vendor_audio_prop:property_service set;
+allow hal_audio_default audio_socket:sock_file rw_file_perms;
+allow hal_audio_default sound_device:chr_file rw_file_perms;
+allow hal_audio_default sysfs:file rw_file_perms;
+allow hal_audio_default dmabuf_system_heap_device:chr_file { read open ioctl };
+allow hal_audio_default debugfs:dir { open read };
+allow hal_audio_default vendor_agm_device:chr_file { read write open ioctl };
+allow hal_audio_default vendor_pd_locater_dbg_prop:file { map };
+get_prop(hal_audio_default, vendor_pd_locater_dbg_prop)
+unix_socket_connect(hal_audio_default, property, init)
+unix_socket_connect(hal_audio_default, property, hal_sensors_default)
+set_prop(hal_audio_default, vendor_audio_prop)
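Review bot: `unix_socket_connect(hal_audio_default, property, hal_sensors_default)` expands to write on property_socket plus `connectto` on hal_sensors_default, which looks like a copy of the line above rather than the intended rule. Given the `audio_socket` type added in this commit, it was presumably meant to be `unix_socket_connect(hal_audio_default, audio, hal_sensors_default)`; confirm which side listens. The explicit `vendor_audio_prop:property_service set` and `unix_socket_connect(hal_audio_default, property, init)` lines are already implied by `set_prop(hal_audio_default, vendor_audio_prop)` and can be removed.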
diff --git a/sepolicy/vendor/hal_bluetooth_default.te b/sepolicy/vendor/hal_bluetooth_default.te
new file mode 100644
index 0000000..7036782
--- /dev/null
+++ b/sepolicy/vendor/hal_bluetooth_default.te
@@ -0,0 +1,2 @@
+allow hal_bluetooth_default vendor_mac_vendor_data_file:dir search;
+allow hal_bluetooth_default vendor_mac_vendor_data_file:file { open read };
diff --git a/sepolicy/vendor/hal_bootctl_default.te b/sepolicy/vendor/hal_bootctl_default.te
new file mode 100644
index 0000000..e5c73b6
--- /dev/null
+++ b/sepolicy/vendor/hal_bootctl_default.te
@@ -0,0 +1 @@
+allow hal_bootctl_default vendor_uefi_block_device:blk_file getattr;
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
new file mode 100644
index 0000000..acfef12
--- /dev/null
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -0,0 +1,9 @@
+allow hal_camera_default mnt_vendor_file:dir search;
+allow hal_camera_default camera_persist_file:dir search;
+allow hal_camera_default vendor_persist_sensors_file:dir search;
+dontaudit hal_camera graphics_device:dir search;
+dontaudit hal_camera_default default_prop:file read;
+r_dir_file(hal_camera_default, mnt_vendor_file)
+r_dir_file(hal_camera_default, camera_persist_file)
+r_dir_file(hal_camera_default, vendor_persist_sensors_file)
+set_prop(hal_camera_default, vendor_camera_sensor_prop)
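Review bot: `dontaudit hal_camera graphics_device:dir search;` is written against the `hal_camera` attribute, so it silences the denial for every domain carrying that attribute rather than for hal_camera_default alone; use `dontaudit hal_camera_default graphics_device:dir search;` unless the wider scope is intended. The three `dir search` allows at the top are subsumed by the `r_dir_file` calls on the same types and can be dropped.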
diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te
new file mode 100644
index 0000000..2626bcc
--- /dev/null
+++ b/sepolicy/vendor/hal_fingerprint_default.te
@@ -0,0 +1,54 @@
+type vendor_hal_fingerprint_hwservice_xiaomi, hwservice_manager_type;
+typeattribute hal_fingerprint_default data_between_core_and_vendor_violators;
+
+allow hal_fingerprint_default goodix_fingerprint_data_file:dir create_dir_perms;
+allow hal_fingerprint_default goodix_fingerprint_data_file:file create_file_perms;
+allow hal_fingerprint_default fingerprint_device:chr_file rwx_file_perms;
+allow hal_fingerprint_default fingerprint_device:chr_file ioctl;
+allow hal_fingerprint_default firmware_file:dir r_dir_perms;
+allow hal_fingerprint_default input_device:dir r_dir_perms;
+allow hal_fingerprint_default input_device:chr_file rwx_file_perms;
+allow hal_fingerprint_default mnt_vendor_file:dir search;
+allow hal_fingerprint_default rootfs:dir r_dir_perms;
+allow hal_fingerprint_default sysfs:file rw_file_perms;
+allow hal_fingerprint_default sysfs:dir r_dir_perms;
+allow hal_fingerprint_default sysfs_leds:dir { search open };
+allow hal_fingerprint_default sysfs_msm_subsys:dir r_dir_perms;
+allow hal_fingerprint_default sysfs_msm_subsys:file rw_file_perms;
+allow hal_fingerprint_default sysfs_rtc:file rw_file_perms;
+allow hal_fingerprint_default sysfs_rtc:dir r_dir_perms;
+allow hal_fingerprint_default sysfs_rtc:dir { search open };
+allow hal_fingerprint_default system_data_root_file:dir r_dir_perms;
+allow hal_fingerprint_default sysfs_devices_system_cpu:file rw_file_perms;
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_fingerprint_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow hal_fingerprint_default sysfs_wakeup:dir r_dir_perms;
+allow hal_fingerprint_default sysfs_wakeup:file rw_file_perms;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default tee_device:chr_file ioctl;
+allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;
+allow hal_fingerprint_default vendor_dmabuf_qseecom_ta_heap_device:chr_file r_file_perms;
+allow hal_fingerprint_default vendor_dmabuf_qseecom_heap_device:chr_file r_file_perms;
+allow hal_fingerprint_default vendor_dmabuf_secure_cdsp_heap_device:chr_file { ioctl open read };
+allow hal_fingerprint_default vendor_fingerprint_data_file:dir create_dir_perms;
+allow hal_fingerprint_default vendor_fingerprint_data_file:dir rw_dir_perms;
+allow hal_fingerprint_default vendor_fingerprint_data_file:file create_file_perms;
+allow hal_fingerprint_default vendor_hal_fingerprint_hwservice_xiaomi:hwservice_manager { add find };
+allow hal_fingerprint_default vendor_hal_perf_hwservice:hwservice_manager find;
+allow hal_fingerprint_default vendor_hal_perf_default:binder call;
+allow hal_fingerprint_default vendor_sysfs_fingerprint:file rw_file_perms;
+allow hal_fingerprint_default vendor_sysfs_fingerprint:dir r_dir_perms;
+allow hal_fingerprint_default vendor_sysfs_fps_attr:dir r_dir_perms;
+allow hal_fingerprint_default vendor_sysfs_fps_attr:file rw_file_perms;
+allow hal_fingerprint_default vendor_sysfs_graphics:dir r_dir_perms;
+allow hal_fingerprint_default vendor_sysfs_graphics:file rw_file_perms;
+allow hal_fingerprint_default vendor_sysfs_spss:dir r_dir_perms;
+allow hal_fingerprint_default vendor_sysfs_spss:file rw_file_perms;
+allow hal_fingerprint_default vendor_hal_fingerprint_hwservice_xiaomi:hwservice_manager { add find };
+
+set_prop(hal_fingerprint_default, vendor_fp_prop)
+set_prop(hal_fingerprint_default, vendor_fp_info_prop)
+set_prop(hal_fingerprint_default, vendor_system_prop)
+get_prop(hal_fingerprint_default, vendor_adsprpc_prop)
+get_prop(hal_fingerprint_default, vendor_system_prop)
+get_prop(system_server, vendor_fp_prop)
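Review bot: `fingerprint_device:chr_file rwx_file_perms` and `input_device:chr_file rwx_file_perms` include execute permissions on device nodes, which a HAL reading a sensor should not need; `allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;` (and the same for input_device) is sufficient if nothing maps the node executable. `rw_file_perms` already contains `ioctl`, so the separate `ioctl` lines for fingerprint_device and tee_device are redundant, and the `vendor_hal_fingerprint_hwservice_xiaomi:hwservice_manager { add find }` rule appears twice. `get_prop(system_server, vendor_fp_prop)` would be easier to find in system_server.te.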
diff --git a/sepolicy/vendor/hal_graphics_composer_default.te b/sepolicy/vendor/hal_graphics_composer_default.te
new file mode 100644
index 0000000..355c471
--- /dev/null
+++ b/sepolicy/vendor/hal_graphics_composer_default.te
@@ -0,0 +1,6 @@
+type vendor_mistcdisplay_service, vndservice_manager_type;
+
+set_prop(hal_graphics_composer_default, vendor_ctl_vendor_display_prop)
+set_prop(hal_graphics_composer_default, vendor_display_prop)
+allow hal_graphics_composer_default vendor_mistcdisplay_service:service_manager find;
+add_service(hal_graphics_composer_default, vendor_mistcdisplay_service)
diff --git a/sepolicy/vendor/hal_health_default.te b/sepolicy/vendor/hal_health_default.te
new file mode 100644
index 0000000..64e4b19
--- /dev/null
+++ b/sepolicy/vendor/hal_health_default.te
@@ -0,0 +1 @@
+allow hal_health_default sysfs:file { getattr open read };
diff --git a/sepolicy/vendor/hal_ir_default.te b/sepolicy/vendor/hal_ir_default.te
new file mode 100644
index 0000000..825e1e2
--- /dev/null
+++ b/sepolicy/vendor/hal_ir_default.te
@@ -0,0 +1 @@
+allow hal_ir_default lirc_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/hal_mlipay_default.te b/sepolicy/vendor/hal_mlipay_default.te
new file mode 100644
index 0000000..a0b7f6d
--- /dev/null
+++ b/sepolicy/vendor/hal_mlipay_default.te
@@ -0,0 +1,25 @@
+type hal_mlipay_default, domain;
+type hal_mlipay_default_exec, exec_type, file_type, vendor_file_type;
+type hal_mlipay_hwservice, hwservice_manager_type;
+allow hal_mlipay_client hal_mlipay_server:binder { call transfer };
+allow hal_mlipay_client hal_mlipay_server:binder transfer;
+allow hal_mlipay_client hal_mlipay_server:fd *;
+allow hal_mlipay_client hal_mlipay_hwservice:hwservice_manager { add find };
+allow hal_mlipay_server hal_mlipay_client:binder transfer;
+allow hal_mlipay_server hal_mlipay_client:binder { call transfer };
+allow hal_mlipay_server hal_mlipay_client:fd *;
+allow hal_mlipay_default hal_mlipay_hwservice:hwservice_manager { add find };
+allow hal_mlipay_default tee_device:chr_file rw_file_perms;
+allow hal_mlipay_default firmware_file:dir r_dir_perms;
+allow hal_mlipay_default firmware_file:file r_file_perms;
+allow hal_mlipay_default ion_device:chr_file rw_file_perms;
+allow hal_mlipay_default rootfs:lnk_file r_file_perms;
+allow hal_mlipay_default vendor_dmabuf_qseecom_heap_device:chr_file { ioctl open read };
+allow hal_mlipay_default vendor_dmabuf_qseecom_ta_heap_device:chr_file { ioctl open read };
+init_daemon_domain(hal_mlipay_default)
+get_prop(hal_mlipay_default, vendor_fp_prop)
+get_prop(hal_mlipay_default, vendor_system_prop)
+set_prop(hal_mlipay_default, vendor_payment_security_prop)
+hwbinder_use(hal_mlipay_default)
+hal_server_domain(hal_mlipay_default, hal_mlipay)
+add_hwservice(hal_mlipay_server, hal_mlipay_hwservice)
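Review bot: `allow hal_mlipay_client hal_mlipay_hwservice:hwservice_manager { add find };` lets any client register the payment service, so a client domain could stand in for the real server; clients need only `find`: `allow hal_mlipay_client hal_mlipay_hwservice:hwservice_manager find;`. Registration is already covered by `add_hwservice(hal_mlipay_server, hal_mlipay_hwservice)`. The client/server binder rules are each stated twice (`{ call transfer }` and `transfer`) and can be replaced by `binder_call(hal_mlipay_client, hal_mlipay_server)` and its reverse.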
diff --git a/sepolicy/vendor/hal_nfc_default.te b/sepolicy/vendor/hal_nfc_default.te
new file mode 100644
index 0000000..ee949cc
--- /dev/null
+++ b/sepolicy/vendor/hal_nfc_default.te
@@ -0,0 +1,6 @@
+allow hal_nfc_default vendor_nfc_vendor_data_file:dir create_dir_perms;
+allow hal_nfc_default vendor_data_file:dir rw_dir_perms;
+allow hal_nfc_default vendor_data_file:file { create rw_file_perms };
+
+get_prop(hal_nfc_default, vendor_nfc_prop)
+set_prop(hal_nfc_default, vendor_nfc_prop)
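Review bot: The `vendor_data_file` rules give the NFC HAL create and write access to the generic /data/vendor label, shared by every vendor file without a specific type. The directory rule above already uses vendor_nfc_vendor_data_file, so the file rule should follow it: `allow hal_nfc_default vendor_nfc_vendor_data_file:file create_file_perms;`. mi_thermald.te and rild.te in this commit add the same kind of generic `vendor_data_file` write and want dedicated types as well (mi_thermald already has thermal_data_file).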
diff --git a/sepolicy/vendor/hal_perf_default.te b/sepolicy/vendor/hal_perf_default.te
new file mode 100644
index 0000000..744e91f
--- /dev/null
+++ b/sepolicy/vendor/hal_perf_default.te
@@ -0,0 +1,18 @@
+allow vendor_hal_perf_default hal_graphics_composer_default:process getpgid;
+allow vendor_hal_perf_default hal_graphics_composer_default:dir r_dir_perms;
+allow vendor_hal_perf_default hal_graphics_composer_default:file r_file_perms;
+allow vendor_hal_perf_default hal_graphics_composer_default:file append;
+allow vendor_hal_perf_default hal_graphics_composer:dir search;
+allow vendor_hal_perf_default hal_camera_default:dir r_dir_perms;
+allow vendor_hal_perf_default hal_camera_default:file r_file_perms;
+allow vendor_hal_perf_default hal_fingerprint_default:dir r_dir_perms;
+allow vendor_hal_perf_default hal_fingerprint_default:file r_file_perms;
+allow vendor_hal_perf_default sysfs_thermal:file rw_file_perms;
+allow vendor_hal_perf_default hal_audio_default:dir search;
+allow vendor_hal_perf_default hal_audio_default:file { open read };
+allow vendor_hal_perf_default thermal_data_file:dir { read search watch };
+allow vendor_hal_perf_default thermal_data_file:file { getattr open read setattr unlink };
+allow vendor_hal_perf_default mi_thermald:dir r_dir_perms;
+allow vendor_hal_perf_default mi_thermald:file r_file_perms;
+
+set_prop(vendor_hal_perf_default, vendor_wlc_public_prop)
\ No newline at end of file
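Review bot: The file ends without a trailing newline; policy sources are concatenated at build time, so depending on the build the last `set_prop` may run into the next file's first line, and the newline should be added. `allow vendor_hal_perf_default hal_graphics_composer_default:file append;` grants write-style access to another process's /proc files and should state in a comment which node is written.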
diff --git a/sepolicy/vendor/hal_power_default.te b/sepolicy/vendor/hal_power_default.te
new file mode 100644
index 0000000..1d28a5c
--- /dev/null
+++ b/sepolicy/vendor/hal_power_default.te
@@ -0,0 +1,15 @@
+# Allow hal_power_default to write to dt2w nodes
+allow hal_power_default input_device:dir r_dir_perms;
+allow hal_power_default input_device:chr_file rw_file_perms;
+allow hal_power_default proc_tp_gesture:dir search;
+allow hal_power_default proc_tp_gesture:file rw_file_perms;
+
+r_dir_file(hal_power_default, input_device)
+
+allow hal_power_default {
+  cgroup
+  proc
+}:{
+  file
+  lnk_file
+} rw_file_perms;
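Review bot: The final block grants `rw_file_perms` on every file and symlink labelled generic `proc` or `cgroup`, far wider than the dt2w purpose in the header comment, which the `proc_tp_gesture` rules already cover. Drop the block if double-tap-to-wake works without it, or label the specific /proc nodes in genfs_contexts and grant on that type. `allow hal_power_default input_device:dir r_dir_perms;` duplicates what `r_dir_file(hal_power_default, input_device)` provides.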
diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te
new file mode 100644
index 0000000..976bd05
--- /dev/null
+++ b/sepolicy/vendor/hal_sensors_default.te
@@ -0,0 +1,6 @@
+allow hal_sensors_default audio_socket:sock_file rw_file_perms;
+allow hal_sensors_default hal_audio_default:unix_stream_socket connectto;
+allow hal_sensors_default sound_device:chr_file rw_file_perms;
+allow hal_sensors_default sysfs:file { read open write };
+allow hal_sensors_default vendor_sysfs_graphics:dir r_dir_perms;
+allow hal_sensors_default vendor_sysfs_graphics:file r_file_perms;
diff --git a/sepolicy/vendor/hal_vibrator_default.te b/sepolicy/vendor/hal_vibrator_default.te
new file mode 100644
index 0000000..31469f4
--- /dev/null
+++ b/sepolicy/vendor/hal_vibrator_default.te
@@ -0,0 +1 @@
+allow hal_vibrator_default sysfs:file { open read write };
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
new file mode 100644
index 0000000..560b7a9
--- /dev/null
+++ b/sepolicy/vendor/hwservice_contexts
@@ -0,0 +1,9 @@
+# Fingerprint
+com.fingerprints.extension::IFingerprintNavigation                                       u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintSensorTest                                       u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintEngineering                                      u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintCalibration                                      u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintSenseTouch                                       u:object_r:hal_fingerprint_hwservice:s0
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon                  u:object_r:hal_fingerprint_hwservice:s0
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemonExt               u:object_r:hal_fingerprint_hwservice:s0
+vendor.xiaomi.hardware.fingerprintextension::IXiaomiFingerprint               u:object_r:hal_fingerprint_hwservice:s0
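Review bot: No entry uses `vendor_hal_fingerprint_hwservice_xiaomi`, the type hal_fingerprint_default.te declares and grants `{ add find }` on; the Xiaomi interface on the last line is labelled hal_fingerprint_hwservice instead. If the separate type is wanted, that line should read `vendor.xiaomi.hardware.fingerprintextension::IXiaomiFingerprint u:object_r:vendor_hal_fingerprint_hwservice_xiaomi:s0`; otherwise remove the type and its rules. As written, any domain allowed to find hal_fingerprint_hwservice can also reach the vendor test, engineering and calibration interfaces.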
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
new file mode 100644
index 0000000..a133979
--- /dev/null
+++ b/sepolicy/vendor/init.te
@@ -0,0 +1,2 @@
+allow init proc:file { setattr };
+allow init hal_fingerprint_default:process ptrace;
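Review bot: `allow init hal_fingerprint_default:process ptrace;` lets init attach to the process that handles biometric data, and nothing in the commit explains the need. ptrace denials are often a side effect of reading /proc/<pid> entries; if that is the origin, use `dontaudit init hal_fingerprint_default:process ptrace;`. `allow init proc:file { setattr };` is on the generic proc label and should name the node in a comment or move to a specific type.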
diff --git a/sepolicy/vendor/mi_thermald.te b/sepolicy/vendor/mi_thermald.te
new file mode 100644
index 0000000..e857bcc
--- /dev/null
+++ b/sepolicy/vendor/mi_thermald.te
@@ -0,0 +1,28 @@
+type mi_thermald, domain, mlstrustedsubject;
+type mi_thermald_exec, exec_type, vendor_file_type, file_type;
+allow mi_thermald sysfs_devices_system_cpu:file rw_file_perms;
+allow mi_thermald self:capability { fsetid sys_boot };
+allow mi_thermald sysfs_thermal:file w_file_perms;
+allow mi_thermald sysfs:file w_file_perms;
+allow mi_thermald vendor_sysfs_kgsl:dir r_dir_perms;
+allow mi_thermald vendor_sysfs_kgsl:file rw_file_perms;
+allow mi_thermald vendor_sysfs_kgsl:lnk_file r_file_perms;
+allow mi_thermald vendor_sysfs_battery_supply:dir r_dir_perms;
+allow mi_thermald vendor_sysfs_battery_supply:file rw_file_perms;
+allow mi_thermald vendor_sysfs_battery_supply:lnk_file r_file_perms;
+allow mi_thermald vendor_sysfs_qcom_battery:file rw_file_perms;
+allow mi_thermald vendor_sysfs_graphics:dir r_dir_perms;
+allow mi_thermald vendor_sysfs_graphics:file rw_file_perms;
+allow mi_thermald vendor_sysfs_graphics:lnk_file r_file_perms;
+allow mi_thermald thermal_data_file:dir { add_name read remove_name search watch write };
+allow mi_thermald thermal_data_file:file { create getattr open read rename setattr unlink write };
+allow mi_thermald mi_thermald:capability { chown fowner };
+allow mi_thermald mi_thermald:capability2 { block_suspend wake_alarm };
+allow mi_thermald vendor_data_file:dir { add_name read remove_name watch write };
+allow mi_thermald vendor_data_file:file { create getattr open read rename setattr unlink write };
+init_daemon_domain(mi_thermald)
+r_dir_file(mi_thermald, sysfs_thermal)
+r_dir_file(mi_thermald, sysfs)
+r_dir_file(mi_thermald, sysfs_leds)
+r_dir_file(mi_thermald, vendor_sysfs_qcom_battery)
+set_prop(mi_thermald, vendor_thermal_normal_prop)
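Review bot: `type mi_thermald, domain, mlstrustedsubject;` exempts the daemon from MLS separation, and together with `self:capability { fsetid sys_boot }` plus `chown fowner` this is a lot of privilege for a thermal daemon with no justification in the file. Drop `mlstrustedsubject` unless a specific cross-level access needs it, and comment each capability. The two `allow mi_thermald mi_thermald:capability` and `capability2` lines should use `self` like the first capability rule.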
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
new file mode 100644
index 0000000..06d9cca
--- /dev/null
+++ b/sepolicy/vendor/property.te
@@ -0,0 +1,23 @@
+# Camera
+vendor_public_prop(vendor_camera_sensor_prop)
+
+# Device ID
+vendor_public_prop(vendor_deviceid_prop)
+vendor_public_prop(vendor_sno_prop)
+vendor_public_prop(vendor_cpuid_prop)
+
+# Display
+vendor_internal_prop(vendor_ctl_vendor_display_prop)
+
+# Fingerprint
+vendor_restricted_prop(vendor_fp_info_prop)
+vendor_public_prop(vendor_fp_prop)
+
+# Mlipay
+vendor_public_prop(vendor_payment_security_prop)
+
+# Thermal
+vendor_public_prop(vendor_thermal_normal_prop)
+
+# WiFi
+vendor_public_prop(vendor_wifimac_prop)
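Review bot: `vendor_deviceid_prop` and `vendor_sno_prop` hold IMEI, MEID and serial-number keys (per property_contexts in this commit) but are declared with `vendor_public_prop`, the least restrictive class. Declaring them as `vendor_internal_prop(vendor_deviceid_prop)` and `vendor_internal_prop(vendor_sno_prop)` keeps them inside vendor domains unless a system consumer is known; the same question applies to `vendor_payment_security_prop`. `vendor_cpuid_prop` and `vendor_wifimac_prop` have no property_contexts entry in this commit and look unused.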
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
new file mode 100644
index 0000000..0e0d3a5
--- /dev/null
+++ b/sepolicy/vendor/property_contexts
@@ -0,0 +1,39 @@
+# Camera
+vendor.camera.sensor.           u:object_r:vendor_camera_sensor_prop:s0
+
+# Device ID
+persist.vendor.radio.imei       u:object_r:vendor_deviceid_prop:s0
+persist.vendor.radio.meid       u:object_r:vendor_deviceid_prop:s0
+ro.vendor.oem.imei              u:object_r:vendor_deviceid_prop:s0
+ro.vendor.oem.meid              u:object_r:vendor_deviceid_prop:s0
+ro.vendor.oem.psno              u:object_r:vendor_sno_prop:s0
+ro.vendor.oem.sno               u:object_r:vendor_sno_prop:s0
+
+# Fingerprint
+persist.vendor.fingerprint.              u:object_r:vendor_fp_prop:s0
+persist.vendor.fpc.                      u:object_r:vendor_fp_prop:s0
+persist.vendor.goodix.                   u:object_r:vendor_fp_prop:s0
+persist.vendor.sys.fp.                   u:object_r:vendor_fp_prop:s0
+persist.vendor.sys.fp.info               u:object_r:vendor_fp_info_prop:s0
+persist.vendor.sys.fp.uid                u:object_r:vendor_fp_info_prop:s0
+ro.hardware.fp.                          u:object_r:vendor_fp_prop:s0
+vendor.fps_hal.                          u:object_r:vendor_fp_prop:s0
+vendor.fps_hal_lc                        u:object_r:vendor_fp_prop:s0
+vendor.panel.display.                    u:object_r:vendor_fp_prop:s0
+vendor.sys.fp.                           u:object_r:vendor_fp_prop:s0
+
+# Mlipay
+persist.vendor.sys.pay.                  u:object_r:vendor_payment_security_prop:s0
+persist.vendor.sys.provision.status      u:object_r:vendor_payment_security_prop:s0
+vendor.sys.feature_state                 u:object_r:vendor_payment_security_prop:s0
+vendor.sys.rpmb_state                    u:object_r:vendor_payment_security_prop:s0
+
+# NFC
+persist.vendor.nfc.                             u:object_r:vendor_nfc_prop:s0
+
+# Radio
+ro.vendor.ril.svlte1x  u:object_r:vendor_radio_prop:s0
+ro.vendor.ril.svdo  u:object_r:vendor_radio_prop:s0
+
+# Thermal
+vendor.sys.thermal.data.path             u:object_r:vendor_thermal_normal_prop:s0
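Review bot: `vendor.panel.display.` is labelled vendor_fp_prop, which app.te makes readable by all non-isolated apps and hal_fingerprint_default may set; display keys probably belong under a display type such as the `vendor_display_prop` already referenced elsewhere in this commit. None of the entries carry the `prefix`/`exact` and value-type columns, so single keys such as `vendor.fps_hal_lc` and `ro.vendor.oem.sno` are matched as prefixes; add `exact string` where one key is meant.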
diff --git a/sepolicy/vendor/rild.te b/sepolicy/vendor/rild.te
new file mode 100644
index 0000000..c8ae49c
--- /dev/null
+++ b/sepolicy/vendor/rild.te
@@ -0,0 +1,4 @@
+set_prop(rild, vendor_deviceid_prop)
+set_prop(rild, vendor_sno_prop)
+allow rild vendor_data_file:dir create_dir_perms;
+allow rild vendor_data_file:file create_file_perms;
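Review bot: The two `vendor_data_file` rules at the end of this hunk let rild create files and directories under the generic vendor data label, which is shared by every vendor data path that has no type of its own. A dedicated type with a matching file_contexts entry would confine rild to its own directory, e.g. `allow rild <rild_data_type>:dir create_dir_perms;` (placeholder type name). The two `set_prop` lines make rild a writer of the IMEI/MEID and serial-number properties labelled earlier in this commit, so a one-line comment naming the domains meant to read them would help the next audit.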
diff --git a/sepolicy/vendor/stflashtool.te b/sepolicy/vendor/stflashtool.te
new file mode 100644
index 0000000..a5feae0
--- /dev/null
+++ b/sepolicy/vendor/stflashtool.te
@@ -0,0 +1,10 @@
+type stflashtool, domain;
+type stflashtool_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(stflashtool)
+
+allow stflashtool nfc_device:chr_file {ioctl read write getattr lock append map open watch watch_reads};
+
+get_prop(stflashtool, vendor_radio_prop)
+get_prop(stflashtool, vendor_nfc_prop)
+set_prop(stflashtool, vendor_nfc_prop)
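Review bot: The permission list on `nfc_device:chr_file` appears to spell out by hand what the `rw_file_perms` macro expands to, so `allow stflashtool nfc_device:chr_file rw_file_perms;` is shorter and stays in step with the macro. `get_prop(stflashtool, vendor_nfc_prop)` is redundant, because the `set_prop` on the following line already includes read access. A new `init_daemon_domain` also needs a file_contexts entry labelling the binary as `stflashtool_exec`; that entry is not in this part of the diff, so confirm it exists.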
diff --git a/sepolicy/vendor/surfaceflinger.te b/sepolicy/vendor/surfaceflinger.te
new file mode 100644
index 0000000..587488a
--- /dev/null
+++ b/sepolicy/vendor/surfaceflinger.te
@@ -0,0 +1 @@
+allow surfaceflinger vendor_sysfs_graphics:dir { open read search };
diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te
new file mode 100644
index 0000000..be4fabb
--- /dev/null
+++ b/sepolicy/vendor/system_app.te
@@ -0,0 +1,10 @@
+allow system_app proc_pagetypeinfo:file { read open getattr };
+allow system_app sysfs_zram:dir r_dir_perms;
+allow system_app sysfs_zram:file r_file_perms;
+allow system_app sysfs_thermal:file { rw_file_perms getattr };
+
+binder_call(system_app, hal_audio_default)
+binder_call(system_app, hal_health_default)
+binder_call(system_app, hal_ir_default)
+binder_call(system_app, hal_memtrack_default)
+binder_call(system_app, vendor_hal_gnss_qti)
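Review bot: `allow system_app sysfs_thermal:file { rw_file_perms getattr };` gives write access to the thermal sysfs nodes to every app that runs in the system_app domain, and the extra `getattr` is already part of `rw_file_perms`. If the consumer only reads temperatures, `allow system_app sysfs_thermal:file r_file_perms;` is enough. If a write is required, a narrower label on that one node keeps the rest of the thermal tree read-only. The five `binder_call` lines carry no comment naming the app that needs each HAL, which makes them hard to audit later.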
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
new file mode 100644
index 0000000..9f32935
--- /dev/null
+++ b/sepolicy/vendor/system_server.te
@@ -0,0 +1,3 @@
+# OEM Fastcharge
+allow system_server sysfs_wakeup:file r_file_perms;
+allow system_server vendor_sysfs_battery_supply:file r_file_perms;
diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te
new file mode 100644
index 0000000..17e742d
--- /dev/null
+++ b/sepolicy/vendor/tee.te
@@ -0,0 +1,9 @@
+allow tee mnt_vendor_file:file create_file_perms;
+allow tee mnt_vendor_file:dir rw_dir_perms;
+allow tee vendor_fingerprint_data_file:dir rw_dir_perms;
+allow tee vendor_fingerprint_data_file:file rw_file_perms;
+allow tee vendor_fingerprint_data_file:file create_file_perms;
+allow tee vendor_gpt_block_device:blk_file { read };
+allow tee vendor_xbl_block_device:blk_file { read };
+
+typeattribute tee data_between_core_and_vendor_violators;
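Review bot: `typeattribute tee data_between_core_and_vendor_violators;` exempts the tee domain from the Treble neverallow rules that separate core and vendor data, yet no rule in this hunk visibly needs it. The targets are `mnt_vendor_file` and `vendor_fingerprint_data_file`, which by name look like vendor types. Either drop the attribute or add a comment naming the rule that fails to build without it. The `rw_file_perms` line on `vendor_fingerprint_data_file:file` is covered by the `create_file_perms` line below it and can be removed.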
diff --git a/sepolicy/vendor/toolbox.te b/sepolicy/vendor/toolbox.te
new file mode 100644
index 0000000..f490084
--- /dev/null
+++ b/sepolicy/vendor/toolbox.te
@@ -0,0 +1 @@
+allow toolbox unlabeled:dir { getattr };
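Review bot: A rule against `unlabeled` usually means some directory has no valid file_contexts label, and allowing `getattr` hides that instead of fixing it. Labelling the directory keeps the `unlabeled` type out of the allow rules; if the access is harmless, `dontaudit toolbox unlabeled:dir getattr;` silences the log without granting anything. A comment with the path from the denial would record which directory this is.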
diff --git a/sepolicy/vendor/vdc.te b/sepolicy/vendor/vdc.te
new file mode 100644
index 0000000..ec5fb3d
--- /dev/null
+++ b/sepolicy/vendor/vdc.te
@@ -0,0 +1 @@
+allow vdc self:capability kill;
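Review bot: `allow vdc self:capability kill;` grants CAP_KILL, which lets the process signal processes it does not own, and nothing in the hunk says what vdc needs it for. If this comes from a denial seen at boot and the operation works without it, `dontaudit vdc self:capability kill;` quiets the log without granting the capability. Otherwise add a comment with the denial and the caller.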
diff --git a/sepolicy/vendor/vendor_goodix_events.te b/sepolicy/vendor/vendor_goodix_events.te
new file mode 100644
index 0000000..346afa8
--- /dev/null
+++ b/sepolicy/vendor/vendor_goodix_events.te
@@ -0,0 +1,12 @@
+type vendor_goodix_events, domain;
+type vendor_goodix_events_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(vendor_goodix_events)
+
+allow vendor_goodix_events vendor_file:file rx_file_perms;
+allow vendor_goodix_events proc:file r_file_perms;
+allow vendor_goodix_events input_device:chr_file { rw_file_perms unlink };
+allow vendor_goodix_events input_device:dir create_dir_perms;
+allow vendor_goodix_events vendor_toolbox_exec:file rx_file_perms;
+
+vndbinder_use(vendor_goodix_events)
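Review bot: `input_device:dir create_dir_perms` together with `unlink` on `input_device:chr_file` lets this daemon create and remove entries in the input device directory, which is more than a process that only opens existing event nodes needs. If that is all it does, `allow vendor_goodix_events input_device:dir r_dir_perms;` and `allow vendor_goodix_events input_device:chr_file rw_file_perms;` are sufficient. `vendor_file:file rx_file_perms` and `proc:file r_file_perms` both target generic labels. A short comment naming the binary executed and the proc file read would let a reviewer narrow them.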
diff --git a/sepolicy/vendor/vendor_hal_perf_default.te b/sepolicy/vendor/vendor_hal_perf_default.te
new file mode 100644
index 0000000..c567d3e
--- /dev/null
+++ b/sepolicy/vendor/vendor_hal_perf_default.te
@@ -0,0 +1,11 @@
+allow vendor_hal_perf_default hal_audio_default:dir r_dir_perms;
+allow vendor_hal_perf_default hal_audio_default:file r_file_perms;
+allow vendor_hal_perf_default hal_fingerprint_default:dir r_dir_perms;
+allow vendor_hal_perf_default hal_fingerprint_default:file r_file_perms;
+allow vendor_hal_perf_default hal_camera_default:dir r_dir_perms;
+allow vendor_hal_perf_default hal_camera_default:file { read open };
+allow vendor_hal_perf_default hal_graphics_composer_default:dir r_dir_perms;
+allow vendor_hal_perf_default hal_graphics_composer_default:file r_file_perms;
+allow vendor_hal_perf_default sysfs:file r_file_perms;
+
+r_dir_file(vendor_hal_perf_default, system_server)
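Review bot: `r_dir_file(vendor_hal_perf_default, system_server)` lets a vendor HAL read the /proc entries of system_server, and the rules above do the same for the audio, fingerprint, camera and composer HALs, with no comment on which files are read or why. `allow vendor_hal_perf_default sysfs:file r_file_perms;` additionally opens every sysfs node that has no label of its own. Add a comment per group stating the file the perf HAL reads, and replace the generic `sysfs` rule with the specific sysfs type once the path is known. The camera line uses `{ read open }` where its siblings use `r_file_perms`; pick one form.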
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
new file mode 100644
index 0000000..86f4315
--- /dev/null
+++ b/sepolicy/vendor/vendor_init.te
@@ -0,0 +1,17 @@
+allow vendor_init block_device:lnk_file { setattr };
+allow vendor_init cgroup:file getattr;
+allow vendor_init hwservicemanager:binder { transfer };
+allow vendor_init tee_device:chr_file { ioctl };
+allow vendor_init tee_device:chr_file rw_file_perms;
+
+allow vendor_init vendor_dmabuf_qseecom_heap_device:chr_file ioctl;
+allow vendor_init vendor_dmabuf_qseecom_heap_device:chr_file rw_file_perms;
+allow vendor_init vendor_dmabuf_qseecom_ta_heap_device:chr_file ioctl;
+allow vendor_init vendor_dmabuf_qseecom_ta_heap_device:chr_file rw_file_perms;
+allow vendor_init vendor_qce_device:chr_file ioctl;
+allow vendor_init vendor_qce_device:chr_file rw_file_perms;
+
+set_prop(vendor_init, vendor_fp_prop)
+set_prop(vendor_init, vendor_fp_info_prop)
+set_prop(vendor_init, vendor_nfc_prop)
+set_prop(vendor_init, vendor_thermal_normal_prop)
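Review bot: The read-write rules on `tee_device`, the two qseecom heap devices and `vendor_qce_device` give vendor_init direct access to the TEE and crypto-engine nodes. That suggests a vendor binary is being run from an init script without a domain of its own, though this is an inference because the caller is not visible here. Giving that binary its own type and domain transition would keep these permissions out of vendor_init. Separately, each `:chr_file ioctl;` or `{ ioctl }` line is redundant, because `rw_file_perms` on the line after it already contains `ioctl`.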
diff --git a/sepolicy/vendor/vendor_modprobe.te b/sepolicy/vendor/vendor_modprobe.te
new file mode 100644
index 0000000..98f6b2e
--- /dev/null
+++ b/sepolicy/vendor/vendor_modprobe.te
@@ -0,0 +1,7 @@
+allow vendor_modprobe block_device:dir search;
+allow vendor_modprobe self:capability sys_module;
+allow vendor_modprobe self:cap_userns sys_module;
+allow vendor_modprobe vendor_file:system module_load;
+allow vendor_modprobe vendor_modprobe:key { write };
+
+r_dir_file(vendor_modprobe, vendor_file)
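Review bot: `allow vendor_modprobe vendor_modprobe:key { write };` names the domain as its own target while the two lines above it use `self`; `allow vendor_modprobe self:key write;` reads consistently. The `capability` and `cap_userns` lines can be one rule, `allow vendor_modprobe self:global_capability_class_set sys_module;`. `module_load` is granted on the generic `vendor_file` label, so anything carrying that label is loadable as a kernel module by this domain. State that in a comment, or restrict the rule if the modules on this device carry their own type.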
diff --git a/sepolicy/vendor/vendor_qcc_trd.te b/sepolicy/vendor/vendor_qcc_trd.te
new file mode 100644
index 0000000..01cda7c
--- /dev/null
+++ b/sepolicy/vendor/vendor_qcc_trd.te
@@ -0,0 +1 @@
+allow vendor_qcc_trd vendor_sysfs_microdump:dir { search };
diff --git a/sepolicy/vendor/vendor_qti_init_shell.te b/sepolicy/vendor/vendor_qti_init_shell.te
new file mode 100644
index 0000000..d6d9fb4
--- /dev/null
+++ b/sepolicy/vendor/vendor_qti_init_shell.te
@@ -0,0 +1,9 @@
+allow vendor_qti_init_shell configfs:dir { add_name create write };
+# NECESSARY?
+allow vendor_qti_init_shell configfs:dir setattr;
+# END
+allow vendor_qti_init_shell device:dir r_dir_perms;
+allow vendor_qti_init_shell sysfs_dm:file rw_file_perms;
+allow vendor_qti_init_shell sysfs_dm:dir r_dir_perms;
+allow vendor_qti_init_shell vendor_sysfs_msm_perf:file w_file_perms;
+allow vendor_qti_init_shell vendor_sysfs_qdss_dev:file { setattr write };
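Review bot: The `# NECESSARY?` and `# END` markers around `allow vendor_qti_init_shell configfs:dir setattr;` leave an open question in committed policy. Either remove the rule until a denial shows it is needed, or replace the markers with a comment naming the script and the denial, e.g. `# <script name>: setattr on its configfs directory` (placeholder). `allow vendor_qti_init_shell device:dir r_dir_perms;` targets the generic `device` label and would benefit from the same kind of comment.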
diff --git a/sepolicy/vendor/vendor_wcnss_service.te b/sepolicy/vendor/vendor_wcnss_service.te
new file mode 100644
index 0000000..e3bd13e
--- /dev/null
+++ b/sepolicy/vendor/vendor_wcnss_service.te
@@ -0,0 +1,20 @@
+allow vendor_wcnss_service self:capability { net_raw setgid setuid };
+allow vendor_wcnss_service self:packet_socket write;
+allow vendor_wcnss_service sysfs_net:file read;
+allow vendor_wcnss_service vendor_mac_vendor_data_file:dir { add_name open read search setattr write };
+allow vendor_wcnss_service vendor_mac_vendor_data_file:dir rw_dir_perms;
+allow vendor_wcnss_service vendor_mac_vendor_data_file:file { create getattr open read setattr write };
+allow vendor_wcnss_service mnt_vendor_file:dir { add_name create read search write };
+allow vendor_wcnss_service mnt_vendor_file:file { create open read setattr write };
+allow vendor_wcnss_service vendor_sysfs_diag:dir search;
+allow vendor_wcnss_service vendor_sysfs_diag:file { open read };
+allow vendor_wcnss_service vendor_wifi_vendor_log_data_file:dir { add_name getattr open read remove_name search setattr write };
+allow vendor_wcnss_service vendor_wifi_vendor_log_data_file:file { append create getattr open read rename setattr unlink write };
+allow vendor_wcnss_service vendor_proc_wifi_dbg:file { create getattr open read setattr write };
+
+get_prop(vendor_wcnss_service, vendor_bluetooth_prop)
+set_prop(vendor_wcnss_service, vendor_radio_prop)
+set_prop(vendor_wcnss_service, vendor_wifimac_prop)
+set_prop(vendor_wcnss_service, vendor_public_vendor_default_prop)
+
+unix_socket_connect(vendor_wcnss_service, property, init)
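Review bot: `set_prop(vendor_wcnss_service, vendor_public_vendor_default_prop)` gives this service write access to what the type name suggests is a catch-all for vendor properties without a label of their own. Labelling the specific property it sets in property_contexts and granting that type instead would be tighter. `self:capability { net_raw setgid setuid }` is granted without a comment on why the service changes identity or needs raw sockets. `unix_socket_connect(vendor_wcnss_service, property, init)` is already part of every `set_prop` above it and can be dropped. `create` on `vendor_proc_wifi_dbg:file` has no effect if that type labels a /proc node, as its name suggests.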
diff --git a/sepolicy/vendor/vndservice.te b/sepolicy/vendor/vndservice.te
new file mode 100644
index 0000000..39e13ae
--- /dev/null
+++ b/sepolicy/vendor/vndservice.te
@@ -0,0 +1 @@
+type fingerprint_vndservice, vndservice_manager_type;
diff --git a/sepolicy/vendor/vndservice_contexts b/sepolicy/vendor/vndservice_contexts
new file mode 100644
index 0000000..cbfbc26
--- /dev/null
+++ b/sepolicy/vendor/vndservice_contexts
@@ -0,0 +1,4 @@
+display.mistcservice                                  u:object_r:vendor_mistcdisplay_service:s0
+
+# Fingerprint
+FocalFingerprintService                                                u:object_r:fingerprint_vndservice:s0
diff --git a/sepolicy/vendor/vndservicemanager.te b/sepolicy/vendor/vndservicemanager.te
new file mode 100644
index 0000000..11a0291
--- /dev/null
+++ b/sepolicy/vendor/vndservicemanager.te
@@ -0,0 +1 @@
+binder_call(vndservicemanager vendor_cnd)
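Review bot: `binder_call(vndservicemanager vendor_cnd)` is missing the comma between its arguments, so the macro receives the whole text as its first argument and an empty second one. The expansion then no longer contains the reply-direction grant from `vendor_cnd` to `vndservicemanager`, and depending on how the build expands it the line may not compile at all. It should read `binder_call(vndservicemanager, vendor_cnd)`.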