DO NOT MERGE - Merge pie-platform-release (PPRL.181205.001) into master

Bug: 120502534
Change-Id: I8711d074ffe68f57c40b8b08e9b9c7208b3f1999
diff --git a/vendor/google/device.te b/vendor/google/device.te
index dfbfd94..d4bb97a 100644
--- a/vendor/google/device.te
+++ b/vendor/google/device.te
@@ -1,2 +1,3 @@
 type citadel_device, dev_type;
 type ramoops_device, dev_type;
+type maxfg_device, dev_type;
\ No newline at end of file
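Review bot: The added `type maxfg_device, dev_type;` is now the last line of device.te and has no trailing newline, whereas the old file ended cleanly after the `ramoops_device` line. Policy sources are normally concatenated and preprocessed before compilation, so a file that ends mid-line relies on the build inserting a separator before the next file's first statement. Ending the file with a newline removes that dependency.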
diff --git a/vendor/google/file_contexts b/vendor/google/file_contexts
index c68a73e..31a0882 100644
--- a/vendor/google/file_contexts
+++ b/vendor/google/file_contexts
@@ -2,6 +2,7 @@
 /dev/citadel0                                                               u:object_r:citadel_device:s0
 /dev/access-metadata                                                        u:object_r:ramoops_device:s0
 /dev/access-ramoops                                                         u:object_r:ramoops_device:s0
+/dev/maxfg_history                                                          u:object_r:maxfg_device:s0
 
 /vendor/bin/hw/android\.hardware\.authsecret@1\.0-service\.citadel          u:object_r:hal_authsecret_citadel_exec:s0
 /vendor/bin/hw/android\.hardware\.oemlock@1\.0-service\.citadel             u:object_r:hal_oemlock_citadel_exec:s0
@@ -12,6 +13,7 @@
 /vendor/bin/hw/wait_for_strongbox                                           u:object_r:wait_for_strongbox_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.0-service-disabled      u:object_r:hal_secure_element_default_exec:s0
 /vendor/bin/hw/android\.hardware\.power@1\.3-service\.crosshatch-libperfmgr u:object_r:hal_power_default_exec:s0
+/vendor/bin/init\.firstboot\.sh                                             u:object_r:init-firstboot_exec:s0
 /vendor/bin/ramoops                                                         u:object_r:ramoops_exec:s0
 /vendor/bin/init\.ramoops\.sh                                               u:object_r:ramoops_exec:s0
 /vendor/bin/pixelstats-vendor                                               u:object_r:pixelstats_vendor_exec:s0
diff --git a/vendor/google/fsck.te b/vendor/google/fsck.te
new file mode 100644
index 0000000..9c64f10
--- /dev/null
+++ b/vendor/google/fsck.te
@@ -0,0 +1,2 @@
+allow fsck persist_block_device:blk_file rw_file_perms;
+
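Review bot: `allow fsck persist_block_device:blk_file rw_file_perms;` has no comment saying why fsck needs write access to the persist partition. A line such as `# Allow fsck to check and repair the persist partition` would record the intent, assuming that is the purpose. This commit also relabels `by-name/persist` to `persist_block_device` in vendor/qcom/sdm845/file_contexts, and this is the only allow rule for the new type visible in the diff. It is worth confirming from boot-time denial logs that no other domain depended on the partition's previous label.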
diff --git a/vendor/google/init-firstboot.te b/vendor/google/init-firstboot.te
new file mode 100644
index 0000000..7ca7168
--- /dev/null
+++ b/vendor/google/init-firstboot.te
@@ -0,0 +1,15 @@
+type init-firstboot, domain;
+type init-firstboot_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-firstboot)
+
+allow init-firstboot vendor_shell_exec:file rx_file_perms;
+allow init-firstboot vendor_toolbox_exec:file rx_file_perms;
+
+# Read USB connection state
+allow init-firstboot sysfs_msm_subsys:dir search;
+r_dir_file(init-firstboot, sysfs_batteryinfo)
+
+# Set property to trigger a shutdown
+set_prop(init-firstboot, powerctl_prop)
+
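Review bot: The new domain has no header comment describing what `init.firstboot.sh` does or when it runs, and `set_prop(init-firstboot, powerctl_prop)` is the sensitive grant in this file. That property is what init acts on for power-state changes, so the domain can request any action init honours for it, not only the shutdown the comment mentions. A short header stating the script's trigger and which inputs drive the shutdown decision would let reviewers judge that grant. Separately, the hyphenated names `init-firstboot` and `init-firstboot_exec` depart from the underscore style of the other types touched by this change, such as `hal_power_default_exec`.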
diff --git a/vendor/qcom/common/device.te b/vendor/qcom/common/device.te
index 8b92ebf..b20c09c 100644
--- a/vendor/qcom/common/device.te
+++ b/vendor/qcom/common/device.te
@@ -5,14 +5,15 @@
 type diag_device, dev_type, mlstrustedobject;
 type dsp_device, dev_type;
 type easel_device, dev_type, mlstrustedobject;
+type gpt_block_device, dev_type;
 type ipa_dev, dev_type;
 type latency_device, dev_type;
 type modem_block_device, dev_type;
+type persist_block_device, dev_type;
 type qsee_ipc_irq_spss_device, dev_type;
 type qdsp_device, dev_type, mlstrustedobject;
 type ramdump_device, dev_type;
 type rmnet_device, dev_type;
-type gpt_block_device, dev_type;
 type ramdump_block_device, dev_type;
 type seemplog_device, dev_type;
 type sg_device, dev_type;
diff --git a/vendor/qcom/common/file.te b/vendor/qcom/common/file.te
index 83b88f8..6c6f48f 100644
--- a/vendor/qcom/common/file.te
+++ b/vendor/qcom/common/file.te
@@ -53,6 +53,7 @@
 # /proc
 type proc_wifi_dbg, proc_type, fs_type;
 type proc_f2fs, proc_type, fs_type;
+type proc_swappiness, proc_type, fs_type;
 type proc_sysctl_autogroup, proc_type, fs_type;
 type proc_sysctl_schedboost, proc_type, fs_type;
 
diff --git a/vendor/qcom/common/genfs_contexts b/vendor/qcom/common/genfs_contexts
index 9c1b535..ab58600 100644
--- a/vendor/qcom/common/genfs_contexts
+++ b/vendor/qcom/common/genfs_contexts
@@ -3,6 +3,7 @@
 genfscon proc /ath_pktlog/cld                         u:object_r:proc_wifi_dbg:s0
 genfscon proc /irq                                    u:object_r:proc_irq:s0
 genfscon proc /fs/f2fs                                u:object_r:proc_f2fs:s0
+genfscon proc /sys/vm/swappiness                      u:object_r:proc_swappiness:s0
 genfscon proc /sys/kernel/sched_autogroup_enabled     u:object_r:proc_sysctl_autogroup:s0
 genfscon proc /sys/kernel/sched_boost                 u:object_r:proc_sysctl_schedboost:s0
 
diff --git a/vendor/qcom/common/hal_dumpstate_impl.te b/vendor/qcom/common/hal_dumpstate_impl.te
index 6ad57bf..72a9427 100644
--- a/vendor/qcom/common/hal_dumpstate_impl.te
+++ b/vendor/qcom/common/hal_dumpstate_impl.te
@@ -107,7 +107,16 @@
 # Dump Maxim FG content
 allow hal_dumpstate_impl debugfs_maxfg:dir search;
 allow hal_dumpstate_impl debugfs_maxfg:file r_file_perms;
+allow hal_dumpstate_impl tmpfs:dir search;
+allow hal_dumpstate_impl maxfg_device:chr_file r_file_perms;
 
 # Dump PMIC votables
 allow hal_dumpstate_impl debugfs_pmic_votable:dir r_dir_perms;
 allow hal_dumpstate_impl debugfs_pmic_votable:file r_file_perms;
+
+userdebug_or_eng(`
+  # Citadel communication must be via citadeld
+  vndbinder_use(hal_dumpstate_impl)
+  binder_call(hal_dumpstate_impl, citadeld)
+  allow hal_dumpstate_impl citadeld_service:service_manager find;
+')
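Review bot: `allow hal_dumpstate_impl tmpfs:dir search;` is added under `# Dump Maxim FG content` without saying which tmpfs-labelled directory must be traversed to reach `/dev/maxfg_history`. The same pair of rules is added to hardware_info_app.te. `tmpfs` is a generic label, so the grant covers every directory carrying it rather than one path. If the node sits under a directory that simply lacks a specific label, giving that directory its own type in file_contexts would be tighter. Otherwise a comment such as `# /dev/maxfg_history is reached through a tmpfs-labelled directory` would document the need.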
diff --git a/vendor/qcom/common/hardware_info_app.te b/vendor/qcom/common/hardware_info_app.te
index 9e8e401..5c290fd 100644
--- a/vendor/qcom/common/hardware_info_app.te
+++ b/vendor/qcom/common/hardware_info_app.te
@@ -24,3 +24,7 @@
 allow hardware_info_app sysfs_soc:file { getattr open read };
 allow hardware_info_app sysfs_display:dir search;
 allow hardware_info_app sysfs_display:file { getattr open read };
+
+# Devices
+allow hardware_info_app tmpfs:dir search;
+allow hardware_info_app maxfg_device:chr_file r_file_perms;
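Review bot: `allow hardware_info_app maxfg_device:chr_file r_file_perms;` grants more than the surrounding rules in this file, which spell out `{ getattr open read }`, because `r_file_perms` also carries `ioctl` and `lock`. On a character device that exposes the driver's ioctl handlers to an app domain, and nothing in the visible lines gates the rule by build variant. If the app only reads the history, `allow hardware_info_app maxfg_device:chr_file { getattr open read };` matches the file's existing style and keeps the reachable driver surface smaller. The `# Devices` heading could also name the node, for example `# Read Maxim fuel gauge history from /dev/maxfg_history`.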
diff --git a/vendor/qcom/common/property_contexts b/vendor/qcom/common/property_contexts
index f633637..d54b8f0 100644
--- a/vendor/qcom/common/property_contexts
+++ b/vendor/qcom/common/property_contexts
@@ -1,6 +1,7 @@
 vendor.debug.camera.       u:object_r:vendor_camera_prop:s0
 persist.vendor.camera.     u:object_r:vendor_camera_prop:s0
 persist.camera.            u:object_r:vendor_camera_prop:s0
+ro.vendor.camera.          u:object_r:vendor_camera_prop:s0
 persist.vendor.sys.cnd     u:object_r:cnd_prop:s0
 ro.boot.sota               u:object_r:factory_ota_prop:s0
 vendor.ims.                u:object_r:ims_prop:s0
diff --git a/vendor/qcom/common/rfs_access.te b/vendor/qcom/common/rfs_access.te
index be7e18d..280ab02 100644
--- a/vendor/qcom/common/rfs_access.te
+++ b/vendor/qcom/common/rfs_access.te
@@ -8,6 +8,8 @@
 
 wakelock_use(rfs_access)
 
+r_dir_file(rfs_access, firmware_file);
+
 # For tftp server file access
 allow rfs_access mnt_vendor_file:dir search;
 allow rfs_access mnt_vendor_file:file r_file_perms;
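Review bot: `r_dir_file(rfs_access, firmware_file);` ends with a semicolon, unlike the `wakelock_use(rfs_access)` call just above it. The macro presumably expands to complete, already-terminated allow rules, so the extra `;` is at best redundant; `r_dir_file(rfs_access, firmware_file)` keeps the file consistent. The rule also has no comment, while the next block carries `# For tftp server file access`. A line such as `# Read firmware files` (adjusted to the real purpose) would explain the grant.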
diff --git a/vendor/qcom/common/ueventd.te b/vendor/qcom/common/ueventd.te
index e7799ab..f0a175d 100644
--- a/vendor/qcom/common/ueventd.te
+++ b/vendor/qcom/common/ueventd.te
@@ -12,6 +12,7 @@
 allow ueventd sysfs_msm_subsys:file w_file_perms;
 allow ueventd sysfs_bluetooth_writable:file w_file_perms;
 allow ueventd sysfs_usb_c:file w_file_perms;
+allow ueventd firmware_file:lnk_file read;
 allow ueventd firmware_file:dir search;
 allow ueventd firmware_file:file r_file_perms;
 allow ueventd tmpfs:blk_file getattr;
diff --git a/vendor/qcom/common/vendor_init.te b/vendor/qcom/common/vendor_init.te
index 9680f19..2ee704d 100644
--- a/vendor/qcom/common/vendor_init.te
+++ b/vendor/qcom/common/vendor_init.te
@@ -3,6 +3,7 @@
 allow vendor_init proc_sysctl_autogroup:file w_file_perms;
 allow vendor_init proc_sysctl_schedboost:file w_file_perms;
 allow vendor_init proc_irq:file w_file_perms;
+allow vendor_init proc_swappiness:file w_file_perms;
 allow vendor_init camera_vendor_data_file:dir create_dir_perms;
 dontaudit vendor_init kernel:system module_request;
 
diff --git a/vendor/qcom/sdm845/file_contexts b/vendor/qcom/sdm845/file_contexts
index ee215e5..4603b8d 100644
--- a/vendor/qcom/sdm845/file_contexts
+++ b/vendor/qcom/sdm845/file_contexts
@@ -27,6 +27,7 @@
 /dev/block/platform/soc/1d84000\.ufshc/by-name/modem_[ab]      u:object_r:modem_block_device:s0
 /dev/block/platform/soc/1d84000\.ufshc/by-name/modemst[12]     u:object_r:modem_block_device:s0
 /dev/block/platform/soc/1d84000\.ufshc/by-name/ssd             u:object_r:ssd_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/persist         u:object_r:persist_block_device:s0
 /dev/block/platform/soc/1d84000\.ufshc/by-name/product_[ab]    u:object_r:system_block_device:s0
 /dev/block/platform/soc/1d84000\.ufshc/by-name/system_[ab]     u:object_r:system_block_device:s0
 /dev/block/platform/soc/1d84000\.ufshc/by-name/vendor_[ab]     u:object_r:system_block_device:s0