Initial selinux policy.

The majority of the policy was taken
from the existing flo and mako policies
as both of those use qcom bits too.

Change-Id: I51ac30414abb7cf79e54faa7feb17e154ee07b8c
diff --git a/BoardConfig.mk b/BoardConfig.mk
index 6fe0d9f..d302404 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -99,12 +99,30 @@
 
 # The list below is order dependent
 BOARD_SEPOLICY_UNION += \
-       file.te \
-       device.te \
        app.te \
+       bluetooth_loader.te \
+       bridge.te \
+       camera.te \
+       device.te \
+       file.te \
+       mediaserver.te \
+       mpdecision.te \
+       netmgrd.te \
+       qmux.te \
+       rild.te \
        rmt.te \
+       sensors.te \
+       ssr.te \
+       surfaceflinger.te \
+       system_server.te \
+       tee.te \
+       thermald.te \
+       time.te \
        ueventd.te \
-       file_contexts
+       vss.te \
+       file_contexts \
+       genfs_contexts \
+       te_macros
 
 HAVE_ADRENO_SOURCE:= false
 
diff --git a/init.hammerhead.rc b/init.hammerhead.rc
index 644b004..47f0397 100644
--- a/init.hammerhead.rc
+++ b/init.hammerhead.rc
@@ -41,6 +41,7 @@
 
 on fs
     mount_all ./fstab.hammerhead
+    restorecon_recursive /persist
     setprop ro.crypto.fuse_sdcard true
     write /sys/kernel/boot_adsp/boot 1
 
@@ -59,7 +60,9 @@
 
     # bluetooth LPM
     chown bluetooth net_bt_stack /proc/bluetooth/sleep/lpm
+    restorecon /proc/bluetooth/sleep/lpm
     chown bluetooth net_bt_stack /proc/bluetooth/sleep/btwrite
+    restorecon /proc/bluetooth/sleep/btwrite
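Review bot: The two `restorecon` lines added for `/proc/bluetooth/sleep/lpm` and `/proc/bluetooth/sleep/btwrite` look redundant with the `genfscon proc` entries this same commit adds in sepolicy/genfs_contexts: proc gets its labels from genfscon when it is mounted, and restorecon consults file_contexts, which has no entry for these paths, so the commands are most likely no-ops. If they are kept on purpose, a comment such as `# labels for these proc nodes come from genfs_contexts` would stop the next reader from expecting them to do anything. The enclosing init block starts before this hunk.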
 
     #bluetooth UART dev
     chown bluetooth net_bt_stack /sys/devices/platform/msm_serial_hs.0/clock
@@ -170,12 +173,15 @@
     mkdir /data/misc/dhcp 0770 dhcp dhcp
     chown dhcp dhcp /data/misc/dhcp
 
+    # Apply correct labeling to DRM files
+    restorecon_recursive /data/misc/playready
+
     # communicate with mpdecision and thermald
-    mkdir /dev/socket/mpdecision 0770 system system
-    chmod 2770 /dev/socket/mpdecision
+    mkdir /dev/socket/mpdecision 2770 root system
 
     # save rtc time offsets
-    mkdir /data/system/time/ 0700 system system
+    mkdir /data/system/time 0700 system system
+    restorecon_recursive /data/system/time
 
     # Ecc_Handler qcril.db
     mkdir /data/misc/radio 0770 radio radio
@@ -287,6 +293,7 @@
 service rmt_storage /system/bin/rmt_storage
     class core
     user root
+    group system
 
 service bridgemgrd /system/bin/bridgemgrd
     class main
@@ -301,6 +308,7 @@
 
 service netmgrd /system/bin/netmgrd
     class main
+    group radio
 
 # QCOM sensor
 service sensors /system/bin/sensors.qcom
@@ -313,7 +321,7 @@
     user root
     oneshot
 
-service p2p_supplicant /system/bin/logwrapper /system/bin/wpa_supplicant \
+service p2p_supplicant /system/bin/wpa_supplicant \
     -iwlan0 -Dnl80211 -c/data/misc/wifi/wpa_supplicant.conf \
     -I/system/etc/wifi/wpa_supplicant_overlay.conf \
     -O/data/misc/wifi/sockets -N \
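Review bot: Dropping `/system/bin/logwrapper` from the `p2p_supplicant` service command, and from `wpa_supplicant` in the next hunk, is not explained anywhere in the change; since the rest of the commit is SELinux bring-up, the likely motive is that init's domain transition is keyed on the executable it spawns, so with logwrapper in front the transition would land on logwrapper instead of the supplicant — confirm. A one-line comment above each service, e.g. `# run wpa_supplicant directly so init's domain transition applies to it`, would record that, and it is worth stating that supplicant stdout/stderr no longer reaches logcat as a result. The service definition continues past the end of this hunk.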
@@ -330,7 +338,7 @@
     disabled
     oneshot
 
-service wpa_supplicant /system/bin/logwrapper /system/bin/wpa_supplicant \
+service wpa_supplicant /system/bin/wpa_supplicant \
     -iwlan0 -Dnl80211 -c/data/misc/wifi/wpa_supplicant.conf \
     -I/system/etc/wifi/wpa_supplicant_overlay.conf \
     -O/data/misc/wifi/sockets \
@@ -439,7 +447,7 @@
 service thermal-engine /system/bin/thermal-engine-hh
    class main
    user root
-   group root
+   group radio
 
 service vss_init /vendor/bin/vss_init
     class late_start
@@ -451,4 +459,3 @@
     class late_start
     user root
     group root
-
diff --git a/sepolicy/app.te b/sepolicy/app.te
index 19da482..34f3c06 100644
--- a/sepolicy/app.te
+++ b/sepolicy/app.te
@@ -1,3 +1,6 @@
 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.
 allow appdomain gpu_device:chr_file { rw_file_perms execute };
+
+# Grant access to qmux socket that is created by rild
+allow radio rild_qmuxd_socket:sock_file rw_file_perms;
diff --git a/sepolicy/bluetooth_loader.te b/sepolicy/bluetooth_loader.te
new file mode 100644
index 0000000..1d32185
--- /dev/null
+++ b/sepolicy/bluetooth_loader.te
@@ -0,0 +1,17 @@
+# Bluetooth executables and scripts
+type bluetooth_loader, domain;
+type bluetooth_loader_exec, exec_type, file_type;
+
+# Start bdAddrLoader from init
+init_daemon_domain(bluetooth_loader)
+
+permissive bluetooth_loader;
+
+# Read mac address from persist partition
+allow bluetooth_loader persist_file:dir search;
+r_dir_file(bluetooth_loader, persist_bluetooth_file)
+
+# Talk to init over the property socket
+unix_socket_connect(bluetooth_loader, property, init)
+# Set persist.service.bdroid.* and bluetooth.* property values
+allow bluetooth_loader bluetooth_prop:property_service set;
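Review bot: `permissive bluetooth_loader;` makes this domain log-only, so none of the allow rules in the file are enforced yet, and the same line appears in bridge, camera, mpdecision, netmgrd, qmux, sensors, ssr, thermald, time and vss. Nothing records that this is a bring-up measure or what has to be true before the line is removed, and ssr.te and vss.te contain no rules at all beyond the declaration and the permissive line. A comment next to each occurrence, e.g. `# bring-up only: remove once collected denials are covered by the rules above`, would make the intended end state explicit and keep the permissive domains from being forgotten.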
diff --git a/sepolicy/bridge.te b/sepolicy/bridge.te
new file mode 100644
index 0000000..1b5c886
--- /dev/null
+++ b/sepolicy/bridge.te
@@ -0,0 +1,21 @@
+# Bridge Manager (radio process)
+type bridge, domain;
+type bridge_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(bridge)
+
+permissive bridge;
+
+# Uevent for usb connection
+allow bridge self:netlink_kobject_uevent_socket { create bind read };
+
+# Allow logging diagnostic items to /dev/diag
+allow bridge diag_device:chr_file rw_file_perms;
+
+# Talk to qmuxd (qmux_radio)
+qmux_socket(bridge)
+
+# Alert the RmNet SMD & SDIO function driver of the correct transport.
+# (/sys/class/android_usb/f_rmnet_smd_sdio/transport)
+allow bridge sysfs_rmnet:file { open read write getattr };
diff --git a/sepolicy/camera.te b/sepolicy/camera.te
new file mode 100644
index 0000000..5eeea84
--- /dev/null
+++ b/sepolicy/camera.te
@@ -0,0 +1,33 @@
+# Qualcomm MSM camera
+type camera, domain;
+type camera_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(camera)
+
+permissive camera;
+
+# Interact with other media devices
+allow camera camera_device:dir search;
+allow camera { gpu_device video_device camera_device }:chr_file rw_file_perms;
+allow camera { surfaceflinger mediaserver }:fd use;
+
+# Create front and back camera sockets (/data/cam_socket[12])
+type_transition camera system_data_file:sock_file camera_socket "cam_socket1";
+type_transition camera system_data_file:sock_file camera_socket "cam_socket2";
+allow camera camera_socket:sock_file { create unlink };
+allow camera system_data_file:dir w_dir_perms;
+allow camera system_data_file:sock_file unlink;
+
+type_transition camera system_data_file:file camera_data_file "fdAlbum";
+allow camera camera_data_file:file create_file_perms;
+
+# Connect to sensor socket (/data/app/sensor_ctl_socket)
+unix_socket_connect(camera, sensors, sensors)
+allow camera sensors_socket:sock_file read;
+
+allow camera sensors_device:chr_file rw_file_perms;
+
+# Read camera files from persist filesystem
+allow camera persist_file:dir search;
+r_dir_file(camera, persist_camera_file)
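Review bot: `allow camera system_data_file:dir w_dir_perms;` and `allow camera system_data_file:sock_file unlink;` reach well beyond the two cam_socket files and fdAlbum that the comments describe: they let the camera daemon add, remove and rename entries in any directory still labeled system_data_file and unlink any unlabeled socket in such a directory. If the unlink rule exists to clean up sockets created before labeling was applied, say so, e.g. `# unlink leftover cam_socket* created before labeling`, and consider whether the directory write can be narrowed once the type_transitions above are confirmed to cover every path the daemon creates. Because the domain is permissive for now, these rules currently have no enforcement effect, which makes it easy to miss how broad they are.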
diff --git a/sepolicy/device.te b/sepolicy/device.te
index f29322b..645e8d7 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -1,2 +1,16 @@
 # GPU (used by most UI apps)
-type gpu_device, dev_type;
+type gpu_device, dev_type, mlstrustedobject;
+
+type wlan_device, dev_type;
+
+type diag_device, dev_type;
+
+type smd_device, dev_type;
+
+# Shared memory logger
+type shared_log_device, dev_type;
+
+type power_control_device, dev_type;
+
+# Real Time Clock
+type rtc, dev_type;
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 8cad101..18b7563 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,2 +1,26 @@
 # Default type for anything under /firmware
 type firmware_file, fs_type;
+
+type qmuxd_socket, file_type;
+type sensors_socket, file_type;
+type camera_socket, file_type;
+type thermald_socket, file_type;
+
+type sensors_data_file, file_type, data_file_type;
+type time_data_file, file_type, data_file_type;
+
+type mpdecision_socket, file_type;
+
+# Persist firmware types
+type persist_file, file_type;
+type persist_bluetooth_file, file_type;
+type persist_camera_file, file_type;
+type persist_data_file, file_type;
+type persist_drm_file, file_type;
+type persist_sensors_file, file_type;
+type persist_wifi_file, file_type;
+
+type sysfs_rmnet, fs_type, sysfs_type;
+type sysfs_mpdecision, fs_type, sysfs_type;
+type sysfs_surfaceflinger, fs_type, sysfs_type;
+type sysfs_smdcntl_open_timeout, fs_type, sysfs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index d631d00..1155e36 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -1,5 +1,6 @@
 # GPU device
 /dev/kgsl-3d0       u:object_r:gpu_device:s0
+/dev/kgsl           u:object_r:gpu_device:s0
 
 # Bluetooth
 /dev/ttyHS99        u:object_r:hci_attach_dev:s0
@@ -10,6 +11,119 @@
 # Used by keystore to access trustzone
 /dev/qseecom        u:object_r:tee_device:s0
 
+# GPS
+/dev/gss               u:object_r:sensors_device:s0
+
+# WLAN
+/dev/wcnss_wlan         u:object_r:wlan_device:s0
+
+# Image Rotator Driver
+/dev/msm_rotator    u:object_r:video_device:s0
+
+# Qualcomm MSM Interface (QMI) devices
+/dev/socket/qmux_audio(/.*)?           u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_bluetooth(/.*)?       u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_gps(/.*)?             u:object_r:qmuxd_socket:s0
+/dev/socket/qmux_radio(/.*)?           u:object_r:qmuxd_socket:s0
+
+/dev/diag                          u:object_r:diag_device:s0
+
+# CPU governor controls
+/dev/socket/mpdecision(/.*)?           u:object_r:mpdecision_socket:s0
+
+## Radio related
+# modem driver
+/dev/mdm                               u:object_r:radio_device:s0
+# high speed inter-chip controls
+/dev/hsicctl[0-3]                      u:object_r:radio_device:s0
+# mux controller
+/dev/rmnet_mux_ctrl                    u:object_r:radio_device:s0
+# qmi protocol driver
+/dev/qmi[0-2]                          u:object_r:radio_device:s0
+# shared memory drivers
+/dev/smdcntl[0-7]                      u:object_r:radio_device:s0
+
+# Default label for shared memory drivers
+/dev/smd([0-9])+                       u:object_r:smd_device:s0
+/dev/smem_log                          u:object_r:shared_log_device:s0
+
+# Serial-to-Usb support
+/dev/ttyUSB0                           u:object_r:radio_device:s0
+
+# Jpeg Engine support
+/dev/gemini.*                          u:object_r:camera_device:s0
+# MSM camera related
+/dev/v4l-subdev.*                      u:object_r:camera_device:s0
+/dev/video([0-9])+                     u:object_r:camera_device:s0
+/dev/msm_camera(/.*)?                  u:object_r:camera_device:s0
+/dev/media([0-9])+                     u:object_r:camera_device:s0
+
+# Qualcomm MSM Audio devices
+/dev/msm_acdb                      u:object_r:audio_device:s0
+/dev/msm_mp3                       u:object_r:audio_device:s0
+/dev/msm_rtac                      u:object_r:audio_device:s0
+/dev/msm_vidc.*                    u:object_r:audio_device:s0
+/dev/msm_amrnb.*                   u:object_r:audio_device:s0
+/dev/msm_amrwb.*                   u:object_r:audio_device:s0
+/dev/msm_aac.*                     u:object_r:audio_device:s0
+
+# MSM Dedicated Sensors Processor Subsystem
+/dev/msm_dsps                          u:object_r:sensors_device:s0
+# Sensors shared Memory Packet Interface
+/dev/smd_sns_dsps                      u:object_r:sensors_device:s0
+
+/dev/sensors                           u:object_r:sensors_device:s0
+
+/dev/cpu_dma_latency               u:object_r:power_control_device:s0
+/dev/rtc0                          u:object_r:rtc:s0
+
+/data/nfc(/.*)?                    u:object_r:nfc_data_file:s0
+/data/misc/sensors(/.*)?           u:object_r:sensors_data_file:s0
+/data/system/sensors(/.*)?         u:object_r:sensors_data_file:s0
+/data/misc/playready(/.*)?         u:object_r:drm_data_file:s0
+/data/fdAlbum                      u:object_r:camera_data_file:s0
+/data/system/time(/.*)?            u:object_r:time_data_file:s0
+
 # rmt_storage is a qualcomm specific daemon responsible
 # for servicing modem filesystem requests.
 /system/bin/rmt_storage            u:object_r:rmt_exec:s0
+/system/bin/bdAddrLoader           u:object_r:bluetooth_loader_exec:s0
+/system/bin/bridgemgrd             u:object_r:bridge_exec:s0
+/system/bin/qmuxd                  u:object_r:qmux_exec:s0
+/system/bin/netmgrd                u:object_r:netmgrd_exec:s0
+/system/bin/mpdecision             u:object_r:mpdecision_exec:s0
+/system/bin/sensors.qcom           u:object_r:sensors_exec:s0
+/system/bin/mm-qcamera-daemon      u:object_r:camera_exec:s0
+/system/bin/qseecomd               u:object_r:tee_exec:s0
+/system/bin/subsystem_ramdump      u:object_r:ssr_exec:s0
+/system/bin/thermal-engine-hh      u:object_r:thermald_exec:s0
+/system/vendor/bin/vss_init        u:object_r:vss_exec:s0
+/system/bin/time_daemon            u:object_r:time_exec:s0
+
+# Persist firmware filesystem
+/persist(/.*)?                    u:object_r:persist_file:s0
+/persist/bluetooth(/.*)?          u:object_r:persist_bluetooth_file:s0
+/persist/camera_calibration(/.*)? u:object_r:persist_camera_file:s0
+/persist/data(/.*)?               u:object_r:persist_data_file:s0
+/persist/sensors(/.*)?            u:object_r:persist_sensors_file:s0
+/persist/playready(/.*)?          u:object_r:persist_drm_file:s0
+/persist/widevine(/.*)?           u:object_r:persist_drm_file:s0
+/persist/wifi(/.*)?               u:object_r:persist_wifi_file:s0
+
+# Sysfs entry for the RmNet function driver
+/sys/class/android_usb/f_rmnet_smd_sdio/transport  --  u:object_r:sysfs_rmnet:s0
+/sys/devices/virtual/android_usb/android0/f_rmnet_smd_sdio/transport  --  u:object_r:sysfs_rmnet:s0
+
+# Sysfs files used by mpdecision
+/sys/module/pm2/modes(/.*)?            u:object_r:sysfs_mpdecision:s0
+/sys/module/pm_8x60/modes(/.*)?        u:object_r:sysfs_mpdecision:s0
+
+# Sysfs files used by surfaceflinger
+/sys/devices/virtual/graphics/fb1/format_3d -- u:object_r:sysfs_surfaceflinger:s0
+/sys/devices/virtual/graphics/fb1/hpd       -- u:object_r:sysfs_surfaceflinger:s0
+
+# Sysfs files used by qmuxd
+/sys/devices/virtual/smdpkt/smdcntl([0-9])+/open_timeout u:object_r:sysfs_smdcntl_open_timeout:s0
+
+# Bluetooth
+/sys/devices/platform/bluetooth_rfkill/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
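Review bot: `/dev/msm_vidc.*` is listed under `# Qualcomm MSM Audio devices` and labeled audio_device, yet the name reads as the video codec (vidc) driver; if that is what it is, audio_device gives every audio client access to the codec node, and video_device is the label this commit uses for comparable nodes such as `/dev/msm_rotator` — confirm against the kernel driver. Either relabel it or add a comment stating why audio_device is the right type for it. I believe the core policy labels `/dev/video[0-9]*` as video_device, so `/dev/video([0-9])+` relabeling to camera_device is an intentional override; camera.te grants both types, which is consistent, but a comment noting the override would help.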
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 0000000..51f0c78
--- /dev/null
+++ b/sepolicy/genfs_contexts
@@ -0,0 +1,2 @@
+genfscon proc /bluetooth/sleep/lpm     u:object_r:proc_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 0000000..7986c23
--- /dev/null
+++ b/sepolicy/mediaserver.te
@@ -0,0 +1,8 @@
+# Grant access to Qualcomm MSM Interface (QMI) audio sockets to mediaserver
+qmux_socket(mediaserver)
+
+unix_socket_send(mediaserver, camera, camera)
+unix_socket_send(mediaserver, mpdecision, mpdecision)
+
+# Permit mediaserver to create sockets
+allow mediaserver self:socket { read create };
diff --git a/sepolicy/mpdecision.te b/sepolicy/mpdecision.te
new file mode 100644
index 0000000..0275bea
--- /dev/null
+++ b/sepolicy/mpdecision.te
@@ -0,0 +1,41 @@
+# CPU governor (root process)
+type mpdecision, domain;
+type mpdecision_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(mpdecision)
+
+permissive mpdecision;
+
+# CPU hotplug uevent to manage cores
+allow mpdecision self:netlink_kobject_uevent_socket { create setopt bind read };
+allow mpdecision self:capability net_admin;
+
+# Create under /dev/socket/mpdecision
+allow mpdecision mpdecision_socket:dir w_dir_perms;
+allow mpdecision mpdecision_socket:sock_file create_file_perms;
+
+# Also support mpdecision creating the /dev/socket/pb socket
+type_transition mpdecision socket_device:sock_file mpdecision_socket;
+allow mpdecision self:capability chown;
+allow mpdecision socket_device:dir w_dir_perms;
+
+# By-product of setting owner on sock_file (don't allow)
+dontaudit mpdecision self:capability fsetid;
+
+allow mpdecision sysfs_devices_system_cpu:file rw_file_perms;
+allow mpdecision sysfs_mpdecision:dir r_dir_perms;
+allow mpdecision sysfs_mpdecision:file rw_file_perms;
+
+# Some files in /sys/devices/system/cpu may pop in and out of existance,
+# defeating our attempt to label them. As a result, they could have the
+# sysfs label, not the sysfs_devices_system_cpu label.
+# Allow write access for now until we figure out a better solution.
+# For example, the following files pop in and out of existance:
+# /sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_min_freq
+# /sys/devices/system/cpu/cpu1/cpufreq/scaling_min_freq
+allow mpdecision sysfs:file write;
+
+# This is needed to allow mpdecision to look at system_server's
+# /proc/PID/status file.
+r_dir_file(mpdecision, system_server)
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
new file mode 100644
index 0000000..1142aa9
--- /dev/null
+++ b/sepolicy/netmgrd.te
@@ -0,0 +1,35 @@
+# Network utilities (radio process)
+type netmgrd, domain;
+type netmgrd_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(netmgrd)
+
+permissive netmgrd;
+
+# Starts as (root,radio) changes to (radio,radio)
+allow netmgrd self:capability { setuid setgid net_admin net_raw };
+dontaudit netmgrd self:capability fsetid;
+
+# Support modprobe??
+dontaudit netmgrd self:capability sys_module;
+
+allow netmgrd self:udp_socket { create ioctl };
+allow netmgrd self:netlink_socket create_socket_perms;
+allow netmgrd self:netlink_route_socket { create_socket_perms nlmsg_write nlmsg_read };
+
+# Talk to qmuxd (qmux_radio)
+qmux_socket(netmgrd)
+
+# Allow logging diagnostic items (/dev/diag)
+allow netmgrd diag_device:chr_file rw_file_perms;
+
+# Tries to access /data/data_test/ with toolbox. The data_test
+# directory doesn't exist so deny access.
+dontaudit netmgrd shell_exec:file rx_file_perms;
+dontaudit netmgrd system_file:file execute_no_trans;
+
+# Talk to init over the property socket
+unix_socket_connect(netmgrd, property, init)
+# Set net.rmnet0.* values
+allow netmgrd radio_prop:property_service set;
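Review bot: `# Support modprobe??` above `dontaudit netmgrd self:capability sys_module;` leaves an open question in the shipped policy, and sys_module is the capability that permits loading kernel modules, so the answer matters: either netmgrd genuinely loads a module, in which case the rule needs to be discussed as an allow, or it does not, in which case the comment should say the attempt is expected and deliberately silenced. Replace the question with the finding, e.g. `# sys_module not required (<reason observed during bring-up>); denial silenced rather than granted`. The same applies to `# Is r_file_perms sufficient for /dev/rtc0 ?` in sepolicy/time.te, where the rule already grants rw_file_perms.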
diff --git a/sepolicy/qmux.te b/sepolicy/qmux.te
new file mode 100644
index 0000000..c1822df
--- /dev/null
+++ b/sepolicy/qmux.te
@@ -0,0 +1,24 @@
+# Qualcomm Management Interface Multiplexer
+type qmux, domain;
+type qmux_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(qmux)
+
+permissive qmux;
+
+# Create sockets under each /dev/socket/qmux_* directory.
+allow qmux qmuxd_socket:dir w_dir_perms;
+allow qmux qmuxd_socket:sock_file { create setattr getattr unlink };
+
+# /dev/hsicctl* node access
+allow qmux radio_device:chr_file rw_file_perms;
+
+# Allow logging diagnostic items
+allow qmux diag_device:chr_file rw_file_perms;
+
+# wake lock access
+allow qmux sysfs_wake_lock:file { open append };
+
+# Access to /sys/devices/virtual/smdpkt/smdcntl*/open_timeout
+allow qmux sysfs_smdcntl_open_timeout:file rw_file_perms;
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
new file mode 100644
index 0000000..834c128
--- /dev/null
+++ b/sepolicy/rild.te
@@ -0,0 +1,4 @@
+allow rild diag_device:chr_file rw_file_perms;
+
+# Grant access to Qualcomm MSM Interface (QMI) radio sockets to RILD
+qmux_socket(rild)
diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te
new file mode 100644
index 0000000..d08d769
--- /dev/null
+++ b/sepolicy/sensors.te
@@ -0,0 +1,58 @@
+# Integrated qualcomm sensor process
+type sensors, domain;
+type sensors_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(sensors)
+
+permissive sensors;
+
+# Change own perms to (nobody,nobody)
+allow sensors self:capability { setuid setgid };
+# Chown /data/misc/sensors/debug/ to nobody
+allow sensors self:capability chown;
+dontaudit sensors self:capability fsetid;
+
+# Access /data/misc/sensors/debug and /data/system/sensors/settings
+allow sensors self:capability dac_read_search;
+dontaudit sensors self:capability dac_override;
+
+# Log diagnostic items (/dev/diag)
+allow sensors diag_device:chr_file rw_file_perms;
+
+# Create /data/app/sensor_ctl_socket (Might want to change location).
+type_transition sensors apk_data_file:sock_file sensors_socket "sensor_ctl_socket";
+allow sensors sensors_socket:sock_file create_file_perms;
+# Trying to be restrictive with perms on apk_data_file
+allow sensors apk_data_file:dir { add_name write };
+# Socket can be deleted. So might have to keep in order to work.
+allow sensors apk_data_file:dir remove_name;
+
+# Create directories and files under /data/misc/sensors
+# and /data/system/sensors. Allow generic r/w file access.
+allow sensors sensors_data_file:dir create_dir_perms;
+allow sensors sensors_data_file:file create_file_perms;
+
+# Access sensor nodes (/dev/msm_dsps, /dev/sensors)
+allow sensors sensors_device:chr_file rw_file_perms;
+
+# Access power management controls
+allow sensors power_control_device:chr_file w_file_perms;
+
+# Access to /persist/sensors
+allow sensors persist_file:dir r_dir_perms;
+allow sensors persist_sensors_file:dir r_dir_perms;
+allow sensors persist_sensors_file:file rw_file_perms;
+
+# Wake lock access
+allow sensors sysfs_wake_lock:file { open append };
+
+allow sensors cgroup:dir { create add_name };
+
+allow sensors self:socket *;
+
+# Access shared memory logger
+allow sensors shared_log_device:chr_file rw_file_perms;
+
+# Talk to qmuxd (qmux_radio)
+qmux_socket(sensors)
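Review bot: `allow sensors self:socket *;` grants every permission on the generic socket class instead of the ones the daemon has been observed to use; the rest of this file enumerates permissions, so the wildcard stands out and will be hard to tighten later because it hides what was actually needed. Replace it with the observed set, e.g. `allow sensors self:socket create_socket_perms;` as thermald.te in this same change does, and revisit once denials have been collected. `allow time self:socket *;` in sepolicy/time.te has the same issue.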
diff --git a/sepolicy/ssr.te b/sepolicy/ssr.te
new file mode 100644
index 0000000..51c2551
--- /dev/null
+++ b/sepolicy/ssr.te
@@ -0,0 +1,7 @@
+type ssr, domain;
+type ssr_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(ssr)
+
+permissive ssr;
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..8099523
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1,4 @@
+# Grant GPU access to SurfaceFlinger
+allow surfaceflinger gpu_device:chr_file rw_file_perms;
+
+allow surfaceflinger sysfs_surfaceflinger:file rw_file_perms;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..a2abc2e
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,20 @@
+# Grant GPU access to system services (e.g., PowerManagerService)
+allow system_server gpu_device:chr_file rw_file_perms;
+
+# Grant access to Qualcomm MSM Interface (QMI) radio sockets to system services
+# (e.g., LocationManager)
+qmux_socket(system_server)
+
+# PowerManagerService access to sensors socket
+unix_socket_connect(system_server, sensors, sensors)
+unix_socket_send(system_server, sensors, sensors)
+allow system_server sensors:unix_stream_socket sendto;
+allow system_server sensors_socket:sock_file r_file_perms;
+
+# mpdecision socket access
+unix_socket_connect(system_server, mpdecision, mpdecision)
+unix_socket_send(system_server, mpdecision, mpdecision)
+allow system_server mpdecision:unix_stream_socket sendto;
+allow system_server mpdecision_socket:dir search;
+
+allow system_server self:netlink_socket create_socket_perms;
diff --git a/sepolicy/te_macros b/sepolicy/te_macros
new file mode 100644
index 0000000..68100e2
--- /dev/null
+++ b/sepolicy/te_macros
@@ -0,0 +1,13 @@
+#####################################
+# qmux_socket(clientdomain)
+# Allow client domain to connecto and send
+# via a local socket to the qmux domain.
+# Also allow the client domain to remove
+# its own socket.
+define(`qmux_socket', `
+type $1_qmuxd_socket, file_type;
+file_type_auto_trans($1, qmuxd_socket, $1_qmuxd_socket)
+allow $1 qmuxd_socket:dir remove_name;
+unix_socket_connect($1, qmuxd, qmux)
+allow qmux $1_qmuxd_socket:sock_file { getattr unlink };
+')
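Review bot: `qmux_socket` declares `type $1_qmuxd_socket, file_type;` on every expansion, so invoking it twice for the same client domain would produce a duplicate type declaration and break the policy build; the header comment should state that the macro may be used at most once per domain. The header also has a typo, `connecto` for `connect to`, and could name the per-client type it creates so readers of app.te understand where `rild_qmuxd_socket` comes from.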
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
new file mode 100644
index 0000000..4535f6d
--- /dev/null
+++ b/sepolicy/tee.te
@@ -0,0 +1,11 @@
+# /data/misc/playready labeling
+type_transition tee system_data_file:dir drm_data_file;
+
+# Access /data/misc/playready
+allow tee system_data_file:dir ra_dir_perms;
+allow tee drm_data_file:dir create_dir_perms;
+allow tee drm_data_file:file create_file_perms;
+
+# Read from persist partition
+allow tee persist_file:dir search;
+r_dir_file(tee, persist_data_file)
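Review bot: `type_transition tee system_data_file:dir drm_data_file;` relabels every directory tee creates under a system_data_file parent, not only /data/misc/playready as the comment above it says. camera.te in this same change already relies on name-based transitions, so the kernel supports `type_transition tee system_data_file:dir drm_data_file "playready";`, which restricts the rule to that directory and keeps the comment truthful. If tee creates nothing else under /data the two forms are equivalent today, but the named form does not depend on that staying true.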
diff --git a/sepolicy/thermald.te b/sepolicy/thermald.te
new file mode 100644
index 0000000..428545c
--- /dev/null
+++ b/sepolicy/thermald.te
@@ -0,0 +1,37 @@
+# Temperature sensor daemon (root process)
+type thermald, domain;
+type thermald_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(thermald)
+
+permissive thermald;
+
+allow thermald self:socket create_socket_perms;
+
+# CPU hotplug uevent
+allow thermald self:netlink_kobject_uevent_socket { create setopt bind read };
+allow thermald self:capability net_admin;
+
+# Talk to qmuxd (/dev/socket/qmux_radio)
+qmux_socket(thermald)
+
+# Access shared logger (/dev/smem_log) and diagnostic logger (/dev/diag)
+allow thermald { shared_log_device diag_device }:chr_file rw_file_perms;
+
+# Access /sys/devices/system/cpu/
+allow thermald sysfs_devices_system_cpu:file rw_file_perms;
+
+# Some files in /sys/devices/system/cpu may pop in and out of existance,
+# defeating our attempt to label them. As a result, they could have the
+# sysfs label, not the sysfs_devices_system_cpu label.
+# Allow write access for now until we figure out a better solution.
+# For example, the following files pop in and out of existance:
+# /sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_min_freq
+# /sys/devices/system/cpu/cpu1/cpufreq/scaling_min_freq
+allow thermald sysfs:file write;
+
+# Create and access to /dev/socket/thermal-.*
+type_transition thermald socket_device:sock_file thermald_socket;
+allow thermald socket_device:dir w_dir_perms;
+allow thermald thermald_socket:sock_file create_file_perms;
diff --git a/sepolicy/time.te b/sepolicy/time.te
new file mode 100644
index 0000000..a1522c8
--- /dev/null
+++ b/sepolicy/time.te
@@ -0,0 +1,19 @@
+type time, domain;
+type time_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(time)
+
+# Is r_file_perms sufficient for /dev/rtc0 ?
+allow time rtc:chr_file rw_file_perms;
+
+allow time time_data_file:dir rw_dir_perms;
+allow time time_data_file:file create_file_perms;
+
+allow time shared_log_device:chr_file rw_file_perms;
+allow time alarm_device:chr_file rw_file_perms;
+allow time self:socket *;
+
+allow time self:capability { setuid setgid };
+
+permissive time;
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
index f224810..ca386db 100644
--- a/sepolicy/ueventd.te
+++ b/sepolicy/ueventd.te
@@ -1,2 +1,3 @@
-allow ueventd firmware_file:dir r_dir_perms;
-allow ueventd firmware_file:file r_file_perms;
+allow ueventd { firmware_file wifi_data_file }:dir r_dir_perms;
+allow ueventd { firmware_file wifi_data_file }:file r_file_perms;
+allow ueventd sysfs_smdcntl_open_timeout:file setattr;
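Review bot: The new wifi_data_file grants in `allow ueventd { firmware_file wifi_data_file }:dir r_dir_perms;` and the matching file rule carry no comment explaining why ueventd, which otherwise only reads firmware_file here, needs to read WLAN data files; presumably a firmware or NV blob is loaded from under /data/misc/wifi — confirm. Record the reason, e.g. `# WLAN firmware/NV image is loaded from wifi_data_file`, and similarly note what `setattr` on sysfs_smdcntl_open_timeout is for, which I take to be ueventd applying ownership or mode to the node at creation.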
diff --git a/sepolicy/vss.te b/sepolicy/vss.te
new file mode 100644
index 0000000..fdbe5dd
--- /dev/null
+++ b/sepolicy/vss.te
@@ -0,0 +1,7 @@
+type vss, domain;
+type vss_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(vss)
+
+permissive vss;