authorMichael Bestas <mikeioannina@gmail.com>2017-01-02 02:00:30 +0200
committerMichael Bestas <mikeioannina@gmail.com>2017-01-02 02:00:30 +0200
commit988a518c3bb62890100950d5b83485f9e3467e4a (patch)
tree6cc5a32a6fcb9fd2691fc3f9f6e11de476f0a58b
parentd9d06c2c5b83dd352d6158e547bda89fcc247649 (diff)
parent625c892b5557fbeb9fbf8a779b993dda843ae180 (diff)
Merge tag 'LA.UM.5.5.r1-02200-8x96.0' of https://source.codeaurora.org/quic/la/device/qcom/sepolicy into cm-14.1staging/cm-14.1-cafrebase
"LA.UM.5.5.r1-02200-8x96.0" Change-Id: Ib0496c25c7a1dc2ea988f219c0ba12d0eda6623c
-rw-r--r--common/bluetooth.te5
-rw-r--r--common/dataservice_app.te1
-rw-r--r--common/device.te3
-rw-r--r--common/file.te3
-rw-r--r--common/file_contexts4
-rw-r--r--common/init.te3
-rw-r--r--common/init_shell.te3
-rwxr-xr-xcommon/mmi.te2
-rw-r--r--common/nqnfcinfo.te39
-rwxr-xr-xcommon/property.te4
-rwxr-xr-xcommon/property_contexts3
-rwxr-xr-x[-rw-r--r--]common/qcomsysd.te3
-rw-r--r--common/qseecomd.te3
-rw-r--r--common/recovery.te6
-rw-r--r--common/rfs_access.te1
-rw-r--r--common/rmt_storage.te2
-rw-r--r--common/system_server.te2
-rw-r--r--common/wcnss_filter.te4
-rw-r--r--common/wfdservice.te3
-rw-r--r--msm8952/mediaserver.te1
-rw-r--r--msm8992/file_contexts2
-rw-r--r--msm8994/file_contexts2
-rw-r--r--msm8998/app.te30
-rw-r--r--msm8998/bootanim.te (renamed from msmcobalt/bootanim.te)0
-rw-r--r--msm8998/device.te (renamed from msmcobalt/device.te)0
-rw-r--r--msm8998/file.te (renamed from msmcobalt/file.te)6
-rw-r--r--msm8998/file_contexts (renamed from msmcobalt/file_contexts)21
-rw-r--r--msm8998/idmap.te (renamed from msmcobalt/idmap.te)0
-rw-r--r--msm8998/init-qcom-fbe-sh.te36
-rw-r--r--msm8998/init_shell.te (renamed from msmcobalt/init_shell.te)3
-rw-r--r--msm8998/mm-qcamerad.te29
-rw-r--r--msm8998/platform_app.te (renamed from msmcobalt/platform_app.te)0
-rw-r--r--msm8998/priv_app.te (renamed from msmcobalt/priv_app.te)0
-rw-r--r--msm8998/property.te29
-rw-r--r--msm8998/property_contexts28
-rw-r--r--msm8998/qseecomd.te (renamed from msmcobalt/qseecomd.te)0
-rw-r--r--msm8998/qti-logkit.te (renamed from msmcobalt/qti-logkit.te)0
-rw-r--r--msm8998/qvop.te (renamed from msmcobalt/qvop.te)0
-rw-r--r--msm8998/qvrd.te99
-rw-r--r--msm8998/recovery.te (renamed from msmcobalt/recovery.te)0
-rw-r--r--msm8998/ridl.te (renamed from msmcobalt/ridl.te)0
-rw-r--r--msm8998/service.te (renamed from msmcobalt/service.te)0
-rw-r--r--msm8998/service_contexts (renamed from msmcobalt/service_contexts)0
-rw-r--r--msm8998/surfaceflinger.te (renamed from msmcobalt/surfaceflinger.te)0
-rw-r--r--msm8998/system_app.te (renamed from msmcobalt/system_app.te)0
-rw-r--r--msm8998/system_server.te (renamed from msmcobalt/system_server.te)0
-rw-r--r--msm8998/untrusted_app.te (renamed from msmcobalt/untrusted_app.te)0
-rw-r--r--msm8998/zygote.te (renamed from msmcobalt/zygote.te)0
48 files changed, 373 insertions, 7 deletions
diff --git a/common/bluetooth.te b/common/bluetooth.te
index ffe1ed90..eef36b8d 100644
--- a/common/bluetooth.te
+++ b/common/bluetooth.te
@@ -11,6 +11,10 @@ type btsnoop, bluetoothdomain, domain_deprecated;
type btsnoop_exec, exec_type, file_type;
domain_auto_trans(init, btsnoop_exec, bluetooth)
+type bt_logger, bluetoothdomain;
+type bt_logger_exec, exec_type, file_type;
+domain_auto_trans(init, bt_logger_exec, bluetooth)
+
type btnvtool, bluetoothdomain, domain_deprecated;
type btnvtool_exec, exec_type, file_type;
domain_auto_trans(init, btnvtool_exec, bluetooth)
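Review bot: The new `bt_logger` type is never used as a process domain, because `domain_auto_trans(init, bt_logger_exec, bluetooth)` sends the binary into the existing `bluetooth` domain. The logger therefore runs with every permission `bluetooth` holds, including the `rw_file_perms` on `serial_device`, `smd_device` and the newly added `bt_device` in the next hunk of this file. This copies the btsnoop pattern just above it, but a logging helper is a good candidate for its own domain: `init_daemon_domain(bt_logger)` plus only the rules it needs. If sharing the domain is intentional, a comment such as `# bt_logger deliberately runs as bluetooth; the bt_logger type is only a label` would keep the unused type from misleading a later audit.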
@@ -37,6 +41,7 @@ allow bluetooth {
serial_device
#BT needes read and write on smd device node
smd_device
+ bt_device
}:chr_file rw_file_perms;
#Access to persist_file
diff --git a/common/dataservice_app.te b/common/dataservice_app.te
index 36056c17..140f0363 100644
--- a/common/dataservice_app.te
+++ b/common/dataservice_app.te
@@ -33,6 +33,7 @@ net_domain(dataservice_app)
allow dataservice_app { qtitetherservice_service dpmservice cne_service } :service_manager { add find } ;
allow dataservice_app { app_api_service system_api_service audioserver_service radio_service } :service_manager find;
+set_prop(dataservice_app, persist_dpm_prop)
set_prop(dataservice_app, sys_usb_tethering_prop)
diff --git a/common/device.te b/common/device.te
index 362be377..22179749 100644
--- a/common/device.te
+++ b/common/device.te
@@ -138,3 +138,6 @@ type avtimer_device, dev_type;
#define AT device
type at_device, dev_type;
+
+#define Bluetooth device
+type bt_device, dev_type;
diff --git a/common/file.te b/common/file.te
index 2d31a6d4..b2290e7e 100644
--- a/common/file.te
+++ b/common/file.te
@@ -206,3 +206,6 @@ type persist_time_file, file_type;
# kgsl file type for sysfs access
type sysfs_kgsl, sysfs_type, fs_type;
+
+# secure touch files
+type sysfs_securetouch, fs_type, sysfs_type;
diff --git a/common/file_contexts b/common/file_contexts
index b0bb68b6..fb1e296b 100644
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -10,6 +10,7 @@
/dev/bhi u:object_r:bhi_device:s0
/dev/msm_.* u:object_r:audio_device:s0
/dev/i2c-6 u:object_r:audio_device:s0
+/dev/wcd_dsp0_control u:object_r:audio_device:s0
/dev/wcd-dsp-glink u:object_r:audio_device:s0
/dev/usf1 u:object_r:usf_device:s0
/dev/msm_dsps u:object_r:sensors_device:s0
@@ -25,6 +26,7 @@
/dev/qsee_ipc_irq_spss u:object_r:qsee_ipc_irq_spss_device:s0
/dev/seemplog u:object_r:seemplog_device:s0
/dev/radio0 u:object_r:fm_radio_device:s0
+/dev/btpower u:object_r:bt_device:s0
/dev/rtc0 u:object_r:rtc_device:s0
/dev/sdsprpc-smd u:object_r:dsp_device:s0
/dev/sensors u:object_r:sensors_device:s0
@@ -135,6 +137,7 @@
/system/bin/ATFWD-daemon u:object_r:atfwd_exec:s0
/system/bin/PktRspTest u:object_r:diag_exec:s0
/system/bin/audiod u:object_r:audiod_exec:s0
+/system/vendor/bin/nqnfcinfo u:object_r:nqnfcinfo_exec:s0
/system/bin/charger_monitor u:object_r:charger_monitor_exec:s0
/system/bin/hvdcp_opti u:object_r:hvdcp_exec:s0
/system/bin/cnd u:object_r:cnd_exec:s0
@@ -231,6 +234,7 @@
/system/bin/sapd u:object_r:sapd_exec:s0
/system/bin/btnvtool u:object_r:btnvtool_exec:s0
/system/bin/btsnoop u:object_r:btsnoop_exec:s0
+/system/bin/bt_logger u:object_r:bt_logger_exec:s0
/system/bin/dun-server u:object_r:dun-server_exec:s0
/system/bin/wfdservice u:object_r:wfdservice_exec:s0
/system/bin/wcnss_filter u:object_r:wcnss_filter_exec:s0
diff --git a/common/init.te b/common/init.te
index 6cde24b0..772e5fe4 100644
--- a/common/init.te
+++ b/common/init.te
@@ -31,3 +31,6 @@ allow init configfs:lnk_file create_file_perms;
#Allow init to mount non-hlos partitions in A/B builds
allow init firmware_file:dir { mounton };
allow init bt_firmware_file:dir { mounton };
+
+#dontaudit non configfs usb denials
+dontaudit init sysfs:dir write;
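Review bot: `dontaudit init sysfs:dir write;` silences every denied directory write by init on the generic `sysfs` label, although the comment only talks about USB on non-configfs targets. The access is still denied, but the AVC record disappears too, so an unexpected init write elsewhere under /sys would no longer appear in the audit log. Giving the USB gadget sysfs directory its own type and putting the `dontaudit` on that type keeps the noise reduction without losing visibility. If the broad rule stays, the comment should say so, e.g. `# NOTE: hides all init sysfs:dir write denials, not only USB`.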
diff --git a/common/init_shell.te b/common/init_shell.te
index 487caf05..22dc2769 100644
--- a/common/init_shell.te
+++ b/common/init_shell.te
@@ -160,6 +160,9 @@ allow qti_init_shell kernel:key search;
# To change owner of /sys/devices/virtual/hsicctl/hsicctl0/modem_wait to radio
allow qti_init_shell sysfs_hsic_modem_wait:file { r_file_perms setattr };
+# To change owner/permissions of secure touch sysfs files
+r_dir_file(qti_init_shell, sysfs_securetouch)
+
# core-ctl
allow qti_init_shell cgroup:dir add_name;
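Review bot: The added comment says the rule is for changing owner and permissions of the secure touch files, but `r_dir_file(qti_init_shell, sysfs_securetouch)` grants read access only. The rule directly above it for `sysfs_hsic_modem_wait` adds `setattr` for the same purpose, so a chown or chmod here would presumably be denied. The rule should either read `allow qti_init_shell sysfs_securetouch:file { r_file_perms setattr };`, or the comment should be reworded to describe read access. Whichever is intended, comment and rule should agree so the grant can be audited against its stated purpose.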
diff --git a/common/mmi.te b/common/mmi.te
index 3fedc290..417f6009 100755
--- a/common/mmi.te
+++ b/common/mmi.te
@@ -61,6 +61,8 @@ allow mmi bluetooth_data_file:dir rw_dir_perms;
allow mmi bluetooth_data_file:file create_file_perms;
allow mmi bluetooth_prop:property_service set;
allow mmi smd_device:chr_file rw_file_perms;
+allow mmi persist_bluetooth_file:file r_file_perms;
+allow mmi wcnss_filter:unix_stream_socket connectto;
#GPS case
allow mmi location_data_file:fifo_file create_file_perms;
diff --git a/common/nqnfcinfo.te b/common/nqnfcinfo.te
new file mode 100644
index 00000000..3efc94c3
--- /dev/null
+++ b/common/nqnfcinfo.te
@@ -0,0 +1,39 @@
+#Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+#Redistribution and use in source and binary forms, with or without
+#modification, are permitted provided that the following conditions are
+#met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type nqnfcinfo, domain;
+type nqnfcinfo_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(nqnfcinfo)
+
+r_dir_file(nqnfcinfo, sysfs_socinfo);
+
+set_prop(nqnfcinfo, nfc_nq_prop);
+
+# Access device nodes inside /dev/nq-nci
+allow nqnfcinfo nfc_device:chr_file rw_file_perms;
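Review bot: The only device rule in this new domain, `allow nqnfcinfo nfc_device:chr_file rw_file_perms;`, gives full read/write on the NFC controller node to what looks like a chip-information helper. The other rules only read socinfo and set `nfc_nq_prop`. If the helper does need to write commands to the controller, a comment saying so would justify the grant, for example `# writes a query to the controller to read chip/firmware version`; otherwise `r_file_perms` plus the required ioctl would be tighter. The trailing semicolons after `r_dir_file(...)` and `set_prop(...)` are also inconsistent with `init_daemon_domain(nqnfcinfo)` in the same file.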
diff --git a/common/property.te b/common/property.te
index c3032b10..5ae8f71e 100755
--- a/common/property.te
+++ b/common/property.te
@@ -72,6 +72,8 @@ type sys_usb_configfs_prop, property_type;
type sys_usb_tethering_prop, property_type;
type coresight_prop, property_type, core_property_type;
+type persist_dpm_prop, property_type, core_property_type;
+
type ctl_hbtp_prop, property_type;
type alarm_boot_prop, property_type, core_property_type;
@@ -95,3 +97,5 @@ type hwui_prop, property_type, core_property_type;
type graphics_vulkan_prop, property_type, core_property_type;
#boot mode property
type boot_mode_prop, property_type;
+#properties for nfc
+type nfc_nq_prop, property_type, core_property_type;
diff --git a/common/property_contexts b/common/property_contexts
index bbaf87b4..5d457153 100755
--- a/common/property_contexts
+++ b/common/property_contexts
@@ -68,6 +68,7 @@ qemu.hw.mainkeys u:object_r:qemu_hw_mainkeys_prop:s0
ro.dbg.coresight.cfg_file u:object_r:coresight_prop:s0
ctl.hbtp u:object_r:ctl_hbtp_prop:s0
sys.audio.init u:object_r:audio_prop:s0
+persist.dpm.feature u:object_r:persist_dpm_prop:s0
ro.alarm_boot u:object_r:alarm_boot_prop:s0
debug.sf.nobootanimation u:object_r:boot_animation_prop:s0
debug.gralloc. u:object_r:debug_gralloc_prop:s0
@@ -88,3 +89,5 @@ persist.graphics.vulkan.disable u:object_r:graphics_vulkan_prop:s0
sys.boot_mode u:object_r:boot_mode_prop:s0
# GPU
ro.gpu.available_frequencies u:object_r:freq_prop:s0
+# NFC
+sys.nfc.nq. u:object_r:nfc_nq_prop:s0
diff --git a/common/qcomsysd.te b/common/qcomsysd.te
index c1257cb8..d9edea1f 100644..100755
--- a/common/qcomsysd.te
+++ b/common/qcomsysd.te
@@ -21,9 +21,10 @@ allow qcomsysd sysfs_socinfo:file w_file_perms;
allow qcomsysd self:capability { dac_override sys_boot };
use_per_mgr(qcomsysd);
#allow qcomsysd access boot mode switch
-allow qcomsysd boot_mode_prop:property_service set;
+set_prop(qcomsysd, boot_mode_prop);
#diag
userdebug_or_eng(`
diag_use(qcomsysd)
+ allow qcomsysd sysfs:file w_file_perms;
')
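Review bot: `allow qcomsysd sysfs:file w_file_perms;` grants write to every file carrying the generic `sysfs` label, and the context line above shows qcomsysd already holds `dac_override`, so file modes would not limit it either. The rule is confined to `userdebug_or_eng`, but those builds are what most testing runs on, and such a broad write grant can mask a missing label that would then fail on user builds. Labelling the specific node qcomsysd writes with a dedicated type and allowing only that type keeps debug and user policy closer together. At minimum a comment naming the sysfs path would help, since the grant sits under the `#diag` heading with no explanation.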
diff --git a/common/qseecomd.te b/common/qseecomd.te
index a2118202..8e2f8955 100644
--- a/common/qseecomd.te
+++ b/common/qseecomd.te
@@ -47,6 +47,9 @@ allow tee time_daemon:unix_stream_socket connectto;
allow tee graphics_device:dir r_dir_perms;
allow tee graphics_device:chr_file r_file_perms;
+#allow tee access for secure touch to work
+allow tee sysfs_securetouch:file rw_file_perms;
+
allow tee surfaceflinger_service : service_manager find;
binder_call(tee, surfaceflinger)
diff --git a/common/recovery.te b/common/recovery.te
index 210c4050..c5b2c0ec 100644
--- a/common/recovery.te
+++ b/common/recovery.te
@@ -17,4 +17,10 @@ recovery_only(`
allow recovery sg_device:chr_file rw_file_perms;
allow recovery self:capability sys_rawio;
allow recovery sg_device:chr_file ioctl;
+ # Enable adb on configfs devices
+ allow recovery configfs:file rw_file_perms;
+ allow recovery configfs:dir rw_dir_perms;
+ set_prop(recovery, ffs_prop);
+ get_prop(recovery, sys_usb_controller_prop);
+ get_prop(recovery, boot_mode_prop);
')
diff --git a/common/rfs_access.te b/common/rfs_access.te
index 318fffc1..629f9e46 100644
--- a/common/rfs_access.te
+++ b/common/rfs_access.te
@@ -54,7 +54,6 @@ allow rfs_access self:capability {
setgid
setpcap
net_bind_service
- net_raw
};
# RFS UID and GIDs were changed and moved from old values to new ones OEM range.
diff --git a/common/rmt_storage.te b/common/rmt_storage.te
index f043becc..56f6f928 100644
--- a/common/rmt_storage.te
+++ b/common/rmt_storage.te
@@ -17,9 +17,7 @@ allow rmt_storage self:capability {
setuid
setgid
sys_admin
- dac_override
net_bind_service
- net_raw
setpcap
};
diff --git a/common/system_server.te b/common/system_server.te
index f77d8a71..d95864c3 100644
--- a/common/system_server.te
+++ b/common/system_server.te
@@ -87,6 +87,8 @@ allow system_server {
graphics_device
audio_device
tee_device
+ #allow access to power control ANT chip
+ bt_device
}:chr_file rw_file_perms;
#For firmware
diff --git a/common/wcnss_filter.te b/common/wcnss_filter.te
index 7d84a76e..41045f60 100644
--- a/common/wcnss_filter.te
+++ b/common/wcnss_filter.te
@@ -50,6 +50,10 @@ r_dir_file(wcnss_filter, bt_firmware_file)
allow wcnss_filter bluetooth_data_file:dir create_dir_perms;
allow wcnss_filter bluetooth_data_file:notdevfile_class_set create_file_perms;
+allow wcnss_filter persist_bluetooth_file:dir r_dir_perms;
+allow wcnss_filter persist_bluetooth_file:file r_file_perms;
+allow wcnss_filter persist_file:dir r_dir_perms;
+
#diag
userdebug_or_eng(`
diag_use(wcnss_filter)
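Review bot: `allow wcnss_filter persist_file:dir r_dir_perms;` lets the daemon list the top-level persist directory, when reaching the `persist_bluetooth_file` subdirectory should only need traversal. `allow wcnss_filter persist_file:dir search;` would be the least-privilege form. The same pattern appears as `allow qvrd persist_file:dir r_dir_perms;` in the new msm8998/qvrd.te. The `userdebug_or_eng` block at the end of this hunk continues outside it.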
diff --git a/common/wfdservice.te b/common/wfdservice.te
index 276e2e15..1514e055 100644
--- a/common/wfdservice.te
+++ b/common/wfdservice.te
@@ -39,6 +39,9 @@ allow wfdservice audio_device:dir r_dir_perms;
#Allow access to /dev/graphics/fb* for screen capture
allow wfdservice graphics_device:chr_file rw_file_perms;
+#Allow access to encoder for YUV statistics
+allow wfdservice gpu_device:chr_file rw_file_perms;
+
#Allow communication with init over property server
unix_socket_connect(wfdservice, property, init);
diff --git a/msm8952/mediaserver.te b/msm8952/mediaserver.te
index 5bd54323..f642e817 100644
--- a/msm8952/mediaserver.te
+++ b/msm8952/mediaserver.te
@@ -30,3 +30,4 @@ allow mediaserver media_msm8956hw_prop:file r_file_perms;
allow mediaserver media_settings_xml_prop:file r_file_perms;
allow mediaserver seempd:unix_dgram_socket sendto;
allow mediaserver seempdw_socket:sock_file write;
+allow mediaserver media_msm8956_version_prop:file r_file_perms;
diff --git a/msm8992/file_contexts b/msm8992/file_contexts
index 841a6c61..00fbce29 100644
--- a/msm8992/file_contexts
+++ b/msm8992/file_contexts
@@ -37,7 +37,7 @@
/dev/block/platform/soc\.0/f9824900\.sdhci/by-name/boot u:object_r:boot_block_device:s0
/dev/block/platform/soc\.0/f9824900\.sdhci/by-name/recovery u:object_r:recovery_block_device:s0
/dev/block/platform/soc\.0/f9824900\.sdhci/by-name/cache u:object_r:cache_block_device:s0
-/dev/block/platform/soc\.0/f9824900\.sdhci/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/platform/soc\.0/f9824900\.sdhci/by-name/config u:object_r:frp_block_device:s0
/dev/block/platform/soc\.0/f9824900\.sdhci/by-name/logdump u:object_r:logdump_partition:s0
/dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0
/dev/block/mmcblk0 u:object_r:root_block_device:s0
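Review bot: The `by-name/frp` entry is replaced rather than supplemented, so `frp_block_device` now applies only to a partition named `config`. Any device built from this tree that still names the partition `frp` would fall back to the default block-device label, and the factory-reset-protection data path would presumably be denied. If both layouts exist in the field, keeping both lines is the safer choice. The identical change in msm8994/file_contexts has the same consequence. A short comment above the line, such as `# FRP data lives in the "config" partition on this target`, would also explain why the path and label names differ.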
diff --git a/msm8994/file_contexts b/msm8994/file_contexts
index 2957d5de..436b659c 100644
--- a/msm8994/file_contexts
+++ b/msm8994/file_contexts
@@ -57,5 +57,5 @@
/dev/block/platform/soc\.0/f9824900\.sdhci/by-name/boot u:object_r:boot_block_device:s0
/dev/block/platform/soc\.0/f9824900\.sdhci/by-name/recovery u:object_r:recovery_block_device:s0
/dev/block/platform/soc\.0/f9824900\.sdhci/by-name/cache u:object_r:cache_block_device:s0
-/dev/block/platform/soc\.0/f9824900\.sdhci/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/platform/soc\.0/f9824900\.sdhci/by-name/config u:object_r:frp_block_device:s0
/dev/block/platform/soc\.0/f9824900\.sdhci/by-name/logdump u:object_r:logdump_partition:s0
diff --git a/msm8998/app.te b/msm8998/app.te
new file mode 100644
index 00000000..9893883f
--- /dev/null
+++ b/msm8998/app.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Allow all apps to connect to VR service
+allow appdomain qvrd:fd use;
+unix_socket_connect(appdomain, qvrd, qvrd)
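Review bot: `unix_socket_connect(appdomain, qvrd, qvrd)` together with `allow appdomain qvrd:fd use;` opens the qvrd socket to every app domain, which includes untrusted and isolated apps. The daemon behind that socket is declared `mlstrustedsubject` in msm8998/qvrd.te, and it holds read/write on the GPU, video, camera and sensor device nodes plus `setsched` over `appdomain`. Its socket type in msm8998/file.te is `mlstrustedobject`. That makes qvrd's message parser a privileged attack surface reachable from any installed app. Unless the VR client API really must be open to all apps, the grant should be limited to the domains that host VR clients, or at least exclude the sandboxed ones with `{ appdomain -isolated_app }`, with a comment stating what authentication qvrd performs on connecting peers.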
diff --git a/msmcobalt/bootanim.te b/msm8998/bootanim.te
index 51701259..51701259 100644
--- a/msmcobalt/bootanim.te
+++ b/msm8998/bootanim.te
diff --git a/msmcobalt/device.te b/msm8998/device.te
index 66dd4e50..66dd4e50 100644
--- a/msmcobalt/device.te
+++ b/msm8998/device.te
diff --git a/msmcobalt/file.te b/msm8998/file.te
index 7679b9d9..b6d287ab 100644
--- a/msmcobalt/file.te
+++ b/msm8998/file.te
@@ -29,4 +29,8 @@
type sysfs_emmc_dload, sysfs_type, fs_type;
# Data type for QVOP
-type qvop_data_file, file_type, data_file_type; \ No newline at end of file
+type qvop_data_file, file_type, data_file_type;
+
+# Data type for qvrd
+type qvrd_data_file, file_type, data_file_type;
+type qvrd_socket, file_type, mlstrustedobject;
diff --git a/msmcobalt/file_contexts b/msm8998/file_contexts
index f842623a..05fc2c62 100644
--- a/msmcobalt/file_contexts
+++ b/msm8998/file_contexts
@@ -42,21 +42,42 @@
/dev/block/platform/soc/1da4000\.ufshc/by-name/msadp u:object_r:mba_debug_dev:s0
/dev/block/platform/soc/1da4000\.ufshc/by-name/recovery u:object_r:recovery_block_device:s0
/dev/block/platform/soc/1da4000\.ufshc/by-name/cache u:object_r:cache_block_device:s0
+/dev/block/platform/soc/1da4000\.ufshc/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/platform/soc/1da4000\.ufshc/by-name/mdtp u:object_r:mdtp_device:s0
+/dev/block/platform/soc/1da4000\.ufshc/by-name/dip u:object_r:dip_device:s0
#rawdump partition
/dev/block/platform/soc/1da4000\.ufshc/by-name/rawdump u:object_r:rawdump_block_device:s0
/sys/kernel/dload/emmc_dload u:object_r:sysfs_emmc_dload:s0
###################################
+# Dev socket nodes
+#
+/dev/socket/qvrservice u:object_r:qvrd_socket:s0
+
+###################################
# System files
#
/system/bin/qvop-daemon u:object_r:qvop_exec:s0
+/system/vendor/bin/qvrservice u:object_r:qvrd_exec:s0
+
###################################
# data files
#
/data/misc/qvop(/.*)? u:object_r:qvop_data_file:s0
+/data/misc/qvr(/.*)? u:object_r:qvrd_data_file:s0
##################################
# non-hlos mount points
/firmware u:object_r:firmware_file:s0
/bt_firmware u:object_r:bt_firmware_file:s0
+
+##################################
+# FBE
+/system/bin/init.qcom.qseecomd.sh u:object_r:init-qcom-fbe-sh_exec:s0
+
+###################################
+# sysfs files
+#
+/sys/devices/soc/75ba000.i2c/i2c-12/12-0020/input/input[0-9]/secure_touch_enable u:object_r:sysfs_securetouch:s0
+/sys/devices/virtual/graphics/fb([0-3])+/lineptr_value u:object_r:sysfs_graphics:s0
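Review bot: Several of the added patterns are looser than the paths they are meant to match. The `.` in `75ba000.i2c` and in `init.qcom.qseecomd.sh` is unescaped, while the block-device entries above escape theirs as `1da4000\.ufshc`. `input[0-9]` stops matching once the input index reaches 10, which would leave `secure_touch_enable` on the generic sysfs label. `fb([0-3])+` also matches names like `fb13` or `fb333`. Suggested forms are `/sys/devices/soc/75ba000\.i2c/i2c-12/12-0020/input/input[0-9]+/secure_touch_enable`, `/sys/devices/virtual/graphics/fb[0-3]/lineptr_value` and `/system/bin/init\.qcom\.qseecomd\.sh`. Since `tee` gets write access through `sysfs_securetouch`, the label should land on exactly the intended node.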
diff --git a/msmcobalt/idmap.te b/msm8998/idmap.te
index 84b11e8f..84b11e8f 100644
--- a/msmcobalt/idmap.te
+++ b/msm8998/idmap.te
diff --git a/msm8998/init-qcom-fbe-sh.te b/msm8998/init-qcom-fbe-sh.te
new file mode 100644
index 00000000..2eba9da1
--- /dev/null
+++ b/msm8998/init-qcom-fbe-sh.te
@@ -0,0 +1,36 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type init-qcom-fbe-sh, domain;
+type init-qcom-fbe-sh_exec, exec_type, file_type;
+
+init_daemon_domain(init-qcom-fbe-sh)
+
+allow init-qcom-fbe-sh shell_exec:file rx_file_perms;
+
+# execute toybox/toolbox
+allow init-qcom-fbe-sh toolbox_exec:file rx_file_perms;
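Review bot: This new domain has no comment saying what the script does, and its name does not match the file it confines: msm8998/file_contexts labels `/system/bin/init.qcom.qseecomd.sh` as `init-qcom-fbe-sh_exec`. The rules only allow executing the shell and toolbox, so any real work the script does (setting a property, touching a file) is not visible here and is presumably either denied or granted elsewhere. A header comment along the lines of `# Domain for init.qcom.qseecomd.sh, run by init for file-based-encryption setup; it only execs sh/toolbox` would let an auditor check the domain against its purpose.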
diff --git a/msmcobalt/init_shell.te b/msm8998/init_shell.te
index 5f2ea564..ef747698 100644
--- a/msmcobalt/init_shell.te
+++ b/msm8998/init_shell.te
@@ -28,3 +28,6 @@
# For regionalization
allow qti_init_shell regionalization_file:dir r_dir_perms;
allow qti_init_shell regionalization_file:file create_file_perms;
+
+# For VR
+allow qti_init_shell ctl_qvrd_prop:property_service set;
diff --git a/msm8998/mm-qcamerad.te b/msm8998/mm-qcamerad.te
new file mode 100644
index 00000000..5e3ff470
--- /dev/null
+++ b/msm8998/mm-qcamerad.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Allow camera to work normally in VR mode
+binder_call(mm-qcamerad, qvrd)
diff --git a/msmcobalt/platform_app.te b/msm8998/platform_app.te
index 919f16f5..919f16f5 100644
--- a/msmcobalt/platform_app.te
+++ b/msm8998/platform_app.te
diff --git a/msmcobalt/priv_app.te b/msm8998/priv_app.te
index 203ed549..203ed549 100644
--- a/msmcobalt/priv_app.te
+++ b/msm8998/priv_app.te
diff --git a/msm8998/property.te b/msm8998/property.te
new file mode 100644
index 00000000..e317966c
--- /dev/null
+++ b/msm8998/property.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#properties for qvrd
+type ctl_qvrd_prop, property_type;
diff --git a/msm8998/property_contexts b/msm8998/property_contexts
new file mode 100644
index 00000000..9548ba89
--- /dev/null
+++ b/msm8998/property_contexts
@@ -0,0 +1,28 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+ctl.qvrd u:object_r:ctl_qvrd_prop:s0
diff --git a/msmcobalt/qseecomd.te b/msm8998/qseecomd.te
index 0e940c59..0e940c59 100644
--- a/msmcobalt/qseecomd.te
+++ b/msm8998/qseecomd.te
diff --git a/msmcobalt/qti-logkit.te b/msm8998/qti-logkit.te
index 725cf476..725cf476 100644
--- a/msmcobalt/qti-logkit.te
+++ b/msm8998/qti-logkit.te
diff --git a/msmcobalt/qvop.te b/msm8998/qvop.te
index ce69fa4d..ce69fa4d 100644
--- a/msmcobalt/qvop.te
+++ b/msm8998/qvop.te
diff --git a/msm8998/qvrd.te b/msm8998/qvrd.te
new file mode 100644
index 00000000..778ae61e
--- /dev/null
+++ b/msm8998/qvrd.te
@@ -0,0 +1,99 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type qvrd, domain, mlstrustedsubject;
+type qvrd_exec, exec_type, file_type;
+
+init_daemon_domain(qvrd)
+
+#
+# General
+#
+
+# Allow interracting with qvrd directory
+allow qvrd qvrd_data_file:dir create_dir_perms;
+allow qvrd qvrd_data_file:file create_file_perms;
+
+# Allow access to our socket
+allow qvrd qvrd_socket:sock_file rw_file_perms;
+
+#
+# Sensors
+#
+
+# Allow access to ADSP & SLPI
+allow qvrd { ion_device qdsp_device dsp_device }:chr_file r_file_perms;
+
+# Allow access to adsprpcd
+r_dir_file(qvrd, adsprpcd_file);
+allow qvrd system_file:dir read;
+
+#
+# Display
+#
+
+# Allow access to /sys/devices/virtual/graphics/fb* for lineptr interrupts
+allow qvrd sysfs_graphics:file rw_file_perms;
+
+# Allow access to /dev/graphics/fb0 for configuring vsync interrupts
+allow qvrd graphics_device:dir r_dir_perms;
+allow qvrd graphics_device:chr_file rw_file_perms;
+
+#
+# Scheduler
+#
+
+allow qvrd self:capability { sys_nice };
+userdebug_or_eng(`
+ allow qvrd su:process setsched;
+')
+allow qvrd appdomain:process setsched;
+
+#
+# Camera
+#
+
+# Allow access to camera HAL
+allow qvrd { gpu_device video_device camera_device sensors_device }:chr_file rw_file_perms;
+allow qvrd camera_data_file:dir rw_dir_perms;
+allow qvrd camera_data_file:sock_file w_file_perms;
+allow qvrd mm-qcamerad:unix_dgram_socket sendto;
+binder_use(qvrd)
+binder_call(qvrd, surfaceflinger);
+allow qvrd surfaceflinger_service:service_manager find;
+allow qvrd sysfs:file r_file_perms;
+
+# Allow access to /dev/video/* devices
+allow qvrd video_device:dir r_dir_perms;
+
+unix_socket_connect(qvrd, mpctl, perfd)
+
+# Allow access to sensor1 API
+allow qvrd self:socket create_socket_perms;
+allow qvrd persist_file:dir r_dir_perms;
+allow qvrd sensors_persist_file:dir r_dir_perms;
+allow qvrd sensors_persist_file:file r_file_perms;
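Review bot: `allow qvrd appdomain:process setsched;` lets the daemon change the scheduling policy of any app process, and `allow qvrd sysfs:file r_file_perms;` lets it read every file on the generic sysfs label. Neither rule carries a comment, and the second sits under the "camera HAL" heading. Because msm8998/app.te lets all apps connect to this daemon, each broad grant here adds to what a compromised or confused qvrd can do on behalf of an untrusted client. Limiting `setsched` to the domains that host VR clients and replacing the generic `sysfs` read with the specific labelled nodes would narrow that. The `mlstrustedsubject` attribute on the type and `allow qvrd system_file:dir read;` likewise deserve a one-line justification, e.g. `# needs to boost the render thread of the connected VR app`.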
diff --git a/msmcobalt/recovery.te b/msm8998/recovery.te
index ef6eb7b0..ef6eb7b0 100644
--- a/msmcobalt/recovery.te
+++ b/msm8998/recovery.te
diff --git a/msmcobalt/ridl.te b/msm8998/ridl.te
index 0147c26c..0147c26c 100644
--- a/msmcobalt/ridl.te
+++ b/msm8998/ridl.te
diff --git a/msmcobalt/service.te b/msm8998/service.te
index ad41b5fa..ad41b5fa 100644
--- a/msmcobalt/service.te
+++ b/msm8998/service.te
diff --git a/msmcobalt/service_contexts b/msm8998/service_contexts
index 20ab6358..20ab6358 100644
--- a/msmcobalt/service_contexts
+++ b/msm8998/service_contexts
diff --git a/msmcobalt/surfaceflinger.te b/msm8998/surfaceflinger.te
index ff6ea3d3..ff6ea3d3 100644
--- a/msmcobalt/surfaceflinger.te
+++ b/msm8998/surfaceflinger.te
diff --git a/msmcobalt/system_app.te b/msm8998/system_app.te
index d11659b6..d11659b6 100644
--- a/msmcobalt/system_app.te
+++ b/msm8998/system_app.te
diff --git a/msmcobalt/system_server.te b/msm8998/system_server.te
index 54c7faa6..54c7faa6 100644
--- a/msmcobalt/system_server.te
+++ b/msm8998/system_server.te
diff --git a/msmcobalt/untrusted_app.te b/msm8998/untrusted_app.te
index e8b029e1..e8b029e1 100644
--- a/msmcobalt/untrusted_app.te
+++ b/msm8998/untrusted_app.te
diff --git a/msmcobalt/zygote.te b/msm8998/zygote.te
index c8d772e4..c8d772e4 100644
--- a/msmcobalt/zygote.te
+++ b/msm8998/zygote.te