authordianlujitao <dianlujitao@lineageos.org>2020-02-20 21:35:33 +0800
committerMichael Bestas <mkbestas@lineageos.org>2020-04-30 00:49:34 +0300
commitc61ad40914bd6040877cb8ee3789c76bd893f607 (patch)
tree72b475632bb145c0c49eb800e6cab0de003294f3
parent7345a9725ca2a7269f8179457c80e385b50f00f3 (diff)
sdm660-common: Address SELinux denials and clean up
Change-Id: I997a268c9ce23eab80f1981293720e17d21bbb7a
-rw-r--r--rootdir/etc/init.qcom.post_boot.sh20
-rw-r--r--rootdir/etc/init.qcom.rc58
-rw-r--r--rootdir/etc/init.qcom.sensors.sh4
-rw-r--r--sepolicy/vendor/app.te3
-rw-r--r--sepolicy/vendor/file.te2
-rw-r--r--sepolicy/vendor/file_contexts36
-rw-r--r--sepolicy/vendor/genfs_contexts29
-rw-r--r--sepolicy/vendor/hal_audio_default.te1
-rw-r--r--sepolicy/vendor/hal_camera_default.te5
-rw-r--r--sepolicy/vendor/hal_fingerprint_sdm660.te42
-rw-r--r--sepolicy/vendor/hal_power_default.te1
-rw-r--r--sepolicy/vendor/hwservice.te1
-rw-r--r--sepolicy/vendor/hwservice_contexts14
-rw-r--r--sepolicy/vendor/property_contexts47
-rw-r--r--sepolicy/vendor/system_server.te2
-rw-r--r--sepolicy/vendor/thermal-engine.te1
-rw-r--r--sepolicy/vendor/vendor_init.te2
-rw-r--r--sepolicy/vendor/vndservice.te1
-rw-r--r--sepolicy/vendor/vndservice_contexts1
19 files changed, 136 insertions, 134 deletions
diff --git a/rootdir/etc/init.qcom.post_boot.sh b/rootdir/etc/init.qcom.post_boot.sh
index 8dd85a8..af9f424 100644
--- a/rootdir/etc/init.qcom.post_boot.sh
+++ b/rootdir/etc/init.qcom.post_boot.sh
@@ -5590,16 +5590,16 @@ if [ -f /sys/devices/soc0/select_image ]; then
fi
# Change console log level as per console config property
-console_config=`getprop persist.console.silent.config`
-case "$console_config" in
- "1")
- echo "Enable console config to $console_config"
- echo 0 > /proc/sys/kernel/printk
- ;;
- *)
- echo "Enable console config to $console_config"
- ;;
-esac
+# console_config=`getprop persist.console.silent.config`
+# case "$console_config" in
+# "1")
+# echo "Enable console config to $console_config"
+# echo 0 > /proc/sys/kernel/printk
+# ;;
+# *)
+# echo "Enable console config to $console_config"
+# ;;
+# esac
# Parse misc partition path and set property
misc_link=$(ls -l /dev/block/bootdevice/by-name/misc)
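Review bot: The console log-level block is disabled by prefixing every line with `#`, which leaves dead code in the script and no record of which denial prompted it. Deleting the lines would be cleaner; if they must stay for reference, put one line above them such as `# Disabled: reading persist.console.silent.config is denied for this script's domain`, assuming that is the reason. The same pattern recurs in every hunk of init.qcom.rc and in start_sensors() in init.qcom.sensors.sh. In the sensors script the commented-out `chmod`/`chown` mean ownership of /persist/sensors now has to be established somewhere else, which is worth confirming since nothing in this commit replaces it.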
diff --git a/rootdir/etc/init.qcom.rc b/rootdir/etc/init.qcom.rc
index 4eacd5e..fe328dd 100644
--- a/rootdir/etc/init.qcom.rc
+++ b/rootdir/etc/init.qcom.rc
@@ -476,12 +476,12 @@ on property:vendor.radio.atfwd.start=false
stop vendor.atfwd
# corefile limit
-on property:persist.debug.trace=1
- mkdir /data/core 0777 root root
- write /proc/sys/kernel/core_pattern "/data/core/%E.%p.%e"
+#on property:persist.debug.trace=1
+# mkdir /data/core 0777 root root
+# write /proc/sys/kernel/core_pattern "/data/core/%E.%p.%e"
-on property:init.svc.wpa_supplicant=stopped
- stop dhcpcd
+#on property:init.svc.wpa_supplicant=stopped
+# stop dhcpcd
on property:vendor.bluetooth.dun.status=running
start vendor.bt-dun
@@ -489,8 +489,8 @@ on property:vendor.bluetooth.dun.status=running
on property:vendor.bluetooth.dun.status=stopped
stop vendor.bt-dun
-on property:ro.bluetooth.ftm_enabled=true
- start ftmd
+#on property:ro.bluetooth.ftm_enabled=true
+# start ftmd
on property:vendor.bluetooth.startbtlogger=true
start vendor.bt_logger
@@ -516,8 +516,8 @@ on property:vold.decrypt=trigger_restart_framework
start qcom-c_main-sh
start wcnss-service
-on property:persist.env.fastdorm.enabled=true
- setprop persist.radio.data_no_toggle 1
+#on property:persist.env.fastdorm.enabled=true
+# setprop persist.radio.data_no_toggle 1
service vendor.qrtr-ns /vendor/bin/qrtr-ns -f
class core
@@ -581,8 +581,8 @@ service vendor.sensors.qti /vendor/bin/sensors.qti
# Adjust socket buffer to enlarge TCP receive window for high bandwidth
# but only if ro.data.large_tcp_window_size property is set.
-on property:ro.data.large_tcp_window_size=true
- write /proc/sys/net/ipv4/tcp_adv_win_scale 2
+#on property:ro.data.large_tcp_window_size=true
+# write /proc/sys/net/ipv4/tcp_adv_win_scale 2
on property:sys.sysctl.tcp_adv_win_scale=*
write /proc/sys/net/ipv4/tcp_adv_win_scale ${sys.sysctl.tcp_adv_win_scale}
@@ -749,9 +749,9 @@ service loc_launcher /system/vendor/bin/loc_launcher
user gps
group gps
-on property:crypto.driver.load=1
- insmod /system/lib/modules/qce.ko
- insmod /system/lib/modules/qcedev.ko
+#on property:crypto.driver.load=1
+# insmod /system/lib/modules/qce.ko
+# insmod /system/lib/modules/qcedev.ko
service drmdiag /system/vendor/bin/drmdiagapp
class late_start
@@ -759,11 +759,11 @@ service drmdiag /system/vendor/bin/drmdiagapp
disabled
oneshot
-on property:drmdiag.load=1
- start drmdiag
+#on property:drmdiag.load=1
+# start drmdiag
-on property:drmdiag.load=0
- stop drmdiag
+#on property:drmdiag.load=0
+# stop drmdiag
service qcom-sh /vendor/bin/init.qcom.sh
class late_start
@@ -845,12 +845,12 @@ service ims_regmanager /system/vendor/bin/exe-ims-regmanagerprocessnative
group net_bt_admin inet radio wifi
disabled
-on property:persist.ims.regmanager.mode=1
- start ims_regmanager
+#on property:persist.ims.regmanager.mode=1
+# start ims_regmanager
-on property:ro.data.large_tcp_window_size=true
- # Adjust socket buffer to enlarge TCP receive window for high bandwidth (e.g. DO-RevB)
- write /proc/sys/net/ipv4/tcp_adv_win_scale 2
+#on property:ro.data.large_tcp_window_size=true
+# # Adjust socket buffer to enlarge TCP receive window for high bandwidth (e.g. DO-RevB)
+# write /proc/sys/net/ipv4/tcp_adv_win_scale 2
service battery_monitor /system/bin/battery_monitor
user system
@@ -895,11 +895,11 @@ service hvdcp /system/bin/hvdcp
user root
disabled
-on property:persist.usb.hvdcp.detect=true
- start hvdcp
+#on property:persist.usb.hvdcp.detect=true
+# start hvdcp
-on property:persist.usb.hvdcp.detect=false
- stop hvdcp
+#on property:persist.usb.hvdcp.detect=false
+# stop hvdcp
service charger_monitor /system/bin/charger_monitor
user root
@@ -1012,8 +1012,8 @@ service logdumpd /system/bin/logcat -b all -v threadtime -D -w /dev/block/bootde
disabled
# Logdumpd is enabled only for userdebug non-perf build
-on property:ro.logdumpd.enabled=1
- start logdumpd
+#on property:ro.logdumpd.enabled=1
+# start logdumpd
service time_daemon /vendor/bin/time_daemon
class main
diff --git a/rootdir/etc/init.qcom.sensors.sh b/rootdir/etc/init.qcom.sensors.sh
index daf7de2..978324e 100644
--- a/rootdir/etc/init.qcom.sensors.sh
+++ b/rootdir/etc/init.qcom.sensors.sh
@@ -32,8 +32,8 @@
start_sensors()
{
- chmod -h 664 /persist/sensors/sensors_settings
- chown -h -R system.system /persist/sensors
+ # chmod -h 664 /persist/sensors/sensors_settings
+ # chown -h -R system.system /persist/sensors
start vendor.sensors.qti
# Only for SLPI
diff --git a/sepolicy/vendor/app.te b/sepolicy/vendor/app.te
index a2d8aa6..511cc3f 100644
--- a/sepolicy/vendor/app.te
+++ b/sepolicy/vendor/app.te
@@ -1,3 +1,2 @@
-# Allow appdomain to get vendor_camera_prop
-get_prop({ appdomain -isolated_app }, mlipay_prop)
get_prop({ appdomain -isolated_app }, hal_fingerprint_prop)
+get_prop({ appdomain -isolated_app }, mlipay_prop)
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index c9eeaf7..3901f9c 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -1,5 +1,5 @@
type debugfs_wlan, debugfs_type, fs_type;
type ir_dev_file, file_type;
type sysfs_touchpanel, fs_type, sysfs_type;
-type fingerprint_sysfs, fs_type, sysfs_type;
+type sysfs_fingerprint, fs_type, sysfs_type;
type thermal_data_file, file_type, data_file_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index bc1cbb6..616afd3 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -1,50 +1,26 @@
# Biometric
-/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_sdm660 u:object_r:hal_fingerprint_sdm660_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_sdm660 u:object_r:hal_fingerprint_sdm660_exec:s0
-# Fpc Fingerprint
-/sys/devices/soc/soc:fpc1020(/.*)? u:object_r:fingerprint_sysfs:s0
-
-# For Goodix fingerprint
-/dev/goodix_fp u:object_r:fingerprint_device:s0
-
-# Goodix Fingerprint data
+# Fingerprint
/data/gf_data(/.*)? u:object_r:fingerprintd_data_file:s0
-/data/misc/gf_data(/.*)? u:object_r:fingerprintd_data_file:s0
-/data/misc/goodix(/.*)? u:object_r:fingerprintd_data_file:s0
-/persist/data/gf* u:object_r:fingerprintd_data_file:s0
/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/data/vendor/gf_data(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+/dev/goodix_fp u:object_r:fingerprint_device:s0
# Firmware
-/firmware u:object_r:firmware_file:s0
-/bt_firmware u:object_r:bt_firmware_file:s0
-
-# Fpc Fingerprint data
-/persist/fpc(/.*)? u:object_r:fingerprintd_data_file:s0
-
-# HVDCP
-/sys/devices(/platform)?/soc/[a-z0-9]+\.i2c/i2c-[0-9]+/[0-9]+-[a-z0-9]+/[a-z0-9]+\.i2c:qcom,[a-z0-9]+@[a-z0-9]:qcom,smb[a-z0-9]+-parallel-slave@[0-9]+/power_supply/parallel(/.*)? u:object_r:sysfs_usb_supply:s0
+/firmware u:object_r:firmware_file:s0
+/bt_firmware u:object_r:bt_firmware_file:s0
# IR
/dev/lirc0 u:object_r:spidev_device:s0
/dev/spidev7.1 u:object_r:spidev_device:s0
-# Keylayout
-/vendor/usr/idc(/.*)? u:object_r:vendor_keylayout_file:s0
-/vendor/usr/keylayout(/.*)? u:object_r:vendor_keylayout_file:s0
-
# Light HAL
-/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_sdm660 u:object_r:hal_light_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_sdm660 u:object_r:hal_light_default_exec:s0
# Mlipay
/(vendor|system/vendor)/bin/mlipayd@1.1 u:object_r:hal_mlipay_default_exec:s0
-# Persist
-/persist/PRSensorData\.txt u:object_r:sensors_persist_file:s0
-
-# RTC
-/sys/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm660@0:qcom,pm660_rtc/rtc/rtc0(/.*)? u:object_r:sysfs_rtc:s0
-
# Thermal
/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
index d80c532..4589cfc 100644
--- a/sepolicy/vendor/genfs_contexts
+++ b/sepolicy/vendor/genfs_contexts
@@ -1,7 +1,26 @@
-genfscon sysfs /touchpanel u:object_r:sysfs_touchpanel:s0
-genfscon debugfs /wlan0 u:object_r:debugfs_wlan:s0
+# Battery
+genfscon sysfs /devices/soc/c176000.i2c/i2c-2/2-001d u:object_r:sysfs_battery_supply:s0
+
+# Fingerprint
+genfscon sysfs /devices/soc/soc:fingerprint_fpc/device_prepare u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/soc/soc:fingerprint_fpc/fingerdown_wait u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/soc/soc:fingerprint_fpc/irq_enable u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/soc/soc:fingerprint_fpc/wakeup_enable u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/soc/soc:fpc1020/device_prepare u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/soc/soc:fpc1020/fingerdown_wait u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/soc/soc:fpc1020/irq_enable u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/soc/soc:fpc1020/wakeup_enable u:object_r:sysfs_fingerprint:s0
# LED
-genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/button-backlight u:object_r:sysfs_graphics:s0
-genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/button-backlight1 u:object_r:sysfs_graphics:s0
-genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/button-backlight u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/button-backlight1 u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white u:object_r:sysfs_graphics:s0
+
+# Power
+genfscon debugfs /wlan0 u:object_r:debugfs_wlan:s0
+
+# RTC
+genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm660@0:qcom,pm660_rtc/rtc u:object_r:sysfs_rtc:s0
+
+# Touchpanel
+genfscon sysfs /touchpanel u:object_r:sysfs_touchpanel:s0
diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te
new file mode 100644
index 0000000..fb3a241
--- /dev/null
+++ b/sepolicy/vendor/hal_audio_default.te
@@ -0,0 +1 @@
+allow hal_audio_default sysfs:dir r_dir_perms;
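Review bot: `allow hal_audio_default sysfs:dir r_dir_perms;` lets the audio HAL list every directory that still carries the generic `sysfs` label, which is wider than a single denial normally calls for. The same rule is added for `thermal-engine` in thermal-engine.te. The path behind the denial is not visible on this page; if it is a fixed node, labelling it in genfs_contexts with a dedicated type (as this commit does for `sysfs_fingerprint`) and allowing only that type would keep the grant narrow. Failing that, a comment above each rule naming the denied path would let a later reader check whether it is still needed.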
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
deleted file mode 100644
index 34531cb..0000000
--- a/sepolicy/vendor/hal_camera_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-binder_call(hal_camera_default, hal_configstore_default)
-binder_call(hal_camera_default, hal_graphics_allocator_default)
-
-allow hal_camera_default sysfs:file { getattr open read };
-allow hal_camera_default sysfs_kgsl:file { getattr open read };
diff --git a/sepolicy/vendor/hal_fingerprint_sdm660.te b/sepolicy/vendor/hal_fingerprint_sdm660.te
index 6cef299..5809cfd 100644
--- a/sepolicy/vendor/hal_fingerprint_sdm660.te
+++ b/sepolicy/vendor/hal_fingerprint_sdm660.te
@@ -1,38 +1,30 @@
-type hal_fingerprint_sdm660, domain, binder_in_vendor_violators;
+type hal_fingerprint_sdm660, domain;
hal_server_domain(hal_fingerprint_sdm660, hal_fingerprint)
-
+
type hal_fingerprint_sdm660_exec, exec_type, vendor_file_type, file_type;
-typeattribute hal_fingerprint_sdm660 data_between_core_and_vendor_violators;
-binder_use(hal_fingerprint_sdm660)
init_daemon_domain(hal_fingerprint_sdm660)
-allow hal_fingerprint_sdm660 fingerprint_device:chr_file { read write open ioctl };
-allow hal_fingerprint_sdm660 { tee_device uhid_device }:chr_file { read write open ioctl };
+allow hal_fingerprint_sdm660 {
+ fingerprint_device
+ tee_device
+ uhid_device
+}:chr_file rw_file_perms;
+
+# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
+# hal_fingerprint no longer directly accesses fingerprintd_data_file.
+typeattribute hal_fingerprint_sdm660 data_between_core_and_vendor_violators;
+# access to /data/system/users/[0-9]+/fpdata
allow hal_fingerprint_sdm660 fingerprintd_data_file:dir rw_dir_perms;
allow hal_fingerprint_sdm660 fingerprintd_data_file:file create_file_perms;
-allow hal_fingerprint_sdm660 { fuse mnt_user_file storage_file }:dir search;
-allow hal_fingerprint_sdm660 { mnt_user_file storage_file }:lnk_file read;
-allow hal_fingerprint_sdm660 fingerprint_sysfs:dir r_dir_perms;
-allow hal_fingerprint_sdm660 fingerprint_sysfs:file rw_file_perms;
-allow hal_fingerprint_sdm660 hal_fingerprint_sdm660:netlink_socket { create bind write read };
+allow hal_fingerprint_sdm660 sysfs_fingerprint:file rw_file_perms;
-binder_call(hal_fingerprint_sdm660, vndservicemanager)
-binder_call(hal_fingerprint_sdm660, hal_perf_default)
+allow hal_fingerprint_sdm660 self:netlink_socket create_socket_perms_no_ioctl;
-binder_use(hal_fingerprint_sdm660)
+allow hal_fingerprint_sdm660 hal_perf_hwservice:hwservice_manager find;
+binder_call(hal_fingerprint_sdm660, hal_perf_default)
r_dir_file(hal_fingerprint_sdm660, firmware_file)
-
-add_service(hal_fingerprint_sdm660, goodixvnd_service)
-
-allow hal_fingerprint_sdm660 vndbinder_device:chr_file ioctl;
-
set_prop(hal_fingerprint_sdm660, hal_fingerprint_prop)
-vndbinder_use(hal_fingerprint_sdm660)
-
-dontaudit hal_fingerprint_sdm660 { media_rw_data_file sdcardfs}:dir search;
-dontaudit hal_fingerprint_sdm660 media_rw_data_file:dir { read open };
-dontaudit hal_fingerprint_sdm660 hal_perf_hwservice:hwservice_manager find;
-dontaudit hal_fingerprint_sdm660 hal_fingerprint_hwservice:hwservice_manager add;
+dontaudit hal_fingerprint_default storage_file:dir search;
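Review bot: The last added rule names `hal_fingerprint_default`, while every other rule in this file is written for `hal_fingerprint_sdm660`, so it looks like a typo. As written it hides `storage_file:dir search` denials for a different domain and leaves the sdm660 HAL's own denial logged; the intended line is presumably `dontaudit hal_fingerprint_sdm660 storage_file:dir search;`. A `dontaudit` on the wrong domain also makes later debugging of that domain harder, because its denials no longer reach the audit log.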
diff --git a/sepolicy/vendor/hal_power_default.te b/sepolicy/vendor/hal_power_default.te
index 6ecf0a0..d09d621 100644
--- a/sepolicy/vendor/hal_power_default.te
+++ b/sepolicy/vendor/hal_power_default.te
@@ -1,2 +1,3 @@
+allow hal_power_default sysfs_touchpanel:dir search;
allow hal_power_default sysfs_touchpanel:file rw_file_perms;
r_dir_file(hal_power_default, debugfs_wlan)
diff --git a/sepolicy/vendor/hwservice.te b/sepolicy/vendor/hwservice.te
index 6c299d1..158b6cc 100644
--- a/sepolicy/vendor/hwservice.te
+++ b/sepolicy/vendor/hwservice.te
@@ -1,2 +1 @@
-type goodixhw_service, hwservice_manager_type;
type hal_mlipay_hwservice, hwservice_manager_type;
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
index 1f1df2d..6ffb1fc 100644
--- a/sepolicy/vendor/hwservice_contexts
+++ b/sepolicy/vendor/hwservice_contexts
@@ -1,7 +1,7 @@
-vendor.goodix.hardware.fingerprint::IGoodixBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
-com.fingerprints.extension::IFingerprintEngineering u:object_r:hal_fingerprint_hwservice:s0
-com.fingerprints.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_hwservice:s0
-com.fingerprints.extension::IFingerprintNavigation u:object_r:hal_fingerprint_hwservice:s0
-com.fingerprints.extension::IFingerprintCalibration u:object_r:hal_fingerprint_hwservice:s0
-com.fingerprints.extension::IFingerprintSenseTouch u:object_r:hal_fingerprint_hwservice:s0
-vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0
+com.fingerprints.extension::IFingerprintCalibration u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintEngineering u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintNavigation u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintSenseTouch u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_hwservice:s0
+vendor.goodix.hardware.fingerprint::IGoodixBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
+vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
index c5212b1..617ac13 100644
--- a/sepolicy/vendor/property_contexts
+++ b/sepolicy/vendor/property_contexts
@@ -1,12 +1,35 @@
-persist.camera. u:object_r:camera_prop:s0
-ro.boot.fpsensor u:object_r:hal_fingerprint_prop:s0
-sys.fp.goodix u:object_r:hal_fingerprint_prop:s0
-sys.fp.vendor u:object_r:hal_fingerprint_prop:s0
-persist.sys.fp.info u:object_r:hal_fingerprint_prop:s0
-persist.vendor.sys.fp.vendor u:object_r:hal_fingerprint_prop:s0
-persist.vendor.sys.pay.fido u:object_r:mlipay_prop:s0
-persist.vendor.sys.pay.ifaa u:object_r:mlipay_prop:s0
-persist.vendor.sys.pay.soter u:object_r:mlipay_prop:s0
-persist.vendor.sys.provision.status u:object_r:mlipay_prop:s0
-persist.sys.thermal. u:object_r:thermal_engine_prop:s0
-sys.thermal. u:object_r:thermal_engine_prop:s0
+# Audio
+audio.sys.noisy.broadcast.delay u:object_r:vendor_default_prop:s0
+audio.sys.offload.pstimeout.secs u:object_r:vendor_default_prop:s0
+audio_hal.in_period_size u:object_r:vendor_default_prop:s0
+audio_hal.period_multiplier u:object_r:vendor_default_prop:s0
+persist.audio.fluence.voicecomm u:object_r:vendor_default_prop:s0
+
+# Camera
+cameradaemon.SaveMemAtBoot u:object_r:vendor_default_prop:s0
+cpp.set.clock u:object_r:vendor_default_prop:s0
+disable.cpp.power.collapse u:object_r:vendor_default_prop:s0
+persist.camera. u:object_r:vendor_default_prop:s0
+
+# Fingerprint
+fpc_kpi u:object_r:vendor_default_prop:s0
+gf.debug.dump_data u:object_r:vendor_default_prop:s0
+persist.sys.fp. u:object_r:hal_fingerprint_prop:s0
+persist.vendor.sys.fp. u:object_r:hal_fingerprint_prop:s0
+ro.boot.fp. u:object_r:hal_fingerprint_prop:s0
+ro.boot.fpsensor u:object_r:hal_fingerprint_prop:s0
+sys.fp. u:object_r:hal_fingerprint_prop:s0
+
+# Media
+gpu.stats.debug.level u:object_r:vendor_default_prop:s0
+
+# Mlipay
+persist.vendor.sys.pay. u:object_r:mlipay_prop:s0
+persist.vendor.sys.provision.status u:object_r:mlipay_prop:s0
+
+# Thermal engine
+persist.sys.thermal. u:object_r:thermal_engine_prop:s0
+sys.thermal. u:object_r:thermal_engine_prop:s0
+
+# Wlan
+persist.vendor.wigig.npt.enable u:object_r:vendor_default_prop:s0
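Review bot: The fingerprint and Mlipay entries change from exact names to prefixes (`sys.fp.`, `persist.sys.fp.`, `persist.vendor.sys.fp.`, `ro.boot.fp.`, `persist.vendor.sys.pay.`), so any property created under them later inherits the label automatically. app.te in this commit grants every non-isolated app `get_prop` on `hal_fingerprint_prop` and `mlipay_prop`, so the set of app-readable properties widens with the prefixes. If only the previously listed names are needed, keeping them exact is the narrower choice; otherwise a comment above each prefix saying which properties it is meant to cover would document the intent. Separately, `persist.camera.` moves from `camera_prop` to `vendor_default_prop`, and it is worth confirming that no domain relied on the narrower type.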
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
deleted file mode 100644
index b364128..0000000
--- a/sepolicy/vendor/system_server.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow system_server vendor_keylayout_file:dir search;
-allow system_server vendor_keylayout_file:file r_file_perms;
diff --git a/sepolicy/vendor/thermal-engine.te b/sepolicy/vendor/thermal-engine.te
index 0e03308..f6f5331 100644
--- a/sepolicy/vendor/thermal-engine.te
+++ b/sepolicy/vendor/thermal-engine.te
@@ -1,5 +1,6 @@
allow thermal-engine thermal_data_file:dir rw_dir_perms;
allow thermal-engine thermal_data_file:file create_file_perms;
+allow thermal-engine sysfs:dir r_dir_perms;
allow thermal-engine self:capability { chown fowner };
dontaudit thermal-engine self:capability dac_override;
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
index 8d3b1e6..b3d4c00 100644
--- a/sepolicy/vendor/vendor_init.te
+++ b/sepolicy/vendor/vendor_init.te
@@ -5,4 +5,4 @@ allow vendor_init {
tombstone_data_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
-set_prop(vendor_init, camera_prop)
+set_prop(vendor_init, freq_prop)
diff --git a/sepolicy/vendor/vndservice.te b/sepolicy/vendor/vndservice.te
deleted file mode 100644
index ebc594c..0000000
--- a/sepolicy/vendor/vndservice.te
+++ /dev/null
@@ -1 +0,0 @@
-type goodixvnd_service, vndservice_manager_type;
diff --git a/sepolicy/vendor/vndservice_contexts b/sepolicy/vendor/vndservice_contexts
deleted file mode 100644
index 92d3f21..0000000
--- a/sepolicy/vendor/vndservice_contexts
+++ /dev/null
@@ -1 +0,0 @@
-android.hardware.fingerprint.IGoodixFingerprintDaemon u:object_r:goodixvnd_service:s0