
Update the bug_map for the denials from shell during PTS am: f540e81113

Original change: https://googleplex-android-review.googlesource.com/c/device/google/bonito-sepolicy/+/13262320

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I84cb6ac6a6a9f1614fce051bf3dd6ca43921637c
diff --git a/OWNERS b/OWNERS
index e9baa1e..791abb4 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,12 +1,3 @@
-adamshih@google.com
-alanstokes@google.com
-bowgotsai@google.com
-jbires@google.com
-jeffv@google.com
-jgalenson@google.com
-jiyong@google.com
-nnk@google.com
-smoreland@google.com
-sspatil@google.com
-tomcherry@google.com
-trong@google.com
+include platform/system/sepolicy:/OWNERS
+
+rurumihong@google.com
diff --git a/bonito-sepolicy.mk b/bonito-sepolicy.mk
index b63f345..750a32e 100644
--- a/bonito-sepolicy.mk
+++ b/bonito-sepolicy.mk
@@ -7,3 +7,7 @@
 BOARD_VENDOR_SEPOLICY_DIRS += device/google/bonito-sepolicy/vendor/google
 BOARD_VENDOR_SEPOLICY_DIRS += device/google/bonito-sepolicy/vendor/verizon
 BOARD_VENDOR_SEPOLICY_DIRS += device/google/bonito-sepolicy/tracking_denials
+
+# Pixel-wide policy
+BOARD_VENDOR_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/citadel
+BOARD_VENDOR_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
diff --git a/public/hwservice.te b/public/hwservice.te
index f0c1e33..1b2a2e5 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -1 +1 @@
-type hal_pixelstats_hwservice, hwservice_manager_type;
+type hal_pixelstats_hwservice, hwservice_manager_type, vendor_hwservice_type;
diff --git a/tracking_denials/vold.te b/tracking_denials/vold.te
new file mode 100644
index 0000000..646067b
--- /dev/null
+++ b/tracking_denials/vold.te
@@ -0,0 +1,2 @@
+# b/174214346
+dontaudit vold vendor_apex_file:file getattr;
diff --git a/vendor/google/bug_map b/vendor/google/bug_map
index d5e8737..de4630d 100644
--- a/vendor/google/bug_map
+++ b/vendor/google/bug_map
@@ -24,3 +24,4 @@
 system_server vendor_default_prop file b/78460200
 ueventd tmpfs lnk_file b/133126350
 untrusted_app vendor_default_prop file b/78460200
+pixelstats_vendor sysfs_usb_c dir b/161946931
diff --git a/vendor/google/citadeld.te b/vendor/google/citadeld.te
index 9db1a5e..e042518 100644
--- a/vendor/google/citadeld.te
+++ b/vendor/google/citadeld.te
@@ -1,20 +1 @@
-type citadeld, domain;
-type citadeld_exec, exec_type, vendor_file_type, file_type;
-
-vndbinder_use(citadeld)
-add_service(citadeld, citadeld_service)
-
-allow citadeld citadel_device:chr_file rw_file_perms;
-
-init_daemon_domain(citadeld)
-
 allow citadeld debugfs_ipc:dir search;
-
-allow citadeld hal_power_stats_default:binder { call transfer };
-allow citadeld power_stats_service:service_manager find;
-
-# Let citadeld find and use statsd.
-hwbinder_use(citadeld)
-get_prop(citadeld, hwservicemanager_prop)
-allow citadeld fwk_stats_hwservice:hwservice_manager find;
-binder_call(citadeld, stats_service_server)
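Review bot: After this hunk the only rule left in `vendor/google/citadeld.te` is `allow citadeld debugfs_ipc:dir search;`, and nothing in the file says where the `citadeld` type is now declared. It presumably comes from `hardware/google/pixel-sepolicy/citadel`, which this commit adds to `BOARD_VENDOR_SEPOLICY_DIRS`, so a header comment such as `# citadeld is declared in hardware/google/pixel-sepolicy/citadel; only bonito-specific rules stay here` would make that build dependency explicit. The same applies to the surviving `get_prop(hal_keymaster_citadel, vendor_tee_listener_prop)` in `hal_keymaster_citadel.te` and to `binder_call(hal_power_stats, citadeld)` in `vendor/qcom/common/hal_power_stats_default.te`. The retained rule would also benefit from a comment saying why citadeld needs to search a debugfs directory on this device.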
diff --git a/vendor/google/device.te b/vendor/google/device.te
index 5908c53..8bf9256 100644
--- a/vendor/google/device.te
+++ b/vendor/google/device.te
@@ -1,4 +1,3 @@
-type citadel_device, dev_type;
 type ramoops_device, dev_type;
 
 # Mark system_block_devices as super partition block devices for retrofit
diff --git a/vendor/google/file_contexts b/vendor/google/file_contexts
index f05a961..5080760 100644
--- a/vendor/google/file_contexts
+++ b/vendor/google/file_contexts
@@ -1,18 +1,10 @@
 # dev nodes
-/dev/citadel0                                                               u:object_r:citadel_device:s0
 /dev/access-kregistry                                                       u:object_r:rebootescrow_device:s0
 /dev/access-metadata                                                        u:object_r:ramoops_device:s0
 /dev/access-ramoops                                                         u:object_r:ramoops_device:s0
 
 /vendor/bin/hw/android\.hardware\.atrace@1\.0-service.pixel                 u:object_r:hal_atrace_default_exec:s0
 /vendor/bin/hw/android\.hardware\.contexthub@1\.1-service\.generic          u:object_r:hal_contexthub_default_exec:s0
-/vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel              u:object_r:hal_weaver_citadel_exec:s0
-/vendor/bin/hw/android\.hardware\.keymaster@4\.1-service\.citadel            u:object_r:hal_keymaster_citadel_exec:s0
-/vendor/bin/hw/android\.hardware\.rebootescrow-service\.citadel             u:object_r:hal_rebootescrow_citadel_exec:s0
-/vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel            u:object_r:hal_identity_citadel_exec:s0
-/vendor/bin/hw/citadeld                                                     u:object_r:citadeld_exec:s0
-/vendor/bin/hw/init_citadel                                                 u:object_r:init_citadel_exec:s0
-/vendor/bin/hw/wait_for_strongbox                                           u:object_r:wait_for_strongbox_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.1-service-disabled      u:object_r:hal_secure_element_default_exec:s0
 /vendor/bin/hw/android\.hardware\.power\.stats@1\.0-service\.pixel     u:object_r:hal_power_stats_default_exec:s0
 /vendor/bin/modem_svc                                                       u:object_r:modem_svc_exec:s0
@@ -26,6 +18,5 @@
 /vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor-lazy            u:object_r:hal_wifi_ext_exec:s0
 
 /data/vendor_ce/[0-9]+/ramoops(/.*)?                                        u:object_r:ramoops_vendor_data_file:s0
-/data/vendor/rebootescrow(/.*)?                                             u:object_r:hal_rebootescrow_citadel_data_file:s0
 
 /mnt/vendor/persist/battery(/.*)?                                           u:object_r:persist_battery_file:s0
diff --git a/vendor/google/google_camera_app.te b/vendor/google/google_camera_app.te
index 4ef42fe..560fc1a 100644
--- a/vendor/google/google_camera_app.te
+++ b/vendor/google/google_camera_app.te
@@ -13,12 +13,8 @@
 allow google_camera_app mediametrics_service:service_manager find;
 allow google_camera_app nfc_service:service_manager find;
 allow google_camera_app surfaceflinger_service:service_manager find;
-allow google_camera_app gpu_service:service_manager find;
 allow google_camera_app hidl_token_hwservice:hwservice_manager find;
 
-# Allow google_camera_app to interact with gpuservice
-binder_call(google_camera_app, gpuservice)
-
 # Execute libraries from RenderScript cache
 allow google_camera_app app_data_file:file { rx_file_perms };
 
diff --git a/vendor/google/hal_keymaster_citadel.te b/vendor/google/hal_keymaster_citadel.te
index ebca378..5561126 100644
--- a/vendor/google/hal_keymaster_citadel.te
+++ b/vendor/google/hal_keymaster_citadel.te
@@ -1,12 +1 @@
-type hal_keymaster_citadel, domain;
-type hal_keymaster_citadel_exec, exec_type, vendor_file_type, file_type;
-
-vndbinder_use(hal_keymaster_citadel)
-binder_call(hal_keymaster_citadel, citadeld)
-allow hal_keymaster_citadel citadeld_service:service_manager find;
-
-hal_server_domain(hal_keymaster_citadel, hal_keymaster)
-init_daemon_domain(hal_keymaster_citadel)
-
 get_prop(hal_keymaster_citadel, vendor_tee_listener_prop)
-get_prop(hal_keymaster_citadel, vendor_security_patch_level_prop)
diff --git a/vendor/google/hal_rebootescrow_citadel.te b/vendor/google/hal_rebootescrow_citadel.te
deleted file mode 100644
index 401a985..0000000
--- a/vendor/google/hal_rebootescrow_citadel.te
+++ /dev/null
@@ -1,16 +0,0 @@
-type hal_rebootescrow_citadel, domain;
-type hal_rebootescrow_citadel_exec, exec_type, vendor_file_type, file_type;
-type hal_rebootescrow_citadel_data_file, file_type, data_file_type;
-
-hal_server_domain(hal_rebootescrow_citadel, hal_rebootescrow)
-
-vndbinder_use(hal_rebootescrow_citadel)
-binder_call(hal_rebootescrow_citadel, citadeld)
-allow hal_rebootescrow_citadel citadeld_service:service_manager find;
-
-hal_client_domain(hal_rebootescrow_citadel, hal_keymaster)
-
-init_daemon_domain(hal_rebootescrow_citadel)
-
-allow hal_rebootescrow_citadel hal_rebootescrow_citadel_data_file:dir create_dir_perms;
-allow hal_rebootescrow_citadel hal_rebootescrow_citadel_data_file:file create_file_perms;
diff --git a/vendor/google/hal_weaver_citadel.te b/vendor/google/hal_weaver_citadel.te
deleted file mode 100644
index aa16960..0000000
--- a/vendor/google/hal_weaver_citadel.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type hal_weaver_citadel, domain;
-type hal_weaver_citadel_exec, exec_type, vendor_file_type, file_type;
-
-vndbinder_use(hal_weaver_citadel)
-binder_call(hal_weaver_citadel, citadeld)
-allow hal_weaver_citadel citadeld_service:service_manager find;
-
-hal_server_domain(hal_weaver_citadel, hal_weaver)
-hal_server_domain(hal_weaver_citadel, hal_oemlock)
-hal_server_domain(hal_weaver_citadel, hal_authsecret)
-init_daemon_domain(hal_weaver_citadel)
diff --git a/vendor/google/hwservice.te b/vendor/google/hwservice.te
index 57044a8..1b3f60c 100644
--- a/vendor/google/hwservice.te
+++ b/vendor/google/hwservice.te
@@ -1 +1 @@
-type hal_wifi_ext_hwservice, hwservice_manager_type;
+type hal_wifi_ext_hwservice, hwservice_manager_type, vendor_hwservice_type;
diff --git a/vendor/google/init_citadel.te b/vendor/google/init_citadel.te
deleted file mode 100644
index 1f055c6..0000000
--- a/vendor/google/init_citadel.te
+++ /dev/null
@@ -1,16 +0,0 @@
-type init_citadel, domain;
-type init_citadel_exec, exec_type, vendor_file_type, file_type;
-
-# Shell script exec (toolbox)
-allow init_citadel vendor_shell_exec:file r_file_perms;
-allow init_citadel vendor_toolbox_exec:file rx_file_perms;
-allow init_citadel vendor_file:file rx_file_perms;
-
-allow init_citadel citadel_device:chr_file rw_file_perms;
-
-# Citadel communication must be via citadeld
-vndbinder_use(init_citadel)
-binder_call(init_citadel, citadeld)
-allow init_citadel citadeld_service:service_manager find;
-
-init_daemon_domain(init_citadel)
diff --git a/vendor/google/modem_diagnostics.te b/vendor/google/modem_diagnostics.te
index 4943bb3..1077a40 100644
--- a/vendor/google/modem_diagnostics.te
+++ b/vendor/google/modem_diagnostics.te
@@ -12,9 +12,11 @@
 
   allow modem_diagnostic_app sysfs_esim:file r_file_perms;
 
-  typeattribute modem_diagnostic_app mlstrustedsubject;
+  allow modem_diagnostic_app ssr_log_file:dir r_dir_perms;
+  allow modem_diagnostic_app ssr_log_file:file r_file_perms;
+
   unix_socket_connect(modem_diagnostic_app, diag, qlogd);
 
   set_prop(modem_diagnostic_app, vendor_modem_diag_prop)
-  set_prop(modem_diagnostic_app, exported3_radio_prop)
+  set_prop(modem_diagnostic_app, radio_control_prop)
 ')
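Review bot: `set_prop(modem_diagnostic_app, radio_control_prop)` carries the write grant over from the old `exported3_radio_prop` rule without a comment naming which property the app sets. If the app only reads these properties, `get_prop(modem_diagnostic_app, radio_control_prop)` is the narrower grant, as `modem_svc.te` uses in this same commit. The two new `ssr_log_file` read rules likewise have no comment on what is read there. The enclosing block opens above the hunk, so whether these rules are limited to debug builds cannot be confirmed from here.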
diff --git a/vendor/google/modem_svc.te b/vendor/google/modem_svc.te
index f039ba1..eb2d70a 100644
--- a/vendor/google/modem_svc.te
+++ b/vendor/google/modem_svc.te
@@ -11,8 +11,7 @@
 set_prop(modem_svc, vendor_modem_diag_prop)
 set_prop(modem_svc, vendor_modem_prop)
 get_prop(modem_svc, vendor_build_type_prop)
-get_prop(modem_svc, exported2_default_prop)
-get_prop(modem_svc, exported3_radio_prop)
+get_prop(modem_svc, radio_control_prop)
 
 # For bugreport collection
 allow modem_svc hal_dumpstate_impl:fd use;
diff --git a/vendor/google/property.te b/vendor/google/property.te
index 497f454..46c5a80 100644
--- a/vendor/google/property.te
+++ b/vendor/google/property.te
@@ -1,12 +1,12 @@
-type vendor_ramoops_prop, property_type;
-type vendor_shutdown_prop, property_type;
-type vendor_vibrator_prop, property_type;
+vendor_internal_prop(vendor_ramoops_prop)
+vendor_internal_prop(vendor_shutdown_prop)
+vendor_internal_prop(vendor_vibrator_prop)
 
 # fingerprint
-type vendor_fingerprint_prop, property_type;
+vendor_internal_prop(vendor_fingerprint_prop)
 
-type vendor_build_type_prop, property_type;
-type vendor_modem_prop, property_type;
+vendor_internal_prop(vendor_build_type_prop)
+vendor_internal_prop(vendor_modem_prop)
 
 # hal_health
-type vendor_battery_defender_prop, property_type;
+vendor_internal_prop(vendor_battery_defender_prop)
diff --git a/vendor/google/vndservice.te b/vendor/google/vndservice.te
index 2518809..3ad0227 100644
--- a/vendor/google/vndservice.te
+++ b/vendor/google/vndservice.te
@@ -1,2 +1 @@
-type citadeld_service,             vndservice_manager_type;
 type perfstatsd_service,           vndservice_manager_type;
diff --git a/vendor/google/vndservice_contexts b/vendor/google/vndservice_contexts
index b7d8a72..32ecbbd 100644
--- a/vendor/google/vndservice_contexts
+++ b/vendor/google/vndservice_contexts
@@ -1,2 +1 @@
-android.hardware.citadel.ICitadeld      u:object_r:citadeld_service:s0
 perfstatsd_pri                          u:object_r:perfstatsd_service:s0
diff --git a/vendor/google/wait_for_strongbox.te b/vendor/google/wait_for_strongbox.te
deleted file mode 100644
index c9586c8..0000000
--- a/vendor/google/wait_for_strongbox.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# wait_for_strongbox service
-type wait_for_strongbox, domain;
-type wait_for_strongbox_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(wait_for_strongbox)
-
-hal_client_domain(wait_for_strongbox, hal_keymaster)
-
-allow wait_for_strongbox kmsg_device:chr_file w_file_perms;
\ No newline at end of file
diff --git a/vendor/qcom/common/cnd.te b/vendor/qcom/common/cnd.te
index abf4511..6f43cdc 100644
--- a/vendor/qcom/common/cnd.te
+++ b/vendor/qcom/common/cnd.te
@@ -57,3 +57,5 @@
 binder_call(cnd, location)
 
 dontaudit cnd kernel:system module_request;
+
+get_prop(cnd, wifi_hal_prop)
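Review bot: The added `get_prop(cnd, wifi_hal_prop)` has no comment saying what cnd reads, unlike the matching rule in `hal_power_stats_default.te`, which keeps `# Needed to detect wifi on/off`. A one-line comment of that kind here, and on `get_prop(location, wifi_hal_prop)` in `location.te`, would let a later reviewer judge whether the read is still required.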
diff --git a/vendor/qcom/common/con_monitor.te b/vendor/qcom/common/con_monitor.te
index c4930a5..e42862d 100644
--- a/vendor/qcom/common/con_monitor.te
+++ b/vendor/qcom/common/con_monitor.te
@@ -1,5 +1,5 @@
 # ConnectivityMonitor app
-type con_monitor_app, domain;
+type con_monitor_app, domain, coredomain;
 
 app_domain(con_monitor_app)
 
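Review bot: `type con_monitor_app, domain, coredomain;` adds the `coredomain` attribute from a file under `vendor/qcom/common`, and nothing in the hunk explains why. The attribute changes which neverallow rules are checked against every rule written for `con_monitor_app`, and those rules sit below the hunk, so they cannot be reviewed here. A comment on the type line stating where the app is installed, for example `# ConnectivityMonitor ships on a system partition, hence coredomain (TODO confirm)`, would record the reason. It is also worth confirming that the rest of the file grants no access to vendor-only types that a core domain should not hold.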
diff --git a/vendor/qcom/common/file.te b/vendor/qcom/common/file.te
index d44f079..23853c9 100644
--- a/vendor/qcom/common/file.te
+++ b/vendor/qcom/common/file.te
@@ -66,7 +66,7 @@
 type cnd_socket, file_type;
 type chre_socket, file_type;
 type location_socket, file_type;
-type diag_socket, file_type;
+type diag_socket, file_type, mlstrustedobject;
 
 type cnd_data_file, file_type, data_file_type;
 type location_data_file, file_type, data_file_type;
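Review bot: `diag_socket` gains `mlstrustedobject` with no comment, and that attribute exempts the socket from MLS level checks, leaving the type-enforcement allow rules as the only gate on who may connect to diag. This looks like the counterpart to dropping `mlstrustedsubject` from `modem_diagnostic_app` and adding `levelFrom=` entries in `seapp_contexts`, but that is inferred rather than stated. A comment such as `# MLS-exempt so app domains running at a per-user level can reach diag; access is still limited by TE rules` would document the intent. Reviewers should confirm that every `unix_socket_connect(..., diag, ...)` rule in the policy is confined to debug builds, since the one visible in `modem_diagnostics.te` sits in a block whose opening is outside its hunk.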
diff --git a/vendor/qcom/common/hal_power_stats_default.te b/vendor/qcom/common/hal_power_stats_default.te
index c1faa6e..a119f2f 100644
--- a/vendor/qcom/common/hal_power_stats_default.te
+++ b/vendor/qcom/common/hal_power_stats_default.te
@@ -2,10 +2,6 @@
 r_dir_file(hal_power_stats, sysfs_rpm)
 r_dir_file(hal_power_stats, sysfs_system_sleep_stats)
 r_dir_file(hal_power_stats, debugfs_wlan)
-get_prop(hal_power_stats_default, exported_wifi_prop) # Needed to detect wifi on/off
-
-# Allow power.stats hal to add the power_stats_service
-vndbinder_use(hal_power_stats)
-add_service(hal_power_stats_server, power_stats_service)
+get_prop(hal_power_stats_default, wifi_hal_prop) # Needed to detect wifi on/off
 
 binder_call(hal_power_stats, citadeld)
diff --git a/vendor/qcom/common/hwservice.te b/vendor/qcom/common/hwservice.te
index d67e9ee..b2aae30 100644
--- a/vendor/qcom/common/hwservice.te
+++ b/vendor/qcom/common/hwservice.te
@@ -1,14 +1,14 @@
-type vnd_ims_radio_hwservice, hwservice_manager_type;
-type vnd_qcrilhook_hwservice, hwservice_manager_type;
-type vnd_atcmdfwd_hwservice, hwservice_manager_type;
-type hal_imsrtp_hwservice, hwservice_manager_type;
-type hal_imscallinfo_hwservice, hwservice_manager_type;
-type hal_cne_hwservice, hwservice_manager_type;
-type hal_imsrcsd_hwservice, hwservice_manager_type;
-type hal_radioext_hwservice, hwservice_manager_type;
-type hal_display_config_hwservice, hwservice_manager_type;
-type nxpese_hwservice, hwservice_manager_type;
-type nxpnfc_hwservice, hwservice_manager_type;
-type hal_tui_comm_hwservice, hwservice_manager_type;
-type hal_paintbox_hwservice, hwservice_manager_type;
-type hal_wlc_hwservice, hwservice_manager_type;
+type vnd_ims_radio_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type vnd_qcrilhook_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type vnd_atcmdfwd_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_imsrtp_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_imscallinfo_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_cne_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_imsrcsd_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_radioext_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_display_config_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type nxpese_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type nxpnfc_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_tui_comm_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_paintbox_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_wlc_hwservice, hwservice_manager_type, vendor_hwservice_type;
diff --git a/vendor/qcom/common/location.te b/vendor/qcom/common/location.te
index 24f5c63..182391e 100644
--- a/vendor/qcom/common/location.te
+++ b/vendor/qcom/common/location.te
@@ -27,7 +27,6 @@
 allowxperm location self:udp_socket ioctl { SIOCGIFINDEX SIOCGIFHWADDR SIOCIWFIRSTPRIV_05 };
 
 allow location self:socket create_socket_perms;
-# whitelist socket ioctl commands
 allowxperm location self:socket ioctl msm_sock_ipc_ioctls;
 
 # files in /sys
@@ -55,3 +54,5 @@
 
 allow location hal_cne_hwservice:hwservice_manager find;
 binder_call(location, cnd)
+
+get_prop(location, wifi_hal_prop)
diff --git a/vendor/qcom/common/property.te b/vendor/qcom/common/property.te
index 32868b3..aaf0064 100644
--- a/vendor/qcom/common/property.te
+++ b/vendor/qcom/common/property.te
@@ -1,36 +1,36 @@
-type vendor_camera_prop, property_type;
-type cnd_prop, property_type;
-type ims_prop, property_type;
-type vendor_ramdump_prop, property_type;
-type public_vendor_default_prop, property_type;
-type public_vendor_system_prop, property_type;
-type vendor_ssr_prop, property_type;
-type vendor_cnss_diag_prop, property_type;
-type vendor_tee_listener_prop, property_type;
-type vendor_modem_diag_prop, property_type;
-type vendor_usb_prop, property_type;
-type vendor_time_prop, property_type;
-type vendor_wifi_version, property_type;
-type per_mgr_state_prop, property_type;
-type vendor_bluetooth_prop, property_type;
-type vendor_net_radio_prop, property_type;
-type vendor_secure_element_prop, property_type;
-type vendor_device_prop, property_type;
-type vendor_radio_prop, property_type;
-type vendor_display_prop, property_type;
-type vendor_nfc_prop, property_type;
-type vendor_bluetooth_log_prop, property_type;
-type vendor_usb_config_prop, property_type;
-type vendor_radio_sku_prop, property_type;
-type vendor_tcpdump_log_prop, property_type;
-type ctl_vendor_rmt_storage_prop, property_type;
-type vendor_wifi_sniffer_prop, property_type;
+vendor_restricted_prop(vendor_camera_prop)
+vendor_restricted_prop(cnd_prop)
+vendor_restricted_prop(ims_prop)
+vendor_internal_prop(vendor_ramdump_prop)
+vendor_restricted_prop(public_vendor_default_prop)
+vendor_internal_prop(public_vendor_system_prop)
+vendor_restricted_prop(vendor_ssr_prop)
+vendor_internal_prop(vendor_cnss_diag_prop)
+vendor_restricted_prop(vendor_tee_listener_prop)
+vendor_internal_prop(vendor_modem_diag_prop)
+vendor_internal_prop(vendor_usb_prop)
+vendor_internal_prop(vendor_time_prop)
+vendor_internal_prop(vendor_wifi_version)
+vendor_internal_prop(per_mgr_state_prop)
+vendor_public_prop(vendor_bluetooth_prop)
+vendor_internal_prop(vendor_net_radio_prop)
+vendor_internal_prop(vendor_secure_element_prop)
+vendor_internal_prop(vendor_device_prop)
+vendor_restricted_prop(vendor_radio_prop)
+vendor_restricted_prop(vendor_display_prop)
+vendor_internal_prop(vendor_nfc_prop)
+vendor_internal_prop(vendor_bluetooth_log_prop)
+vendor_internal_prop(vendor_usb_config_prop)
+vendor_internal_prop(vendor_radio_sku_prop)
+vendor_internal_prop(vendor_tcpdump_log_prop)
+vendor_internal_prop(ctl_vendor_rmt_storage_prop)
+vendor_internal_prop(vendor_wifi_sniffer_prop)
 
 #imsrcsservice
-type ctl_vendor_imsrcsservice_prop, property_type;
+vendor_internal_prop(ctl_vendor_imsrcsservice_prop)
 
 #time service
-type vendor_time_service_prop, property_type;
+vendor_internal_prop(vendor_time_service_prop)
 
 # vendor verbose logging property
-type vendor_logging_prop, property_type;
+vendor_internal_prop(vendor_logging_prop)
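Review bot: The access class chosen for each property is a security decision, yet the hunk records no rationale for any of them. `public_vendor_system_prop` becomes `vendor_internal_prop` and `public_vendor_default_prop` becomes `vendor_restricted_prop` despite their `public_` names, and `vendor_bluetooth_prop` is the only type given `vendor_public_prop`. A short comment on each entry that is not internal, naming the non-vendor reader or writer that requires it (for example `# restricted: read by <system component>`), would let later changes tighten these safely. `vendor_tee_listener_prop` and `vendor_radio_prop` in particular deserve such a comment.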
diff --git a/vendor/qcom/common/seapp_contexts b/vendor/qcom/common/seapp_contexts
index f3c98c7..48c9b4f 100644
--- a/vendor/qcom/common/seapp_contexts
+++ b/vendor/qcom/common/seapp_contexts
@@ -1,4 +1,4 @@
-user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file
+user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
 user=_app seinfo=platform name=com.android.pixellogger domain=logger_app type=app_data_file levelFrom=all
 user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
 
@@ -6,7 +6,7 @@
 
 #Add new domain for DataServices
 # Domain for CNEService , uceShimService and other connectivity services
-user=radio seinfo=platform name=.dataservices domain=dataservice_app type=radio_data_file
+user=radio seinfo=platform name=.dataservices domain=dataservice_app type=radio_data_file levelFrom=user
 
 # The default domain for tango_core process
 user=_app seinfo=tango name=com.google.tango domain=tango_core type=app_data_file levelFrom=user
@@ -22,7 +22,7 @@
 user=_app seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=user
 
 #Needed for time service apk
-user=_app seinfo=platform name=com.qualcomm.timeservice domain=timeservice_app type=app_data_file
+user=_app seinfo=platform name=com.qualcomm.timeservice domain=timeservice_app type=app_data_file levelFrom=all
 
 # Domain for easelservice app
 user=_app seinfo=easel name=com.google.android.imaging.easel.service domain=easelservice_app type=app_data_file levelFrom=user
@@ -35,4 +35,4 @@
 
 user=_app seinfo=platform name=com.qualcomm.qti.services.secureui* domain=secure_ui_service_app levelFrom=all
 
-user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file
+user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file levelFrom=all
diff --git a/vendor/qcom/common/time_daemon.te b/vendor/qcom/common/time_daemon.te
index d97cdbb..f0aa0e5 100644
--- a/vendor/qcom/common/time_daemon.te
+++ b/vendor/qcom/common/time_daemon.te
@@ -1,4 +1,4 @@
-type time_daemon, domain;
+type time_daemon, domain, mlstrustedsubject;
 type time_daemon_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(time_daemon)
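Review bot: `type time_daemon, domain, mlstrustedsubject;` exempts every access made by time_daemon from MLS constraints, which is broader than a single cross-level interaction usually needs, and the hunk gives no reason. It may be tied to `com.qualcomm.timeservice` receiving `levelFrom=all` in `seapp_contexts` in this same commit, but that is an inference. If only one socket or file is shared with that app, marking that object `mlstrustedobject`, as this commit does for `diag_socket`, would keep the daemon itself under MLS. Otherwise a comment such as `# mlstrustedsubject: must reach timeservice_app objects at any level (TODO confirm)` should state the requirement.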
diff --git a/vendor/qcom/common/vndservice.te b/vendor/qcom/common/vndservice.te
index d15f3bf..44c45ca 100644
--- a/vendor/qcom/common/vndservice.te
+++ b/vendor/qcom/common/vndservice.te
@@ -1,3 +1,2 @@
 type qdisplay_service,             vndservice_manager_type;
 type per_mgr_service,              vndservice_manager_type;
-type power_stats_service,          vndservice_manager_type;
diff --git a/vendor/qcom/common/vndservice_contexts b/vendor/qcom/common/vndservice_contexts
index 39e94cf..1db4aa0 100644
--- a/vendor/qcom/common/vndservice_contexts
+++ b/vendor/qcom/common/vndservice_contexts
@@ -1,3 +1,2 @@
 display.qservice                        u:object_r:qdisplay_service:s0
 vendor.qcom.PeripheralManager           u:object_r:per_mgr_service:s0
-power.stats-vendor                      u:object_r:power_stats_service:s0