-rw-r--r--sepolicy/bluetooth.te3
-rw-r--r--sepolicy/cnd.te1
-rw-r--r--sepolicy/idmap.te1
-rw-r--r--sepolicy/init.te1
-rw-r--r--sepolicy/system_server.te2
-rw-r--r--sepolicy/tombstoned.te2
-rw-r--r--sepolicy/zygote.te1
-rw-r--r--untrusted_app.te2
8 files changed, 13 insertions, 0 deletions
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
new file mode 100644
index 0000000..d5742fd
--- /dev/null
+++ b/sepolicy/bluetooth.te
@@ -0,0 +1,3 @@
+# Bluetooth app depend on /vendor/lib64/libaptX_encoder.so
+
+allow bluetooth vendor_file:file { r_file_perms execute };
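Review bot: The allow rule grants bluetooth read and execute on every file labelled `vendor_file`, although the comment above it names only /vendor/lib64/libaptX_encoder.so as the dependency. Giving that library its own label in file_contexts and allowing only that type would keep the bluetooth domain from mapping arbitrary vendor files as code, e.g. `allow bluetooth <aptx_lib_type>:file { r_file_perms execute };`, where `<aptx_lib_type>` is a placeholder for a type the device policy would declare. On Treble-enabled builds a core domain executing `vendor_file` may also conflict with a platform neverallow, so this is worth checking against the target release.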
diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te
index b66fa5f..d0d8d59 100644
--- a/sepolicy/cnd.te
+++ b/sepolicy/cnd.te
@@ -1 +1,2 @@
allow cnd cnd:capability { setuid dac_override chown dac_override dac_read_search setgid fsetid net_raw };
+allow cnd system_data_file:dir read;
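Review bot: `system_data_file` is the default label for much of /data, so `allow cnd system_data_file:dir read;` lets cnd list any directory carrying that label, and nothing in the hunk says which path produced the denial. The same applies to the rules added in init.te (`file rename`), tombstoned.te (`dir r_dir_perms`, `file getattr`) and zygote.te (`dir write`). Each should carry a comment naming the path and the denial it resolves, for example `# cnd lists <path> at startup; avc: denied { read } tclass=dir`, with `<path>` filled in from the audit log. Where the path is device-specific, a dedicated type assigned in file_contexts would be narrower than granting against the default label.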
diff --git a/sepolicy/idmap.te b/sepolicy/idmap.te
new file mode 100644
index 0000000..b268823
--- /dev/null
+++ b/sepolicy/idmap.te
@@ -0,0 +1 @@
+allow idmap install_data_file:file rw_file_perms;
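Review bot: `rw_file_perms` gives idmap write access to `install_data_file`, and the new file has no comment explaining why idmap would need to modify those files rather than only read them. If the denial behind this rule was a read or getattr, `allow idmap install_data_file:file r_file_perms;` would be sufficient and would leave idmap unable to alter install data. Either way, a comment recording the denial and the path involved should accompany the rule.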
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 90c9593..7294485 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,2 +1,3 @@
allow init adsprpcd_file:filesystem { mount relabelfrom relabelto };
allow init debugfs:file write;
+allow init system_data_file:file rename;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 975336c..431e096 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -2,6 +2,8 @@ allow system_server alarm_boot_prop:file { read open getattr };
allow system_server persist_file:dir write;
allow system_server sysfs_fpc_utouch_disable:file rw_file_perms;
+allow system_server install_data_file:file getattr;
+
# /vendor/usr/keylayout
r_dir_file(system_server, idc_file)
# /vendor/usr/idc
diff --git a/sepolicy/tombstoned.te b/sepolicy/tombstoned.te
new file mode 100644
index 0000000..08f529d
--- /dev/null
+++ b/sepolicy/tombstoned.te
@@ -0,0 +1,2 @@
+allow tombstoned system_data_file:dir r_dir_perms;
+allow tombstoned system_data_file:file getattr;
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
index e830681..c0e3d3e 100644
--- a/sepolicy/zygote.te
+++ b/sepolicy/zygote.te
@@ -1 +1,2 @@
allow zygote cgroup:file create;
+allow zygote system_data_file:dir write;
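Review bot: `write` on a directory does not by itself permit creating or removing entries (that also needs `add_name` or `remove_name`), so `allow zygote system_data_file:dir write;` looks like a rule transcribed from a single denial rather than a considered grant. zygote is the parent of every app process, so write access to default-labelled /data directories deserves a narrower target. Identify the directory being written, give it its own type, and grant against that, e.g. `allow zygote <dedicated_dir_type>:dir { write add_name };`, with `<dedicated_dir_type>` a placeholder for a type declared in the device policy.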
diff --git a/untrusted_app.te b/untrusted_app.te
new file mode 100644
index 0000000..8aeb709
--- /dev/null
+++ b/untrusted_app.te
@@ -0,0 +1,2 @@
+dontaudit untrusted_app_all sysfs_zram:dir search;
+dontaudit untrusted_app_all sysfs_zram:file r_file_perms;
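Review bot: This file is created at the repository root as `untrusted_app.te`, while every other policy file in the commit lives under `sepolicy/`. If the board configuration lists only `sepolicy/` as a policy directory, these two rules will never be compiled, so the path should probably be `sepolicy/untrusted_app.te`. Because `dontaudit` hides the denial from the audit log, a one-line comment saying which app behaviour triggers the zram access and why it is safe to silence would help later reviewers.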