authorandroid-build-team Robot <android-build-team-robot@google.com>2020-10-10 23:02:54 +0000
committerandroid-build-team Robot <android-build-team-robot@google.com>2020-10-10 23:02:54 +0000
commitf5b54c9597773c7a6a0f9415ea57e8eeabf2873c (patch)
treeebcb19a245da1307f6da3a17f5dc919d1d0aa87f
parent60e5eae0dc61eb1c05f3a7b0e799b1ddc007b281 (diff)
parent3d809cd26669fc96816b939701a80df53070277e (diff)
downloadwembley-sepolicy-f5b54c9597773c7a6a0f9415ea57e8eeabf2873c.tar.gz
Snap for 6897438 from 3d809cd26669fc96816b939701a80df53070277e to sc-release
Change-Id: If44bb088acd0adcfb30bbaa75270c13fa01fe9f8
-rw-r--r--neverallows/non_plat/app_neverallows.te12
-rw-r--r--neverallows/plat_private/app_neverallows.te12
-rw-r--r--neverallows/plat_public/app_neverallows.te12
-rw-r--r--non_plat/aee_aedv.te40
-rw-r--r--non_plat/aee_hidl.te3
-rw-r--r--non_plat/app.te26
-rw-r--r--non_plat/appdomain.te8
-rw-r--r--non_plat/atci_service.te8
-rw-r--r--non_plat/bluetooth.te8
-rw-r--r--non_plat/ccci_mdinit.te5
-rw-r--r--non_plat/device.te5
-rw-r--r--non_plat/dumpstate.te38
-rw-r--r--non_plat/factory.te16
-rw-r--r--non_plat/file.te39
-rw-r--r--non_plat/file_contexts13
-rw-r--r--non_plat/genfs_contexts93
-rw-r--r--non_plat/hal_graphics_composer_default.te6
-rw-r--r--non_plat/hal_memtrack_default.te8
-rw-r--r--non_plat/hwservice.te2
-rw-r--r--non_plat/ioctl_defines2
-rw-r--r--non_plat/mediacodec.te8
-rw-r--r--non_plat/mediaserver.te6
-rw-r--r--non_plat/meta_tst.te5
-rw-r--r--non_plat/mtk_agpsd.te2
-rw-r--r--non_plat/mtk_hal_audio.te15
-rw-r--r--non_plat/mtk_hal_camera.te6
-rw-r--r--non_plat/mtk_hal_mms.te22
-rw-r--r--non_plat/mtk_hal_power.te6
-rw-r--r--non_plat/mtk_hal_sensors.te4
-rw-r--r--non_plat/netdiag.te3
-rw-r--r--non_plat/platform_app.te5
-rw-r--r--non_plat/property_contexts3
-rw-r--r--non_plat/surfaceflinger.te13
-rw-r--r--non_plat/system_app.te11
-rw-r--r--non_plat/system_server.te8
-rw-r--r--non_plat/vendor_init.te4
-rw-r--r--plat_private/file_contexts13
-rw-r--r--plat_private/property_contexts1
-rw-r--r--plat_public/attributes6
39 files changed, 372 insertions, 125 deletions
diff --git a/neverallows/non_plat/app_neverallows.te b/neverallows/non_plat/app_neverallows.te
index d66bb15..48d161d 100644
--- a/neverallows/non_plat/app_neverallows.te
+++ b/neverallows/non_plat/app_neverallows.te
@@ -58,6 +58,7 @@ neverallow all_untrusted_apps ~{
hidl_manager_hwservice # coredomain_hwservice. Designed for use by any domain
hidl_memory_hwservice # coredomain_hwservice. Designed for use by any domain
hidl_token_hwservice # coredomain_hwservice. Designed for use by any domain
+ mtk_safe_hwservice_manager_type
}:hwservice_manager find;
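Review bot: The new `mtk_safe_hwservice_manager_type` entry on the exclusion list has no trailing comment, unlike the three hidl_* entries above it, and it is the one exclusion whose membership is decided outside this file: any hwservice type later given that attribute becomes findable by every untrusted app. Suggest documenting the contract inline, e.g. `mtk_safe_hwservice_manager_type # vendor hwservices reviewed for untrusted-app access; assigned via the attribute declared in plat_public/attributes`, with the file name adjusted to wherever the attribute is actually declared (plat_public/attributes is in the diffstat and presumably holds it). The same hunk is repeated verbatim in plat_private/app_neverallows.te and plat_public/app_neverallows.te, so the comment belongs in all three copies. The neverallow block this line closes starts outside the hunk.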
# Restrict *Binder access from apps to HAL domains. We can only do this on full
@@ -65,6 +66,15 @@ neverallow all_untrusted_apps ~{
# restricted.
full_treble_only(`
neverallow all_untrusted_apps {
- hwservice_manager_type
+ halserverdomain
+ -coredomain
+ -hal_cas_server
+ -hal_codec2_server
+ -hal_configstore_server
+ -hal_drm_server
+ -hal_graphics_allocator_server
+ -hal_neuralnetworks_server
+ -hal_omx_server
+ -mtk_safe_halserverdomain_type
}:binder { call transfer };
')
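Review bot: The rewritten binder neverallow carries a vendor carve-out, `-mtk_safe_halserverdomain_type`, with no explanatory comment, whereas every other exclusion is a well-known AOSP HAL server attribute with a documented reason for being reachable from apps. Because the attribute is assigned elsewhere, a reader of this file cannot tell which vendor HAL servers untrusted apps may now call; a comment such as `-mtk_safe_halserverdomain_type # vendor HAL servers reviewed for direct untrusted-app binder access; must validate all client input` would pin the intent. The replaced target `hwservice_manager_type` is an attribute of hwservice types rather than of domains, so the old rule over class binder presumably never matched a HAL process, which makes this the first version of the rule that actually constrains anything and the carve-out worth auditing against the matching allow rules added in non_plat/app.te. The identical hunk appears in the plat_private and plat_public copies of app_neverallows.te.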
diff --git a/neverallows/plat_private/app_neverallows.te b/neverallows/plat_private/app_neverallows.te
index 6992f83..92a48bd 100644
--- a/neverallows/plat_private/app_neverallows.te
+++ b/neverallows/plat_private/app_neverallows.te
@@ -58,6 +58,7 @@ neverallow all_untrusted_apps ~{
hidl_manager_hwservice # coredomain_hwservice. Designed for use by any domain
hidl_memory_hwservice # coredomain_hwservice. Designed for use by any domain
hidl_token_hwservice # coredomain_hwservice. Designed for use by any domain
+ mtk_safe_hwservice_manager_type
}:hwservice_manager find;
# Restrict *Binder access from apps to HAL domains. We can only do this on full
@@ -65,6 +66,15 @@ neverallow all_untrusted_apps ~{
# restricted.
full_treble_only(`
neverallow all_untrusted_apps {
- hwservice_manager_type
+ halserverdomain
+ -coredomain
+ -hal_cas_server
+ -hal_codec2_server
+ -hal_configstore_server
+ -hal_drm_server
+ -hal_graphics_allocator_server
+ -hal_neuralnetworks_server
+ -hal_omx_server
+ -mtk_safe_halserverdomain_type
}:binder { call transfer };
')
diff --git a/neverallows/plat_public/app_neverallows.te b/neverallows/plat_public/app_neverallows.te
index d66bb15..48d161d 100644
--- a/neverallows/plat_public/app_neverallows.te
+++ b/neverallows/plat_public/app_neverallows.te
@@ -58,6 +58,7 @@ neverallow all_untrusted_apps ~{
hidl_manager_hwservice # coredomain_hwservice. Designed for use by any domain
hidl_memory_hwservice # coredomain_hwservice. Designed for use by any domain
hidl_token_hwservice # coredomain_hwservice. Designed for use by any domain
+ mtk_safe_hwservice_manager_type
}:hwservice_manager find;
# Restrict *Binder access from apps to HAL domains. We can only do this on full
@@ -65,6 +66,15 @@ neverallow all_untrusted_apps ~{
# restricted.
full_treble_only(`
neverallow all_untrusted_apps {
- hwservice_manager_type
+ halserverdomain
+ -coredomain
+ -hal_cas_server
+ -hal_codec2_server
+ -hal_configstore_server
+ -hal_drm_server
+ -hal_graphics_allocator_server
+ -hal_neuralnetworks_server
+ -hal_omx_server
+ -mtk_safe_halserverdomain_type
}:binder { call transfer };
')
diff --git a/non_plat/aee_aedv.te b/non_plat/aee_aedv.te
index e802754..d8f8037 100644
--- a/non_plat/aee_aedv.te
+++ b/non_plat/aee_aedv.te
@@ -118,27 +118,27 @@ allow aee_aedv crash_dump:file r_file_perms;
allow aee_aedv vendor_file:file execute_no_trans;
# Purpose: debugfs files
-allow aee_aedv debugfs_binder:dir { read open };
-allow aee_aedv debugfs_binder:file { read open };
-allow aee_aedv debugfs_blockio:file { read open };
+allow aee_aedv debugfs_binder:dir r_dir_perms;
+allow aee_aedv debugfs_binder:file r_file_perms;
+allow aee_aedv debugfs_blockio:file r_file_perms;
allow aee_aedv debugfs_fb:dir search;
-allow aee_aedv debugfs_fb:file { read open };
+allow aee_aedv debugfs_fb:file r_file_perms;
allow aee_aedv debugfs_fuseio:dir search;
-allow aee_aedv debugfs_fuseio:file { read open };
+allow aee_aedv debugfs_fuseio:file r_file_perms;
allow aee_aedv debugfs_ged:dir search;
-allow aee_aedv debugfs_ged:file { read open };
+allow aee_aedv debugfs_ged:file r_file_perms;
allow aee_aedv debugfs_rcu:dir search;
-allow aee_aedv debugfs_shrinker_debug:file { read open };
-allow aee_aedv debugfs_wakeup_sources:file { read open };
-allow aee_aedv debugfs_dmlog_debug:file { read open };
-allow aee_aedv debugfs_page_owner_slim_debug:file { read open };
+allow aee_aedv debugfs_shrinker_debug:file r_file_perms;
+allow aee_aedv debugfs_wakeup_sources:file r_file_perms;
+allow aee_aedv debugfs_dmlog_debug:file r_file_perms;
+allow aee_aedv debugfs_page_owner_slim_debug:file r_file_perms;
allow aee_aedv debugfs_ion_mm_heap:dir search;
allow aee_aedv debugfs_ion_mm_heap:file r_file_perms;
allow aee_aedv debugfs_ion_mm_heap:lnk_file read;
allow aee_aedv debugfs_cpuhvfs:dir search;
-allow aee_aedv debugfs_cpuhvfs:file { read open };
-allow aee_aedv debugfs_emi_mbw_buf:file { read open };
-allow aee_aedv debugfs_vpu_device_dbg:file { read open };
+allow aee_aedv debugfs_cpuhvfs:file r_file_perms;
+allow aee_aedv debugfs_emi_mbw_buf:file r_file_perms;
+allow aee_aedv debugfs_vpu_device_dbg:file r_file_perms;
allow aee_aedv debugfs_vpu_memory:file r_file_perms;
allow aee_aedv debugfs_apusys_midware_register_all:file r_file_perms;
allow aee_aedv debugfs_apusys_mdla_memory:file r_file_perms;
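Review bot: Every `{ read open }` on a debugfs node in this hunk becomes `r_file_perms`, which also grants `getattr`, `ioctl`, `lock` and `map` (and `watch`/`watch_reads` on R-and-later policy); if the denials being fixed were only `getattr`, then `{ getattr open read }` is the narrower change, and `ioctl` on kernel debug nodes is the permission worth keeping away from a crash-reporting daemon unless it is actually exercised. The hunk has no Date/Purpose comment recording why the widening was needed, although the surrounding blocks in this file carry one. The same substitution is made for dumpstate in non_plat/dumpstate.te (the hunk from debugfs_binder through sysfs_lowmemorykiller); if the widening stays, a one-line header such as `# Purpose : r_file_perms instead of { read open } — getattr/map needed by the dump path (confirm)` at the top of each block would record the reason.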
@@ -465,3 +465,17 @@ allow aee_aedv proc_log_much:file r_file_perms;
# Purpose: Allow aee_aedv to read /sys/kernel/tracing/instances/mmstat/trace
allow aee_aedv debugfs_tracing_instances:dir r_dir_perms;
allow aee_aedv debugfs_tracing_instances:file r_file_perms;
+
+allow aee_aedv binderfs_logs:dir r_dir_perms;
+allow aee_aedv binderfs_logs:file r_file_perms;
+
+allow aee_aedv proc_ion:dir r_dir_perms;
+allow aee_aedv proc_ion:file r_file_perms;
+allow aee_aedv proc_m4u_dbg:dir r_dir_perms;
+allow aee_aedv proc_m4u_dbg:file r_file_perms;
+allow aee_aedv proc_mtkfb:file r_file_perms;
+
+allow aee_aedv debugfs_cmdq:file r_file_perms;
+
+allow aee_aedv sysfs_dvfsrc_dbg:dir r_dir_perms;
+allow aee_aedv sysfs_dvfsrc_dbg:file r_file_perms;
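Review bot: The thirteen new allow rules appended here (binderfs_logs, proc_ion, proc_m4u_dbg, proc_mtkfb, debugfs_cmdq, sysfs_dvfsrc_dbg) arrive without the `# Date` / `# Purpose` header that every other block in this file carries, so the reason each kernel debug node must be readable by aee_aedv is not recorded. Suggest one header per group, e.g. `# Date : <date>` / `# Purpose : include /proc/ion, /proc/m4u_dbg and the mtkfb node in AEE exception dumps` (the first two paths are the ones genfs_contexts maps in this same commit; the mtkfb path is not in view). The same undocumented additions are made for dumpstate in non_plat/dumpstate.te.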
diff --git a/non_plat/aee_hidl.te b/non_plat/aee_hidl.te
index d7d97f0..49536fb 100644
--- a/non_plat/aee_hidl.te
+++ b/non_plat/aee_hidl.te
@@ -5,6 +5,9 @@ type aee_hal,domain;
type aee_hal_exec, exec_type, file_type, vendor_file_type;
typeattribute aee_hal mlstrustedsubject;
# Purpose : for create hidl server
+allow aee_hal aee_exp_vendor_file:dir w_dir_perms;
+allow aee_hal aee_exp_vendor_file:file create_file_perms;
+allow aee_hal aee_exp_data_file:file { read write };
hal_server_domain(aee_hal, mtk_hal_aee)
# ==============================================
# MTK Policy Rule
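Review bot: The three new allow rules are inserted directly beneath `# Purpose : for create hidl server`, a comment that describes the `hal_server_domain(aee_hal, mtk_hal_aee)` line now pushed below them, so the write/create access to aee_exp_vendor_file is filed under the wrong rationale. Move them above that comment with their own header, e.g. `# Purpose : aee_hal writes exception records under aee_exp_vendor_file`. For `allow aee_hal aee_exp_data_file:file { read write };` it is worth a comment that `open` is deliberately not granted, i.e. the HAL can only use descriptors handed to it over binder, so that nobody later "fixes" the line to rw_file_perms. The `hal_server_domain` line and the rest of the domain's policy continue outside the hunk.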
diff --git a/non_plat/app.te b/non_plat/app.te
index 5d1d8ac..776ea4b 100644
--- a/non_plat/app.te
+++ b/non_plat/app.te
@@ -7,15 +7,16 @@
allow appdomain proc_ged:file rw_file_perms;
allowxperm appdomain proc_ged:file ioctl { proc_ged_ioctls };
+# Data : WK16.42
+# Operator: Whitney bring up
+# Purpose: call surfaceflinger due to powervr
+allow appdomain surfaceflinger:fifo_file rw_file_perms;
+
# Date : W16.42
# Operation : Integration
# Purpose : DRM / DRI GPU driver required
allow appdomain gpu_device:dir search;
-# Date : W17.30
-# Purpose : Allow MDP user access cmdq driver
-allow appdomain mtk_cmdq_device:chr_file {open read ioctl};
-
# Date : W17.41
# Operation: SQC
# Purpose : Allow HWUI to access perfmgr
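Review bot: The header moved in from the deleted non_plat/appdomain.te keeps its typo: `# Data : WK16.42` should read `# Date : WK16.42`, matching the `# Date :` form used by every other block in this file. The surfaceflinger fifo_file rule itself is byte-identical to the one in the deleted file, so the move is otherwise a no-op, and the removal of the `mtk_cmdq_device:chr_file` rule below it tightens appdomain and needs nothing further.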
@@ -28,13 +29,6 @@ allowxperm appdomain proc_perfmgr:file ioctl {
PERFMGR_FPSGO_BQID
};
-# Date : W19.4
-# Purpose : Allow MDP user access mdp driver
-allow appdomain mdp_device:chr_file rw_file_perms;
-allow appdomain mtk_mdp_device:chr_file rw_file_perms;
-allow appdomain mtk_mdp_sync:chr_file rw_file_perms;
-allow appdomain sw_sync_device:chr_file rw_file_perms;
-
# Date : W19.23
# Operation : Migration
# Purpose : For platform app com.android.gallery3d
@@ -44,3 +38,13 @@ allow { appdomain -isolated_app } radio_data_file:file rw_file_perms;
# Operation : Migration
# Purpose : For app com.tencent.qqpimsecure
allowxperm appdomain appdomain:fifo_file ioctl SNDCTL_TMR_START;
+
+# Date : W20.26
+# Operation : Migration
+# Purpose : For apps other than isolated_app call hidl
+hwbinder_use({ appdomain -isolated_app })
+get_prop({ appdomain -isolated_app }, hwservicemanager_prop)
+allow { appdomain -isolated_app } hidl_manager_hwservice:hwservice_manager find;
+binder_call({ appdomain -isolated_app }, mtk_safe_halserverdomain_type)
+binder_call(mtk_safe_halserverdomain_type, { appdomain -isolated_app })
+allow { appdomain -isolated_app } mtk_safe_hwservice_manager_type:hwservice_manager find;
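Review bot: The last three lines give every non-isolated app, which includes untrusted_app, `binder_call` in both directions with whatever domains carry `mtk_safe_halserverdomain_type` and `find` on everything carrying `mtk_safe_hwservice_manager_type`, yet the header `# Purpose : For apps other than isolated_app call hidl` does not say which HALs those attributes cover or why they are safe to expose to untrusted code. Suggest naming them, e.g. `# Purpose : let apps (not isolated_app) reach the vendor HALs tagged mtk_safe_* (attribute assignments in plat_public/attributes); those HALs are app-facing and must validate all client input`, with the file reference confirmed. The first three added lines (`hwbinder_use`, `get_prop ... hwservicemanager_prop`, `hidl_manager_hwservice ... find`) look like what AOSP's public app policy already grants to non-isolated apps; if so they are redundant here and could be dropped to keep this file to the vendor delta.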
diff --git a/non_plat/appdomain.te b/non_plat/appdomain.te
deleted file mode 100644
index 3311b98..0000000
--- a/non_plat/appdomain.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ============
-
-# Data : WK16.42
-# Operator: Whitney bring up
-# Purpose: call surfaceflinger due to powervr
-allow appdomain surfaceflinger:fifo_file rw_file_perms;
diff --git a/non_plat/atci_service.te b/non_plat/atci_service.te
index 1adf671..3ca0b46 100644
--- a/non_plat/atci_service.te
+++ b/non_plat/atci_service.te
@@ -109,10 +109,10 @@ allow atci_service fwk_sensor_hwservice:hwservice_manager find;
allow atci_service hidl_allocator_hwservice:hwservice_manager find;
allow atci_service hidl_memory_hwservice:hwservice_manager find;
allow atci_service ion_device:chr_file { read ioctl open };
-allow atci_service mtk_cmdq_device:chr_file { read ioctl open };
-allow atci_service mtk_mdp_device:chr_file rw_file_perms;
-allow atci_service mtk_mdp_sync:chr_file rw_file_perms;
-allow atci_service sw_sync_device:chr_file rw_file_perms;
+allow atci_service mtk_cmdq_device:chr_file r_file_perms;
+allow atci_service mtk_mdp_device:chr_file r_file_perms;
+allow atci_service mtk_mdp_sync:chr_file r_file_perms;
+allow atci_service sw_sync_device:chr_file r_file_perms;
hal_client_domain(atci_service, hal_power)
allow atci_service sysfs_batteryinfo:dir search;
allow atci_service sysfs_batteryinfo:file { read getattr open };
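Review bot: The four device rules go from rw_file_perms to r_file_perms, but r_file_perms still includes `ioctl`, and for chr_file nodes such as mtk_cmdq_device and mtk_mdp_device the ioctl path is the part that reaches the driver, so the tightening is only on `write`. If the service needs a fixed set of commands, adding `allowxperm atci_service mtk_cmdq_device:chr_file ioctl { <cmdq ioctl names from non_plat/ioctl_defines> };` in the style this tree already uses for proc_ged in non_plat/app.te would bound the surface. The same four-line change is made for factory in non_plat/factory.te under `# Purpose: Allow to access cmdq driver`, where the same remark applies.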
diff --git a/non_plat/bluetooth.te b/non_plat/bluetooth.te
index 257f85e..7ef4418 100644
--- a/non_plat/bluetooth.te
+++ b/non_plat/bluetooth.te
@@ -17,3 +17,11 @@ allow bluetooth bluetooth_logs_data_file:fifo_file { create_file_perms };
# Date: 2019/09/19
allow bluetooth mtk_hal_bluetooth_audio_hwservice:hwservice_manager find;
+
+# Date : 2020/06/11
+# Operation : allow bt native process to access driver debug node and set kernel thread priority
+# Purpose: allow bt native process to access driver debug node and set kernel thread priority
+allow bluetooth proc_btdbg:file rw_file_perms;
+allow bluetooth kernel:process setsched;
+
+
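Review bot: The `# Operation :` and `# Purpose:` lines are word-for-word identical and the hunk ends with two empty lines; one of the duplicate lines should say what the node is, e.g. `# Purpose : BT driver debug node (proc_btdbg, path per genfs_contexts) and kernel-thread priority` with the path confirmed, and the trailing blank lines dropped. `allow bluetooth kernel:process setsched;` lets the bluetooth app domain change the scheduling of kernel threads; naming the thread the stack re-prioritises in the comment would make that grant reviewable later. `rw_file_perms` on a driver debug node from an app-hosted domain is also worth confirming against the permissions the stack actually uses (read only, or write too).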
diff --git a/non_plat/ccci_mdinit.te b/non_plat/ccci_mdinit.te
index 750b36f..47a4e6d 100644
--- a/non_plat/ccci_mdinit.te
+++ b/non_plat/ccci_mdinit.te
@@ -101,3 +101,8 @@ allow ccci_mdinit block_device:dir search;
allow ccci_mdinit metadata_file:dir search;
allow ccci_mdinit proc_cmdline:file r_file_perms;
allow ccci_mdinit sysfs_dt_firmware_android:dir search;
+
+# Date : 2020-07-06
+# Purpose: no trigger avc log when call nvram api
+dontaudit ccci_mdinit gsi_metadata_file:dir search;
+
diff --git a/non_plat/device.te b/non_plat/device.te
index 5a64882..bd1896e 100644
--- a/non_plat/device.te
+++ b/non_plat/device.te
@@ -281,3 +281,8 @@ type m_bio_misc_device, dev_type;
# Operation : Migration
# Purpose : Add permission for gpu access
type dri_device, dev_type, mlstrustedobject;
+
+# Date : 2020/07/16
+# Operation : R Migration
+# Purpose : Add permission for adsp access
+type adsp_misc_device, dev_type;
diff --git a/non_plat/dumpstate.te b/non_plat/dumpstate.te
index cc3c3ad..22cae01 100644
--- a/non_plat/dumpstate.te
+++ b/non_plat/dumpstate.te
@@ -14,36 +14,36 @@ allow dumpstate aee_exp_data_file:dir { w_dir_perms };
allow dumpstate aee_exp_data_file:file { create_file_perms };
# Purpose: debugfs files
-allow dumpstate debugfs_binder:dir { read open };
-allow dumpstate debugfs_binder:file { read open };
-allow dumpstate debugfs_blockio:file { read open };
+allow dumpstate debugfs_binder:dir r_dir_perms;
+allow dumpstate debugfs_binder:file r_file_perms;
+allow dumpstate debugfs_blockio:file r_file_perms;
allow dumpstate debugfs_fb:dir search;
-allow dumpstate debugfs_fb:file { read open };
+allow dumpstate debugfs_fb:file r_file_perms;
allow dumpstate debugfs_fuseio:dir search;
-allow dumpstate debugfs_fuseio:file { read open };
+allow dumpstate debugfs_fuseio:file r_file_perms;
allow dumpstate debugfs_ged:dir search;
-allow dumpstate debugfs_ged:file { read open };
+allow dumpstate debugfs_ged:file r_file_perms;
allow dumpstate debugfs_rcu:dir search;
-allow dumpstate debugfs_shrinker_debug:file { read open };
-allow dumpstate debugfs_wakeup_sources:file { read open };
-allow dumpstate debugfs_dmlog_debug:file { read open };
-allow dumpstate debugfs_page_owner_slim_debug:file { read open };
+allow dumpstate debugfs_shrinker_debug:file r_file_perms;
+allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+allow dumpstate debugfs_dmlog_debug:file r_file_perms;
+allow dumpstate debugfs_page_owner_slim_debug:file r_file_perms;
allow dumpstate debugfs_ion_mm_heap:dir search;
-allow dumpstate debugfs_ion_mm_heap:file { read open };
+allow dumpstate debugfs_ion_mm_heap:file r_file_perms;
allow dumpstate debugfs_ion_mm_heap:lnk_file read;
allow dumpstate debugfs_cpuhvfs:dir search;
-allow dumpstate debugfs_cpuhvfs:file { read open };
-allow dumpstate debugfs_vpu_device_dbg:file { read open };
+allow dumpstate debugfs_cpuhvfs:file r_file_perms;
+allow dumpstate debugfs_vpu_device_dbg:file r_file_perms;
# Purpose: /sys/kernel/ccci/md_chn
allow dumpstate sysfs_ccci:dir search;
-allow dumpstate sysfs_ccci:file { read open };
+allow dumpstate sysfs_ccci:file r_file_perms;
# Purpose: leds status
allow dumpstate sysfs_leds:lnk_file read;
# Purpose: /sys/module/lowmemorykiller/parameters/adj
-allow dumpstate sysfs_lowmemorykiller:file { read open };
+allow dumpstate sysfs_lowmemorykiller:file r_file_perms;
allow dumpstate sysfs_lowmemorykiller:dir search;
# Purpose: /dev/block/mmcblk0p10
@@ -188,3 +188,11 @@ hal_client_domain(dumpstate, hal_light)
#Purpose: Allow dumpstate to read /sys/kernel/tracing/instances/mmstat/trace
allow dumpstate debugfs_tracing_instances:dir r_dir_perms;
allow dumpstate debugfs_tracing_instances:file r_file_perms;
+
+allow dumpstate proc_ion:dir r_dir_perms;
+allow dumpstate proc_ion:file r_file_perms;
+allow dumpstate proc_m4u_dbg:dir r_dir_perms;
+allow dumpstate proc_m4u_dbg:file r_file_perms;
+allow dumpstate proc_mtkfb:file r_file_perms;
+
+allow dumpstate debugfs_cmdq:file r_file_perms;
diff --git a/non_plat/factory.te b/non_plat/factory.te
index ddf43c9..4d56052 100644
--- a/non_plat/factory.te
+++ b/non_plat/factory.te
@@ -203,6 +203,13 @@ allow factory camera_owe_device:chr_file rw_file_perms;
allow factory camera_mfb_device:chr_file rw_file_perms;
hal_client_domain(factory, hal_power)
get_prop(factory, vendor_mtk_mediatek_prop)
+# Date: 2020/07/20
+# Operation : For M4U security
+allow factory proc_m4u:file r_file_perms;
+allowxperm factory proc_m4u:file ioctl {
+ MTK_M4U_T_SEC_INIT
+ MTK_M4U_T_CONFIG_PORT
+};
#Purpose: For FM test and headset test
allow factory accdet_device:chr_file r_file_perms;
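Review bot: The header `# Operation : For M4U security` states a purpose rather than an operation and does not say what the two ioctls do; with names like `MTK_M4U_T_SEC_INIT` and `MTK_M4U_T_CONFIG_PORT` the factory domain is being allowed to drive secure-IOMMU initialisation and port configuration, which deserves a sentence. Suggest the file's usual two-line form, `# Operation : R migration` / `# Purpose : factory test drives secure M4U (IOMMU) init and port config via the proc_m4u node`, with the path confirmed from genfs_contexts. Both ioctl names must resolve at build time; non_plat/ioctl_defines is in the diffstat with a two-line change, presumably defining them.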
@@ -281,10 +288,10 @@ hal_client_domain(factory, hal_nfc);
# Date : WK17.32
# Operation : O Migration
# Purpose: Allow to access cmdq driver
-allow factory mtk_cmdq_device:chr_file { read ioctl open };
-allow factory mtk_mdp_device:chr_file rw_file_perms;
-allow factory mtk_mdp_sync:chr_file rw_file_perms;
-allow factory sw_sync_device:chr_file rw_file_perms;
+allow factory mtk_cmdq_device:chr_file r_file_perms;
+allow factory mtk_mdp_device:chr_file r_file_perms;
+allow factory mtk_mdp_sync:chr_file r_file_perms;
+allow factory sw_sync_device:chr_file r_file_perms;
# Date: WK1733
# Purpose: add selinux policy to stop 'ccci_fsd' for clear emmc in factory mode
@@ -428,3 +435,4 @@ allow factory factory_vendor_file:dir { w_dir_perms };
# Purpose : Add permission for health HAL and vbus
hal_client_domain(factory, hal_health);
allow factory sysfs_vbus:file r_file_perms;
+allow factory sysfs_chg2_present:file r_file_perms;
diff --git a/non_plat/file.te b/non_plat/file.te
index a7f0486..2610fde 100644
--- a/non_plat/file.te
+++ b/non_plat/file.te
@@ -269,6 +269,9 @@ type debugfs_gpu_mali_utgard, fs_type, debugfs_type;
type debugfs_gpu_img, fs_type, debugfs_type;
type debugfs_ion, fs_type, debugfs_type;
+# memtrack procfs file
+type procfs_gpu_img, fs_type, proc_type;
+
# /sys/kernel/debug/ion/ion_mm_heap
type debugfs_ion_mm_heap, fs_type, debugfs_type;
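Review bot: `procfs_gpu_img` breaks this file's naming convention: every other proc_type declared here is `proc_*` (proc_displowpower, proc_ion, proc_m4u_dbg, proc_mtkfb, proc_swappiness in this same commit), and the new type is wedged between two debugfs declarations under a bare `# memtrack procfs file` comment. Suggest `type proc_gpu_img, fs_type, proc_type;` with a header in the file's form, `# Purpose : IMG GPU procfs node read by the memtrack HAL`, placed with the other proc_type declarations at the end of the file. Any rename must be carried into the genfs_contexts and hal_memtrack_default.te changes of this commit (both in the diffstat; those hunks are not in view).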
@@ -320,6 +323,7 @@ type sysfs_usb_nonplat, fs_type, sysfs_type;
# Date : WK1820
# Purpose : for charger to access pump_express
type sysfs_pump_express, fs_type, sysfs_type;
+type sysfs_chg2_present, fs_type, sysfs_type;
# Widevine move data/mediadrm folder from system to vendor
type mediadrm_vendor_data_file, file_type, data_file_type;
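Review bot: `type sysfs_chg2_present, fs_type, sysfs_type;` is appended to a block whose header reads `# Purpose : for charger to access pump_express`, so it inherits an unrelated rationale; elsewhere in this commit genfs_contexts maps it to `.../mtk-slave-charger/present` and factory.te reads it. Suggest its own header, `# Date : <date>` / `# Purpose : factory reads slave-charger presence (sysfs .../mtk-slave-charger/present)`, so the type is traceable without grepping the other files.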
@@ -346,10 +350,6 @@ type rilproxy_atci_socket, file_type;
type atci_service_socket, file_type;
type adb_atci_socket, file_type;
-# Date : 2018/11/01
-# Purpose : mtk EM c2k bypass read usb file
-type sys_usb_rawbulk, fs_type, sysfs_type;
-
# Backlight brightness file
type sysfs_leds_setting, fs_type, sysfs_type;
@@ -492,3 +492,34 @@ type sysfs_cache_status, fs_type, sysfs_type;
# Date : 2020/06/12
# Purpose: define sysfs_mali_power_policy fs_type
type sysfs_mali_power_policy, fs_type, sysfs_type;
+
+# Date : 2020/06/12
+# Operation: R migration
+# Purpose: Allow powerhal to control displowpower
+type proc_displowpower, fs_type, proc_type;
+
+# Date : 2020/06/29
+# Operation: R migration
+# Purpose: Add permission for access /proc/ion/*
+type proc_ion, fs_type, proc_type;
+
+# Date : 2020/07/01
+# Operation: R migration
+# Purpose: Add permission for access /proc/m4u_dbg/*
+type proc_m4u_dbg, fs_type, proc_type;
+
+# Date : 20120/07/02
+# Purpose: define sysfs_mtk_nanohub_state fs_type
+type sysfs_mtk_nanohub_state, fs_type, sysfs_type;
+
+type proc_mtkfb, fs_type, proc_type;
+
+# Date : 2020/07/08
+# Purpose: add permission for /proc/sys/vm/swappiness
+type proc_swappiness, fs_type, proc_type;
+
+type debugfs_cmdq, fs_type, debugfs_type;
+
+# Date : 20120/07/13
+# Purpose: define sysfs_dvfsrc_dbg fs_type
+type sysfs_dvfsrc_dbg, fs_type, sysfs_type;
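Review bot: Two of the new headers carry an impossible year, `# Date : 20120/07/02` and `# Date : 20120/07/13`; they should read `2020/07/02` and `2020/07/13`. `type proc_mtkfb, fs_type, proc_type;` and `type debugfs_cmdq, fs_type, debugfs_type;` are the only declarations in this hunk without a Date/Purpose header; this commit grants both to dumpstate and aee_aedv, so e.g. `# Purpose : mtkfb proc node read by dumpstate and aee_aedv` and `# Purpose : cmdq debugfs node read by dumpstate and aee_aedv` (paths to be confirmed against genfs_contexts) would keep the file self-describing.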
diff --git a/non_plat/file_contexts b/non_plat/file_contexts
index fd38259..ce9ad69 100644
--- a/non_plat/file_contexts
+++ b/non_plat/file_contexts
@@ -550,6 +550,9 @@
# W19.23 Q new feature - Userdata Checkpoint
/dev/block/by-name/md_udc u:object_r:metadata_block_device:s0
+# W20.29 R migration - ADSP for tablet
+/dev/adsp_misc(/.*)? u:object_r:adsp_misc_device:s0
+
#############################
# System files
#
@@ -620,7 +623,7 @@
#PQ hal
/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.pq@2\.2-service u:object_r:mtk_hal_pq_exec:s0
#MMS hal
-/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.mms@1\.4-service u:object_r:mtk_hal_mms_exec:s0
+/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.mms@1\.5-service u:object_r:mtk_hal_mms_exec:s0
# Keymaster Attestation Hal
/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.keymaster_attestation@1\.1-service u:object_r:hal_keymaster_attestation_exec:s0
#ST NFC 1.2 hidl service
@@ -670,6 +673,8 @@
/vendor/lib(64)?/libgralloc_extra\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libgpu_aux\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libgpud\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgralloc_metadata\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgralloctypes_mtk\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libged\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/arm\.graphics-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
@@ -680,6 +685,7 @@
/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl-2\.1\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@4\.0-impl-mediatek\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/vendor\.mediatek\.hardware\.mms@[0-9]\.[0-9]\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libdpframework\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libpq_cust_base\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.mediatek\.hardware\.pq@[0-9]\.[0-9]\.so u:object_r:same_process_hal_file:s0
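Review bot: Labelling `vendor\.mediatek\.hardware\.mms@[0-9]\.[0-9]\.so` as same_process_hal_file means the library may be loaded into any client process, including apps, rather than only into the mms HAL service; the hunk above labels a binderized `mms@1\.5-service` executable, and an interface library for a binderized HAL normally needs this label only when some same-process client actually dlopens it. Worth confirming that such a consumer exists, and if so recording it, e.g. `# loaded in-process by <client> — same_process_hal_file required`; otherwise the default vendor library label is the tighter choice.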
@@ -747,3 +753,8 @@
# Operation: R migration
# Purpose : Add permission for acess vendor_de.
/data/vendor_de/factory(/.*)? u:object_r:factory_vendor_file:s0
+
+# Date: 2020/06/16
+# Operation: R migration
+# Purpose: Add permission for boot control lazy HAL
+/vendor/bin/hw/android\.hardware\.boot@[0-9]+\.[0-9]+-service-lazy u:object_r:hal_bootctl_default_exec:s0
diff --git a/non_plat/genfs_contexts b/non_plat/genfs_contexts
index 9b78eef..8eb8e9d 100644
--- a/non_plat/genfs_contexts
+++ b/non_plat/genfs_contexts
@@ -39,6 +39,7 @@ genfscon proc /ufs_debug u:object_r:proc_ufs_debug:s0
genfscon proc /pidmap u:object_r:proc_pidmap:s0
genfscon proc /mtk_memcfg/slabtrace u:object_r:proc_slabtrace:s0
genfscon proc /mtk_cmdq_debug/status u:object_r:proc_cmdq_debug:s0
+genfscon proc /mtk_cmdq_debug/record u:object_r:proc_cmdq_debug:s0
genfscon proc /cpuhvfs/dbg_repo u:object_r:proc_dbg_repo:s0
# Purpose dump not exit file
@@ -78,11 +79,14 @@ genfscon sysfs /bus/platform/drivers/meta_uart_port_info/meta_uart_port_info u:o
genfscon sysfs /devices/platform/battery u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /devices/platform/charger/Pump_Express u:object_r:sysfs_pump_express:s0
genfscon sysfs /devices/platform/battery/Pump_Express u:object_r:sysfs_pump_express:s0
+genfscon sysfs /devices/platform/charger/power_supply/mtk-slave-charger/present u:object_r:sysfs_chg2_present:s0
genfscon sysfs /devices/platform/mt_charger/power_supply u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-gauge/power_supply u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /devices/platform/soc/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6359-gauge/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-gauge/power_supply u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /devices/platform/11016000.i2c5/i2c-5/5-0034/mt6370_pmu_charger/power_supply u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /devices/platform/soc/11016000.i2c5/i2c-5/5-0034/mt6360_pmu_chg.2.auto/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/soc/11e00000.i2c/i2c-7/7-0034/mt6360_chg.1.auto/power_supply u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-charger-type-detection/power_supply u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /devices/platform/mt-rtc/rtc u:object_r:sysfs_rtc:s0
genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6359-pmic/mt6359-rtc/rtc u:object_r:sysfs_rtc:s0
@@ -96,7 +100,8 @@ genfscon sysfs /devices/platform/mt_usb/musb-hdrc/cmode u:object_r:sysfs_usb_non
genfscon sysfs /devices/platform/11270000.usb3/musb-hdrc/cmode u:object_r:sysfs_usb_nonplat:s0
genfscon sysfs /devices/platform/soc/usb0/cmode u:object_r:sysfs_usb_nonplat:s0
genfscon sysfs /devices/platform/mt_usb/musb-hdrc/usb1 u:object_r:sysfs_usb_nonplat:s0
-genfscon sysfs /devices/platform/soc/usb0/xhci0/usb1 u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/soc/usb0/11200000.xhci0/usb1 u:object_r:sysfs_usb_nonplat:s0
+genfscon sysfs /devices/platform/usb_xhci/usb1 u:object_r:sysfs_usb_nonplat:s0
genfscon sysfs /devices/virtual/BOOT/BOOT/boot/boot_mode u:object_r:sysfs_boot_mode:s0
genfscon sysfs /devices/virtual/BOOT/BOOT/boot/boot_type u:object_r:sysfs_boot_type:s0
@@ -130,26 +135,31 @@ genfscon sysfs /power/vcorefs/opp_table u:object_r:sysfs_vcore_debug:s0
genfscon sysfs /devices/virtual/timed_output/vibrator u:object_r:sysfs_vibrator:s0
genfscon sysfs /devices/platform/odm/odm:vibrator@0/leds/vibrator u:object_r:sysfs_vibrator:s0
genfscon sysfs /devices/platform/soc/soc:regulator_vibrator/leds/vibrator u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/soc/soc:pwm_leds/leds/lcd-backlight u:object_r:sysfs_leds:s0
genfscon sysfs /devices/platform/regulator_vibrator/leds/vibrator u:object_r:sysfs_vibrator:s0
genfscon sysfs /devices/platform/leds-mt65xx/leds u:object_r:sysfs_leds:s0
genfscon sysfs /devices/platform/pwmleds/leds u:object_r:sysfs_leds:s0
genfscon sysfs /devices/platform/disp_leds/leds u:object_r:sysfs_leds:s0
-# Date : 2018/11/01
-# Purpose : mtk EM c2k bypass read usb file
-genfscon sysfs /devices/virtual/usb_rawbulk u:object_r:sys_usb_rawbulk:s0
#Date : 2018/11/22
#Purpose: allow mdlogger to read mdinfo file
genfscon sysfs /kernel/md/mdee u:object_r:sysfs_mdinfo:s0
# Date : 2019/07/03
-# Purpose: SIU update mmcblk access
-genfscon sysfs /devices/platform/bootdevice/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0
-genfscon sysfs /devices/mtk-msdc.0/11230000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0
-genfscon sysfs /devices/platform/mtk-msdc.0/11230000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0
-genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:0/block/sda u:object_r:sysfs_devices_block:s0
-genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:1/block/sdb u:object_r:sysfs_devices_block:s0
-genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:2/block/sdc u:object_r:sysfs_devices_block:s0
+# Purpose: SIU update sysfs_devices_block access for emmc and ufs
+genfscon sysfs /devices/platform/bootdevice/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/mtk-msdc.0/11230000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/mtk-msdc.0/11230000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:0/block/sda u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:1/block/sdb u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:2/block/sdc u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:0/block/sda u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:1/block/sdb u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc15 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc33 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc43 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc53 u:object_r:sysfs_devices_block:s0
# Date : 2019/07/12
# Purpose:dumpstate mmcblk1 access
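Review bot: The six `sysfs_devices_block` lines for mmcblk0/sda/sdb/sdc are removed and re-added byte-identically, which suggests a line-ending or trailing-whitespace change; the real additions are the `11270000.ufshci` lines and the reworded comment, and the hunk would be easier to audit without the rewrite. The per-partition entries `.../block/sdc/sdc15`, `sdc33`, `sdc43` and `sdc53` carry the same label as their parent `.../block/sdc` entry; genfscon matches by longest path prefix, so the parent line already labels everything beneath it and those four lines are redundant unless a different label is intended. Separately, the new `lcd-backlight` entry labelled `sysfs_leds` is inserted among the vibrator lines rather than next to the other `sysfs_leds` entries that follow it.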
@@ -294,8 +304,8 @@ genfscon sysfs /firmware/devicetree/base/chosen/atag,chipid u:object_r:sysfs_chi
# Date : 2019/10/18
# Purpose : allow system_server to access rt5509 param and calib node
-genfscon sysfs /devices/platform/rt5509_param.0 u:object_r:sysfs_rt_param:s0
-genfscon sysfs /devices/virtual/rt5509_cal/rt5509.0 u:object_r:sysfs_rt_calib:s0
+genfscon sysfs /devices/platform/1100f000.i2c3/i2c-3/3-0034/rt5509_param.0 u:object_r:sysfs_rt_param:s0
+genfscon sysfs /devices/platform/1100f000.i2c3/i2c-3/3-0034/rt5509_cal/rt5509.0 u:object_r:sysfs_rt_calib:s0
# 2019/11/14
# Purpose: Allow powerhal to control MCDI
@@ -338,3 +348,60 @@ genfscon sysfs /kernel/gbe u:object_r:sysfs_gbe:s0
# Date : 2020/06/12
# Purpose : Allow powerhal to control mali power policy
genfscon sysfs /class/misc/mali0/device/power_policy u:object_r:sysfs_mali_power_policy:s0
+
+# 2020/06/12
+# Operation: R migration
+# Purpose: Allow powerhal to control displowpower
+genfscon proc /displowpower u:object_r:proc_displowpower:s0
+
+# Date : WK20.25
+# Operation: R migration
+# Purpose : for VTS NetdSELinuxTest.CheckProperMTULabels requirement.
+genfscon sysfs /devices/platform/18000000.wifi/net/wlan0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/18000000.wifi/net/wlan1/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/soc/18000000.wifi/net/wlan0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/soc/18000000.wifi/net/wlan1/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/180f0000.wifi/net/wlan0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/180f0000.wifi/net/wlan1/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/180f0000.wifi/net/p2p0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/180f0000.wifi/net/p2p1/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/bus/180f0000.WIFI/net/wlan0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/bus/180f0000.WIFI/net/wlan1/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/bus/180f0000.WIFI/net/p2p0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/bus/180f0000.WIFI/net/p2p1/mtu u:object_r:sysfs_net:s0
+
+# 2020/06/29
+# Operation: R migration
+# Purpose: Add permission for access /proc/ion/*
+genfscon proc /ion u:object_r:proc_ion:s0
+
+# 2020/07/01
+# Operation: R migration
+# Purpose: Add permission for access /proc/m4u_dbg/*
+genfscon proc /m4u_dbg u:object_r:proc_m4u_dbg:s0
+
+# Date : 2020/07/02
+# Purpose : mtk nanohub sensor state detect
+genfscon sysfs /bus/platform/drivers/mtk_nanohub/state u:object_r:sysfs_mtk_nanohub_state:s0
+
+genfscon proc /mtkfb u:object_r:proc_mtkfb:s0
+
+# 2020/07/07
+# Operation: R migration
+# Purpose: Add permission for access /proc/pvr/*
+genfscon proc /pvr u:object_r:procfs_gpu_img:s0
+
+# Date : 2020/07/08
+# Purpose: add permission for /proc/sys/vm/swappiness
+genfscon proc /sys/vm/swappiness u:object_r:proc_swappiness:s0
+
+genfscon debugfs /cmdq/cmdq-status u:object_r:debugfs_cmdq:s0
+genfscon debugfs /cmdq/cmdq-record u:object_r:debugfs_cmdq:s0
+
+# Date : 2020/07/13
+# Purpose : Add permission for access dvfsrc dbg sysfs
+genfscon sysfs /devices/platform/10012000.dvfsrc/helio-dvfsrc u:object_r:sysfs_dvfsrc_dbg:s0
+genfscon sysfs /devices/platform/10012000.dvfsrc/10012000.dvfsrc:dvfsrc-debug u:object_r:sysfs_dvfsrc_dbg:s0
+genfscon sysfs /devices/platform/10012000.dvfsrc/10012000.dvfsrc:dvfsrc-up u:object_r:sysfs_dvfsrc_dbg:s0
+genfscon sysfs /devices/platform/soc/10012000.dvfsrc/10012000.dvfsrc:dvfsrc-debug u:object_r:sysfs_dvfsrc_dbg:s0
+genfscon sysfs /devices/platform/soc/10012000.dvfsrc/10012000.dvfsrc:dvfsrc-up u:object_r:sysfs_dvfsrc_dbg:s0
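Review bot: The `genfscon proc /mtkfb …` entry and the two `debugfs /cmdq/…` entries are the only additions in this hunk without the `# Date`/`# Purpose` header that every neighbouring entry carries, so a later audit cannot tell which domain needed them or whether they can be dropped. Suggest `# Purpose : <consumer domain — TODO fill in>` above `genfscon proc /mtkfb u:object_r:proc_mtkfb:s0` and likewise above the cmdq pair. The dedicated `proc_swappiness` label is what scopes the vendor_init write added later in this commit, so keep it a separate type rather than folding it into a generic proc label.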
diff --git a/non_plat/hal_graphics_composer_default.te b/non_plat/hal_graphics_composer_default.te
index 03bd5c7..58e3210 100644
--- a/non_plat/hal_graphics_composer_default.te
+++ b/non_plat/hal_graphics_composer_default.te
@@ -25,7 +25,7 @@ allow hal_graphics_composer_default debugfs_tracing:file open;
# Date : WK17.30
# Operation : O Migration
# Purpose: Allow to access cmdq driver
-allow hal_graphics_composer_default mtk_cmdq_device:chr_file { read ioctl open };
+allow hal_graphics_composer_default mtk_cmdq_device:chr_file r_file_perms;
# Date : W17.30
# Add for control PowerHAL
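Review bot: Replacing `{ read ioctl open }` with `r_file_perms` on the `mtk_cmdq_device` line is a widening, not a cleanup: the AOSP macro also grants at least `getattr`, `lock` and `map`, so the composer gains mmap on the cmdq node, while the `ioctl` it keeps is still unconstrained by any `allowxperm`. If the driver is not mapped, keep the explicit set, `allow hal_graphics_composer_default mtk_cmdq_device:chr_file { read ioctl open };`, or pair the rule with an `allowxperm` listing the cmdq ioctls the way `proc_ged` is handled further down this file. The same substitution is made in this commit for mediacodec, mediaserver, mtk_hal_camera, mtk_hal_mms and surfaceflinger, and the same comment applies there.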
@@ -41,8 +41,8 @@ set_prop(hal_graphics_composer_default, vendor_mtk_graphics_hwc_validate_separat
# Date : WK18.03
# Purpose: Allow to access property dev/mdp_sync
-allow hal_graphics_composer_default mtk_mdp_sync:chr_file rw_file_perms;
-allow hal_graphics_composer_default mtk_mdp_device:chr_file rw_file_perms;
+allow hal_graphics_composer_default mtk_mdp_sync:chr_file r_file_perms;
+allow hal_graphics_composer_default mtk_mdp_device:chr_file r_file_perms;
allow hal_graphics_composer_default mdp_device:chr_file rw_file_perms;
allow hal_graphics_composer_default tee_device:chr_file rw_file_perms;
allowxperm hal_graphics_composer_default proc_ged:file ioctl { proc_ged_ioctls };
diff --git a/non_plat/hal_memtrack_default.te b/non_plat/hal_memtrack_default.te
index 8594ac3..5a75130 100644
--- a/non_plat/hal_memtrack_default.te
+++ b/non_plat/hal_memtrack_default.te
@@ -7,3 +7,11 @@ allow hal_memtrack debugfs_gpu_img:dir search;
allow hal_memtrack debugfs_gpu_img:file {open read getattr };
allow hal_memtrack debugfs_ion:dir rw_dir_perms;
allow hal_memtrack debugfs_ion:file {open read getattr };
+allow hal_memtrack procfs_gpu_img:dir search;
+allow hal_memtrack procfs_gpu_img:file r_file_perms;
+
+# Date : 2020/06/29
+# Operation: R migration
+# Purpose: Add permission for access /proc/ion/*
+allow hal_memtrack proc_ion:dir r_dir_perms;
+allow hal_memtrack proc_ion:file r_file_perms;
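Review bot: The two `procfs_gpu_img` rules at the top of the addition have no `# Date`/`# Purpose` header, unlike the `proc_ion` block directly below them and the rest of the file. Suggest `# Purpose : Allow memtrack to read /proc/pvr/*` above `allow hal_memtrack procfs_gpu_img:dir search;`, matching the `procfs_gpu_img` genfs label this commit adds for `/proc/pvr` in genfs_contexts.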
diff --git a/non_plat/hwservice.te b/non_plat/hwservice.te
index 6d26890..887fc26 100644
--- a/non_plat/hwservice.te
+++ b/non_plat/hwservice.te
@@ -41,7 +41,7 @@ type mtk_hal_em_hwservice, hwservice_manager_type;
# Date: 2018/07/02
# MMS HIDL
-type mtk_hal_mms_hwservice, hwservice_manager_type;
+type mtk_hal_mms_hwservice, hwservice_manager_type, mtk_safe_hwservice_manager_type;
type hal_atci_hwservice, hwservice_manager_type;
type mtk_hal_keymanage_hwservice, hwservice_manager_type;
diff --git a/non_plat/ioctl_defines b/non_plat/ioctl_defines
index 4204989..06bf7b0 100644
--- a/non_plat/ioctl_defines
+++ b/non_plat/ioctl_defines
@@ -71,3 +71,5 @@ define(`MTK_M4U_T_DMA_OP', `0x671d')
define(`MTK_M4U_T_SEC_INIT', `0x6732')
define(`MTK_M4U_T_CONFIG_PORT_ARRAY', `0x671a')
define(`MTK_M4U_T_CACHE_SYNC', `0x670a')
+define(`MTK_M4U_GZ_SEC_INIT', `0x673c')
+
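Review bot: The new `MTK_M4U_GZ_SEC_INIT` define is not referenced by any `allowxperm` in the hunks visible here; if the consuming rule lives in a file this chunk does not show, fine, otherwise the define is dead and should either gain its consumer or be dropped. A one-line comment naming the domain that issues the ioctl would make that check trivial next time. The hunk also adds an empty line after the define, leaving the file ending in a blank line — drop it.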
diff --git a/non_plat/mediacodec.te b/non_plat/mediacodec.te
index 2be21d7..853da9b 100644
--- a/non_plat/mediacodec.te
+++ b/non_plat/mediacodec.te
@@ -114,10 +114,10 @@ allow mediacodec debugfs_ion:dir search;
# Date : WK17.30
# Operation : O Migration
# Purpose: Allow mediacodec to access cmdq driver
-allow mediacodec mtk_cmdq_device:chr_file { read ioctl open };
-allow mediacodec mtk_mdp_device:chr_file rw_file_perms;
-allow mediacodec mtk_mdp_sync:chr_file rw_file_perms;
-allow mediacodec sw_sync_device:chr_file rw_file_perms;
+allow mediacodec mtk_cmdq_device:chr_file r_file_perms;
+allow mediacodec mtk_mdp_device:chr_file r_file_perms;
+allow mediacodec mtk_mdp_sync:chr_file r_file_perms;
+allow mediacodec sw_sync_device:chr_file r_file_perms;
# Date : WK17.28
# Operation : MT6757 SQC
diff --git a/non_plat/mediaserver.te b/non_plat/mediaserver.te
index 6f88644..4b8fb26 100644
--- a/non_plat/mediaserver.te
+++ b/non_plat/mediaserver.te
@@ -292,9 +292,9 @@ allow mediaserver camera_owe_device:chr_file rw_file_perms;
# Date : WK17.30
# Operation : O Migration
# Purpose: Allow to access cmdq driver
-allow mediaserver mtk_cmdq_device:chr_file { read ioctl open };
-allow mediaserver mtk_mdp_device:chr_file rw_file_perms;
-allow mediaserver mtk_mdp_sync:chr_file rw_file_perms;
+allow mediaserver mtk_cmdq_device:chr_file r_file_perms;
+allow mediaserver mtk_mdp_device:chr_file r_file_perms;
+allow mediaserver mtk_mdp_sync:chr_file r_file_perms;
# Date : WK17.43
# Operation : Migration
diff --git a/non_plat/meta_tst.te b/non_plat/meta_tst.te
index 276ace8..940af74 100644
--- a/non_plat/meta_tst.te
+++ b/non_plat/meta_tst.te
@@ -426,3 +426,8 @@ allow meta_tst self:capability2 {block_suspend};
# Date : WK20.14
# Purpose: Allow meta connect GPS MNLD
allow meta_tst mnld:unix_stream_socket connectto;
+
+# Date : WK20.25
+# Operation: Android R migration
+# Purpose : for sensor test
+allow meta_tst hf_manager_device:chr_file rw_file_perms;
diff --git a/non_plat/mtk_agpsd.te b/non_plat/mtk_agpsd.te
index c805795..40abed3 100644
--- a/non_plat/mtk_agpsd.te
+++ b/non_plat/mtk_agpsd.te
@@ -68,3 +68,5 @@ get_prop(mtk_agpsd, vendor_mtk_mnld_prop)
# Read the property of ro.vendor.mtk_log_hide_gps
get_prop(mtk_agpsd, vendor_mtk_gps_support_prop)
+
+wakelock_use(mtk_agpsd)
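Review bot: `wakelock_use(mtk_agpsd)` is added with no `# Date`/`# Purpose` comment while every other rule in this file is annotated, and the macro grants the `block_suspend` capability, which is exactly the kind of grant a later reviewer will want a rationale for. Suggest `# Date : <WKxx.xx — TODO>` and `# Purpose : Allow agpsd to hold a wake lock during <operation — TODO>` above it.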
diff --git a/non_plat/mtk_hal_audio.te b/non_plat/mtk_hal_audio.te
index 24894b7..e09b0ef 100644
--- a/non_plat/mtk_hal_audio.te
+++ b/non_plat/mtk_hal_audio.te
@@ -240,3 +240,18 @@ allow mtk_hal_audio dri_device:chr_file rw_file_perms;
allow mtk_hal_audio gpu_device:dir search;
allow mtk_hal_audio mtk_hal_bluetooth_audio_hwservice:hwservice_manager find;
+
+# Date : WK20.26
+allow mtk_hal_audio sysfs_dt_firmware_android:file r_file_perms;
+allow mtk_hal_audio metadata_file:dir search;
+allow mtk_hal_audio nvdata_file:dir create_dir_perms;
+
+# Date : WK20.29
+# Purpose: no trigger avc log when call nvram api
+dontaudit mtk_hal_audio gsi_metadata_file:dir search;
+
+# Date : WK20.29
+# Operation : Migration
+# Purpose : SoundTrigger Hal for tablet
+allow mtk_hal_audio adsp_misc_device:chr_file rw_file_perms;
+allow mtk_hal_audio self:netlink_kobject_uevent_socket getopt; \ No newline at end of file
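Review bot: `allow mtk_hal_audio nvdata_file:dir create_dir_perms;` grants directory create, delete and rename on nvdata, which is broader than the search/read that reading calibration data needs; if the HAL only reads, `r_dir_perms` (or plain `search`, as used for `metadata_file` in the same block) would do — confirm against the denial that motivated it. The WK20.26 block is also the only one here without a `# Purpose` line. The file now ends without a trailing newline (see the marker on the last added line); add one.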
diff --git a/non_plat/mtk_hal_camera.te b/non_plat/mtk_hal_camera.te
index 2c01db3..131095e 100644
--- a/non_plat/mtk_hal_camera.te
+++ b/non_plat/mtk_hal_camera.te
@@ -265,9 +265,9 @@ allow mtk_hal_camera hal_graphics_composer_default:fd use;
# Date : WK17.30
# Operation : O Migration
# Purpose: Allow to access cmdq driver
-allow mtk_hal_camera mtk_cmdq_device:chr_file { read ioctl open };
-allow mtk_hal_camera mtk_mdp_device:chr_file rw_file_perms;
-allow mtk_hal_camera mtk_mdp_sync:chr_file rw_file_perms;
+allow mtk_hal_camera mtk_cmdq_device:chr_file r_file_perms;
+allow mtk_hal_camera mtk_mdp_device:chr_file r_file_perms;
+allow mtk_hal_camera mtk_mdp_sync:chr_file r_file_perms;
# Date : WK17.36
# Operation : O Migration
diff --git a/non_plat/mtk_hal_mms.te b/non_plat/mtk_hal_mms.te
index e2cd478..d5e62b1 100644
--- a/non_plat/mtk_hal_mms.te
+++ b/non_plat/mtk_hal_mms.te
@@ -5,7 +5,7 @@
# Type Declaration
# ==============================================
-type mtk_hal_mms, domain;
+type mtk_hal_mms, domain, mtk_safe_halserverdomain_type;
type mtk_hal_mms_exec, exec_type, file_type, vendor_file_type;
# ==============================================
@@ -16,7 +16,7 @@ type mtk_hal_mms_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(mtk_hal_mms)
# Allow to use HWBinder IPC
-hwbinder_use(mtk_hal_mms);
+hwbinder_use(mtk_hal_mms)
# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
hal_server_domain(mtk_hal_mms, hal_mms)
@@ -27,15 +27,15 @@ add_hwservice(hal_mms_server, mtk_hal_mms_hwservice)
# Purpose : Allow to use kernel driver
allow mtk_hal_mms graphics_device:chr_file { read write open ioctl };
allow mtk_hal_mms ion_device:chr_file { read open ioctl };
-allow mtk_hal_mms mtk_cmdq_device:chr_file { read open ioctl };
-allow mtk_hal_mms mtk_mdp_device:chr_file rw_file_perms;
-allow mtk_hal_mms mtk_mdp_sync:chr_file rw_file_perms;
-allow mtk_hal_mms sw_sync_device:chr_file rw_file_perms;
-allow mtk_hal_mms mtk_hal_pq_hwservice:hwservice_manager find;
+allow mtk_hal_mms mtk_cmdq_device:chr_file r_file_perms;
+allow mtk_hal_mms mtk_mdp_device:chr_file r_file_perms;
+allow mtk_hal_mms mtk_mdp_sync:chr_file r_file_perms;
+allow mtk_hal_mms sw_sync_device:chr_file r_file_perms;
# Purpose : Allow to use allocator for JPEG
hal_client_domain(mtk_hal_mms, hal_allocator)
-allow mtk_hal_mms mtk_hal_pq:binder call;
+hal_client_domain(mtk_hal_mms, hal_graphics_allocator)
+hal_client_domain(mtk_hal_mms, hal_pq)
# Purpose : Allow to use graphics allocator fd for gralloc_extra
allow mtk_hal_mms hal_graphics_allocator_default:fd use;
@@ -52,7 +52,11 @@ allowxperm mtk_hal_mms proc_mtk_jpeg:file ioctl {
JPG_BRIDGE_ENC_IO_DEINIT
JPG_BRIDGE_ENC_IO_START
};
-# Allow to use mms by JPEG with handle
+
+# Purpose : Allow to use mms by JPEG with handle
allow mtk_hal_mms platform_app:fd use;
# Purpose : Allow Miravision to set Sharpness
allow mtk_hal_mms system_app:fd use;
+
+# Purpose : Allow to set property for AIPQ
+allow mtk_hal_mms apusys_device:chr_file rw_file_perms;
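Review bot: The comment `# Purpose : Allow to set property for AIPQ` does not describe the rule under it, which grants read/write on the `apusys_device` character device rather than any property set. Rewrite it to match the grant, e.g. `# Purpose : Allow AIPQ to access the apusys device`, so that someone matching comments to rules during an audit sees that the MMS HAL now opens the apusys driver directly. The enclosing rule group continues outside the hunk.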
diff --git a/non_plat/mtk_hal_power.te b/non_plat/mtk_hal_power.te
index 9313174..d2d9f86 100644
--- a/non_plat/mtk_hal_power.te
+++ b/non_plat/mtk_hal_power.te
@@ -203,3 +203,9 @@ allow mtk_hal_power proc_cpuidle:file rw_file_perms;
# Operation: SQC
# Purpose : Allow powerhal to control mali power policy
allow mtk_hal_power sysfs_mali_power_policy:file rw_file_perms;
+
+# Date : 2020/06/12
+# Operation: SQC
+# Purpose : Allow powerhal to control displowpower
+allow mtk_hal_power proc_displowpower:dir r_dir_perms;
+allow mtk_hal_power proc_displowpower:file rw_file_perms;
diff --git a/non_plat/mtk_hal_sensors.te b/non_plat/mtk_hal_sensors.te
index 372130d..fddf5a7 100644
--- a/non_plat/mtk_hal_sensors.te
+++ b/non_plat/mtk_hal_sensors.te
@@ -71,3 +71,7 @@ allow mtk_hal_sensors mnt_vendor_file:dir search;
# Date : WK19.48
# Purpose: fix [vts_10.0_r2]VtsHalSensorsV2_0Target fail
allow mtk_hal_sensors merged_hal_service:fd use;
+
+# Date : WK20.25
+# Purpose: Allow to read /bus/platform/drivers/mtk_nanohub/state
+allow mtk_hal_sensors sysfs_mtk_nanohub_state:file r_file_perms;
diff --git a/non_plat/netdiag.te b/non_plat/netdiag.te
index 8554d46..0b4e1ee 100644
--- a/non_plat/netdiag.te
+++ b/non_plat/netdiag.te
@@ -21,3 +21,6 @@ allow netdiag tmpfs:lnk_file read;
# purpose: allow netdiag to access storage in new version
allow netdiag media_rw_data_file:file { create_file_perms };
allow netdiag media_rw_data_file:dir { create_dir_perms };
+
+# purpose: read ip address
+allow netdiag self:netlink_route_socket nlmsg_readpriv; \ No newline at end of file
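Review bot: `nlmsg_readpriv` on `netlink_route_socket` is, as far as I know, the permission that gates the privileged route-netlink requests (RTM_GETLINK on recent Android kernels), which is more than the `read ip address` comment suggests; if the daemon only issues RTM_GETADDR-style queries, `nlmsg_read` is the permission to grant — check the actual denial. Either way, expand the comment to name the request being allowed, e.g. `# purpose: read ip address via RTM_GETADDR/RTM_GETLINK (TODO: confirm which)`. The file also loses its trailing newline in this hunk.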
diff --git a/non_plat/platform_app.te b/non_plat/platform_app.te
index f191824..182c563 100644
--- a/non_plat/platform_app.te
+++ b/non_plat/platform_app.te
@@ -90,11 +90,6 @@ hal_client_domain(platform_app, mtk_hal_fm)
# Purpose : MTKLogger need connect to log hidl server
# Package: com.mediatek.mtklogger
hal_client_domain(platform_app, mtk_hal_log)
-# Date: 2018/11/08
-# Operation : JPEG
-# Purpose : JPEG need to use PQ via MMS HIDL
-allow platform_app mtk_hal_mms_hwservice:hwservice_manager find;
-allow platform_app mtk_hal_mms:binder call;
# Date: 2019/07/04
# Stage: Migration
diff --git a/non_plat/property_contexts b/non_plat/property_contexts
index fff922c..9ecf97f 100644
--- a/non_plat/property_contexts
+++ b/non_plat/property_contexts
@@ -325,3 +325,6 @@ vendor.debug.gpud. u:object_r:vendor_mtk_gpu_prop:s0
#============= sensor set initrc property ==============
ro.vendor.init.sensor.rc u:object_r:vendor_mtk_sensor_prop:s0
+
+#=============add for bluetooth ldac abr====================
+vendor.bluetooth.ldac.abr u:object_r:vendor_mtk_default_prop:s0
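Review bot: `vendor.bluetooth.ldac.abr` is mapped to `vendor_mtk_default_prop`, so every domain allowed to set the default vendor property type can toggle it; a dedicated bluetooth property type would limit writers to the BT stack. Newer entries in this policy also carry an `exact <type>` suffix (see the telephony entries in plat_private/property_contexts), so if this is a boolean the line should read `vendor.bluetooth.ldac.abr u:object_r:vendor_mtk_default_prop:s0 exact bool` — confirm the value type.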
diff --git a/non_plat/surfaceflinger.te b/non_plat/surfaceflinger.te
index 0353697..9df1865 100644
--- a/non_plat/surfaceflinger.te
+++ b/non_plat/surfaceflinger.te
@@ -5,7 +5,7 @@
# Data : WK14.42
# Operation : Migration
# Purpose : Video playback
-allow surfaceflinger sw_sync_device:chr_file { rw_file_perms };
+allow surfaceflinger sw_sync_device:chr_file rw_file_perms;
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
@@ -28,9 +28,10 @@ allow surfaceflinger debugfs_ion:dir search;
# Date : WK17.30
# Operation : O Migration
# Purpose: Allow to access cmdq driver
-allow surfaceflinger mtk_cmdq_device:chr_file { read ioctl open };
+allow surfaceflinger mtk_cmdq_device:chr_file r_file_perms;
allow surfaceflinger mtk_mdp_device:chr_file r_file_perms;
-allow surfaceflinger mtk_mdp_sync:chr_file rw_file_perms;
+allow surfaceflinger mtk_mdp_sync:chr_file r_file_perms;
+allow surfaceflinger sysfs_boot_mode:file r_file_perms;
# Date : W17.39
# Perform Binder IPC.
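Review bot: `allow surfaceflinger sysfs_boot_mode:file r_file_perms;` is appended under the `Allow to access cmdq driver` header although it has nothing to do with cmdq, and carries no date or purpose of its own. Give it its own header, e.g. `# Purpose : Allow surfaceflinger to read boot mode`, so the cmdq block stays accurate for the next reader.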
@@ -64,17 +65,13 @@ get_prop(surfaceflinger, vendor_mtk_graphics_hwc_latch_unsignaled_prop)
get_prop(surfaceflinger, vendor_mtk_graphics_hwc_validate_separate_prop)
allow surfaceflinger hal_graphics_composer_default:dir search;
allow surfaceflinger hal_graphics_composer_default:lnk_file read;
+dontaudit surfaceflinger hal_graphics_composer_default:file r_file_perms;
# Date : WK19.4
# Operation : P Migration
# Purpose: Allow to access /dev/mdp_device driver
allow surfaceflinger mdp_device:chr_file rw_file_perms;
-# Date : WK19.09
-# Purpose: Allow to access property dev/mdp_sync
-#============= surfaceflinger ==============
-allow surfaceflinger mtk_mdp_device:chr_file rw_file_perms;
-
# Date : WK18.43
# Operation : HDR
# Purpose: Allow to skip aosp hdr solution
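Review bot: The new `dontaudit surfaceflinger hal_graphics_composer_default:file r_file_perms;` has no comment saying which access it silences or why, and dontaudit rules are the ones later reviewers cannot reconstruct from logs because the denial is gone. Add `# Purpose : suppress denials on <path — TODO> during <operation — TODO>` above it. Removing the stale `mtk_mdp_device rw_file_perms` duplicate here is what makes the `r_file_perms` tightening earlier in the file effective — worth a sentence in the commit description.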
diff --git a/non_plat/system_app.te b/non_plat/system_app.te
index 2bc6de6..a62e4d3 100644
--- a/non_plat/system_app.te
+++ b/non_plat/system_app.te
@@ -28,12 +28,6 @@ get_prop(system_app, vendor_mtk_thermal_config_prop)
allow system_app aee_exp_data_file:file r_file_perms;
allow system_app aee_exp_data_file:dir r_dir_perms;
-# Date: 2018/11/08
-# Operation : JPEG
-# Purpose : JPEG need to use PQ via MMS HIDL
-allow system_app mtk_hal_mms_hwservice:hwservice_manager find;
-allow system_app mtk_hal_mms:binder call;
-
# Date: 2019/06/14
# Operation : Migration
# Purpose : system_app need vendor_default_prop
@@ -57,3 +51,8 @@ allowxperm system_app proc_mtk_jpeg:file ioctl {
JPG_BRIDGE_DEC_IO_WAIT
JPG_BRIDGE_DEC_IO_UNLOCK
};
+
+# Date: 2020/06/29
+# Purpose: Allow system app to access mtk fpsgo
+allow system_app sysfs_fpsgo:dir search;
+allow system_app sysfs_fpsgo:file r_file_perms;
diff --git a/non_plat/system_server.te b/non_plat/system_server.te
index 0a448e9..8e37c12 100644
--- a/non_plat/system_server.te
+++ b/non_plat/system_server.te
@@ -255,3 +255,11 @@ allowxperm system_server proc_mtk_jpeg:file ioctl {
JPG_BRIDGE_DEC_IO_WAIT
JPG_BRIDGE_DEC_IO_UNLOCK
};
+
+#Date : 2020/06/30
+#Operation : R Migration
+dontaudit system_server kernel:process sigkill;
+
+#Date:2020/07/23
+#Operation:R Migration
+dontaudit system_server iorapd:process setsched;
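Review bot: The two new comment blocks use `#Date :`/`#Operation :` with no space and omit the `Purpose` line, while the rest of the file uses `# Date : …` / `# Purpose : …`; dontaudit rules in particular should record the denial they mask so they can be revisited. Suggest `# Date : 2020/06/30`, `# Operation : R Migration`, `# Purpose : silence <denial — TODO>` for each block.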
diff --git a/non_plat/vendor_init.te b/non_plat/vendor_init.te
index 784fb92..ac0b98d 100644
--- a/non_plat/vendor_init.te
+++ b/non_plat/vendor_init.te
@@ -84,3 +84,7 @@ allow vendor_init debugfs_tracing_debug:file w_file_perms;
# Operation: SQC
# Purpose : Allow vendor_init to control MCDI
allow vendor_init proc_cpuidle:file rw_file_perms;
+
+# Date : 2020/07/08
+# Purpose: add permission for /proc/sys/vm/swappiness
+allow vendor_init proc_swappiness:file w_file_perms;
diff --git a/plat_private/file_contexts b/plat_private/file_contexts
index defa023..50f8ec3 100644
--- a/plat_private/file_contexts
+++ b/plat_private/file_contexts
@@ -15,17 +15,18 @@
#
/system/bin/mobile_log_d u:object_r:mobile_log_d_exec:s0
-/system/bin/aee_core_forwarder u:object_r:aee_core_forwarder_exec:s0
-/system/bin/mdlogger u:object_r:mdlogger_exec:s0
-/system/bin/emdlogger[0-9]+ u:object_r:emdlogger_exec:s0
+/(system_ext|system/system_ext)/bin/aee_core_forwarder u:object_r:aee_core_forwarder_exec:s0
+/(system_ext|system/system_ext)/bin/mdlogger u:object_r:mdlogger_exec:s0
+/(system_ext|system/system_ext)/bin/emdlogger[0-9]+ u:object_r:emdlogger_exec:s0
/system/bin/modemdbfilter_client u:object_r:modemdbfilter_client_exec:s0
/system/bin/netdiag u:object_r:netdiag_exec:s0
/system/bin/loghidlsysservice u:object_r:loghidlsysservice_exec:s0
/system/bin/cmddumper u:object_r:cmddumper_exec:s0
/system/bin/em_svr u:object_r:em_svr_exec:s0
-/system/bin/aee_aed u:object_r:crash_dump_exec:s0
-/system/bin/aee_aed64 u:object_r:crash_dump_exec:s0
-/system/bin/aee_dumpstate u:object_r:dumpstate_exec:s0
+/(system_ext|system/system_ext)/bin/aee u:object_r:crash_dump_exec:s0
+/(system_ext|system/system_ext)/bin/aee_aed u:object_r:crash_dump_exec:s0
+/(system_ext|system/system_ext)/bin/aee_aed64 u:object_r:crash_dump_exec:s0
+/(system_ext|system/system_ext)/bin/aee_dumpstate u:object_r:dumpstate_exec:s0
/system/bin/lbs_dbg u:object_r:lbs_dbg_exec:s0
/system/bin/connsyslogger u:object_r:connsyslogger_exec:s0
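Review bot: The new `aee` entry is labelled `crash_dump_exec`, so the binary executes in the platform crash_dump domain, which in AOSP carries broad ptrace and process-read rights over other domains; the existing `aee_aed`/`aee_aed64` lines already do this, but an additional binary inheriting those privileges deserves a stated reason. Add a comment above the line, e.g. `# aee runs as crash_dump because <reason — TODO>; consider a dedicated exec type if it does not need ptrace`.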
diff --git a/plat_private/property_contexts b/plat_private/property_contexts
index 731038b..fc3324e 100644
--- a/plat_private/property_contexts
+++ b/plat_private/property_contexts
@@ -17,7 +17,6 @@ persist.vendor.MB.logpost u:object_r:system_mtk_mobile_log_post_prop:s0
#=============allow vendor-init/system process access ro.telephony property==============
ro.telephony.sim.count u:object_r:telephony_config_prop:s0 exact int
-ro.telephony.max.active.modems u:object_r:telephony_config_prop:s0 exact int
#=============allow netlog==============
vendor.mtklog u:object_r:system_mtk_debug_mtklog_prop:s0
diff --git a/plat_public/attributes b/plat_public/attributes
index 478dd6f..c9c3780 100644
--- a/plat_public/attributes
+++ b/plat_public/attributes
@@ -99,3 +99,9 @@ attribute hal_atci_server;
attribute mtk_hal_aee;
attribute mtk_hal_aee_client;
attribute mtk_hal_aee_server;
+
+# All types used for mtk's safe hwservice
+attribute mtk_safe_hwservice_manager_type;
+
+# All types used for mtk's safe halserver
+attribute mtk_safe_halserverdomain_type;
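Review bot: The comments on the two new attributes say they mark "safe" hwservices and halservers but not what enforces that; in the hunks visible here only the `type` lines for mtk_hal_mms and mtk_hal_mms_hwservice pick them up, and an attribute no allow or neverallow names grants and restricts nothing. Say where the enforcing rules live, e.g. `# All types used for mtk's safe hwservice; exposed to app domains via <file — TODO>`, and likewise for the halserver attribute. If nothing references them yet, that is worth stating in the commit description.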