From 77d95ce6ccb6046f9a55187c7d1fb873493f0673 Mon Sep 17 00:00:00 2001 From: Tellen Yu Date: Wed, 13 Sep 2017 01:38:59 +0000 Subject: treble: enable full treble mode [3/9] PD# 151674 remove all policies that can not fit full treble, hdmicec daemon use hwbinder instead of binder Change-Id: Ia016d8704167a8782cb4681a3a7327901531365b --- diff --git a/common/bluetooth.mk b/common/bluetooth.mk index 0c63970..3b83ebe 100644 --- a/common/bluetooth.mk +++ b/common/bluetooth.mk @@ -48,8 +48,9 @@ PRODUCT_PACKAGES += Bluetooth \ audio.a2dp.default \ libbt-client-api \ com.broadcom.bt \ + com.broadcom.bt.xml \ android.hardware.bluetooth@1.0-impl \ - com.broadcom.bt.xml + android.hardware.bluetooth@1.0-service PRODUCT_COPY_FILES += \ hardware/amlogic/libbt/data/auto_pairing.conf:$(TARGET_COPY_OUT_VENDOR)/etc/bluetooth/auto_pairing.conf \ diff --git a/common/core_amlogic.mk b/common/core_amlogic.mk index b7ec4b3..5858b2f 100644 --- a/common/core_amlogic.mk +++ b/common/core_amlogic.mk @@ -170,7 +170,7 @@ PRODUCT_PACKAGES += \ systemcontrol \ systemcontrol_static \ libsystemcontrolservice \ - vendor.amlogic.hardware.systemcontrol@1.0 + vendor.amlogic.hardware.systemcontrol@1.0_vendor PRODUCT_PACKAGES += \ OTAUpgrade \ @@ -201,6 +201,7 @@ PRODUCT_PACKAGES += \ ntfs-3g \ ntfsfix \ mkntfs \ + libxml2 \ gralloc.amlogic \ power.amlogic \ hwcomposer.amlogic \ 
@@ -335,20 +336,14 @@ PRODUCT_PROPERTY_OVERRIDES += \ # ######################################################################### PRODUCT_PACKAGES += \ - android.hardware.light@2.0-impl \ - android.hardware.drm@1.0-impl \ android.hardware.soundtrigger@2.0-impl \ - android.hardware.thermal@1.0-impl \ android.hardware.wifi@1.0-service \ - android.hardware.usb@1.0-service \ - android.hardware.tv.cec@1.0-impl \ - android.hardware.health@1.0-impl - -#android.hardware.biometrics.fingerprint@2.1-service -#android.hardware.bluetooth@1.0-impl \ + android.hardware.usb@1.0-service +#workround because android.hardware.wifi@1.0-service has not permission to insmod ko PRODUCT_COPY_FILES += \ hardware/amlogic/wifi/multi_wifi/android.hardware.wifi@1.0-service.rc:$(TARGET_COPY_OUT_VENDOR)/etc/init/android.hardware.wifi@1.0-service.rc + #Audio HAL PRODUCT_PACKAGES += \ android.hardware.audio@2.0-impl \ @@ -403,6 +398,31 @@ PRODUCT_PACKAGES += \ android.hardware.drm@1.0-impl \ android.hardware.drm@1.0-service +# HDMITX CEC HAL +PRODUCT_PACKAGES += \ + android.hardware.tv.cec@1.0-impl \ + android.hardware.tv.cec@1.0-service \ + hdmicecd \ + libhdmicec \ + libhdmicec_jni \ + vendor.amlogic.hardware.hdmicec@1.0_vendor \ + hdmi_cec.amlogic + +#light hal +PRODUCT_PACKAGES += \ + android.hardware.light@2.0-impl \ + android.hardware.light@2.0-service + +#thermal hal +PRODUCT_PACKAGES += \ + android.hardware.thermal@1.0-impl \ + android.hardware.thermal@1.0-service + +#health hal +PRODUCT_PACKAGES += \ + android.hardware.health@1.0-impl \ + android.hardware.health@1.0-service + ifeq ($(TARGET_BUILD_GOOGLE_ATV), true) PRODUCT_IS_ATV := true endif 
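Review bot: The `#workround because android.hardware.wifi@1.0-service has not permission to insmod ko` comment above the `PRODUCT_COPY_FILES` line in this hunk names a permission problem but says neither how the copied `.rc` resolves it nor when the override can go away, so a later maintainer cannot tell whether it is still needed or what extra privilege it gives the HAL. Because overriding a HAL's stock service definition presumably changes the user, groups or capabilities it runs with (the copied file itself is not in this diff), that is a security-relevant deviation and deserves to be stated in the comment. Suggested wording: `# Workaround: the stock android.hardware.wifi@1.0-service.rc does not let the HAL load the wifi kernel module, so this vendor copy overrides it; revisit once module loading no longer happens in the HAL.` That also fixes the spelling of `workaround`.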
@@ -416,10 +436,36 @@ PRODUCT_PROPERTY_OVERRIDES += \ # VNDK version is specified PRODUCT_PROPERTY_OVERRIDES += \ - ro.vendor.vndk.version=26 + ro.vendor.vndk.version=26.1.0 PRODUCT_PROPERTY_OVERRIDES += \ ro.treble.enabled=true PRODUCT_PACKAGES += \ - libxml2 + android.hardware.graphics.allocator@2.0.vndk-sp\ + android.hardware.graphics.mapper@2.0.vndk-sp\ + android.hardware.graphics.common@1.0.vndk-sp\ + android.hardware.renderscript@1.0.vndk-sp\ + android.hidl.base@1.0.vndk-sp\ + android.hidl.memory@1.0.vndk-sp \ + libRSCpuRef.vndk-sp\ + libRSDriver.vndk-sp\ + libRS_internal.vndk-sp\ + libbacktrace.vndk-sp\ + libbase.vndk-sp\ + libbcinfo.vndk-sp\ + libblas.vndk-sp\ + libc++.vndk-sp\ + libcompiler_rt.vndk-sp\ + libcutils.vndk-sp\ + libft2.vndk-sp\ + libhardware.vndk-sp\ + libhidlbase.vndk-sp\ + libhidlmemory.vndk-sp \ + libhidltransport.vndk-sp\ + libhwbinder.vndk-sp\ + libion.vndk-sp\ + liblzma.vndk-sp\ + libpng.vndk-sp\ + libunwind.vndk-sp\ + libutils.vndk-sp diff --git a/common/products/mbox/init.amlogic.ab.rc b/common/products/mbox/init.amlogic.ab.rc index 0b946c6..0a6532e 100644 --- a/common/products/mbox/init.amlogic.ab.rc +++ b/common/products/mbox/init.amlogic.ab.rc @@ -46,14 +46,9 @@ on fs setprop ro.crypto.fuse_sdcard true swapon_all /fstab.amlogic -on post-fs - restorecon_recursive /tee - start tee_supplicant - on post-fs-data mkdir /data/misc/wifi 0770 wifi wifi mkdir /data/misc/wifi/sockets 0770 wifi wifi - mkdir /data/misc/dhcp 0770 system dhcp mkdir /data/misc/etc 0777 system pppoe mkdir /data/misc/etc/ppp 0777 system pppoe 
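Review bot: The `init.amlogic.ab.rc` hunk at `@@ -46,14 +46,9 @@` drops the `on post-fs` block that ran `restorecon_recursive /tee` and `start tee_supplicant`, and the later `@@ -471,14 +420,8 @@` hunk in the same file drops the `on property:vold.post_fs_data_done=1` start as well; the same pair of removals is repeated in `mbox/init.amlogic.rc` and `tv/init.amlogic.rc`, so after this commit nothing visible in the diff starts `tee_supplicant` or relabels `/tee`. If the daemon moved to its own vendor `.rc` as part of the Treble split, that file is not in this commit and a line in the description would save the next reader the search; if it was dropped on purpose, the `tee_data_file` and `tee_block_device` labels still present in `file_contexts` are now dead. Either way a short comment at the removal site would make the intent clear.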
@@ -319,14 +314,6 @@ on boot chmod 664 /sys/devices/system/cpu/cpu1/online chown system system /sys/devices/system/clocksource/clocksource0/current_clocksource - # usbpm - chown system system /sys/devices/dwc2_a/peri_power - chown system system /sys/devices/dwc2_a/peri_sleepm - chown system system /sys/devices/dwc2_a/peri_otg_disable - chown system system /sys/devices/dwc2_b/peri_sleepm - chown system system /sys/devices/dwc2_b/peri_otg_disable - chown system system /sys/class/aml_mod/mod_off - chown system system /sys/class/aml_mod/mod_on # hdcp2 write /sys/class/unifykeys/attach 1 @@ -404,37 +391,6 @@ service watchdogd /sbin/watchdogd 10 20 seclabel u:r:watchdogd:s0 - -service dhcpcd_eth0 /system/bin/dhcpcd -ABKLG - class main - disabled - oneshot - -service dhcpcd_usbnet0 /system/bin/dhcpcd -ABKLG - class main - disabled - oneshot - -service dhcpcd_wlan0 /system/bin/dhcpcd -ABKL - class main - disabled - oneshot - -service dhcpcd_p2p /system/bin/dhcpcd -aABKL - class main - disabled - oneshot - -service iprenew_wlan0 /system/bin/dhcpcd -n - class main - disabled - oneshot - -service iprenew_p2p /system/bin/dhcpcd -n - class main - disabled - oneshot - # on userdebug and eng builds, enable kgdb on the serial console on property:ro.debuggable=1 write /sys/module/kgdboc/parameters/kgdboc ttyFIQ2 @@ -451,13 +407,6 @@ service pppoe_wrapper /vendor/bin/pppoe_wrapper oneshot seclabel u:r:pppoe_wrapper:s0 -service usbpm /vendor/bin/usbtestpm - class main - user system - group system - seclabel u:r:usbpm:s0 - disabled - service imageserver /vendor/bin/imageserver class main user root @@ -471,14 +420,8 @@ service bootvideo /vendor/bin/bootplayer /vendor/etc/bootvideo disabled oneshot -on property:dev.bootcomplete=1 - start usbpm - -on property:vold.post_fs_data_done=1 - start tee_supplicant - service hdcp_tx22 /vendor/bin/hdcp_tx22 \ - -f /system/etc/firmware/firmware.le + -f /vendor/etc/firmware/firmware.le class main disabled oneshot 
diff --git a/common/products/mbox/init.amlogic.rc b/common/products/mbox/init.amlogic.rc index 31012dd..84e920e 100644 --- a/common/products/mbox/init.amlogic.rc +++ b/common/products/mbox/init.amlogic.rc @@ -46,14 +46,9 @@ on fs setprop ro.crypto.fuse_sdcard true swapon_all /fstab.amlogic -on post-fs - restorecon_recursive /tee - start tee_supplicant - on post-fs-data mkdir /data/misc/wifi 0770 wifi wifi mkdir /data/misc/wifi/sockets 0770 wifi wifi - mkdir /data/misc/dhcp 0770 system dhcp mkdir /data/misc/etc 0777 system pppoe mkdir /data/misc/etc/ppp 0777 system pppoe @@ -319,14 +314,6 @@ on boot chmod 664 /sys/devices/system/cpu/cpu1/online chown system system /sys/devices/system/clocksource/clocksource0/current_clocksource - # usbpm - chown system system /sys/devices/dwc2_a/peri_power - chown system system /sys/devices/dwc2_a/peri_sleepm - chown system system /sys/devices/dwc2_a/peri_otg_disable - chown system system /sys/devices/dwc2_b/peri_sleepm - chown system system /sys/devices/dwc2_b/peri_otg_disable - chown system system /sys/class/aml_mod/mod_off - chown system system /sys/class/aml_mod/mod_on # hdcp2 write /sys/class/unifykeys/attach 1 @@ -358,8 +345,6 @@ on boot chown root system /sys/module/di/parameters/det3d_en chown root system /sys/module/di/parameters/prog_proc_config -# start sdcard - write /sys/class/vfm/map "rm default" write /sys/class/vfm/map "add default decoder ppmgr deinterlace amvideo" @@ -370,11 +355,6 @@ on aml-firstboot-init wait /dev/block/cache 20 confirm_formated ext4 /dev/block/cache /cache -service hdmi_cec /vendor/bin/hdmi_cec - class core - user root - group system - # virtual sdcard daemon running as media_rw (1023) #service sdcard /system/bin/sdcard -u 1023 -g 1023 /data/media /mnt/shell/emulated # class late_start 
@@ -406,37 +386,6 @@ service watchdogd /sbin/watchdogd 10 20 seclabel u:r:watchdogd:s0 - -service dhcpcd_eth0 /system/bin/dhcpcd -ABKLG - class main - disabled - oneshot - -service dhcpcd_usbnet0 /system/bin/dhcpcd -ABKLG - class main - disabled - oneshot - -service dhcpcd_wlan0 /system/bin/dhcpcd -ABKL - class main - disabled - oneshot - -service dhcpcd_p2p /system/bin/dhcpcd -aABKL - class main - disabled - oneshot - -service iprenew_wlan0 /system/bin/dhcpcd -n - class main - disabled - oneshot - -service iprenew_p2p /system/bin/dhcpcd -n - class main - disabled - oneshot - # on userdebug and eng builds, enable kgdb on the serial console on property:ro.debuggable=1 write /sys/module/kgdboc/parameters/kgdboc ttyFIQ2 @@ -447,25 +396,6 @@ service remotecfg /vendor/bin/remotecfg /vendor/etc/remote.conf oneshot seclabel u:r:remotecfg:s0 -service pppoe_wrapper /vendor/bin/pppoe_wrapper - class main - group system inet - oneshot - seclabel u:r:pppoe_wrapper:s0 - -service usbpm /vendor/bin/usbtestpm - class main - user system - group system - seclabel u:r:usbpm:s0 - disabled - -service imageserver /vendor/bin/imageserver - class main - user root - group system - seclabel u:r:imageserver:s0 - service bootvideo /vendor/bin/bootplayer /vendor/etc/bootvideo class main user root @@ -473,14 +403,8 @@ service bootvideo /vendor/bin/bootplayer /vendor/etc/bootvideo disabled oneshot -on property:dev.bootcomplete=1 - start usbpm - -on property:vold.post_fs_data_done=1 - start tee_supplicant - service hdcp_tx22 /vendor/bin/hdcp_tx22 \ - -f /system/etc/firmware/firmware.le + -f /vendor/etc/firmware/firmware.le class main disabled oneshot diff --git a/common/products/mbox/product_mbox.mk b/common/products/mbox/product_mbox.mk index 0b2614e..c43a59d 100644 --- a/common/products/mbox/product_mbox.mk +++ b/common/products/mbox/product_mbox.mk 
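Review bot: The `@@ -447,25 +396,6 @@` hunk removes the `pppoe_wrapper` and `imageserver` services from `common/products/mbox/init.amlogic.rc`, while the matching hunk in `init.amlogic.ab.rc` (`@@ -451,13 +407,6 @@`) removes only `usbpm` and keeps both, so the A/B and non-A/B mbox images now start different sets of vendor daemons. If that asymmetry is intended for the non-A/B image only, a one-line comment at the removal site would stop the next person from "fixing" it; otherwise the ab file should receive the same deletion. The `app.te` hunk in this commit references `pppoe_wrapper` and `imageserver` only in commented-out rules, which may indicate the daemons were meant to go away everywhere.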
@@ -35,13 +35,6 @@ PRODUCT_PACKAGES += \ PRODUCT_PACKAGES += \ camera.amlogic -# HDMITX CEC HAL -PRODUCT_PACKAGES += \ - hdmi_cec \ - libhdmicec \ - libhdmicec_jni \ - hdmi_cec.amlogic - PRODUCT_PROPERTY_OVERRIDES += ro.hdmi.device_type=4 #Tvsettings diff --git a/common/products/tablet/init.amlogic.rc b/common/products/tablet/init.amlogic.rc index 48224e4..5220adb 100644 --- a/common/products/tablet/init.amlogic.rc +++ b/common/products/tablet/init.amlogic.rc @@ -263,12 +263,6 @@ on aml-firstboot-init confirm_formated ext4 /dev/block/data /data confirm_formated ext4 /dev/block/cache /cache -service system_control /vendor/bin/systemcontrol - class main - user root - group system - seclabel u:r:system_control:s0 - service usbpm /vendor/bin/usbtestpm class main user system diff --git a/common/products/tv/init.amlogic.rc b/common/products/tv/init.amlogic.rc index f8c68e6..9ce53ff 100644 --- a/common/products/tv/init.amlogic.rc +++ b/common/products/tv/init.amlogic.rc @@ -50,13 +50,10 @@ on init on post-fs restorecon_recursive /param - restorecon_recursive /tee - start tee_supplicant on post-fs-data mkdir /data/misc/wifi 0770 wifi wifi mkdir /data/misc/wifi/sockets 0770 wifi wifi - mkdir /data/misc/dhcp 0770 system dhcp mkdir /data/misc/etc 0777 system pppoe mkdir /data/misc/etc/ppp 0777 system pppoe @@ -333,14 +330,6 @@ on boot chmod 664 /sys/devices/system/cpu/cpu1/online chown system system /sys/devices/system/clocksource/clocksource0/current_clocksource - # usbpm - chown system system /sys/devices/dwc2_a/peri_power - chown system system /sys/devices/dwc2_a/peri_sleepm - chown system system /sys/devices/dwc2_a/peri_otg_disable - chown system system /sys/devices/dwc2_b/peri_sleepm - chown system system /sys/devices/dwc2_b/peri_otg_disable - chown system system /sys/class/aml_mod/mod_off - chown system system /sys/class/aml_mod/mod_on # hdcp2 write /sys/class/unifykeys/attach 1 
@@ -397,12 +386,6 @@ service tvd /vendor/bin/tvserver group system seclabel u:r:tvserver:s0 -service hdmi_cec /vendor/bin/hdmi_cec - class core - user root - group system - seclabel u:r:hdmi_cec:s0 - # virtual sdcard daemon running as media_rw (1023) #service sdcard /system/bin/sdcard -u 1023 -g 1023 /data/media /mnt/shell/emulated # class late_start @@ -433,38 +416,6 @@ service watchdogd /sbin/watchdogd 10 20 disabled seclabel u:r:watchdogd:s0 - - -service dhcpcd_eth0 /system/bin/dhcpcd -ABKLG - class main - disabled - oneshot - -service dhcpcd_usbnet0 /system/bin/dhcpcd -ABKLG - class main - disabled - oneshot - -service dhcpcd_wlan0 /system/bin/dhcpcd -ABKL - class main - disabled - oneshot - -service dhcpcd_p2p /system/bin/dhcpcd -aABKL - class main - disabled - oneshot - -service iprenew_wlan0 /system/bin/dhcpcd -n - class main - disabled - oneshot - -service iprenew_p2p /system/bin/dhcpcd -n - class main - disabled - oneshot - # on userdebug and eng builds, enable kgdb on the serial console on property:ro.debuggable=1 write /sys/module/kgdboc/parameters/kgdboc ttyFIQ2 @@ -494,18 +445,14 @@ service bootvideo /vendor/bin/bootplayer /vendor/etc/bootvideo disabled oneshot -on property:dev.bootcomplete=1 -on property:vold.post_fs_data_done=1 - start tee_supplicant - service hdcp_tx22 /vendor/bin/hdcp_tx22 \ - -f /system/etc/firmware/firmware.le + -f /vendor/etc/firmware/firmware.le class main disabled oneshot service hdcp_rx22 /vendor/bin/hdcp_rx22 \ - -f /system/etc/firmware/firmware.le + -f /vendor/etc/firmware/firmware.le class main disabled oneshot diff --git a/common/products/tv/product_tv.mk b/common/products/tv/product_tv.mk index fa63ecb..090434b 100644 --- a/common/products/tv/product_tv.mk +++ b/common/products/tv/product_tv.mk @@ -43,10 +43,6 @@ PRODUCT_PACKAGES += \ PRODUCT_PACKAGES += \ remotecfg -# HDMITX CEC HAL -PRODUCT_PACKAGES += \ - hdmi_cec.amlogic - USE_CUSTOM_AUDIO_POLICY := 1 ifneq ($(TARGET_BUILD_GOOGLE_ATV), true) 
@@ -67,13 +63,6 @@ PRODUCT_PACKAGES += \ PRODUCT_PACKAGES += \ camera.amlogic -# HDMITX CEC HAL -PRODUCT_PACKAGES += \ - hdmi_cec \ - libhdmicec \ - libhdmicec_jni \ - hdmi_cec.amlogic - PRODUCT_PROPERTY_OVERRIDES += ro.hdmi.device_type=0 #Tvsettings diff --git a/common/sepolicy/adbd.te b/common/sepolicy/adbd.te deleted file mode 100644 index 20b99e9..0000000 --- a/common/sepolicy/adbd.te +++ b/dev/null @@ -1 +0,0 @@ -set_prop(adbd, ctl_mdnsd_prop) \ No newline at end of file diff --git a/common/sepolicy/app.te b/common/sepolicy/app.te index eb9f839..6f6cbad 100644 --- a/common/sepolicy/app.te +++ b/common/sepolicy/app.te 
@@ -1,75 +1,80 @@ # Write to various pseudo file systems. -allow untrusted_app block_device:dir { search getattr }; +#allow untrusted_app block_device:dir { search getattr }; +# +#allow untrusted_app imageserver_service:service_manager find; +# +#allow untrusted_app system_control_service:service_manager find; +# +#allow untrusted_app unlabeled:dir { search read write getattr }; +#allow untrusted_app unlabeled:file { lock open read write getattr }; +# +## Read and write /data/data subdirectory. +#allow untrusted_app { system_app_data_file app_data_file }:dir { getattr read search }; +# +#allow untrusted_app { system_app_data_file app_data_file }:file { getattr read write }; +# +#allow untrusted_app subtitle_service:service_manager { find }; +#allow untrusted_app unlabeled:filesystem getattr; +#allow untrusted_app proc_sysrq:file { read getattr }; +#allow untrusted_app kernel:file { open read getattr }; +#allow untrusted_app kernel:dir { search getattr }; +#allow untrusted_app pppoe_wrapper:file { open read getattr }; +#allow untrusted_app pppoe_wrapper:dir { search getattr }; +#allow untrusted_app zygote:file { open read getattr }; +#allow untrusted_app zygote:dir { search getattr }; +#allow untrusted_app gatekeeperd:file { open read getattr }; +#allow untrusted_app gatekeeperd:dir { search getattr }; +#allow untrusted_app imageserver:file { open read getattr }; +#allow untrusted_app imageserver:dir { search getattr }; +#allow untrusted_app system_control:file { open read getattr }; +#allow untrusted_app system_control:dir { search getattr }; +#allow untrusted_app keystore:file { open read getattr }; +#allow untrusted_app keystore:dir { search getattr }; +#allow untrusted_app installd:file { open read getattr }; +#allow untrusted_app installd:dir { search getattr }; +#allow untrusted_app mediaserver:file { open read getattr }; +#allow untrusted_app mediaserver:dir { search getattr }; +#allow untrusted_app drmserver:file { open read getattr }; +#allow untrusted_app 
drmserver:dir { search getattr }; +#allow untrusted_app netd:file { open read getattr }; +#allow untrusted_app netd:dir { search getattr }; +#allow untrusted_app surfaceflinger:file { open read getattr }; +#allow untrusted_app surfaceflinger:dir { search getattr }; +#allow untrusted_app servicemanager:file { open read getattr }; +#allow untrusted_app servicemanager:dir { search getattr }; +#allow untrusted_app lmkd:file { open read getattr }; +#allow untrusted_app lmkd:dir { search getattr }; +#allow untrusted_app shell:file { open read getattr }; +#allow untrusted_app shell:dir { search getattr }; +#allow untrusted_app healthd:file { open read getattr }; +#allow untrusted_app healthd:dir { search getattr }; +#allow untrusted_app vold:file { open read getattr }; +#allow untrusted_app vold:dir { search getattr }; +#allow untrusted_app logd:file { open read getattr }; +#allow untrusted_app logd:dir { search getattr }; +#allow untrusted_app ueventd:file { open read getattr }; +#allow untrusted_app ueventd:dir { search getattr }; +#allow untrusted_app init:file { open read getattr }; +#allow untrusted_app init:dir { search getattr }; +#allow untrusted_app system_server:file { open read getattr }; +#allow untrusted_app system_server:dir { search getattr }; +#allow untrusted_app dhcp:file { open read getattr }; +#allow untrusted_app dhcp:dir { search getattr }; +#allow untrusted_app sdcardd:file { open read getattr }; +#allow untrusted_app sdcardd:dir { search getattr }; +#allow untrusted_app platform_app:file { open read getattr }; +#allow untrusted_app platform_app:dir { search getattr }; +#allow untrusted_app system_app:file { open read getattr }; +#allow untrusted_app system_app:dir { search getattr }; +#allow untrusted_app usbpm:file { open read getattr }; +#allow untrusted_app usbpm:dir { search getattr }; +# +#allow untrusted_app fuseblk:dir { search }; +#allow untrusted_app fuseblk:file { read open }; +#allow untrusted_app dex2oat:dir { getattr }; +#allow 
untrusted_app storage_stub_file:dir { getattr }; -allow untrusted_app imageserver_service:service_manager find; -allow untrusted_app system_control_service:service_manager find; - -allow untrusted_app unlabeled:dir { search read write getattr }; -allow untrusted_app unlabeled:file { lock open read write getattr }; - -# Read and write /data/data subdirectory. -allow untrusted_app { system_app_data_file app_data_file }:dir { getattr read search }; - -allow untrusted_app { system_app_data_file app_data_file }:file { getattr read write }; - -allow untrusted_app subtitle_service:service_manager { find }; -allow untrusted_app unlabeled:filesystem getattr; -allow untrusted_app proc_sysrq:file { read getattr }; -allow untrusted_app kernel:file { open read getattr }; -allow untrusted_app kernel:dir { search getattr }; -allow untrusted_app pppoe_wrapper:file { open read getattr }; -allow untrusted_app pppoe_wrapper:dir { search getattr }; -allow untrusted_app zygote:file { open read getattr }; -allow untrusted_app zygote:dir { search getattr }; -allow untrusted_app gatekeeperd:file { open read getattr }; -allow untrusted_app gatekeeperd:dir { search getattr }; -allow untrusted_app imageserver:file { open read getattr }; -allow untrusted_app imageserver:dir { search getattr }; -allow untrusted_app system_control:file { open read getattr }; -allow untrusted_app system_control:dir { search getattr }; -allow untrusted_app keystore:file { open read getattr }; -allow untrusted_app keystore:dir { search getattr }; -allow untrusted_app installd:file { open read getattr }; -allow untrusted_app installd:dir { search getattr }; -allow untrusted_app mediaserver:file { open read getattr }; -allow untrusted_app mediaserver:dir { search getattr }; -allow untrusted_app drmserver:file { open read getattr }; -allow untrusted_app drmserver:dir { search getattr }; -allow untrusted_app netd:file { open read getattr }; -allow untrusted_app netd:dir { search getattr }; -allow untrusted_app 
surfaceflinger:file { open read getattr }; -allow untrusted_app surfaceflinger:dir { search getattr }; -allow untrusted_app servicemanager:file { open read getattr }; -allow untrusted_app servicemanager:dir { search getattr }; -allow untrusted_app lmkd:file { open read getattr }; -allow untrusted_app lmkd:dir { search getattr }; -allow untrusted_app shell:file { open read getattr }; -allow untrusted_app shell:dir { search getattr }; -allow untrusted_app healthd:file { open read getattr }; -allow untrusted_app healthd:dir { search getattr }; -allow untrusted_app vold:file { open read getattr }; -allow untrusted_app vold:dir { search getattr }; -allow untrusted_app logd:file { open read getattr }; -allow untrusted_app logd:dir { search getattr }; -allow untrusted_app ueventd:file { open read getattr }; -allow untrusted_app ueventd:dir { search getattr }; -allow untrusted_app init:file { open read getattr }; -allow untrusted_app init:dir { search getattr }; -allow untrusted_app system_server:file { open read getattr }; -allow untrusted_app system_server:dir { search getattr }; -allow untrusted_app dhcp:file { open read getattr }; -allow untrusted_app dhcp:dir { search getattr }; -allow untrusted_app sdcardd:file { open read getattr }; -allow untrusted_app sdcardd:dir { search getattr }; -allow untrusted_app platform_app:file { open read getattr }; -allow untrusted_app platform_app:dir { search getattr }; -allow untrusted_app system_app:file { open read getattr }; -allow untrusted_app system_app:dir { search getattr }; -allow untrusted_app usbpm:file { open read getattr }; -allow untrusted_app usbpm:dir { search getattr }; - -allow untrusted_app fuseblk:dir { search }; -allow untrusted_app fuseblk:file { read open }; -allow untrusted_app dex2oat:dir { getattr }; -allow untrusted_app storage_stub_file:dir { getattr }; +allow untrusted_app vendor_file:file { getattr read open execute }; +allow untrusted_app sysfs_zram:file { read open getattr }; +allow untrusted_app 
sysfs_zram:dir { search }; diff --git a/common/sepolicy/audioserver.te b/common/sepolicy/audioserver.te index ea026c1..e1993ec 100644 --- a/common/sepolicy/audioserver.te +++ b/common/sepolicy/audioserver.te @@ -1,7 +1,6 @@ -allow audioserver sysfs_digital_codec:file { open read write getattr }; -allow audioserver sysfs_audio_samesource:file { open read write getattr }; -allow audioserver sysfs_audio_cap:file { open read write getattr }; -allow audioserver sysfs_xbmc:file { open read write getattr }; +allow audioserver { sysfs_xbmc sysfs_digital_codec sysfs_audio_samesource sysfs_audio_cap }:file { open read write getattr }; + +allow audioserver vendor_file:file { read open getattr execute }; allow audioserver kernel:system module_request; diff --git a/common/sepolicy/bluetooth.te b/common/sepolicy/bluetooth.te deleted file mode 100644 index eddaea3..0000000 --- a/common/sepolicy/bluetooth.te +++ b/dev/null @@ -1 +0,0 @@ -allow bluetooth system_control_service:service_manager find; diff --git a/common/sepolicy/bootanim.te b/common/sepolicy/bootanim.te index faefeb2..8468e7c 100644 --- a/common/sepolicy/bootanim.te +++ b/common/sepolicy/bootanim.te @@ -1,2 +1 @@ -#Bootanim start bootvideo -allow bootanim system_control:binder call; \ No newline at end of file +allow bootanim vendor_file:file { open read getattr execute }; \ No newline at end of file diff --git a/common/sepolicy/bootvideo.te b/common/sepolicy/bootvideo.te index 5237fc3..49a341e 100644 --- a/common/sepolicy/bootvideo.te +++ b/common/sepolicy/bootvideo.te @@ -1,7 +1,7 @@ type bootvideo, domain; -type bootvideo_exec, exec_type, file_type; -init_daemon_domain(bootvideo) -binder_use(bootvideo); +type bootvideo_exec, exec_type, vendor_file_type, file_type; +#init_daemon_domain(bootvideo) +#binder_use(bootvideo); #unix_socket_connect(bootvideo, property, init); #Bootvideo 
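Review bot: The new `allow untrusted_app vendor_file:file { getattr read open execute };` at the end of the app.te hunk lets every untrusted app map and execute anything labelled `vendor_file`, which under the default Treble labelling is the whole vendor partition, and the same broad grant is repeated for `audioserver` and `bootanim` in the audioserver.te and bootanim.te hunks that follow on this line. Treble's mechanism for letting platform processes load vendor code is to label only the required libraries `same_process_hal_file` rather than opening all of `vendor_file`, and the platform `coredomain` neverallows on `vendor_file_type` execute may reject these three rules at policy compile time, so they are worth checking against the target's system/sepolicy. Separately, the roughly seventy old rules are commented out rather than deleted; git already keeps the history, so remove them and leave the file with only the rules that are live. The `sysfs_zram` read/search grant to untrusted apps is unexplained; a comment such as `# zram stats readable by apps because <reason>` would say why an untrusted domain needs it.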
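Review bot: Commenting out `init_daemon_domain(bootvideo)` in the first bootvideo.te hunk removes the automatic transition from init into the `bootvideo` domain when `bootvideo_exec` is executed, so unless the `service bootvideo` entries in the init rc files carry `seclabel u:r:bootvideo:s0` (those lines appear here only as hunk context, so I cannot confirm) init will either refuse to start the service or run it in its own domain, and the rest of bootvideo.te becomes dead policy. If the domain is meant to stay, keep the macro: `init_daemon_domain(bootvideo)`. The `#binder_use(bootvideo);` and `#allow bootvideo system_control_service:service_manager find;` lines should be deleted rather than kept as comments; presumably they were dropped because a vendor domain must not reach framework binder services in full Treble, and a one-line comment saying so is more useful than the dead rules.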
@@ -31,6 +31,6 @@ allow bootvideo property_socket:sock_file write; allow bootvideo system_data_file:file open; allow bootvideo sysfs_xbmc:file { open read write getattr }; -allow bootvideo system_control_service:service_manager find; +#allow bootvideo system_control_service:service_manager find; set_prop(bootvideo, system_prop) diff --git a/common/sepolicy/cameraserver.te b/common/sepolicy/cameraserver.te deleted file mode 100644 index e507c6e..0000000 --- a/common/sepolicy/cameraserver.te +++ b/dev/null @@ -1 +0,0 @@ -allow cameraserver kernel:system module_request; \ No newline at end of file diff --git a/common/sepolicy/device.te b/common/sepolicy/device.te index 160cbcf..77b2fa0 100644 --- a/common/sepolicy/device.te +++ b/common/sepolicy/device.te @@ -23,6 +23,7 @@ type drm_block_device, dev_type; type tee_block_device, dev_type; type odm_block_device, dev_type; type vendor_block_device, dev_type; +type system_block_fsck_device, dev_type; type dvb_video_device, dev_type; type subtitle_device, dev_type; type sw_sync_device, dev_type; diff --git a/common/sepolicy/dex2oat.te b/common/sepolicy/dex2oat.te deleted file mode 100644 index c6e8e73..0000000 --- a/common/sepolicy/dex2oat.te +++ b/dev/null @@ -1 +0,0 @@ -allow dex2oat kernel:system module_request; diff --git a/common/sepolicy/drm_device.te b/common/sepolicy/drm_device.te deleted file mode 100644 index fbd7be1..0000000 --- a/common/sepolicy/drm_device.te +++ b/dev/null @@ -1,2 +0,0 @@ -allow drm_device tmpfs:filesystem associate; -allow drm_device tmpfs:chr_file { read write open}; diff --git a/common/sepolicy/drmserver.te b/common/sepolicy/drmserver.te index 2f82742..22a676a 100644 --- a/common/sepolicy/drmserver.te +++ b/common/sepolicy/drmserver.te 
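Review bot: `type system_block_fsck_device, dev_type;` in the device.te hunk is then used by the file_contexts section to relabel `/dev/block/system`, `system_a` and `system_b` away from the platform's `system_block_device` type. Platform policy ties both its protections (the neverallows that keep most domains from writing the system partition) and its grants (for example to `update_engine` on A/B devices) to `system_block_device`, and a locally defined type carries none of them unless this repository re-adds them; the diff does not show which domain consumes the new type, so it is unclear whether that trade-off was weighed or whether A/B updates of the system slot still work. A comment above the type, e.g. `# system partition nodes; opened by <fsck domain> at boot, write access must stay restricted`, would make the intent reviewable.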
@@ -1,10 +1,14 @@ allow drmserver sysfs_xbmc:file rw_file_perms; allow drmserver sysfs:file rw_file_perms; allow drmserver drm_data_file:lnk_file {create open read write}; -allow drmserver system_control_service:service_manager find; -allow drmserver system_control:binder call; +#allow drmserver system_control_service:service_manager find; +#allow drmserver system_control:binder call; allow drmserver mediaserver:dir {getattr}; allow drmserver kernel:system module_request; + allow drmserver exfat:file { read }; allow drmserver ntfs:file { read }; + +allow drmserver unlabeled:file { read }; + diff --git a/common/sepolicy/droidvold.te b/common/sepolicy/droidvold.te new file mode 100644 index 0000000..cb8ae6b --- a/dev/null +++ b/common/sepolicy/droidvold.te 
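Review bot: `allow drmserver unlabeled:file { read };` at the end of the drmserver.te hunk grants access to files that carry no SELinux label at all, which usually means a filesystem or path that file_contexts and genfs do not cover; the fix is to label whatever drmserver actually reads (the neighbouring `exfat`/`ntfs` rules hint at external media, but the hunk does not say) rather than to open `unlabeled`. At minimum the rule needs a comment naming the path, e.g. `# TODO: label <path> instead of reading unlabeled files`. The two `#allow drmserver system_control...` lines should be deleted rather than commented out.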
@@ -0,0 +1,38 @@
+type droidvold, domain;
+type droidvold_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(droidvold)
+
+allow droidvold self:capability { setgid setuid };
+
+allow droidvold cpuctl_device:dir search;
+
+allow droidvold device:dir { open read };
+allow droidvold usb_device:dir { open read search };
+allow droidvold system_data_file:fifo_file { open read write };
+
+allow droidvold block_device:dir { create read write search add_name };
+
+allow droidvold fuseblk:filesystem mount;
+
+#allow droidvold self:capability { dac_override sys_admin };
+
+allow droidvold tmpfs:dir create_dir_perms;
+allow droidvold tmpfs:dir mounton;
+
+allow droidvold kernel:system module_request;
+allow droidvold mnt_media_rw_file:dir { r_dir_perms };
+allow droidvold mnt_media_rw_stub_file:dir { r_dir_perms mounton };
+
+allow droidvold droidvold:netlink_kobject_uevent_socket { create setopt bind read getopt };
+allow droidvold self:capability { net_admin };
+
+allow droidvold rootfs:dir mounton;
+allow droidvold rootfs:file { read open getattr };
+
+allow droidvold { sysfs sysfs_zram sysfs_zram_uevent }:dir { open read search };
+allow droidvold { sysfs sysfs_zram sysfs_zram_uevent }:file { write open read };
+
+allow droidvold file_contexts_file:file r_file_perms;
+
+allow proc_net proc:filesystem { associate };
diff --git a/common/sepolicy/dv_config.te b/common/sepolicy/dv_config.te
deleted file mode 100644
index 31136fd..0000000
--- a/common/sepolicy/dv_config.te
+++ b/dev/null
@@ -1,4 +0,0 @@
-type dv_config, domain;
-type dv_config_exec, exec_type, file_type;
-
-init_daemon_domain(dv_config)
\ No newline at end of file
diff --git a/common/sepolicy/file.te b/common/sepolicy/file.te
index ecfb2a4..1cfbd12 100644
--- a/common/sepolicy/file.te
+++ b/common/sepolicy/file.te
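Review bot: `allow proc_net proc:filesystem { associate };` as the last line of the new droidvold.te is a filesystem labelling rule for the `proc_net` type, not a rule about the `droidvold` domain, and it belongs with the file/fs type declarations (or can be dropped if platform policy already grants it). `allow droidvold droidvold:netlink_kobject_uevent_socket { ... }` should use `self`, matching the capability rules in the same file: `allow droidvold self:netlink_kobject_uevent_socket { create setopt bind read getopt };`. The commented-out `#allow droidvold self:capability { dac_override sys_admin };` should go; if it is meant as a reminder that the daemon must keep running without those capabilities, write that as a sentence instead. Finally, `rootfs:dir mounton`, `tmpfs:dir mounton` and `block_device:dir { create write add_name }` are broad for a volume daemon, and a one-line comment above each naming the mount point or device node it needs would let a reviewer judge whether a narrower type is possible.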
@@ -31,5 +31,9 @@ type sysfs_audio_cap, fs_type, sysfs_type;
 type ppp_system_file, exec_type, file_type;
 type ppp_data_file, file_type;
 type log_file, file_type, data_file_type;
+
 type ntfs, sdcard_type, fs_type, mlstrustedobject;
 type exfat, sdcard_type, fs_type, mlstrustedobject;
+
+type optee_file, file_type, data_file_type;
+
diff --git a/common/sepolicy/file_contexts b/common/sepolicy/file_contexts
index 7e06f56..4a5806b 100644
--- a/common/sepolicy/file_contexts
+++ b/common/sepolicy/file_contexts
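Review bot: `type optee_file, file_type, data_file_type;` in the file.te hunk is the label that the following file_contexts section assigns to `/boot/optee.ko`, a kernel module, but `data_file_type` is the attribute platform policy uses for writable files under /data, so every platform rule or neverallow keyed on that attribute now also covers the module image. A type with only `file_type` (plus `vendor_file_type` if the module ships in the vendor image) fits better, and the domain that loads it should be named in a comment, e.g. `# optee kernel module under /boot, loaded by <domain> at boot`. The label also takes effect only if /boot is a labelled filesystem that gets relabelled at boot, which is not visible in this diff.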
@@ -1,142 +1,136 @@
+/boot/optee.ko u:object_r:optee_file:s0
+
 /data/log(/.*)? u:object_r:log_file:s0
 /data/media_rw/sdcard1 u:object_r:media_rw_data_file:s0
 /data/tee(/.*)? u:object_r:tee_data_file:s0
-/data/droidota(/.*)? u:object_r:update_data_file:s0
+/data/droidota(/.*)? u:object_r:update_data_file:s0
-/dev/amaudio_.* u:object_r:audio_device:s0
+/dev/amaudio_.* u:object_r:audio_device:s0
 /dev/amaudio2_out u:object_r:audio_device:s0
-/dev/amremote u:object_r:input_device:s0
-/dev/am_adc_kpd u:object_r:input_device:s0
-/dev/amv.* u:object_r:video_device:s0
+/dev/amremote u:object_r:input_device:s0
+/dev/am_adc_kpd u:object_r:input_device:s0
+/dev/amv.* u:object_r:video_device:s0
 /dev/amvecm u:object_r:amvecm_device:s0
-/dev/amvideo u:object_r:dvb_video_device:s0
-/dev/amvideo_poll u:object_r:amvideo_device:s0
+/dev/amvideo u:object_r:dvb_video_device:s0
+/dev/amvideo_poll u:object_r:amvideo_device:s0
 /dev/ionvideo u:object_r:dvb_video_device:s0
-/dev/amstream_.* u:object_r:video_device:s0
-/dev/amstream_sub u:object_r:subtitle_device:s0
+/dev/amstream_.* u:object_r:video_device:s0
+/dev/amstream_sub u:object_r:subtitle_device:s0
 /dev/amstream_sub_read u:object_r:subtitle_device:s0
-/dev/amstream_mpts u:object_r:dvb_video_device:s0
+/dev/amstream_mpts u:object_r:dvb_video_device:s0
 /dev/amstream_userdata u:object_r:dvb_video_device:s0
-/dev/avin_detect u:object_r:avin_device:s0
-
-/dev/block/env u:object_r:env_device:s0
-/dev/block/data u:object_r:userdata_block_device:s0
-/dev/block/cache u:object_r:cache_block_device:s0
-/dev/block/zram0 u:object_r:swap_block_device:s0
-/dev/block/param u:object_r:param_block_device:s0
-/dev/block/cri_data u:object_r:cri_block_device:s0
-/dev/block/sd[a-z] u:object_r:sda_block_device:s0
+/dev/avin_detect u:object_r:avin_device:s0
+
+/dev/block/env u:object_r:env_device:s0
+/dev/block/data u:object_r:userdata_block_device:s0
+/dev/block/cache u:object_r:cache_block_device:s0
+/dev/block/zram0 u:object_r:swap_block_device:s0
+/dev/block/param u:object_r:param_block_device:s0
+/dev/block/cri_data u:object_r:cri_block_device:s0
+/dev/block/sd[a-z] u:object_r:sda_block_device:s0
 /dev/block/sd[a-z](.*) u:object_r:sda_block_device:s0
 /dev/block/vold(/.*)? u:object_r:vold_block_device:s0
-/dev/block/drm u:object_r:drm_block_device:s0
-/dev/block/boot_a u:object_r:boot_block_device:s0
-/dev/block/boot_b u:object_r:boot_block_device:s0
-/dev/block/boot u:object_r:boot_block_device:s0
-/dev/block/system_a u:object_r:system_block_device:s0
-/dev/block/system_b u:object_r:system_block_device:s0
+/dev/block/drm u:object_r:drm_block_device:s0
+/dev/block/boot_a u:object_r:boot_block_device:s0
+/dev/block/boot_b u:object_r:boot_block_device:s0
+/dev/block/boot u:object_r:boot_block_device:s0
+/dev/block/system_a u:object_r:system_block_fsck_device:s0
+/dev/block/system_b u:object_r:system_block_fsck_device:s0
+/dev/block/system u:object_r:system_block_fsck_device:s0
 /dev/block/vendor_a u:object_r:vendor_block_device:s0
 /dev/block/vendor_b u:object_r:vendor_block_device:s0
 /dev/block/vendor u:object_r:vendor_block_device:s0
-/dev/block/misc u:object_r:misc_block_device:s0
+/dev/block/misc u:object_r:misc_block_device:s0
 /dev/block/tee u:object_r:tee_block_device:s0
 /dev/block/odm u:object_r:odm_block_device:s0
-/dev/block/odm_a u:object_r:odm_block_device:s0
-/dev/block/odm_b u:object_r:odm_block_device:s0
+/dev/block/odm_a u:object_r:odm_block_device:s0
+/dev/block/odm_b u:object_r:odm_block_device:s0
 /dev/block/mmcblk[0-9] u:object_r:sda_block_device:s0
-/dev/block/mmcblk[0-9]p(.*) u:object_r:sda_block_device:s0
-/dev/block/mmcblk[0-9]rpmb u:object_r:sda_block_device:s0
-/dev/block/droidvold/.+ u:object_r:vold_device:s0
-
-/dev/bootloader u:object_r:bootloader_device:s0
-/dev/btusb0 u:object_r:hci_attach_dev:s0
-/dev/cec u:object_r:cec_device:s0
-/dev/defendkey u:object_r:defendkey_device:s0
-/dev/dtb u:object_r:dtb_device:s0
-/dev/dvb0.* u:object_r:dvb_device:s0
-/dev/dvb.* u:object_r:video_device:s0
-/dev/esm u:object_r:hdcptx_device:s0
-/dev/esm_rx u:object_r:hdcprx_device:s0
-/dev/ge2d u:object_r:ge2d_device:s0
-/dev/hdmirx0 u:object_r:hdmirx0_device:s0
-/dev/irblaster1 u:object_r:ir_device:s0
-/dev/mali u:object_r:gpu_device:s0
-/dev/mali0 u:object_r:gpu_device:s0
-/dev/nand_env u:object_r:env_device:s0
+/dev/block/mmcblk[0-9]p(.*) u:object_r:sda_block_device:s0
+/dev/block/mmcblk[0-9]rpmb u:object_r:sda_block_device:s0
+
+/dev/bootloader u:object_r:bootloader_device:s0
+/dev/btusb0 u:object_r:hci_attach_dev:s0
+/dev/cec u:object_r:cec_device:s0
+/dev/defendkey u:object_r:defendkey_device:s0
+/dev/dtb u:object_r:dtb_device:s0
+/dev/dvb0.* u:object_r:dvb_device:s0
+/dev/dvb.* u:object_r:video_device:s0
+/dev/esm u:object_r:hdcptx_device:s0
+/dev/esm_rx u:object_r:hdcprx_device:s0
+/dev/ge2d u:object_r:ge2d_device:s0
+/dev/hdmirx0 u:object_r:hdmirx0_device:s0
+/dev/irblaster1 u:object_r:ir_device:s0
+/dev/mali u:object_r:gpu_device:s0
+/dev/mali0 u:object_r:gpu_device:s0
+/dev/nand_env u:object_r:env_device:s0
 /dev/opteearmtz00 u:object_r:drm_device:s0
-/dev/otz_client u:object_r:tee_device:s0
-/dev/picdec u:object_r:picture_device:s0
-/dev/rtk_btusb u:object_r:hci_attach_dev:s0
+/dev/otz_client u:object_r:tee_device:s0
+/dev/picdec u:object_r:picture_device:s0
+/dev/rtk_btusb u:object_r:hci_attach_dev:s0
 /dev/socket/dig u:object_r:dig_socket:s0
 /dev/socket/pppoe_wrapper u:object_r:pppoe_wrapper_socket:s0
 /dev/sw_sync u:object_r:sw_sync_device:s0
 /dev/tee0 u:object_r:drm_device:s0
 /dev/teepriv0 u:object_r:drm_device:s0
-/dev/ttyS[1-2] u:object_r:hci_attach_dev:s0
-/dev/ttyUSB.* u:object_r:radio_device:s0
+/dev/ttyS[1-2] u:object_r:hci_attach_dev:s0
+/dev/ttyUSB.* u:object_r:radio_device:s0
 /dev/tvafe0 u:object_r:video_device:s0
 /dev/vdin0 u:object_r:video_device:s0
-/dev/wifi_power u:object_r:radio_device:s0
-
-
-/sys/devices/platform/bt-dev/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
-/sys/devices/platform/bt-dev/rfkill/rfkill0/type u:object_r:sysfs_bluetooth_writable:s0
-/sys/devices/bt-dev.*/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
-/sys/devices/bt-dev.*/rfkill/rfkill0/type u:object_r:sysfs_bluetooth_writable:s0
-/sys/devices/virtual/amhdmitx/amhdmitx0/aud_cap u:object_r:sysfs_audio_cap:s0
-/sys/devices/d0074000.emmc/mmc_host/emmc/emmc:0001/cid u:object_r:sysfs_xbmc:s0
-
-/sys/class/audiodsp/digital_raw u:object_r:sysfs_xbmc:s0
-/sys/class/video/disable_video u:object_r:sysfs_xbmc:s0
-/sys/class/video/axis u:object_r:sysfs_xbmc:s0
-/sys/class/video/screen_mode u:object_r:sysfs_xbmc:s0
-/sys/class/tsync/pts_pcrscr u:object_r:sysfs_xbmc:s0
-/sys/class/tsync/enable u:object_r:sysfs_xbmc:s0
-/sys/class/tsync/event u:object_r:sysfs_xbmc:s0
-/sys/class/tsync/pts_audio u:object_r:sysfs_xbmc:s0
-/sys/class/amhdmitx/amhdmitx0/aud_output_chs u:object_r:sysfs_xbmc:s0
-/sys/class/audiodsp/digital_codec u:object_r:sysfs_digital_codec:s0
-/sys/class/audiodsp/audio_samesource u:object_r:sysfs_audio_samesource:s0
-/sys/class/amhdmitx/amhdmitx0/aud_cap u:object_r:sysfs_audio_cap:s0
-
-/sys/class/mpgpu/mpgpucmd u:object_r:sysfs_mpgpu_cmd:s0
-/sys/power/early_suspend_trigger u:object_r:sysfs_power_trigger:s0
-
-/sys/class/vfm/map u:object_r:sysfs_xbmc:s0
-
-/param(/.*)? u:object_r:param_tv_file:s0
-/tee(/.*)? u:object_r:tee_data_file:s0
-
-#for daemon seclabel
-/vendor/bin/bootplayer u:object_r:bootvideo_exec:s0
-/vendor/bin/dv_config u:object_r:dv_config_exec:s0
-/vendor/bin/hdcp_rx22 u:object_r:hdcp_rx22_exec:s0
-/vendor/bin/hdcp_tx22 u:object_r:hdcp_tx22_exec:s0
-/vendor/bin/hdmi_cec u:object_r:hdmi_cec_exec:s0
-/vendor/bin/imageserver u:object_r:imageserver_exec:s0
-/system/bin/make_ext4fs u:object_r:make_ext4fs_exec:s0
-/vendor/bin/pppoe_wrapper u:object_r:pppoe_wrapper_exec:s0
-/vendor/bin/remotecfg u:object_r:remotecfg_exec:s0
-/vendor/bin/systemcontrol u:object_r:system_control_exec:s0
-/system/bin/tee-supplicant u:object_r:tee_exec:s0
-/vendor/bin/tee_preload_fw u:object_r:firmload_exec:s0
-/vendor/bin/tvserver u:object_r:tvserver_exec:s0
-/vendor/bin/usbtestpm u:object_r:usbpm_exec:s0
-/vendor/bin/wlan_fwloader u:object_r:wlan_fwloader_exec:s0
-/vendor/xbin/bcmdl u:object_r:bcmdl_exec:s0
-/vendor/bin/droidvold u:object_r:vold_exec:s0
+/dev/wifi_power u:object_r:radio_device:s0
+
+
+/sys/devices/platform/bt-dev/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/platform/bt-dev/rfkill/rfkill0/type u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/bt-dev.*/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/bt-dev.*/rfkill/rfkill0/type u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/virtual/amhdmitx/amhdmitx0/aud_cap u:object_r:sysfs_audio_cap:s0
+/sys/devices/d0074000.emmc/mmc_host/emmc/emmc:0001/cid u:object_r:sysfs_xbmc:s0
+
+/sys/class/audiodsp/digital_raw u:object_r:sysfs_xbmc:s0
+/sys/class/video/disable_video u:object_r:sysfs_xbmc:s0
+/sys/class/video/axis u:object_r:sysfs_xbmc:s0
+/sys/class/video/screen_mode u:object_r:sysfs_xbmc:s0
+/sys/class/tsync/pts_pcrscr u:object_r:sysfs_xbmc:s0
+/sys/class/tsync/enable u:object_r:sysfs_xbmc:s0
+/sys/class/tsync/event u:object_r:sysfs_xbmc:s0
+/sys/class/tsync/pts_audio u:object_r:sysfs_xbmc:s0
+/sys/class/amhdmitx/amhdmitx0/aud_output_chs u:object_r:sysfs_xbmc:s0
+/sys/class/audiodsp/digital_codec u:object_r:sysfs_digital_codec:s0
+/sys/class/audiodsp/audio_samesource u:object_r:sysfs_audio_samesource:s0
+/sys/class/amhdmitx/amhdmitx0/aud_cap u:object_r:sysfs_audio_cap:s0
+
+/sys/class/mpgpu/mpgpucmd u:object_r:sysfs_mpgpu_cmd:s0
+/sys/power/early_suspend_trigger u:object_r:sysfs_power_trigger:s0
+
+/sys/class/vfm/map u:object_r:sysfs_xbmc:s0
+
+/param(/.*)? u:object_r:param_tv_file:s0
+/tee(/.*)? u:object_r:tee_data_file:s0
+
+#/vendor/bin/bootplayer u:object_r:bootvideo_exec:s0
+#/vendor/bin/dv_config u:object_r:dv_config_exec:s0
+
+
+#/vendor/bin/imageserver u:object_r:imageserver_exec:s0
+#/system/bin/make_ext4fs u:object_r:make_ext4fs_exec:s0
+#/vendor/bin/pppoe_wrapper u:object_r:pppoe_wrapper_exec:s0
+
+/vendor/bin/hdcp_rx22 u:object_r:hdcp_rx22_exec:s0
+/vendor/bin/hdcp_tx22 u:object_r:hdcp_tx22_exec:s0
+/vendor/bin/remotecfg u:object_r:remotecfg_exec:s0
+/vendor/bin/systemcontrol u:object_r:system_control_exec:s0
+/vendor/bin/hdmicecd u:object_r:hdmicecd_exec:s0
+/vendor/bin/droidvold u:object_r:droidvold_exec:s0
+/vendor/bin/tee-supplicant u:object_r:tee_exec:s0
+/vendor/bin/tee_preload_fw u:object_r:firmload_exec:s0
+
+#/vendor/bin/tvserver u:object_r:tvserver_exec:s0
+#/vendor/bin/wlan_fwloader u:object_r:wlan_fwloader_exec:s0
+#/vendor/xbin/bcmdl u:object_r:bcmdl_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service.droidlogic u:object_r:hal_dumpstate_default_exec:s0
-/system/vendor/bin/bootplayer u:object_r:bootvideo_exec:s0
-/system/vendor/bin/dv_config u:object_r:dv_config_exec:s0
-/system/vendor/bin/hdcp_rx22 u:object_r:hdcp_rx22_exec:s0
-/system/vendor/bin/hdcp_tx22 u:object_r:hdcp_tx22_exec:s0
-/system/vendor/bin/hdmi_cec u:object_r:hdmi_cec_exec:s0
-/system/vendor/bin/imageserver u:object_r:imageserver_exec:s0
-/system/vendor/bin/pppoe_wrapper u:object_r:pppoe_wrapper_exec:s0
-/system/vendor/bin/remotecfg u:object_r:remotecfg_exec:s0
-/system/vendor/bin/systemcontrol u:object_r:system_control_exec:s0
-/system/vendor/bin/tvserver u:object_r:tvserver_exec:s0
-/system/vendor/bin/usbtestpm u:object_r:usbpm_exec:s0
-/system/vendor/bin/wlan_fwloader u:object_r:wlan_fwloader_exec:s0
-/system/vendor/xbin/bcmdl u:object_r:bcmdl_exec:s0
+/vendor/lib(64)?/hw/gralloc\.amlogic\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libfbcnf\.so u:object_r:same_process_hal_file:s0
+
diff --git a/common/sepolicy/firmload.te b/common/sepolicy/firmload.te
index 6ea347d..e394ffb 100644
--- a/common/sepolicy/firmload.te
+++ b/common/sepolicy/firmload.te
@@ -1,10 +1,10 @@
 type firmload, domain;
-type firmload_exec, exec_type, file_type;
+type firmload_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(firmload)
-allow firmload drm_device:chr_file {open read write ioctl};
+allow firmload drm_device:chr_file { open read write ioctl };
 allow firmload rootfs:lnk_file getattr;
-allow firmload system_data_file:dir { write};
-allow firmload system_data_file:file { read open getattr};
+allow firmload system_data_file:dir { write add_name };
+allow firmload system_data_file:file { read open getattr };
 allow firmload sysfs:file { read open getattr };
-allow firmload proc:file { read open getattr };
\ No newline at end of file
+allow firmload proc:file { read open getattr };
diff --git a/common/sepolicy/fsck.te b/common/sepolicy/fsck.te
index 5b6d99b..cfc5eaa 100644
--- a/common/sepolicy/fsck.te
+++ b/common/sepolicy/fsck.te
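Review bot: The exec labels for /vendor/bin/bootplayer, imageserver, pppoe_wrapper, tvserver, wlan_fwloader and /vendor/xbin/bcmdl are commented out instead of removed, while their domains are kept (imageserver.te in this commit still calls `init_daemon_domain(imageserver)`); any of these binaries still shipped and started from an init script now carries the default vendor_file label and, with init.te's new `allow init vendor_file:file { execute };`, would run in init's own domain rather than a confined one. Either remove the binaries together with their .te files, or keep the labels — a commented-out file_contexts line provides no confinement. The new `/vendor/lib(64)?/libfbcnf\.so` entry marks a non-HAL library same_process_hal_file, which lets every client process load it; a comment stating why it needs that label would make the intent reviewable.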
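Review bot: `allow firmload system_data_file:dir { write add_name };` lets a vendor daemon create entries directly under the generic system_data_file label, and the paired `system_data_file:file { read open getattr }` reads any file carrying it; the vendor/system split this commit is implementing expects a vendor domain to own a dedicated type for the /data directory it uses, and AOSP's neverallow rules on system_data_file are likely to reject this at build time. Declare one, e.g. `type firmload_data_file, file_type, data_file_type;` in file.te with a file_contexts entry for the directory firmload actually writes, and grant `create_dir_perms`/`create_file_perms` on that type instead.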
@@ -1,9 +1,10 @@
-allow fsck param_block_device:blk_file { getattr read write open ioctl };
-allow fsck block_device:blk_file { getattr };
-allow fsck drm_block_device:blk_file { getattr read write };
-allow fsck userdata_block_device:blk_file { getattr read write };
-allow fsck tee_block_device:blk_file rw_file_perms;
-allow fsck odm_block_device:blk_file rw_file_perms;
-allow fsck vold_block_device:blk_file { getattr read write open ioctl };
+#allow fsck block_device:blk_file { getattr read write };
+allow fsck tmpfs:blk_file { getattr read write open ioctl };
+
+allow fsck { vold_block_device param_block_device drm_block_device tee_block_device }:blk_file { getattr read write open ioctl };
+
+allow fsck { vendor_block_device odm_block_device userdata_block_device }:blk_file { getattr read write open ioctl };
+
+allow fsck { system_block_fsck_device }:blk_file { getattr read write open ioctl };
 allow fsck rootfs:lnk_file { getattr };
\ No newline at end of file
diff --git a/common/sepolicy/genfs_contexts b/common/sepolicy/genfs_contexts
index 2732a03..21d754e 100644..100755
--- a/common/sepolicy/genfs_contexts
+++ b/common/sepolicy/genfs_contexts
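Review bot: `allow fsck tmpfs:blk_file { getattr read write open ioctl };` grants fsck read/write on any block-device node that still carries the /dev default tmpfs label, i.e. exactly the nodes ueventd has not relabelled; that usually means a file_contexts entry is missing for some /dev/block path, and the fix is to add that entry rather than to trust the fallback label. The commented-out `#allow fsck block_device:blk_file …` should be deleted rather than kept as dead text, and the file still ends without a newline after `allow fsck rootfs:lnk_file { getattr };`.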
@@ -1,9 +1,9 @@
-genfscon fuseblk / u:object_r:fuseblk:s0
-genfscon hfsplus / u:object_r:hfsplus:s0
-genfscon iso9660 / u:object_r:iso9660:s0
-genfscon udf / u:object_r:udf:s0
-genfscon proc /mounts u:object_r:proc_mounts:s0
-genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0
-genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0
-genfscon ntfs / u:object_r:ntfs:s0
-genfscon exfat / u:object_r:exfat:s0
+genfscon fuseblk / u:object_r:fuseblk:s0
+genfscon hfsplus / u:object_r:hfsplus:s0
+genfscon iso9660 / u:object_r:iso9660:s0
+genfscon udf / u:object_r:udf:s0
+genfscon proc /mounts u:object_r:proc_mounts:s0
+genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0
+genfscon ntfs / u:object_r:ntfs:s0
+genfscon exfat / u:object_r:exfat:s0
diff --git a/common/sepolicy/hal_camera_default.te b/common/sepolicy/hal_camera_default.te
index a60e4c4..3752db0 100644
--- a/common/sepolicy/hal_camera_default.te
+++ b/common/sepolicy/hal_camera_default.te
@@ -1,2 +1,3 @@
-allow hal_camera_default vndbinder_device:dir {search};
-allow hal_camera_default vndbinder_device:chr_file {open read write ioctl};
+allow hal_camera_default hal_camera_default:netlink_kobject_uevent_socket { create setopt bind read shutdown };
+
+allow hal_camera_default vndbinder_device:chr_file { read write open ioctl };
\ No newline at end of file
diff --git a/common/sepolicy/hal_drm_default.te b/common/sepolicy/hal_drm_default.te
index 77021b5..4f2d0be 100644
--- a/common/sepolicy/hal_drm_default.te
+++ b/common/sepolicy/hal_drm_default.te
@@ -1,2 +1,4 @@
 allow hal_drm_default vndbinder_device:chr_file { read write open ioctl };
 allow hal_drm_default drm_device:chr_file { read open write ioctl };
+
+get_prop(hal_drm_default, media_prop)
diff --git a/common/sepolicy/hal_dumpstate_impl.te b/common/sepolicy/hal_dumpstate_impl.te
index 14b262d..f0d0e6a 100644
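Review bot: `allow hal_camera_default hal_camera_default:netlink_kobject_uevent_socket { … }` spells the domain out as its own target where the rest of this commit (hal_wifi_default.te) uses `self`; write `allow hal_camera_default self:netlink_kobject_uevent_socket { create setopt bind read shutdown };`. Dropping `vndbinder_device:dir { search }` is right if vndbinder_device only ever labels the /dev/vndbinder character node, as in AOSP, since a chr_file type cannot be searched; the replacement `vndbinder_device:chr_file` rule is what `vndbinder_use(hal_camera_default)` would generate together with the vndservicemanager binder grant, so the macro is the more complete form. The file still ends without a newline.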
--- a/common/sepolicy/hal_dumpstate_impl.te
+++ b/common/sepolicy/hal_dumpstate_impl.te
@@ -1,10 +1,9 @@
 type hal_dumpstate_impl, domain;
-hal_server_domain(hal_dumpstate_impl, hal_dumpstate)
+#hal_server_domain(hal_dumpstate_impl, hal_dumpstate)
-type hal_dumpstate_impl_exec, exec_type, file_type;
-init_daemon_domain(hal_dumpstate_impl)
+#type hal_dumpstate_impl_exec, exec_type, file_type;
+#init_daemon_domain(hal_dumpstate_impl)
 # Access to files for dumping
-allow hal_dumpstate_impl proc_interrupts:file { open read };
+#allow hal_dumpstate_impl proc_interrupts:file { open read };
 allow hal_dumpstate_impl pstorefs:dir search;
-allow hal_dumpstate_impl sysfs:file { open read };
diff --git a/common/sepolicy/hal_memtrack_default.te b/common/sepolicy/hal_memtrack_default.te
index 6db0312..6cde1cc 100644
--- a/common/sepolicy/hal_memtrack_default.te
+++ b/common/sepolicy/hal_memtrack_default.te
@@ -1,3 +1,5 @@
+typeattribute hal_memtrack_default mlstrustedsubject;
+
 allow hal_memtrack_default proc:file { open read getattr };
 allow hal_memtrack_default system_app:file { open read getattr };
 allow hal_memtrack_default system_app:dir { search };
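Review bot: After this hunk `hal_dumpstate_impl` is still declared as a domain but has no exec type, no `init_daemon_domain` and no `hal_server_domain`, so no process can ever enter it and the surviving `allow hal_dumpstate_impl pstorefs:dir search;` is dead policy. The file_contexts hunk in this commit already labels the dumpstate service binary hal_dumpstate_default_exec, so the whole file can be deleted; if the impl domain is still wanted, restore the three declarations instead. The same comment-out-instead-of-delete pattern appears in hal_wifi_default.te, hdcp_rx22.te, imageserver.te and init.te in this commit; commented rules are not checked by neverallows and tend to be re-enabled wholesale later, so a one-line comment giving the reason is better than keeping the old rule text.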
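Review bot: `typeattribute hal_memtrack_default mlstrustedsubject;` exempts the memtrack HAL from every MLS constraint device-wide, apparently to let it read other processes' /proc entries; the next hunk in this file already names those domains explicitly, so confirm the MLS bypass is actually needed (the denial would show a categorised level on the target context) and, if it is, say so in a comment above the line, e.g. `# memtrack reads /proc/<pid> of app domains at levels other than s0`. A vendor HAL domain is not normally mlstrustedsubject in AOSP, so this also deserves a sentence in the commit message.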
@@ -11,18 +13,27 @@ allow hal_memtrack_default hal_dumpstate_default:file { open read getattr };
 allow hal_memtrack_default hal_dumpstate_default:dir { search };
 allow hal_memtrack_default hal_configstore_default:file { open read getattr };
 allow hal_memtrack_default hal_configstore_default:dir { search };
-allow hal_memtrack_default hal_usb_default:file { open read getattr };
-allow hal_memtrack_default hal_usb_default:dir { search };
-allow hal_memtrack_default hal_power_default:dir { search };
-allow hal_memtrack_default hal_power_default:file { read };
-allow hal_memtrack_default { priv_app platform_app untrusted_app }:dir { search };
-allow hal_memtrack_default { priv_app platform_app untrusted_app }:file { read };
+allow hal_memtrack_default { priv_app platform_app untrusted_app su drmserver installd keystore mdnsd isolated_app }:dir { search };
+allow hal_memtrack_default { priv_app platform_app untrusted_app su drmserver installd keystore mdnsd isolated_app }:file { read open getattr };
+
+allow hal_memtrack_default { gatekeeperd tombstoned webview_zygote zygote netd wificond sdcardd hal_camera_default hal_tv_cec_default }:dir { search };
+allow hal_memtrack_default { gatekeeperd tombstoned webview_zygote zygote netd wificond sdcardd hal_camera_default hal_tv_cec_default }:file { read open getattr };
+
+allow hal_memtrack_default { hal_audio_default hal_usb_default hal_power_default hal_wifi_default hal_drm_default }:dir { search };
+allow hal_memtrack_default { hal_audio_default hal_usb_default hal_power_default hal_wifi_default hal_drm_default }:file { read open getattr };
+allow hal_memtrack_default { hal_graphics_composer_default hal_graphics_allocator_default hal_gatekeeper_default }:dir { search };
+allow hal_memtrack_default { hal_graphics_composer_default hal_graphics_allocator_default hal_gatekeeper_default }:file { read open getattr };
+
+allow hal_memtrack_default { hal_graphics_composer_default hal_graphics_allocator_default hal_gatekeeper_default }:dir { search };
+allow hal_memtrack_default { hal_graphics_composer_default hal_graphics_allocator_default hal_gatekeeper_default }:file { read open getattr };
+
+allow hal_memtrack_default { hal_keymaster_default droidvold adbd tee hdmicecd bluetooth untrusted_app_25 }:dir { search };
+allow hal_memtrack_default { hal_keymaster_default droidvold adbd tee hdmicecd bluetooth untrusted_app_25 }:file { read open getattr };
+
+allow hal_memtrack_default { mediadrmserver mediaextractor mediametrics mediacodec audioserver cameraserver mediaserver }:dir { search };
+allow hal_memtrack_default { mediadrmserver mediaextractor mediametrics mediacodec audioserver cameraserver mediaserver }:file { read open getattr };
-allow hal_memtrack_default { logd ueventd vold system_server init }:dir { search };
-allow hal_memtrack_default { logd ueventd vold system_server init }:file { read open getattr };
+allow hal_memtrack_default { logd ueventd vold system_server init shell surfaceflinger lmkd healthd system_control }:dir { search };
+allow hal_memtrack_default { logd ueventd vold system_server init shell surfaceflinger lmkd healthd system_control }:file { read open getattr };
-allow hal_memtrack_default untrusted_app:dir { search };
-allow hal_memtrack_default untrusted_app:file { read open };
-allow hal_memtrack_default platform_app:dir { search };
-allow hal_memtrack_default untrusted_app:file { read open getattr};
\ No newline at end of file
diff --git a/common/sepolicy/hal_tv_cec_default.te b/common/sepolicy/hal_tv_cec_default.te
new file mode 100644
index 0000000..32d5870
--- a/dev/null
+++ b/common/sepolicy/hal_tv_cec_default.te
@@ -0,0 +1,2 @@
+allow hal_tv_cec_default hdmicecd_hwservice:hwservice_manager { find };
+allow hal_tv_cec_default hdmicecd:binder { call transfer };
diff --git a/common/sepolicy/hal_wifi_default.te b/common/sepolicy/hal_wifi_default.te
index 0fbfee7..163f403 100644
--- a/common/sepolicy/hal_wifi_default.te
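Review bot: The pair `allow hal_memtrack_default { hal_graphics_composer_default hal_graphics_allocator_default hal_gatekeeper_default }:dir { search };` / `…:file { read open getattr };` is added twice in this hunk, once right after the hal_audio_default group and again after the following blank line; drop the second copy. Beyond the duplicate, the hunk now lets the memtrack HAL open and read the /proc/<pid> entries of su, keystore, tee, adbd, gatekeeperd, hal_keymaster_default, hdmicecd and every media daemon; if the HAL only needs per-process memory accounting, a comment listing which proc files it reads would let a reviewer judge whether a narrower label than the process domain (which covers everything under /proc/<pid>) is possible. The file still ends without a newline after the last rule.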
+++ b/common/sepolicy/hal_wifi_default.te
@@ -10,5 +10,9 @@ allow hal_wifi_default ctl_default_prop:property_service set;
 allow hal_wifi_default wifi_data_file:file { open setattr create read write};
 allow hal_wifi_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow hal_wifi_default { system_file vendor_file }:system module_load;
-allow hal_wifi_default hal_wifi_default:capability chown;
-allow hal_wifi_default kernel:system module_request;
+
+#allow hal_wifi_default hal_wifi_default:capability chown;
+#allow hal_wifi_default kernel:system module_request;
+
+allow hal_wifi_default wifi_data_file:dir { search };
+
diff --git a/common/sepolicy/hdcp_rx22.te b/common/sepolicy/hdcp_rx22.te
index 2ff4f35..af1b729 100644
--- a/common/sepolicy/hdcp_rx22.te
+++ b/common/sepolicy/hdcp_rx22.te
@@ -1,13 +1,14 @@
 type hdcp_rx22, domain;
-type hdcp_rx22_exec, exec_type, file_type;
+type hdcp_rx22_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hdcp_rx22)
-allow hdcp_rx22 system_file:file execute_no_trans;
+#allow hdcp_rx22 system_file:file execute_no_trans;
-allow hdcp_rx22 sysfs:file rw_file_perms;
+#allow hdcp_rx22 sysfs:file rw_file_perms;
+
+#allow hdcp_rx22 param_tv_file:dir { search read write open add_name remove_name rmdir };
+#allow hdcp_rx22 param_tv_file:file { create open read write setattr getattr lock unlink };
+
+#allow hdcp_rx22 device:dir {write};
+#allow hdcp_rx22 kmsg_device:chr_file { open write };
-allow hdcp_rx22 param_tv_file:dir { search read write open add_name remove_name rmdir };
-allow hdcp_rx22 param_tv_file:file { create open read write setattr getattr lock unlink };
-allow hdcp_rx22 kmsg_device:chr_file {write};
-allow hdcp_rx22 device:dir {write};
-allow hdcp_rx22 kmsg_device:chr_file {open};
\ No newline at end of file
diff --git a/common/sepolicy/hdcp_tx22.te b/common/sepolicy/hdcp_tx22.te
index 2c8feaa..7ac7f26 100644
--- a/common/sepolicy/hdcp_tx22.te
+++ b/common/sepolicy/hdcp_tx22.te
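Review bot: With `kernel:system module_request` commented out, the context line `allow hal_wifi_default { system_file vendor_file }:system module_load;` is the only module-loading grant left here and it still covers system_file, which lets a vendor HAL load any module shipped on /system; under the vendor/system split this commit is implementing the wifi driver should come from /vendor only, so narrow it to `allow hal_wifi_default vendor_file:system module_load;` once the module's location is confirmed, or drop it entirely if module loading has moved out of the HAL as the commented-out module_request suggests. The added `wifi_data_file:dir { search }` is what the existing `wifi_data_file:file` rule needs to be reachable, so that part is a correct fix.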
@@ -1,8 +1,9 @@
 type hdcp_tx22, domain;
-type hdcp_tx22_exec, exec_type, file_type;
+type hdcp_tx22_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hdcp_tx22)
 allow hdcp_tx22 hdcptx_device:chr_file { open read write getattr ioctl };
 allow hdcp_tx22 system_file:file execute_no_trans;
 allow hdcp_tx22 sysfs:file rw_file_perms;
+
diff --git a/common/sepolicy/hdmi_cec.te b/common/sepolicy/hdmi_cec.te
deleted file mode 100644
index 4bdefb9..0000000
--- a/common/sepolicy/hdmi_cec.te
+++ b/dev/null
@@ -1,14 +0,0 @@
-type hdmi_cec, domain;
-type hdmi_cec_exec, exec_type, file_type;
-
-init_daemon_domain(hdmi_cec)
-
-binder_use(hdmi_cec);
-binder_call(hdmi_cec, binderservicedomain)
-binder_call(hdmi_cec, appdomain)
-binder_service(hdmi_cec)
-
-allow hdmi_cec system_file:file execute_no_trans;
-allow hdmi_cec hdmi_cec_exec:file { entrypoint read };
-allow hdmi_cec hdmi_cec_service:service_manager add;
-allow hdmi_cec cec_device:chr_file { open read write ioctl };
diff --git a/common/sepolicy/hdmicecd.te b/common/sepolicy/hdmicecd.te
new file mode 100644
index 0000000..96ddcac
--- a/dev/null
+++ b/common/sepolicy/hdmicecd.te
@@ -0,0 +1,15 @@
+type hdmicecd, domain;
+type hdmicecd_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hdmicecd)
+
+allow hdmicecd vndbinder_device:chr_file { read write open ioctl };
+allow hdmicecd vndservicemanager:binder { call transfer };
+
+allow hdmicecd hwservicemanager:binder { call transfer };
+allow hdmicecd { hdmicecd_hwservice hidl_base_hwservice }:hwservice_manager { add };
+
+allow hdmicecd cec_device:chr_file { open read write ioctl };
+allow hdmicecd hwservicemanager_prop:file { open read getattr };
+
+allow hdmicecd hal_tv_cec_default:binder { call transfer };
diff --git a/common/sepolicy/hwservice.te b/common/sepolicy/hwservice.te
index cdf8581..9668e00 100644
--- a/common/sepolicy/hwservice.te
+++ b/common/sepolicy/hwservice.te
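Review bot: Only the exec type changes here, so the context lines `allow hdcp_tx22 system_file:file execute_no_trans;` and `allow hdcp_tx22 sysfs:file rw_file_perms;` survive, while the identical two rules were disabled for hdcp_rx22 in this same commit; a vendor-labelled daemon executing /system binaries and writing arbitrary sysfs nodes is exactly the cross-partition access the Treble split removes, and the execute_no_trans rule is likely to trip AOSP's vendor/system neverallows at build time. Drop both here as well, or replace the sysfs rule with a dedicated sysfs label for the HDCP attributes the daemon writes. The added trailing blank line is noise.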
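Review bot: The hwbinder plumbing in the new hdmicecd.te is written as raw allow rules (`hwservicemanager:binder`, `hwservicemanager_prop:file`, `hidl_base_hwservice:hwservice_manager add`, `vndbinder_device` and `vndservicemanager`) where AOSP provides `hwbinder_use(hdmicecd)`, `add_hwservice(hdmicecd, hdmicecd_hwservice)`, `vndbinder_use(hdmicecd)` and `binder_call(hdmicecd, hal_tv_cec_default)`; the macros keep the grants in step with framework changes, and add_hwservice also emits the neverallow that stops any other domain registering hdmicecd_hwservice. The explicit hidl_base_hwservice rule is what add_hwservice generates internally, so it can go once the macro is used. A comment stating that hal_tv_cec_default is the only intended client of the hwservice would make the `find` grant in hal_tv_cec_default.te reviewable.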
@@ -1 +1,2 @@
-type systemcontrol_hwservice, hwservice_manager_type;
\ No newline at end of file
+type systemcontrol_hwservice, hwservice_manager_type;
+type hdmicecd_hwservice, hwservice_manager_type;
diff --git a/common/sepolicy/hwservice_contexts b/common/sepolicy/hwservice_contexts
index 48a2be0..e6787ae 100644
--- a/common/sepolicy/hwservice_contexts
+++ b/common/sepolicy/hwservice_contexts
@@ -1 +1,2 @@
 vendor.amlogic.hardware.systemcontrol::ISystemControl u:object_r:systemcontrol_hwservice:s0
+vendor.amlogic.hardware.hdmicec::IDroidHdmiCEC u:object_r:hdmicecd_hwservice:s0
diff --git a/common/sepolicy/hwservicemanager.te b/common/sepolicy/hwservicemanager.te
index 0395fac..b74d62b 100644
--- a/common/sepolicy/hwservicemanager.te
+++ b/common/sepolicy/hwservicemanager.te
@@ -1,4 +1,9 @@
 allow hwservicemanager system_control:binder { call transfer };
 allow hwservicemanager system_control:dir { search };
 allow hwservicemanager system_control:file { read open };
-allow hwservicemanager system_control:process { getattr };
\ No newline at end of file
+allow hwservicemanager system_control:process { getattr };
+
+allow hwservicemanager hdmicecd:binder { call transfer };
+allow hwservicemanager hdmicecd:dir { search };
+allow hwservicemanager hdmicecd:file { read open };
+allow hwservicemanager hdmicecd:process { getattr };
\ No newline at end of file
diff --git a/common/sepolicy/imageserver.te b/common/sepolicy/imageserver.te
index 2807189..4f68d0e 100644
--- a/common/sepolicy/imageserver.te
+++ b/common/sepolicy/imageserver.te
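Review bot: The four new `allow hwservicemanager hdmicecd:…` rules copy the system_control block above them, and both sets look like duplicates of what AOSP's own hwservicemanager.te grants to every registering domain (binder call/transfer plus /proc/<pid> dir search, file read/open and process getattr); if that upstream rule is present in the tree this builds against, these lines are redundant and should be dropped rather than repeated per daemon. Checking the compiled policy for the upstream rule before keeping them would settle it. The file also still ends without a newline, which this hunk rewrites the last line of and could have fixed.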
@@ -1,42 +1,44 @@
 type imageserver, domain;
-type imageserver_exec, exec_type, file_type;
+type imageserver_exec, exec_type, vendor_file_type, file_type;
 typeattribute imageserver mlstrustedsubject;
 init_daemon_domain(imageserver)
-allow imageserver shell_exec:file rx_file_perms;
-allow imageserver system_file:file execute_no_trans;
+allow imageserver vendor_file:file { execute };
-allow imageserver imageserver_service:service_manager add;
+#allow imageserver shell_exec:file rx_file_perms;
+#allow imageserver system_file:file execute_no_trans;
-allow imageserver imageserver_exec:file { entrypoint read };
+#allow imageserver imageserver_service:service_manager add;
-allow imageserver self:process execmem;
+#allow imageserver imageserver_exec:file { entrypoint read };
-binder_use(imageserver);
-binder_call(imageserver, binderservicedomain)
-binder_call(imageserver, appdomain)
-binder_service(imageserver)
+#allow imageserver self:process execmem;
-allow imageserver self:capability dac_override;
-allow imageserver self:capability dac_read_search;
+#binder_use(imageserver);
+#binder_call(imageserver, binderservicedomain)
+#binder_call(imageserver, appdomain)
+#binder_service(imageserver)
+
+#allow imageserver self:capability dac_override;
+#allow imageserver self:capability dac_read_search;
 #allow imageserver appdomain:file { r_file_perms };
-allow imageserver fuse:dir r_dir_perms;
-allow imageserver fuse:file r_file_perms;
-allow imageserver app_data_file:file rw_file_perms;
+#allow imageserver fuse:dir r_dir_perms;
+#allow imageserver fuse:file r_file_perms;
+#allow imageserver app_data_file:file rw_file_perms;
 #allow imageserver system_file:file execmod;
-allow imageserver app_data_file:dir search;
+#allow imageserver app_data_file:dir search;
-allow imageserver system_control_service:service_manager find;
+#allow imageserver system_control_service:service_manager find;
-allow imageserver { mnt_user_file storage_file }:dir { getattr search };
-allow imageserver { mnt_user_file storage_file }:lnk_file { getattr read };
-allow imageserver permission_service:service_manager find;
+#allow imageserver { mnt_user_file storage_file }:dir { getattr search };
+#allow imageserver { mnt_user_file storage_file }:lnk_file { getattr read };
+#allow imageserver permission_service:service_manager find;
-allow imageserver picture_device:chr_file { read write open ioctl };
-allow imageserver kernel:system module_request;
+#allow imageserver picture_device:chr_file { read write open ioctl };
+#allow imageserver kernel:system module_request;
-allow imageserver tmpfs:dir { getattr search };
+#allow imageserver tmpfs:dir { getattr search };
diff --git a/common/sepolicy/init.te b/common/sepolicy/init.te
index 275b00c..dfb48d9 100644
--- a/common/sepolicy/init.te
+++ b/common/sepolicy/init.te
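Review bot: After this hunk imageserver keeps `init_daemon_domain(imageserver)` and `typeattribute imageserver mlstrustedsubject;` and gains `allow imageserver vendor_file:file { execute };`, while every functional rule is commented out and the file_contexts hunk in this commit no longer labels /vendor/bin/imageserver as imageserver_exec (the init.te transition is removed too), so the domain is unreachable and the one live grant is dead. If the daemon is gone for full Treble, delete imageserver.te outright; if it stays, restore the exec label and list the specific vendor binaries it executes instead of a blanket `vendor_file:file execute`. Thirty-odd lines of commented-out rules, including dac_override and execmem, are not neverallow-checked and invite being re-enabled wholesale later.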
@@ -1,76 +1,110 @@
 allow init self:capability { sys_module };
-# add system_control service
-domain_trans(init, system_control_exec, system_control)
-domain_auto_trans(init, system_control_exec, system_control)
+allow init tmpfs:lnk_file { create_file_perms };
+allow init tmpfs:blk_file { getattr read write open };
-#allow init imageserver_service:service_manager add;
-domain_trans(init, imageserver_exec, imageserver)
-
-domain_trans(init, shell_exec, logcat)
-
-domain_trans(init, tee_exec, tee)
-allow init fuse:file { open read write };
-allow init fuse:dir search;
+allow init sysfs:dir { add_name };
+allow init sysfs:file { create };
-#allow tvserver service
-domain_trans(init, tvserver_exec, tvserver)
-domain_auto_trans(init, tvserver_exec, tvserver)
+allow init kernel:system module_request;
+allow init configfs:file { create getattr open unlink write };
-#allow hdmi_cec service
-domain_trans(init, hdmi_cec_exec, hdmi_cec)
-domain_auto_trans(init, hdmi_cec_exec, hdmi_cec)
+allow init cgroup:file create_file_perms;
+allow init { system_file vendor_file rootfs}:system { module_load };
-#allow dv_config service
-domain_trans(init, dv_config_exec, dv_config)
-domain_auto_trans(init, dv_config_exec, dv_config)
+allow init vendor_file:file { execute };
-domain_trans(init, make_ext4fs_exec, make_ext4fs)
+allow init { tee_block_device userdata_block_device cache_block_device block_device }:blk_file { relabelto write read };
+allow init { vendor_block_device system_block_fsck_device odm_block_device }:blk_file { relabelto write read };
-domain_trans(init, hdcp_tx22_exec, hdcp_tx22)
+allow init configfs:file { create getattr open unlink write };
+allow init configfs:lnk_file { create unlink };
-domain_trans(init, bcmdl_exec, bcmdl);
-#allow usbpm service
-domain_trans(init, usbpm_exec, usbpm)
-domain_auto_trans(init, usbpm_exec, usbpm)
+allow init sysfs_devices_system_cpu:file { create };
+allow init sysfs_devices_system_cpu:dir { write add_name };
+allow init functionfs:dir mounton;
 allow init property_socket:sock_file write;
-allow param_tv_file rootfs:filesystem { associate };
+allow init proc:dir { write add_name };
+allow init proc:file { create };
-allow init vfat:dir rw_dir_perms;
-allow init vfat:file create_file_perms;
+allow init socket_device:sock_file { create setattr unlink };
-allow init init:tcp_socket create_stream_socket_perms;
-allow init port:tcp_socket name_bind;
-allow init node:tcp_socket node_bind;
-allow init tmpfs:lnk_file {create_file_perms};
-allow init socket_device:sock_file create_file_perms;
-allow init functionfs:file mounton;
-allow init functionfs:dir mounton;
-allow init system_data_file:file {link};
-allow init debugfs:dir mounton;
-allow init debugfs:file w_file_perms;
-allow init userdata_block_device:blk_file rw_file_perms;
-allow init cache_block_device:blk_file rw_file_perms;
-allow init drm_device:chr_file {setattr read write open ioctl};
-allow init tee_block_device:blk_file rw_file_perms;
-allow init odm_block_device:blk_file rw_file_perms;
-allow shell drm_device:chr_file rw_file_perms;
+allow init drm_device:chr_file { setattr read write open ioctl };
 allow init firmload_exec:file {getattr};
-recovery_only(`
- domain_trans(init, rootfs, shell)
- domain_trans(init, rootfs, adbd)
-')
-
-allow init property_socket:sock_file write;
-allow init configfs:file { create getattr open unlink write };
-allow init configfs:lnk_file { create };
-allow init sysfs_devices_system_cpu:dir { add_name write };
-allow init sysfs_devices_system_cpu:file { create };
-
-allow init sysfs:dir { add_name };
-allow init sysfs:file { create };
-allow init cgroup:file create_file_perms;
-allow init kernel:system module_request;
-
-allow init { system_file vendor_file rootfs}:system { module_load };
+#
+#
+## add system_control service
+##domain_trans(init, system_control_exec, system_control)
+#domain_auto_trans(init, system_control_exec, system_control)
+#
+##allow init imageserver_service:service_manager add;
+#domain_trans(init, imageserver_exec, imageserver)
+#
+#domain_trans(init, shell_exec, logcat)
+#
+#domain_trans(init, tee_exec, tee)
+#allow init fuse:file { open read write };
+#allow init fuse:dir search;
+#
+##allow tvserver service
+#domain_trans(init, tvserver_exec, tvserver)
+#domain_auto_trans(init, tvserver_exec, tvserver)
+#
+##allow hdmi_cec service
+#domain_trans(init, hdmi_cec_exec, hdmi_cec)
+#domain_auto_trans(init, hdmi_cec_exec, hdmi_cec)
+#
+##allow dv_config service
+#domain_trans(init, dv_config_exec, dv_config)
+#domain_auto_trans(init, dv_config_exec, dv_config)
+#
+#domain_trans(init, make_ext4fs_exec, make_ext4fs)
+#
+#domain_trans(init, hdcp_tx22_exec, hdcp_tx22)
+#
+#domain_trans(init, bcmdl_exec, bcmdl);
+##allow usbpm service
+#domain_trans(init, usbpm_exec, usbpm)
+#domain_auto_trans(init, usbpm_exec, usbpm)
+#
+#allow init property_socket:sock_file write;
+#allow param_tv_file rootfs:filesystem { associate };
+#
+#allow init vfat:dir rw_dir_perms;
+#allow init vfat:file create_file_perms;
+#
+#allow init init:tcp_socket create_stream_socket_perms;
+#allow init port:tcp_socket name_bind;
+#allow init node:tcp_socket node_bind;
+#allow init tmpfs:lnk_file {create_file_perms};
+#allow init socket_device:sock_file create_file_perms;
+#allow init functionfs:file mounton;
+#allow init functionfs:dir mounton;
+#allow init system_data_file:file {link};
+#allow init debugfs:dir mounton;
+#allow init debugfs:file w_file_perms;
+#allow init userdata_block_device:blk_file rw_file_perms;
+#allow init cache_block_device:blk_file rw_file_perms;
+
+#allow init tee_block_device:blk_file rw_file_perms;
+#allow init odm_block_device:blk_file rw_file_perms;
+
+#
+#recovery_only(`
+# domain_trans(init, rootfs, shell)
+# domain_trans(init, rootfs, adbd)
+#')
+#
+#allow init property_socket:sock_file write;
+#allow init configfs:file { create getattr open unlink write };
+#allow init configfs:lnk_file { create };
+#allow init sysfs_devices_system_cpu:dir { add_name write };
+#allow init sysfs_devices_system_cpu:file { create };
+#
+#allow init sysfs:dir { add_name };
+#allow init sysfs:file { create };
+#allow init cgroup:file create_file_perms;
+#allow init kernel:system module_request;
+#
+#allow init { system_file vendor_file rootfs}:system { module_load };
diff --git a/common/sepolicy/installd.te b/common/sepolicy/installd.te
deleted file mode 100644
index a751249..0000000
--- a/common/sepolicy/installd.te
+++ b/dev/null
@@ -1,8 +0,0 @@
-# Types extracted from seapp_contexts type= fields.
-allow installd { media_data_file }:dir { create_dir_perms relabelfrom relabelto };
-allow installd { media_data_file }:lnk_file { create setattr getattr unlink rename relabelfrom relabelto };
-allow installd { media_data_file }:{ file sock_file fifo_file } { getattr unlink rename relabelfrom relabelto setattr };
-
-allow installd media_data_file:dir { getattr read write open search setattr rmdir add_name relabelfrom relabelto};
-
-allow installd self:capability sys_nice;
\ No newline at end of file
diff --git a/common/sepolicy/kernel.te b/common/sepolicy/kernel.te
index 0856d03..a51302f 100644
--- a/common/sepolicy/kernel.te
+++ b/common/sepolicy/kernel.te
@@ -2,3 +2,5 @@ allow kernel self:capability mknod;
 allow kernel device:blk_file { ioctl read write create getattr setattr unlink };
 allow kernel device:dir {rw_file_perms rw_dir_perms write create};
 allow kernel device:chr_file { getattr setattr create };
+
+allow kernel vendor_file:file { getattr read open execute };
diff --git a/common/sepolicy/keystore.te b/common/sepolicy/keystore.te
deleted file mode 100644
index 0a0edb3..0000000
--- a/common/sepolicy/keystore.te
+++ b/dev/null
@@ -1,3 +0,0 @@
-allow keystore app_data_file:file rw_file_perms;
-allow keystore tmpfs:filesystem associate;
-allow keystore drm_device:chr_file { read open write ioctl };
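Review bot: `allow init configfs:file { create getattr open unlink write };` appears twice on the new side of this hunk (once right after the `module_request` rule, again after the block-device rules); drop one copy. The new `allow init { tee_block_device userdata_block_device cache_block_device block_device }:blk_file { relabelto write read };` grants `relabelto` on the generic `block_device` type, so a partition node can be pushed back to the catch-all label that the per-partition types in the rest of the policy exist to avoid; name the specific nodes that actually get relabeled, and add a comment saying which init step needs raw `write` on the userdata/cache/tee/vendor/odm partitions. `allow init vendor_file:file { execute };` lets the core init domain run vendor binaries in its own context, where under Treble the usual form is a `domain_auto_trans` into a dedicated vendor domain; the same blanket `vendor_file:file … execute` grant is added to platform_app, priv_app, surfaceflinger and system_app later in this commit. `allow init proc:dir { write add_name }; allow init proc:file { create };` looks like an O_CREAT open of an existing /proc node (e.g. `fopen(path, "w")`) rather than a real need to create procfs entries, which procfs does not allow anyway — the fix belongs in the caller (open without O_CREAT) and the same pair is added for `proc_net` in netd.te in this commit.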
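Review bot: `allow kernel vendor_file:file { getattr read open execute };` gives the kernel domain execute access to every file under /vendor without saying what needs it; `getattr read open` is the shape of a firmware load (the kernel reading a vendor firmware blob), whereas `execute` suggests the kernel spawning a usermode helper from /vendor, which is a much larger grant. Add a comment such as `# vendor firmware read by the kernel (<path>); execute only if <helper> is spawned — TODO confirm`, drop `execute` if only firmware is involved, and prefer a narrower type for the firmware directory over the whole `vendor_file` type.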
diff --git a/common/sepolicy/lmkd.te b/common/sepolicy/lmkd.te
deleted file mode 100644
index d6c7a6e..0000000
--- a/common/sepolicy/lmkd.te
+++ b/dev/null
@@ -1,2 +0,0 @@
-allow lmkd mediaserver:dir {open read search };
-allow lmkd mediaserver:file { open read write};
\ No newline at end of file
diff --git a/common/sepolicy/logcat.te b/common/sepolicy/logcat.te
deleted file mode 100644
index da7b7fd..0000000
--- a/common/sepolicy/logcat.te
+++ b/dev/null
@@ -1,12 +0,0 @@
-type logcat, domain;
-
-allow logcat logcat_exec:file { entrypoint read execute getattr };
-
-allow logcat log_file:dir { read open write add_name create setattr search remove_name rename };
-allow logcat log_file:file { create write open getattr read append rename unlink setattr };
-allow logcat logdr_socket:sock_file write;
-allow logcat logd:unix_stream_socket connectto;
-
-
-allow logcat shell_exec:file rx_file_perms;
-allow logcat shell_exec:file { execute_no_trans execute read open };
\ No newline at end of file
diff --git a/common/sepolicy/make_ext4fs.te b/common/sepolicy/make_ext4fs.te
deleted file mode 100644
index 2f73a93..0000000
--- a/common/sepolicy/make_ext4fs.te
+++ b/dev/null
@@ -1,19 +0,0 @@
-type make_ext4fs, domain;
-type make_ext4fs_exec, exec_type, file_type;
-init_daemon_domain(make_ext4fs)
-
-allow make_ext4fs devpts:dir { search };
-allow make_ext4fs devpts:chr_file { read write getattr ioctl };
-
-allow make_ext4fs block_device:dir { search getattr };
-
-# Allow stdin/out back to vold
-allow make_ext4fs vold:fd use;
-allow make_ext4fs vold:fifo_file { read write getattr };
-
-allow make_ext4fs dm_device:blk_file { ioctl open read write create getattr };
-
-allow make_ext4fs rootfs:lnk_file {getattr};
-allow make_ext4fs rootfs:file {getattr read open};
-
-allow make_ext4fs file_contexts_file:file {getattr read open};
diff --git a/common/sepolicy/mediacodec.te b/common/sepolicy/mediacodec.te
index e82a2fd..ebd66e9 100644
--- a/common/sepolicy/mediacodec.te
+++ b/common/sepolicy/mediacodec.te
@@ -1,11 +1,13 @@
-allow mediacodec system_control_service:service_manager find;
-allow mediacodec drm_device:chr_file {setattr read write open ioctl};
-allow mediacodec sysfs:file { open read write};
+#allow mediacodec system_control_service:service_manager find;
+allow mediacodec drm_device:chr_file { setattr read write open ioctl };
+allow mediacodec sysfs:file { open read write };
 allow mediacodec sysfs_xbmc:file { open read write};
-allow mediacodec audioserver_service:service_manager find;
+#allow mediacodec audioserver_service:service_manager find;
 get_prop(mediacodec, media_prop)
 allow mediacodec kernel:system module_request;
 allow mediacodec mediaserver:dir { search };
 allow mediacodec mediaserver:file { read open };
 allow mediacodec dvb_video_device:chr_file rw_file_perms;
+
+allow mediacodec system_file:dir { read open };
diff --git a/common/sepolicy/mediaserver.te b/common/sepolicy/mediaserver.te
index 2461546..749c070 100644
--- a/common/sepolicy/mediaserver.te
+++ b/common/sepolicy/mediaserver.te
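Review bot: The new `allow mediacodec system_file:dir { read open };` has no comment naming the directory mediacodec enumerates, and a directory listing under /system from a codec process usually means plugin discovery; if mediacodec runs as a vendor process on this tree, the plugins it scans for should live under /vendor rather than be found by walking /system. Add the directory to a comment, e.g. `# lists /system/<dir> for <purpose> — TODO confirm`, or narrow the rule to a more specific type if one exists.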
@@ -1,27 +1,27 @@
-allow mediaserver system_server:unix_stream_socket { read write setopt };
-# media.* props
-allow mediaserver media_prop:property_service set;
-allow mediaserver system_server:dir search;
-# /dev/uio0 for amadec
-#allow mediaserver uio_device:chr_file rw_file_perms;
-#allow mediaserver dvb_video_device:chr_file rw_file_perms;
-# read app /proc/pid/
-allow mediaserver appdomain:dir { getattr search };
-allow mediaserver appdomain:file { r_file_perms };
-
-allow mediaserver graphics_device:dir r_dir_perms;
-allow mediaserver system_data_file:dir {write add_name};
-allow mediaserver sysfs:file { open read write};
-allow mediaserver sysfs_xbmc:file {open read write};
-allow mediaserver screenmediasource_service:service_manager add;
-allow mediaserver system_control_service:service_manager find;
-allow mediaserver media_data_file:lnk_file {create open read write};
-allow mediaserver tvserver:fd use;
-allow mediaserver storage_file:dir search;
-
-allow mediaserver audio_device:dir r_dir_perms;
-allow mediaserver sysfs_audio_cap:file {open read write};
-allow mediaserver kernel:system module_request;
+#allow mediaserver system_server:unix_stream_socket { read write setopt };
+## media.* props
+#allow mediaserver media_prop:property_service set;
+#allow mediaserver system_server:dir search;
+## /dev/uio0 for amadec
+##allow mediaserver uio_device:chr_file rw_file_perms;
+##allow mediaserver dvb_video_device:chr_file rw_file_perms;
+## read app /proc/pid/
+#allow mediaserver appdomain:dir { getattr search };
+#allow mediaserver appdomain:file { r_file_perms };
+#
+#allow mediaserver graphics_device:dir r_dir_perms;
+#allow mediaserver system_data_file:dir {write add_name};
+#allow mediaserver sysfs:file { open read write};
+#allow mediaserver sysfs_xbmc:file {open read write};
+#allow mediaserver screenmediasource_service:service_manager add;
+#allow mediaserver system_control_service:service_manager find;
+#allow mediaserver media_data_file:lnk_file {create open read write};
+#allow mediaserver tvserver:fd use;
+#allow mediaserver storage_file:dir search;
+#
+#allow mediaserver audio_device:dir r_dir_perms;
+#allow mediaserver sysfs_audio_cap:file {open read write};
+#allow mediaserver kernel:system module_request;
 allow mediaserver exfat:file { getattr read };
 allow mediaserver ntfs:file { getattr read };
diff --git a/common/sepolicy/netd.te b/common/sepolicy/netd.te
index 0cf070b..9361eaf 100644
--- a/common/sepolicy/netd.te
+++ b/common/sepolicy/netd.te
@@ -3,5 +3,8 @@ allow netd self:capability sys_module;
 allow netd servicemanager:binder call;
+allow netd proc_net:dir { write add_name };
+allow netd proc_net:file { create };
+
 allow netd rootfs:lnk_file { getattr };
-allow netd self:capability sys_nice;
\ No newline at end of file
+allow netd self:capability sys_nice;
diff --git a/common/sepolicy/platform_app.te b/common/sepolicy/platform_app.te
index 9447a97..37d09a7 100644
--- a/common/sepolicy/platform_app.te
+++ b/common/sepolicy/platform_app.te
@@ -1,23 +1,32 @@
-allow platform_app sysfs_xbmc:file {rw_file_perms};
-allow platform_app usb_device:dir {open read};
-allow platform_app system_control_service:service_manager find;
-allow platform_app subtitle_service:service_manager find;
-allow platform_app system_control_service:dir { read open search };
-allow platform_app imageserver_service:service_manager find;
+#allow platform_app sysfs_xbmc:file {rw_file_perms};
+#allow platform_app usb_device:dir {open read};
+#allow platform_app system_control_service:service_manager find;
+#allow platform_app subtitle_service:service_manager find;
+#allow platform_app system_control_service:dir { read open search };
+#allow platform_app imageserver_service:service_manager find;
+#
+#allow platform_app mediadrmserver_service:service_manager find;
+#allow platform_app loop_device:dir { open read };
+#
+#allow platform_app iso9660:dir { search open read getattr };
+#allow platform_app iso9660:file { open read getattr };
+#
+#allow platform_app udf:dir { search open read getattr };
+#allow platform_app udf:file { open read getattr };
+#
+#allow platform_app fuseblk:dir create_dir_perms;
+#allow platform_app fuseblk:file create_file_perms;
+#
+#allow platform_app tvserver_service:service_manager find;
+#allow system_app unlabeled:dir { search read write getattr };
+#allow system_app unlabeled:file { lock open read write getattr };
+#allow priv_app media_prop:file { read };
-allow platform_app mediadrmserver_service:service_manager find;
-allow platform_app loop_device:dir { open read };
-
-allow platform_app iso9660:dir { search open read getattr };
-allow platform_app iso9660:file { open read getattr };
-
-allow platform_app udf:dir { search open read getattr };
-allow platform_app udf:file { open read getattr };
+get_prop(platform_app, media_prop)
+get_prop(system_app, media_prop)
-allow platform_app fuseblk:dir create_dir_perms;
-allow platform_app fuseblk:file create_file_perms;
+allow platform_app vendor_file:file { getattr read open execute };
-allow platform_app tvserver_service:service_manager find;
 allow platform_app exfat:dir create_dir_perms;
 allow platform_app exfat:file create_file_perms;
@@ -25,8 +34,3 @@ allow platform_app exfat:file create_file_perms;
 allow platform_app ntfs:dir create_dir_perms;
 allow platform_app ntfs:file create_file_perms;
-allow platform_app storage_stub_file:dir { read open getattr search };
-
-allow priv_app media_prop:file { read };
-get_prop(platform_app, media_prop)
-get_prop(system_app, media_prop)
diff --git a/common/sepolicy/ppp.te b/common/sepolicy/ppp.te
deleted file mode 100644
index 4d4d25f..0000000
--- a/common/sepolicy/ppp.te
+++ b/dev/null
@@ -1,13 +0,0 @@
-# Point to Point Protocol daemon
-allow ppp mtp:socket rw_socket_perms;
-allow ppp mtp:unix_dgram_socket rw_socket_perms;
-#allow ppp ppp_device:chr_file rw_file_perms;
-allow ppp self:capability net_admin;
-allow ppp system_file:file rx_file_perms;
-allow ppp vpn_data_file:dir w_dir_perms;
-allow ppp vpn_data_file:file create_file_perms;
-allow ppp mtp:fd use;
-allow ppp dhcp_prop:property_service set;
-allow ppp ppp_data_file:dir { write search setattr create add_name mounton create_dir_perms };
-allow ppp ppp_system_file:dir { search };
-allow ppp ppp_system_file:file { getattr execute read open execute_no_trans };
diff --git a/common/sepolicy/pppd.te b/common/sepolicy/pppd.te
deleted file mode 100644
index 66a4408..0000000
--- a/common/sepolicy/pppd.te
+++ b/dev/null
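Review bot: `get_prop(system_app, media_prop)` and the commented `#allow system_app unlabeled:…` / `#allow priv_app media_prop:file { read };` lines are rules for other domains living in platform_app.te; the second hunk already removes the old `allow priv_app media_prop:file { read };` from the bottom of this file, so `get_prop(system_app, media_prop)` should move to system_app.te, which this commit is editing anyway. This tree is organised one file per domain, and a `system_app` grant hidden in platform_app.te is easy to miss when auditing what system_app may read.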
@@ -1,42 +0,0 @@
-# Point to Point Protocol daemon
-type sh, domain;
-type sh_device, dev_type;
-type sh_exec, exec_type, file_type;
-
-domain_auto_trans(ppp, sh_exec, sh)
-
-init_daemon_domain(ppp)
-net_domain(ppp)
-
-allow ppp mtp:socket rw_socket_perms;
-allow ppp mtp:unix_dgram_socket rw_socket_perms;
-allow ppp ppp_device:file { rw_file_perms x_file_perms };
-allow ppp ppp_device:dir { rw_file_perms search };
-allow ppp self:capability { dac_override net_admin net_raw setgid setuid };
-allow ppp system_file:file rx_file_perms;
-allow ppp system_file:dir r_file_perms;
-allow ppp system_data_file:dir rw_file_perms;
-allow ppp system_data_file:fifo_file rw_file_perms;
-allow ppp vpn_data_file:dir w_dir_perms;
-allow ppp vpn_data_file:file create_file_perms;
-allow ppp mtp:fd use;
-
-allow ppp shell_exec:file rx_file_perms;
-allow ppp property_socket:sock_file write;
-allow ppp radio_prop:property_service set;
-allow ppp system_prop:property_service set;
-allow ppp net_radio_prop:property_service set;
-allow ppp init:unix_stream_socket connectto;
-
-allow ppp radio_device:chr_file rw_file_perms;
-allow ppp radio_data_file:file rw_file_perms;
-allow ppp unlabeled:filesystem { associate };
-allow ppp ppp_exec:file rx_file_perms;
-allow ppp device:file create_file_perms;
-allow ppp device:lnk_file create_file_perms;
-allow ppp device:dir { create_file_perms add_name };
-
-allow sh shell_exec:file rx_file_perms;
-allow sh system_file:file rx_file_perms;
-allow sh ppp_exec:file rx_file_perms;
-allow sh radio_device:file { rw_file_perms link unlink };
diff --git a/common/sepolicy/pppoe_wrapper.te b/common/sepolicy/pppoe_wrapper.te
index 892d556..f8f55d4 100644
--- a/common/sepolicy/pppoe_wrapper.te
+++ b/common/sepolicy/pppoe_wrapper.te
@@ -1,28 +1,31 @@
 type pppoe_wrapper, domain;
-type pppoe_wrapper_exec, exec_type, file_type;
-
+type pppoe_wrapper_exec, exec_type, vendor_file_type, file_type;
+#
 init_daemon_domain(pppoe_wrapper)
-allow pppoe_wrapper ppp_exec:file { execute_no_trans execute getattr read open };
-allow pppoe_wrapper pppoe_wrapper_exec:file { entrypoint read execute };
-allow pppoe_wrapper system_file:file execute_no_trans;
-allow pppoe_wrapper pppoe_wrapper:process setfscreate;
-allow pppoe_wrapper pppoe_wrapper:capability { net_raw dac_override net_admin setgid setuid kill };
-allow pppoe_wrapper pppoe_wrapper:netlink_route_socket { bind create read write };
-allow pppoe_wrapper property_socket:sock_file write;
-allow pppoe_wrapper system_app:unix_dgram_socket sendto;
-allow pppoe_wrapper ppp_data_file:sock_file { create write setattr unlink };
-allow pppoe_wrapper ppp_data_file:dir { write search setattr create add_name mounton remove_name };
-allow pppoe_wrapper ppp_data_file:file { create write open lock getattr read unlink };
-allow pppoe_wrapper ppp_system_file:dir search;
-allow pppoe_wrapper socket_device:dir { add_name write };
-allow pppoe_wrapper socket_device:sock_file { create setattr };
-allow pppoe_wrapper pppoe_wrapper_socket:sock_file { create setattr write };
-allow pppoe_wrapper shell_exec:file { execute_no_trans execute read open };
-allow pppoe_wrapper net_radio_prop:property_service set;
-allow pppoe_wrapper dhcp_prop:property_service set;
-allow pppoe_wrapper init:unix_stream_socket connectto;
-allow pppoe_wrapper socket_device:sock_file { setattr write };
-allow pppoe_wrapper rootfs:file { read open getattr };
-allow pppoe_wrapper shell_exec:file getattr;
-allow pppoe_wrapper proc_net:file { read open getattr };
\ No newline at end of file
+allow pppoe_wrapper vendor_file:file { execute };
+
+#
+#allow pppoe_wrapper ppp_exec:file { execute_no_trans execute getattr read open };
+#allow pppoe_wrapper pppoe_wrapper_exec:file { entrypoint read execute };
+#allow pppoe_wrapper system_file:file execute_no_trans;
+#allow pppoe_wrapper pppoe_wrapper:process setfscreate;
+#allow pppoe_wrapper pppoe_wrapper:capability { net_raw dac_override net_admin setgid setuid kill };
+#allow pppoe_wrapper pppoe_wrapper:netlink_route_socket { bind create read write };
+#allow pppoe_wrapper property_socket:sock_file write;
+#allow pppoe_wrapper system_app:unix_dgram_socket sendto;
+#allow pppoe_wrapper ppp_data_file:sock_file { create write setattr unlink };
+#allow pppoe_wrapper ppp_data_file:dir { write search setattr create add_name mounton remove_name };
+#allow pppoe_wrapper ppp_data_file:file { create write open lock getattr read unlink };
+#allow pppoe_wrapper ppp_system_file:dir search;
+#allow pppoe_wrapper socket_device:dir { add_name write };
+#allow pppoe_wrapper socket_device:sock_file { create setattr };
+#allow pppoe_wrapper pppoe_wrapper_socket:sock_file { create setattr write };
+#allow pppoe_wrapper shell_exec:file { execute_no_trans execute read open };
+#allow pppoe_wrapper net_radio_prop:property_service set;
+#allow pppoe_wrapper dhcp_prop:property_service set;
+#allow pppoe_wrapper init:unix_stream_socket connectto;
+#allow pppoe_wrapper socket_device:sock_file { setattr write };
+#allow pppoe_wrapper rootfs:file { read open getattr };
+#allow pppoe_wrapper shell_exec:file getattr;
+#allow pppoe_wrapper proc_net:file { read open getattr };
diff --git a/common/sepolicy/priv_app.te b/common/sepolicy/priv_app.te
index efb5f52..2b02883 100644
--- a/common/sepolicy/priv_app.te
+++ b/common/sepolicy/priv_app.te
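Review bot: After this hunk pppoe_wrapper keeps `init_daemon_domain(pppoe_wrapper)` and gains only `allow pppoe_wrapper vendor_file:file { execute };`, while every rule it needed to do its job (the `net_raw`/`net_admin` capabilities, the `netlink_route_socket`, the `dhcp_prop`/`net_radio_prop` sets, the `ppp_data_file` and socket rules) is commented out. If the daemon still starts it will be denied on first use; if its work moved elsewhere, a header comment naming the replacement would explain why the domain is kept at all. Since `pppoe_wrapper_exec` is now `vendor_file_type`, whatever replaces the commented rules should be checked against the vendor/system boundary rather than restored as-is (for instance `init:unix_stream_socket connectto` and system property sets from a vendor domain).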
@@ -1,5 +1,16 @@
 allow priv_app fuseblk:dir { search };
 allow priv_app fuseblk:file { read open getattr };
-allow priv_app proc_modules:file {getattr};
-allow priv_app media_prop:file {read};
+allow priv_app proc_modules:file { getattr read open };
+allow priv_app proc_interrupts:file { getattr read open };
+
+allow priv_app media_prop:file { read };
 allow priv_app dvb_device:chr_file rw_file_perms;
+#allow priv_app property_socket:sock_file { write };
+
+allow priv_app vendor_file:file { open read getattr execute };
+
+allow priv_app zygote:dir { search read };
+allow priv_app zygote:file { open read };
+allow priv_app device:dir { read search open };
+
+allow priv_app { su_exec bootanim_exec bootstat_exec }:file { getattr };
diff --git a/common/sepolicy/recovery.te b/common/sepolicy/recovery.te
deleted file mode 100644
index e559270..0000000
--- a/common/sepolicy/recovery.te
+++ b/dev/null
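Review bot: `allow priv_app zygote:dir { search read };` and `allow priv_app zygote:file { open read };` target zygote's /proc/<pid> entries (those carry the process domain as their label), so any privileged app can read zygote's /proc files such as maps, status or cmdline — an information leak, and almost certainly more than the caller needs; name the specific entry in a comment and narrow the rule to it, or have the app use a platform API instead. `allow priv_app { su_exec bootanim_exec bootstat_exec }:file { getattr };` is odd too: the `su` binary labelled `su_exec` normally ships only on debuggable builds, so a privileged app stat'ing it looks like a stray denial from a PATH or directory walk rather than a feature, and should be investigated rather than allowed. The `proc_modules`/`proc_interrupts` read access tells an app which kernel modules and IRQs exist; a comment should say which app needs it.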
@@ -1,34 +0,0 @@
-recovery_only(`
-
- allow recovery uboot_prop:property_service set;
- allow recovery rootfs:dir create_dir_perms;
- allow recovery sysfs:dir mounton;
- #allow recovery debugfs:file r_file_perms;
-
- allow recovery vfat:dir create_dir_perms;
- allow recovery vfat:file create_file_perms;
-
- #allow recovery ppp_system_file:file {create_file_perms relabelfrom relabelto};
- #allow recovery ppp_system_file:dir {create_dir_perms relabelfrom relabelto};
-
-# allow recovery env_device:chr_file rw_file_perms;
-# allow recovery input_device:chr_file write;
- allow recovery property_data_file:dir { search };
- allow recovery device:dir rw_dir_perms;
-# allow recovery bootloader_device:chr_file rw_file_perms;
-# allow recovery defendkey_device:chr_file rw_file_perms;
- allow recovery dtb_device:chr_file { open read write };
- allow recovery aml_display_prop:property_service set;
-# allow recovery kmsg_device:chr_file rw_file_perms;
- allow recovery recovery:capability { net_admin };
-# allow recovery recovery:netlink_kobject_uevent_socket { create bind setopt read };
- allow recovery aml_display_prop:file {open read getattr};
- allow recovery uboot_prop:file {open read getattr};
- allow recovery sysfs_xbmc:file {open read write};
- allow recovery update_data_file:file rw_file_perms;
- allow recovery update_data_file:dir { search read write open };
-
- allow shell tmpfs:file {open read getattr};
- allow shell sysfs:file {read};
- allow shell rootfs:file {execute_no_trans};
-')
diff --git a/common/sepolicy/remotecfg.te b/common/sepolicy/remotecfg.te
index 72e0334..32116ad 100644
--- a/common/sepolicy/remotecfg.te
+++ b/common/sepolicy/remotecfg.te
@@ -1,6 +1,6 @@
 # remotecfg seclabel is specified in init.amlogic.rc
 type remotecfg, domain;
-type remotecfg_exec, exec_type, file_type;
+type remotecfg_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(remotecfg)
diff --git a/common/sepolicy/seapp_contexts b/common/sepolicy/seapp_contexts
deleted file mode 100644
index e3aab7e..0000000
--- a/common/sepolicy/seapp_contexts
+++ b/dev/null
@@ -1,38 +0,0 @@
-# Input selectors:
-# isSystemServer (boolean)
-# user (string)
-# seinfo (string)
-# name (string)
-# path (string)
-# sebool (string)
-# isSystemServer=true can only be used once.
-# An unspecified isSystemServer defaults to false.
-# An unspecified string selector will match any value.
-# A user string selector that ends in * will perform a prefix match.
-# user=_app will match any regular app UID.
-# user=_isolated will match any isolated service UID.
-# All specified input selectors in an entry must match (i.e. logical AND).
-# Matching is case-insensitive.
-#
-# Precedence rules:
-# (1) isSystemServer=true before isSystemServer=false.
-# (2) Specified user= string before unspecified user= string.
-# (3) Fixed user= string before user= prefix (i.e. ending in *).
-# (4) Longer user= prefix before shorter user= prefix.
-# (5) Specified seinfo= string before unspecified seinfo= string.
-# (6) Specified name= string before unspecified name= string.
-# (7) Specified path= string before unspecified path= string.
-# (8) Specified sebool= string before unspecified sebool= string.
-#
-# Outputs:
-# domain (string)
-# type (string)
-# levelFrom (string; one of none, all, app, or user)
-# level (string)
-# Only entries that specify domain= will be used for app process labeling.
-# Only entries that specify type= will be used for app directory labeling.
-# levelFrom=user is only supported for _app or _isolated UIDs.
-# levelFrom=app or levelFrom=all is only supported for _app UIDs.
-# level may be used to specify a fixed level for any UID.
-#
-#user=media domain=mediaserver type=media_data_file
diff --git a/common/sepolicy/servicemanager.te b/common/sepolicy/servicemanager.te
deleted file mode 100644
index f698d9d..0000000
--- a/common/sepolicy/servicemanager.te
+++ b/dev/null
@@ -1,6 +0,0 @@
-allow servicemanager init:dir search;
-allow servicemanager init:file { read open };
-allow servicemanager init:process getattr;
-
-allow servicemanager system_control:dir r_dir_perms;
-allow servicemanager system_control:file r_file_perms;
\ No newline at end of file
diff --git a/common/sepolicy/shell.te b/common/sepolicy/shell.te
new file mode 100644
index 0000000..5c3da9a
--- a/dev/null
+++ b/common/sepolicy/shell.te
@@ -0,0 +1,6 @@
+allow shell rootfs:file { entrypoint };
+allow shell sysfs:file { read open getattr };
+
+
+allow shell hdcptx_device:chr_file { open read write getattr ioctl };
+
diff --git a/common/sepolicy/surfaceflinger.te b/common/sepolicy/surfaceflinger.te
index 4348c9b..b94ba82 100644
--- a/common/sepolicy/surfaceflinger.te
+++ b/common/sepolicy/surfaceflinger.te
@@ -1,7 +1,5 @@
-allow surfaceflinger sysfs:file write;
-allow surfaceflinger sysfs_xbmc:file {open read write};
+allow surfaceflinger vendor_file:file { open read getattr execute };
 allow surfaceflinger system_control_service:service_manager find;
 get_prop(surfaceflinger, tv_prop)
-set_prop(surfaceflinger, ctl_default_prop)
-allow surfaceflinger dvb_video_device:chr_file rw_file_perms;
\ No newline at end of file
+set_prop(surfaceflinger, ctl_default_prop)
\ No newline at end of file
diff --git a/common/sepolicy/system_app.te b/common/sepolicy/system_app.te
index c24b45c..f9dd27b 100644
--- a/common/sepolicy/system_app.te
+++ b/common/sepolicy/system_app.te
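Review bot: `allow shell hdcptx_device:chr_file { open read write getattr ioctl };` gives the adb shell user read/write/ioctl on the HDCP transmitter device node on every build type; if this is for a bench or test tool it should be wrapped in the `userdebug_or_eng` macro so user builds do not ship it, and a comment should name the tool. `allow shell rootfs:file { entrypoint };` lets a rootfs file serve as the entry point into the shell domain, which is what the deleted `recovery_only(` … `domain_trans(init, rootfs, shell)` … `')` blocks in init.te and recovery.te used to provide; if it is only for recovery it should be wrapped in `recovery_only` as before, otherwise, together with a transition rule, it widens how the shell domain can be entered on a normal boot.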
@@ -1,56 +1,67 @@
-allow system_app sysfs_lowmemorykiller:file { getattr w_file_perms };
-allow system_app subtitle_service:service_manager add;
-
-#added for atv remote
-allow system_app uhid_device:dir r_dir_perms;
-
-allow system_app dhcp_data_file:file { r_file_perms };
-allow system_app ppp_data_file:dir { create_dir_perms };
-allow system_app ppp_data_file:file { create_file_perms };
-allow system_app ppp_data_file:sock_file { create_file_perms };
-allow system_app pppoe_wrapper_socket:sock_file { write setattr };
-allow system_app pppoe_wrapper_socket:file { getattr write open };
-allow system_app pppoe_wrapper:unix_dgram_socket sendto;
-allow system_app dhcp_data_file:dir { r_dir_perms };
-allow system_app dhcp_data_file:fifo_file { r_file_perms };
-
-allow system_app vold:unix_stream_socket connectto;
-allow system_app pppoe_service:service_manager add;
-allow system_app dig_socket:sock_file write;
-
-allow system_app iso9660:dir { search read open };
-allow system_app unlabeled:dir { open search read write getattr };
-allow system_app unlabeled:file { lock open read write getattr };
-
-# /cache_file for dvb app creat update.zip file at /cache dir
-allow system_app cache_file:dir {create_dir_perms create_file_perms rw_file_perms};
-allow system_app cache_file:file {create_file_perms rw_file_perms getattr};
-
-allow system_app log_file:dir { search read open getattr };
-allow system_app log_file:file { read open getattr };
-allow system_app tombstone_data_file:dir r_dir_perms;
-allow system_app tombstone_data_file:file r_file_perms;
-
-allow system_app shell_data_file:dir search;
-allow system_app graphics_device:dir search;
-allow system_app sysfs_xbmc:file {open read write};
-allow system_app media_prop:property_service set;
-allow system_app system_app:process setfscreate;
-allow system_app socket_device:sock_file setattr;
-allow system_app pppoe_wrapper_socket:sock_file create;
-allow system_app pppoe_wrapper_socket:sock_file unlink;
-allow system_app pppoe_wrapper_socket:file create;
-allow system_app cache_recovery_file:dir { search read open write add_name remove_name};
-allow system_app cache_recovery_file:file { create rw_file_perms unlink};
-allow system_app update_data_file:dir {getattr search read write open add_name remove_name};
-allow system_app update_data_file:file {getattr write read create open unlink};
-allow system_app update_engine:binder {call transfer};
-
-allow system_app tv_prop:file {open read getattr};
-allow system_app tv_prop:property_service {set};
-
-allow system_app proc_stat:file { read open getattr };
-allow system_app proc_interrupts:file { read open getattr };
+#allow system_app sysfs_lowmemorykiller:file { getattr w_file_perms };
+#allow system_app subtitle_service:service_manager add;
+#
+##added for atv remote
+#allow system_app uhid_device:dir r_dir_perms;
+#
+#allow system_app dhcp_data_file:file { r_file_perms };
+#allow system_app ppp_data_file:dir { create_dir_perms };
+#allow system_app ppp_data_file:file { create_file_perms };
+#allow system_app ppp_data_file:sock_file { create_file_perms };
+#allow system_app pppoe_wrapper_socket:sock_file { write setattr };
+#allow system_app pppoe_wrapper_socket:file { getattr write open };
+#allow system_app pppoe_wrapper:unix_dgram_socket sendto;
+#allow system_app dhcp_data_file:dir { r_dir_perms };
+#allow system_app dhcp_data_file:fifo_file { r_file_perms };
+#
+#allow system_app vold:unix_stream_socket connectto;
+#allow system_app pppoe_service:service_manager add;
+#allow system_app dig_socket:sock_file write;
+#
+#allow system_app iso9660:dir { search read open };
+#allow system_app unlabeled:dir { search read write getattr };
+#allow system_app unlabeled:file { lock open read write getattr };
+#
+## /cache_file for dvb app creat update.zip file at /cache dir
+#allow system_app cache_file:dir {create_dir_perms create_file_perms rw_file_perms};
+#allow system_app cache_file:file {create_file_perms rw_file_perms};
+#
+#allow system_app log_file:dir { search read open getattr };
+#allow system_app log_file:file { read open getattr };
+#allow system_app tombstone_data_file:dir r_dir_perms;
+#allow system_app tombstone_data_file:file r_file_perms;
+#
+#allow system_app shell_data_file:dir search;
+#allow system_app graphics_device:dir search;
+#allow system_app sysfs_xbmc:file {open read write};
+#allow system_app media_prop:property_service set;
+#allow system_app system_app:process setfscreate;
+#allow system_app socket_device:sock_file setattr;
+#allow system_app pppoe_wrapper_socket:sock_file create;
+#allow system_app pppoe_wrapper_socket:sock_file unlink;
+#allow system_app pppoe_wrapper_socket:file create;
+#allow system_app cache_recovery_file:dir { search read open write add_name remove_name};
+#allow system_app cache_recovery_file:file { create rw_file_perms unlink};
+
+#allow system_app update_engine:binder {call transfer};
+#
+#allow system_app tv_prop:file {open read getattr};
+#allow system_app tv_prop:property_service {set};
+
+allow system_app rootfs:dir { getattr };
+
+allow system_app vendor_file:file { read open getattr execute };
+
+allow system_app system_app:netlink_kobject_uevent_socket { create };
+
+allow system_app update_data_file:dir { getattr search read write open add_name remove_name };
+allow system_app update_data_file:file { getattr write read create open unlink };
+
+allow system_app { pppoe_service subtitle_service }:service_manager { add };
+
+allow system_app system_app:netlink_kobject_uevent_socket { create setopt bind read getopt };
+
+#allow system_app socket_device:sock_file { write };
 allow system_app exfat:dir create_dir_perms;
 allow system_app exfat:file create_file_perms;
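Review bot: `allow system_app system_app:netlink_kobject_uevent_socket { create };` is followed a few lines later by `allow system_app system_app:netlink_kobject_uevent_socket { create setopt bind read getopt };`, which already contains it; keep only the second, written as `self:` for consistency with the `self:capability` style used elsewhere in this tree. `allow system_app { pppoe_service subtitle_service }:service_manager { add };` re-adds grants the old side carried one per line, so there is no net change, but an app domain registering binder services is unusual enough to deserve a comment naming the app. `allow system_app rootfs:dir { getattr };` and the uevent socket likewise arrive without a word on which system app needs them.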
@@ -59,3 +70,6 @@ allow system_app ntfs:dir create_dir_perms; allow system_app ntfs:file create_file_perms; allow system_app mnt_media_rw_file:dir r_dir_perms; +allow system_app { systemcontrol_hwservice hdmicecd_hwservice }:hwservice_manager { find }; + +allow system_app { system_control hdmicecd }:binder { call transfer }; diff --git a/common/sepolicy/system_control.te b/common/sepolicy/system_control.te index 8038edb..828b97b 100644 --- a/common/sepolicy/system_control.te +++ b/common/sepolicy/system_control.te @@ -1,12 +1,7 @@ type system_control, domain; -type system_control_exec, exec_type, file_type; +type system_control_exec, exec_type, vendor_file_type, file_type; -allow system_control system_control_exec:file { entrypoint read }; - -binder_use(system_control); -binder_call(system_control, binderservicedomain) -binder_call(system_control, system_server) -binder_service(system_control) +init_daemon_domain(system_control) allow system_control vndbinder_device:chr_file { read write open ioctl }; allow system_control vndservicemanager:binder { call transfer }; @@ -24,7 +19,7 @@ allow system_control system_control:netlink_kobject_uevent_socket { create setop allow system_control self:capability { net_admin }; -unix_socket_connect(system_control, vold, vold); +#unix_socket_connect(system_control, vold, vold); #unix_socket_connect(system_control, property, init); # Property Service write 
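Review bot: The `hwservice_manager { find }` rule names `systemcontrol_hwservice` and `hdmicecd_hwservice`, but no `type ..., hwservice_manager_type;` declaration and no hwservice_contexts entry for either is in this diff, and an undeclared type fails the policy build, so confirm they land in the same change. The binder line grants system_app `transfer` as well as `call` toward system_control and hdmicecd; if system_app only invokes their HIDL methods and never hands over callback objects, `call` alone is the narrower grant, and the reply direction is covered by the `allow system_control system_app:binder { call };` added further down in system_control.te. A one-line comment above the pair, e.g. `# system_app is a client of the systemcontrol and hdmicec hwservices`, would tell the next reader which transport these rules serve.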
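Review bot: Rules are commented out rather than deleted throughout this commit (`#unix_socket_connect(system_control, vold, vold);` in the next hunk, the three `#allow system_control ...:service_manager` lines and `#allow system_control shell_exec:file ...` in the following hunks, plus the large blocks in system_app.te, system_server.te and vold.te); a dead `allow` in a .te file reads as a pending grant and tends to be uncommented wholesale, so drop them and let history carry the old policy. On the new side, `system_control_exec` gaining `vendor_file_type` implies the binary is now labeled under /vendor in file_contexts, which is not part of this diff. `init_daemon_domain(system_control)` supplies the init transition and the `entrypoint` access that the removed `allow system_control system_control_exec:file { entrypoint read };` provided, so that substitution is equivalent. With `binder_use`/`binder_service` removed the domain keeps only the vndbinder rules below, yet the last hunk of this file adds `allow system_control system_app:binder { call };`; a comment naming the transport system_app uses to reach system_control (hwbinder via the hwservice, presumably) would make the remaining binder rule explainable.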
@@ -82,9 +77,9 @@ allow system_control graphics_device:dir r_dir_perms; allow system_control sysfs_audio_cap:file {open getattr read}; allow system_control sysfs_xbmc:file rw_file_perms; allow system_control app_data_file:file rw_file_perms; -allow system_control system_control_service:service_manager add; -allow system_control permission_service:service_manager find; -allow system_control surfaceflinger_service:service_manager find; +#allow system_control system_control_service:service_manager add; +#allow system_control permission_service:service_manager find; +#allow system_control surfaceflinger_service:service_manager find; # Allow system_control to read /proc/pid for all processes r_dir_file(system_control, domain) r_dir_file(system_control, binderservicedomain) @@ -99,9 +94,11 @@ allow system_control platform_app:dir { search }; allow system_control param_tv_file:dir { search read write open add_name remove_name rmdir }; allow system_control param_tv_file:file { create open read write setattr getattr lock unlink }; -allow system_control shell_exec:file { execute_no_trans execute open read getattr }; +#allow system_control shell_exec:file { execute_no_trans execute open read getattr }; allow system_control sysfs_digital_codec:file { read write }; -allow system_control system_file:file execute_no_trans; +#allow system_control system_file:file execute_no_trans; allow system_control env_device:blk_file { getattr read open write }; -allow system_control self:capability sys_nice; \ No newline at end of file +allow system_control self:capability sys_nice; + +allow system_control system_app:binder { call }; diff --git a/common/sepolicy/system_server.te b/common/sepolicy/system_server.te index 2baf4bc..94eb4fd 100644 --- a/common/sepolicy/system_server.te +++ b/common/sepolicy/system_server.te 
@@ -1,32 +1,46 @@ -allow system_server fuse:dir search; +#allow system_server fuse:dir search; +# +#allow system_server mediaserver:process {signal sigkill}; +#allow system_server { system_app_data_file media_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search }; +# +#allow system_server self:capability sys_module; +# +#allow system_server { system_control_service tvserver_service hdmi_cec_service }:service_manager find; +# +#allow system_server storage_stub_file:dir { getattr read open }; +# +#allow system_server debugfs:dir { getattr read open }; +#allow system_server debugfs:file r_file_perms; +# +#allow system_server system_app:fifo_file { read write getattr }; +# +#allow system_server param_tv_file:dir { search }; +# +#set_prop(system_server, uboot_prop) +#get_prop(system_server, uboot_prop) +# +#allow system_server { system_app platform_app untrusted_app priv_app }:file { write }; +#allow system_server uhid_device:chr_file {write open ioctl}; +#allow system_server dvb_device:chr_file rw_file_perms; +# + +typeattribute system_server mlstrustedsubject; + +allow system_server vendor_file:file { getattr read open execute }; +allow system_server vendor_framework_file:dir { search getattr }; +allow system_server vendor_framework_file:file { read getattr open }; -allow system_server mediaserver:process {signal sigkill}; -allow system_server { system_app_data_file media_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search }; - -allow system_server self:capability sys_module; - -allow system_server { system_control_service tvserver_service hdmi_cec_service }:service_manager find; - -allow system_server storage_stub_file:dir { getattr read open }; - -set_prop(system_control, bcmdl_prop) -set_prop(system_control, media_prop) get_prop(system_server, media_prop) -allow system_server debugfs:dir { getattr read open }; -allow system_server 
debugfs:file r_file_perms; +# For writing to /proc//timerslack_ns (XXX - this is probably wrong) +allow system_server priv_app:file write; +allow system_server untrusted_app:file write; +allow system_server untrusted_app_25:file write; +allow system_server platform_app:file write; +allow system_server system_app:file write; +allow system_server isolated_app:file write; +allow system_server bluetooth:file write; -allow system_server system_app:fifo_file { read write getattr }; +allow system_server socket_device:sock_file { write }; -allow system_server param_tv_file:dir { search }; - -set_prop(system_server, uboot_prop) -get_prop(system_server, uboot_prop) - -allow system_server { system_app platform_app untrusted_app priv_app }:file { write }; -allow system_server uhid_device:chr_file {write open ioctl}; -allow system_server dvb_device:chr_file rw_file_perms; allow system_server uhid_device:chr_file { write open ioctl }; - -allow system_server socket_device:sock_file { read write open }; - diff --git a/common/sepolicy/tee.te b/common/sepolicy/tee.te index 1690548..0b9d645 100644 --- a/common/sepolicy/tee.te +++ b/common/sepolicy/tee.te @@ -7,3 +7,5 @@ allow tee tee_data_file:dir { add_name write create ioctl remove_name open read allow tee tee_data_file:file { write create open unlink link read }; allow tee system_data_file:dir { write search add_name create }; allow tee system_data_file:file read; + +allow tee vendor_file:file { read open getattr execute }; diff --git a/common/sepolicy/tvserver.te b/common/sepolicy/tvserver.te deleted file mode 100644 index e5bdbde..0000000 --- a/common/sepolicy/tvserver.te +++ b/dev/null 
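Review bot: `allow system_server vendor_file:file { getattr read open execute };` lets a core domain map and execute anything carrying the generic `vendor_file` label, and the same grant is repeated for system_app (system_app.te above), tee (the next hunk) and zygote (zygote.te further down); this is the system/vendor coupling the full-Treble split is meant to remove, and if it exists to load particular libraries the narrower route is a dedicated type for those files (the VNDK-SP prebuilts this commit adds under common/vndk are the intended mechanism for shared libs), so confirm the policy still builds under the Treble neverallows and record the reason per rule. The `timerslack_ns` block lands seven per-domain `:file write` grants under a comment that itself says "this is probably wrong"; either verify the denial and reword the comment, or drop the rules. `typeattribute system_server mlstrustedsubject;` appears to duplicate what the platform policy already assigns to system_server, so it is redundant rather than harmful, but check before keeping it. The enclosing file's old rules for system_control (`set_prop(system_control, ...)`) are removed here, which is correct since they belong in system_control.te.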
@@ -1,63 +0,0 @@
-type tvserver, domain;
-type tvserver_exec, exec_type, file_type;
-
-init_daemon_domain(tvserver)
-
-allow tvserver shell_exec:file rx_file_perms;
-allow tvserver system_file:file execute_no_trans;
-allow tvserver tvserver_service:service_manager add;
-allow tvserver tvserver_exec:file { entrypoint read };
-allow tvserver audio_device:dir { search };
-allow tvserver block_device:dir search;
-allow tvserver input_device:dir search;
-allow tvserver sysfs:file { read write open getattr };
-allow tvserver sysfs_xbmc:file { open read write getattr };
-allow tvserver property_socket:sock_file write;
-allow tvserver init:unix_stream_socket connectto;
-allow tvserver mediaserver:fd { use };
-allow tvserver { mediaserver system_app system_control }:binder { call transfer };
-allow mediaserver tvserver:binder { call transfer };
-allow system_app tvserver:binder { call transfer };
-allow system_control tvserver:binder { call transfer };
-allow system_server tvserver:binder { call transfer };
-allow tvserver platform_app:binder { call transfer };
-allow platform_app tvserver:binder { call transfer };
-allow tvserver { ctl_default_prop ctl_bootanim_prop media_prop system_prop uboot_prop powerctl_prop }:property_service set;
-
-allow tvserver self:process execmem;
-allow tvserver self:capability dac_override;
-
-get_prop(tvserver, media_prop)
-allow tvserver media_prop:property_service set;
-allow tvserver system_control_service:service_manager find;
-allow tvserver mediaserver_service:service_manager find;
-allow tvserver audioserver_service:service_manager find;
-allow tvserver mediacodec_service:service_manager find;
-binder_use(tvserver);
-binder_call(tvserver, system_server)
-binder_call(tvserver, binderservicedomain)
-binder_service(tvserver)
-
-allow tvserver param_tv_file:dir { search read write open add_name remove_name rmdir };
-allow tvserver param_tv_file:file { create open read write setattr getattr lock unlink };
-allow param_tv_file 
labeledfs:filesystem { associate }; - -allow tvserver tv_config_prop:property_service set; - -allow tvserver sysfs:dir { write }; -allow tvserver self:capability sys_nice; - -allow tvserver { fuse storage_file }:dir { read search }; -allow tvserver { fuse storage_file }:file { open read getattr }; - -allow tvserver unlabeled:dir { setattr search write }; -allow tvserver unlabeled:file { getattr open write read lock }; - -allow tvserver self:capability kill; -allow tvserver appdomain:process { sigkill signal }; - -allow tvserver proc:file { read write open getattr }; - -get_prop(tvserver, tv_prop) -allow tvserver tv_prop:property_service set; -allow tvserver tv_prop:file { read open getattr}; diff --git a/common/sepolicy/ueventd.te b/common/sepolicy/ueventd.te index 8fe630c..ff0d91b 100644 --- a/common/sepolicy/ueventd.te +++ b/common/sepolicy/ueventd.te @@ -1 +1,2 @@ allow ueventd drm_device:chr_file { create getattr setattr relabelfrom relabelto } ; +allow { ueventd drm_device } tmpfs:filesystem { associate } ; diff --git a/common/sepolicy/update_engine.te b/common/sepolicy/update_engine.te index 75af4e9..b59ec26 100644 --- a/common/sepolicy/update_engine.te +++ b/common/sepolicy/update_engine.te @@ -2,4 +2,4 @@ allow update_engine misc_block_device:blk_file rw_file_perms; allow update_engine vendor_block_device:blk_file rw_file_perms; allow update_engine odm_block_device:blk_file rw_file_perms; -allow update_engine system_app:binder {call}; +allow update_engine system_app:binder { call }; diff --git a/common/sepolicy/update_verifier.te b/common/sepolicy/update_verifier.te index 2b3ddec..1235cd2 100644 --- a/common/sepolicy/update_verifier.te +++ b/common/sepolicy/update_verifier.te 
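Review bot: `allow { ueventd drm_device } tmpfs:filesystem { associate } ;` puts the process domain `ueventd` in the source set of a `filesystem associate` rule, but `associate` is checked against the label of the file being placed on the filesystem, so `ueventd tmpfs:filesystem associate` can never match an object and looks like a transcription slip from the audit line; the intended rule is most likely `allow drm_device tmpfs:filesystem associate;`. If `drm_device` is declared with the `dev_type` attribute (its declaration is not in this diff), the platform policy's blanket `allow dev_type tmpfs:filesystem associate;` already covers it and the line can be dropped entirely. The ` } ;` spacing on both lines of this file also differs from the rest of the policy, which writes `};`.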
@@ -1,5 +1,5 @@
 # TODO: Add rules to allow update_verifier to read system_block_device.
 allow update_verifier system_block_device:blk_file r_file_perms;
-allow update_verifier rootfs:file {getattr read open};
+allow update_verifier rootfs:file { getattr read open };
 allow update_verifier proc:file { read open getattr };
-allow update_verifier misc_block_device:blk_file rw_file_perms;
\ No newline at end of file
+#allow update_verifier misc_block_device:blk_file rw_file_perms;
diff --git a/common/sepolicy/usbpm.te b/common/sepolicy/usbpm.te
deleted file mode 100644
index 044ec5e..0000000
--- a/common/sepolicy/usbpm.te
+++ b/dev/null
@@ -1,9 +0,0 @@
-type usbpm, domain;
-type usbpm_exec, exec_type, file_type;
-
-init_daemon_domain(usbpm)
-
-allow usbpm usbpm_exec:file { entrypoint read };
-allow usbpm sysfs:file { open read write getattr };
-allow usbpm sysfs:dir { read };
-allow usbpm rootfs:lnk_file { getattr };
\ No newline at end of file
diff --git a/common/sepolicy/vndservicemanager.te b/common/sepolicy/vndservicemanager.te
deleted file mode 100644
index e42e765..0000000
--- a/common/sepolicy/vndservicemanager.te
+++ b/dev/null
@@ -1,3 +0,0 @@
-allow vndservicemanager system_control:dir { search };
-allow vndservicemanager system_control:file { open read getattr };
-allow vndservicemanager system_control:process { getattr };
diff --git a/common/sepolicy/vold.te b/common/sepolicy/vold.te
index 9418698..cccd57c 100644
--- a/common/sepolicy/vold.te
+++ b/common/sepolicy/vold.te
@@ -1,39 +1,35 @@ # NTFS -userdebug_or_eng(` - allow vold self:capability { sys_rawio }; -') -allow vold self:capability { setgid setuid }; - -allow vold cpuctl_device:dir search; - -allow vold device:dir { open read }; -allow vold usb_device:dir { open read search }; -allow vold system_data_file:fifo_file { open read write }; -allow vold kernel:system { module_request }; - -domain_auto_trans(vold, vold_ext_exec, vold_ext) -allow vold vold_ext_exec:file { execute read open execute_no_trans }; -allow vold kernel:system module_request; -allow vold mnt_media_rw_stub_file:dir { r_dir_perms mounton }; -allow vold sda_block_device:blk_file rw_file_perms; - -#for dig -allow vold cache_file:file create_file_perms; -allow vold cache_file:dir { create_file_perms add_name remove_name }; - -allow vold vold_block_device:blk_file { create getattr read open unlink ioctl lock write }; -allow vold param_tv_file:dir { read open }; - -allow vold storage_stub_file:dir { getattr read open search write add_name }; +#userdebug_or_eng(` +# allow vold self:capability { sys_rawio }; +#') +#allow vold self:capability { setgid setuid }; +# +#allow vold cpuctl_device:dir search; +# +#allow vold device:dir { open read }; +#allow vold usb_device:dir { open read search }; +#allow vold system_data_file:fifo_file { open read write }; +#allow vold kernel:system { module_request }; +# +#domain_auto_trans(vold, vold_ext_exec, vold_ext) +#allow vold vold_ext_exec:file { execute read open execute_no_trans }; +#allow vold kernel:system module_request; +#allow vold mnt_media_rw_stub_file:dir { r_dir_perms mounton }; +# +##for dig +#allow vold cache_file:file create_file_perms; +#allow vold cache_file:dir { create_file_perms add_name remove_name }; +# +#allow vold param_tv_file:dir { read open }; +# +#allow vold storage_stub_file:dir { getattr read open search write add_name }; # for make ext4fs -domain_auto_trans(vold, make_ext4fs_exec, make_ext4fs); - -allow vold tee_data_file:dir { open read }; 
+#domain_auto_trans(vold, make_ext4fs_exec, make_ext4fs); -allow vold vold_block_device:blk_file { create read open ioctl unlink }; +allow vold tee_data_file:dir { open read ioctl }; -allow vold apk_data_file:dir { getattr open read }; +#allow vold vold_block_device:blk_file { create read open ioctl unlink }; #for hw keymaster allow vold drm_device:chr_file {open read write ioctl}; diff --git a/common/sepolicy/vold_ext.te b/common/sepolicy/vold_ext.te deleted file mode 100644 index 4133855..0000000 --- a/common/sepolicy/vold_ext.te +++ b/dev/null @@ -1,27 +0,0 @@ -type vold_ext, domain; -type vold_ext_exec, exec_type, file_type; - -init_daemon_domain(vold_ext) - -allow vold_ext self:capability { setgid setuid }; - -allow vold_ext cpuctl_device:dir search; - -allow vold_ext device:dir { open read }; -allow vold_ext usb_device:dir { open read search }; -allow vold_ext system_data_file:fifo_file { open read write }; - -allow vold_ext block_device:dir rw_dir_perms; -allow vold_ext fuseblk:filesystem mount; -allow vold_ext rootfs:dir mounton; -allow vold_ext self:capability { dac_override sys_admin }; -allow vold_ext vold:fd use; -allow vold_ext vold:fifo_file { read write }; -allow vold_ext vold:unix_stream_socket { read write }; - -allow vold_ext tmpfs:dir create_dir_perms; -allow vold_ext tmpfs:dir mounton; - -allow vold_ext kernel:system module_request; -allow vold_ext mnt_media_rw_file:dir { r_dir_perms }; -allow vold_ext mnt_media_rw_stub_file:dir { r_dir_perms mounton }; \ No newline at end of file diff --git a/common/sepolicy/webview_zygote.te b/common/sepolicy/webview_zygote.te index d06664c..fe347f6 100644 --- a/common/sepolicy/webview_zygote.te +++ b/common/sepolicy/webview_zygote.te @@ -1 +1 @@ -allow webview_zygote kernel:system module_request; +allow webview_zygote mnt_expand_file:dir { getattr }; diff --git a/common/sepolicy/wlan_fwloader.te b/common/sepolicy/wlan_fwloader.te deleted file mode 100644 index cd1bb6d..0000000 
--- a/common/sepolicy/wlan_fwloader.te +++ b/dev/null @@ -1,10 +0,0 @@ -type wlan_fwloader, domain; -type wlan_fwloader_exec, exec_type, file_type; - -init_daemon_domain(wlan_fwloader) - -allow wlan_fwloader init:unix_stream_socket connectto; -allow wlan_fwloader kernel:system module_request; -allow wlan_fwloader property_socket:sock_file write; -allow wlan_fwloader self:capability { net_admin net_raw sys_module }; -allow wlan_fwloader system_prop:property_service set; \ No newline at end of file diff --git a/common/sepolicy/zygote.te b/common/sepolicy/zygote.te index 1899a7a..683ea47 100644 --- a/common/sepolicy/zygote.te +++ b/common/sepolicy/zygote.te @@ -10,5 +10,4 @@ get_prop(zygote, media_prop) allow zygote kernel:system module_request; -#allow zygote zygote_socket:sock_file { write }; -allow zygote adbd:unix_stream_socket { connectto read write }; +allow zygote vendor_file:file { read open getattr execute }; diff --git a/common/software.mk b/common/software.mk index 0c3fe67..7f647fa 100644 --- a/common/software.mk +++ b/common/software.mk @@ -1,5 +1,6 @@ PRODUCT_PROPERTY_OVERRIDES += \ - ro.adb.secure=1 + ro.adb.secure=1 \ + sys.open.deepcolor=true ifeq ($(TARGET_BUILD_CTS), true) diff --git a/common/vndk/Android.mk b/common/vndk/Android.mk new file mode 100644 index 0000000..f4bdb14 --- a/dev/null +++ b/common/vndk/Android.mk 
@@ -0,0 +1,57 @@ +LOCAL_PATH := $(call my-dir) + +VNDK_SP_LIBRARIES := \ + android.hardware.graphics.allocator@2.0 \ + android.hardware.graphics.mapper@2.0 \ + android.hardware.graphics.common@1.0 \ + android.hardware.renderscript@1.0 \ + android.hidl.base@1.0 \ + android.hidl.memory@1.0 \ + libRSCpuRef \ + libRSDriver \ + libRS_internal \ + libbacktrace \ + libbase \ + libbcinfo \ + libblas \ + libc++ \ + libcompiler_rt \ + libcutils \ + libft2 \ + libhardware \ + libhidlbase \ + libhidlmemory \ + libhidltransport \ + libhwbinder \ + libion \ + liblzma \ + libpng \ + libunwind \ + libutils \ + +define add-vndk-sp-lib +include $$(CLEAR_VARS) +LOCAL_MODULE := $1.vndk-sp +LOCAL_MODULE_CLASS := SHARED_LIBRARIES +LOCAL_PREBUILT_MODULE_FILE := $$(TARGET_OUT)/lib/$1.so +LOCAL_MULTILIB := 32 +LOCAL_MODULE_TAGS := optional +LOCAL_INSTALLED_MODULE_STEM := $1.so +LOCAL_MODULE_SUFFIX := .so +LOCAL_MODULE_RELATIVE_PATH := vndk-sp +include $$(BUILD_PREBUILT) + +include $$(CLEAR_VARS) +LOCAL_MODULE := $1.vndk-sp +LOCAL_MODULE_CLASS := SHARED_LIBRARIES +LOCAL_PREBUILT_MODULE_FILE := $$(TARGET_OUT)/lib64/$1.so +LOCAL_MULTILIB := 64 +LOCAL_MODULE_TAGS := optional +LOCAL_INSTALLED_MODULE_STEM := $1.so +LOCAL_MODULE_SUFFIX := .so +LOCAL_MODULE_RELATIVE_PATH := vndk-sp +include $$(BUILD_PREBUILT) +endef + +$(foreach lib,$(VNDK_SP_LIBRARIES),\ + $(eval $(call add-vndk-sp-lib,$(lib)))) diff --git a/p212/BoardConfig.mk b/p212/BoardConfig.mk index d517c1f..51c128a 100644 --- a/p212/BoardConfig.mk +++ b/p212/BoardConfig.mk @@ -108,4 +108,8 @@ include device/amlogic/common/gpu/mali450-user-$(TARGET_ARCH).mk #MALLOC_IMPL := dlmalloc WITH_DEXPREOPT := true -TARGET_USES_HWC2ON1ADAPTER := true +PRODUCT_FULL_TREBLE_OVERRIDE := true +BOARD_PROPERTY_OVERRIDES_SPLIT_ENABLED := true + +DEVICE_MANIFEST_FILE := device/amlogic/p212/manifest.xml +#DEVICE_MATRIX_FILE := device/amlogic/common/compatibility_matrix.xml diff --git a/p212/device.mk b/p212/device.mk index 7122a92..ffdd33a 100644 
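Review bot: Each `add-vndk-sp-lib` instance wraps `$$(TARGET_OUT)/lib/$1.so` and `$$(TARGET_OUT)/lib64/$1.so`, i.e. the system-built copy of the library, as a prebuilt installed under vendor's `vndk-sp`, but nothing visible in this diff adds the resulting `$1.vndk-sp` modules to `PRODUCT_PACKAGES`, so as written they may never be installed; confirm where they are pulled in. Because the prebuilt is a build output of the same tree, the VNDK-SP copy is exactly as patched as the system library it mirrors, which is worth stating above the `define`, e.g. `# Re-packages the system-built library as a vendor VNDK-SP prebuilt; keep VNDK_SP_LIBRARIES aligned with the VNDK-SP list of the target release`. `LOCAL_MODULE_TAGS := optional` is the build system's default and can go, and the trailing `\` after `libutils \` leaves a dangling continuation onto the blank line, which GNU make tolerates but which reads as an unfinished list.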
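Review bot: `DEVICE_MANIFEST_FILE := device/amlogic/p212/manifest.xml` asks the build to produce the vendor manifest itself, while p212/device.mk (next file) still copies `device/amlogic/p212/manifest.xml:$(TARGET_COPY_OUT_VENDOR)/manifest.xml` through `PRODUCT_COPY_FILES`; if this branch's build honors `DEVICE_MANIFEST_FILE` by installing `$(TARGET_OUT_VENDOR)/manifest.xml` on its own, two producers for one output path is at best a redundant copy and at worst a build conflict, so keep one. p230/BoardConfig.mk and p230/device.mk further down carry the same pair. `#DEVICE_MATRIX_FILE := ...` is left commented out without a reason; if no device compatibility matrix is shipped, VINTF has nothing to check the framework against for this device, so either enable it or record why it is deferred, e.g. `# DEVICE_MATRIX_FILE deferred: compatibility_matrix.xml not yet written for p212`.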
--- a/p212/device.mk +++ b/p212/device.mk @@ -44,7 +44,7 @@ PRODUCT_COPY_FILES += \ device/amlogic/p212/files/audio_policy.conf:$(TARGET_COPY_OUT_VENDOR)/etc/audio_policy.conf \ device/amlogic/p212/files/media_codecs.xml:$(TARGET_COPY_OUT_VENDOR)/etc/media_codecs.xml \ device/amlogic/p212/files/media_codecs_performance.xml:$(TARGET_COPY_OUT_VENDOR)/etc/media_codecs_performance.xml \ - device/amlogic/p212/files/mixer_paths.xml:system/etc/mixer_paths.xml \ + device/amlogic/p212/files/mixer_paths.xml:$(TARGET_COPY_OUT_VENDOR)/etc/mixer_paths.xml \ device/amlogic/p212/files/mesondisplay.cfg:$(TARGET_COPY_OUT_VENDOR)/etc/mesondisplay.cfg \ device/amlogic/p212/manifest.xml:$(TARGET_COPY_OUT_VENDOR)/manifest.xml diff --git a/p212/fstab.amlogic b/p212/fstab.amlogic index d444f85..adaa6b1 100644 --- a/p212/fstab.amlogic +++ b/p212/fstab.amlogic @@ -4,9 +4,6 @@ # specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK /dev/block/misc /misc emmc defaults defaults -/dev/block/system /system ext4 ro wait -/dev/block/vendor /vendor ext4 ro wait -/dev/block/odm /odm ext4 ro wait /dev/block/data /data ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check,encryptable=footer,quota /dev/block/cache /cache ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check /devices/*.sd/mmc_host/sd* auto vfat defaults voldmanaged=sdcard1:auto,noemulatedsd @@ -16,4 +13,4 @@ /dev/block/loop auto loop defaults voldmanaged=loop:auto # Add for zram. zramsize can be in numeric (byte) , in percent /dev/block/zram0 /swap_zram0 swap defaults wait,zramsize=524288000 -/dev/block/tee /tee ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check +/dev/block/tee /tee ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check \ No newline at end of file diff --git a/p212/init.amlogic.board.rc b/p212/init.amlogic.board.rc index 0517829..c6e6623 100644 --- a/p212/init.amlogic.board.rc 
+++ b/p212/init.amlogic.board.rc @@ -6,9 +6,6 @@ on early-init mount configfs configfs /sys/kernel/config #mount usbfs none /proc/bus/usb - insmod /boot/optee.ko - insmod /boot/optee_armtz.ko - on init on post-fs-data @@ -26,21 +23,8 @@ on boot chmod 666 /sys/class/sii9233a/enable chmod 666 /sys/module/tvin_vdin/parameters/max_buf_num - #chmod 0666 /dev/amstream_sub_read - -# insmod /vendor/lib/audio_data.ko - # chmod 0666 /dev/ge2d chmod 666 /dev/cec chmod 0666 /dev/opteearmtz00 chmod 0666 /dev/tee0 -on fs -on post-fs-data - mkdir /data/tee - -service tee_supplicant /system/bin/tee-supplicant - class main - oneshot - seclabel u:r:tee:s0 - diff --git a/p212/manifest.xml b/p212/manifest.xml index 10fdb8c..153af53 100644 --- a/p212/manifest.xml +++ b/p212/manifest.xml @@ -9,6 +9,15 @@ + android.hardware.bluetooth + hwbinder + 1.0 + + IBluetoothHci + default + + + android.hardware.usb hwbinder 1.0 @@ -27,6 +36,15 @@ + android.hardware.wifi.supplicant + hwbinder + 1.0 + + ISupplicant + default + + + android.hardware.power hwbinder 1.0 @@ -134,6 +152,15 @@ + android.hardware.tv.cec + hwbinder + 1.0 + + IHdmiCec + default + + + vendor.amlogic.hardware.systemcontrol hwbinder 1.0 @@ -142,6 +169,42 @@ default + + vendor.amlogic.hardware.hdmicec + hwbinder + 1.0 + + IDroidHdmiCEC + default + + + + android.hardware.thermal + hwbinder + 1.0 + + IThermal + default + + + + android.hardware.light + hwbinder + 2.0 + + ILight + default + + + + android.hardware.health + hwbinder + 1.0 + + IHealth + default + + 26.0 diff --git a/p212/system.prop b/p212/system.prop index 36d7460..048b952 100644 --- a/p212/system.prop +++ b/p212/system.prop 
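Review bot: The `service tee_supplicant /system/bin/tee-supplicant` definition and the two `insmod /boot/optee*.ko` lines are removed here, yet `chmod 0666 /dev/opteearmtz00` and `chmod 0666 /dev/tee0` stay in `on boot` and tee.te still receives a new rule in this commit, so the TEE daemon is presumably meant to keep running from a vendor-side init .rc that is not in this diff; confirm that file exists, otherwise tee-supplicant silently stops starting and the `/data/tee` directory it used is no longer created either. If the service does move, carry its `seclabel u:r:tee:s0` over unless the relocated binary is labeled with an exec type that transitions to `tee` via file_contexts, or it will run in init's domain. p230/init.amlogic.board.rc further down has the identical removal and the same question applies.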
@@ -91,84 +91,3 @@ mbx.hdmiin.videolayer=false #adb service.adb.tcp.port=5555 - -#netflix -ro.nrdp.modelgroup=S905 - -sys.open.deepcolor=true -######## UBOOTENV VARIBLES - r/w as system properties ########## -# -# Now we can load ubootenv varibles to system properties. -# We use a special prefix ("ubootenv.var" as default) to indicate that the 'property' -# actually is an ubootenv varible. -# -# A ubootenv 'property' will be initialized during system booting. And when user set -# a different value, it will be written back to ubootenv device immediately. -# - -## prefix of ubootenv varibles - should less than 16 chars. -#UBOOTENV MTD NAME -#ubootenv.var.bootcmd= -#ubootenv.var.cpuclock= -#ubootenv.var.gpuclock= -#ubootenv.var.memsize= -#ubootenv.var.ethaddr= -#ubootenv.var.ipaddr= -#ubootenv.var.gatewayip= -ubootenv.var.outputmode= -#ubootenv.var.screenratio= -#ubootenv.var.oobeflag= -ubootenv.var.480p_x= -ubootenv.var.480p_y= -ubootenv.var.480p_w= -ubootenv.var.480p_h= -ubootenv.var.480i_x= -ubootenv.var.480i_y= -ubootenv.var.480i_w= -ubootenv.var.480i_h= -ubootenv.var.576p_x= -ubootenv.var.576p_y= -ubootenv.var.576p_w= -ubootenv.var.576p_h= -ubootenv.var.576i_x= -ubootenv.var.576i_y= -ubootenv.var.576i_w= -ubootenv.var.576i_h= -ubootenv.var.720p_x= -ubootenv.var.720p_y= -ubootenv.var.720p_w= -ubootenv.var.720p_h= -ubootenv.var.1080p_x= -ubootenv.var.1080p_y= -ubootenv.var.1080p_w= -ubootenv.var.1080p_h= -ubootenv.var.1080i_x= -ubootenv.var.1080i_y= -ubootenv.var.1080i_w= -ubootenv.var.1080i_h= -ubootenv.var.4k2k24hz_x= -ubootenv.var.4k2k24hz_y= -ubootenv.var.4k2k24hz_w= -ubootenv.var.4k2k24hz_h= -ubootenv.var.4k2k25hz_x= -ubootenv.var.4k2k25hz_y= -ubootenv.var.4k2k25hz_w= -ubootenv.var.4k2k25hz_h= -ubootenv.var.4k2k30hz_x= -ubootenv.var.4k2k30hz_y= -ubootenv.var.4k2k30hz_w= -ubootenv.var.4k2k30hz_h= -ubootenv.var.4k2ksmpte_x= -ubootenv.var.4k2ksmpte_y= -ubootenv.var.4k2ksmpte_w= -ubootenv.var.4k2ksmpte_h= -ubootenv.var.digitaudiooutput= 
-ubootenv.var.defaulttvfrequency= -ubootenv.var.has.accelerometer= -ubootenv.var.cecconfig= -ubootenv.var.cvbsmode= -ubootenv.var.hdmimode= -ubootenv.var.is.bestmode= -ubootenv.var.disp.fromleft= -ubootenv.var.edid.crcvalue= -ubootenv.var.colorattribute= diff --git a/p230/BoardConfig.mk b/p230/BoardConfig.mk index 9ccbd10..277af49 100644 --- a/p230/BoardConfig.mk +++ b/p230/BoardConfig.mk @@ -109,3 +109,8 @@ include device/amlogic/common/gpu/mali450-user-$(TARGET_ARCH).mk #MALLOC_IMPL := dlmalloc WITH_DEXPREOPT := true +PRODUCT_FULL_TREBLE_OVERRIDE := true +BOARD_PROPERTY_OVERRIDES_SPLIT_ENABLED := true + +DEVICE_MANIFEST_FILE := device/amlogic/p230/manifest.xml +#DEVICE_MATRIX_FILE := device/amlogic/common/compatibility_matrix.xml diff --git a/p230/device.mk b/p230/device.mk index ff82ee2..b14b8f6 100644 --- a/p230/device.mk +++ b/p230/device.mk @@ -31,7 +31,7 @@ PRODUCT_COPY_FILES += \ device/amlogic/p230/files/audio_policy.conf:$(TARGET_COPY_OUT_VENDOR)/etc/audio_policy.conf \ device/amlogic/p230/files/media_codecs.xml:$(TARGET_COPY_OUT_VENDOR)/etc/media_codecs.xml \ device/amlogic/p230/files/media_codecs_performance.xml:$(TARGET_COPY_OUT_VENDOR)/etc/media_codecs_performance.xml \ - device/amlogic/p230/files/mixer_paths.xml:system/etc/mixer_paths.xml \ + device/amlogic/p230/files/mixer_paths.xml:$(TARGET_COPY_OUT_VENDOR)/etc/mixer_paths.xml \ device/amlogic/p230/files/mesondisplay.cfg:$(TARGET_COPY_OUT_VENDOR)/etc/mesondisplay.cfg \ frameworks/native/data/etc/android.hardware.hdmi.cec.xml:system/etc/permissions/android.hardware.hdmi.cec.xml \ device/amlogic/p230/manifest.xml:$(TARGET_COPY_OUT_VENDOR)/manifest.xml diff --git a/p230/fstab.AB.amlogic b/p230/fstab.AB.amlogic index 3376911..a7b1b72 100644 --- a/p230/fstab.AB.amlogic +++ b/p230/fstab.AB.amlogic 
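Review bot: The removed `ubootenv.var.*` keys and `ro.nrdp.modelgroup=S905` leave system.prop with nothing in this diff re-declaring them on the vendor side, and with `BOARD_PROPERTY_OVERRIDES_SPLIT_ENABLED := true` set in p212/BoardConfig.mk vendor-specific properties now belong in vendor's build.prop; if the u-boot environment bridge in system_control still expects these keys, note where they now come from. `sys.open.deepcolor=true` is the one key that is explicitly relocated (into common/software.mk), so that case is covered. The hunk keeps `service.adb.tcp.port=5555` as context; that is pre-existing rather than part of this change, but since the property split is being reorganised here it is the natural point to confirm that network adb is intended on production images of this product and to say so in a comment above it. The same deletion is repeated for p230/system.prop at the end of the diff.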
@@ -4,9 +4,6 @@ # specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK /dev/block/platform/d0074000.emmc/misc /misc emmc defaults defaults -/dev/block/system /system ext4 ro wait,slotselect -/dev/block/vendor /vendor ext4 ro wait,slotselect -/dev/block/odm /odm ext4 ro wait,slotselect /dev/block/data /data ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check,encryptable=footer,quota /devices/*.sd/mmc_host/sd* auto vfat defaults voldmanaged=sdcard1:auto,noemulatedsd /devices/*dwc3/xhci-hcd.0.auto/usb?/*/host*/target*/block/sd* auto vfat defaults voldmanaged=udisk0:auto diff --git a/p230/fstab.AB.verity.amlogic b/p230/fstab.AB.verity.amlogic index 4c3d152..a7b1b72 100644 --- a/p230/fstab.AB.verity.amlogic +++ b/p230/fstab.AB.verity.amlogic @@ -4,9 +4,6 @@ # specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK /dev/block/platform/d0074000.emmc/misc /misc emmc defaults defaults -/dev/block/system /system ext4 ro wait,slotselect,verify -/dev/block/vendor /vendor ext4 ro wait,slotselect,verify -/dev/block/odm /odm ext4 ro wait,slotselect /dev/block/data /data ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check,encryptable=footer,quota /devices/*.sd/mmc_host/sd* auto vfat defaults voldmanaged=sdcard1:auto,noemulatedsd /devices/*dwc3/xhci-hcd.0.auto/usb?/*/host*/target*/block/sd* auto vfat defaults voldmanaged=udisk0:auto diff --git a/p230/fstab.amlogic b/p230/fstab.amlogic index d444f85..2e4888b 100644 --- a/p230/fstab.amlogic +++ b/p230/fstab.amlogic 
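Review bot: The lines dropped in the second hunk on this line (p230/fstab.AB.verity.amlogic) carried `verify` on /system and /vendor and `slotselect` on all three partitions, and p230/fstab.verity.amlogic below loses `ro wait,verify` the same way; once these partitions are mounted in first stage from the device-tree fstab instead, dm-verity and A/B slot selection are only enforced if that DT fstab repeats the flags, which this diff cannot show, so confirm it does. A one-line comment where the entries used to be, e.g. `# /system, /vendor and /odm are mounted in first stage from the DT fstab; verify/slotselect flags live there`, would record that the protection moved rather than vanished. The non-verity variants (p212/fstab.amlogic above, p230/fstab.AB.amlogic in the first hunk here, p230/fstab.amlogic below) get the same deletion and would take the same comment.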
@@ -4,9 +4,6 @@ # specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK /dev/block/misc /misc emmc defaults defaults -/dev/block/system /system ext4 ro wait -/dev/block/vendor /vendor ext4 ro wait -/dev/block/odm /odm ext4 ro wait /dev/block/data /data ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check,encryptable=footer,quota /dev/block/cache /cache ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check /devices/*.sd/mmc_host/sd* auto vfat defaults voldmanaged=sdcard1:auto,noemulatedsd diff --git a/p230/fstab.amlogic.bak b/p230/fstab.amlogic.bak deleted file mode 100644 index bc3c5f3..0000000 --- a/p230/fstab.amlogic.bak +++ b/dev/null 
@@ -1,19 +0,0 @@
-# Android fstab file.
-#
-# The filesystem that contains the filesystem checker binary (typically /system) cannot
-# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
-
-/dev/block/misc /misc emmc defaults defaults
-/dev/block/system /system ext4 ro wait
-/dev/block/vendor /vendor ext4 ro wait
-/dev/block/odm /odm ext4 ro wait
-/dev/block/data /data ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check,encryptable=footer
-/dev/block/cache /cache ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check
-/devices/*.sd/mmc_host/sd* auto vfat defaults voldmanaged=sdcard1:auto,noemulatedsd
-/devices/*dwc3/xhci-hcd.0.auto/usb?/*/host*/target*/block/sd* auto vfat defaults voldmanaged=udisk0:auto
-/devices/*dwc3/xhci-hcd.0.auto/usb?/*/host*/target*/block/sd* auto vfat defaults voldmanaged=udisk1:auto
-/devices/*dwc3/xhci-hcd.0.auto/usb?/*/host*/target*/block/sr* auto vfat defaults voldmanaged=sr0:auto
-/dev/block/loop auto loop defaults voldmanaged=loop:auto
-# Add for zram. zramsize can be in numeric (byte) , in percent
-/dev/block/zram0 /swap_zram0 swap defaults wait,zramsize=524288000
-#/dev/block/tee /tee ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check
diff --git a/p230/fstab.verity.amlogic b/p230/fstab.verity.amlogic
index ef2ff90..2e4888b 100644
--- a/p230/fstab.verity.amlogic
+++ b/p230/fstab.verity.amlogic
@@ -4,9 +4,6 @@ # specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK /dev/block/misc /misc emmc defaults defaults -/dev/block/system /system ext4 ro wait,verify -/dev/block/vendor /vendor ext4 ro wait,verify -/dev/block/odm /odm ext4 ro wait /dev/block/data /data ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check,encryptable=footer,quota /dev/block/cache /cache ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check /devices/*.sd/mmc_host/sd* auto vfat defaults voldmanaged=sdcard1:auto,noemulatedsd diff --git a/p230/init.amlogic.board.rc b/p230/init.amlogic.board.rc index 81ab73e..18068b3 100644 --- a/p230/init.amlogic.board.rc +++ b/p230/init.amlogic.board.rc @@ -6,9 +6,6 @@ on early-init mount configfs configfs /sys/kernel/config #mount usbfs none /proc/bus/usb - insmod /boot/optee.ko - insmod /boot/optee_armtz.ko - on init on post-fs-data @@ -27,21 +24,8 @@ on boot chmod 666 /sys/class/sii9233a/enable chmod 666 /sys/module/tvin_vdin/parameters/max_buf_num - #chmod 0666 /dev/amstream_sub_read - -# insmod /vendor/lib/audio_data.ko - # chmod 0666 /dev/ge2d chmod 666 /dev/cec chmod 0666 /dev/opteearmtz00 chmod 0666 /dev/tee0 -on fs -on post-fs-data - mkdir /data/tee - -service tee_supplicant /system/bin/tee-supplicant - class main - oneshot - seclabel u:r:tee:s0 - diff --git a/p230/manifest.xml b/p230/manifest.xml index 88567d2..1bf74e9 100644 --- a/p230/manifest.xml +++ b/p230/manifest.xml @@ -9,6 +9,15 @@ + android.hardware.bluetooth + hwbinder + 1.0 + + IBluetoothHci + default + + + android.hardware.usb hwbinder 1.0 @@ -27,6 +36,15 @@ + android.hardware.wifi.supplicant + hwbinder + 1.0 + + ISupplicant + default + + + android.hardware.power hwbinder 1.0 @@ -134,6 +152,15 @@ + android.hardware.tv.cec + hwbinder + 1.0 + + IHdmiCec + default + + + vendor.amlogic.hardware.systemcontrol hwbinder 1.0 
@@ -142,6 +169,15 @@ default + + vendor.amlogic.hardware.hdmicec + hwbinder + 1.0 + + IDroidHdmiCEC + default + + android.hardware.boot hwbinder @@ -151,6 +187,33 @@ default + + android.hardware.thermal + hwbinder + 1.0 + + IThermal + default + + + + android.hardware.light + hwbinder + 2.0 + + ILight + default + + + + android.hardware.health + hwbinder + 1.0 + + IHealth + default + + 26.0 diff --git a/p230/system.prop b/p230/system.prop index 36d7460..048b952 100644 --- a/p230/system.prop +++ b/p230/system.prop 
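Review bot: The thermal, light and health entries added in the `@@ -151,6 +187,33 @@` hunk of p230/manifest.xml, and the vendor.amlogic.hardware.hdmicec entry in the `@@ -142,6 +169,15 @@` hunk, each turn a HAL into a separate binderized process, and this commit shows only the package additions, not the init .rc or SELinux side that lets each process start and register its hwservice. The commit message says non-Treble policies were removed, so it is worth confirming that the stock hal_thermal_default, hal_light_default and hal_health_default domains are still in place, and that hdmicecd (which registers the vendor IDroidHdmiCEC interface rather than an AOSP one) has its own domain and hwservice_contexts entry; a declared instance whose process cannot register with hwservicemanager leaves clients blocked in getService(). A comment above the vendor entry, `<!-- served by hdmicecd; needs a vendor hwservice label, not hal_tv_cec_default -->`, would make that coupling visible to the next editor. The element tags are stripped in this rendering, so only the name/version/interface values could be checked.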
@@ -91,84 +91,3 @@ mbx.hdmiin.videolayer=false #adb service.adb.tcp.port=5555 - -#netflix -ro.nrdp.modelgroup=S905 - -sys.open.deepcolor=true -######## UBOOTENV VARIBLES - r/w as system properties ########## -# -# Now we can load ubootenv varibles to system properties. -# We use a special prefix ("ubootenv.var" as default) to indicate that the 'property' -# actually is an ubootenv varible. -# -# A ubootenv 'property' will be initialized during system booting. And when user set -# a different value, it will be written back to ubootenv device immediately. -# - -## prefix of ubootenv varibles - should less than 16 chars. -#UBOOTENV MTD NAME -#ubootenv.var.bootcmd= -#ubootenv.var.cpuclock= -#ubootenv.var.gpuclock= -#ubootenv.var.memsize= -#ubootenv.var.ethaddr= -#ubootenv.var.ipaddr= -#ubootenv.var.gatewayip= -ubootenv.var.outputmode= -#ubootenv.var.screenratio= -#ubootenv.var.oobeflag= -ubootenv.var.480p_x= -ubootenv.var.480p_y= -ubootenv.var.480p_w= -ubootenv.var.480p_h= -ubootenv.var.480i_x= -ubootenv.var.480i_y= -ubootenv.var.480i_w= -ubootenv.var.480i_h= -ubootenv.var.576p_x= -ubootenv.var.576p_y= -ubootenv.var.576p_w= -ubootenv.var.576p_h= -ubootenv.var.576i_x= -ubootenv.var.576i_y= -ubootenv.var.576i_w= -ubootenv.var.576i_h= -ubootenv.var.720p_x= -ubootenv.var.720p_y= -ubootenv.var.720p_w= -ubootenv.var.720p_h= -ubootenv.var.1080p_x= -ubootenv.var.1080p_y= -ubootenv.var.1080p_w= -ubootenv.var.1080p_h= -ubootenv.var.1080i_x= -ubootenv.var.1080i_y= -ubootenv.var.1080i_w= -ubootenv.var.1080i_h= -ubootenv.var.4k2k24hz_x= -ubootenv.var.4k2k24hz_y= -ubootenv.var.4k2k24hz_w= -ubootenv.var.4k2k24hz_h= -ubootenv.var.4k2k25hz_x= -ubootenv.var.4k2k25hz_y= -ubootenv.var.4k2k25hz_w= -ubootenv.var.4k2k25hz_h= -ubootenv.var.4k2k30hz_x= -ubootenv.var.4k2k30hz_y= -ubootenv.var.4k2k30hz_w= -ubootenv.var.4k2k30hz_h= -ubootenv.var.4k2ksmpte_x= -ubootenv.var.4k2ksmpte_y= -ubootenv.var.4k2ksmpte_w= -ubootenv.var.4k2ksmpte_h= -ubootenv.var.digitaudiooutput= 
-ubootenv.var.defaulttvfrequency=
-ubootenv.var.has.accelerometer=
-ubootenv.var.cecconfig=
-ubootenv.var.cvbsmode=
-ubootenv.var.hdmimode=
-ubootenv.var.is.bestmode=
-ubootenv.var.disp.fromleft=
-ubootenv.var.edid.crcvalue=
-ubootenv.var.colorattribute=
-- cgit