diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index aee7448..d38ca57 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -102,7 +102,6 @@ BOARD_KERNEL_CMDLINE += msm_rtb.filter=0x237
BOARD_KERNEL_CMDLINE += service_locator.enable=1
BOARD_KERNEL_CMDLINE += swiotlb=1
BOARD_KERNEL_CMDLINE += video=vfb:640x400,bpp=32,memsize=3072000
-BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive
# HIDL
DEVICE_MANIFEST_FILE := $(COMMON_PATH)/manifest.xml
diff --git a/common.mk b/common.mk
index 8a57fa0..a4bf8c4 100644
--- a/common.mk
+++ b/common.mk
@@ -10,9 +10,6 @@ $(call inherit-product, $(SRC_TARGET_DIR)/product/full_base_telephony.mk)
# Inherit proprietary targets
$(call inherit-product-if-exists, vendor/xiaomi/sm6250-common/sm6250-common-vendor.mk)
-# Enable updating of APEXes
-$(call inherit-product, $(SRC_TARGET_DIR)/product/updatable_apex.mk)
-
# Setup dalvik vm configs
$(call inherit-product, frameworks/native/build/phone-xhdpi-4096-dalvik-heap.mk)
@@ -199,8 +196,7 @@ PRODUCT_PACKAGES += \
PRODUCT_COPY_FILES += \
$(LOCAL_PATH)/rootdir/etc/init.qcom.rc:$(TARGET_COPY_OUT_VENDOR)/etc/init/hw/init.qcom.rc \
$(LOCAL_PATH)/rootdir/etc/init.qcom.usb.rc:$(TARGET_COPY_OUT_VENDOR)/etc/init/hw/init.qcom.usb.rc \
- $(LOCAL_PATH)/rootdir/etc/init.target.rc:$(TARGET_COPY_OUT_VENDOR)/etc/init/hw/init.target.rc \
- $(LOCAL_PATH)/rootdir/etc/init.safailnet.rc:$(TARGET_COPY_OUT_VENDOR)/etc/init/hw/init.safailnet.rc
+ $(LOCAL_PATH)/rootdir/etc/init.target.rc:$(TARGET_COPY_OUT_VENDOR)/etc/init/hw/init.target.rc
PRODUCT_COPY_FILES += \
$(LOCAL_PATH)/rootdir/bin/init.qcom.post_boot.sh:$(TARGET_COPY_OUT_VENDOR)/bin/init.qcom.post_boot.sh \
diff --git a/manifest.xml b/manifest.xml
index 113d6af..9f157e9 100644
--- a/manifest.xml
+++ b/manifest.xml
@@ -481,12 +481,12 @@
vendor.qti.hardware.perf
hwbinder
- 2.0
+ 2.2
IPerf
default
- @2.0::IPerf/default
+ @2.2::IPerf/default
vendor.qti.hardware.qdutils_disp
@@ -687,6 +687,17 @@
@1.0::ITuiComm/default
+
+ android.frameworks.sensorservice
+ hwbinder
+ 1.0
+
+ ISensors
+ default
+
+ @1.0::ISensors/default
+ @1.0::ISensorManager/default
+
vendor.qti.hardware.wifidisplaysession
hwbinder
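Review bot: The added android.frameworks.sensorservice entry names its interface `ISensors` but then lists `@1.0::ISensorManager/default` next to `@1.0::ISensors/default`. As far as I know that package defines ISensorManager and no ISensors, so the entry appears to mix the framework sensor service with the sensors HAL. If the framework service is what is meant, the interface name and the single fqname should both be `ISensorManager`. It is also worth confirming the entry belongs in the device manifest at all, since that service is implemented on the framework side. The XML tags are not visible in this rendering, so the element structure is inferred from the values.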
diff --git a/rootdir/etc/init.qcom.rc b/rootdir/etc/init.qcom.rc
index 6715d40..7173152 100644
--- a/rootdir/etc/init.qcom.rc
+++ b/rootdir/etc/init.qcom.rc
@@ -28,7 +28,6 @@
import /vendor/etc/init/hw/init.qcom.usb.rc
import /vendor/etc/init/hw/init.target.rc
import /vendor/etc/init/hw/init.device.rc
-import /vendor/etc/init/hw/init.safailnet.rc
on early-init
mount debugfs debugfs /sys/kernel/debug
diff --git a/rootdir/etc/init.safailnet.rc b/rootdir/etc/init.safailnet.rc
deleted file mode 100644
index 53676c5..0000000
--- a/rootdir/etc/init.safailnet.rc
+++ /dev/null
@@ -1,8 +0,0 @@
-# Safetynet bypass
-# Inspired in magisk source code, by topjohnwu
-# Ported to ramdisk by jhenrique09
-
-on boot
- # selinux nodes, hide permissive state
- chmod 0640 /sys/fs/selinux/enforce
- chmod 0440 /sys/fs/selinux/policy
diff --git a/sepolicy/private/fsck.te b/sepolicy/private/fsck.te
new file mode 100644
index 0000000..9990eda
--- /dev/null
+++ b/sepolicy/private/fsck.te
@@ -0,0 +1 @@
+dontaudit fsck self:capability kill;
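Review bot: The rule `dontaudit fsck self:capability kill;` is added with no comment, and the same uncommented rule appears in sepolicy/private/linkerconfig.te and sepolicy/private/vdc.te. A dontaudit removes the denial from the audit log entirely, so anyone triaging logs later cannot see that the access is still being attempted or why it was judged harmless. I would put a line above each rule such as `# kill denial logged during <when it occurs>; the domain does not need it, silenced to reduce log noise`, filling in the observed trigger.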
diff --git a/sepolicy/private/linkerconfig.te b/sepolicy/private/linkerconfig.te
new file mode 100644
index 0000000..6b0a1fa
--- /dev/null
+++ b/sepolicy/private/linkerconfig.te
@@ -0,0 +1 @@
+dontaudit linkerconfig self:capability kill;
diff --git a/sepolicy/private/system_suspend.te b/sepolicy/private/system_suspend.te
new file mode 100644
index 0000000..03824e2
--- /dev/null
+++ b/sepolicy/private/system_suspend.te
@@ -0,0 +1,2 @@
+allow system_suspend sysfs:dir { open read };
+dontaudit system_suspend sysfs:file { getattr open read };
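Review bot: Both rules target the generic `sysfs` type, which covers every sysfs node without a more specific label. hal_health_default.te (`sysfs:file read`) and hal_light_default.te (`sysfs:file { open write getattr }`) do the same, and the write grant in hal_light_default.te is the widest of the three. Labelling the exact nodes each domain touches in genfs_contexts and allowing on that type keeps the grant to those files, e.g. `allow hal_light_default sysfs_leds:file { open write getattr };` once the LED paths carry that label. The `dontaudit system_suspend sysfs:file { getattr open read };` line also hides any future denial on unlabelled sysfs files for this domain, so a short comment naming the nodes involved would help.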
diff --git a/sepolicy/private/vdc.te b/sepolicy/private/vdc.te
new file mode 100644
index 0000000..9123f99
--- /dev/null
+++ b/sepolicy/private/vdc.te
@@ -0,0 +1 @@
+dontaudit vdc self:capability kill;
diff --git a/sepolicy/vendor/battery.te b/sepolicy/vendor/battery.te
index 4c91aaa..77d6ff0 100644
--- a/sepolicy/vendor/battery.te
+++ b/sepolicy/vendor/battery.te
@@ -21,7 +21,6 @@ r_dir_file(battery_daemons, vendor_sysfs_usbpd_device)
allow battery_daemons persist_subsys_file:dir w_dir_perms;
allow battery_daemons rootfs:dir w_dir_perms;
-
allow battery_daemons kmsg_device:chr_file w_file_perms;
allow battery_daemons persist_subsys_file:file w_file_perms;
allow battery_daemons sysfs:file w_file_perms;
@@ -29,12 +28,9 @@ allow battery_daemons vendor_sysfs_battery_supply:file w_file_perms;
allow battery_daemons sysfs_usb:file w_file_perms;
allow battery_daemons vendor_sysfs_usb_supply:file w_file_perms;
allow battery_daemons vendor_sysfs_usbpd_device:file w_file_perms;
-
allow battery_daemons self:global_capability_class_set sys_tty_config;
allow battery_daemons self:global_capability_class_set sys_boot;
-
allow battery_daemons self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
allow battery_daemons self:capability { chown fsetid };
wakelock_use(battery_daemons)
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
new file mode 100644
index 0000000..b84e726
--- /dev/null
+++ b/sepolicy/vendor/device.te
@@ -0,0 +1,2 @@
+type fingerprint_device, dev_type;
+type spidev_device, dev_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index 5dd0560..6ac7dbf 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -3,8 +3,26 @@
/vendor/bin/batterysecret u:object_r:batterysecret_exec:s0
/mnt/vendor/persist/subsys(/.*)? u:object_r:persist_subsys_file:s0
+# Biometric
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_sm6250 u:object_r:hal_fingerprint_default_exec:s0
+
# Fingerprint
-/vendor/bin/hw/android\.hardware\.fingerprint@2\.1-service\.xiaomi_sm6250 u:object_r:hal_fingerprint_default_exec:s0
+/data/gf_data(/.*)? u:object_r:fingerprintd_data_file:s0
+/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor/gf_data(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+/dev/goodix_fp u:object_r:fingerprint_device:s0
+
+# IR
+/dev/lirc0 u:object_r:spidev_device:s0
+/dev/spidev7.1 u:object_r:spidev_device:s0
+/dev/spidev0.1 u:object_r:spidev_device:s0
+
+#Light
+/vendor/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_sm6250 u:object_r:hal_light_default_exec:s0
+
+#Perf
+/vendor/bin/hw/vendor\.qti\.hardware\.perf@2\.2-service\.xiaomi_sm6250 u:object_r:same_process_hal_file:s0
# Power HAL
/vendor/bin/hw/android\.hardware\.power@1\.3-service\.xiaomi_sm6250 u:object_r:hal_power_default_exec:s0
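Review bot: The new perf entry labels the `vendor.qti.hardware.perf@2.2-service.xiaomi_sm6250` executable `same_process_hal_file`, a type intended for libraries loaded into client processes rather than for a service binary. With that label init has no exec type to transition on, so the service would presumably not enter the `hal_perf_default` domain that hal_fingerprint_default.te calls into. The label should probably be the exec type paired with that domain, e.g. `u:object_r:hal_perf_default_exec:s0` if the platform policy defines it. Separately, `/dev/spidev7.1` and `/dev/spidev0.1` leave the dot unescaped, so it matches any character; `/dev/spidev7\.1` and `/dev/spidev0\.1` would be exact.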
diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te
new file mode 100644
index 0000000..0fa98c8
--- /dev/null
+++ b/sepolicy/vendor/hal_fingerprint_default.te
@@ -0,0 +1,26 @@
+hal_server_domain(hal_fingerprint_default, hal_fingerprint)
+init_daemon_domain(hal_fingerprint_default)
+
+# access to /data/system/users/[0-9]+/fpdata
+allow hal_fingerprint_default fingerprintd_data_file:dir rw_dir_perms;
+allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_fingerprint_default vendor_hal_perf_hwservice:hwservice_manager find;
+allow hal_fingerprint_default vendor_sysfs_fps_attr:file { open read write };
+allow hal_fingerprint_default property_socket:sock_file write;
+allow hal_fingerprint_default init:unix_stream_socket connectto;
+
+allow hal_fingerprint_default {
+ fingerprint_device
+ tee_device
+ uhid_device
+}:chr_file rw_file_perms;
+
+# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
+# hal_fingerprint no longer directly accesses fingerprintd_data_file.
+typeattribute hal_fingerprint_default data_between_core_and_vendor_violators;
+binder_call(hal_fingerprint_default, hal_perf_default)
+r_dir_file(hal_fingerprint_default, firmware_file)
+set_prop(hal_fingerprint_default, hal_fingerprint_prop)
+dontaudit hal_fingerprint_default storage_file:dir search;
+
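Review bot: `uhid_device` in the `chr_file rw_file_perms` set lets the fingerprint HAL create virtual HID devices, a far wider capability than talking to a sensor, and nothing in the file says why it is needed. If it exists for fingerprint navigation gestures, say so in a comment above the set; otherwise drop it so only `fingerprint_device` and `tee_device` remain. The explicit `property_socket:sock_file write` and `init:unix_stream_socket connectto` rules look redundant with `set_prop(hal_fingerprint_default, hal_fingerprint_prop)` further down, which normally grants both. The header comment mentions /data/system/users/[0-9]+/fpdata, while file_contexts in this commit labels /data/gf_data with `fingerprintd_data_file`; the comment should name the path actually used.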
diff --git a/sepolicy/vendor/hal_health_default.te b/sepolicy/vendor/hal_health_default.te
new file mode 100644
index 0000000..146238d
--- /dev/null
+++ b/sepolicy/vendor/hal_health_default.te
@@ -0,0 +1 @@
+allow hal_health_default sysfs:file read;
diff --git a/sepolicy/vendor/hal_ir_default.te b/sepolicy/vendor/hal_ir_default.te
new file mode 100644
index 0000000..f6f771a
--- /dev/null
+++ b/sepolicy/vendor/hal_ir_default.te
@@ -0,0 +1,2 @@
+get_prop(hal_ir_default, lirc_prop)
+allow hal_ir_default spidev_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/hal_light_default.te b/sepolicy/vendor/hal_light_default.te
new file mode 100644
index 0000000..ba3fc9b
--- /dev/null
+++ b/sepolicy/vendor/hal_light_default.te
@@ -0,0 +1 @@
+allow hal_light_default sysfs:file { open write getattr };
diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te
new file mode 100644
index 0000000..e117d6a
--- /dev/null
+++ b/sepolicy/vendor/hal_sensors_default.te
@@ -0,0 +1 @@
+set_prop(hal_sensors_default, vendor_camera_prop)
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
new file mode 100644
index 0000000..d83bf7f
--- /dev/null
+++ b/sepolicy/vendor/hwservice_contexts
@@ -0,0 +1,2 @@
+vendor.goodix.hardware.fingerprint::IGoodixBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
+vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
new file mode 100644
index 0000000..b4bba15
--- /dev/null
+++ b/sepolicy/vendor/property.te
@@ -0,0 +1,4 @@
+type hal_fingerprint_prop, property_type;
+type mlipay_prop, property_type;
+type thermal_engine_prop, property_type;
+type lirc_prop, property_type;
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
new file mode 100644
index 0000000..053c0fe
--- /dev/null
+++ b/sepolicy/vendor/property_contexts
@@ -0,0 +1,45 @@
+# Audio
+audio.sys.noisy.broadcast.delay u:object_r:vendor_default_prop:s0
+audio.sys.offload.pstimeout.secs u:object_r:vendor_default_prop:s0
+audio_hal.in_period_size u:object_r:vendor_default_prop:s0
+audio_hal.period_multiplier u:object_r:vendor_default_prop:s0
+persist.audio.fluence.voicecomm u:object_r:vendor_default_prop:s0
+
+# Camera
+cameradaemon.SaveMemAtBoot u:object_r:vendor_default_prop:s0
+cpp.set.clock u:object_r:vendor_default_prop:s0
+disable.cpp.power.collapse u:object_r:vendor_default_prop:s0
+vendor.camera.eis.gyro_name u:object_r:vendor_camera_prop:s0
+vidc.enc.dcvs.extra-buff-count u:object_r:vendor_default_prop:s0
+
+#IR
+ro.lirc.dev u:object_r:lirc_prop:s0
+
+# Fingerprint
+fpc_kpi u:object_r:vendor_default_prop:s0
+gf.debug.dump_data u:object_r:vendor_default_prop:s0
+persist.sys.fp. u:object_r:hal_fingerprint_prop:s0
+persist.vendor.sys.fp. u:object_r:hal_fingerprint_prop:s0
+ro.boot.fp. u:object_r:hal_fingerprint_prop:s0
+ro.boot.fpsensor u:object_r:hal_fingerprint_prop:s0
+sys.fp. u:object_r:hal_fingerprint_prop:s0
+
+# Media
+gpu.stats.debug.level u:object_r:vendor_default_prop:s0
+
+# Mlipay
+persist.vendor.sys.pay. u:object_r:mlipay_prop:s0
+persist.vendor.sys.provision.status u:object_r:mlipay_prop:s0
+
+# RIL
+ro.build.software.version u:object_r:exported_radio_prop:s0
+ro.fota.oem u:object_r:exported_radio_prop:s0
+ro.miui. u:object_r:exported_radio_prop:s0
+ro.product.mod_device u:object_r:exported_radio_prop:s0
+
+# Thermal engine
+persist.sys.thermal. u:object_r:thermal_engine_prop:s0
+sys.thermal. u:object_r:thermal_engine_prop:s0
+
+# Wlan
+persist.vendor.wigig.npt.enable u:object_r:vendor_default_prop:s0
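Review bot: Many of these keys sit outside the vendor property namespaces (`audio.sys.*`, `sys.fp.`, `persist.sys.fp.`, `sys.thermal.`, `ro.miui.`, `ro.build.software.version`), yet they are labelled from vendor policy. Entries ending in a dot are prefix matches, so `sys.fp.` and `persist.sys.thermal.` hand whole system-namespace subtrees to vendor-defined types. The `exported_radio_prop` block likewise changes which domains may access `ro.miui.*` and `ro.product.mod_device`. Where the vendor blobs allow it, prefer `vendor.`/`persist.vendor.`/`ro.vendor.` keys. For keys that cannot move, a comment such as `# legacy key read by <blob name>, cannot be renamed` above each group would record why the exception exists.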
diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te
new file mode 100644
index 0000000..a372b82
--- /dev/null
+++ b/sepolicy/vendor/tee.te
@@ -0,0 +1,4 @@
+typeattribute tee data_between_core_and_vendor_violators;
+allow tee system_data_file:dir r_dir_perms;
+allow tee fingerprintd_data_file:dir rw_dir_perms;
+allow tee fingerprintd_data_file:file create_file_perms;
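Review bot: `typeattribute tee data_between_core_and_vendor_violators;` exempts tee from the core/vendor data-sharing neverallow rules without any comment, unlike hal_fingerprint_default.te, which at least carries a TODO explaining it. The rule `allow tee system_data_file:dir r_dir_perms;` also lets the TEE daemon list any directory carrying the generic system data label, where `search` alone is usually all a path traversal needs. I would add `# tee stores fingerprint templates under fingerprintd_data_file; remove once the data moves to /data/vendor` above the attribute. The directory rule could then be narrowed to `allow tee system_data_file:dir search;` if testing confirms that is sufficient.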
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
new file mode 100644
index 0000000..5335e96
--- /dev/null
+++ b/sepolicy/vendor/vendor_init.te
@@ -0,0 +1,11 @@
+typeattribute vendor_init data_between_core_and_vendor_violators;
+
+allow vendor_init {
+ system_data_file
+ tombstone_data_file
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
+
+allow init adsprpcd_file:file mounton;
+
+set_prop(vendor_init, vendor_freq_prop)
+set_prop(vendor_init, vendor_camera_prop)
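Review bot: The directory permission set granted to vendor_init on `system_data_file` and `tombstone_data_file` includes `rmdir`, `setattr` and `relabelfrom`, so vendor init scripts can delete and relabel directories under the core data label. That is only possible because of the `data_between_core_and_vendor_violators` attribute on the first line. The file gives no hint which init.rc action needs this, so the set should be cut down to what that action uses and commented with the path involved; a plain `mkdir` often needs only `create search getattr setattr write add_name`. `allow init adsprpcd_file:file mounton;` is a rule for the `init` domain placed in vendor_init.te; it would be easier to audit in its own init.te with a comment naming the bind mount it supports.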