sm6250-common: Enforcing bring up for R

sm6250-common: Label Light & Perf HALs

sm6250-common: Add Sensor Service to Manifest

sm6250-common: Disable APEXes

sm6250-common: Revert "Introduce 'SafailNet'"

sm6250-common: Address FP HAL Denials

sm6250-common: Merge Erfan Fingerprint Sepolicy

Co-authored-by: Erfan Abdi  <erfangplus@gmail.com>
Co-authored-by: Volodymyr Zhdanov <wight554@gmail.com>
Co-authored-by: Cosmin Tanislav <demonsingur@gmail.com>

BoardConfigCommon.mk

@@ -102,7 +102,6 @@ BOARD_KERNEL_CMDLINE += msm_rtb.filter=0x237
 BOARD_KERNEL_CMDLINE += service_locator.enable=1
 BOARD_KERNEL_CMDLINE += swiotlb=1
 BOARD_KERNEL_CMDLINE += video=vfb:640x400,bpp=32,memsize=3072000
-BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive
 
 # HIDL
 DEVICE_MANIFEST_FILE := $(COMMON_PATH)/manifest.xml

common.mk

@@ -10,9 +10,6 @@ $(call inherit-product, $(SRC_TARGET_DIR)/product/full_base_telephony.mk)
 # Inherit proprietary targets
 $(call inherit-product-if-exists, vendor/xiaomi/sm6250-common/sm6250-common-vendor.mk)
 
-# Enable updating of APEXes
-$(call inherit-product, $(SRC_TARGET_DIR)/product/updatable_apex.mk)
-
 # Setup dalvik vm configs
 $(call inherit-product, frameworks/native/build/phone-xhdpi-4096-dalvik-heap.mk)
 
@@ -199,8 +196,7 @@ PRODUCT_PACKAGES += \
 PRODUCT_COPY_FILES += \
     $(LOCAL_PATH)/rootdir/etc/init.qcom.rc:$(TARGET_COPY_OUT_VENDOR)/etc/init/hw/init.qcom.rc \
     $(LOCAL_PATH)/rootdir/etc/init.qcom.usb.rc:$(TARGET_COPY_OUT_VENDOR)/etc/init/hw/init.qcom.usb.rc \
-    $(LOCAL_PATH)/rootdir/etc/init.target.rc:$(TARGET_COPY_OUT_VENDOR)/etc/init/hw/init.target.rc \
+    $(LOCAL_PATH)/rootdir/etc/init.target.rc:$(TARGET_COPY_OUT_VENDOR)/etc/init/hw/init.target.rc
-    $(LOCAL_PATH)/rootdir/etc/init.safailnet.rc:$(TARGET_COPY_OUT_VENDOR)/etc/init/hw/init.safailnet.rc
 
 PRODUCT_COPY_FILES += \
     $(LOCAL_PATH)/rootdir/bin/init.qcom.post_boot.sh:$(TARGET_COPY_OUT_VENDOR)/bin/init.qcom.post_boot.sh \

manifest.xml

@@ -481,12 +481,12 @@
     <hal format="hidl">
         <name>vendor.qti.hardware.perf</name>
         <transport>hwbinder</transport>
-        <version>2.0</version>
+        <version>2.2</version>
         <interface>
             <name>IPerf</name>
             <instance>default</instance>
         </interface>
-        <fqname>@2.0::IPerf/default</fqname>
+        <fqname>@2.2::IPerf/default</fqname>
     </hal>
     <hal format="hidl">
         <name>vendor.qti.hardware.qdutils_disp</name>
@@ -687,6 +687,17 @@
         </interface>
         <fqname>@1.0::ITuiComm/default</fqname>
     </hal>
+    <hal format="hidl">
+        <name>android.frameworks.sensorservice</name>
+        <transport>hwbinder</transport>
+        <version>1.0</version>
+        <interface>
+            <name>ISensors</name>
+            <instance>default</instance>
+        </interface>
+        <fqname>@1.0::ISensors/default</fqname>
+        <fqname>@1.0::ISensorManager/default</fqname>
+    </hal>
     <hal format="hidl">
         <name>vendor.qti.hardware.wifidisplaysession</name>
         <transport>hwbinder</transport>

rootdir/etc/init.qcom.rc

@@ -28,7 +28,6 @@
 import /vendor/etc/init/hw/init.qcom.usb.rc
 import /vendor/etc/init/hw/init.target.rc
 import /vendor/etc/init/hw/init.device.rc
-import /vendor/etc/init/hw/init.safailnet.rc
 
 on early-init
     mount debugfs debugfs /sys/kernel/debug

rootdir/etc/init.safailnet.rc

@@ -1,8 +0,0 @@
-# Safetynet bypass
-# Inspired in magisk source code, by topjohnwu
-# Ported to ramdisk by jhenrique09
-
-on boot
-    # selinux nodes, hide permissive state
-    chmod 0640 /sys/fs/selinux/enforce
-    chmod 0440 /sys/fs/selinux/policy

sepolicy/private/fsck.te

@@ -0,0 +1 @@
+dontaudit fsck self:capability kill;

sepolicy/private/linkerconfig.te

@@ -0,0 +1 @@
+dontaudit linkerconfig self:capability kill;

sepolicy/private/system_suspend.te

@@ -0,0 +1,2 @@
+allow system_suspend sysfs:dir { open read };
+dontaudit system_suspend sysfs:file { getattr open read };

sepolicy/private/vdc.te

@@ -0,0 +1 @@
+dontaudit vdc self:capability kill;

sepolicy/vendor/battery.te

@@ -21,7 +21,6 @@ r_dir_file(battery_daemons, vendor_sysfs_usbpd_device)
 
 allow battery_daemons persist_subsys_file:dir w_dir_perms;
 allow battery_daemons rootfs:dir w_dir_perms;
-
 allow battery_daemons kmsg_device:chr_file w_file_perms;
 allow battery_daemons persist_subsys_file:file w_file_perms;
 allow battery_daemons sysfs:file w_file_perms;
@@ -29,12 +28,9 @@ allow battery_daemons vendor_sysfs_battery_supply:file w_file_perms;
 allow battery_daemons sysfs_usb:file w_file_perms;
 allow battery_daemons vendor_sysfs_usb_supply:file w_file_perms;
 allow battery_daemons vendor_sysfs_usbpd_device:file w_file_perms;
-
 allow battery_daemons self:global_capability_class_set sys_tty_config;
 allow battery_daemons self:global_capability_class_set sys_boot;
-
 allow battery_daemons self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
 allow battery_daemons self:capability { chown fsetid };
 
 wakelock_use(battery_daemons)

sepolicy/vendor/device.te

@@ -0,0 +1,2 @@
+type fingerprint_device, dev_type;
+type spidev_device, dev_type;

sepolicy/vendor/file_contexts

@@ -3,8 +3,26 @@
 /vendor/bin/batterysecret		u:object_r:batterysecret_exec:s0
 /mnt/vendor/persist/subsys(/.*)?                u:object_r:persist_subsys_file:s0
 
+# Biometric
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_sm6250                               u:object_r:hal_fingerprint_default_exec:s0
+
 # Fingerprint
-/vendor/bin/hw/android\.hardware\.fingerprint@2\.1-service\.xiaomi_sm6250                               u:object_r:hal_fingerprint_default_exec:s0
+/data/gf_data(/.*)?                             u:object_r:fingerprintd_data_file:s0
+/data/vendor/fpc(/.*)?                          u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor/gf_data(/.*)?                      u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor/goodix(/.*)?                       u:object_r:fingerprint_vendor_data_file:s0
+/dev/goodix_fp                                  u:object_r:fingerprint_device:s0
+
+# IR
+/dev/lirc0                                      u:object_r:spidev_device:s0
+/dev/spidev7.1                                  u:object_r:spidev_device:s0
+/dev/spidev0.1					u:object_r:spidev_device:s0
+
+#Light
+/vendor/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_sm6250    u:object_r:hal_light_default_exec:s0
+
+#Perf
+/vendor/bin/hw/vendor\.qti\.hardware\.perf@2\.2-service\.xiaomi_sm6250    u:object_r:same_process_hal_file:s0
 
 # Power HAL
 /vendor/bin/hw/android\.hardware\.power@1\.3-service\.xiaomi_sm6250                                     u:object_r:hal_power_default_exec:s0

sepolicy/vendor/hal_fingerprint_default.te

@@ -0,0 +1,26 @@
+hal_server_domain(hal_fingerprint_default, hal_fingerprint)
+init_daemon_domain(hal_fingerprint_default)
+
+# access to /data/system/users/[0-9]+/fpdata
+allow hal_fingerprint_default fingerprintd_data_file:dir rw_dir_perms;
+allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_fingerprint_default vendor_hal_perf_hwservice:hwservice_manager find;
+allow hal_fingerprint_default vendor_sysfs_fps_attr:file { open read write };
+allow hal_fingerprint_default property_socket:sock_file write;
+allow hal_fingerprint_default init:unix_stream_socket connectto;
+
+allow hal_fingerprint_default {
+    fingerprint_device
+    tee_device
+    uhid_device
+}:chr_file rw_file_perms;
+
+# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
+# hal_fingerprint no longer directly accesses fingerprintd_data_file.
+typeattribute hal_fingerprint_default data_between_core_and_vendor_violators;
+binder_call(hal_fingerprint_default, hal_perf_default)
+r_dir_file(hal_fingerprint_default, firmware_file)
+set_prop(hal_fingerprint_default, hal_fingerprint_prop)
+dontaudit hal_fingerprint_default storage_file:dir search;
+

sepolicy/vendor/hal_health_default.te

@@ -0,0 +1 @@
+allow hal_health_default sysfs:file read;

sepolicy/vendor/hal_ir_default.te

@@ -0,0 +1,2 @@
+get_prop(hal_ir_default, lirc_prop)
+allow hal_ir_default spidev_device:chr_file rw_file_perms;

sepolicy/vendor/hal_light_default.te

@@ -0,0 +1 @@
+allow hal_light_default sysfs:file { open write getattr };

sepolicy/vendor/hal_sensors_default.te

@@ -0,0 +1 @@
+set_prop(hal_sensors_default, vendor_camera_prop)

sepolicy/vendor/hwservice_contexts

@@ -0,0 +1,2 @@
+vendor.goodix.hardware.fingerprint::IGoodixBiometricsFingerprint        u:object_r:hal_fingerprint_hwservice:s0
+vendor.xiaomi.hardware.mlipay::IMlipayService                           u:object_r:hal_mlipay_hwservice:s0

sepolicy/vendor/property.te

@@ -0,0 +1,4 @@
+type hal_fingerprint_prop, property_type;
+type mlipay_prop, property_type;
+type thermal_engine_prop, property_type;
+type lirc_prop, property_type;

sepolicy/vendor/property_contexts

@@ -0,0 +1,45 @@
+# Audio
+audio.sys.noisy.broadcast.delay         u:object_r:vendor_default_prop:s0
+audio.sys.offload.pstimeout.secs        u:object_r:vendor_default_prop:s0
+audio_hal.in_period_size                u:object_r:vendor_default_prop:s0
+audio_hal.period_multiplier             u:object_r:vendor_default_prop:s0
+persist.audio.fluence.voicecomm         u:object_r:vendor_default_prop:s0
+
+# Camera
+cameradaemon.SaveMemAtBoot              u:object_r:vendor_default_prop:s0
+cpp.set.clock                           u:object_r:vendor_default_prop:s0
+disable.cpp.power.collapse              u:object_r:vendor_default_prop:s0
+vendor.camera.eis.gyro_name             u:object_r:vendor_camera_prop:s0
+vidc.enc.dcvs.extra-buff-count          u:object_r:vendor_default_prop:s0
+
+#IR
+ro.lirc.dev				u:object_r:lirc_prop:s0
+
+# Fingerprint
+fpc_kpi                                 u:object_r:vendor_default_prop:s0
+gf.debug.dump_data                      u:object_r:vendor_default_prop:s0
+persist.sys.fp.                         u:object_r:hal_fingerprint_prop:s0
+persist.vendor.sys.fp.                  u:object_r:hal_fingerprint_prop:s0
+ro.boot.fp.                             u:object_r:hal_fingerprint_prop:s0
+ro.boot.fpsensor                        u:object_r:hal_fingerprint_prop:s0
+sys.fp.                                 u:object_r:hal_fingerprint_prop:s0
+
+# Media
+gpu.stats.debug.level                   u:object_r:vendor_default_prop:s0
+
+# Mlipay
+persist.vendor.sys.pay.                 u:object_r:mlipay_prop:s0
+persist.vendor.sys.provision.status     u:object_r:mlipay_prop:s0
+
+# RIL
+ro.build.software.version               u:object_r:exported_radio_prop:s0
+ro.fota.oem                             u:object_r:exported_radio_prop:s0
+ro.miui.                                u:object_r:exported_radio_prop:s0
+ro.product.mod_device                   u:object_r:exported_radio_prop:s0
+
+# Thermal engine
+persist.sys.thermal.                    u:object_r:thermal_engine_prop:s0
+sys.thermal.                            u:object_r:thermal_engine_prop:s0
+
+# Wlan
+persist.vendor.wigig.npt.enable         u:object_r:vendor_default_prop:s0

sepolicy/vendor/tee.te

@@ -0,0 +1,4 @@
+typeattribute tee data_between_core_and_vendor_violators;
+allow tee system_data_file:dir r_dir_perms;
+allow tee fingerprintd_data_file:dir rw_dir_perms;
+allow tee fingerprintd_data_file:file create_file_perms;

sepolicy/vendor/vendor_init.te

@@ -0,0 +1,11 @@
+typeattribute vendor_init data_between_core_and_vendor_violators;
+
+allow vendor_init {
+  system_data_file
+  tombstone_data_file
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
+
+allow init adsprpcd_file:file mounton;
+
+set_prop(vendor_init, vendor_freq_prop)
+set_prop(vendor_init, vendor_camera_prop)