Merge "Run sensors daemon as system user instead of root" into oc-dr1-dev

init.hardware.rc

@@ -325,11 +325,26 @@ on zygote-start
     mkdir /data/system/perfd 0770 root system
     chmod 2770 /data/system/perfd
 
+    # Setup sensors-related directories and permissions
+    chown root system /persist/sensors
     chmod 775 /persist/sensors
+    chown root system /persist/sensors/sensors_settings
     chmod 664 /persist/sensors/sensors_settings
-    chown system root /persist/sensors/sensors_settings
+    chown root system /persist/sensors/sns.reg
+    chmod 664 /persist/sensors/sns.reg
 
     mkdir /data/vendor/sensors 0770
+    chown system system /data/vendor/sensors
+
+    # These files might have been created by root from a prior build - make sure
+    # they are accessible to the sensors daemon
+    chown system system /data/vendor/sensors/cal.bin
+    chown system system /data/vendor/sensors/cal.txt
+
+    # /dev/sensors only supports an ioctl to get the current SLPI timestamp;
+    # allow the sensors daemon to perform this as non-root
+    chown root system /dev/sensors
+    chmod 660 /dev/sensors
 
     # Mark the copy complete flag to not completed
     write /data/vendor/radio/copy_complete 0
@@ -554,8 +569,11 @@ on property:persist.sys.ssr.enable_ramdumps=0
 
 service sensors /vendor/bin/sensors.qcom
     class core
-    user root
-    group root
+    user system
+    group system
+    # Grants the ability for this daemon to bind IPC router ports so it can
+    # register QMI services
+    capabilities NET_BIND_SERVICE
 
 service adsprpcd /vendor/bin/adsprpcd
    class main

sepolicy/vendor/sensors.te

@@ -5,8 +5,6 @@ type sensors_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(sensors)
 
 allow sensors self:capability {
-    setuid
-    setgid
     net_bind_service
 };