From a13246a7fc2a121aa8adbb6c865038e067aa145d Mon Sep 17 00:00:00 2001
From: Felix
Date: Fri, 26 Apr 2019 18:02:06 +0200
Subject: [PATCH] sm6150-common: Force restorecon for /mnt/vendor/persist

The restorecon_recursive directive in init is only applied if the file_contexts file changed between builds, but not necessarily if any file or folder inside /mnt/vendor/persist/ has changed.

The restorecon code checks whether an xattr named "security.sehash" contains a string that matches the current combined hashes of the SELinux context files and skips restoring labels if there is a match, see https://android.googlesource.com/platform/external/selinux/+/refs/tags/android-9.0.0_r35/libselinux/src/android/android_platform.c#1546

Force wiping that xattr so that restorecon always runs since it's not very expensive (there are currently only about 50 files on /persist).

The restorecon is needed to fix issues such as wrong stock labels on /mnt/vendor/persist/sensors/: sensors_persist_file -> persist_sensors_file

Change-Id: Ic0cd848836ee550499d9236f56ed6e939e35f01e
---
 rootdir/etc/init.target.rc | 1 +
 sepolicy/vendor/vendor_init.te | 3 +++
 sepolicy/vendor/vendor_toolbox.te | 41 +++++++++++++++++++++++++++++++
 3 files changed, 45 insertions(+)
 create mode 100644 sepolicy/vendor/vendor_toolbox.te

diff --git a/rootdir/etc/init.target.rc b/rootdir/etc/init.target.rc
index 464867f..8dc51a3 100644
--- a/rootdir/etc/init.target.rc
+++ b/rootdir/etc/init.target.rc
@@ -60,6 +60,7 @@ on init
 on fs
     mount_all --early /vendor/etc/fstab.qcom
+    exec u:r:vendor_toolbox:s0 root audio bluetooth graphics media net_raw system vendor_rfs vendor_rfs_shared -- /vendor/bin/toybox_vendor find /mnt/vendor/persist -type d -exec /vendor/bin/toybox_vendor setfattr -x security.sehash {} \;
     restorecon_recursive /mnt/vendor/persist
     mkdir /mnt/vendor/persist/data 0700 system system
     mkdir /mnt/vendor/persist/audio 0755 system system
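Review bot: The added exec line removes security.sehash with `setfattr -x` on each path that `find -type d` returns, and toybox's setfattr dereferences symlinks unless told not to, so a directory entry swapped for a symlink between find's stat and the setfattr call would strip the xattr from the link target instead of the directory; `find` itself does not follow symlinks here, so the gap is only in the second command. The window is small because this runs during `on fs` before most of userspace is up and persist is vendor-owned, but if this toybox build supports it the hardening is free: `-exec /vendor/bin/toybox_vendor setfattr -h -x security.sehash {} \;`. Since the command runs as root with CAP_SYS_ADMIN in its own domain, the long supplementary group list on the exec line appears to buy nothing for an xattr removal and could be trimmed to keep the privileged invocation minimal. The `on fs` block continues outside the hunk.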
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
index 8bd20c9..04a19f6 100644
--- a/sepolicy/vendor/vendor_init.te
+++ b/sepolicy/vendor/vendor_init.te
@@ -1 +1,4 @@
 set_prop(vendor_init, vendor_fp_prop)
+
+# Allow vendor_init to relabel unlabeled files and directories
+allow vendor_init unlabeled:{ dir file } { getattr relabelfrom };
diff --git a/sepolicy/vendor/vendor_toolbox.te b/sepolicy/vendor/vendor_toolbox.te
new file mode 100644
index 0000000..86de3ee
--- /dev/null
+++ b/sepolicy/vendor/vendor_toolbox.te
@@ -0,0 +1,41 @@
+type vendor_toolbox, domain;
+
+init_daemon_domain(vendor_toolbox)
+
+# Allow vendor_toolbox to use sys_admin capability
+allow vendor_toolbox self:capability sys_admin;
+
+# Allow vendor_toolbox to execute /vendor/bin/toybox_vendor
+allow vendor_toolbox vendor_toolbox_exec:file execute_no_trans;
+
+# Allow vendor_toolbox to read directories in rootfs
+allow vendor_toolbox rootfs:dir r_dir_perms;
+
+# Allow vendor_toolbox to remove "security.*" xattrs from /mnt/vendor/persist
+allow vendor_toolbox {
+    mnt_vendor_file
+    persist_block_device
+    unlabeled
+    vendor_persist_alarm_file
+    vendor_persist_audio_file
+    vendor_persist_bluetooth_file
+    vendor_persist_camera_file
+    vendor_persist_data_file
+    vendor_persist_display_file
+    vendor_persist_drm_file
+    vendor_persist_elabel_file
+    vendor_persist_feature_enabler_file
+    vendor_persist_file
+    vendor_persist_haptics_file
+    vendor_persist_hvdcp_file
+    vendor_persist_iar_db_file
+    vendor_persist_mmi_file
+    vendor_persist_qti_fp_file
+    vendor_persist_rfs_file
+    vendor_persist_rfs_shared_hlos_file
+    vendor_persist_secnvm_file
+    vendor_persist_sensors_file
+    vendor_persist_time_file
+    vendor_persist_vpp_file
+    vendor_persist_wcnss_service_file
+}:dir { r_dir_perms setattr };
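Review bot: The new vendor_init rule grants `relabelfrom` on `unlabeled` only for the `dir` and `file` classes, so an unlabeled symlink, fifo or socket under /mnt/vendor/persist would still be skipped by restorecon_recursive with a denial in the log; if stock persist images carry such entries, `lnk_file` at least belongs in the class set. The comment should also say why this is needed, since a blanket relabelfrom on `unlabeled` is unusual and the reason lives in another file: `# restorecon_recursive in init.target.rc must fix up stock /mnt/vendor/persist labels; see vendor_toolbox.te for the sehash wipe that forces it`.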
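Review bot: The `setattr` rule in vendor_toolbox.te enumerates 25 concrete directory types, so a persist directory labeled with any type added to file_contexts later will have its setfattr denied, its security.sehash left in place, and restorecon can then skip that subtree — the very situation the commit is fixing. If the tree declares an attribute shared by the `vendor_persist_*_file` types, using it here alongside `mnt_vendor_file` and `unlabeled` would make the rule track file_contexts automatically; I cannot see whether one exists. `persist_block_device` labels the backing block device rather than any directory, so it appears inert in a `:dir` rule and could be dropped. The comment says "security.*" xattrs but the exec line only removes security.sehash; `# Allow vendor_toolbox to remove the security.sehash xattr under /mnt/vendor/persist (why sys_admin is granted above)` describes the actual use. CAP_SYS_ADMIN plus setattr on every persist directory is a strong combination, but the domain gets no `write` on these dirs and is only entered through init's exec, which keeps it reasonably contained.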