From 33b432dc0356efb525c5f12e86eae2695cda1e71 Mon Sep 17 00:00:00 2001
From: Jan Altensen
Date: Thu, 19 May 2022 08:42:56 +0200
Subject: [PATCH 1/2] emerald: address fastbootd denials

Change-Id: I548b614785f10187195df385aaa329e9ae41a96e
---
 sepolicy/fastbootd.te | 69 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 sepolicy/fastbootd.te

diff --git a/sepolicy/fastbootd.te b/sepolicy/fastbootd.te
new file mode 100644
index 0000000..bc9b574
--- /dev/null
+++ b/sepolicy/fastbootd.te
@@ -0,0 +1,69 @@
+recovery_only(`
+allow fastbootd {
+ boot_block_device
+ boot_para_block_device
+ bootdevice_block_device
+ dtbo_block_device
+ expdb_block_device
+ gz_block_device
+ lk_block_device
+ logo_block_device
+ md_block_device
+ metadata_block_device
+ nvcfg_block_device
+ nvdata_device
+ nvram_device
+ otp_part_block_device
+ para_block_device
+ persist_block_device
+ preloader_block_device
+ protect1_block_device
+ protect2_block_device
+ scp_block_device
+ sec1_block_device
+ seccfg_block_device
+ spmfw_block_device
+ sspm_block_device
+ super_block_device
+ tee_block_device
+ userdata_block_device
+ vbmeta_block_device
+}:blk_file { rw_file_perms };
+
+allowxperm fastbootd {
+ boot_block_device
+ boot_para_block_device
+ bootdevice_block_device
+ dtbo_block_device
+ expdb_block_device
+ gz_block_device
+ lk_block_device
+ logo_block_device
+ md_block_device
+ metadata_block_device
+ nvcfg_block_device
+ nvdata_device
+ nvram_device
+ otp_part_block_device
+ para_block_device
+ persist_block_device
+ preloader_block_device
+ protect1_block_device
+ protect2_block_device
+ scp_block_device
+ sec1_block_device
+ seccfg_block_device
+ spmfw_block_device
+ sspm_block_device
+ super_block_device
+ tee_block_device
+ userdata_block_device
+ vbmeta_block_device
+}:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
+
+allow fastbootd sysfs:dir r_dir_perms;
+r_dir_file(fastbootd, sysfs_batteryinfo)
+allow fastbootd {
+ sysfs_batteryinfo
+}:file w_file_perms;
+')
--
GitLab

From fe669024671b209d0e32d9cd852ff208ec694c41 Mon Sep 17 00:00:00 2001
From: Jan Altensen
Date: Thu, 19 May 2022 08:43:18 +0200
Subject: [PATCH 2/2] emerald: do not default to permissive on eng

* caused confusion, enforce by default

Change-Id: Iea2727b390f83a5f6c9ff31db28ded8070090db3
---
 BoardConfig.mk | 4 ----
 lineage_emerald.mk | 5 -----
 2 files changed, 9 deletions(-)

diff --git a/BoardConfig.mk b/BoardConfig.mk
index 82193f0..50829e0 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
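Review bot: `allow fastbootd { sysfs_batteryinfo }:file w_file_perms;` at the end of the hunk grants write access to the battery sysfs nodes, although the `r_dir_file(fastbootd, sysfs_batteryinfo)` line just above already covers the read-only charge-level check fastbootd performs, and writing into sysfs is rarely what the underlying denial was about. Unless the audit line specifically showed a denied `write`, that rule should be dropped, or at least narrowed to the single permission that was denied rather than the whole `w_file_perms` macro. The two 28-entry type lists in the `allow` and `allowxperm` rules are identical and have to be kept in sync by hand; a comment above the first one, e.g. `# Partitions fastbootd may flash or wipe; keep in sync with the allowxperm list below`, would at least make that coupling explicit. The ioctl grant is limited to `BLKGETSIZE64 BLKSSZGET`, so if `fastboot erase` of these partitions is expected the discard ioctls (BLKDISCARD/BLKSECDISCARD) will presumably surface as further denials — worth checking now rather than in a follow-up.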
@@ -68,10 +68,6 @@ BUILD_BROKEN_DUP_RULES := true
 BOARD_KERNEL_CMDLINE := bootopt=64S3,32N2,64N2
 BOARD_KERNEL_CMDLINE += androidboot.init_fatal_reboot_target=recovery
 
-ifeq ($(EMERALD_DEBUG),true)
-BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive
-endif
-
 BOARD_KERNEL_BASE := 0x40000000
 BOARD_KERNEL_TAGS_OFFSET := 0x07880000
 BOARD_KERNEL_OFFSET := 0x00080000
diff --git a/lineage_emerald.mk b/lineage_emerald.mk
index 0c37da4..d83a5dd 100644
--- a/lineage_emerald.mk
+++ b/lineage_emerald.mk
@@ -16,11 +16,6 @@ $(call inherit-product, $(SRC_TARGET_DIR)/product/core_64_bit.mk)
 $(call inherit-product, $(SRC_TARGET_DIR)/product/full_base_telephony.mk)
 
-# Enable debug options for emerald product.
-ifeq (eng,$(TARGET_BUILD_VARIANT))
- EMERALD_DEBUG := true
-endif
-
 # Inherit from emerald device
 $(call inherit-product, $(LOCAL_PATH)/emerald.mk)
--
GitLab