zenfone6: Selinux Enforcing :)
Change-Id: Iceb74a5d8ca3dd49ea707cb505d787c53a3df6d7
diff --git a/BoardConfig.mk b/BoardConfig.mk
index c7fe693..64985a5 100755
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -105,7 +105,7 @@
# Kernel
BOARD_KERNEL_CMDLINE := console=ttyMSM0,115200n8 earlycon=msm_geni_serial,0xa90000 androidboot.hardware=qcom androidboot.console=ttyMSM0 androidboot.memcg=1 lpm_levels.sleep_disabled=1 video=vfb:640x400,bpp=32,memsize=3072000 msm_rtb.filter=0x237 service_locator.enable=1 swiotlb=2048 loop.max_part=7 androidboot.usbcontroller=a600000.dwc3
-BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive
+#BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive
BOARD_KERNEL_PAGESIZE := 4096
BOARD_KERNEL_BASE := 0x00000000
BOARD_KERNEL_TAGS_OFFSET := 0x00008000
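Review bot: The permissive flag is kept in the file as a commented-out line (`#BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive`) instead of being deleted, so a one-character edit would ship a permissive build again. Delete the line outright. If permissive is still wanted during bring-up, wrap the original line in `ifneq ($(TARGET_BUILD_VARIANT),user)` so it can never reach a user build.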
diff --git a/prebuilt/system/etc/init/init.qcom.rc b/prebuilt/system/etc/init/init.qcom.rc
index d2843ce..5328172 100644
--- a/prebuilt/system/etc/init/init.qcom.rc
+++ b/prebuilt/system/etc/init/init.qcom.rc
@@ -1,7 +1,2 @@
on post-fs
- mount none /dev/null /vendor/overlay/FrameworksResCommon.apk bind
-
-on boot
- # Smart Key
- chown system system /sys/devices/platform/soc/soc:asustek_googlekey/googlekey_enable
- chmod 0660 /sys/devices/platform/soc/soc:asustek_googlekey/googlekey_enable
+ mount none /dev/null /vendor/overlay/FrameworksResCommon.apk bind
\ No newline at end of file
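Review bot: Removing the `on boot` chown/chmod of `googlekey_enable` leaves that sysfs node with its default owner and mode, while system_app.te in this commit still grants `system_app` write access to `sysfs_gesture`. Unless another rc file (not visible here) sets ownership, the SELinux rule will allow the write but the DAC check will likely still deny it. Either keep the `chown system system` / `chmod 0660` lines, or, if init no longer touches the node, also drop `allow init sysfs_gesture:file { rw_file_perms setattr };` from init.te so policy matches what init actually does. The file now also ends without a trailing newline, as do file.te, genfs_contexts, rs.te and system_app.te; end each with a newline.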
diff --git a/sepolicy/private/file.te b/sepolicy/private/file.te
index ce2daf2..2a2a99a 100644
--- a/sepolicy/private/file.te
+++ b/sepolicy/private/file.te
@@ -10,4 +10,4 @@
# Offscreen Gestures
type sysfs_gesture, sysfs_type, fs_type;
-type sysfs_touchscreen, sysfs_type, fs_type;
\ No newline at end of file
+type proc_touchscreen, proc_type, sysfs_type, fs_type;
\ No newline at end of file
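Review bot: `proc_touchscreen` is declared with both `proc_type` and `sysfs_type`, but the genfs_contexts change in this commit applies it only to `/proc/driver/*` nodes. Carrying `sysfs_type` means every rule written against the `sysfs_type` attribute elsewhere in the policy also applies to these proc files, which is wider than intended once the device is enforcing. Declare it as `type proc_touchscreen, proc_type, fs_type;`.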
diff --git a/sepolicy/private/file_contexts b/sepolicy/private/file_contexts
index 54f9451..d2462df 100644
--- a/sepolicy/private/file_contexts
+++ b/sepolicy/private/file_contexts
@@ -6,12 +6,6 @@
/voucher(/.*)? u:object_r:voucher_file:s0
/xrom(/.*)? u:object_r:xrom_file:s0
-# Gestures
-/proc/driver/glove u:object_r:sysfs_gesture:s0
-/proc/driver/gesture_type u:object_r:sysfs_gesture:s0
-/proc/driver/swipeup u:object_r:sysfs_gesture:s0
-/sys/devices/platform/soc/soc:asustek_googlekey/googlekey_enable u:object_r:sysfs_gesture:s0
-
# HALs
/(product|system/product)/vendor_overlay/[0-9]+/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
diff --git a/sepolicy/private/genfs_contexts b/sepolicy/private/genfs_contexts
index 550fd10..ac504cd 100644
--- a/sepolicy/private/genfs_contexts
+++ b/sepolicy/private/genfs_contexts
@@ -1 +1,5 @@
-genfscon proc /driver/dclick u:object_r:sysfs_touchscreen:s0
\ No newline at end of file
+genfscon sysfs /devices/platform/soc/soc:asustek_googlekey/googlekey_enable u:object_r:sysfs_gesture:s0
+genfscon proc /driver/dclick u:object_r:proc_touchscreen:s0
+genfscon proc /driver/gesture_type u:object_r:proc_touchscreen:s0
+genfscon proc /driver/glove u:object_r:proc_touchscreen:s0
+genfscon proc /driver/swipeup u:object_r:proc_touchscreen:s0
\ No newline at end of file
diff --git a/sepolicy/private/init.te b/sepolicy/private/init.te
index 8caaa57..7d7e100 100644
--- a/sepolicy/private/init.te
+++ b/sepolicy/private/init.te
@@ -1,5 +1,4 @@
# Allow init to chown/chmod on pseudo files in /sys
-allow init sysfs_touchscreen:file { rw_file_perms setattr };
allow init sysfs_gesture:file { rw_file_perms setattr };
# Allow init to bind mount over vendor file
diff --git a/sepolicy/private/rs.te b/sepolicy/private/rs.te
new file mode 100644
index 0000000..2dffbab
--- /dev/null
+++ b/sepolicy/private/rs.te
@@ -0,0 +1,2 @@
+allow rs surfaceflinger:fd use;
+allow rs sdcardfs:file rw_file_perms;
\ No newline at end of file
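Review bot: Both rules in the new rs.te are added with no comment saying which denial they answer, and `allow rs sdcardfs:file rw_file_perms;` gives the `rs` domain read and write on every file labelled `sdcardfs`, presumably all of shared storage. If the denials observed while permissive were reads only, narrow the rule to `allow rs sdcardfs:file { read getattr };`. Otherwise, record the triggering denial above each rule, e.g. `# avc: denied { <perm> } comm="<process>" scontext=u:r:rs:s0 (placeholder, fill in from logcat)`. Rules taken from audit output without a recorded cause are hard to justify or remove later.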
diff --git a/sepolicy/private/system_app.te b/sepolicy/private/system_app.te
index b73fb60..ee4f984 100644
--- a/sepolicy/private/system_app.te
+++ b/sepolicy/private/system_app.te
@@ -1 +1,4 @@
-allow system_app sysfs_gesture:file { rw_file_perms setattr };
\ No newline at end of file
+#allow system_app system_suspend_control_service:service_manager { find };
+#allow system_app apex_service:service_manager { find };
+allow system_app sysfs_gesture:file { rw_file_perms setattr };
+allow system_app proc_touchscreen:file { rw_file_perms setattr };
\ No newline at end of file
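Review bot: The new `proc_touchscreen` rule gives `system_app` `setattr` on top of read/write, whereas system_server.te in the same commit gets only `rw_file_perms` on that type. Toggling a gesture node needs open/read/write, not the ability to change its mode or owner, so use `allow system_app proc_touchscreen:file rw_file_perms;` unless a logged denial shows `setattr` is required. The two commented-out `service_manager { find }` lines should be removed rather than committed as dead policy.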
diff --git a/sepolicy/private/system_server.te b/sepolicy/private/system_server.te
index eb2a942..b6b8e25 100644
--- a/sepolicy/private/system_server.te
+++ b/sepolicy/private/system_server.te
@@ -1,4 +1,4 @@
-allow system_server sysfs_touchscreen:file rw_file_perms;
+allow system_server proc_touchscreen:file rw_file_perms;
allow system_server sysfs_gesture:file rw_file_perms;
# allow system server to get vendor_camera_prop